I have a setup with one FortiManager that today manages internal firewalls. It has an interface connected to a mgmt network where most of our internal networking equipment are connected to.
We want to use this FortiManager to also manage other Fortigates from different customers.
My initial plan is to create a private VLAN and let a new interface on the FortiManager be behind a promiscious port,.It's only used for adding the units to the Fortimanager.
My consern is that the FortiManager becomes a bridge between our internal mgmt network and customers mgmt network. Example someone makes a static route on the customer Firewall that points to our internal mgmt network with the FortiManager as next hop.
I have not yet found any way to have an ACL directly on the FortiManager and would in this case be only dependent on the customer Fortigate ACL.
Another solution would be to route the traffic towards the FortiManager through a firewall, but I want to keep customer mgmt traffic outside of our internal mgmt network as much as possible.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @Qwireca
The Fortimanager will not act as a bridge and will not route the traffic between connected FGTs
each FMG <> FGT connection will be on a separate FGFM tunnel between the Fortigate and the Fortimanager
Hello Qwireca,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Although I didn't set up our FMG that way (everything is coming over the internet port), in your case, I would separate the customer FGT's connections on a different port, say port2, while your FGT is connected through port1. I don't think ACL is available on FMGs, so I would put a switch inbetween and set up ACLs there.
Or, if you don't have a switch that supports ACL and that has at least two ports available, I would sacrifice your own FGT's two ports for that purpose and control the FGFM traffic by a set of policies.
Just an idea without having any concrete design.
Toshi
Thanks for the idea.
We ended up routing in the customer Fortigate LAN interface into our network management network.
It was considered safe enough as it's going through two firewalls and the FortiManager do have trusted IP:s set.
Hello @Qwireca
The Fortimanager will not act as a bridge and will not route the traffic between connected FGTs
each FMG <> FGT connection will be on a separate FGFM tunnel between the Fortigate and the Fortimanager
Thank you for checking up on my conserns.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.