Qwireca
New Contributor

ACL between ports on FortiManager 7.2.4

I have a setup with one FortiManager that today manages internal firewalls. It has an interface connected to a mgmt network where most of our internal networking equipment is connected.


We want to use this FortiManager to also manage other FortiGates from different customers.
My initial plan is to create a private VLAN and let a new interface on the FortiManager sit behind a promiscuous port. It's only used for adding the units to the FortiManager.


My concern is that the FortiManager becomes a bridge between our internal mgmt network and the customers' mgmt network. For example, someone makes a static route on the customer firewall that points to our internal mgmt network with the FortiManager as next hop.

I have not yet found any way to have an ACL directly on the FortiManager and would in this case be dependent only on the customer FortiGate ACL.


Another solution would be to route the traffic towards the FortiManager through a firewall, but I want to keep customer mgmt traffic outside of our internal mgmt network as much as possible. 

1 Solution
asrour
Staff

Hello @Qwireca 

The FortiManager will not act as a bridge and will not route the traffic between connected FGTs.

Each FMG <> FGT connection will be on a separate FGFM tunnel between the FortiGate and the FortiManager.

A Srour

Stephen_G
Moderator

Hello Qwireca,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
Toshi_Esumi
Esteemed Contributor III

Although I didn't set up our FMG that way (everything is coming over the internet port), in your case, I would separate the customer FGTs' connections on a different port, say port2, while your FGT is connected through port1. I don't think ACL is available on FMGs, so I would put a switch in between and set up ACLs there.
Or, if you don't have a switch that supports ACL and that has at least two ports available, I would sacrifice your own FGT's two ports for that purpose and control the FGFM traffic by a set of policies.
Just an idea without having any concrete design.


Toshi

Qwireca

Thanks for the idea. 

We ended up routing the customer FortiGate LAN interface into our network management network.

It was considered safe enough as it's going through two firewalls and the FortiManager does have trusted IPs set.

Qwireca
New Contributor

Thank you for checking up on my concerns.