Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

BO and VLANs


We have a couple of BO where security is very bad so we want to have separate VLAN just for each of these BOs. 

Our goal is to have one VLAN for each BO with one subnet on it for workstations. That VLAN needs only internet access. Now, besides this simple configuration, we would like to have access to each of these PCs from HQ workgroup VLAN for remote support.

In this case, do we need to:

- create VLAN on HQ and BO FGs?

- Make DHCP on VLAN at HQ or BO?

- If we have to create (and I think we have to) VLAN on HQ FG, do we create that VLAN on the same physical interface where we have other VLANs for HQ?

- Firewall policy on HQ or BO FGs?


Thank you in advance!


Hi 3x-t,


you need only a VLAN on the branch office (with the proper subnet).

> you can create more than one per site, to segregate users/departments etc.

Then for each VLAN:

- DHCP service on BO FGT VLAN interface

- A policy from IPSec tunnel to VLAN (for remote support) and another the other way around (for BO users to access HQ resources)

- HQ FGT must have static routes to each VLAN subnet with the respective tunnel interface.


Best regards,



Top Kudoed Authors