Configuration Options for Integrating Camera System Router with Client's Firewall

atnsi · ‎08-22-2024

I’m working on a project where a client is installing a new camera system. The vendor will provide their own router and PoE switch. We need to connect this router to the client’s existing firewall (91G), and the client has available public IP addresses.

Can I configure the 91G firewall to pass-through mode, allowing the vendor’s router to use a public IP directly? Or is there a better approach to integrate the vendor’s router with the client’s firewall?

BTW, the camera vendor will handle all system management independently and requires full access to their equipment, which will be completely separate from the client’s network.

Thanks!

AEK · ‎08-27-2024

Yes I'd do it that way.

AEK

View solution in original post

adambomb1219 · ‎08-22-2024

What is the reason to put the device behind the firewall? Why not use NAT mode? Does the public IP space exist on the 91G itself? Or in front of it?

atnsi · ‎08-27-2024

The camera vendor wants complete access to their equipment and cameras. Yes the firewall is handling the public IP space.

They also want their router to have a public IP address.

AEK · ‎08-22-2024

You can use virtual wire pair or transparent VDOM.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/166804/virtual-wire-pair

But I'd prefer use a VIP instead, I mean the public IP defined on FortiGate and mapped to private IP of the camera router. I find this cleaner and you can do better security.

AEK

atnsi · ‎08-27-2024

would a DMZ with VIP a better solution?

AEK · ‎08-27-2024

Yes I'd do it that way.

AEK

Configuration Options for Integrating Camera System Router with Client's Firewall

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website