Support Forum
New Contributor

Design/Configuration for migration

Hello All,


As I am new to the forum, please pardon me if this is not the right place or topic for my query.

As you can see in the attachment, we are separating the same physical site into two sites named Site-A and Site-B. Both have separate ISPs.

On Site-A, inter-VLAN routing, DHCP, ACLs and the default route towards the firewall all happen on the core switch, and the Site-A firewall is only used for internal/external policies. Please note that communication between the core and the firewall is layer 3.

On Site-B we have been told to use separate zones for each department, printers, servers (DMZ), inter-VLAN routing, DHCP, etc. on the internal firewall.


The main requirement

The main requirement is that Site-A users or VLANs should be able to access or communicate with the Site-B DNS/domain controller. For example, if a support person from Site-A needs to add a PC to the domain, that should be successful.


- Please suggest the design between Site-A and Site-B.

- Is firewall-to-firewall connectivity appropriate, or can it be between the core and the Site-B firewall?

- What will be the configuration for smooth connectivity?


We tried a lot of connectivity configurations but failed.


Please note: all the firewalls are FortiGate and all switches are Cisco. Before going to production we deployed it in EVE and tested, but communication between Site-A and Site-B failed; apart from that, everything is fine. We cannot go directly to production until we are sure that this is the right way.


Your help will be highly appreciated.

Contributor III

Do you have connectivity between FG-site-A and the internal FW in site B? I understand the switch in between is L2 and port2 and port5 are in the same subnet? What do you mean by "We tried a lot of connectivity configuration but failed." -> what communication failed? Between FortiGates? On both FGs you just need routing and firewall policies.

New Contributor

Hi Hubertw,


Thanks for the reply. Actually, there is connectivity between the Site-A firewall and the Site-B internal firewall. The main problem, or the goal we want to achieve, is that all Site-A VLAN subnets/PCs should reach the Site-B servers for joining the domain (DMZ). We changed/applied a lot of policies but failed to get communication between the Site-A subnets/PCs and the Site-B DC. Please find the attached screenshots for your reference.
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 no switchport
 ip address
!
interface Vlan10
 ip address
!
interface Vlan20
 ip address
!
!
no ip http server
!
ip route
!


Can you focus on one pair of IPs (source and destination) and check whether routing and policies are in place on both firewalls?

I understand is the port1 IP on the FortiGate in site A, correct? What is the routing on this FortiGate?


You pasted the last image in the wrong way; I can't see it.


Hello Hubertzw,


Sorry for the bad last post, I was struggling with uploading the screenshots. Please click the URL below; it will take you to the screenshots. Let's focus on this case: the source is a PC in VLAN-10 on Site-A, which needs to reach the DC server in a zone on Site-B for Active Directory services.


I am kind of new to Fortinet. I don't know where I am making a mistake, and this project is on my head. I hope this URL will work.


Is there anyone else who can help me out on this?


On the Site-B FortiGate, in the firewall policy change the outgoing interface from port4 to DC-LAN40.

Show me the routing table on both FGs.
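The two things Hubertw keeps asking for, a return route and a policy whose outgoing interface is the one the DC actually sits on, shown as an added FortiOS CLI example that is not taken from the thread. It assumes the Site-B internal FortiGate reaches the Site-A FortiGate through port5 (the thread mentions port2 and port5 sharing a subnet) and that the DC lives behind the DC-LAN40 interface; every IP address, object name and policy ID is a constructed placeholder.

```fortios
# Site-B internal FortiGate (assumptions: port5 faces the Site-A FortiGate,
# whose inter-site IP is 192.0.2.1; the DC zone is DC-LAN40; all addresses
# below are constructed placeholders, not values from the thread).

# 1. Return route: Site-A VLAN-10 sits behind the Site-A FortiGate, so reply
#    traffic from the DC must be sent back across the inter-site link.
config router static
    edit 10
        set dst 10.10.10.0 255.255.255.0
        set gateway 192.0.2.1
        set device "port5"
    next
end

# 2. Address objects for the two ends of the flow under test.
config firewall address
    edit "SiteA-VLAN10"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "SiteB-DC"
        set subnet 10.40.0.10 255.255.255.255
    next
end

# 3. Inbound policy. dstintf must be the interface the DC is reached through;
#    the thread's broken policy used "port4", the fix is "DC-LAN40". Only the
#    AD join services are opened, and logging is on so a miss is visible.
config firewall policy
    edit 100
        set name "SiteA-to-DC"
        set srcintf "port5"
        set dstintf "DC-LAN40"
        set srcaddr "SiteA-VLAN10"
        set dstaddr "SiteB-DC"
        set action accept
        set schedule "always"
        set service "DNS" "KERBEROS" "LDAP" "SMB" "RPC"
        set logtraffic all
    next
end

# The Site-A FortiGate needs the mirror image: a static route to 10.40.0.0/24
# via 192.0.2.2 on its inter-site port, and a policy from its core-facing port
# to that inter-site port for "SiteA-VLAN10" -> "SiteB-DC".
#
# Verification on either box (both commands exist in FortiOS):
#   get router info routing-table all
#   diagnose sniffer packet any 'host 10.40.0.10' 4
```

If the sniffer shows the request arriving on port5 but nothing leaving DC-LAN40, the policy or route above is the place to look; if nothing arrives at all, the problem is upstream on the Site-A side.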
