Support Forum
Holy
Contributor

Design for ISFW (Internal Segmentation Firewall): NAT or Transparent?

Hello Guys,

 

I am about to do a concept and a network security design for a customer who needs an ISFW for his core network.

 

It will be my first time implementing an ISFW, so I have a couple of questions that someone with more experience could probably answer.

 

I want to do it with 2 x FG1500D because the customer wants to have at least 40Gig of stateful firewall performance and some IPS policies on top for some VLANs and ports.

So it would be easier to use it in transparent mode, but all the access switches (25 switches / stacks) have 10Gig uplinks to the core cluster of Cisco 6500. So we would then have 50 10Gig uplinks that I would have to handle in transparent mode, and with the 1500D that cannot work.

So I thought of aggregating 4x 10Gig interfaces on the FortiGate cluster and building a trunk between the core switch and the FortiGate with all the VLANs being passed to the FortiGate. So the FortiGate will be the default gateway for each VLAN.

See the picture attached.

 

However, here are my doubts.

 

Will the FortiGate handle being the default gateway for all of the VLANs? If a broadcast storm happens, will the FortiGate fail completely, or is there some kind of storm control protection?

 

What do you think about the design? Will it work that way?

 

If I use an Active-Active cluster, will the design still be the same, or do I then have to build different aggregation trunks on master and slave?

 

Maybe I didn't understand it right with transparent mode and ISFW, but which FortiGate could handle 50x 10Gig uplinks implemented in transparent mode without a need for a redesign?

 

Thank you all.

NSE 8
NSE 1 - 7
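One way to express the NAT-mode design described in the post (a 4x 10Gig LACP aggregate as the trunk, one FortiGate VLAN interface per customer VLAN acting as its default gateway, and an IPS-enabled policy between two VLANs) in FortiOS CLI; this is an added example, not from the original thread or Fortinet's own documentation, and the port names, VLAN IDs, addresses and sensor name are assumed placeholders. The Cisco 6500 side needs a matching LACP port-channel carrying the same VLANs.

```text
# Added example (not from the thread): NAT/route-mode ISFW layout from the post.
# Assumed: port17-port20 are the 10Gig members; VLANs 100/200 and addresses are constructed.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port17" "port18" "port19" "port20"
        set lacp-mode active
    next
    # One VLAN sub-interface per customer VLAN; its IP is that VLAN's default gateway
    edit "vlan100"
        set vdom "root"
        set interface "agg1"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan200"
        set vdom "root"
        set interface "agg1"
        set vlanid 200
        set ip 10.200.0.1 255.255.255.0
        set allowaccess ping
    next
end
# Inter-VLAN traffic only flows where a policy permits it; IPS is applied per policy
config firewall policy
    edit 1
        set name "vlan100-to-vlan200-ips"
        set srcintf "vlan100"
        set dstintf "vlan200"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Each additional VLAN gets its own sub-interface on the same aggregate, and a separate policy pair is needed for each direction of inter-VLAN traffic you want to permit.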
4 REPLIES
FortiMcPorty
New Contributor

VLANs break up broadcast domains. A broadcast storm shouldn't be a problem because of this.

 

I think it may work, but if the links saturate, I think you'll suffer contention of the system bus. I did a quick search for hardware docs for that model but could not find anything. So, my hunch is the top four 10g ports should be assigned to one agg and the bottom 4 assigned to another. This will ensure that the traffic flows into and out of the system bus without contention... but I could be wrong about this. Without a hardware doc, it is hard to say. The system bus (or 'backplane') is always the weakest link, so understanding how the traffic flows through the firewalls is key to extracting top performance.

 

I don't think any stateful firewall can keep up with 50 10Gb links running at full saturation. I would suggest further network analysis to determine actual needs.

 

Your use of the term "default gateway" implies routing, which the FortiGate cannot do in transparent mode. I'm guessing you don't mean default gateway, so I'm ignoring that statement. I encourage you to avoid routing if you can. I worked in an environment that used two large FortiGates in AA mode, fully meshed, fully redundant with monitored ports and round-robin load balancing. We used NAT/route mode and it was the most complicated monster that I have ever seen. Because of the routing, a packet would traverse the firewall several times before going where it needed to go. It was a nightmare to support. Analyzing a packet sniff was simply painful. Mere mortals would swear the network was broken after seeing a raw packet capture (looks like tons of retrans). Stick with transparent mode if you can.

Holy

Hello,

attached is the FG1500D hardware schematic.

 

I know that VLANs do not forward broadcasts, but if the FortiGate is the default gateway for all of the VLANs, then it sees all the broadcasts on every VLAN and has to spend CPU power to react to that.

And yes, when I say "Default Gateway" I do mean routing, and this design is in NAT mode because, as I said, I can't do transparent mode due to the lack of so many 10Gig interfaces. So the FortiGate cluster will be the default gateway for all VLANs and of course will then do routing between the VLANs, as they are all directly connected to it.

 

Do you see some other design here with transparent mode? I also have my doubts about using an Active-Active cluster because I heard that troubleshooting an A-A is a nightmare. But this is probably what the customer wants, to get more throughput out of the 1500D.

 

The question is, how do I then have to connect and aggregate the ports for using it as an A-A cluster? The same as in my picture for the A-P cluster?

 

Thank you very much

NSE 8
NSE 1 - 7
Holy

Here is the 2nd picture of the 1500D schematic.

NSE 8
NSE 1 - 7
FortiMcPorty

Wiring for AA mode is the same as AP.
