Fortinet Community

Hallo DDSKier, Thanks a lot for your message, I guess we will go for the 300B , now the question is how to configure this box to achieve what we would like to do . as stated below : - Redundant firewall configuration based on. 2 Fortigate appliances in High Availability mode; -The appliance (s) are set to transparent mode in the network (not routed!) -The appliance filters Transparently a trunk connection, where multiple VLANs go over it ; - Multi-Context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffics), Filtering traffic of AV, URL and email (including spam) -Different Policies for filtering rules for different virtual domains - MS AD integration .... Thanks for the suggestions ...

That isn' t an easy question to answer over the forums. That takes some experience and training on the devices to answer. If you have a need I would suggest some fortinet training.

1st off cool diagram , I wish others would do the same when posting questions in this forum

-The appliance filters Transparently a trunk connection, where multiple VLANs go over it ; - Multi-Context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffics), Filtering traffic of AV,

I would look for a model that has alot of ports personally and try to avoid trunking all lans over just one link. You might want to look at link aggregation betwee hub siteA and ASA as while if possible. We would need to know what the asa/router device is in order to give you more specific suggestions? ( model, how many ports ) things and questions to ask ; q1:Are the guest +wireless lan both WLAN? q1-A: what type of WLAN controller if any? q1-B: or do you have a bunch of autonoumous running APs? q2: do you need traffic shaping between the multiple lans? q3:do you have any voip requirements thru the fortigate? q4:are the squid boxes transparent ? q5:are you caching and proxying off the squid? q6:what bandwidth do you have internall and externally ( FastE, GIG, WAN....) q7: between siteA to B to C, is this a flat lan, a routed segement, is site A a router-l3-switch. A fortigate can be used in this case with no problems. I' m not 1005 sure on how you will get AV/SPAM filtering to work with good results from a transparent fw-devices, but it is doable. To be honest, crafting this a l3-device would be; 1: easier to manage 2: over all simple to deploy with all lan/wlan segments being isolated behind he fire 3: gives you better control of your network space if siteA/B/C are unique addressed networks A simple shared handoff media between you and the ASA/ROUTER would be more simpler. I' m assuming this a 3rd managed-party devices?

Hallo Emnoc , Thanks for the reply.. I would look for a model that has alot of ports personally and try to avoid trunking all lans over just one link. You might want to look at link aggregation betwee hub siteA and ASA as while if possible. We cannot change this setup since this is recommended by the customer. We would need to know what the asa/router device is in order to give you more specific suggestions? ( model, how many ports ) its ASA 5500, I guess we would go for the FortiGate-300A . things and questions to ask ; q1:Are the guest +wireless lan both WLAN? Wireless = Wlan, guest= wired network. q1-A: what type of WLAN controller if any? There is no WLan controller available yet. q1-B: or do you have a bunch of autonoumous running APs? yes there are APs ( currently we are working to build this network ) q2: do you need traffic shaping between the multiple lans? yes the shaping will be done via the Squid per location q3:do you have any voip requirements thru the fortigate? No q4:are the squid boxes transparent ? No, they are setup in Routed mode . q5:are you caching and proxying off the squid? yes q6:what bandwidth do you have internall and externally ( FastE, GIG, WAN....) GIG q7: between siteA to B to C, is this a flat lan, a routed segement, is site A a router-l3-switch. There is a fiber glass connection btw these three locations, routed segment , and yes its a layer3 switch . A fortigate can be used in this case with no problems. I' m not 100% sure on how you will get AV/SPAM filtering to work with good results from a transparent fw-devices, but it is doable. Why do you think it will not work 100% ? The next steps are, what do I need to do to achieve this ? and there will be by the way two fortigates to be configured in fail-over mode ( HA ) . -The appliance filters Transparently a trunk connection, where multiple VLANs go over it ; How to configure the fortifate to have this connected to the three networks ? - Multi-Context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffics), Filtering traffic of AV, URL and email (including spam) ? Do i need to create 3 virtual domains for this ? and 3 separate firewall policies ? Per connection ( domain ) a policy ? - MS AD integration ...how to do this ? Thanks in advance for the help, am very new to the fortigate world, excuse my ignorance' s.

Hallo All , Anyone an help out with this ? Many thanks !