Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eitje
New Contributor

Design question

Dear all,

We have a design and how-to question regarding a FortiGate implementation. Attached you will find the network diagram. The implementation should meet all the criteria below:

- Redundant firewall configuration based on 2 FortiGate appliances in High Availability mode;
- The appliance(s) are set to transparent mode in the network (not routed!);
- The appliance filters transparently a trunk connection, where multiple VLANs go over it;
- Multi-context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffic), filtering traffic for AV, URL and email (including spam);
- Different policies for filtering rules for different virtual domains;
- MS AD integration ....

Can you please advise which model can be used and how to achieve these requirements?
ddskier
Contributor

I'm not sure your design has much impact on which Fortinet model you want to choose. They all have the same capability with the exception of throughput and the number of ports. (Except for the really low-end models, which remove some WAN Opt and other features.) Check out this product matrix for more detail: http://www.fortinet.com/sites/default/files/basicfiles/ProductMatrix.pdf

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
eitje
New Contributor

Hello DDSKier,

Thanks a lot for your message. I guess we will go for the 300B; now the question is how to configure this box to achieve what we would like to do, as stated below:

- Redundant firewall configuration based on 2 FortiGate appliances in High Availability mode;
- The appliance(s) are set to transparent mode in the network (not routed!);
- The appliance filters transparently a trunk connection, where multiple VLANs go over it;
- Multi-context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffic), filtering traffic for AV, URL and email (including spam);
- Different policies for filtering rules for different virtual domains;
- MS AD integration ....

Thanks for the suggestions ...
ddskier
Contributor

That isn't an easy question to answer over the forums. That takes some experience and training on the devices to answer. If you have a need, I would suggest some Fortinet training.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
emnoc
Esteemed Contributor III

First off, cool diagram. I wish others would do the same when posting questions in this forum.

- The appliance filters transparently a trunk connection, where multiple VLANs go over it;
- Multi-context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffic), filtering traffic for AV,

I would look for a model that has a lot of ports personally and try to avoid trunking all LANs over just one link. You might want to look at link aggregation between hub site A and the ASA as well, if possible. We would need to know what the ASA/router device is (model, how many ports) in order to give you more specific suggestions.

Things and questions to ask:

q1: Are the guest + wireless LAN both WLAN?
q1-A: What type of WLAN controller, if any?
q1-B: Or do you have a bunch of autonomous running APs?
q2: Do you need traffic shaping between the multiple LANs?
q3: Do you have any VoIP requirements through the FortiGate?
q4: Are the Squid boxes transparent?
q5: Are you caching and proxying off the Squid?
q6: What bandwidth do you have internally and externally (FastE, GIG, WAN ....)?
q7: Between site A to B to C, is this a flat LAN, a routed segment, is site A a router/L3 switch?

A FortiGate can be used in this case with no problems. I'm not 100% sure on how you will get AV/spam filtering to work with good results from a transparent firewall device, but it is doable. To be honest, crafting this as an L3 device would be:

1: easier to manage
2: overall simpler to deploy, with all LAN/WLAN segments being isolated behind the firewall
3: gives you better control of your network space if site A/B/C are uniquely addressed networks

A simple shared handoff media between you and the ASA/router would be simpler. I'm assuming this is a third-party managed device?

PCNSE NSE StrongSwan
eitje
New Contributor

Hello Emnoc,

Thanks for the reply.

"I would look for a model that has a lot of ports personally and try to avoid trunking all LANs over just one link. You might want to look at link aggregation between hub site A and the ASA as well, if possible."
We cannot change this setup since this is recommended by the customer.

"We would need to know what the ASA/router device is in order to give you more specific suggestions (model, how many ports)."
It's an ASA 5500. I guess we would go for the FortiGate-300A.

"q1: Are the guest + wireless LAN both WLAN?"
Wireless = WLAN, guest = wired network.

"q1-A: What type of WLAN controller, if any?"
There is no WLAN controller available yet.

"q1-B: Or do you have a bunch of autonomous running APs?"
Yes, there are APs (currently we are working to build this network).

"q2: Do you need traffic shaping between the multiple LANs?"
Yes, the shaping will be done via the Squid per location.

"q3: Do you have any VoIP requirements through the FortiGate?"
No.

"q4: Are the Squid boxes transparent?"
No, they are set up in routed mode.

"q5: Are you caching and proxying off the Squid?"
Yes.

"q6: What bandwidth do you have internally and externally (FastE, GIG, WAN ....)?"
GIG.

"q7: Between site A to B to C, is this a flat LAN, a routed segment, is site A a router/L3 switch?"
There is a fiber glass connection between these three locations, a routed segment, and yes, it's a layer 3 switch.

"A FortiGate can be used in this case with no problems. I'm not 100% sure on how you will get AV/spam filtering to work with good results from a transparent firewall device, but it is doable."
Why do you think it will not work 100%? The next steps are: what do I need to do to achieve this? And there will be, by the way, two FortiGates to be configured in fail-over mode (HA).

"The appliance filters transparently a trunk connection, where multiple VLANs go over it."
How to configure the FortiGate to have this connected to the three networks?

"Multi-context mode, using 3x virtual firewalls for 3 different networks going over one trunk (for corp, guest and WLAN traffic), filtering traffic for AV, URL and email (including spam)?"
Do I need to create 3 virtual domains for this? And 3 separate firewall policies? Per connection (domain) a policy?

"MS AD integration ..."
How to do this?

Thanks in advance for the help. I am very new to the FortiGate world, excuse my ignorance.
eitje
New Contributor

Hello all, can anyone help out with this? Many thanks!