rzahraoui
New Contributor

Designs Fortigate (FireWall / Proxy)

Hi all, my company has purchased a FortiGate 100D with the aim of using it as a proxy. Except that I also want to enjoy the firewalling and IDS roles of that range ==> I want to use it as the first-level firewall, keeping the existing firewalls (ASA). Could you help me by telling me what design/architecture to implement for both cases, knowing that we already have to keep the ASA firewall?

Case 1: FortiGate as proxy + ASA firewall.
Case 2: FortiGate as proxy/firewall/IDS + ASA firewall (in this case the DMZ already created on the ASA firewall will be moved to the FortiGate).

Thanks for all,
Rachid
26 REPLIES
lightmoon1992
New Contributor

I believe you should keep the DMZ behind the FortiGate, not directly connected to the ASA. This is in order to apply some security sensors to the traffic (IPS, DoS, App. Ctrl, AV, DLP, etc.).

Mohammad Al-Zard
rzahraoui

Except that the DMZ flow will pass by level 2 on the FGT. For the DMZ on the FGT, can I use just the GigabitEthernet ports (normally 2 ports)? I'm asking because we have a DMZ port on this appliance; what is its role, please?
lightmoon1992

The port naming scheme doesn't reflect any extra functionality. The only difference is that you may have non-accelerated vs. accelerated ports, but this also has nothing to do with the DMZ name; it's all about simplifying administration only. If I understood your statement (except that the DMZ flow will pass by level 2 on the FGT), you may configure your FortiGate with two VDOMs, one in NAT/Route mode to serve your users, and another transparent one to serve the DMZ.

Mohammad

Mohammad Al-Zard
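A configuration sketch of the two-VDOM split proposed above (one NAT/Route VDOM for the users, one transparent VDOM for the DMZ), added here as an illustration; it is not from the thread and not Fortinet's own documentation. It assumes FortiOS 5.x CLI syntax, the made-up VDOM names LAN and DMZ-TP, port1/port2 on the LAN side, port3/port4 on the DMZ side, and placeholder addresses.

```text
# Assumed FortiOS 5.x CLI; VDOM names, port roles and addresses are made up for illustration.

# 1. Switch the unit to multi-VDOM operation (5.x keyword; later releases use vdom-mode)
config system global
    set vdom-admin enable
end

# 2. Create the two virtual domains
config vdom
    edit LAN
    next
    edit DMZ-TP
    next
end

# 3. Interface-to-VDOM assignment is done from the global context
config global
    config system interface
        edit port1                                   # toward the backbone
            set vdom LAN
            set ip 10.10.0.1 255.255.255.0
            set allowaccess ping https ssh
        next
        edit port2                                   # toward the ASA inside interface
            set vdom LAN
            set ip 192.0.2.2 255.255.255.252
        next
        edit port3                                   # toward the ASA DMZ interface
            set vdom DMZ-TP
        next
        edit port4                                   # toward the DMZ switch
            set vdom DMZ-TP
        next
    end
end

# 4. LAN VDOM stays in NAT/Route mode (the default): default route toward the ASA
config vdom
    edit LAN
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 192.0.2.1                # ASA inside address
                set device port2
            next
        end
    next
end

# 5. DMZ-TP VDOM goes transparent: the DMZ keeps its addressing and the ASA stays its
#    gateway. The manage IP is only for administering the VDOM, not a routed hop.
config vdom
    edit DMZ-TP
        config system settings
            set opmode transparent
            set manageip 172.16.0.254/24
        end
        # Transparent mode forwards nothing without a policy; these two bridge
        # port3 <-> port4 and run the IPS sensor on the DMZ traffic in both directions.
        config firewall policy
            edit 1
                set srcintf port3
                set dstintf port4
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set ips-sensor default
            next
            edit 2
                set srcintf port4
                set dstintf port3
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set ips-sensor default
            next
        end
    next
end
```

Because the DMZ VDOM is transparent, the ASA's DMZ interface address and the hosts' default gateway do not change; the FortiGate only inserts itself on the wire and inspects what the policies let through. The LAN VDOM, by contrast, becomes a routed hop, so the backbone default route has to point at port1 and the ASA needs a return route for the user subnets via 192.0.2.2.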
emnoc
Esteemed Contributor III

Yes, the naming doesn't mean anything. You can use any port that you want, regardless of the naming. So have you finalized the design? You have numerous scenarios and options: NAT/Routed or transparent, single or two VDOMs. To add, if you run the FGT in NAT/routed mode behind the Cisco, you might want to disable TCP random sequencing; you don't need both appliances doing this. And next, do you need VPN terminations, IPsec or SSL VPN? You might want to consider that most Cisco ASAs (depending on license type) are more restrictive with regard to these VPN types.

PCNSE NSE StrongSwan
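What "disable TCP random sequencing" on the ASA looks like in practice, added here as an illustration (not from the thread, not Cisco's documentation). It assumes the Modular Policy Framework syntax of ASA 8.x/9.x; the ACL and class names and the 10.10.0.0/16 user network behind the FortiGate are made up.

```text
! Assumed Cisco ASA MPF syntax; ACL/class names and the 10.10.0.0/16 network are made up.
!
! Match only the TCP flows that arrive from the FortiGate's side of the ASA, so the
! randomization stays on for anything else (e.g. sessions terminated on the ASA itself).
access-list FGT-INSIDE extended permit tcp 10.10.0.0 255.255.0.0 any

class-map FGT-TCP
 match access-list FGT-INSIDE

! Hang the setting off the existing global policy. The ASA keeps tracking and inspecting
! these connections; it just stops rewriting their initial sequence numbers.
policy-map global_policy
 class FGT-TCP
  set connection random-sequence-number disable

! Already present on a default ASA; harmless to re-apply.
service-policy global_policy global
```

After applying, "show service-policy" lists the new class under global_policy, and "show conn" on both boxes should show the same sequence numbers for a test connection, which is the quick way to confirm only one appliance is still rewriting them.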
rzahraoui

I'm new to FGT technologies, so I must have a look at the VDOM concept. But certainly the ASA will be in NAT/routed mode, so I think I have the choice on my FGT to run it in routed or NAT/routed mode (on the "LAN" VDOM). Besides this, on the DMZ link I will have multiple DMZs "trunked" (multiple partitioned subnets); I don't know if I must have a separate VDOM for each DMZ. About the IPsec/SSL VPN question, we already have them on the ASA; I think the passage of these flows through the FGT will be transparent. So my design will be like the drawing below:

- On my backbone, the default route will send all flows to the FGT.
- The direct link between the backbone and the ASA is a choice; I can bypass the FGT if there is a problem with it (by changing the default route on the BBO).
- I have just one special case: some users/subnets are on the DMZ (behind the ASA), so the proxy must be explicit for them in order not to have full Internet access. I hope the design doesn't block this need.
emnoc
Esteemed Contributor III

Thoughts & opinions, if I may. I'm not a big fan of transparent firewall operation, but if the "green LAN" is already in place you could do transparent mode here and not change one aspect of the LAN. The same holds true with regard to the DMZ. On the DMZ and trunking, there's no problem with doing tagging in transparent mode. On the earlier comment by another with regard to AS and FortiMail: the FortiGate does provide an AS function and you don't need a separate ESA just for AS. On the ASA & FGT, do you have any concerns with session limits? Throughput? The reason I say this (above, in bold): I did something like the design you're proposing, but with an older ASA 5510 and FGT 200B, and the choke point was the 5510 in regard to throughput (FWIW, you will not get more than 350 Mbps out of an ASA 5510 no matter what you do, even with GigE ports and Security+). This is why I question the ASA, its role, and whether it's a business requirement. You probably would want to look at that and make sure you don't have any portion of the stacked/tiered firewalls being a bottleneck/chokepoint, regardless of whether it's encrypted or non-encrypted traffic. So I would pull the numbers for both models and do comparisons. The cool thing with VDOMs on the FortiGate is that you could set session limits and resource limits (see attached drawing). At the end of the day, you have about 6 or more options. Just vet each one and do your research. Did you engage your Fortinet partner or sales team for their opinions?

PCNSE NSE StrongSwan
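The per-VDOM session and resource limits mentioned above, as an added illustration (not from the thread, not Fortinet's documentation). It assumes FortiOS 5.x CLI syntax and the VDOM names LAN and DMZ-TP; the figures are placeholders, the real ceiling for a 100D has to come from its datasheet and from what the unit actually reports.

```text
# Assumed FortiOS 5.x CLI; the numbers are placeholders, not 100D specifications.
config global
    # Global ceilings for the whole box
    config system resource-limits
        set session 100000
    end
    # Per-VDOM slice, written as "set <resource> <maximum> <guaranteed>":
    # a VDOM can burst up to the maximum, and is never squeezed below the guaranteed
    # value by the other VDOM's consumption.
    config system vdom-property
        edit LAN
            set session 70000 30000
            set firewall-policy 500 100
        next
        edit DMZ-TP
            set session 30000 10000
            set firewall-policy 200 50
        next
    end
end
```

The sum of the guaranteed values must stay below the global limit, while the maxima may overlap. "diagnose sys session stat" run inside each VDOM shows the live session count against these limits, which is the number to watch when deciding whether the FGT or the ASA in front of it is the chokepoint.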
lightmoon1992

@rzahraoui Speaking of VDOMs, just think of it from a virtualization point of view: you create multiple guest operating systems ("virtual domains") on the same host operating system ("FortiGate hardware & firmware"), by which you start slicing the performance capacity for each one according to your needs. For the DMZ thing, technically you can do it with one physical interface hosting multiple logical interfaces; however, jeopardizing your DMZ subnets' availability is not an option, so I do recommend implementing LACP between your FortiGate and your L2/L3 switch. If you have a modular/cluster switching design, a mesh topology will be recommended also. For the IPsec you have on the ASA, yes, it will be transparent to your FortiGate.

@emnoc FortiGate does AS, but it is very limited against the current spam floods we experience. Bottom line, we can't call it comprehensive protection, but it will give you some little filtering capability.

Mohammad

Mohammad Al-Zard
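An added illustration of the DMZ link as discussed in the two posts above (Rachid's several "trunked" DMZ subnets on one link, and the LACP bundle recommended in reply); it is not from the thread and not Fortinet's documentation. It assumes FortiOS 5.x CLI syntax, a transparent VDOM named DMZ-TP, port3/port4 bundled toward the DMZ switch, port5 toward the ASA DMZ interface, and made-up interface names and VLAN IDs.

```text
# Assumed FortiOS 5.x CLI; interface names, VLAN IDs and port roles are made up.
config global
    config system interface
        # 802.3ad bundle toward the DMZ switch; the switch side must be an LACP port-channel
        edit dmz-lag
            set vdom DMZ-TP
            set type aggregate
            set member port3 port4
            set lacp-mode active
            set lacp-speed fast
        next
        # One 802.1Q sub-interface per DMZ VLAN on the trunk toward the switch ...
        edit dmz-vlan10
            set vdom DMZ-TP
            set interface dmz-lag
            set vlanid 10
            set forward-domain 10
        next
        edit dmz-vlan20
            set vdom DMZ-TP
            set interface dmz-lag
            set vlanid 20
            set forward-domain 20
        next
        # ... and the matching VLANs on the ASA-facing port. In a transparent VDOM,
        # interfaces that share a forward-domain are bridged together and different
        # domains never see each other's frames, so one VDOM can carry several
        # isolated DMZs without a VDOM per DMZ.
        edit asa-vlan10
            set vdom DMZ-TP
            set interface port5
            set vlanid 10
            set forward-domain 10
        next
        edit asa-vlan20
            set vdom DMZ-TP
            set interface port5
            set vlanid 20
            set forward-domain 20
        next
    end
end

# Policies in DMZ-TP are then written per VLAN pair, e.g. asa-vlan10 <-> dmz-vlan10
config vdom
    edit DMZ-TP
        config firewall policy
            edit 10
                set srcintf asa-vlan10
                set dstintf dmz-vlan10
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
            next
            edit 11
                set srcintf dmz-vlan10
                set dstintf asa-vlan10
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
            next
        end
    next
end
```

Two practical checks: the VDOM must already be in transparent mode before forward-domain is accepted on its interfaces, and port3/port4 must not be referenced anywhere else before they can become aggregate members. If one physical link of the bundle is lost, LACP keeps the VLANs up on the remaining member, which is the availability point being made above.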