- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Device based rule in 3 tier network with inter...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Device based rule in 3 tier network with intervlan routing switch at distribution level
Hi,
I'm pretty sure that this is a self answered post, but here goes...
Network has switches at the access level, all of them trunked with the company vlans to a distribution switch, which is trunked up to the fortigate - see simplified diagram network.jpg
The vlans are being routed at the distribution switch, so this switch is the gateway for each vlan. the gateway for the switch is the fortigate of course.
the trunk between the distribution switch and the forti includes the vlans also - just because i want the forti to detect the devices being connected on each vlan, other than that if i could i would eliminate this trunk.
Upon setting this up (which is a production system that had no vlans and is heavily secured with both device based rules and FSSO rules), the FSSO rules keep working great. As for the device based rules they stopped working.
My assumption is that when datagrams reach the distro switch and then are forwarded to the fortigate, the mac address at this point is the distro switch and not the client device anymore. I conclude that this is basic networking 101 and there is nothing to do here, right? no chance to use device based rules anymore.
I guess that either i would either change the set up to router on a stick (not going to happen, no need for extra hops, these vlans have intensive workload) or create extra groups and move those device based rules to FSSO rules - so for now this is my best solution to this case.
Any comments/ideas would be appreciated.
Thanks
David
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi David,
you are correct. Device based policies require the FortiGate to uniquely identify devices. One of the ways it can do this is by MAC address. Having those devices behind a router stops this from working.
The only way around it as far as I'm aware is to have the FortiGate as the gateway and the distribution layer switched and not routed.
Cheers,
Paul
NSE4
NSE4
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi David,
you are correct. Device based policies require the FortiGate to uniquely identify devices. One of the ways it can do this is by MAC address. Having those devices behind a router stops this from working.
The only way around it as far as I'm aware is to have the FortiGate as the gateway and the distribution layer switched and not routed.
Cheers,
Paul
NSE4
NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you configure Fortigate as member of all other vlans you may recieve the broadcast from your access switches.
So device Policy would work in your environment.
Best Regards,
Ricardo Correa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The broadcast works, as i want to populate de mac devices on the fortigate for status only (health check), but being a member on each vlan does not make it the gateway on that vlan. Datagrams take another path via the distro switch and up to the fortigate. At this point they were routed by the switch and the mac on the datagrams is no longer the original one. That's why I can see the macs on the Devices tab, but can not use them for firewall policy. The only way it could work was that if the fortigate on each vlan was the vlans gateway..but that creates too much traffic unecessary.
Related Posts
- Route filtering with a distribution list 459 Views
- Allowing traffic between 2 Vlan switches 851 Views
- InterVlan Routing - Not all VLAN... 2187 Views
- SDWAN and Inter-vlan routing 1121 Views
- FortiGate 200F capacity 1415 Views
Labels
-
FortiGate
6,450 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.