Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dbarroco
New Contributor III

Device based rule in 3 tier network with intervlan routing switch at distribution level

Hi, 

I'm pretty sure that this is a self answered post, but here goes...

 

Network has switches at the access level, all of them trunked with the company vlans to a distribution switch, which is trunked up to the fortigate - see simplified diagram network.jpg

 

The vlans are being routed at the distribution switch, so this switch is the gateway for each vlan. the gateway for the switch is the fortigate of course.

 

the trunk between the distribution switch and the forti includes the vlans also - just because i want the forti to detect the devices being connected on each vlan, other than that if i could i would eliminate this trunk.

 

Upon setting this up (which is a production system that had no vlans and is heavily secured with both device based rules and FSSO rules), the FSSO rules keep working great. As for the device based rules they stopped working.

 

My assumption is that when datagrams reach the distro switch and then are forwarded to the fortigate, the mac address at this point is the distro switch and not the client device anymore. I conclude that this is basic networking 101 and there is nothing to do here, right? no chance to use device based rules anymore. 

 

I guess that either i would either change the set up to router on a stick (not going to happen, no need for extra hops, these vlans have intensive workload) or create extra groups and move those device based rules to FSSO rules - so for now this is my best solution to this case. 

 

Any comments/ideas would be appreciated.

 

Thanks

David

 

 

1 Solution
Paul_Dean
Contributor

Hi David,

 

you are correct. Device based policies require the FortiGate to uniquely identify devices. One of the ways it can do this is by MAC address. Having those devices behind a router stops this from working.

 

The only way around it as far as I'm aware is to have the FortiGate as the gateway and the distribution layer switched and not routed.

 

Cheers,

Paul

NSE4

View solution in original post

NSE4
3 REPLIES 3
Paul_Dean
Contributor

Hi David,

 

you are correct. Device based policies require the FortiGate to uniquely identify devices. One of the ways it can do this is by MAC address. Having those devices behind a router stops this from working.

 

The only way around it as far as I'm aware is to have the FortiGate as the gateway and the distribution layer switched and not routed.

 

Cheers,

Paul

NSE4
NSE4
correa

If you  configure  Fortigate as member of all other vlans you may recieve the broadcast from your access switches.

So  device  Policy would  work in your environment.

 

Best Regards,

      Ricardo Correa

 

dbarroco
New Contributor III

The broadcast works, as i want to populate de mac devices on the fortigate for status only (health check), but being a member on each vlan does not make it the gateway on that vlan. Datagrams take another path via the distro switch and up to the fortigate. At this point they were routed by the switch and the mac on the datagrams is no longer the original one. That's why I can see the macs on the Devices tab, but can not use them for firewall policy. The only way it could work was that if the fortigate on each vlan was the vlans gateway..but that creates too much traffic unecessary.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors