Hi,
I'm pretty sure that this is a self-answered post, but here goes...
Network has switches at the access level, all of them trunked with the company VLANs to a distribution switch, which is trunked up to the FortiGate - see simplified diagram network.jpg
The VLANs are being routed at the distribution switch, so this switch is the gateway for each VLAN. The gateway for the switch is the FortiGate of course.
The trunk between the distribution switch and the Forti includes the VLANs also - just because I want the Forti to detect the devices being connected on each VLAN; other than that, if I could, I would eliminate this trunk.
Upon setting this up (which is a production system that had no VLANs and is heavily secured with both device-based rules and FSSO rules), the FSSO rules keep working great. As for the device-based rules, they stopped working.
My assumption is that when datagrams reach the distro switch and then are forwarded to the FortiGate, the MAC address at this point is the distro switch and not the client device anymore. I conclude that this is basic networking 101 and there is nothing to do here, right? No chance to use device-based rules anymore.
I guess that I would either change the setup to router-on-a-stick (not going to happen, no need for extra hops, these VLANs have intensive workload) or create extra groups and move those device-based rules to FSSO rules - so for now this is my best solution to this case.
Any comments/ideas would be appreciated.
Thanks
David
Hi David,
You are correct. Device-based policies require the FortiGate to uniquely identify devices. One of the ways it can do this is by MAC address. Having those devices behind a router stops this from working.
The only way around it, as far as I'm aware, is to have the FortiGate as the gateway and the distribution layer switched and not routed.
Cheers,
Paul
If you configure the FortiGate as a member of all other VLANs you may receive the broadcast from your access switches.
So device policy would work in your environment.
Best Regards,
Ricardo Correa
The broadcast works, as I want to populate the MAC devices on the FortiGate for status only (health check), but being a member on each VLAN does not make it the gateway on that VLAN. Datagrams take another path via the distro switch and up to the FortiGate. At this point they were routed by the switch and the MAC on the datagrams is no longer the original one. That's why I can see the MACs on the Devices tab, but cannot use them for firewall policy. The only way it could work was if the FortiGate on each VLAN was the VLAN's gateway... but that creates too much unnecessary traffic.
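The behaviour David describes, modelled as an added example (not code from the thread or from Fortinet): a frame crossing a Layer 2 hop keeps the client's source MAC, while a Layer 3 hop at the distribution switch rewrites both MACs and leaves only the IP header intact, so a policy keyed on the client MAC no longer matches. All MAC and IP values below are constructed for the illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet + IP header view: only the fields the example needs."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    vlan: int
    ttl: int = 64


# Constructed sample addresses (assumed for the example, not from the thread)
CLIENT_MAC = "00:11:22:33:44:55"
CLIENT_IP = "10.10.10.20"
DISTRO_SVI_MAC = "aa:aa:aa:00:00:10"     # gateway SVI for VLAN 10 on the distro switch
DISTRO_UPLINK_MAC = "aa:aa:aa:00:00:99"  # distro switch egress toward the FortiGate
FORTI_MAC = "ff:ff:ff:00:00:01"
TRANSIT_VLAN = 99


def switch_forward(frame: Frame) -> Frame:
    """Layer 2 hop: the frame is relayed unchanged, source MAC preserved."""
    return frame


def route_forward(frame: Frame, egress_mac: str, next_hop_mac: str, egress_vlan: int) -> Frame:
    """Layer 3 hop: MACs are rewritten for the next link, IP addresses stay, TTL drops."""
    if frame.ttl <= 1:
        raise ValueError("TTL expired")
    return replace(frame, src_mac=egress_mac, dst_mac=next_hop_mac,
                   vlan=egress_vlan, ttl=frame.ttl - 1)


def device_policy_allows(frame: Frame, allowed_macs: set[str]) -> bool:
    """A device-based policy that identifies the client by source MAC."""
    return frame.src_mac in allowed_macs


def path_fortigate_is_gateway() -> Frame:
    """Access and distro switches only bridge; the FortiGate sees the client MAC."""
    f = Frame(CLIENT_MAC, FORTI_MAC, CLIENT_IP, "203.0.113.10", vlan=10)
    return switch_forward(switch_forward(f))


def path_distro_switch_routes() -> Frame:
    """Distro switch is the VLAN gateway; it routes before handing off to the FortiGate."""
    f = Frame(CLIENT_MAC, DISTRO_SVI_MAC, CLIENT_IP, "203.0.113.10", vlan=10)
    return route_forward(switch_forward(f), DISTRO_UPLINK_MAC, FORTI_MAC, TRANSIT_VLAN)
```

Run both paths against a policy allowing only CLIENT_MAC: the switched path matches, the routed path arrives with the distro switch's MAC and is denied even though the source IP is unchanged.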