Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
axlmac
New Contributor

FG 60E with all the interfaces on a trunk, would you recommend this approach for a school?

Hi all,

 

I'm going to configure a FG 60E for a school. We would like to take advantage of VDOMs (up to ten) because the firewall will serve also other tenants 

 

I have to plan the network from scratch, firewall included and unfortunately I don't have physical access to it to play with the commands.

 

I would like the maximum flexibility in assigning a public IP address to VDOMs without using NAT and for this reasons I would forget of the WAN1/WAN2/DMZ interfaces and go for a trunk of four (or even six) interfaces and then create SVI (sorry I use Cisco ternimology) that I will assign to VDOM based on the needs.

As I said In this way each VDOM may have the possibility to be exposed to the Internet with NATted IP address. We have a /27 prefix assigned.

 

Does anyone have any objection/advice on this approach? Will we loose any feature by configuring the 60E in this way?

 

Non very important but is any feature for dual-homing tightened to the physical WAN1/WAN2 interfaces or such feature can be used on any interface?

 

 

Any feedback will be much appreciated :)

 

Alex

10 REPLIES 10
lobstercreed
Valued Contributor

There isn't any technical reason you can't do this that I am aware of, but I would be worried that you're putting too much load on a box this small based on how you've described it.  Others may have more experience with something like this though.

axlmac

Thanks Daniel,

 

the number of users may be up to 200 though the concurrent ones might be around 50. As the majority is made of students indeed the FG would be called to do a lot of checks. The pipe to the Internet is 1Gibt/s and we will have to carefully choose up to which level of protection to push/enable on the FG.

 

The implementation of having more than few VDOM might be postponed and done at will when maybe students have to learn firewalling.

 

Many thanks for your precious reply,

 

Alex

emnoc
Esteemed Contributor III

This is called a firewall on a stick approach and I have done this many times when ports where limited. Unless you have limitation in your switch port type or availability, I see no reason to do a "firewall on a stick".

 

Also if your interface is 1gbps your not going to get 1gbps with a "firewall on a stick".

 

Where I used "firewall on a stick" where when 10/40gbe switchports where limited in the switch-fabric and or the model has a limited number ( i.e FGT5100D )

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
axlmac
New Contributor

Hi Ken,

 

indeed for the main or the few of them (two or more) I may use physical interfaces on the WAN side (WAN1/WAN2) but for the internal ones I may go for the trunk (four or six) , in this way if I needed a new L3 segment (regardless if for a new VDOM or not) I would just need to add a new VLAN and that would be it.

 

Many thans,

 

Alex

axlmac
New Contributor

Hi Ken/Daniel,

 

I have just realized the main reason for going for the Firewall on the stick.

We have two 3com switches that run in stack, hence if we want to benefit of the redundancy (without manual intervention) we have to have the L3 interface of the firewall to both the switches and the only way that came in to my mind was the trunk. The bandwith will be automatically used by the VLANs.

The only question I have is if the WAN1/WAN2 can be treated as L2 interface and can join an etherchannel or they are fixed L3.

 

Sorry for not having mentioned from the beginning but by trying to make the long story short I left behind an important detail.

 

Thanks again,

 

Alex

andrewbailey

Hi Alex,

 

I might be wrong, but it seems perhaps you are missing one of the most fundamental points here.

 

The 60E will not provide 1Gb/s throughput in your scenario of a 1Gb/s ISP link. 

 

According to the spec sheets ( https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf ) it is capable of only 250Mb/s throughput running NGFW (performance is measured with Firewall, IPS, and Application Control enabled).

 

So unless you turn off all the NGFW features you will never see the maximum bandwidth your ISP is providing. And if you are going to turn off those features you may as well use something like a cheap Cisco SMB router which may deliver a higher overall WAN speed.

 

Perhaps you have considered all of that already- but it isn't just the number of  users or the number of ADOMS that will likely limit what you are trying to achieve here (although these are also critical factors).

 

I'm sorry if I sound slightly negative- you sound like a creative designer. But if speed is also part of your design equation then I think the 60E is going to disappoint you.

 

Have you already purchased the 60E?

 

I'm sure you are probably aware that there is a 60F now? That has much better performance, exactly the same layout/ ports etc and is a very similar price. It should achieve up to 700Mb/s with full NGFW features enabled.

 

However, if you need the full 1Gb/s to be shared between those users you will need something bigger. Google the Fortinet Product Matrix which shows a comparison of the appliances. From what I can see the Fortigate 100F is the first box which will likely support that full line speed of 1Gb/s in NGFW mode. Here in the UK the Fortigate 100F is around 4 times the price of a 60F (or 60E).

 

Sizing the Fortigate product for the solution is an important step- I would hate to see make an expensive mistake if you got that part wrong.

 

Good luck, and hope this helps you a little.

 

Kind Regards,

 

 

Andy.

axlmac

Hi Andy,

 

thanks for your reply, your observation is indeed a good point. I am aware of the performances the 60E provides but unfortunately it has already been bought, I don't know if in case it may be replaced. I'll see what can be done. Thanks,

Alex

axlmac
New Contributor

Well,

 

sorry to pick up this old thread but eventually I managed to apply many features. The Box is connected through LACP both in the internal and the Internet-caììfacing interface, many VDOMs, on the external LACP I'm using EMAC-VLAN, secondary public address on all the VDOMs, internal VDOMs to handle many GRE over one single IPSEC tunnel. It's really fun. Thans everybody for each piece of contribution.

 

Alex

emnoc
Esteemed Contributor III

We have two 3com switches that run in stack

 

if you have a stack you should really look for a model that support  802.3ad and do aggregated ethernet imho. That would not be possible in a 60 model but you would need to check.

 

 

With a bundle your single firewall could be linked to both members in the stack and depending on hashing you will have the advantage of both 1gige uplinks.

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors