Hello, I have an FG 60D and I am using it as a switch - LAN1 is "WAN" from my ISP router and the other LANs are for my PC, WiFi routers etc. Is there a way to keep using it as described and keep using the firewall for blocking specific pages? Thank you for any advice.
60D is very old at this point and should be replaced.
Yes, I am aware of this but that is not the question.
Yeah, but this firewall should no longer be used or connected to the internet. There is nothing wrong with your setup per se, but it's a pretty big security risk from a vulnerability standpoint.
The main firewall is set up on the ISP router, but I would like to block some specific websites with the 60D. I would set it up on the ISP router, but the thing is it is a MikroTik and it uses a Layer 7 firewall for websites, which is an enormous CPU consumer.
Without knowing more about your configuration I'd say yes but if this is in a production environment I'd get it upgraded ASAP.
Without knowing specifics I'd wager that this FTG has a few known vulnerabilities.
The FortiGate also uses Layer 7 for inspection. In general I don't really think it's a good idea to daisy chain devices like this.
Hi @RobbieI
If your 60D still has an active UTP license, you could use this as another layer of security in transparent mode.
Transparent mode is used if you want to apply security scanning to traffic without applying routing or network address translation (NAT), such as when a FortiGate is used as an Internal Segmentation Firewall (ISFW).
Here are some case scenarios and how to implement transparent mode.
https://community.fortinet.com/t5/Support-Forum/Fortigate-Transparent-mode-Operating-in-transparent-...
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/463938/installing-a-fortigate-in-transpa...
Regards,
In general, yes, you could use the FortiGate to block specific websites by either creating policies with action block for those websites, or applying webfilter.
Please note that the webfilter option might need certificate inspection enabled to detect the destination website properly (and block it as desired).
However, as has been mentioned above, the 60D is an outdated model and from a security viewpoint I would strongly recommend replacing the device if you're using it as anything more than just a basic switch/router (and even then it might be vulnerable).
Cheers,
Debbie
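The setup described in the two answers above (transparent mode, a web filter with a static URL block list, and a policy that applies it with certificate inspection), written out as a FortiOS CLI script. This is an added example and not part of the thread or of Fortinet's documentation; the management IP, gateway, interface names "internal"/"wan1", policy ID 10 and the blocked host "example.com" are placeholders to be replaced with your own values, and the exact option set varies between FortiOS releases.

```text
# Added example (not from the thread): assumed placeholder values throughout.
# 1. Switch the unit to transparent mode so it bridges traffic without routing/NAT.
config system settings
    set opmode transparent
    set manageip 192.168.1.99/24    # placeholder management address
    set gateway 192.168.1.1         # placeholder upstream gateway (ISP router)
end
# 2. Static URL filter list: each entry is matched against the destination host.
config webfilter urlfilter
    edit 1
        set name "blocked-sites"
        config entries
            edit 1
                set url "example.com"   # placeholder site to block
                set type simple
                set action block
            next
        end
    next
end
# 3. Web filter profile that references the URL list above.
config webfilter profile
    edit "block-sites"
        config web
            set urlfilter-table 1
        end
    next
end
# 4. Policy from the client side to the ISP side applying the profile.
#    certificate-inspection lets the filter read the SNI/certificate name
#    of HTTPS connections without decrypting the session.
config firewall policy
    edit 10
        set name "LAN-to-WAN-filtered"
        set srcintf "internal"      # placeholder client-side interface
        set dstintf "wan1"          # placeholder ISP-side interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "block-sites"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

With logging enabled on the policy, blocked attempts show up in the web filter log, which is the quickest way to confirm the list is matching as intended.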
Copyright 2024 Fortinet, Inc. All Rights Reserved.