RobbieI
New Contributor

FortiGate 60D as switch with firewall

Hello, I have an FG 60D and I am using it as a switch - LAN1 is "WAN" from my ISP router and the other LANs are for my PC, WiFi routers etc. Is there a way to keep using it as described and keep using the firewall for blocking specific pages? Thank you for the advice.

adambomb1219
SuperUser

60D is very old at this point and should be replaced.  

RobbieI

Yes, I am aware of this but that is not the question.

adambomb1219

Yeah, but this firewall should no longer be used or connected to the internet. There is nothing wrong with your setup per se, but it's a pretty big security risk from a vulnerability standpoint.

RobbieI

The main firewall is set up at the ISP router, but I would like to block some specific websites with the 60D. I would set it up at the ISP router, but the thing is it is a MikroTik and it uses Layer 7 fw for websites, and it is an enormous CPU consumer.

RobbieRigel
New Contributor

Without knowing more about your configuration I'd say yes but if this is in a production environment I'd get it upgraded ASAP. 

Without knowing specifics I'd wager that this FTG has a few known vulnerabilities. 

RobbieI

The main firewall is set up at the ISP router, but I would like to block some specific websites with the 60D. I would set it up at the ISP router, but the thing is it is a MikroTik and it uses Layer 7 fw for websites, and it is an enormous CPU consumer.

adambomb1219

The FortiGate also uses Layer7 for inspection. In general I don't really think it's a good idea to daisy chain devices like this.

rvillaroman
Staff

Hi @RobbieI

If your 60D still has an active UTP license, you could use this as another layer of security in transparent mode.
Transparent mode is used if you want to apply security scanning to traffic without applying routing or network address translation (NAT), such as when a FortiGate is used as an Internal Segmentation Firewall (ISFW).

Here are some case scenarios and how to implement transparent mode.
https://community.fortinet.com/t5/Support-Forum/Fortigate-Transparent-mode-Operating-in-transparent-...
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/463938/installing-a-fortigate-in-transpa...

 

Regards,

rvillaroman
Debbie_FTNT
Staff

In general, yes, you could use the FortiGate to block specific websites by either creating policies with action block for those websites, or applying webfilter.

Please note that the webfilter option might need certificate inspection enabled to detect the destination website properly (and block it as desired).

However, as has been mentioned above, the 60D is an outdated model and from a security viewpoint I would strongly recommend replacing the device if you're using it as anything more than just a basic switch/router (and even then it might be vulnerable).

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
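
The approach described in the reply above (a web filter applied on a policy, with certificate inspection so HTTPS destinations can be identified), as an added FortiOS CLI example that is not from the thread or from Fortinet's documentation. The table ID, the profile and policy names, the blocked host, and the interface names `internal` and `wan1` are assumptions; available options vary by FortiOS version.

```fortios
# Added example. Names, IDs, the host and the interfaces are assumptions.

# 1. Static URL filter table with one blocked host (constructed sample).
config webfilter urlfilter
    edit 1
        set name "blocked-sites"
        config entries
            edit 1
                set url "www.blocked.example"
                set type simple
                set action block
            next
        end
    next
end

# 2. Web filter profile that references the table above.
config webfilter profile
    edit "block-specific-sites"
        config web
            set urlfilter-table 1
        end
    next
end

# 3. Policy for traffic from the LAN ports to the upstream router.
#    certificate-inspection lets the FortiGate read the hostname of
#    HTTPS sites without decrypting the session contents.
config firewall policy
    edit 0
        set name "lan-to-upstream-webfilter"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "block-specific-sites"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```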