FortiGate 60D as switch with firewall
Hello, I have a FG 60D and I am using it as a switch - LAN1 is the "WAN" from my ISP router and the other LANs are for my PC, WiFi routers, etc. Is there a way to keep using it as described and keep using the firewall for blocking specific pages? Thank you for your advice.
Labels: FortiGate
60D is very old at this point and should be replaced.
Yes, I am aware of this but that is not the question.
Yeah, but this firewall should no longer be used or connected to the internet. There is nothing wrong with your setup per se, but it's a pretty big security risk from a vulnerability standpoint.
The main firewall is set up at the ISP router, but I would like to block some specific websites with the 60D. I would set it up at the ISP router, but the thing is it is a MikroTik and it uses a Layer 7 firewall for websites, which is an enormous CPU consumer.
Without knowing more about your configuration I'd say yes, but if this is in a production environment I'd get it upgraded ASAP.
Without knowing specifics, I'd wager that this FTG has a few known vulnerabilities.
The FortiGate also uses Layer 7 for inspection. In general I don't really think it's a good idea to daisy chain devices like this.
Hi @RobbieI
If your 60D still has an active UTM license, you could use it as another layer of security in transparent mode.
Transparent mode is used if you want to apply security scanning to traffic without applying routing or network address translation (NAT), such as when a FortiGate is used as an Internal Segmentation Firewall (ISFW).
Here are some case scenarios and how to implement transparent mode:
https://community.fortinet.com/t5/Support-Forum/Fortigate-Transparent-mode-Operating-in-transparent-...
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/463938/installing-a-fortigate-in-transpa...
Regards,
In general, yes, you could use the FortiGate to block specific websites by either creating policies with action "block" for those websites, or by applying a web filter.
Please note that the web filter option might need certificate inspection enabled to detect the destination website properly (and block it as desired).
However, as has been mentioned above, the 60D is an outdated model and from a security viewpoint I would strongly recommend replacing the device if you're using it as anything more than just a basic switch/router (and even then it might be vulnerable).
Cheers,
Debbie
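As an added example (not code from the thread, and not Fortinet's own documentation), here is a FortiOS CLI configuration for the setup the thread converges on: the 60D placed inline in transparent mode between the ISP router and the LAN, as the transparent-mode reply describes, with a static URL filter applied through a firewall policy that uses certificate inspection, as Debbie's answer describes. The interface names `internal1` (port facing the ISP router) and `internal2` (port facing the PCs and WiFi routers), the management IP and gateway, the blocked hostnames, and the built-in `certificate-inspection` SSL/SSH profile name are assumptions to adapt to your own ports and network; the `example.com` / `example.net` entries are constructed placeholders.

```fortios
# Added example, not from the thread or Fortinet docs.
# Interface names, addresses and hostnames below are assumptions.

# 1. Transparent mode: the unit bridges frames between its ports without
#    routing or NAT (the ISFW use case). manageip/gateway are placeholders
#    on the ISP router's LAN subnet and only serve management access.
config system settings
    set opmode transparent
    set manageip 192.168.88.2/255.255.255.0
    set gateway 192.168.88.1
end

# 2. Static URL filter table. Local entries like these do not depend on a
#    FortiGuard web-filter subscription; "simple" matches the hostname,
#    "wildcard" covers subdomains.
config webfilter urlfilter
    edit 1
        set name "blocked-sites"
        config entries
            edit 1
                set url "example.com"
                set type simple
                set action block
            next
            edit 2
                set url "*.example.net"
                set type wildcard
                set action block
            next
        end
    next
end

# 3. Web filter profile that references URL filter table 1 above.
config webfilter profile
    edit "block-sites"
        config web
            set urlfilter-table 1
        end
    next
end

# 4. Policy from the LAN-facing port to the ISP-facing port. Certificate
#    inspection lets the unit read the server name from the TLS handshake,
#    so HTTPS sites can be matched and dropped by hostname without decrypting
#    the session (no CA install on clients). No NAT line: transparent mode
#    forwards traffic unchanged. UTM logging records each block for review.
config firewall policy
    edit 1
        set name "LAN-to-ISP-webfilter"
        set srcintf "internal2"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "block-sites"
        set logtraffic utm
    next
end
```

With certificate inspection the HTTPS connection to a listed site is dropped rather than redirected, so the browser shows a connection error instead of the FortiGate block page; that is expected and is the trade-off for not decrypting traffic. After applying the policy, confirm hits in the web filter logs for a test client before relying on it, and keep in mind the thread's caveat that an end-of-support unit is itself a vulnerability on the path to the internet.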