I am currently in the process of evaluating FortiGate firewall to be deployed at customer locations. The plan is to use IPSec tunnel between the FortiGate and a VPN gateway (Cisco or FortiGate) located in the data center. The plan is to share the same VPN gateway (pair to be precise) for multiple customers. On the Cisco platform I am used to using VRFs which allow the data traffic from customers to be separated. One of the options I will be considering is the "VRF Aware IPSec" feature available on Cisco routers. Is something similar possible with the FortiGate firewalls? I should add that I don't want to use VDOMs, as the plan is to keep the tunnel end point IP address the same for all the FortiGate firewalls that are deployed. Thanks
We use VDOMs for that purpose. If you don't, your customers share the same routing domain at the termination point of the VPN, which defeats the purpose of having a separate MPLS (VRF) network per customer on the Cisco side.
I believe VRF support is being added in FortiOS 6.4.
I heard that rumor. But I didn't know it's in their road-map now. It would be more than a year out, I guess, even if that's true.
VRF support in a vdom is already here iirc
Ken Felix
PCNSE
NSE
StrongSwan
I don't think the current implementation is fully compatible with other vendors', like Cisco, Juniper, etc. The available number of VRFs is merely 0 - 31.
The purpose is to not use VDOMs for each VPN. We want to have the same public IP for all VPNs and afterwards separate the traffic with a VRF for each customer. I don't know if it's possible to do.
VRF support in VDOM is added in FortiOS 6.2.3. I'm trying to build a comp for testing it.
The only downside to this would be the 32 limit for total VRFs. So that would equal 32 max clients if you can get it working. Also, this was discussed last month about VRF and VRF support:
https://forum.fortinet.com/tm.aspx?m=181441
I played with it, but not with tunnels. I would not see any reason why it would not work, fwiw. So VDOMs would be cost prohibitive in that you have hard-set limits for the appliance and then license add-on cost $$$$; VRF could be stretched up to 32 and then you deal with it by adding more FortiGates and more IPs and go at it.
The other issue, which is more pressing (imho), is how much IPsec traffic and performance degradation for up to 32x IPsec tunnels (i.e. are you using a mid-range or entry-level FortiGate, what's the total IPsec traffic in bps that is expected, etc.).
Ken Felix
PCNSE
NSE
StrongSwan
Hi Guys,
we have some old Cisco Nexus 5K and it would be funny to replace them with the FortiCluster.
But is there any kind of documentation out there for the VRF use? My aim would be to have the firewall as a CustomerEdge device!
Cheerio, Raffa
Thanks in advance, Rafael