Hi There,
I'm wondering if anyone is using their FortiGate as a core router to manage inter-VLAN traffic. We're looking to build a simple network with basic server, client and management VLANs. We could do routing on a layer 3 switch, but we have an 81E at the gateway and were wondering if that could also handle internal traffic. We really want to get some visibility into the inter-VLAN traffic for security. Basically we'd want to set up firewall rules to just allow the required ports between the client and server networks, and we'd also want everything logged and aggregated into our FortiAnalyzer. We'd also still want the device handling our WAN gateway traffic, which has all the scanning bells and whistles on those policies. It's not a huge network: about 150 users, about 100 devices, and 1 site-to-site VPN connected to another FortiGate for a small office of about 20 users.
Any experts out there that can advise if this is a doable setup, and does anyone have the same setup? Would we be asking too much of the current FG in this scenario, and would a more powerful box do the trick? If so, any thoughts on how to appropriately choose an adequately powerful device? Is there a better way of handling this using our layer 3 switch and the FG, to at least still get the FG to log traffic between our internal VLANs without impacting speeds? Any insight is appreciated.
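As an illustration of the setup described above (an example added here, not configuration from the thread, the poster, or Fortinet): two VLAN subinterfaces on one FortiGate port, a single client-to-server policy limited to the required services, and logging of both allowed and implicitly denied inter-VLAN sessions to FortiAnalyzer. The interface names, VLAN IDs, subnets, services and FortiAnalyzer address are assumptions chosen for the example.

```fortios
# Constructed example: VLAN subinterfaces, a restrictive inter-VLAN policy and
# logging to FortiAnalyzer. Names, VLAN IDs, subnets and the FortiAnalyzer
# address are assumptions, not values from the thread.
config system interface
    edit "vlan-clients"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set interface "internal1"
        set vlanid 10
    next
    edit "vlan-servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set interface "internal1"
        set vlanid 20
    next
end
config firewall address
    edit "net-clients"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "net-servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "clients-to-servers"
        set srcintf "vlan-clients"
        set dstintf "vlan-servers"
        set srcaddr "net-clients"
        set dstaddr "net-servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB" "DNS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
# Also log sessions that hit the implicit deny, so blocked inter-VLAN attempts are visible.
config log setting
    set fwpolicy-implicit-log enable
end
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
end
```

Policies are evaluated per direction, so server-initiated sessions toward the client VLAN fall to the implicit deny unless a separate policy allows them; enabling IPS on the policy is what drives the inspection throughput figure, rather than the raw firewall throughput, when sizing the box.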
We have several deployments with FGs doing such things at even larger scale than yours. This is a fully supported configuration, but make sure to size the FortiGate properly.
Do you need security between VLANs? An L3 switch plus firewall is higher cost than a layer 3 switch or router. Price per port and bps is higher on an NGFW imho
PCNSE
NSE
StrongSwan
Sizing is a question of mine aagrafi, do you have any guidance on how to properly size a FG for this purpose by chance?
emnoc - I think these days that traffic between client and server VLANs should be separated and at least monitored and limited to the ports/services required (at least in smaller environments where this is feasible). So I guess I do think we should have some security between these VLANs. But I may be crazy for thinking this way and I'm open to being told different. We could probably do at least this much on a good layer 3 switch, but we are used to analyzing the FortiGate's traffic info from a security perspective between LAN and WAN, so we're thinking it would be good to consolidate inter-VLAN security and gateway security on the same box. I agree that doing this on the FG will be more expensive, but this is also part of why I'm querying the forum for sizing a FG for this purpose. Maybe doing this will be cost prohibitive compared to an L3 switch, but maybe the extra costs will be worth it.
I'm certainly open to more discussion on this from anyone willing to jump in
Security is always good and inspection is also great. Since this is a core ENV, do you need HA? Again, cost will become an issue.
So to size this all up, you need to have answers to the above at minimum, and before anybody could even remotely give you numbers.
Define your requirement and business use case 1st, and then get the numbers ;)
You have to answer this question first, before answering the sizing question: What is the anticipated aggregate inter-VLAN traffic, and what inspection do you need to apply (antivirus, IPS, etc.)? Your customer should probably be able to give you some figures here, based on the current traffic. But simply put, the number of users alone cannot give you the size of the firewall. In many networks, a few users may produce much more traffic than hundreds of users do in other networks.
Copyright 2024 Fortinet, Inc. All Rights Reserved.