Hello Dear Friends,.
As a Cisco guy I need help for a Fortigate internal firewall implementation :)
I have 3 vlans and I want to put an internal firewall for 1 vlan.
I did it many times for Cisco ASA but I am stuck with Fortigate.
I have basic knowledge of Forti OS and GUI but this is a little bit fizzy for me.
On this topology I want to implement a firewall (not transparent mode) for vlan 66
So all the internal traffic will hit the internal firewall.
On the firewall I will put some policies to decide who can access to vlan 66 and from vlan 66 to outside.
Note: I have Cisco L3 core switch. And here on this example port2 for Fortigate management.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
In this case you need to add the 3 vlans into FortGate and based on your needs you can manage the policy access rules from inside or outside towards these 3 vlans and VS.
You need to create the vlans under the interface where FGT is connected with Cisco SW.
For more info review the following article how to create vlans:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
-BR-
Hello Ndumaj,
Thank you for your kind and fast reply but I have still questions.
I want to keep other vlans on the core switch. I will only create 1 more on the firewall for this.
-Should there be only one physical port connections?
-How this connection should be defined at cisco side trunk or access?
Could you please give me more specific information?
Thanks a lot
Hello bkyuksel,
Great you can create only one vlan up to you, based on your needs.
-Should there be only one physical port connections? -- You can use the second connection for redundancy purposes.
Please review the following article:
https://community.fortinet.com/t5/FortiGate/Setup-comparison-between-FortiGate-Hardware-switch-Softw...
-How this connection should be defined at cisco side trunk or access? -- On cisco side the port should be trunk.
-BR-
Thank you so much I will try it tonight again. I appreciate.
Also any static routing?
Yeap, you should use some static if there is no dynamic routing in place.
-BR-
Hi @bkyuksel
You can put a default static route for the vlan traffic to reach internet and also create firewall policies to filter who can reach internet etc.
Not any chance. I tried every possible solution but none of them works. On ASA, we create a transit connection and also 1 trunk port. And I create the new Vlan on ASA and direct the subnet traffic from Cisco core switch with ip route 192.168.66.0 255.255.255.0 192.168.1.2 and this is it. But on fortigate, I created Vlan on the connected port. allowed everything on policies and still cannot ping.
Found the solution. It was about some IPV4 policies. it is working now.
Nice to hear that you found the solution.
Well Done!
-BR-
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.