Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bkyuksel
New Contributor II

Fortigate internal firewall for a VLAN

Hello Dear Friends,.

As a Cisco guy I need help for a Fortigate internal firewall implementation :)

I have 3 vlans and I want to put an internal firewall for 1 vlan.

I did it many times for Cisco ASA but I am stuck with Fortigate.

I have basic knowledge of Forti OS and GUI but this is a little bit fizzy for me.

On this topology I want to implement a firewall (not transparent mode) for vlan 66

So all the internal traffic will hit the internal firewall. 

On the firewall I will put some policies to decide who can access to vlan 66 and from vlan 66 to outside.

Note: I have Cisco L3 core switch. And here on this example port2 for Fortigate management.forti_internal.png

9 REPLIES 9
ndumaj
Staff
Staff

Hello,

In this case you need to add the 3 vlans into FortGate and based on your needs you can manage the policy access rules from inside or outside towards these 3 vlans and VS.
You need to create the vlans under the interface where FGT is connected with Cisco SW.

For more info review the following article how to create vlans:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...

-BR-

- Happy to help, hit like and accept the solution -
bkyuksel
New Contributor II

Hello Ndumaj,

 

Thank you for your kind and fast reply but I have still questions.

I want to keep other vlans on the core switch. I will only create 1 more on the firewall for this.

-Should there be only one physical port connections? 

-How this connection should be defined at cisco side trunk or access?

Could you please give me more specific information?

Thanks a lot

ndumaj

Hello bkyuksel,

Great you can create only one vlan up to you, based on your needs.

-Should there be only one physical port connections? -- You can use the second connection for redundancy purposes.
Please review the following article:
https://community.fortinet.com/t5/FortiGate/Setup-comparison-between-FortiGate-Hardware-switch-Softw...

-How this connection should be defined at cisco side trunk or access?  -- On cisco side the port should be trunk.

-BR-



- Happy to help, hit like and accept the solution -
bkyuksel
New Contributor II

Thank you so much I will try it tonight again. I appreciate.

Also any static routing?

ndumaj

Yeap, you should use some static if there is no dynamic routing in place.

-BR-

- Happy to help, hit like and accept the solution -
vbandha
Staff
Staff

Hi @bkyuksel 

You can put a default static route for the vlan traffic to reach internet and also create firewall policies to filter who can reach internet etc.

bkyuksel
New Contributor II

Not any chance. I tried every possible solution but none of them works. On ASA, we create a transit connection and also 1 trunk port. And I create the new Vlan on ASA and direct the subnet traffic from Cisco core switch with ip route 192.168.66.0 255.255.255.0 192.168.1.2 and this is it. But on fortigate, I created Vlan on the connected port. allowed everything on policies and still cannot ping.

bkyuksel
New Contributor II

Found the solution. It was about some IPV4 policies. it is working now.

ndumaj
Staff
Staff

Nice to hear that you found the solution.
Well Done!
-BR-

- Happy to help, hit like and accept the solution -
Top Kudoed Authors