Fortigate internal firewall for a VLAN
Hello Dear Friends,
As a Cisco guy I need help for a Fortigate internal firewall implementation :)
I have 3 vlans and I want to put an internal firewall for 1 vlan.
I did it many times for Cisco ASA but I am stuck with Fortigate.
I have basic knowledge of FortiOS and the GUI, but this is a little bit fuzzy for me.
In this topology I want to implement a firewall (not transparent mode) for vlan 66,
so all the internal traffic will hit the internal firewall.
On the firewall I will put some policies to decide who can access vlan 66 and from vlan 66 to outside.
Note: I have a Cisco L3 core switch. And here in this example, port2 is for FortiGate management.
Labels: FortiGate
Hello,
In this case you need to add the 3 vlans into FortiGate, and based on your needs you can manage the policy access rules from inside or outside towards these 3 vlans and vice versa.
You need to create the vlans under the interface where the FGT is connected to the Cisco SW.
For more info, review the following article on how to create vlans:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
-BR-
Hello Ndumaj,
Thank you for your kind and fast reply, but I still have questions.
I want to keep the other vlans on the core switch. I will only create 1 more on the firewall for this.
- Should there be only one physical port connection?
- How should this connection be defined on the Cisco side, trunk or access?
Could you please give me more specific information?
Thanks a lot
Hello bkyuksel,
Great, you can create only one vlan, up to you, based on your needs.
- Should there be only one physical port connection? -- You can use the second connection for redundancy purposes.
Please review the following article:
https://community.fortinet.com/t5/FortiGate/Setup-comparison-between-FortiGate-Hardware-switch-Softw...
- How should this connection be defined on the Cisco side, trunk or access? -- On the Cisco side the port should be a trunk.
-BR-
Thank you so much, I will try it again tonight. I appreciate it.
Also, any static routing?
Yep, you should use some static routes if there is no dynamic routing in place.
-BR-
Hi @bkyuksel
You can put a default static route for the vlan traffic to reach the internet, and also create firewall policies to filter who can reach the internet, etc.
Not any chance. I tried every possible solution but none of them works. On ASA, we create a transit connection and also 1 trunk port. And I create the new vlan on the ASA and direct the subnet traffic from the Cisco core switch with ip route 192.168.66.0 255.255.255.0 192.168.1.2, and this is it. But on the FortiGate, I created the vlan on the connected port, allowed everything in the policies, and still cannot ping.
Found the solution. It was about some IPv4 policies. It is working now.
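For anyone landing on this thread later, here is what the design the replies describe looks like as a FortiOS CLI configuration: the core switch keeps the other vlans and routes 192.168.66.0/24 toward the FortiGate, the FortiGate owns vlan 66 as a tagged sub-interface on its trunk port, static routes point back at the core, and IPv4 policies decide who crosses in each direction (the part that was missing in the "cannot ping" post). This is an added example, not configuration posted by anyone in the thread. It assumes port1 is the trunk link to the Cisco core, a transit subnet 192.168.1.0/24 carried untagged on that link with the core at 192.168.1.1 and the FortiGate at 192.168.1.2 (the next hop the core's "ip route" command points at), vlan 66 as 192.168.66.0/24 with the FortiGate at .1, and an admin subnet 192.168.10.0/24 behind the core. All interface names, addresses, object names and policy numbers are constructed.

```fortios
# Added example, not from the thread. Assumed: port1 = trunk to the Cisco core,
# transit 192.168.1.0/24 untagged on port1, vlan 66 tagged on port1, port2 = management.
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "vlan66"
        set vdom "root"
        set ip 192.168.66.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port1"
        set vlanid 66
    next
end

# Address objects used by the policies (constructed subnets).
config firewall address
    edit "vlan66-net"
        set subnet 192.168.66.0 255.255.255.0
    next
    edit "admin-net"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Return path: the core switch already knows the other vlans, so everything
# that is not vlan 66 goes back to it. Assumes the internet is also reached
# through the core; if the FortiGate has its own WAN port, point the default
# route there instead. (Core side, from the thread:
# ip route 192.168.66.0 255.255.255.0 192.168.1.2)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1
        set device "port1"
    next
end

# IPv4 policies. FortiOS denies anything that matches no policy, and a policy
# is per interface pair and direction, so core -> vlan66 and vlan66 -> core
# each need their own entry. No NAT: the core routes 192.168.66.0/24 to us.
config firewall policy
    edit 1
        set name "admin-to-vlan66"
        set srcintf "port1"
        set dstintf "vlan66"
        set srcaddr "admin-net"
        set dstaddr "vlan66-net"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set logtraffic all
    next
    edit 2
        set name "vlan66-to-outside"
        set srcintf "vlan66"
        set dstintf "port1"
        set srcaddr "vlan66-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

On the Cisco side the port facing port1 is a trunk (switchport mode trunk) that carries vlan 66 tagged and the transit vlan as the native vlan, so the 192.168.1.x addresses line up with the untagged port1 address above; the core must not keep an SVI for vlan 66, otherwise it will answer for 192.168.66.1 itself. To check the routes on the FortiGate use get router info routing-table all, and when a ping still fails, diagnose debug flow filter addr 192.168.66.10, diagnose debug flow trace start 10 and diagnose debug enable show per packet which interface pair it hit and whether it was dropped for lack of a matching policy, which is the symptom the thread ended on. Leaving logtraffic all on both policies also makes every allowed and denied session visible in the forward traffic log while you are testing.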
Nice to hear that you found the solution.
Well Done!
-BR-
