Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Fortinet connect to core switch
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet connect to core switch
Dear All,
Can someone guide me what is the best way to setup fortigate in this scenario plz.
1) i have a fortigate & a core switch
2) they are having several vlan configured on the core switch included vlan for voice
3) right now intervlan routing if being done on the core switch
4) if we need to install fortigate as firewall how we can simply the config to the best way
5) i have several server on a specific vlan and also some server web server will need to access from outside on the internet.
6) i have also some vpn users who will need to access the internal resources from outside the network
7) The important thing also if i want to block certain users from a specific vlan not to access other vlan if it will be possible.
The way i want to setting up the fortigate i want to configure an interface on the fortigate example port 1 & port 2 as link aggregation and connect the core switch on port 1 & 2 as aggregation using LACP protocol. And configure and ip address on the fortigate link aggregation interface and configure an ip address to a vlan on the core switch. And on the core switch configure a default route going to the fortigate.
Can anyone may help me plz thanks alot
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
23 REPLIES 23
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any feedback plz
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any feedback plz
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) i have a fortigate & a core switch 2) they are having several vlan configured on the core switch included vlan for voice 3) right now intervlan routing if being done on the core switch 4) if we need to install fortigate as firewall how we can simply the config to the best way 5) i have several server on a specific vlan and also some server web server will need to access from outside on the internet. 6) i have also some vpn users who will need to access the internal resources from outside the network 7) The important thing also if i want to block certain users from a specific vlan not to access other vlan if it will be possible.item #1 what your asking is all simple. for vpn access you want to probably use SSLvpn and define user-groups. You could control someone the same thing with ipsec to some degree Do you want the firewall to have a downlink to the core ? and keep inter-vlan routing on the core? Remember with any RA-access, once a end users get' s access on that server, he/she has access to everything that server would have access , as-if a lcoal user on the console. So police and organize the fwpolicies fo lacp that' s no problem, just grab your 2 links and set them as a virtualinterface and and apply the fwpolocies to that virtual link. Do a search here with me as author, numeours examples has been posed for virtual-link that are LACP and the cfg is simple.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Thanks for your reply.
But i think you did not get me what i want exactly to achieve. And for the question 7 no answer for that.
Look my mission i want to do all the intervlan routing on the core switch itself and create a vlan point to point from core switch to fortinet and example ip address on core switch 192.168.1.2/29 and ip add 192.168.1.1/29 on fortinet and a default route on core switch toward fortinet which will be 192.168.1.1 the default gateway.
All users will use gateway on the core switch and core switch will talk to fortigate for internet etc.
As inter vlan routing are doing on the core switch but users will get access on every vlan but i do not want to allow users to access to all vlan only certain vlan. and some remote users will need to get access to internal resources via vpn. and will port forwarding possible in the setup from outside to inside
find attached the design
can you guide me how to achieve this plz.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) i have a fortigate & a core switch 2) they are having several vlan configured on the core switch included vlan for voice 3) right now intervlan routing if being done on the core switch 4) if we need to install fortigate as firewall how we can simply the config to the best way 5) i have several server on a specific vlan and also some server web server will need to access from outside on the internet. 6) i have also some vpn users who will need to access the internal resources from outside the network 7) The important thing also if i want to block certain users from a specific vlan not to access other vlan if it will be possible.ad. 4 & 7 You should be more specific about which internetwork segments need to be firewalled. If vlan 10, vlan 20, vlan 30 represent intranet logical segments and if they are to be separated with a firewall, then you have two distinct options: 1- core switch as a L3-L4 FW In point 3) you specify that inter-vlan routing is performed in the core switch. Keeping that fair design, just create access-lists in that switch and bind them to respective vlan interfaces (SVIs). Your intranet traffic will then avoid the inefficiencies of router-on-the-stick. The downside may be poor managability of multiple access lists with multiple access entries and lack of L7 firewall if you care. 2- Fortigate as intranet firewall This design basically reverses the pros and cons of the option 1 but suffers some scalability issues due to router-on-the-stick. Consider that to divert local traffic away from current inter-vlan routing, you need to delete SVIs on your core switch actually relocating them onto your FortiGate, set up a 801.1q between the core and FortiGate and use FortiGate vlan interfaces as default gateways for your segments. Best practice in scalable designs is to keep UTM (Fortigate) for Internet/DMZ/LAN only and a separate FW for intranet. What brand/model is your core switch device?
FCNSP 4.x running FortiOS 5.0.4 on FG621B A-A HA
FCNSP 4.x running FortiOS 5.0.4 on FG621B A-A HA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But i think you did not get me what i want exactly to achieve. And for the question 7 no answer for that.I know actually what you want. The topology diagram makes it even more clearier. I think RafaIS , summed up your dilema quite well. Your asking the wrong question in regards to using the firewall as a controlling devices for inter-vlan routing on the core switch. If you want todo it on the FGT; than that' s fine enable L3 interfaces for the clans and a 802.1q trunk and even better yet, a LACP 802.1q trunk back to the core and more are L3 SVI from the core switch into the FGT. Keep in mind; packets that travel the wire twice , is probably not good for performance. Managing L3 ACLs is probably not idea, either and I' m not sure of what switch you have but a ZBFW ( zone base firewall ) might not be doable. If you have let' s a 6500 with a FWSM ( firewall service module ) you could do your internal firewall within the core and the FGT would handle traffic destine outbound to the internet. You have so many options and choices, but you would have to determine where and how you want to go about. another choice might be one of the Fortinet Switches, I think they have a means for some type of firewall policies deploy iirc. But to be quite frank have sued enough of them and not overly impressed with them to begin with.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello thanks for both,
i really appreciate the reply.
let me more simple.
Question 1
Right now intervlan routing is doing on the core switch okay.
Question 2
i want to keep everything internal traffic on the core switch itself as rafals mention and only filter traffic for internet / dmz & lan only
but my problem is only to limit certain vlan not to access other vlan
example vlan users should not be able to access vlan management .
as intervlan routing is performing on the core switch obviously they will be able to access each vlan.
i want to setup like this
fortinet----> core switch --------> access switch --------> vlan user / vlan server / vlan management & voice vlan
on the core switch a default gateway toward the fortinet interface and all users & and server will use gateway as each interface configure on the core switch
got me.
A
is it okay like this plz. anything else better
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to manage that with L3 ACLs on the core-switch if you want or do not want inter-vlan access. The fortigate is useless in this manner.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SSLVPN on VDOM 486 Views
- Configuration on FortiGate verses FortiManager 133 Views
- Client Windows Remove DHCP due to... 64 Views
- Software switch witouth loop in fortigate? 91 Views
- Seeking Guidance on Configuring DHCP Relay... 209 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.