Hi beautiful people,
I need your help again.
I have to create an infrastructure from scratch in this way:
Rack 1
Fortigate 90D ( DMZ mode )
Switch HP ( with different VLANs like 192.168.100.1[management], 192.168.200.1[services] )
Rack 2
Fortigate 90D ( LAN mode )
Switch HP ( with different VLAN like 192.168.101.1[management], 192.168.201.1[services] )
My issues are:
How to setup the fortigate in rack 1 in DMZ mode.
How to connect fortigate in rack 1 to the fortigate in rack 2
Hope you can help me.
Have a nice day.
Mike
Well, first of all there is no "DMZ-Mode" on a FGT.
You will need a vlan trunk from the switch to the FGT in each Rack.
You will need to set up a virtual interface for every vlan in this rack on the FGT in this rack.
You will need to create static routes for the subnets in the opposite rack
You will need to create policies to allow the traffic
You didn't write what means of connection there is between the two racks (and with that the two FGT).
Probably you will have one port (or a trunk if your FGT supports that) to wire them together.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi sw2090,
I really appreciate that you answered me really fast! :)
With the DMZ-mode I only wanted to explain the topology of the infrastructure.
"You will need a vlan trunk from the switch to the FGT in each Rack." Done!
"You will need to set up a virtual interface for every vlan in this rack on the FGT in this rack." How?
"You will need to create static routes for the subnets in the opposite rack." How?
"You will need to create policies to allow the traffic." Done!
RACK1
I have to connect rack 1 to the internet (I connected it temporarily with an LTE modem on wan1 of the FortiGate).
In the FortiGate I have created 3 interfaces: MGT (192.168.100.1), SVC (192.168.200.1), DMZ (192.168.240.1).
In the switch I have created 3 VLANs: MGT (192.168.100.1), SVC (192.168.200.1), DMZ (192.168.240.1).
I have 3 cables connected to/from FortiGate and switch (one for each VLAN).
RACK2
In the FortiGate I have created 3 interfaces: MGT (192.168.101.1), SVC (192.168.201.1), DMZ (192.168.241.1).
In the switch I have created 3 VLANs: MGT (192.168.101.1), SVC (192.168.201.1), DMZ (192.168.241.1).
I have 3 cables connected to/from FortiGate and switch (one for each VLAN).
I do not know how to connect the two racks in a secure way.
I would like the first rack to act like a DMZ and the second like a LAN.
The first rack is connected to the internet (SFTP server, WSUS, etc.); the second rack is offline and only connected to rack 1 over the LAN for services like SFTP, WSUS, etc. to update some workstations and printers.
Thank you and sorry if I explain stuff in a bad manner.
Mike
Virtual vlan interfaces + vlan trunk is the way I do it here. Since you have ports for the vlans you don't need either of them. You just have to make sure the ports are (un)tagged in the correct vlan on the switches.
Is there atm any connection between the two fortigates?
If so you just need to set up static routes to the opposite networks on each FGT.
And you need some policies to allow the traffic you want to have there.
You do not need to care for vlanids or tagging in policies. Just set your vlan port as source/destination. The port will do the rest, for vlan interfaces on FGTs are always in "untagged" mode - i.e. the FGT will rewrite the vlan tag with the vid specified on the interface.
Optional (might in this case be overkill *g): you could set up some IPSec or SSL VPN on top of the FGT<->FGT connection and route the traffic through it.
I use this here to route traffic from here (central) to our shops via IPSec tunnels with FGT on both ends.
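As an added illustration of the three steps sw2090 lists (vlan interface, static route, policy), here is what the rack 1 side could look like in FortiOS CLI. This is not configuration from the thread: the VLAN ID 200, the trunk port internal1, the inter-rack link internal5 addressed 10.0.0.1/30 (rack 2 FGT at 10.0.0.2) and the WSUS ports 8530-8531 are all assumptions; the subnets are the ones Mike posted. The policy admits only the SFTP and WSUS traffic the LAN rack needs, so everything else falls to the implicit deny.

```text
# Rack 1 FortiGate. Assumed: trunk on internal1, VLAN 200 for SVC,
# inter-rack link internal5 already set to 10.0.0.1/30, rack 2 at 10.0.0.2.
config system interface
    edit "SVC"
        set vdom "root"
        set interface "internal1"
        set vlanid 200
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping
    next
end
# Static route to the opposite rack's SVC subnet via the rack 2 FGT
config router static
    edit 1
        set dst 192.168.201.0 255.255.255.0
        set gateway 10.0.0.2
        set device "internal5"
    next
end
config firewall address
    edit "RACK2-SVC"
        set subnet 192.168.201.0 255.255.255.0
    next
    edit "RACK1-SVC"
        set subnet 192.168.200.0 255.255.255.0
    next
end
# WSUS default ports (assumption: unchanged on the server)
config firewall service custom
    edit "WSUS"
        set tcp-portrange 8530-8531
    next
end
# Allow only SFTP (SSH) and WSUS from the LAN rack into the DMZ rack;
# anything not matched here hits the implicit deny. Logged for visibility.
config firewall policy
    edit 1
        set name "rack2-to-dmz-updates"
        set srcintf "internal5"
        set dstintf "SVC"
        set srcaddr "RACK2-SVC"
        set dstaddr "RACK1-SVC"
        set action accept
        set schedule "always"
        set service "SSH" "WSUS"
        set logtraffic all
    next
end
```

The rack 2 FGT gets the mirror image: its own VLAN interfaces, a route to 192.168.200.0/24 via 10.0.0.1, and a policy from its SVC interface towards the inter-rack port with the same address objects and services swapped.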
At least one common subnet/vlan is needed to let two FGTs talk to each other unless a router is in between. For security concerns, FW policies are the main tool to segregate different types of user traffic based on source/destination/services, etc.
Toshi, all my FGT here prove you wrong.
You do not have to have a common subnet. If you don't have one you do need static routing. The FGT can do static routing themselves so you don't need an extra router here basically.
I'm not talking about the IPSec situation, in which you can use the phase1 interface name to route through without specifying a GW. If FGT1-FGT2 are directly (or via switches) connected, they need to have a common subnet.
Ok, maybe this is another misunderstanding of mine of the FGT concept, like tanr recently corrected. FGT takes a gateway IP which isn't inside of the interface subnet. So as long as vlan tagging is matching on both ends the static route might work like GW:192.168.101.1 while interface IP is 192.168.100.1/24.
Any L3 routers would reject that kind of static route config so I was assuming above example wouldn't work.
Thank you all for your replies. :)
At this point, I have another question:
Is it better to connect to the second FW with a switch or directly with a server?
My need is that before connecting from network A (DMZ) to network B (LAN) I have to protect every network with a firewall.
So, for you, thinking about security, is it better to connect them with:
Rack A(DMZ) - Rack B(LAN)
Solution 1) FW to FW
Solution 2) SW to FW
Solution 3) HOST to FW
As long as it passes through one of the FWs, that would become a security checkpoint. Not much difference from a security standpoint. You should design it from network architecture, like changeability, maintainability, expandability, etc.