mike9891
New Contributor

How to connect FortiGate 90D (DMZ mode) to FortiGate 90D (LAN mode)

Hi beautiful people,

I need your help again.

I have to create an infrastructure from scratch, like this:

Rack 1
FortiGate 90D (DMZ mode)
Switch HP (with different VLANs, like 192.168.100.1 [management], 192.168.200.1 [services])

Rack 2
FortiGate 90D (LAN mode)
Switch HP (with different VLANs, like 192.168.101.1 [management], 192.168.201.1 [services])

My issues are:

How to set up the FortiGate in rack 1 in DMZ mode.
How to connect the FortiGate in rack 1 to the FortiGate in rack 2.

Hope you can help me.

Have a nice day.

Mike

sw2090
Honored Contributor

Well, first of all there is no "DMZ mode" on a FGT.

You will need a vlan trunk from the switch to the FGT in each rack.
You will need to set up a virtual interface for every vlan in this rack on the FGT in this rack.
You will need to create static routes for the subnets in the opposite rack.
You will need to create policies to allow the traffic.

You didn't write what means of connection there is between the two racks (and with that the two FGTs).
Probably you will have one port (or a trunk if your FGT supports that) to wire them together.

 

 


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

mike9891

Hi sw2090,

I really appreciate that you answered me so fast! :)

With "DMZ mode" I only wanted to describe the topology of the infrastructure.

"
You will need a vlan trunk from the switch to the FGT in each Rack. Done!
You will need to set up a virtual interface for every vlan in this rack on the FGT in this rack. How?
You will need to create static routes for the subnets in the opposite rack. How?
You will need to create policies to allow the traffic. Done!
"

RACK 1
I have to connect rack 1 to the internet (I connected it temporarily with an LTE modem on wan1 of the FortiGate).
In the FortiGate I have created 3 interfaces: MGT (192.168.100.1), SVC (192.168.200.1), DMZ (192.168.240.1).
In the switch I have created 3 VLANs: MGT (192.168.100.1), SVC (192.168.200.1), DMZ (192.168.240.1).
I have 3 cables connected between the FortiGate and the switch (one for each VLAN).

RACK 2
In the FortiGate I have created 3 interfaces: MGT (192.168.101.1), SVC (192.168.201.1), DMZ (192.168.241.1).
In the switch I have created 3 VLANs: MGT (192.168.101.1), SVC (192.168.201.1), DMZ (192.168.241.1).
I have 3 cables connected between the FortiGate and the switch (one for each VLAN).

I do not know how to connect the two racks in a secure way.
I would like the first rack to act like a DMZ and the second like a LAN.

The first rack is connected to the internet (SFTP server, WSUS, etc.); the second rack is offline and only connected to rack 1 over the LAN for services like SFTP, WSUS, etc., to update some workstations and printers.

Thank you, and sorry if I explain things badly.

Mike

sw2090
Honored Contributor

Virtual vlan interfaces + vlan trunk is the way I do it here. Since you have separate ports for the vlans you don't need either of them. You just have to make sure the ports are (un)tagged in the correct vlan on the switches.

Is there atm any connection between the two FortiGates?
If so, you just need to set up static routes to the opposite networks on each FGT.
And you need some policies to allow the traffic you want to have there.
You do not need to care about vlan IDs or tagging in policies. Just set your vlan port as source/destination. The port will do the rest, for vlan interfaces on FGTs are always in "untagged" mode, i.e. the FGT will rewrite the vlan tag with the VID specified on the interface.

Optional (might in this case be overkill *g): you could set up some IPSec or SSL VPN on top of the FGT<->FGT connection and route the traffic through it.

I use this here to route traffic from here (central) to our shops via IPSec tunnels with an FGT on both ends.



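As an added example (not from the thread, nor Fortinet's own documentation for this setup), here is what sw2090's four steps look like in FortiOS CLI on the rack 1 FGT, using the trunk variant with a VLAN sub-interface. It assumes a dedicated transit subnet 10.0.0.0/30 on port5 between the two FGTs (10.0.0.1 on rack 1, 10.0.0.2 on rack 2, which also gives them the common subnet Toshi mentions), the SVC VLAN tagged 200 on internal1, and a constructed SFTP server address 192.168.200.10; the rack 2 FGT mirrors this with the subnets swapped.

```text
# Rack 1 FGT: VLAN sub-interface for the SVC VLAN on the switch trunk
config system interface
    edit "SVC"
        set interface "internal1"   # physical port carrying the trunk (assumed)
        set vlanid 200
        set ip 192.168.200.1 255.255.255.0
    next
    edit "port5"                     # transit link to the rack 2 FGT (assumed)
        set ip 10.0.0.1 255.255.255.252
    next
end

# Static routes to the rack 2 subnets, via the rack 2 FGT's transit address
config router static
    edit 10
        set dst 192.168.101.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port5"
    next
    edit 11
        set dst 192.168.201.0 255.255.255.0
        set gateway 10.0.0.2
        set device "port5"
    next
end

# Address objects used by the policy (constructed values)
config firewall address
    edit "RACK2_SVC"
        set subnet 192.168.201.0 255.255.255.0
    next
    edit "SFTP_SRV"
        set subnet 192.168.200.10 255.255.255.255
    next
end

# Only rack 2 hosts may reach the SFTP server, only on SSH; the implicit deny drops everything else
config firewall policy
    edit 1
        set name "RACK2_to_SFTP"
        set srcintf "port5"
        set dstintf "SVC"
        set srcaddr "RACK2_SVC"
        set dstaddr "SFTP_SRV"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
```

Add one policy per service (WSUS, etc.) in the same shape rather than a broad "all" policy, so the FGT-to-FGT link stays a real checkpoint and the logs show exactly which rack 2 hosts reached which DMZ service.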
Toshi_Esumi
Esteemed Contributor III

At least one common subnet/vlan is needed to let two FGTs talk to each other unless a router is in between. For security concerns, FW policies are the main tool to segregate different types of user traffic based on source/destination/services, etc.

sw2090
Honored Contributor

Toshi, all my FGTs here prove you wrong.

You do not have to have a common subnet. If you don't have one you do need static routing. The FGTs can do static routing themselves, so you don't need an extra router here, basically.



Toshi_Esumi
Esteemed Contributor III

I'm not talking about an IPSec situation, in which you can use the phase1 interface name to route through without specifying a GW. If FGT1 and FGT2 are directly (or via switches) connected, they need to have a common subnet.

Toshi_Esumi
Esteemed Contributor III

Ok, maybe this is another misunderstanding of mine of the FGT concept, like tanr recently corrected. An FGT takes a gateway IP which isn't inside the interface subnet. So as long as vlan tagging is matching on both ends, a static route might work with GW 192.168.101.1 while the interface IP is 192.168.100.1/24.

Any L3 router would reject that kind of static route config, so I was assuming the above example wouldn't work.

mike9891

Thank you all for your replies. :)

At this point, I have another question:

Is it better to connect to the second FW with a switch or directly with a server?

My need is that before connecting from network A (DMZ) to network B (LAN), I have to protect every network with a firewall.

So which do you think is better, thinking about security, to connect them with:

Rack A (DMZ) - Rack B (LAN)

Solution 1) FW to FW
Solution 2) SW to FW
Solution 3) HOST to FW

Toshi_Esumi
Esteemed Contributor III

As long as it passes through one of the FWs, that would become a security checkpoint. Not much difference from a security standpoint. You should design it from the network architecture side, like changeability, maintainability, expandability, etc.