Hi this amazing community!
I am pretty new in Fortinet world (from basically cisco background). Company advised to see alternate vendor so i am considering Fortinet stack as better fit for us. I know its more like consultation questions but want to hear from you all based on your experience:
1. Can we configure front door VRF in ADVPN like in DMVPN? main reason is security (separate internet and local traffic on vrf level). My thought is we probably don't need VRF as its firewall where we can enable security feature on public line but my manager pushing for front door VRF to separate traffic saying security reason.
2. Can we assign Public IP behind the FortiGate (without NAT) device? We will gone have PA for client VPN (for at least 1-2 yrs).
3. Can we assign multiple Public IP on a WAN interface? we have 2 block of /29 public from a provider and another /32 just for internet. from that two /29, some service needs direct public IP (like client VPN) and some other services just need public IP directly. and some we will use for VIPs.
Appreciates for any insight/recommendation/advise.
Cheers,
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
I may not have the exact responses to your questions but I hope it will help.
1. I actually don't know ADVPN can be VRF aware but I think doing it with a dedicated VDOM can be a satisfying solution for you.
2. Didn't try it in NAT mode (however I guess it is doable) but it should be easily done with transparent VDOM.
3. Certainly you can, just add as many secondary addresses to your WAN interface as you need.
im currently experimenting with this and have it working. my lab is three fw creating an advpn hub and spoke network.
1. enable encapsulation vpn-id-ipip under your phase1 interfaces.
2. create a vrf and assign the ce role to it with rd, im/ex statements and assign the default vrf used for the hub and spoke to pe role.
we back to back the ce/pe with a seperate business(customer) fw that only knows the routes of the ce vrf.
3. you must enable "pass AS number" in bgp config on the customer fw.
If you want to enable route leaking between the pe and ce or ce to ce you need to do it on the pe/ce and enable vdoms.
Testing it with the 7.2.7. So far so good.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.