Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Manage many internal subnets
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Manage many internal subnets
Hi,
We just purchased a new FortiGate 100E for HQ and FortiGate 60E for Branch, logs will be sent to a new Analyzer 200F also at HQ. The current network has no Firewalls and routing/subnets is handled by MikroTik isp Router. Dhcp is handled by another MikroTik router that is behind the ISP router. There is also an ipsec vpn site to site link between two MikroTiks. All subnets and vlans share the same switches.
I want to manage everything from the FortiGates except Voice.
We have quite a number of different subnets at HQ that I want to know which is the best way to configure this on the FortiGate.
10.1.0.x/24, This is the native Lan at HQ which consists of all the staff devices and servers and is limit on IP's available. I configured a physical interface for this. All devices will receive dhcp ip and will be reserved with mac reservations and address groups.
10.2.0.x/24 This is the native Lan at Branch site and falls under another MikroTik Router linked with ipSec vpn between sites. I will set this up on the 60E as the main interface and link to HQ with ipsec vpn between 100E and 60E gates.
10.3.0.x/24 This is another subnet at HQ which only contains 3 VMware Hosts and a Vcenter server. No Vlan (I am planning on moving them into the 10.1.0.x/24 range)
10.4.0.x/24 This subnet contains all our access points at HQ which is statically configured and no vlan.(What do I do with this on this fortigate? I want only admin source IP's to access and manage these from range 10.1.0.x/24)
10.5.0.x/24 This is for the staff wireless network and on vlan 50. I configured a vlan under physical interface 10.1.0.x on the 100E. I want devices on here to be able to communicate with range 10.1.0.x/24. How will I go about doing this in the best way? Devices on here will be reserved with mac reservations and dhcp is on.
10.6.0.x/24 This range contains all our switches, 22 of them all static interfaces.
10.7.0.x/24 This is the Guest wireless vlan 60 range. Dhcp is on and I will configure this to be isolated. Created vlan under 10.1.0.x/24 interface.
10.8.0.x/24 This contains all our printers and CCTV cameras, all static. I want to move the printers perhaps to another range and keep CCTV on this range, I want to use untagged PVID access ports on the Cisco switches to completely seperate this network from the rest of the networks and will use another interface on the 100E Gate. Also remote access will be set up to this interface to access CCTV.
10.10.0.x/24 This is the 3CX Voice vlan 5. I want to create another vlan under 10.1.0.x/24 interface with dhcp for the phones. I do not want to manage the breakout and the ISP will MikroTik will still handle that. I want to also manage the phones from range 10.1.0.x/24.
So what I am confused with is what is the best way to manage all the other devices on different subnets by using the fortigate 100E. Will I just add a secondary ip address within those ranges so I can access the devices on there? Do I create policy routes? But which interface do I use then? Or must I create physical interfaces for all of them. I hope someone can clear up this confusion for me. Thank you
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would focus on physical paths to get to each group of devices you listed. Then let the switches do switching and cable management as much as possible. Since an 100E has enough ports, you could separate all to individual ports if you want, but I prefer combining them into fewer ports with vlans and connect them to switches then break them up using access ports before going out. Vlans are logical interfaces in a FGT so you can apply policy independently just like a physical port.
What I wouldn't do is secondary ips, which would mix up broadcast domains and create problems with DHCP servers and other issues.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Toshi,
Thank you for your response and advise, I will certainly run the CCTV on it's own physical interface with access ports as I know cctv can put strain on the other networks. One more thing that I would like to clarify, if I have subnet 10.1.0.x/24 with a vlan 10.3.0.x/24 and I configure these with a policy route to see each other, will their dhcp servers hand out IP's to all clients or only clients on the matching subnet. Thank you for the assistance.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you don't need any additional routes to route between directly connected subnets. You just need a policy. Not a policy route.
DHCP server works on each broadcast domain. Vlans separate them.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to show you - this is how I do this here.
I run Fortigates (also 100Es mainly) here at HQ and in our shops all over germany. Each shop has several subnets for different purposes (cash desks, wlan, ...) just like at your side.
I always have one main net that is used for clients and for some servers that need to be in the same subnet (like DCs e.g.) and the rest are just vlans on the port where the main net is.
Since vlans are logical interfaces they behave like any other port on a FGT.
I then just do policies to let them have internet over the WLLB or access something in some other subnet. Also I run redundant IPSec Tunnels fro HQ to the shops to be able to transfer data and do maintenance.
In this case all routes I need is at shop side: a default route for internet and a route to the HQ SUbnet(s) that goes over the IPSec. The rest on this side does have interfaces (Logical or physical) and with that autmagically does have a net route the FGT knows. So for these no route need to be set up manually.
HQ then needs routes to the shop subnets that go over the ipsec and a default route for internet.
Additionally you of course need a bunch of policies on both side to rule who should get where :)
With that all subets a physically divided and cannot basically not affect each other (but they can affect the internet lines ;) ). The disadvantage of this is that you need vlan capable switches to be able to tag a vlan to a specific client or you would have to have the client do the tagging (which not every client is able to).
Maybe this helps you making you decision :)
cheers
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,763 -
FortiClient
1,779 -
5.2
801 -
FortiManager
738 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
477 -
Fortiap
475 -
FortiClient EMS
437 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
56 -
High Availability
56 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
48 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
FortiGate v5.4
35 -
SAML
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
Radius
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiGate-VM
21 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1740 | |
| 1108 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.