FortiGate in the headquarters, and a switch and a FortiAP in the branch office, connected via VPN: is it possible to connect them to the FortiGate? Are they managed by the FortiGate? Can I address them at the IP level? How do I do it? Keep in mind that the VPN is based on the 91fgt, while in the shops there are MikroTik routers, all connected in IPsec.
I attached the photo.
Hi,
Thank you for your inquiry. Yes, you can manage FortiSwitch and FortiAP remotely through an IPsec tunnel, where the controller/HQ FortiGate has to receive these packets through the IPsec tunnel. This will require that the branch router where the FSWs and FAPs are directly connected allows this traffic through the tunnel with the required rules and routes, and that the IPsec phase 2 selector on the IPsec tunnel includes the IP addresses of the subnet that connects these devices. On the HQ FortiGate a similar config is required:
1- A firewall policy where the source interface is the IPsec tunnel and the destination is the FortiLink interface, with matching IP addresses for source and destination.
2- Routes allowing the HQ FortiGate to learn about the remote subnets belonging to the FAPs and FSWs.
3- A phase 2 selector must be configured on the FortiGate where the remote address is that of the FortiSwitches and the FortiAPs.
Note: I assumed a site-to-site IPsec tunnel connecting the HQ FortiGate to the remote/branch router. If the FortiGate configuration is a "Dialup server" VPN, then the phase 2 selectors will not have any addresses, as the dialup server learns those from the connecting dialup clients.
Thank you,
saleha
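As an added example (not from saleha's post and not Fortinet's own documentation), here is what the three HQ-side pieces from the answer above can look like in FortiOS CLI. The tunnel name `branch-vpn`, the FortiLink interface name `fortilink`, the address object names, and the subnets 192.168.50.0/24 (branch subnet where the FortiSwitch/FortiAP are plugged in) and 10.255.1.0/24 (HQ FortiLink subnet) are all assumptions chosen for illustration and must be replaced with the real values.

```fortios
# Added example, not from the original post. All names and subnets are assumptions:
#   branch-vpn       = existing site-to-site IPsec phase1-interface to the branch router
#   fortilink        = FortiLink interface on the HQ FortiGate
#   192.168.50.0/24  = branch subnet where the FortiSwitch/FortiAP are connected
#   10.255.1.0/24    = HQ FortiLink subnet used to reach the managed devices

# Step 3: phase 2 selector covering the FortiLink subnet (local) and the branch
# subnet holding the FSW/FAP (remote). The branch router needs the mirror image.
config vpn ipsec phase2-interface
    edit "branch-vpn-p2-fortilink"
        set phase1name "branch-vpn"
        set src-subnet 10.255.1.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# Step 2: static route so the HQ FortiGate sends traffic for the branch subnet
# into the tunnel instead of the default route.
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "branch-vpn"
    next
end

# Address objects referenced by the policy below.
config firewall address
    edit "branch-fsw-fap-net"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "hq-fortilink-net"
        set subnet 10.255.1.0 255.255.255.0
    next
end

# Step 1: policy from the tunnel interface to the FortiLink interface with the
# two subnets as source and destination. service "ALL" is the permissive
# starting point; narrow it to the management protocols the devices actually use.
config firewall policy
    edit 0
        set name "branch-devices-to-fortilink"
        set srcintf "branch-vpn"
        set dstintf "fortilink"
        set srcaddr "branch-fsw-fap-net"
        set dstaddr "hq-fortilink-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

This is the site-to-site case the answer assumes; in the dialup-server case it describes, the phase 2 selector block would not carry the fixed subnets, and only the route, address objects and policy remain in this form. Logging the policy (`set logtraffic all`) is useful while bringing the first remote switch online, because a selector or route mismatch shows up as traffic that never matches this policy.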
Hi,
Thank you very much for your reply. Yes, your hypothesis "site-to-site IPsec tunnel connecting FortiGate HQ to the remote router/branch" is correct,
so at this point I can reach all my devices from the office.
What I don't understand is how to address my FortiSwitches, since I have to manage them from the office; I would like to configure them before installing them in the branches. Sorry, but I don't know much about these devices; it is the first time I use them, and now I'm preparing to take a dedicated course.
Hi Tannu1986,
Thank you for the reply. That is actually a good point. Here is a guide about FortiLink that may assist with your project, although it only illustrates the case of a direct connection between the FortiGate and the switch:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/67245ccb-eab8-11ed-8e6d-fa163e...
Thank you,
saleha