- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Moving from a solution of another brand to fortine...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Moving from a solution of another brand to fortinet design
Hello, guys I am new here in the forums, and I would like to know if you could give me some advice of how would be the best way to do this?
We are working with someone that has a full solution with firewalls doing sd branches, they have all APS switches, etc
They want to start with the only thing they have that does not belong to the Vendor X solution which is the switch core.
I saw partially the config but it seems that all the default gateways are on the firewall of the vendor X and not in the Switch core, maybe they have like a few but I think they just don't have any, and they moved all to Vendor X firewall. (I'll check that on the next session)
Anyways as I said, they will just start with the Switch Core in which they connect servers and some of the uplinks of other buildings in the central site.
I was thinking of something simple to start which was just replacing the switch core they have with a fortiswitch data center one.
Later when they decide to change the firewall which has all the default gateways. I'll put there a FortiGate which will be like an internal segmentation firewall ( but I'm not sure if I should put an edge firewall and also Another firewall inside just for the default gateways and the visibility and all that)
They have many branches and they are doing sd branches and the VPN builds all automatically between those firewalls, they have switches on those remote sites and aps on those remote sites as well.
Anyways back to the Central site for now is just replacing the Core switch that connects Servers and some uplinks and that's it, most of the routing is being done on the firewall they have but is not being changed on this part of the project
So my questions are:
1-The datacenter fortiswitch manages L3 routing if it's needed?. I think I saw they can do it without a firewall in stand-alone
2-Moving forward in stage 2 which would be replacing the main firewall what do you guys it would be the best? having just one big firewall that manages WAN and LAN with the default gateways or having an edge firewall for internet and the VPNS and all that and the internal FortiGate managing all the default gateways, and all the fortiswitches and the forti APs in the central site.
Is there something that can tell me when I should go with one of the other options?
I guess I will discuss it with someone from Fortinet but still would like to have some ideas before that.
Note: I know I need to ask the client about how changing the firewall would impact their remote sites as they need that to build all the sd wan and all that, and I will have to see how to work with them on this.
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
1. FortiSwitch can indeed handle Layer 3 routing if needed. In a stand-alone deployment, a FortiSwitch can act as a Layer 3 switch and perform routing functions between VLANs without the need for a separate firewall. However, it is important to note that this functionality may vary depending on the specific model and firmware version of the FortiSwitch.
2. The decision to use a single firewall for WAN and LAN or to use an edge firewall for internet and VPNs and an internal firewall for default gateways and internal devices depends on various factors, such as the size of the network, security requirements, budget, and performance needs.
A single firewall can simplify management and reduce costs, but it may not provide the same level of granular control and protection that multiple firewalls can offer. On the other hand, using multiple firewalls can provide greater security and flexibility, but it can also be more complex to manage and more expensive to implement.
It's best to assess the specific needs and requirements of the network before deciding on a particular approach. Working with Fortinet or a Fortinet partner can help determine the best solution for your particular situation, as they have the expertise to evaluate your current network infrastructure and recommend the best course of action.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Christian!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @retsam ,
Question 1:
If you are using Fortigate and Fortiswitch in your network, the Fortigate will manage the Fortiswitch.
All configuration can be done on the Fortigate through Fortilink.
Fortigate - manage fortiswitch, FortiAP
Fortilink - connectivity link to manage fortiswitch
Fortiswitch - Switch for the server/user/ap
If you only have Fortiswitch(no Fortigate), you can manage it standalone.
Question 2:
You can use 1 big firewall and do VDOM. VDOM is considered as "separate" firewall.
1 VDOM = 1 firewall
Its easier to manage 1 physical firewall instead of many firewall. Too many devices in network may cause higher chance of breakdown if any unit in the path is failed.
For designing, i would suggest to work with Professional Service.
They will evaluate your current environment and propose accordingly. Hope my answer helpful.
haiqal
Related Posts
- issues deploying fortinet free licence 32 Views
- Physical AP error on deleting WLAN... 72 Views
- Cisco Trunk port to Fortiswitch 364 Views
- FortiOS Recommended Release 74 Views
- Mistake in FCF - Getting Started... 48 Views
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.