New Contributor

Moving from a solution of another brand to fortinet design

Hello guys, I am new here in the forums, and I would like to know if you could give me some advice on what would be the best way to do this.


We are working with someone that has a full solution with firewalls doing SD branches; they have all APs, switches, etc.


They want to start with the only thing they have that does not belong to the Vendor X solution, which is the core switch.


I partially saw the config, but it seems that all the default gateways are on the Vendor X firewall and not in the core switch; maybe they have a few, but I think they just don't have any and moved them all to the Vendor X firewall. (I'll check that in the next session.)


Anyway, as I said, they will just start with the core switch, to which they connect servers and some of the uplinks to other buildings in the central site.


I was thinking of something simple to start with, which was just replacing the core switch they have with a data center FortiSwitch.

Later, when they decide to change the firewall which has all the default gateways, I'll put a FortiGate there which will be like an internal segmentation firewall (but I'm not sure if I should put an edge firewall and also another firewall inside just for the default gateways and the visibility and all that).

They have many branches and they are doing SD branches, and the VPN builds automatically between those firewalls; they have switches and APs on those remote sites as well.


Anyway, back to the central site: for now it is just replacing the core switch that connects servers and some uplinks, and that's it. Most of the routing is being done on the firewall they have, but it is not being changed in this part of the project.


So my questions are:

1-Does the data center FortiSwitch manage L3 routing if it's needed? I think I saw they can do it without a firewall in stand-alone mode.

2-Moving forward to stage 2, which would be replacing the main firewall, what do you guys think would be the best? Having just one big firewall that manages WAN and LAN with the default gateways, or having an edge firewall for internet and the VPNs and all that, and an internal FortiGate managing all the default gateways and all the FortiSwitches and FortiAPs in the central site?

Is there something that can tell me when I should go with one or the other option?

I guess I will discuss it with someone from Fortinet, but I would still like to have some ideas before that.


Note: I know I need to ask the client about how changing the firewall would impact their remote sites, as they need that to build all the SD-WAN and all that, and I will have to see how to work with them on this.

Contributor III



1. FortiSwitch can indeed handle Layer 3 routing if needed. In a stand-alone deployment, a FortiSwitch can act as a Layer 3 switch and perform routing functions between VLANs without the need for a separate firewall. However, it is important to note that this functionality may vary depending on the specific model and firmware version of the FortiSwitch.

2. The decision to use a single firewall for WAN and LAN or to use an edge firewall for internet and VPNs and an internal firewall for default gateways and internal devices depends on various factors, such as the size of the network, security requirements, budget, and performance needs.

A single firewall can simplify management and reduce costs, but it may not provide the same level of granular control and protection that multiple firewalls can offer. On the other hand, using multiple firewalls can provide greater security and flexibility, but it can also be more complex to manage and more expensive to implement.

It's best to assess the specific needs and requirements of the network before deciding on a particular approach. Working with Fortinet or a Fortinet partner can help determine the best solution for your particular situation, as they have the expertise to evaluate your current network infrastructure and recommend the best course of action.


Thanks for your help, Christian!



Hi @retsam,


Question 1:
If you are using FortiGate and FortiSwitch in your network, the FortiGate will manage the FortiSwitch.
All configuration can be done on the FortiGate through FortiLink.

FortiGate - manages FortiSwitch and FortiAP

FortiLink - connectivity link to manage FortiSwitch

FortiSwitch - switch for the servers/users/APs

If you only have FortiSwitch (no FortiGate), you can manage it standalone.

Question 2:

You can use 1 big firewall and do VDOMs. A VDOM is considered a "separate" firewall.
1 VDOM = 1 firewall
It's easier to manage 1 physical firewall instead of many firewalls. Too many devices in the network may cause a higher chance of breakdown if any unit in the path fails.

For designing, I would suggest working with Professional Services.
They will evaluate your current environment and propose accordingly. Hope my answer is helpful.
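As an added illustration of the "1 VDOM = 1 firewall" approach suggested above (a constructed example for this thread, not configuration from either poster or from Fortinet), the FortiOS CLI below splits one FortiGate into an "edge" VDOM holding the WAN link and an "isfw" VDOM holding a LAN default gateway, joined by an Ethernet-type inter-VDOM link. The VDOM names, interface names (wan1, port3) and addresses are assumptions; the edge VDOM's default route to the ISP and the firewall policies in each VDOM are omitted and are still required before any traffic passes.

```fortios
# Constructed example: two VDOMs on one FortiGate (edge = WAN/VPN, isfw = LAN gateways);
# names and addresses are assumptions. Link "ivl" yields interfaces ivl0 and ivl1.
config system global
    set vdom-mode multi-vdom
end
config vdom
    edit "edge"
    next
    edit "isfw"
    next
end
config system vdom-link
    edit "ivl"
        set type ethernet
    next
end
config system interface
    edit "wan1"
        set vdom "edge"
        set ip 198.51.100.2 255.255.255.0
    next
    edit "ivl0"
        set vdom "edge"
        set ip 10.255.0.1 255.255.255.252
    next
    edit "ivl1"
        set vdom "isfw"
        set ip 10.255.0.2 255.255.255.252
    next
    # server VLAN gateway moves off the core switch into the internal VDOM
    edit "port3"
        set vdom "isfw"
        set ip 10.10.10.1 255.255.255.0
    next
end
# isfw sends all non-local traffic to the edge VDOM across the inter-VDOM link
config vdom
    edit "isfw"
        config router static
            edit 1
                set gateway 10.255.0.1
                set device "ivl1"
            next
        end
    next
end
```

Each VDOM is then administered and policed on its own, which is what gives the "separate firewall" behaviour while still leaving one physical unit to manage.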
