We have a few Fortinet devices and are trying to configure the network with only partial success so far.
This is an early design doc that I can share with you, the main difference is we have opted to using just 1 switch on each level for now.
~~Top level FortiGate 100F <HA> FortiGate 100F. Port X1 to Port 25 on switch. Port X1 to Port 26 on switch. 3 VLANs are configured on port X1, let's call them top (10.20.50.0/24), middle (169.254.1.0/24), and bottom (10.20.60.0/24). VPN is configured on those firewalls.
FortiSwitch 424E. No FortiLink. Cannot use FortiLink due to routing limitations. Used as a standalone L3 switch. Also referred to as the middle switch. All top level devices connect here, using the top VLAN. The middle VLAN is used as a way to route communication between top and bottom devices.
The firewalls are using port 13 as a WAN to access the internet. They can also access all devices connected to the switch on the top VLAN. Port X1 on the FW is configured as a LAN to connect downwards, 169.254.1.1. The switch is configured to use 169.254.1.2, acting as the middle communication level. ~~
~~Bottom level FortiGate 100F <HA> FortiGate 100F. Port X1 to port 27 on the top switch. Port X1 to port 28 on the top switch. Port X2 to port 25 on the bottom switch. Port X2 to port 26 on the bottom switch.
FortiSwitch 424E. With FortiLink. Managed by the bottom FortiGate. All bottom level devices connect here, using the bottom VLAN.
Port X2 on the FW is assigned to the FortiLink and contains the bottom VLAN. All devices are accessible locally on the .60 subnet. Port X1 is configured to go up to the top level as a WAN, 169.254.1.3. ~~
With this setup, the communication among top level devices and firewall is fine. The communication among bottom level devices and firewall is fine.
However, the 2 layers have broken communication with each other. Depending on the configuration we are testing, the best case scenario is that the bottom layer is able to reach the top layer switch and devices, but not the top layer firewall or the internet. Also, no matter how much we tried, the top firewall can never reach the bottom firewall, nor the devices there. The switch in the middle is always able to communicate with the firewall on the top, and with the bottom sometimes, depending on the config we are testing.
We have spent 2 solid weeks on this, trying to establish proper communication between the top and bottom networks. The main thing we found out is that the switch in the middle, belonging to the top network, cannot be part of the FortiLink due to routing issues.
The setup we aim for is VPN <> FW-TOP <> SW-TOP+devices <> FW-BOT <FortiLink?> SW-BOT+devices. We want to be able to go all the way down and up, and have the top and bottom devices communicate.
The current firewall rules are open to all traffic for everything, so we can minimize the debugging steps for now. We test mainly with pinging the various devices and networks. The HA on the firewalls is Active-Passive.
Updated to 7.0.9
What kind of settings do we have to verify on the firewalls and switch? Ports, VLAN addresses, VLAN IDs, static routes (using port X1 or the VLAN?). For the switch we assign the native VLAN to be the middle VLAN, and allow the top and bottom VLANs. Do we need to create a trunk for the ports and put 1 in each, for VLAN routing purposes?
After 2 weeks it feels like we are very close, yet not quite there. No progress in the past few days.
Hoping you can help clarify what we are missing, probably something small.
We are not experts, but are becoming fairly knowledgeable.
This really sounds like a routing issue to me, but it could be one of hundreds of potential issues. I would really suggest looking for a local Fortinet partner professional services engagement to work through these issues. Troubleshooting through a public forum is going to be extremely difficult and would need to include network information and configuration files that most likely should not be shared in a public forum like this.
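To make the "routing issue" diagnosis concrete without anyone's real configuration, here is an added example that is not part of either post above and is not a FortiOS config. It is a small Python model of the three-tier layout described in the question, using the addresses the question gives (169.254.1.1/.2/.3, 10.20.50.0/24, 10.20.60.0/24) plus assumed pieces: the node and interface names, the documentation prefixes 203.0.113.0/24 (WAN) and 198.51.100.0/24 (an internet host), the assumption that the top FortiGate source-NATs outbound traffic, and the assumption that the defect being reproduced is a missing return route on the top FortiGate for 10.20.60.0/24 via 169.254.1.3. It traces every hop in both directions with longest-prefix matching, which is exactly the check a one-way ping hides: the forward path can be fine while the return path falls into the default route and leaves via the WAN.

```python
"""Two-way path tracing over a toy model of the top/middle/bottom layout.

Added example; device names, interface names, route tables and the
203.0.113.0/24 and 198.51.100.0/24 prefixes are assumptions, not anyone's
real configuration.
"""
import ipaddress
from dataclasses import dataclass, field

IP, NET, IFACE = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface


@dataclass
class Node:
    name: str
    interfaces: dict                            # iface name -> "addr/prefix"
    routes: list = field(default_factory=list)  # (prefix, next hop), static routes only
    snat: dict = field(default_factory=dict)    # egress iface -> source NAT address

    def owns(self, ip):
        return any(IFACE(a).ip == IP(ip) for a in self.interfaces.values())

    def egress(self, ip):
        """Interface whose connected subnet contains ip, or None."""
        return next((n for n, a in self.interfaces.items() if IP(ip) in IFACE(a).network), None)

    def lookup(self, dst):
        """Longest-prefix match over static routes plus connected subnets."""
        cands = list(self.routes) + [(str(IFACE(a).network), None) for a in self.interfaces.values()]
        best = None
        for prefix, gw in cands:
            net = NET(prefix)
            if IP(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best


def trace(nodes, start, src, dst, ttl=16):
    """Forward a packet hop by hop. Returns (delivered, hop list, src after any NAT)."""
    node, hops = nodes[start], [start]
    for _ in range(ttl):
        if node.owns(dst):
            return True, hops, src
        match = node.lookup(dst)
        if match is None:
            return False, hops + [f"{node.name}: no route to {dst}"], src
        nexthop = match[1] or dst                 # connected route -> deliver directly
        out = node.egress(nexthop)
        nxt = next((n for n in nodes.values() if n.owns(nexthop)), None) if out else None
        if nxt is None:
            return False, hops + [f"{node.name}: next hop {nexthop} unreachable"], src
        src = node.snat.get(out, src)             # source NAT when leaving a NAT interface
        node, hops = nxt, hops + [nxt.name]
    return False, hops + ["ttl exceeded"], src


def round_trip(nodes, src_node, dst):
    """Trace src_node -> dst and the reply back, un-NATting at the firewall if needed."""
    src_ip = str(IFACE(next(iter(nodes[src_node].interfaces.values()))).ip)
    ok, fwd, nat_src = trace(nodes, src_node, src_ip, dst)
    if not ok:
        return False, fwd, []
    ok, ret, _ = trace(nodes, fwd[-1], dst, nat_src)
    if ok and nat_src != src_ip:                  # reply reached the NAT device; keep going inside
        ok, tail, _ = trace(nodes, ret[-1], dst, src_ip)
        ret += tail[1:]
    return ok, fwd, ret


def build(top_fw_has_bottom_route):
    """Model of the layout in the question; set the flag to add the assumed missing route."""
    nodes = {
        "fw_top": Node("fw_top", {"x1": "169.254.1.1/24", "port13": "203.0.113.2/24"},
                       [("0.0.0.0/0", "203.0.113.1"), ("10.20.50.0/24", "169.254.1.2")],
                       snat={"port13": "203.0.113.2"}),
        "sw_mid": Node("sw_mid", {"vl_middle": "169.254.1.2/24", "vl_top": "10.20.50.1/24"},
                       [("0.0.0.0/0", "169.254.1.1"), ("10.20.60.0/24", "169.254.1.3")]),
        "fw_bot": Node("fw_bot", {"x1": "169.254.1.3/24", "x2": "10.20.60.1/24"},
                       [("0.0.0.0/0", "169.254.1.1"), ("10.20.50.0/24", "169.254.1.2")]),
        "top_host": Node("top_host", {"eth0": "10.20.50.10/24"}, [("0.0.0.0/0", "10.20.50.1")]),
        "bot_host": Node("bot_host", {"eth0": "10.20.60.10/24"}, [("0.0.0.0/0", "10.20.60.1")]),
        "isp": Node("isp", {"up": "203.0.113.1/24", "web": "198.51.100.1/24"}),  # no route back inside
        "web": Node("web", {"eth0": "198.51.100.5/24"}, [("0.0.0.0/0", "198.51.100.1")]),
    }
    if top_fw_has_bottom_route:
        nodes["fw_top"].routes.append(("10.20.60.0/24", "169.254.1.3"))
    return nodes


# The four symptoms from the question: bottom host to top device, to top FW, to the
# internet, and top FW down to a bottom device.
CHECKS = [("bot_host", "10.20.50.10"), ("bot_host", "169.254.1.1"),
          ("bot_host", "198.51.100.5"), ("fw_top", "10.20.60.10")]


def reachability(nodes):
    return {f"{s}->{d}": round_trip(nodes, s, d)[0] for s, d in CHECKS}


if __name__ == "__main__":
    for label, flag in (("without return route on fw_top", False), ("with return route", True)):
        print(label)
        for s, d in CHECKS:
            ok, fwd, ret = round_trip(build(flag), s, d)
            print(f"  {s} -> {d}: {'OK' if ok else 'FAIL'}  fwd={fwd}  ret={ret}")
```

Without the extra route the model reproduces the reported behaviour: the bottom host reaches top devices (the switch and bottom firewall know each other's subnets), but a ping to 169.254.1.1 or to the internet is delivered and then the reply leaves the top FortiGate via its default route, and the top FortiGate cannot reach 10.20.60.0/24 at all. On a real FortiGate the equivalent check is `get router info routing-table all` on each firewall, confirming that every subnet below has a route pointing back down the 169.254.1.0/24 transit link, and not only that the forward path works.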