What's up all. Novice at networking here, bear with me. Trying to dump my cheap home firewalls and go with the real thing. Looking to purchase a Fortigate Firewall and Catalyst 1200 Series Switch. Pretty basic setup. I need to:
Create VLANS and have them access the internet
Completely isolate the VLANS at Layer 3
I have been looking at a few different ways to do this but need help. I can figure out most of the config but could use assistance with the design / have a few config questions.
Would you:
Go layer 2 VLANS at the switch and then tag them up to the firewall and create firewall policies to separate the VLANS? Would I even need to tag them on the firewall?
Would inter-vlans need to be created on the firewall to deny all traffic or could I just create firewall polices for each lan and have the switch handle the tagging?
or
Go Inter-vlan on the switch and create ACLS on the switch as opposed to having the firewall do the work. It seems strange to me to have a firewall perform switching functions as I am trying to separate this all out.
Performance is not a concern as this is a basic network, security is top of mind. Thanks to anyone that can help.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @Technician-109
You would need to create VLANs on the fortigate. Here is a guide for that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
You will also need appropriate firewall policies on fortigate for inter vlan routing and any other access
By default firewall will deny access so you don't need deny policy between vlans.
I agree that switch side you could leave as basic setup
Especially considering security aspect, you want firewall to be handling all this routing so you can apply security profiles if needed.
Regards,
Varun
And, for No.2, you just need to create different sets of protection profiles Webfilters/IPS sensors, then use them in different sets of policies per VLAN interface (source interface) to your wan interface(s) (destination interface).
Toshi
A novice user wouldn't go with FGT+C1200. You sounds very confident how to configure both.
The C1200 is basically a L2 switch although it would do some routing. Therefor you could do the second option if you want. But you wouldn't want to waste your investment on an expensive FW device (unless you're a super rich) which is designed to do all sorts of access control and sophisticated virus/intrusion/application controls at upper layers.
So it's better pulling all VLAN traffic on the switch up to the FGT over a trunked(VLAN/hardware switch) port (ports, in case you use an aggregate link) when inter-VLAN connections need to happen, and leave the L2 switch as an L2 switch. So you can manage it at one place, not have to juggle between two places.
Toshi
Hey Toshi,
Thanks very much. I understand terminology and basic network config but am far from a Network Technician. Thanks for the vote of confidence, nonetheless. I am going to trunk from the switch to the firewall and let the firewall handle policy. I have a few additional questions if you don't mind. I am also going to pose the same question to @vbandha. Hopefully you don't mind.
1. Not too familiar with configuring zones. Would I have a separate zone for each VLAN, or would there be 1 zone for VLANS and another for WAN? The goal being to 100% keep traffic separate between all VLANS and also to create web / IPS policies for each, which brings me to my next question.
2. How do I create separate WEB/IPS/Firewall policies for each VLAN?
Thanks again
Thanks, Toshi!
Hi @Technician-109
You would need to create VLANs on the fortigate. Here is a guide for that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
You will also need appropriate firewall policies on fortigate for inter vlan routing and any other access
By default firewall will deny access so you don't need deny policy between vlans.
I agree that switch side you could leave as basic setup
Especially considering security aspect, you want firewall to be handling all this routing so you can apply security profiles if needed.
Regards,
Varun
Hey Varun,
Thanks for your help. I answered @Toshi_Esumi as well, and wanted your thoughts on these questions.
1. Not too familiar with configuring zones. Would I have a separate zone for each VLAN, or would there be 1 zone for VLANS and another for WAN? The goal being to 100% keep traffic separate between all VLANS and also to create web / IPS policies for each, which brings me to my next question.
2. How do I create separate WEB/IPS/Firewall policies for each VLAN?
Thanks
Hi,
Regarding your questions:
1. Are you talking about adding interfaces to a zone?
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/116821/zone
This is not a requirement for network setup, more like a feature to be used as per your need. Zones are used if there are certain interfaces which would need same firewall policies and settings. One drawback of using zones is that you cannot create separate policies for each interface which is part of the zone and have to create policies for the zone itself.
If you would like more flexibility, it would better to not use zones.
Whether you use zones or not, the traffic between vlans will be separate and one vlan traffic will not go to another vlan, unless you make a policy for it.
2. So this question, answers your first question. If you want separate policies for each VLAN, you cannot do that with zones. You have to use them individually.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/402940/vlans
If you have any further query on this, please let me know.
Regards,
Varun
And, for No.2, you just need to create different sets of protection profiles Webfilters/IPS sensors, then use them in different sets of policies per VLAN interface (source interface) to your wan interface(s) (destination interface).
Toshi
Thanks, Varun!
It sounds like you're dealing with quite the network configuration challenge! I’ve been through similar issues in the past, and sometimes just tweaking a few settings can make a huge difference. Have you tried adjusting the firewall rules or double-checking the routing settings? The Fortinet community is really helpful, so I'm sure you'll get some great advice here. Best of luck—hope you get it resolved soon!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.