What's up all. Novice at networking here, bear with me. Trying to dump my cheap home firewalls and go with the real thing. Looking to purchase a FortiGate firewall and a Catalyst 1200 Series switch. Pretty basic setup. I need to:
1. Create VLANs and have them access the internet
2. Completely isolate the VLANs at Layer 3
I have been looking at a few different ways to do this but need help. I can figure out most of the config but could use assistance with the design / have a few config questions.
Would you:
Go Layer 2 VLANs at the switch and then tag them up to the firewall and create firewall policies to separate the VLANs? Would I even need to tag them on the firewall?
Would inter-VLANs need to be created on the firewall to deny all traffic, or could I just create firewall policies for each LAN and have the switch handle the tagging?
or
Go inter-VLAN on the switch and create ACLs on the switch as opposed to having the firewall do the work. It seems strange to me to have a firewall perform switching functions, as I am trying to separate this all out.
Performance is not a concern as this is a basic network, security is top of mind. Thanks to anyone that can help.
Hi @Technician-109
You would need to create VLANs on the FortiGate. Here is a guide for that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
You will also need appropriate firewall policies on the FortiGate for inter-VLAN routing and any other access.
By default the firewall will deny access, so you don't need a deny policy between VLANs.
I agree that the switch side you could leave as a basic setup.
Especially considering the security aspect, you want the firewall to be handling all this routing so you can apply security profiles if needed.
Regards,
Varun
And, for No. 2, you just need to create different sets of protection profiles (web filters / IPS sensors), then use them in different sets of policies per VLAN interface (source interface) to your WAN interface(s) (destination interface).
Toshi
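The two replies above describe one design: 802.1Q VLAN sub-interfaces on the FortiGate, one outbound policy per VLAN with its own profile set, and no inter-VLAN policy at all so that traffic falls to the implicit deny. The following FortiOS CLI is an added worked example of that design; it is not from the thread or from Fortinet's documentation. It assumes FortiOS 7.x, that the trunk from the Catalyst lands on port2, that wan1 faces the Internet, and it uses made-up VLAN IDs, names and subnets (VLAN 10 "users" on 192.168.10.0/24, VLAN 20 "iot" on 192.168.20.0/24). The profile names "iot-web" and "iot-ips" are also invented for the example.

```fortios
# Added example, not from the thread. Assumptions: FortiOS 7.x, trunk on port2,
# Internet on wan1, VLAN 10 = users (192.168.10.0/24), VLAN 20 = iot (192.168.20.0/24).
# "set vlanid" is the 802.1Q tag the switch puts on the frame; port2 itself
# gets no address, so untagged frames from the trunk go nowhere.
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 20
    next
end

# Address objects so the policies name the subnets rather than "all".
config firewall address
    edit "vlan10-net"
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface "vlan10"
    next
    edit "vlan20-net"
        set subnet 192.168.20.0 255.255.255.0
        set associated-interface "vlan20"
    next
end

# A second, stricter profile set for the IoT VLAN (the users VLAN keeps the
# built-in "default" profiles below). Names are invented for this example.
config webfilter profile
    edit "iot-web"
        set comment "Stricter web filtering for the IoT VLAN"
    next
end
config ips sensor
    edit "iot-ips"
        config entries
            edit 1
                set severity high critical
                set action block
                set log enable
            next
        end
    next
end

# One outbound policy per VLAN, each carrying its own profiles. There is
# deliberately no vlan10<->vlan20 policy: with nothing to match, that traffic
# hits the implicit deny at the bottom of the table.
config firewall policy
    edit 1
        set name "users-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "vlan10-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "iot-to-internet"
        set srcintf "vlan20"
        set dstintf "wan1"
        set srcaddr "vlan20-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "iot-web"
        set ips-sensor "iot-ips"
        set logtraffic all
        set nat enable
    next
    # Optional: an explicit, logged deny in the direction you care most about.
    # Same outcome as the implicit deny, but you get a log entry per blocked flow.
    edit 3
        set name "deny-iot-to-users"
        set srcintf "vlan20"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things to check once this is in place. On the switch side, the port facing port2 must be an 802.1Q trunk that carries VLANs 10 and 20 tagged, and the switch should have no IP interface on those VLANs (a management address on a separate VLAN is fine); if the switch does have an address in a user VLAN, hosts can route via the switch and bypass the firewall entirely. On the FortiGate side, confirm the isolation by trying to reach a host in VLAN 20 from VLAN 10 and checking the forward traffic log: the flow should appear as denied by policy 0 (the implicit deny) or, in the reverse direction, by policy 3 above.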
Thanks, @SabtainSaleem
Copyright 2024 Fortinet, Inc. All Rights Reserved.