Hello. I'm working on using our 101E for internal network segmentation. I've set up a LAG port to use to increase the amount of bandwidth available for segment to segment communication. I would like to route Internet access through a separate interface than the LAG port. The reason being is that I have a third party IDS that I want to continue mirroring Internet traffic to and the LAG port on the Cisco switch we use won't allow setting it up for port mirroring.
So I want to route internal traffic through the LAG and Internet traffic through a different port on the Fortigate.
When I add an IP address to the LAG port that is on our main subnet, the Fortigate automatically starts routing all traffic for that subnet to the LAG port. This takes things down as far as Internet access. The LAG port needs to be reachable by internal workstations, so it needs an IP that is reachable by the subnet.
Does someone have recommendations on how to set this up?
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It might help to draw out the topology you're after. No duplicate IP addresses should exist for things to work properly (this is a router after all).
We use our FortiGate extensively as an internal segmentation firewall as well as for Internet traffic with no issues. I've got 2 LAGs to my core (1 to carry a bunch of VLANs that connect directly to the firewall (L3 gateway is the FGT) and another for core-routed traffic (traffic whose GWs exist on the core). Then I've got my two Internet connections heading to my ISPs (where I presume you are using your 3rd party IDS).
rg2017 wrote:
...When I add an IP address to the LAG port that is on our main subnet, ...
Why? If you add that IP address to the VLAN, issue resolved. No IP addresses should have to reside on the LAG since it is a trunk.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
It might help to draw out the topology you're after. No duplicate IP addresses should exist for things to work properly (this is a router after all).
We use our FortiGate extensively as an internal segmentation firewall as well as for Internet traffic with no issues. I've got 2 LAGs to my core (1 to carry a bunch of VLANs that connect directly to the firewall (L3 gateway is the FGT) and another for core-routed traffic (traffic whose GWs exist on the core). Then I've got my two Internet connections heading to my ISPs (where I presume you are using your 3rd party IDS).
If you have a WAN interface on the FGt why do the IDS/IPS inspect at that point to catch only "internet" facing traffic? if the WAN port(s) are plumb into the cisco switch just san those to your port-mirror. TheLAG you keep mentioning is not relevant.
e.g
# assume 50 your ISP links terminated into a cisco and the IDP is on port gi0/10
monitor session 10 source vlan 50 monitor session 10 interface gi0/10 You can also apply filter with laye3 access if you are looking at specific traffic monitor session 10 filter session internet_traffic_tool_port If you need to run IDS on internal get a 2nd tool port on he IDS or a 2nd IDS and create a session just for that traffic and the vlans related to your internal LANs. YMMV Ken Felix
PCNSE
NSE
StrongSwan
emnoc wrote:I don't understand.If you have a WAN interface on the FGt why do the IDS/IPS inspect at that point to catch only "internet" facing traffic? if the WAN port(s) are plumb into the cisco switch just san those to your port-mirror. TheLAG you keep mentioning is not relevant.
e.g
# assume 50 your ISP links terminated into a cisco and the IDP is on port gi0/10
monitor session 10 source vlan 50 monitor session 10 interface gi0/10 You can also apply filter with laye3 access if you are looking at specific traffic monitor session 10 filter session internet_traffic_tool_port If you need to run IDS on internal get a 2nd tool port on he IDS or a 2nd IDS and create a session just for that traffic and the vlans related to your internal LANs. YMMV Ken Felix
rg2017 wrote:
...When I add an IP address to the LAG port that is on our main subnet, ...
Why? If you add that IP address to the VLAN, issue resolved. No IP addresses should have to reside on the LAG since it is a trunk.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.