We would like to migrate our datacenter FTD firewalls over to Fortigates. We would like to run these firewalls in parallel and migrate services selectively. Both sets of firewalls are connected to different ISPs. The datacenter core is learning a default route from the FTDs currently. Until the time migration is completed, how can we ensure that the traffic that comes through the Fortigates to the core goes out that same path? Do I need a source NAT on the Fortigates to translate the source addresses for traffic destined to the datacenter core? Or is there a better way here?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello SixtyIsTheNewForti,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello SixtyIsTheNewForti,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hi Sixty,
the layout will help here, but you should generally use SNAT of your network outbound. If you have internal traffic you should not need SNAT as I doubt that internal resources will have traffic going over both firewalls simultaneously.
Your routing should otherwise automatically deal with the respective traffic going over the old firewall. Change the distances/metrics of your routing protocols in order to switch to the new firewalls.
Best regards,
Markus
Hey Markus, thanks for your reply. Imagine 2 ISP clouds at the top and 2 sets of firewalls (FTD and Fortigate) connected to each of those ISPs using a unique public address space. Imagine core datacenter network behind these firewalls. When we migrate a web server from ISP1 over to ISP2 and have it come through the Fortigates, how will my datacenter core override the default route that is pointing to go out the FTD? Hence, the reason, I am asking if we can SNAT the traffic that comes in via the Fortigates using probably its LAN interface pointed to the core? Hope it makes sense.
Hello,
There is no universal answer for this. Probably the most often scenario is that FortiGate is preconfigured with Vlans, IPs, routing, etc, all cables are connected but interfaces are disabled. And then when the migration happens, old firewall is disabled/shutdown and FortiGate interfaces are enabled. And then it is up to network to see if routing is up, traffic flowing, etc.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1066 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.