Hi there.
We are replacing our ASAs in our office with FortiGate 100Ds, and what my seniors want me to do is create two port channels on the FortiGate that connect into our core switch (Cisco 3750X).
We have about 10 different VLANs in our office, so what I want to do is have 5 VLAN subinterfaces set up per port channel.
So interfaces 1 and 2 will be port channel 1 and interfaces 3 and 4 will be port channel 2, and each has 5 VLAN gateways set up on it. The firewall will be NATing and routing out to the internet. First off, is what I'm doing something that will work?
Another main question I have is that if I create a policy and I want to deny traffic from somewhere, I obviously specify a source and destination interface; so if I want to deny incoming from the internet, and specify WAN1 as my source and Port-channel1 as my destination, does it then deny to whatever VLANs are configured under Port-channel1?
Kind Regards, Adam
Yes, it should work fine. And no, those VLANs are individual interfaces you can apply policy to. You wouldn't need any policies on the aggregate interface/port channel unless it carries untagged traffic. If you want to bind all or some of the VLANs together in policies, you can use zones.
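As an added illustration of the answer above (not configuration from the thread or from Fortinet), this FortiOS CLI fragment builds one LACP aggregate, hangs two VLAN interfaces off it, groups them in a zone and writes one outbound NAT policy against the zone; the names agg1, vlan10, vlan20, office-pc1, the VLAN IDs, the addresses and wan1 are all assumed.

```fortios
# Assumed names: agg1 (port1+port2), VLAN IDs 10 and 20, wan1 as the internet-facing port.
# The Cisco 3750X side (not shown) carries these VLANs tagged on a matching LACP trunk.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
    next
    # Each VLAN is its own interface; policies reference these, not "agg1".
    edit "vlan10"
        set vdom "root"
        set interface "agg1"
        set vlanid 10
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20"
        set vdom "root"
        set interface "agg1"
        set vlanid 20
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
    next
end
# A zone lets one policy cover several VLAN interfaces at once.
config system zone
    edit "office-pc1"
        set interface "vlan10" "vlan20"
        set intrazone deny
    next
end
config firewall policy
    edit 1
        set name "office-to-internet"
        set srcintf "office-pc1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
# No explicit wan1 -> office-pc1 deny policy is needed: traffic matching no policy hits the implicit deny.
```

Repeat the VLAN and zone stanzas for the second aggregate (ports 3 and 4) and its five VLANs; the policy for that zone follows the same shape.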