I have a Fortigate 60E firewall and need to split it into 2 networks, there's currently no budget for a FortiSwitch which I think is needed for VLANs.
However if I set up 2 LANS assigning each a different port and then plug a Gigabit switch into each they work and seem to be separate from one another.
So my question is this as secure as a VLAN? Is there any issues with doing it this way?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Short answer, Yes and No. You will be fine the two ports are isolated at layer2/3 and with security policy
PCNSE
NSE
StrongSwan
+1 if the gigabit switch is capable of splitting the segments as well. If the two Fortigate ports are on the same segment on the switch then all bets are off.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
thanks, not so sure what you mean by same segments. I have port 1 going to LAN1, port 2 going to LAN2, etc and then the others unassigned?
Are your two lans actually defined as vlan sub-interfaces on the FortiGate?
Assuming they are, which means they will be producing and accepting vlan tagged traffic, then you need to configure your (hopefully managed) switch to work with that. If your switch is not managed there isn't a good way to do this.
If the gigabit switch is managed, you need to set up matching vlans (same vlan ID) on the switch itself, and set those so they only accept tagged vlan traffic for the two ports you connect to the FortiGate (or you could trunk it). For the switch ports that are connected to end users you would set them up to to only allow untagged (native vlan) for one vlan or the other.
Thanks, no there defined as LANs but I've set Intenal1(Port1) to one of the LANS and then a unmanaged switch goes into this port for that network only. The Internal2(Port 2) has another separate unmanaged switch going to the other LAN.
Both are set with different network IP Addresses and cannot ping one another. I am not trying to use one switch for both LANs they each have their own unmanaged switch but in ports assigned to the correct LAN. However I'm not sure if this is enough as you mention I should have sub-interfaces or is this only if I have 1 switch trying to use VLANs?
Without defined vlans on the FortiGate, and without managed switches that have the vlans defined, you don't have vlans, and thus don't have layer 2 separation.
This may be fine, since you're using separate switches connected to the different FortiGate ports with different subnets since the FortiGate security policies can keep the two subnets/interfaces separate from each other.
This may NOT be fine if you have some other way that those two networks might connect to each other over layer 2, say by computers from one subnet connecting to a wired network printer that also happens to generate its own WiFi access point to conveniently allow the other subnet to connect to it (run into this all the time). Or when somebody adds another switch, or when someone on one wired subnet connects to the WiFi AP for the other subnet at the same time, or when somebody connects their dual-nic computer to two different ports, etc. etc.
It sounds like in your case you may not really need to use vlans, but as I mention above, you just need to make sure you don't have some of these possible issues.
Well basically you don't need a FortiSwitch. Each FGT can do virtual switch and vlans natively.
However FGT only handles vlan tagged traffic - in both directions (from and to FGT). So Traffic that goes form the FGT onto your vlan will always be tagged by the FGT (i.e. "Untagged" in switch terms). Traffic coming to the FGT from out of your vlan musst then be tagged too.
If you do not happen to have a managed switch capable of vlan management you cannot have the switch doing this for you. This would mean that your clients will have to do the vlan tagging.
However this is a pain in the a** on windows and mostly rather impossible on embedded devices.
So if you really need vlans I recommend using managed switches that can do the vlan tagging on their ports.
Is there a special reason why you do want vlans?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1703 | |
1092 | |
752 | |
446 | |
229 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.