Hi,
we are playing around with ZTNA and I am not sure if I am too silly ;) or I have a single point of missing knowledge or misconfiguration.
Our Setup:
2 x FGT (HA) -> FortiSwitch (VLAN) <-- fiber, with transfer network --> FortiSwitch (VLAN) -> 2 x FGT (HA)
Some hints:
- we use a FortiSwitch on each site; we have a high-speed fiber ($$$) and this is only in place once, so for HA purposes on the FGT we use this FortiSwitch,
- the VLAN is configured with same ID on both sites and dataflow works
- we need a full FGT cluster at both sites, to set up local IP settings, manage the local switches and run both sites without interruptions if one site fails (we have a fallback route on site A to reach site B)
- the first idea was to manage *ALL* switches and networks from site (B); this would work, but then we cannot manage the setup on site (A) if there is any problem with site (B).
And now, the fun begins...
We set up a simple EMS Cloud to fulfill ZTNA.
a) Normally, a ZTNA server setup is required for this. I played around with FortiOS 7.0/7.2/7.4. Hm :/. Only TCP is working; no load balancing, no UDP and no port-range support is given. So, for many applications, this will not fit.
b) It is possible to work with tags (MAC, IP based) in the policies. But this will not work because of the different locations. We tried to allow a tag on site (B) from site (A) which is synced from EMS Cloud, but this is not working. I believe/suppose, but am not sure, that this is because of the Layer 3 setup between the two Site A/Site B VLANs. That means a client on site (A) having this tag assigned cannot pass through a policy on site (B) (C) (D) wherever. Is this right? The idea then is, but I am not sure, to set up the VLAN on (A) and (B) as 0.0.0.0/0.0.0.0 to have a simple Layer 2 setup. But routing will not work then, and I think Layer 2 is not even possible with the FGT in this setup.
Thanks for any ideas.
Ronny
Tags alone should be fine in the policies. Ensure that tags are synced properly to EMS Cloud on each FortiGate and show the same list of IPs for that tag.
I would make sure that the policy going from one FortiGate to another would not be NATting the traffic, as the real IP of the client is required for it to work.
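The reply above asks for two checks: that every FortiGate shows the same IP list for a given EMS tag, and that the inter-site policy does not NAT the client. The first check is easy to automate once the per-FortiGate tag views are exported; the script below is an added example (not code from the forum post, not Fortinet's tooling) that diffs those views and tells you whether a given client would match the tag on every FortiGate it traverses. The input shape, the FortiGate and tag names and the IP addresses are all constructed assumptions; in practice you would fill the dictionary from each FortiGate's own tag listing.

```python
"""Diff the EMS/ZTNA tag -> client-IP mapping as seen by several FortiGates.

Added example, not from the forum thread or from Fortinet. The input format is an
assumption: {fortigate_name: {tag_name: [client_ip, ...]}}, populated from each
FortiGate's own view of the synced tags. A client on site A can only match a
tag-based policy on site B if site B's FortiGate lists that client's (un-NATed)
IP under the same tag, which is exactly what these functions check.
"""
from collections import defaultdict

# Constructed sample: site B is missing one client under "ZTNA-Compliant".
SAMPLE_VIEWS = {
    "FGT-SiteA": {
        "ZTNA-Compliant": ["10.1.10.21", "10.1.10.22"],
        "ZTNA-AV-Running": ["10.1.10.21"],
    },
    "FGT-SiteB": {
        "ZTNA-Compliant": ["10.1.10.21"],
        "ZTNA-AV-Running": ["10.1.10.21"],
    },
}


def tag_mismatches(views):
    """Return {tag: {fortigate: set(missing_ips)}} for every tag whose IP list
    is not identical on all FortiGates. Missing means: present on at least one
    other FortiGate but absent here. Tags that agree everywhere are omitted."""
    union = defaultdict(set)  # tag -> every IP any FortiGate lists for it
    for tags in views.values():
        for tag, ips in tags.items():
            union[tag].update(ips)

    result = {}
    for tag, all_ips in union.items():
        per_fgt = {}
        for fgt, tags in views.items():
            missing = all_ips - set(tags.get(tag, []))
            if missing:
                per_fgt[fgt] = missing
        if per_fgt:
            result[tag] = per_fgt
    return result


def client_matches_everywhere(views, client_ip, tag):
    """True only if every FortiGate lists client_ip under tag. This is the
    condition for a tag-based policy on any site to match that client,
    assuming the traffic arrives with its real source IP (no NAT in between)."""
    return all(client_ip in tags.get(tag, []) for tags in views.values())


def report(views):
    """Human-readable summary of tag_mismatches(), one line per problem."""
    lines = []
    for tag, per_fgt in sorted(tag_mismatches(views).items()):
        for fgt, missing in sorted(per_fgt.items()):
            lines.append(f"{fgt}: tag {tag!r} is missing {sorted(missing)}")
    return lines or ["all tags agree on all FortiGates"]


if __name__ == "__main__":
    for line in report(SAMPLE_VIEWS):
        print(line)
    # A client that is tagged on site A but not yet synced to site B will not
    # match a tag-based policy on site B, which is the symptom in the question.
    for ip in ("10.1.10.21", "10.1.10.22"):
        ok = client_matches_everywhere(SAMPLE_VIEWS, ip, "ZTNA-Compliant")
        print(f"{ip} matches 'ZTNA-Compliant' on every FGT: {ok}")
```

If the script reports a tag as consistent but the policy still does not match, the remaining suspect is the second point in the reply: a NAT step between the sites replaces the client's source IP with one that no tag contains, so the policy on the far side has nothing to match against.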
This is now working fine using VLANs. Thanks.