Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- edge router
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edge router
Has anyone had success with the 50B, 60B or 60C as an edge router? Our application is essentially an executive office suite building whereby we have a single fiber circuit (15 Mbps) that we provide as a WAN interface to the individual suites. Each suite needs one or more public IPs.
We were looking at some pure routers (Cisco 2811, 2911) and L3 switches (Catalyst 3750, 3560) but it seems like for what we need the Fortigate' s might be a better solution.
Our only requirements are to route the public IPs and configure the guarantee/max/priority bandwidth features of traffic shaping. We really aren' t interested in the security features because each interface will have it' s own firewall behind it.
So my questions are:
1. How does traffic shaping in the 50B/60B/60C compare to rate-limiting and policing in Cisco devices such as the ones listed above? Does it work well for both ingress and egress?
2. In the limited exposure I' ve had with a 50B (very impressed) there were some issues with SIP ALG and a particular SIP trunk provider (requiring that we disable it). If we configure the device in routing/transparent mode, are things like SIP ALG automatically disabled? We need the traffic to pass through Fortigate without any dynamic port mapping, etc.
Thanks for any thoughts or feedback.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you said you won' t need security features and just
need routing and qos. I would go with the cisco solution
since this have been tried and tested. You can' t go wrong
with this one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Fortigate will work perfectly in this scenario and gives you the ability to turn on security features later if required.
For example If you are offering the WAN link, maybe you would like to throttle P2P traffic so your WAN link isn' t exhausted. This would appear to a Cisco to simply be port 80, whereas the FG can delve deeper if needed in the future.
For the Function you are looking at, NAT mode would be better and you can simply use the FG as router, and be clever with VIPs and IP pools as well if you need it in the future.
Don' t forget that you can also use a USB 3G dongle as a backup in case you have a WAN problem.
You can always disable helpers if you see a problem and you can effectively turn off the Firewall state features by setting asynchronous-mode.
Still learning to type " the"
Still learning to type " the"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doshbass,
That sounds good, but did you mean to say NAT mode? That would involve remapping IPs and possible issues with protocols as SIP that aren' t very NAT friendly.
I would need to send public IPs to each user so that they have full access to configure things on their segment as they wish.
The only type of security that would be needed/desired in this scenario might be DDoS.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet uses the term NAT mode to mean Layer 3 routing. I simply meant that rather than transparent which is Layer 2.
Still learning to type " the"
Still learning to type " the"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So my questions are: 1. How does traffic shaping in the 50B/60B/60C compare to rate-limiting and policing in Cisco devices such as the ones listed above? Does it work well for both ingress and egress? 2. In the limited exposure I' ve had with a 50B (very impressed) there were some issues with SIP ALG and a particular SIP trunk provider (requiring that we disable it). If we configure the device in routing/transparent mode, are things like SIP ALG automatically disabled? We need the traffic to pass through Fortigate without any dynamic port mapping, etc.On #1, traffic shaping and packet priority is simple with a fortigate. In order to take advantage of TrafficShaping, you will need unique individual FWpolicies installed for the traffic that you will shape. So keep that in mind Also imho, traffic shapping on ingress is useless, you should rather shape the traffic at the egress and as close to the edge as possible. On #2, what' s specifically is the SIP problem with your SIP trunking and ALG? If your not doing any private-address-2-NAT/PAT translations, than dynamic ports openings should not be as critical. And lastly you should evaluate what you need? A router and firewall are not designed for the same functions and serve a different need. Let a router route data and a firewall perform it' s intended function. And yes a Firewall also does L3routing.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: emnoc Also imho, traffic shapping on ingress is useless, you should rather shape the traffic at the egress and as close to the edge as possible.Have you dealt with file sharing and large downloads lately?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This device will be placed as close to the edge as possible. I understand that a router and firewall are not designed for the same functions and serve a different need. What I' m having a hard time grasping is that it appears the 50B/60B/60C can function as a pure router (without any firewall services) and can handle the throughput that we need in our application.
That being the case would you recommend a 50B/60B/60C or a Cisco 2811/2911 to serve as our router that connects to our ISPs Ethernet hand-off?
In my experience Fortinet' s SIP ALG does not work with certain SIP providers. It sends responses to a different port than it was sent on and in my case I had to dsiable (along with the SIP helper).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This device will be placed as close to the edge as possible. I understand that a router and firewall are not designed for the same functions and serve a different need. What I' m having a hard time grasping is that it appears the 50B/60B/60C can function as a pure router (without any firewall services) and can handle the throughput that we need in our application.Yes the Fortigate can act as a pure router, but it cannot act without firewall services. Remember that after configuring ip addresses on interfaces and routing whether dynamic or static. You need to create firewall policies to enable traffic flow. Creating firewall policies activates a " firewall service" which is the statefull firewall of the Fortigate. A statefull firewall keeps tracks of sessions going in and out of the firewall as oppose to a router which just passes on traffic. Since a Fortigate has limited resources its session tracking has its limits, for an FG60B that would be 70,000 sessions. So depending on your traffic once you hit the session limit I believe FG will start blocking new sessions. So its not just about the throughput performance, you have to take into account the session limits of the FG. FG is a great product just use where it was designed/built for. In my opinion Routing and L2 Switching is Cisco domain (no offense to HP procurve :) ). For the 2900 series router based on datasheet it can handle 75MBps traffic with other services enabled aside from routing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also imho, traffic shapping on ingress is useless, you should rather shape the traffic at the egress and as close to the edge as possible.I agree with this one since traffic has already consumed capacity on the link before the Fortigate/Router can even drop it. Some applications might even make the situation worse since after a drop it will request the dropped packet to be retransmitted.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,803 -
FortiClient
1,787 -
5.2
801 -
FortiManager
744 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
439 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
217 -
FortiWeb
211 -
5.0
196 -
FortiNAC
195 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
37 -
RADIUS
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
32 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1744 | |
| 1114 | |
| 760 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.