gatorHeel
New Contributor

edge router

Has anyone had success with the 50B, 60B or 60C as an edge router? Our application is essentially an executive office suite building whereby we have a single fiber circuit (15 Mbps) that we provide as a WAN interface to the individual suites. Each suite needs one or more public IPs. We were looking at some pure routers (Cisco 2811, 2911) and L3 switches (Catalyst 3750, 3560), but it seems like for what we need the Fortigates might be a better solution. Our only requirements are to route the public IPs and configure the guarantee/max/priority bandwidth features of traffic shaping. We really aren't interested in the security features because each interface will have its own firewall behind it. So my questions are:
1. How does traffic shaping in the 50B/60B/60C compare to rate-limiting and policing in Cisco devices such as the ones listed above? Does it work well for both ingress and egress?
2. In the limited exposure I've had with a 50B (very impressed) there were some issues with SIP ALG and a particular SIP trunk provider (requiring that we disable it). If we configure the device in routing/transparent mode, are things like SIP ALG automatically disabled? We need the traffic to pass through Fortigate without any dynamic port mapping, etc.
Thanks for any thoughts or feedback.
rocampo
New Contributor

Since you said you won't need security features and just need routing and QoS, I would go with the Cisco solution, since this has been tried and tested. You can't go wrong with this one.
doshbass
New Contributor III

The Fortigate will work perfectly in this scenario and gives you the ability to turn on security features later if required. For example, if you are offering the WAN link, maybe you would like to throttle P2P traffic so your WAN link isn't exhausted. This would appear to a Cisco to simply be port 80, whereas the FG can delve deeper if needed in the future. For the function you are looking at, NAT mode would be better, and you can simply use the FG as a router, and be clever with VIPs and IP pools as well if you need them in the future. Don't forget that you can also use a USB 3G dongle as a backup in case you have a WAN problem. You can always disable helpers if you see a problem, and you can effectively turn off the firewall state features by setting asynchronous-mode.
Still learning to type " the"
gatorHeel

doshbass, that sounds good, but did you mean to say NAT mode? That would involve remapping IPs and possible issues with protocols such as SIP that aren't very NAT friendly. I would need to send public IPs to each user so that they have full access to configure things on their segment as they wish. The only type of security that would be needed/desired in this scenario might be DDoS.
doshbass
New Contributor III

Fortinet uses the term NAT mode to mean Layer 3 routing. I simply meant that rather than transparent which is Layer 2.
emnoc
Esteemed Contributor III

So my questions are:
1. How does traffic shaping in the 50B/60B/60C compare to rate-limiting and policing in Cisco devices such as the ones listed above? Does it work well for both ingress and egress?
2. In the limited exposure I've had with a 50B (very impressed) there were some issues with SIP ALG and a particular SIP trunk provider (requiring that we disable it). If we configure the device in routing/transparent mode, are things like SIP ALG automatically disabled? We need the traffic to pass through Fortigate without any dynamic port mapping, etc.
On #1, traffic shaping and packet priority is simple with a Fortigate. In order to take advantage of traffic shaping, you will need unique individual FW policies installed for the traffic that you will shape, so keep that in mind. Also, imho, traffic shaping on ingress is useless; you should rather shape the traffic at the egress and as close to the edge as possible. On #2, what specifically is the SIP problem with your SIP trunking and ALG? If you're not doing any private-address-2-NAT/PAT translations, then dynamic port openings should not be as critical. And lastly, you should evaluate what you need. A router and firewall are not designed for the same functions and serve a different need. Let a router route data and a firewall perform its intended function. And yes, a firewall also does L3 routing.

PCNSE NSE StrongSwan
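An added example, not from any poster in this thread, of what the "one policy per shaped flow" setup described above looks like on the FortiOS CLI of that era: a shaper with guaranteed/max/priority values, attached to a pair of routed (no NAT) policies for one suite. Interface names, the shaper and address names, and the 203.0.113.16/28 block (RFC 5737 documentation range) are constructed placeholders; bandwidth values are kbit/s.

```fortios
# Constructed placeholder: one suite owns the routed public block 203.0.113.16/28.
config firewall address
    edit "suite1-public"
        set subnet 203.0.113.16 255.255.255.240
    next
end

# Shaper: 2 Mbit/s guaranteed, 5 Mbit/s ceiling out of the 15 Mbit/s circuit,
# high priority so it is served first when the link is contended.
# per-policy disabled means every policy referencing this shaper shares
# the same 2/5 Mbit/s budget; enable it to give each policy its own copy.
config firewall shaper traffic-shaper
    edit "suite1-shaper"
        set guaranteed-bandwidth 2048
        set maximum-bandwidth 5120
        set priority high
        set per-policy disable
    next
end

# Shaping is bound to the policy, so each suite needs its own accept policies.
# nat stays disabled: the public block is routed through, not translated.
# Service "ANY" is the 4.x name; newer firmware calls it "ALL".
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "suite1-public"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
        set traffic-shaper "suite1-shaper"
        set traffic-shaper-reverse "suite1-shaper"
    next
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "suite1-public"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
        set traffic-shaper "suite1-shaper"
        set traffic-shaper-reverse "suite1-shaper"
    next
end
```

Because the shaper is shared across both policies, the reverse-direction setting on each policy is what actually caps download traffic toward the suite; without it only the egress direction is shaped.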
rwpatterson
Valued Contributor III

ORIGINAL: emnoc
Also imho, traffic shaping on ingress is useless, you should rather shape the traffic at the egress and as close to the edge as possible.
Have you dealt with file sharing and large downloads lately?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
gatorHeel

This device will be placed as close to the edge as possible. I understand that a router and firewall are not designed for the same functions and serve a different need. What I'm having a hard time grasping is that it appears the 50B/60B/60C can function as a pure router (without any firewall services) and can handle the throughput that we need in our application. That being the case, would you recommend a 50B/60B/60C or a Cisco 2811/2911 to serve as our router that connects to our ISP's Ethernet hand-off? In my experience Fortinet's SIP ALG does not work with certain SIP providers. It sends responses to a different port than they were sent on, and in my case I had to disable it (along with the SIP helper).
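An added example, not posted by anyone in the thread, of the two-part change the post above refers to: removing the SIP session helper and turning off the SIP ALG so SIP signalling passes through the unit untouched. The helper id 13 is the usual default for SIP on port 5060, but it is an assumption here; list the helpers first and use the id your unit shows.

```fortios
# List the session helpers; the SIP entry is normally id 13 (tcp/udp 5060).
# Confirm the id on your own unit before deleting, then remove it.
config system session-helper
    show
    delete 13
end

# Also stop the kernel SIP helper and SIP NAT tracing (per-VDOM settings).
# Leaving these on is only a problem when no NAT is applied, as in this
# routed deployment, because the helper still rewrites SIP ports.
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

# Existing sessions keep the old helper binding; clearing the table makes
# new calls pick up the change. Note this drops every current session.
diagnose sys session clear
```

After the change, a SIP registration should show the same source port on both sides in `diagnose sniffer packet any "port 5060"`, which is the quickest way to confirm the ALG is no longer rewriting ports.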
rocampo

This device will be placed as close to the edge as possible. I understand that a router and firewall are not designed for the same functions and serve a different need. What I'm having a hard time grasping is that it appears the 50B/60B/60C can function as a pure router (without any firewall services) and can handle the throughput that we need in our application.
Yes, the Fortigate can act as a pure router, but it cannot act without firewall services. Remember that after configuring IP addresses on interfaces and routing, whether dynamic or static, you need to create firewall policies to enable traffic flow. Creating firewall policies activates a "firewall service", which is the stateful firewall of the Fortigate. A stateful firewall keeps track of sessions going in and out of the firewall, as opposed to a router, which just passes on traffic. Since a Fortigate has limited resources, its session tracking has its limits; for an FG60B that would be 70,000 sessions. So depending on your traffic, once you hit the session limit I believe the FG will start blocking new sessions. So it's not just about the throughput performance; you have to take into account the session limits of the FG. The FG is a great product, just use it for what it was designed/built for. In my opinion routing and L2 switching are Cisco's domain (no offense to HP ProCurve :) ). For the 2900 series router, based on the datasheet it can handle 75MBps traffic with other services enabled aside from routing.
rocampo
New Contributor

Also imho, traffic shaping on ingress is useless, you should rather shape the traffic at the egress and as close to the edge as possible.
I agree with this one, since traffic has already consumed capacity on the link before the Fortigate/router can even drop it. Some applications might even make the situation worse, since after a drop they will request the dropped packet to be retransmitted.