I have a customer, and the customer accesses our data center over MPLS. We use a FortiGate firewall with the access switch and servers. Now we want to put in another firewall for blocking some IP addresses in a VLAN. I added the network topology, like this:
Now working: Customers >> MPLS >> FGT1 >> Switch >> Servers
I understand that, as per your current setup, you have one FGT allowing access from your customer to your DC subnets. Now you want to add a new firewall between your FGT1 and the switch.
For example, I am assuming your customer subnet is 10.0.0.0/24 and your server subnet is 10.0.1.0/24.
When you add FGT2 between FGT1 and the switch, are you trying to configure multiple VLANs on FGT2? If that is the case, please follow the article below:
You may specifically look for the "To add VLAN subinterfaces" part.
If you do not want to add VLANs, you may just configure the server subnet IP on the physical interface.
Once the above is done, please add a route for 10.0.0.0/24 on FGT2 towards your FGT1; in your case, as per the diagram, via your LAN port.
Then you need to create the policy on FGT2 accordingly: sintf as your LAN port, dintf as the VLAN interface/physical interface on which you configured the server subnet IP, source as 10.0.0.0/24 if you want to allow all the sources, and destination as 10.0.1.0/24 if you want to allow traffic to all the destinations.
On FGT1 you will need to add the route for 10.0.1.0/24 pointing to FGT2 and configure the policy to allow the traffic, with sintf as your MPLS-connected interface, dintf as your interface connected to FGT2, source as 10.0.0.0/24 and destination as 10.0.1.0/24.