I have a customer, and the customer accesses our data center over MPLS. We use a FortiGate firewall with the access switch and servers. Now we want to put in another firewall to block some IP addresses in a VLAN. I added the network topology, like this:
Now working: Customers>>MPLS>>FGT1>>Switch>servers
New: Customer>>MPLS>>FGT1>>FGT2>>Switch>servers
Is this possible? What rules should I write, or static routes, etc.? Can I carry the VLAN to FGT1?
Hi Customer,
Thank you for the query!
I understand that currently, as per your setup, you have one FGT allowing access from your customer to your DC subnets. Now you want to add a new firewall between your FGT1 and the switch.
For example, I am assuming your customer subnet is 10.0.0.0/24 and your server subnet is 10.0.1.0/24.
When you add FGT2 between FGT1 and the switch, are you trying to configure multiple VLANs on FGT2? If that is the case, please follow the article below:
>> https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans
You may specifically look for the "To add VLAN subinterfaces" part.
+ If you do not want to add the VLANs, you may just configure the server subnet IP on the physical interface.
Once the above is done, please add the route for 10.0.0.0/24 on FGT2 towards your FGT1; in your case, as per the diagram, via your lan port.
Then you may need to create the policy on FGT2 accordingly: sintf as your lan port, dintf as your VLAN interface/physical interface on which you configured the server subnet IP, source as 10.0.0.0/24 if you want to allow all the sources, and destination as 10.0.1.0/24 if you want to allow traffic to all the destinations.
On FGT1 you will need to add the route for 10.0.1.0/24 pointing to FGT2 and configure the policy to allow the traffic, with sintf as your MPLS-connected interface and dintf as your interface connected to FGT2, source as 10.0.0.0/24 and destination as 10.0.1.0/24.
+ Let us know if you have any further queries!
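A worked FGT2 configuration for the steps above, added here as an example; it is not part of the original reply or of Fortinet's documentation. It assumes NAT/route mode, that FGT2's lan port already carries the transit address 10.0.2.2/30 facing FGT1 at 10.0.2.1, that port2 is the trunk toward the switch, VLAN ID 10, and a constructed blocked host 10.0.0.50; the FGT1 side is the static route for 10.0.1.0/24 via 10.0.2.2 plus the MPLS-to-FGT2 accept policy described in the reply.

```fortios
config system interface
    edit "vlan_servers"              # VLAN subinterface carrying 10.0.1.0/24
        set type vlan
        set interface "port2"        # trunk toward the switch (port name assumed)
        set vlanid 10                # VLAN ID assumed
        set ip 10.0.1.1 255.255.255.0
    next
end
config router static
    edit 1                           # customer subnet is reached via FGT1
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.0.2.1         # FGT1 side of the transit link (assumed)
        set device "lan"
    next
end
config firewall address
    edit "customer-net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "server-net"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "blocked-host"              # constructed example of an address to block
        set subnet 10.0.0.50 255.255.255.255
    next
end
config firewall policy
    edit 1                           # deny first: policies are matched top-down
        set name "block-host-to-servers"
        set srcintf "lan"
        set dstintf "vlan_servers"
        set srcaddr "blocked-host"
        set dstaddr "server-net"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all           # log the drops so the block is visible
    next
    edit 2                           # then the allow from the reply
        set name "customer-to-servers"
        set srcintf "lan"
        set dstintf "vlan_servers"
        set srcaddr "customer-net"
        set dstaddr "server-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Verify the ordering with `show firewall policy` and the return path with `get router info routing-table all` on both units; if the deny sits below the accept, the host is never blocked.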
Thank you. My scenario is the same VLAN in transparent mode, but I can't ping if I do not add an IP address to the subinterface.
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans
```
config system interface
    edit VLAN_200_int
        set type vlan
        set interface internal
        set vlanid 200
    next
    edit VLAN_200_ext
        set type vlan
        set interface external
        set vlanid 200
    next
end
```
I guess. A virtual wire pair resolved my problem.
Copyright 2024 Fortinet, Inc. All Rights Reserved.