Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fakeseller

LAN connection from FortiGate to FortiGate

I have a customer, and the customer accesses our data center over MPLS. We use a FortiGate firewall in front of the access switch and servers. Now we want to put in another firewall for blocking some IP addresses in a VLAN. I added the network topology, like this:

Now working: Customers>>MPLS>>FGT1>>Switch>servers

New: Customer>>MPLS>>FGT1>>FGT2>>Switch>servers

[Images: tp2.JPG, tp3.JPG]

fakeseller

Is this possible? What rules should I write, static routes, etc.? Can I carry the VLAN to FGT1?

tthrilok

Hi Customer,

Thank you for the query!

I understand that currently, as per your customer's setup, you have one FGT allowing access from your customer to your DC subnets. Now you want to add a new firewall between your FGT1 and the switch.

For example, I am considering your customer subnet to be 10.0.0.0/24 and your server subnet to be 10.0.1.0/24.

When you add FGT2 between FGT1 and the switch, are you trying to configure multiple VLANs on FGT2? If that is the case, please follow the article below:

>> https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans

You may specifically look for the "To add VLAN subinterfaces" part.

+ If you do not want to add VLANs, you may just configure the server subnet IP on the physical interface.

Once the above is done, please add the route for 10.0.0.0/24 on FGT2 towards FGT1; in your case, as per the diagram, via your LAN port.

Then you may need to create the policy on FGT2 accordingly: sintf as your LAN port, dintf as the VLAN interface/physical interface on which you configured the server subnet IP, source as 10.0.0.0/24 if you want to allow all the sources, and destination as 10.0.1.0/24 if you want to allow traffic to all the destinations.

On FGT1 you will need to add the route for 10.0.1.0/24 pointing to FGT2 and configure the policy to allow the traffic, with sintf as your MPLS-connected interface and dintf as your interface connected to FGT2, source as 10.0.0.0/24 and destination as 10.0.1.0/24.

+ Let us know if you have any further queries!
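
The routed design described in the reply above, written out as FortiOS CLI. This is an added example, not configuration from the reply, from the thread or from Fortinet's documentation. It keeps the reply's example subnets (customer 10.0.0.0/24, server 10.0.1.0/24) and assumes everything else: on FGT2, port1 faces FGT1 over a transit link 10.0.2.0/30 (FGT2 10.0.2.1, FGT1 10.0.2.2) and port2 carries VLAN 200 to the switch; on FGT1, port1 is the MPLS side and port3 faces FGT2. VLAN ID 200 is borrowed from the original poster's later snippet; the interface names and transit subnet are placeholders.

```fortios
# Added example, not from the thread. Assumed names: FGT2 port1 -> FGT1 over
# transit 10.0.2.0/30, FGT2 port2 -> switch carrying VLAN 200; on FGT1, port1 is
# the MPLS side and port3 faces FGT2. 10.0.0.0/24 and 10.0.1.0/24 are the
# reply's customer and server subnets.

# ===== FGT2 =====
config system interface
    edit "port1"
        set ip 10.0.2.1 255.255.255.252
        set allowaccess ping
    next
    # the server subnet gateway now lives on this VLAN subinterface
    edit "VLAN_200"
        set vdom "root"
        set type vlan
        set interface "port2"
        set vlanid 200
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping
    next
end

# return path for customer traffic goes back to FGT1 over the transit link
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.0.2.2
        set device "port1"
    next
end

config firewall address
    edit "customer-net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "server-net"
        set subnet 10.0.1.0 255.255.255.0
    next
end

# no NAT: servers keep seeing the real customer addresses
config firewall policy
    edit 0
        set name "customer-to-servers"
        set srcintf "port1"
        set dstintf "VLAN_200"
        set srcaddr "customer-net"
        set dstaddr "server-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# ===== FGT1 =====
config system interface
    edit "port3"
        set ip 10.0.2.2 255.255.255.252
    next
end

# the server subnet is now one hop away behind FGT2
config router static
    edit 0
        set dst 10.0.1.0 255.255.255.0
        set gateway 10.0.2.1
        set device "port3"
    next
end

config firewall address
    edit "customer-net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "server-net"
        set subnet 10.0.1.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "mpls-to-servers"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "customer-net"
        set dstaddr "server-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because FGT2 becomes a routed hop, the servers' default gateway has to move to FGT2's VLAN address (10.0.1.1 in this example). Check each unit with `get router info routing-table all`: FGT1 should list 10.0.1.0/24 via 10.0.2.1 and FGT2 should list 10.0.0.0/24 via 10.0.2.2 before testing the policies.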

fakeseller

Thank you. My scenario is the same VLAN in transparent mode, but I can't ping if I don't add an IP address to the subinterface.

[Image: example.JPG]

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/402940/vlans

config system interface
    # VLAN 200 subinterface on the "internal" port
    edit VLAN_200_int
        set type vlan
        set interface internal
        set vlanid 200
    next
    # matching VLAN 200 subinterface on the "external" port (same VLAN ID, transparent-mode pair)
    edit VLAN_200_ext
        set type vlan
        set interface external
        set vlanid 200
    next
end

fakeseller

I guess. A virtual wire pair resolved my problem.
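
The virtual wire pair approach the original poster settled on, written out as an added FortiOS CLI example; the thread itself gives no configuration for it, so nothing here is the poster's own config. It assumes FGT2 sits in line with port2 toward FGT1 and port3 toward the switch, that both ports carry no IP address and are referenced by nothing else (a requirement for virtual wire pair members), that the tagged VLAN 200 from the poster's snippet should pass through untouched, and that 10.0.1.50 is a placeholder server address to block. The `wildcard-vlan` option is assumed to be available (FortiOS 6.x or later).

```fortios
# Added example, not from the thread. Assumed: port2 faces FGT1, port3 faces the
# switch, neither port has an IP or any other reference; 10.0.1.50 is a
# placeholder address to block. FGT1 and the switch keep their existing
# addressing and routing, since the pair is a layer-2 bump in the wire.
config system virtual-wire-pair
    edit "fgt1-to-switch"
        set member "port2" "port3"
        # pass tagged frames (VLAN 200 and any other VLAN) through the pair
        set wildcard-vlan enable
    next
end

config firewall address
    edit "blocked-server"
        set subnet 10.0.1.50 255.255.255.255
    next
end

# Virtual wire pair policies use the two members as srcintf/dstintf.
# The deny sits above the allow because policies are matched top-down.
config firewall policy
    edit 0
        set name "vwp-deny-blocked-server"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "blocked-server"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "vwp-allow-fgt1-to-switch"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vwp-allow-switch-to-fgt1"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Unlike the routed design, no static routes or gateway changes are needed on FGT1, FGT2 or the servers, which is what makes this fit a same-VLAN insertion. Confirm the block is taking effect with `diagnose sniffer packet any 'host 10.0.1.50' 4` on FGT2 while a customer host tries to reach the blocked address.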
