Hi,
We are using a FortiGate 101E firewall and a Cisco switch with one VLAN and one network, 192.168.x.x.
I want to segregate each department, for example: the PCs/printers/laptops of one department cannot communicate with the PCs/laptops/printers of another department.
Is it possible to make this work?
For me there are 2 possible options on how to achieve your target:
1. create VLANs on your Cisco switch if it is capable, or
2. since the FGT 100E supports 200 interfaces, you can configure those ports as routed or independent ports and assign different subnets on each interface. The firewall policy will dictate outgoing traffic and, at the same time, port-to-port communication.
Fortigate Newbie
If you do not want to or cannot create more VLANs and/or subnets, you can only use IP ranges. You would then have to make sure that the devices of each department stay in their range (e.g. DHCP reservations) and then use the range as destination/target in policies to allow or not allow traffic like you want to.
However I would recommend using more vlans and subnets for this. Makes life easier ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
For a secure network, you cannot use IP ranges to segment a LAN. I'd just configure an 'interesting' IP statically on my device and grant myself privileges.
VLANs can only communicate through routers. As long as I have no access to these, the VLAN keeps me limited.
yes. agreed
If you want communication and physical separation, do not use the Cisco L3 routing: span the VLANs to the FGT, let the default gateway be on the FGT and let the firewall control the traffic.
Define your VLANs and networks and set policies for what & where you need traffic.
e.g
# one tagged sub-interface per department on the trunk port; the FortiGate holds each VLAN's default gateway
config system interface
    edit "vlan1"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 19
        set interface "port1"
        set vlanid 1
        set ip 10.10.1.1/24
    next
    edit "vlan2"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 20
        set interface "port1"
        set vlanid 2
        set ip 10.10.2.1/24
    next
    edit "vlan3"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 21
        set interface "port1"
        set vlanid 3
        set ip 10.10.3.1/24
    next
end
and so on
address objects
# one subnet object per VLAN, referenced as source/destination in the policies
config firewall address
    edit "NET_10.10.1.0"
        set subnet 10.10.1.0/24
    next
    edit "NET_10.10.2.0"
        set subnet 10.10.2.0/24
    next
    edit "NET_10.10.3.0"
        set subnet 10.10.3.0/24
    next
end
and so on
Then build policies
Ken Felix
PCNSE
NSE
StrongSwan