How to access a remote subnet that is configured on a Layer 3 Cisco switch, not on a FortiGate interface?
Using FW 100D
Suppose my HQ FortiGate internal interface (Port1) IP is 192.168.10.254, which is connected to a Cisco Layer 3 switch (Gi0/1 - access VLAN 10, and the VLAN SVI is 192.168.10.1), and there are many VLANs configured on this Cisco L3 switch (IP routing enabled).
Could you please explain how we can access the Server/User/Voice VLAN subnets from the Branch Office subnet?
The Branch Office FortiGate has its internal (Port1) IP 192.168.100.254, which connects to a Cisco Layer 2 switch. All the systems connected to this Cisco Layer 2 switch get their IP scope from the FortiGate firewall (Port1) - subnet 192.168.100.0/24.
Could you please explain, in this scenario, how I can access my HQ subnets from the Branch Office subnet and vice versa? Appreciate your suggestions.
Assuming you did the site-to-site IPsec between the FortiGates with the wizard and the HQ FGT has all the routes to the local networks in place (192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24), it should be fairly straightforward.
On the branch FGT you need to configure the routes to the networks on the HQ site going to the IPsec interface:
Via GUI navigate to Network -> Static Routes -> Create New
Repeat that for 192.168.12.0/24 and 192.168.13.0/24
Now create policies to allow the traffic between the networks and interfaces.
For example: From IPsec interface -> port1, and vice versa
On the HQ FGT you need a static route to the 192.168.100.0/24 network, also pointing to the IPsec interface.
Make sure you have policies to allow traffic from the branch (IPsec interface) to the local networks (port1), and also from the branch office to the local networks.
If you haven't created any site-to-site VPN between two FGs before, the best option would be using the IPsec wizard [Site to site] to create all the config for one pair of source and destination subnets (192.168.10.0/24 <-> 192.168.100.0/24) first. You can find some cookbooks for this part if you google it. Then learn via CLI what the wizard generated under:
config vpn ipsec phase1-interface
config vpn ipsec phase2-interface
config firewall address
config firewall policy
config router static
Then modify those that include 192.168.10.0/24 to something like 192.168.10.0/22 to include all subnets on the switch.
I would assume static routes to get to the switch for those subnets are already there in the HQ FG but if not you need to add them.
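The routes, phase 2 selectors and policies described in both replies, written out as FortiOS CLI (an added example, not configuration from the thread or from Fortinet). The IPsec interface names "HQ-VPN" (on the branch FGT) and "Branch-VPN" (on the HQ FGT) are assumptions; the VLAN subnets 192.168.11.0/24 to 192.168.13.0/24 are the ones the first reply names. Note that 192.168.10.0/22 is not an aligned prefix (the /22 containing 192.168.10.0 is 192.168.8.0/22, which covers .8 through .11 only), so the example lists the HQ subnets individually in an address group instead of widening the mask.

```fortios
# ===== Branch FortiGate (port1 = 192.168.100.254/24) =====
# Address objects: the local LAN and every HQ subnet behind the L3 switch.
config firewall address
    edit "Branch-LAN"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "HQ-LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "HQ-VLAN11"
        set subnet 192.168.11.0 255.255.255.0
    next
    edit "HQ-VLAN12"
        set subnet 192.168.12.0 255.255.255.0
    next
    edit "HQ-VLAN13"
        set subnet 192.168.13.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "HQ-Subnets"
        set member "HQ-LAN" "HQ-VLAN11" "HQ-VLAN12" "HQ-VLAN13"
    next
end
# Phase 2 selectors must cover every subnet pair; traffic that matches no
# selector is dropped silently even when routes and policies are correct.
# "HQ-VPN" is the assumed tunnel (phase1-interface) name.
config vpn ipsec phase2-interface
    edit "HQ-VPN"
        set phase1name "HQ-VPN"
        set src-addr-type name
        set src-name "Branch-LAN"
        set dst-addr-type name
        set dst-name "HQ-Subnets"
    next
end
# One static route per remote subnet, pointing at the tunnel interface.
# "edit 0" lets FortiOS assign the next free sequence number.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "HQ-VPN"
    next
    edit 0
        set dst 192.168.11.0 255.255.255.0
        set device "HQ-VPN"
    next
    edit 0
        set dst 192.168.12.0 255.255.255.0
        set device "HQ-VPN"
    next
    edit 0
        set dst 192.168.13.0 255.255.255.0
        set device "HQ-VPN"
    next
end
# Policies in both directions. NAT stays disabled (the default) so the
# original source addresses cross the tunnel; logging on for troubleshooting.
config firewall policy
    edit 0
        set name "Branch-to-HQ"
        set srcintf "port1"
        set dstintf "HQ-VPN"
        set srcaddr "Branch-LAN"
        set dstaddr "HQ-Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "HQ-to-Branch"
        set srcintf "HQ-VPN"
        set dstintf "port1"
        set srcaddr "HQ-Subnets"
        set dstaddr "Branch-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# ===== HQ FortiGate (port1 = 192.168.10.254/24) =====
# The branch LAN is reached through the tunnel; the VLAN subnets are reached
# through the switch SVI 192.168.10.1 on port1 (these are the routes the
# second reply assumes are already present).
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "Branch-VPN"
    next
    edit 0
        set dst 192.168.11.0 255.255.255.0
        set gateway 192.168.10.1
        set device "port1"
    next
    edit 0
        set dst 192.168.12.0 255.255.255.0
        set gateway 192.168.10.1
        set device "port1"
    next
    edit 0
        set dst 192.168.13.0 255.255.255.0
        set gateway 192.168.10.1
        set device "port1"
    next
end
# The HQ address objects, phase2-interface selectors and policies mirror the
# branch side with source and destination swapped ("Branch-VPN" <-> "port1").
```

Two checks worth doing after applying this. The Cisco L3 switch must itself have a route back to 192.168.100.0/24 (in practice a default route toward 192.168.10.254), otherwise replies from hosts on VLANs 11-13 never reach the HQ FortiGate and only the 192.168.10.0/24 hosts will answer. Then verify on each FortiGate with `get router info routing-table all` (the remote subnets should appear against the tunnel interface) and `diagnose vpn tunnel list` (each subnet pair should show up as a selector with a non-zero SA); if a ping works in one direction only, the missing piece is almost always the reverse policy or the reverse static route. Replace `service "ALL"` with the specific services the sites exchange once connectivity is confirmed.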