Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alex126
New Contributor

New Fortigate User (forgive my ignorance) Architecture Question

Well this is my first post here, so I'll just jump right into it.

 

After over a year of trying, I finally convinced management that we needed to implement a NGFW solution on our network. We wound up selecting a FortiGate 100F, as it suits our throughput needs fairly well. 

 

Here is where I ran into a dilemma- our network configuration isn't exactly the simplest thing in the world. We have 3 separate internet connections feeding into two routers, then into 4 rack switches, etc. (I didn't set it up this way). Router A controls traffic for our internal network and Router B is only responsible for Guest WiFi APs. Router A also has several VPNs that connect to our off site locations. 

 

Placing the FortiGate in NAT mode at the network edge was my first thought, but that would take down our VPNs and (I believe) there would be subnet conflicts between the two routers.

 

My next thought was to use Transparent mode and create VLANs to route traffic appropriately, would that be viable? I can't find a clear answer one way or the other.

 

Finally, I was considering utilizing VDOMs (one for Router A, one for Router B).

 

Which method would be recommended here? I'm a one man show and trying to learn all of this on the fly. 

2 REPLIES 2
GDiFi
Staff
Staff

What is your goal for the Fortigate?  Do you just want to inspect traffic or do you want to replace the router(s).  If you are only concerned with inspection, you can setup transparent vdoms to inspect the traffic and use the root for management. 

nejcs
New Contributor II

Hi Alex,

 

I've been trough this a few years before. We then decided to go with 2 VDOMs - one transparent and one in NAT mode. 

Guess what? We are now working hard to get rid off transparent one..

 

To answer your question.. I would invest some more time into this cut-ower and replace all the other routers. Probably with one vdom only, unless you have a strong reason for another one (like if one part of the network is managed by somebody else).

On this new VDOM I would combine all 3 ISPs into one SD-WAN and set up outgoing roules accordingly, so that guest network for example, can still use separate ISP. But this separate ISP is now available for others also if needed (maybe as a spill over?).

Once you have SD-WAN in place, you can also measure quality of your links, and for critical applicatons decide to take the one with maybe lovest latency or whathever might be best for your app.

 

 For internal networks - I would recommend using only X connectors (10Gbps) on the unit for all vlans, both of them if you can setup LACP on your switches. We use stackable switches, so one connection can go into one switch and the other to the second one. Switches must support mlag in one or the other way. This setup is the most flexible, since fortigate does not allow you to change vlan ID or other parameters of the interface once it is created. It can be done in config files (exporting, editing, importing), but then you have to restart the system to import the new config.. I would also leave default vlan for switch and AP managment, sou you can add new equipment easily.  

 

Good luck, 

Jernej