Support Forum
rg2017
New Contributor III

Question regarding using our Fortigate for internal segmentation

Hello. I'm working on using our 101E for internal network segmentation. I've set up a LAG port to increase the amount of bandwidth available for segment-to-segment communication. I would like to route Internet access through a separate interface than the LAG port. The reason is that I have a third-party IDS that I want to continue mirroring Internet traffic to, and the LAG port on the Cisco switch we use won't allow setting it up for port mirroring.

So I want to route internal traffic through the LAG and Internet traffic through a different port on the Fortigate.

When I add an IP address to the LAG port that is on our main subnet, the Fortigate automatically starts routing all traffic for that subnet to the LAG port. This takes things down as far as Internet access. The LAG port needs to be reachable by internal workstations, so it needs an IP that is reachable by the subnet.

Does someone have recommendations on how to set this up?

Thanks

2 Solutions
lobstercreed
Valued Contributor

It might help to draw out the topology you're after. No duplicate IP addresses should exist for things to work properly (this is a router after all).

We use our FortiGate extensively as an internal segmentation firewall as well as for Internet traffic with no issues.  I've got 2 LAGs to my core (1 to carry a bunch of VLANs that connect directly to the firewall (L3 gateway is the FGT) and another for core-routed traffic (traffic whose GWs exist on the core).  Then I've got my two Internet connections heading to my ISPs (where I presume you are using your 3rd party IDS).


rwpatterson
Valued Contributor III

rg2017 wrote:
...When I add an IP address to the LAG port that is on our main subnet, ...

Why? If you add that IP address to the VLAN, issue resolved. No IP addresses should have to reside on the LAG since it is a trunk.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

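A FortiOS CLI sketch of the layout Bob describes, added here as an illustration rather than code from either poster: the aggregate is a bare 802.1Q trunk with no address of its own, each VLAN sub-interface on it carries the gateway IP for its segment, and Internet traffic leaves through a separate physical port (which the switch can then SPAN to the IDS). Port names, VLAN IDs, addresses and policy names are assumed placeholders, and the `#` lines are annotations, not FortiOS syntax.

```text
config system interface
    edit "core-lag"
        # trunk only: no IP address is set on the aggregate itself
        set type aggregate
        set member "port3" "port4"
    next
    edit "vlan10-users"
        set interface "core-lag"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
    next
    edit "vlan20-servers"
        set interface "core-lag"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
    next
    edit "wan1"
        set ip 203.0.113.2 255.255.255.252
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end
config firewall policy
    edit 1
        set name "users-to-servers"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        # Internet-bound traffic exits via wan1, never via the LAG
        set name "users-to-internet"
        set srcintf "vlan10-users"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The workstations in each segment use the matching VLAN sub-interface address (10.10.10.1, 10.10.20.1) as their default gateway, so nothing ever needs an address on the aggregate.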

4 REPLIES
emnoc
Esteemed Contributor III

If you have a WAN interface on the FGT, why do the IDS/IPS inspect at that point to catch only "internet" facing traffic? If the WAN port(s) are plumbed into the Cisco switch, just SPAN those to your port-mirror. The LAG you keep mentioning is not relevant.

e.g.

# assume vlan 50 is where your ISP links terminate on the cisco and the IDP is on port gi0/10

  monitor session 10 source vlan 50
  monitor session 10 destination interface gi0/10

You can also apply a filter with a layer 3 access list if you are looking at specific traffic:

  monitor session 10 filter ip access-group internet_traffic_tool_port

If you need to run IDS on internal, get a 2nd tool port on the IDS or a 2nd IDS and create a session just for that traffic and the VLANs related to your internal LANs.

YMMV

Ken Felix
PCNSE NSE StrongSwan
rg2017
New Contributor III

emnoc wrote:

If you have a WAN interface on the FGT, why do the IDS/IPS inspect at that point to catch only "internet" facing traffic? If the WAN port(s) are plumbed into the Cisco switch, just SPAN those to your port-mirror. The LAG you keep mentioning is not relevant.

e.g.

# assume vlan 50 is where your ISP links terminate on the cisco and the IDP is on port gi0/10

  monitor session 10 source vlan 50
  monitor session 10 destination interface gi0/10

You can also apply a filter with a layer 3 access list if you are looking at specific traffic:

  monitor session 10 filter ip access-group internet_traffic_tool_port

If you need to run IDS on internal, get a 2nd tool port on the IDS or a 2nd IDS and create a session just for that traffic and the VLANs related to your internal LANs.

YMMV
Ken Felix

I don't understand.
