
Thread: Fortinet 3200D's in an Intelligent Transportation System

  1. #1
    Junior Member, Join Date Jan 2017, Posts 4

    Fortinet 3200D's in an Intelligent Transportation System

    I have two 3200D's to be set up with HA Active-Active.

    Both will be used primarily to secure inside trusted networks from outside untrusted networks, all connected via multiple ten-gig links via Cisco 4500X's and Brocade ICX 7450's.

    There are a lot of VLANs in use that will be handling multicast and unicast traffic from over 190 miles of fiber.

    I am looking for suggestions, advice, and tips regarding the deployment.

    Thanks in advance!

    d3admin

  2. #2
    I would use Zones to ease your policy configuration. If you are using it strictly as a border patrol unit, that would be the most straightforward.

    Some questions I have to better direct you would be:
    1. Do you terminate the VLANs on the Gate, or are they on core infrastructure elsewhere?
    2. Do you want internal VLANs to talk to each other without the need of firewall policy (if they do terminate on the Gate)?

    From there I can explain how I would do it personally.

  3. #3
    Prior to the FortiGate install, everything terminated at the core (Cisco 4506).
    I installed all 10 gig circuits that were on the core onto a Cisco 4500X from 3 hub sites, which are 1 Brocade ICX 7450 and 2 Cisco 4500X, uplinked via LACP trunk to the core Cisco 4506.
    I have 2 VLANs I designated Trusted and all other external VLANs untrusted. So in essence the core is on the trusted side of the firewall and the Cisco 4500X is untrusted.

    Inter-VLAN traffic can flow freely on the trusted side.
    Inter-VLAN traffic can flow on the untrusted side with policies in place.

  4. #4
    I have created port groups / VLAN groups already and firewall policy service groups.

  5. #5
    [Attachment: CHP_Overview.jpg]
    Here is a pic of the layout.

  6. #6
    Awesome. So here is what I would do.

    On the trusted side of the Gate create a zone called TRUSTED and make sure "block intra-zone traffic" is unchecked. Assign the interfaces that are part of the trusted trunk to this zone.

    On the untrusted side do the same thing (except call it UNTRUSTED) and make sure "block intra-zone traffic" is CHECKED. Assign those trunked interfaces to the Zone.

    Policies will be created to allow trusted to communicate with untrusted.

    If the VLANs that are untrusted end up terminating on the Gate, you can also create untrust-to-untrust policies to control that communication.

    That will be the simplest layout as all of your policy will be tied to trust / untrust and you will always know where things are. Makes it easy for new hires to come in and get to work as well.
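The zone layout described in this reply, written out as FortiOS CLI. This is an added example and not configuration from the original thread or from the poster; the VLAN interface names (vlan10, vlan20 on the trusted trunk; vlan100, vlan200 on the untrusted trunk) are assumed placeholders, and the policy ID, address objects and service are left wide open so the structure is clear. In the CLI, the GUI checkbox "block intra-zone traffic" corresponds to `set intrazone deny` (checked) and `set intrazone allow` (unchecked).

```fortios
# Trusted zone: intra-zone traffic allowed, so trusted VLANs talk freely
# without a policy. Interface names are assumed placeholders.
config system zone
    edit "TRUSTED"
        set intrazone allow
        set interface "vlan10" "vlan20"
    next
    # Untrusted zone: intra-zone traffic blocked, so untrusted VLANs that
    # terminate on the FortiGate need an explicit UNTRUSTED-to-UNTRUSTED policy.
    edit "UNTRUSTED"
        set intrazone deny
        set interface "vlan100" "vlan200"
    next
end

config firewall policy
    # Trusted to untrusted: the only direction allowed by default in this layout.
    # srcaddr/dstaddr/service are placeholders; tighten them to the real
    # subnets and the service groups already created.
    edit 1
        set name "TRUSTED-to-UNTRUSTED"
        set srcintf "TRUSTED"
        set dstintf "UNTRUSTED"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Optional: untrusted VLAN to untrusted VLAN, only needed when those VLANs
    # terminate on the FortiGate. Placeholder address objects.
    edit 2
        set name "UNTRUSTED-intra"
        set srcintf "UNTRUSTED"
        set dstintf "UNTRUSTED"
        set srcaddr "vlan100-subnet"
        set dstaddr "vlan200-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Anything not matched by a policy (including untrusted-to-trusted, which has no policy here) falls through to the implicit deny, so the zone split enforces the trust boundary even if a VLAN is later added to the wrong trunk. Setting `logtraffic all` on every policy makes the accepted flows visible, which is what you want while validating the multicast and unicast paths over the new layout.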
