How to configure FortiGate for VLANs and Inter-VLAN Routing.

  • Published: 19 Aug 2024
  • To configure VLANs in FortiGate, follow these steps:
    1. Log in to the FortiGate web interface using your administrator credentials.
    2. Navigate to the "Network" menu and select "Interfaces."
    3. Click "Create New" to create a new interface.
    4. Select "VLAN Interface" as the interface type.
    5. Enter a name for the VLAN interface in the "Name" field.
    6. In the "VLAN ID" field, enter the VLAN ID you want to use for this interface.
    7. Choose the physical interface that will carry this VLAN from the "Physical Interface" dropdown menu.
    8. Configure the IP address and subnet mask for the VLAN interface.
    9. Click "OK" to save the configuration.
    10. Repeat these steps to create additional VLANs, if necessary.
    After creating VLANs, you will need to reference them in firewall policies to allow or deny traffic between the VLANs and other interfaces on the FortiGate. To do this, follow these steps:
    1. Navigate to the "Policy & Objects" menu and select "IPv4 Policy."
    2. Click "Create New" to create a new policy.
    3. In the "Source Interface" field, select the VLAN interface that you want to use as the source for the traffic.
    4. In the "Destination Interface" field, select the interface or VLAN that will be the destination for the traffic.
    5. Configure the policy with the appropriate action, such as allowing or denying traffic, and specify any other necessary options.
    6. Click "OK" to save the policy.
    7. Once you have configured your VLANs and firewall policies, you should be able to route traffic between them and other interfaces on the FortiGate as needed. To become a FortiGate Subject Matter Expert, visit rakshitvidyart...
    Getting NSE4/5/7 is just an outcome! Or you can connect over call/WhatsApp at +91 8882199074
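    The same procedure expressed in the FortiOS CLI, as an added example that is not part of the video description. It assumes port3 as the physical interface carrying the VLANs, VLAN IDs 10 and 20, and the subnets 10.10.10.0/24 and 10.10.20.0/24; all of these names and addresses are constructed. Beyond the GUI steps it shows the points a practitioner checks: management access on the VLAN gateway addresses limited to ping, HTTPS and SSH; a policy that matches the VLAN subnets and one named service instead of "all"/"ALL"; traffic logging on; and NAT left disabled for inter-VLAN traffic. Only the vlan10-to-vlan20 direction is allowed here; the reverse direction hits the implicit deny unless a second policy is created.

```fortios
# Added example (not from the video): two VLAN sub-interfaces on port3 and
# one inter-VLAN policy. Names, VLAN IDs and subnets are constructed.
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        # management services on the gateway address: no http, no telnet
        set allowaccess ping https ssh
        set role lan
        set interface "port3"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set interface "port3"
        set vlanid 20
    next
end

# Address objects so the policy matches the VLAN subnets rather than "all"
config firewall address
    edit "VLAN10-NET"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "VLAN20-NET"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# vlan10 hosts may reach vlan20 on HTTPS only, logged, without NAT.
# vlan20 -> vlan10 is dropped by the implicit deny until a second policy exists.
config firewall policy
    edit 10
        set name "VLAN10-to-VLAN20-https"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set action accept
        set srcaddr "VLAN10-NET"
        set dstaddr "VLAN20-NET"
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat disable
    next
end
```

    After applying it, `get router info routing-table connected` should list both VLAN subnets as connected routes, and `diagnose sniffer packet vlan20 'port 443' 4` shows whether traffic from vlan10 is actually arriving on vlan20. The `#` lines are annotations and are ignored when the text is restored as a configuration; strip them if you paste the lines interactively. The switch port facing port3 must be a trunk carrying VLANs 10 and 20.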

Comments • 15

  • @GumbyTube
    @GumbyTube 6 months ago

    Excellent video. Thank you very much for your time and perfect explanations. This helped me out huge.

  • @netconfig999
    @netconfig999 4 months ago

    Thanks for sharing, this video is really helpful for me.

  • @kripasindhughosh1150
    @kripasindhughosh1150 1 year ago

    Thanks for the video sir!
    I have some doubts, could you please explain?
    1. In the virtual interface to virtual interface traffic (FIN --> MKT) policy, NAT was enabled; is it required?
    2. To forward virtual interface (VLAN 10 and 20) traffic to the internet, do we need a static route for both of the subnets, or is a default route enough?

    • @rakshitvidyarthi
      @rakshitvidyarthi 1 year ago

      1--> In most cases no, as the VLAN traffic is mostly internal unless otherwise stated by the customer.
      2--> A default route pointing towards port1 (WAN) is enough. Static routes are required only if you need to move a specific destination's traffic towards another interface.
      Hope it helps!
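      The two answers above in FortiOS CLI form, as an added example that is not part of the reply. It assumes VLAN interfaces named vlan10 and vlan20 and address objects VLAN10-NET and VLAN20-NET already exist, that port1 is the WAN interface, and that the upstream gateway is 203.0.113.1; all of these are constructed. One default route covers every VLAN subnet, so no per-VLAN static route is needed, and the VLAN-to-internet policy is the one place NAT is switched on, because the private VLAN addresses must be rewritten to port1's address before they leave; an inter-VLAN policy keeps NAT disabled.

```fortios
# Added example (not from the reply): one default route out port1 carries all
# VLAN subnets to the internet. Names, subnets and gateway are constructed.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
    next
end

# Internet access for both VLANs, source NAT enabled, limited to web and DNS.
config firewall policy
    edit 20
        set name "VLANs-to-Internet"
        set srcintf "vlan10" "vlan20"
        set dstintf "port1"
        set action accept
        set srcaddr "VLAN10-NET" "VLAN20-NET"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
        set nat enable
    next
end
```

      Confirm the route with `get router info routing-table all`, which should show a static default route via 203.0.113.1 on port1, and check that a VLAN host's session appears with its translated source address in the forward traffic log. Because the VLAN-to-VLAN and VLAN-to-WAN rules are separate policies, enabling NAT on the internet policy has no effect on inter-VLAN traffic.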

    • @kripasindhughosh1150
      @kripasindhughosh1150 1 year ago

      @rakshitvidyarthi Thanks for your time 🙏

  • @lumpiataoge9536
    @lumpiataoge9536 11 months ago

    Question: can I use the 802.3ad interface as my VLAN connection? I have a 100D running with version 5. I know this is an old device, but I want to know if I can do this on the latest OS?

  • @maurofadda289
    @maurofadda289 1 month ago

    Why does port3 have an IP? Do you use that as management?

    • @rakshitvidyarthi
      @rakshitvidyarthi 1 month ago

      Port3 is acting as the gateway for LAN segments/users.

    • @maurofadda289
      @maurofadda289 1 month ago

      @rakshitvidyarthi OK, but if I had a switch attached to that port, would I give it that network as a management IP?

    • @rakshitvidyarthi
      @rakshitvidyarthi 1 month ago

      @maurofadda289 The idea behind connecting devices in such a topology is to emulate an environment of LAN users connecting to their gateway, which is the firewall. In real scenarios, we have MGMT ports which are used to keep the management plane separate from the data plane.

  • @zpark88
    @zpark88 11 months ago

    Hi,
    I was tasked with a setup of the following.
    4 VLANs where they all have DHCP.
    VLAN 1 and VLAN 2 should have access between each other.
    And VLAN 3 and 4 should be standalone.
    They are also all supposed to have 100 addresses each.
    I created 4 VLANs on 4 different internal switches and I added 4 policies on VLAN 1 and VLAN 2,
    since I'm unsure how the access between 2 VLANs is supposed to be so that they can fully access each other, but not allowing the others in.
    Now I'm not sure if this video is the correct one to use for such a setup.
    Also, I might ask as I'm very new to this kind of stuff. So it would be nice to get some help.

    • @rakshitvidyarthi
      @rakshitvidyarthi 11 months ago +1

      If I understand this correctly, let me share what needs to be done on FortiGate:
      Create VLAN interfaces (vlan1, vlan2, vlan3, and vlan4) on the FortiGate.
      Assign IP addresses to each VLAN interface.
      Allow necessary services (like ping, SSH, HTTP) on each VLAN interface.
      Set up DHCP servers for each VLAN interface.
      Configure a range of 100 IP addresses for each VLAN.
      Create firewall policies:
      Allow traffic from vlan1 to vlan2.
      Allow traffic from vlan2 to vlan1.
      This ensures vlan1 and vlan2 can communicate but vlan3 and vlan4 remain standalone.
      (if needed):
      Create NAT policies to allow internet access from each VLAN (assuming this was required).
      config system interface
          edit vlan1
              set type vlan
              set vlanid 1
              set interface
              set ip 192.168.1.1 255.255.255.0
              set allowaccess ping https ssh snmp http telnet
          next
          edit vlan2
              set type vlan
              set vlanid 2
              set interface
              set ip 192.168.2.1 255.255.255.0
              set allowaccess ping https ssh snmp http telnet
          next
          edit vlan3
              set type vlan
              set vlanid 3
              set interface
              set ip 192.168.3.1 255.255.255.0
              set allowaccess ping https ssh snmp http telnet
          next
          edit vlan4
              set type vlan
              set vlanid 4
              set interface
              set ip 192.168.4.1 255.255.255.0
              set allowaccess ping https ssh snmp http telnet
          next
      end
      config system dhcp server
          edit 1
              set interface vlan1
              set default-gateway 192.168.1.1
              set netmask 255.255.255.0
              set ip-range start 192.168.1.10 end 192.168.1.109
          next
          edit 2
              set interface vlan2
              set default-gateway 192.168.2.1
              set netmask 255.255.255.0
              set ip-range start 192.168.2.10 end 192.168.2.109
          next
          edit 3
              set interface vlan3
              set default-gateway 192.168.3.1
              set netmask 255.255.255.0
              set ip-range start 192.168.3.10 end 192.168.3.109
          next
          edit 4
              set interface vlan4
              set default-gateway 192.168.4.1
              set netmask 255.255.255.0
              set ip-range start 192.168.4.10 end 192.168.4.109
          next
      end
      config firewall policy
          edit 1
              set name "VLAN1 to VLAN2"
              set srcintf vlan1
              set dstintf vlan2
              set srcaddr all
              set dstaddr all
              set action accept
              set schedule always
              set service ALL
          next
          edit 2
              set name "VLAN2 to VLAN1"
              set srcintf vlan2
              set dstintf vlan1
              set srcaddr all
              set dstaddr all
              set action accept
              set schedule always
              set service ALL
          next
      end
      You can always modify the source and destination addresses as per the real IP address requirements. Treat this as a high-level overview of what needs to be executed on FortiGate.
      Hope this helps.
      All the best!

  • @lokendrabhatia1995
    @lokendrabhatia1995 1 year ago

    Hi sir, how can I contact you?

    • @rakshitvidyarthi
      @rakshitvidyarthi 1 year ago

      You can search for me on Google or visit rakshitvidyarthi.com/.