Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1307
Views
1
Helpful
5
Replies

3rd party firewall as fusion device

KevinR99
Level 1
Level 1

‎08-19-2023 06:06 AM

Hi

We are deploying an SDA fabric that will be handed off to an existing fortinet firewall as a fusion device.  Is it possible to extend the SGT information to the fortinet then we can use the SGT’s in the firewall rules?  If so how do we extend the SGT information to the fortinet when it is stripped off at the fabric border handoff ?

Thanks, Kev.

Labels:
0 Helpful
5 Replies 5

Flavio Miranda
VIP
VIP

‎08-19-2023 07:00 AM

Hi @KevinR99 

 As the fusion device is a device outside the fabric, theorically it could be any device. The question that needs to be done is does the Fortnet will support to be the fusion?

 If we look at the fusion role configuration on cisco docs, we have some specific requirements like support for BGP and enable to perform route linking.

"Fusion - Cisco Router with Support for Inter-VRF leaking"

"Fusion device is outside the fabric, though, and so is configured manually."

 

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/213525-sda-steps-to-configure-fusion-router.html

 

0 Helpful

KevinR99
Level 1
Level 1
In response to Flavio Miranda

‎08-19-2023 07:44 AM

Flavio

My firewall does support BGP and route leaking is simply achieved via routing on the firewall.  Each vrf can see other vrf routes and traffic between them is controlled by firewall routes.  So I return to my original question, how does the firewall get the SGT information on which to base rules on if the SGTs are stripped at the Border handoff?

Kev

0 Helpful

Flavio Miranda
VIP
VIP
In response to KevinR99

‎08-19-2023 09:56 AM - edited ‎08-19-2023 09:56 AM

@KevinR99  now I will say based on what I've seing and done.

The SGT is meant to be used in lateral control not in north/South communication. 

 When creating the SGT map on the DNAC you create devices groups and control the communication between those groups by using SGTs. This is called microsegmentation.

I do believe the SGT will not get to the Fusion device because it is not part of the fabric and it would be a north/South communication. 

 

0 Helpful

jedolphi
Cisco Employee
Cisco Employee
In response to Flavio Miranda

‎08-20-2023 09:15 PM - edited ‎08-20-2023 09:19 PM

Hi team, SGTs can be sent from the SD-Access Fabric to external devices, either in the data plane or the control plane, see this Cisco Live presentation where we do exactly that.

In this case we need to find out if Fortinet support SGTs and how they support SGTs. This would be a question best directed to your Fortinet representative please. (A quick web search suggests they have some level of support on some software/hardware). Best regards, Jerome

KevinR99
Level 1
Level 1
In response to jedolphi

‎08-21-2023 11:22 AM - edited ‎08-21-2023 11:22 AM

Thanks Jerome, that Cisco Live presentation was very useful.  I think it ran on a bit so hopefully you didn’t get marked down.  

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card