Fortinet/Fortigate with Cisco ASA in failover?

ahmad82pkn
Level 2

Hi,

In my current scenario I have two Cisco 5520 ASAs running in active/standby mode, and a single Fortinet unit is connected to the primary firewall.

Everything is working smoothly, and the firewall is failing over properly in case of link failures.

Now we want to add a secondary Fortinet unit. As per the Fortinet documentation, the Fortinet internal and external interfaces must be connected with some hub/switch (diagram attached), whereas I was planning to place it between the second Cisco ASA and the core. Is that the right place to plug it in?

Or do I really need to introduce a hub/switch on the internal and external side, as per the diagram provided by Fortinet?

Need advice on the placement of the Fortinet.

Attached is my current design and Fortinet manual proposal design.

5 Replies

Hi,

You can use the core switch for the internal interfaces. Just create a separate VLAN for the Fortigate connections and assign the same subnet IP to the SVI of this VLAN.

You can use any 8 or 24 port switch for the external connections, and it can also be used for DMZ connections if you have a DMZ zone, with two separate VLANs (external and DMZ).

Hi Systenetwork, as Fazal said, or in other words, simply configure the Fortinet in transparent mode and connect it as a bump between the core switch and the firewall inside interface, like this:

CORE----FORTINET---FIREWALL----INTERNET

For example, the core has IP 10.111.10.1 and the firewall has IP 10.111.10.10, so the Fortinet will have no IP, just sitting in between.

You can create an SVI as Fazal said, or you can create a Layer 3 port on the core switch and assign it an IP.
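The bump-in-the-wire layout described in the reply above, written out as an added configuration example that is not from any poster in this thread: a core-switch SVI in a dedicated Fortigate VLAN, and the Fortigate in transparent mode bridging that VLAN to the ASA inside interface. The VLAN number, port names, management IP and netmask are assumed; only the 10.111.10.1 (core) and 10.111.10.10 (firewall) addresses come from the thread.

```text
! --- Cisco core switch (IOS), assumed example values ---
! Dedicated VLAN for the Fortigate link; the SVI carries the core's 10.111.10.1 address
vlan 310
 name FG-INSIDE-BRIDGE
!
interface Vlan310
 description Core side of the transparent Fortigate bump-in-the-wire
 ip address 10.111.10.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description To Fortigate port1 (core-facing side)
 switchport mode access
 switchport access vlan 310
!
! Default route points at the ASA inside address; the Fortigate bridges it, it has no IP in the path
ip route 0.0.0.0 0.0.0.0 10.111.10.10

# --- Fortigate (FortiOS CLI), assumed example values ---
# Transparent mode: port1/port2 carry no IP; the optional manageip is only for administering the unit
config system settings
    set opmode transparent
    set manageip 10.111.10.5/255.255.255.0
end
# In transparent mode traffic is still policy-controlled: permit both directions across the bridge
# so that an IPS profile can later be attached to these same policies
config firewall policy
    edit 1
        set name "core-to-asa"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "asa-to-core"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

With the 10.111.10.0/24 subnet spanning both sides of the Fortigate, the core and the ASA remain each other's next hop and the Fortigate needs no routing of its own.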

ahmad82pkn

We thought it was that simple too. We have a Port-channel trunk with 3 VLANs that pass between the core and the firewall. We are on our 3rd attempt to put the Fortigate "in-line" and have it successful. We configured the Fortigate interfaces as an aggregate in LACP mode and created the internal and external VLANs on the Fortigate as suggested in their documentation.

First attempt: Fortinet told us we needed to use their forwarding domain feature.

2nd attempt: they told us we had to enable STP on the Fortigate.

3rd attempt: we were using "Port-Pairs" between the VLANs and things seemed better; they had to disable "anti-spoofing" and it got a little better, but DHCP was still not acting quite right.

We have had quite the challenge getting this Fortigate in place. One thing that we do have is... the firewall is actually the default gateway for the clients, and 2 of the VLANs are wireless networks that run in H-REAP\Flexconnect mode.

sytnetwork
Level 1

ahmad82pkn,

I am attempting to set up a Fortigate in transparent mode for IPS services between our Cisco ASA active/standby firewalls, just like you have in your diagram. Did you have an aggregate and a trunk going between the Fortigate and the ASAs, or was it just an access port? We have had a terrible time getting this configuration running in our environment, and Fortinet support has been less than helpful.

Mario Erceg
Level 1

Hi,

Can you send me your final design?

I have two ASAs in active/standby, two core switches in a stack, and one Fortigate in transparent mode on the primary path. The secondary ASA is directly connected to the switch.

I want to add a second Fortigate in the backup path. Can I connect them directly to the ASAs, or do I need to insert switches between the Fortigates and the ASAs?


Thanks