Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Fortinet/Fortigate with Cisco ASA in failover?

Hi,

in My current scenario i have two Cisco 5520 ASA running in Active/standby mode and a single Fortinet unit is connected to primary firewall.

every thing is working smooth, and Firewall is failing over properly in case of link failures.

Now we want to add a secondary Fortinet unit , as per Fortinet documenation, Fortinet internal and external interfaces must be connected with some hub/switch ( Diagram attached ) where as i was planning to place it in between second Cisco ASA and core. is that right place to plug it in?

or i really need to introduce a hib/switch in internal and external side as per diagram mentioned by Fortinet?

Need advise for placement of fortinet.

Attached is my current design and Fortinet manual proposal design.

4 REPLIES

Re: Fortinet/Fortigate with Cisco ASA in failover?

Hi,

You can use Core switch for the internal interfaces. Just create the seperate VLAN for fortigate connections and assign the same subnet ip to SVI of this VLAN.

You can use any 8 or 24 port switch for external connections and it can also be used for DMZ connections if you have DMZ Zone with two seprate vlans  (external and DMZ).

New Member

Hi Systenetwork, As Faraz

Hi Systenetwork, As Fazal said, or in other words, just simply configure fortinet is trnasparent mode. and connect it as a bump between Core switch and Firewall inside interface like this.

 

CORE----FORTNIET---FIREWALL----INTERNET

for example Core has IP 10.111.10.1 , and Firewall has IP 10.111.10.10 so fortinet will have no ip just sitting in  between.

you can create SVI as Fazal said, or you can create Layer 3 port on Core switch and assign it IP.

New Member

ahmad82pknwe thought it was

ahmad82pkn

we thought it was that simple too, we have a Port-channel Trunk with 3 vlans that pass between the core and the firewall. we are on our 3rd attempt to put the fortigate "in-line" and have it sucessful. we configured the fortigate interfaces as an aggregate in LACP mode and created the internal and external vlans's on the fortigate as suggested in there documenation.

 

first attempt fortinet told us er needed to use there forwarding domainn feature

2nd attempt they told us we had to enable STP on the fortigate

3rd attempt we were using "Port-Pairs" between the vlans and things seemed better they had to disable "anti-spoofing" and it got a litte better, but DHCP was still not acting quite right.

 

we have had quite the challange getting this fortigate in place, 1 thing that we do have is... the firewall is actually the Default gateway for the clients and 2 of the vlans are wireless networks that run in H-REAP\Flexconnect mode  

New Member

ahmad82pkn,I am attempting to

ahmad82pkn,

I am attempting to setup a Fortigate in Transparent mode for IPS services between our Cisco ASA active/standby mode firewalls just like you have in your diagram. Did you have an aggragate and a trunk going between the fortigate and ASA's? or was it just an access port? we have had a terrible time getting this configutration running in our environment and Fortinet support has been less than helpful 

1397
Views
0
Helpful
4
Replies
CreatePlease to create content