How to add Fortigate to network without routing all traffic through it?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-06-12 10:18:47 - last edited 2024-06-13 02:02:06
Model: OC200  
Hardware Version: V1
Firmware Version:

Hi,

I'm relatively new to networking.

 

I have device from ISP that is set in Bridge mode.

I have Omada router connected to it.

I have switch connected to Omada router.

I have ACs and other devices connected to this switch.

 

I have a client that requires a VPN connection to their office. They are using FortiGate VPN. But they are routing all traffic through it. I can't request them to change it.

I thought of getting a FortiGate device. Set it up to connect to the client's VPN and route only some traffic through it.

 

Where should I add this FortiGate device?

I was thinking of connecting its LAN output to a WAN input on the Omada router, setting it up as a second WAN, and then routing some IPs or networks to it.

But where to connect WAN on FortiGate? Should I connect it to LAN output of Omada Router or Switch? Or will 1 cable connected only to WAN be enough?

 

Sorry for the stupid question. But I didn't really find how to do it. I only found solutions where all traffic goes through the FortiGate and it sits between the ISP device and the router. But I don't want it this way.

#1
1 Accepted Solution
Re:How to add Fortigate to network without routing all traffic through it?-Solution
2024-06-13 02:01:57 - last edited 2024-06-13 02:03:50

Hi @Hooch 

Thanks for posting in our business forum.

Hooch wrote

I have a client that requires a VPN connection to their office. They are using FortiGate VPN. But they are routing all traffic through it. I can't request them to change it.

I thought of getting a FortiGate device. Set it up to connect to the client's VPN and route only some traffic through it.

 

If the VPN server end has determined to route all the traffic, as long as you connect to it, it will affect your network regardless of whatever you have configured.

When you select the local networks to apply the VPN tunnel, that's defined and cannot be changed unless the server changes.

You should wait for the future firmware that supports the Policy Routing which may improve the situation you face now.

 

If you are talking about the WG VPN, you probably can modify the allowed IP to adjust this. Instead of using the 0.0.0.0/0, use the remote subnet then.

#2
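The WireGuard AllowedIPs adjustment suggested in the reply above, as an added example that is not part of the original thread and not TP-Link or Fortinet code. It uses two constructed client configs (placeholder keys, an `.invalid` endpoint, a made-up 10.50.0.0/16 office subnet, a 10.200.0.0/24 tunnel subnet and a 192.168.10.0/24 local LAN) and a small Python model of WireGuard's AllowedIPs lookup (longest prefix wins) to show which destinations each config sends into the tunnel. It covers the client-side WireGuard case only; for a FortiGate client VPN where the server end dictates full-tunnel routing, the reply's point stands that this cannot be narrowed from the client.

```python
"""WireGuard-style route selection for a full-tunnel vs. a split-tunnel
client config.

WireGuard only hands a packet to a peer whose AllowedIPs contains the
destination (longest prefix wins), and wg-quick installs matching kernel
routes. So AllowedIPs = 0.0.0.0/0 turns the tunnel into the default route,
while listing only the remote subnet leaves everything else on the ISP path.
This is a simplified model of that lookup, not the wg-quick implementation.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample config; keys, endpoint and addresses are placeholders.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY-PLACEHOLDER
Address = 10.200.0.2/32

[Peer]
PublicKey = OFFICE-PUBLIC-KEY-PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

# Same peer, but AllowedIPs narrowed to the office LAN and the tunnel subnet.
SPLIT_TUNNEL_CONF = FULL_TUNNEL_CONF.replace(
    "AllowedIPs = 0.0.0.0/0",
    "AllowedIPs = 10.50.0.0/16, 10.200.0.0/24",
)

# Directly connected local LAN on the client side (constructed).
LOCAL_LANS = [ipaddress.ip_network("192.168.10.0/24")]


def parse_allowed_ips(conf: str) -> List[ipaddress.IPv4Network]:
    """Collect every network listed on an AllowedIPs line of the config."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if m:
            for cidr in m.group(1).split(","):
                nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def next_hop(dst: str, allowed: List[ipaddress.IPv4Network]) -> str:
    """Return 'lan', 'tunnel' or 'isp' for a destination address.

    Candidates are the tunnel's AllowedIPs and the directly connected LANs;
    the most specific (longest prefix) containing route wins, which is why a
    connected /24 still beats a 0.0.0.0/0 tunnel route. No match at all
    means the packet follows the ordinary ISP default route.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for net in LOCAL_LANS:
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "lan")
    for net in allowed:
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "tunnel")
    return best[1] if best else "isp"


def classify(conf: str, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to the path it takes under the given config."""
    allowed = parse_allowed_ips(conf)
    return {dst: next_hop(dst, allowed) for dst in destinations}


if __name__ == "__main__":
    probes = ["10.50.3.7", "8.8.8.8", "192.168.10.20"]
    for name, conf in (("full tunnel", FULL_TUNNEL_CONF),
                       ("split tunnel", SPLIT_TUNNEL_CONF)):
        print(name, classify(conf, probes))
```

Running the block prints the chosen path per destination for both configs. The check worth doing before narrowing AllowedIPs on a real client is that every subnet still needed (here the tunnel subnet 10.200.0.0/24 as well as the office LAN) is listed, since anything not covered silently falls back to the ISP path instead of failing loudly.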
2 Reply
Re:How to add Fortigate to network without routing all traffic through it?
2024-06-18 08:24:01 - last edited 2024-06-18 08:27:59

 

Adding a Fortigate firewall to a network without routing all traffic through it involves setting it up in a mode that allows monitoring and controlling traffic selectively. One effective way to achieve this is by configuring the Fortigate in "Transparent Mode" or using it for specific functions like web filtering, intrusion detection, or VPN services. Here’s a detailed guide on how to do it:

1. Planning and Preparation

- Network Assessment: Understand your current network topology and identify where the Fortigate will be placed.
- Objectives: Determine the primary purpose of adding the Fortigate (e.g., monitoring, filtering, VPN, etc.).

2. Setting Up Fortigate in Transparent Mode

In Transparent Mode, the Fortigate operates at Layer 2 (like a bridge) and does not require reconfiguring the IP scheme of your network.

  1. Initial Configuration:
     - Connect to the Fortigate via console or web interface.
     - Configure basic settings like management IP, admin credentials, etc.
  2. Change to Transparent Mode:
     - Navigate to System > Settings.
     - Set the Operation Mode to Transparent.
  3. Configure Management IP:
     - Assign a management IP to the Fortigate that matches your network’s subnet.
     - Ensure the IP does not conflict with other devices on the network.
  4. Bridge Network Interfaces:
     - Bridge the internal and external interfaces so the Fortigate can pass traffic between them.
     - Example: Bridge port1 and port2 if those are the interfaces connected to your network.
  5. Policy and Security Profiles:
     - Set up security policies to inspect and filter traffic as needed.
     - Apply necessary security profiles (e.g., antivirus, web filtering, IPS) to these policies.

3. Selective Traffic Routing

If the goal is to route only specific types of traffic through the Fortigate, you can achieve this by setting up policy routes or static routes.

  1. Define Policy Routes:
     - Go to Network > Policy Routes.
     - Create rules to direct specific traffic (based on IP, protocol, port, etc.) through the Fortigate.
  2. Static Routes:
     - Navigate to Network > Static Routes.
     - Add static routes for specific subnets or destinations that need to go through the Fortigate.

#3
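The "policy routes first, then static routes" selection that the reply above describes, as an added example that is not part of the original thread and not FortiGate or Omada code. It is a Python model of how a router with two upstream paths evaluates an ordered policy-route table (source, destination, protocol and port conditions, first match wins) before falling back to a longest-prefix lookup in the routing table. All addresses, the gateway labels `fortigate`, `isp` and `direct`, the 10.50.0.0/16 office subnet and the 203.0.113.10 service address are constructed for the example.

```python
"""Model of policy-route evaluation on a router with two upstream paths.

Policy routes are checked top-down before the routing table: the first rule
whose source, destination, protocol and port conditions all hold decides
the gateway. Only when no policy route matches does the usual longest-prefix
lookup in the static table run. The tables below are constructed examples
of steering just a client's office subnet (and one of their hosted services)
through a second gateway, labelled "fortigate", while everything else stays
on the ISP path.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class PolicyRoute:
    gateway: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None = any protocol
    dports: Optional[range] = None     # None = any destination port

    def matches(self, p: Packet) -> bool:
        """All configured conditions must hold for the rule to apply."""
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        return True


@dataclass
class StaticRoute:
    dst: str
    gateway: str


# Constructed tables. Order of POLICY_ROUTES matters: first match wins.
POLICY_ROUTES: List[PolicyRoute] = [
    # Office LAN behind the client's FortiGate, only from our main VLAN.
    PolicyRoute(gateway="fortigate", src="192.168.10.0/24", dst="10.50.0.0/16"),
    # One client-hosted HTTPS service that must be reached via their egress.
    PolicyRoute(gateway="fortigate", src="192.168.10.0/24",
                dst="203.0.113.10/32", proto="tcp", dports=range(443, 444)),
]

STATIC_ROUTES: List[StaticRoute] = [
    StaticRoute(dst="192.168.10.0/24", gateway="direct"),   # connected LAN
    StaticRoute(dst="192.168.20.0/24", gateway="direct"),   # second VLAN
    StaticRoute(dst="0.0.0.0/0", gateway="isp"),            # default route
]


def lookup_static(dst: str) -> str:
    """Longest-prefix match over the static table ('unroutable' if none)."""
    ip = ipaddress.ip_address(dst)
    best = max(
        (r for r in STATIC_ROUTES if ip in ipaddress.ip_network(r.dst)),
        key=lambda r: ipaddress.ip_network(r.dst).prefixlen,
        default=None,
    )
    return best.gateway if best else "unroutable"


def select_gateway(p: Packet) -> str:
    """Policy routes first, then the routing table."""
    for rule in POLICY_ROUTES:
        if rule.matches(p):
            return rule.gateway
    return lookup_static(p.dst)


if __name__ == "__main__":
    for pkt in (Packet("192.168.10.5", "10.50.7.7"),
                Packet("192.168.10.5", "8.8.8.8"),
                Packet("192.168.10.5", "203.0.113.10", dport=443),
                Packet("192.168.20.5", "10.50.7.7")):
        print(pkt, "->", select_gateway(pkt))
```

Two things the model makes visible that the GUI steps do not: the source condition confines the detour to the one VLAN that actually needs the client's network, so a host on 192.168.20.0/24 never reaches the office subnet even though the destination matches; and a policy route only decides which way packets leave this router, so whether the far VPN end accepts split traffic is still governed by the server-side configuration the accepted answer discusses.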