Business Community > General Discussion > How to add Fortigate to network without routing all traffic through it?
< General Discussion

How to add Fortigate to network without routing all traffic through it?

How to add Fortigate to network without routing all traffic through it?

How to add Fortigate to network without routing all traffic through it?
How to add Fortigate to network without routing all traffic through it?
3 weeks ago - last edited 3 weeks ago
Model: OC200  
Hardware Version: V1
Firmware Version:

Hi,

I'm relatively new to networiking.

 

I have device from ISP that is set in Bridge mode.

I have Omada router connected to it.

I have switch connected to Omada router.

I have ACs and other devices connected to this switch.

 

I have client tha requires VPN connection to their office. They are using FortiGate VPN. But they are routing all traffic through it. I can't request them to change it.

I thought of getting a FortiGate device. Set it up to connect to client's VPN and rout only some traffic through it.

 

Where should I add this FortiGate device?

I was thinking to connect it's LAN output to WAN input on Omada Router and set it up as second WAN and then route some IP's or Netowrk to it.

But where to connect WAN on FortiGate? Should I connect it to LAN output of Omada Router or Switch? Or will 1 cable connected only to WAN be enough?

 

Sorry for stupid question. But I didn't really found how to do it. I only found solutions where all trafic goes throush fortigate and it seats between ISP device and router. But I don't want it this way.

  0      
 
  0      
 
#1
Options
1 Accepted Solution
Re:How to add Fortigate to network without routing all traffic through it?-Solution
3 weeks ago - last edited 3 weeks ago

Hi @Hooch 

Thanks for posting in our business forum.

Hooch wrote

I have client tha requires VPN connection to their office. They are using FortiGate VPN. But they are routing all traffic through it. I can't request them to change it.

I thought of getting a FortiGate device. Set it up to connect to client's VPN and rout only some traffic through it.

 

If the VPN server end has determined to route all the traffic, as long as you connect to it, it will affect your network regardless of whatsoever you have configured.

When you select the local networks to apply the VPN tunnel, that's defined and cannot be changed unless the server changes.

You should wait for the future firmware that supports the Policy Routing which may improve the situation you face now.

 

If you are talking about the WG VPN, you probably can modify the allowed IP to adjust this. Instead of using the 0.0.0.0/0, use the remote subnet then.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
  1  
  1  
#2
Options
2 Reply
Re:How to add Fortigate to network without routing all traffic through it?-Solution
3 weeks ago - last edited 3 weeks ago

Hi @Hooch 

Thanks for posting in our business forum.

Hooch wrote

I have client tha requires VPN connection to their office. They are using FortiGate VPN. But they are routing all traffic through it. I can't request them to change it.

I thought of getting a FortiGate device. Set it up to connect to client's VPN and rout only some traffic through it.

 

If the VPN server end has determined to route all the traffic, as long as you connect to it, it will affect your network regardless of whatsoever you have configured.

When you select the local networks to apply the VPN tunnel, that's defined and cannot be changed unless the server changes.

You should wait for the future firmware that supports the Policy Routing which may improve the situation you face now.

 

If you are talking about the WG VPN, you probably can modify the allowed IP to adjust this. Instead of using the 0.0.0.0/0, use the remote subnet then.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
  1  
  1  
#2
Options
Re:How to add Fortigate to network without routing all traffic through it?
2 weeks ago - last edited 2 weeks ago

 

Adding a Fortigate firewall to a network without routing all traffic through it involves setting it up in a mode that allows monitoring and controlling traffic selectively. One effective way to achieve this is by configuring the Fortigate in "Transparent Mode" or using it for specific functions like web filtering, intrusion detection, or VPN services. Here’s a detailed guide on how to do it:-

1. Planning and Preparation
Network Assessment:- Understand your current network topology and identify where the Fortigate will be placed.
Objectives:- Determine the primary purpose of adding the Fortigate (e.g., monitoring, filtering, VPN, etc.).
2. Setting Up Fortigate in Transparent Mode
In Transparent Mode, the Fortigate operates at Layer 2 (like a bridge) and does not require reconfiguring the IP scheme of your network.

1. Initial Configuration:-

Connect to the Fortigate via console or web interface.
Configure basic settings like management IP, admin credentials, etc.
2. Change to Transparent Mode:-

Navigate to System > Settings.
Set the Operation Mode to Transparent.
3. Configure Management IP:-

Assign a management IP to the Fortigate that matches your network’s subnet.
Ensure the IP does not conflict with other devices on the network.
4. Bridge Network Interfaces:-

Bridge the internal and external interfaces so the Fortigate can pass traffic between them.
Example: Bridge port1 and port2 if those are the interfaces connected to your network.
5. Policy and Security Profiles:-

Set up security policies to inspect and filter traffic as needed.
Apply necessary security profiles (e.g., antivirus, web filtering, IPS) to these policies.
3. Selective Traffic Routing
If the goal is to route only specific types of traffic through the Fortigate, you can achieve this by setting up policy routes or static routes.

1. Define Policy Routes:-

Go to Network > Policy Routes.
Create rules to direct specific traffic (based on IP, protocol, port, etc.) through the Fortigate.
2. Static Routes:-

Navigate to Network > Static Routes.
Add static routes for specific subnets or destinations that need to go through the Fortigate.

  0  
  0  
#3
Options

Information

Helpful: 0

Views: 129

Replies: 2

Related Articles
Tunnel IPSec vs Fortigate
431 0
Fortigate 100E, OC200, EAP615-Wall no WAN port
230 0
Add client to policy routing omada controller / ER
305 0
Problem with policy routing
631 0
Can we install Fortinet firewall Fortigate 80F with omada controller
379 0
ER605 device add to omada cloud (without controller)
508 0
About Us
Press
Copyright © TP-LINK CORPORATION PTE. LTD. All rights reserved.