Cisco SG-350 Switch and Fortigate Firewall Configuration

Asked 8 months ago, active 8 months ago, viewed 853 times
I'm not what you would call a Network Engineer, but right now I have a (somewhat) complex network problem that I have to solve. I must configure an SG350-28P Cisco switch and a Fortigate 60F firewall to give internet access (kinda in a router-on-a-stick fashion if you ask me).

Right now I haven't been able to achieve the objectives that the attached image shows because I'm not really sure why my VLANs do not have internet access, or how to correctly configure a VLAN for that matter.

Things that I have tried:

• Call EIGRP on the switch: didn't work, command not recognized.

• Static routing on the switch: didn't work, maybe I did it wrong.

EDIT: I'll add my current switch configuration to clarify the state of the setup:

vlan database
vlan 10,20,30,40,66,77
exit
ip dhcp server
ip dhcp pool network EA_POOL
address low 192.168.40.10 high 192.168.40.15 255.255.255.0
exit
ip dhcp pool network Main_Pool
address low 192.168.1.10 high 192.168.1.19 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
exit
ip dhcp pool network Testing_POOL
address low 192.168.20.10 high 192.168.20.20 255.255.255.0
exit
ip dhcp pool network Production_POOL
address low 192.168.30.10 high 192.168.30.20 255.255.255.0
exit
ip dhcp pool network Development_POOL
address low 192.168.10.10 high 192.168.10.20 255.255.255.0
exit
ip dhcp information option
bonjour interface range vlan 1
qos advanced
line console
no autobaud
exit
ip name-server 192.168.2.99
ip telnet server
!
interface vlan 1
ip address 192.168.2.210 255.255.255.0
no ip address dhcp
!
interface vlan 10
name Development_VLAN
ip address 192.168.10.10 255.255.255.0
!
interface vlan 20
name Testing_VLAN
ip address 192.168.20.10 255.255.255.0
!
interface vlan 30
name Production_VLAN
ip address 192.168.30.10 255.255.255.0
!
interface vlan 40
name EA_VLAN
ip address 192.168.40.10 255.255.255.0
!
interface vlan 66
name unused-ports
shutdown
!
interface vlan 77
name OUTGOING
!
interface GigabitEthernet3
switchport access vlan 10
!
interface GigabitEthernet4
switchport access vlan 10
!
interface GigabitEthernet5
switchport access vlan 10
!
interface GigabitEthernet6
switchport access vlan 10
!
interface GigabitEthernet7
switchport access vlan 10
!
interface GigabitEthernet8
switchport access vlan 20
!
interface GigabitEthernet9
switchport access vlan 20
!
interface GigabitEthernet10
switchport access vlan 30
!
interface GigabitEthernet11
switchport access vlan 30
!
interface GigabitEthernet12
switchport access vlan 40
!
interface GigabitEthernet13
switchport access vlan 66
!
interface GigabitEthernet14
switchport access vlan 66
!
interface GigabitEthernet15
switchport access vlan 66
!
interface GigabitEthernet16
switchport access vlan 66
!
interface GigabitEthernet17
switchport access vlan 66
!
interface GigabitEthernet18
switchport access vlan 66
!
interface GigabitEthernet19
switchport access vlan 66
!
interface GigabitEthernet20
switchport access vlan 66
!
interface GigabitEthernet21
switchport access vlan 66
!
interface GigabitEthernet22
switchport access vlan 66
!
interface GigabitEthernet23
switchport access vlan 66
!
interface GigabitEthernet24
switchport access vlan 66
!
interface GigabitEthernet26
no switchport
switchport access vlan 77
!
exit
ip default-gateway 192.168.2.99
Tags: cisco, switch, vlan, firewall

edited Jul 16 '20 at 18:58
asked Jul 16 '20 at 18:25
Santiago Hernández
• Unfortunately, your question is too broad, and it lacks details, such as the network device configurations. With a layer-3 switch, you should do the LAN routing on the switch and simply have a routed link to the firewall. Please edit your question to include the network device configurations. – Ron Maupin♦ Jul 16 '20 at 18:35

• What else should I clarify? The firewall configuration is already on the image. – Santiago Hernández Jul 16 '20 at 19:35
3 Answers
The Fortigate requires routes to the networks behind the SG 350. (Make sure routing has been
activated on the 350, but I think it's by default.)

Since the 350 doesn't seem to support any routing protocol you'll need to set up static routes on the
Fortigate.

In the GUI, static routes are in Network -> Static Routes. If you're not using those addresses
anywhere else but the Fortigate or the 350, a single entry 192.168.0.0/16 -> 192.168.2.210 on
Internal should do, with a Distance of 50 e.g., so you could still route single subnets elsewhere (with
a lower Distance).

Note that your setup doesn't use a router-on-a-stick since you route at the "core" 350 (at least looks
like that).

If you used the 350 as L2 only and trunked all VLANs to the Fortigate, that would be considered a
router-on-a-stick.
edited Jul 17 '20 at 6:22
answered Jul 16 '20 at 21:04
Zac67
• Thank you for your help! With routing protocol you mean OSPF and EIGRP, don't you? If that's the case you are probably correct (just checked). Anyway, do you have an example of how to configure the Fortinet routes? I'm pretty confused as to whether I should configure a new interface for VLANs or I can use an already existing interface, and so on. I'm kinda unsure if my switch configuration is right too. – Santiago Hernández Jul 16 '20 at 21:13

• Yes, OSPF and the like (there are several others). I'm adding the route setup to the answer. Since you seem to be routing everything private on the 350, you don't have to trunk the VLANs to the Fortigate. It doesn't require additional subinterfaces either. – Zac67 Jul 17 '20 at 6:12

• Thanks, you were right! It was a static route problem. The trouble arose because I configured the gateways with an IP higher than the interface IP. – Santiago Hernández Jul 24 '20 at 23:01
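The static-route setup this answer describes, written out as CLI. This is an added example, not part of the answer or of either vendor's documentation. It assumes the FortiGate port facing the SG350 is called "internal" (the SG350's VLAN 1 address 192.168.2.210 and the FortiGate address 192.168.2.99 come from the posted configuration), that the SG350 is running in L3 (router) system mode, and that `set system mode router` is the command that selects that mode on this model; the SVI and DHCP changes at the end go beyond the answer and address a gap visible in the posted configuration.

```text
# ===== FortiGate 60F (FortiOS CLI) =====
# Assumption: "internal" is the port connected to the SG350 (192.168.2.210).
# Distance 50 as in the answer: a more specific /24 added later with the
# default static distance of 10 wins for that one subnet.
config router static
    edit 0
        set dst 192.168.0.0 255.255.0.0
        set gateway 192.168.2.210
        set device "internal"
        set distance 50
        set comment "Return route to the VLAN subnets routed on the SG350"
    next
end
# Check that both the summary route and the default route toward the ISP are
# installed before touching firewall policies.
get router info routing-table static
get router info routing-table all

! ===== SG350 (Cisco Small Business CLI) =====
! Assumption: the switch is in L3 (router) system mode; "set system mode
! router" is assumed to select it (it reboots the switch). In router mode the
! switch wants an actual default route to the FortiGate, not only the
! "ip default-gateway" line of the posted configuration.
show system mode
ip route 0.0.0.0 /0 192.168.2.99
!
! Not part of the answer, but visible in the posted configuration: four of
! the five DHCP pools hand out no default-router, and each pool's lowest
! address equals the SVI's own address. This example moves the VLAN 10 SVI
! to .1 and points the pool at it; repeat the same pattern for VLANs 20, 30
! and 40.
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
exit
ip dhcp pool network Development_POOL
 address low 192.168.10.10 high 192.168.10.20 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.2.99
exit
show ip route
```

Two things to verify after applying this. First, `show ip route` on the SG350 must list the four VLAN subnets as directly connected plus the default route, and `get router info routing-table all` on the FortiGate must show the 192.168.0.0/16 entry as `S` (static) next to the default route; if either is missing, replies from the internet can reach the FortiGate but never get back to the switch, which looks exactly like "VLANs have no internet". Second, the FortiGate's outbound firewall policy must have a source address object that covers the routed subnets (192.168.10.0/24 and so on), not just the 192.168.2.0/24 interface subnet, because traffic that matches no policy is dropped even when the route exists.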
Please refer to the link for configuration of a subinterface (router-on-a-stick configuration) on a Fortigate firewall:

https://youtu.be/bIeQyQKptRc

If you're using the Fortigate firewall as the core or perimeter device and a Cisco SG300 as the distribution switch in your setup, then you can accomplish this task by creating a subinterface on the Fortigate firewall.

Configure the SG300 switch to the Fortigate firewall with a trunk link allowing all VLANs, configure the ISP's public IP on the outside interface of the Fortigate, and configure a default route in the Fortinet firewall pointing towards the ISP gateway.

Now in the SG300 switch create all the VLANs which were created as Fortigate subinterfaces. Then create access ports in the SG300 switch for desktop and server connectivity.

Then create an outbound policy in the perimeter firewall for internet access:

Source interface: LAN
Destination interface: outside-facing interface
Source address: LAN POOL NETWORK
Destination address: ANY
Services: ports allowed as per your requirements
Action: ALLOWED
Security profiles: ON

Then create an inbound policy in the firewall if you have an application hosted in your local LAN and want to access it from the internet.

Create a VIP object as a public IP mapping, with object name "WEB SERVER" = public IP mapped to the private IP of the hosted application.

Inbound policy:

Source interface: outside interface
Destination interface: LAN
Source address: any
Destination address: WEB SERVER (as per the VIP created above)
Services: as per application requirement, mostly "https"
Security profiles: on
Action: allowed

Create an implicit deny policy at the bottom; this policy is used to deny non-matching traffic and to monitor unwanted traffic on the firewall:

Source interface: any
Destination interface: any
Source address: any
Destination address: any
Services/ports: any
Action: deny
edited Jul 25 '20 at 13:56
community wiki, 3 revs
Sagar Uragonda
• Link-only answers are discouraged here. Please consider adding more details so this answer remains useful even after the linked video is removed. – Teun Vink♦ Jul 17 '20 at 6:25

• Thank you, you helped to clarify the issue. It was a static route problem, but still it was pretty important to configure the IPv4 policies. – Santiago Hernández Jul 24 '20 at 22:59
If you're using the Fortigate firewall as the core or perimeter device and a Cisco SG300 as the distribution switch in your setup, then you can accomplish this task by creating a subinterface on the Fortigate firewall.

Configure the SG300 switch to the Fortigate firewall with a trunk link allowing all VLANs, configure the ISP's public IP on the outside interface of the Fortigate, and configure a default route in the Fortinet firewall pointing towards the ISP gateway.

Now in the SG300 switch create all the VLANs which were created as Fortigate subinterfaces. Then create access ports in the SG300 switch for desktop and server connectivity.

Then create an outbound policy in the perimeter firewall for internet access:

Source interface: LAN
Destination interface: outside-facing interface
Source address: LAN POOL NETWORK
Destination address: ANY
Services: ports allowed as per your requirements
Action: ALLOWED
Security profiles: ON

Then create an inbound policy in the firewall if you have an application hosted in your local LAN and want to access it from the internet.

Create a VIP object as a public IP mapping, with object name "WEB SERVER" = public IP mapped to the private IP of the hosted application.

Inbound policy:

Source interface: outside interface
Destination interface: LAN
Source address: any
Destination address: WEB SERVER (as per the VIP created above)
Services: as per application requirement, mostly "https"
Security profiles: on
Action: allowed

Create an implicit deny policy at the bottom; this policy is used to deny non-matching traffic and to monitor unwanted traffic on the firewall:

Source interface: any
Destination interface: any
Source address: any
Destination address: any
Services/ports: any
Action: deny

Setup diagram (image)
edited Jul 25 '20 at 13:53
community wiki, 5 revs
Sagar Uragonda
• Thank you very much for your help! Just as you said, I'm trying to use a Fortigate 60F as a "core" and an SG350 as "distribution". Do you have an example of how to create a subinterface on the Fortigate, and an example of a trunk port configuration for all VLANs on the SG350? I haven't been able to do what you suggested. – Santiago Hernández Jul 16 '20 at 21:07
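The router-on-a-stick design described in the two answers above (FortiGate VLAN subinterfaces, SG350 trunk, outbound policy, VIP and inbound policy, explicit deny), written out as CLI in answer to the comment asking for exactly that. This is an added example, not the answerer's configuration or vendor documentation. Everything not taken from the question is an assumption: "internal" is the FortiGate port trunked to the SG350, "wan1" faces the ISP, the web server sits in VLAN 30 at 192.168.30.20, 203.0.113.10 is a documentation-range stand-in for the public IP, and Gi26 is the SG350 uplink (as in the posted configuration).

```text
# ===== FortiGate 60F (FortiOS CLI) =====
# Assumptions (not from the question): "internal" is trunked to the SG350,
# "wan1" faces the ISP, web server 192.168.30.20 in VLAN 30, public IP
# 203.0.113.10 is a placeholder.

# 1. One VLAN subinterface per VLAN on the trunk port; the FortiGate becomes
#    the default gateway of each VLAN (repeat the block for VLANs 20 and 40).
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan30"
        set vdom "root"
        set interface "internal"
        set vlanid 30
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
    next
end

# 2. Address object covering every LAN subnet, and the VIP for the web server.
config firewall address
    edit "LAN_POOL_NETWORK"
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall vip
    edit "WEB SERVER"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.30.20"
    next
end

# 3. Policies, evaluated top to bottom: outbound with source NAT, inbound to
#    the VIP on HTTPS only, then an explicit catch-all deny that logs drops.
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "vlan10" "vlan20" "vlan30" "vlan40"
        set dstintf "wan1"
        set srcaddr "LAN_POOL_NETWORK"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "NTP"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    edit 0
        set name "Internet-to-WEB-SERVER"
        set srcintf "wan1"
        set dstintf "vlan30"
        set srcaddr "all"
        set dstaddr "WEB SERVER"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    edit 0
        set name "Deny-and-log-the-rest"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

! ===== SG350 (Cisco Small Business CLI) =====
! The uplink to the FortiGate carries the user VLANs tagged; the access ports
! stay as in the posted configuration. With the FortiGate doing the routing,
! the switch no longer needs SVI addresses or DHCP pools for these VLANs.
interface GigabitEthernet26
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30,40
exit
```

Design notes: the outbound policy lists the VLAN subinterfaces as source interfaces and uses an address object for the source, so a host in VLAN 10 is matched by both interface and subnet; the service list is deliberately narrow (the answers say "ports allowed as per your requirements"), widen it only as needed. The inbound policy has no `set nat enable`, because the VIP does the destination translation and the server must see the real client address in its logs. The final deny duplicates the FortiGate's built-in implicit deny on purpose: with `logtraffic all` it records what was refused, which is the monitoring purpose the answers describe. If the switch keeps its DHCP pools, each pool's `default-router` must be the FortiGate VLAN address (192.168.10.1 here), not the switch SVI.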
