I was asked by a colleague at work the other day, can we replace the Cisco firewalls with FortiGate firewalls for a client? As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing before I said yes. On closer inspection the firewall in question didn’t appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn’t know how FortiGate handled this, so I fired it up on the test bench to test FortiGate Sub Interfaces.
So I needed to create TWO sub interfaces on the FortiGate (on port3).
Creating FortiGate Sub Interfaces
Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a ‘sub interface‘, then you simply add a VLAN interface to a physical interface. Like so, Network > Interfaces > {Physical Interface} > Create New > Interface.
Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.
Just for testing I’ll allow PING, on the VLAN interface also > OK.
Repeat the procedure to add further sub interfaces (VLANs).
Remember this is just a ‘Router on a stick‘ configuration, to further allow traffic to the internet, (or between VLANs) you still need to add that traffic to the firewall policy to let the traffic through, (it is a firewall after all!)
Setting up Switches for FortiGate Sub Interfaces?
I’ve probably got this covered elsewhere on the site, but the core switch is Cisco so I just created a trunk port, and allowed ALL VLANs, (because I’m lazy, in production, you might want to lock that down a little!)
You can take the physical interface of a Cisco ASA firewall, (or an ether channel) and split it down into further sub-interfaces. This way you can set multiple VLANs to use this interface as a gateway at the same time whilst still separating the traffic.
In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest WiFi to run in its own separate VLAN, so it can’t touch my corporate network. And I want to NAT both networks to my public IP.
Maximum number of sub interfaces, depends on the hardware model maximum number of VLANs so;
Model
Max VLANS
5506-X
5 (30 with Security Plus)
5506-W-X
5 (30 with Security Plus)
5506-H-X
30
5508-X
50
5510
50 (100 with Security Plus)
5512-X
10 (100 with Security Plus)
5515-X
100
5516-X
100
5520
150
5525-X
200
5540
200
5545-X
300
5550
250
5555-X
500
5580
250
5585-X
1024
Note: Sub interfaces are NOT supported on the ASA 5505. (But you can have up to 20 VLANs with a ‘security-plus‘ licence, or 3 (DMZ restricted) with a ‘base‘ licence).
Solution
To create sub interfaces on a physical interface, that interface must have no settings on it (other than it should not be shutdown).
[/box] Then create a sub-interface for each of my VLANs. [box]
Create Sub interface for VLAN 2
Petes-ASA(config)# interface gigabitEthernet 1.2
Petes-ASA(config-subif)# vlan 2
Petes-ASA(config-subif)# nameif Corp-LAN
INFO: Security level for "Corp-LAN" set to 0 by default.
Petes-ASA(config-subif)# security-level 100
Petes-ASA(config-subif)# ip address 10.2.2.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#
Create Sub interface for VLAN 3
Petes-ASA(config)# interface gigabitEthernet 1.3
Petes-ASA(config-subif)# vlan 3
Petes-ASA(config-subif)# nameif Corp-WiFi
INFO: Security level for "Corp-Wifi” set to 0 by default.
Petes-ASA(config-subif)# security-level 90
Petes-ASA(config-subif)# ip address 10.3.3.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#
[/box]
Note: I’ve manually set the security levels and made the corp-lan interface more trusted.
So my firewall config now looks like this;
[box]
!
interface GigabitEthernet1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1.2
vlan 2
nameif Corp-LAN
security-level 100
ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
vlan 3
nameif Corp-WiFi
security-level 90
ip address 10.3.3.254 255.255.0.0
!
[/box]
NAT/PAT Traffic From Your Sub-Interfaces
Taking all traffic from both subnets (10.2.0.0/16 and 10.3.0.0/16), and I’m going to NAT both of these to my public IP. (Note: I’m actually going to PAT the addresses, but that’s just semantics).
If you have ACLs you will need to allow the traffic out, and if you want to test connectivity by pinging a public IP address you will need to have ICMP inspection configured on the firewall.
What if you want the WiFi VLAN to have a different Public IP?
If you want to use another public IP from your public range, here is an example of the config;
This will depend upon the vendor, but essentially if it’s a Cisco Switch you make the uplink switch port a ‘trunk-port’, and either allow ALL or VLAN 2 and 3. Then every wired connection will connect to a port you have setup as a ‘access-port’ on VLAN 2. All the wireless equipment will plug into ports that you have made ‘access-ports’ on VLAN 3.
For other vendors you would need to ‘tag’VLANs 2 and 3 onto the firewall uplink port. Then ‘untag’VLAN 2 on all the wired ports. Then finally ‘untag‘ VLAN 3 on all the wireless ports.