How To enable multiple VLANs on a FortiGate firewall and segment them by different services (such as voice, data, CCTV, etc.

  • هذا الموضوع فارغ.
  • Post
    • ديسمبر 21, 2024 الساعة 6:24 ص
    Weekend Wiki
    مدير عام
    Here is a step-by-step guide on how to configure multiple VLANs (Voice, Data, CCTV, etc.) on a FortiGate firewall via the GUI, including examples for each step:

    1. Define VLANs and Subnets via the FortiGate GUI

    Step 1: Log in to the FortiGate Web GUI

    • Open a web browser and enter the IP address of your FortiGate firewall (e.g., https://192.168.1.99).
    • Log in with your admin credentials.

    Step 2: Navigate to the Network Interface Settings

    • Go to Network > Interfaces.

    Step 3: Create VLAN Interfaces

    To create VLAN interfaces, you’ll associate each VLAN with a physical port (e.g., port1).

    Voice VLAN (VLAN ID 10):
    1. Click Create New and select VLAN.
    2. Set the following values:
      • Name: VLAN_Voice
      • Type: VLAN
      • VLAN ID: 10 (VLAN ID for Voice)
      • Interface: Select the physical interface (e.g., port1).
      • IP Address: 192.168.10.1/24 (Assign an IP address for the Voice VLAN)
      • Security Zone: voice_zone (Create a new zone if needed)
      • Role: LAN
      • DHCP Server: Enable DHCP if you want the firewall to assign IPs. Example:
        • Range: 192.168.10.10 to 192.168.10.50
    3. Click OK.
    Data VLAN (VLAN ID 20):
    1. Click Create New and select VLAN.
    2. Set the following values:
      • Name: VLAN_Data
      • Type: VLAN
      • VLAN ID: 20 (VLAN ID for Data)
      • Interface: Select the same physical interface (e.g., port1).
      • IP Address: 192.168.20.1/24 (Assign an IP address for the Data VLAN)
      • Security Zone: data_zone (Create a new zone if needed)
      • Role: LAN
      • DHCP Server: Enable DHCP if needed. Example:
        • Range: 192.168.20.10 to 192.168.20.50
    3. Click OK.
    CCTV VLAN (VLAN ID 30):
    1. Click Create New and select VLAN.
    2. Set the following values:
      • Name: VLAN_CCTV
      • Type: VLAN
      • VLAN ID: 30 (VLAN ID for CCTV)
      • Interface: Select the same physical interface (e.g., port1).
      • IP Address: 192.168.30.1/24 (Assign an IP address for the CCTV VLAN)
      • Security Zone: cctv_zone (Create a new zone if needed)
      • Role: LAN
      • DHCP Server: Enable DHCP if needed. Example:
        • Range: 192.168.30.10 to 192.168.30.50
    3. Click OK.

    2. Create Firewall Policies for VLAN Communication

    You will need to create firewall policies to control traffic between VLANs and other networks.

    Example: Allow Traffic from Voice VLAN to Data VLAN

    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New to create a new policy.
    3. Set the following values:
      • Name: Allow_Voice_to_Data
      • Incoming Interface: Select VLAN_Voice.
      • Outgoing Interface: Select VLAN_Data.
      • Source Address: Choose all or create a custom address object for the Voice VLAN (e.g., 192.168.10.0/24).
      • Destination Address: Choose all or create a custom address object for the Data VLAN (e.g., 192.168.20.0/24).
      • Action: Set to Accept.
      • NAT: Disable NAT (as this is internal traffic).
    4. Click OK.

    Example: Deny Traffic from CCTV VLAN to Data VLAN

    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New to create a new policy.
    3. Set the following values:
      • Name: Deny_CCTV_to_Data
      • Incoming Interface: Select VLAN_CCTV.
      • Outgoing Interface: Select VLAN_Data.
      • Source Address: Choose all or create a custom address object for the CCTV VLAN (e.g., 192.168.30.0/24).
      • Destination Address: Choose all or create a custom address object for the Data VLAN (e.g., 192.168.20.0/24).
      • Action: Set to Deny.
      • NAT: Disable NAT.
    4. Click OK.

    3. Enable DHCP for VLANs (Optional)

    If you want the FortiGate to assign IP addresses via DHCP for each VLAN, follow these steps:

    For Voice VLAN (VLAN 10):

    1. Go to Network > Interfaces.
    2. Click on the VLAN_Voice interface you created earlier.
    3. Under the DHCP Server section, enable the DHCP server and set the range:
      • IP Range: 192.168.10.10 to 192.168.10.50
      • Netmask: 255.255.255.0
    4. Click OK.

    For Data VLAN (VLAN 20):

    1. Go to Network > Interfaces.
    2. Click on the VLAN_Data interface.
    3. Under the DHCP Server section, enable the DHCP server and set the range:
      • IP Range: 192.168.20.10 to 192.168.20.50
      • Netmask: 255.255.255.0
    4. Click OK.

    For CCTV VLAN (VLAN 30):

    1. Go to Network > Interfaces.
    2. Click on the VLAN_CCTV interface.
    3. Under the DHCP Server section, enable the DHCP server and set the range:
      • IP Range: 192.168.30.10 to 192.168.30.50
      • Netmask: 255.255.255.0
    4. Click OK.

    4. Verify Connectivity and Monitor Traffic

    Step 1: Check Connectivity

    • Use ping or traceroute to test connectivity between devices in different VLANs.
    • For example, test if devices in the Voice VLAN (192.168.10.0/24) can reach devices in the Data VLAN (192.168.20.0/24) and if CCTV VLAN (192.168.30.0/24) traffic is properly isolated.

    Step 2: Monitor VLAN Traffic

    • Go to Log & Report > Traffic Log to see the traffic passing between VLANs.
    • You can filter the logs based on specific VLAN interfaces to verify if the firewall policies are working as expected.

    Summary

    • You created VLAN interfaces for each service: Voice, Data, and CCTV.
    • You configured IP address ranges for each VLAN, with optional DHCP server configuration.
    • You set up firewall policies to control communication between VLANs.
    • Finally, you monitored traffic to ensure everything works as expected.

    This setup allows you to segment your network into isolated VLANs for different types of services (Voice, Data, CCTV), giving you better control and security over the network.

  • يجب تسجيل الدخول للرد على هذا الموضوع.
arArabic
en_USEnglish arArabic