Connect meraki MX with fortigate (one-arm concentrator)

  • 1.  Connect meraki MX with fortigate (one-arm concentrator)

    Posted 12 days ago

    We have some VLANs configured on our Fortigate and we want to connect this Fortigate to a Meraki MX to use it as a VPN concentrator (the MX is a VPN concentrator). Another Meraki Z3C will establish an IPsec connection to the MX, and then we need to route the traffic to that specific VLAN behind the Fortigate.

    Now my question is how I should configure the port which connects to the MX. I have a lot of ports on the Fortigate which are not used. I know that I have to create routes on the Fortigate to go through this port to the other side (to the resources behind the Z3C), but I need to know how the port on the Fortigate should be configured.

  • 2.  RE: Connect meraki MX with fortigate (one-arm concentrator)

    Posted 8 days ago
    If the MX is connected directly to the Fortigate then I think the simplest setup would be for the Fortigate port to be a routed port on a single VLAN (non-trunk port).

    Not sure if that's the information you're looking for, but I have an MX in HA connected in a DMZ behind a Fortigate and it works a treat. The DMZ interface off the Fortigate, however, is a trunk (multiple VLANs) connected to a switch which then has the MX connected.

  • 3.  RE: Connect meraki MX with fortigate (one-arm concentrator)

    Posted 3 days ago
    Hi Bill,

    Behind the Fortigate there are different VLANs, and the users behind the Z3C need to access only one of these VLANs through the MX, which will be connected to the Fortigate. Can I configure the link between the MX and the Fortigate as an access link, since the traffic coming in on the Fortigate port is layer 3 traffic? When the traffic reaches the Fortigate (its packets have a destination IP which corresponds to the target VLAN), it will go through the policies with which we will allow the traffic to pass toward that specific VLAN. Then of course we will create routes back through the MX's IP address on the link (the next hop from the Fortigate's perspective).

  • 4.  RE: Connect meraki MX with fortigate (one-arm concentrator)

    Posted 3 days ago
    If I'm understanding your reply, that is correct. A basic topology I'm interpreting is as follows:

    Logical Topo:

    Physical Topo at HUB:

    You will need:
    1. Routing at the FG_FW for networks at the other side of all the MX Auto-VPN(s), pointing to the MX(WAN) IP address as the next hop.
    2. A default route at the MX, with a next hop of the FG_FW(Access_port) interface IP.
    3. FG_FW policies permitting traffic accordingly.

    I hope this helps.
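
The three items listed in the last reply, as a FortiOS CLI sketch added here as an illustration (not configuration posted by anyone in the thread). The port name `port5`, the VLAN interface `vlan20`, the link subnet 192.0.2.0/30, the Z3C subnet 10.99.0.0/24 and the target VLAN subnet 10.20.0.0/24 are all constructed placeholders; item 2 (the MX default route) is set on the Meraki side and is only noted in a comment.

```fortios
# All names and addresses below are constructed placeholders.
# Routed, non-trunk port facing the MX: FG = 192.0.2.1, MX = 192.0.2.2
config system interface
    edit "port5"
        set mode static
        set ip 192.0.2.1 255.255.255.252
        set allowaccess ping
        set alias "to-MX"
    next
end
# Address objects so the policy can be scoped to exactly one source and one destination
config firewall address
    edit "Z3C_LAN"
        set subnet 10.99.0.0 255.255.255.0
    next
    edit "TARGET_VLAN"
        set subnet 10.20.0.0 255.255.255.0
    next
end
# Item 1: route to the network behind the Z3C, next hop = MX address on the link
config router static
    edit 0
        set dst 10.99.0.0 255.255.255.0
        set gateway 192.0.2.2
        set device "port5"
    next
end
# Item 2 lives on the MX: its default gateway is 192.0.2.1 (this port).
# Item 3: permit only Z3C users to the one target VLAN; other VLANs have
# no matching policy and fall to the implicit deny.
config firewall policy
    edit 0
        set name "Z3C-to-vlan20"
        set srcintf "port5"
        set dstintf "vlan20"
        set srcaddr "Z3C_LAN"
        set dstaddr "TARGET_VLAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Sessions initiated from the VLAN toward the Z3C side would need a second policy in the opposite direction, and `service "ALL"` can be narrowed to the specific services the remote users need.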