Handbook

6.0.0

Best practices

  1. Create forwarding domains when VLANs are used, and set vlanforward to disable on all relevant physical interfaces.
  2. The forward-domain ID can be different from the VLAN ID, but for troubleshooting and readability it is recommended to keep them the same.
  3. Firewall policies can only be created between interfaces that belong to the same forwarding domain.
  4. To allow IVL (independent VLAN learning), the VLANs must be placed in separate forwarding domains.
  5. If out-of-band management is desired, use a VDOM in NAT mode as the management VDOM where possible, and create one or more other transparent mode VDOMs for the user traffic.
  6. Spanning Tree BPDUs are not forwarded by default, so insert the FortiGate with caution to avoid L2 loops.
  7. Multicast packets are not forwarded by default; this might disrupt routing protocols (RIP2, OSPF).
  8. When using HSRP or VRRP, configure static MAC entries for the virtual MAC addresses.
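The following FortiOS CLI fragment illustrates items 1 to 3 and 8 above on a transparent mode VDOM. It is an added example, not configuration from the handbook: the port names, VLAN IDs and the VRRP virtual MAC (VRID 1) are constructed, and the `config system mac-address-table` section is an assumption to verify against the CLI reference for your release.

```fortios
# Item 1: physical interfaces stop forwarding tagged frames
# themselves; each VLAN is handled by its own subinterface.
config system interface
    edit "port1"
        set vlanforward disable
    next
    edit "port2"
        set vlanforward disable
    next
    # Item 2: forward-domain ID kept equal to the VLAN ID.
    edit "port1-vlan100"
        set interface "port1"
        set vlanid 100
        set forward-domain 100
    next
    edit "port2-vlan100"
        set interface "port2"
        set vlanid 100
        set forward-domain 100
    next
    # Item 4: a second VLAN in its own forwarding domain, so its
    # MAC table is learned independently of VLAN 100.
    edit "port1-vlan200"
        set interface "port1"
        set vlanid 200
        set forward-domain 200
    next
end

# Item 3: policy between two interfaces of forwarding domain 100.
# A policy from port1-vlan100 to port1-vlan200 would be rejected
# because the interfaces are in different forwarding domains.
config firewall policy
    edit 1
        set srcintf "port1-vlan100"
        set dstintf "port2-vlan100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Item 8 (assumed syntax): static entry for the VRRP virtual MAC
# of VRID 1, pinned to the interface facing the active router.
config system mac-address-table
    edit 00:00:5e:00:01:01
        set interface "port2-vlan100"
    next
end
```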
