Fortinet FGT integration in ACI using PBR Service Graph redirection Lab
Advanced Configuration Lab
Solution overview
Using a single bridge domain in ACI creates a firewall integration challenge, because a typical L4-7 service insertion expects a separate bridge domain for each firewall interface. Since a true Application Centric design usually calls for a single bridge domain carrying multiple subnets, forcing traffic through a firewall or load balancer presents a great deal of design challenges. By combining a service graph with PBR (policy-based redirection), traffic can be redirected from this single bridge domain to a single interface on the firewall or load balancer. A very large caveat is that some firewall vendors do not allow traffic to enter and exit on the same interface. A few vendors do support this one-armed mode, and this lab demonstrates the Fortinet FGT-based solution using the virtual Fortinet FGT, known as the vFGT.
Lab diagram
Contributors
Principal Solutions Architect