Should I connect my backup connection through my firewall (FortiGate) or directly to my switch?

Posted on 2011-02-24
Last Modified: 2012-08-13
I now have a backup connection with a provider that is not using any public IPs on their network. They have installed a router at my host location where my core is located.
I am weighing the pros and cons of going through the firewall (managed by security) or connecting directly to our core switch (I manage).

The WAN IP is 172.30 and the LAN IP is 10.10, which is going to connect to my switch. We will be running OSPF area 48591 for 172. and 4589 for the 10. network.

I don't see a reason to go through the firewall since there are no public IPs, and would just connect to my switch and NAT. Any thoughts would be appreciated. Thank you.

Question by:mlc1971

Author Comment

ID: 34973698
hello and likewise

Expert Comment

ID: 34974003
Do you trust that your service provider protects you as well as your own FortiGate does?
I don't think you have all the information from the service provider to really see what's going on in their network.
They probably deliver a service that is as transparent and open as it can be.
So I think that your firewall protects you, even if I don't know your configuration.
And if you use outgoing protection (URL filters, IPS, antivirus, antispam), then it's no question that the fw should be there.

One thing you want to protect your network from is an internal PC that has a virus/worm/trojan that wants to connect to the outside.
It might do that on certain ports or to specific URLs to get inversions of itself or instructions on what to do.
An outgoing URL filter or IPS can protect you in these cases.
Even if you don't have outgoing protection today, you might want to turn that on in a few minutes when rumors of a new trojan start to spread.
Just one example of why I think you should have a firewall there.

Author Comment

ID: 34978825
Thanks torvir. I see your point and do agree. I was thinking that since it's a private network, in order for those users to get to the internet they would ultimately have to go through my firewall. You are saying that because I can't/don't see what's on their private network, my remote users could be affected on the backup private network, and there would be no way of knowing until it's too late...

Expert Comment

ID: 34979386
Yes, that's right. Depending on the solution at the service provider, there could be this worst-case scenario where more customers reside on the same side of the NAT device that you are, and they could therefore have full access to the private network that the provider gave you.
Don't take for granted that they will protect you if they don't explicitly say that.
Just for fun you could try the free netscanner at to see if you can reach private networks that are in ranges nearby yours.

Author Comment

ID: 34980558
I am not too familiar with the firewalls. If we go through the firewall, will the NATing be performed on the firewall or on my switch (Cisco 6509)? It doesn't seem like there is much configuring I have to do on my switch (OSPF, ACL); mostly on the firewall that is managed by security. The provider has indicated they are not NATing. torvir, you have been very helpful and informative.

Expert Comment

ID: 34981725
The NATing should be done by the firewall if there should be NATing.
I'm beginning to think that I have misunderstood what the backup connection should do.
As you were talking about firewalls I thought that it was a backup Internet connection.
But I may be wrong. Is it an internal backup connection between two sites?

Author Comment

ID: 34982486
It's a private backup for our 47 remote sites coming back to our HQ. I have a primary with AT&T, and I have New Edge providing my backup on their private network. I am connecting to their router at the field offices with the FE ports on both our routers with a weighted IP route. They have a router at HQ, and I am going to connect it to either the firewall or directly to my core switch. I am sorry if I confused you or was not concise.

Accepted Solution

torvir earned 500 total points
ID: 34983434
Ok, now I see.
These backup lines are normally considered part of your internal network, and you don't normally use a fw there.
It's also easier without a fw, as you run dynamic routing protocols.
There are solutions where you want to protect the datacenter from internal attacks caused by virus outbreaks and such.
Even more common nowadays is to protect database clusters so that only the necessary traffic reaches them.
But if you don't have a fw between HQ and AT&T, you shouldn't need to consider that on the backup lines.
Sorry if I led you through a longer route than necessary.

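The accepted answer treats the backup line as internal but still suggests limiting what can reach the datacenter over it. The following core-switch fragment, in Cisco IOS syntax, is an added example and not configuration from the thread or from either provider. It assumes constructed values: Gi1/1 faces the New Edge router, 10.10.0.0/30 is the link to it, 10.20.0.0/16 is the HQ server range, 10.100.0.0/16 aggregates the remote-site LANs, and 10.20.0.1 is the firewall's inside address; the 172.30 / area 48591 side lives on the provider's router and is not shown.

```cisco
! Added example (not from the thread). All addresses and interface names are
! constructed placeholders; only the area ID 4589 comes from the question.
!
! OSPF with the provider router only. No default route is advertised into
! this process, so Internet-bound traffic keeps leaving via the firewall.
router ospf 1
 router-id 10.10.0.1
 network 10.10.0.0 0.0.0.3 area 4589
 passive-interface default
 no passive-interface GigabitEthernet1/1
 log-adjacency-changes
!
! Ingress filter on the backup link: allow OSPF from the provider router and
! remote-site sources to HQ servers. Anything else, for example another
! customer's prefix that happens to be reachable on the provider's side of
! its NAT (the worst case described above), is dropped and logged.
ip access-list extended BACKUP-IN
 remark routing adjacency with the provider router only
 permit ospf host 10.10.0.2 any
 remark remote-site LANs (constructed aggregate) to HQ servers
 permit ip 10.100.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 remark drop and log everything else arriving on the backup link
 deny ip any any log
!
interface GigabitEthernet1/1
 description Backup WAN - New Edge router (constructed)
 ip address 10.10.0.1 255.255.255.252
 ip access-group BACKUP-IN in
 ip ospf network point-to-point
!
! Static default (AD 1) toward the firewall wins over any OSPF-learned
! default (AD 110), so the backup path never becomes the Internet exit.
ip route 0.0.0.0 0.0.0.0 10.20.0.1
```

Check the result with `show ip ospf neighbor` for the single adjacency and `show ip access-lists BACKUP-IN` for hit counts on the deny line.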
Author Comment

ID: 34986876
Thanks again torvir for all your help.

