Should I connect my backup connection through my firewall (FortiGate) or directly to my switch?

I now have a backup connection with a provider that is not using any public IPs on their network. They have installed a router at my host location where my core is located. I am weighing the pros and cons of going through the firewall (managed by security) or connecting directly to our core switch (I manage).

The WAN IP is 172.30 and LAN IP is 10.10, which is going to connect to my switch. We will be running OSPF area 48591 for 172. and 4589 for the 10. network.

I don't see a reason to go through the firewall since there are no public IPs, and just connect to my switch and NAT. Any thoughts would be appreciated. Thank you.


torvir Commented:
Ok, now I see.
These backup lines are normally considered part of your internal network and you don't normally use fw there.
It's also easier without fw as you run dynamic routing protocols.
There are solutions where you want to protect the datacenter from internal attacks caused by virus outbreaks and such.
Even more common nowadays is to protect database clusters so that only the necessary traffic reaches them.
But if you don't have fw between HQ and AT&T you shouldn't need to consider that on the backup lines.
Sorry if I led you through a longer route than necessary.
mlc1971 (Author) Commented:
hello and likewise
torvir Commented:
Do you trust that your service provider protects you as well as your own fortigate does?
I don't think you have all the information from the service provider to really see what's going on in their network.
They probably deliver a service that is as transparent and open as it can be.
So I think that your firewall protects you even if I don't know your configuration.
And if you use outgoing protection (URL-filters, IPS, Antivirus, Antispam), then it's no question that the fw should be there.

One thing you want to protect your network from is if an internal PC has a virus/worm/trojan that wants to connect to the outside.
It might do that on certain ports or to specific URLs to get inversions of itself or instructions on what to do.
An outgoing URL-filter or IPS can protect you in these cases.
Even if you don't have outgoing protection today, you might want to turn that on in a few minutes when rumors of a new trojan start to spread.
Just one example of why I think you should have a firewall there.

mlc1971 (Author) Commented:
Thanks torvir. I see your point and do agree. I was thinking since it's a private network and that in order for those users to get to the internet they would ultimately have to go through my firewall. You are saying because I can't/don't see what's on their private network that my remote users could be affected on the backup private network, and there would be no way of knowing until it's too late...
torvir Commented:
Yes, that's right. Depending on the solution at the service provider there could be this worst-case scenario where more customers reside on the same side of the NAT device that you are, and they could therefore have full access to your private network that the provider gave you.
Don't take for granted that they will protect you if they don't explicitly say that.
Just for fun you could try the free netscanner at to see if you can reach private networks that are in ranges nearby yours.
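
The shared-provider-network concern above can be checked from the HQ side. The following is an added example, not part of the original thread: it audits flow records seen inbound on the backup link and reports sources that belong neither to your own remote-site prefixes nor to the provider handoff subnet. All prefixes, addresses and the flow-record format are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed inventory (hypothetical values): prefixes of our own remote sites.
SITE_PREFIXES = [ipaddress.ip_network(p) for p in
                 ("192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24")]
# Constructed: handoff subnet between the HQ device and the provider's router.
TRANSIT = ipaddress.ip_network("192.168.254.0/30")

# Constructed flow records seen inbound on the backup-link interface,
# one per line: "src dst proto dport".
SAMPLE_FLOWS = """\
192.168.10.25 192.168.1.10 tcp 445
192.168.254.1 192.168.254.2 ospf 0
192.168.77.9 192.168.1.10 tcp 445
192.168.77.9 192.168.1.11 tcp 445
192.168.77.9 192.168.1.12 tcp 3389
not-an-ip 192.168.1.10 tcp 80
192.168.12.200 192.168.1.20 udp 53
"""

def classify_source(src):
    """Return 'site', 'transit', 'unexpected' or 'malformed' for a source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "malformed"
    if addr in TRANSIT:
        return "transit"
    if any(addr in net for net in SITE_PREFIXES):
        return "site"
    return "unexpected"

def audit(flows_text):
    """Count flows per class and collect what each unexpected source touched."""
    counts, unexpected = Counter(), {}
    for line in flows_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            counts["malformed"] += 1
            continue
        src, dst, proto, dport = fields
        kind = classify_source(src)
        counts[kind] += 1
        if kind == "unexpected":
            unexpected.setdefault(src, set()).add((dst, proto, dport))
    return counts, unexpected

if __name__ == "__main__":
    counts, unexpected = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for src, targets in sorted(unexpected.items()):
        print(f"unexpected source {src}: {sorted(targets)}")
```

Any source reported as unexpected is traffic arriving over the backup link from an address you did not assign, which is the situation a firewall or ACL on that link would be there to stop.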
mlc1971 (Author) Commented:
I am not too familiar with the firewalls, and if we go through the firewall, will the NAT'ing be performed on the firewall or on my switch (Cisco 6509)? It doesn't seem like there is much configuring I have to do on my switch (OSPF, ACL); mostly on the firewall that is managed by security. The provider has indicated they are not NAT'ing. torvir, you have been very helpful and informative.
torvir Commented:
The NATing should be done by the firewall if there should be NATing.
I'm beginning to think that I have misunderstood what the backup connection should do.
As you were talking about firewalls I thought that it was a backup Internet connection.
But I may be wrong. Is it an internal backup connection between two sites?
mlc1971 (Author) Commented:
It's a private backup for our 47 remote sites coming back to our HQ. I have a primary with AT&T and I have New Edge providing my backup on their private network. I am connecting to their router at the field offices with the FE ports on both our routers with a weighted IP route. They have a router at HQ and I am going to connect to either the firewall or directly to my core switch. I am sorry if I confused you or was not concise.
mlc1971 (Author) Commented:
Thanks again torvir for all your help.
Question has a verified solution.
