sims
Explorer II
March 25, 2022
Question

design help

  • March 25, 2022
  • 3 replies
  • 3560 views

Hi

I have the below topology,

Where should I create the DMZ zone in the above topology, on the edge firewall or the DC firewall?

Thanks

3 replies

Toshi_Esumi
SuperUser
March 25, 2022

That would depend on where all the internal devices connect in the diagram, and on the purpose/role of the "dc firewall" in addition to those PAs (PANs?). The DMZ should be located on the border between "outside" and "inside", although nowadays you have many different ways to place it physically wherever you choose and set up the networks so that it sits on the border logically.

Toshi

sims (Author)
Explorer II
March 26, 2022

Hi @Toshi_Esumi 

@Toshi_Esumi wrote: "...and the purpose/role of "dc firewall" in addition to those PAs (PANs?)"

It is Palo Alto, and the DC firewall is FortiGate.

The role of the DC firewall: all the server VLAN SVIs are created on the DC firewall.

If I want to create a DMZ on the DC firewall, do I need a DMZ zone on the edge firewall too?

Can you please give me a typical DMZ design for better understanding?

Thanks

Toshi_Esumi
SuperUser
March 26, 2022

Your network design is not typical. A typical network doesn't have both PANs and FGTs. You're still not giving us enough information to think about where to place those servers in the DMZ so that outside and inside can access them. Handling VLANs would be best if you let the core switches do it. You/your customer must have reasons to spend double for both PAN and FGT.

But to let outside parties access the servers in the DMZ, either the servers need to have public IPs, or a FW that has public IPs has DNATs (VIPs for FGT) mapped to the local IPs of the servers. Depending on which FW, either PAN or FGT, is handling the public IPs, I would let THAT FW have the DMZ interface; then the other one would just route DMZ-bound traffic to that FW.

sims (Author)
Explorer II
March 26, 2022

Hi @Toshi_Esumi

Thanks for the clarification. I have a couple of web servers and VDI desktop machines; these servers need to be accessed from the local LAN and from the internet.

The web servers need to communicate with database servers which are in the DC, and the web pages have authentication; the authentication must be done against the local Active Directory.

Hope I could clarify 

Thanks 

Toshi_Esumi
SuperUser
March 26, 2022

Sounds like only the PANs are handling the public side, and PAN communication to the FGTs seems to be over private subnets. Then I would set your DMZ (you probably have it already as an interface) on the PANs and place those servers facing both sides in the zone/on the interface. Then the servers' internal connection to devices like the DB server is just routing through the FGTs.

Toshi
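To make the recommendation above concrete, here is an added example (not from the thread, and not Palo Alto or Fortinet configuration): a small Python model of both firewalls as generic zone-based policy engines. The edge firewall owns the public IP and the DMZ interface and DNATs the public address onto the web server; the DC firewall only sees the web server's routed traffic and limits it to the DB and AD ports, so a web server in the DMZ can be reached from outside only on the published port and can reach only the internal services it needs. All addresses, zone names, ports and rules are constructed assumptions for illustration.

```python
"""Toy model of the two-firewall DMZ design discussed in this thread.

Added example, not from the thread or from Palo Alto / Fortinet: both firewalls
are modelled as generic zone engines (longest-prefix zone lookup, DNAT before the
destination zone is chosen, first-match rules, implicit deny). All addresses,
zone names, ports and rule sets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: frozenset  # empty set means any destination port
    action: str        # "allow" or "deny"


class ZoneFirewall:
    def __init__(self, name, zones, dnat, rules):
        self.name = name
        self.zones = {z: [ip_network(n) for n in nets] for z, nets in zones.items()}
        # DNAT table: (public IP, port) -> real server IP (a FortiGate "VIP", a PAN NAT rule)
        self.dnat = {(ip_address(ip), port): ip_address(real) for (ip, port), real in dnat.items()}
        self.rules = rules

    def zone_of(self, addr):
        """Longest-prefix match, so a /24 DMZ wins over an enclosing /8 or 0.0.0.0/0."""
        best = None
        for zone, nets in self.zones.items():
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (zone, net)
        return best[0] if best else None

    def decide(self, flow):
        """Translate the destination first; the destination zone is the post-NAT zone."""
        mapped = self.dnat.get((flow.dst, flow.dport))
        if mapped is not None:
            flow = Flow(flow.src, mapped, flow.dport)
        src_zone, dst_zone = self.zone_of(flow.src), self.zone_of(flow.dst)
        if src_zone is None or dst_zone is None:
            return "deny", flow
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and (not r.dports or flow.dport in r.dports):
                return r.action, flow
        return "deny", flow  # implicit default deny at the end of the rulebase


# Edge firewall (the PAN): owns the public IP and the DMZ interface (constructed addressing).
EDGE = ZoneFirewall(
    "edge/PAN",
    zones={"outside": ["0.0.0.0/0"], "dmz": ["10.10.20.0/24"], "inside": ["10.0.0.0/8"]},
    dnat={("203.0.113.10", 443): "10.10.20.10"},
    rules=[
        Rule("outside", "dmz", frozenset({443}), "allow"),  # internet -> web, via DNAT only
        Rule("inside", "dmz", frozenset({443}), "allow"),   # local LAN -> web
        Rule("dmz", "inside", frozenset(), "allow"),        # edge just routes; the DC FW filters
    ],
)

# DC firewall (the FortiGate): holds the server SVIs, so it decides what the DMZ may reach.
DC = ZoneFirewall(
    "dc/FGT",
    zones={"dmz": ["10.10.20.0/24"], "servers": ["10.20.0.0/16"], "users": ["10.30.0.0/16"]},
    dnat={},
    rules=[
        Rule("dmz", "servers", frozenset({1433}), "allow"),          # web -> DB
        Rule("dmz", "servers", frozenset({88, 389, 636}), "allow"),  # web -> AD (Kerberos/LDAP)
        Rule("users", "dmz", frozenset({443}), "allow"),             # local LAN -> web
    ],
)


def traverse(flow, hops):
    """Run a flow through every firewall on its path; all hops must allow it."""
    trace = []
    for fw in hops:
        action, flow = fw.decide(flow)
        trace.append(f"{fw.name}: {action}")
        if action != "allow":
            return {"verdict": "deny", "dst": str(flow.dst), "trace": trace}
    return {"verdict": "allow", "dst": str(flow.dst), "trace": trace}


def inbound_web():      # internet user to the public address on 443: DNAT lands it in the DMZ
    return traverse(Flow(ip_address("198.51.100.7"), ip_address("203.0.113.10"), 443), [EDGE])

def inbound_ssh():      # same public address, no DNAT entry for 22: dropped at the edge
    return traverse(Flow(ip_address("198.51.100.7"), ip_address("203.0.113.10"), 22), [EDGE])

def web_to_db():        # DMZ web server to the DB: routed by the edge, filtered by the DC FW
    return traverse(Flow(ip_address("10.10.20.10"), ip_address("10.20.0.5"), 1433), [EDGE, DC])

def web_to_user_rdp():  # a compromised web server reaching for a user VLAN: no rule, denied
    return traverse(Flow(ip_address("10.10.20.10"), ip_address("10.30.0.50"), 3389), [EDGE, DC])

def lan_user_to_web():  # local LAN user to the web server's inside address, no NAT involved
    return traverse(Flow(ip_address("10.30.0.50"), ip_address("10.10.20.10"), 443), [DC, EDGE])


if __name__ == "__main__":
    for scenario in (inbound_web, inbound_ssh, web_to_db, web_to_user_rdp, lan_user_to_web):
        print(f"{scenario.__name__:16} {scenario()}")
```

The point of the model is the two-hop check in `web_to_db` and `web_to_user_rdp`: the edge firewall forwards anything from the DMZ towards the inside because it is only routing, and it is the DC firewall, which owns the server SVIs, that keeps the DMZ limited to the DB and AD ports. Creating the DMZ zone on the PAN therefore does not remove the need for explicit DMZ-to-server rules on the FortiGate.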

sims (Author)
Explorer II
May 9, 2022

@Toshi_Esumi wrote:

Sounds like only the PANs are handling the public side, and PAN communication to the FGTs seems to be over private subnets. Then I would set your DMZ (you probably have it already as an interface) on the PANs and place those servers facing both sides in the zone/on the interface. Then the servers' internal connection to devices like the DB server is just routing through the FGTs.

"Both sides in the zone/on the interface", what does it mean? Can you please elaborate?

Toshi

Debbie_FTNT
Staff & Editor
May 9, 2022

I'm pretty sure Toshi meant servers that deal with public and internal traffic (facing public side and internal side).

-> those servers (accessible from outside) usually go into DMZ

-> if the servers are connected to PAN firewalls, that's probably where you want to create and manage a DMZ