"For the web-server the internal users will look like internet-users." That's because they are internet users. Split DNS is very easy... if he is using AD it would take 3 seconds to resolve this issue. How is it another point of failure?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ORIGINAL: ejhardin What??? Ok first please agree with my statement that it is a security risk to exit a firewall to access internal resources. I totally agree to that statement! But no-one here is talking about a situation where internal traffic would leave the firewall! None of the packets would ever be seen on a wan1 or wan2 port! Split DNS with AD is pretty easy in some situations... But not everyone has AD in place for all of that... I've seen situations where it made the situation even more complex... mostly because admins have just forgotten to manage 2 DNS zones then! ... which could easily lead to situations where MXs are not in place and so on... cheers. roman
"I'm sorry guys but I do not agree... Your configuration is a loopback scenario which is less secure. My configuration the firewall would not be involved. Spend the time to do it right." I agree with rwpatterson on this one; most of what you are saying isn't quite correct. There is no 'loopback scenario' as such, it's just all internal routing, which is what the firewall's job is. Even in your suggestion routing would still have to take place. I do agree it's easy to resolve to the 'real' DMZ address using DNS, and I do sometimes do this for customers. But it's easier to not create extra work for yourself, especially in the long term, when servers and ISPs change. Also, doing it your way would not allow the benefits of load-balancing and port-forwarding etc., which the VIP provides... In terms of extra load on the firewall by using the VIP, in my opinion, it's negligible.
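To make the split-DNS trade-off in this thread concrete, here is an added example (not from any poster or from Fortinet) of a split-horizon lookup plus the consistency check roman's caveat calls for: the internal view answers with the DMZ host's private address so the packets never touch the VIP, while the external view answers with the public address, and `zone_drift()` flags records that were added to one view but forgotten in the other (here a constructed zone where the MX exists only internally). The networks and zone data are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed: these ranges are "inside"; anything else is treated as the internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed zone views. Keys are (owner name, record type).
INTERNAL_VIEW = {
    ("www.example.com.", "A"): "10.1.1.20",        # DMZ host, private side
    ("mail.example.com.", "A"): "10.1.1.25",
    ("example.com.", "MX"): "10 mail.example.com.",
}
EXTERNAL_VIEW = {
    ("www.example.com.", "A"): "203.0.113.20",     # VIP's public address
    ("mail.example.com.", "A"): "203.0.113.25",
    # MX deliberately missing: the "forgot to manage the second zone" case
}


def is_internal(client_ip: str) -> bool:
    """True when the querying client sits on one of the inside networks."""
    addr = ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(qname: str, qtype: str, client_ip: str):
    """Split-horizon answer: same name, different data depending on who asks.
    Returns the record data, or None when the chosen view has no such record."""
    view = INTERNAL_VIEW if is_internal(client_ip) else EXTERNAL_VIEW
    return view.get((qname.lower(), qtype.upper()))


def zone_drift(internal: dict, external: dict) -> set:
    """Records present in exactly one view. Anything listed here is a name that
    resolves for one population of clients and fails (NXDOMAIN/NODATA) for the
    other, which is the operational failure mode of maintaining two zones."""
    return set(internal) ^ set(external)


if __name__ == "__main__":
    print(resolve("www.example.com.", "A", "10.1.5.7"))    # internal client
    print(resolve("www.example.com.", "A", "198.51.100.9"))  # internet client
    for name, rtype in sorted(zone_drift(INTERNAL_VIEW, EXTERNAL_VIEW)):
        print(f"drift: {rtype} record for {name} exists in only one view")
```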
Copyright 2024 Fortinet, Inc. All Rights Reserved.