Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Big_Abe
New Contributor

Architecture Critique - hit me with ideas, or tell me what I'm wrong

Good Day All,

I have an HA cluster of Firewalls in a "Spider Topology" connected as "Next hop" on my large switching routers across several physical facilities.

I'm trying to solve 3 major problems, mostly around policy housekeeping:

  • Logging - Using Splunk/FortiAnalyzer or other data-sized cost model systems is heinously pricey, mostly from the required policy cleanup
  • Performance - Getting Kernel Conserve issues on IPS / AV and it's from being excessively aggressive in some places, and too many 'blanket' UTM features applied IMHO
  • Simplicity - It's getting harder to onboard new systems into the environment, and new engineers onto the network as there is a long history of ad-hoc.

Sidebar:  I love FortiOS 5.4  Thank-you.

I'll leave this as an intermediate-level "Bleached" MAN-sized config scenario.

This is somewhat generic, but an unrealistic comparable to my questions.


  • I currently have a handful of physical ports, several VLANS on each physical and redundant WAN links.  Some traffic is divided by custom route, but then is waterfalled by a 10.0.0.0 to the primary datacenter/serverland interface and so rogue/extraneous/misconfigured traffic is lost in serverland data.  :O
  • I have a few external agencies that are tenants on my network.  Many of which are caught by the above as well.
  • I have a truck-ton of redundant policies, excessive alerting noise, waterfalled policies and a huge lack of uniformity, and lately I'm seeing an upswing of kernel-conserve mode from IPS or AV so I want to streamline that.
  • I've booked a system-wide outage and intend to rebuild from the ground-up, and turn this from an inherited environment to my environment.
  • I want to rebuild for simplicity and performance and really leverage the UTM features and some of the balancing features and I have very little industry compliance to worry about.

Here's my intended design, please critique and critique harshly.


  • Zones:  I want to leverage the bulk of my traffic as Zones:
      • Tenant1
          • Browsing Access Outbound, Very little filtering etc - They don't care, and neither do I, if it doesn't touch my network.  They have their own staff etc to handle sysadmin stuff.
      • Tenant2
          • Dictated to be wide open AND unmonitored, freedom of speech type-scenario.  Same as above.
      • Corporate  (Interface-Interface specific rules can be added by CLI if I'm not mistaken)
          • Internet Policies, AV, IPS rules, exemptions as required, denies as required
      • DMZ
          • Inbound VIP (spending half my time applying specific ports to all public IPs vs wide open)
          • Outbound IP Pools (things like PCoIP tunnels require same outbound IP etc)
      • Internet
          • Well, it's either a source or destination for the most part.  My policies should hopefully be halved by WAN LLB alone.
      • Public Use
          • We operate a good-sized guest network of free wifi etc - No, I don't have the resources to give them their own WAN, so it's the basics outbound.  Don't want to burn CPU/memory on the free-wifi, I just want to ensure it's nowhere near my stuff.
  • Wan LLB
      • Add WAN links to this with appropriate weight per size (e.g. 1 pipe = 500Mbps other is 200Mbps)
          • I'm really curious to see how the traffic flows from layer 2 into this.  If core routers are set as HA cluster next hop, and WAN links are physically in different locations -> How can I default the balance from the nearest routing switch to the physically nearest wan link?
      • I currently have over 60 policies from "Specific Interface/VLAN -> port 80 or 443" alone and a huge variance in applied rules and UTM features on each, not from necessity - but lack of tidiness.  I want this to be basically:
          • Tenant 1, 2 Public: -> Internet All -> All -> Any service
          • Corporate -> Internet :  Secret Sauce
          • Internet -> DMZ : Secret Sauce
          • Corporate -> DMZ -> Corporate : Secret Sauce
  • DNS
      • Corporate currently internal DNS that forwards to Recursives in the DMZ.
          • Not sure if I like this or not.  I'd welcome input on this.  To me, I'd like
              • internal DNS -> Fortigate Interface and
              • Fortigate System DNS -> ISP / google/whatever
              • + DNS Database so it can be monitored /logged easier.
      • DMZ has inbound Nameservers, this will remain the same and PTRs to ISP
      • I'd like to put the DNS server on the FG for the Tenants and Public.
          • What is the performance cost on this?

I'll leave it at that.  This is the planning stage, please let me know what you think, or if you see any pitfalls?  Any "Hey, how will this work" scenarios?  Or really bad practices that stand out.  It's hard when you have very few on your team to bounce off of, and no one is a master of all things.

Thanks FNetters.

     

FCNSP
-------------------------------------
"They have us surrounded again, those poor bastards."
-Unnamed Medic

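As an added illustration of the zone / consolidated-policy / WAN LLB / DNS layout the post sketches, here is a FortiOS 5.4-style CLI fragment written for this page by the editor; it is not the poster's configuration and not Fortinet-supplied. Every interface name, VLAN interface name, object name, address and weight is an assumed placeholder, and the `#` annotations are notes for the reader, not FortiOS syntax, so strip them before pasting into a real unit.

```fortios
# --- Zones: one object per trust boundary; policies then reference zones, not ports ---
config system zone
    edit "Corporate"
        # deny = VLAN-to-VLAN inside Corporate still needs an explicit Corporate->Corporate policy
        set intrazone deny
        set interface "vlan10_corp" "vlan20_corp"      # assumed VLAN sub-interfaces
    next
    edit "Tenant1"
        set intrazone allow
        set interface "vlan100_tenant1"
    next
    edit "Tenant2"
        set intrazone allow
        set interface "vlan110_tenant2"
    next
    edit "PublicUse"
        set intrazone deny                            # guests never talk to each other
        set interface "vlan200_guest"
    next
    edit "DMZ"
        set intrazone deny
        set interface "port3"
    next
end

# --- WAN LLB: weights proportional to link size (500 Mbps : 200 Mbps = 5 : 2) ---
config system virtual-wan-link
    set status enable
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1                  # placeholder gateway
            set weight 5
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1                 # placeholder gateway
            set weight 2
        next
    end
end

# --- Policies: the "over 60" per-VLAN rules collapse to a handful of zone rules ---
config firewall policy
    edit 1
        set name "Tenants-Public-out"
        set srcintf "Tenant1" "Tenant2" "PublicUse"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic utm            # no session logging = low log volume; UTM hits only
    next
    edit 2
        set name "Corporate-out"
        set srcintf "Corporate"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"      # tune per-zone instead of blanket sensors to ease conserve mode
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
        set logtraffic utm
    next
    edit 3
        set name "Inbound-web"
        set srcintf "virtual-wan-link"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "vip_web"         # assumed VIP object: public IP -> DMZ host, port 443 only
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ips-sensor "protect_http_server"
        set logtraffic all            # inbound from the Internet is worth full session logs
    next
end

# --- DNS: FortiGate forwards for the tenant/guest zones; corporate names come from a local database ---
config system dns
    set primary 198.51.100.53         # placeholder upstream resolver
    set secondary 198.51.100.54
end
config system dns-server
    edit "vlan100_tenant1"
        set mode forward-only
    next
    edit "vlan200_guest"
        set mode forward-only
    next
end
```

Two caveats that follow directly from this layout: once an interface is a member of a zone it can no longer be named in a policy on its own, so the per-VLAN exceptions the post mentions become Corporate-to-Corporate policies with narrower address objects; and `intrazone deny` on Corporate means east-west VLAN traffic is dropped until such a policy exists, which is the right default but will surface during the rebuild outage. After cutover, `get system performance status` on the FortiGate shows memory usage, which is the figure to watch for a return of conserve mode as UTM profiles are re-attached zone by zone.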