Hello,
We have a couple of BOs where security is very bad, so we want to have a separate VLAN for each of these BOs.
Our goal is to have one VLAN for each BO with one subnet on it for workstations. That VLAN needs only internet access. Now, besides this simple configuration, we would like to have access to each of these PCs from the HQ workgroup VLAN for remote support.
In this case, do we need to:
- Create a VLAN on the HQ and BO FGs?
- Make DHCP on the VLAN at HQ or BO?
- If we have to create a VLAN on the HQ FG (and I think we have to), do we create that VLAN on the same physical interface where we have the other VLANs for HQ?
- Firewall policy on HQ or BO FGs?
Thank you in advance!
Hi 3x-t,
You need only a VLAN on the branch office (with the proper subnet).
> you can create more than one per site, to segregate users/departments etc.
Then for each VLAN:
- DHCP service on BO FGT VLAN interface
- A policy from IPSec tunnel to VLAN (for remote support) and another the other way around (for BO users to access HQ resources)
- HQ FGT must have static routes to each VLAN subnet with the respective tunnel interface.
Best regards,
Markus
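The steps in the reply above, sketched as FortiOS CLI. This is an added example, not part of the original thread or Fortinet's documentation. The interface, tunnel and address-object names (`BO1-WS`, `internal`, `to-HQ`, `to-BO1`, `HQ-support-net`), the VLAN ID and all subnets are assumptions, as is limiting remote support to RDP; the internet-access policy and the optional BO-to-HQ policy are left out.

```fortios
# Branch-office FortiGate (all names, VLAN ID and subnets are constructed)
config system interface
    edit "BO1-WS"
        set vdom "root"
        set interface "internal"
        set vlanid 110
        set ip 10.110.0.1 255.255.255.0
    next
end
config system dhcp server
    edit 0
        set interface "BO1-WS"
        set default-gateway 10.110.0.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.110.0.50
                set end-ip 10.110.0.200
            next
        end
    next
end
config firewall address
    edit "BO1-WS-net"
        set subnet 10.110.0.0 255.255.255.0
    next
    edit "HQ-support-net"
        set subnet 10.10.20.0 255.255.255.0
    next
end
# Remote support only: HQ support subnet -> branch workstations, RDP only
config firewall policy
    edit 0
        set name "HQ-support-to-BO1-WS"
        set srcintf "to-HQ"
        set dstintf "BO1-WS"
        set srcaddr "HQ-support-net"
        set dstaddr "BO1-WS-net"
        set action accept
        set schedule "always"
        set service "RDP"
    next
end
# HQ FortiGate: route the branch subnet into that branch's tunnel
config router static
    edit 0
        set dst 10.110.0.0 255.255.255.0
        set device "to-BO1"
    next
end
```

Scoping the tunnel-to-VLAN policy to the support subnet and a single service keeps a weakly secured branch reachable for support without opening the whole HQ network to it.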
Copyright 2024 Fortinet, Inc. All Rights Reserved.