Hi,
I have two 1200Ds (for HA). I have a question about best practices for VDOM security.
Our 1200D is multi-tenant and uses a VDOM per tenant.
We have a 'WAN' VDOM to connect our Internet access.
Each VDOM (or tenant) has one or more public IP addresses as loopbacks and an inter-VDOM link to the WAN VDOM. So, many DNATs for each tenant, plus masquerading.
We have a "special" VDOM: Shared Services (SS). For example, for our cloud tenants, we have a KMS server, an antivirus server, an AD, ... and many DNATs too. For example, we configured a DNAT from a public IP address to our LDAPS AD. This VDOM has masquerading to go out too.
If we want a tenant VDOM to communicate with the SS VDOM, the traffic goes from tenant VDOM1 to the WAN VDOM to the SS VDOM.
So we have many static routes, many DNATs, SNATs, firewall policies ...
Is it a bad idea to interconnect a tenant VDOM directly to the SS VDOM, and not pass through the public IP and NAT to do this?
Because I think it's a very bad idea to DNAT an Active Directory (yes, the firewall protects, but...) and so many Windows services.
Thank you
Joffrey54 wrote:...
Is it a bad idea to interconnect a tenant VDOM directly to the SS VDOM, and not pass through the public IP and NAT to do this?
Because I think it's a very bad idea to DNAT an Active Directory (yes, the firewall protects, but...) and so many Windows services.
It depends... but IMO you have pretty much the same level of security, with one exception: you have to reveal the real IPs of the SS infrastructure. I don't know if that is a problem for you. You can have the same firewall policies in both scenarios.
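To make the reply's point concrete, here is an added FortiOS CLI sketch (not from the original post or from Fortinet) of the direct inter-VDOM link option: one `system vdom-link` between a tenant VDOM and the SS VDOM, a static route on each side, and a single policy in the SS VDOM that admits only directory traffic from the tenant subnet to the domain controller, with no NAT. VDOM names (`tenant1`, `SS`), interface names (`tenant1_lan`, `ss_lan`), the 10.255.1.0/30 link subnet, the tenant and DC addresses, and the use of the predefined `LDAPS`, `KERBEROS` and `DNS` service objects are all assumptions for illustration.

```fortios
# Added example, assumed names and addresses throughout.
# 1. Global: create the inter-VDOM link. FortiOS creates the pair
#    tenant1_ss0 / tenant1_ss1 automatically.
config global
    config system vdom-link
        edit "tenant1_ss"
        next
    end
    config system interface
        edit "tenant1_ss0"
            set vdom "tenant1"
            set ip 10.255.1.1 255.255.255.252
            set allowaccess ping
        next
        edit "tenant1_ss1"
            set vdom "SS"
            set ip 10.255.1.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# 2. Tenant VDOM: route only the SS server subnet over the link and
#    allow the tenant LAN to reach it. No "set nat enable": the real
#    tenant source IP is what the SS VDOM will see and filter on.
config vdom
    edit tenant1
        config router static
            edit 0
                set dst 10.20.0.0 255.255.255.0
                set gateway 10.255.1.2
                set device "tenant1_ss0"
            next
        end
        config firewall policy
            edit 0
                set name "lan-to-shared-services"
                set srcintf "tenant1_lan"
                set dstintf "tenant1_ss0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "LDAPS" "KERBEROS" "DNS"
                set logtraffic all
            next
        end
    next
end

# 3. SS VDOM: return route plus the only policy that accepts traffic
#    from the link. Everything else (including SS -> tenant) hits the
#    implicit deny, so the tenant cannot be reached from shared services
#    unless a policy is deliberately added.
config vdom
    edit SS
        config firewall address
            edit "tenant1_clients"
                set subnet 10.10.1.0 255.255.255.0
            next
            edit "ss_dc01"
                set subnet 10.20.0.10 255.255.255.255
            next
        end
        config router static
            edit 0
                set dst 10.10.1.0 255.255.255.0
                set gateway 10.255.1.1
                set device "tenant1_ss1"
            next
        end
        config firewall policy
            edit 0
                set name "tenant1-to-AD"
                set srcintf "tenant1_ss1"
                set dstintf "ss_lan"
                set srcaddr "tenant1_clients"
                set dstaddr "ss_dc01"
                set action accept
                set schedule "always"
                set service "LDAPS" "KERBEROS" "DNS"
                set logtraffic all
            next
        end
    next
end
```

Compared with the DNAT-through-WAN design, this removes the public IP, the virtual IP object and the masquerading for the AD path, and the SS policy can match on the tenant's real source address instead of a translated one. The cost is exactly the one the reply names: the tenant VDOM now learns the SS server addresses (10.20.0.0/24 here). Keeping each tenant on its own link and its own `tenant1_clients`-style address object is what stops one tenant's policy from being reused to admit another.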
Copyright 2024 Fortinet, Inc. All Rights Reserved.