Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rzahraoui
New Contributor

Designs Fortigate (FireWall / Proxy)

Hi all, my company has purchased a FortiGate 100D with the aim of using it as a proxy. Except that I also want to take advantage of the firewalling and IDS roles of that range ==> I want to use it as the first-level firewall while keeping the existing firewalls (ASA). Could you help me by telling me what design/architecture to implement for both cases, knowing that we already have to keep the ASA firewall?
Case 1: FortiGate as proxy + ASA firewall.
Case 2: FortiGate as proxy/firewall/IDS + ASA firewall (in this case the DMZ already created on the ASA firewall will be moved to the FortiGate).
Thanks for all, Rachid
emnoc
Esteemed Contributor III

You could do exactly what you want and in "transparent" mode. Do you really need a proxy in a DMZ, and what other UTM features do you need within the DMZ (i.e. webfilter, email AS, AV detection or DLP, etc......)? Transparent will provide the simplest and least impact to any network changes, and doesn't require any L3 re-addressing. If you want to run tiered, stacked firewalls (ASA exterior and FGT interior) and protect your internal LAN departments, you could also do this. As a matter of fact you could run mixed-and-matched transparent and routed VDOMs to do what you want in each VDOM. Please see sample drawing.
PCNSE NSE StrongSwan
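As an added illustration of the mixed VDOM layout described in the reply above (this is example configuration written for this page, not emnoc's drawing or a Fortinet-supplied config), the FortiOS CLI sketch below creates a transparent VDOM that bridges the existing DMZ between the ASA and the DMZ switch, so no re-addressing is needed, and applies IPS and AV on the bridged traffic. The VDOM name, the port numbers (port3/port4) and the management IP are assumptions; the `vdom-admin` command is the older FortiOS syntax and newer builds use `set vdom-mode multi-vdom` instead.

```fortios
# Added example (not from the thread): a transparent VDOM in front of the DMZ.
# VDOM name, ports and addresses are assumptions; adjust to the ports actually cabled.
config global
    config system global
        set vdom-admin enable              # older FortiOS; newer builds: set vdom-mode multi-vdom
    end
    config system vdom
        edit "dmz-tp"                      # transparent VDOM: bridges the DMZ, ASA stays the L3 gateway
        next
    end
    config system interface
        edit "port3"
            set vdom "dmz-tp"
            set alias "to-ASA-dmz"         # side facing the ASA DMZ interface
        next
        edit "port4"
            set vdom "dmz-tp"
            set alias "to-dmz-switch"      # side facing the DMZ servers
        next
    end
end
config vdom
    edit "dmz-tp"
        config system settings
            set opmode transparent
            set manageip 192.0.2.10/24     # constructed management IP inside the bridged DMZ subnet
        end
        config firewall policy
            edit 1
                set name "asa-to-dmz-inspected"
                set srcintf "port3"
                set dstintf "port4"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set ips-sensor "default"   # IDS/IPS on traffic the ASA has already allowed
                set av-profile "default"
                set logtraffic all
            next
            edit 2
                set name "dmz-to-asa-inspected"
                set srcintf "port4"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set ips-sensor "default"
                set logtraffic all
            next
        end
    next
end
```

Because the VDOM is transparent, the ASA keeps its DMZ addressing and routing unchanged; only the cabling changes (the DMZ switch uplink now passes through port3/port4). The internal LAN can live in a separate NAT/route VDOM on the same unit, which is the mixed layout the reply refers to.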
rzahraoui

Thanks! Yes, I want to use all of these features (email AS, AV detection...).
lightmoon1992
New Contributor

Old school: it would be better to have two consecutive firewalls with the DMZ set up. From a functionality point of view, the ASA will do nothing more than firewalling for you, which could be handled by the FortiGate itself, so this will save you an extra processing layer with all of its time-related costs. Do you have any published servers, so that you may need to consider other security layers? Mohammad
Mohammad Al-Zard
rzahraoui
New Contributor

Yes, I have some published servers; the majority of them are in the DMZ behind the ASA.
lightmoon1992
New Contributor

Just keep in mind that the FortiGate is doing the network security part of the cycle; however, if you have a mail server, for example, you should take care of it with another appliance (Fortinet FortiMail). For published servers, you keep them apart from your local network, on a different logical or physical network. Mohammad
Mohammad Al-Zard
rzahraoui
New Contributor

Hi all, I re-use emnoc's scheme with a slight modification: I added an inter-subnet between the ASA and the FGT (a dedicated private network between them). So I will use the ASA in NAT/routed mode, and the FGT will be an explicit proxy. All flows on the FGT will be sent to the ASA (default route). I keep the DMZs on the ASA, but I don't know if there is any utility in passing this DMZ through the FGT? What do you think about this design, is there any inconvenience with it? Rachid
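To make the design in the post above concrete, here is an added FortiOS CLI sketch (example configuration written for this page, not Rachid's actual config or anything from Fortinet) of the FGT in NAT/route mode acting as an explicit web proxy, with a /30 inter-subnet towards the ASA and a default route pointing at the ASA. The interface names, the addresses, the proxy port and the profile names are assumptions; `firewall proxy-policy` is the FortiOS 5.6+ table and older builds use `firewall explicit-proxy-policy`.

```fortios
# Added example (not from the thread): FGT as explicit proxy in NAT/route mode,
# inter-subnet to the ASA, default route via the ASA. Names and addresses are assumptions.
config system interface
    edit "port1"
        set alias "to-ASA-interconnect"
        set mode static
        set ip 10.255.255.2 255.255.255.252     # constructed /30 inter-subnet shared with the ASA
        set allowaccess ping
    next
    edit "port2"
        set alias "to-internal-switch"
        set mode static
        set ip 10.10.0.1 255.255.255.0          # constructed internal subnet
        set allowaccess ping https ssh
        set explicit-web-proxy enable           # proxy listener only on the internal side
    next
end
config router static
    edit 1
        set gateway 10.255.255.1                 # ASA end of the inter-subnet: all flows go to the ASA
        set device "port1"
    next
end
config web-proxy explicit
    set status enable
    set http-port 8080                           # clients/PAC point at 10.10.0.1:8080
    set https-port 8080
end
config firewall proxy-policy                     # FortiOS 5.6+; older: firewall explicit-proxy-policy
    edit 1
        set name "explicit-web-to-asa"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
config firewall policy                           # non-web flows that bypass the proxy (DNS, NTP)
    edit 1
        set name "internal-to-asa-no-nat"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "NTP"
        set nat disable                          # the ASA performs NAT, as stated in the design
        set logtraffic all
    next
end
```

Two things to check alongside this: the ASA needs a return route for 10.10.0.0/24 pointing at 10.255.255.2, otherwise replies to the non-proxied flows never come back; and the proxied traffic leaves port1 sourced from 10.255.255.2, so the ASA's NAT and ACLs must cover that address as well as the internal subnet.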
lightmoon1992
New Contributor

First of all, you need to make sure that you are configuring two different L2 networks on your internal switch, otherwise it will be a big problem. Also, why are you making a direct connection between the switch and the ASA? This may lead to bypassing the FortiGate. Mohammad
Mohammad Al-Zard
rzahraoui
New Contributor

This direct connection is for managing the ASA; is there another way to achieve this without a direct connection?
lightmoon1992
New Contributor

You can still access the ASA through the same link as the users. The most important question is how you manage these three segments via your switch: is it an L2/L3 switch, or just configured as one broadcast domain? Mohammad
Mohammad Al-Zard
rzahraoui
New Contributor

Yes, subnets/VLANs will be managed by an L2/L3 switch. The interconnection scheme will be like this. Still the question: can the DMZ pass through the FGT, or is there no need ==> DMZ directly connected between the backbone (switch) and the ASA.