This may be too broad of a question, but I will ask in the event some replies or questions may provide any guidance at all. We just ordered FortiPAM, but I am struggling with placement of the device based on the design documentation at this link: https://docs.fortinet.com/document/fortipam/1.6.0/administration-guide/541708/fortipam-designs. Most VLANs at HQ (1st floor, 2nd floor, 3rd floor, servers...) reside on a Layer 3 Aruba 5406Z switch, and the respective VLANs are trunked down to access switches. Our FortiManager and FortiAnalyzer also belong to the server VLAN on the 5406Z. We have one switch port directly connected to the firewall with appropriate routes in and out. We also have SSL-VPN on this firewall, and connectivity to remote sites is via SD-WAN ADVPN. Additionally, we have FortiClient EMS Cloud. Any suggestions on placement of FortiPAM? Does it need to be on its own interface on the firewall? There is mention in the article of single or multiple interface design, but all the examples I find are ones where the critical devices are segmented.
FortiPAM is exposed to the external world, so I always put it in the DMZ, in single interface design.
I appreciate the reply, but it looks like there are methods to set it up without public access, which is what I prefer to do. I forgot to include that in the original post. I'm just failing to find the correct documentation. I may have to contact our SE for assistance.
Even in that case I prefer single interface design, since it makes life simpler.
It also depends on the point of view of the network and security departments of your company. They may not (or may) accept the multiple interface design.
You can also have a look at Advantages and Disadvantages of each design type.
Copyright 2025 Fortinet, Inc. All Rights Reserved.