acsuser
New Contributor

Network Segmentation advise

Hi Guys,

I'm speaking to a new client about replacing their Draytek with a Fortigate 60C NGFW. They currently have their network segmented into 3 VLANs on different network ranges; is this the best way to do this? I have attached a diagram of their current setup.

 

I was thinking that the best way to do this would be to ditch the VLANs and configure 4 separate zones (Untrust, Corp, guest, companyx), all using the same address range and DHCP provided by the Fortigate, and with separate rule policies between each zone.

emnoc
Esteemed Contributor III

The 1st question: do you understand the zone concept of a FGT? Listening to what you stated makes me think not.

 

I was thinking that the best way to do this would be to ditch the VLAN's and configure 4 separate zones (Untrust, Corp, guest, companyx), all using the same address range and DHCP provided by the Fortigate and with separate rule policies between each zone.

 

But let's recap a zone. A zone is a collection of interfaces for simplification of rules. Nothing more or less. WARNING: The one drawback to a zone: it's a lot harder to build things to "just" one member within a zone once you have created the zone. It's also impossible to build a zone and install a member into it if policies are ALREADY attached to that member.

 

So keep these single thoughts in mind.

 

Once you go the zone route, you pretty much have to stay on that path. If you want or think zones are the thing you need, then by all means start now. It would be much harder and service-impacting to change to a zone concept at some later date. Just think things out now & plan accordingly.

 

Off the top of my head & thinking out loud:

 

If you place all in just ONE address range, then it would be very hard to use a zone concept (zones are interface-based) ;)

 

I would not change the layer2/3 structure of the existing network. As a matter of fact, the isolation of the hosts per layer2 boundaries just makes your network better secured imho.

The "KISS" principles really applies here.

 

I would even secure the wireless by creating another layer2 sub-boundary or deploying various Fortigate APs in a VAP setup.

 

I would craft the same 802.1q tags #1, 2, 3 as vlan interfaces on the Fortigate to match the existing network as-is.

 

If you foresee the need for more interfaces in the future & with similar policy needs, "then by all means a zone concept and the bundling of these new interfaces into the zone would ease policy management", but I think a lot of admins are misusing/misunderstanding & crafting issues for the zone concept for problems that don't exist. Simple policy management, including address and addressGroup objects, is pretty much all you need in the long run, zone or no zones.

 

If your org has less than 100 fwpolicies & with less than 20% duplication, you pretty much don't need a zone imho.

 

I've only deployed zones 4x in all of my life, & all w/ previous environments that used fortigates, but we are talking much bigger than a SOHO/SMB firewall and on par with 57K fwpolicies within 20 zones and between a few hundred sub-interfaces.

Be advised of my earlier warning though about zones.

PCNSE NSE StrongSwan
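As an added illustration of the zone mechanics emnoc describes (example configuration written for this thread, not emnoc's own config or a Fortinet reference), two corporate VLAN sub-interfaces are bundled into one zone and policies then reference the zone name instead of the members. The interface names vlan10-corp and vlan11-corp, the subnet 192.168.11.0/24 and the FortiOS 5.x CLI syntax are assumptions; the two sub-interfaces are assumed to already exist and to not yet be referenced by any policy.

```fortios
# Added example: zone = collection of interfaces for policy simplification.
# Assumes "vlan10-corp" and "vlan11-corp" exist (config system interface)
# and are not yet used in any firewall policy, otherwise "set interface"
# below is rejected and those policies must be removed first.
config system zone
    edit "corp"
        # Members may not talk to each other unless an explicit corp->corp
        # policy allows it.
        set intrazone deny
        set interface "vlan10-corp" "vlan11-corp"
    next
end

# Once an interface sits in a zone, a policy can no longer name it directly
# (srcintf/dstintf must be "corp"). To single out one member you have to
# fall back to an address object that describes its subnet.
config firewall address
    edit "net-vlan11"
        set subnet 192.168.11.0 255.255.255.0
    next
end

config firewall policy
    edit 10
        # Whole zone to the internet, one rule instead of one per member.
        set srcintf "corp"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        # Only hosts on vlan11 may initiate sessions towards the rest of the
        # zone; the reverse direction still falls under intrazone deny.
        set srcintf "corp"
        set dstintf "corp"
        set srcaddr "net-vlan11"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policy 11 is the "harder to build things to just one member" point in practice: the interface name is no longer usable as a match criterion, so the distinction has to be carried by address objects, which is exactly the addressGroup-based management emnoc says you need anyway.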
acsuser
New Contributor

OK, that makes sense - so for simplicity it sounds like the best way to configure this in a small network is something like this:

 

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_install-vla...

 

I believe this is untagged VLANs as we only have a single VLAN per interface/cable. Is there any easy way to provide 2 VLANs on a single wire? The reason I ask is that one room has users from 2 companies and I would like to segment these, although there is only a single cable running to that office.

emnoc
Esteemed Contributor III

Yes, you can tag multiple vlans over the same interface.

 

e.g.

config system interface
  edit "VLAN1001"
    set vdom root
    set type vlan
    # parent (trunk) port carrying the tagged frames
    set interface port1
    set vlanid 1001
    # interface address must be a host address, not the network address
    set ip 192.168.1.1/24
    set allowaccess ssh https
  next
  edit "VLAN1002"
    set vdom root
    set type vlan
    set interface port1
    set vlanid 1002
    set ip 192.168.2.1/24
    set allowaccess ssh https
  next
end

 

vlan tags #1 +#2 will be present for sub-interfaces named VLAN1001 and VLAN1002

 

PCNSE NSE StrongSwan
acsuser
New Contributor

OK, so still a little confused,

 

We have 2 vlans configured for the same interface, so if we plug a machine into this interface can it communicate on both VLANs? What IP address will it pick up, the one for VLAN1 or VLAN2?

 

I want both VLANs on the interface but a way of enforcing what VLAN connected machines are on, as some may not be authorised to access data on both VLANs.

Dave_Hall
Honored Contributor

It is assumed tagged vlan traffic will be hitting the interface, either through a switch port configured for such or the machines themselves configured as such. Untagged traffic will either fall under the main interface or is dropped.

 

Edit: just to clarify, the document you originally linked above shows this vlan switch.

 

If the 60C is capable of being placed into interface mode, you may be better off going that route. So you'll have 5 x internal interfaces to play around with instead of 1 internal switch, DMZ, 2 x WAN ports. And of course you can still attach vlan sub-interfaces to those 5 x internal ports.

 

Edit: You could of course do away with vlans and configure the 60C ports as such:

 

     WAN1 = ISP connection

     WAN2 = Company x

     DMZ = Guest Wifi

     Internal switch = Corp + AP

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
acsuser

Ah OK, that makes sense, and actually using the interface modes was what I was thinking of doing to create segmentation. Thinking about the wireless design using separate interfaces and having 3 separate wireless solutions to manage, I think it would be easier to go down the VLAN route and then use a single AP solution with an SSID for each VLAN.

 

If we are using tagged VLANs then we will need a switch to isolate hosts between the different VLANs. I wasn't planning on configuring a switch also, as the only one we have is unmanaged, so the following setup sounds like it would work (and be feasible):

 

Create the following tagging

Vlan10 - Corporate

Vlan20 - Companyx

Vlan30 - Guest

 

Configure the following Interfaces

Int1 - WAN link

Int2 - VLAN10&VLAN30 with Wireless AP that has individual SSID's for both corporate and Guest

Int3 - VLAN10&VLAN30 with Wireless AP that has individual SSID's for both corporate and Guest

Int4 - VLAN10&VLAN20&VLAN30 with Wireless AP that has individual SSID's for both corporate, Guest and Companyx

Int5 - VLAN 10 cabled connection going to an unmanaged switch (Is there any problem sending tagged traffic to an unmanaged switch?)

 

^The reason I want multiple interfaces with the same configuration is because there is existing cabling to other buildings.

emnoc
Esteemed Contributor III

You can't share the vlan tags on interface xyz with interface abc. Each tagged interface is a layer3 interface and will expect an l3 address. So if your intention is to share vlan 10/30 and even vlan 20 between all interface-mode interfaces, this will not work.

 

The fortigate does not operate as an SVI as compared to the cisco ASA or juniper SRX.

 

PCNSE NSE StrongSwan
acsuser
New Contributor

OK, so it's not possible in my scenario to have vlans for segmentation and share 2 vlans on a single cable to a room on the other side of the building that has structured cabling?

acsuser

.....If not I will have to use the WAN1, WAN2, DMZ & INT route, but this means I will have 3 separate Wireless AP systems with multiple APs in the same rooms for each segment.
