
New Configuration Questions

Hi all,


we are changing a HA platform and so we are checking for new ideas and securing the configuration.


One thing is that we have a VIP in a DMZ and we have to get rid of it. Is it recommendable to create an extra Interface just for the VIP to avoid problems in segmentation?


The same problem with the VIPs for the cameras, we would like to move them to an isolate "camera" interface.


Thanks for your ideas!



To me it's not about VIPs or no VIPs, but about what is on the current DMZ interface. If it's serving multiple customers' proprietary devices or VMs, you should probably have separated them when you built it originally. Or if part of it is credit card related, in other words in the PCI-DSS domain, you have to separate/isolate it as much as possible.

Otherwise, external access is controlled by those VIPs specifically to individual devices in the DMZ, I wouldn't worry much if they're in one DMZ or multiple ones per function.




Or, if those devices need to communicate with each other, which you need to control/regulate, you need to put them on different interfaces so that you can apply policies between them.


1. **VIP in a DMZ:**
- **Purpose of DMZ:** DMZs are typically used to isolate and secure services that need to be accessible from the internet while protecting your internal network. If your VIP serves a purpose that aligns with DMZ principles (e.g., a web server, email server), it's generally recommended to keep it in the DMZ.
- **Separate Interface:** Creating a dedicated interface for the VIP in the DMZ can help with network segmentation and improve security. This approach ensures that traffic to and from the VIP is isolated from other internal network traffic.

2. **VIPs for Cameras:**
- **Camera Isolation:** Isolating cameras on a dedicated "camera" interface is a good idea from a security standpoint. This helps prevent potential camera vulnerabilities from affecting other parts of your network.
- **Traffic Management:** Consider how you will manage traffic between the camera VIPs and other parts of your network that may need access to camera streams. You may need to set up rules or access controls to allow necessary communication.

When implementing these changes, keep these best practices in mind:

- **Access Control:** Use firewalls and access control lists (ACLs) to control traffic to and from the VIPs. Only allow necessary traffic, and block all other traffic to enhance security.

- **Monitoring:** Implement monitoring and logging for the VIPs to detect and respond to any security incidents or issues promptly.

- **Redundancy:** Ensure that your new HA platform maintains the necessary redundancy and failover capabilities, especially if you're making significant changes to the infrastructure.

- **Documentation:** Document your configurations thoroughly, including network diagrams, firewall rules, and access policies. This documentation is crucial for maintaining and troubleshooting your network.

- **Testing:** Before implementing these changes in a production environment, thoroughly test them in a controlled environment to identify any potential issues or conflicts.

- **Compliance:** Ensure that your changes align with any industry-specific regulations or compliance requirements that your organization must adhere to.

Remember that network configurations can vary based on the specific requirements and constraints of your organization, so it's essential to tailor your approach to your unique needs and security policies. Additionally, consider involving network and security experts if you're unsure about the best practices for your specific situation.




thanks for your input.


The idea is to move this "unimportant traffic" away from the DMZ. The config is like >10 years old, so maybe at some point it made sense, but e.g. there is just one VIP service to a VM left and I would like to move it to a new interface just for this external access and deal with inside policies to secure access.


The same with the cameras, they can be accessed via web portal and I don't see any reason why they should be on the same interface as LAN or DMZ.


For me it would be a new aspect, like having more interfaces and more segments to secure everything, and the only disadvantage I see is maybe in FW performance???








I think you already have a good idea/plan of what they should look like. There is no hard rule for how they should or have to be. You just need to follow your basic security principles and rebuild them.




It sounds like your plan to move "unimportant traffic" away from the DMZ and create new interfaces for specific services like the VIP and cameras is a reasonable approach, especially if the existing configuration is outdated and doesn't align with your current security and segmentation needs. Here are some additional considerations:

1. **Network Segmentation:** Creating additional interfaces and segments for specific services can enhance your network's security posture. It allows you to apply different access control policies and firewall rules to each segment, reducing the attack surface and potential impact of security incidents.

2. **Performance Considerations:** While adding more interfaces and segments can increase the complexity of your network, it may not significantly impact firewall performance unless you're dealing with very high traffic loads or using older hardware. Modern firewalls are designed to handle multiple interfaces and segments efficiently. However, it's essential to monitor performance during and after the implementation to ensure it meets your requirements.

3. **Access Control and Policies:** With this approach, you'll have the flexibility to define granular access control policies for each segment, which can improve security. Make sure to thoroughly plan and document these policies to ensure they align with your organization's security requirements.

4. **Monitoring and Logging:** Implement robust monitoring and logging for each segment to detect and respond to any security incidents or abnormal activities. Centralized logging and analysis can provide insights into network traffic and potential threats.

5. **Testing:** Before implementing these changes in a production environment, perform thorough testing in a controlled environment to identify any issues or conflicts. This testing will help you refine your configurations and ensure a smooth transition.

6. **Documentation:** Keep comprehensive documentation of the new network configuration, including diagrams, firewall rules, access policies, and any changes made. Documentation is essential for troubleshooting, auditing, and future reference.

7. **Regular Audits:** Periodically review and audit your network configuration and access control policies to ensure they remain effective and aligned with your security goals. Security requirements and threat landscapes can change over time, so it's crucial to adapt as needed.

Overall, your approach to segmenting and securing your network is a proactive step toward improving security and aligning your network architecture with current best practices. Just be mindful of performance considerations and ensure that the segmentation strategy effectively meets your organization's security objectives while maintaining the necessary functionality for your services.
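The dedicated VIP segment and per-segment policies described in the two replies above, written out as FortiOS CLI (an added illustration, not configuration from this thread). Assumed names: wan1 is the internet interface, port2 the LAN, port5 the new interface holding only the externally reachable VM, port6 the camera interface; the addresses are documentation ranges and the address objects net-lan-admins and net-cameras are assumed to exist already.

```fortios
# Added example, not from the thread. Interface names, addresses and
# object names are placeholders; adjust to your own platform.

# VIP: only TCP/443 is forwarded to the VM, not the whole host
config firewall vip
    edit "vip-extvm-https"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.50.0.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # Internet -> VM segment: only the VIP, only HTTPS, fully logged
    edit 0
        set name "wan-to-extvm-https"
        set srcintf "wan1"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "vip-extvm-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # LAN -> camera segment: only the camera web portal, only from admins
    edit 0
        set name "lan-to-cameras-web"
        set srcintf "port2"
        set dstintf "port6"
        set srcaddr "net-lan-admins"
        set dstaddr "net-cameras"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Deliberately no policy from port5 or port6 toward port2 (LAN):
    # the FortiGate implicit deny drops that traffic and logs it if
    # "Log violation traffic" is enabled on the implicit deny policy.
end
```

Because each segment sits on its own interface, a compromised camera or VM can only reach what a policy explicitly allows, and the per-policy logs give you the monitoring the replies recommend.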

