Spock
New Contributor II

New FortiWiFi 60D setup best practices for multi-zone security monitored home network?

I am new to Fortinet, but eager to learn how to deploy my new FortiWiFi 60D in my home lab network.

Goals:

1. Set up different security zones, using VLANs I think, that segregate high risk guest traffic, medium risk production traffic, and highly secure financial & network admin VLAN subnets from each other.

2. Set up a highly secure network admin workstation that can log, monitor & analyze any traffic that appears suspicious, as well as monitor & control traffic QoS and bandwidth utilization.

3. Use security policies to restrict guest wifi access and blacklist inappropriate websites, content or mobile devices that launch detected malware-based network attacks.

4. Use network security best practices at all times to create a stable, secure SOHO network that will support both my creative production work AND my interest in learning more network administration & security theory & practice.

 

My FortiWiFi 60D came with firmware version 5.2.3, build 670.

 

My questions for more experienced users are:

1. Should I upgrade my firmware, and if yes, at what version/build number should I stop in order to get a stable platform that will support my above goals?

2. Is there any good cookbook info online for setting up a network admin workstation that is optimized for real time network monitoring & administration?

 

Thanks in advance for any help offered. Appreciate you taking the time to help someone who is just coming online.

 

Live long & prosper!

dbadams
New Contributor II

Greetings Spock! 

 

Reading over your post, I think you should consider using Virtual Domains or VDOMs. This feature allows you to break up your FortiWiFi into multiple virtual devices, which goes beyond just using VLANs. This way you can have one VDOM as your stable home network, one for experimenting with, another for your more secure financial network and another for guest. You can even have your VDOMs in different operating modes such as transparent.

 

Just a word of warning though, if I remember right, VDOMs do have to be enabled through the CLI first before they will appear in the GUI. So if you don't see the feature, don't worry, it's there!

 

As for the version, I would definitely upgrade to at least 5.4. They cleaned up the GUI and added many new features compared to 5.2. 

 

Lastly, there are plenty of good videos and cookbooks at support.fortinet.com for you to review. I personally live by my copy of the FortiOS handbook which explains a lot of these features in depth along with an entire chapter dedicated to best practices.

 

Good luck Spock and drop a quick reply sometime to report your progress.

Devin

 

(You can't see it, but I am making the Vulcan "V" hand gesture as I hit the submit button!)
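
An added illustration of the setup suggested in the reply above (not part of the original post and not Fortinet's own example): enabling VDOM mode from the CLI, creating two VDOMs, and giving each a VLAN sub-interface. The VDOM names, interface names, VLAN IDs and addresses are hypothetical, and the syntax assumes FortiOS 5.x, so check it against the CLI reference for your build.

```fortios
# Step 1: enable VDOM mode from the CLI.
# The admin session is logged out; log back in to see the VDOM menus in the GUI.
config system global
    set vdom-admin enable
end

# Step 2: create the VDOMs (names are hypothetical).
config vdom
    edit guest
    next
    edit finance
    next
end

# Step 3: create one VLAN sub-interface per VDOM on the physical "internal" port.
# VLAN IDs and subnets are constructed sample values.
# Only ping is allowed toward the firewall itself from these segments;
# HTTPS/SSH administrative access is deliberately left off.
config global
config system interface
    edit "vl-guest"
        set vdom "guest"
        set interface "internal"
        set vlanid 30
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
    next
    edit "vl-finance"
        set vdom "finance"
        set interface "internal"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end
end
```

With this layout, traffic between the guest and finance segments cannot pass unless an inter-VDOM link and matching policies are explicitly created.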

Spock
New Contributor II

Greetings Earthling Devin! Thanks for your reply & suggestions.

 

What I'm worried about with VDOMs is I am wondering if they use more system resources than VLANs?

 

I'll want to do some fancy, in-depth network monitoring pretty continuously, including some packet captures & traffic analysis, so I think I'll need to consider the processing limitations of a FortiWiFi 60D platform if I want to maintain throughput performance & QoS.

 

Do you know if VDOMs impose a greater resource utilization than VLANs, and if so, by how much? (if it's not much, then the multiple operating modes scenario could be very useful to me in my network security learning experiments.)

 

P.S. The Federation is watching developments on your planet with increasing alarm. I noticed the other day that the warning beacons at the edge of your solar system have been updated to OffCon 5 - an offensive classification usually reserved for Romulan Space and two steps worse than those pesky Ferengi. Hope you personally have not been adversely affected by recent developments as yet.

 

Spock out...

dbadams
New Contributor II

Good Morning Spock, 

 

One of the best parts about VDOMs is its resource allocation. Once enabled, you'll have an additional option in the GUI that allows you to not only monitor the resources that are being consumed by each VDOM, but to also assign resources to each VDOM from a global pool. This way a single VDOM cannot "starve" out the other VDOMs.

 

As for how many resources the actual feature consumes? I'm not too sure. I can only imagine that VLAN tagging would be the lesser of the two. I'm sure there are VDOM daemons involved that can be monitored, but I personally haven't done so.

 

VDOMs, from my experience, are pretty cool! It literally feels like creating several FortiGates from one, which goes beyond layer 2 segmentation. Either way, let me know what you decide to do. I'm interested. Nothing that is, is unimportant, right?

 

Also, thanks for the heads up about the outer solar system disturbance. I'll stay on red alert until further notice! 

 

Peace and long life. 

 

Devin. 

Spock
New Contributor II

Great feedback Devin - thanks!

 

I hope a Fortinet engineer will comment on this thread and enlighten us about VDOM resource utilization vs VLAN tagging. (Basic hardware operation intuition does indeed imply that VLAN tagging should impose much lower CPU overhead than entire VDOM instances, but to make an informed decision about which LAN segmentation architecture to choose requires some savvy engineering performance feedback from a Fortinet insider. Hope someone else is listening in and able to quantify the performance hit.)

 

In fact, it would be great to be able to communicate with a Senior Engineer at Fortinet who wants to get periodic feedback from an exclusive group of power users and network security research professionals.

 

(I, for one, occasionally write technical articles for TechTarget on products & methods to improve IT network security, and I am hoping that fast rising & highly affordable Fortinet appliances can deliver improved security to the millions of SMB & SOHO users who currently are flying blind with only consumer level firewall/routers. But my level of due diligence is all about using a product in my own enterprise on a daily basis and pushing it to its limits, before I form an opinion on its technical/value proposition merits.)

 

That said, I am coming to Fortinet through numerous recent "Smart Hands" Fortinet installs for MSSPs like Trustwave, who wouldn't be deploying Fortinet boxes if they didn't deliver the capabilities to monitor & manage network security on a very large number of small business enterprises (hundreds, if not thousands!). So, I am eager to put my FortiWiFi 60D thru its paces in my very complex & dynamic SOHO business, research and guest services environment to see what it can do.

 

Thanks for sharing your expertise.

 

Spock out

 

 
