Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
netfox
New Contributor

New network design help

Hi, I'm new to the forum.

 

I'm writing to ask an advice on a network design.

I would like to design a network in order to simplify management (there's a world shortage of IT people) while having acceptable reliability and security. I know it's a daunting task, but I have to work it out somehow.

I begun thinking about this block diagram:

internal LANs ---> CORE SWITCH ----> 2 Fortigate in HA with a DMZ in between ----> SWITCH ----> 2 firewalls in HA ----> Internet

I would like also to connect a network recorder to the Fortigates.

The network will be copper based, max throughput from LANs to core Switch reasonably max 1Gbps per single LAN and from Core switch to IPS reasonably max 1 Gbps.

So these are my questions:

 

1. Does the block diagram make sense?

2. Would it be possible to use all Fortinet devices in order to mitigate interoperability issues with other vendor's devices?

3. Would it be possible to set the IPS as a proxy HTTPS, SSH etc. and use it as a probe passing all the data with the proxied (not encrypted) data to the network recorder?

4. I need to connect to internal LANs through a VPN from outside, does Fortinet provide a client? If yes, will this setup jeopardize that funcionality in some way?

5. Based on the intended use, could you suggest some specific Fortinet device to use as a HA IPS, Network recorder, HA Firewall and Switch (also Core)?

6. Do Cisco switches eventually used in internal LANs (or as a core switch) interfere somehow with this setup?

 

I apologize for asking so many questions but I want to have things clear.

 

Thank you

5 REPLIES 5
ede_pfau
SuperUser
SuperUser

hi,

 

and welcome to the forums. Nice question.

Question like these provoke answers which tend to be biased towards products which the answering person has used in the past himself. Even 'best practices' are subjective to an extent.

Anyways, here are some thoughts:

 

1. double firewalls in line

Just to protect the DMZ you wouldn't need 2 firewalls in series. I use to think of DMZ servers as being hacked, and the firewall merely mitigates the amount of havoc on the internal LAN hosts.

I have a strong feeling that I'd never put 2 firewalls of the same vendor behind each other. If I need this kind of protection then I would not rely on one AV/IPS engine and one set of signatures or heuristics. Coplayers like Checkpoint, Cisco and to an extent Palo Alto come to my mind which would hopefully stand in for whatever known or unknown deficiencies the Fortigates have. There are more contenders in the market, just what I've thought of first.

 

The real question is whether it pays off to invest in double the hardware, services, product knowledge and support processes to minimize the risk - by how much?

Besides, there are other bad scenarios like DDoS attacks which cannot be mitigated with CPE alone - this is best done at provider level (multiple providers, load balancers,...).

 

As for the architecture, think of a FGT HA pair as one FGT - the DMZ is not between a pair of HA members but on one port of the cluster FGT.

 

2. one vendor strategy

For firewalls and 'network recorder' which translates as 'logging and reporting device' to me, yes, I'd go with FTNT equipment. The logging device is called FortiAnalyzer. Switches on the other hand are L2 devices, at least they don't interact on L4 to L7. So I'd choose whatever enterprise level model I have most experience with: Cisco, HP/H3C etc. They should support stacking and distributed LACP for redundancy. The FGTs support that.

 

3. IPS 'proxy'

The FGT is quite good as an IPS device, even better for Application Control. The main advantage of not splitting UTM functions into several appliances is latency. Having n devices scan your traffic will introduce n times the delays of one device. If you look at the traffic very early and make some decisions, many security checks can be avoided altogether. But that will only work in an integrated UTM firewall.

A FGT can send packets to the FAZ which have triggered the IPS sensor. Don't know if that is sufficient for you.

For efficient SSL offloading the FGT is probably not the best choice. Look FortiWeb instead.

 

4. Remote client IPsec VPN access

Yes and no. There is a client for Windows and MacOSX available for free from FTNT, the FortiClient. The software as such does not compromise security, it's the remote LAN which is difficult to control in terms of up-to-date signatures, program patches etc. The FortiClient offers some 'Endpoint control' to alleviate this, have a look into this.

Besides, there's SSL VPN in the same client (and as a standard, no extra fees feature in the FGT) which you could use as an alternative.

 

6. Cisco switches interfering?

No, see 2.

 

5. models

Well, Fortigate for firewalling+IPS+AV+AppControl, FortiAnalyzer for logging & reporting, switches you are proficient with. A mere 1 Gbps throughput though will not blush Fortinet's devices. That is, even the smallest FGT (60D) will do firewalling in wirespeed multiple times (because FGTs use offloading to specialized hardware).

Same applies for IPsec throughput - it's not done via CPU but offloaded to an ASIC. Very, very fast.

If you want 1 Gbps AV OTOH, then you enter the midrange FGTs, like 200D and up. You can get the core figures from Fortinet's datasheets (Fortinet Product Datasheets).

 

Sorry for the longwinded answers. IMHO you should start out with 2 main questions:

1. which level of security do I have to attain?

2. which kind of budget do I have at my disposal?

 

Especially no.2 is the reality check. If there's ample budget and high requirements you can go two-tiered, multiple vendor. But there are decent alternatives with Fortinet if you have to compromise on one or the other.

 

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
seadave

When you look at a Fortigate (FG), you can configure it were all ports are governed as a single switch by the firewall rules, or where each port is a unique interface with full L3 capabilities (recommended and gives you way more flexibility). 

 

So for a DMZ, you only need one firewall.  Port1 is WAN (you can have multiple for WAN link load balancing), Port2 is LAN, Port3 is DMZ, etc, and you can assign specific flow rules and filtering for each.  For instance if rule Port2 to Port1 is for your internal DHCP clients, you can enable Web/App/and Client OS IDS/IPS filtering (something suitable for Mac/Windows clients) and it is NAT'd of course.  You then create another rule for Port3 to Port1 and Port1 to Port3 for a webserver that you want to be isolated in a DMZ.  That way if it is compromised, the attacker cannot probe the machines connected on Port2 unless you have rules setup allowing such traffic (Port3 to Port2) or course.  On those ports you create IDS/IPS rules suitable for Apache or IIS.  The FG is very flexible this way. 

 

You can buy two of the same model, put a layer 2 dumb switch in front of them, link them directly for high availability (HA), and use the switch to tie the ISP incoming connection to the WAN ports on each FG.  When in HA mode, you have a single management IP that you use to manage the pair.  I tend not to do this.  I buy two.  One for production and the other for testing POC.  Makes upgrades much easier and less stressful. 

 

I've used Fortigates for 11 years and have never had one fail (I've also never had a Crypto variant or any virus for that matter make it to my LAN, lots of drive by download attempts, but the FG always blocks the payload sparing me the infection).  Started with the 60 series and we now use the 500D.  If you are in a "downtime is not an option" industry, that may not be a choice you can make, although in that case I would suggest you buy two firewalls for HA and one VM license so you can test firmware updates via the VM.

 

A word about firmware.  Be on the conservative side when it comes to updating.  FG has a very nice section in the new 5.4 FortiOS guide (P.613) regarding best practices.  More people need to read and understand this.

 

http://docs.fortinet.com/d/fortigate-fortios-handbook-the-complete-guide-to-fortios-beta

 

The ONLY bad thing about Fortinet IMHO is that in the past they have tended to release firmware at times that is not as stable or well tested as it should be.  That is NOT to say these are not stable devices (my current one has been up for 175 days), but make sure you wait at least 30 days after a new release and monitor these forums for the people who do blind upgrades and then wonder why they are having problems so you can learn from their experiences.  I'm currently testing the 5.4 release which is a major release for them.  So far so good (much better than the past), but I have yet to put it under load.  Some here indicate issues with it in specific cases.

 

Based on reading these forums, it seems folks with the lower end units tend to have more issues, but that is just a gut based analysis.  Know why you need to upgrade, know the bugs that exist, ALWAYS reboot first and backup your current config (keeping a local copy of your current firmware on hand should you need to downgrade and restore your backup config), and you will have a much easier time with them.

 

I agree with @ede_phau, FortiAnalyzer (FAZ) is your best bet unless you have very specific high detail needs, and buy a VM not the dedicated model.  The VM is much faster if you can put it on a SAN or dedicated server with enough IOPs.  The latest version 5.4 is very good and makes it easy to search for traffic.  It also generates very nice daily reports that you can use for auditing/compliance.  The FG also allows you to dedicate a port as a one arm sniffer to capture PCAP files (if you want to dig deeper using Wireshark) and you can also output syslog to a SEIM such as Splunk if you have it.  We use a FAZ VM64 but we also have Dell SecureWorks monitoring our FG via Syslog output to their Counter Threat Appliance.  Very happy with this setup. (See attached JPG).

 

VPN should not be an issue.  Test both.  IPsec is about 4x faster than SSL VPN.  Fortinet allows Windows and MacOS clients to connect (also Android and iOS) and as mentioned they offer the FortiClient (FC), which can install only VPN components or act as your endpoint Antivirus also.  You can download and mess with it for free here:

 

http://www.fortinet.com/resource_center/product_downloads.html

 

The current 5.4 release is new and there have been some issues (BSODs) for some folks.  Most recent version is supposed to resolve.  There is an ongoing DNS/Kernel Panic issue with FC on Mac OSX 10.11.X.  I'm running FortiClient 5.2.5 on MacOSX 10.11.3 and my only issue is I cannot resolve hostnames without FDQN because the silly client doesn't give you the option to enter search domains like the native L2TP and IPsec MacOS clients do.

 

Like all technology there will be minor frustrations, but overall compared to Cisco or PA, you cannot beat their price and performance.  To get an idea for pricing, you can check out http://www.avfirewalls.com/.

 

I really like the 500D.  It is a solid firewall.  We are supporting 175 people on it with a 100Mbps connection, we just got a 1Gbps connection.  Doing some tests with Google Fiber speedtest I was able to get 850Mbps avg throughput with all filters enabled so pretty happy about that.

netfox
New Contributor

First of all, I'm thankful to you, Ede and Seadave, for the prompt and thorough answers. That's the kind of support I hoped to receive from this forum. took some time to study your answers and thinking about the project, I'll try to reply in order to Ede and Seadave advices. Reply to Ede: 1. Budget and security Budget should not be a problem (hopefully), I just jave to justify design with common sense explanations and if there will be advantage by buying some more devices I'll be able to do that. Level of security should be adequate, not paranoid. With "adequate" I mean around 80%, with "paranoid" I mean around 95%. Oviously 100% does not exist. This could be reasonable because in our small company there are few factotum people with many IT tasks and within this small group an even smaller group has network security and administration tasks. If the network design is too much complicated to handle for few people, there will be what I call the "open-hole-mindset", in order to make things work ASAP you open holes in firewall or security to stop the workers complaints. I want to avoid this will all my heart so I will try to simplify things for IT people as much as I can. 2. Inline firewall Bearing point 1 in mind, I think I will accept your advice of using only the FGT UTM (in HA) and not two inline firewall, as I think this will not raise the overall security but instead will lower manageability. 3. Network recorder I could use also FAZ, since it will be integrated with FGT and provide the logging funcionality. I should investigate more if we require to log ALL the metadata traffic (for example with nBox recorder product) or should be enough to log triggered IPS events like FAZ does. 4. App proxy Thank you for spotting me Fortiweb, I took note of that. 5. VPN VPN feature as you explained should be OK. 6. Switches As you explained, I think we'll use switches we are proficient with. 7. Models I think I will need 1Gbps AV so I should look into a mid-range FGT model. Reply to Seadave: 1. DMZ & firewall thank you for the DMZ flow rule example, it was very clearly explained. From your reply I understood that you wouldn't use two inline firewalls, am I right? A question about FGT equipment in FA, if it is managed as a single IP do I need to buy double update licenses or one is enough for both equipments? 2. Firmware I'll follow your advice on waiting before installing firmware and I will explore the possibility of buying a test equipment as you do. 3. FAZ VM I'll study that option. Thank you for the advice. 4. Models I'll investigate which mid-range models better suit our needs. Thank you for sharing your experience. This should be the new block according to Ede and seadave advices: Internal LANs ---> Core Switch ---> 2 UTM FGT in HA managed as single IP and DMZ connected ---> FAZ connected to FGT ---> Switch ---> Router ---> internet Thanks again for your support, please let me know your further thoughts as I appreciate them a lot.

ede_pfau

Good. The FAZ (or any other logging device) usually is connected to the LAN somewhere, or via a management VLAN, but not to the DMZ.

 

For 1+ Gbps AV you should be good with a 300D or higher. 400D and 500D only differ in having 0 or 1 internal SSD. Internal storage wouldn't be important if you will be logging to an external device anyway. For selection, see the current FTNT Product Matrix doc at http://www.fortinet.com/sites/default/files/productdatasheets/Fortinet_Product_Matrix.pdf .

 

Unfortunately, for a cluster of 2 you will need 2 full licences, FortiCare plus some UTM / FortiGuard subscription. In old times, Fortinet offered the second licence for 50% but would not discount the hardware. Today, if you buy the hardware, get the bundle (hw plus subscriptions for a couple of years) and negotiate with your FTNT partner. Subscription renewals cannot be much less than listprice.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Big_Abe

Just out of curiosity, as I'm going through the same - what did you implement?

FCNSP

-------------------------------------

"They have us surrounded again, those poor bastards."

-Unnamed Medic

FCNSP ------------------------------------- "They have us surrounded again, those poor bastards." -Unnamed Medic
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors