Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Crown_Services_Tech
New Contributor

Segmentation

Hello All! I am new to Fortinet and am looking for assistance. My Director would like me to segment our HQ Network so that it is more secure.

He wants the following to have their own VLAN:

- Accounting (10.8.10.x)
- Operations (10.8.20.x)
- IT (10.8.30.x)
- Executives (10.8.40.x)
- "General Data" (10.8.50.x)
- Server (10.8.60.x)
- WiFi (easy enough)
- VoIP VLAN

Now, he wants every VLAN to be segmented from the others, with the IT team and an executive (we will call him BOB) having access to only their own VLAN. Basically he wants BOB to have access to both the accounting and executive VLANs. He also wants a way for everyone in the IT team to be able to access all the other VLANs (to do "IT stuff"). Is there any way that we can use the FortiGate to limit the internal permissions? Any help is appreciated!


1 Solution
Cajuntank
Contributor II

I literally just did this a few weeks ago. I created an aggregation interface from my main core switch to my FortiGate to get multiple ports for throughput and redundancy. Created VLANs using the aggregate as my interface. Moved the IPs away from my core L3 switch to the new VLANs on my FortiGate (so those VLANs on the L3 switch are just L2), then created all of the policies needed for communication between each of them as I deemed necessary. Policies can be done at the address level, user level, or Internet Service level as needed. Security inspection can be defined as needed on each policy. If you are going to do user-level access, then make sure you have your firewall connecting to whatever user source is needed (LDAP, FSSO, RADIUS, locally defined, etc.). Make sure you have your routing also set depending on your network size and other L3 devices as well. Just let me know if there is something more specific you need to know.

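The build Cajuntank describes, written out as FortiOS CLI. This is an added example by the editor, not configuration from the thread: it terminates three of the OP's VLANs on an LACP aggregate to the core switch (the switch keeps them as L2 only), defines address objects, binds an LDAP server and two AD groups, and adds the two identity-based policies the OP asked for (BOB from the executive VLAN into accounting, IT staff into accounting). Port names, the VDOM, the LDAP server address, DNs, AD group names and the bind account are all assumptions; replace them with your own.

```fortios
# Aggregate to the core switch, then the VLANs ride on it (assumed ports).
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
    next
    edit "VL-ACCT"
        set vdom "root"
        set interface "agg1"
        set vlanid 10
        set ip 10.8.10.1 255.255.255.0
    next
    edit "VL-EXEC"
        set vdom "root"
        set interface "agg1"
        set vlanid 40
        set ip 10.8.40.1 255.255.255.0
    next
    edit "VL-IT"
        set vdom "root"
        set interface "agg1"
        set vlanid 30
        set ip 10.8.30.1 255.255.255.0
    next
end
# One address object per VLAN; binding it to its interface stops it being
# reused (by mistake) in a policy on another interface.
config firewall address
    edit "NET-ACCT"
        set subnet 10.8.10.0 255.255.255.0
        set associated-interface "VL-ACCT"
    next
    edit "NET-EXEC"
        set subnet 10.8.40.0 255.255.255.0
    next
    edit "NET-IT"
        set subnet 10.8.30.0 255.255.255.0
    next
end
# User source: an assumed domain controller in the server VLAN, over LDAPS.
config user ldap
    edit "CORP-LDAP"
        set server "10.8.60.10"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service,DC=example,DC=com"
        set password <bind-password>
    next
end
# Firewall groups mapped to AD groups; BOB is a member of Accounting-Access.
config user group
    edit "GRP-IT"
        set member "CORP-LDAP"
        config match
            edit 1
                set server-name "CORP-LDAP"
                set group-name "CN=IT-Staff,OU=Groups,DC=example,DC=com"
            next
        end
    next
    edit "GRP-ACCT-ACCESS"
        set member "CORP-LDAP"
        config match
            edit 1
                set server-name "CORP-LDAP"
                set group-name "CN=Accounting-Access,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
# Identity policies. Anything not matched below hits the implicit deny, so
# every other VLAN-to-VLAN path is closed until a policy opens it.
config firewall policy
    edit 10
        set name "EXEC-to-ACCT-authorized-users"
        set srcintf "VL-EXEC"
        set dstintf "VL-ACCT"
        set srcaddr "NET-EXEC"
        set dstaddr "NET-ACCT"
        set groups "GRP-ACCT-ACCESS"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    # IT into accounting; repeat once per destination VLAN rather than
    # listing several dstintf values in a single policy.
    edit 20
        set name "IT-to-ACCT"
        set srcintf "VL-IT"
        set dstintf "VL-ACCT"
        set srcaddr "NET-IT"
        set dstaddr "NET-ACCT"
        set groups "GRP-IT"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

A policy with `set groups` only matches once the FortiGate knows which user is behind the source address, so pair it with FSSO (collector agent on the domain controllers) or captive-portal authentication on VL-EXEC and VL-IT, as the answer above says. `service "ALL"` is a starting point; replace it with the real services (RDP, SMB, SSH, and so on) once you have seen them in the logs. Static routes and the gateway of each client must move to the FortiGate at the same time as the VLAN IPs, or hosts will keep sending inter-VLAN traffic to the core switch and bypass these policies.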

2 REPLIES

ede_pfau
SuperUser

@Cajuntank, this 100%! I am so glad that you shared these sound ideas. OP, if you follow this advice there is not much you can do to top it.


Except maybe for micro-segmentation. Where segmentation uses VLANs for either user groups or host groups (think clients vs. servers), micro-segmentation calls for specific policies (= relations) between the main players on your network. This is enforced by tight addresses (host address instead of LANs), an enumeration of well-defined services (instead of service=ALL), and specific UTM protection.


BTW, I take it for granted that you will never use the 'any' interface, or even multiple interfaces per policy. It spares some effort initially but costs time and security/transparency in the long run.


For example, access to the central DNS will need one policy per source LAN, a host address as destination, "DNS" as service, and Application control to detect rogue traffic over port 53. Plus some extras to allow DoH in the future. Same 'tight' policies for access to your ISP's DNS. And a block-all policy to block access to any other DNS in the world. It's dangerous enough to trust your ISP, no client should be able to query arbitrary DNS in doubtful countries. The FGT does a good job as DNS relay, often that is all that is needed.

Ede Kernel panic: Aiee, killing interrupt handler!
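The 'tight' DNS policies ede_pfau describes, written out for the accounting VLAN as an added editor example (not configuration from the thread). It allows port 53 only to one internal resolver and one ISP resolver, runs application control on those flows, denies every other DNS and DNS-over-TLS destination with logging, and finishes with the FortiGate acting as DNS relay for the VLAN. Interface names, the resolver addresses (203.0.113.53 is a documentation address), the policy IDs and the assumed general outbound policy 150 are assumptions; the same pair of policies is repeated for every source VLAN.

```fortios
# Host objects: one internal resolver (assumed to live in the server VLAN) and
# one ISP resolver. /32 masks, not LANs.
config firewall address
    edit "HOST-DNS-INTERNAL"
        set subnet 10.8.60.53 255.255.255.255
    next
    edit "HOST-DNS-ISP-1"
        set subnet 203.0.113.53 255.255.255.255
    next
end
# DNS over TLS uses its own port (tcp/853); name it so it can be denied
# explicitly instead of hiding inside a broader rule.
config firewall service custom
    edit "DNS-over-TLS"
        set tcp-portrange 853
    next
end
config firewall policy
    edit 100
        set name "ACCT-to-internal-DNS"
        set srcintf "VL-ACCT"
        set dstintf "VL-SRV"
        set srcaddr "NET-ACCT"
        set dstaddr "HOST-DNS-INTERNAL"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    edit 101
        set name "ACCT-to-ISP-DNS"
        set srcintf "VL-ACCT"
        set dstintf "wan1"
        set srcaddr "NET-ACCT"
        set dstaddr "HOST-DNS-ISP-1"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    # Everything else on 53 or 853 from this VLAN is dropped and logged, so a
    # host querying an arbitrary resolver shows up in the traffic log.
    edit 102
        set name "ACCT-deny-other-DNS"
        set srcintf "VL-ACCT"
        set dstintf "wan1"
        set srcaddr "NET-ACCT"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS" "DNS-over-TLS"
        set logtraffic all
    next
end
# Policies are evaluated top-down by position, not by ID. The deny must sit
# above the general outbound policy for this VLAN (assumed to be ID 150),
# otherwise that policy's "ALL" service lets DNS through first.
config firewall policy
    move 102 before 150
end
# Alternative: let the FortiGate relay DNS on the VLAN interface itself. Clients
# point at 10.8.10.1, which forwards to the resolvers under "config system dns";
# policy 101 is then unnecessary and the deny in 102 still applies.
config system dns-server
    edit "VL-ACCT"
        set mode forward-only
    next
end
```

To confirm nothing is slipping past the deny, watch the interface for port 53 traffic that is not headed to the two allowed hosts, for example with `diagnose sniffer packet VL-ACCT 'port 53' 4`, and check the traffic log for hits on policy 102. Traffic to the FortiGate's own interface address (the relay case) is handled by local-in and does not need one of these policies.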