Hello All! I am new to Fortinet and was am looking for assistance. My Director would like me to segment our HQ Network so that it is more secure.
He wants the following to have their own VLAN:
- Accounting (10.8.10.x)
-Operations (10.8.20.x)
-IT (10.8.30.x)
-Executives(10.8.40.x)
-"General Data" (10.8.50.x)
- Server (10.8.60.x)
-Wifi (Easy enough)
-VOIP Vlan
Now, he wants every VLAN to be segmented from the other with the IT team and an executive (we will call him BOB) to have access to only their own VLAN. Basically he wants BOB to have access to both the accounting and executive VLANs. He also wants a way for everyone in the IT team to be able to access all the other VLANs (to do "IT stuff". Is there any way that we can use the fortigate to limit the internal permissions? Any help is appreciated!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I literally just did this a few weeks ago. I created a aggregation interface from my main core switch to my FortiGate to get multiple ports for throughput and redundancy. Created VLANs using the aggregate as my interface. Moved the IPs away from my core L3 switch to the new VLANs on my FortiGate (so those vlans on the L3 switch are just L2), then created all of the policies needed for communication between each of them as I deemed necessary. Policies can be done at the address level, user level, or Internet Service level as needed. Security inspection can be defined as needed on each policy. If you are going to do user level access, then make sure you have your firewall connecting to whatever user source needed (LDAP, FSSO, Radius, locally defined, etc...). Make sure you have your routing also set depending on your network size and other L3 devices as well. Just let me know if there is something more specific you need to know.
I literally just did this a few weeks ago. I created a aggregation interface from my main core switch to my FortiGate to get multiple ports for throughput and redundancy. Created VLANs using the aggregate as my interface. Moved the IPs away from my core L3 switch to the new VLANs on my FortiGate (so those vlans on the L3 switch are just L2), then created all of the policies needed for communication between each of them as I deemed necessary. Policies can be done at the address level, user level, or Internet Service level as needed. Security inspection can be defined as needed on each policy. If you are going to do user level access, then make sure you have your firewall connecting to whatever user source needed (LDAP, FSSO, Radius, locally defined, etc...). Make sure you have your routing also set depending on your network size and other L3 devices as well. Just let me know if there is something more specific you need to know.
@Cajuntank, this 100%! I am so glad that you shared these sound ideas. OP, if you follow this advice there is not much you can do to top it.
Except maybe for micro-segmentation. Where segmentation uses VLANs for either user groups or host groups (think client vs. servers), micro-segmentation calls for specific policies (= relations) between the main players on your network. This is enforced by tight addresses (host address instead of LANs), an enumeration of well defined services (instead of service=ALL), and specific UTM protection.
BTW, I take it as granted that you will never use the 'any' interface, or even multiple interfaces per policy. Spares some effort initially but costs time and security/transparency in the long run.
For example, access to the central DNS will need one policy per source LAN, a host address as destination, "DNS" as service, and Application control to detect rogue traffic over port 53. Plus some extras to allow DoH in the future. Same 'tight' policies for access to your ISP's DNS. And a block-all policy to block access to any other DNS in the world. It's dangerous enough to trust your ISP, no client should be able to query arbitrary DNS in doubtful countries. The FGT does a good job as DNS relay, often that is all that is needed.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.