Infotech22
Contributor

Segmenting our Network

Hello to all cybersecurity enthusiasts,

I would like to get some best practices and advice for my next project.

At one location we have barely done any segmentation since the last IT manager, so it's time to make it more secure and better.

Current Situation is like this:

  • VLAN 1 "Clients"
    • Here in our Clients VLAN we have regular clients (notebooks, workstations), printers, VoIP devices, meeting devices (cameras, microphones, etc.)
  • VLAN 2 "Servers"
    • Here in the Servers VLAN we have domain controllers, file servers, backup servers, repositories, etc.

What would be a general recommendation?
I would like to segment it a bit more and create separate VLANs for Printers, VoIP, IoT, Backup Network etc.

Our Infrastructure is as follows:
2 x FortiGate 200F in an HA Cluster (Active/Passive)
2 x Core FortiSwitches in an MC-LAG
3 x Access FortiSwitches


I'm new to this forum.
I'm NSE4 certified. 

1 Solution
ndumaj
Staff

Hello Infotech22,

You can add additional VLANs on the interfaces in order to segment your network.
Please review the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...

- Then firewall policies should be created to allow traffic from the switch interface to reach the destination interface or VLAN. NAT should be enabled where it is needed.

-BR-

- Happy to help, hit like and accept the solution -

Infotech22

Thank you for the suggestion.

Yes, the plan is to do something like that:

VLAN 1 is 10.10.0.0/16
VLAN 2 is 192.168.10.0/24

So I would probably do some subnetting on VLAN 1 so that I create different subnets for more VLANs, for example:
10.10.1.0 - 10.10.5.0 - for Clients

10.10.255.0 - 10.10.255.254 - for Printers etc.

Is this approach okay?

_emeste
New Contributor

Hi,

In my opinion, network segmentation is a process that requires good planning.
I always try to approach this issue in the following way:
1. I determine which VLANs I should create and then group the devices. For example:
Printers
Clients
Media
WiFi
DCs
etc.
IMO, an inventory of the network is necessary.
2. I create a network diagram at a logical level.
3. I prepare the device configuration and move the devices into the predetermined VLANs.

Once devices are in defined VLANs you can focus on the security layer. On your firewall, limit access to each network segment to only those who need it.

Also, the ZTNA concept can be useful in planning network segmentation.

PS:

In the case of VoIP, it is worth noting that users often have their PCs connected to the phones.

Infotech22

Thank you for the information.
I have 2 months to plan everything, so every recommendation is welcome.

ndumaj
Staff
Staff

Hello,

If VLAN 1 is 10.10.0.0/16, that covers

10.10.0.0 - 10.10.255.255

You can't create a new VLAN with 10.10.1.0 - 10.10.5.0 for Clients or 10.10.255.0 - 10.10.255.254 for Printers etc.
The new VLANs should be on a different subnet :|

You can also review the following articles that might help to make the changes:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Transfer-Migrate-VLAN-to-another-interface...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Edit-VLAN-ID-of-a-VLAN-interface/ta-p/2152...

-BR-

- Happy to help, hit like and accept the solution -
Infotech22

Yes,

That is the current situation of VLAN 1.

I will subnet it to have a smaller number of available hosts per VLAN.
For Clients I don't need more than a /24, but in this case I would use something like
10.10.0.0/21 etc.

So that I have the rest to divide for Printers, IoT, etc.

I hope you understand what I'm trying to say.

ndumaj

As Emeste mentioned, network segmentation is the most important process and requires good planning; if you have a good segmentation plan then the implementation is the easy part.

Yep, you can divide VLAN 1 10.10.0.0/16 into smaller VLANs for clients:
10.10.1.0 - 10.10.5.0 - for Clients --> 10.10.0.0/21
For printers:
10.10.255.0 - 10.10.255.254 - for Printers --> 10.10.255.0/24
etc.

that works :)
-BR-

- Happy to help, hit like and accept the solution -
Infotech22

Thank you for the confirmation.

That is probably the approach I would take,
because I want to have more than a /24 for the VLANs; a /24 is not so scalable.

ndumaj

You are welcome!
Happy to help you!

Based on your needs, you have to decide on the subnet.
If the requirement is for 1000 hosts I would provide double the available IPs, 2046, which corresponds to a /21 :)
If you plan to have at most 100 printers then go for 254 available IPs --> /24 :)

This is my approach because the requirements might change in the next years and you would need to expand the network again or do additional configuration.

-BR-

- Happy to help, hit like and accept the solution -
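A small planning helper, added here as an example (not the thread's own code and not Fortinet code), that applies the sizing rule from this reply (double the required hosts, then pick the matching prefix length) and checks the carve-out agreed earlier in the thread (10.10.0.0/21 for Clients, 10.10.255.0/24 for Printers) stays inside the old 10.10.0.0/16, does not collide with the 192.168.10.0/24 server VLAN, and has no overlapping subnets. The VoIP and IoT subnets in the sample plan are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List

# Values taken from the thread: the flat client VLAN being carved up and
# the separate server VLAN that new subnets must not collide with.
LEGACY_CLIENTS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("192.168.10.0/24")


def prefix_for_hosts(hosts: int, headroom: float = 2.0) -> int:
    """Smallest IPv4 prefix whose usable addresses (2**(32-p) - 2, network and
    broadcast excluded) cover hosts * headroom. headroom=2.0 is the
    'provide double the requirement' rule from the reply above."""
    needed = int(hosts * headroom)
    prefix = 30
    while prefix > 0 and (2 ** (32 - prefix) - 2) < needed:
        prefix -= 1
    return prefix


def validate_plan(parent, plan: Dict[str, str], reserved=()) -> List[str]:
    """Return a list of problems with a proposed VLAN plan (empty == OK).
    Checks each CIDR is a true network address (10.10.1.0/21 is not),
    lies inside parent, and overlaps neither another planned VLAN nor a
    reserved network such as the existing server VLAN."""
    problems: List[str] = []
    nets = {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            fixed = ipaddress.ip_network(cidr, strict=False)
            problems.append(f"{name}: {cidr} has host bits set; network is {fixed}")
            nets[name] = fixed
    for name, net in nets.items():
        if not net.subnet_of(parent):
            problems.append(f"{name}: {net} is outside {parent}")
        for r in reserved:
            if net.overlaps(r):
                problems.append(f"{name}: {net} overlaps reserved {r}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    for role, hosts in {"Clients": 1000, "Printers": 100}.items():
        print(f"{role}: {hosts} hosts -> /{prefix_for_hosts(hosts)}")
    plan = {"Clients": "10.10.0.0/21", "Printers": "10.10.255.0/24",
            "VoIP": "10.10.8.0/22", "IoT": "10.10.12.0/24"}  # VoIP/IoT assumed
    print(validate_plan(LEGACY_CLIENTS, plan, reserved=[SERVERS]) or "plan OK")
```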