Support Forum
tedauction
New Contributor III

VIP policies to LAN or DMZ?

Hello, we have a DMZ vdom, however we still have many legacy incoming public VIP rules that point to our 'non-DMZ' LAN vdom.

Is this considered bad security practice?

These public-facing VIP rules are quite strict with the ports allowed, but I just feel that any public-facing ports at all should be directed to the DMZ?

Am I being too wary?

ede_pfau
Esteemed Contributor III

Nope. IMHO if you take the pain, cost and effort to create a DMZ VDOM in the first place you are obliged to adhere to these principles. I tend to explain to customers what a DMZ is for in saying "imagine the servers in the DMZ are hacked and now under control of some evil guy - what can happen?". Which prevents policies from DMZ to LAN, for instance. Sometimes workflows have to be redesigned for this, but better you put some effort here than fix a leak later.

Whenever I encounter VIP access rules in a firewall I feel uncomfortable. Sometimes you can replace them with VPN access and tight policies, which is way more secure. But it'll take more effort.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
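The two rules Ede describes (public VIPs should land in the DMZ, not the LAN, and nothing should be allowed from the DMZ into the LAN) can be checked mechanically against an exported config. Below is an added audit script, not code from the thread or from Fortinet: it parses a constructed FortiOS-style `config firewall vip` / `config firewall policy` fragment, assumes the LAN VDOM lives in 10.10.0.0/16 and that the interfaces are literally named `dmz` and `lan`, and flags VIPs whose mapped host is on the LAN plus any accept policy from dmz to lan.

```python
import ipaddress

# Constructed FortiOS-style fragment (not from the thread): one public VIP maps into
# the LAN VDOM's address space, one into the DMZ, and policy 10 accepts DMZ -> LAN.
SAMPLE_CONFIG = """
config firewall vip
    edit "legacy-rdp-vip"
        set mappedip "10.10.0.5"
    next
    edit "web-vip"
        set mappedip "172.16.50.20"
    next
end
config firewall policy
    edit 10
        set srcintf "dmz"
        set dstintf "lan"
        set action accept
    next
end
"""

LAN_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed LAN VDOM address space

def parse_sections(text):
    # Returns {section: {entry: {key: value}}} for config/edit/set/next blocks.
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and current is not None:
            entry = current.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, val = line[4:].partition(" ")
            entry[key] = val.strip('"')
        elif line == "next":
            entry = None
    return sections

def audit(text, lan_nets=LAN_NETS):
    """Flag VIPs whose mapped host is on the LAN, and any accept policy from dmz to lan."""
    cfg, findings = parse_sections(text), []
    for name, vip in cfg.get("firewall vip", {}).items():
        mapped = ipaddress.ip_address(vip["mappedip"].split("-")[0])  # ranges use a-b
        if any(mapped in net for net in lan_nets):
            findings.append(f"vip {name}: public VIP maps to LAN host {mapped}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if (pol.get("srcintf"), pol.get("dstintf"), pol.get("action")) == ("dmz", "lan", "accept"):
            findings.append(f"policy {pid}: accept from dmz to lan")
    return findings
```

Run `audit()` over a `show firewall vip` / `show firewall policy` export from the LAN VDOM; an empty list means no public VIP terminates on the LAN and no DMZ-to-LAN accept rule exists in that fragment.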