design help
Hi
I have the below topology.
Where should I create the DMZ zone in the above topology, on the edge firewall or the DC firewall?
Thanks
Labels: FortiGate
That would depend on where all internal devices are connected to in the diagram, and the purpose/role of "dc firewall" in addition to those PAs(PANs?). DMZ should be located on the border between "outside" and "inside", although nowadays you can have many different ways to place it physically wherever you choose, and set up networks to place it on the border logically.
Toshi
Hi @Toshi_Esumi
> ...and the purpose/role of "dc firewall" in addition to those PAs(PANs?)
It is Palo Alto and the DC firewall is FortiGate.
The role of the DC firewall: all the server VLAN SVIs are created on the DC firewall.
If I want to create a DMZ on the DC firewall, do I need a DMZ zone on the edge firewall too?
Can you please give me a typical DMZ design for better understanding?
Thanks
Your network design is not typical. A typical network doesn't have both PANs and FGTs. You're still not giving us enough information to think where to place those servers in DMZ to let outside and inside access to them. Handling VLANs would be best if you let the Core SWs do it. You/your customer must have reasons to spend double for both PAN and FGT.
But to let outside parties access the servers in DMZ, either the servers need to have public IPs or a FW that has public IPs has DNATs (VIPs for FGT) mapped to local IPs on the servers. Depending on which FW, either PAN or FGT, is handling public IPs, I would let THAT FW have the DMZ interface, then the other one would just route DMZ-accessing traffic to the FW.
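A FortiGate CLI sketch of the "DNAT on the firewall that owns the public IPs" idea described above, added here as an illustration and not taken from any post in this thread: the interface names (wan1, dmz, internal), the IPs and the object names are assumptions, and it pairs the inbound VIP with a narrow DMZ-to-DC policy so the web server can reach only its database server.

```text
# Constructed example: interface names, IPs and object names are assumptions
config system zone
    edit "DMZ"
        set interface "dmz"
    next
end
config firewall address
    edit "web1-dmz"
        set subnet 10.10.50.10 255.255.255.255
    next
    edit "db1-dc"
        set subnet 10.20.10.5 255.255.255.255
    next
end
# DNAT (VIP): public 203.0.113.10 on wan1 -> web server in the DMZ
config firewall vip
    edit "web1-vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.50.10"
    next
end
config firewall policy
    # Internet -> DMZ: only HTTPS, only to the VIP, no source NAT, logged
    edit 0
        set name "internet-to-dmz-web"
        set srcintf "wan1"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "web1-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
    # DMZ -> DC: only the web server, only to the DB server, only SQL
    edit 0
        set name "dmz-web-to-dc-db"
        set srcintf "DMZ"
        set dstintf "internal"
        set srcaddr "web1-dmz"
        set dstaddr "db1-dc"
        set action accept
        set schedule "always"
        set service "MS-SQL"
        set logtraffic all
    next
end
```

No policy from DMZ to internal for anything else is created, so a compromised web server cannot reach the rest of the DC by default; the AD authentication path would get its own equally narrow policy.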
Hi @Toshi_Esumi
Thanks for the clarification. I have a couple of web servers and VDI desktop machines; these servers need to be accessed from the local LAN and from the internet.
The web servers need to communicate with database servers which are in the DC, and the web pages have authentication; the authentication must be done against local Active Directory.
Hope I could clarify
Thanks
Sounds like only PANs are handling the public side and the PANs' communication to FGTs seems to be over private subnets. Then I would set your DMZ (you probably have it already as an interface) on PANs and place those servers facing both sides in the zone/on the interface. Then the servers' internal connection to devices like the DB server is just routing through the FGTs.
Toshi
@Toshi_Esumi wrote: Sounds like only PANs are handling the public side and the PANs' communication to FGTs seems to be over private subnets. Then I would set your DMZ (you probably have it already as an interface) on PANs and place those servers facing both sides in the zone/on the interface. Then the servers' internal connection to devices like the DB server is just routing through the FGTs.
"Both sides in the zone/on the interface", what does it mean? Can you please elaborate?
Toshi
I'm pretty sure Toshi meant servers that deal with public and internal traffic (facing public side and internal side).
-> those servers (accessible from outside) usually go into DMZ
-> if the servers are connected to PAN firewalls, that's probably where you want to create and manage a DMZ
Probably my English was poor, or I'm not remembering PAN config/architecture well since it was a long time ago when I touched it. So I don't remember whether you can have, or have already had, the policies to/from outside and to/from inside using PAN's zone or interface for the DMZ area (as you know, PAN's zone is different from FGT's zone). You should know much better than us since you're actively working on the PANs, and this is the FTNT forum, so you can't expect somebody to tell you how to configure PANs.
Toshi
