Helpful ReplyHot!options to segregate host on a LAN

Author
journeyman
Gold Member
  • Total Posts : 156
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/03/15 22:56:36
  • Status: offline
2017/08/08 22:46:00 (permalink) 5.4
0

options to segregate host on a LAN

We have a /24 LAN configured on a vlan interface. It has been requested to segregate one host on the LAN so it can only reach other LAN hosts via defined policies.
Is it possible to do this without changing the host IP address, subnet and default gateway?
 
For instance, is there any way that can two VLANs be treated as one interface in terms of their subnet but control traffic between them using policies?
We have a lot of flexibility with VLAN configuration. We do not currently use zones but I do not believe this would help.
The managed switches support private VLAN, but this is not an option since we have multiple switches on the LAN (the privacy setting is restricted to the local switch only).
 
From what I can see this is not possible, but it is certainly worth asking.
 
If there are no other options we'll just assign a new IP range to the host and proceed with a regular layer 3 solution. But it would be very nice to do this somehow "in the background". And it would be very useful elsewhere - Oh, all those stray devices I could isolate!
#1
ede_pfau
Expert Member
  • Total Posts : 5265
  • Scores: 334
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: options to segregate host on a LAN 2017/08/09 00:41:04 (permalink)
0
IMHO you can only police / manage this host's traffic on the FGT if it traverses the FGT. This implies routing at least, so you will have to change the host's address or net mask. It just won't use the FGT if addressing other hosts in the same subnet.
On the FGT you then have the device dependent policies to do whatever you like.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
journeyman
Gold Member
  • Total Posts : 156
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/03/15 22:56:36
  • Status: offline
Re: options to segregate host on a LAN 2017/08/09 17:10:58 (permalink)
0
By asking here I was hoping to discover an sufficiently advanced technology of which I was ignorant :)
 
I know it is necessary to force the traffic to traverse the FGT; it is easy to do that by applying a new subnet but was hoping the FGT could somehow magically have one subnet on two interfaces and force the traversal that way, or something.
 
And if this magic existed, it would then be possible to isolate any device on our networks at will, and oh how powerful that would be.
#3
Iescudero
Silver Member
  • Total Posts : 70
  • Scores: 4
  • Reward points: 0
  • Joined: 2015/01/21 13:34:23
  • Location: Buenos Aires, Argentina
  • Status: offline
Re: options to segregate host on a LAN 2017/08/10 05:20:02 (permalink)
0
Hi there!
The only way to achieve this is if the traffic goes through the firewall, we're all agree with that, but that doesn't mean that you have to create a new subnet or vlan to do that.
You can do this putting your fortigate in transparent mode:
"...A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical..."
 
Hope it helps!!
#4
dmcquade
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/31 06:21:51
  • Status: offline
Re: options to segregate host on a LAN 2017/08/10 08:22:52 (permalink)
0
I don't believe transparent mode will help. In this mode, the FGT is typically placed inline to the next hop / router. If devices are on the same subnet and connected into the same switch, the FGT will never inspect the traffic.
 
What I would recommend is to segment the network into multiple VLANs. You could then make a physical connection between your FGT and the switch as a trunk connection. Define VLAN interfaces on the FGT to match the VLANs on the switch. Then you can create policies using the VLAN interfaces for the source and destination interfaces in your policies. You would also have to make sure you have inter-VLAN routing disabled for the VLANs that you want to pass through the firewall. The firewall's VLAN interface IP address should be the default gateway for the hosts on that VLAN. If you use DHCP, you will need to setup a separate DHCP scope for each VLAN.
 
Hope that helps.
Don
#5
emnoc
Expert Member
  • Total Posts : 4400
  • Scores: 249
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: options to segregate host on a LAN 2017/08/10 10:34:42 (permalink)
0
Your using a wrong  device for this . If you want layer2 restictions between 2 or more hosts &  in a common subnet , than  you need  one or combination of ;
 
 
layer2  PVLAN enabled switches
layer2  multiple-VLANs and use a layer3 filter ( ACLs or stateful firewalls )
layer2  VACLs  supported switch ( vlan acls )
host_based_firewall-services applied on that host directly
etc....
 
A layer3 router firewall or transparent mode is NOT going to  help
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#6
Kenundrum
Silver Member
  • Total Posts : 112
  • Scores: 8
  • Reward points: 0
  • Joined: 2008/05/15 10:25:50
  • Location: Rhode Island, US
  • Status: offline
Re: options to segregate host on a LAN 2017/08/10 13:17:35 (permalink) ☄ Helpfulby journeyman 2017/08/10 23:39:18
0
I have this kind of setup on one of my boxes. I believe this is refered to as a VLAN translation setup. Here is a quick simplified overview...
You have your "normal" unsecured, everything else VLAN. You then also have one or more "secured" vlans depending on your segregation needs. You have a fortigate operating in transparent mode connected to a switch. On that switch, you have devices plugged into ports that are ONLY allowed to use one vlan. So your users and upstream routers are connected to vlan 1, a web server on vlan 2, and database on vlan 3 (for example). The web server switch port is only allowed vlan2, the database port is only allowed vlan3, and all other ports are only allowed vlan1. You then have your fortigate plugged into the switch on a trunk port that is allowed vlan 1, 2, and 3. You create rules that state users can connect from vlan1 to vlan2 to the web server on appropriate ports. The web server can connect to the backend database from vlan2 to vlan3 on appropriate ports, but users on vlan1 cannot talk to the database due to an implicit deny.
What happens is that in transparent mode- the firewall will advertise mac addresses across all interfaces. So your web server on vlan2 cannot see any other devices because only it and the firewall sit on vlan2. The firewall advertises that it has routes to all other mac addresses on the local network and therefore traffic can flow. The same holds true in reverse for users to get to the web server as long as appropriate firewall policies are in place.
Doing it this way allows you to scale your setup as you can just add more ports to the secured vlan and protect more servers behind the firewall without every changing any ip settings. The caveat is that the machines on the same vlan have unrestricted access to each other and you will eventually need aggregated interfaces to make sure you have enough throughput. You can also do this in a cheap fashion by directly connecting the devices to the physical interfaces on the firewall and forgetting about vlans- but it doesn't scale.
 
if you already have a NAT mode fortigate- you need to enable VDOMs and create a new transparent vdom which will add some complexities. You could also just build a transparent mode configuration from the ground up if that is the device's only function.

NSE4 (at Accelerate2017!)
Some FGT500Ds, 60Ds at work
FWF60E, FWF80CM, FGT60C, and FWF60B at home
#7
journeyman
Gold Member
  • Total Posts : 156
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/03/15 22:56:36
  • Status: offline
Re: options to segregate host on a LAN 2017/08/10 23:37:19 (permalink)
0
Kenundrum's solution sounds great and I will investigate this further. Others respondents above have said a transparent firewall won't work, any comments on the solution as described?
 
We already have our Fortigate in NAT mode and would hence be looking at a transparent VDOM. But it might be worth the effort to implement due to the stuff we find on our networks. We have not used FGT VDOMs before, I guess I'll be doing a lot of reading in the near future. Can we leave the bulk of the configuration in the root vdom and "add on" the transparent vdom? Any tips on VDOMs, traps for beginners?
 
@emnoc - Thanks, VACLs are new to me. They would be ideal but unfortunately the functionality is not available on our hardware. We already investigated PVLAN but on our hardware it's limited to the local switch; because we have multiple switches looped together the functionality fails. I don't believe that PVLAN would actually solve our problem of controlling access to other hosts on the same VLAN; it would only block it completely.
 
If a transparent VDOM gets too hard, VLANS and layer 3 rules will have to do. But I am hopeful. Thanks all for your comments.
 
Edit: Existing FGT is an A-P HA cluster running in interface mode with OSPF on one interface.
post edited by journeyman - 2017/08/11 00:29:28
#8
oheigl
Gold Member
  • Total Posts : 243
  • Scores: 8
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: online
Re: options to segregate host on a LAN 2017/08/11 01:31:07 (permalink)
0
If you activate VDOMs on your device everything will be moved to the root VDOM, so nothing really changes on your existing setup. Then just create a new VDOM and put the interfaces in this new VDOM you would like to configure.
Regarding Kenundrum's solution I have a question: I understand how it should work, but why should the FortiGate forward these packets between the different VLANs?
I did some research, and it seems that it really is enabled by default (taken from the Layer 2 solutions guide on the KB): Note: Broadcast packets will be flooded to all ports even if the VLAN ID is different. This is a common cause of broadcast storms and/or packet of death spirals in L2 deployments. 
I guess this will really work, but I hope you are not running into some serious issues with loops and storms etc. I would advise you to configure a separate network for this host, it's much cleaner and safer this way.
#9
Kenundrum
Silver Member
  • Total Posts : 112
  • Scores: 8
  • Reward points: 0
  • Joined: 2008/05/15 10:25:50
  • Location: Rhode Island, US
  • Status: offline
Re: options to segregate host on a LAN 2017/08/11 07:20:37 (permalink)
0
So there are a few caveats to the setup. In general a layer 2 setup is a stopgap. After 3 years of running layer 2, we are making arrangements to migrate to layer 3 and change a bunch of ip ranges for servers and end up segregating a lot more devices. You end up with a bunch of questions like "hey is that thing behind the firewall" because the ip addresses are scattered all over the place. it's a lot easier to simply know that all the servers with 192.168.20.x are web servers on vlan20 and 192.168.21.x are databases on vlan21. 
You can also only do one subnet per transparent vdom, so all of them need to be in the same ip range. I don't have a problem with the broadcast packets because i have very strict firewall rules. I did have a problem with port flapping in fortios 5.2.x. On the trunked ports, the fortinet was advertising mac addresses on both the vlan tagged and untagged interfaces- so the switch was seeing mac addresses on multiple vlans and was shutting down the ports to prevent broadcast storms. I had to set the default untagged vlan id for the trunk ports to go to a blackhole on the switch to stop that. In hindsight, changing the forward-domain for the untagged interface on the firewall probably would also work.
 

NSE4 (at Accelerate2017!)
Some FGT500Ds, 60Ds at work
FWF60E, FWF80CM, FGT60C, and FWF60B at home
#10
Spock
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/05/25 04:03:24
  • Status: offline
Re: options to segregate host on a LAN 2017/08/11 07:27:20 (permalink)
0
If you do activate VDOMs on your device, I would be very interested in knowing how much of a cpu/memory/throughput performance hit your Fortinet takes after VDOM implementation.
 
I am interested because I have to decide how to segment my own FortiWiFi 60D network, and I want to optimize both multi-departmental segmentation and packet traffic flow. (VLAN's are very popular and VLAN tagging is very efficient, but what is the VDOM load on the Fortinet hardware and does it impose an overall performance penalty?)
 
A two VDOM configuration, with one VDOM loaded up with multiple VLAN's could become a very desirable configuration if Fortinet performance remains robust and real time monitoring & occasional packet captures are not impacted adversely.
 
If you go this route, please let us all know what it was like.
 
Good luck,
Spock out...
#11
Kenundrum
Silver Member
  • Total Posts : 112
  • Scores: 8
  • Reward points: 0
  • Joined: 2008/05/15 10:25:50
  • Location: Rhode Island, US
  • Status: offline
Re: options to segregate host on a LAN 2017/08/11 07:55:50 (permalink) ☄ Helpfulby Spock 2017/08/11 08:55:18
0
Vdoms add up on smaller devices because in effect you spawn worker processes for each vdom separately. Also it becomes a chore to synchronize address and custom service lists between them. The primary reason for vdom separation is to have a firewall that operates in transparent and NAT mode at the same time or for administrative separation. You can set minimum and maximum values for certain resources like vpn tunnels, policies, and sessions but not really a maximum/minimum CPU/memory so resource management on smaller boxes can be tricky if you're using a lot of UTM functions.

NSE4 (at Accelerate2017!)
Some FGT500Ds, 60Ds at work
FWF60E, FWF80CM, FGT60C, and FWF60B at home
#12
Spock
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/05/25 04:03:24
  • Status: offline
Re: options to segregate host on a LAN 2017/08/11 09:20:31 (permalink)
0
Thanks Kenundrum for your fast reply to my VDOM vs VLAN performance query!
 
Journeyman doesn't say what Fortinet device he is running, so, hopefully, he will see your posting and dig a little deeper into multiple VDOM resource utilization if, like me, he has a less powerful Fortinet deployed. (Better to consider a change like this before taking the plunge rather than finding out later that routing performance could dive into a shallow puddle on an overloaded box.)
 
Question: is there an in-depth KB article on VDOM vs VLAN implementation that relates network architecture choice to Fortinet device cpu/ram/version or model numbers?  (In other words, how can we know before "experimenting" with a production configuration?) Some guidelines would be helpful and probably reduce the number of "Oh God!" moments in the network admin community.
 
Spock out...
 
 
 
 
#13
journeyman
Gold Member
  • Total Posts : 156
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/03/15 22:56:36
  • Status: offline
Re: options to segregate host on a LAN 2017/08/15 00:24:26 (permalink)
0
@Spock, yes this is a 60D cluster. We intend to swap to 60E for asset management rather than performance reasons.
 
Reading through this discussion I'm pretty sure we can accommodate all the issues raised and have a stable and well-behaved solution. That said there is some risk in this approach and we have not yet made our decision to proceed.
We have a small test area where we can evaluate our more adventurous improvements, but beyond verifying basic functionality this one will be hard to test as some important LAN elements are missing from the test environment.
 
Happy to post back with results if we proceed.
#14
journeyman
Gold Member
  • Total Posts : 156
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/03/15 22:56:36
  • Status: offline
Re: options to segregate host on a LAN 2017/08/17 23:57:16 (permalink)
0
For those interested in the results of this solution, we will not proceed for our immediate requirement and will implement plain boring layer 2 & 3 segregation.
#15
Jump to:
© 2017 APG vNext Commercial Version 5.5