Design Questions - Replacing several firewalls

Author
v20100
Bronze Member
  • Total Posts : 29
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/09/07 22:28:14
  • Status: offline
2018/10/15 15:12:46 (permalink)
0

Design Questions - Replacing several firewalls

Hi
Our current HQ uses Fortigate firewalls.
Situation a few months ago:
BranchA had FirewallBrandA and connected to HQ via IPsec VPN. Users connect to BranchA via the FirewallBrandA VPN client.
BranchB had FirewallBrandB and connected to HQ via IPsec VPN. Users connect to BranchB via the FirewallBrandB VPN client.
 
Current situation:
The 2 branches merged physically.
Each 'branch' is still using the same setup as when separated except for the internet which is now common.
 
Planned solution:
We are going to replace FirewallBrandA and FirewallBrandB with only one Fortigate.
Initial thought was to plug each 'branch' into a different interface and give each its own rules.
 
Q1: Do we keep 2 IPsec VPNs to HQ, or can we have only 1? Not sure if we can have 2 VPN links pointing to the same HQ IP. On the other hand, I do not know how to set up a VPN link using 2 interfaces (and rules). Is it possible, and how?
 
Q2: What about SSL VPN? I have played on our HQ firewall with having 2 SSL portals, each one authenticating against a different RADIUS server (and having their own subnets and rules). It seems to work but looks flaky. Also, I am not sure how the Fortigate decides which portal to use depending on the user.
For example, from the same https address, how can UserA be authenticated by RadiusA and then get access to BranchA, and UserB be authenticated by RadiusB and then get access to BranchB?
 
I also looked at VLANs on the Fortigate on the same interface, to connect each 'branch', but will it not be the same for IPsec and SSL VPN?
 
Any input would be greatly appreciated
 
Thanks in advance
#1

3 Replies

    lobstercreed
    Bronze Member
    • Total Posts : 33
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Design Questions - Replacing several firewalls 2018/12/04 09:59:39 (permalink)
    0
    Did you ever get this figured out? It sounds to me like you need only one VPN link between HQ and the new merged branch, but possibly different policies on the branch FortiGate to apply appropriately to legacy BranchA and BranchB. This is more a matter of understanding what can be done with policies on the FortiGate than anything else super complicated.
    #2
    v20100
    Bronze Member
    • Total Posts : 29
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/09/07 22:28:14
    • Status: offline
    Re: Design Questions - Replacing several firewalls 2018/12/04 16:42:49 (permalink)
    0
    Hi
    Sort of, but not tested yet. We only got the units last week and have not been able to work on it.
    Found this article that might be the answer: https://cookbook.fortinet.com/using-zones-to-simplify-firewall-policies-56/
     
    Will find out in a couple of weeks!
     
    Cheers
    #3
    sw2090
    Gold Member
    • Total Posts : 247
    • Scores: 8
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: Design Questions - Replacing several firewalls 2018/12/04 23:20:31 (permalink)
    0
    Well, both are possible.
     
    Here I, for example, use two IPsec tunnels over different WAN interfaces for redundancy. Both route the same subnet(s). Redundancy is done by priority-based routing (i.e. it primarily uses the tunnel whose route has the lowest priority, and if that doesn't work it uses the other one).
    If you don't want/need redundancy, you don't need two IPsec tunnels anymore.
    #4
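    To make the two approaches discussed in this thread concrete (one FortiGate with separate policies per legacy branch, as lobstercreed and the linked zones article suggest, plus sw2090's two tunnels with priority-based routing), here is an added FortiOS CLI example. It is not taken from the thread or from Fortinet documentation. Interface names (port2, port3), zone and address names, the subnets, and the tunnel interface names HQ_vpn_wan1/HQ_vpn_wan2 are constructed placeholders; it assumes the two route-based IPsec tunnels to HQ already exist under those names. Lines starting with # are annotations, not commands.

```fortios
# Added example, not from the thread. Names, interfaces and subnets are
# constructed placeholders; assumes route-based IPsec tunnels to HQ already
# exist as interfaces "HQ_vpn_wan1" and "HQ_vpn_wan2".

# Address objects for the two legacy branch LANs and the HQ LAN (constructed).
config firewall address
    edit "BranchA_LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "BranchB_LAN"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "HQ_LAN"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# One zone per legacy branch, holding the physical port that branch is plugged
# into, and one zone holding both tunnels to HQ. Policies reference the zones,
# so a second tunnel (or a second port per branch) needs no new policies.
config system zone
    edit "zone_BranchA"
        set intrazone deny
        set interface "port2"
    next
    edit "zone_BranchB"
        set intrazone deny
        set interface "port3"
    next
    edit "zone_HQ"
        set interface "HQ_vpn_wan1" "HQ_vpn_wan2"
    next
end

# Each branch keeps its own rule set towards HQ, and cross-branch traffic is
# dropped by an explicit, logged deny so attempts are visible in the traffic
# log rather than disappearing into the silent implicit deny.
config firewall policy
    edit 0
        set name "BranchA_to_HQ"
        set srcintf "zone_BranchA"
        set dstintf "zone_HQ"
        set srcaddr "BranchA_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "BranchB_to_HQ"
        set srcintf "zone_BranchB"
        set dstintf "zone_HQ"
        set srcaddr "BranchB_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Block_BranchA_BranchB"
        set srcintf "zone_BranchA" "zone_BranchB"
        set dstintf "zone_BranchA" "zone_BranchB"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# sw2090's redundancy: the same HQ subnet routed over both tunnels with equal
# distance (both routes stay installed) and different priority. The route with
# the lowest priority value is used; if that tunnel goes down, the other takes over.
config router static
    edit 0
        set dst 10.10.0.0 255.255.0.0
        set device "HQ_vpn_wan1"
        set distance 10
        set priority 10
    next
    edit 0
        set dst 10.10.0.0 255.255.0.0
        set device "HQ_vpn_wan2"
        set distance 10
        set priority 20
    next
end
```

    Two practical notes: an interface cannot be added to a zone while an existing firewall policy still references it directly, so move or delete those policies first; and if, as lobstercreed says, a single tunnel to HQ is enough, drop the second tunnel interface from zone_HQ and the second static route, and the policies above need no change.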