Network redesigning / security hardening updates / thoughts needed

SmokeyMountian_Tech · ‎11-18-2020

So we're replacing our existing 100D's in HA with 600E's.

I'm only about 3 months in with a new company managing their networks.

It consists of 1 primary location with roughly 200-300 users and about 20 remote locations with 200-300 total users.

The current setup is:

[ol]

100D's in HA at main site with Aruba 5406R-zl2 (Aruba is doing routing for local VLANs)[ol]

10.1.x.x through 10.9.x.x Each subnet will be on its own VLAN. (in the process now)

Dual WAN

OSPF for remote sites that are on the private LAN

FortiManager / FortiAnalyzer (Still working on getting the setup)[/ol]

most remote sites are sitting on Private 50-100Mb Fiber LAN back to our main office using OSPF[ol]

The private Lan is using a 10.255.255.x subnet and the connections are using NAT

Backup 4G internet W/IPSec tunnel[/ol]

Non-private lan remote sites are using IPSec split tunnels [ol]

Backup 4G internet W/IPSec tunnel[/ol]

Remote users:[ol]

work from home users: Have a 30E Firewall and also use SSL from behind their 30E

SSL VPN for remote access when needed.[/ol][/ol]

I'm planning on building up the 600E's from scratch because I know there's a lot of config in the 100D's that is not needed/old.

Some question I have and what I'm thinking for our new 600E's is:

[ol]

Thinking of setting up the new firewalls in tandem with the existing firewalls and moving internal and external sites over to it 1 at a time.

I'm thinking of setting the new firewalls up to do all the interoffice routing instead of the Aruba so we can apply security profiles to interoffice networks.

Thinking of migrating to SDWAN in the process. (Are there any reason not to start using SDWAN?)

Thinking we can set up the 30E's to have dynamic IPSec split tunnels for the home users so they don't have to SSL from behind the 30E.

Will be setting up a new subnet/VLAN for mobile devices that will have internet access only and isolation.[ol]

I'm thinking we have the new 600's handle this network so we don't have to pass traffic to our Windows DHCP servers.[/ol][/ol]

Other thoughts:

[ol]

For our remote offices on private LAN, is there any security benefit to NAT'ing the traffic? or should we just pass the traffic un NAT'd and use policies to apply security?

We're also looking to set up a management VLAN, any tips/thoughts?

We're slowing getting into the VOIP scene and have been setting them up on their own VLAN

Should we make 1 large Printer VLAN for all sites? and lock down access to each site/users that need to print to multiple sites? (Currently, we have a print server and we enable "Branch Office Direct Printing")

We're starting to put CC machines on their own VLAN on each Subnet.[/ol]

I want to make sure security practices are being followed and we're not making management harder than it needs to be.

TIA.