DMZ – with vlan 100D + 30D
This post discuss how we managed to isolate each of our servers to its own network (vlan).
In this scenario, We have 2 firewalls in place for some reason.
Fortigate 30D and Fortigate 100D. All wan-side incoming traffic will be received by 30D. 30D will then send them to the servers based on the Virtual IP configuration (port forwarding).
The reply packets from servers will go out through the 100D fortigate (100D is the gateway).
- Create and assign vlan in switch port.
create a vlan for each server. Then assign them to the port to which the physical servers are connected.
#Switchport mode access
#switchport access vlan
- create vlan in esxi:
open esxi server,
select physical server and goto configurations tab,
selct networing on left panel then click on properties
click add, select virual machine, give a network lable and vlan ID. (network label: name for the vlan)
- assign the vlan to VM:
right clik – edit server
select netowrk adapter
change network label.(select the vlan label created in step 2)
- Open the server and make necessory changes
Change RDP port in server.
give ip address in the vlan range.
set default gateway 100D
- open 30D and Add vlan.
basically we need to create a vlan port and assign an ip in vlan range.
- OPEN 30D- create virtual IPs and group
Policy and object
create virtual ip ( rdp,http,https )
create virtual ip group, for example:server-vlan-group. #Change RDP port in server.
- create wan-incoming policy on 30D
Outgoing interface: VlanInterface
destination: server-vlan-group( virtual ip group )
security profile: select default.
- Open 100D and create vlan.
network – interfaces – create new – interface
interface: new vlan will come under this interface.
Vlan ID: give vlan number
vitual domain: select your vdom
IP/Network: IP address/Subnet mask for the vlan port
administrationve access: give none.
- create address for vlan subnet in 100D. example: DMZ01
or create a device-address for the server.
- create lan-wan policy on 100D:
Name: give a name
incoming int: vlan interface
outgoing int: WAN port
source:name of address group we created in step 9
select security profiles.