RSS

DMZ – with vlan 100D + 30D

05 Jan

DMZ – with vlan 100D + 30D

This post discuss how we managed to isolate each of our servers to its own network (vlan).

In this scenario, We have 2 firewalls in place for some reason.
Fortigate 30D and Fortigate 100D. All wan-side incoming traffic will be received by 30D. 30D will then send them to the servers based on the Virtual IP configuration (port forwarding).
The reply packets from servers will go out through the 100D fortigate (100D is the gateway).

  1. Create and assign vlan in switch port.
    create a vlan for each server. Then assign them to the port to which the physical servers are connected.
    on cisco:
    #Switchport mode access
    #switchport access vlan
  2. create vlan in esxi:
    open esxi server,
    select physical server and goto configurations tab,
    selct networing on left panel then click on properties
    click add, select virual machine, give a network lable and vlan ID. (network label: name for the vlan)
  3. assign the vlan to VM:
    select VM
    right clik – edit server
    select netowrk adapter
    change network label.(select the vlan label created in step 2)
  4. Open the server and make necessory changes
    Change RDP port in server.
    give ip address in the vlan range.
    set default gateway 100D
  5. open 30D and Add vlan.
    basically we need to create a vlan port and assign an ip in vlan range.
  6. OPEN 30D- create virtual IPs and group
    Policy and object
    virtual IP
    create virtual ip ( rdp,http,https )
    create virtual ip group, for example:server-vlan-group. #Change RDP port in server.
  7. create wan-incoming policy on 30D
    name:DMZ-name
    incoming:WAN port
    Outgoing interface: VlanInterface
    destination: server-vlan-group( virtual ip group )
    schedule: always
    service:all
    action: accept
    security profile: select default.
  8. Open 100D and create vlan.
    open vdom
    network – interfaces – create new – interface
    name: vlanname
    alias:
    type:vlan
    interface: new vlan will come under this interface.
    Vlan ID: give vlan number
    vitual domain: select your vdom
    role: LAN
    IP/Network: IP address/Subnet mask for the vlan port
    administrationve access: give none.
  9. create address for vlan subnet in 100D. example: DMZ01
    or create a device-address for the server.
  10. create lan-wan policy on 100D:
    Name: give a name
    incoming int: vlan interface
    outgoing int: WAN port
    source:name of address group we created in step 9
    destination:all
    schedule:always
    service:all
    accept
    select security profiles.
 
Leave a comment

Posted by on January 5, 2021 in Fortigate

 

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: