Design topology
In the example topology, minor changes to the existing physical infrastructure were necessary. FortiGates replaced existing firewalls at headquarters (HQ) and a regional office. A FortiGate VM was added to Azure to provide NGFW protection for the cloud datacenter, and to mirror existing IPsec VPN services.
The internal application servers stayed in place with the same IP scheme in the server VLAN. For remote clients to reach the application servers, no dial-up VPN is required.
A DMZ was created to host Fortinet services that must always be accessible from the internet.
An internal client VLAN was created for client access, and it requires all endpoints to pass through the FortiGate. The NGFW feature and ZTNA secure access protects the server VLAN. For internal network users, ZTNA secure access is used. For remote users, no access is provided directly to the internal network; ZTNA access proxy is used. To gain access to the server VLAN the following is required:
ZTNA component |
Functional description |
---|---|
FortiClient |
Installs device certificates from the FortiClient EMS CA service Performs ZTNA checks required by the following ZTNA rules:
Provides dial-up VPN services during the ZTNA migration period |
FortiClient EMS Server |
|
FortiGate ZTNA access proxy |
|
FortiGate ZTNA secure access |
For internal users, it was decided not to use a full access-proxy, but ZTNA posture and identity checks are required to gain access to the server VLAN |
FortiAuthenticator and FortiToken |
Because more than one FortiGate is in the topology, it was decided to implement FortiAuthenticator to:
|
FortiAnalyzer |
Logging, reporting, and analytics for all the Fortinet devices. In the future, SOC features will be enabled to help the company manage security events and incidents as well as automate response and remediation |