Standard firewall architecture

Typically, an organization has a next generation firewall (NGFW) that protects its network or data center from the internet and acts as the default gateway to the internet through one or more WAN links, as the diagram shows:

The NGFW is usually a physical or virtual appliance situated at the organization’s network edge.

A virtual private network (VPN) is the industry-standard solution that provides remote access, authentication, and encryption capabilities using a software client or agent to secure traffic between a user on the internet and the VPN gateway protecting an organization’s network. Remote access VPNs rely on IPsec or SSL-based VPN implementations.

Typically, an organization provides its remote users with protected access to its network via VPN connections or provides its branch users with protected access via other WAN technologies, such as multiprotocol label switching.

Organizations have extended this scenario to ensure their remote users have secure internet access by enforcing VPN connections with full tunneling enabled. With full tunneling VPNs, the following traffic goes through the VPN:

  • Traffic destined for the organization’s internal network
  • Traffic destined for the internet, which is sent through the VPN to the NGFW for threat detection and mitigation before it leaves for the internet

Therefore, a remote user’s internet traffic not only goes through the user’s own local ISP to establish a VPN connection with the NGFW, but also goes through the NGFW’s WAN link. This operation is known as WAN backhauling.
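The following added example (not part of the original document or any Fortinet product code) models the path a remote user's packet takes under full-tunnel versus split-tunnel VPN and tallies the load the WAN backhauling described above places on the NGFW's WAN link. The internal prefixes, sample flows, and the assumption that the VPN tunnel terminates on the same WAN link that carries the NGFW's internet traffic are all constructed for illustration.

```python
import ipaddress

# Constructed example prefixes for the organization's internal network (assumption).
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_internal(dst: str) -> bool:
    """True if the destination belongs to the organization's internal network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in INTERNAL_PREFIXES)

def path(dst: str, full_tunnel: bool) -> tuple[list[str], int]:
    """Return the hops a remote user's packet takes and how many times it
    crosses the NGFW's WAN link (assumes the tunnel terminates on that link)."""
    if is_internal(dst):
        # Internal traffic always rides the tunnel and enters the NGFW once.
        return ["client", "local ISP", "VPN tunnel", "NGFW", "internal network"], 1
    if full_tunnel:
        # Backhauled internet traffic: in over the WAN link inside the tunnel,
        # inspected by the NGFW, then out over the same WAN link to the internet.
        return ["client", "local ISP", "VPN tunnel", "NGFW", "NGFW WAN link", "internet"], 2
    # Split tunnel: internet traffic leaves directly via the user's ISP, uninspected.
    return ["client", "local ISP", "internet"], 0

def wan_link_bytes(flows, full_tunnel: bool) -> int:
    """Total bytes the NGFW WAN link carries for a list of (dst, bytes) flows."""
    return sum(size * path(dst, full_tunnel)[1] for dst, size in flows)

def inspected_internet_bytes(flows, full_tunnel: bool) -> int:
    """Internet-bound bytes that pass NGFW inspection under the given tunnel mode."""
    return sum(size for dst, size in flows if full_tunnel and not is_internal(dst))

# Constructed sample flows: (destination, bytes). 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = [
    ("10.1.2.3", 1000),       # internal file server
    ("203.0.113.10", 5000),   # public web site
    ("192.168.5.5", 200),     # internal intranet app
]

if __name__ == "__main__":
    for mode in (True, False):
        label = "full tunnel" if mode else "split tunnel"
        print(f"{label}: WAN link bytes={wan_link_bytes(SAMPLE_FLOWS, mode)}, "
              f"inspected internet bytes={inspected_internet_bytes(SAMPLE_FLOWS, mode)}")
```

The full-tunnel figure shows the trade-off: every internet-bound byte is inspected, but it also crosses the NGFW's WAN link twice, which is the capacity cost of WAN backhauling.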
