topic Re: dmz data flow in General Topics

dmz data flow

simsim — Sat, 18 Dec 2021 18:48:09 GMT

Hi,

Please advise

Hi,

I have a design flaw . I am trying to test dual dmz . dmz server the gateway is on the dmz firewall .

If the server in dmz wants to send data to dc server it has to go back through the same switch

How to avoid this ?

And also, please point out pros and cons for the below design

Thanks

Re: dmz data flow

BPry — Sun, 19 Dec 2021 06:50:56 GMT

@simsim,

Your diagram isn't incredibly well labelled, at least to my eyes. I don't see where you have a dual DMZ configured, nor do I honestly fully understand your question.

@simsim wrote:
If the server in dmz wants to send data to dc server it has to go back through the same switch

How to avoid this ?

Why do you think this is a problem that needs to be avoided. Ideally your DMZ wouldn't be allowed to access resources in your DC, but in the event this is needed I would have the traffic separated through different physical switches, or have the DMZ isolated to it's own VRF on any shared switches.

Re: dmz data flow

simsim — Mon, 20 Dec 2021 17:05:39 GMT

Hi @BPry

I have updated the diagram.Hopes it make sense now

I don't see where you have a dual DMZ configured, nor do I honestly fully understand your question.

I meand dual firewall dmz ,I want to ask the above design is ok ?

Ideally your DMZ wouldn't be allowed to access resources in your DC,

what if a web server wants to talk to a DB server inside

but in the event this is needed I would have the traffic separated through different physical switches, or have the DMZ isolated to it's own VRF on any shared switches.

Please provide a rough diagram

Thanks for your support

Hi @BPry

It would be great if you can reply

Re: dmz data flow

OtakarKlier — Mon, 20 Dec 2021 21:50:04 GMT

Hello,

A DMZ is just a vlan that is anchored at the firewall. Using two different vendors, no longer makes sense to me in the modern world, especially with PaloAlto. I would simplify the diagram and get rid of the Fortinet firewall. Also make sure all traffic to/from the DMZ serer goes through the palo alto and gets inspected.

Regards,

Re: dmz data flow

simsim — Tue, 21 Dec 2021 01:59:02 GMT

Hi @OtakarKlier and @BPry

Can I make a DMZ zone in the dc firewall?

In the above diagram which one is good .My purpose is i will keep all web server in dmz and the server has t ocommunicate internal vlan and ldap .Please suggest

Re: dmz data flow

OtakarKlier — Tue, 21 Dec 2021 21:37:33 GMT

Hello,

I've always been a fan of keeping things simple. There are a few things to keep in mind when architecting networks, some of these are where are the systems that require a NAT from outside to inside (if at all) and what function do all the devices perform. You have a device called 'core' yet in the second diagram, you have a way to bypass it? Depending on its overall function, I would either go with the first or third diagram. I would also let the PAN's handel the routing and anchor the vlans so that the traffic can be inspected and monitored.

Hope that makes sense.

Regards,

Re: dmz data flow

simsim — Wed, 22 Dec 2021 02:54:35 GMT

Hi @OtakarKlier

"you have a device called 'core' yet in the second diagram, you have a way to bypass it? Depending on its overall function"

That is my core device for routing and edge switches are connected. Inter VLAN routing is happening on core

What does it mean by anchor the vlan ?

Thanks

Re: dmz data flow

OtakarKlier — Wed, 22 Dec 2021 16:43:16 GMT

Hello,

Meaning the vlan IP for routing etc is on the firewall and the switch is just layer 2 for that particular vlan.

Regards,