Friday, August 17, 2018

Using /31 DMZ subnets

I was toying with the idea of using /31 subnets for our DMZ servers, just with VLANs for now but later maybe with VXLANs. That means lots of interfaces on the Fortigate firewall, with everything under a DMZ zone.

We don't have more than a hundred servers that we'd want to allow access to from the internet. All access to those would come via F5 BIG-IP load balancers, and the BIG-IPs would hold the public IPs. The /31 subnets would use private IPs.

My reasoning is that I could then allow access between two DMZ servers if needed, and have it go via the firewall. If I used private VLANs I couldn't route the traffic through the Fortigate, I think?
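To see what the /31-per-server layout looks like on paper, here is an added example (not from the original post, and not Fortigate or BIG-IP code): it carves a private pool into /31 point-to-point subnets, one per server, gives the firewall the first address and the server the second (RFC 3021 makes both addresses of a /31 usable), and shows why any server-to-server traffic has to go via the firewall: the only address on-link for a server is its own gateway. The pool, server names, VLAN numbering and the Linux-style server commands are all assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, NamedTuple


class P2P(NamedTuple):
    """One /31 link: firewall side, server side, and the VLAN carrying it."""
    vlan: int
    fw_ip: ipaddress.IPv4Address
    srv_ip: ipaddress.IPv4Address
    net: ipaddress.IPv4Network


def allocate_p2p(pool: str, servers: List[str], vlan_base: int = 101) -> Dict[str, P2P]:
    """Hand out one /31 per server from `pool`, in order.

    Firewall takes the lower address (.0/.2/.4 ...), server the upper one.
    VLAN IDs are assumed to start at `vlan_base` and increment per server.
    Raises ValueError if the pool is exhausted, rather than silently
    re-using an address.
    """
    net = ipaddress.ip_network(pool, strict=True)
    if net.prefixlen > 31:
        raise ValueError("pool must be /31 or larger")
    subnets = net.subnets(new_prefix=31)
    plan: Dict[str, P2P] = {}
    for i, name in enumerate(servers):
        try:
            link = next(subnets)
        except StopIteration:
            raise ValueError(f"pool {pool} holds only {i} /31 links, {len(servers)} needed") from None
        fw = link.network_address            # lower address of the /31
        plan[name] = P2P(vlan_base + i, fw, fw + 1, link)
    return plan


def is_on_link(plan: Dict[str, P2P], server: str, dst: str) -> bool:
    """True only if `dst` sits inside the server's own /31.

    With a /31 the only other address on-link is the firewall, so another
    DMZ server's IP is never on-link and must be routed via the firewall.
    """
    return ipaddress.ip_address(dst) in plan[server].net


def linux_config(ifname: str, server: str, plan: Dict[str, P2P]) -> List[str]:
    """Server-side commands (assumed Linux, access port in the server's VLAN)."""
    e = plan[server]
    return [
        f"ip addr add {e.srv_ip}/31 dev {ifname}",
        f"ip link set {ifname} up",
        f"ip route add default via {e.fw_ip} dev {ifname}",
    ]


# Constructed sample input: three DMZ hosts out of a /24 private pool.
SAMPLE_POOL = "10.250.0.0/24"
SAMPLE_SERVERS = ["web01", "web02", "api01"]


def sample_plan() -> Dict[str, P2P]:
    return allocate_p2p(SAMPLE_POOL, SAMPLE_SERVERS)


if __name__ == "__main__":
    plan = sample_plan()
    for name, e in plan.items():
        print(f"{name}: vlan {e.vlan}  fw {e.fw_ip}  server {e.srv_ip}  ({e.net})")
    # web01 reaching web02 is off-link and therefore a firewall policy decision
    print("web01 -> web02 on-link?", is_on_link(plan, "web01", str(plan["web02"].srv_ip)))
    for cmd in linux_config("eth0", "web02", plan):
        print(cmd)
```

A /24 pool gives 128 such links, so the "not more than a hundred servers" case fits in one /24; the exhaustion check is there because reusing a /31 by accident would put two servers behind one firewall interface, which is exactly what the design is trying to avoid.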

Though since the firewall doesn't do anything advanced, maybe I could just use the firewall on the BIG-IP and have it do all those WAF things etc. Usually the rule would just be "anything from the internet, allow to port 443 on the server". The BIG-IP can also sustain more sessions and so on than our firewalls.

Any thoughts?


