Saturday, March 7, 2020

[RANT] Fortigate - Death by a million choices

I implemented Palo Alto (PAN) firewalls at my last job, and loved them. I've always heard the two best options these days are PAN or Fortinet, so when I started at a new company, and they had Fortigate in place, I was excited to dig into them.

I started to notice some weird things when going through existing config, like the security policy section is called "IPv4 Policy"...but where's IPv6? Security policies referenced actual interfaces, instead of zones. NAT was configured in the security policy, not separately. I couldn't find everything I needed until I checked a "Feature Visibility" button or found out it had to be done via CLI.

So I started to read through the Fortigate Cookbook, and guess what I found out? There are a million ways to do everything (*slightly exaggerated). Some quick examples:

IPv6: You need to enable IPv6 in Feature Visibility, then you'll be able to configure IPv6 security policies that are completely separate from IPv4 policies. But, would you rather have your policies not be IPv4/IPv6 dependent, and all be in one place? That's possible too, if you enable "Consolidated Firewall Mode", but watch out, as that will delete all your current IPv4 and IPv6 policies.

NAT: Each policy has a NAT section, which is fine when you have a couple of rules in a branch office, but troubleshooting that can be a nightmare with hundreds of rules at HQ/DC. No problem, Fortigate gives you the option to enable "Central NAT", which enables another configuration section for centralized NAT configuration. Now, you should also be aware of whether the firewall is in profile NGFW mode or policy NGFW mode, because this also affects NAT configuration and separates "Firewall" policies from "Security" policies...
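Because all of these choices end up as a handful of flags in the config, the practical question for a team is "which mode is this box actually in, and does the rest of the config agree with it?" The script below, written for this post and not Fortinet's code, parses a constructed FortiOS-style CLI dump and answers exactly the questions above: is IPv6 exposed, is there a separate IPv6 policy table or a consolidated one, is NAT per-policy or central, and which NGFW mode is set. The config keys it looks for (gui-ipv6 under system global; central-nat, consolidated-firewall-mode and ngfw-mode under system settings; the firewall policy, policy6 and central-snat-map tables) are assumed from FortiOS 6.x CLI syntax and should be checked against your firmware version; the sample config is made up for the example.

```python
"""Audit a FortiOS-style config dump for the "which mode are we in" questions.

Added example (not Fortinet's code). Config keys are assumed from FortiOS 6.x
CLI syntax; the SAMPLE_CONFIG below is constructed for the example.
"""
import shlex

# Constructed sample: central NAT turned on, but policy 1 still carries a
# per-policy 'set nat enable' left over from before the switch, and IPv6 is
# visible in the GUI while the policy6 table is empty.
SAMPLE_CONFIG = """\
config system global
    set hostname "hq-fw-01"
    set gui-ipv6 enable
end
config system settings
    set central-nat enable
    set ngfw-mode profile-based
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set nat enable
    next
    edit 2
        set name "dmz-to-wan"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
    next
end
config firewall policy6
end
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
    next
end
"""


def parse_fortios(text):
    """Parse the nested config/edit/set/next/end syntax into plain dicts.

    Every 'config' block becomes {"sets": {...}, "entries": {...}}; each
    'edit N' inside it becomes entries[N] = {"sets": {...}}. A stack tracks
    nesting so 'config' blocks inside an 'edit' are handled too.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)          # honours the "quoted" values
        kw, args = parts[0], parts[1:]
        if kw == "config":
            node = stack[-1].setdefault(" ".join(args), {"sets": {}, "entries": {}})
            stack.append(node)
        elif kw == "edit":
            node = stack[-1]["entries"].setdefault(args[0], {"sets": {}})
            stack.append(node)
        elif kw == "set":
            stack[-1]["sets"][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Report the policy/NAT/NGFW mode flags and any contradictions between them."""
    glob = cfg.get("system global", {}).get("sets", {})
    settings = cfg.get("system settings", {}).get("sets", {})
    v4 = cfg.get("firewall policy", {}).get("entries", {})
    v6 = cfg.get("firewall policy6", {}).get("entries", {})
    snat = cfg.get("firewall central-snat-map", {}).get("entries", {})

    central_nat = settings.get("central-nat", "disable") == "enable"
    per_policy_nat = [pid for pid, p in v4.items() if p["sets"].get("nat") == "enable"]
    findings = {
        "ipv6_gui_enabled": glob.get("gui-ipv6", "disable") == "enable",
        "consolidated_mode": settings.get("consolidated-firewall-mode", "disable") == "enable",
        "ngfw_mode": settings.get("ngfw-mode", "profile-based"),  # FortiOS default
        "ipv4_policies": len(v4),
        "ipv6_policies": len(v6),
        "central_nat": central_nat,
        "central_snat_rules": len(snat),
        "per_policy_nat_ids": per_policy_nat,
        "warnings": [],
    }
    if central_nat and per_policy_nat:
        findings["warnings"].append(
            f"central NAT is enabled but policies {per_policy_nat} still say 'set nat enable'; "
            "NAT decisions now live in central-snat-map, so those flags mislead the next admin")
    if findings["ipv6_gui_enabled"] and not v6 and not findings["consolidated_mode"]:
        findings["warnings"].append(
            "IPv6 is visible in the GUI but the policy6 table is empty: IPv4 policies do not "
            "cover IPv6, so v6 traffic is left to the implicit deny")
    if central_nat and not snat:
        findings["warnings"].append("central NAT is enabled but central-snat-map is empty")
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Run it against a `show full-configuration` dump from each firewall and diff the findings across the fleet; the warnings list is where the "everyone does it slightly differently" problem shows up as concrete config, rather than as a surprise during troubleshooting.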

This may not be a big deal, but when you're on a team, and everyone does things slightly differently, it's nice to just have one "right" way to get things done. With PAN, you have to use zones, there is one place for all IPv4/IPv6 policies, one place for NAT...you get the picture. You don't have to worry about which configuration "mode" the firewall is in. Oh, and you need FortiManager and FortiAnalyzer to replace Panorama...and I might need FortiAuthenticator as well? I think I have a FortiHeadache...

I'm really hoping it gets better from here, because right now I want to run back to my old DC and give my PANs a hug.

Note: I will give Fortinet kudos for being inexpensive, having a decent, free SD-WAN implementation, and a variety of models (with PoE too!).
