
Suggested deployment between two firewalled sites


ahenning:
One thing to check with this design is whether the FW will allow the subnets from the remote site, to be the source IP when Wanos sends it back to the FW once the traffic gets off the tunnel. What happens is the FW sees the remote site subnets source IP coming from the Wanos/DMZ/Additional LAN section, when the routing table says the traffic should come from the External interface. What we sometimes need to do is disable Reverse Path Check or Asymmetric routing checks on the FW interface going to Wanos.

More info available at: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30543

blazarov:
Yep, RPF was exactly what I was worried about. I know how to do it (Palo Alto on left side, Fortigate on right side), but for now I really don't want to disable RPF.

Also, usually stateful firewalls (esp. NGFW) track ingress and egress interfaces for each session and set them during initial session establishment. This deployment approach, I believe, will mess up that logic too.

One extra question on licensing:
Customer bought "Plus 10/100" license. What will this license give us in terms of maximum bandwidth and how does it measure it - before or after optimization?

ahenning:
Outbound/Transmit optimization, after optimization/compression, excluding pass-through = 10Mbps (Typically the links speed TX rate)
Outbound/Inbound pass-through, QoS, Path-Selection, TCP acceleration = 100Mbps

blazarov:
Hi Again,
Since disabling the RPF check and enabling asymmetric flows was not an acceptable solution, we have delayed the implementation.
Meanwhile another migration took place, and now the infrastructure on both ends, I believe, allows for better integration with WanOS.

Please look at the attachment.

Currently the connection works as in the diagram, except for the WANOS appliances. On both sides there is a separate VPN router and there is a /24 transport network between the firewall and that VPN router. Currently there is a static routing between the VPN router and the firewall in that transport network.
I was thinking of deploying the WANOS in the transport network and forcing the traffic to traverse the appliance using static routes, probably with tracking for bypass in case of failure.
Will this work? Will all optimization features work that way?
Will the two WANOS correctly discover each other?
Thanks in advance! Will appreciate your responses and suggestions!

ahenning:
Hi,

Yes, tunnel mode should work fine in that configuration as long as the redirect config is applied both sides.
Traceroute from both sides to the other should show the path going over Wanos, then all should be good to go.
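An added illustration of the reverse-path check ahenning describes (Wanos on a DMZ interface, remote subnets routed via the external interface) beside the transport-network design with static routes that blazarov proposes; this is example code, not Wanos or vendor firewall code, and the interface names and addresses are constructed.

```python
# Strict unicast reverse-path forwarding (uRPF) modelled for the two designs
# discussed in the thread. Constructed addresses; not a real site.
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_passes(routes, src, ingress_iface):
    """Strict uRPF: accept only if the route back to src exits via the ingress interface."""
    return lookup(routes, src) == ingress_iface

# Design 1: Wanos on a DMZ interface; the remote site is reached through the
# VPN on 'external'. Decapsulated traffic re-enters the firewall on 'dmz'.
DMZ_DESIGN = [
    ("0.0.0.0/0", "external"),
    ("10.1.0.0/24", "lan"),        # local site LAN (constructed)
    ("10.2.0.0/24", "external"),   # remote site, routed over the VPN
    ("192.0.2.0/29", "dmz"),       # Wanos appliance subnet
]

# Design 2: Wanos sits in the /24 transport network towards the VPN router,
# and a static route for the remote subnet already points at that interface.
TRANSPORT_DESIGN = [
    ("0.0.0.0/0", "transport"),
    ("10.1.0.0/24", "lan"),
    ("10.2.0.0/24", "transport"),  # remote site, now reached via the transport net
]

REMOTE_HOST = "10.2.0.10"  # a host at the remote site (constructed)

def decapsulated_packet_accepted(routes, ingress_iface):
    """Would the firewall's strict RPF check accept a packet from the remote
    subnet handed back by Wanos on ingress_iface?"""
    return rpf_passes(routes, REMOTE_HOST, ingress_iface)

if __name__ == "__main__":
    print("DMZ design, ingress dmz:", decapsulated_packet_accepted(DMZ_DESIGN, "dmz"))
    print("Transport design, ingress transport:",
          decapsulated_packet_accepted(TRANSPORT_DESIGN, "transport"))
```

In the DMZ design the remote subnet's best route points out 'external', so a strict check drops the packet unless RPF is relaxed on the Wanos interface; in the transport design the route and the ingress interface agree, which is why the traceroute check in the reply above is sufficient.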
