Firewall Implementation Non AIS Managed
Qualification Questions
Do you need to connect your sites together with Site to Site VPN tunnels? If so, how many tunnels do you need?
Do you need a web filter configured? If so, how many user groups are needed?
Will the cutover take place outside standard business hours?
Do you need Radius/LDAP Configured? If so, how many directory services are needed?
Do you need a separate guest network configured?
Is firewall dynamic routing required? If so, how many subnets?
Is firewall failover isp configuration required? If so, how many gateways?
Is firewall firewall consolidation required? If so, how many firewalls?
Do you need AIS Firewalls Implemented? If so, at how many locations?
Is firewall high availability/failover required? If so, how many firewall pairs?
Do you need advanced security features configured?
Will users need to VPN into the network with the Fortinet VPN?
Is firewall if migrating from different brand required? If so, how many firewalls?
Does the firewall need to act as a VPN Server? If so, for how many users?
Do you need Nat rules configured? If so, how many?
Is firewall up to 10 rules/groups for content filtering required? If so, how many units?
Is firewall multi factor authentication required? If so, how many security domain groups?
Example Project Plan
Solution Design
- Confirm Bill of Materials Accuracy
- Determine best fit routing protocol
- Determine best fit routing protocol
Implementation
- Firewall Implementation Web Filter Global Base Configuration (non user based)
- Work with Customer to determine what categories need to be blocked
- Apply filter settings globally
- Network Switch Configuration
- Identify IP Subnet address and VLAN ID to be used for Guest Network Devices
- Identify network switchport VLAN changes required
- Identify required routing changes
- Identify desired traffic flow Access List (ACL) restrictions
- Update network switch configuration for Guest VLAN ID’s
- Wireless Access Point Configuration
- Update wireless access point SSID’s for Guest VLAN access
- Update firewall configuration for Guests
- Configure Guest Network IP Subnet settings on firewall
- Configure Additional ISP
- Add new WAN interface
- Configure rules for access on new WAN interface
- Configure required routing for new WAN interface
- Configure all Site to Site VPN settings needed
- Active/Passive Failover Configuration
- Configure failover policy
- Physical Decommissioning
- Disconnect firewall from power, remove from rack
- Logical Decommissioning
- Remove routes and IP references to device being decommissioned
- Firewall Configuration
- Configure primary ISP
- Configure secondary ISP
- Configure LAN interface
- Configure VPN
- Configure VLAN
- Configure routing
- Firewall Cutover
- Swap to new firewall
- Confirm changes and commit
- Setup of VPN Users
- Configuration of Requested Rules/Groups for Content Filtering
Planning
- After Hours Scheduling
- After Hours Scheduling
- Guest Network Settings
- Determine which device should provide DHCP Server services to the Guest Network
- Determine if custom DNS servers are desired for Guest Network
- Develop routing traffic test plan to confirm during implementation
- Develop routing traffic test plan to confirm during implementation
- Confirm/Review ISP Information
- Confirm all network information needed for configuration is available and accurate
- Confirm if equipment to be decommissioned should be e wasted or otherwise disposed
- Confirm if equipment to be decommissioned should be e wasted or otherwise disposed
- Send Forticlient End User VPN Instructions to Users
Discovery
- Identify internal/external subnets requiring routes
- Identify internal/external subnets requiring routes
- Discovery of current firewall configuration
- Review existing firewall configuration and download a copy of the current configuration for backup purposes
Validation
- Perform testing to verify traffic is routing as expected
- Perform testing to verify traffic is routing as expected
Last modified
August 2, 2022