Recently I received a task to implement FTD ACP & IPS policies for a customer, but I have noticed flaws in the network design regarding the placement of the WebSec/Proxy as well as the FTD boxes; I'm not sure if I am right, as I'm not a design expert.
Any suggestions on the WebSec/Proxy & FTD placement design?
A simplified topology is attached.
FTD cannot replace a web proxy 100% here. (If not, why would Cisco still sell WSA here?)
If the web proxy is being replaced, then the FTD/IPS should be in the path. Maybe this is a physical diagram of how you are connecting; we are not sure how your flows go.
Are the server farms in a DMZ? What is the Fortigate firewall here?
Yes, you are right, we cannot replace the proxy with the FTD; I did not mean that in the first place.
My point is that the proxy connection to this layer of the network is a flaw in the design. It is connected directly to the server-farm-switch, and all the traffic that is destined to the internet (from the users or the servers) must pass through the server-farm-switch and then the proxy. Also, the servers are not in a DMZ zone.
The other thing is that the servers are in different VLANs, and the proxy is communicating through one of those VLANs.
Patch management server is on VLAN 20.
Proxy is on VLAN 20 also.
If the patch management server attempts to download a package from the public repository, the traffic will not hit the FTD (DC-FW); it will go through the server-farm-switch only.
If the AD server is on VLAN 30, the traffic will hit the FTD box (DC-FW) and will be routed back to the proxy.
The Fortigate is out of my scope, but it's considered an edge firewall to the internet.
--> If the patch management server attempts to download a package from the public repository, the traffic will not hit the FTD (DC-FW); it will go through the server-farm-switch only. If the AD server is on VLAN 30, the traffic will hit the FTD box (DC-FW) and will be routed back to the proxy.
It is difficult to follow that without knowing the exact traffic flows in your network. Either way, all traffic destined for the Internet will hit the proxy server, which indeed is usually placed in a DMZ. What is the purpose of the dual HA firewall pairs in the inner perimeter of your network?
I guess it would help if you could outline what you WANT the traffic flow to be.
The main goal is to secure the connectivity between the end-users and the servers in the datacenter server-farm, and from the server-farm and users to the internet.
Also, to limit the users' access to the server-farm so that not all users can access all the services & applications, as well as for the users and the servers to have limited access to the internet.
The traffic flow from the end-users and servers to the internet should be through the proxy, but in a separate zone (outside or DMZ), to have more control over the traffic and a more secure environment.
It all depends on the requirement of how they want it to be accessed.
Some guidance and documents for CVD:
It is not obvious right away whether or not this is a flawed design. The HA FTD pairs seem to serve as an inner perimeter firewall; then, for external access, the WebSec proxy and the Fortigate are placed at the network edge.
Are you reviewing an existing design (the design in your image), or is that design what you have come up with?
Yes it is an existing design.
Exactly as you said above.
My point is that the proxy placement in this layer of the network is a flaw in the design: it is connected directly to the server-farm-switch and resides on one of the VLANs that is used for some of the servers.
Traffic generated by a server in the same VLAN as the proxy will not hit the FTD DC-FW if it attempts to communicate with the internet, so the ACPs & IPS rules will be useless in this case.
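As an added illustration (not code from the thread), a small model of the flows described above: a server that shares the proxy's VLAN reaches it at layer 2 on the server-farm switch, so the DC-FW ACP/IPS never sees its internet-bound traffic, while moving the proxy to its own zone puts every server's internet flow behind the FTD. Host names and VLAN 99 are assumptions; VLANs 20 and 30, and the FTD acting as the inter-VLAN gateway, are taken from the discussion.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int


INSPECTION_POINT = "DC-FW (FTD)"

# Constructed inventory mirroring the thread: host names are assumptions,
# VLAN numbers 20 and 30 are the ones given in the discussion.
SERVERS = [Host("patch-mgmt", 20), Host("ad-server", 30)]


def path(src: Host, dst: Host) -> list:
    """Hops between two hosts behind the server-farm switch.

    Same VLAN: the switch forwards at layer 2 and the FTD never sees the packet.
    Different VLANs: the FTD is the inter-VLAN gateway, so it routes and inspects.
    """
    if src.vlan == dst.vlan:
        return [src.name, "server-farm-switch", dst.name]
    return [src.name, "server-farm-switch", INSPECTION_POINT,
            "server-farm-switch", dst.name]


def internet_path(src: Host, proxy: Host) -> list:
    """Internet-bound flows must reach the proxy first, then the edge firewall."""
    return path(src, proxy) + ["Fortigate (edge)", "internet"]


def uninspected_flows(proxy: Host, servers=SERVERS) -> list:
    """Names of servers whose internet-bound traffic skips the FTD ACP/IPS."""
    return [s.name for s in servers
            if INSPECTION_POINT not in internet_path(s, proxy)]


if __name__ == "__main__":
    # Existing design: the proxy shares VLAN 20 with the patch management server.
    print(uninspected_flows(Host("proxy", 20)))   # ['patch-mgmt']
    # Proxy moved to its own zone (VLAN 99 is an assumed placeholder).
    print(uninspected_flows(Host("proxy", 99)))   # []
```

Running the audit against the current placement flags the patch management server as the host whose downloads bypass the FTD, which is the case described in the thread.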