Two tier firewall design

Last Modified: 2020-08-18
Running a Cisco ASA5545 firewall at the office, planning to add a FortiGate to form a two-tier level. What is the guide / good practice to design and configure the two-tier firewall so that it protects well and is easy to administer (such as troubleshooting, adding access rules, etc.)?
Pete Long, Technical Architect
Distinguished Expert 2019

Two Tier?

Mohammad Rummaneh, Sr. Network & Security Engineer

Usually we use two firewalls: one facing the internet and WAN connection, called the internet gateway; the other firewall is used internally to protect your DMZ (servers), and we can call it the data-center firewall.
Some hints for deploying this setup:

  1. If the customer has internal servers that the internal team wants to use, those servers will be behind the LAN firewall. Create a NAT to hide the real server IP from internal user communication.
  2. All DMZ servers will be on the Internet firewall.
  3. Use P2P IPsec/GRE tunnels between the client and customers/vendors for communication on the Internet firewall, for more security.
  4. Create contexts for multiple clients.
  5. Place the proxy server between the LAN and Internet firewalls for internet access.

Steve Jennings, Sr Manager Cloud Networking Ops

The design above seems to address your question and is a common implementation. I would only add that some financial institutions will architect "enclaves" where each enclave has an internal firewall that must be passed to enter the enclave. Databases and applications can be assigned to specific enclaves.

So, for example, databases in a database enclave will only accept traffic from specific subnets, usually NOT the NAT range admitted by the external firewall.

I think this design can get overly complicated quickly. But it can provide a more secure environment for preventing exfiltration.

Have fun!
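A way to sanity-check a two-tier policy of the kind described in the two answers above (internet gateway in front, data-center firewall with enclaves behind it), as an added Python example that is not code from this thread or from either vendor; the addresses, rule sets, ports and the inbound NAT range are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    port: int     # 0 matches any destination port
    action: str   # "permit" or "deny"


def evaluate(rules, src, dst, port):
    """First-match evaluation with an implicit deny, as ASA and FortiGate policies behave."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "deny"


# Constructed sample addressing (assumptions, not from the thread).
DMZ = "192.0.2.0/24"                 # web servers, on the internet gateway firewall
APP_SUBNET = "10.10.20.0/24"         # application enclave behind the data-center firewall
DB_ENCLAVE = "10.10.30.0/24"         # database enclave behind the data-center firewall
INBOUND_NAT_RANGE = "10.10.99.0/24"  # addresses the external firewall NATs inbound flows to

TIER1 = [Rule("0.0.0.0/0", DMZ, 443, "permit")]            # internet gateway (the ASA)
TIER2 = [Rule(DMZ, APP_SUBNET, 8443, "permit"),             # data-center firewall (the FortiGate)
         Rule(APP_SUBNET, DB_ENCLAVE, 5432, "permit")]
INTERNAL = [DMZ, APP_SUBNET, DB_ENCLAVE, INBOUND_NAT_RANGE]
ENCLAVES = [APP_SUBNET, DB_ENCLAVE]


def enclave_of(addr):
    return next((n for n in ENCLAVES if ip_address(addr) in ip_network(n)), None)


def allowed(src, dst, port):
    """A flow is allowed only if every tier on its path permits it."""
    if src not in [None] and not any(ip_address(src) in ip_network(n) for n in INTERNAL):
        if evaluate(TIER1, src, dst, port) != "permit":   # inbound from the internet: tier 1 first
            return False
    dst_enclave = enclave_of(dst)
    if dst_enclave and enclave_of(src) != dst_enclave:   # entering an enclave: tier 2 must agree
        return evaluate(TIER2, src, dst, port) == "permit"
    return True


def db_rules_admitting_nat_range(rules=TIER2):
    """Audit for the enclave rule: no permit into the DB enclave may accept the external NAT range."""
    nat = ip_network(INBOUND_NAT_RANGE)
    return [r for r in rules if r.action == "permit"
            and ip_network(r.dst).overlaps(ip_network(DB_ENCLAVE))
            and ip_network(r.src).overlaps(nat)]
```

Feeding the audit a rule such as `Rule("10.10.0.0/16", DB_ENCLAVE, 5432, "permit")` shows why a broad internal source range silently admits the external firewall's NAT pool into the database enclave.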