The project was initiated for the following reasons:
- Initially no firewall was used in their network, which left it exposed to threats such as spam email, malware, viruses and malicious traffic.
- There was no appliance that could perform web filtering, i.e. allowing or blocking websites. For example, YouTube and various other media streaming websites were open for access and consumed a lot of bandwidth, slowing down the entire network and impacting their business.
- Their network had services from 2 ISPs (Roke Telecom and Africel), which provided two different WAN links used for redundancy. The challenge was that when one link went down, failover to the other had to be done manually, which took some time and led to business impact.
- The branches were not connected to each other, so any resources that had to be shared between them were exchanged only through emails and FTP clients.
Below are the solutions implemented for the above business challenges:
- The FortiGate 100D provides FortiGuard services such as email protection, antivirus, IPS and web filtering, which helped block suspicious, unwanted and bandwidth-consuming websites and prevent threats and malware coming from the outside world.
- The FortiGate 100D firewall comes with dual WAN link load balancing, which can enable the two links at the same time, and has an auto-failover option: if one link goes down, the other supports the network without any disruption, and if both links are up and running, the traffic is shared between them to prevent overloading.
- IPsec site-to-site VPNs were configured to connect the branch offices, along with remote access VPNs that allow partners to connect to the office of OiLibya, Uganda, so that shared resources and communication between them are now encrypted.
A few challenges were faced while implementing the above solutions to meet the customer's requirements.
- Although the FortiGate comes with 1 year of free FortiGuard services, the features can be used only if the device serial number is registered with the vendor in their portal. After the device was connected to the network there was internet access, but the device was not showing as registered and we were unable to use the FortiGuard services, especially the web filtering, which was the client's urgent requirement. This issue was sorted out by changing the primary DNS IP address to the public DNS IP 22.214.171.124.
- While implementing the dual WAN link load balancing solution, once the configuration was done and the 2 links were connected, there was a complete network outage in the building. This happened several times during testing, and every time we had to roll back to the previous configuration. The issue was resolved by setting the WAN1 (Roke) link as primary and the WAN2 (Africel) link as the LLB. After changing the configuration and applying the policies for both links, traffic was shared between the two links, preventing overloading, and if either link goes down the other takes over automatically without disrupting the entire network.
- Because multiple VPNs (IPsec S2S and Remote Access) were configured to connect the branches securely, a problem occurred with the hardware and the device started freezing frequently, almost 2-3 times a week, and each time there was a complete network outage impacting the business. The only way to restore it was to power cycle the device. This problem was overcome by creating separate VDOMs (Virtual Domains) for the different VPNs configured. After this configuration the problem was resolved.
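
The dual-WAN behaviour described above (both links sharing traffic while healthy, automatic failover when one goes down) can be modelled in a few lines. This is an added Python illustration, not FortiOS code or the configuration used in this project; the link names, probe thresholds, hash-based session selection and sample addresses are all assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class WanLink:
    name: str
    weight: int             # relative share of new sessions while healthy
    fail_after: int = 3     # consecutive lost probes before the link is marked down
    recover_after: int = 3  # consecutive good probes before it is trusted again
    up: bool = True
    streak: int = 0         # probes in a row that contradict the current state

    def probe(self, ok: bool) -> None:
        """Record one health-check result; the thresholds stop a lossy link flapping."""
        if ok == self.up:
            self.streak = 0
            return
        self.streak += 1
        if self.streak >= (self.recover_after if ok else self.fail_after):
            self.up, self.streak = ok, 0

def pick_link(links, src_ip, dst_ip):
    """Pick the egress link for a new session: weighted hash over healthy links only."""
    alive = [l for l in links if l.up]
    if not alive:
        return None  # both ISPs down: nothing to fail over to
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    slot = int.from_bytes(digest[:4], "big") % sum(l.weight for l in alive)
    for link in alive:
        if slot < link.weight:
            return link.name
        slot -= link.weight

def share(links, sessions):
    """Count how many of the given sessions each link would carry."""
    counts = {l.name: 0 for l in links}
    for src, dst in sessions:
        name = pick_link(links, src, dst)
        if name is not None:
            counts[name] += 1
    return counts

# Constructed sample data: 200 LAN clients talking to one documentation-range address.
SESSIONS = [(f"10.0.0.{i}", "198.51.100.7") for i in range(1, 201)]

def demo():
    wan1, wan2 = WanLink("wan1-roke", 1), WanLink("wan2-africel", 1)
    both_up = share([wan1, wan2], SESSIONS)
    for _ in range(3):
        wan1.probe(False)   # three lost probes in a row: wan1 is marked down
    return both_up, share([wan1, wan2], SESSIONS)

if __name__ == "__main__":
    print(demo())
```

The separate failure and recovery thresholds are what keep a single lost probe from moving every session to the other ISP and back again.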