Overview

This case study relates to our client OILIBYA, Uganda. OiLibya is the brand name used by the affiliates owned by Libya Oil Holdings and previously known as Tamoil Africa. The Libyan state-owned company has over 3000 branches in 21 countries across Africa, including Libya, Egypt, Senegal, Ivory Coast, Cameroon, Gabon, Kenya, Mali, Burkina Faso, Niger, Chad, Eritrea, Uganda, Nigeria, Mauritius, Reunion, Morocco, Tunisia, Ethiopia, Sudan and Djibouti. OiLibya is managed by the Libyan Investment Authority, a sovereign wealth fund that manages Libya’s assets in other countries.
The main objective of this project was to install a FortiGate 100D firewall in the existing network of our customer OILIBYA, Uganda, to meet their corporate aims through the best use of network security. The installation included the firewall configuration and enabling FortiGuard services such as web filtering, IPS and email protection. In addition to these services, VPNs were configured to link the remote branches, and link load balancing across multiple ISPs was set up to share the network traffic load.

Business Challenge

The project was initiated for the following reasons:

  • Initially there was no firewall in their network, which left it exposed to threats from spam email, malware, viruses, malicious traffic, etc.
  • There was no appliance that could perform web filtering, i.e. allowing or blocking websites. For example, YouTube and various other media streaming websites were open for access and consumed a lot of bandwidth, slowing down the entire network and affecting their business.
  • Their network had services from 2 ISPs (Roke Telecom and Africel), which provided two different WAN links used for redundancy. The challenge was that when one link went down, failover to the other had to be done manually, which took time and led to business impact.
  • The branches were not connected to each other, so any resources that had to be shared between them were exchanged only through emails and FTP clients.

Solution

The following solutions were implemented for the business challenges above:

  • The FortiGate 100D provides FortiGuard services such as email protection, antivirus, IPS and web filtering, which helped block suspicious, unwanted and bandwidth-consuming websites and prevent threats and malware coming from the outside world.
  • The FortiGate 100D firewall comes with dual WAN link load balancing, which can enable the two links at the same time and has an auto-failover option: if one link goes down, the other supports the network without causing any disruption, and if both links are up and running, the traffic is shared between them to prevent overloading.
  • IPsec site-to-site VPNs were configured to connect the branch offices, along with remote access VPNs that allow partners to connect to the office of OiLibya, Uganda, so that shared resources and communication between them are now encrypted.

Implementation Challenges

While implementing the above solutions to meet the customer’s requirements, we faced a few challenges.

  • The FortiGate comes with 1 year of free FortiGuard services, but the features can be used only if the device serial number is registered with the vendor in their portal. After the device was connected to the network it had internet access, but it was not showing as registered, and we were unable to use the FortiGuard services, especially web filtering, which was the client's urgent requirement. This issue was sorted out by changing the primary DNS IP address to the public DNS IP 8.8.8.8.
  • While implementing the dual WAN link load balancing solution, once it was configured and the 2 links were connected, there was a complete network outage in the building. This happened several times during testing, and every time we had to roll back to the previous configuration. The issue was resolved by putting the WAN1 (Roke) link as primary and the WAN2 link (Africel) as the LLB. After changing the configuration and applying the policies for both links, the traffic was shared between both links, preventing overloading, and if either link goes down, the other performs an auto-failover without disrupting the entire network.
  • Due to the configuration of multiple VPNs (IPsec S2S and remote access) for secure connectivity of the branches, a problem occurred with the hardware and the device started freezing frequently, almost 2-3 times a week. During these periods there was a complete network outage impacting business, and the only way to restore service was to power cycle the device. This problem was overcome by creating separate VDOMs (Virtual Domains) for the different VPNs configured. After this configuration the problem was resolved.

Data and Application Security
