Engagement Overview
| Field | Detail |
|---|---|
| Organization | Manufacturing company, 4 physical sites (anonymized) |
| Environment | Mixed SonicWall/legacy firewall infrastructure, flat network topology across all sites |
| Objective | Replace aging SonicWall firewalls with Fortinet FortiGate NGFW across all 4 sites; unify policy management via FortiManager |
| Previous State | Separate SonicWall units per site, no centralized management, inconsistent policies, no IPS/IDS, no SSL inspection, flat network at every location |
| Outcome | FortiGate NGFW deployed at all 4 sites · Centralized FortiManager/FortiAnalyzer · VLAN segmentation at every site · Full IPsec VPN mesh · Zero unplanned downtime |
Executive Summary
A mid-size manufacturing company operating across four physical sites was running end-of-life SonicWall appliances as its sole perimeter security. Each site had an independently managed firewall with no centralized policy management, no consistency between rule sets, and no next-generation inspection capabilities — basic stateful packet filtering only. The organization had no visibility across sites and no mechanism for detecting or responding to threats at the network boundary.
The network at every site was completely flat. All devices — corporate workstations, production-floor machines, operational technology (OT) systems, servers, and guest WiFi clients — shared the same broadcast domain with no segmentation. A compromise on any single endpoint had unrestricted lateral reach to every other device on the network without traversing a security control. Combined with any/any outbound policies found at three of the four sites, the environment presented a critical attack surface for lateral movement, data exfiltration, and ransomware propagation into OT systems.
The refresh deployed FortiGate NGFW at all four sites, implemented consistent VLAN segmentation, established a full site-to-site IPsec VPN mesh, enabled complete NGFW security profiles (IPS, Application Control, Web Filtering, SSL Inspection, AV), and centralized all management and log aggregation via FortiManager and FortiAnalyzer — executed with zero unplanned production downtime across all four locations.
Phase 1 — Current State Assessment
Site Audit
| Site | Firewall | Status | Key Findings |
|---|---|---|---|
| Site A (HQ) | SonicWall TZ600 | End-of-support firmware | any/any outbound, flat LAN, 47 rules (12 obsolete), no IPS/IDS |
| Site B | SonicWall TZ400 | End-of-support firmware | any/any outbound, no VPN to HQ (inter-site traffic over public internet unencrypted), flat LAN |
| Site C | SonicWall TZ300 | End-of-life hardware | any/any outbound, NAT-only configuration, no outbound filtering, no logging |
| Site D | SonicWall TZ300 | End-of-life hardware | any/any outbound, no VPN connectivity, no logging, flat LAN — highest OT exposure |
Technical Debt Identified
| Finding | Impact |
|---|---|
| Shadow rules — obsolete rules referencing decommissioned servers | Increased attack surface; audit complexity |
| Overly permissive any/any outbound policies at 3 of 4 sites | No egress filtering; data exfiltration and C2 callback risk |
| No VLAN segmentation at any site | Flat network enables unrestricted lateral movement |
| Unpatched firmware on all appliances | Known CVEs unpatched; no vendor support available |
| No IPS/IDS on any device | No inspection of traffic for known exploit signatures |
| Inconsistent VPN configurations | Inter-site traffic traversing public internet unencrypted at one site |
Phase 2 — Design & Planning
FortiGate Model Selection
| Site | Model | Throughput | HA | Rationale |
|---|---|---|---|---|
| Site A (HQ) | FortiGate 100F | 20 Gbps / 1 Gbps threat | Active-Passive HA pair | Highest user count, ERP servers, primary site — requires resilience |
| Site B | FortiGate 60F | 10 Gbps / 700 Mbps threat | Standalone | Medium site, standard office + production floor |
| Site C | FortiGate 40F | 5 Gbps / 600 Mbps threat | Standalone | Mid-size production site, dual WAN for SD-WAN failover |
| Site D | FortiGate 40F | 5 Gbps / 600 Mbps threat | Standalone | Highest OT concentration — isolated from corporate traffic; prioritized for VLAN segmentation |
Network Segmentation Design
| VLAN | Name | Purpose | Inter-VLAN Access |
|---|---|---|---|
| VLAN 10 | Corporate | Office workstations, admin systems | Full access to servers; internet via web filter |
| VLAN 20 | Manufacturing/OT | Production-floor machines, CNC, PLCs | Restricted — ERP server only; no direct internet |
| VLAN 30 | Servers | Domain controllers, file servers, ERP | Accessible from Corporate and Manufacturing per policy |
| VLAN 40 | Guest WiFi | Guest wireless access | Internet-only — no access to any internal VLAN |
| VLAN 99 | Management | Network infrastructure | Restricted to IT admin workstations only |
Migration Strategy
A parallel-run cutover strategy was adopted to eliminate production risk:
1. Install FortiGate alongside existing SonicWall (parallel run)
2. Configure FortiGate with translated rules + new segmentation
3. Staged cutover — migrate VLANs one at a time during maintenance window
4. Validate all production traffic flows post-cutover
5. Monitor for 72 hours before decommissioning SonicWall
6. Decommission and physically remove SonicWall hardware
Phase 3 — FortiGate Deployment
VLAN Configuration
```
config system interface
    edit "VLAN10-Corporate"
        set vdom "root"
        set type vlan
        set vlanid 10
        set interface "lan"
        set ip 10.1.10.1 255.255.255.0
        set allowaccess ping https
    next
end
```
Security Profile Configuration
| Profile | Configuration |
|---|---|
| IPS | Enabled with ICS signatures — block mode for critical/high severity; monitor for medium |
| Application Control | Block high-risk apps (P2P, anonymizers, unauthorized remote access tools) |
| Web Filter | Block malware, phishing, high-risk categories; custom whitelist for manufacturing vendor portals |
| SSL Inspection | Deep inspection on Corporate and Guest VLANs; certificate inspection only on OT VLAN |
| Antivirus | Proxy-based AV on HTTP/HTTPS/FTP; integrated with FortiGuard threat intelligence |
Site-to-Site VPN Mesh
| Tunnel | Sites | Configuration |
|---|---|---|
| Tunnel 1 | Site A ↔ Site B | IPsec IKEv2, AES-256, SHA-256, DH Group 14 |
| Tunnel 2 | Site A ↔ Site C | IPsec IKEv2, AES-256, SHA-256, DH Group 14 |
| Tunnel 3 | Site B ↔ Site C | IPsec IKEv2, AES-256, SHA-256, DH Group 14 |
| Tunnel 4 | Site A ↔ Site D | IPsec IKEv2, AES-256, SHA-256, DH Group 14 |
| Tunnel 5 | Site B ↔ Site D | IPsec IKEv2, AES-256, SHA-256, DH Group 14 |
| Tunnel 6 | Site C ↔ Site D | IPsec IKEv2, AES-256, SHA-256, DH Group 14 |
- Dead peer detection (DPD) enabled for automatic tunnel recovery
- Redundant WAN paths at Site A leveraged via SD-WAN for VPN failover
- Phase 2 selectors configured to route only required inter-site traffic
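The mesh above and the "only required inter-site traffic" selector rule can be planned mechanically before any tunnel is built. The following Python script is an added example, not the engagement's own tooling: it enumerates the six site pairs for four sites and, for each tunnel, emits only the local/remote subnet pairs the segmentation design needs (the src-subnet/dst-subnet pairs a FortiOS phase2-interface entry would carry). Site letters, the per-site addressing (10.n.0.0/16), the ERP host address and the decision that only Corporate and Servers VLANs cross tunnels while remote OT reaches the HQ ERP host alone are all assumptions made for the example.

```python
"""Full-mesh IPsec phase 2 selector planning (added example, not the project's code).

For 4 sites there are 6 tunnels. Each tunnel carries only:
  * Corporate <-> Corporate/Servers and Servers <-> Corporate/Servers
  * remote-site OT -> the single ERP host at HQ (a /32)
Guest never crosses a tunnel. All addressing is constructed for this example.
"""
from itertools import combinations
from ipaddress import ip_network

HQ = "A"
ERP_HOST = ip_network("10.1.30.10/32")  # assumption: ERP lives in HQ's Servers VLAN

# Constructed per-site addressing: site n uses 10.n.0.0/16 with the VLAN ids from the design.
SITES = {
    "A": {"Corporate": "10.1.10.0/24", "OT": "10.1.20.0/24", "Servers": "10.1.30.0/24",
          "Guest": "10.1.40.0/24", "Management": "10.1.99.0/24"},
    "B": {"Corporate": "10.2.10.0/24", "OT": "10.2.20.0/24", "Servers": "10.2.30.0/24",
          "Guest": "10.2.40.0/24", "Management": "10.2.99.0/24"},
    "C": {"Corporate": "10.3.10.0/24", "OT": "10.3.20.0/24", "Servers": "10.3.30.0/24",
          "Guest": "10.3.40.0/24", "Management": "10.3.99.0/24"},
    "D": {"Corporate": "10.4.10.0/24", "OT": "10.4.20.0/24", "Servers": "10.4.30.0/24",
          "Guest": "10.4.40.0/24", "Management": "10.4.99.0/24"},
}
INTER_SITE_VLANS = ("Corporate", "Servers")  # the only VLANs allowed to talk site-to-site


def selectors(local: str, remote: str) -> list:
    """(local_subnet, remote_subnet) pairs for one tunnel, from `local`'s perspective."""
    pairs = []
    for lv in INTER_SITE_VLANS:
        for rv in INTER_SITE_VLANS:
            pairs.append((ip_network(SITES[local][lv]), ip_network(SITES[remote][rv])))
    # Remote-site OT may reach the HQ ERP host only; the service restriction is applied
    # by firewall policy on top of this selector.
    if local == HQ:
        pairs.append((ERP_HOST, ip_network(SITES[remote]["OT"])))
    elif remote == HQ:
        pairs.append((ip_network(SITES[local]["OT"]), ERP_HOST))
    return pairs


def build_mesh(site_names) -> dict:
    """{(site1, site2): selectors} for every unordered site pair (n*(n-1)/2 tunnels)."""
    return {pair: selectors(*pair) for pair in combinations(sorted(site_names), 2)}


def crosses_tunnel(mesh: dict, vlan_name: str) -> bool:
    """True if any site's subnet for `vlan_name` appears in any selector of the mesh."""
    subnets = {ip_network(site[vlan_name]) for site in SITES.values()}
    return any(local in subnets or remote in subnets
               for sels in mesh.values() for local, remote in sels)


if __name__ == "__main__":
    mesh = build_mesh(SITES)
    for (a, b), sels in mesh.items():
        print(f"Tunnel {a}<->{b}: {len(sels)} selectors")
        for local, remote in sels:
            print(f"    {local} -> {remote}")
    print("Guest crosses a tunnel:", crosses_tunnel(mesh, "Guest"))
```

The check at the end is the one worth automating: after any change to the site tables, `crosses_tunnel(mesh, "Guest")` must stay false, and the only OT selectors present should be the /32 to the ERP host.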
Phase 4 — Policy Migration & Hardening
Rule Translation & Cleanup
| Step | Action | Result |
|---|---|---|
| 1 | Export all SonicWall rules to spreadsheet | 47 rules at Site A, 31 at Site B, 18 at Site C, 14 at Site D |
| 2 | Identify and flag obsolete rules | 12 obsolete removed at Site A, 8 at Site B, 4 at Site C — zero valid rules found at Site D (all permissive) |
| 3 | Replace any/any outbound rules with least-privilege egress | Applied at all 4 sites — outbound restricted to explicitly required services only |
| 4 | Map remaining rules to FortiGate policy objects | Validated against traffic baseline — no legitimate traffic blocked |
| 5 | Apply security profiles to all allowed policies | IPS, App Control, Web Filter, AV attached to every permit rule |
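Steps 1 to 3 above are a repeatable audit: read the exported rule sheet, flag any/any allows, flag shadow rules pointing at retired hosts, and flag allows with no match in the 90-day traffic baseline. The script below is an added example written for this write-up, not the tooling used in the engagement. The CSV column names, the rule contents, the decommissioned-host list and the audit date are all constructed; a real export would need its columns mapped onto these names.

```python
"""Pre-migration rule audit (added example, not the case study's own tooling).

For each allow rule in a CSV export it records:
  * any/any/any allows                     -> replace with least-privilege egress
  * destinations on the decommissioned list -> remove (shadow rule)
  * no match in the 90-day traffic baseline -> remove after owner sign-off
Column names, addresses, hosts and dates are constructed for this example.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed export. 'last_hit' is the most recent baseline match; blank = never matched.
SAMPLE_EXPORT = """\
id,name,src,dst,service,action,last_hit
1,Corp-Web-Out,10.1.10.0/24,any,HTTP/HTTPS/DNS/NTP,allow,2024-03-14
2,Legacy-FTP-to-OldFile,10.1.10.0/24,10.1.30.250,FTP,allow,
3,Any-Out,any,any,any,allow,2024-03-15
4,OT-to-ERP,10.1.20.0/24,10.1.30.10,TCP/8443,allow,2024-03-15
5,Old-Backup-Host,10.1.30.0/24,10.1.30.251,SMB,allow,2023-11-02
6,Block-Telnet,any,any,TELNET,deny,2024-02-01
"""

DECOMMISSIONED_HOSTS = {"10.1.30.250", "10.1.30.251"}  # constructed retired-host list
BASELINE_DAYS = 90
AUDIT_DATE = date(2024, 3, 15)                          # constructed audit date


@dataclass(frozen=True)
class Finding:
    rule_id: str
    name: str
    reason: str
    recommendation: str


def audit_rules(csv_text: str, decommissioned: set, as_of: date) -> list:
    """Return one Finding per (rule, problem). Deny rules are left untouched."""
    findings = []
    cutoff = as_of - timedelta(days=BASELINE_DAYS)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"].strip().lower() != "allow":
            continue
        rid, name = row["id"], row["name"]
        if all(row[col].strip().lower() == "any" for col in ("src", "dst", "service")):
            findings.append(Finding(rid, name, "any/any/any allow",
                                    "replace with explicit least-privilege egress policy"))
        if row["dst"].strip() in decommissioned:
            findings.append(Finding(rid, name, "destination host decommissioned",
                                    "remove (shadow rule)"))
        last_hit = row["last_hit"].strip()
        if not last_hit or date.fromisoformat(last_hit) < cutoff:
            findings.append(Finding(rid, name, f"no match in {BASELINE_DAYS}-day baseline",
                                    "remove after owner sign-off"))
    return findings


def group_by_rule(findings) -> dict:
    """Collapse findings into {rule_id: [reason, ...]} for the cleanup sheet."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding.rule_id].append(finding.reason)
    return dict(grouped)


if __name__ == "__main__":
    report = audit_rules(SAMPLE_EXPORT, DECOMMISSIONED_HOSTS, AUDIT_DATE)
    for rid, reasons in sorted(group_by_rule(report).items()):
        print(f"rule {rid}: {'; '.join(reasons)}")
```

Rules 1 and 4 come through clean; rule 3 is the any/any candidate for step 3, and rules 2 and 5 are flagged twice (retired destination and no baseline traffic), which is the usual profile of a shadow rule.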
Outbound Policy Hardening
```
# Example: Corporate VLAN outbound policy
Source: VLAN10-Corporate (10.1.10.0/24)
Destination: All (Internet)
Service: HTTP, HTTPS, DNS, NTP
Action: ACCEPT
Security: IPS + App Control + Web Filter + AV + SSL Inspection
Logging: All Sessions
# All other outbound traffic — denied by default (implicit deny)
```
Phase 5 — Validation
| Test | Method | Result |
|---|---|---|
| Production traffic flow | Monitor FortiGate session table during business hours | Pass |
| VLAN segmentation | Nmap scans from each VLAN targeting other VLANs | Pass |
| Outbound policy | Attempted connections on unauthorized ports from each VLAN | Pass |
| IPS validation | Vulnerability scanner against internal hosts from test VLAN | Pass |
| Guest isolation | Connected to Guest WiFi; attempted access to Corporate VLANs | Pass |
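The segmentation, outbound-policy and guest-isolation tests above all reduce to the same question: does observed reachability match the Inter-VLAN Access column of the design table? The Python below is an added example (not the engagement's validation tooling) that encodes that table as a deny-by-default decision function and diffs a set of scanner-style observations against it, so a flow that is reachable but not designed, or designed but blocked, is reported. The subnets, the ERP host and service, the admin-workstation address, and the observation list are constructed; the egress service set is the one from the Outbound Policy Hardening section.

```python
"""Inter-VLAN design model and scan-result check (added example, not the project's code).

is_allowed() is the design table as code: deny unless a row explicitly permits the
flow. violations() compares constructed reachability observations against it.
Addresses, the ERP host/service and the admin workstation are assumptions.
"""
from ipaddress import ip_address, ip_network

VLANS = {  # constructed addressing, VLAN ids from the design table
    "Corporate":  ip_network("10.1.10.0/24"),
    "OT":         ip_network("10.1.20.0/24"),
    "Servers":    ip_network("10.1.30.0/24"),
    "Guest":      ip_network("10.1.40.0/24"),
    "Management": ip_network("10.1.99.0/24"),
}
INTERNET = "Internet"
ERP_SERVER = ip_address("10.1.30.10")              # assumption
ERP_SERVICE = "TCP/8443"                           # assumption
ADMIN_WORKSTATIONS = {ip_address("10.1.10.5")}     # assumption: IT admin hosts in Corporate
EGRESS_SERVICES = {"HTTP", "HTTPS", "DNS", "NTP"}  # from the outbound hardening policy


def zone_of(ip) -> str:
    for name, net in VLANS.items():
        if ip in net:
            return name
    return INTERNET  # anything outside the internal ranges is treated as Internet


def is_allowed(src_ip: str, dst_ip: str, service: str) -> bool:
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # same broadcast domain; the firewall is not in the path
    if s == "Corporate":
        if d == "Servers":
            return True                           # full access to servers
        if d == INTERNET:
            return service in EGRESS_SERVICES     # internet via the filtered egress policy
        if d == "Management":
            return src in ADMIN_WORKSTATIONS      # IT admin workstations only
        return False                              # Corporate -> OT / Guest: denied
    if s == "OT":
        return d == "Servers" and dst == ERP_SERVER and service == ERP_SERVICE
    if s == "Guest":
        return d == INTERNET                      # internet-only, no internal VLAN
    return False  # Servers, Management and Internet-originated flows: deny by default


# Constructed observations: (src, dst, service, reachable) as a scanner would report them.
OBSERVATIONS = [
    ("10.1.10.20", "10.1.30.10",  "HTTPS",    True),
    ("10.1.10.20", "10.1.20.15",  "TCP/502",  False),
    ("10.1.20.15", "10.1.30.10",  "TCP/8443", True),
    ("10.1.20.15", "203.0.113.5", "HTTPS",    False),
    ("10.1.40.30", "203.0.113.5", "HTTPS",    True),
    ("10.1.40.30", "10.1.10.20",  "SMB",      True),   # guest reaching Corporate: a gap
    ("10.1.10.20", "10.1.99.1",   "SSH",      False),
    ("10.1.10.5",  "10.1.99.1",   "SSH",      True),
]


def violations(observations) -> list:
    """Flows whose observed reachability differs from the design."""
    return [(s, d, svc, seen) for s, d, svc, seen in observations
            if is_allowed(s, d, svc) != seen]


if __name__ == "__main__":
    for s, d, svc, seen in violations(OBSERVATIONS):
        print(f"MISMATCH {s} -> {d} {svc}: observed={'open' if seen else 'blocked'}, "
              f"design={'allow' if is_allowed(s, d, svc) else 'deny'}")
```

Feeding real scan output into `OBSERVATIONS` turns the Phase 5 table into a regression test that can be re-run after every policy push from FortiManager.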
Failover Testing (Site A)
| Test | Result |
|---|---|
| HA failover (active → passive) | Failover in <3 seconds — no session loss for established connections |
| WAN failover (primary → secondary) | SD-WAN triggered failover in <10 seconds; VPN tunnels re-established automatically |
| VPN tunnel recovery | DPD detected drop and re-established tunnel in <30 seconds |
Outcomes
| Metric | Before | After |
|---|---|---|
| Sites under management | 3 independently managed units | 4 sites unified under FortiManager — consistent policy across all locations |
| Centralized management | None — site-by-site manual changes | FortiManager — single pane of glass; policy changes push to all sites simultaneously |
| Security inspection | Basic stateful packet filtering only | IPS, App Control, Web Filter, SSL Inspection, AV — all sites |
| Network segmentation | Flat network at all 4 sites — zero isolation | 5 VLANs at each site — Corporate / OT / Servers / Guest / Mgmt |
| Log visibility | Minimal or no logging at 3 of 4 sites | FortiAnalyzer — centralized log aggregation, 90-day retention, dashboards across all sites |
| Site-to-site VPN | Partial — 2 sites unencrypted over public internet | Full IPsec mesh (6 tunnels) — AES-256, IKEv2, DPD, SD-WAN failover — all 4 sites |
| Outbound policy | any/any at 3 of 4 sites | Least-privilege egress at all sites — explicit allow only, all other traffic denied |
| High availability | None at any site | Active-Passive HA at HQ; SD-WAN WAN failover at dual-WAN sites |
| OT/IT isolation | None — OT and corporate on same broadcast domain | OT VLAN isolated — restricted to ERP server only, no direct internet access |
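With logging centralized, the OT/IT isolation outcome becomes something that can be watched rather than assumed. The script below is an added example, not part of the engagement or of any Fortinet tooling: it parses traffic-log lines in the key=value layout FortiOS uses and, for sessions sourced from the OT interface, separates denied internet attempts (the policy held, but a production device is trying to reach out and should be looked at) from accepted ones (a policy gap). The log lines, device names, interface names, addresses and policy ids are constructed for the example.

```python
"""OT egress check over FortiGate-style traffic logs (added example; constructed lines).

FortiOS traffic logs are key=value records. The sample below follows that layout
but every value is constructed. A denied OT->Internet session hitting the implicit
deny (policyid=0) is an investigation lead; an accepted one is a policy violation.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

OT_INTERFACE = "VLAN20-OT"  # same VLAN naming scheme as the interface config above

# RFC 1918 only: the ipaddress module's is_private also covers documentation ranges
# such as 203.0.113.0/24, which we want to treat as external here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

SAMPLE_LOGS = """\
date=2024-03-18 time=08:01:12 devname="FG-SITE-D" type="traffic" subtype="forward" srcip=10.4.20.15 srcport=50211 srcintf="VLAN20-OT" dstip=10.1.30.10 dstport=8443 dstintf="VPN-to-A" proto=6 action="accept" policyid=12 service="tcp/8443"
date=2024-03-18 time=08:01:40 devname="FG-SITE-D" type="traffic" subtype="forward" srcip=10.4.20.22 srcport=49877 srcintf="VLAN20-OT" dstip=203.0.113.50 dstport=443 dstintf="wan1" proto=6 action="deny" policyid=0 service="HTTPS"
date=2024-03-18 time=08:01:41 devname="FG-SITE-D" type="traffic" subtype="forward" srcip=10.4.20.22 srcport=49878 srcintf="VLAN20-OT" dstip=198.51.100.7 dstport=53 dstintf="wan1" proto=17 action="deny" policyid=0 service="DNS"
date=2024-03-18 time=08:02:05 devname="FG-SITE-D" type="traffic" subtype="forward" srcip=10.4.10.31 srcport=51002 srcintf="VLAN10-Corporate" dstip=203.0.113.50 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=3 service="HTTPS"
date=2024-03-18 time=08:02:30 devname="FG-SITE-D" type="traffic" subtype="forward" srcip=10.4.20.40 srcport=52310 srcintf="VLAN20-OT" dstip=203.0.113.9 dstport=8080 dstintf="wan1" proto=6 action="accept" policyid=7 service="HTTP-8080"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value log record into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ot_egress_report(log_text: str) -> dict:
    """Summarise OT-sourced sessions to non-RFC1918 destinations."""
    denied = Counter()   # srcip -> number of blocked internet attempts
    accepted = []        # (srcip, dstip, dstport, policyid) for allowed OT->Internet sessions
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("srcintf") != OT_INTERFACE:
            continue
        if is_internal(rec["dstip"]):
            continue  # e.g. OT -> ERP over the site-to-site VPN, which the design permits
        if rec.get("action") == "deny":
            denied[rec["srcip"]] += 1
        elif rec.get("action") == "accept":
            accepted.append((rec["srcip"], rec["dstip"], rec["dstport"], rec["policyid"]))
    return {"denied_by_source": dict(denied), "accepted_violations": accepted}


if __name__ == "__main__":
    report = ot_egress_report(SAMPLE_LOGS)
    for src, count in report["denied_by_source"].items():
        print(f"OT host {src}: {count} blocked internet attempts (investigate device)")
    for src, dst, port, policy in report["accepted_violations"]:
        print(f"POLICY GAP: OT host {src} reached {dst}:{port} via policy {policy}")
```

Run over a FortiAnalyzer export for the OT interface, the `accepted_violations` list should stay empty at every site; anything in `denied_by_source` is a device to identify on the production floor.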
Findings (Pre-Refresh)
| # | Finding | Severity | Recommendation |
|---|---|---|---|
| 1 | End-of-life SonicWall appliances across all 4 sites — no vendor support, no patches, known CVEs unaddressed | Critical | Replace with currently supported NGFW (FortiGate) with active FortiGuard threat intelligence |
| 2 | Flat network at all 4 sites — OT, corporate, servers, and guests on the same broadcast domain | Critical | Implement VLAN segmentation at every site — isolate OT, corporate, server, guest, and management traffic |
| 3 | OT systems (PLCs, CNC machines) reachable from guest WiFi and corporate workstations with no security boundary | Critical | Enforce OT VLAN with explicit deny-by-default — allow only required ERP communication |
| 4 | any/any outbound rules at 3 of 4 sites | High | Replace with least-privilege egress policies — explicit allow for required services only at all sites |
| 5 | No IPS/IDS capability on any firewall across all 4 sites | High | Enable FortiGate IPS in block mode for critical/high severity, including ICS/SCADA signatures for OT VLAN |
| 6 | Inter-site traffic traversing public internet unencrypted at 2 sites — including domain replication and file share traffic | High | Establish full IPsec VPN mesh between all 4 sites — no inter-site traffic outside an encrypted tunnel |
| 7 | No centralized log aggregation or security monitoring — 3 of 4 sites had no logging configured | Medium | Deploy FortiAnalyzer with centralized collection across all sites; minimum 90-day retention |
| 8 | Obsolete firewall rules referencing decommissioned servers — increasing audit complexity and potential for stale allow rules | Medium | Full rule audit during migration — remove all rules with no traffic baseline in 90+ days |
| 9 | No WAN redundancy or automated failover at any site | Medium | Implement SD-WAN at sites with dual WAN connections; DPD on all VPN tunnels for automatic recovery |
MITRE ATT&CK Coverage
| Technique ID | Technique | How Mitigated |
|---|---|---|
| T1190 | Exploit Public-Facing Application | IPS signatures detect and block known exploit attempts against public-facing services |
| T1071 | Application Layer Protocol (C2) | Application Control identifies and blocks non-standard protocols used for C2 |
| T1048 | Exfiltration Over Alternative Protocol | Least-privilege egress policies restrict outbound traffic to explicitly allowed services |
| T1021 | Remote Services (Lateral Movement) | VLAN segmentation restricts lateral movement — inter-VLAN traffic traverses firewall policy |
| T1133 | External Remote Services | VPN access controlled and logged; unauthorized remote access tools blocked |
| T1572 | Protocol Tunneling | SSL Inspection detects encrypted tunneling; Application Control blocks known tunneling tools |
| T1595 | Active Scanning / Reconnaissance | IPS and geo-blocking reduce exposure to external scanning from high-risk regions |
Tools Used
This write-up reflects a real-world engagement performed at my current employer. The organization, site names, and specific IP addressing have been anonymized to protect client confidentiality. Network architecture, security findings, and measurable outcomes are based on actual deployment results.