As shown by the network diagram below, I have two completely separate networks. One is being managed by a Sonicwall NSA 220, the other by some other router (the brand is not important). My goal is to allow devices within the 192.168.2.0/24 network to access devices in the 192.168.3.0/24 network. So far, I have done the following: I connected the X3 interface on the Sonicwall to the 192.168.3.0/24 network switch (shown as the dashed red line in the diagram). Next, I gave it a static IP address of 192.168.3.254 and set the Zone to LAN (the same Zone as the X0 interface). Judging by various articles and KBs I've read, this is all that should be necessary, although it does not work. I can ping 192.168.3.254 from any device in the 192.168.2.0/24 network, although I cannot ping/connect to any device within the 192.168.3.0/24 network. (I asked a similar, yet more complicated, question earlier, although I realized that I cannot solve that without first solving this, which may actually solve my original question.)

It might be late for RAIN, but as I was among the people who still faced this issue, I thought it might help others also to learn another, more direct approach to this setup:
Under the Network menu, click Address Objects.
Name: My Secondary Subnet (or any friendly name)
IP Address: 192.168.10.

Not Texas/Seattle here.

I will put my vote in for the Fortigate option. I've been a long-time user of Fortigates for over a decade now and have about 70 or so of them in service at the moment. No, not the cheapest option out there; anybody who uses that will mention that. The devices are solid, and the features from their security arm (Fortiguard) are definitely top notch if you have a need for them in your network (IPS, AV, web, DNS and layer 7 application monitoring/filtering). You just need to look at the full datasheet to ensure it's up to the task. The 100F can do 58K new sessions/second, 1 Gbps Threat Protection throughput, 1 Gbps SSL-VPN throughput, 500 concurrent SSL-VPN connections, and some other stats that probably are irrelevant to most people. In essence, with all security features turned on, you can still expect 1 Gbps throughput (Internet and inter-VLAN/subnet on the LAN side). If you don't scan traffic on the LAN side it can push through 10-20 Gbps aggregate. You might even be able to go down a model or two. Anything below the 100 series isn't rack mountable out of the box and you'd have to find rack shelves/trays to mount them on. Fortinet makes them and you can get 3rd-party ones as well. I've used such trays to mount 80C and 60E/F units on.

I have been using WatchGuard firewalls for about 10 years after wanting to gouge out my eyes when looking at SonicWALL's interface. Regarding your "Built in windows VPN currently being used but need to come off asap" comment, which built-in VPN? Windows 10 and IKEv2 VPN with 2FA is easy to set up and much faster and more stable than an SSLVPN agent, in my experience.

Test your current firewall to see if it can block executable file downloads in HTTP and HTTPS traffic. I just pick a random printer driver to try to download, and if it offers to save the file, it already failed the test, because malware can get pushed silently.

Make sure all of the subnets and VLANs are distinct and separate. Not too many ways to handle it differently, really. The ones I've seen are all pretty much the same. Sonicwall lets you specify which subnets/networks are accessible over the tunnel; not sure how Fortinet handles this.

I sold a WatchGuard Core X550e many years ago to a new client whose in-house IT guy said that he spent 20-25 hours per MONTH cleaning up infections, month after month. With the WatchGuard and MY configuration, he went five years ten months WITHOUT A SINGLE INFECTION, then he added an Any rule because a whiny user couldn't look up an appliance repair shop. BOOM! CryptoLocker! This was the company's in-house IT guy, so I had no control over his changes. The sad thing is that he could have allowed the appliance site without opening the firewall completely, and the CryptoLocker download would not have happened.

The bit about getting the "horse" planted reminded me of how vulnerable we all are to that kind of attack vector.
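The two-subnet question (X3 interface on the NSA 220, hosts on 192.168.3.0/24 unreachable even though 192.168.3.254 answers pings) and the "make sure all of the subnets and VLANs are distinct" advice both come down to routing. The following is an added example written for this page, not code from any poster or from SonicWALL/Fortinet: it checks that a set of prefixes does not overlap, and it walks per-node routing tables in both directions to show that a reply needs a route just as much as the request does. The topology, node names (hostA, sonicwall, otherrouter, hostB) and addresses are constructed from the question's numbers and are assumptions; the page has no diagram, so this is a check a practitioner would run on their own layout, not a diagnosis of the poster's network.

```python
"""Routing sanity checks for a multi-subnet or site-to-site layout.

Added example for this thread; not from any poster. Two checks:
  1. prefixes that must be reachable over a tunnel or a second interface must not overlap;
  2. a packet needs a route in BOTH directions. Pinging the firewall's own interface only
     proves the outbound direction: the firewall answers from an address it owns.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations


def find_overlaps(subnets):
    """Return every pair of prefixes that share at least one address."""
    nets = [ip_network(s, strict=False) for s in subnets]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def lookup(routes, dst):
    """Longest-prefix match. routes: list of (prefix, next_hop); next_hop None = directly connected.
    Returns (network, next_hop) or None when there is no route at all."""
    dst = ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def owner_of(topology, ip):
    """Name of the node that owns an address, or None (e.g. an ISP hop we do not model)."""
    ip = ip_address(ip)
    for name, node in topology.items():
        if ip in map(ip_address, node["addrs"]):
            return name
    return None


def trace(topology, src_node, dst_ip, max_hops=8):
    """Follow routing tables hop by hop from src_node toward dst_ip.
    Returns the list of nodes traversed, ending at the owner of dst_ip, or None if dropped."""
    hops = [src_node]
    current = src_node
    for _ in range(max_hops):
        route = lookup(topology[current]["routes"], dst_ip)
        if route is None:
            return None                                  # no route: dropped at this node
        _, nh = route
        nxt = owner_of(topology, dst_ip if nh is None else nh)
        if nxt is None:
            return None                                  # next hop is unmodelled (e.g. the ISP)
        hops.append(nxt)
        if nxt == owner_of(topology, dst_ip):
            return hops
        current = nxt
    return None                                          # routing loop


def reachable_both_ways(topology, src_ip, dst_ip):
    """The check a ping actually performs: request path AND reply path must both exist."""
    fwd = trace(topology, owner_of(topology, src_ip), dst_ip)
    back = trace(topology, owner_of(topology, dst_ip), src_ip)
    return {"forward": fwd, "return": back, "ok": fwd is not None and back is not None}


def build_topology(return_route):
    """Constructed topology (assumption, not the poster's diagram): the firewall has X0 on
    192.168.2.0/24 and X3 on 192.168.3.0/24; hosts on .3.0/24 still default to the other router.
    With return_route=True the other router is given a route back to 192.168.2.0/24 via X3."""
    other_router_routes = [("192.168.3.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if return_route:
        other_router_routes.append(("192.168.2.0/24", "192.168.3.254"))
    return {
        "hostA": {"addrs": ["192.168.2.10"],
                  "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]},
        "sonicwall": {"addrs": ["192.168.2.1", "192.168.3.254"],   # X0 and X3
                      "routes": [("192.168.2.0/24", None), ("192.168.3.0/24", None),
                                 ("0.0.0.0/0", "198.51.100.1")]},
        "otherrouter": {"addrs": ["192.168.3.1"], "routes": other_router_routes},
        "hostB": {"addrs": ["192.168.3.20"],
                  "routes": [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.1")]},
    }


if __name__ == "__main__":
    print(find_overlaps(["192.168.2.0/24", "192.168.3.0/24", "192.168.0.0/16"]))
    topo = build_topology(return_route=False)
    print("ping X3 itself:", reachable_both_ways(topo, "192.168.2.10", "192.168.3.254"))
    print("ping host behind X3:", reachable_both_ways(topo, "192.168.2.10", "192.168.3.20"))
    print("with return route:", reachable_both_ways(build_topology(True), "192.168.2.10", "192.168.3.20"))
```

In the constructed topology the request reaches hostB, but hostB's reply follows its default route to the other router, which has no route to 192.168.2.0/24 and hands it to its ISP, so the return path is None; adding the 192.168.2.0/24 route on the other router (or a static route on the hosts) completes both directions. The same walk also explains why pinging 192.168.3.254 succeeds either way: the firewall owns that address and has 192.168.2.0/24 directly connected. The model ignores NAT and zone/firewall policy, which are separate things to verify on the appliance.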
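The "try to download a printer driver" test in the thread is a good one, but judging by whether the browser offers to save the file tells you nothing about files with a renamed extension, and the CryptoLocker story shows that the payload that matters arrives as a binary. Here is an added example, written for this page and not posted by anyone in the thread, that automates the test: it fetches the first few kilobytes of a URL over HTTP or HTTPS and classifies what actually arrived by its magic bytes (PE "MZ", ELF, Mach-O, the EICAR test string) rather than by its name. The eicar.org URLs in the main block are assumptions about where the standard test file is hosted; substitute any known-good executable URL you have. The EICAR string is assembled from two halves so the script itself is not quarantined when saved to disk.

```python
"""Does the gateway let executable content reach the client?

Added example for this thread; not from any poster. Classifies the bytes that actually
arrive instead of trusting the file name or the browser's save dialog.
"""
import ssl
import urllib.error
import urllib.request

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# The EICAR anti-malware test string, split so the source file itself does not match AV signatures.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"


def classify(data: bytes) -> str:
    """Return 'pe', 'elf', 'macho', 'eicar', 'html' (typical block page) or 'other'."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if EICAR in data:
        return "eicar"
    if data.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "html"
    return "other"


def reached_client(data: bytes) -> bool:
    """True means the firewall FAILED the test: executable or test-virus bytes arrived intact."""
    return classify(data) in ("pe", "elf", "macho", "eicar")


def fetch_head(url: str, nbytes: int = 4096, timeout: float = 15.0):
    """Fetch the first nbytes of url. Returns (status, bytes); status 0 means the
    connection never produced a response (reset, timeout, TLS failure)."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"User-Agent": "egress-exe-test/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(nbytes)
    except urllib.error.HTTPError as e:          # e.g. 403 with a block page body
        return e.code, e.read(nbytes)
    except (urllib.error.URLError, ConnectionResetError, TimeoutError) as e:
        return 0, str(e).encode()


def run_test(url: str) -> dict:
    """One verdict per URL: what arrived and whether the gateway failed."""
    status, head = fetch_head(url)
    return {"url": url, "status": status, "kind": classify(head), "failed": reached_client(head)}


if __name__ == "__main__":
    # Assumed locations of the EICAR test file; any known executable URL works too.
    for u in ("http://secure.eicar.org/eicar.com", "https://secure.eicar.org/eicar.com"):
        print(run_test(u))
```

Run it from a client inside the LAN, once per protocol: a gateway that only inspects plain HTTP will pass the first URL and fail the second. If the gateway does HTTPS inspection, the client must trust its inspection CA, otherwise the HTTPS fetch ends in a certificate error with status 0, which is a test setup problem rather than a block, so treat status 0 on HTTPS with suspicion before crediting the firewall.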