Implementation Document - Pengadaan Perangkat HPE Aruba Dan Fortinet + Implementasi

Pengadaan Perangkat HPE Aruba
dan Fortinet + Implementasi
Prepared by:
Singgih Saputra
Wahyudin Djohan
Zul Ridwan
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
The information in this document is confidential and meant for use only by the intended recipient and
only in connection with and subject to the terms of its contractual relationship with MASTERSYSTEM.
Acceptance and/or use of any of the information contained in this document indicates agreement not
to disclose or otherwise make available to any person who is not an employee of the intended
recipient, or to any other entity, any of the information contained herein. This documentation has the
sole purpose of providing information regarding a MASTERSYSTEM software product or service and
shall be disclosed only to those individuals who have a need to know.
Any entity or person with access to this information shall be subject to this confidentiality statement.
No part of this publication may be reproduced or transmitted in any form or by any means for any
purpose without the express written permission of MASTERSYSTEM.
Copyright © 2016 MASTERSYSTEM INFOTAMA. All rights reserved.
Implementation Document
ii
Confidential
FORM-SE-15
Daftar Isi
KONTROL DOKUMEN ............................................................................................................................. I
DAFTAR ISI............................................................................................................................................. III
DAFTAR GAMBAR ................................................................................................................................. IV
DAFTAR TABEL ...................................................................................................................................... V
1 PENJELASAN DOKUMEN ............................................................................................................... 1
1.1 Pendahuluan......................................................................................................................... 1
1.2 Objektif.................................................................................................................................. 1
1.3 Ruang Lingkup ..................................................................................................................... 1
2 DESAIN AKHIR PERANGKAT ......................................................................................................... 2

2.1 Desain Akhir ......................................................................................................................... 2
2.1.1 Topologi High Level Network ............................................................................................... 2
2.1.2 Topologi Fisik dan Logik Network ........................................................................................ 3
2.1.3 Topologi Fortigate 200E ..................................................................................................... 14
2.2 Daftar Perangkat yang Diimplementasi .............................................................................. 15
3 KONFIGURASI PERANGKAT ........................................................................................................ 16

3.1 Konfigurasi Perangkat Network .......................................................................................... 16
3.2 Konfigurasi Perangkat Firewall ........................................................................................... 40
3.2.1 Network Interfaces ............................................................................................................. 40
3.2.2 SD-WAN ............................................................................................................................. 40
3.2.3 Routing ............................................................................................................................... 41
3.2.4 AntiVirus ............................................................................................................................. 41
3.2.5 Web Filter Profiles .............................................................................................................. 41
3.2.6 Application Control Profiles ................................................................................................ 42
3.2.7 Intrusion Prevention System (IPS) Profiles ........................................................................ 42
3.2.8 Address Object and Group ................................................................................................. 42
3.2.9 Virtual IP ............................................................................................................................. 45
3.2.10 Traffic Shaper Policy (QoS) ............................................................................................... 45
3.2.11 IPv4 DoS Policy ................................................................................................................. 46
3.2.12 IPv4 Policy ......................................................................................................................... 46
LAMPIRAN 1 - REFERENSI .................................................................................................................. 49
iii
Confidential
FORM-SE-15
Daftar Gambar
Figure 2-1 High Level Design (HLD) Network PT Fast Food Indonesia, Tbk ......................................... 2
Figure 2-2 Koneksi Core – Server Farm Switch ..................................................................................... 3
Figure 2-3 Koneksi Fisik Dari Core Switch Ke Access Switch ................................................................ 4
Figure 2-4 DMZ Switch ke Perangkat – Perangkat yang Terkoneksi ..................................................... 6
Figure 2-5 Koneksi Fisik Dari Server Farm Switch ke arah Server & Server Farm Firewall ................. 7
Figure 2-6 Traffic Flow Network di PT. Fast Food Indonesia ............................................................... 11
Figure 2-7 Topologi Logik yang Diimplementasi di PT Fast Food Indonesia ....................................... 12
Figure 2-8 Topologi FortiGate 200E (INET-FW-KFC) .......................................................................... 14
Figure 3-1 Flow-Chart Policy “Accept” .................................................................................................. 46
Figure 3-2 Flow-Chart Policy “Deny” ..................................................................................................... 46
iv
Confidential
FORM-SE-15
Daftar Tabel
Table 1 Port Mapping dari Core Switch ke Remote Device .................................................................... 3

Table 2 Port Mapping Dari Core Switch Ke Access Switch .................................................................... 5
Table 3 Port Mapping DMZ Switch ke Perangkat – Perangkat yang Terkoneksi ................................... 7
Table 4 Port Mapping Koneksi Fisik Server Farm Switch ke Server dan Server Farm Firewall .......... 10
Table 5 Summary Port Mapping Table pada Access Switch ................................................................ 10
Table 6 List IP Address ......................................................................................................................... 13
Table 7 List IP Management Perangkat ................................................................................................ 13
Table 8 Bill of Quantity .......................................................................................................................... 15
Table 9 Network Interfaces ................................................................................................................... 40
Table 10 SD-WAN................................................................................................................................. 40
Table 11 Routing ................................................................................................................................... 41
Table 12 Anti Virus ................................................................................................................................ 41
Table 13 Web Filter Profiles .................................................................................................................. 41
Table 14 Application Control ................................................................................................................. 42
Table 15 Intrusion Prevention System (IPS) Profiles ............................................................................ 42
Table 16 Address Object....................................................................................................................... 43
Table 17 Address Group ....................................................................................................................... 45
Table 18 Virtual IP ................................................................................................................................. 45
Table 19 QoS Policies ........................................................................................................................... 45
Table 20 DoS Policies ........................................................................................................................... 46
Table 21 IPv4 Policies ........................................................................................................................... 48
v
Confidential
FORM-SE-15
Penjelasan Dokumen
1 Penjelasan Dokumen
1.1 Pendahuluan
PT Fast Food Indonesia berencana untuk meningkatkan kualitas network infrastruktur dan
firewall serta melakukan replacement pada perangkat. Hal ini dilakukan untuk mendukung system
design network dan firewall yang lebih reliable. Untuk memenuhi standard tersebut, dilakukan
pergantian perangkat baru.
1.2 Objektif
Maksud dan tujuan dari proyek ini adalah untuk melakukan implementasi project peremajaan
perangkat sesuai dengan kesepakatan dengan PT. Fast Food Indonesia, Tbk dan PT. Mastersystem
Infotama
1.3 Ruang Lingkup

Melakukan implementasi dan migrasi sesuai dengan bill of quantity.
1
Confidential
FORM-SE-15
Desain Akhir Perangkat
2 Desain Akhir Perangkat

2.1 Desain Akhir
2.1.1 Topologi High Level Network
Berikut ini merupakan topologi High Level Design yang telah diimplementasi pada PT Fast Food
Indonesia, Tbk.
Figure 2-1 High Level Design (HLD) Network PT Fast Food Indonesia, Tbk
2
Confidential
FORM-SE-15
2.1.2 Topologi Fisik dan Logik Network
Pada bagian ini akan dijelaskan mengenai topology fisik dan logical yang terhubung dan telah
implementasi pada jaringan IT PT Fast Food Indonesia.
2.1.2.1 Topologi Fisik Core Router
Berikut ini adalah topologi fisik yang menjelaskan interkoneksi dari Core Router ke WAN, Core
Switch, dan DMZ Switch yang terdiri dari gambar dan table port mapping.
Figure 2-2 Koneksi Core – Server Farm Switch
Tabel port mapping dari core switch ke remote device :
No. Switch Interface Remote Switch Remote Interface IF Type Local IP Address Remote IP Address
1 Ge 0/0 Router LA Ge 0/0 L3 IP 10.10.100.254/30 10.10.100.253/30
2 Ge 0/1 Router Telkom Ge 0/0 L3 IP 1.2.60.1/30 1.2.60.2/30
3 Ge 0/2 Router CBN Ge 0/0 L3 IP 1.2.70.1/30 1.2.70.2/30
4 RTR01-KFC-LT3 Ge 3/0 CSW01-KFC-LT3 Ge 1/24 L3 IP 172.16.1.6/30 172.16.1.5/30
5 Ge 3/1 CSW01-KFC-LT3 Ge 1/24 L3 IP 172.16.1.2/30 172.16.1.1/30
6 Ge 3/2
7 Ge 3/3
Table 1 Port Mapping dari Core Switch ke Remote Device
3
Confidential
FORM-SE-15
2.1.2.2 Topologi Fisik Core Switch
Berikut ini adalah koneksi fisik dari Core Switch ke Access Switch di setiap lantai dan ke arah
Server Farm Switch, yang terdiri dari gambar dan port mapping :
Figure 2-3 Koneksi Fisik Dari Core Switch Ke Access Switch
Tabel port mapping dari core switch ke access switch :

Remote
No. Switch Interface Remote Switch IF Type Local IP Address Remote IP Address
Interface
1 Ge 1/1 ASW01-KFC-LT2 Ge 0/24 L2 TRUNK 172.16.24.254/24 172.16.24.1/24
CSW01-KFC-LT3
15 Ge 1/15
16 Ge 1/16
17 Ge 1/17
18 Ge 1/18
4
Confidential
FORM-SE-15
19 Ge 1/19
20 Ge 1/20
172.16.1.9/30 172.16.1.10/30
21 Ge 1/21 DMZSW01-KFC-LT3 Ge 0/23 L2 TRUNK 172.16.1.25/30 172.16.1.26/30
172.16.1.13/30 172.16.1.14/30
22 Ge 1/A1 SSW01-KFC-LT3 Ge 1/24 L2 TRUNK 172.16.1.17/30 172.16.1.18/30
172.16.1.13/30 172.16.1.14/30
24 Ge 1/A3 RTR01-KFC-LT3 Ge 3/2 L3 IP 172.16.1.1/30 172.16.1.2/30
39 Ge 2/15
40 Ge 2/16
41 Ge 2/17
42 Ge 2/18
43 Ge 2/19
44 Ge 2/20
172.16.1.9/30 172.16.1.10/30
45 Ge 2/21 DMZSW01-KFC-LT3 Ge 0/24 L2 TRUNK 172.16.1.25/30 172.16.1.26/30
172.16.1.13/30 172.16.1.14/30
172.16.1.13/30 172.16.1.14/30
48 Ge 2/A3 RTR01-KFC-LT3 Ge 3/3 L3 IP 172.16.1.5/30 172.16.1.6/30
Table 2 Port Mapping Dari Core Switch Ke Access Switch
5
Confidential
FORM-SE-15
2.1.2.3 Topologi Fisik DMZ Switch
Berikut ini adalah topologi fisik yang mejelaskan interkoneksi dari DMZ Switch ke perangkat –
perangkat yang terkoneksi, terdiri dari gambar dan table port mapping.
Figure 2-4 DMZ Switch ke Perangkat – Perangkat yang Terkoneksi
Tabel port mapping dari DMZ switch ke perangkat – perangkat yang terkoneksi :
Remote Local IP Remote IP

No. Switch Interface Remote Switch IF Type
Interface Address Address
L2
1 Ge 0/1 ALOKASI SERVER DMZ Ge 0/0 ACCESS
L2
L2
L2
L2
L2
L2
L2
L2
L2
6
Confidential
FORM-SE-15
L2
L2
L2
L2
L2
L2
L2
L2
L2
L2
L2 172.16.1.21/30 172.16.1.22/30
21 Ge 0/21 INET FW Ge 0/1 ACCESS
L2 172.16.1.21/30 172.16.1.22/30
22 Ge 0/22 INET FW Ge 0/1 ACCESS
L2 172.16.1.10/30 172.16.1.9/30
23 Ge 0/23 CSW01-KFC-LT3 Ge 1/21 ACCESS 172.16.1.26/30 172.16.1.25/30
L2 172.16.1.10/30 172.16.1.9/30
24 Ge 0/24 CSW01-KFC-LT3 Ge 2/21 ACCESS 172.16.1.26/30 172.16.1.25/30
Table 3 Port Mapping DMZ Switch ke Perangkat – Perangkat yang Terkoneksi
2.1.2.4 Topologi Fisik Server Farm Switch
Berikut ini adalah koneksi fisik dari Server Farm Switch ke arah Server dan Server Farm Firewall,
yang terdiri dari gambar dan port mapping :
Figure 2-5 Koneksi Fisik Dari Server Farm Switch ke arah Server & Server Farm Firewall
7
Confidential
FORM-SE-15
Tabel Port Mapping dari Server Farm Switch ke Server dan Server Farm Firewall :
Remote Local IP Remote IP
No. Switch Interface Remote Switch Interface IF Type Address Address
1 Te 1/0/1 SERVER PORT Ge 0/0 L2 ACCESS
8
Confidential
FORM-SE-15

172.16.1.18/30 172.16.1.17/30
47 Te 1/0/47 CSW01-KFC-LT3 Ge 1/A1 L2 TRUNK 172.16.1.14/30 172.16.1.13/30
172.16.1.18/30 172.16.1.17/30
9
Confidential
FORM-SE-15

172.16.1.18/30 172.16.1.17/30
172.16.1.18/30 172.16.1.17/30
Table 4 Port Mapping Koneksi Fisik Server Farm Switch ke Server dan Server Farm Firewall
2.1.2.5 Port Mapping Switch Access
Berikut merupakan summary port mapping table pada setiap Access Switch yang berada di
setiap lokasi :
IP
No. Host Name Port Mapping Vlan Mapping Type
Management
Vlan store development 172.16.24.1/24
1 ASW01-KFC-LT2 Ge 1 – 24, 25-46 (13), Vlan QA (15) L2 ACCESS
Vlan Marketing (10), 172.16.24.2/24
2 ASW02-KFC-LT2 Ge 1 – 24, 25-46 Vlan Operational (11) L2 ACCESS
3 ASW03-KFC-LT4 Ge 1 – 24, 25-46 Vlan Internal Audit (27) L2 ACCESS 172.16.24.3/24
Vlan 24 (FPC), VLan 26 172.16.24.4/24
4 ASW04-KFC-LT3 Ge 1 – 24, 25-46 (Tax) L2 ACCESS
5 ASW05-KFC-LT3 Ge 1 - 48 Vlan 21 (Logistik) L2 ACCESS 172.16.24.5/24
6 ASW06-KFC-LT3 Ge 1 - 48 Vlan IT (16) L2 ACCESS 172.16.24.6/24
7 ASW07-KFC-LT3 Ge 1 - 48 Vlan IT (16) L2 ACCESS 172.16.24.7/24
8 ASW08-KFC-LT3 Ge 1 - 48 Vlan Accounting (19) L2 ACCESS 172.16.24.8/24
9 ASW09-KFC-LT3 Ge 1 - 48 Vlan Finance (20) L2 ACCESS 172.16.24.9/24
Vlan 22 (GA), Vlan 25 172.16.24.10/24
10 ASW10-KFC-LT3 Ge 1 – 24, 25-46 (Legal) L2 ACCESS
11 ASW11-KFC-LT3 Ge 1 - 48 Vlan 23 (Payroll) L2 ACCESS 172.16.24.11/24
12 ASW12-KFC-LT4 Ge 1 - 48 Vlan HR (28) L2 ACCESS 172.16.24.12/24
Vlan Internal 172.16.24.13/24
Communication (30),
13 ASW13-KFC-LT5 Ge 1 – 24, 25-46 Vlan Traveldesk (31) L2 ACCESS
Vlan Procurement (29), 172.16.24.14/24
14 ASW14-KFC-LT5 Ge 1 – 24, 25-46 Vlan BUD (32) L2 ACCESS
Table 5 Summary Port Mapping Table pada Access Switch
10
Confidential
FORM-SE-15
2.1.2.6 Flow Traffic dan Topologi Logik
Berikut merupakan traffic flow network di PT. Fast Food Indonesia.
Figure 2-6 Traffic Flow Network di PT. Fast Food Indonesia
1. Segment Server Farm

Gateway Server Farm Switch ke arah Core Switch menggunakan L3 (OSPF network point to
point), gateway Server Farm berada di Server Farm Switch.
Semua traffic IN dan OUT ke arah Server farm akan melalui server farm switch dan akan
diinspect oleh Server Farm Switch.
2. Segment User LAN

Gateway user LAN akan berada di Core Switch, koneksi antara Core Switch ke Access Switch
menggunakan L2 Trunk, Vlan akan diallow ke arah Access Switch berdasarkan tabel Vlan
Mapping dan Port Mapping yang di definisikan pada Low Level Desain ini. Vlan ID pada setiap
lokasi berbeda – beda. Untuk mempermudah segmentasi ke arah User, pada Access Switch
akan diaktifkan hybrid port dimana Vlan voice dan Vlan data dapat digunakan pada 1 port
bersamaan sehingga dari IP Phone dapat extend koneksi ke arah PC/user.
3. Segment DMZ
Gateway server – server DMZ akan berada di DMZ Firewall / Internet Firewall, dimana setiap
traffic dari arah external network yang akan mengakses ke DMZ Server akan diinspect terlebih
dahulu oleh DMZ Firewall. DMZ Firewall akan melakukan full inspect untuk traffic yang
mengarah ke segment DMZ dan intranet.
4. Internet dan MPLS

Koneksi ke arah internet dan MPLS akan diterminasi pada Core Router, default router ke arah
internet akan diadvertise oleh Core Router ke arah segment user, routing ke arah MPLS /
Branch office akan di arahkan via Core Router dari arah segment user.
11
Confidential
FORM-SE-15
Berikut ini merupakan topologi logik yang telah diimplementasikan di PT Fast Food Indonesia :
Figure 2-7 Topologi Logik yang Diimplementasi di PT Fast Food Indonesia
1. WAN Router
Koneksi ke arah Branch Office dan Store terdiri dari 3 provider, yaitu Lintas Artha (LA), Telkom,
dan CBN.
Koneksi ke LA menggunakan routing protocol BGP, koneksi ke Telkom dan CBN menggunakan
static route.
Koneksi ke arah HO menggunakan OSPF area 0.
2. Core Switch
Koneksi ke arah HO menggunakan OSPF area 0, koneksi ke arah WAN Router menggunakan
OSPF area 0.
2.1.2.7 Skema Alokasi IP Address
Berikut ini merupakan skema alokasi IP address yang akan digunakan pada network PT. Fast
Food Indonesia :
/24 Allocation Vlan ID

172.16.1.0 IP PTP 8
172.16.2.0 Vlan Voice 9
172.16.3.0 Vlan Marketing 10
172.16.4.0 Vlan Operational 11
172.16.5.0 Vlan Market Development 12
172.16.6.0 Vlan Store Development 13
172.16.7.0 Vlan Business Development 14
172.16.8.0 Vlan Quality Assurance 15
172.16.9.0 Vlan IT 16
12
Confidential
FORM-SE-15
192.168.8.0/22 Vlan Server 1

172.16.10.0 Vlan Accounting 19
172.16.11.0 Vlan Finance 20
172.16.12.0 Vlan Logistik 21
172.16.13.0 Vlan GA 22
172.16.14.0 Vlan Payroll 23
172.16.15.0 Vlan FPC 24
172.16.16.0 Vlan Legal 25
172.16.17.0 Vlan Tax 26
172.16.18.0 Vlan Internal Audit 27
172.16.19.0 Vlan HR 28
172.16.20.0 Vlan Procurment 29
172.16.21.0 Vlan Internal Communication 30
172.16.22.0 Vlan Traveldesk 31
172.16.23.0 Vlan BUD 32
Vlan IP Management Switch
172.16.24.0 33
Access
172.16.25.0
172.16.26.0
172.16.27.0
Table 6 List IP Address
List IP Management Perangkat
Hostname IP Address
RTR01-KFC-LT3 172.16.1.2
CSW01-KFC-LT3 172.16.1.1
SSW01-KFC-LT3 172.16.1.18
DMZ01-KFC-LT3 172.16.1.10
ASW01-KFC-LT2 172.16.24.1
ASW02-KFC-LT2 172.16.24.2
ASW03-KFC-LT4 172.16.24.3
ASW04-KFC-LT3 172.16.24.4
ASW05-KFC-LT3 172.16.24.5
ASW06-KFC-LT3 172.16.24.6
ASW07-KFC-LT3 172.16.24.7
ASW08-KFC-LT3 172.16.24.8
ASW09-KFC-LT3 172.16.24.9
ASW10-KFC-LT3 172.16.24.10
ASW11-KFC-LT3 172.16.24.11
ASW12-KFC-LT4 172.16.24.12
ASW13-KFC-LT5 172.16.24.13
ASW14-KFC-LT5 172.16.24.14
Table 7 List IP Management Perangkat
13
Confidential
FORM-SE-15
2.1.3 Topologi Fortigate 200E
CBN LINTASARTA INDONET ASTINET
Port 2
Port 3
Port 5
Port 4
INET-FW-KFC
(FortiGate 200E)
Port 13
Port 14
172.16.1.22/30
LACP
172.16.1.21/30
DMZ01-KFC-LT3
(Aruba Switch)
LAN
Figure 2-8 Topologi FortiGate 200E (INET-FW-KFC)
14
Confidential
FORM-SE-15
2.2 Daftar Perangkat yang Diimplementasi
Tujuan proyek ini adalah untuk mengimplementasikan Project Peremajaan Perangkat Core,
Server Farm Switch, Access Switch, dan Firewall sesuai dengan Bill of Quantity (BoQ) yang telah
disepakati oleh PT Fast Food Indonesia, Tbk dengan PT Mastersystem Infotama.
Di bawah ini adalah Bill Of Quantity :
Table 8 Bill of Quantity
15
Confidential
FORM-SE-15
Konfigurasi Perangkat
3 Konfigurasi Perangkat
3.1 Konfigurasi Perangkat Network
WAN Router (RTR01-KFC-LT3)
#
version 7.1.064, Release 0615P16
#
sysname RTR01-KFC-LT3
#
telnet server enable
#
ospf 1
import-route static type 2
import-route bgp allow-ibgp
area 0.0.0.0
network 1.2.60.0 0.0.0.3
network 1.2.70.0 0.0.0.3
network 10.10.100.101 0.0.0.0
#
ip redirects enable
ip ttl-expires enable
ip icmp error-interval 0
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Virtual-Template0
#
interface NULL0
#
interface LoopBack0
ip address 10.10.100.101 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
description TO LINTASARTA
combo enable copper
ip address 10.10.100.254 255.255.255.252
ospf network-type p2p
ospf 1 area 0.0.0.0
#
16
Confidential
FORM-SE-15
description TO TELKOM
ip address 1.2.60.1 255.255.255.252
#
description TO CBN
ip address 1.2.70.1 255.255.255.252
#
description TO CSW01-KFC-LT.3 PORT 2/A3
ip address 172.16.1.6 255.255.255.252
ospf cost 100
ospf 1 area 0.0.0.0
#
description TO CSW01-KFC-LT.3 PORT 1/A3
ip address 172.16.1.2 255.255.255.252
ospf 1 area 0.0.0.0
#
#
port link-mode bridge
#
bgp 64999
router-id 10.10.100.101
peer 10.10.100.102 as-number 64999
peer 10.10.100.102 connect-interface LoopBack0
#
address-family ipv4 unicast
balance eibgp 8
import-route direct
import-route static
import-route ospf 1
peer 10.10.100.102 enable
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
scheduler logfile size 16
#
17
Confidential
FORM-SE-15
line class aux
authentication-mode password
user-role network-admin
set authentication password hash
$h$6$1LBu6zZ+3jqJ0xkY$bnqwhiPLNBPsBaHWHMJl30q3Avi2DNaNt+Wdq9fEXiMLhypAVO6aPCsFpo
TRCgoocVafuJclGGWe8j8hgT0pvg==
#
line class tty
user-role network-operator
#
line class vty
authentication-mode scheme
$h$6$iP+TfXm20Q4DWzt3$hnVc0C3028bwASI7wA4RFiqUu7bU7i3L31lvlLMaI9h4R9qZcVq+XK6Xj+N
EnXT9AD49i37o7BQNfEmPpMvEdA==
#
line aux 0
#
line vty 0 10
#
line vty 11 63
$h$6$qVQ/csmvbxGneXOc$370s8TrpAud9Cp+TNOtlQ6pfCFscocVaByn0LbcKTbugRBjvGYaUa+7aLW
zzmfaOPm3cNs/GYWk1bEAxQ1bE/A==
#
ip route-static 1.2.50.0 30 1.2.60.2
ip route-static 10.10.10.128 25 1.2.60.2 description Link_Telkom_Sigma
ip route-static 10.10.165.0 30 1.2.60.2 description LAN-BARU-TLKM
ip route-static 10.11.92.0 24 1.2.60.2
ip route-static 10.12.50.0 24 1.2.60.2
ip route-static 10.13.92.0 24 1.2.60.2
ip route-static 10.14.92.0 24 1.2.60.2
ip route-static 10.15.92.0 24 1.2.60.2
ip route-static 10.16.92.0 24 1.2.60.2
ip route-static 10.17.92.0 24 1.2.60.2
ip route-static 10.165.177.0 24 1.2.60.2
ip route-static 10.165.178.0 24 1.2.60.2
ip route-static 10.165.179.0 29 1.2.60.2
ip route-static 10.165.180.0 24 1.2.60.2
ip route-static 10.165.190.0 24 1.2.60.2
ip route-static 117.54.9.179 32 172.16.1.1
ip route-static 172.10.0.0 16 1.2.70.2 description Link-to-CBN
ip route-static 172.17.0.0 16 1.2.60.2 description LINK_LAN_TELKOM
ip route-static 172.17.15.0 24 1.2.60.2
18
Confidential
FORM-SE-15
#
ssh server enable
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
#
role name level-2
#
role name level-3
#
role name level-4
#
role name level-5
#
role name level-6
#
role name level-7
#
role name level-8
#
role name level-9
#
role name level-10
#
role name level-11
#
role name level-12
#
role name level-13
#
role name level-14
19
Confidential
FORM-SE-15
#
user-group system
#
local-user kfcadmin class manage
password hash
$h$6$2r5CGpkgFam5lVVO$e5m6WXFHOV9Si1oVOeC1hCvsX2swAYlXOKdr/WE2UYdhkks8O+BHP8
M+dwid4+0JTy+KNb0VAGfJK0Kq1g70nQ==
service-type ssh telnet terminal http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
cwmp
cwmp enable
#
ip http enable
ip https enable
#
ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo
#
Core Switch (CSW01-KFC-LT.3)
Running configuration:
; hpStack_KB Configuration Editor; Created on release #KB.16.07.0002

; Ver #14:01.4f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:4e
stacking
member 1 type "JL071A" mac-address 089734-ff1380
member 1 priority 255
member 1 flexible-module A type JL081A
member 2 type "JL071A" mac-address 089734-ff2000
member 2 flexible-module A type JL081A
exit
hostname "CSW01-KFC-LT.3"
console idle-timeout 60
console idle-timeout serial-usb 60
trunk 1/21,2/21 trk1 lacp
trunk 1/A1-1/A2,2/A1-2/A2 trk4 lacp
20
Confidential
FORM-SE-15
ip route 117.54.9.179 255.255.255.255 172.16.1.10
ip router-id 172.16.1.254
ip routing
interface loopback 0
ip address 172.16.1.254
exit
snmp-server community "public" unrestricted
oobm
ip address dhcp-bootp
member 1
exit
member 2
exit
exit
router ospf
area backbone
redistribute connected
enable
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1/15,1/A3,2/A3
untagged 1/16-1/20,1/24,1/A4,2/15-2/20,2/24,2/A4,Trk1-Trk4,Trk11-Trk24
no ip address
exit
vlan 2
name "VLAN2"
tagged Trk1
ip address 172.16.1.25 255.255.255.252
ip ospf 172.16.1.25 area backbone
ip ospf 172.16.1.25 network-type point-to-point
jumbo
exit
vlan 4
name "VLAN4"
tagged Trk4
ip address 172.16.1.17 255.255.255.252
exit
vlan 5
name "VLAN5"
tagged Trk4
ip address 172.16.1.13 255.255.255.252
exit
21
Confidential
FORM-SE-15
vlan 6
name "VLAN6"
tagged Trk1
ip address 172.16.1.9 255.255.255.252
jumbo
exit
vlan 7
name "VLAN7"
untagged 2/A3
ip address 172.16.1.5 255.255.255.252
ip ospf 172.16.1.5 cost 100
exit
vlan 8
name "VLAN8"
untagged 1/A3
tagged Trk17
ip address 172.16.1.1 255.255.255.252
jumbo
exit
vlan 9
name "VLAN9"
tagged Trk11-Trk24
ip address 172.16.2.1 255.255.255.0
ip helper-address 192.168.10.18
exit
vlan 10
name "VLAN10"
tagged Trk11-Trk24
ip address 172.16.3.1 255.255.255.0
exit
vlan 11
name "VLAN11"
tagged Trk11-Trk24
ip address 172.16.4.1 255.255.255.0
exit
vlan 12
name "VLAN12"
tagged Trk11-Trk24
ip address 172.16.5.1 255.255.255.0
exit
vlan 13
name "VLAN13"
tagged Trk11-Trk24
ip address 172.16.6.1 255.255.255.0
22
Confidential
FORM-SE-15
exit
vlan 14
name "VLAN14"
tagged Trk11-Trk24
ip address 172.16.7.1 255.255.255.0
exit
vlan 15
name "VLAN15"
tagged Trk11-Trk24
ip address 172.16.8.1 255.255.255.0
exit
vlan 16
name "VLAN16"
untagged 1/15
tagged Trk11-Trk24
ip address 172.16.9.1 255.255.255.0
exit
vlan 17
name "VLAN17"
no ip address
exit
vlan 18
name "VLAN18"
no ip address
exit
vlan 19
name "VLAN19"
tagged Trk11-Trk24
ip address 172.16.10.1 255.255.255.0
exit
vlan 20
name "VLAN20"
tagged Trk11-Trk24
ip address 172.16.11.1 255.255.255.0
exit
vlan 21
name "VLAN21"
tagged Trk11-Trk24
ip address 172.16.12.1 255.255.255.0
exit
vlan 22
name "VLAN22"
tagged Trk11-Trk24
ip address 172.16.13.1 255.255.255.0
exit
23
Confidential
FORM-SE-15
vlan 23
name "VLAN23"
tagged Trk11-Trk24
ip address 172.16.14.1 255.255.255.0
exit
vlan 24
name "VLAN24"
tagged Trk11-Trk24
ip address 172.16.15.1 255.255.255.0
exit
vlan 25
name "VLAN25"
tagged Trk11-Trk24
ip address 172.16.16.1 255.255.255.0
exit
vlan 26
name "VLAN26"
tagged Trk11-Trk24
ip address 172.16.17.1 255.255.255.0
exit
vlan 27
name "VLAN27"
tagged Trk11-Trk24
ip address 172.16.18.1 255.255.255.0
exit
vlan 28
name "VLAN28"
tagged Trk11-Trk24
ip address 172.16.19.1 255.255.255.0
exit
vlan 29
name "VLAN29"
tagged Trk11-Trk24
ip address 172.16.20.1 255.255.255.0
exit
vlan 30
name "VLAN30"
tagged Trk11-Trk24
ip address 172.16.21.1 255.255.255.0
exit
vlan 31
name "VLAN31"
tagged Trk11-Trk24
ip address 172.16.22.1 255.255.255.0
24
Confidential
FORM-SE-15
exit
vlan 32
name "VLAN32"
tagged Trk11-Trk24
ip address 172.16.23.1 255.255.255.0
exit
vlan 33
name "VLAN33"
tagged Trk11-Trk24
ip address 172.16.24.254 255.255.255.0
exit
spanning-tree
spanning-tree Trk1 priority 4
spanning-tree priority 0
allow-unsupported-transceiver
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
Server Farm Switch (SSW01-KFC-LT3)

#
version 7.1.070, Release 2510P02
#
sysname SSW01-KFC-LT3
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
25
Confidential
FORM-SE-15
irf member 1 priority 32
irf member 2 priority 31
#
router id 172.16.1.252
#
ospf 1
import-route direct
area 0.0.0.0
network 172.16.1.252 0.0.0.0
#
ip redirects enable
ip ttl-expires enable
ip icmp error-interval 0
#
lldp global enable
#
system-working-mode standard
fan prefer-direction slot 1 port-to-power
fan prefer-direction slot 2 port-to-power
password-recovery enable
#
vlan 1
#
vlan 4 to 5
#
irf-port 1/1
port group interface FortyGigE1/0/49
#
irf-port 1/2
#
irf-port 2/1
#
irf-port 2/2
#
stp instance 0 priority 40960
stp global enable
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 4 to 5
link-aggregation mode dynamic
#
interface NULL0
#
interface LoopBack0
ip address 172.16.1.252 255.255.255.255
#
interface Vlan-interface1
description TO LAN KFC
26
Confidential
FORM-SE-15
ip address 192.168.10.3 255.255.252.0
ospf 1 area 0.0.0.0
#
ip address 172.16.1.18 255.255.255.252
ospf 1 area 0.0.0.0
#
ip address 172.16.1.14 255.255.255.252
ospf 1 area 0.0.0.0
#
interface FortyGigE1/0/51
#
#
#
#
#
#
#
#
#
#
#
#
interface M-GigabitEthernet0/0/0
#
interface M-GigabitEthernet0/0/1
#
interface Ten-GigabitEthernet1/0/1
#
27
Confidential
FORM-SE-15
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
28
Confidential
FORM-SE-15
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
29
Confidential
FORM-SE-15
#
#
#
#
#
#
#
#
#
#
#
port link-aggregation group 1
#
#
#
#
#
30
Confidential
FORM-SE-15
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
31
Confidential
FORM-SE-15
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
32
Confidential
FORM-SE-15
#
#
#
#
#
#
#
#
#
#
#
scheduler logfile size 16
#
line class aux
authentication-mode password
$h$6$4uXzKNpTZrHI/kIK$gnLckuAbDnYeVqm4Jcg6r1bL6dMaNNgz0Ge4mEKVj9YiYrkXdrZ+6dXWoak
xDG7oyYSOHnVCqKoGhSu47qMtwQ==
#
line class vty
#
line aux 0 1
33
Confidential
FORM-SE-15
$h$6$C/DybLi9T93nG/9C$hokZ42fCcEoGw53OFp0nYyvLb8XEMj5aWmKDVkj6zQl28AwcYWPbgEsLe
OpdiBZE2UzEb6fUPUpShNOOKEyRIw==
#
line vty 0 10
#
line vty 11 63
$h$6$DWejXDjb0bTCWzBD$/r3iyauHHxGTuGcz21+9o0fL6f5dSYDwT6MANDKVs6ZQcU4GC8gTw7h
XyxCbeLM33NbywO1hQNbUg1sEhz4PSw==
#
snmp-agent
snmp-agent local-engineid 800063A280EC9B8B88FB8900000001
snmp-agent sys-info version v3
#
ssh server enable
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
#
role name level-1
#
role name level-2
#
role name level-3
#
role name level-4
#
role name level-5
#
role name level-6
#
role name level-7
34
Confidential
FORM-SE-15
#
role name level-8
#
role name level-9
#
role name level-10
#
role name level-11
#
role name level-12
#
role name level-13
#
role name level-14
#
user-group system
#
local-user kfcadmin class manage
password hash
$h$6$AJ8LW60OP6uib7Sc$Dm6JMSAIjEfsyXKmub6CCEDkd4aU+F0S1/n2p98koto2gien/2+oFY0q2W
HpWESIif4vLAA6b1xXIAxAcj4H1A==
service-type telnet http https ssh terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
Return
DMZ Switch (DMZSW01-KFC-LT3)

; JL259A Configuration Editor; Created on release #WC.16.05.0007

; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba
hostname "DMZSW01-KFC-LT3"
module 1 type jl259a
console idle-timeout 60
console idle-timeout serial-usb 60
trunk 23-24 trk1 lacp
trunk 21-22 trk2 lacp
ip route 0.0.0.0 0.0.0.0 172.16.1.22
ip route 10.121.134.0 255.255.255.0 172.16.1.22
ip route 10.212.134.0 255.255.255.0 172.16.1.22
35
Confidential
FORM-SE-15
ip route 10.242.1.0 255.255.255.0 172.16.1.22
ip route 117.54.9.179 255.255.255.255 172.16.1.22
ip router-id 172.16.1.253
ip routing
interface loopback 0
ip address 172.16.1.253
exit
router ospf
area backbone
redistribute connected
redistribute static
enable
exit
vlan 1
name "DEFAULT_VLAN"
untagged 1-20,25-28,Trk1-Trk2
no ip address
exit
vlan 2
name "VLAN2"
tagged Trk1
ip address 172.16.1.26 255.255.255.252
jumbo
exit
vlan 3
name "VLAN3"
tagged Trk2
ip address 172.16.1.21 255.255.255.252
exit
vlan 6
name "VLAN6"
tagged Trk1
ip address 172.16.1.10 255.255.255.252
jumbo
exit
spanning-tree
no tftp server
no autorun
no dhcp tr69-acs-url
password manager
password operator
36
Confidential
FORM-SE-15
Access Switch (ASW01-KFC-LT2)
; JL262A Configuration Editor; Created on release #WC.16.05.0007

; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba
hostname "ASW01-KFC-LT2"
module 1 type jl262a
trunk 47 trk1 lacp
trunk 48 trk2 lacp
ip default-gateway 172.16.24.254
vlan 1
name "DEFAULT_VLAN"
no untagged 1-46
untagged 49-52,Trk1-Trk2
exit
vlan 9
name "VLAN9"
no ip address
exit
vlan 10
name "VLAN10"
tagged Trk1-Trk2
no ip address
exit
vlan 11
name "VLAN11"
tagged Trk1-Trk2
no ip address
exit
vlan 12
name "VLAN12"
no ip address
exit
vlan 13
name "VLAN13"
untagged 1-24
tagged Trk1-Trk2
exit
vlan 14
name "VLAN14"
no ip address
exit
vlan 15
name "VLAN15"
untagged 25-46
tagged Trk1-Trk2
no ip address
exit
vlan 16
37
Confidential
FORM-SE-15
name "VLAN16"
no ip address
exit
vlan 17
name "VLAN17"
no ip address
exit
vlan 18
name "VLAN18"
no ip address
exit
vlan 19
name "VLAN19"
no ip address
exit
vlan 20
name "VLAN20"
no ip address
exit
vlan 21
name "VLAN21"
no ip address
exit
vlan 22
name "VLAN22"
no ip address
exit
vlan 23
name "VLAN23"
no ip address
exit
vlan 24
name "VLAN24"
no ip address
exit
vlan 25
name "VLAN25"
no ip address
exit
vlan 26
name "VLAN26"
no ip address
exit
vlan 27
name "VLAN27"
no ip address
exit
vlan 28
name "VLAN28"
no ip address
exit
vlan 29
38
Confidential
FORM-SE-15
name "VLAN29"
no ip address
exit
vlan 30
name "VLAN30"
no ip address
exit
vlan 31
name "VLAN31"
no ip address
exit
vlan 32
name "VLAN32"
no ip address
exit
vlan 33
name "VLAN33"
tagged Trk1-Trk2
ip address 172.16.24.1 255.255.255.0
exit
spanning-tree
no tftp server
loop-protect 1-46
loop-protect 1-46 receiver-action send-recv-dis
loop-protect trap loop-detected
loop-protect disable-timer 60
no autorun
no dhcp tr69-acs-url
password manager
39
Confidential
FORM-SE-15
3.2 Konfigurasi Perangkat Firewall
3.2.1 Network Interfaces
No Interface Type IP Address Link Type Comment Bandwidth (kbps)

1 HA HA Link 1G UTP -
2 MGMT Physical 10.17.8.1/24 1G UTP -
3 port1 Physical - 1G UTP
4 port2 Physical 202.158.91.204/29 1G UTP ISP CBN 100000/100000
5 port3 Physical 202.152.20.186/29 1G UTP ISP Lintasarta 15000/15000
6 port4 Physical 202.53.236.153/29 1G UTP ISP Indonet 15000/15000
7 port5 Physical 10.191.12.2/30 1G UTP ISP Astinet 20000/20000
8 port6-port12 Physical - 1G UTP -
9 port13 Physical 1G UTP
LACP LAN/DMZ 2Gbps/2Gbps
10 port14 Physical 1G UTP
11 port15-port18 Physical - 1G UTP -
12 wan1 Physical - 1G UTP -
13 wan2 Physical - 1G UTP -
14 LACP_Internal Virtual 172.16.1.22/30 2G UTP P2P_DMZ (VID: 3) 2Gbps/2Gbps
Table 9 Network Interfaces
3.2.2 SD-WAN
No. Name Interface Member Gateway Volume

ISP CBN 202.158.91.201 1
SD- ISP Lintas Arta 202.152.20.185 1
1
WAN ISP Indonet 202.53.236.157 9
ISP Astinet 10.191.12.1 9
Table 10 SD-WAN
40
Confidential
FORM-SE-15
3.2.3 Routing
No Destination Next Hop IP Address Port Comment

1 0.0.0.0/0 10.100.0.1 SD-WAN Default Route Management
2 172.16.0.0/16 172.16.1.21 P2P_DMZ VLAN HO
3 172.17.0.0/16 172.16.1.21 P2P_DMZ Branch Network
10 192.168.8.0/22 172.16.1.21 P2P_DMZ Server Farm HO
Table 11 Routing
3.2.4 AntiVirus
AntiVirus Profiles
No. Name
1 default
2 wifi-default
Table 12 Anti Virus
3.2.5 Web Filter Profiles
Web Filter Profiles

No. Name
1 Allow Social Media
2 Block All
3 Call Center
4 IT Web Filter
5 Normal User
6 Sunfish
7 VIP
8 WF_KFC_AnyTime
9 WF_KFC_Break
10 Default
11 Ebanking
12 Monitor-all
13 Wifi-default
Table 13 Web Filter Profiles
41
Confidential
FORM-SE-15
3.2.6 Application Control Profiles
Application Control Profiles

No. Name
1 Application Control KFC
2 block-high-risk
3 default
4 wifi-default
Table 14 Application Control
3.2.7 Intrusion Prevention System (IPS) Profiles
IPS Profiles
No. Name
1 all_default
2 all_default_pass
3 default
4 high_security
5 protect_client
6 protect_email_server
7 protect_http_server
8 wifi-default
Table 15 Intrusion Prevention System (IPS) Profiles
3.2.8 Address Object and Group
- Object
Addresses
No. Name Network/IP Range/ FQDN Comment Associated Interface
1 HO-VLAN-MGMT 172.16.1.0 255.255.255.0 Any
2 HO_VLAN_BUD 172.16.23.0 255.255.255.0 Any
3 HO-VLAN-VOICE 172.16.2.0 255.255.255.0 Any
4 HO-VLAN-MARKETING 172.16.3.0 255.255.255.0 Any
5 HO-VLAN-OPERATIONAL 172.16.4.0 255.255.255.0 Any
6 HO_VLAN_TRAVELDESK 172.16.22.0 255.255.255.0 Any
7 HO-VLAN-MARKET-DEV 172.16.5.0 255.255.255.0 Any
8 HO-VLAN-STORE-DEV 172.16.6.0 255.255.255.0 Any
9 HO-VLAN-BUSINESS-DEV 172.16.7.0 255.255.255.0 Any
10 HO-VLAN-QUALITY-ASSRNC 172.16.8.0 255.255.255.0 Any
11 HO-VLAN-IT 172.16.9.0 255.255.255.0 Any
12 HO-VLAN-SERVER-DEV 192.168.9.0 255.255.255.0 Any
13 HO-VLAN-SERVER-PROD 192.168.8.0 255.255.252.0 Any
14 HO-VLAN-ACCOUNTING 172.16.10.0 255.255.255.0 Any
42
Confidential
FORM-SE-15
15 HO-VLAN-FINANCE 172.16.11.0 255.255.255.0 Any

16 HO-VLAN-LOGISTIK 172.16.12.0 255.255.255.0 Any
17 HO-VLAN-GA 172.16.13.0 255.255.255.0 Any
18 HO-VLAN-PAYROLL 172.16.14.0 255.255.255.0 Any
19 HO-VLAN-FPC 172.16.15.0 255.255.255.0 Any
20 HO-VLAN-LEGAL 172.16.16.0 255.255.255.0 Any
21 HO-VLAN-TAX 172.16.17.0 255.255.255.0 Any
22 HO-VLAN-INT-AUDIT 172.16.18.0 255.255.255.0 Any
23 HO-VLAN-HR 172.16.19.0 255.255.255.0 Any
24 HO-VLAN-PROCURMENT 172.16.20.0 255.255.255.0 Any
25 HO-VLAN-INT-COMM 172.16.21.0 255.255.255.0 Any
26 HO-VLAN-TRAVELDESK 172.16.22.0 255.255.255.0 Any
27 HO-VLAN-BUD 172.16.23.0 255.255.255.0 Any
28 VPN_PPTP_POOL 10.242.1.0 255.255.255.0 Any
29 AD_DNS_SERVER 192.168.10.18 255.255.255.255 Any
30 BRANCH-172.17.0.0 172.17.0.0 255.255.0.0 Any
31 BRANCH-172.18.0.0 172.18.0.0 255.255.0.0 Any
32 BRANCH-172.19.0.0 172.19.0.0 255.255.0.0 Any
33 BRANCH-172.10.0.0 172.10.0.0 255.255.0.0 Any
34 BRANCH-192.167.0.0 192.167.0.0 255.255.0.0 Any
35 BRANCH-192.168.0.0 192.168.0.0 255.255.0.0 Any
36 BRANCH-192.169.0.0 192.169.0.0 255.255.0.0 Any
37 IT_SSL 10.212.134.0 255.255.255.0 Any
Table 16 Address Object
- Group
Address Group
No. Name Members
HO-VLAN-ACCOUNTING, HO-VLAN-BUSINESS-DEV, HO-VLAN-
1 HO-GROUP-LT.2 MARKET-DEV, HO-VLAN-MARKETING, HO-VLAN-OPERATIONAL,
HO-VLAN-QUALITY-ASSRNC, HO-VLAN-STORE-DEV
HO-VLAN-ACCOUNTING, HO-VLAN-FINANCE, HO-VLAN-FPC,
2 HO-GROUP-LT.3 HO-VLAN-GA, HO-VLAN-LEGAL, HO-VLAN-LOGISTIK, HO-VLAN-
PAYROLL, HO-VLAN-TAX
3 HO-GROUP-LT.4 HO-VLAN-HR, HO-VLAN-INT-AUDIT
HO-VLAN-BUD, HO-VLAN-INT-COMM, HO-VLAN-PROCURMENT,
4 HO-GROUP-LT.5
HO-VLAN-TRAVELDESK
HO-VLAN-ACCOUNTING, HO-VLAN-IT, HO-VLAN-MGMT, HO-
5 HO-GROUP-IT
VLAN-VOICE
6 HO-GROUP-SERVER HO-VLAN-SERVER-DEV, HO-VLAN-SERVER-PROD
HO-VLAN-ACCOUNTING, HO-VLAN-BUD, HO-VLAN-BUSINESS-
DEV, HO-VLAN-FINANCE, HO-VLAN-FPC, HO-VLAN-GA, HO-
7 HO-GROUP-ALL-KFC VLAN-HR, HO-VLAN-INT-AUDIT, HO-VLAN-INT-COMM, HO-VLAN-
IT, HO-VLAN-LEGAL, HO-VLAN-LOGISTIK, HO-VLAN-MARKET-
DEV, HO-VLAN-MARKETING, HO-VLAN-MGMT, HO-VLAN-
43
Confidential
FORM-SE-15
OPERATIONAL, HO-VLAN-PAYROLL, HO-VLAN-PROCURMENT,

HO-VLAN-QUALITY-ASSRNC, HO-VLAN-SERVER-DEV, HO-
VLAN-SERVER-PROD, HO-VLAN-STORE-DEV, HO-VLAN-TAX,
HO-VLAN-TRAVELDESK, HO-VLAN-VOICE, HO_VLAN_BUD,
HO_VLAN_TRAVELDESK
8 COUNTRY_BLOCK China, Russia
BRANCH-172.10.0.0, BRANCH-172.17.0.0, BRANCH-172.18.0.0,
9 BRANCH-GROUP-KCF BRANCH-172.19.0.0, BRANCH-192.167.0.0, BRANCH-192.168.0.0,
BRANCH-192.169.0.0
BALDC001, BALDJ001, BALDJ002, eko 20, eko lan, eko wifi, ewi
10 IT Bali
ayu, ida ayu purnama sari, ida ayu putu kartika, sofyan ali
Ahda, Ali komarudin, audit1, audit2, bayu BUD, dewi kasir, Edi
Wahyudin, ibu elsa, ibu ninik, ibu wayan, ida ayu putu kartika,
11 Admin_SRC jx.nandes, laptop-yohan, lupy-Bali, meilia, Ninik TAX, Nurhasanah,
Poppy, qa2, rulli, Sahrul, Septi_Audit, tatiek, Tedy Rom, theresia,
tyas, Utrie, yusi
12 IT Bandung BDG, DC, SEP
13 IT Batam adjie, eddy aldian
14 IT Makassar mksdc001, MKSSV002, mkssv004
abi, Andri, Anteng, Atha, ayu, bachtiar, BODlt4, cahyadi, Elly, hasim,
henda, HQ Report Server, Ismi, it-plg2, jktbc001, JKTDC001,
jktdi012, JKTDI034, JKTVT001, JKTWS003, JKTWS004, jktws005,
15 IT Jakarta
jktws017, jktws018, kurrniawan, mail.ffi.co.id, Oki, Pandu-Platinum,
plg, Putri, Rachman, ryan, Server HQ Report, service desk_3, svr1-
jkt, svr2-jkt, Ulfa, Ulke, vacant it, YohanMarda, Yosephine, zulmi
16 IT Palembang ikhsan-PLG, kurmaini, kurmaini-laptop, PLGDC001, PLGSV004
17 IT Semarang Gatot Laptop, gatot semarang
18 IT Surabaya budi sby, wulan_audit
BPNDC001, BPNSV002, BPNSV003, BTADC001, BTASV002,
BTASV003, ftp 2, ftpabsen, JKTSV002, JKTSV003, JKTSV007,
19 Servers MDNDC001, MDNSV002, MDNSV003, SBYDC001, SBYSV002,
SBYSV003, servicedesk, SMGDC001, SMGSV004, SVR-Absensi,
WebApps
budhi, christine hutajulu, FFI-2, Roy IT, Admin_SRC, IT Bali, IT
20 IT USERS Bandung, IT Batam, IT Jakarta, IT Makassar, IT Palembang, IT
Semarang, IT Surabaya, Servers
aguk budi wiyono, Andi GA, balsv002, bdgsv002, Chandra Eva,
Christine Purchasing, Christine Sihombing, eddie lee, Fikri,
FITRI_PC, Fonny, ftp.ffi.co.id, Gatot, giokyen, handi, Hari Santoso,
Henly, henny, Hermansyah, ibu Poppy, Iman, Indra, Indratno, Irwan
Kurniawan, JKTSV005, Joice Siahaan, linda, Lucia Erawati, M.
21 VIP User Group
Cahya Nurjaman, NMS, nunung fsd, pak chandra, Pak Gandhi, Pak
Gandhi Wireless, reni, ria_laras, Robert SK, Rulianto, server
webapp, sherly E, shirley, Suarman, Tonggo Sirait, Tony BUD, tulus
hasibuan, Vivian, Wahyu, wahyu hidayat, Wahyu Santoso,
Yosephine, Yulius
192.168.128.0/17, 192.168.19.0, 192.168.206.0, 192.168.64.0/18,
192.169.0.0/16, Bali Network, Balikpapan Network, Bandung
Network, Gudang Ciracas, LAN, Medan Network, Palembang
22 ALL VPN
Network, Semarang Network, Surabaya Network, VPN Pool Cisco,
VPN Pool IPsec, VPN Pool L2TP, VPN Pool PPTP, VPN Pool SSL,
XL
44
Confidential
FORM-SE-15
192.168.19.0, Bali Network, Balikpapan Network, Bandung Network,

23 REDS Batam Network, Ciracas Network, Medan Network, Palembang
Network, Semarang Network, Surabaya Network
24 Deny All RSC Jakarta, ALL VPN, REDS
euis cahyati, Farida, Hesti, jktdf042, Kasto, Novita, rio-finance,
25 ebanking-group
srihayati, Teguh, Yanti, Yosephine
JKTDC002, JKTSV007, Lian, Maman Sudarisman, Roy IT, sherley,
26 VIP Users
Sridhar, Tes_Pajak, VIP User Group
act, activasi, Addy Kurniawan, Adelia, admin henk, Alvi-Market-dev,
andi, arif HRA, artha rnd, bakery, Bintang, Boy Kartin, devi, Dipo,
ditha, Dyah Internal, Edi-Lee, Efriyanto, endang wijaya, erwin legal,
fatimah, Febrina, feny rnd, ganis, hastuti, Hengky, henk, Heri TS,
Irena, isna, iwan audit, Jeffry ninkeula, jktdb018 Rida, JKTDB027
Ana, Joko AUdit, kristiwi PC, Laotop Ulil, laptop-pak agung,
27 Users Group
Marketing, mega QA, nurdin laptop, PDO-02, puji, QA syaharudin,
Rahma, Rahma Meiris, rahmadi QA, Rahmadi QA, Reza QA temp,
Rita, Rosa, Rosdiana, Rudi Sunarto, rushda, Ruslan, santi wijaya,
Sec-Purchasing, server HQ, sopyan ali, Suhadi mkt, Sukma,
supriatna, Sylvia Yohan, Taryono, tintin, wahyu hidayat, yohan, Yuli
Project, Yulidar
28 VPN LA 192.168.128.0/17, 192.168.64.0/18, 192.169.0.0/16
29 Sosial Media Bandung irsan
Ani Mkt, Arry, Denny, ervina, laptop agung, Maman Sudarisman,
30 Sosial Media group
Rosa, Sopyan, Suhadi
31 Sosial Media semarang marketing semarang, yuli widayanti
Table 17 Address Group
3.2.9 Virtual IP
Virtual IP
No Name Public IP Private IP
1 VIP_servicedesk.ffi.co.id 202.152.20.189 192.168.10.179
2 VIP_nagios 202.158.91.203 192.168.10.100
3 VIP_ftp.ffi.co.id 202.53.236.154 192.168.10.10
Table 18 Virtual IP
3.2.10 Traffic Shaper Policy (QoS)
Outgoing Shared Reverse Per-IP

No. Source Destination Schedule Status
Interface Shaper Shaper Shaper
guarantee- guarantee-
1 HO-VLAN-IT all SD-WAN - - Enabled
10Mbps 10Mbps
HO-GROUP- guarantee- guarantee-
2 all SD-WAN - - Enabled
SERVER 10Mbps 10Mbps
Table 19 QoS Policies
45
Confidential
FORM-SE-15
3.2.11 IPv4 DoS Policy
Source Destination L3 Anomalies L4 Anomalies

ID Interface Service Comment
Address Address (Block) (Block)
Protect DDoS
ISP CBN INTERNET
1 all ALL Inbound from
(port2) IPV4
CBN
tcp_syn_flood, Protect DDoS
ISP Lintas INTERNET
2 all ALL tcp_port_scan, Inbound from
Arta (port3) IPV4
udp_flood, Lintas Arta
ip_src_session udp_scan, Protect DDoS
ISP Indonet INTERNET
3 all ALL ip_dst_session icmp_flood, Inbound from
(port4) IPV4
icmp_sweep, Indonet
sctp_flood, Protect DDoS
ISP Astinet INTERNET
4 all ALL sctp_scan Inbound from
(port5) IPV4
Astinet
INSIDE INTERNET Protect DDoS
5 all ALL
(LACP) IPV4 Inbound from LAN
Table 20 DoS Policies
3.2.12 IPv4 Policy
- Flow Chart (Accept)
Figure 3-1 Flow-Chart Policy “Accept”
- Flow Chart (Deny)
Figure 3-2 Flow-Chart Policy “Deny”
46
Confidential
FORM-SE-15
- Policies
No. ID Name Incoming Interface Outgoing Interface Source Network Destination Network Schedule Services Action NAT Security Profiles
1 26 COUNTRY_BLOCK SD-WAN INSIDE COUNTRY_BLOCK all always ALL DENY - -
AntiVirus: default
2 9 SD-WAN_to_servicedesk.ffi.co.id SD-WAN INSIDE all VIP_servicedesk.ffi.co.id always VIP_Services ACCEPT Disabled
IPS: default
AntiVirus: default
3 21 SD-WAN_to_Nagios SD-WAN INSIDE all VIP_nagios always VIP_Services ACCEPT Disabled
IPS: default
AntiVirus: default
4 22 SD-WAN_to_ftp.ffi.co.id SD-WAN INSIDE all VIP_ftp.ffi.co.id always VIP_Services ACCEPT Disabled
IPS: default
AntiVirus: default
5 29 PPTP_to_INSIDE_HO SD-WAN INSIDE VPN_PPTP_POOL HO-GROUP-ALL-KFC always all ACCEPT Disabled
IPS: default
AntiVirus: default
6 30 PPTP_to_INSIDE_BRANCH SD-WAN INSIDE VPN_PPTP_POOL BRANCH-GROUP-KFC always all ACCEPT Disabled
IPS: default
7 25 INSIDE_to_SD-WAN_AD-DNS INSIDE SD-WAN AD_DNS_SERVER all always DNS ACCEPT Enabled AntiVirus: default
AntiVirus: default
8 16 INSIDE_to_SD-WAN_VIP INSIDE SD-WAN aron, Roy IT, VENDOR all always Internet_Services ACCEPT Enabled Web Filter: default
IPS: default
AntiVirus: default
Web Filter: IT Web Filter
9 15 INSIDE_to_SD-WAN_IT INSIDE SD-WAN HO-GROUP-IT all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
10 14 INSIDE_to_SD-WAN_SERVER INSIDE SD-WAN HO-GROUP-SERVER all always Internet_Services ACCEPT Enabled
IPS: default
AntiVirus: default
Web Filter: WF_KFC_Break
11 17 INSIDE_to_SD-WAN_LT.2_(Break) INSIDE SD-WAN HO-GROUP-LT.2 all Work_Hour_KFC_Break Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: WF_KFC_Anytime
12 10 INSIDE_to_SD-WAN_LT.2_(Anytime) INSIDE SD-WAN HO-GROUP-LT.2 all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
KFC
IPS: default
AntiVirus: default
KFC
IPS: default
AntiVirus: default
KFC
IPS: default
AntiVirus: default
KFC
IPS: default
AntiVirus: default
KFC
IPS: default
AntiVirus: default
KFC
IPS: default
AntiVirus: default
19 31 SD-WAN_to_SD-WAN_PPTP-INTERNET SD-WAN SD-WAN VPN_PPTP_POOL all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: IT Web Filter
20 1 IT_USERs_to_SD_WAN INSIDE SD-WAN IT USERS all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: VIP
21 2 VIP_USERs_to_SD-WAN INSIDE SD-WAN VIP Users all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
47
Confidential
FORM-SE-15
AntiVirus: default
Web Filter: Normal User
22 3 Normal_Users_to_SD-WAN INSIDE SD-WAN Riyani, TAX, Users Group all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: Call Center
23 4 Call_Center_to_SD-WAN INSIDE SD-WAN Andri, mahipal, Wahab all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: ebanking
24 5 E-Banking_to_SD-WAN INSIDE SD-WAN ebanking-group all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: ebanking
25 6 Sunfish_to_SD-WAN INSIDE SD-WAN Ciracas Network, XL all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
AntiVirus: default
Web Filter: Allow Social Media
26 7 Social_Media_to_SD-WAN INSIDE SD-WAN update.microsoft.com all always Internet_Services ACCEPT Enabled Apps Control: Application Control
KFC
IPS: default
SSLVPN_TUNNEL_ADDR
27 23 SSL_VPN_IT_to_INSIDE_HO SSL-VPN INSIDE HO-GROUP-ALL-KFC always ALL ACCEPT Enabled -
1, SSL_VPN_IT
SSLVPN_TUNNEL_ADDR
28 27 SSL_VPN_IT_to_INSIDE_BRANCH SSL-VPN INSIDE BRANCH-GROUP-KFC always ALL ACCEPT Enabled -
1, SSL_VPN_IT
SSLVPN_TUNNEL_ADDR
29 24 SSL_VPN_BRANCH_to_INSIDE_HO SSL-VPN INSIDE HO-GROUP-ALL-KFC always ALL ACCEPT Enabled -
1, SSL_VPN_BRANCH
SSLVPN_TUNNEL_ADDR
30 28 SSL_VPN_BRANCH_to_INSIDE_BRANC SSL-VPN INSIDE BRANCH-GROUP-KFC always ALL ACCEPT Enabled -
1, SSL_VPN_BRANCH
SSLVPN_TUNNEL_ADDR
31 32 SSL_VPN to SSL_VPN SSL-VPN SSL-VPN SSLVPN_TUNNEL_ADDR1 always ALL ACCEPT Enabled -
1, SSL_VPN_IT
32 0 Implicit Deny all all all all always ALL DENY - -
Table 21 IPv4 Policies
48
Confidential
FORM-SE-15
Lampiran 1 - Referensi
49
Confidential
FORM-SE-15

Implementation Document - Pengadaan Perangkat HPE Aruba Dan Fortinet + Implementasi

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Implementation Document - Pengadaan Perangkat HPE Aruba Dan Fortinet + Implementasi

Uploaded by

Copyright:

Available Formats

Pengadaan Perangkat HPE Aruba

dan Fortinet + Implementasi

Copyright © 2016 MASTERSYSTEM INFOTAMA. All rights reserved.

2 DESAIN AKHIR PERANGKAT ......................................................................................................... 2

3 KONFIGURASI PERANGKAT ........................................................................................................ 16

Table 1 Port Mapping dari Core Switch ke Remote Device .................................................................... 3

1.3 Ruang Lingkup

2 Desain Akhir Perangkat

2.1.1 Topologi High Level Network

2.1.2 Topologi Fisik dan Logik Network

2.1.2.1 Topologi Fisik Core Router

Figure 2-2 Koneksi Core – Server Farm Switch

Tabel port mapping dari core switch ke remote device :

2.1.2.2 Topologi Fisik Core Switch

Figure 2-3 Koneksi Fisik Dari Core Switch Ke Access Switch

Tabel port mapping dari core switch ke access switch :

2.1.2.3 Topologi Fisik DMZ Switch

Figure 2-4 DMZ Switch ke Perangkat – Perangkat yang Terkoneksi

Remote Local IP Remote IP

Table 3 Port Mapping DMZ Switch ke Perangkat – Perangkat yang Terkoneksi

2.1.2.4 Topologi Fisik Server Farm Switch

44 Te 1/0/44 SERVER PORT Ge 0/0 L2 ACCESS

89 Te 2/0/41 SERVER PORT Ge 0/0 L2 ACCESS

2.1.2.5 Port Mapping Switch Access

2.1.2.6 Flow Traffic dan Topologi Logik

Berikut merupakan traffic flow network di PT. Fast Food Indonesia.

Figure 2-6 Traffic Flow Network di PT. Fast Food Indonesia

1. Segment Server Farm

2. Segment User LAN

4. Internet dan MPLS

Figure 2-7 Topologi Logik yang Diimplementasi di PT Fast Food Indonesia

2.1.2.7 Skema Alokasi IP Address

/24 Allocation Vlan ID

192.168.8.0/22 Vlan Server 1

List IP Management Perangkat

2.1.3 Topologi Fortigate 200E

CBN LINTASARTA INDONET ASTINET

Figure 2-8 Topologi FortiGate 200E (INET-FW-KFC)

2.2 Daftar Perangkat yang Diimplementasi

Table 8 Bill of Quantity

; hpStack_KB Configuration Editor; Created on release #KB.16.07.0002

Server Farm Switch (SSW01-KFC-LT3)

DMZ Switch (DMZSW01-KFC-LT3)

; JL259A Configuration Editor; Created on release #WC.16.05.0007

; JL262A Configuration Editor; Created on release #WC.16.05.0007

3.2 Konfigurasi Perangkat Firewall

3.2.1 Network Interfaces

No Interface Type IP Address Link Type Comment Bandwidth (kbps)

No. Name Interface Member Gateway Volume

No Destination Next Hop IP Address Port Comment

3.2.5 Web Filter Profiles

Web Filter Profiles

3.2.6 Application Control Profiles

Application Control Profiles

3.2.7 Intrusion Prevention System (IPS) Profiles

3.2.8 Address Object and Group

15 HO-VLAN-FINANCE 172.16.11.0 255.255.255.0 Any

OPERATIONAL, HO-VLAN-PAYROLL, HO-VLAN-PROCURMENT,

192.168.19.0, Bali Network, Balikpapan Network, Bandung Network,

3.2.10 Traffic Shaper Policy (QoS)

Outgoing Shared Reverse Per-IP

3.2.11 IPv4 DoS Policy

Source Destination L3 Anomalies L4 Anomalies

3.2.12 IPv4 Policy