Skip to main content
burtmianus
burtmianus
New Member
March 17, 2017
Question

Azure Fortigate Configuration

  • March 17, 2017
  • 1 reply
  • 5360 views

Hola,

 

So we're about to buy 3 x 4-core Fortigate VMs in Azure (I have the custom json file to make the right ones as it's not a azure Marketplace option yet), and have ninja'd a 30 day license off our SE (in fact this is my third).

 

It seems that my first attempt at deploying these things was a fluke, as my latest attempt has turned into a failure.... so I am hoping that someone out there has had success in using Azure and Fortigate together....

 

Here's what I'm doing:

 

Have deployed the Fortigate VM in Azure using the defaults that you get given (load balancer, 2 public IPs [linux machine and load balancer front end], linux vm, NICs, user defined routing etc.) and i have logged in, changed admin port, successfully added it to our fortimanager and imported a rudminetary policy.

 

I then tried to add it to our VPN Mesh, this is where it fell over - something in the Azure half of this is confusing the hell out of me, so what I am looking for is someone who has used Fortigate Azure VM to VPN to another Fortigate and knows the nuances that using Azure's platform provides (i.e. the NICs are DHCP, which public IP to use, what IP to set as local gateway in the vpn config etc.).

 

So if you can help please do, don't just point me to the "VPN to Azure" article as that isn't it!

 

Thanks

 

Chris

 

    1 reply

    emnoc
    emnoc
    New Member
    March 18, 2017

    Will if you gotten this far you should be almost at home base. Lesson I learned build site2site to azure non-FGT

     

    IKEv2 baby yes IKEv2

     if your doing ipsec LAN2LAN  ( assumption you are ) than you need to  t-shoot the proposal and negoiation with  the remote-peer

     

    It ( AzueFGT-VM ) is pretty much the same as any FGT, you should not have the many obstacles imho. The portal for native  IPSEC  is very basic , as much so as GOOG compute.

     

    set and define your phase1/2 ( 0.0.0.0/0:0 )  and fwpolices

     

     

    Here's what I configured on the  headend  FGT that was nailed to azure instance.

     

     

    config vpn ipsec phase1-interface      edit  FGT2AZURE                     set interface wan1                          set ike-version 2          set dhgrp 2          set proposal aes128-sha1 aes256-sha1          set remote-gw <x.x.x.)          set psksecret ourstrongkeyhere      next  end onfig vpn ipsec phase2-interface      edit  FGT2AZUREP2              set keepalive enable          set keylife-type both          set pfs disable          set phase1name FGT2AZURE          set proposal aes128-sha1 aes256-sha1          set keylifeseconds 3600      next  end ( don't forget static routes and +fwpolicies )

     

    On the  MS AZURE side we used the following;

     

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

     

    So you will have to extract that howto to apply on the FGT in azure.

     

     

     

    Terms & ConditionsAccessibility statement