Alan_Chen
Staff

Feature Introduction

AWS Cloud WAN

AWS Cloud WAN provides a central dashboard for making connections between your branch offices, data centers, and Amazon Virtual Private Clouds (Amazon VPCs), building a global network with only a few clicks. You use network policies to automate network management and security tasks in one location. Cloud WAN generates a complete view of your on-premises and AWS networks to help you monitor network health, security, and performance.

Fortinet SD-WAN

The Fortinet SD-WAN (software-defined wide-area network) solution enables enterprises to transform and secure all WAN edges. Leveraging the Security-driven Networking approach, which uses one operating system and one centralized management console, enterprises realize a superior user experience, a more effective security posture through converged networking and security, and operational continuity and efficiency. Fortinet FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises. Our Security-Driven Networking approach consolidates SD-WAN, next-generation firewall (NGFW), and advanced routing.

Zero Trust Network Access (ZTNA)

ZTNA is a capability within Zero Trust Access (ZTA) that controls access to applications. It extends the principles of ZTA to verify users and devices before every application session. ZTNA confirms that they meet the organization's policy for accessing that application. Our approach of delivering Universal ZTNA as part of FortiGate makes it uniquely flexible, covering users whether they are remote or in the office.

Example Description

In the previous example, we used the integration of AWS Cloud WAN and Fortinet SD-WAN to achieve cloud-network convergence of enterprise services, so that enterprise employees can quickly access internal applications deployed on AWS from any branch office.

For details, see:

https://fusecommunity.fortinet.com/blogs/alan/2022/10/08/aws-cloud-wan-integration-fortinet-sd-wan-1

In this example, many employees are working remotely due to COVID-19 and need anytime, anywhere access to the business systems in Frankfurt. The security department wants to meet this demand while protecting the business systems with a Zero Trust architecture: only users and devices that comply with the Zero Trust policy are allowed to access the business system applications.

Architecture:

[Architecture diagram]

Configuration Instructions

1. Deploy FortiClient EMS and configure Zero Trust rules

  • Log in to FortiCloud and enable FortiClient EMS Cloud in the Services menu

[Screenshot: enabling FortiClient EMS Cloud in the FortiCloud Services menu]

  • Configure Zero Trust policy rules in FortiClient EMS Cloud. For the business requirements of this example, we add a Zero Trust tag [Business_ZTNA_Trust]. For a detailed description, see the reference documentation: Zero Trust Tagging Rules

[Screenshot: Zero Trust tagging rule for the Business_ZTNA_Trust tag]

2. Configure FortiGate for the Fortinet-VPC and enable ZTNA

  • Configure FortiClient EMS in Fabric Connectors to connect to FortiClient EMS Cloud

[Screenshot: FortiClient EMS Fabric Connector]

  • Configure a ZTNA Server to protect Frankfurt's business system applications

[Screenshot: ZTNA Server configuration]

  • Configure Zero Trust access rules in ZTNA Rules to allow only users and devices that carry both ZTNA tags, [Employee] and [Business_ZTNA_Trust], to access the protected Frankfurt business system applications.

[Screenshot: ZTNA Rule requiring the Employee and Business_ZTNA_Trust tags]

3. Install FortiClient on the user device and connect it to FortiClient EMS to obtain the Zero Trust policy identity

[Screenshot: FortiClient connected to FortiClient EMS]

  • Click the avatar to open the user information page and confirm the Zero Trust policy identity status of the current user device

[Screenshot: FortiClient user information page showing the Zero Trust tags]

Verify

1. When users and devices comply with the Zero Trust rules, Frankfurt's business system applications can be accessed from anywhere.

[Screenshot: compliant device accessing the Frankfurt application remotely]

2. When users and devices don't comply with the Zero Trust rules, they can't access Frankfurt's business system applications.

[Screenshot: non-compliant device denied access remotely]

3. When users and devices don't comply with the Zero Trust rules, Frankfurt's business system applications are not accessible even in the office.

[Screenshot: non-compliant device denied access from the office]
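The following Python block is an added example, not code from the original post or from Fortinet. It models the access decision that steps 1 and 2 configure in the GUI: EMS tagging rules that grant a device a tag only when every criterion holds, and a ZTNA rule that requires all of its listed tags (logical AND). The posture attributes (antivirus running, disk encrypted, OS patched), the group name `employees`, the rule name `Frankfurt_Business_Apps` and the three sample devices are constructed assumptions; the real products evaluate many more attributes. The samples reproduce the three checks of the Verify section, including the third one: a device that fails the tagging rule is denied even when its location is the office, because location is never part of the decision.

```python
# Added example, not code from the original post or from Fortinet: a small
# model of the Zero Trust access decision that steps 1-2 configure in
# FortiClient EMS (tagging rules) and FortiGate (ZTNA rules). Posture fields,
# tag criteria, group/rule names and device samples are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Attributes FortiClient would report to EMS (constructed sample set)."""
    user: str
    user_groups: frozenset
    av_running: bool
    disk_encrypted: bool
    os_patched: bool
    location: str  # "remote" or "office"; kept only to show it is never consulted


# Step 1 equivalent: Zero Trust tagging rules. A tag is granted only when every
# predicate in its rule holds for the device. (Criteria are constructed.)
TAGGING_RULES = {
    "Employee": [lambda d: "employees" in d.user_groups],
    "Business_ZTNA_Trust": [
        lambda d: d.av_running,
        lambda d: d.disk_encrypted,
        lambda d: d.os_patched,
    ],
}

# Step 2 equivalent: ZTNA rules. Every tag listed is required (logical AND),
# matching the post's rule that needs both [Employee] and [Business_ZTNA_Trust].
ZTNA_RULES = [
    {
        "name": "Frankfurt_Business_Apps",  # constructed rule name
        "required_tags": frozenset({"Employee", "Business_ZTNA_Trust"}),
        "action": "accept",
    },
]


def evaluate_tags(posture):
    """Return the set of Zero Trust tags the device earns right now."""
    return {tag for tag, preds in TAGGING_RULES.items()
            if all(pred(posture) for pred in preds)}


def ztna_decision(posture):
    """Evaluate the ZTNA rules for one session.

    Returns (action, matched_rule_name, tags). Tags are recomputed on every
    call because ZTNA re-verifies user and device before each session, so a
    device that loses a tag loses access on its next connection.
    """
    tags = evaluate_tags(posture)
    for rule in ZTNA_RULES:
        if rule["required_tags"] <= tags:
            return rule["action"], rule["name"], tags
    # No rule matched: implicit deny. Posture decided the outcome;
    # posture.location was never consulted.
    return "deny", None, tags


# Constructed devices mirroring the three checks in the Verify section.
SAMPLE_DEVICES = {
    "compliant_remote": DevicePosture("alice", frozenset({"employees"}),
                                      True, True, True, "remote"),
    "noncompliant_remote": DevicePosture("bob", frozenset({"employees"}),
                                         False, True, True, "remote"),
    "noncompliant_office": DevicePosture("carol", frozenset({"employees"}),
                                         True, False, True, "office"),
}


def run_verification():
    """Map each sample device name to the ZTNA action it receives."""
    return {name: ztna_decision(dev)[0] for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        action, rule, tags = ztna_decision(dev)
        print(f"{name:22s} tags={sorted(tags)} -> {action} ({rule})")
```

Running the block prints one line per sample device; only `compliant_remote` receives `accept`. The point worth carrying over to the real deployment is the last branch of `ztna_decision`: with no matching ZTNA rule the result is a deny, so the office case fails for the same reason the remote case does.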