lmomesso
Staff

A prominent US-based specialty engineering and construction company faced challenges centralizing security controls, gaining visibility into traffic patterns and intrusion attempts, and applying policies at the application level within their cloud infrastructure. They turned to Fortinet Cloud Consulting Services to develop a comprehensive cloud network security design tailored to their unique requirements to ensure top-tier security and operational efficiency on AWS.


Guided Expertise in Selecting the Right Cloud Architecture


The Fortinet Cloud Consulting Services team worked closely with the customer to create an architecture that emphasized scalability, reliability, and robustness. The Fortinet consultants outlined multiple options, highlighting their unique benefits and potential challenges. This in-depth analysis enabled the customer to make informed decisions, ensuring their infrastructure not only satisfied current needs but was also adaptable for future advancements, facilitating a smooth migration.


Centralized Firewall Policy Management and Full Visibility of Network Traffic


Fortinet’s FortiGate Next-Generation Firewall is at the core of the customer’s security Virtual Private Cloud (VPC). Running the same OS as FortiGate hardware appliances, FortiGate-VMs enable you to enforce consistent security policies across any private or public cloud. Powered by AI-driven threat intelligence, FortiGate VMs provide proven threat protection at scale.


A pivotal aspect of the solution was the integration of FortiGate-VMs with the AWS Gateway Load Balancer (GWLB) in combination with AWS Transit Gateway, which was instrumental in achieving granular inspection of all the flows in the customer environment. The customer had public-facing workloads fronted by AWS Application Load Balancer (ALB), private workloads without an elastic IP that still needed to access the Internet, inter-VPC flows, and traffic between their on-premises data center and AWS. All these flows are now inspected by FortiGate-VMs for compliance with business policies. This setup not only enhanced the security posture but also improved network visibility, offering a scalable and resilient architecture that could adapt to the evolving demands of the digital landscape. The figure below shows the architectural implementation.


[Figure: architectural implementation of the FortiGate-VM, Gateway Load Balancer and Transit Gateway design]


Further enhancing this security solution, the Fortinet team also integrated centralized firewall policy management with FortiManager. This allows for streamlined and consistent policy administration across the customer's entire network landscape, significantly simplifying the management of security policies. Additionally, with the integration of FortiAnalyzer, the customer gained full visibility into network traffic. This tool provided comprehensive logging, analysis, and reporting capabilities, enabling the customer to monitor, understand, and respond to network activities effectively. These additions were crucial in achieving a holistic security stance, offering the customer an unparalleled level of control and insight into their network security.


GuardDuty Feeds Threat Intelligence on FortiGate

AWS GuardDuty is a managed service that detects threats by monitoring for suspicious or unauthorized activity on AWS resources. It reports detailed incident records called "findings". Fortinet Cloud Consulting has created a Lambda script, 'aws-lambda-guardduty', that processes these findings to identify malicious IP addresses, which are then stored in an S3 bucket. The FortiGate-VM retrieves this list of IP addresses as an external threat feed by pointing a threat feed connector at the object's URL. To enable this integration, the customer needs to enable the GuardDuty, CloudWatch, and S3 services. The figure below shows the architectural diagram of the integration.


[Figure: GuardDuty to FortiGate threat feed integration architecture]
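The finding-to-feed step described above, as an added illustration that is not Fortinet's 'aws-lambda-guardduty' code: a Lambda handler that pulls remote IP addresses out of a constructed GuardDuty finding event, drops internal ranges and duplicates, and renders the newline-delimited list a FortiGate IP address threat feed reads. The S3 write is omitted so the example runs offline; the event shape assumes the finding arrives via an EventBridge rule.

```python
import ipaddress

# Constructed GuardDuty finding shaped like the EventBridge event a Lambda
# receives; trimmed to the fields used here, addresses are made up.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5,
    "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
        "portProbeDetails": [
            {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
            {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},  # duplicate
            {"remoteIpDetails": {"ipAddressV4": "10.0.1.5"}},       # internal
        ]}}}}}

# Ranges that must never reach a blocklist enforced by the security VPC
# firewalls: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _remote_ip_details(action):
    """Yield remoteIpDetails from every action type GuardDuty emits."""
    for key in ("networkConnectionAction", "awsApiCallAction", "dnsRequestAction"):
        if "remoteIpDetails" in action.get(key, {}):
            yield action[key]["remoteIpDetails"]
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        if "remoteIpDetails" in probe:
            yield probe["remoteIpDetails"]


def extract_remote_ips(event, min_severity=4.0):
    """Return de-duplicated external IPv4 strings from one finding."""
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < min_severity:
        return set()  # low-severity findings do not feed the blocklist
    ips = set()
    for rid in _remote_ip_details(detail.get("service", {}).get("action", {})):
        try:
            ip = ipaddress.ip_address(rid.get("ipAddressV4", ""))
        except ValueError:
            continue  # missing or malformed address
        if not any(ip in net for net in INTERNAL_NETS):
            ips.add(str(ip))
    return ips


def render_feed(ips):
    """One entry per line with '#' comments, as a FortiGate IP threat feed reads."""
    return "\n".join(["# generated from GuardDuty findings"] + sorted(ips)) + "\n"


def lambda_handler(event, context=None):
    ips = extract_remote_ips(event)
    # A deployed function would merge with the existing S3 object and put_object it.
    return {"count": len(ips), "body": render_feed(ips)}
```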


Moreover, the Fortinet team built and packaged all necessary deployment scripts, which streamlined the migration process and minimized potential disruptions. Recognizing the importance of ongoing knowledge and self-sufficiency, Fortinet’s experts provided comprehensive training on all components of the solution and best practices. This educational effort ensured that the customer's engineering staff were not just passive recipients of a new system but active participants in its operation and future development.


To learn more about Fortinet Cloud Consulting Services for AWS, visit here.


1 Comment
Inugakoo
New Contributor

Their integration of FortiGate-VMs with AWS services like the Gateway Load Balancer and Transit Gateway is a smart move for centralized control and consistent policy enforcement.