vivekshah
Staff

Azure virtual network terminal access point (TAP) provides the capability to encapsulate and mirror the traffic of a virtual machine's network interface to a network interface of an appliance, or to a load balancer fronting an appliance. For workloads deployed in Azure where inline traffic inspection by a stateful device such as an NGFW (Next-Generation Firewall) isn't in place or isn't feasible, virtual network TAP provides visibility into network traffic without rearchitecting the network or rerouting production traffic: the appliance inspects a mirrored copy out of band and never sits in the production data path.

Leveraging virtual network TAP with FortiGate VM enables the following use cases:

  • Network visibility into the traffic sent and received by your workloads in Azure. The IDS (intrusion detection system) capability on FortiGate VM can detect network-based attacks such as DoS, DDoS, and port scanning in the mirrored traffic, as well as malware and viruses, ransomware, and data exfiltration. Because the FortiGate sees a copy of the traffic, it detects and logs but does not block.
  • The capability to send these traffic logs to a centralized place, like FortiAnalyzer, to run analytics and generate reports.

High-Level Architecture Diagram for a 3-Tier Web App Leveraging virtual network TAP


This article explains how to integrate virtual network TAP with FortiGate to provide IDS functionality for workloads hosted in Azure.

 

FortiGate Integration with virtual network TAP

 

In this setup, we will create a virtual network TAP instance and use a pair of Ubuntu VMs acting as client and server. The TAP mirrors the traffic of these VMs to a FortiGate instance hosted in the same region and fronted by an internal load balancer; the original packets between the two VMs are not affected. The FortiGate instance performs IDS on the mirrored copy and evaluates it against the configured security profiles.

 

Note: virtual network TAP can also send mirrored traffic directly to the network interface (NIC) of an appliance. This is an option when a single FortiGate instance is deployed. When FortiGate is deployed as a cluster, it is recommended to use an ILB (Internal Load Balancer) as the TAP destination so that the mirrored traffic is delivered to the cluster through one frontend; the ILB can be used with a single FortiGate instance as well.

 


Virtual network TAP and VXLAN 

 

Virtual network TAP encapsulates the mirrored traffic in VXLAN and tunnels it from the source to the configured destination using a VXLAN Network Identifier (VNI) of 27. The FortiGate VM therefore needs a VXLAN interface that terminates this tunnel with the same VNI; its configuration is shown below.

 

Prerequisites: 

 

  • Two Ubuntu VMs, an internal load balancer, and a FortiGate VM instance deployed as part of a subnet within a VNET.
  • The FortiGate VM instance is configured as a load balancer backend.
  • The FortiGate VM instance should be running FortiOS version 7.4 or higher.

Setup:

 

  1. Set up the ILB:
     • Create an HA ports load-balancing rule on the ILB with the FortiGate VM as the backend instance. Ensure that an appropriate health probe is applied for monitoring and disable floating IP, so that the ILB forwards the mirrored VXLAN packets to the FortiGate VM's own NIC IP address.
  2. Deploy and configure the virtual network TAP resource:
     • Deploy the virtual network TAP following the steps provided here: Deploy vTAP
     • Ensure the destination and sources are configured as follows:
       • Destination: Load balancer, selecting the frontend IP of the ILB created in step 1.
       • Sources: the IP addresses (NIC IP configurations) of the client and server Ubuntu VMs.


  3. Configure the FortiGate VM:
     • Set up VXLAN on the FortiGate VM:

config system vxlan
    edit "vxlan1"
        set interface "port2"
        set vni 27
        set remote-ip "172.16.20.69" "172.16.20.70"
    next
end

Interface: the port on the FortiGate VM to which the ILB sends traffic (the NIC that is in the load balancer backend pool).

VNI: must be 27, the VNI used by virtual network TAP.

Remote IP: the IP addresses of the Ubuntu VMs that are configured as sources in virtual network TAP. Every source added to the TAP must also be listed here, so keep the two lists in sync when sources are added or removed.

 

     • Set up IDS / one-arm sniffer on the VXLAN interface:

From the GUI, navigate to Network > Interfaces > vxlan1, set the interface's addressing mode to One-Arm Sniffer, enable the security profiles (for example IPS, antivirus and application control) that should be applied to the mirrored traffic, and enable logging.

Note: The security profiles can be customized per requirements. More details can be obtained at FortiGate One-Arm Sniffer. In sniffer mode the FortiGate only inspects and logs the mirrored traffic; it cannot block, because it is not in the data path.

Make sure probe response is enabled on the FortiGate VM interface that receives health probes from the Azure Load Balancer, and that a static route exists for the probe source (Azure Load Balancer health probes originate from 168.63.129.16) so that the FortiGate can answer them; if the probe fails, the ILB stops forwarding the mirrored traffic. Additionally, ensure that routing is in place for the FortiGate VM to reach the source VMs, which are the VXLAN remote peers, through the interface the VXLAN is bound to.
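To make the VXLAN section and the remote-ip setting concrete, the following Python script (an added example written for this article, not FortiGate or Azure code) builds a packet shaped like what virtual network TAP delivers (outer IPv4/UDP 4789, VXLAN header with VNI 27, inner Ethernet/IPv4), then parses it with the same checks the FortiGate VXLAN interface above is configured for: a known peer from the "remote-ip" list, VNI 27, and the inner packet that the sniffer profiles inspect. It also lists TAP sources that are missing from the "remote-ip" line. The FortiGate port2 address 172.16.20.4, the MAC addresses and all packet bytes are assumptions constructed for the example.

```python
"""Decode Azure virtual network TAP mirrored traffic (VXLAN, VNI 27) and check the
FortiGate VXLAN peer list. Added example for this article, not FortiGate/Azure code.
The FortiGate port2 address and every packet byte below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789   # VXLAN destination port (RFC 7348)
AZURE_TAP_VNI = 27      # VNI used by Azure virtual network TAP (see article)
VXLAN_I_FLAG = 0x08     # "VNI valid" flag in the VXLAN header

# From the article: the tapped VMs are both the TAP sources and the FortiGate remote-ip peers.
TAP_SOURCES = ["172.16.20.69", "172.16.20.70"]
FORTIGATE_PORT2 = "172.16.20.4"   # assumed address of the ILB backend NIC (port2)


@dataclass
class MirroredFrame:
    outer_src: str      # VXLAN peer (the tapped VM)
    outer_dst: str      # FortiGate NIC, after the ILB's DNAT (floating IP disabled)
    vni: int
    inner_src: str      # original packet exactly as the workload sent it
    inner_dst: str
    inner_proto: int


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: no options, checksum left at zero (enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_tap_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                     inner_proto: int, vni: int = AZURE_TAP_VNI, payload: bytes = b"") -> bytes:
    """Constructed TAP delivery: outer IPv4 / UDP 4789 / VXLAN header / inner Ethernet+IPv4."""
    inner = (b"\x00\x0d\x3a\x00\x00\x02" + b"\x00\x0d\x3a\x00\x00\x01" + b"\x08\x00"  # constructed MACs, EtherType IPv4
             + _ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload)
    vxlan = bytes([VXLAN_I_FLAG, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")  # flags, 3 reserved, VNI, reserved
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0) + vxlan + inner
    return _ipv4_header(outer_src, outer_dst, 17, len(udp)) + udp


def parse_tap_packet(pkt: bytes, remote_ips, expected_vni: int = AZURE_TAP_VNI) -> MirroredFrame:
    """Apply the checks the FortiGate VXLAN interface is configured for (UDP/4789,
    peer in remote-ip, VNI 27) and expose the inner packet the sniffer profiles see."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("outer packet is not UDP")
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    outer_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    udp = pkt[ihl:]
    _, dport, _, _ = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP destination port {dport}")
    if outer_src not in remote_ips:
        raise ValueError(f"VXLAN peer {outer_src} is not in the FortiGate remote-ip list")
    vx = udp[8:16]
    if not vx[0] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(vx[4:7], "big")
    if vni != expected_vni:
        raise ValueError(f"unexpected VNI {vni}; TAP traffic uses VNI {expected_vni}")
    eth = udp[16:]
    if struct.unpack("!H", eth[12:14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    ip = eth[14:]
    return MirroredFrame(outer_src, outer_dst, vni,
                         str(ipaddress.IPv4Address(ip[12:16])),
                         str(ipaddress.IPv4Address(ip[16:20])), ip[9])


def missing_remote_ips(tap_sources, fortigate_remote_ips) -> list:
    """TAP sources that the FortiGate 'set remote-ip' line does not list."""
    return sorted(set(tap_sources) - set(fortigate_remote_ips))


if __name__ == "__main__":
    # A ping (proto 1) from the client VM to the server VM, mirrored from the client's NIC.
    pkt = build_tap_packet("172.16.20.69", FORTIGATE_PORT2, "172.16.20.69", "172.16.20.70", 1)
    print(parse_tap_packet(pkt, TAP_SOURCES))
    print("sources not in remote-ip:", missing_remote_ips(TAP_SOURCES + ["172.16.20.71"], TAP_SOURCES))
```

The two failure paths are the ones worth knowing in this deployment: a source added to the TAP but not to "remote-ip" fails the peer check, and anything arriving on UDP 4789 with a VNI other than 27 is not TAP traffic and is rejected.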

 

  4. Verification:
     • From the GUI, navigate to Log & Report > Sniffer Traffic.
     • Here, you will see all the traffic mirrored to the FortiGate VM from the sources configured in virtual network TAP. For simplicity, the view is filtered to show only ping traffic between the two VMs. A quick check is to ping the server VM from the client VM and confirm that both the request and the reply appear in the sniffer log; if nothing appears, verify the ILB health probe, the VNI and the remote-ip list first.


Conclusion

 

This integration between Fortinet and Microsoft delivers network visibility for workloads hosted in Azure by mirroring the traffic to the FortiGate VM, which can monitor and alert on suspicious traffic based on the configured security profiles.

 

This article provides useful information for those seeking to understand and leverage Fortinet's solutions in Azure. These insights, tips, and best practices offer a foundation for testing and familiarizing oneself with the capabilities of Fortinet's products. The guidance shared here is intended exclusively for lab and testing purposes. For deploying these solutions in a production environment, or implementing advanced configurations tailored to the unique needs of your organization, it is strongly recommended to reach out to Fortinet's Cloud Consulting Services team at consulting@fortinet.com.

 

Fortinet’s Cloud Consulting experts bring extensive experience and expertise to ensure that cloud security solutions are deployed securely, optimized for peak performance, and configured for maximum efficiency.