1. Create the address objects

config firewall address
    edit "MyAzureNetwork"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "MyPrivateLAN"
        set associated-interface "internal"
        set subnet 192.168.0.0 255.255.255.0
    next
end
NOTE: The interface that carries the private segment may not be named internal (it could be port1, lan, internal1, etc.); use the actual interface name in associated-interface and in the policies in step 5.
2. Create the phase1 (IPsec interface mode)
config vpn ipsec phase1-interface
    edit "ToAzure"
        set interface "wan1"
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        set remote-gw 22.214.171.124
        set psksecret ENC eXcOpXVMlNs8ikaCME1pNCdQFE1W82Dy
        set dpd enable
    next
end
NOTE: remote-gw must be the public IP address of the Azure VPN gateway shown in the Azure configuration, and psksecret must match the shared key configured on the Azure side (the ENC value above is the stored, encrypted form of that key).
3. Create the phase2
config vpn ipsec phase2-interface
    edit "P2-Azure"
        set phase1name "ToAzure"
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set proposal aes128-sha1
        set src-addr-type subnet
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

NOTE: The selectors can be given either as subnets, as shown, or by referencing the address objects from step 1 (set src-addr-type name with set src-name "MyPrivateLAN", and set dst-addr-type name with set dst-name "MyAzureNetwork"); choose one form, not both.
4. Add a static route
config router static
    edit 21
        set device "ToAzure"
        set dst 192.168.10.0 255.255.255.0
    next
end
5. Create firewall security policies
config firewall policy
    edit 5
        set srcintf "internal"
        set dstintf "ToAzure"
        set srcaddr "MyPrivateLAN"
        set dstaddr "MyAzureNetwork"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
    edit 6
        set srcintf "ToAzure"
        set dstintf "internal"
        set srcaddr "MyAzureNetwork"
        set dstaddr "MyPrivateLAN"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
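Added example, not code from this tutorial or from Fortinet: a small Python checker that parses the flat FortiOS config/edit/set blocks used in the steps above and reports a phase2 whose phase1name matches no phase1, a policy with no return-direction counterpart, and the sub-2048-bit DH group 2 and SHA-1 proposals this tutorial uses. The embedded SAMPLE is constructed from the steps above with policy 6 deliberately left out; the parser assumes flat blocks with no nested config sections.

```python
import shlex

# Constructed sample, not the full tutorial config: the return policy (6) is left out on purpose.
SAMPLE = """config vpn ipsec phase1-interface
edit "ToAzure"
set proposal aes256-sha1
set dhgrp 2
next
end
config vpn ipsec phase2-interface
edit "P2-Azure"
set phase1name "ToAzure"
set proposal aes128-sha1
next
end
config firewall policy
edit 5
set srcintf "internal"
set dstintf "ToAzure"
next
end"""

def parse_fortios(text):
    # Flat config/edit/set/next/end blocks only -> {table: {entry: {key: [values]}}}
    cfg, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return cfg

def check_vpn(cfg):
    # Findings: dangling phase1 reference, one-way policy pair, DH group 1/2/5 or SHA-1/MD5/DES proposals
    p1, p2 = cfg.get("vpn ipsec phase1-interface", {}), cfg.get("vpn ipsec phase2-interface", {})
    findings = []
    for name, e in p2.items():
        if e.get("phase1name", [""])[0] not in p1:
            findings.append(f"phase2 {name}: phase1name does not match any phase1")
    pairs = {(e["srcintf"][0], e["dstintf"][0]) for e in cfg.get("firewall policy", {}).values()}
    for src, dst in sorted(pairs):
        if (dst, src) not in pairs:
            findings.append(f"no return policy for {dst}->{src}")
    for name, e in {**p1, **p2}.items():
        weak = {f"dhgrp {g}" for g in e.get("dhgrp", []) if g in ("1", "2", "5")}
        weak |= {f"proposal {p}" for p in e.get("proposal", []) if any(w in p for w in ("sha1", "md5", "des"))}
        findings += [f"{name}: weak setting {w}" for w in sorted(weak)]
    return findings
```

Run check_vpn(parse_fortios(...)) over a config exported with "show", after the tunnel is built, to catch a missing return policy before it shows up as one-way traffic.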