FortiGate
syordanov
Staff
Article Id 393216
Description: This article describes how to use scheduled automation stitches to monitor BGP only during a specific period (outside business hours). If the BGP session, which runs over an IPsec tunnel, goes down during that period, the stitch restarts the tunnel.
Scope: FortiOS 7.0.x, 7.2.x, 7.4.x, 7.6.x.
Solution

For the purpose of this article, a simple IPsec tunnel between two FortiGates is used, with a BGP session running over that tunnel. Only one side is shown: a dialup (type dynamic) phase1-interface named VPN2 and an iBGP neighbor reached through it. The phase2 selectors and the remote peer's configuration are not part of this article.

IPsec phase1-interface and BGP configuration:


config vpn ipsec phase1-interface
    edit "VPN2"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-interface-ip enable
        set exchange-ip-addr4 192.168.99.9
        set proposal aes128-sha256
        set add-route disable
        set dpd on-idle
        set network-overlay enable
        set network-id 222
        set psksecret ENC xxxxxx
        set dpd-retryinterval 60
    next
end

config router bgp
    set as 65551
    config neighbor
        edit "192.168.99.1"
            set interface "VPN2"
            set remote-as 65551
            set update-source "VPN2"
            set password ENC xxxxxx
        next
    end
end


An automation stitch has exactly one trigger, and a trigger is of one of the following types; it is not possible to combine two trigger types in one stitch:

  • Fabric Connector Event.
  • FortiAnalyzer Event Handler.
  • FortiOS Event Log.
  • Incoming Webhook.
  • Schedule.

 

For example, it is not possible to combine 'Schedule' and 'FortiOS Event Log' in a single stitch. The example below works around this with three stitches: an event-log stitch that reacts to BGP going down, plus two scheduled stitches that enable it at the end of business hours and disable it again in the morning. If BGP goes down while the event-log stitch is enabled, the stitch disables and re-enables the IPsec tunnel.

Automation stitch that monitors BGP over the IPsec tunnel and restarts the tunnel when BGP goes down (the IPsec tunnel interface is disabled and then enabled again, with a 10 second delay between the two actions).

Trigger condition: the 'BGP neighbor status changed' event log, log ID 20300. This log ID is not specific to one neighbor and is written for both transitions (neighbor down and neighbor up), so a trigger on the bare log ID also fires when the neighbor comes back up after the restart. Check the msg field of that log on the unit and, where more than one neighbor exists or an up/down loop is a concern, add a log field filter to the trigger so that it only matches the down transition:

 

config system automation-trigger
   edit "BGP_status_down"
        set event-type event-log
        set logid 20300
   next
end
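A narrowed version of the same trigger, added here as an example that is not part of the original article. It keeps log ID 20300 but adds a log field filter on the msg field. The assumed match text 'Down' comes from the 'BGP: <neighbor> Down ...' message FortiOS writes for a neighbor-down transition, and the filter syntax (config fields with name/value under the trigger) is what the versions in scope accept; whether the value is matched as a substring or exactly, and the exact msg text, should be verified against a real log line on the unit before relying on it:

```fortios
config system automation-trigger
    edit "BGP_status_down"
        set event-type event-log
        set logid 20300
        # Log field filter: only fire when the msg field matches "Down"
        # (assumption: the neighbor-down log reads "BGP: 192.168.99.1 Down ...").
        # To limit the stitch to one neighbor, use "192.168.99.1 Down" as the value,
        # provided the filter is a substring match on your version.
        config fields
            edit 1
                set name "msg"
                set value "Down"
            next
        end
    next
end
```

With the filter in place the neighbor-up log written when the tunnel comes back does not re-run the restart, which is the main reason to add it.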


The stitch below binds the trigger to two CLI-script actions. It is created with status disabled: only the scheduled stitches described later switch it on and off. A stitch can only reference triggers and actions that already exist, so when entering this by hand, create the trigger and the two actions first, then the stitch:


config system automation-stitch
    edit "VPN_restart_BGP"
        set description "Restart IPSec when BGP is down"
        set status disable
        set trigger "BGP_status_down"
        config actions
            edit 1
                set action "Restart_VPN_Down"
                set required enable
            next
            edit 2
                set action "Restart_VPN_UP"
                set delay 10
                set required enable
            next
        end
    next
end


CLI script to bring down the IPsec tunnel interface. The script runs under the admin profile named by accprofile; super_admin is what the article uses, and a custom profile restricted to the network configuration the script needs is the least-privilege alternative. minimum-interval 0 means the action may run as often as the trigger fires; a non-zero interval (in seconds) prevents the neighbor-down event generated by the restart itself from immediately re-running the action:

config system automation-action
    edit "Restart_VPN_Down"
        set description ''
        set action-type cli-script
        set minimum-interval 0
        set script "config system interface
            edit VPN2
                set status down
            next
        end"
        set accprofile "super_admin"
    next
end


CLI script to bring the IPsec tunnel interface back up (it runs 10 seconds after the first action, as set by the delay in the stitch):

config system automation-action
    edit "Restart_VPN_UP"
        set action-type cli-script
        set script "config system interface
            edit VPN2
                set status up
            next
        end"
        set accprofile "super_admin"
    next
end


Because a scheduled trigger fires at one specific time and not for a time range, two scheduled automation stitches are needed: one enables 'VPN_restart_BGP' at the start of the after-hours window and the other disables it at the end. Each uses a CLI-script action that sets the status of the 'VPN_restart_BGP' stitch; the two actions, 'Activate_BGP_Stitch' and 'Deactivate_BGP_Stitch', are referenced by name in the stitches below.

 

Scheduled automation stitch which enables the 'VPN_restart_BGP' stitch every day at 18:00 FortiGate local time:

 

config system automation-stitch
    edit "Activate_stitch_BGP"
        set trigger "Activate_Stitch_BGP"
        config actions
            edit 1
                set action "Activate_BGP_Stitch"
                set required enable
            next
        end
    next
end

 

Scheduled automation stitch which disables the 'VPN_restart_BGP' stitch every day at 08:30 FortiGate local time:

 

config system automation-stitch
    edit "Deactivate_stitch_BGP"
        set description "deactivate stitch BGP during working hours"
        set trigger "Deactivate_Stitch_BGP"
        config actions
            edit 1
                set action "Deactivate_BGP_Stitch"
                set required enable
            next
        end
    next
end
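The two CLI-script actions referenced by these stitches, 'Activate_BGP_Stitch' and 'Deactivate_BGP_Stitch', are not shown in the original article. Added here as an example of what they need to contain, not the article's own text: each is a cli-script action that sets the status of the 'VPN_restart_BGP' stitch, and each runs under super_admin because editing automation stitches requires system configuration rights (the description strings are assumed):

```fortios
config system automation-action
    # Runs at 18:00 (trigger Activate_Stitch_BGP): turn the event-log stitch on.
    edit "Activate_BGP_Stitch"
        set description "Enable VPN_restart_BGP outside working hours"
        set action-type cli-script
        set script "config system automation-stitch
            edit VPN_restart_BGP
                set status enable
            next
        end"
        set accprofile "super_admin"
    next
    # Runs at 08:30 (trigger Deactivate_Stitch_BGP): turn the event-log stitch off.
    edit "Deactivate_BGP_Stitch"
        set description "Disable VPN_restart_BGP during working hours"
        set action-type cli-script
        set script "config system automation-stitch
            edit VPN_restart_BGP
                set status disable
            next
        end"
        set accprofile "super_admin"
    next
end
```

Create these two actions before the scheduled stitches that reference them; the stitch configuration is rejected if the action name does not exist yet.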

 

The two scheduled triggers referenced by the stitches above. Both rely on the default trigger-frequency; confirm with 'show system automation-trigger' that it is daily on the running version:

config system automation-trigger
    edit "Activate_Stitch_BGP"
        set description "Activate BGP-IPSEC stitch every day after working hours"
        set trigger-type scheduled
        set trigger-hour 18 <----- Activated at 18:00 FortiGate local time.
    next
    edit "Deactivate_Stitch_BGP"
        set description "deactivate BGP stitch during working hours"
        set trigger-type scheduled
        set trigger-hour 8 <----- Deactivated at 08:30 FortiGate local time.
        set trigger-minute 30
    next
end
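To check the result on the unit. These are standard FortiOS show/get/diagnose commands added here for verification; they are not part of the original article:

```fortios
# The event-log stitch should show 'set status disable' during working hours
# and 'set status enable' after 18:00.
show system automation-stitch VPN_restart_BGP
# Confirm the three triggers and four actions exist with the names the stitches reference.
show system automation-trigger
show system automation-action
# BGP neighbor state over the tunnel, and the tunnel itself.
get router info bgp summary
diagnose vpn ike gateway list
diagnose vpn tunnel list
# Watch the automation daemon while the neighbor is taken down on the far end
# (for example by shutting the peer's BGP neighbor), then turn debugging off again.
diagnose debug application autod -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

Run the neighbor-down test once inside the window and once outside it: inside, the autod output should show the stitch running both actions about 10 seconds apart and the tunnel re-establishing; outside, the log should still be written but no action should run.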