Description
This article describes how to deploy FortiGate CNF (Cloud Native Firewall) and associate it with an AWS account and VPC.
FortiGate CNF is a managed firewall service that allows customers to offload security infrastructure maintenance, gain deep visibility, apply robust controls, and optimize cloud security spend. It uses AWS APIs to make changes to the AWS cloud infrastructure and to fetch data.
Scope
Some prerequisites before following the article:
- A VPC has already been created inside the AWS account. If not already done, follow the link below to complete this step:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/gsg_create_vpc.html
- Route tables and subnets created:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
- Internet Gateway in VPC created:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
Solution
1) Select the link:
https://aws.amazon.com/marketplace/pp/prodview-vtjjha5neo52i
Select 'View Purchase Options' and select 'Subscribe'.
Then select 'Set up your account' at the top of the screen:
2) This will redirect to a FortiCloud login page where it is necessary to either register (if new to FortiCloud) or log in (if there is already an account).
Once logged into FortiCloud, the user will be presented with the following page:
Select the entry and the user will be logged into the FortiGate CNF GUI page.
3) To manage an AWS account, the account needs to be attached to the FortiGate CNF. Browse to the AWS accounts section on the GUI and select '+New':
After that, fill in the AWS account ID information and select 'Launch Cloud Formation Template'. It is possible to get the AWS account ID information by following the below link:
https://docs.aws.amazon.com/signin/latest/userguide/console_account-alias.html
This will redirect to the AWS CloudFormation console. Make sure to checkmark 'I acknowledge that AWS CloudFormation might create IAM users' and select 'CREATE STACK'.
Wait for the STATUS on the AWS CloudFormation console to show 'CREATE_COMPLETE'.
Now the FORTIGATE-CNF GUI page should show the status as success. This means that FortiGate CNF has successfully attached the AWS account and can make changes to any VPCs, subnets, and other network-related services inside the AWS account.
4) Now, it is necessary to deploy a CNF instance. Go to 'CNF Instances' in the FORTIGATE-CNF GUI and select 'New'.
Choose the region to deploy it in (Make sure it is in the same region as the VPCs to manage) and choose the logging method according to the needs (S3 Buckets/FAZ/SYSLOG). Select 'OK'.
It will take a few minutes to become active and synchronized. The GUI should look like this after a successful deployment:
5) Once the instance is deployed, endpoints need to be created. Select the entry inside 'CNF Instances' and select 'new' under the endpoints section.
Fill in the VPC and the subnet to be managed by the FORTIGATE-CNF. Note that the subnet to be connected must carry a tag with the following key and value: Key="fortigatecnf_subnet_type" and Value="endpoint".
Once the tag is applied to the AWS subnet, choose the same subnet in the wizard on FORTIGATE-CNF and select 'OK'.
This will create a Gateway Load Balancer in the AWS VPC and associate it with that subnet. It will now act as a proxy for the traffic traversing that subnet in the VPC to the internet and back. This is achieved by API pushes using the management access obtained in step 3.
This can be verified by going to System-> AUDIT LOG.
6) Once the Gateway Load Balancer is deployed, it is necessary to create 3 routes in AWS.
a) Route traffic from the subnet with resources (EC2/Lambda/etc.) to the VPCe (the Gateway Load Balancer endpoint created in step 5). Make sure to choose the Gateway Load Balancer endpoint as the target while adding the route in the AWS VPC.
b) Using the same method as in step a), create a route from local to local in the same route table.
c) Lastly, create a route for 0.0.0.0/0 pointing to the Internet Gateway in the VPC.
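The tag requirement from step 5 and the three routes from step 6 are easy to get subtly wrong, and a missing route silently leaves the subnet unprotected or without internet access. The following script, which is an added example and not part of the article or of Fortinet's tooling, checks both against the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` produce. The two JSON documents embedded below are constructed samples (subnet, route table, VPC, endpoint and gateway IDs are all made up); to check a live VPC, feed the real CLI output into `verify()` instead. The route target for a Gateway Load Balancer endpoint is read from `GatewayId`, with `VpcEndpointId` also accepted as an assumption in case the field name differs.

```python
"""Check a VPC for the FortiGate CNF endpoint wiring described in steps 5 and 6:
the endpoint subnet carries fortigatecnf_subnet_type=endpoint, and the route
tables contain a route to the GWLB endpoint, a local route, and a default
route to the Internet Gateway."""
import json

REQUIRED_TAG_KEY = "fortigatecnf_subnet_type"
REQUIRED_TAG_VALUE = "endpoint"

# Constructed sample shaped like `aws ec2 describe-subnets` output:
# one correctly tagged endpoint subnet and one workload subnet.
SUBNETS_JSON = """{
  "Subnets": [
    {"SubnetId": "subnet-0aaa", "CidrBlock": "10.0.1.0/24",
     "Tags": [{"Key": "Name", "Value": "cnf-endpoint"},
              {"Key": "fortigatecnf_subnet_type", "Value": "endpoint"}]},
    {"SubnetId": "subnet-0bbb", "CidrBlock": "10.0.2.0/24",
     "Tags": [{"Key": "Name", "Value": "workload"}]}
  ]
}"""

# Constructed sample shaped like `aws ec2 describe-route-tables` output:
# the workload route table sends default traffic to the GWLB endpoint (vpce-),
# the endpoint subnet's route table sends default traffic to the IGW.
ROUTE_TABLES_JSON = """{
  "RouteTables": [
    {"RouteTableId": "rtb-0work", "VpcId": "vpc-0123",
     "Associations": [{"SubnetId": "subnet-0bbb"}],
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0gwlb", "State": "active"}
     ]},
    {"RouteTableId": "rtb-0edge", "VpcId": "vpc-0123",
     "Associations": [{"SubnetId": "subnet-0aaa"}],
     "Routes": [
       {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}
     ]}
  ]
}"""


def sample_docs():
    """Parse the constructed samples (replace with real CLI output for a live check)."""
    return json.loads(SUBNETS_JSON), json.loads(ROUTE_TABLES_JSON)


def tagged_endpoint_subnets(subnets_doc):
    """Return the IDs of subnets carrying the tag FortiGate CNF requires (step 5)."""
    found = []
    for subnet in subnets_doc.get("Subnets", []):
        tags = {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}
        if tags.get(REQUIRED_TAG_KEY) == REQUIRED_TAG_VALUE:
            found.append(subnet["SubnetId"])
    return found


def route_target(route):
    """Return the target ID of a route entry. GatewayId is the usual field for
    local, IGW and VPC endpoint targets; VpcEndpointId is an assumed fallback."""
    for key in ("GatewayId", "VpcEndpointId", "NatGatewayId", "NetworkInterfaceId"):
        if route.get(key):
            return route[key]
    return None


def check_routes(route_tables_doc):
    """Map each of the three step-6 routes to the route table that holds it,
    or None when it is missing. Only active routes count (blackholes are skipped)."""
    result = {"to_gwlb_endpoint": None, "local": None, "default_to_igw": None}
    for rtb in route_tables_doc.get("RouteTables", []):
        for route in rtb.get("Routes", []):
            if route.get("State", "active") != "active":
                continue
            target = route_target(route) or ""
            dest = route.get("DestinationCidrBlock", "")
            if target.startswith("vpce-"):
                result["to_gwlb_endpoint"] = result["to_gwlb_endpoint"] or rtb["RouteTableId"]
            elif target == "local":
                result["local"] = result["local"] or rtb["RouteTableId"]
            elif target.startswith("igw-") and dest == "0.0.0.0/0":
                result["default_to_igw"] = result["default_to_igw"] or rtb["RouteTableId"]
    return result


def verify(subnets_doc, route_tables_doc):
    """Run both checks; return (ok, list of human-readable problems)."""
    problems = []
    if not tagged_endpoint_subnets(subnets_doc):
        problems.append(f"no subnet tagged {REQUIRED_TAG_KEY}={REQUIRED_TAG_VALUE}")
    for name, rtb in check_routes(route_tables_doc).items():
        if rtb is None:
            problems.append(f"missing route: {name}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = verify(*sample_docs())
    print("OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Run it before creating the endpoint in the FORTIGATE-CNF wizard (the tag check) and again after the three routes have been added; any reported problem corresponds to a step above that still has to be completed.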
Usage:
1) Address Objects and services:
Address objects and services can be created and stored in FortiGate CNF and used in firewall rules. This is available under the 'Configuration' section:
2) UTM:
It is possible to make use of the FortiGuard block list along with DNS filtering in the Security Profile section. A profile can be created there and then used inside the firewall policies.
3) Policies:
Policies to narrow down traffic can be created just like in a FortiGate. Go to 'Policy Sets'.
In this section, policies can be created as a package under a policy set. Select a pre-existing one or create a new one.
Address objects, services, and UTM (explained above) can be used in the firewall rules along with features like packet captures, and logging.
This policy set can then be attached to a CNF instance, so the endpoints in that instance inherit the UTM profiles and policies from the policy set and apply them in the AWS VPC.
A very important point to note is that a FortiGate VM is never deployed: the CNF is a management tool that pushes API requests to the AWS VPC and natively changes its settings to match the rules defined in the policy sets.
4) Billing:
This section can be used to monitor the cost of the AWS services managed by the FORTIGATE-CNF. It is possible to even download the usage as a CSV file:
5) Logs:
Logs can be viewed under System -> Audit Logs. This displays the changes made by the CNF to the AWS environment:
Follow the cookbook to understand in detail the functionality of the FORTIGATE-CNF:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/bbdfe5cd-e608-11ed-8e6d-fa163e...