- The network comprises a data center (DC) and two sites, Site-A and Site-B. Below is a network diagram of the setup. The DC firewall connects to Site-A and Site-B through the same egress interface, as shown in the diagram.
- Two VPNs are created because the remote gateways differ. Below is the phase 1 configuration.
Hub # show vpn ipsec phase1
config vpn ipsec phase1
    edit "Site-A"
        set interface "port2"
        set ike-version 2
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set remote-gw 10.8.11.129
        set psksecret ENC <PSK>
    next
    edit "Site-B"
        set interface "port2"
        set ike-version 2
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set remote-gw 10.8.11.132
        set psksecret ENC <PSK>
    next
end
- The egress interface for the VPNs is port2, which is a member of the Untrust zone. Two policies are created, one for each site. Below is the policy configuration.
Hub # show firewall policy
config firewall policy
    edit 1
        set name "Site-A"
        set uuid 6646e208-1030-51ef-6c5d-b7df2786104d
        set srcintf "Internal"
        set dstintf "Untrust"
        set action ipsec
        set srcaddr "DC_Subnet"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set vpntunnel "Site-A"
    next
    edit 2
        set name "Site-B"
        set uuid 81208dbe-1287-51ef-b632-4c3da41aa5cf
        set srcintf "Internal"
        set dstintf "Untrust"
        set action ipsec
        set srcaddr "DC_Subnet"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set vpntunnel "Site-B"
    next
end
- In this scenario the primary VPN is toward Site-A and the backup VPN is toward Site-B. The screenshot below of the policy list in the GUI shows the policy order on the firewall.
- The output below shows that the VPNs to both locations are currently up. However, because policy lookup is top-down and stops at the first match, traffic will always match the Site-A policy and be sent to Site-A.
- Configure an automation trigger in the firewall to track the event ID for VPN tunnel-down action. Navigate to Security Fabric -> Automation -> Trigger -> Create New -> Miscellaneous -> FortiOS Event Log.
Below is a sample configuration of the triggers in the CLI and GUI. The 'remip' field holds the remote gateway IP address of Site-A, so only events for that tunnel match. Two triggers are created: one for the VPN up status and one for the VPN down status.
config system automation-trigger
    edit "VPN Down"
        set event-type event-log
        set logid 37138
        config fields
            edit 1
                set name "action"
                set value "tunnel-down"
            next
            edit 2
                set name "remip"
                set value "10.8.11.129"
            next
        end
    next
    edit "VPN_Up"
        set event-type event-log
        set logid 37138
        config fields
            edit 1
                set name "action"
                set value "tunnel-up"
            next
            edit 2
                set name "remip"
                set value "10.8.11.129"
            next
        end
    next
end
- Configure the automation actions in the firewall. Navigate to Security Fabric -> Automation -> Action -> Create New -> General -> CLI Script. When the primary VPN (the VPN to Site-A) goes down, the CLI script moves the Site-A policy below the Site-B policy, so that the policy directing traffic to Site-B is matched first during policy lookup. Below are the sample configurations in the CLI and GUI.
config system automation-action
    edit "Policy_down"
        set action-type cli-script
        set script "config firewall policy
move 2 before 1
next
end"
        set accprofile "super_admin"
    next
    edit "Policy_Up"
        set action-type cli-script
        set script "config firewall policy
move 1 before 2
next
end"
        set accprofile "super_admin"
    next
end
- Configure the automation stitches that bind each trigger to its action. Navigate to Security Fabric -> Automation -> Stitch -> Create New. Below is a sample configuration in the CLI and GUI.
config system automation-stitch
    edit "Move_policy_down"
        set trigger "VPN Down"
        config actions
            edit 1
                set action "Policy_down"
                set required enable
            next
        end
    next
    edit "Move_policy_up"
        set trigger "VPN_Up"
        config actions
            edit 1
                set action "Policy_Up"
                set required enable
            next
        end
    next
end
- Now, when the VPN to Site-A goes down, the firewall moves the Site-A policy below the Site-B policy. Traffic therefore matches the Site-B policy and is forwarded to Site-B. The screenshots below show the VPN status, the event log entry indicating that the automation stitch was triggered, and the policy order after the event.
- When the VPN to Site-A comes back up, the automation stitch moves the Site-A policy back above the Site-B policy and traffic is forwarded to Site-A again. The screenshots below show the VPN status, the event log entry indicating that the automation stitch was triggered, and the policy order after the event.
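The following Python simulation is an added example, not FortiOS code, that models the trigger matching and policy-move behaviour configured above and the failover/fail-back described in the last two steps. The event-log lines are constructed; only the logid, action and remip values are taken from the page's trigger configuration, and the simplified policy table assumes the first policy in the list carries the DC_Subnet traffic.

```python
"""Simulate the automation-stitch failover described on this page.

The log records below are constructed stand-ins for FortiOS event logs;
trigger field values (logid 37138, action, remip 10.8.11.129) mirror the
'config system automation-trigger' entries shown above.
"""

# Policy table as on the hub: (policy id, name, vpntunnel). Lookup is
# top-down and first-match, so index 0 decides where traffic goes.
POLICIES = [(1, "Site-A", "Site-A"), (2, "Site-B", "Site-B")]

# A trigger fires only when every configured field matches the event.
TRIGGERS = {
    "VPN Down": {"logid": "37138", "action": "tunnel-down", "remip": "10.8.11.129"},
    "VPN_Up":   {"logid": "37138", "action": "tunnel-up",   "remip": "10.8.11.129"},
}
# Stitch: trigger name -> CLI action expressed as 'move <id> before <id>'.
STITCHES = {"VPN Down": (2, 1), "VPN_Up": (1, 2)}


def parse_event(line):
    """Turn a 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def matching_trigger(event):
    """Return the name of the first trigger whose fields all match."""
    for name, fields in TRIGGERS.items():
        if all(event.get(k) == v for k, v in fields.items()):
            return name
    return None


def move_before(policies, pol_id, before_id):
    """Reproduce 'config firewall policy / move <pol_id> before <before_id>'.

    Idempotent: repeating the same move leaves the order unchanged, which
    matters when several tunnel-down events arrive for the same tunnel.
    """
    moving = policies.pop([p[0] for p in policies].index(pol_id))
    policies.insert([p[0] for p in policies].index(before_id), moving)
    return policies


def run(events, policies=None):
    """Feed events through the stitches; return (fired, active tunnel, order)."""
    policies = list(policies or POLICIES)
    fired = []
    for line in events:
        name = matching_trigger(parse_event(line))
        if name:
            move_before(policies, *STITCHES[name])
            fired.append(name)
    return fired, policies[0][2], [p[0] for p in policies]


SAMPLE_EVENTS = [  # constructed log lines, not captured from a device
    "logid=37138 action=tunnel-up remip=10.8.11.132 tunnel=Site-B",    # no trigger
    "logid=37138 action=tunnel-down remip=10.8.11.129 tunnel=Site-A",  # VPN Down
    "logid=37138 action=tunnel-down remip=10.8.11.129 tunnel=Site-A",  # repeat
    "logid=37138 action=tunnel-up remip=10.8.11.129 tunnel=Site-A",    # VPN_Up
]
```

Running `run(SAMPLE_EVENTS[:3])` shows traffic pinned to Site-B after the Site-A tunnel-down events, and `run(SAMPLE_EVENTS)` shows it returning to Site-A once the tunnel-up event for 10.8.11.129 arrives; events for the Site-B gateway never fire a trigger.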