gakshay
Staff
Article Id 196719

Description


This article describes how to configure security fabric over IPsec VPN.


Scope


FortiGate.

Solution


This sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec VPN to join the Security Fabric.

Sample configuration:

To configure the root FortiGate (HQ1):

  1. Configure the interfaces:
  • In the root FortiGate (HQ1), go to Network -> Interfaces.
  • Edit port2:
    • Set Role to WAN.
    • For the interface connected to the Internet, set the IP/Network Mask to 10.2.200.1/255.255.255.0.
  • Edit port6:
    • Set Role to DMZ.
    • For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.8.250/255.255.255.0.
  2. Configure the static route to connect to the Internet:
  • Go to Network -> Static Routes and select 'Create New'.
    • Set Destination to 0.0.0.0/0.0.0.0.
    • Set Interface to port2.
    • Set Gateway Address to 10.2.200.2.
  3. Configure the IPsec VPN:
  • Go to VPN -> IPsec Wizard.
    • Set VPN Name to To-HQ2.
    • Set Template Type to Custom.
    • Select 'Next'.
    • Under Authentication, set Method to Pre-shared Key.
    • Set Pre-shared Key to 123456.
  • Leave all other fields at their default values and select 'OK'.

 

Note:

When enabling Security Fabric over an existing IPsec tunnel, make sure that the IP addresses of the tunnel interfaces are included in the phase2 selectors of both FortiGates. Fabric telemetry is sourced from the local tunnel IP and sent to the peer's tunnel IP, so if the selectors only carry the LAN subnets, that traffic never enters the tunnel. In the example below, the tunnel IPs are 10.10.10.1 and 10.10.10.3.
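The selector check described in the note, as an added example that is not part of the original article: a small Python helper that takes the phase2 selectors entered on each FortiGate and reports whether the tunnel endpoint IPs fall inside them in both directions. The addressing (10.10.10.1, 10.10.10.3, 192.168.8.0/24, 10.1.100.0/24) is taken from this article; the three selector sets are constructed to show the default wizard selectors, a narrow LAN-only configuration that breaks fabric traffic, and the same configuration with the /32 tunnel IPs added.

```python
import ipaddress

# Tunnel interface IPs from the article's topology.
HQ1_TUNNEL_IP = "10.10.10.1"
HQ2_TUNNEL_IP = "10.10.10.3"


def selectors_cover_tunnel_ips(local_selectors, remote_selectors,
                               local_tunnel_ip, remote_tunnel_ip):
    """Return True if one FortiGate's phase2 selectors carry fabric traffic.

    local_selectors / remote_selectors: CIDR strings as entered in the phase2
    Local Address / Remote Address fields. The unit's own tunnel IP must fall
    inside a local selector and the peer's tunnel IP inside a remote selector;
    otherwise packets between the two tunnel IPs are not matched to the SA.
    """
    local_ip = ipaddress.ip_address(local_tunnel_ip)
    remote_ip = ipaddress.ip_address(remote_tunnel_ip)
    local_ok = any(local_ip in ipaddress.ip_network(s, strict=False)
                   for s in local_selectors)
    remote_ok = any(remote_ip in ipaddress.ip_network(s, strict=False)
                    for s in remote_selectors)
    return local_ok and remote_ok


def check_pair(hq1_phase2, hq2_phase2):
    """Check both ends: each side covers its own IP locally and the peer IP remotely."""
    return {
        "HQ1": selectors_cover_tunnel_ips(hq1_phase2["local"], hq1_phase2["remote"],
                                          HQ1_TUNNEL_IP, HQ2_TUNNEL_IP),
        "HQ2": selectors_cover_tunnel_ips(hq2_phase2["local"], hq2_phase2["remote"],
                                          HQ2_TUNNEL_IP, HQ1_TUNNEL_IP),
    }


# Constructed selector sets (not exported from a device).
# 1) Wizard defaults: 0.0.0.0/0 in both directions, so everything is covered.
DEFAULT_PHASE2 = {"local": ["0.0.0.0/0"], "remote": ["0.0.0.0/0"]}

# 2) Narrow selectors carrying only the LAN subnets: tunnel IPs are not covered.
NARROW_HQ1 = {"local": ["192.168.8.0/24"], "remote": ["10.1.100.0/24"]}
NARROW_HQ2 = {"local": ["10.1.100.0/24"], "remote": ["192.168.8.0/24"]}

# 3) Narrow selectors extended with the /32 tunnel IPs, as the note requires.
FIXED_HQ1 = {"local": ["192.168.8.0/24", "10.10.10.1/32"],
             "remote": ["10.1.100.0/24", "10.10.10.3/32"]}
FIXED_HQ2 = {"local": ["10.1.100.0/24", "10.10.10.3/32"],
             "remote": ["192.168.8.0/24", "10.10.10.1/32"]}

if __name__ == "__main__":
    for label, a, b in [("default", DEFAULT_PHASE2, DEFAULT_PHASE2),
                        ("narrow", NARROW_HQ1, NARROW_HQ2),
                        ("fixed", FIXED_HQ1, FIXED_HQ2)]:
        print(f"{label:8s} {check_pair(a, b)}")
```

Run it before enabling telemetry on an existing tunnel; a False on either side means the tunnel IP has to be added to that side's phase2 selectors (and mirrored on the peer) before the downstream unit will ever appear in the root's pending list.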

 
  4. Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
  • Go to Network -> Interfaces.
  • Edit To-HQ2:
    • Set Role to LAN.
    • Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
    • Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
  5. Configure the IPsec VPN local and remote subnets:
  • Go to Policy & Objects -> Addresses.
    • Select 'Create New'.
    • Set Name to To-HQ2_local_subnet_1.
    • Set Type to Subnet.
    • Set IP/Network Mask to 192.168.8.0/24.
    • Select 'OK'.
    • Select 'Create New'.
    • Set Name to To-HQ2_remote_subnet_1.
    • Set Type to Subnet.
    • Set IP/Network Mask to 10.1.100.0/24.
    • Select 'OK'.
    • Select 'Create New'.
    • Set Name to To-HQ2_remote_subnet_2.
    • Set Type to Subnet.
    • Set IP/Network Mask to 10.10.10.3/32.
    • Select 'OK'.
  6. Configure the IPsec VPN static routes:
  • Go to Network -> Static Routes and select 'Create New'.
    • Set Destination to Named Address and select To-HQ2_remote_subnet_1.
    • Set Interface to To-HQ2.
    • Select 'OK'.
  • Select 'Create New'.
    • Set Destination to Named Address and select To-HQ2_remote_subnet_1.
    • Set Interface to Blackhole.
    • Set Administrative Distance to 254.
    • Select 'OK'.
  7. Configure the IPsec VPN policies:
  • Go to Policy & Objects -> IPv4 Policy and select 'Create New'.
    • Set Name to vpn_To-HQ2_local.
    • Set Incoming Interface to port6.
    • Set Outgoing Interface to To-HQ2.
    • Set Source to To-HQ2_local_subnet_1.
    • Set Destination to To-HQ2_remote_subnet_1.
    • Set Schedule to Always.
    • Set Service to All.
    • Disable NAT.
  • Select 'Create New'.
    • Set Name to vpn_To-HQ2_remote.
    • Set Incoming Interface to To-HQ2.
    • Set Outgoing Interface to port6.
    • Set Source to To-HQ2_remote_subnet_1, To-HQ2_remote_subnet_2.
    • Set Destination to To-HQ2_local_subnet_1.
    • Set Schedule to Always.
    • Set Service to All.
    • Enable NAT.
    • Set IP Pool Configuration to Use Outgoing Interface Address.
  8. Configure the Security Fabric:
  • Go to Security Fabric -> Settings.
    • Enable FortiGate Telemetry.
    • Set Group name to Office-Security-Fabric.
    • In FortiTelemetry enabled interfaces, add the VPN interface To-HQ2.
    • Set IP address to the FortiAnalyzer IP, 192.168.8.250.

After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled automatically and Upload is set to Real Time.
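Step 6 above installs two routes for the same remote prefix: one through the tunnel and a blackhole at administrative distance 254. The following is an added example, not code from the article or from Fortinet, that models why: when the tunnel interface goes down its route is withdrawn, and without the blackhole the remote LAN prefix would fall through to the default route and leave the WAN port in clear text. The route table is constructed from the HQ1 steps; the selection model (longest prefix, then lowest distance, routes via down interfaces not installed) is the assumption the example is built on.

```python
import ipaddress

# Constructed route table modelled on the HQ1 steps above (not exported from a device).
# (destination, interface, administrative distance)
ROUTES = [
    ("0.0.0.0/0",     "port2",     10),   # default route to the Internet via 10.2.200.2
    ("10.1.100.0/24", "To-HQ2",    10),   # remote LAN through the IPsec tunnel
    ("10.1.100.0/24", "Blackhole", 254),  # same prefix, discarded, only used if the tunnel route is gone
]


def select_route(routes, dst_ip, up_interfaces):
    """Return the interface a packet to dst_ip would be forwarded on, or None.

    Model: a static route is only installed when its interface is up (the
    Blackhole pseudo-interface is always installed). Among installed routes
    the longest matching prefix wins; ties go to the lowest distance.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for dest, intf, distance in routes:
        net = ipaddress.ip_network(dest)
        if ip not in net:
            continue
        if intf != "Blackhole" and intf not in up_interfaces:
            continue  # route withdrawn because the interface is down
        candidates.append((net.prefixlen, -distance, intf))
    if not candidates:
        return None
    candidates.sort(reverse=True)  # longest prefix first, then lowest distance
    return candidates[0][2]


def leaks_to_default(routes, remote_ip, wan_interface, tunnel_interface):
    """True if traffic for the remote LAN is forwarded on the WAN port once the tunnel is down."""
    return select_route(routes, remote_ip, {wan_interface}) == wan_interface


if __name__ == "__main__":
    print("tunnel up   :", select_route(ROUTES, "10.1.100.50", {"port2", "To-HQ2"}))
    print("tunnel down :", select_route(ROUTES, "10.1.100.50", {"port2"}))
    print("no blackhole:", select_route(ROUTES[:2], "10.1.100.50", {"port2"}))
```

With the blackhole present, a tunnel outage turns remote-LAN traffic into silent drops instead of unencrypted packets on port2; the firewall policy between port6 and port2 would also have to allow it, but the route is the first line of defence and the cheaper one to verify.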

To configure the downstream FortiGate (HQ2):

  1. Configure the interfaces:
  • Go to Network -> Interfaces.
  • Edit interface wan1:
    • Set Role to WAN.
    • For the interface connected to the Internet, set the IP/Network Mask to 192.168.7.3/255.255.255.0.
  • Edit interface vlan20:
    • Set Role to LAN.
    • For the interface connected to local endpoint clients, set the IP/Network Mask to 10.1.100.3/255.255.255.0.
  2. Configure the static route to connect to the Internet:
  • Go to Network -> Static Routes and select 'Create New'.
    • Set Destination to 0.0.0.0/0.0.0.0.
    • Set Interface to wan1.
    • Set Gateway Address to 192.168.7.2.
  3. Configure the IPsec VPN:
  • Go to VPN -> IPsec Wizard.
    • Set VPN Name to To-HQ1.
    • Set Template Type to Custom.
    • Select 'Next'.
    • Under Network, set IP Address to 10.2.200.1.
    • Set Interface to wan1.
    • Under Authentication, set Method to Pre-shared Key.
    • Set Pre-shared Key to 123456.
  • Leave all other fields at their default values and select 'OK'.
  4. Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
  • Go to Network -> Interfaces.
  • Edit To-HQ1:
    • Set Role to WAN.
    • Set the IP/Network Mask to 10.10.10.3/255.255.255.255.
    • Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.
  5. Configure the IPsec VPN local and remote subnets:
  • Go to Policy & Objects -> Addresses.
    • Select 'Create New'.
    • Set Name to To-HQ1_local_subnet_1.
    • Set Type to Subnet.
    • Set IP/Network Mask to 10.1.100.0/24.
    • Select 'OK'.
    • Select 'Create New'.
    • Set Name to To-HQ1_remote_subnet_1.
    • Set Type to Subnet.
    • Set IP/Network Mask to 192.168.8.0/24.
    • Select 'OK'.
  6. Configure the IPsec VPN static routes:
  • Go to Network -> Static Routes and select 'Create New'.
    • Set Destination to Named Address and select To-HQ1_remote_subnet_1.
    • Set Interface to To-HQ1.
    • Select 'OK'.
  • Select 'Create New'.
    • Set Destination to Named Address and select To-HQ1_remote_subnet_1.
    • Set Interface to Blackhole.
    • Set Administrative Distance to 254.
    • Select 'OK'.
  7. Configure the IPsec VPN policies:
  • Go to Policy & Objects -> IPv4 Policy and select 'Create New'.
    • Set Name to vpn_To-HQ1_local.
    • Set Incoming Interface to vlan20.
    • Set Outgoing Interface to To-HQ1.
    • Set Source to To-HQ1_local_subnet_1.
    • Set Destination to To-HQ1_remote_subnet_1.
    • Set Schedule to Always.
    • Set Service to All.
    • Disable NAT.
  • Select 'Create New'.
    • Set Name to vpn_To-HQ1_remote.
    • Set Incoming Interface to To-HQ1.
    • Set Outgoing Interface to vlan20.
    • Set Source to To-HQ1_remote_subnet_1.
    • Set Destination to To-HQ1_local_subnet_1.
    • Set Schedule to Always.
    • Set Service to All.
    • Disable NAT.
  8. Configure the Security Fabric:
  • Go to Security Fabric -> Settings.
    • Enable FortiGate Telemetry.
    • Enable Connect to upstream FortiGate.
    • Set FortiGate IP to 10.10.10.1. This can be any internal IP address of the root that is allowed to traverse the tunnel.

After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled automatically.

 
Settings for the FortiAnalyzer are retrieved by the downstream FortiGate (HQ2) when it connects to the root FortiGate (HQ1).

To authorize the downstream FortiGate (HQ2) on the root FortiGate (HQ1):

  • In the root FortiGate (HQ1), go to Security Fabric -> Settings.
    The Topology field highlights the connected FortiGate (HQ2) with its serial number and asks for authorization.
  • Select the highlighted FortiGate and select 'Authorize'.
    After authorization, the downstream FortiGate (HQ2) appears in the Topology field in Security Fabric -> Settings. This means the downstream FortiGate (HQ2) has successfully joined the Security Fabric.
 
To check the Security Fabric over IPsec VPN:

  1. On the root FortiGate (HQ1), go to Security Fabric -> Physical Topology.
    The root FortiGate (HQ1) is shown connected to the downstream FortiGate (HQ2) with a VPN icon in the middle.
  2. On the root FortiGate (HQ1), go to Security Fabric -> Logical Topology.
    The root FortiGate (HQ1) VPN interface To-HQ2 is shown connected to the downstream FortiGate.
 
 
 
 
To run diagnose commands:

  1. Run the diagnose sys csf authorization pending-list command on the root FortiGate (HQ1) to show the downstream FortiGate waiting for root FortiGate authorization:
  • HQ1:

diagnose sys csf authorization pending-list

 
Serial                  IP Address      HA-Members                                      Path
------------------------------------------------------------------------------------
FG101ETK1-----87        0.0.0.0                                                         FG3H1E5------718:FG101ET-------87
 
  2. Run the diagnose sys csf downstream command on the root FortiGate (HQ1) to show the downstream FortiGate (HQ2) after it has joined the Security Fabric:
  • HQ1:

diagnose sys csf downstream

FG101ETK-------87 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E-------18

path:FG3-------18:FG101ETK-------87

data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443

authorizer:FG3H-------8

 
  3. Run the diagnose sys csf upstream command on the downstream FortiGate (HQ2) to show the root FortiGate (HQ1) after the downstream FortiGate has joined the Security Fabric:
  • HQ2:

diagnose sys csf upstream

Upstream Information:

Serial Number:FG3-------18
    IP:10.10.10.1

Connecting interface:To-HQ1
Connection status:Authorized
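The three diagnose listings above are also what an operator would poll to confirm the fabric stays healthy and to notice a device that appears in the pending list without having been provisioned. The following is an added example, not part of the article: Python parsers for the pending-list and upstream output formats shown here, plus two checks built on them. The sample output is copied from the article's listings (the serial numbers are the article's redacted values); the column layout the parser assumes is exactly the one printed above, and the approved-serial list is a constructed input.

```python
import re

# Sample output copied from the article's listings (serials redacted as in the article).
PENDING_LIST_OUTPUT = """\
Serial                  IP Address      HA-Members                                      Path
------------------------------------------------------------------------------------
FG101ETK1-----87        0.0.0.0                                                         FG3H1E5------718:FG101ET-------87
"""

UPSTREAM_OUTPUT = """\
Upstream Information:

Serial Number:FG3-------18
    IP:10.10.10.1

Connecting interface:To-HQ1
Connection status:Authorized
"""


def parse_pending_list(text):
    """Return one dict per device from 'diagnose sys csf authorization pending-list'.

    Assumes the layout shown above: a header line, a dashed rule, then one
    whitespace-separated row per device. The HA-Members column may be empty,
    so the path is taken as the last token rather than by fixed position.
    """
    devices = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Serial") or line.startswith("---"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed row, skip rather than guess
        devices.append({"serial": fields[0], "ip": fields[1], "path": fields[-1]})
    return devices


def parse_upstream(text):
    """Return 'Key: value' pairs from 'diagnose sys csf upstream' as a dict.

    Lines with an empty value (such as the 'Upstream Information:' heading)
    are ignored; leading indentation, as on the IP line, is tolerated.
    """
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(\S.*)?$", line)
        if m and m.group(2):
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def unexpected_pending(pending_devices, approved_serials):
    """Serials waiting for authorization that are not in the provisioning list."""
    return [d["serial"] for d in pending_devices if d["serial"] not in approved_serials]


def fabric_joined(upstream_info, expected_root_ip):
    """True when the downstream reports an authorized connection to the expected root IP."""
    return (upstream_info.get("Connection status") == "Authorized"
            and upstream_info.get("IP") == expected_root_ip)


if __name__ == "__main__":
    # Constructed provisioning list: the serials you expect to see join the fabric.
    APPROVED = {"FG101ETK1-----87"}
    pending = parse_pending_list(PENDING_LIST_OUTPUT)
    print("pending   :", pending)
    print("unexpected:", unexpected_pending(pending, APPROVED))
    print("joined    :", fabric_joined(parse_upstream(UPSTREAM_OUTPUT), "10.10.10.1"))
```

Only authorize a serial that is on your own provisioning list; a pending entry that is not on it is worth investigating before it is clicked through, since authorization grants that unit a place in the fabric topology.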

 

For a setup with redundant IPsec tunnels:

  • Make sure a tunnel IP is assigned on each tunnel interface on both the root and the downstream device. Configure or add a phase2 whose local and remote subnets are the tunnel subnet, and add routes to the tunnel subnet so that it can traverse the tunnel.
  • When adding the downstream device to the Security Fabric, as mentioned above, the FortiGate IP can be any internal IP address of the root that is allowed to go through the tunnel. It does not have to be the root's tunnel IP address.
  • (Optional, not recommended): To simplify the setup by having only one tunnel subnet across the redundant tunnels, enable overlapping subnets by following this article: Technical Tip: Enable subnet overlap to set IP add... - Fortinet Community. Make sure the tunnel IP is the same on all of the tunnel interfaces of each FortiGate in the Security Fabric.