AWS Administration Guide

Multiregion FortiGate-VM deployment with FortiSASE

This deployment uses AWS gateway load balancer (GWLB) and FortiSASE secure private access (SPA) to extend and secure one region into a multiregion AWS infrastructure. This deployment suits an organization where many users are remote, as it secures the remote workforce while allowing users to securely access resources inside the organization's cloud data center.

This deployment uses a hub and spoke design, with one spoke in each region where the organization has workloads. This central hub architecture can leverage AWS transit gateway (TGW) seamlessly as well.

The following provides the topology for this deployment:

Each region contains the following virtual private clouds (VPCs):

  • Central inspection: Central hub dedicated to security inspection inside the AWS environment. Traffic to any VPC goes through the central inspection VPC. Contains two FortiGate next generation firewalls (NGFW) attached to a GWLB through GENEVE tunnels, and a GWLB endpoint (GWLBe). The FortiGates form an active-active high availability (HA) pair and are placed in different availability zones (AZ).
  • VPN to FortiSASE: Provides IPsec VPN connectivity to FortiSASE, allowing a remote user connected to FortiSASE to reach internal AWS workloads through FortiSASE SPA. Contains two FortiGate NGFWs in an active-passive (A-P) HA cluster, placed in different AZs.
  • Normal spoke: Spoke with a private subnet only. Contains private instances that are not exposed to the internet.

This deployment allows the following traffic:

  • Spoke-to-spoke
  • Spoke-to-internet
  • Spoke-to-FortiSASE

This deployment attaches a normal spoke VPC to the TGW via a VPC attachment with a dedicated spoke routing table inside the TGW.

This deployment dedicates a spoke VPC to security operations containing FortiManager and FortiAnalyzer.

This deployment treats FortiSASE as an external remote site from which remote users connect to AWS regional workloads. It leverages FortiSASE SPA to connect AWS with FortiSASE dynamically: FortiSASE acts as an ADVPN dialup client of each regional FortiGate A-P VPN cluster, and each cluster acts as an SD-WAN hub.

The following instructions assume that you are familiar with configuring a FortiGate-VM on AWS. Only instructions for configurations specific to this deployment are provided.

  1. Configure the FortiGates in the central inspection VPC. See Configuring the FortiGates in the central inspection VPC.
  2. Configure the FortiGates in the VPN to FortiSASE VPC. See Configuring the FortiGates in the VPN to FortiSASE VPC.
  3. Configure FortiSASE. See Configuring FortiSASE.

Configuring the FortiGates in the central inspection VPC

These FortiGates provide east-west and egress filtering.

To configure the FortiGates in the central inspection VPC:
  1. In the FortiOS CLI, configure static routing and a dedicated management interface. This configuration uses the dedicated management interface for external HTTPS access to manage each FortiGate in the central inspection VPC and as the default interface for FortiAnalyzer and FortiManager traffic. Each RFC 1918 destination reached through the GWLB gets a route over both GENEVE interfaces so that either AZ can carry the return traffic:

    config router static
        edit 1
            set device "port1"
            set gateway X.X.X.X
        next
        edit 2
            set device "gwlbprivateaz1"
            set dst 10.0.0.0 255.0.0.0
        next
        edit 3
            set device "gwlbprivateaz1"
            set dst 192.168.0.0 255.255.0.0
        next
        edit 4
            set device "gwlbprivateaz2"
            set dst 192.168.0.0 255.255.0.0
        next
        edit 5
            set device "gwlbprivateaz2"
            set dst 10.0.0.0 255.0.0.0
        next
        edit 6
            set device "port2"
            set dst 10.30.20.64/27
            set gateway X.X.X.X
        next
        edit 7
            set device "gwlbprivateaz1"
            set priority 500
        next
        edit 8
            set device "gwlbprivateaz2"
            set priority 500
        next
        edit 9
            set device "port3"
            set priority 500
        next
    end

  2. Configure one GENEVE tunnel to the GWLB in each AZ:

    config system geneve
        edit "<Name of the GENEVE interface in AZ1>"
            set interface "port2"
            set type ppp
            set remote-ip <IP address of GWLB interface in AZ1>
        next
        edit "<Name of the GENEVE interface in AZ2>"
            set interface "port2"
            set type ppp
            set remote-ip <IP address of GWLB interface in AZ2>
        next
    end

  3. Create a zone that combines the two GENEVE tunnels. The zone is referenced in the firewall policy:

    config system zone
        edit "<Name of the GENEVE zone to be used in firewall policy>"
            set interface "<Name of the GENEVE interface in AZ1>" "<Name of the GENEVE interface in AZ2>"
        next
    end

  4. Use policy-based routing so that traffic received on a GENEVE tunnel is returned on the same tunnel, which keeps each flow symmetric through the GWLB. The policy routes match only the RFC 1918 ranges; every other destination (0.0.0.0/0) follows the regular routing table out of port1:

    config router policy
        edit 1
            set input-device "<Name of the GENEVE interface in AZ1>"
            set srcaddr "all"
            set dst "10.0.0.0/255.0.0.0" "192.168.0.0/255.255.0.0" "172.16.0.0/255.240.0.0"
            set output-device "<Name of the GENEVE interface in AZ1>"
        next
        edit 2
            set input-device "<Name of the GENEVE interface in AZ2>"
            set srcaddr "all"
            set dst "10.0.0.0/255.0.0.0" "192.168.0.0/255.255.0.0" "172.16.0.0/255.240.0.0"
            set output-device "<Name of the GENEVE interface in AZ2>"
        next
    end
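The static routes and policy routes above only preserve symmetry if every GWLB destination is reachable over both GENEVE interfaces and every policy route hairpins traffic back onto the interface it arrived on. The following Python is an added check, not part of this guide or of FortiOS: it parses FortiOS config/edit/set/next/end text and flags a destination routed via only one of gwlbprivateaz1/gwlbprivateaz2, a policy route whose output-device differs from its input-device, and a policy route missing one of the three RFC 1918 ranges. The sample config is a constructed excerpt in which geneve-az1 and geneve-az2 are assumed names for the page's GENEVE interface placeholders.

```python
import re
# Constructed excerpt of this page's central-inspection config; geneve-az1/az2 are assumed names.
SAMPLE_CONFIG = """
config router static
    edit 2
        set device "gwlbprivateaz1"
        set dst 10.0.0.0 255.0.0.0
    next
    edit 5
        set device "gwlbprivateaz2"
        set dst 10.0.0.0 255.0.0.0
    next
    edit 3
        set device "gwlbprivateaz1"
        set dst 192.168.0.0 255.255.0.0
    next
end
config router policy
    edit 2
        set input-device "geneve-az2"
        set dst "10.0.0.0/255.0.0.0" "192.168.0.0/255.255.0.0"
        set output-device "geneve-az1"
    next
end
"""
RFC1918 = {"10.0.0.0/255.0.0.0", "172.16.0.0/255.240.0.0", "192.168.0.0/255.255.0.0"}


def parse_fortios(text):
    # Parse FortiOS config/edit/set/next/end syntax into {section: {entry: {key: values}}}.
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tokens and tokens[0] == "config":
            section = tree.setdefault(" ".join(tokens[1:]), {})
        elif tokens and tokens[0] == "edit":
            entry = section.setdefault(tokens[1], {})
        elif tokens and tokens[0] == "set":
            entry[tokens[1]] = tokens[2:]
    return tree


def check_symmetry(tree):
    """Flag routes that break the flow symmetry an active-active GWLB pair depends on."""
    findings, by_dst = [], {}
    for route in tree.get("router static", {}).values():        # static routes over the GWLB
        if route.get("dst") and route["device"][0].startswith("gwlbprivate"):
            by_dst.setdefault("/".join(route["dst"]), set()).add(route["device"][0])
    for dst, devices in by_dst.items():                          # both AZ interfaces are needed
        if devices != {"gwlbprivateaz1", "gwlbprivateaz2"}:
            findings.append(f"static route to {dst} only via {sorted(devices)}")
    for pid, pol in tree.get("router policy", {}).items():       # hairpin back to the same GENEVE
        if pol.get("input-device") != pol.get("output-device"):
            findings.append(f"policy {pid}: output-device differs from input-device")
        if missing := RFC1918 - set(pol.get("dst", [])):
            findings.append(f"policy {pid}: missing dst {sorted(missing)}")
    return findings
```

Run `check_symmetry(parse_fortios(SAMPLE_CONFIG))` on a `show router static` / `show router policy` dump to get the list of findings; an empty list means the routing is symmetric.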

Configuring the FortiGates in the VPN to FortiSASE VPC

This deployment configures the FortiGate-VM in the A-P HA pair as an SD-WAN/ADVPN hub to allow connectivity with FortiSASE SPA. This is accomplished in two main steps:

  • ADVPN hub configuration
  • BGP configuration to advertise the regional AWS CIDR range to FortiSASE

To configure the FortiGates in the VPN to FortiSASE VPC:
  1. Configure the FortiGate as an ADVPN hub:

    config vpn ipsec phase1-interface
        edit FortiSASE
            set type dynamic
            set interface port1
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes256-sha256
            set add-route disable
            set dpd on-idle
            set dhgrp 21 14 5
            set auto-discovery-sender enable
            set network-overlay enable
            set network-id 1
            set ipv4-start-ip 10.132.0.33
            set ipv4-end-ip 10.132.0.40
            set ipv4-netmask 255.255.255.224
            set psksecret putasecret
            set dpd-retryinterval 60
        next
    end

    config vpn ipsec phase2-interface
        edit FortiSASE
            set phase1name FortiSASE
            set proposal aes256-sha256
        next
    end

    config system interface
        edit "FortiSASE"
            set vdom "root"
            set ip 10.132.0.62 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 10.132.0.61 255.255.255.224
            set interface "port1"
        next
    end

    config system interface
        edit "Lo-FGT-Region1"
            set vdom "root"
            set ip 10.132.0.1 255.255.255.224
            set allowaccess ping
            set type loopback
        next
    end

  2. Configure BGP. The neighbor-range covers the mode-cfg pool handed to FortiSASE, so each dialup peer is matched to the FortiSASE neighbor-group automatically, and the network statements advertise the regional AWS CIDR ranges:

    config router bgp
        set as 65001
        set ibgp-multipath enable
        set additional-path enable
        set graceful-restart enable
        set additional-path-select 4
        config neighbor-group
            edit "FortiSASE"
                set capability-graceful-restart enable
                set link-down-failover enable
                set next-hop-self enable
                set remote-as 65001
                set additional-path both
                set adv-additional-path 4
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.132.0.32 255.255.255.224
                set neighbor-group "FortiSASE"
            next
        end
        config network
            edit 0
                set prefix 10.110.0.0 255.255.0.0
            next
            edit 0
                set prefix 10.111.0.0 255.255.0.0
            next
        end
    end

    config router bgp
        config neighbor-group
            edit "FortiSASE"
                set link-down-failover enable
                set additional-path both
                set adv-additional-path 4
            next
        end
    end

Configuring FortiSASE

To configure FortiSASE:
  1. In FortiSASE, configure the network connection:
    1. Go to Network > Secure Private Access > Network Connection.
    2. In the BGP router ID subnet field, enter 10.132.0.64/27.
    3. In the Autonomous system number (ASN) field, enter 65001.
    4. In the Health check IP address field, enter the IP address of the loopback interface (Lo-FGT-Region1) configured on the region 1 FortiGate in the VPN to FortiSASE VPC. In this example, it is 10.132.0.1.
    5. Configure other fields as desired.
  2. Configure the service connection:
    1. Go to Service Connection.
    2. Click Create.
    3. In the Remote gateway field, enter the region 1 FortiGate public IP address.
    4. For Authentication method, select Pre-shared key.
    5. In the Pre-shared key field, define the desired key.
    6. In the BGP peer IP address field, enter the IP address of the FortiSASE tunnel interface configured on the FortiGate in the VPN to FortiSASE VPC. In this example, it is 10.132.0.62.
    7. In the Network overlay ID field, enter 1.
    8. Save.
  3. Distribute FortiClient installers to end users so that they can connect to FortiSASE. You can complete this through FortiSASE. See Managed endpoint client onboarding. You can also use a mobile device management platform such as Intune. See FortiClient Intune Deployment Guide.
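The ADVPN hub, BGP, and FortiSASE settings above only work together if the overlay address plan is consistent: the mode-cfg pool must lie inside the BGP neighbor-range, the hub's tunnel addresses must share that overlay without colliding with the pool, and the loopback and FortiSASE BGP router ID subnet must not overlap it. The following Python is an added validation of that plan using this page's values (not part of this guide or of Fortinet's products); the function accepts the same values as strings so that a changed plan can be checked the same way.

```python
import ipaddress


def check_overlay_plan(overlay, pool_start, pool_end, tunnel_ip, tunnel_remote,
                       loopback, sase_router_id):
    """Return the problems found; an empty list means dynamic BGP peering can form as designed."""
    overlay = ipaddress.ip_network(overlay)                     # BGP neighbor-range prefix
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    tunnel_ip, tunnel_remote = ipaddress.ip_address(tunnel_ip), ipaddress.ip_address(tunnel_remote)
    loopback = ipaddress.ip_interface(loopback).network          # Lo-FGT-Region1 subnet
    sase_router_id = ipaddress.ip_network(sase_router_id)        # FortiSASE BGP router ID subnet
    problems = []
    # 1. Every address FortiSASE can receive from mode-cfg must fall inside the
    #    neighbor-range, or its BGP session is never matched to the FortiSASE neighbor-group.
    if start > end or start not in overlay or end not in overlay:
        problems.append(f"mode-cfg pool {start}-{end} is not contained in neighbor-range {overlay}")
    # 2. The hub's tunnel ip and remote-ip must sit in the same overlay subnet as the
    #    dialup clients, and must not be addresses that mode-cfg can hand to a client.
    for name, addr in (("tunnel ip", tunnel_ip), ("remote-ip", tunnel_remote)):
        if addr not in overlay:
            problems.append(f"{name} {addr} is outside overlay {overlay}")
        elif start <= addr <= end:
            problems.append(f"{name} {addr} collides with the mode-cfg pool")
    # 3. The loopback (health-check target) and the FortiSASE router ID subnet must not
    #    overlap the overlay, or routes and router IDs become ambiguous.
    for name, net in (("loopback", loopback), ("FortiSASE router ID subnet", sase_router_id)):
        if net.overlaps(overlay):
            problems.append(f"{name} {net} overlaps overlay {overlay}")
    return problems


# Values from this page's VPN-to-FortiSASE FortiGate and FortiSASE configuration.
PAGE_PLAN = dict(overlay="10.132.0.32/27", pool_start="10.132.0.33", pool_end="10.132.0.40",
                 tunnel_ip="10.132.0.62", tunnel_remote="10.132.0.61",
                 loopback="10.132.0.1/27", sase_router_id="10.132.0.64/27")

if __name__ == "__main__":
    for problem in check_overlay_plan(**PAGE_PLAN):
        print("PROBLEM:", problem)
```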