Fortinet Test Drive Guide: FortiGate NGFW for High Availability in Amazon Web Services


FORTINET TEST DRIVE GUIDE - FORTIGATE NGFW FOR HIGH AVAILABILITY IN AWS

CONTENTS

PREFACE

DOCUMENT VERSIONS

CONTACT US

HOW TO SIGN UP FOR THE LAB

HOW TO LAUNCH AND WALK THROUGH THE LAB

TESTING


VERSIONS

Version numbers and changes to this lab manual are as follows:

Version | Date Modified | Changes Made
1.1 | 7/7/2015 | Update to Lab 1, Step 5 (Route53 configuration)
1.0 | 5/11/2015 | First version

CONTACT US

For general questions about Fortinet, please visit our web page for contact information and to request additional details: http://www.fortinet.com/contact_us/index.html

PREFACE

This Test Drive lets customers quickly try FortiGate Next-Generation Firewall features on Amazon Web Services (AWS) cloud infrastructure. The key use cases include building secure, isolated virtual networks with their own IP address space, hybrid cross-premises networking, and site-to-site or point-to-site VPN. This Test Drive focuses on High Availability with a hot standby: two FortiGate security appliances in different AWS Availability Zones, with traffic passing through the active one and moving to the standby when the active one fails.


SIGNING UP FOR THE TEST DRIVE

1. Go to the AWS Test Drive page at http://aws.amazon.com/testdrive/ and navigate to the Fortinet test drive.

2. Click the “Try it Now Free” button, which will take you to the landing page.

3. Input the necessary information in the Signup sheet to register.

4. Once you have signed up successfully, you will receive an email with your account name and password (typically the credentials you signed up with). You can now log in to the lab.


LAUNCHING & WALKING THROUGH THE LAB

1. After logging in, click Enter to access the lab.

2. You will then see the screen below, where you can click “Launch Test Drive” to begin the lab. The lab takes approximately ten minutes to spin up.


3. After it launches, you will then receive an email giving you your account credentials and a DNS link. You can also view this information at the bottom right of the environment under “Outputs.”


TO LOG IN TO THE TEST DRIVE SERVER

4. Click the DNS link provided in the email. Your browser may warn that the connection is not private: the FortiGate management GUI ships with a self-signed certificate, so for this lab proceed to the site. In a production deployment, install a certificate from a CA your browsers trust rather than teaching users to click through the warning.

5. Enter the credentials you received in the email. Because they were delivered by email, change the admin password after your first login.

6. You will then be taken to the FortiGate GUI for configuration.


INTRODUCTION

This lab guide provides a step-by-step walk-through of the common use case set-up and is not intended to be used as a product user guide. This Test Drive is a great stage for companies interested in exploring advanced security and High Availability practices in Cloud environments.

For more details on Fortinet products and documentation, please visit http://docs.fortinet.com/fortigate/admin-guides

Fortinet provides a broad range of NGFW and UTM solutions in the AWS Marketplace.

LICENSING OPTIONS

■ 15-Day Free Trial
■ License
■ Hourly
■ Annually

For the basic AWS installation guide, please visit http://docs.fortinet.com/uploaded/files/2082/fortigate-aws-deployment.pdf

For a direct screen-by-screen configuration for FortiGate appliance in AWS, visit Fortinet Cookbook http://cookbook.fortinet.com/?s=aws

Note: the m3.medium instance type used in AWS needs at least an FG-VM01 license and supports a maximum of two (2) vNICs, enough for the one public and one internal interface used here.


GET STARTED WITH FORTINET TEST DRIVE IN AWS

This Test Drive consists of three focused lab exercises.

The key objectives are:

1. Configuring High Availability in AWS with the FortiGate next-generation firewall

2. Blocking web traffic flow using FortiGate

3. Configuring a Site-to-Site VPN for both on premise and cloud instances

LAB DURATION: 45 MINS

LAB 1

Hot Standby configuration using FortiGate firewalls in AWS.

This explains the test drive itself and what gets created during the test drive launch.

1. VPC CREATION COMPONENTS

The first step is creating the VPC with the right CIDR and all required subnets. Additional components include Elastic IPs, the Internet Gateway for the VPC, and route tables. The route table for the public-facing subnet should have its default route (0.0.0.0/0) pointed at the Internet Gateway.

2. EC2 INSTANCES LAUNCH

After the VPC and its components are created, the instances are launched in the appropriate Availability Zones. In the test drive there are two FortiGate On-Demand instances, one in each of two Availability Zones, each with two interfaces. Source/destination checking must be disabled on the internal interface (eth1, which FortiOS names port2) of each FortiGate; otherwise EC2 drops the packets the FortiGate forwards on behalf of the internal subnet, since neither their source nor their destination is the interface's own address. The Elastic IPs reserved in step 1 are assigned to eth0, the Internet-facing public interface.

3. ROUTE TABLE ENTRIES FOR INTERNAL SUBNETS

After step 2, the route table of the internal subnet in each Availability Zone is updated with the following default route, so that everything leaving the internal subnet goes through the FortiGate in the same Availability Zone:

Destination | Target
0.0.0.0/0 | eth1 (the internal ENI) of the FortiGate-VM in that Availability Zone
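The following script is an added example and is not part of the Fortinet guide or the test drive. It audits the wiring that steps 1 to 3 describe: that each FortiGate's eth0 carries an Elastic IP and sits in a subnet whose default route is the Internet Gateway, that each eth1 has source/destination checking disabled, and that each internal subnet's default route points at the eth1 of the FortiGate in the same Availability Zone. Its two inputs use the shape of the NetworkInterfaces and RouteTables lists returned by the EC2 describe-network-interfaces and describe-route-tables calls, so the same function can be run over real output (pass only the FortiGate instances' ENIs). The sample data is constructed for the lab layout; the Availability Zone names, subnet/ENI/IGW identifiers and the 10.0.0.0/16 VPC CIDR are placeholders, and two faults are planted on purpose.

```python
"""Audit of the VPC wiring described in steps 1-3 of Lab 1 (added example, not Fortinet code)."""
from typing import Dict, List


def _default_route(route_table: Dict) -> Dict:
    """The 0.0.0.0/0 route of a route table, or an empty dict if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return {}


def audit_lab_vpc(fgt_interfaces: List[Dict], route_tables: List[Dict]) -> List[str]:
    """Return one finding per deviation from the guide's wiring.

    Per FortiGate ENI: eth0 (DeviceIndex 0) must carry an Elastic IP and sit in a
    subnet whose default route is the Internet Gateway; eth1 (DeviceIndex 1) must
    have source/destination checking disabled and be the default-route target of
    its own internal subnet (which keeps the route inside the same AZ).
    """
    findings: List[str] = []
    # Route table each subnet is explicitly associated with.
    rtb_for_subnet = {
        assoc["SubnetId"]: rtb
        for rtb in route_tables
        for assoc in rtb.get("Associations", [])
        if "SubnetId" in assoc
    }
    for eni in fgt_interfaces:
        eni_id = eni["NetworkInterfaceId"]
        rtb = rtb_for_subnet.get(eni["SubnetId"])
        if rtb is None:
            findings.append(f"{eni['SubnetId']}: no route table explicitly associated")
            continue
        default = _default_route(rtb)
        if eni["Attachment"]["DeviceIndex"] == 0:
            if not eni.get("Association", {}).get("PublicIp"):
                findings.append(f"{eni_id}: public interface has no Elastic IP")
            if not str(default.get("GatewayId", "")).startswith("igw-"):
                findings.append(f"{rtb['RouteTableId']}: public subnet default route is not the Internet Gateway")
        else:
            if eni.get("SourceDestCheck", True):
                findings.append(f"{eni_id}: source/destination check still enabled on internal interface")
            if default.get("NetworkInterfaceId") != eni_id:
                actual = default.get("NetworkInterfaceId") or default.get("GatewayId") or "nothing"
                findings.append(
                    f"{rtb['RouteTableId']}: default route targets {actual}, "
                    f"expected {eni_id} (FortiGate eth1 in {eni['AvailabilityZone']})"
                )
    return findings


def _eni(eni_id, subnet, az, index, src_dst_check, public_ip=None) -> Dict:
    """Build a describe-network-interfaces style entry (constructed sample data)."""
    entry = {"NetworkInterfaceId": eni_id, "SubnetId": subnet, "AvailabilityZone": az,
             "Attachment": {"DeviceIndex": index}, "SourceDestCheck": src_dst_check}
    if public_ip:
        entry["Association"] = {"PublicIp": public_ip}
    return entry


# Constructed sample: placeholder ids, two deliberate faults in AZ "b".
SAMPLE_INTERFACES = [
    _eni("eni-fgt-a-eth0", "subnet-pub-a", "us-east-1a", 0, True, "198.51.100.10"),
    _eni("eni-fgt-a-eth1", "subnet-int-a", "us-east-1a", 1, False),
    _eni("eni-fgt-b-eth0", "subnet-pub-b", "us-east-1b", 0, True, "198.51.100.20"),
    _eni("eni-fgt-b-eth1", "subnet-int-b", "us-east-1b", 1, True),   # fault: check left on
]

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-int-a", "Associations": [{"SubnetId": "subnet-int-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fgt-a-eth1"}]},
    {"RouteTableId": "rtb-int-b", "Associations": [{"SubnetId": "subnet-int-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                # fault: the AZ "b" internal subnet routes through the AZ "a" firewall
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fgt-a-eth1"}]},
]


if __name__ == "__main__":
    for line in audit_lab_vpc(SAMPLE_INTERFACES, SAMPLE_ROUTE_TABLES):
        print(line)
```

Against real output, feed it the results of `aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,Values=<fgt-a>,<fgt-b>` and `aws ec2 describe-route-tables`; an empty result means the three steps are wired as the guide describes.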

4. FIREWALL LOGIN AND WEB FILTER LICENSING

After the test drive is launched, you receive a URL to the firewall together with the username and password to log in. After logging in, make sure that port2 has an IP address and that its status is up. Port2 picks up its IP address automatically once the firewall is rebooted, and the port comes up with it. To reboot, go to System > Dashboard > Status > System Resources, where there is a reboot option, and reboot the firewall.

To check the IP address of port2, go to System > Network > Interfaces. Then navigate to Policy & Objects > Policy > IPv4 and make sure there is a policy from port2 to port1 (internal subnet to Internet).

For Web Filter licensing, navigate to System > Config > FortiGuard. The page takes a while to load fully. Once it loads, expand Web Filtering and Email Filtering Options and click Test Availability. Click OK on the pop-up. When the page reloads, the firewall has the licensing it needs.

5. ROUTE53 CONFIGURATION

There are two firewalls in two Availability Zones in an Active-Standby arrangement: at any given time traffic passes through only one of them. The active firewall is reached through a DNS name served by Route53.

In Route53 there is a record set for each firewall's public-facing interface (its Elastic IP). Both records use the Failover routing policy under the same DNS name: the firewall that should be active is the Primary record and the other firewall is the Secondary, and each record is tied to a health check of its own firewall.

Route53 only switches its answer to the Secondary after the Primary's health check has failed Failure Threshold times in a row, with probes sent every Request Interval seconds, and clients may keep using the old answer for up to the record's TTL after that. Adjust the TTL, Request Interval and Failure Threshold so that failover completes within the time your requirements allow.
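The following script is an added example, not code from the Fortinet guide or from AWS. It builds the JSON that `aws route53 create-health-check --health-check-config` and `aws route53 change-resource-record-sets --change-batch` accept for the Primary/Secondary failover pair described in step 5, and computes an upper bound on how long a failover takes from the TTL, Request Interval and Failure Threshold. The DNS name, the two Elastic IPs and the health check identifiers are placeholders.

```python
"""Route 53 failover records for the two FortiGates of Lab 1 step 5 (added example, not Fortinet code)."""
import json
from typing import Dict


def health_check_config(ip: str, port: int = 443, path: str = "/login",
                        request_interval: int = 10, failure_threshold: int = 3) -> Dict:
    """HealthCheckConfig that probes the FortiGate's public interface over HTTPS.

    Route 53 accepts a RequestInterval of 10 or 30 seconds and a FailureThreshold
    of 1-10, so reject anything else before the API does.  Route 53 does not
    validate the TLS certificate, so the self-signed GUI certificate is fine.
    """
    if request_interval not in (10, 30):
        raise ValueError("RequestInterval must be 10 or 30 seconds")
    if not 1 <= failure_threshold <= 10:
        raise ValueError("FailureThreshold must be between 1 and 10")
    return {"IPAddress": ip, "Port": port, "Type": "HTTPS", "ResourcePath": path,
            "RequestInterval": request_interval, "FailureThreshold": failure_threshold}


def failover_change_batch(name: str, primary_ip: str, secondary_ip: str,
                          primary_hc: str, secondary_hc: str, ttl: int = 60) -> Dict:
    """Two A records under one name with the Failover routing policy.

    Route 53 answers with the PRIMARY record while its health check passes and
    with the SECONDARY otherwise.  SetIdentifier must differ between the two
    records, and each carries the id of the health check of its own firewall.
    """
    def record(ip: str, role: str, hc_id: str) -> Dict:
        return {"Action": "UPSERT",
                "ResourceRecordSet": {"Name": name, "Type": "A",
                                      "SetIdentifier": f"fortigate-{role.lower()}",
                                      "Failover": role, "TTL": ttl,
                                      "ResourceRecords": [{"Value": ip}],
                                      "HealthCheckId": hc_id}}

    return {"Comment": "FortiGate active/standby across two Availability Zones",
            "Changes": [record(primary_ip, "PRIMARY", primary_hc),
                        record(secondary_ip, "SECONDARY", secondary_hc)]}


def worst_case_failover_seconds(ttl: int, request_interval: int, failure_threshold: int) -> int:
    """Approximate upper bound from the primary going down to clients using the standby.

    Route 53 marks the endpoint unhealthy after failure_threshold consecutive failed
    probes sent request_interval seconds apart; resolvers may then keep serving the
    cached PRIMARY answer for up to ttl seconds.  Propagation inside Route 53 is ignored.
    """
    return request_interval * failure_threshold + ttl


if __name__ == "__main__":
    # Placeholder name, addresses and health check ids (assumptions, not from the guide).
    batch = failover_change_batch("fortigate.lab.example.", "198.51.100.10",
                                  "198.51.100.20", "hc-primary", "hc-secondary", ttl=60)
    print(json.dumps(batch, indent=2))
    print("worst case failover:", worst_case_failover_seconds(60, 10, 3), "seconds")
```

Write the output of `failover_change_batch` to a file and pass it as `--change-batch file://batch.json` with the hosted zone id; the health check ids come from the two `create-health-check` calls made first. With a 60 second TTL, 10 second interval and threshold of 3, the standby is answering for every client within about 90 seconds of the primary going silent, which is the "couple of minutes" the failover test in Lab 1 waits for.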

6. STATIC ROUTES IN THE FIREWALLS

Each firewall already has a static route to the internal subnet in the other Availability Zone. The route leaves through port2 with the VPC router of port2's own subnet as the gateway (AWS reserves the first usable address of each subnet, here 10.0.3.1, for its router), so the VPC forwards the traffic across Availability Zones. For example, the static route created for the 10.0.4.0/24 network, from the CLI:

config router static
    edit 1
        set dst 10.0.4.0 255.255.255.0
        set gateway 10.0.3.1
        set device "port2"
    next
end

7. INSTANCE LOGIN

To log in to the instance in the internal subnet, use a remote desktop client and connect to the same URL as the firewall. The test drive comes with a Virtual IP on the firewall that forwards to the instance in the internal subnet, and a policy that allows traffic to the Virtual IP to reach the instance.

8. TESTING INTERNET

After logging in to the instance through remote desktop, test Internet connectivity by pinging www.fortinet.com; you should get ping replies.

9. TEST AND RESULTS

To simulate a failover, shut down the firewall you are logged in to. After a couple of minutes (how long depends on the health check Request Interval, Failure Threshold and record TTL set in step 5), the backup firewall in the other Availability Zone starts answering at the same URL. Log in to the instance through remote desktop again and check Internet connectivity by pinging www.fortinet.com.

LAB 2

URL Filtering - Blocking Facebook Traffic

Applying Web filtering to the outgoing traffic through the FortiGate cluster

The FortiGuard Web Filtering Service provides Web URL filtering for the subnets behind the FortiGates in any size of AWS environment. It enables FortiGate-VMs to block harmful, inappropriate, and dangerous websites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly granular policies that filter web access based on more than 75 web content categories and more than 47 million rated websites, all continuously updated via the FortiGuard Network.

FortiGuard® Web Filtering Service Benefits

■ Automated updates keep defenses up to date with the latest website ratings.
■ Granular blocking and filtering provides policy-based access control based on categories, websites, and individual pages.
■ URL database with more than 75 categories and more than 47 million rated websites.
■ Device-based licensing eliminates per-user fees to significantly lower entry cost and ongoing maintenance costs.
■ Push and pull update options provide the fastest possible update times.
■ Extensive coverage helps attain CIPA (US HR4577) and BECTA (UK) compliance.

Let’s look at how to configure a Web filter policy for the subnets behind the FortiGate firewall in AWS and see how it works. The FortiGate instances created with the test drive come with a firewall policy that allows Internet access from the internal subnet but has no security profiles applied to it.

1. VERIFYING FORTIGUARD SERVICES SUBSCRIPTION

Go to System > Dashboard > Status. In the License Information widget, verify that you have an active subscription to FortiGuard Web Filtering. If you have a subscription, the service has a green checkmark beside it.

2. EDITING THE WEB FILTER PROFILE

Go to Security Profiles > Web Filter and edit the default Web Filter profile.

Set Inspection Mode to Proxy.

Enable FortiGuard Categories; each category can be set to allow, block, monitor, warn, or authenticate depending on the type of content.

Under FortiGuard Categories, go to General Interest – Personal. Right-click the Social Networking subcategory and ensure it is set to Allow, so that the block configured below comes only from the static URL filter entry.

To prohibit one particular social networking site in that category, go to Static URL Filter, select Enable URL Filter, and click Create New.

For the new entry, enter the URL of the website you want to block. To block the site together with all of its subdomains, omit the protocol and start the entry with an asterisk (*). For this example, enter: *facebook.com

Set Type to Wildcard, Action to Block, and Status to Enable.

Note that the leading asterisk matches any prefix, not only subdomains: *facebook.com also matches a host such as myfacebook.com. If that is not intended, use *.facebook.com together with a second entry for facebook.com itself.

3. MODIFYING THE SECURITY POLICY

Go to Policy & Objects > Policy > IPv4 and edit the policy for the outbound traffic.

Under Security Profiles, enable Web Filter and select the default web filter profile.

This automatically enables SSL/SSH Inspection. Select certificate-inspection from the drop-down menu. With certificate inspection the FortiGate does not decrypt HTTPS; it reads the server name from the TLS handshake and certificate, which is enough to apply a hostname-based entry such as the one above to HTTPS traffic. Filtering on the path of an HTTPS URL requires deep inspection instead.

Ensure that the policy is at the top of the policy list. To move a policy up or down, click and drag the far-left column of the policy.
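The following script is an added example and not FortiGate code. It models how the wildcard entry from step 2 matches, so that a rule list can be tried against the guide's test sites before it is pushed to the firewall, and it shows the over-match of *facebook.com beside the tighter pair of entries. The model makes three assumptions: an asterisk matches any run of characters and every other character is literal, matching is done on the host name of the URL (which is all the FortiGate sees of an HTTPS request under certificate inspection), and entries are checked top down with the first match deciding. Confirm edge cases on the FortiGate itself; the rule lists and test URLs are constructed.

```python
"""Model of the Lab 2 static URL filter (Wildcard type, Block action); added example, not FortiGate code."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

BLOCK, ALLOW = "block", "allow"
Rule = Tuple[str, str]   # (wildcard pattern, action)


def host_of(url: str) -> str:
    """Lower-case host of a URL; bare hosts such as 'facebook.com' are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def wildcard_matches(pattern: str, url: str) -> bool:
    """Assumed wildcard semantics: '*' stands for any string, other characters are literal.

    The pattern is compared with the host name only (assumption; see lead-in).
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*")) + "$"
    return re.match(regex, host_of(url)) is not None


def decide(url: str, rules: List[Rule], default: str = ALLOW) -> str:
    """Entries are evaluated top down and the first match decides (assumption);
    with no match the category action applies, here Allow for Social Networking."""
    for pattern, action in rules:
        if wildcard_matches(pattern, url):
            return action
    return default


# The guide's single entry.
LAB_RULES: List[Rule] = [("*facebook.com", BLOCK)]

# Same intent without the over-match: facebook.com itself plus its subdomains only.
TIGHTER_RULES: List[Rule] = [("*.facebook.com", BLOCK), ("facebook.com", BLOCK)]

# Constructed test URLs: the guide's list plus two edge cases.
TEST_URLS = ["facebook.com", "attachments.facebook.com", "camdencc.facebook.com",
             "mariancollege.facebook.com", "https://www.facebook.com",
             "myfacebook.com", "http://www.fortinet.com/"]


if __name__ == "__main__":
    for url in TEST_URLS:
        print(f"{url:32} guide: {decide(url, LAB_RULES):5}  tighter: {decide(url, TIGHTER_RULES)}")
```

Running it shows every site from the Results list blocked under both rule sets, www.fortinet.com allowed under both, and myfacebook.com blocked only by the guide's single entry.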


RESULTS

From the instance in the internal subnet, visit the following sites to verify that your web filter is blocking websites ending in facebook.com:

facebook.com

attachments.facebook.com

camdencc.facebook.com

mariancollege.facebook.com

A FortiGuard Web Page Blocked! page should appear.

Visit https://www.facebook.com to verify that HTTPS protocol is blocked.

A Web Page Blocked! page should appear.


LAB 3

Creating a site to site IPSec VPN from the FortiGate in AWS and a physical device.

This use case demonstrates transparent communication using route-based IPsec VPNs between two networks. Network-1 (AWS) is located in the AWS environment and Network-2 (HQ) is located in an Office HQ/Branch Office behind a physical FortiGate. This use case is applicable to companies in pure-cloud or hybrid-cloud environments connecting from an on-prem FortiGate appliance to a virtual appliance in the Amazon VPC.

On test drive launch, two instances of the firewall are running in two Availability Zones so that the environment survives the failure of one Availability Zone.

At any given time one firewall instance is active and is reached through the DNS name provided by Amazon’s Route53. The VPN must be configured on both ends; the test drive walks through one AWS firewall. The same steps must be repeated on the firewall in the other AWS Availability Zone so that traffic keeps flowing after a failover. Note that each AWS firewall has its own Elastic IP (Lab 1, step 2), so the HQ side also needs a matching tunnel whose Remote Gateway is the second firewall's address; a single tunnel pointed at one firewall's IP does not follow the Route53 failover.

Wikipedia Note: Amazon Virtual Private Cloud (VPC) is a commercial cloud computing service that provides users a virtual private cloud, by “provision[ing] a logically isolated section of Amazon Web Services (AWS) Cloud”

Wikipedia Note: Amazon Route 53 (Route 53) is part of Amazon.com’s cloud computing platform, Amazon Web Services (AWS). Route 53 provides scalable and highly available Domain Name System (DNS). The name (Route 53) is a reference to TCP or UDP port 53, where DNS server requests are addressed.


1. CONFIGURING THE HQ IPSEC VPN

On the HQ FortiGate, go to VPN > IPsec > Wizard and select Site to Site – FortiGate.

In the Authentication step, set the AWS FortiGate’s public IP (its Elastic IP) as the Remote Gateway. After you enter the gateway, an available interface is assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set a secure Pre-shared Key.

In the Policy & Routing section, set Local Interface to your LAN interface. The Local Subnet is added automatically. Set Remote Subnets to the AWS FortiGate’s internal subnet (the subnet behind port2).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

2. CONFIGURING THE AWS IPSEC VPN

On the AWS FortiGate, go to VPN > IPsec > Wizard and select Site to Site – FortiGate.

In the Authentication step, set the HQ FortiGate’s public IP as the Remote Gateway. After you enter the gateway, an available interface is assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set the same Pre-shared Key that was used for HQ’s VPN.

In the Policy & Routing section, set Local Interface to port2. The Local Subnet is added automatically. Set Remote Subnets to the HQ FortiGate’s local subnet.

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.


3. RESULTS

A user on either network should be able to connect to any address on the other network transparently.

If you need to generate traffic to test the connection, ping the AWS FortiGate’s internal interface (port2) from HQ’s internal network.

Go to VPN > Monitor > IPsec Monitor to verify the status of the VPN tunnel. Ensure that its Status is Up and that traffic is flowing.

FEEDBACK

If you have any questions regarding installation or configuration, please contact [email protected].

If you have any questions regarding AWS Marketplace pricing, please contact [email protected].

FortiGate Free Trials can be accessed via the AWS Marketplace.

FortiWeb Free Trials can be accessed via the AWS Marketplace.

FortiGate VMs can be purchased via the AWS Marketplace.

FortiWeb VMs can be purchased via the AWS Marketplace.

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.

v1.1 07.08.15

www.fortinet.com