Fortinet Security Fabric over IPsec VPN


In this recipe, you add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGate devices, in order to add a remote FortiGate to the Security Fabric. You also allow the remote FortiGate to access the FortiAnalyzer for logging.

If you do not already have a site-to-site VPN created, see Site-to-site IPsec VPN with two FortiGates.

This recipe is in the Fortinet Security Fabric Collection. You can also use it as a standalone recipe.

In this example, an HA cluster called Edge is the root FortiGate in the Security Fabric and a FortiGate called Branch is the remote FortiGate.

1. Configuring the tunnel interfaces

To configure Edge to listen for FortiTelemetry traffic over the VPN, connect to Edge, go to Network > Interfaces, and edit the tunnel interface.

Set IP to the local IP address for this interface (10.10.10.1) and Remote IP/Network mask to the IP address for the Branch tunnel interface (10.10.10.2/32).

Under Administrative Access, enable FortiTelemetry.

Connect to Branch, go to Network > Interfaces, and edit the tunnel interface.

Set IP to the local IP address for this interface (10.10.10.2) and Remote IP/Network mask to the IP address for the Edge tunnel interface (10.10.10.1/32).

2. Adding the tunnel interfaces to the VPN

To create an address for the Edge tunnel interface, connect to Edge, go to Policy & Objects > Addresses, and create a new address.

Set Category to Address and set Subnet/IP Range to the IP address for the Edge tunnel interface (10.10.10.1/32).

Create a second address for the Branch tunnel interface. For this address, enable Static Route Configuration.

To allow VPN traffic between the Edge tunnel interface and the Branch tunnel interface, go to VPN > IPsec Tunnels, and edit the VPN tunnel. Select Convert To Custom Tunnel.

Under Phase 2 Selectors, create a new Phase 2. Set Local Address to use a Named Address and select the address for the Edge tunnel interface. Set Remote Address to use a Named Address, and select the address for the Branch tunnel interface.

To route traffic to the Branch tunnel interface, go to Network > Static Routes, and create a new route.

Set Destination to Named Address, and select the address for the Branch tunnel interface. Set Device to the tunnel interface.

To allow traffic between the tunnel interfaces, go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic.

Set Source to include the Edge tunnel interface and Destination to include the Branch tunnel interface.

Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

On Branch, repeat this step to include the following:

  • Addresses for both tunnel interfaces (enable Static Route Configuration for the Branch tunnel interface address)
  • A Phase 2 that allows traffic between the Branch tunnel interface and the Edge tunnel interface
  • A static route to the Edge tunnel interface
  • Edited policies that allow traffic to flow between the tunnel interfaces

To allow the new Phase 2 to take effect, go to Monitor > IPsec Monitor, and restart the VPN tunnel.

3. Authorizing Branch for the Security Fabric

You can authorize a FortiGate, FortiAP, or FortiSwitch to join the Security Fabric by using the device’s serial number, rather than sharing the password for the Security Fabric.

To authorize Branch, connect to Edge, and enter the following CLI command:

config system csf
  config trusted-list
    edit <serial_number>
    next
  end
end

To add Branch to the Security Fabric, connect to Branch, and go to Security Fabric > Settings.

Enable FortiGate Telemetry. Set the Group name. Leave Group password blank. Enable Connect to upstream FortiGate. Set FortiGate IP to the IP address of the Edge tunnel interface.

To verify that Branch is now part of the Security Fabric, connect to Edge, and go to Security Fabric > Settings. Branch appears in the Topology.

4. Allowing Branch to access the FortiAnalyzer

To create an address for the FortiAnalyzer, connect to Branch, go to Policy & Objects > Addresses, and create a new address. Enable Static Route Configuration.

To allow VPN traffic between the FortiAnalyzer and the Branch tunnel interface, go to VPN > IPsec Tunnels, and create a new Phase 2.

To route traffic to the FortiAnalyzer, go to Network > Static Routes, and create a new route.

On Edge, repeat this step to create an address for FortiAnalyzer and a new Phase 2 that allows traffic between the FortiAnalyzer and the Branch tunnel interface. Edge doesn’t require a new static route.

To allow traffic between Branch and the FortiAnalyzer, go to Policy & Objects > IPv4 Policy, and create a new policy.

Set Incoming Interface to the VPN interface, and set Outgoing Interface to the interface that connects to the FortiAnalyzer (in the example, port16). Set Source to the Branch tunnel interface, and set Destination to the FortiAnalyzer.

Enable NAT for this policy.

To authorize the Branch FortiGate on the FortiAnalyzer, connect to the FortiAnalyzer, and go to Device Manager > Unregistered.

Select Branch, then select +Add to register Branch.

Branch now appears as Registered.
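The Edge-side objects from steps 2 and 4 can also be entered in the FortiOS CLI. This is an added example, not configuration from the original recipe; it assumes the existing Phase 1 is named "to-Branch", the FortiAnalyzer sits at the placeholder address 203.0.113.10 behind port16, and it shows that the policy admits only the Branch tunnel address to the FortiAnalyzer, not the whole remote site.

```text
# Edge: step 2 address objects (Branch address is routable so the static route can use it)
config firewall address
    edit "Edge_tunnel"
        set subnet 10.10.10.1 255.255.255.255
    next
    edit "Branch_tunnel"
        set subnet 10.10.10.2 255.255.255.255
        set allow-routing enable
    next
    edit "FortiAnalyzer"
        set subnet 203.0.113.10 255.255.255.255
    next
end
# Phase 2 selectors on the existing tunnel (Phase 1 name "to-Branch" is assumed)
config vpn ipsec phase2-interface
    edit "to-Branch-telemetry"
        set phase1name "to-Branch"
        set src-addr-type name
        set src-name "Edge_tunnel"
        set dst-addr-type name
        set dst-name "Branch_tunnel"
    next
    edit "to-Branch-faz"
        set phase1name "to-Branch"
        set src-addr-type name
        set src-name "FortiAnalyzer"
        set dst-addr-type name
        set dst-name "Branch_tunnel"
    next
end
# Route to the Branch tunnel address through the tunnel interface
config router static
    edit 0
        set dstaddr "Branch_tunnel"
        set device "to-Branch"
    next
end
# Step 4 policy: only the Branch tunnel address may reach the FortiAnalyzer
config firewall policy
    edit 0
        set srcintf "to-Branch"
        set dstintf "port16"
        set srcaddr "Branch_tunnel"
        set dstaddr "FortiAnalyzer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Branch needs the mirror image (addresses, a Phase 2 with the selectors reversed, static routes to the Edge tunnel address and to the FortiAnalyzer), plus the Security Fabric settings from step 3.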

5. Results

To view Branch as part of the Security Fabric topology, connect to Edge and go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel.

6. Desynchronizing Branch from the FortiAnalyzer, FortiSandbox, and FortiManager (optional)

If you don’t want Branch to automatically use the settings that Edge pushes for the FortiAnalyzer, FortiSandbox, and FortiManager, use the following CLI command to configure these settings locally:

config system csf
  set configuration-sync local
end

Go to Security Fabric > Settings. You can now configure the settings for FortiAnalyzer logging, Central Management, and Sandbox Inspection. You can also choose to use local logging rather than sending logs to a FortiAnalyzer.

This option is available for all FortiGate devices in the Security Fabric, except for the root FortiGate.

For further reading, check out Configuring the Security Fabric in the FortiOS 6.0 Online Help.

Note: To configure the policies in this recipe, you must have Multiple Interface Policies enabled. If you have not done this already, go to System > Feature Visibility.

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.