Security Fabric over IPsec VPN


In this recipe, you will add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGates, in order to add a remote FortiGate to your Security Fabric. You will also allow the remote FortiGate to access the FortiAnalyzer for logging.

If you do not already have an IPsec VPN tunnel configured, see Site-to-site IPsec VPN with two FortiGates.

This recipe requires FortiOS 5.6.1 or higher.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

In this example, the root FortiGate in the Security Fabric is an HA cluster called External and the remote FortiGate is called Branch.

1. Configuring the tunnel interfaces

For FortiTelemetry traffic to flow through the IPsec VPN, it must be sent between the two tunnel interface addresses, so that it matches a Phase 2 selector of the tunnel, and the tunnel interface on External must be listening for it (FortiTelemetry administrative access).

The tunnel interfaces therefore require IP addresses. In this example, the External tunnel interface is assigned the IP address 1.1.1.1 and the Branch tunnel interface is assigned 1.1.1.2. Note that 1.1.1.0/24 is publicly routed address space; in your own deployment, use addresses from a private range that is not used anywhere else on either side of the tunnel.

On External, go to Network > Interfaces and edit the tunnel interface.

Set IP to the address of this interface (1.1.1.1) and Remote IP to the address of the Branch tunnel interface (1.1.1.2).

Under Administrative Access, enable FortiTelemetry.


On Branch, go to Network > Interfaces and edit the tunnel interface.

Set IP to the address of this interface (1.1.1.2) and Remote IP to the address of the External tunnel interface (1.1.1.1).


2. Adding the tunnel interfaces to the VPN

On External, go to Policy & Objects > Addresses and create an address for the External tunnel interface (a single host, 1.1.1.1/32).

Create a second address for the Branch tunnel interface (1.1.1.2/32).

For this second address, enable Static Route Configuration, so that it can be selected as the destination of a static route.

Go to VPN > IPsec Tunnels and edit the VPN tunnel. Select Convert To Custom Tunnel.

Under Phase 2 Selectors, create a second Phase 2 allowing traffic between the External tunnel interface (local address 1.1.1.1/32) and the Branch tunnel interface (remote address 1.1.1.2/32). The existing Phase 2 for the LAN subnets stays as it is.


Go to Network > Static Routes and create a route to the Branch tunnel interface.

Set Destination to Named Address and select the Branch tunnel interface address. Set Device to the tunnel interface.


Go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic.

Set Source to include the External tunnel interface address and Destination to include the Branch tunnel interface address.

Edit the policy allowing remote VPN traffic in the same way, to include the tunnel interface addresses (the Branch address as Source and the External address as Destination).

On Branch, repeat this step to include the following:

  • Addresses for both tunnel interfaces (on Branch, the address for the External tunnel interface must have Static Route Configuration enabled, because that is the one used as the route destination)
  • A Phase 2 allowing traffic between the Branch tunnel interface and the External tunnel interface
  • A static route to the External tunnel interface
  • Edited policies that allow traffic to flow between the tunnel interfaces

Go to Monitor > IPsec Monitor and bring the VPN tunnel down and back up, so that the new Phase 2 is negotiated. Until both peers have the matching selector, traffic between the tunnel addresses is dropped at the tunnel interface rather than encrypted.
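The same configuration from the CLI, as an added example that is not part of the original recipe. The names are assumptions: the existing tunnel interface is called "ToBranch" on External and "ToExternal" on Branch, the LAN interface is "lan" on both, and the existing VPN policies are IDs 3 (lan to tunnel) and 4 (tunnel to lan). Syntax follows FortiOS 5.6; the "fabric" allowaccess keyword for FortiTelemetry and the single-argument "set remote-ip" are assumptions to check against your release (later releases take a netmask on remote-ip).

```text
# Added example, not from the original recipe. Assumed names: "ToBranch",
# "ToExternal", "lan", policy IDs 3 and 4 (see lead-in). FortiOS 5.6 syntax;
# "fabric" (FortiTelemetry access) and "set remote-ip <addr>" are assumptions.

# ---------- External (root FortiGate) ----------
config system interface
    edit "ToBranch"
        set ip 1.1.1.1 255.255.255.255
        set remote-ip 1.1.1.2
        set allowaccess ping fabric        # External listens for FortiTelemetry here
    next
end

config firewall address
    edit "External-tunnel-ip"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "Branch-tunnel-ip"
        set subnet 1.1.1.2 255.255.255.255
        set allow-routing enable           # GUI: Static Route Configuration
    next
end

# Second Phase 2: host-to-host selector between the two tunnel addresses.
config vpn ipsec phase2-interface
    edit "ToBranch-telemetry"
        set phase1name "ToBranch"
        set src-subnet 1.1.1.1 255.255.255.255
        set dst-subnet 1.1.1.2 255.255.255.255
    next
end

# Route the peer's tunnel address into the tunnel (GUI: Destination = Named Address).
config router static
    edit 0
        set dstaddr "Branch-tunnel-ip"
        set device "ToBranch"
    next
end

# Add the tunnel addresses to the existing VPN policies.
config firewall policy
    edit 3
        append srcaddr "External-tunnel-ip"
        append dstaddr "Branch-tunnel-ip"
    next
    edit 4
        append srcaddr "Branch-tunnel-ip"
        append dstaddr "External-tunnel-ip"
    next
end

# ---------- Branch (mirror image: the two addresses swap roles) ----------
config system interface
    edit "ToExternal"
        set ip 1.1.1.2 255.255.255.255
        set remote-ip 1.1.1.1              # no FortiTelemetry access needed on Branch's tunnel
    next
end
config firewall address
    edit "Branch-tunnel-ip"
        set subnet 1.1.1.2 255.255.255.255
    next
    edit "External-tunnel-ip"
        set subnet 1.1.1.1 255.255.255.255
        set allow-routing enable           # this one is the route destination on Branch
    next
end
config vpn ipsec phase2-interface
    edit "ToExternal-telemetry"
        set phase1name "ToExternal"
        set src-subnet 1.1.1.2 255.255.255.255
        set dst-subnet 1.1.1.1 255.255.255.255
    next
end
config router static
    edit 0
        set dstaddr "External-tunnel-ip"
        set device "ToExternal"
    next
end
# Branch policies: append the two addresses to its lan <-> ToExternal policies as above.

# ---------- Restart and verify (run on either side, names as for External) ----------
diagnose vpn ike gateway clear name "ToBranch"   # tears the tunnel down; it renegotiates
diagnose vpn tunnel list name "ToBranch"         # expect an SA for 1.1.1.1/32 <-> 1.1.1.2/32
execute ping-options source 1.1.1.1
execute ping 1.1.1.2                             # source-bound ping must cross the tunnel
```

The verification ping is source-bound on purpose: a plain ping to 1.1.1.2 would leave from the egress interface address and not match the new selector, so it tests the wrong thing.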

3. Adding Branch to the Security Fabric

On Branch, go to Security Fabric > Settings and enable FortiGate Telemetry. Set the Group name and Group password of the Security Fabric.


Enable Connect to upstream FortiGate and set FortiGate IP to the IP address of the External tunnel interface.

Add lan to the list of FortiTelemetry enabled interfaces, so that Branch can in turn accept downstream FortiGates on its LAN.

Go to Security Fabric > Logical Topology. Branch is shown connecting to External (identified by its serial number) over the IPsec VPN tunnel.

4. Allowing Branch to access the FortiAnalyzer

On Branch, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.

Enable Static Route Configuration.

Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the Branch tunnel interface and the FortiAnalyzer.


Go to Network > Static Routes and create a route to the FortiAnalyzer.

On External, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.

Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the FortiAnalyzer and the Branch tunnel interface (the mirror image of the Phase 2 created on Branch).

Go to Policy & Objects > IPv4 Policy and create a policy allowing traffic from the VPN tunnel to the FortiAnalyzer.

Enable NAT for this policy. With NAT, the FortiAnalyzer sees log traffic from Branch as coming from External's interface address rather than from 1.1.1.2, so it needs no route back through the tunnel; without NAT you would have to add that route on the FortiAnalyzer.

On Branch, go to Security Fabric > Settings. Under FortiAnalyzer Logging, an error appears because Branch is not yet authorized on the FortiAnalyzer.

On the FortiAnalyzer, go to Device Manager > Unregistered. Select Branch, then select +Add to register it.

Branch now appears as Registered.
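Steps 3 and 4 from the CLI, with the checks to run before registering Branch on the FortiAnalyzer, as an added example that is not part of the original recipe. The names and values are assumptions: the tunnel interfaces are "ToBranch" (External, 1.1.1.1) and "ToExternal" (Branch, 1.1.1.2), the address object "Branch-tunnel-ip" (1.1.1.2/32) already exists on External from step 2, the FortiAnalyzer is 192.168.65.20 behind External's "lan" interface, and the Fabric is named "Office-Security-Fabric". The "fabric" allowaccess keyword and the "diagnose sys csf" command are assumed to match your FortiOS 5.6 release.

```text
# Added example, not from the original recipe. Assumed: "ToBranch"/"ToExternal",
# "lan", "Branch-tunnel-ip", FortiAnalyzer 192.168.65.20, group name
# "Office-Security-Fabric" (see lead-in). "fabric" and "diagnose sys csf" are assumptions.

# ---------- Branch: join the Fabric through the tunnel (step 3) ----------
config system csf
    set status enable
    set upstream-ip 1.1.1.1                # External's tunnel interface address
    set group-name "Office-Security-Fabric"
    set group-password "<group-password>"  # must match the root FortiGate
end
config system interface
    edit "lan"
        set allowaccess ping https ssh fabric   # FortiTelemetry for downstream FortiGates
    next
end

# ---------- Branch: reach the FortiAnalyzer through the tunnel (step 4) ----------
config firewall address
    edit "FortiAnalyzer"
        set subnet 192.168.65.20 255.255.255.255
        set allow-routing enable           # GUI: Static Route Configuration
    next
end
config vpn ipsec phase2-interface
    edit "ToExternal-faz"
        set phase1name "ToExternal"
        set src-subnet 1.1.1.2 255.255.255.255
        set dst-subnet 192.168.65.20 255.255.255.255
    next
end
config router static
    edit 0
        set dstaddr "FortiAnalyzer"
        set device "ToExternal"
    next
end

# ---------- External: accept that traffic and hand it to the FortiAnalyzer ----------
config firewall address
    edit "FortiAnalyzer"
        set subnet 192.168.65.20 255.255.255.255
    next
end
config vpn ipsec phase2-interface
    edit "ToBranch-faz"
        set phase1name "ToBranch"
        set src-subnet 192.168.65.20 255.255.255.255
        set dst-subnet 1.1.1.2 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "Branch-to-FortiAnalyzer"
        set srcintf "ToBranch"
        set dstintf "lan"
        set srcaddr "Branch-tunnel-ip"
        set dstaddr "FortiAnalyzer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable     # FortiAnalyzer replies to External's lan address, no route to 1.1.1.2 needed
    next
end

# ---------- Checks on Branch ----------
diagnose sys csf upstream                  # should show External (by serial) at 1.1.1.1
diagnose vpn tunnel list name "ToExternal" # both added Phase 2 selectors should have SAs
execute ping-options source 1.1.1.2
execute ping 192.168.65.20                 # must succeed before registration will work
execute log fortianalyzer test-connectivity
```

Once registration works, narrow the External policy's service from ALL to the FortiAnalyzer log transport (OFTP on TCP 514 by default) so that the tunnel address can reach nothing else on the LAN.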

5. Results

On External, go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel. 

6. (Optional) Using local logging for Branch

If you would prefer to use local logging for Branch, rather than sending logs to a remote FortiAnalyzer, you can do so using the following CLI command:

config system csf
  set logging-mode local
end

You can then go to Log & Report > Log Settings and configure local logging as required.

This option is available for all FortiGates in the Security Fabric, except for the root FortiGate.

Note: To configure policies with more than one interface, you must have Multiple Interface Policies enabled. If you have not done this already, go to System > Feature Visibility.

Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Johnny Wahlen

    Looking to do this but it’s not working… What do I have to do to get a remote firewall in the fabric?

    • Victoria Martin

      Hi Johnny,

      I’m still working on this recipe but I can tell you the basics: you need to use FortiOS 5.6.1 or higher, so that the root FortiGate can have FortiTelemetry access allowed on the tunnel interface. Both tunnel interfaces will also require IP addresses and you will need a phase 2 allowing access between the tunnel interfaces.

      • Johnny Wahlen

        Thanks that worked!!

  • Hans Voggenauer

    Hi Mrs Martin,
    how long does it take to publish this article?
    Thank You

    • Victoria Martin

      Hello Hans,

      This recipe is still being worked on and I hope to have it published soon.

    • Victoria Martin

      Hello Hans, I just wanted to let you know that the recipe is now available.

  • Jean-Baptiste Billet

    Hello,

    How is it possible to get a password for this article?

    Thank you

    • Victoria Martin

      Hello Jean-Baptiste,

      This recipe is still in the works; once it is ready it will be published without a password.

      • Jean-Baptiste Billet

        Thank you

        • Victoria Martin

          Hello Jean-Baptiste, I just wanted to let you know that the recipe is now available.