Fortinet Security Fabric over IPsec VPN


In this recipe, you will add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGates, in order to add a remote FortiGate to the Fortinet Security Fabric. You will also allow the remote FortiGate to access the FortiAnalyzer for logging.

If you do not already have an IPsec VPN tunnel configured, see Site-to-site IPsec VPN with two FortiGates.

This recipe requires FortiOS 5.6.1 or higher.

This recipe is in the Fortinet Security Fabric Collection. You can also use it as a standalone recipe.

In this example, the root FortiGate in the Security Fabric is an HA cluster called External and the remote FortiGate is called Branch.

1. Configuring the tunnel interfaces

In order for FortiTelemetry traffic to flow securely through the IPsec VPN, FortiTelemetry traffic must travel between the tunnel interfaces, with the interface on External listening for this traffic.

The tunnel interfaces require IP addresses. In this example, the External tunnel interface is assigned the IP address 1.1.1.1 and the Branch tunnel interface is assigned the IP address 1.1.1.2.

On External, go to Network > Interfaces and edit the tunnel interface.

Set IP to the local IP address for this interface (1.1.1.1) and Remote IP to the IP address of the Branch tunnel interface (1.1.1.2).

Under Administrative Access, enable FortiTelemetry.

 

On Branch, go to Network > Interfaces and edit the tunnel interface.

Set IP to the local IP address for this interface (1.1.1.2) and Remote IP to the IP address of the External tunnel interface (1.1.1.1).

 

2. Adding the tunnel interfaces to the VPN

On External, go to Policy & Objects > Addresses and create an address for the External tunnel interface.

Create a second address for the Branch tunnel interface.

For this address, enable Static Route Configuration.

Go to VPN > IPsec Tunnels and edit the VPN tunnel. Select Convert To Custom Tunnel.

Under Phase 2 Selectors, create a second Phase 2 allowing traffic between the External tunnel interface and the Branch tunnel interface.

 

Go to Network > Static Routes and create a route to the Branch tunnel interface.

Set Destination to Named Address and select the firewall address. Set Device to the tunnel interface.

 

Go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic.

Set Source to include the External tunnel interface and Destination to include the Branch tunnel interface.

 
Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

On Branch, repeat this step to include the following:

  • Addresses for both tunnel interfaces (the address for the Branch tunnel interface must have Static Route Configuration enabled)
  • A Phase 2 allowing traffic between the Branch tunnel interface and the External tunnel interface
  • A static route to the External tunnel interface
  • Edited policies that allow traffic to flow between the tunnel interfaces

Go to Monitor > IPsec Monitor and restart the VPN tunnel, allowing the new phase 2 to take effect.
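As an added illustration, not part of the original recipe, the following FortiOS CLI script performs steps 1 and 2 on External; Branch mirrors it with the addresses and direction swapped. The interface name ToBranch, the address and Phase 2 names, and the policy IDs 10 and 11 are assumptions to replace with your own. The remote-ip line is shown with a netmask, which FortiOS 6.x expects; 5.6 accepts the bare address. The recipe's 1.1.1.x addresses are kept for consistency, but because they are public addresses, a production deployment should use a range you own so that tunnel-endpoint routes cannot capture real Internet traffic.

```fortios
# External: tunnel interface gets its own IP, the peer's IP, and FortiTelemetry access.
# "fgfm" is the CLI name for the FortiTelemetry checkbox in the GUI.
config system interface
    edit "ToBranch"                          # assumed name of the existing IPsec tunnel interface
        set ip 1.1.1.1 255.255.255.255
        set remote-ip 1.1.1.2 255.255.255.255
        set allowaccess ping fgfm
    next
end

# Firewall addresses for both tunnel endpoints.
# allow-routing is the CLI name for "Static Route Configuration".
config firewall address
    edit "External_tunnel"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "Branch_tunnel"
        set subnet 1.1.1.2 255.255.255.255
        set allow-routing enable
    next
end

# Second Phase 2 selector restricted to the two tunnel endpoints,
# so only host-to-host telemetry traffic matches it.
config vpn ipsec phase2-interface
    edit "ToBranch_telemetry"                # assumed name
        set phase1name "ToBranch"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 1.1.1.1 255.255.255.255
        set dst-subnet 1.1.1.2 255.255.255.255
    next
end

# Static route to the Branch tunnel endpoint via the tunnel interface.
config router static
    edit 0
        set dstaddr "Branch_tunnel"
        set device "ToBranch"
    next
end

# Extend the two existing VPN policies with the tunnel addresses.
# "append" adds to the list without replacing the addresses already on the policy.
config firewall policy
    edit 10                                  # assumed ID: local -> VPN policy
        append srcaddr "External_tunnel"
        append dstaddr "Branch_tunnel"
    next
    edit 11                                  # assumed ID: VPN -> local policy
        append srcaddr "Branch_tunnel"
        append dstaddr "External_tunnel"
    next
end
```

After restarting the tunnel, `diagnose vpn tunnel list` on either FortiGate should show the new 1.1.1.1/32 to 1.1.1.2/32 selector alongside the original one; if it is missing, the Phase 2 on the two sides does not mirror and the telemetry traffic will fall outside the tunnel.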

3. Adding Branch to the Security Fabric

On Branch, go to Security Fabric > Settings and enable FortiGate Telemetry. Set the Group name and Group password of the Security Fabric.

 

Enable Connect to upstream FortiGate and set FortiGate IP to the IP address of the External tunnel interface.

Add lan to the list of FortiTelemetry enabled interfaces.

Go to Security Fabric > Logical Topology. Branch is shown connecting to External (identified by serial number in the screenshot) over the IPsec VPN tunnel. 

4. Allowing Branch to access the FortiAnalyzer

On Branch, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.

Enable Static Route Configuration.

Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the Branch tunnel interface and the FortiAnalyzer.

 

Go to Network > Static Routes and create a route to the FortiAnalyzer.

 
On External, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.
Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the FortiAnalyzer and the Branch tunnel interface.

Go to Policy & Objects > IPv4 Policy and create a policy allowing traffic from the VPN tunnel to the FortiAnalyzer.

Enable NAT for this policy.

On Branch, go to Security Fabric > Settings. Under FortiAnalyzer Logging, an error appears because Branch is not yet authorized on the FortiAnalyzer.

On the FortiAnalyzer, go to Device Manager > Unregistered. Select Branch, then select +Add to register Branch.

Branch now appears as Registered.
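Steps 3 and 4 expressed in FortiOS CLI, as an added example rather than the recipe's own configuration. The group name, the password placeholder, the FortiAnalyzer address 10.10.10.5 and the interface and object names (ToExternal, ToBranch, lan, port2, Branch_tunnel) are constructed or assumed; Branch_tunnel is the address created in step 2 on External. The first part runs on Branch, the second on External.

```fortios
# --- Branch: join the Security Fabric through the tunnel (step 3) ---
config system csf
    set status enable
    set group-name "Example_Fabric"          # constructed; must match the root FortiGate
    set group-password "<fabric-password>"   # placeholder
    set upstream-ip 1.1.1.1                  # External tunnel interface
end

# Add FortiTelemetry to the lan interface without removing its other admin access.
config system interface
    edit "lan"
        append allowaccess fgfm
    next
end

# --- Branch: reach the FortiAnalyzer through the tunnel (step 4) ---
config firewall address
    edit "FortiAnalyzer"
        set subnet 10.10.10.5 255.255.255.255  # constructed FortiAnalyzer address
        set allow-routing enable               # "Static Route Configuration"
    next
end

config vpn ipsec phase2-interface
    edit "ToExternal_faz"                     # assumed name
        set phase1name "ToExternal"           # assumed Branch tunnel name
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 1.1.1.2 255.255.255.255
        set dst-subnet 10.10.10.5 255.255.255.255
    next
end

config router static
    edit 0
        set dstaddr "FortiAnalyzer"
        set device "ToExternal"
    next
end

# --- External: mirrored selector and a NAT policy toward the FortiAnalyzer (step 4) ---
config firewall address
    edit "FortiAnalyzer"
        set subnet 10.10.10.5 255.255.255.255
    next
end

config vpn ipsec phase2-interface
    edit "ToBranch_faz"                       # assumed name
        set phase1name "ToBranch"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 10.10.10.5 255.255.255.255
        set dst-subnet 1.1.1.2 255.255.255.255
    next
end

# Only the Branch tunnel endpoint is permitted to reach the FortiAnalyzer;
# NAT hides the 1.1.1.2 source behind External's inside address.
config firewall policy
    edit 0
        set name "VPN_to_FortiAnalyzer"
        set srcintf "ToBranch"
        set dstintf "port2"                   # assumed interface facing the FortiAnalyzer
        set srcaddr "Branch_tunnel"
        set dstaddr "FortiAnalyzer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Restricting srcaddr to the tunnel endpoint rather than "all" keeps the policy from becoming a general path from the branch network into the management segment; if other branch hosts later need the FortiAnalyzer, add them explicitly.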

5. Results

On External, go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel. 

6. (Optional) Using local logging for Branch

If you would prefer to use local logging for Branch, rather than sending logs to a remote FortiAnalyzer, you can do so using the following CLI command:

config system csf
  set logging-mode local
end

You can then go to Log & Report > Log Settings and configure local logging as required.

This option is available for all FortiGates in the Security Fabric, except for the root FortiGate.

 

 

Victoria Martin, Technical Writer at Fortinet
Note for step 2: to add more than one interface to a policy's Source or Destination, you must have Multiple Interface Policies enabled. If you have not done this already, go to System > Feature Visibility.