Security Fabric over IPsec VPN – FortiOS 6.2

Security Fabric over IPsec VPN

This recipe provides an example of configuring Security Fabric over IPsec VPN.

The following sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec VPN to join the Security Fabric.

To configure the root FortiGate (HQ1):

  1. Configure the interfaces:
    1. In the root FortiGate (HQ1), go to Network > Interfaces.
    2. Edit port2:
      • Set Role to WAN.
      • For the interface connected to the Internet, set the IP/Network Mask to 2.200.1/255.255.255.0.
    3. Edit port6:
      • Set Role to DMZ.
      • For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.8.250/255.255.255.0.
  2. Configure the static route to connect to the Internet:
    1. Go to Network > Static Routes and click Create New.
    2. Set Destination to 0.0.0.0/0.0.0.0.
    3. Set Interface to port2.
    4. Set Gateway Address to 2.200.2.
  3. Configure the IPsec VPN:
    1. Go to VPN > IPsec Wizard.
    2. Set VPN Name to To-HQ2.
    3. Set Template Type to Custom.
    4. Click Next.
    5. Set Authentication Method to Pre-shared Key.
    6. Set Pre-shared Key to 123456.
    7. Leave all other fields at their default values and click OK.
  4. Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
    1. Go to Network > Interfaces.
    2. Edit To-HQ2:
      • Set Role to LAN.
      • Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
      • Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
  5. Configure the IPsec VPN local and remote subnets:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New:
      • Set Name to To-HQ2_local_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 192.168.8.0/24.
      • Click OK.
    3. Click Create New:
      • Set Name to To-HQ2_remote_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 10.1.100.0/24.
      • Click OK.
    4. Click Create New:
      • Set Name to To-HQ2_remote_subnet_2.
      • Set Type to Subnet.
      • Set IP/Network Mask to 10.10.10.3/32.
      • Click OK.
  6. Configure the IPsec VPN static routes:
    1. Go to Network > Static Routes and click Create New.
      • For Destination, select Named Address and select To-HQ2_remote_subnet_1.
      • Set Interface to To-HQ2.
      • Click OK.
    2. Click Create New.
      • For Destination, select Named Address and select To-HQ2_remote_subnet_1.
      • Set Interface to Blackhole.
      • Set Administrative Distance to 254.
      • Click OK.
  7. Configure the IPsec VPN policies:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
      • Set Name to vpn_To-HQ2_local.
      • Set Incoming Interface to port6.
      • Set Outgoing Interface to To-HQ2.
      • Set Source to To-HQ2_local_subnet_1.
      • Set Destination to To-HQ2_remote_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Disable NAT.
    2. Click Create New.
      • Set Name to vpn_To-HQ2_remote.
      • Set Incoming Interface to To-HQ2.
      • Set Outgoing Interface to port6.
      • Set Source to To-HQ2_remote_subnet_1 and To-HQ2_remote_subnet_2.
      • Set Destination to To-HQ2_local_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Enable NAT.
      • Set IP Pool Configuration to Use Outgoing Interface Address.
  8. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Set Group name to Office-Security-Fabric.
    4. In FortiTelemetry enabled interfaces, add the VPN interface To-HQ2.
    5. Set IP address to the FortiAnalyzer IP of 192.168.8.250.

After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled automatically and Upload is set to Real Time.

To configure the downstream FortiGate (HQ2):

  1. Configure the interfaces:
    1. Go to Network > Interfaces.
    2. Edit interface wan1:
      • Set Role to WAN.
      • For the interface connected to the Internet, set the IP/Network Mask to 192.168.7.3/255.255.255.0.
    3. Edit interface vlan20:
      • Set Role to LAN.
      • For the interface connected to the local endpoint clients, set the IP/Network Mask to 10.1.100.3/255.255.255.0.
  2. Configure the static route to connect to the Internet:
    1. Go to Network > Static Routes and click Create New.
    2. Set Destination to 0.0.0.0/0.0.0.0.
    3. Set Interface to wan1.
    4. Set Gateway Address to 192.168.7.2.
  3. Configure the IPsec VPN:
    1. Go to VPN > IPsec Wizard.
    2. Set VPN Name to To-HQ1.
    3. Set Template Type to Custom.
    4. Click Next.
    5. In the Network section, set IP Address to 2.200.1.
    6. Set Interface to wan1.
    7. Set Authentication Method to Pre-shared Key.
    8. Set Pre-shared Key to 123456.
    9. Leave all other fields at their default values and click OK.
  4. Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
    1. Go to Network > Interfaces.
    2. Edit To-HQ1:
      • Set Role to WAN.
      • Set the IP/Network Mask to 10.10.10.3/255.255.255.255.
      • Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.
  5. Configure the IPsec VPN local and remote subnets:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New:
      • Set Name to To-HQ1_local_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 10.1.100.0/24.
      • Click OK.
    3. Click Create New:
      • Set Name to To-HQ1_remote_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 192.168.8.0/24.
      • Click OK.
  6. Configure the IPsec VPN static routes:
    1. Go to Network > Static Routes and click Create New.
      • For Destination, select Named Address and select To-HQ1_remote_subnet_1.
      • Set Interface to To-HQ1.
      • Click OK.
    2. Click Create New.
      • For Destination, select Named Address and select To-HQ1_remote_subnet_1.
      • Set Interface to Blackhole.
      • Set Administrative Distance to 254.
      • Click OK.
  7. Configure the IPsec VPN policies:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
      • Set Name to vpn_To-HQ1_local.
      • Set Incoming Interface to vlan20.
      • Set Outgoing Interface to To-HQ1.
      • Set Source to To-HQ1_local_subnet_1.
      • Set Destination to To-HQ1_remote_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Disable NAT.
    2. Click Create New.
      • Set Name to vpn_To-HQ1_remote.
      • Set Incoming Interface to To-HQ1.
      • Set Outgoing Interface to vlan20.
      • Set Source to To-HQ1_remote_subnet_1.
      • Set Destination to To-HQ1_local_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Disable NAT.
  8. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Enable Connect to upstream FortiGate.
    4. Set FortiGate IP to 10.10.10.1.

After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled automatically. The FortiAnalyzer settings are retrieved by the downstream FortiGate (HQ2) when it connects to the root FortiGate (HQ1).

To authorize the downstream FortiGate (HQ2) on the root FortiGate (HQ1):

In the root FortiGate (HQ1), go to Security Fabric > Settings.

The Topology field highlights the connected FortiGate (HQ2) with its serial number and asks you to authorize the highlighted device.

  1. Select the highlighted FortiGate and select Authorize.

After authorization, the downstream FortiGate (HQ2) appears in the Topology field in Security Fabric > Settings. This means the downstream FortiGate (HQ2) has successfully joined the Security Fabric.

To check the Security Fabric over IPsec VPN:

  1. On the root FortiGate (HQ1), go to Security Fabric > Physical Topology.

The root FortiGate (HQ1) is shown connected to the downstream FortiGate (HQ2), with a VPN icon between them.

  2. On the root FortiGate (HQ1), go to Security Fabric > Logical Topology.

The root FortiGate (HQ1) VPN interface To-HQ2 is shown connected to the downstream FortiGate (HQ2) VPN interface To-HQ1, with a VPN icon between them.

To run diagnose commands:

  1. Run the diagnose sys csf authorization pending-list command on the root FortiGate (HQ1) to show the downstream FortiGate that is pending authorization by the root FortiGate:

HQ1 # diagnose sys csf authorization pending-list
Serial                  IP Address      HA-Members      Path
----------------------------------------------------------------
FG101ETK18002187        0.0.0.0                         FG3H1E5818900718:FG101ETK18002187

  2. Run the diagnose sys csf downstream command on the root FortiGate (HQ1) to show the downstream FortiGate (HQ2) after it joins the Security Fabric:

HQ1 # diagnose sys csf downstream
1:    FG101ETK18002187 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718 path:FG3H1E5818900718:FG101ETK18002187
data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443 authorizer:FG3H1E5818900718

  3. Run the diagnose sys csf upstream command on the downstream FortiGate (HQ2) to show the root FortiGate (HQ1) after the downstream FortiGate joins the Security Fabric:

HQ2 # diagnose sys csf upstream
Upstream Information:
Serial Number:FG3H1E5818900718
IP:10.10.10.1
Connecting interface:To-HQ1
Connection status:Authorized
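The pending-list and downstream outputs above (and the same outputs from Edge and Marketing in the next recipe) are what the root administrator has to judge before clicking Authorize: a serial you did not deploy should never be authorized, and a member that joined through an interface other than the VPN tunnel deserves a look. The following Python script is an added example, not part of the recipe or of FortiOS; it parses both outputs and checks them against an assumed inventory (the EXPECTED map and ROOT_SERIAL are taken from the sample output and are hypothetical for any other deployment).

```python
import re

# Constructed sample input: the HQ1 outputs shown in the recipe above.
PENDING_LIST = """\
HQ1 # diagnose sys csf authorization pending-list
Serial                  IP Address      HA-Members      Path
----------------------------------------------------------------
FG101ETK18002187        0.0.0.0                         FG3H1E5818900718:FG101ETK18002187
"""
DOWNSTREAM = """\
HQ1 # diagnose sys csf downstream
1:    FG101ETK18002187 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718 path:FG3H1E5818900718:FG101ETK18002187
data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443 authorizer:FG3H1E5818900718
"""
ROOT_SERIAL = "FG3H1E5818900718"
# Assumed inventory (hypothetical): serial -> root interface it is expected to join through.
EXPECTED = {"FG101ETK18002187": "To-HQ2"}
SERIAL = r"FG[0-9A-Z]{14}"  # FortiGate serial numbers are 16 characters

def parse_pending(text):
    """Serials waiting for root authorization: one per data row (header and prompt skipped)."""
    return [m[1] for m in (re.match(rf"^({SERIAL})\s", ln) for ln in text.splitlines()) if m]

def parse_downstream(text):
    """One dict per member: the numbered line plus its following 'data received' line."""
    members = []
    for ln in text.splitlines():
        head = re.match(rf"^\d+:\s+({SERIAL}) \(([\d.]+)\).*parent:\s*({SERIAL})", ln)
        if head:
            members.append({"serial": head[1], "ip": head[2], "parent": head[3]})
        elif ln.startswith("data received:") and members:
            kv = dict(re.findall(r"(data received|downstream intf|upstream intf|authorizer):\s*(\S+)", ln))
            members[-1].update(data_received=kv["data received"] == "Y", authorizer=kv["authorizer"],
                               downstream_intf=kv["downstream intf"], upstream_intf=kv["upstream intf"])
    return members

def audit(pending_text, downstream_text, root=ROOT_SERIAL, expected=EXPECTED):
    """Findings a root admin should resolve before clicking Authorize (or after a join)."""
    findings = []
    for s in parse_pending(pending_text):
        if s not in expected:
            findings.append(f"pending: {s} is not in the inventory; do not authorize")
    joined = set()
    for m in parse_downstream(downstream_text):
        joined.add(m["serial"])
        if m["serial"] not in expected:
            findings.append(f"member: {m['serial']} ({m['ip']}) is not in the inventory")
            continue
        if m["authorizer"] != root or m["parent"] != root:
            findings.append(f"member: {m['serial']} authorized by {m['authorizer']}, not the root")
        if m["upstream_intf"] != expected[m["serial"]]:
            findings.append(f"member: {m['serial']} joined via {m['upstream_intf']}, "
                            f"expected {expected[m['serial']]}")
        if not m["data_received"]:
            findings.append(f"member: {m['serial']} joined but no telemetry received")
    for s in expected.keys() - joined:
        findings.append(f"missing: {s} has not joined the Fabric")
    return findings
```

With the sample output the audit returns no findings; paste the real CLI output into the two strings to run it against your own Fabric.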

Viewing and controlling network risks via topology view

This recipe shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

This recipe consists of the following steps:

  1. Configure the root FortiGate.
  2. Configure the downstream FortiGate.
  3. Authorize the downstream FortiGate on the root FortiGate.
  4. Authorize the Security Fabric FortiGates on the FortiAnalyzer.
  5. View the compromised endpoint host.
  6. Quarantine the compromised endpoint host.
  7. Run diagnose commands.

To configure the root FortiGate:

  1. Configure the interfaces:
    1. In FortiOS on the root FortiGate, go to Network > Interfaces.
    2. Edit port4. Set the role to WAN and set the IP/Network Mask to 192.168.5.2/255.255.255.0 for the interface that is connected to the Internet.
    3. Edit port6. Set the role to DMZ and set the IP/Network Mask to 192.168.8.2/255.255.255.0 for the interface that is connected to FortiAnalyzer.
    4. Edit port5. Set the Addressing mode to Dedicated to FortiSwitch for the interface that is connected to the Distribution FortiSwitch.
    5. Return to Network > Interfaces and click Create New. For the new interface, set the Name to vlan70, Type to VLAN, Interface to port5, VLAN ID to 70, Role to LAN, and IP/Network Mask to 192.168.7.2/255.255.255.0.
  2. Authorize the Distribution FortiSwitch:
    1. Go to WiFi & Switch Controller > Managed FortiSwitch.
    2. Click the FortiGate icon, then click Edit. Set the Name to Distribution-Switch, enable the Authorized option, then click OK.
    3. Click the FortiSwitch port1 icon. For port1's Native VLAN, select vlan70.
  3. Configure the default static route to connect to the Internet. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select port4 as the Interface, and set the Gateway Address to 192.168.5.254.
  4. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Configure a group name.
    4. In FortiTelemetry enabled interfaces, add vlan70.
    5. FortiAnalyzer logging is enabled and the Upload option is set to Real Time after FortiGate Telemetry is enabled. Set the IP address to the FortiAnalyzer IP address, which in this example is 192.168.8.250. The FortiAnalyzer settings are retrieved when the downstream FortiGate connects to the root FortiGate.
  5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet1.
    2. Set the Source Interface to vlan70 and the Destination Interface to port4.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
  6. Create an address for the FortiAnalyzer:
    1. Go to Policy & Objects > Addresses. Click Create New, then Address.
    2. Set the Name to FAZ-addr.
    3. Set the Type to Subnet.
    4. Set the Subnet/IP Range to 192.168.8.250/32.
    5. Set the Interface to Any.
  7. Create a policy for the downstream FortiGate to access the FortiAnalyzer. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-Resources.
    2. Set the Source Interface to vlan70 and the Destination Interface to port6.
    3. Set the Source Address to all and the Destination Address to FAZ-addr.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate:

  1. Configure the interface:
    1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
    2. Edit wan1. Set the role to WAN and set the IP/Network Mask to 192.168.7.3/255.255.255.0 for the interface that is connected to the root FortiGate.
    3. Edit wan2. Set the Addressing mode to Dedicated to FortiSwitch for the interface that is connected to the Access FortiSwitch.
    4. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan20, Type to VLAN, Interface to wan2, VLAN ID to 20, Role to LAN, and IP/Network Mask to 10.1.100.3/255.255.255.0.
  2. Authorize the Access FortiSwitch:
    1. Go to WiFi & Switch Controller > Managed FortiSwitch.
    2. Click the FortiGate icon, then click Edit. Set the Name to Access-Switch, enable the Authorized option, then click OK.
    3. Click the FortiSwitch port2 icon. For port2’s Native VLAN, select vlan20.
  3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select wan1 as the Interface, and set the Gateway Address as 192.168.7.2.
  4. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Under FortiGate Telemetry, enable Connect to upstream FortiGate.
    4. Configure the FortiGate IP to 192.168.7.2.
    5. In FortiTelemetry enabled interfaces, add vlan20.
    6. FortiAnalyzer logging is enabled after FortiGate Telemetry is enabled. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
  5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet2.
    2. Set the Source Interface to vlan20 and the Destination Interface to wan1.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
    9. Choose the default Web Filter profile.

To authorize the downstream FortiGate on the root FortiGate:

  1. In FortiOS on the root FortiGate, go to Security Fabric > Settings. In the Topology field, a highlighted FortiGate with a serial number is connecting to the root FortiGate, and a highlighted warning asks for authorization of the highlighted device.
  2. Click the highlighted FortiGate, then select Authorize. After authorization, the downstream FortiGate appears in the Topology field in Security Fabric > Settings, meaning that the downstream FortiGate joined the Security Fabric successfully.

To authorize Security Fabric FortiGates on the FortiAnalyzer:

  1. Ensure that the FortiAnalyzer firmware is 6.2.0 or a later version.
  2. In FortiAnalyzer, go to Device Manager > Unauthorized. All FortiGates are listed as unauthorized. Select all FortiGates, then select Authorize. The FortiGates now appear as authorized.
  3. After a moment, a warning icon appears beside the root FortiGate since the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric. Click the warning icon, then enter the admin user and password for the root FortiGate.

To view the compromised endpoint host:

  1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
  2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.
  3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:

  1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
  2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
  3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host is displayed in the content pane.
  4. On the endpoint host, open a browser and visit a website such as https://fortinet.com. If the website cannot be accessed, this confirms that the endpoint host is quarantined.

To run diagnose commands:

  1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

Edge # diagnose sys csf downstream
1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514 path:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443 authorizer:FG201ETK18902514

  2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG201ETK18902514
IP:192.168.7.2
Connecting interface:wan1
Connection status:Authorized

  3. To show the quarantined endpoint host on the connected FortiGate, run the following command in the downstream FortiGate (Marketing) CLI:

Marketing # show user quarantine
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end
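The show user quarantine output above is FortiOS config-block syntax, the same form a configuration backup uses. The following Python is an added example, not from the recipe or from Fortinet: it parses config/edit/set/next/end blocks into nested dictionaries and lists every quarantined MAC with its target name and description, so the quarantine state can be verified from a saved CLI capture or backup instead of clicking through Monitor > Quarantine Monitor.

```python
import shlex

# Constructed sample input: the 'show user quarantine' output from the recipe above.
QUARANTINE_CFG = """\
Marketing # show user quarantine
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end
"""

def parse_fortios_config(text):
    """Parse FortiOS config/edit/set/next/end blocks into nested dicts.

    'config X' becomes {"X": {...}}, each 'edit NAME' a key under it, and
    'set K V' a value on the current entry; 'next' and 'end' pop one level.
    """
    root = {}
    stack = [root]  # stack[-1] is the dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " # " in line:  # skip blank lines and the CLI prompt line
            continue
        kw, *args = shlex.split(line)  # shlex handles the quoted values
        if kw == "config":
            block = stack[-1].setdefault(" ".join(args), {})
            stack.append(block)
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root

def quarantined_hosts(text):
    """Return (target, mac, description) for every MAC quarantined on this FortiGate."""
    cfg = parse_fortios_config(text)
    targets = cfg.get("user quarantine", {}).get("targets", {})
    return [(name, mac.lower(), entry.get("description", ""))
            for name, tcfg in targets.items()
            for mac, entry in tcfg.get("macs", {}).items()]
```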

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
