Fortinet black logo

Administration Guide

Configuring trunk ports on FortiDeceptor VM

Copy Link
Copy Doc ID 63cab9f6-5858-11ec-bdf2-fa163e15d75b:737563
Download PDF

Configuring trunk ports on FortiDeceptor VM

This section describes how to configure trunk ports to extend VLANs between FortiDeceptor VM and ESXi vSwitch using a single interface.

This setup requires FortiDeceptor VM v3.1 build 0061 and vSwitch ESXi v6.7.0 build 13006603.

Set up a single ESXi host with the following workloads.

  • 1 FortiDeceptor VM with one decoy monitoring two network segments.
  • 2 web servers in different VLANs / network segments.
  • 1 vSwitch dedicated to connecting the FortiDeceptor decoy to the network segments.

FortiDeceptor VM has internal network ports. Set up FortiDeceptor VM with the following.

  • Reserve port1 for device management.
  • Use the other ports to deploy deception decoys.

When you initially set up FortiDeceptor, the interface configuration in Network > Interfaces is provisioned automatically. You do not need to change this section as these network settings are just for internal use. The actual deception network interfaces that connect to the monitored segments are configured under Deception > Deployment Network.

In this environment, port3 is used to deploy a Linux-based deception VM (decoy). The goal is to monitor network activity in two different VLANs where the production servers reside: WebServer-1 (192.168.11.11/24) in VLAN11 and WebServer-2 (192.168.21.21/24) in VLAN21.

The deception VM has a single network interface to monitor two different VLANs so it is necessary to configure VLAN trunking between port3 and the ESXi vSwitch port. There is only one vSwitch to connect all the devices together using different virtual ports for each device.

Configuring FortiDeceptor

Configure FortiDeceptor to monitor the subnet networks, one for each VLAN, using the same network port3.

To configure FortiDeceptor:
  1. Go to Deception > Deployment Network and click Add New Vlan / Subnet to add the monitored segments.

  2. Use the VLAN tag for each monitored subnet so that FortiDeceptor can differentiate the traffic between them.

    Verify that both VLANs use port3.

  3. Specify the Deploy Network IP/Mask that the deception VM use to monitor its decoys on each segment.

    Ensure these IP addresses are unique and belong to the monitored subnets.

  4. Go to Deception > Deployment Wizard to deploy the actual deception VM and attach the monitored segments.

  5. Specify the network settings for the decoys.

    FortiDeceptor automates the creation of deception VMs and decoy services to lure and expose attackers; so decoy services on each segment require dedicated IP addresses to interact with attackers.

    If you want to use a static IP address for the decoy services, click Static, then specify a single IP address or IP address range in IP Ranges.

  6. After completing VM deployment, go to Decoy & Lure Status to validate the configuration.

  7. Test connectivity by pinging the decoy and the monitoring IP addresses and verify that they are reachable.

    The web servers are not reachable as ESXi is not configured yet.

From the networking perspective, FortiDeceptor is ready to monitor both VLANs over port3. However, to activate the logical trunk interface, FortiDeceptor needs to receive VLAN trunking traffic from the vSwitch port.

If you have a physical switch connected to the ESXi host, you must configure 802.1Q on the switch port that is connected to the host uplink.

Configuring the vSwitch

To simplify configuration, we recommend using a dedicated vSwitch for the decoy and monitored segments.

The following diagram shows the vSwitch ports relationship.

On ESXi, configure the vSwitch_ FDC_Decoys vSwitch to connect both VLANs to FortiDeceptor. Then configure three network port-groups:

  1. FDC_Trunk – Port-group for the actual trunk interface between FortiDeceptor and vSwitch.
  2. VLAN11 – Port-group to connect VLAN11 to vSwitch.
  3. VLAN21 – Port-group to connect VLAN21 to vSwitch.
To configure the vSwitch:
  1. On the ESXi client, go to Networking > Virtual Switches and add a standard virtual switch.

    Just configure the vSwtich Name, remove the uplink (unless you need it), and use default values for the other options.

  2. Go to Networking > Port groups and add the port groups.

    Port groups for VLAN11 and VLAN21 are similar. For each port group, specify a Name, configure the VLAN ID, and select the Virtual switch.

  3. For the FDC Trunk port, configure a special port-group.

    On ESXi, you do not need to configure 802.1Q. You only need to set the port group to be a promiscuous interface and specify 4095 for the VLAN ID so the vSwitch can send and receive traffic from the VLANs configured on FortiDeceptor.

    Select the Virtual switch and set all Security options to Accept.

  4. To verify the configuration, check the vSwitch topology and ensure all devices are connected to this switch.

  5. Test connectivity from FortiDeceptor to the web servers, and from each web server to the decoys connected to the same VLAN.
    • From FortiDeceptor.

    • From web server 1.

Configuring trunk ports on FortiDeceptor VM

This section describes how to configure trunk ports to extend VLANs between FortiDeceptor VM and ESXi vSwitch using a single interface.

This setup requires FortiDeceptor VM v3.1 build 0061 and vSwitch ESXi v6.7.0 build 13006603.

Set up a single ESXi host with the following workloads.

  • 1 FortiDeceptor VM with one decoy monitoring two network segments.
  • 2 web servers in different VLANs / network segments.
  • 1 vSwitch dedicated to connecting the FortiDeceptor decoy to the network segments.

FortiDeceptor VM has internal network ports. Set up FortiDeceptor VM with the following.

  • Reserve port1 for device management.
  • Use the other ports to deploy deception decoys.

When you initially set up FortiDeceptor, the interface configuration in Network > Interfaces is provisioned automatically. You do not need to change this section as these network settings are just for internal use. The actual deception network interfaces that connect to the monitored segments are configured under Deception > Deployment Network.

In this environment, port3 is used to deploy a Linux-based deception VM (decoy). The goal is to monitor network activity in two different VLANs where the production servers reside: WebServer-1 (192.168.11.11/24) in VLAN11 and WebServer-2 (192.168.21.21/24) in VLAN21.

The deception VM has a single network interface to monitor two different VLANs so it is necessary to configure VLAN trunking between port3 and the ESXi vSwitch port. There is only one vSwitch to connect all the devices together using different virtual ports for each device.

Configuring FortiDeceptor

Configure FortiDeceptor to monitor the subnet networks, one for each VLAN, using the same network port3.

To configure FortiDeceptor:
  1. Go to Deception > Deployment Network and click Add New Vlan / Subnet to add the monitored segments.

  2. Use the VLAN tag for each monitored subnet so that FortiDeceptor can differentiate the traffic between them.

    Verify that both VLANs use port3.

  3. Specify the Deploy Network IP/Mask that the deception VM use to monitor its decoys on each segment.

    Ensure these IP addresses are unique and belong to the monitored subnets.

  4. Go to Deception > Deployment Wizard to deploy the actual deception VM and attach the monitored segments.

  5. Specify the network settings for the decoys.

    FortiDeceptor automates the creation of deception VMs and decoy services to lure and expose attackers; so decoy services on each segment require dedicated IP addresses to interact with attackers.

    If you want to use a static IP address for the decoy services, click Static, then specify a single IP address or IP address range in IP Ranges.

  6. After completing VM deployment, go to Decoy & Lure Status to validate the configuration.

  7. Test connectivity by pinging the decoy and the monitoring IP addresses and verify that they are reachable.

    The web servers are not reachable as ESXi is not configured yet.

From the networking perspective, FortiDeceptor is ready to monitor both VLANs over port3. However, to activate the logical trunk interface, FortiDeceptor needs to receive VLAN trunking traffic from the vSwitch port.

If you have a physical switch connected to the ESXi host, you must configure 802.1Q on the switch port that is connected to the host uplink.

Configuring the vSwitch

To simplify configuration, we recommend using a dedicated vSwitch for the decoy and monitored segments.

The following diagram shows the vSwitch ports relationship.

On ESXi, configure the vSwitch_ FDC_Decoys vSwitch to connect both VLANs to FortiDeceptor. Then configure three network port-groups:

  1. FDC_Trunk – Port-group for the actual trunk interface between FortiDeceptor and vSwitch.
  2. VLAN11 – Port-group to connect VLAN11 to vSwitch.
  3. VLAN21 – Port-group to connect VLAN21 to vSwitch.
To configure the vSwitch:
  1. On the ESXi client, go to Networking > Virtual Switches and add a standard virtual switch.

    Just configure the vSwtich Name, remove the uplink (unless you need it), and use default values for the other options.

  2. Go to Networking > Port groups and add the port groups.

    Port groups for VLAN11 and VLAN21 are similar. For each port group, specify a Name, configure the VLAN ID, and select the Virtual switch.

  3. For the FDC Trunk port, configure a special port-group.

    On ESXi, you do not need to configure 802.1Q. You only need to set the port group to be a promiscuous interface and specify 4095 for the VLAN ID so the vSwitch can send and receive traffic from the VLANs configured on FortiDeceptor.

    Select the Virtual switch and set all Security options to Accept.

  4. To verify the configuration, check the vSwitch topology and ensure all devices are connected to this switch.

  5. Test connectivity from FortiDeceptor to the web servers, and from each web server to the decoys connected to the same VLAN.
    • From FortiDeceptor.

    • From web server 1.