
Azure vWAN SD-WAN NGFW Deployment Guide

7.2.0

Policy deployment

Note

This section assumes that you configured the optional policy and objects in (Optional) Creating policy packages.

Following is an overview of how to deploy policies:

  1. Normalize VXLAN interfaces. See Normalizing VXLAN interfaces.
  2. Create firewall policies for the following interfaces, and install them:
    • port2 to VXLAN
    • VXLAN to port2
    • port2 to branches
    • branches to VXLAN

    See Creating and installing firewall policies.

  3. Select a security profile on Hub firewall policies for traffic from branches. See Selecting a security profile on Hub firewall policies for traffic from branches.

Normalizing VXLAN interfaces

To normalize VXLAN interfaces:
  1. In FortiManager, go to Policy & Objects > Normalized Interface, and click Create New.

  2. Set Name to the name of the interface, for example VXLAN.

  3. Create a new per-device mapping for Hub1:

    1. Expand Per-Device Mapping, and click Create New.

    2. Set Mapped Device to Hub1.

    3. Set Mapped Interface Name to VXLAN-to-Hub2.

    4. Click OK to save the device mapping.

  4. Create a per-device mapping for Hub2:

    1. Under Per-Device Mapping, click Create New.

    2. Set Mapped Device to Hub2.

    3. Set Mapped Interface Name to VXLAN-to-Hub1.

    4. Click OK to save the device mapping.

  5. Under Revision, add a change note.

  6. Click OK.

Creating and installing firewall policies

To create a firewall policy for port2 to VXLAN:
  1. Go to Policy & Objects > Policy Packages.

  2. For your hub, select Firewall Policy, and click Create New > Create New.

  3. Set Name to Port2-VXLAN.

  4. Set Incoming Interface to port2.

  5. Set Outgoing Interface to VXLAN.

  6. Specify Source, Destination, Service, Schedule, and Security Profiles according to your security policy.

  7. Set Action to Accept.

  8. Under Revision, add a change note.

  9. Click OK.

To create a firewall policy for VXLAN to port2:
  1. Right-click your new policy and select Clone Reverse. The cloned firewall policy is displayed without a name, with the Incoming and Outgoing interfaces swapped.

  2. Hover over the empty Name cell, click the Edit icon, and set a name such as VXLAN-Port2.

To create a firewall policy for port2 to branches:
  1. Click Create New > Create New again.

  2. Set Name to VXLAN-Branches.

  3. Set Incoming Interface to port2.

  4. Set Outgoing Interface to Branches.

  5. Specify Source, Destination, Service, Schedule, and Security Profiles according to your security policy.

  6. Set Action to Accept.

  7. Under Revision, add a change note.

  8. Click OK.

To create a firewall policy for Branches to VXLAN:
  1. Right-click your new policy and select Clone Reverse. The cloned firewall policy is displayed without a name, with the Incoming and Outgoing interfaces swapped.

  2. Hover over the empty Name cell, click the Edit icon, and set a name such as Branches-VXLAN.

To install firewall policies:
  1. At the top of the pane, click Install Wizard.

  2. Select Hub policy package, and click Next.

  3. Ensure that your hub device group is selected.

  4. Click Next again.

  5. If not already done, map port2 to the device interface port2.

  6. Click Install.

Selecting a security profile on Hub firewall policies for traffic from branches

Consider the scenario where all tunnels are down on one of the hub FortiGates in Azure vWAN. Traffic initiated from a branch and entering through the other hub does not experience exactly the same problem. However, if the Azure load balancer returns the reply traffic to the FortiGate that has no tunnel, FGSP cannot forward the asymmetric traffic on its own. Rerouting the traffic through the FGSP UTM inspection mechanism (see the FortiOS 7.4 Administration Guide) does work as expected. To engage this mechanism, the hub firewall policies for traffic from the branches must have a deep packet inspection security profile enabled. In the following example, Profile Type is set to Use Standard Security Profiles, and the default security profile is selected.
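As an added example that is not part of this guide, the following FortiOS CLI fragment shows the configuration that the policy install above is expected to produce on Hub1, with the normalized interface VXLAN resolved to VXLAN-to-Hub2 by the per-device mapping (on Hub2 the same policies resolve to VXLAN-to-Hub1). Policy names and interface directions follow the procedures on this page, including the Clone Reverse steps, which swap the incoming and outgoing interfaces. The address objects (all), the service (ALL), the Branches interface name, and the profiles on the branch-facing policy (the default antivirus and IPS profiles with the certificate-inspection SSL/SSH profile) are assumptions standing in for your own security policy; the policy IDs are auto-assigned by edit 0.

```fortios
# Expected result on Hub1 after installing the Hub policy package.
# Assumptions: "Branches" is the hub's branch-facing interface or zone,
# source/destination/service are left open, and "default" AV/IPS profiles exist.
config firewall policy
    edit 0
        set name "Port2-VXLAN"
        set srcintf "port2"
        set dstintf "VXLAN-to-Hub2"      # normalized VXLAN -> per-device mapping for Hub1
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VXLAN-Port2"           # Clone Reverse of Port2-VXLAN
        set srcintf "VXLAN-to-Hub2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VXLAN-Branches"
        set srcintf "port2"
        set dstintf "Branches"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Branches-VXLAN"        # Clone Reverse; traffic from branches
        set srcintf "Branches"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Deep packet inspection profile required for FGSP UTM inspection rerouting
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

After installation, `show firewall policy` on each hub should list these four policies with the device-specific VXLAN interface name rather than the normalized name, and the branch-facing policy should show utm-status enable together with at least one inspection profile; a branch policy without a profile will accept traffic but will not engage the FGSP UTM inspection rerouting described above.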
