
GCP Administration Guide

Creating VPC networks and firewall rules

This deployment requires four VPC networks, which you must create before deploying the FortiGates:

  unprotected-network: Treated as untrusted; directly attached to the Internet.
  protected-network: The internal network, commonly referred to as the LAN in traditional physical network architectures.
  ha-sync-network: Carries all HA traffic between the cluster members, such as session and configuration synchronization.
  mgmt-network: Out-of-band management network. For active-passive (A-P) HA to move IP addresses and update route tables on failover, the HA cluster must have a public IP address assigned to the HA management interface. Without this, failover does not complete and the cluster fails.

Additionally, you must set up the GCP route tables and firewall rules needed to steer traffic through the FortiGates. These are separate from the routes and firewall policies that you configure on the FortiGates themselves. Name each GCP route table and firewall rule after the associated network and its function (for example, unprotected-network-allow-ingress) so the eight rules are easy to audit later.

To create VPC networks:
  1. In the GCP console, go to VPC Networks, then click CREATE VPC NETWORK.
  2. In the Name field, enter the network name (for example, unprotected-network).
  3. For the network's subnet, enter a subnet name, then from the Region dropdown list select the region in which you will deploy the FortiGates. The subnets of all four networks must be in that same region.
  4. In the IP address range field, enter the subnet in CIDR format, such as 10.0.1.0/24. Give each of the four networks its own non-overlapping range.
  5. Leave all other settings as-is, then click Create.
  6. Repeat steps 1-5 for the remaining three VPC networks.

GCP firewall rules are stateful: a rule that allows the originating connection also allows its return traffic, so you need only one rule per direction in which connections originate. Because connections originate both from the Internet (toward the FortiGates) and from your GCP resources (toward the Internet and the other networks), create one ingress rule and one egress rule for each of the four VPC networks. These rules are deliberately wide open: traffic filtering is done by the FortiGate policies, not by the GCP layer. Keep in mind that every VPC network already carries an implied rule that allows all egress and denies all ingress, so the explicit egress rules mainly make the intended behaviour visible, while the ingress rules are the ones that actually expose the instances. If you want to reduce exposure at the GCP layer, the mgmt-network ingress rule is the one to restrict to your administrator IP ranges instead of 0.0.0.0/0.

To create ingress rules:
  1. In the GCP console, go to VPC networks > Firewall Rules. Click Create Firewall Rule.
  2. In the Name field, enter the rule name (for example, unprotected-network-allow-ingress).
  3. From the Network dropdown list, select the network to associate with this firewall rule.
  4. For Direction of Traffic, select Ingress.
  5. For Action on match, select Allow.
  6. From the Targets dropdown list, select All instances in the network.
  7. In the Source IP ranges field, enter 0.0.0.0/0.
  8. For Protocols and ports, click Allow all, then click Create.
  9. Repeat steps 1-8 for the remaining three VPC networks.
To create egress rules:
  1. In the GCP console, go to VPC networks > Firewall Rules. Click Create Firewall Rule.
  2. In the Name field, enter the rule name (for example, unprotected-network-allow-egress).
  3. From the Network dropdown list, select the network to associate with this firewall rule.
  4. For Direction of Traffic, select Egress.
  5. For Action on match, select Allow.
  6. From the Targets dropdown list, select All instances in the network.
  7. In the Destination IP ranges field (an egress rule matches on destination, not source), enter 0.0.0.0/0.
  8. For Protocols and ports, click Allow all, then click Create.
  9. Repeat steps 1-8 for the remaining three VPC networks.

There should be a total of eight GCP firewall rules: one ingress and one egress rule for each of the four networks.
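The whole procedure above (four VPC networks with one subnet each, then the eight firewall rules) expressed as gcloud commands. This is an added example, not Fortinet's code and not part of the original guide. The project ID, region, the FGT_* variable names, the subnet ranges other than the guide's 10.0.1.0/24 example and the <network>-allow-<direction> rule names are assumptions. By default it only prints the commands so they can be reviewed (and the script run offline); set FGT_DRY_RUN=0 to execute them against a project. It also adds one option the guide does not mention: FGT_MGMT_ADMIN_CIDRS restricts the mgmt-network ingress rule to administrator ranges instead of 0.0.0.0/0, leaving the other seven rules exactly as the guide specifies.

```shell
#!/usr/bin/env bash
# Added example (not Fortinet's code): the four-network / eight-rule layout
# from the procedure above as gcloud commands.
# Assumed placeholders (not from the guide): FGT_PROJECT, FGT_REGION and the
# per-network subnet CIDRs other than 10.0.1.0/24. With FGT_DRY_RUN=1 (the
# default) the script only prints the commands, so it needs no gcloud or project.
set -eu

FGT_PROJECT="${FGT_PROJECT:-my-fgt-project}"
FGT_REGION="${FGT_REGION:-us-central1}"
FGT_DRY_RUN="${FGT_DRY_RUN:-1}"
# Optional hardening beyond the guide: comma-separated admin CIDRs allowed to
# reach mgmt-network. Empty keeps the guide's 0.0.0.0/0.
FGT_MGMT_ADMIN_CIDRS="${FGT_MGMT_ADMIN_CIDRS:-}"

NETWORKS="unprotected-network protected-network ha-sync-network mgmt-network"

# Subnet range per network; 10.0.1.0/24 is the guide's example, the rest are assumed.
cidr_for() {
  case "$1" in
    unprotected-network) echo 10.0.1.0/24 ;;
    protected-network)   echo 10.0.2.0/24 ;;
    ha-sync-network)     echo 10.0.3.0/24 ;;
    mgmt-network)        echo 10.0.4.0/24 ;;
    *) echo "unknown network: $1" >&2; return 1 ;;
  esac
}

# Print the command (dry run) or execute it.
run() { if [ "$FGT_DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Steps 1-5 of "To create VPC networks": each network is its own custom-mode
# VPC with a single subnet, and every subnet sits in the same region.
network_cmds() {
  echo "gcloud compute networks create $1 --project=$FGT_PROJECT --subnet-mode=custom"
  echo "gcloud compute networks subnets create $1-subnet --project=$FGT_PROJECT --network=$1 --region=$FGT_REGION --range=$(cidr_for "$1")"
}

# One rule per network and direction, named <network>-allow-<direction>.
# Ingress rules match on --source-ranges, egress rules on --destination-ranges.
# No --target-tags means "All instances in the network"; --rules=all is "Allow all".
fw_rule_cmd() {
  net="$1"; dir="$2"; range="${3:-0.0.0.0/0}"
  case "$dir" in
    ingress) dirflag=INGRESS; rangeflag="--source-ranges=$range" ;;
    egress)  dirflag=EGRESS;  rangeflag="--destination-ranges=$range" ;;
    *) echo "direction must be ingress or egress, got: $dir" >&2; return 1 ;;
  esac
  echo "gcloud compute firewall-rules create $net-allow-$dir --project=$FGT_PROJECT --network=$net --direction=$dirflag --action=ALLOW --rules=all $rangeflag"
}

# Ingress source range: tightened for mgmt-network when admin CIDRs are set,
# otherwise the guide's 0.0.0.0/0.
ingress_range_for() {
  if [ "$1" = mgmt-network ] && [ -n "$FGT_MGMT_ADMIN_CIDRS" ]; then
    echo "$FGT_MGMT_ADMIN_CIDRS"
  else
    echo 0.0.0.0/0
  fi
}

# 4 networks x 2 directions = the 8 rules the procedure ends with.
expected_rule_count() {
  n=0; for net in $NETWORKS; do n=$((n + 1)); done; echo $((n * 2))
}

main() {
  for net in $NETWORKS; do
    network_cmds "$net" | while IFS= read -r cmd; do run $cmd; done
  done
  for net in $NETWORKS; do
    run $(fw_rule_cmd "$net" ingress "$(ingress_range_for "$net")")
    run $(fw_rule_cmd "$net" egress)
  done
}

main
```

After applying the rules, check that the count and the ranges match what you intended with `gcloud compute firewall-rules list --format="table(name,network.basename(),direction,sourceRanges.list(),destinationRanges.list())"`; the mgmt-network ingress line is the one that should not read 0.0.0.0/0 if you set FGT_MGMT_ADMIN_CIDRS.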
