Multiregion FortiGate-VM deployment with FortiSASE
This deployment uses AWS gateway load balancer (GWLB) and FortiSASE secure private access (SPA) to extend and secure one region into a multiregion AWS infrastructure. This deployment suits an organization where many users are remote, as it secures the remote workforce while allowing users to securely access resources inside the organization's cloud data center.
This deployment uses a hub and spoke design, with one spoke in each region where the organization has workloads. This central hub architecture can leverage AWS transit gateway (TGW) seamlessly as well.
The following provides the topology for this deployment:
Each region contains the following virtual private clouds (VPCs):

VPC name | Description
---|---
Central inspection | Central hub dedicated to security inspection inside the AWS environment. Traffic to any VPC goes through the central inspection VPC. Contains two FortiGate next generation firewalls (NGFW) attached to a GWLB via a tunnel using the GENEVE protocol, and a GWLB endpoint (GWLBe). The FortiGates are in an active-active high availability (HA) pair and are in different availability zones (AZ).
VPN to FortiSASE | Provides IPsec VPN connectivity to FortiSASE. Allows a remote user connected to FortiSASE to access internal AWS workloads by using FortiSASE SPA. Contains two FortiGate NGFWs in an active-passive (A-P) HA cluster. The FortiGates are in different AZs.
Normal spoke | Spoke with a private subnet only. Contains private instances that are not exposed to the internet. This deployment allows the following traffic: This deployment attaches a normal spoke VPC to the TGW via a VPC attachment with a dedicated spoke routing table inside the TGW.
This deployment dedicates a spoke VPC to security operations containing FortiManager and FortiAnalyzer.
This deployment treats FortiSASE as an external remote site from which remote users connect to AWS regional workloads, and leverages FortiSASE SPA to connect AWS with FortiSASE dynamically. FortiSASE acts as an ADVPN dialup client of each regional FortiGate A-P VPN cluster, which acts as an SD-WAN hub.
The following instructions assume that you are familiar with configuring a FortiGate-VM on AWS. Only instructions for configurations specific to this deployment are provided.
- Configure the FortiGates in the central inspection VPC. See Configuring the FortiGates in the central inspection VPC.
- Configure the FortiGate in the VPN to FortiSASE VPC. See Configuring the FortiGates in the VPN to FortiSASE VPC.
- Configure FortiSASE. See Configuring FortiSASE.
Configuring the FortiGates in the central inspection VPC
These FortiGates provide east-west and egress filtering.
To configure the FortiGates in the central inspection VPC:
- In the FortiOS CLI, configure static routing and a dedicated management interface. This configuration uses the dedicated management interface for external HTTPS access to manage each FortiGate in the central inspection VPC and as the default interface for FortiAnalyzer and FortiManager:
config router static
    edit 1
        set device "port1"
        set gateway X.X.X.X
    next
    edit 2
        set device "gwlbprivateaz1"
        set dst 10.0.0.0 255.0.0.0
    next
    edit 3
        set device "gwlbprivateaz1"
        set dst 192.168.0.0 255.255.0.0
    next
    edit 4
        set device "gwlbprivateaz2"
        set dst 192.168.0.0 255.255.0.0
    next
    edit 5
        set device "gwlbprivateaz2"
        set dst 10.0.0.0 255.0.0.0
    next
    edit 6
        set device "port2"
        set dst 10.30.20.64/27
        set gateway X.X.X.X
    next
    edit 7
        set device "gwlbprivateaz1"
        set priority 500
    next
    edit 8
        set device "gwlbprivateaz2"
        set priority 500
    next
    edit 9
        set device "port3"
        set priority 500
    next
end
- Configure the GENEVE tunnels, one per AZ, bound to port2 and pointing at the GWLB interface in that AZ:
config system geneve
    edit "<Name of the GENEVE interface in AZ1>"
        set interface "port2"
        set type ppp
        set remote-ip <IP address of GWLB interface in AZ1>
    next
    edit "<Name of the GENEVE interface in AZ2>"
        set interface "port2"
        set type ppp
        set remote-ip <IP address of GWLB interface in AZ2>
    next
end
- Create a zone that combines the two GENEVE tunnels. The zone is referenced in the firewall policy:
config system zone
    edit "<Name of the GENEVE zone to be used in firewall policy>"
        set interface "<Name of the GENEVE interface in AZ1>" "<Name of the GENEVE interface in AZ2>"
    next
end
- Configure policy-based routing so that traffic received on a GENEVE tunnel is returned on the same tunnel, keeping each flow symmetric for the GWLB. The policy routes match only RFC 1918 destinations; all other destinations (0.0.0.0/0) fall through to the regular routing table, which sends them out port1:
config router policy
    edit 1
        set input-device "<Name of the GENEVE interface in AZ1>"
        set srcaddr "all"
        set dst "10.0.0.0/255.0.0.0" "192.168.0.0/255.255.0.0" "172.16.0.0/255.240.0.0"
        set output-device "<Name of the GENEVE interface in AZ1>"
    next
    edit 2
        set input-device "<Name of the GENEVE interface in AZ2>"
        set srcaddr "all"
        set dst "10.0.0.0/255.0.0.0" "192.168.0.0/255.255.0.0" "172.16.0.0/255.240.0.0"
        set output-device "<Name of the GENEVE interface in AZ2>"
    next
end
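To make the symmetry argument concrete, the following added example (not Fortinet's code) models the FortiGate's forwarding decision for the static routes and the policy routes above: policy routes are evaluated first, then the routing table with longest-prefix match and priority. It assumes the GENEVE interfaces are the "gwlbprivateaz1" and "gwlbprivateaz2" devices named in the static routes, and it shows why the policy routes are needed: without them, the two equal-cost 10.0.0.0/8 routes would let a reply leave on the other AZ's tunnel.

```python
"""Route-decision model for a central inspection FortiGate behind a GWLB.

Added example, not Fortinet's code. Route entries mirror the static and policy
routes on this page; the GENEVE interface names are an assumption.
"""
import ipaddress

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# (destination, device, priority); lower priority wins among equal-length prefixes
STATIC_ROUTES = [
    ("0.0.0.0/0", "port1", 0),             # edit 1: default route toward the internet
    ("10.0.0.0/8", "gwlbprivateaz1", 0),   # edits 2-5: RFC 1918 space via either tunnel
    ("192.168.0.0/16", "gwlbprivateaz1", 0),
    ("192.168.0.0/16", "gwlbprivateaz2", 0),
    ("10.0.0.0/8", "gwlbprivateaz2", 0),
    ("10.30.20.64/27", "port2", 0),        # edit 6: GWLB underlay reached via port2 (assumed)
    ("0.0.0.0/0", "gwlbprivateaz1", 500),  # edits 7-9: low-priority fallback defaults
    ("0.0.0.0/0", "gwlbprivateaz2", 500),
    ("0.0.0.0/0", "port3", 500),
]

# (input device, destination set, output device); evaluated before the routing table
POLICY_ROUTES = [
    ("gwlbprivateaz1", RFC1918, "gwlbprivateaz1"),
    ("gwlbprivateaz2", RFC1918, "gwlbprivateaz2"),
]


def static_lookup(dst: str) -> list:
    """Longest-prefix match, then lowest priority; more than one device means ECMP."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(d), dev, prio) for d, dev, prio in STATIC_ROUTES
            if ip in ipaddress.ip_network(d)]
    longest = max(net.prefixlen for net, _, _ in hits)
    best = [(dev, prio) for net, dev, prio in hits if net.prefixlen == longest]
    lowest = min(prio for _, prio in best)
    return sorted({dev for dev, prio in best if prio == lowest})


def egress(in_dev: str, dst: str) -> list:
    """Egress device(s) for a packet arriving on in_dev: policy route first, then routing table."""
    ip = ipaddress.ip_address(dst)
    for pbr_in, dsts, pbr_out in POLICY_ROUTES:
        if pbr_in == in_dev and any(ip in net for net in dsts):
            return [pbr_out]
    return static_lookup(dst)


def symmetric(in_dev: str, dst: str) -> bool:
    """True when the packet leaves on the same GENEVE tunnel it arrived on."""
    return egress(in_dev, dst) == [in_dev]


def asymmetric_without_pbr(in_dev: str, dst: str) -> bool:
    """True when the routing table alone could pick a different device than in_dev."""
    return static_lookup(dst) != [in_dev]


if __name__ == "__main__":
    for in_dev, dst in (("gwlbprivateaz2", "10.20.1.5"), ("gwlbprivateaz1", "8.8.8.8")):
        print(in_dev, dst, "->", egress(in_dev, dst),
              "symmetric" if symmetric(in_dev, dst) else "leaves via routing table")
```

Internet-bound traffic from a tunnel (8.8.8.8) is not matched by the policy routes, so it falls through to the priority-0 default via port1; the priority-500 defaults only take over if that route disappears.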
Configuring the FortiGates in the VPN to FortiSASE VPC
This deployment configures the FortiGate-VM in the A-P HA pair as an SD-WAN/ADVPN hub to allow connectivity with FortiSASE SPA. This is accomplished in two main steps:
- ADVPN hub configuration
- BGP configuration to advertise the regional AWS CIDR range to FortiSASE
To configure the FortiGates in the VPN to FortiSASE VPC:
- Configure the FortiGate as an ADVPN hub:
config vpn ipsec phase1-interface
    edit FortiSASE
        set type dynamic
        set interface port1
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 21 14 5
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set ipv4-start-ip 10.132.0.33
        set ipv4-end-ip 10.132.0.40
        set ipv4-netmask 255.255.255.224
        set psksecret putasecret
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit FortiSASE
        set phase1name FortiSASE
        set proposal aes256-sha256
    next
end
config system interface
    edit "FortiSASE"
        set vdom "root"
        set ip 10.132.0.62 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.132.0.61 255.255.255.224
        set interface "port1"
    next
end
config system interface
    edit "Lo-FGT-Region1"
        set vdom "root"
        set ip 10.132.0.1 255.255.255.224
        set allowaccess ping
        set type loopback
    next
end
- Configure BGP. The neighbor range covers the tunnel addresses handed out by mode-cfg, and the two network statements advertise the regional AWS CIDR ranges to FortiSASE:
config router bgp
    set as 65001
    set ibgp-multipath enable
    set additional-path enable
    set graceful-restart enable
    set additional-path-select 4
    config neighbor-group
        edit "FortiSASE"
            set capability-graceful-restart enable
            set link-down-failover enable
            set next-hop-self enable
            set remote-as 65001
            set additional-path both
            set adv-additional-path 4
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.132.0.32 255.255.255.224
            set neighbor-group "FortiSASE"
        next
    end
    config network
        edit 0
            set prefix 10.110.0.0 255.255.0.0
        next
        edit 0
            set prefix 10.111.0.0 255.255.0.0
        next
    end
end
Configuring FortiSASE
To configure FortiSASE:
- In FortiSASE, configure the network connection:
  - Go to Network > Secure Private Access > Network Connection.
  - In the BGP router ID subnet field, enter 10.132.0.64/27.
  - In the Autonomous system number (ASN) field, enter 65001.
  - In the Health check IP address field, enter the IP address of the loopback interface (Lo-FGT-Region1) configured on the region 1 FortiGate in the VPN to FortiSASE VPC. In this example, it is 10.132.0.1.
  - Configure other fields as desired.
- Configure the service connection:
  - Go to Service Connection.
  - Click Create.
  - In the Remote gateway field, enter the region 1 FortiGate public IP address.
  - For Authentication method, select Pre-shared key.
  - In the Pre-shared key field, enter the key configured as psksecret on the FortiGate.
  - In the BGP peer IP address field, enter the IP address of the FortiSASE tunnel interface configured on the FortiGate in the VPN to FortiSASE VPC. In this example, it is 10.132.0.62.
  - In the Network overlay ID field, enter 1.
  - Save.
- Distribute FortiClient installers to end users so that they can connect to FortiSASE. You can complete this through FortiSASE. See Managed endpoint client onboarding. You can also use a mobile device management platform such as Intune. See FortiClient Intune Deployment Guide.
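The FortiGate hub configuration and the FortiSASE settings above share one overlay addressing plan per region: the loopback block (health check target), the neighbor-range prefix that holds the mode-cfg pool and the hub's tunnel addresses, and the FortiSASE BGP router ID subnet. When a second region is added, each of these must be unique, and a mistake (a pool that reaches outside the neighbor range, or a region reusing another region's block) silently stops BGP from forming. The following added example (not Fortinet's code) reproduces the region 1 values from this page, carves the same layout out of a /25 for further regions, and checks the relationships; the /25-per-region scheme and the pool size of 8 are assumptions.

```python
"""Overlay addressing plan checks for regional VPN to FortiSASE hubs.

Added example, not Fortinet's code. Region 1 values match this page; the
/25-per-region carve-up and the 8-address pool are assumed conventions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RegionPlan:
    name: str
    loopback: str            # Lo-FGT-<region> ip/mask; FortiSASE "Health check IP address"
    neighbor_range: str      # config neighbor-range prefix
    pool_start: str          # set ipv4-start-ip (addresses FortiSASE receives via mode-cfg)
    pool_end: str            # set ipv4-end-ip
    tunnel_ip: str           # tunnel interface ip; FortiSASE "BGP peer IP address"
    tunnel_remote: str       # set remote-ip ip/mask
    router_id_subnet: str    # FortiSASE "BGP router ID subnet"
    asn: int = 65001
    advertised: list = field(default_factory=lambda: ["10.110.0.0/16", "10.111.0.0/16"])


def derive_plan(name: str, base: str, pool_size: int = 8) -> RegionPlan:
    """Split one /25 per region into /27s: loopback, neighbor range, router-ID subnet, spare (assumed scheme)."""
    net = ipaddress.ip_network(base)
    if net.prefixlen != 25:
        raise ValueError("each region is assumed to own a /25")
    loop_net, peer_net, rid_net, _spare = net.subnets(new_prefix=27)
    hosts = list(peer_net.hosts())           # .33 .. .62 for 10.132.0.32/27
    return RegionPlan(
        name=name,
        loopback=f"{loop_net[1]}/27",
        neighbor_range=str(peer_net),
        pool_start=str(hosts[0]),
        pool_end=str(hosts[pool_size - 1]),
        tunnel_ip=str(hosts[-1]),            # last usable host is the hub's tunnel address
        tunnel_remote=f"{hosts[-2]}/27",
        router_id_subnet=str(rid_net),
    )


def check_plan(p: RegionPlan) -> list:
    """Return consistency problems for one region; an empty list means the plan is usable."""
    problems = []
    loop = ipaddress.ip_interface(p.loopback)
    peers = ipaddress.ip_network(p.neighbor_range)
    rid = ipaddress.ip_network(p.router_id_subnet)
    start, end = ipaddress.ip_address(p.pool_start), ipaddress.ip_address(p.pool_end)
    tun, remote = ipaddress.ip_address(p.tunnel_ip), ipaddress.ip_interface(p.tunnel_remote)
    # the dynamic peer only matches the neighbor-group if its mode-cfg address is in the range
    if not (start <= end and start in peers and end in peers):
        problems.append("mode-cfg pool is not inside the BGP neighbor-range prefix")
    # hub tunnel ip and remote-ip share one subnet and must never be handed out from the pool
    if tun not in remote.network or tun == remote.ip:
        problems.append("tunnel ip and remote-ip are not in the same subnet")
    for addr in (tun, remote.ip):
        if start <= addr <= end:
            problems.append(f"{addr} is reserved for the hub but lies inside the mode-cfg pool")
    # loopback block, neighbor range and router-ID subnet must be disjoint
    blocks = {"loopback": loop.network, "neighbor-range": peers, "router-id": rid}
    names = list(blocks)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if blocks[x].overlaps(blocks[y]):
                problems.append(f"{x} block overlaps {y} block")
    # advertised workload prefixes must not swallow the overlay addressing
    for cidr in p.advertised:
        if any(ipaddress.ip_network(cidr).overlaps(b) for b in blocks.values()):
            problems.append(f"advertised prefix {cidr} overlaps overlay addressing")
    return problems


def check_regions(plans: list) -> list:
    """Cross-region checks: overlay blocks unique per region, one ASN shared with FortiSASE."""
    problems = [f"{p.name}: {m}" for p in plans for m in check_plan(p)]
    owned = []
    for p in plans:
        for block in (ipaddress.ip_interface(p.loopback).network,
                      ipaddress.ip_network(p.neighbor_range),
                      ipaddress.ip_network(p.router_id_subnet)):
            for other_name, other in owned:
                if other_name != p.name and block.overlaps(other):
                    problems.append(f"{p.name} block {block} overlaps {other_name} block {other}")
            owned.append((p.name, block))
    if len({p.asn for p in plans}) > 1:
        problems.append("regions disagree on ASN; FortiSASE has a single ASN field")
    return problems


if __name__ == "__main__":
    plans = [derive_plan("Region1", "10.132.0.0/25"), derive_plan("Region2", "10.132.0.128/25")]
    for p in plans:
        print(p)
    print("problems:", check_regions(plans) or "none")
```

Region 1 derived from 10.132.0.0/25 reproduces the page exactly: loopback 10.132.0.1/27, neighbor range 10.132.0.32/27, pool 10.132.0.33 to 10.132.0.40, tunnel 10.132.0.62 with remote-ip 10.132.0.61, and router ID subnet 10.132.0.64/27. Region 2 from the next /25 gets its own disjoint blocks and passes the cross-region check.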