Configuring the FortiGate 3600-2
The FG-3600-2 is running FortiOS 6.4.0 (build 1572) and has the following local topology:
Configured VDOMs:
Configuring BGP
To configure the root VDOM:
config router prefix-list
    edit "allroutes"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192.168.254"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_172.26"
        config rule
            edit 1
                set prefix 172.26.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 172.26.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_255_128"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.254.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_255_0"
        config rule
            edit 1
                set prefix 192.168.255.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "CORP_LAN"
        config rule
            edit 1
                set prefix 192.168.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "allroutes"
        config rule
            edit 1
                set match-ip-address "allroutes"
                set set-aspath "65001"
            next
        end
    next
    edit "To_CORP"
        config rule
            edit 1
                set match-ip-address "Subnet_172.26"
                set set-aspath "65001" "65002"
            next
            edit 2
                set match-ip-address "Subnet_192.168.254"
                set set-aspath "65001" "65002"
            next
        end
    next
    edit "Subnet_192.168.254"
        config rule
            edit 1
                set match-ip-address "Subnet_192.168.254"
            next
        end
    next
    edit "To_Cust_VDOM"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_255_0"
                set set-aspath "65001" "65002"
            next
        end
    next
    edit "CORP_LAN_ToCloud"
        config rule
            edit 1
                set match-ip-address "CORP_LAN"
                set set-aspath "65001 65001"
            next
        end
    next
end
config router bgp
    set as 64532
    set keepalive-timer 1
    set holdtime-timer 3
    set network-import-check disable
    config neighbor
        edit "10.100.253.254"
            set remote-as 64533
            set route-map-out "CORP_LAN_ToCloud"
        next
        edit "10.101.253.254"
            set remote-as 64534
            set route-map-out "CORP_LAN_ToCloud"
        next
        edit "10.102.253.254"
            set remote-as 64535
            set route-map-out "To_Cust_VDOM"
        next
        edit "192.168.1.1"
            set remote-as 64530
            set route-map-out "To_CORP"
        next
    end
    config network
        edit 1
            set prefix 192.168.255.0 255.255.255.0
        next
    end
end
To configure the Azure VDOM:
config router bgp
    set as 64533
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "10.100.253.253"
            set remote-as 64532
        next
        edit "172.16.2.1"
            set remote-as 64516
        next
    end
end
To configure the AWS VDOM:
config router bgp
    set as 64534
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "10.101.253.253"
            set remote-as 64532
        next
        edit "172.16.1.1"
            set remote-as 64517
        next
    end
end
To configure the Customer VDOM:
config router prefix-list
    edit "Subnet_192_168_255_0"
        config rule
            edit 1
                set prefix 192.168.255.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_254_0"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "To_CORP_Side"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_254_0"
            next
        end
    next
    edit "To_Cust_Side"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_255_0"
                set set-aspath "65002" "65003"
            next
        end
    next
end
config router static
    edit 1
        set dst 10.200.255.252 255.255.255.252
        set gateway 172.16.1.1
        set device "VLAN_Cust"
    next
end
config router bgp
    set as 64535
    set keepalive-timer 1
    set holdtime-timer 3
    set network-import-check disable
    config neighbor
        edit "10.102.253.253"
            set remote-as 64532
            set route-map-out "To_CORP_Side"
        next
        edit "10.203.255.254"
            set remote-as 64518
            set route-map-out "To_Cust_Side"
        next
    end
    config network
        edit 1
            set prefix 192.168.254.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.254.128 255.255.255.128
        next
    end
end
Configuring the policies
To configure the root VDOM:
config firewall ippool
    edit "Pool"
        set startip 192.168.255.1
        set endip 192.168.255.127
    next
end
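config firewall vip
    edit "VIPCust"
        set extip 192.168.255.129-192.168.255.254
        set extintf "Root_Cust"
        set color 7
        set mappedip "192.168.2.129-192.168.2.254"
    next
end
config firewall policy
    edit 2
        set name "VIP_2_CORP"
        set srcintf "Root_Cust"
        set dstintf "CORP_LAN"
        set srcaddr "all"
        set dstaddr "VIPCust"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "CORP_2_Customer"
        set srcintf "CORP_LAN"
        set dstintf "Root_Cust"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "Pool"
        set nat enable
    next
    edit 1
        set name "policy"
        set comments "Catch-all: any interface to any interface, all addresses, all services, accept"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end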
To configure the Azure VDOM:
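config firewall policy
    edit 1
        set name "policy"
        set comments "Catch-all: any interface to any interface, all addresses, all services, accept; traffic logging disabled"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end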
To configure the AWS VDOM:
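config firewall policy
    edit 1
        set name "policy"
        set comments "Catch-all: any interface to any interface, all addresses, all services, accept; traffic logging disabled"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end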
To configure the Customer VDOM:
config firewall ippool
    edit "Pool"
        set startip 192.168.254.1
        set endip 192.168.254.127
    next
end
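config firewall vip
    edit "VIP_2Customer"
        set extip 192.168.254.129-192.168.254.254
        set extintf "Cust_Root"
        set mappedip "192.168.2.129-192.168.2.254"
    next
end
config firewall policy
    edit 3
        set name "toCORPNetwork"
        set srcintf "to_Customer"
        set dstintf "Cust_Root"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "Pool"
        set nat enable
    next
    edit 2
        set name "VIP"
        set srcintf "Cust_Root"
        set dstintf "to_Customer"
        set srcaddr "all"
        set dstaddr "VIP_2Customer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "policy"
        set comments "Catch-all: any interface to any interface, all addresses, all services, accept"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end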