Category Archives: Palo Alto

Set up VPN IPSEC site-to-site between Palo Alto in AWS and FortiGate in premises

This is a diagram that I have used for this lab.

Understanding how to deploy a Palo Alto instance in AWS is necessary for this lab (https://tungle.ca/?p=3979).

On PA, configure a tunnel interface.

Add a new static route in the PA Virtual Router to allow traffic from the Private subnet to the LAN subnet behind FortiGate.

Create IKE Crypto.
Create IPSEC Crypto.
Create an IKE Gateway.

Create an IPSEC tunnel.

Create the PA-LAN and FG-LAN network objects.
Create both Security rules to allow traffic from PA-LAN to FG-LAN and vice versa.
Back to AWS – Route tables. Add a new static route on the Private Route.

Add 192.168.10.0/24 into the routes and select “Private Interface” on the target.

Move on to FortiGate.

Configure interfaces.

Configure default routes on FG.

Configure IPSEC VPN on FG.

Create a FG-LAN and PA-LAN address.
Set up a new static route to allow traffic from FG-LAN subnet in FG to PA-LAN subnet in AWS.
Create Security Polices to allow traffic from FG-LAN to PA-LAN and vice versa.
Set up the IP address on the Kali machine.

Ping from Kali machine to Windows instance (10.0.3.134).

Ping from Windows instance to Kali machine (192.168.10.2).

Check Security Policy status.
The FortiGate IPSEC tunnel is UP.

Back to Palo Alto in AWS. We can see the traffic from PA-LAN to FG-LAN and vice versa.

The Palo Alto IPSEC tunnel is UP.

Deploying Palo Alto Firewall in Amazon AWS

This is a diagram that is used to deploy this lab.

Below are the main steps to deploy Palo Alto on AWS:

  • Create a key pair, VPC, subnets, Internet Gateway, Route tables
  • Create a Palo Alto instance on AWS
  • Create Elastic IP addresses for Management and Public interface
  • Create a Windows VM on private subnet
  • Modify Security Group to allow traffic from the Internet to PA and Windows VM
  • Configure a Security Policy, NAT to allow traffic from the Internet to the Windows VM via RDP

Create a key pair.

Create a VPC.
Create a management subnet.

Create a Public subnet in availability zone US-East-1a. I got an error that the Palo Alto instance cannot be created when the VPC subnet was randomly placed in US-East-1e.

Create a Private subnet.

There are 3 subnets on AWS Subnet VPC.

Create an Internet Gateway and attach it to your VPC.
Rename the Route table to Private Route.

Create a Public Route table.

Associate Management and Public Subnet to Public Route table.

Launch a Palo Alto Firewall on AWS.

Select “Management Subnet” in the Subnet setting.

Leave “Add Storage” and Tags as default.

Use a Security Group that has been generated automatically when creating the PA VM.

Actions – Monitor – get instance screenshot.

Go to EC2 – Network interfaces. Rename the interface from “-” to “Management interface”.

Create a Public interface of PA and link it to the “Public Subnet”.

Rename “-” to “Public interface”.

Attach it to the PA instance.

Create a Private interface of PA and link it to the “Private Subnet”.

Rename “-” to “Private interface”.

Attach the Private interface to the PA instance.

Disable “Change source/dest. check” in all interfaces.

Assign two Elastic IP addresses for Public interface.
Associate EIP to Public interface.

Select “Public interface”

Rename “-” to Public EIP.

Back to Route table,

Create a default route via Internet Gateway.

Back to the PA instance, rename it to PaloAltoVM.

SSH to the Palo Alto instance.

Change password of user admin.

Log into PA via a web browser.

Back to EC2 – EIP. Assign a permanent Elastic IP address (the IP address does not change when the instance is stopped) to the Management interface and rename “-” to Mgmt EIP.

Access the PA via Elastic IP address.

Configure the Public interface (e1/1) of PA.

Configure the Private interface (e1/2) of PA.

Commit the settings.

Create a default route via the Public interface.

Create a local route to allow traffic from the VPC network via the Private interface.

Back to VPC, edit routes in “Private route”.

Add a default route via “Private network”.

Back to EC2 – instances, create a new Windows VM in the Private network.

Select “Private Subnet” in Subnet setting and Disable in “Auto-assign Public IP”.

Add the ICMP line to allow ICMP traffic in this Security Group.

Move to PA, create 2 security policies to allow traffic from the Private Zone to the Public Zone and vice versa.

Create a SNAT and DNAT to allow traffic from Windows VM to the Internet and RDP traffic from Internet to Windows VM in Private subnet.

SNAT.

DNAT.

Back to AWS – EC2 – Security Group, add RDP and ICMP into the following Security Group.

Add RDP and ICMP into this Security Group.

Now access RDP to Windows VM via Public EIP.

Disable Windows Firewall.

Ping 8.8.8.8 from Windows instance.

Implementing VPN site-to-site between Palo Alto on-prem and Palo Alto on the Google Cloud Platform

This is a diagram that I have used for this lab.

I have set up the first part for Palo Alto on GCP (https://tungle.ca/?p=3760). Now, I go to set up the VPN site-to-site between Palo Alto on-prem and Palo Alto on GCP.

On Palo Alto on-prem.

Set up the DHCP service on the e1/2 interface.

Set the default route on Palo Alto.

Create a tunnel 1 on Palo Alto.

Create an IKE Crypto profile.

Create an IPSEC Crypto profile.

Create an IKE Gateway.

Create an IPSEC Tunnel.

Create network objects for LAN subnets of Palo Alto on-prem and on GCP.

Create both security policies to allow traffic from LAN subnets on Palo Alto – GCP to LAN subnets on Palo Alto on-prem and vice versa.

Create a static route to allow traffic from LAN subnets of Palo Alto on-prem to LAN subnets of Palo Alto on the cloud.

Create SNAT to allow the local network to access the Internet.

Create another access rule to allow traffic from the LAN network to access the Internet.

The Kali machine on the LAN network is able to access the Internet.

Back to Palo Alto on GCP.

Create a tunnel 1 on Palo Alto.

Create an IKE Crypto profile.

Create an IPSEC Crypto profile.

Create an IKE Gateway.

Create an IPSEC tunnel.

Create network objects for LAN subnets for Palo Alto on-prem and on the cloud.

Create both security policies to allow traffic from LAN subnets on Palo Alto on GCP to LAN subnets on Palo Alto on-prem and vice versa.

Create a static route to allow traffic from LAN subnets of Palo Alto on the cloud to LAN subnets of Palo Alto on-prem.

Go to the vpc-inside network, and create “Add route” to add a new route to LAN subnets of Palo Alto on-prem.

Ping Kali’s machine from Windows 2016 VM on GCP.

Ping the Windows 2016 VM from the Kali machine.

The IPSEC tunnel is up on Palo Alto on-prem.

The IPSEC tunnel is up in Palo Alto on GCP.

Deploying Palo Alto Firewall on Google Cloud Platform

This is a diagram that I have used in this lab.

Below are several main steps in this lab:

  • Create 3 vpc networks: vpc-mgmt (10.0.0.0/24), vpc-outside (10.0.1.0/24), and vpc-inside (10.0.2.0/24) on GCP.
  • Create ingress/egress Firewall rules on the vpc networks.
  • Launch Palo Alto instance on GCP.
  • Launch Windows 2016 instance on the inside network.
  • Create a default route, security rules, SNAT, and DNAT for RDP traffic from the Internet to Windows 2016 instance via Palo Alto.
  • Modify the default route for the inside network to use the Palo Alto instance.

VPC Network – Route tables.

Go to VPC network – Firewall – Create a firewall rule for ingress/egress traffic from and to the network 0.0.0.0/0.

The ingress-mgmt rule.

The egress-mgmt rule.

The ingress-outside rule.

The egress-outside rule.

The ingress-inside rule.

The egress-inside rule.

Go to Compute Engine – Create an instance – Marketplace – enter “Palo Alto” – select “VM-series Next-Generation Firewall (Bundle 1)” – click launch.

Click Enable on the Required APIs.

Back to create Palo Alto VM.

Use PuTTYgen to generate an SSH key pair. Click to save the public and private keys.

This is a public key that you need to submit when creating the Palo Alto VM on GCP.

Copy the key and paste it into the SSH key field.

Select the interfaces like the following screenshot. Then, click “Deploy”.

Wait a couple of minutes to see the “Palo Alto has been deployed” notification.

Get the external IP address of mgmt and outside interfaces.

Compute Engine – VM instances – paloalto-vm1.

Click Edit.

Reserve the static IP addresses 10.0.0.2, 10.0.1.2 and 10.0.2.2 for the mgmt, outside and inside networks on Palo Alto.

Open Putty and load the private key that you have saved in the previous step.

Set password for the admin user and commit.
configure
set mgt-config users admin password
commit

Open your web browser and enter https://35.223.135.68.

Create a default route on Palo Alto.

Go to Compute Engine – Create a new Windows 2016 VM.

On External IP address, change from ephemeral to None. Then, click to create a VM.

Back to the VPC network – Routes to change the default route of the inside network to the Palo Alto instance. Delete the highlighted route as the screenshot below.

Create a new default route, and change the next hop instance from the internet gateway to use the Palo Alto instance.

Create a new Windows 2016 instance object on Palo Alto.

Create both access rules to allow traffic from the inside network to the outside, and from the Internet to the Windows 2016 VM.

The outside network to RDP service on the inside network.

Create SNAT to allow traffic from the inside network to the outside network via the Palo Alto.

Create a DNAT rule to allow RDP traffic from the Internet to Palo Alto and DNAT to Windows 2016 instance.

Click commit.

Open RDP on a Windows machine and enter the public IP address of the vpc-outside network on Palo Alto.

Enter your username and password.

We can see the RDP traffic in Palo Alto.

The Windows instance is able to access the Internet via Palo Alto.

Deploy an IPSEC VPN site-to-site between Palo Alto on-prem and Virtual Private Gateway on GCP

This is a diagram that I have used for the lab.

Create a new VPC network on GCP.

Search VPN keyword on the search function.

Click “Create VPN connection”.

Select Classic VPN.

Select tung-vpc on the network setting.

Create a new static IP address for your VPC.

Delete tunnel 2 because I have only used tunnel 1 in this lab. Then click Create.

Click gpc-pa-tunnel-1.

Edit the Routes to allow traffic from my tung-vpc network to the Internet via the Default Internet gateway.

We can see the static route from privatesubnet on GCP to the LAN subnets on Palo Alto has been created on the Routes section.

Check the Firewall and allow SSH from the Internet to Linux instance on the “privatesubnet”.

I have used “Allow all” to allow SSH from the Internet to the Linux instance. This can be tightened to allow only the SSH protocol on port 22. Click Create.

Search “compute engine”, and click create an instance.

On network interfaces.

Click create.

Open SSH in a browser window on the Linux instance.

Back to Palo Alto.

IKE Crypto.

IPSEC Crypto.

IPSEC Tunnel.

Create both network objects for the Palo Alto-LAN subnet and GCP-LAN subnet

Create both access rules to allow traffic from Palo Alto LAN subnets to GCP privatesubnet.

This is the network interface on PA.

Create a new static route to allow traffic from PA LAN subnets to GCP privatesubnet.

Then, click commit.

Back to GCP.

Ping Kali machine on PA LAN subnet from the Linux instance on GCP.

On Kali machine, ping Linux instance on GCP.

The Palo Alto VPN site-to-site tunnel with GCP is up.

The IPSEC VPN site-to-site tunnel is up on GCP as well.

Set up an IPSEC VPN site-to-site between Palo Alto on-prem and Microsoft Azure

This is a diagram that I have used for the lab.

Create a new virtual network named Azure-PA.

Rename the default subnet to PrivateSubnet (10.0.1.0).

The subnet address range is 10.0.1.0/24.

Click Create.

Create a new subnet.

The subnet address range is 10.0.0.0/24.

Go to “Virtual network gateway” to create a new virtual network gateway.

Virtual network: Azure-PA.

Subnet: Gatewaysubnet 10.0.0.0/24

Public IP address name: VPNIP

Click Create.

Wait around 20 to 30 minutes for the deployment to finish.

Go to “Local network gateway” and create a new local network gateway.

The IP address is the public IP address of the Palo Alto firewall.

The address space is Palo Alto’s LAN subnets.

Click create.

Go to “Virtual network gateways”, and select the virtual network gateways that we have created in the previous step.

Go to “Connections” – Add.

Enter a shared key (PSK) for VPN site-to-site.

Take note of the IP address of Azure VPN.

On Palo Alto on-prem.

Interface tunnel1.

Create an IKE Crypto.

IPSEC Crypto.

According to Azure, we will use 27000 seconds for the key lifetime.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#:~:text=IKEv2%20Main%20Mode%20SA%20lifetime,KBytes%20(102GB)%20are%20used.

  • IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.
  • QM SA Lifetimes are optional parameters. If none was specified, default values of 27,000 seconds (7.5 hrs) and 102400000 KBytes (102GB) are used.

Create a new IKE Gateway.

The peer address is the Azure VPN gateway.

Create an IPSEC tunnel.

Create a static route to PrivateSubnet on Azure.

Create both access rules to allow traffic from PA LAN subnets to private subnet on Azure and vice versa.

Click “Commit”.

Back to Azure, the VPN site-to-site connection is still not connected.

Create a new Windows 2016 virtual machine (Size is B1s).

Get the Public IP address of the Windows 2016 virtual machine.

Download RDP file.

Disable Windows Firewall, and ping an IP address on the Palo Alto LAN subnets.

Back to VPN2S, we can see the VPN status connection is “Connected”.

Microsoft Azure seems not to support as many customer devices as Amazon AWS does.

From the Kali machine, ping the Windows 2016 VM on Azure.

The IPSEC VPN site-to-site tunnel is up as well in Palo Alto.

Send Palo Alto logs on-prem to Splunk on AWS via VPN site-to-site

This is a diagram that I have used to deploy this lab.

We need to deploy a VPN site to site between Palo Alto on-prem and AWS.

On AWS.

On Palo Alto.

Ping the Splunk instance (10.0.0.110) via the ethernet 1/2 interface.

The VPN site-to-site tunnel is up in Palo Alto.

Set up a new Windows 2016 instance with 4 GB memory to run Splunk Enterprise on AWS.

RDP to the instance and install Splunk Enterprise. Then, add Splunk for Palo Alto on this instance.

Configure Splunk to get Palo Alto logs via UDP port 514.

Check the UDP 514 port is running on the Splunk instance.

Go to Palo Alto, and configure Syslog to send logs to Splunk.

By default, Palo Alto sends logs from the management interface. We need to change the service route so that Palo Alto sends logs via ethernet1/2 (the LAN interface), which is the interface that reaches the Splunk instance through the tunnel.

Log on PA console, type configure, and the command below to change the interface to send logs.

set deviceconfig system route service syslog source interface e1/2

Also, we can go to Device – Setup – Service Route Configuration – Syslog. Configure the source interface and source IP address like the following screenshot.

Configure Syslog on Palo Alto.

IP address: 10.0.0.110 (Splunk instance)

Port: 514 UDP

Log off and enter the wrong password on Palo Alto. Log back into Palo Alto to generate logs to send to Splunk.

We can see “failed authentication log” events have been generated on Splunk.

Deploy VPN site-to-site between Palo Alto on-prem and AWS. Setup OpenVPN and additional Domain Controller on AWS

This is the diagram used to deploy this lab.

In this lab:

  • Configure VPN site to site IKEv2 between Palo Alto and Virtual Private Gateway on AWS.
  • Implement multi-master domain controllers on-prem and on AWS.
  • Authenticate the OpenVPN tunnel via LDAP so that people working from home can access corporate servers on AWS.
  • Disconnect the domain controller on-prem to simulate migrating corporate servers to AWS in the near future.

Core Switch configuration.

CoreSW
conf t
hostname CoreSW
ip routing
ip dhcp excluded-address 172.16.10.1 172.16.10.10
!
ip dhcp pool VLAN10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 172.16.20.12

interface GigabitEthernet0/0
 no switchport
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk

interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 network 172.16.0.0 0.0.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.254

--- 
SWCore#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi1/0, Gi1/1, Gi1/2
                                                Gi1/3, Gi2/0, Gi2/1, Gi2/2
                                                Gi2/3, Gi3/0, Gi3/1, Gi3/2
                                                Gi3/3
10   End users                        active
20   Servers                          active
99   Native VLAN                      active

On the Kali VM, start the SSH and Apache services.

On Palo Alto.

LAN interface.

e1/1 belongs to the VPN zone, and e1/2 belongs to the LAN zone, respectively.

Create a new network object for the PA LAN subnet.

Configure SNAT to allow traffic from the PA LAN subnet to access the Internet.

Configure a default route.

Configure OSPF on PA.

Allow ICMP on the Mgmt interface to troubleshoot.

Ping from PA.

Ping from a VM on the PA LAN subnet.

+ Create a new VPC.

Create a private subnet.

Create and attach Internet gateway to your VPC.

Route table.

Add a new route to your Internet Gateway.

Go to VPN, create a customer gateway.

Create a new VPN gateway.

Attach it to your VPC.

Create a VPN site to site.

Go to the Route table and add a new route to PA LAN subnet.

Click Download Configuration and select information as the following screenshot.

Open the file to use for configuring PA.

Configure IKE Crypto.

Configure IPSEC Crypto.

Configure IKE Gateway.

Create a new interface tunnel 1 for VPN IPSEC site to site between FG on AWS and PA.

Configure IPSEC Tunnel.

On Virtual Routers, add an interface tunnel 1 on the router settings.

Create a new static route to the AWS LAN subnet.

New address object.

Create both Security policies to allow traffic from LAN to VPN.

+ Back to AWS, create a new Linux and Windows instance on AWS.

Create a new key pair on AWS.

Allow HTTP, SSH, and ICMP on Security Group.

Back to GNS3, configure a new Windows 2016 server VM.

Take note of the IP address of the Linux instance on AWS.

Ping the Linux instance on AWS LAN subnet from PA LAN subnet.

The tunnel is up on PA

On AWS, the tunnel is up as well.

Configure Windows 2016 on GNS3.

Install Windows 2016.

On Kali, SSH to the Linux VM instance on AWS.

Website on-prem.

Website on AWS.

Change computer name to DC1 and promote it to a domain controller.

Create a new Windows VM on AWS.

Create a new OpenVPN server instance on AWS.

Access the OpenVPN server via SSH. Use openvpnas as a user to log in.

Check that the private subnet configured on OpenVPN matches the private subnet on AWS.

Change the password of openvpn.

From Windows 2016 VM on GNS3, access RDP to Windows instance on AWS. Change DNS setting to DC1 on-prem.

Join the machine to domain on-prem and promote it to become additional domain controller.

Create a couple of users to test: tung, kevin, test on domain controllers.

On OpenVPN.

Change the setting to authenticate the OpenVPN tunnel via LDAP. We use both LDAP servers on AWS and on-prem.

Configure LDAP settings to query the corresponding information on domain controllers.

Access to OpenVPN mgmt interface.

Log in as the kevin user.

Access a web server on a private subnet on AWS.

RDP to a private IP address on Windows DC2 on AWS.

Monitor Security traffic on PA.

Join Windows 10 to the domain.

Disconnect interface from DC1 to SW2 to simulate migrating servers to AWS cloud.

Windows 10 is still accessible to the domain on DC2 on AWS.

Access RDP to DC2 and a web server on AWS.

Domain users are able to access a domain controller on AWS and a web server on AWS when the domain controller on-prem was down.

Deploy IPSEC VPN site-to-site between FortiGate on AWS and Palo Alto on premises

This is a diagram to show how to create a VPN site to site connection from PA on-prem and FG on AWS.

In this lab:

  • Create a VPC, subnets, Internet gateway, route tables.
  • Create a FortiGate VM and Windows 2016 instance on AWS
  • Configure Palo Alto
  • Create VPN site to site between both sites PA and FortiGate
  • Allow Windows 2016 instance to access the Internet via FortiGate. Also, allow RDP to this machine via the Internet by using FortiGate.
  • Test ping traffic between both sites.
  • Allow a machine on the PA LAN subnet to access the Internet and the Windows 2016 instance on AWS.
  • Create a new SSLVPN portal on AWS and test to access the portal via SSLVPN.

+ Below are a couple of steps to deploy FortiGate on AWS.

Create a new VPC.

Create a public subnet.

Create a private subnet.

Create an Internet gateway.

Attach the gateway to your VPC.

Edit Route table, change default Route table to Private Route.

Create a Public Route Table.

Link the Public Subnet to the Public Route.

Add a new route 0.0.0.0/0 to your Internet gateway.

Create a new key pair.

+ Go to EC2, and deploy Fortinet on AWS.

Select your VPC and the Lab Public Subnet. Also, set Auto-assign Public IP to Enable.

On the Security Group tab, add two new lines at the end of the Security Group as in the screenshot below. This allows ping and RDP to the Windows 2016 machine on the private subnet later on.

Go to Network interfaces, change the interface to FG Public Interface.

Create a new FG Private interface. Links to the private subnet and FortiGate Security Group.

Change to FG Private Interface.

Select the FG private interface, choose Action on the top right-hand side and Attach this network interface to Fortinet EC2.

Right-click on both FG Public and Private interfaces, and disable “Change source/dest check” on both interfaces to allow NAT traffic on these interfaces.

Create a new Elastic IP address.

Change to Fortinet EIP.

Associate this Elastic IP address to Fortinet EC2.

Back to Route tables, add a new route 0.0.0.0/0 to FG private interface.

Now, Fortinet has two interfaces. One is Private, and another one is Public.

Copy the Elastic IP address and paste it to your web browser to access the FortiGate management interface.

Access Fortinet via the Internet.

+ Launch a new Windows VM EC2 instance on your VPC.

Network: Your VPC

Subnet: Private subnet

Auto-assign Public IP: Disabled. We will access RDP to the machine via DNAT on FortiGate.

On the Security Group setting, add two lines to allow RDP and ICMP traffic to the machine.

+ Login to Fortinet.

Copy the FG instance ID and paste it as the login password.

Change the password to login to Fortinet.

Edit WAN and LAN interface setting.

Back to Fortinet to configure Firewall Policy to allow RDP traffic from the Internet to the Windows VM machine.

Configure port forwarding to allow traffic from the Internet to Windows 2016 VM instance on AWS.

External IP address: the IP address of FG on the public subnet.

Map to IPv4 address: the IP address of the Windows VM on the private subnet.

The external service port and the mapped IPv4 port are both 3389.

Allow inbound traffic from WAN to this machine.

Create the static routes to allow the private subnet to reach the outside.

Create a new static route for the private subnet, 10.0.0.0/16, via 10.0.1.1, which is the default gateway on the private subnet.

Try to access the machine.

Load private key to decrypt Windows password.

Access RDP to Windows 2016 instance on AWS.

Now we can see the RDP traffic via Fortinet.

Disable Windows Firewall to allow ICMP traffic to that machine on Palo Alto private subnet.

Configure IPSEC site to site wizard. Choose Custom.

Enter the IP address of the public interface of PA. Disable NAT traversal, enter the pre-shared key and choose IKEv2.

Phase 1 and Phase 2 settings need to match with the Palo Alto setting.

Local Address: the private subnet of FG: 10.0.1.0/24

Remote Address: PA LAN subnets: 172.16.0.0/16

Click the Advanced tab. Change the settings to match the PA Phase 2 settings.

Create Fortinet LAN and PA LAN subnet network addresses.

Create a static route on Fortinet to allow private subnet traffic to the Palo Alto LAN subnet.

Create a Security Policy to allow traffic from the Fortinet LAN subnet to the PA LAN subnet. Remember to uncheck NAT setting on access rules from AWS LAN to PA LAN and vice versa.

PA LAN subnet to AWS LAN subnet.

AWS LAN subnet to PA LAN subnet.

Create a new access rule to allow the FG LAN subnet to access the Internet.

Ping 8.8.8.8 from Windows 2016 VM instance.

+ Configure PA.

Set e1/1 to obtain its IP address via DHCP, and assign 172.16.1.254/24 to e1/2.

Create a tunnel interface: tunnel 1.

Create network objects for FortiGate, PA LAN, and AWS LAN.

Create an IKE Crypto profile.

Create an IPSEC Crypto.

IKE Gateway.

IPSEC tunnel.

On Proxy ID tab.

Local: PA LAN subnets.

Remote: AWS LAN subnet.
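The two ends of a tunnel only come up when the Phase 1/Phase 2 proposals overlap and the Proxy IDs mirror each other (PA local 172.16.0.0/16 / remote 10.0.1.0/24 against FortiGate local 10.0.1.0/24 / remote 172.16.0.0/16). The following is an added example, not part of this lab or of either vendor's code, that checks a pair of endpoints for exactly those mistakes before committing. The algorithm names, lifetimes and the `Proposal`/`Endpoint` classes are constructed assumptions; the subnets are the lab's. It also covers the Azure note above about SA lifetimes: IKEv2 does not negotiate lifetimes, so a mismatch is reported as a warning rather than a failure.

```python
# Added example, not part of the original lab: a pre-commit consistency check
# for the two ends of a site-to-site IPsec tunnel. Subnets are the lab's
# (PA LAN 172.16.0.0/16, FortiGate/AWS private subnet 10.0.1.0/24); the
# algorithm names and lifetimes are constructed/assumed values.
import ipaddress
from dataclasses import dataclass


@dataclass
class Proposal:
    """Crypto settings for one phase (IKE or IPsec) on one endpoint."""
    encryption: frozenset
    integrity: frozenset
    dh_group: frozenset
    lifetime_sec: int
    pfs: bool = True  # only meaningful for the IPsec phase


@dataclass
class Endpoint:
    name: str
    ike: Proposal
    ipsec: Proposal
    local_net: str   # Proxy ID "Local": the subnet behind this firewall
    remote_net: str  # Proxy ID "Remote": the subnet behind the peer


def check_peers(a, b):
    """Return (fatal, warnings). Fatal items keep the tunnel down; warnings
    are differences that still negotiate but behave unevenly later."""
    fatal, warnings = [], []
    for phase, pa, pb in (("IKE", a.ike, b.ike), ("IPsec", a.ipsec, b.ipsec)):
        for attr in ("encryption", "integrity"):
            if not getattr(pa, attr) & getattr(pb, attr):
                fatal.append(f"{phase}: no common {attr} "
                             f"({a.name}={sorted(getattr(pa, attr))}, "
                             f"{b.name}={sorted(getattr(pb, attr))})")
        # DH group is always negotiated for IKE; for IPsec only when PFS is on.
        if phase == "IKE" or (pa.pfs and pb.pfs):
            if not pa.dh_group & pb.dh_group:
                fatal.append(f"{phase}: no common DH group")
        if phase == "IPsec" and pa.pfs != pb.pfs:
            fatal.append(f"IPsec: PFS enabled on one side only "
                         f"({a.name}={pa.pfs}, {b.name}={pb.pfs})")
        # IKEv2 does not negotiate lifetimes: each peer rekeys on its own
        # timer, so a mismatch is a warning rather than a failure.
        if pa.lifetime_sec != pb.lifetime_sec:
            warnings.append(f"{phase}: lifetimes differ "
                            f"({a.name}={pa.lifetime_sec}s, "
                            f"{b.name}={pb.lifetime_sec}s); the shorter side "
                            "will initiate every rekey")
    # Proxy IDs / traffic selectors must mirror each other exactly.
    pairs = ((a.local_net, b.remote_net, f"{a.name} local vs {b.name} remote"),
             (a.remote_net, b.local_net, f"{a.name} remote vs {b.name} local"))
    for mine, theirs, what in pairs:
        if (ipaddress.ip_network(mine, strict=False)
                != ipaddress.ip_network(theirs, strict=False)):
            fatal.append(f"Proxy ID mismatch: {what} ({mine} != {theirs})")
    return fatal, warnings


def lab_endpoints():
    """Constructed settings for the lab pair (PA on-prem, FortiGate on AWS)."""
    def ike():
        return Proposal(frozenset({"aes-256-cbc"}), frozenset({"sha256"}),
                        frozenset({"group14"}), 28800)

    def ipsec():
        return Proposal(frozenset({"aes-256-cbc"}), frozenset({"sha256"}),
                        frozenset({"group14"}), 3600, pfs=True)

    pa = Endpoint("PA", ike(), ipsec(), "172.16.0.0/16", "10.0.1.0/24")
    fg = Endpoint("FG", ike(), ipsec(), "10.0.1.0/24", "172.16.0.0/16")
    return pa, fg


if __name__ == "__main__":
    pa, fg = lab_endpoints()
    fatal, warnings = check_peers(pa, fg)
    print("fatal:", fatal or "none")
    print("warnings:", warnings or "none")
```

Run it as-is and both lists are empty; swap the FortiGate local and remote subnets, or change one side's encryption set, and the Proxy ID or proposal mismatch is reported before the commit is done, which is where these labs usually lose time.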

Create a Static Route from PA LAN to Fortinet LAN on AWS.

Create both Security Policies to allow traffic from PA LAN subnet to AWS LAN subnet.

Remember to click “Commit” button to apply the new settings on PA.

From the Windows 2016 VM instance, ping a machine on the PA LAN subnet.

+ Ping from the PA LAN subnet to the AWS LAN subnet.

On PA, a tunnel is up.

Monitoring to see the traffic on both sites.

On FortiGate.

An IPSEC VPN site-to-site tunnel is up.

diagnose vpn tunnel list

Click on the log and Report to see events that are related to VPN.

+ Back to PA to create another static route to allow the PA LAN subnet to access the Internet.

A next hop is the default gateway of the PA public subnet.

Create a SNAT policy to allow traffic from the PA LAN subnet to the Internet.

For the destination interface, choose e1/1 so that the SNAT rule matches only Internet-bound traffic. VPN site-to-site traffic leaves via the tunnel interface and must not be NATed.

Ping 8.8.8.8 from PA LAN subnet.

+ Create an SSLVPN portal on FortiGate to allow access to the FG private subnet from the SSLVPN zone.

RDP to the Windows 2016 instance on the AWS private subnet (10.0.1.42).

In the SSLVPN settings, enable SSLVPN on port 44333.

Create a new username and password to access SSLVPN.

Then assign this user to the portal that we created in the previous step.

Edit the Security Group to allow Internet traffic to the SSLVPN port, 44333.

From a Windows machine, access SSLVPN portal on FG.

Also, we can use FortiClient to connect if we have a license.

Send Palo Alto, FortiGate, Cisco Router, and Linux Server logs to Splunk

This is a diagram that I have used to deploy this lab.

Log in to Splunk, and download the Cisco Suite for Splunk, FortiGate, and Palo Alto apps for Splunk.

Click Install app from file.

On Splunk.

+ Palo Alto

Go to Settings – Data inputs – New Local UDP.

Enter port 5514 in the Port setting.

Source type: pan_log

App Control: Palo Alto Networks

Method: IP

Index: Default

On Palo Alto, configure log forwarding to the Splunk server using destination port 5514.

Commit, log off and log on to generate logs.

Back to Splunk.

Click Palo Alto App – Operations – Real-time Event Feed.

+ Cisco Router R1.

conf t
logging trap informational
logging host 142.232.197.8 transport udp port 5515 

On Splunk.

Port 5515

Source type: cisco:asa

App Context: Cisco Suite for Splunk

Method: IP

Index: default.

Back to Router, send sample logs to Splunk.

end
send log "Tung Le"
send log "Tung Le"

+ On Kali Linux.

sudo su
nano /etc/rsyslog.conf
##Add the following line to the end of the file. The listening port is 5516.
*.*                @142.232.198.8:5516

Restart rsyslog service.

systemctl restart rsyslog
systemctl status rsyslog

Back to Splunk, configure the listening port for the Linux server as 5516.

source type: Syslog

app context: Apps Browser

Back to Kali, type the command below to generate logs to Splunk.

logger "Tung Le"

+ FortiGate:

Configure FortiGate to send logs to Splunk via the UDP port 5517.

config log syslogd setting
set status enable
set server 142.232.197.8
set port 5517
end 

Log into FortiGate, and enable the setting below to send logs to Splunk.

On Splunk, configure port 5517.

Source type: fgt_log

App Context: FortiGate

Method: IP

Index: Default

Log off FortiGate and type a wrong password to generate logs.
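Each source in this lab (and the Palo Alto-to-Splunk lab above, which used UDP 514) lands on its own UDP port, and Splunk tells them apart by port rather than by content. The following is an added example, not part of the lab and not Splunk's or any vendor's code, that decodes what actually arrives on those ports: it splits the RFC 3164 `<PRI>` header into facility and severity (which is what the rsyslog `*.*` selector filters on), maps the port to the source type configured above, and picks out the failed-login events the lab generates with a wrong password. The four datagrams are constructed to resemble each device's format and are not captured logs; the `classify`, `selector_matches` and `is_auth_failure` functions are assumptions of this example.

```python
# Added example, not part of the original lab: decode the syslog datagrams the
# four sources above send and map the per-source UDP port (5514/5515/5516/5517)
# to the Splunk source type the lab configures. The sample lines are
# constructed to resemble each device's format; they are not captured logs.
import re

# Port -> Splunk source type, exactly as configured in the lab above.
PORT_TO_SOURCETYPE = {5514: "pan_log", 5515: "cisco:asa",
                      5516: "syslog", 5517: "fgt_log"}

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SAMPLE_DATAGRAMS = [  # (udp_port, raw datagram) -- constructed samples
    (5515, '<189>42: *Mar  1 00:10:05.123: %SYS-5-USERLOG_NOTICE: '
           'Message from tty0(user id: ): Tung Le'),
    (5516, '<13>Mar  1 00:10:06 kali root: Tung Le'),
    (5514, '<14>Mar  1 00:10:07 PA-VM 1,2024/03/01 00:10:07,000000000000,SYSTEM,'
           'auth,0,2024/03/01 00:10:07,,auth-fail,,0,0,general,informational,'
           '"failed authentication for user \'admin\'. Reason: Invalid '
           'username/password From: 172.16.10.50."'),
    (5517, '<189>date=2024-03-01 time=00:10:08 devname="FGT" logid="0100032002" '
           'type="event" subtype="system" level="alert" '
           'logdesc="Admin login failed" user="admin" action="login" status="failed"'),
]


def parse_pri(raw):
    """Split the <PRI> header off a datagram; return (facility, severity, msg)."""
    m = re.match(r"<(\d{1,3})>(.*)", raw, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        raise ValueError("datagram has no valid <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def selector_matches(selector, facility, severity):
    """rsyslog-style 'facility.severity' selector, as in '*.* @host:5516'.
    A named severity matches that level and everything more severe
    (lower number); '*' on either side matches all."""
    fac_sel, sev_sel = selector.split(".")
    fac_ok = fac_sel == "*" or FACILITIES[facility] == fac_sel
    sev_ok = sev_sel == "*" or severity <= SEVERITIES.index(sev_sel)
    return fac_ok and sev_ok


def is_auth_failure(sourcetype, msg):
    """Source-specific test for the failed-login events the lab generates
    by logging in with a wrong password."""
    if sourcetype == "pan_log":
        return "failed authentication" in msg.lower()
    if sourcetype == "fgt_log":
        # FortiOS logs are key=value pairs; quoted values may contain spaces.
        kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', msg)}
        return kv.get("action") == "login" and kv.get("status") == "failed"
    return False


def classify(port, raw):
    """Decode one datagram received on `port` into the fields Splunk would see."""
    facility, severity, msg = parse_pri(raw)
    sourcetype = PORT_TO_SOURCETYPE.get(port, "unknown")
    return {"sourcetype": sourcetype,
            "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "auth_failure": is_auth_failure(sourcetype, msg),
            "msg": msg}


def summarize(datagrams=SAMPLE_DATAGRAMS):
    return [classify(port, raw) for port, raw in datagrams]


if __name__ == "__main__":
    for row in summarize():
        print(row["sourcetype"], row["facility"], row["severity"],
              "AUTH-FAIL" if row["auth_failure"] else "", row["msg"][:60])
```

The Cisco and FortiGate samples both carry `<189>` (local7.notice), which is the default facility on those devices; the Linux `logger` line is user.notice (`<13>`). That is why a port-per-source layout, as in this lab, is the simplest way to keep the source types straight: the PRI alone does not identify the device.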