This is a diagram that I have used for the lab. I have used the same topology to deploy VPN site to site between Azure and Palo Alto firewall on-prem (https://tungle.ca/?p=3338). Basically I removed the Palo Alto firewall and put FortiGate in the diagram.
Create a new virtual network named Azure-PA.
Change the default subnet to PrivateSubnet with the address 10.0.1.0.
The subnet address range is 10.0.1.0/24.
Create a new subnet for the gateway.
The subnet address range is 10.0.0.0/24.
Go to “Virtual network gateway” to create a new virtual network gateway.
Virtual network: Azure-PA.
Subnet: GatewaySubnet 10.0.0.0/24
Public IP address name: VPNIP
Wait around 20 to 30 minutes for the deployment to finish.
Go to “Local network gateway” and create a new local network gateway.
The IP address is the public IP address of the Palo Alto firewall.
The address space is the Palo Alto firewall’s LAN subnets.
Go to “Virtual network gateways” and select the virtual network gateway that we created in the previous step.
Go to “Connections” and click Add.
Enter a shared key (PSK) for VPN site-to-site.
Take note of the public IP address of the Azure VPN gateway.
On the FortiGate on-prem:
Create a static default route.
Configure an IPsec tunnel.
Create a new network object for FortiGate.
Create both access rules to allow traffic from the FortiGate LAN subnets to your Azure VPN private subnets. Remember to “Disable NAT” on these rules.
Create a static route to send traffic from the FortiGate LAN subnets to your Azure private subnets via the IPsec site-to-site IKEv2 tunnel.
Ping from the Kali machine to the Windows 2016 VM on Azure.
The tunnel is up on FortiGate.
Ping the Kali machine on the FortiGate LAN subnet from Azure.
Back in VPN2S, we can see that the VPN connection status is “Connected”.
This is a diagram that I have used for this demonstration.
Create your VPC.
Create a private subnet.
Create a new Internet Gateway and attach it to your VPC.
Create a new route to 0.0.0.0/0 to your Internet gateway.
Create a new Customer gateway with the public IP address of FortiGate.
Create a new Virtual Private Gateway and attach it to your VPC.
Create a new VPN site-to-site.
Click Download Configuration to configure on your FortiGate.
Log into FortiGate.
Copy these commands and paste them into FortiGate. Note that “set mtu 1427” and “set mtu-override enable” are not available on FortiGate 6.2.
Back to AWS and launch a new Linux VM instance. This machine is used to test VPN site-to-site.
Configure a new static route to allow LAN subnets on AWS to access LAN subnets on FortiGate.
On FortiGate, configure a new static route to AWS LAN subnets.
Configure access rules to allow FortiGate LAN subnets to communicate with AWS LAN subnets.
Ping from the Kali machine to the Linux VM instance on AWS.
The IPSEC tunnel in FortiGate is up.
Back to AWS, the VPN tunnel is up.
Launch a new Windows 2016 VM instance to install Splunk.
On the Security Group, add a couple of rules to allow ICMP and all traffic from the FortiGate LAN subnets to reach this instance.
RDP to the Windows instance and disable the Windows Firewall so that it can receive logs from FortiGate.
Download Splunk Enterprise for Windows and install it into this instance.
Install the FortiGate App for Splunk and the Fortinet FortiGate Add-on for Splunk.
Click on the Settings tab and configure Splunk to receive FortiGate logs. Select a new Local UDP input.
Enter 514 as the port. By default, FortiGate uses UDP port 514 to send logs to syslog.
App Context: Fortinet FortiGate App for Splunk
Check that UDP port 514 is listening on the instance.
Back on FortiGate, configure FortiGate to send logs to Splunk on AWS. Enter the IP address of Splunk in the IP Address setting, choose All for “Event Logging” and “Local Logging”, then click Apply.
Log out of FortiGate and log back in to generate logs. If FortiGate logs do not appear in Splunk, run the commands below to change the source IP used for sending logs from the management interface to the LAN interface “172.16.1.254”, so that the syslog traffic is routed through the VPN tunnel to AWS.
config log syslogd setting
    set status enable
    set mode udp
    set port 514
    set server "10.0.0.48"
    set source-ip "172.16.1.254"
end
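Before the logs land in Splunk it is useful to know what they look like. The script below is an added example (not from the original post) that parses FortiGate's key=value syslog format, pulls out the admin login events that logging out and back in generates, and checks whether a chosen syslog source address falls inside the tunnel's local subnet; it assumes the FortiGate LAN is 172.16.1.0/24 and uses constructed sample lines.

```python
"""Parse FortiGate key=value syslog and pull out admin-login events."""
import ipaddress
import re
from typing import Dict, Iterable, List

# FortiOS syslog is a flat run of key=value pairs; values containing spaces
# are double-quoted. The regex matches one pair in either form.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the fields of one FortiGate syslog message as a dict.
    A leading syslog PRI such as <189> is dropped."""
    body = re.sub(r"^<\d+>", "", line).strip()
    fields = {}
    for key, value in _KV.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def admin_login_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only administrator login attempts, the events this lab generates
    by logging out of and back into the FortiGate GUI."""
    out = []
    for f in map(parse_fortigate_log, lines):
        if f.get("type") == "event" and f.get("action") == "login":
            out.append({k: f.get(k, "") for k in ("user", "ui", "status", "msg")})
    return out


def source_inside_tunnel(src_ip: str, local_selectors: Iterable[str]) -> bool:
    """True if the syslog source address lies in a subnet carried by the IPsec
    tunnel. Without `set source-ip`, FortiGate sends syslog from the egress
    interface, which is outside the selector, so Splunk never sees the logs."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n) for n in local_selectors)


# Constructed sample lines, not captured from the lab.
SAMPLE_LINES = [
    '<189>date=2020-05-03 time=10:15:22 devname="FGT-LAB" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(172.16.1.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(172.16.1.10)"',
    '<189>date=2020-05-03 time=10:15:30 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=172.16.1.10 dstip=10.0.0.48 dstport=514 '
    'proto=17 action="accept" policyid=3',
    '<189>date=2020-05-03 time=10:16:01 devname="FGT-LAB" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'ui="https(203.0.113.9)" action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(203.0.113.9)"',
]
```

The same parser can be pointed at a file exported from Splunk to confirm the fields the FortiGate add-on expects are present.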
Also, enable PING, HTTP, and HTTPS access on the tunnel 1 interface of FortiGate.
Splunk is able to ping the FortiGate LAN interface.
Back to the Splunk instance, now we are able to see logs from FortiGate.