This is a diagram that I have used for the lab. I have used the same topology to deploy VPN site to site between Azure and Palo Alto firewall on-prem (https://tungle.ca/?p=3338). Basically I removed the Palo Alto firewall and put FortiGate in the diagram.
Create a new virtual network is Azure-PA.
Change default network to PrivateSubnet is 10.0.1.0.
A subnet address range is 10.0.1.0/24
Click Create.
Create a new subnet.
A subnetwork address range is 10.0.0.0/24
Go to “Virtual network gateway” to create a new virtual network gateway.
Virtual network: Azure-PA.
Subnet: Gatewaysubnet 10.0.0.0/24
Public IP address name: VPNIP
Click Create.
Wait around from 20 to 30 minutes to see if the Deployment will be done.
Go to “Local network gateway” and create a new local network gateway.
An IP address is a public IP address of the Palo Alto firewall.
Address space is Palo Alto’s LAN subnets.
Clock create.
Go to “Virtual network gateways”, and select the virtual network gateways that we have created in the previous step.
Go to “Connections” – Add.
Enter a shared key (PSK) for VPN site-to-site.
Take note of the IP address of Azure VPN.
On FortiGate on-prem.
Create a static default route.
Configure an IPSEC Tunnel.
Phase 1.
Phase 2.
Create a new network object for FortiGate.
FG-LAN: 172.16.0.0/16
Azure-LAN: 10.0.0.0/16.
Create both access rules to allow traffic from FortiGate LAN subnets to your Azure VPN private subnets. Remember “Disable NAT” on these rules.
Create a static route to allow traffic from FortiGate LAN subnets to your Azure private subnets via the IPSEC VPN site-to-site IKEv2 tunnel.
Ping from Kali machine to Windows 2016 on Azure.
The tunnel is up on FortiGate.
Ping a Kali machine on FortiGate LAN subnet from Azure.
Back to VPN2S, we can see the VPN status connection is “Connected”.
This is a diagram that I have used for this demonstration.
Create your VPC.
Create a private subnet.
Create a new Internet Gateway and attach it to your VPC.
Create a new route to 0.0.0.0/0 to your Internet gateway.
Create a new Customer gateway with the public IP address of FortiGate.
Create a new Virtual Private Gateway and attach it to your VPC.
Create a new VPN site-to-site.
Click Download Configuration to configure on your FortiGate.
Log into FortiGate.
Interfaces.
Copies these commands and pastes them into FortiGate. Notes the set “mtu 1427” and set “mtu-override enable” does not available on FortiGate 6.2
Back to AWS and launch a new Linux VM instance. This machine is used to test VPN site-to-site.
Configure a new static route to allow LAN subnets on AWS to access LAN subnets on FortiGate.
On FortiGate, configure a new static route to AWS LAN subnets.
Configure access rules to allow FortiGate LAN subnets to communicate with AWS LAN subnets.
Pings from Kali machine to the Linux VM instance on AWS.
The IPSEC tunnel in FortiGate is up.
Back to AWS, the VPN tunnel is up.
Launches a new Windows 2016 VM instance to install Splunk.
On Security Group, add a couple of rules to allow ICMP and all traffic on FortiGate LAN subnets to access this instance.
RDP to Windows instance and disable Firewall to send logs from FortiGate.
Download Splunk Enterprise for Windows and install it into this instance.
Install FortiGate App for Splunk and Fortinet FortiGate Add on Splunk.
Click on the Settings tab and configure Splunk to get FortiGate logs. Select new Local UDP.
Enter 514 on the port setting. Be default, FortiGate is using UDP port 514 to send log to Syslog.
Select: fgt_log
App Context: Fortinet FortiGate App for Splunk
Method: IP
Index: Default
Check the UDP 514 port is running in the instance.
Back to FortiGate, configure Fortigate to send logs to Splunk on AWS. Enter the IP address of Splunk on the IP Address setting, and click choose All for “Event Logging” and “Local Logging”. Then, click Apply.
Log out of FortiGate and log back in to generate logs. If we may not see FortiGate logs on Splunk, we need to type the commands below to change the source-ip address to send log from using the “management interface” to using the LAN interface “172.16.1.254”
config log syslogd setting
set status enable
set mode udp
set port 514
set server "10.0.0.48"
set source-ip "172.16.1.254"
end
Also, enable PING Access, HTTP, and HTTPS on tunnel 1 interface of FortiGate.
Splunk is able to ping the FortiGate LAN interface.
Back to the Splunk instance, now we are able to see logs from FortiGate.
This is a diagram that is used to deploy this lab.
In this lab, we will use Elastic Load Balancer to distribute RDP traffic via Windows 2016 VM instances among the FortiGate in different AZs on AWS.
Below are a couple of steps that are used to deploy this lab.
Create your VPC, subnets, and route tables.
Launch FortiGate 1 on AZ 1 and FortiGate 2 on AZ 2.
Create both Windows 2016 VM on AZ 1 and AZ 2.
Configure DNAT to allow RDP traffic from the Internet to Windows Server 2016 instance on each AZ.
Configure Elastic Network Load Balancing on both FortiGates on multiple AZ.
RDP traffic has been distributed to Windows 2016 VM1 and VM2 via Elastic Network Load Balancing
Create a new VPC.
Create new both Public subnet 2 and Private subnet 2 on the Availability zone 2
Create 4 route tables as in the diagram above.
Link the subnets to corresponding route tables.
Create a new FortiGate on AZ 1.
Create a new Elastic IP address and associate for the first FortiGate.
Launch the new FortiGate instance on AZ 2.
Rename to Fortinet Zone 1 Public subnet and Fortinet Zone 2 Public Subnet.
Create a new Fortinet Zone 1 Private subnet.
Attach this into the first FortiGate.
Create a new Fortinet Zone 2 Private subnet and attach it to FortiGate 2.
Uncheck “Change source/destination check” on all FortiGate interfaces.
Back to Route tables.
Create a new route 0.0.0.0/0 on Public Route table 1 via Fortinet Zone 1 Public subnet interface.
Create a new route 0.0.0.0/0 on Public Route table 2 via Fortinet Zone 2 Public subnet interface.
Create a new route 0.0.0.0/0 on Private Route table 1 via Fortinet Zone 1 Private subnet interface.
Create a new route 0.0.0.0/0 on Private Route table subnet 2 via Fortinet Zone 2 Private subnet interface.
Access FortiGate management interface.
The FortiGate 1.
Change the LAN setting for port 2.
Do the same with FortiGate 2.
Create two new Windows Server 2016 instances on AZ1 and AZ2.
Windows Security Group.
Launch the new one.
Go to FortiGate 1, and DNAT port 3389 to Windows Server 2016 VM 1 instance.
Create a new inbound policy to allow traffic from the Internet to Windows 2016 instance.
On FortiGate 2.
Create a new Firewall Policy.
Edit the Security Group to allow RDP to Windows 2016 VM 2 instance.
Access Windows VM 1.
Create Network Load Balancer on AWS for RDP traffic to Windows Server 2016 instance.
Select “IP address”.
Add IP addresses on the public subnet of both FortiGates on “register targets”.
Click Register targets.
Wait until the health states on both IP addresses are healthy.
Right-click on FortiGate-NLB-RDP and enable “Cross zone load balancing” to allow load balancing on multiple AZ.
Set the same Windows password for both Windows 2016 instances.
Access RDP to the highlighted DNS name on NLB.
An RDP session will access Windows Server VM 1 or VM 2 via Elastic Load Balancing.
We are able to configure both web servers on Windows server 2016 VMs and distribute web traffic via Windows 2016 VM instances among the FortiGate in different AZs on AWS.