Tag Archives: Fortinet

Deploy VPN site-to-site between Palo Alto on-prem and AWS. Setup OpenVPN and additional Domain Controller on AWS

This is the diagram is used to deploy this lab.

In this lab.

  • Configure VPN site to site IKEv2 between Palo Alto and Virtual Private Gateway on AWS.
  • Implementing multi-master domain controllers on-prem and AWS.
  • Authenticating OpenVPN tunnel via LDAP to support people working from home to access corporate servers on AWS.
  • Disconnect the domain controller on-prem to simulate migrating corporate servers to AWS in the near future.

Core Switch configuration.

CoreSW
conf t
hostname CoreSW
ip routing
ip dhcp excluded-address 172.16.10.1 172.16.10.10
!
ip dhcp pool VLAN10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 172.16.20.12

interface GigabitEthernet0/0
 no switchport
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20,99
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk

interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 network 172.16.0.0 0.0.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.254

--- 
SWCore#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi1/0, Gi1/1, Gi1/2
                                                Gi1/3, Gi2/0, Gi2/1, Gi2/2
                                                Gi2/3, Gi3/0, Gi3/1, Gi3/2
                                                Gi3/3
10   End users                        active
20   Servers                          active
99   Native VLAN                      active

Check Kali VM., start SSH and Apache service on this machine.

On Palo Alto.

LAN interface.

e1/1 belongs to the VPN zone, and e1/2 belongs to the LAN zone, respectively.

Create a new network object for the PA LAN subnet.

Configure SNAT to allow traffic from the PA LAN subnet to access the Internet.

Configure a default route.

Configure OSPF on PA.

Allow ICMP on the Mgmt interface to troubleshoot.

Ping from PA.

Ping from a VM on the PA LAN subnet.

+ Create a new VPC.

Create a private subnet.

Create and attach Internet gateway to your VPC.

Route table.

Add a new route to your Internet Gateway.

Go to VPN, create a customer gateway.

Create a new VPN gateway.

Attach it to your VPC.

Create a VPN site to site.

Go to the Route table and add a new route to PA LAN subnet.

Click Download Configuration and select information as the following screenshot.

Open the file to use for configuring PA.

Configure IKECrypto.

Configure IPSECCrypto.

Configure IKE Gateway.

Create a new interface tunnel 1 for VPN IPSEC site to site between FG on AWS and PA.

Configure IPSEC Tunnel.

On Virtual Routers, add an interface tunnel 1 on the router settings.

Create a new static route to the AWS LAN subnet.

New address object.

Create both Security policies to allow traffic from LAN to VPN.

+ Back to AWS, create a new Linux and Windows instance on AWS.

Create a new key pair on AWS.

Allow HTTP, SSH, and ICMP on Security Group.

Back to GNS3, configure a new Windows 2016 server VM.

Takes notes of IP address of Linux instance on AWS.

Ping the Linux instance on AWS LAN subnet from PA LAN subnet.

The tunnel is up on PA

On AWS, the tunnel is up as well.

Configure Windows 2016 on GNS3.

Install Windows 2016.

On Kali, access SSH to Linux VM instance on AWS>

Website on-prem.

Website on AWS.

Change computer name to DC1 and promote it to a domain controller.

Create a new Windows VM on AWS.

Create a new OpenVPN server instance on AWS.

Access the OpenVPN server via SSH. Use openvpnas as a user to log in.

Check the private subnet on OpenVPN is matching with the private subnet on AWS.

Change the password of openvpn.

From Windows 2016 VM on GNS3, access RDP to Windows instance on AWS. Change DNS setting to DC1 on-prem.

Join the machine to domain on-prem and promote it to become additional domain controller.

Create a couple of users to test: tung, kevin, test on domain controllers.

On OpenVPN.

Change the setting to authenticate the OpenVPN tunnel via LDAP. We use both LDAP servers on AWS and on-prem.

Configure LDAP settings to query the corresponding information on domain controllers.

Access to OpenVPN mgmt interface.

Using a kevin user to log in.

Access a web server on a private subnet on AWS.

RDP to a private IP address on Windows DC2 on AWS.

Monitor Security traffic on PA.

Join Windows 10 to the domain.

Disconnect interface from DC1 to SW2 to simulate migrating servers to AWS cloud.

Windows 10 is still accessible to the domain on DC2 on AWS.

Access RDP to DC2 and a web server on AWS.

Domain users are able to access a domain controller on AWS and a web server on AWS when the domain controller on-prem was down.

Deploying FortiGate HA by using CloudFormation on AWS

This is a diagram to deploy FortiGate HA by using CloudFormation on AWS.

Create a new VPC.

Create a public subnet.

Create a private subnet.

Create a subnet for Synchronization between both FGs.

Create a new subnet for FortiGate management.

Public subnet: 10.0.0.0/24

Private subnet: 10.0.1.0/24

FGSync subnet: 10.0.3.0/24

FGHA mgmt subnet: 10.0.4.0/24

Create a new Internet gateway, and attach it to your VPC.

Create a new public route.

Edit the public route, and add a new default route to your internet gateway.

Associate both public and HAmgmt subnet into the public route.

Create a new key pair.

Create a new bucket, and leave the settings by default.

Go to the GitHub of Fortinet, and download a json file for the existing VPC as a screenshot below.

https://github.com/fortinet/aws-cloudformation-templates/tree/main/FGCP/7.0/SingleAZ
Go to CloudFormation on AWS, click to create a new stack to deploy FortiGate HA.

Upload the template into this stack.

Enter your stack name, VPCID, VPCCIDR, and link public, private, sync, HAmgmt to corresponding subnets.

Will choose the minimize instance type for the lab is c5.xlarge.

Copy Public route table ID into the publicsubnetroutetableID.

The license is PAYG.

Click Next and accept the settings by default.

Click create stack. It will take a couple of minutes to complete.

On Output, copy all information to notepad to keep track.

There are three Elastic IP addresses that have been created on your VPC.

This is a master FG.

It will link to a default Security Group that has been created when creating a stack.

Wait until both FGs are checked passed.

Access the Primary HA FG via cluster IP address.

Both access rules have been automatically created when creating a stack.

Access the FG1, FG2 via mgmt IP address.

Check HA status.

FG1.

On FG2, there is only an elastic IP address.

Update the Elastic IP address.

Notes Network interface ID of FortiGate.

Edit and add a new route on the private subnet route to route all traffic on the subnet to network interface of the master FG

On FG2, open the console and type the command below.

diagnose debug application awsd -1
diagnose debug enable

On FG1, click instance state and stop the instance.

The Cluster IP address has been successfully moved to FG2.

On S3 bucket, we can see there are two config files for FG1 and FG2 have been created when installing a stack.

It only supports unicast for a heartbeat on AWS.

Refresh the cluster IP management access.

FG2 has become the Primary for HA.

The route has been updated to use a private network instance on FG2.

Also, we can see all interfaces have been disabled for “Change source/destination check”.

To terminate the lab, go to stack and delete the stack that has been created for the lab.

Deploy IPSEC VPN site-to-site between FortiGate on AWS and Palo Alto on premises

This is a diagram to show how to create a VPN site to site connection from PA on-prem and FG on AWS.

In this lab:

  • Create a VPC, subnets, Internet gateway, route tables.
  • Create a FortiGate VM and Windows 2016 instance on AWS
  • Configure Palo Alto
  • Create VPN site to site between both sites PA and FortiGate
  • Allow Windows 2016 instance to access the Internet via FortiGate. Also, allow RDP to this machine via the Internet by using FortiGate.
  • Test ping traffic between both sites.
  • Allow a machine on the PA LAN subnet to access the Internet and the Windows 2016 instance on AWS.
  • Create a new SSLVPN portal on AWS and test to access the portal via SSLVPN.

+ Below are a couple of steps to deploy FortiGate on AWS.

Create a new VPC.

Create a public subnet.

Create a private subnet.

Create an Internet gateway.

Attach the gateway to your VPC.

Edit Route table, change default Route table to Private Route.

Create a Public Route Table.

Link the Public Subnet to the Public Route.

Add a new route 0.0.0.0/0 to your Internet gateway.

Create a new key pair.

+ Go to EC2, and deploy Fortinet on AWS.

Select your VPC, the subnet belongs to Lab Public Subnet. Also, changing the Auto-assign Public IP is Enable.

On the Security Group tab, add new two lines at the end of Security Group as a screenshot below. This allows to ping and RDP to the Windows 2016 machine on a private subnet later on.

Go to Network interfaces, change the interface to FG Public Interface.

Create a new FG Private interface. Links to the private subnet and FortiGate Security Group.

Change to FG Private Interface.

Select the FG private interface, choose Action on the top right-hand side and Attach this network interface to Fortinet EC2.

Right-click on both FG Public and Private interfaces, and disable “Change source/dest check” on both interfaces to allow NAT traffic on these interfaces.

Create a new Elastic IP address.

Change to Fortinet EIP.

Associate this Elastic IP address to Fortinet EC2.

Back to Route tables, add a new route 0.0.0.0/0 to FG private interface.

Now, Fortinet has two interfaces. One is Private, and another one is Public.

Copy the Elastic IP address and paste it to your web browser to access the FortiGate management interface.

Access Fortinet via the Internet.

+ Launch a new Windows VM EC2 instance on your VPC.

Network: Your VPC

Subnet: Private subnet

Auto-assign Public IP: Disabled. We will access RDP to the machine via DNAT on FortiGate.

On the Security Group setting, add two lines to allow RDP and ICMP traffic to the machine.

+ Login to Fortinet.

Copy the FG instance and paste it to password login.

Change the password to login to Fortinet.

Edit WAN and LAN interface setting.

Back to Fortinet to configure Firewall Policy to allow RDP traffic from the Internet to the Windows VM machine.

Configure port forwarding to allow traffic from the Internet to Windows 2016 VM instance on AWS.

External IP address: IP address of FG on the public subnet

Map to IPv4 address on the private subnet is IP address of Windows VM computer.

The external service port and map to IPv4 port is 3389.

Allow inbound traffic from WAN to this machine.

Create both static routes to allow a private subnet to access outside.

Creating new static routes for the private subnet from 10.0.0.0/16 to 10.0.1.1 that is the default gateway on the private subnet.

Try to access the machine.

Load private key to decrypt Windows password.

Access RDP to Windows 2016 instance on AWS.

Now we can see the RDP traffic via Fortinet.

Disable Windows Firewall to allow ICMP traffic to that machine on Palo Alto private subnet.

Configure IPSEC site to site wizard. Choose Custom.

Enter IP address of public interface of PA. Disable NAT traversal, enter the pre-shared key and choose the IKE v2.

Phase 1 and Phase 2 settings need to match with the Palo Alto setting.

Local Address: the private subnet of FG: 10.0.1.0/24

Remote Address: PA LAN subnets: 172.16.0.0/16

Click the Advanced tab. Change the setting to match with PA Phase 2 setting

Create Fortinet LAN and PA LAN subnet network addresses.

Create a static route on Fortinet to allow private subnet traffic to the Palo Alto LAN subnet.

Create a Security Policy to allow traffic from the Fortinet LAN subnet to the PA LAN subnet. Remember to uncheck NAT setting on access rules from AWS LAN to PA LAN and vice versa.

PA LAN subnet to AWS LAN subnet.

AWS LAN subnet to PA LAN subnet.

Create a new access rule to allow the FG LAN subnet to access the Internet.

Ping 8.8.8.8 from Windows 2016 VM instance.

+ Configure PA.

Setting the IP address for e1/1 is DHCP, and assign an IP address for e1/2 is 172.16.1.254/24

Create a tunnel interface: tunnel 1.

Create network objects for FortiGate, PA LAN, and AWS LAN.

Create IKEC Crypto.

Create an IPSEC Crypto.

IKE Gateway.

IPSEC tunnel.

On Proxy ID tab.

Local: PA LAN subnets.

Remote: AWS LAN subnet.

Create a Static Route from PA LAN to Fortinet LAN on AWS.

Create both Security Policies to allow traffic from PA LAN subnet to AWS LAN subnet.

Remember to click “Commit” button to apply the new settings on PA.

From Windows 2016 VM instance, pings a machine on PA LAN subnet.

+ Pings from PA LAN subnet to AWS LAN subnet.

On PA, a tunnel is up.

Monitoring to see the traffic on both sites.

On FortiGate.

An IPSEC VPN site-to-site tunnel is up.

diagnose vpn tunnel list

Click on the log and Report to see events that are related to VPN.

+ Back to PA to create another static route to allow the PA LAN subnet to access the Internet.

A next hop is the default gateway of the PA public subnet.

Create a SNAT policy to allow traffic from the PA LAN subnet to the Internet.

On the Destination interface, should choose e1/1. This is because VPN site-to-site traffic does not use NAT.

Ping 8.8.8.8 from PA LAN subnet.

+ Create an SSLVPN portal on FortiGate to allow to access FG private subnet on the SSLVPN zone.

RDP to Windows 2016 instance private subnet on AWS is 10.0.1.42

On SSLVPN setting, enable SSLVPN via 44333 port.

Create a new username and password to access SSLVPN.

Then assign this user to the portal that we have created on previous step.

Edit the Security Group to allow Internet traffic to SSLVPN port is 44333.

From a Windows machine, access SSLVPN portal on FG.

Also, we can use Forticlient to access if we have a license.

Deploy VPN IPSEC site-to-site between FortiGate on-prem and AWS

This is a topology that is used to deploy this lab.

+ Configure FortiGate on AWS.

Create a new VPC with a CIDR network is 10.0.0.0/16. Then, create both Lab Public subnet and :ab Private subnet on AWS.

Create a new Internet gateway and attach to your VPC.

Create route tables.

Add a new route to the public Route table.

Associate the public subnet to the Public Route table.

Go to EC2 and create a new FortiGate instance.

Create a new private interface for FortiGate.

Attach the interface to FortiGate.

Disable “Source and destination check” on both Public and Private FortiGate interfaces.

Create a new Elastic IP address and assign it to your FortiGate instance.

Assign the Elastic IP address to public FortiGate interface.

Access FortiGate management interface.

Add a new route on a Private Route table to the Private FortiGate interface.

Create a new Windows instance on AWS.

Security Group.

Modify Windows Security Group to allow ICMP traffic.

Configure VPN site to site.

There are two routes that have been automatically created on FortiGate on the static routes setting.

+ Configure FortiGate on-prem.

Configure a default route on FortiGate.

Configure VPN site to site between both FortiGate.

+ Pings a Windows instance on AWS from a machine on FortiGate on-prem. Remember to access RDP to the machine and disable Windows Firewall to allow ICMP traffic from on-prem to that machine.

The IPSEC tunnel is up.

Pings from Windows instance on AWS to a computer on FortiGate LAN subnet on-prem.

The IPSEC tunnel on-prem is up.

+ Configure SSLVPN portal on FortiGate on AWS.

Deploying FortiGate on Amazon AWS

Diagram.

Below are a couple of steps to deploy Fortinet on AWS.

Create a new VPC.

Create a public subnet.

Create a private subnet.

Create an Internet gateway.

Attach the gateway to your VPC.

Edit Route table, change default Route table to Private Route Table.

Create a Public Route Table.

Edit the route and route all traffic to Internet Gateway.

Link Lab Public Subnet to Public Route Table.

Create a new key pair.

Go to EC2, and deploy Fortinet on AWS.

Select your VPC, the subnet belongs to Lab Public Subnet. Also Auto-assign Public IP is Enable.

Security Group.

Go to Network interfaces. Change the interface to Fortinet Public Subnet.

Create a new Fortinet Private subnet.

Attach this network interface to Fortinet EC2.

Create a new Elastic IP address.

Change to Fortinet EIP.

Associate this Elastic IP address to Fortinet EC2.

Now, Fortinet has two interfaces. One is Private, and another one is Public.

Access Fortinet via the Internet.

Login to Fortinet.

Change password to login to Fortinet.

Edit interfaces.

WAN interface.

LAN interface.

Edit Security Group to allow to ping Fortinet.

Disable Source and Destination Check on “Fortinet Private subnet”.

Now, change the route to route private subnet traffic via Fortinet Private subnet interface.

Create a new Windows 2016 VM EC2. The machine is belonged to “Lab private Subnet”.

Create a new Windows Security Group to allow HTTP and RDP traffic.

Back to Fortinet to configure FIrewall Policy to allow traffic from Fortinet Private subnet to access the Internet.

Configure port forwarding to allow traffic.

Allow inbound traffic from WAN to this machine.

Try to access the machine.

Sniffer traffic on Fortinet.

Modify the Security group to allow RDP.

Load private key to decrypt Windows password.

Access RDP to Windows 2016 instance on AWS.

Now we can see the RDP traffic via Fortinet.

diagnose sniffer packet port1 "port 3389"

The Windows machine is able to access the Internet.

Send Palo Alto, FortiGate, Cisco Router, and Linux Server logs to Splunk

This is a diagram that I have used to deploy this lab.

Log in to Splunk, and download Cisco Suite for Splunk, Fortigate, and Palo Alto app for Splunk.

Click Install app from file.

On Splunk.

+ Palo Alto

Go to Settings – Data inputs – New Local UDP.

Enter the port 5514 on the Port setting

Source type: pan_log

App Control: Palo Alto Networks

Method: IP

Index: Default

On Palo Alto, configure to send logs to Splunk server with destination port is 5514.

Commit, log off and log on to generate logs.

Back to Splunk.

Click Palo Alto App – Operations – Real-time Event Feed.

+ Cisco Router R1.

conf t
logging trap informational
logging host 142.232.197.8 transport udp port 5515

On Splunk.

Port 5515

Source type: cisco:asa

App Context: Cisco Suite for Splunk

Method: IP

Index: default.

Back to Router, send sample logs to Splunk.

end
send log "Tung Le"
send log "Tung Le"

+ On Kali Linux.

sudo su
nano /etc/rsyslog.conf
##Add the following line to the end of the file. The listening port is 5516.
*.*                @142.232.198.8:5516

Restart rsyslog service.

systemctl restart rsyslog
systemctl status rsyslog

Back to Splunk, configure the listening port for the Linux server is 5516

source type: Syslog

app context: Apps Browser

Back to Kali, type the command below to generate logs to Splunk.

logger "Tung Le"

+ FortiGate:

Configure FortiGate to send logs to Splunk via the UDP port 5517.

config log syslogd setting
set status enable
set server 142.232.197.8
set port 5517
end

Log into FortiGate, and enable the setting below to send logs to Splunk.

On Splunk, configure port is 5517.

Source type: fgt_log

App Context: FortiGate

Method: IP

Index: Default

Log off FortiGate, type w wrong password to generate logs.

Create an IPSEC site-to-site tunnel between Palo Alto And FortiGate.

This is the lab to use to set up the IPSEC site-to-site tunnel between both devices.

On Palo Alto.

IKE Crypto.

IPSEC Crypto.

IKE Gateway.

IPSec tunnel.

Create a virtual route from PA to Fortinet.

Create two Security Policies to allow traffic from the “Trusted Zone” of PA to the “Trusted Zone” of Fortinet.

Configure Fortinet.

config system interface
edit port1
set mode dhcp
set allowaccess ping httpd http fgfm
next
end
show system interface 
# show system interface to get IP Address from DHCP

Go to Webterm to configure Fortinet.

Configure a custom VPN Tunnel with the following information.

Configure a static route to allow traffic from Trusted Zone (192.168.20.0/24) on Fortinet to the Trusted Zone (192.168.10.0/24) on PA.

Create two Security policies to allow traffic from VPN to Trusted Zone and vice versa.

Ping and traceroute from a VM on Fortinet to another VM on Palo Alto.

Monitor IPSEC tunnel on Fortinet.

Monitor IPSEC tunnel on PA.

Configure host-check for SSLVPN connections on FortiGate

This is a diagram to do a host-check SSLVPN connections lab.

Enable tunnel-mode SSLVPN

Enable host-check for Antivirus and Firewall enabled on Fortinet.

Windows machine is up to date and Windows Firewall is enabled.

Setup Forticlient on Windows machine.

Move to unpatched and disabled Windows firewall’s machine.

SSLVPN connection is failed.

Enabled Windows Firewall

Windows OS is not up to date.

Creating an SSLVPN connection again, it was failed.

Checking on Forticlient log and Fortinet Web management console.

Configure DoS Policy on FortiGate

This is a diagram to do a Fortinet Dos Lab.

Fortinet – Policy and Objects – IPv4 DoS Policy.

Change TCP_port_scan setting to 5 and ICMP_flood setting to 4.

Configure quarantine setting on the Fortinet DoS Policy.

config firewall DoS-policy

    edit 1

        set interface “port1”

        set srcaddr “all”

        set dstaddr “all”

        set service “ALL”

        config anomaly

            edit “icmp_flood”

                set status enable

                set log enable

                set quarantine attacker

                set quarantine-expiry 5m 

                set quarantine-log disable

                set threshold 4

            next

        config anomaly

            edit “tcp_port_scan”

                set status enable

                set log enable

                set quarantine attacker

                set quarantine-expiry 5m 

                set quarantine-log disable

                set threshold 5

            next

Sending 5 packets per second, Fortinet starts to block the excessive ICMP packets.

Check Fortinet Anomaly log.

Fortinet Fortiview.

Fortinet Monitor – Banned IP. AT IP Address was blocked by Fortinet Firewall.

Doing port scan on Kali machine by using Nmap command.

Fortinet was blocked port scan on the opened port 80.