#870 - port 40net-cloud/fortinet-gcp-solutions
1 parent d8ec3b3, commit b8022eb
Showing 94 changed files with 5,670 additions and 0 deletions.
@@ -0,0 +1,73 @@ | ||
# Deployment templates for FortiGate in Google Cloud | ||
|
||
In this directory you will find templates and reference architectures for running a FortiGate Next-Generation Firewall VM in Google Cloud (GCE). | ||
|
||
Hint: architectures are marked with "100", "200", "300" to indicate their level of complexity and possible dependencies ("200" architectures make use of "100" and "300" architectures of "200"). | ||
|
||
## Common Architectures | ||
|
||
### [Active-Passive HA in Load Balancer Sandwich](architectures/200-ha-active-passive-lb-sandwich/) | ||
This design will deploy 2 FortiGate VMs in 2 zones, preconfigure an Active/Passive cluster using unicast FGCP HA protocol, and place them between a pair of external and internal load balancers. On failover load balancers will detect failure of the primary instance using active probes on port 8008 and will switch traffic to the secondary instance. The failover time is noticeably faster than using Fabric Connector and is configurable in Health Check settings. This design supports multiple public IPs. | ||
This design is subject to 99.98% GCP Compute SLA. | ||
|
||
<p align="center"> | ||
<img width="550px" src="https://lucid.app/publicSegments/view/a05034a9-be24-423d-b307-cf3b4efd1a0e/image.png" alt="FortiGaste A-P HA in LB Sandwich"> | ||
</p> | ||
|
||
### [Peered Security Services Hub](architectures/300-peered-security-hub/) | ||
GCP limitations related to deployment of multi-NIC instances make the usual architecture for deploying firewalls very static and costly (a classic 3-tier application would require an 8-core FGT instances). Peered Security Hub architecture provides flexibility of securing up to 25 LAN segments using a single internal NIC. | ||
|
||
<p align="center"> | ||
<img width="550px" src="https://lucid.app/publicSegments/view/cdc1dc90-2ab4-4488-841a-92e2795ea630/image.png" alt="FortiGate Hub and Spoke"> | ||
</p> | ||
|
||
## Other Architectures | ||
|
||
### [Single VM](architectures/100-single-vm/) | ||
A single FortiGate VM will process all the traffic. This design introduces a single point of failure, which will make some operations (e.g. upgrades) disruptive. Also, due to lower SLA (99.5%) it's rarely used as a standalone solution in production. This design can be used though as a building block for more advanced architectures. | ||
|
||
![FGT Single VM details](https://lucid.app/publicSegments/view/4e56ef05-671c-47f3-a2cd-65cca6185f20/image.png) | ||
|
||
### [Active-Passive HA Cluster with SDN Connector Failover](architectures/200-ha-active-passive-sdn/) | ||
This design deploys 2 FortiGate VMs in 2 zones and preconfigure an Active/Passive cluster using unicast FGCP HA protocol. FGCP synchronizes the configuration and session table. One (directly) or more (using Protocol Forwarding) External IP addresses can be assigned to the cluster. On failover the newly active FortiGate takes control and issues API calls to GCP Compute API to shift the External IPs and update the route(s) to itself. Shifting the EIPs and routes takes about 30 seconds, but preserves existing connections. | ||
|
||
Note: multiple IPs are available in this design with FortiGate version 7.0.2 and later. | ||
This design is subject to 99.99% GCP Compute SLA. | ||
|
||
<p align="center"> | ||
<img width="700px" src="https://lucid.app/publicSegments/view/09e00569-7fab-4e9f-92f1-de8fd9148623/image.png" alt="FortiGate A-P HA with SDN Connector"> | ||
</p> | ||
|
||
### [Active-Active FGSP group](architectures/200-lb-active-active) | ||
Active-Active design uses multiple appliances actively processing streams of data. Load balancers are used in front of each interface group to dispatch the traffic and detect unhealthy instances. Flow asymmetry impairing threat inspection can be mitigated using source NAT or FGSP L3 UTM sync feature. Connections forwarded without inspection are handled using FGSP session sync feature. Note that crash of any of the group members will cause drops of some of the existing connections. | ||
|
||
![](https://lucid.app/publicSegments/view/e9c7ba47-30ae-43aa-b32a-bba738bedf9d/image.png) | ||
|
||
### [IDS with Packet Mirroring](ids-packet-mirroring/) | ||
FortiGate virtual appliances are capable of detecting and blocking threats using the FortiLabs-powered IDS/IPS system as well as the built-in antivirus engine. While it is recommended to deploy FortiGates inline, so the threats can be blocked as soon as they are detected, it is not possible to do so for the network traffic inside a Google Cloud VPC Network. In this case, one can utilize GCP Packet Mirroring feature together with FortiGate one-arm-sniffer mode to detect malicious or infected traffic and alert the administrators. For multiple sensors it's best to use FortiAnalyzer as the correlation and aggregation engine providing single pane of glass insights into the traffic patterns as well as detected threats or compromised VMs. | ||
![](https://lucid.app/publicSegments/view/5ac9e8fb-7f7f-4077-81e8-2c1e4dc6cf51/image.png) | ||
|
||
### [Network Connectivity Center](network-connectivity-center/) | ||
/upcoming/ | ||
|
||
## Choosing HA Architecture | ||
Fortinet recommends two base building blocks when designing GCP network with an Active-Passive FortiGate cluster: | ||
1. [A-P HA with SDN Connector](architectures/200-ha-active-passive-sdn/) | ||
2. [A-P HA in LB Sandwich](architectures/200-ha-active-passive-lb-sandwich/) | ||
|
||
Make sure you understand differences between them and choose your architecture properly. Also remember that templates and designs provided here are the base building blocks and you can modify or mix them to match your individual use case. | ||
|
||
| Feature | with SDN Connector | in LB Sandwich | | ||
| --------|--------------------|----------------| | ||
| Failover time | 30-40 secs | ~10 secs | | ||
| Protocols supported | UDP, TCP, ICMP, ESP, AH, SCTP | TCP, UDP, ESP, GRE, ICMP, ICMPv6 | | ||
| Max. external addresses | hundreds* (ver. 7.0.2+) / 1 (ver. 7.0.1 and earlier) | hundreds* | | ||
| Tag-based internal GCP routes| supported | supported | | ||
| Preserves connections during failover | yes | yes | | ||
| SDN Connector privileges | read-write | none | | ||
|
||
\* - subject to external forwarding rules quota per GCP project and set of forwarded protocols | ||
|
||
## How to Deploy... | ||
- [...using Deployment Manager](../howto-dm.md) | ||
- [...using Terraform](../howto-tf.md) |
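Review bot: the first diagram's alt text reads "FortiGaste A-P HA in LB Sandwich" (typo for FortiGate), and the architecture links are inconsistent: `### [Active-Active FGSP group](architectures/200-lb-active-active)` lacks the trailing slash the other links use, while `[IDS with Packet Mirroring](ids-packet-mirroring/)` and `[Network Connectivity Center](network-connectivity-center/)` resolve relative to this directory rather than `architectures/`, so either those directories really live one level up or the paths need the `architectures/` prefix. The two Active-Passive designs cite different SLA figures (99.98% for the LB sandwich, 99.99% for the SDN Connector variant) although both deploy across 2 zones; confirm which figure is intended. Grammar: "This design deploys 2 FortiGate VMs in 2 zones and preconfigure an Active/Passive cluster" should read "preconfigures". In the comparison table, "SDN Connector privileges: read-write" is the security-relevant difference between the two designs; a link from that row to the SDN privileges document (this commit's deploy guide already references `docs/sdn_privileges.md`) would tell readers exactly which permissions that read-write service account needs.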
@@ -0,0 +1,19 @@ | ||
# Single FortiGate VM | ||
|
||
Single VM is a basic setup good to start exploring capabilities of the next-generation firewall and a base layer for more advanced architectures. It will allow you to protect your workloads running in Google Cloud as well as inspect the outbound traffic, but - as a single VM is subject to lower GCP Compute SLA (99.5%) - it is very rarely used as a production architecture. | ||
|
||
## Design | ||
|
||
![FGT Single VM details](https://lucid.app/publicSegments/view/4e56ef05-671c-47f3-a2cd-65cca6185f20/image.png) | ||
|
||
A single FortiGate VM instance with 2 network interfaces in external and internal VPC. Although it is technically possible to deploy with just one NIC, Fortinet recommends using port1 as external interface and port2 as internal for convenience. | ||
|
||
External NIC (port1) is connected to Internet using its public IP address and optionally can use protocol forwarding to utilize more external addresses. It is the primary network interface from the point of view of the cloud and will be also used for communication with Google Cloud metadata server (169.254.169.254) | ||
|
||
Internal NIC (port2) is configured as target for a custom route added to internal VPC Network, which causes all outbound traffic to be routed via FortiGate appliance. | ||
|
||
## Deploying a single FortiGate VM | ||
|
||
- [with Deployment Manager](deployment-manager/) | ||
- [with Terraform](terraform/) | ||
- [with gcloud utility](deploy-gcloud.md) |
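Review bot: the Design section opens with a sentence fragment, "A single FortiGate VM instance with 2 network interfaces in external and internal VPC."; make it a complete sentence (e.g. "The design consists of a single FortiGate VM instance with 2 network interfaces, one in the external and one in the internal VPC."). The port1 paragraph is also missing its final period after "(169.254.169.254)". Minor: "a custom route added to internal VPC Network" should be "the internal VPC network".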
terraform/FortiGate/architectures/100-single-vm/deploy-gcloud.md (167 additions & 0 deletions)
@@ -0,0 +1,167 @@ | ||
# Single FortiGate VM | ||
## How to deploy using gcloud | ||
|
||
### Prerequisites | ||
Before you deploy a FortiGate instance, you need to create | ||
- 2 VPC Networks (external and internal) | ||
- with 1 subnet in each | ||
|
||
Note: subnets must be in the same region where you plan to deploy your FortiGate instance. | ||
|
||
You also must know the following values: | ||
1. URLs of external VPC and subnet | ||
1. URLs of internal VPC and subnet | ||
1. URL of image you're going to deploy (see [below](#how-to-find-the-image) for more details) | ||
1. zone where you want to create your FortiGate VM | ||
|
||
it's a good idea to save these values in shell variables. See the example below: | ||
|
||
``` | ||
VPC_EXT_NAME=vpc-external | ||
SB_EXT_NAME=sb-external-euwest1 | ||
VPC_INT_NAME=vpc-internal | ||
SB_INT_NAME=sb-internal-euwest1 | ||
# find newest BYOL image | ||
FGT_IMG_URL=$(gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)" | sort -r | head -1) | ||
ZONE=europe-west1-c | ||
``` | ||
|
||
### Deploy | ||
The commands below will deploy a FortiGate instance with 2 NICs, a 100GB logdisk and a single (ephemeral) external IP | ||
|
||
``` | ||
# create log disk | ||
gcloud compute disks create my-fgt-logdisk --size=100 --type=pd-ssd --zone=$ZONE | ||
# create FortiGate instance | ||
gcloud compute instances create my-fortigate --zone=$ZONE \ | ||
--machine-type=e2-standard-2 \ | ||
--image=$FGT_IMG_URL --can-ip-forward \ | ||
--network-interface="network=$VPC_EXT_NAME,subnet=$SB_EXT_NAME" \ | ||
--network-interface="network=$VPC_INT_NAME,subnet=$SB_INT_NAME,no-address" | ||
--disk="auto-delete=yes,boot=no,device-name=my-fgt-logdisk,mode=rw,name=my-fgt-logdisk" | ||
``` | ||
|
||
To use a static EIP, create address as a separate resource and refer it when creating the FortiGate instance: | ||
|
||
``` | ||
gcloud compute addresses create my-fortigate-eip --region=europe-west1 | ||
gcloud compute instances create my-fortigate --zone=$ZONE \ | ||
--machine-type=e2-standard-2 \ | ||
--image=$FGT_IMG_URL --can-ip-forward \ | ||
--network-interface="network=$VPC_EXT_NAME,subnet=$SB_EXT_NAME,address=my-fortigate-eip" \ | ||
--network-interface="network=$VPC_INT_NAME,subnet=$SB_INT_NAME,no-address" | ||
--disk="auto-delete=yes,boot=no,device-name=my-fgt-logdisk,mode=rw,name=my-fgt-logdisk" | ||
``` | ||
|
||
Route traffic from internal VPC via FortiGate by creating a custom default route: | ||
``` | ||
gcloud compute routes create default-via-my-fortigate \ | ||
--network=$VPC_INT_NAME \ | ||
--destination-range="0.0.0.0/0" \ | ||
--next-hop-instance=my-fortigate \ | ||
--next-hop-instance-zone=$ZONE \ | ||
--priority=100 | ||
``` | ||
|
||
*Note:* by default, the internal VPC already includes a default route with priority 1000 via Default Internet Gateway. You must create a custom route with lower priority number or delete the built-in default route. | ||
|
||
To make the traffic flow via FortiGate instance, you have to create Cloud Firewall rules that allow it: | ||
``` | ||
gcloud compute firewall-rules create allow-external-to-fgt \ | ||
--allow=all \ | ||
--network=$VPC_EXT_NAME | ||
gcloud compute firewall-rules create allow-internal-to-fgt \ | ||
--allow=all \ | ||
--network=$VPC_INT_NAME | ||
``` | ||
|
||
*Complete example:* | ||
``` | ||
VPC_EXT_NAME=vpc-external | ||
SB_EXT_NAME=sb-external-euwest1 | ||
VPC_INT_NAME=vpc-internal | ||
SB_INT_NAME=sb-internal-euwest1 | ||
# find newest BYOL image | ||
FGT_IMG_URL=$(gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)" | sort -r | head -1) | ||
ZONE=europe-west1-c | ||
# create log disk | ||
gcloud compute disks create my-fgt-logdisk --size=100 --type=pd-ssd --zone=$ZONE | ||
# create static external IP | ||
gcloud compute addresses create my-fortigate-eip --region=europe-west1 | ||
#create FortiGate instance | ||
gcloud compute instances create my-fortigate --zone=$ZONE \ | ||
--machine-type=e2-standard-2 \ | ||
--image=$FGT_IMG_URL --can-ip-forward \ | ||
--network-interface="network=$VPC_EXT_NAME,subnet=$SB_EXT_NAME,address=my-fortigate-eip" \ | ||
--network-interface="network=$VPC_INT_NAME,subnet=$SB_INT_NAME,no-address" | ||
--disk="auto-delete=yes,boot=no,device-name=my-fgt-logdisk,mode=rw,name=my-fgt-logdisk" | ||
gcloud compute routes create default-via-my-fortigate \ | ||
--destination-range="0.0.0.0/0" \ | ||
--next-hop-instance=my-fortigate \ | ||
--next-hop-instance-zone=$ZONE \ | ||
--priority=100 | ||
gcloud compute firewall-rules create allow-external-to-fgt \ | ||
--allow=all \ | ||
--network=$VPC_EXT_NAME | ||
gcloud compute firewall-rules create allow-internal-to-fgt \ | ||
--allow=all \ | ||
--network=$VPC_INT_NAME | ||
``` | ||
|
||
### [optional] Additional external IP addresses | ||
|
||
[Protocol Forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding) is a GCP feature, which allows attaching additional external addresses to a VM. Before creating and attaching an address, a targetInstance resource must be created: | ||
|
||
``` | ||
gcloud compute target-instance create my-fgt-target \ | ||
--instance=my-fortigate --zone=$ZONE | ||
``` | ||
|
||
Next, a forwarding rule can be added: | ||
``` | ||
gcloud compute forwarding-rules create my-fwd-rule \ | ||
--target-instance=my-fgt-target \ | ||
--target-instance-zone=$ZONE \ | ||
--ip-protocol=TCP \ | ||
--ports=ALL | ||
``` | ||
|
||
### SDN Connector account | ||
If you plan to use dynamic address objects with SDN Connector please read also [this article](../../docs/sdn_privileges.md) | ||
|
||
## How to find the image | ||
You can either deploy one of the official images published by Fortinet or create your own image with disk image downloaded from [support.fortinet.com](https://support.fortinet.com). We recommend you use official images unless you need to deploy a custom image. | ||
|
||
Fortinet publishes official images in *fortigcp-project-001* project. This is a special public project and every GCP user can list images available there using command | ||
|
||
`gcloud compute images list --project fortigcp-project-001` | ||
|
||
Official images for FortiGate have names starting with *fortinet-fgt-[VERSION]* (BYOL images) or *fortinet-fgtondemand-[VERSION]*. It is your responsibility to select the correct image if deploying using gcloud or templates (Deployment Manager templates in this repository automatically find image name based on version and licenses properties). Use filter and format options of gcloud command to get a clean list, eg. | ||
`gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgtondemand AND status:READY" --format="get(selfLink)"` | ||
|
||
will get you a list of image URLs for FortiGate PAYG, and | ||
|
||
`FGT_IMG=$(gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)" | sort -r | head -1)` | ||
|
||
will save the URL of the newest BYOL image into FGT_IMG variable | ||
|
||
## References | ||
- [gcloud compute addresses create](https://cloud.google.com/sdk/gcloud/reference/compute/addresses/create) | ||
- [gcloud compute disks create](https://cloud.google.com/sdk/gcloud/reference/compute/disks/create) | ||
- [gcloud compute instances create](https://cloud.google.com/sdk/gcloud/reference/compute/instances/create) | ||
- [gcloud compute routes create](https://cloud.google.com/sdk/gcloud/reference/compute/routes/create) | ||
- [gcloud compute firewall-rules create](https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create) | ||
- [Protocol Forwarding](https://cloud.google.com/load-balancing/docs/protocol-forwarding) |
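Review bot: in all three `gcloud compute instances create` blocks the line `--network-interface="network=$VPC_INT_NAME,subnet=$SB_INT_NAME,no-address"` has no trailing backslash, so the following `--disk="auto-delete=yes,boot=no,device-name=my-fgt-logdisk,mode=rw,name=my-fgt-logdisk"` line is executed as a separate (failing) command and the instance is created without the log disk the text promises; add the `\`. In the complete example the route command drops the `--network=$VPC_INT_NAME` flag that the standalone version has, so the 0.0.0.0/0 route would land in the project's default network instead of the internal VPC. `gcloud compute target-instance create` should be `gcloud compute target-instances create`, and the regional forwarding rule needs `--region` (or a configured compute/region) to run non-interactively, plus `--address` if a specific static address is intended. Both firewall rules use `--allow=all` with no `--source-ranges` or `--target-tags`, which means every port of every VM in the external VPC is reachable from 0.0.0.0/0, not just the FortiGate; scope the external rule to the FortiGate (for example via a network tag) and state explicitly that the FortiGate policy is what filters the traffic. Style: "Before you deploy a FortiGate instance, you need to create" and "it's a good idea to save these values" should start with a capital and end with a period, and "refer it" should be "reference it".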
terraform/FortiGate/architectures/100-single-vm/terraform/README.md (1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
coming soon... |
...FortiGate/architectures/100-single-vm/terraform/single-vm-from-family/README.md (15 additions & 0 deletions)
@@ -0,0 +1,15 @@ | ||
# single-vm-from-family | ||
|
||
Basic example of creating a single FortiGate instance using image family rather than image URL. | ||
|
||
To deploy simply run | ||
``` | ||
terraform init | ||
terraform apply | ||
``` | ||
|
||
You will be asked about project, region, zone and prefix. | ||
|
||
You can also use `deploy.sh` script to deploy with project, zone and region imported from your gcloud settings. | ||
|
||
See also: [Getting started with Terraform](../../../../../howto-tf.md) |
terraform/FortiGate/architectures/100-single-vm/terraform/single-vm-from-family/deploy.sh (10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
export TF_VAR_GCP_PROJECT=`gcloud config get-value project` | ||
export TF_VAR_GCE_REGION=`gcloud config get-value compute/region` | ||
export TF_VAR_GCE_ZONE=`gcloud config get-value compute/zone` | ||
|
||
|
||
echo "Resources will be deployed into $TF_VAR_GCP_PROJECT project" | ||
echo "Your default region/zone are: $TF_VAR_GCE_REGION/$TF_VAR_GCE_ZONE" | ||
|
||
terraform init | ||
terraform apply -var="prefix=$prefix" |
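Review bot: `terraform apply -var="prefix=$prefix"` references `$prefix`, which the script never sets or reads, so Terraform receives an empty prefix and names such as `"${var.prefix}-fgt"` become `-fgt`, which is not a valid GCE resource name; take it from the first argument (`prefix=${1:?usage: deploy.sh PREFIX}`) or drop the `-var` so Terraform prompts for it, and mention this in the README, which currently says only that project, zone and region are imported. The script also lacks a shebang and `set -euo pipefail`, so a failed `gcloud config get-value` silently exports an empty project; prefer `$(...)` over backticks as well.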
terraform/FortiGate/architectures/100-single-vm/terraform/single-vm-from-family/main.tf (46 additions & 0 deletions)
@@ -0,0 +1,46 @@ | ||
module "sample_networks" { | ||
source = "./sample-networks" | ||
|
||
networks = ["external","internal"] | ||
prefix = var.prefix | ||
} | ||
|
||
################################################################################ | ||
|
||
data "google_compute_image" "fgt_image" { | ||
project = "fortigcp-project-001" | ||
family = "fortigate-64-byol" | ||
} | ||
|
||
resource "google_compute_instance" "fgt-vm" { | ||
name = "${var.prefix}-fgt" | ||
machine_type = "e2-standard-2" | ||
can_ip_forward = true | ||
tags = ["fgt"] | ||
|
||
boot_disk { | ||
initialize_params { | ||
image = data.google_compute_image.fgt_image.self_link | ||
} | ||
} | ||
|
||
network_interface { | ||
network = module.sample_networks.vpcs[0] | ||
subnetwork = module.sample_networks.subnets[0] | ||
access_config { | ||
} | ||
} | ||
|
||
network_interface { | ||
network = module.sample_networks.vpcs[1] | ||
subnetwork = module.sample_networks.subnets[1] | ||
} | ||
} | ||
|
||
output "fgt-vm-eip" { | ||
value = google_compute_instance.fgt-vm.network_interface[0].access_config[0].nat_ip | ||
} | ||
|
||
output "default_password" { | ||
value = google_compute_instance.fgt-vm.instance_id | ||
} |
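Review bot: `output "default_password"` prints the FortiGate's initial admin password (the instance id) in plain text on every apply and in any CI log; mark it `sensitive = true` so it is only revealed on an explicit `terraform output default_password`. The image family `fortigate-64-byol` is hardcoded, so the example silently pins the 6.4 BYOL branch; exposing it as a variable (as the `firmware_image_family` example in this commit does through its `image` input) makes the choice visible. `tags = ["fgt"]` is set but nothing in this file references the tag; if it is meant to be matched by firewall rules, say so in a comment, otherwise drop it.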
...orm/FortiGate/architectures/100-single-vm/terraform/single-vm-from-family/sample-networks (1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
../../../../modules-tf/sample-networks |
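Review bot: shipping `sample-networks` as a symlink to `../../../../modules-tf/sample-networks` breaks the example on checkouts that do not preserve symlinks (Windows without core.symlinks, archive downloads); Terraform resolves relative module sources itself, so `source = "../../../../modules-tf/sample-networks"` in main.tf does the same job without the symlink.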
terraform/FortiGate/architectures/100-single-vm/terraform/single-vm-from-family/variables.tf (25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
variable GCP_PROJECT { | ||
type = string | ||
description = "GCP project id" | ||
} | ||
|
||
variable GCE_ZONE { | ||
type = string | ||
description = "GCE zone to use" | ||
} | ||
|
||
variable GCE_REGION { | ||
type = string | ||
description = "GCE region to use" | ||
} | ||
|
||
variable "prefix" { | ||
type = string | ||
description = "Prefix to be added to the names of all created resources" | ||
} | ||
|
||
provider "google" { | ||
project = var.GCP_PROJECT | ||
region = var.GCE_REGION | ||
zone = var.GCE_ZONE | ||
} |
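Review bot: block labels are inconsistently quoted (`variable GCP_PROJECT {` versus `variable "prefix" {`); `terraform fmt` writes the quoted form, so run it, and consider consistent casing, since the uppercase `GCP_PROJECT`/`GCE_ZONE`/`GCE_REGION` names next to lowercase `prefix` read as an artifact of the `TF_VAR_` exports in deploy.sh. The `provider "google"` block belongs in main.tf or a providers.tf rather than variables.tf, and there is no `terraform { required_providers { ... } }` block constraining the google provider version, so the example can break on a future major release.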
...te/architectures/100-single-vm/terraform/single-vm/examples/firmware_image_family/main.tf (22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
module "fgt" { | ||
source = "../.." | ||
|
||
subnets = [ | ||
"external", | ||
"internal" | ||
] | ||
zone = "us-central1-c" | ||
|
||
# automatically select the latest PAYG image from 7.4 branch | ||
image = { | ||
family = "fortigate-74-payg" | ||
} | ||
} | ||
|
||
output "mgmt_ip" { | ||
value = module.fgt.ext_ips["port1"] | ||
} | ||
|
||
output "initial_password" { | ||
value = module.fgt.instance_id | ||
} |
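Review bot: `output "initial_password"` prints the instance id used as the initial admin password in plain text; mark it `sensitive = true`. `zone = "us-central1-c"` is hardcoded in an example that is otherwise parameterised through the module's `subnets` and `image` inputs, so a `var.zone` with this value as its default would let users deploy elsewhere without editing the file.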