Deploying Fortinet FortiGate HA (HAVIP) on Alibaba Cloud

Setup Virtual Private Cloud (VPC)

1. Assuming this is a new environment, let’s create the VPC first.

2. The VPC is named TP_FortiVPC.

3. We will need at least three VSwitches: one for the ECS instances, one for the FortiGate VM inbound/outbound interface, and one for the FortiGate VM HA interface. Let’s create the ECS VSwitch first (you can create a fourth VSwitch for the FortiGate reserved management interface).

4. This is the VSwitch for the FortiGate VM inbound/outbound interface.

5. This is the VSwitch for the FortiGate VM HA interface.

6. The VPC is now ready; in the next section we will subscribe to the FortiGate VM.

7. (Optional) Create one more VSwitch for the FortiGate reserved management interface.

Subscribe to the Fortinet VM in Marketplace

8. Go to the marketplace: https://marketplace.alibabacloud.com/ and search for Fortinet.

9. If the customer has their own FortiGate license they can choose the BYOL image; otherwise they can use the On-Demand image offered.

10. Click “Choose Your Plan” to continue.

11. In this case I’ll use PAYG, select China East 1 (Hangzhou) and Zone F (where the VPC and VSwitches are located), and then click the link “ECS Advance Purchase page” because I want to customize the data disk and VPC information.

12. Click the 4 vCPU ECS type to launch the FortiGate instance (a 4 vCPU ECS supports a maximum of 3 NICs and a 2 vCPU ECS supports 2 NICs, so if you need the FortiGate reserved management interface, select the 4 vCPU ECS type).

13. Add a data disk for the logs (SSD is suggested for better performance).

14. Choose TP_FortiVPC and FortiGate_internet_SW in the Network section, and assign a Public IP to the instance; this NIC will be port1 on the FortiGate VM, the default ENI.

15. Leave the HTTPS/ICMP/SSH ports open so you can connect, and add one more ENI on ‘FortiGate_HA_SW’; this ENI will be port2 on the FortiGate.

16. Set ‘Host’ as the hostname on the FortiGate.

17. Click ‘ECS Service Terms’.

18. Click Console to go back to the ECS instance list.

19. You will see the VM created; note down the Public IP and the instance ID (this will be the FortiGate default password), as you will use them later.

20. Repeat steps 7–17 to create one more FortiGate instance, named FGT-Slave.

21. (Optional) Stop those two FortiGate instances.

22. (Optional) Go to the ‘Network Interfaces’ page to create two ENIs, and then attach one ENI to each FortiGate instance.

23. (Optional) Attach those two new ENIs to the two FortiGates.

24. (Optional) Restart the two FortiGate instances.

25. Then we will be able to reach the FortiGate web GUI with the user admin and the password <instanceid>.

26. Set the IP address on the three interfaces of the FortiGate.

Setting Up the HAVIP on Alibaba Cloud Web Console

27. Create a new HAVIP address: select the VPC and the FortiGate port1 VSwitch, and set the HAVIP address.

28. Set the HA configuration on the FortiGate via the VNC console in Alibaba Cloud’s web GUI, or via SSH.

FortiGate-Master:

config system ha
    set group-name "ha"
    set mode a-p
    set hbdev "port2" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interface
        edit 1
            set interface "port3"
            # gateway on the management VSwitch
            set gateway 192.168.3.253
        next
    end
    # the higher priority value becomes Master
    set priority 200
    set monitor "port1"
    set unicast-hb enable
    # IP address of port2 on FGT-Slave
    set unicast-hb-peerip 192.168.1.250
end

FortiGate-Slave:

config system ha
    set group-name "ha"
    set mode a-p
    set hbdev "port2" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interface
        edit 1
            set interface "port3"
            # gateway on the management VSwitch
            set gateway 192.168.3.253
        next
    end
    set priority 100
    set monitor "port1"
    set unicast-hb enable
    # IP address of port2 on FGT-Master
    set unicast-hb-peerip 192.168.1.249
end

Then reboot both FortiGates.

Check the HA status using ‘diagnose sys ha status’ in the CLI.

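As an added pre-reboot check (example code, not from the original post or from Fortinet), the following Python parses the two ‘config system ha’ blocks above and verifies that the peers agree on everything except priority and unicast-hb-peerip, that the master’s priority is higher, and that each unit’s unicast-hb-peerip is the other unit’s port2 address. The parser, the helper names and the abridged sample blocks are assumptions constructed for this example; the port2 addresses are the ones used in this post.

```python
import shlex

def parse_fortios(text):
    """Flatten a FortiOS CLI block into {'system ha/ha-mgmt-interface/1/interface': ['port3'], ...}."""
    settings, path = {}, []
    # Drop '#' annotations and blank lines, then walk config/edit ... next/end as a path stack.
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        cmd, *args = shlex.split(line)                  # keeps '"port2" 0' as two tokens
        if cmd == "config":
            path.append(" ".join(args))
        elif cmd == "edit":
            path.append(args[0])
        elif cmd in ("next", "end"):
            path.pop()
        elif cmd == "set":
            settings["/".join(path + [args[0]])] = args[1:]
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return settings

PEER_SPECIFIC = {"system ha/priority", "system ha/unicast-hb-peerip"}   # only keys allowed to differ
def check_ha_pair(master_cfg, slave_cfg, master_port2, slave_port2):
    """Return a list of problems; an empty list means the two blocks form a valid a-p pair."""
    m, s = parse_fortios(master_cfg), parse_fortios(slave_cfg)
    problems = [f"{k}: master={m.get(k)} slave={s.get(k)}"
                for k in sorted(set(m) | set(s)) if k not in PEER_SPECIFIC and m.get(k) != s.get(k)]
    if int(m["system ha/priority"][0]) <= int(s["system ha/priority"][0]):
        problems.append("master priority must be higher than the slave's")
    if m.get("system ha/unicast-hb-peerip") != [slave_port2]:
        problems.append("master unicast-hb-peerip must be the slave's port2 address")
    if s.get("system ha/unicast-hb-peerip") != [master_port2]:
        problems.append("slave unicast-hb-peerip must be the master's port2 address")
    return problems

def ha_block(priority, peer_ip):    # constructed sample: the post's HA block, abridged, per-peer values filled in
    return f"""config system ha
    set group-name "ha"
    set mode a-p
    set hbdev "port2" 0
    config ha-mgmt-interface
        edit 1
            set interface "port3"
        next
    end
    set priority {priority}
    set unicast-hb enable
    set unicast-hb-peerip {peer_ip}
end"""
MASTER_PORT2, SLAVE_PORT2 = "192.168.1.249", "192.168.1.250"   # port2 addresses used in the post
MASTER_CFG, SLAVE_CFG = ha_block(200, SLAVE_PORT2), ha_block(100, MASTER_PORT2)
```

Paste each unit’s real block into check_ha_pair before rebooting; a common mistake it catches is copying the master’s block to the slave without changing priority and unicast-hb-peerip.
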
29. Set the HAVIP address as the port1 secondary IP address on both FortiGates.

On both FGT-Master and FGT-Slave:

config system interface
    edit "port1"
        set secondary-IP enable
        config secondaryip
            edit 1
                # this IP address must be the same as the HAVIP address
                set ip 192.168.0.252 255.255.255.0
                set allowaccess ping https ssh
            next
        end
    next
end

30. Bind an ‘Elastic IP’ and the two FortiGate ECS instances to the HAVIP.

Create a new EIP.

Bind the EIP to the HAVIP.

Bind the two FortiGates to the HAVIP.

31. We also need to add the route entry pointing to the FortiGate; this makes sure all outgoing traffic from the ECS instances goes through the Fortinet.

Configure Fortinet Firewall

32. You can change the password here after logging in.

33. After logging in again with the new password, you can also change the time zone and language in System -> Settings.

34. Now we need to add an IPv4 policy for the outbound traffic.

35. Specify the following “ToInternet” policy; let’s enable AntiVirus and Application Control here for the demo, and also enable logging of All Sessions, then click “OK”.

Add ECS Worker VMs for Testing

36. Just create the ECS instance as usual.

37. Remember, it cannot use the same VSwitch as the Fortinet; in this case I selected the ECS VSwitch. There is no need to assign a public IP, because an ECS instance with a public IP will not route through the Fortinet.

38. Confirm and create the instance.

39. Then reset the VNC password and the login password, and restart the instance.

40. Then connect via VNC and log in to Windows.

41. You should find it is able to connect to the internet through the Fortinet.

42. You should also find the detailed log information in the Fortinet!

Verify the Security Capabilities of the Fortinet

Demonstrate the Anti-Virus Feature

43. On the ECS instance, visit the website http://metal.fortiguard.com/tests/

44. Click “Run tests”; if there is no firewall antivirus protection the test will fail.

45. As the ECS instance is protected by the Fortinet, you will see it is blocked.

To have the best antivirus scanning capabilities, make sure the antivirus definitions are up to date on the Fortinet.

46. We can also see the threats in the Fortinet console.

Demonstrate the Application Control Access Feature

47. Go to Security Profiles -> Application Control, select to block Video/Audio and Social Media, and click Apply.

48. Then try to access Facebook and YouTube from the ECS instance; you will see they are not able to connect.

49. In the Fortinet console, we will also see which clients are trying to connect to Facebook.

Enable NAT Inbound Protection in Fortinet

In this sample, I’ll enable the Fortinet to protect inbound RDP traffic; the same concept can be applied to HTTP/HTTPS and other services too. This is very useful because most customers want the Fortinet to monitor both inbound and outbound traffic.

50. Set up the NAT and point it to the RDP address of the ECS instance: click Virtual IPs under Policy & Objects.

51. We map port 3389 of the Fortinet to the ECS instance 192.168.1.36.

52. You can see the Virtual IP there now.

53. Now we will configure the inbound policy for the RDP redirection.

54. Name the rule and then choose the Virtual IP we created as the destination.

55. Similarly, enable the security profiles you want, and then use All Sessions for Log allowed traffic for demo purposes.

56. The inbound rule is created successfully.

57. Now you should be able to use the Fortinet public IP address to RDP to the ECS instance.

58. Log and session information can also be viewed in the Fortinet.

Conclusion

Fortinet is powerful software that is widely used by many international customers, including the financial and securities industries. By leveraging this VM, we should be able to strengthen customers’ confidence in using the cloud.

Reference: https://www.alibabacloud.com/blog/deploying-fortinet-fortigate-ha-havip-on-alibaba-cloud_594487?spm=a2c41.12584265.0.0
