In this recipe, you will add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGates, in order to add a remote FortiGate to your Security Fabric. You will also allow the remote FortiGate to access the FortiAnalyzer for logging.
If you do not already have an IPsec VPN tunnel configured, see Site-to-site IPsec VPN with two FortiGates.
This recipe requires FortiOS 5.6.1 or higher.
This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.
In this example, the root FortiGate in the Security Fabric is an HA cluster called External and the remote FortiGate is called Branch.
1. Configuring the tunnel interfaces

In order for FortiTelemetry traffic to flow securely through the IPsec VPN, it must travel between the tunnel interfaces, with the interface on External listening for this traffic. The tunnel interfaces therefore require IP addresses. In this example, the External tunnel interface is assigned the IP address 1.1.1.1 and the Branch tunnel interface is assigned the IP address 1.1.1.2.

On External, go to Network > Interfaces and edit the tunnel interface. Set IP to the local IP address for this interface (1.1.1.1) and Remote IP to the IP address of the Branch tunnel interface (1.1.1.2). Under Administrative Access, enable FortiTelemetry.

On Branch, go to Network > Interfaces and edit the tunnel interface. Set IP to the local IP address for this interface (1.1.1.2) and Remote IP to the IP address of the External tunnel interface (1.1.1.1).
2. Adding the tunnel interfaces to the VPN

On External, go to Policy & Objects > Addresses and create an address for the External tunnel interface.

Create a second address for the Branch tunnel interface. For this address, enable Static Route Configuration.

Go to VPN > IPsec Tunnels and edit the VPN tunnel. Select Convert To Custom Tunnel. Under Phase 2 Selectors, create a second Phase 2 allowing traffic between the External tunnel interface and the Branch tunnel interface.

Go to Network > Static Routes and create a route to the Branch tunnel interface. Set Destination to Named Address and select the firewall address created above. Set Device to the tunnel interface.

Go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic. Set Source to include the External tunnel interface and Destination to include the Branch tunnel interface.

Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

On Branch, repeat this step to include the following:

Go to Monitor > IPsec Monitor and restart the VPN tunnel, allowing the new Phase 2 to take effect.
3. Adding Branch to the Security Fabric

On Branch, go to Security Fabric > Settings and enable FortiGate Telemetry. Set the Group name and Group password of the Security Fabric.

Enable Connect to upstream FortiGate and set FortiGate IP to the IP address of the External tunnel interface (1.1.1.1). Add lan to the list of FortiTelemetry enabled interfaces.

Go to Security Fabric > Logical Topology. Branch is shown connecting to External (identified by serial number in the screenshot) over the IPsec VPN tunnel.
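As an added example (not from the recipe), this is the Branch-side CLI equivalent of steps 1 to 3, useful when the configuration has to be reproducible or reviewed rather than clicked through. The tunnel interface and phase 1 name to_External, the address names and the group name are assumed placeholders, the IP addresses are the recipe's, and the command syntax follows the FortiOS 5.6 CLI as I know it, not this page; later releases expect a netmask on remote-ip.

```fortios
# Constructed example: Branch side of steps 1-3. "to_External" (tunnel interface
# and phase 1), the address names and the group name are placeholders; the IPs
# are the recipe's. The GUI label FortiTelemetry corresponds to fgfm in the CLI.
config system interface
    edit "to_External"
        set ip 1.1.1.2 255.255.255.255
        set remote-ip 1.1.1.1
    next
    edit "lan"
        append allowaccess fgfm
    next
end
config firewall address
    edit "External_tunnel_ip"
        set subnet 1.1.1.1 255.255.255.255
        set allow-routing enable
    next
    edit "Branch_tunnel_ip"
        set subnet 1.1.1.2 255.255.255.255
    next
end
config vpn ipsec phase2-interface
    edit "tunnel_ips"
        set phase1name "to_External"
        set src-subnet 1.1.1.2 255.255.255.255
        set dst-subnet 1.1.1.1 255.255.255.255
    next
end
config router static
    edit 0
        set dstaddr "External_tunnel_ip"
        set device "to_External"
    next
end
# The policy edits of step 2 (adding the two tunnel addresses to the existing
# local and remote VPN policies) are done on those policies and not repeated here.
config system csf
    set status enable
    set group-name "Office-Security-Fabric"
    set group-password "<group password>"
    set upstream-ip 1.1.1.1
end
```

After applying this on Branch, restarting the tunnel under Monitor > IPsec Monitor brings the new Phase 2 up, and Security Fabric > Logical Topology on External should show Branch over the tunnel.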
4. Allowing Branch to access the FortiAnalyzer

On Branch, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer. Enable Static Route Configuration.

Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the Branch tunnel interface and the FortiAnalyzer.

Go to Network > Static Routes and create a route to the FortiAnalyzer.

On External, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.

Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the FortiAnalyzer and the Branch tunnel interface.

Go to Policy & Objects > IPv4 Policy and create a policy allowing traffic from the VPN tunnel to the FortiAnalyzer. Enable NAT for this policy.

On Branch, go to Security Fabric > Settings. Under FortiAnalyzer Logging, an error appears because Branch is not yet authorized on the FortiAnalyzer.

On the FortiAnalyzer, go to Device Manager > Unregistered. Select Branch, then select +Add to register Branch.

Branch now appears as Registered.
5. Results

On External, go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel.
6. (Optional) Using local logging for Branch

If you would prefer to use local logging for Branch, rather than sending logs to a remote FortiAnalyzer, you can do so using the following CLI command:

    config system csf
        set logging-mode local
    end

You can then go to Log & Report > Log Settings and configure local logging as required. This option is available for all FortiGates in the Security Fabric, except for the root FortiGate.
The post Security Fabric over IPsec VPN appeared first on Fortinet Cookbook.