In this recipe, you add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGate devices, in order to add a remote FortiGate to the Security Fabric. You also allow the remote FortiGate to access the FortiAnalyzer for logging.
If you do not already have a site-to-site VPN created, see Site-to-site IPsec VPN with two FortiGates.
This recipe is in the Fortinet Security Fabric Collection. You can also use it as a standalone recipe.
In this example, an HA cluster called Edge is the root FortiGate in the Security Fabric and a FortiGate called Branch is the remote FortiGate.
1. Configuring the tunnel interfaces |
|
|
To configure Edge to listen for FortiTelemetry traffic over the VPN, connect to Edge, go to Network > Interfaces, and edit the tunnel interface. Set IP to the local IP address for this interface (10.10.10.1) and Remote IP/Network mask to the IP address for the Branch tunnel interface (10.10.10.2/32). Under Administrative Access, enable FortiTelemetry. |
 |
|
Connect to Branch, go to Network > Interfaces, and edit the tunnel interface. Set IP to the local IP address for this interface (10.10.10.2) and Remote IP/Network mask to the IP address for the Edge tunnel interface (10.10.10.1/32). |
 |
2. Adding the tunnel interfaces to the VPN |
|
|
To create an address for the Edge tunnel interface, connect to Edge, go to Policy & Objects > Addresses, and create a new address. Set Category to Address and set Subnet/IP Range to the IP address for the Edge tunnel interface (10.10.10.1/32). |
 |
|
Create a second address for the Branch tunnel interface. For this address, enable Static Route Configuration. |
 |
|
To allow VPN traffic between the Edge tunnel interface and the Branch tunnel interface, go to VPN > IPsec Tunnels, and edit the VPN tunnel. Select Convert To Custom Tunnel. Under Phase 2 Selectors, create a new Phase 2. Set Local Address to use a Named Address and select the address for the Edge tunnel interface. Set Remote Address to use a Named Address, and select the address for the Branch tunnel interface. |
 |
|
To route traffic to the Branch tunnel interface, go to Network > Static Routes, and create a new route. Set Destination to Named Address, and select the address for the Branch tunnel interface. Set Device to the tunnel interface. |
 |
|
To allow traffic between the tunnel interfaces, go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic. Set Source to include the Edge tunnel interface and Destination to include the Branch tunnel interface. |
 |
| Edit the policy allowing remote VPN traffic to include the tunnel interfaces. |  |
|
On Branch, repeat this step to include the following:
|
|
|
To allow the new phase 2 to take effect, go to Monitor > IPsec Monitor, and restart the VPN tunnel. |
|
3. Authorizing Branch for the Security Fabric |
|
|
You can authorize a FortiGate, FortiAP, or FortiSwitch to join the Security Fabric by using the device’s serial number, rather than sharing the password for the Security Fabric. To authorize Branch, connect to Edge, and enter the following CLI command: config system csf
config trusted-list
edit <serial_number>
end
end
|
|
|
To add Branch to the Security Fabric, connect to Branch, and go to Security Fabric > Settings. Enable FortiGate Telemetry. Set the Group name. Leave Group password blank. Enable Connect to upstream FortiGate. Set FortiGate IP to the IP address of the Edge tunnel interface. |
 |
|
To verify that Branch is now part of the Security Fabric, connect to Edge, and go to Security Fabric > Settings. Branch appears in the Topology. |
 |
4. Allowing Branch to access the FortiAnalyzer |
|
|
To create an address for the FortiAnalyzer, connect to Branch, go to Policy & Objects > Addresses, and create a new address. Enable Static Route Configuration. |
 |
|
To allow VPN traffic between the FortiAnalyzer and the Branch tunnel interface, go to VPN > IPsec Tunnels, and create a new Phase 2. |
 |
|
To route traffic to the FortiAnalyzer, go to Network > Static Routes, and create a new route. |
 |
|
On Edge, repeat this step to create an address for FortiAnalyzer and a new Phase 2 that allows traffic between the FortiAnalyzer and the Branch tunnel interface. Edge doesn’t require a new static route. |
|
|
To allow traffic between Branch and the FortiAnalyzer, go to Policy & Objects > IPv4 Policy, and create a new policy. Set Incoming Interface to the VPN interface, and set Outgoing Interface to the interface that connects to the FortiAnalyzer (in the example, port16). Set Source to the Branch tunnel interface, and set Destination to the FortiAnalyzer. Enable NAT for this policy. |
 |
|
To authorize the Branch FortiGate on the FortiAnalyzer, connect to the FortiAnalyzer, and go to Device Manager > Unregistered. Select Branch, then select +Add to register Branch. |
 |
| Branch now appears as Registered. |  |
5. Results |
|
|
To view Branch as part of the Security Fabric topology, connect to Edge and go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel. |
 |
6. Desynchronizing Branch from the FortiAnalyzer, FortiSandbox, and FortiManager (optional) |
|
|
If you don’t want Branch to automatically use the settings that Edge pushes for the FortiAnalyzer, FortiSandbox, and FortiManager, use the following CLI command to configure these settings locally: config system csf set configuration-sync local end Go to Security Fabric > Settings. You can now configure the settings for FortiAnalyzer logging, Central Management, and Sandbox Inspection. You can also choose to use local logging rather than sending logs to a FortiAnalyzer. This option is available for all FortiGate devices in the Security Fabric, except for the root FortiGate. |
|
For further reading, check out Configuring the Security Fabric in the FortiOS 6.0 Online Help.
The post Fortinet Security Fabric over IPsec VPN appeared first on Fortinet Cookbook.