Integrations
Fortinet Fortigate FW
15 min
Overview

This document is designed to assist in the integration of a FortiGate Next Generation Firewall (NGFW) pair in High Availability (HA) with the Nile Service Block (NSB), so that traffic can flow between the NSB (and the devices behind it) and the internet.

Requirements

- FortiGate version 7.2.2 or higher.
- Four (4) unique /30 subnets as point-to-point links, acting as L3 transit subnets between the NSB active-active gateways and the pair of active-passive FortiGate firewalls.

Note: this document was validated using FortiOS 7.4.8.

Topology Diagram

Note: to span one ISP physical connection to both FortiGate firewalls, an intermediate switch is needed with two access ports on the same broadcast domain.

Configuration

There are several sections that need to be configured on the FortiGate, as follows:

- Interfaces
  - Wide Area Network (WAN) interface(s)
  - Nile Service Block (NSB) interfaces
- Routing
  - Static (WAN)
  - OSPF (NSB)
- Firewall Policy
- High Availability (HA)

Interfaces

WAN

To set a WAN interface, navigate to Network > Interfaces > [WAN interface], and fill in the following information:

- Name: ISP1
- Alias: details of the ISP
- VRF ID: default (0)
- Role: WAN
- Addressing mode: Manual
- IP/Netmask: IP address/netmask of the WAN interface (example used: 10.1.251.234/27)
- Administrative Access: allow the required IPv4 services
- Status: Enabled

Click the "OK" button when done.

In case of a second ISP connected to the wan2 interface, configure that interface in a similar manner.

NSB interfaces

Two (2) physical interfaces will be used to connect the two Nile gateways. However, each FortiGate interface will be configured with a primary and a secondary IP address; the secondary IP will automatically be used on the passive firewall by OSPF in case of a failover.

Navigate to Network > Interfaces and select the first physical interface to be used (internal1 in this example):

- Alias: nsb1
- VRF ID: 0
- Role: LAN
- Addressing mode: Manual
- IP/Netmask: IP address/netmask of the interface (example used: 172.16.0.1/30)
- Secondary IP address: IP address to be used on the passive FW (example used: 172.16.0.9/30)
- Administrative Access: allow the required IPv4 services, including PING
- Receive/Transmit LLDP: Enable
- Status: Enabled

Click the "OK" button when done.

Similarly, navigate to Network > Interfaces and select the second physical interface to be used (internal2 in this example):

- Alias: nsb2
- VRF ID: 0
- Role: LAN
- Addressing mode: Manual
- IP/Netmask: IP address/netmask of the interface (example used: 172.16.0.5/30)
- Secondary IP address: IP address to be used on the passive FW (example used: 172.16.0.13/30)
- Administrative Access: allow the required IPv4 services, including PING
- Receive/Transmit LLDP: Enable
- Status: Enabled

Click the "OK" button when done.

Nile zone

To simplify policy rules, it may be useful to group both NSB interfaces into a single zone entity ("nile" in this document). While in the Network > Interfaces page, click Create New > Zone to create the nile zone, and add nsb1 and nsb2 as interface members. If traffic flow within the zone is desired (east-west traffic), leave the "Block intra-zone traffic" option unchecked.

Routing

Static (WAN)

Navigate to Network > Static Routes > Create New, and enter the following:

- Destination > Subnet: 0.0.0.0/0
- Gateway Address: supplied by the ISP (example used: 10.1.251.225)
- Interface: select the WAN interface connected to the ISP (wan1 in this example)
- Administrative Distance: 5 (the lower the AD, the higher the priority)
- Status: Enabled

Click the "OK" button when done.

In case of a second ISP, this document covers traditional WAN failover, whereby a default route to ISP2 is configured with a higher administrative distance (10) to make ISP1 primary and ISP2 secondary.

OSPF (NSB)

Navigate to Network > OSPF and configure the following:

- Router ID: use 0.0.0.1, and not the IP address of any of the LAN interfaces.
- Areas: Create New (Area ID: 0.0.0.0 | Type: Regular | Authentication: None).
- Networks: Create New (Area: 0.0.0.0 | IP/Netmask: 0.0.0.0 0.0.0.0).
  Note: this document adopted tighter control over the OSPF networks by using an aggregate of the four (4) uplink subnets, 172.16.0.0/28.
- Interfaces: Create New (Name: nsb1 | Interface: nsb1 (internal1) | Cost: 0 | Authentication: None | Network Type: Point-to-Point | Hello Interval: 1 | Dead Interval: 4).
  Similarly, Create New (Name: nsb2 | Interface: nsb2 (internal2) | Cost: 0 | Authentication: None | Network Type: Point-to-Point | Hello Interval: 1 | Dead Interval: 4).
- Inject Default Route: Always.

Then click the Apply button to save the changes.

The OSPF configuration used in this document is illustrated below.

Firewall Policy

This section outlines the firewall policy requirements necessary to allow the Nile Service Block (NSB) to communicate with the Nile Cloud and to enable both wired and wireless clients to access the internet. Firewall hardening and advanced security best practices are outside the scope of this document.

By default, the FortiGate firewall applies an implicit deny rule to all traffic. Therefore, explicit security policies must be configured to permit the required traffic flows listed below:

- NSB subnets, including the uplink /30 networks, NSB infrastructure subnets and sensor subnets, must be allowed outbound access to the internet for HTTPS, DNS and NTP services.
- Nile wired and wireless client subnets must be permitted outbound internet access.
- NSB to server farm: the NSB must be allowed to communicate with the server farm for infrastructure services such as DHCP and RADIUS, as required.

For illustration purposes, the following policy example allows any traffic from the nile zone to the internet. Navigate to Policy & Objects > Firewall Policy > Create New:

- Name: provide a name for the rule
- Incoming Interface: select the "nile" zone
- Outgoing Interface: wan1 and wan2
- Source: NSB Infra, NSB Sensors, NSB Clients
- Destination: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
- NAT: On
- IP Pool Configuration: Use Outgoing Interface Address
- Manage Source Port: Preserve Source Port

High Availability (HA)

This section covers FortiGate active-passive high availability (HA). The FortiGate NGFW has the following requirements for two units to be configured for HA:

- Hardware match: both units must be the same model with identical firmware versions.
- Heartbeat interfaces: dedicated ports must be directly connected or isolated via a dedicated VLAN, to synchronize session and configuration data. This document uses a single heartbeat port on each FortiGate unit, with a direct connection between the two units.

Primary FortiGate

Navigate to System > HA and configure the following:

1. Mode: set to Active-Passive.
2. Device priority: set it to a higher value (e.g. 200) than the secondary (default is 128) to dictate which unit becomes the primary.
3. Cluster settings: define a Group ID, Group Name and Password; these must be identical on both units.
4. Heartbeat interfaces: select the dedicated interface.
5. Monitor interfaces: could be defined once the HA is operational.

Click the "OK" button when done.

Secondary FortiGate

1. Factory-reset the secondary unit that will join the cluster.
2. Configure GUI access and set the host name in System > Settings to be different from the primary unit.
3. Repeat steps 1, 3 and 4 outlined in the primary HA setup, omitting step 2 (device priority).
4. Connect the two FortiGate units via their dedicated HA heartbeat ports.

The HA status can be viewed on the primary unit's HA page.
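The interface, zone, static-route and OSPF steps above are described as GUI actions. The following FortiOS CLI configuration is an added example of the same settings; it is not taken from the document, from Nile or from Fortinet. It assumes a single VDOM named root, the interface names wan1, wan2, internal1 and internal2 used in the document, and it uses an obvious placeholder for the ISP2 gateway, which the document does not give. Only the example IP addresses shown in the document are used.

```fortios
# WAN interface (wan1), using the document's example address
config system interface
    edit "wan1"
        set vdom "root"
        set alias "ISP1"
        set role wan
        set ip 10.1.251.234 255.255.255.224
        set allowaccess ping https ssh
    next
    # NSB transit link 1: primary IP for the active unit, secondary IP
    # that OSPF on the passive unit takes over after a failover
    edit "internal1"
        set vdom "root"
        set alias "nsb1"
        set role lan
        set ip 172.16.0.1 255.255.255.252
        set allowaccess ping https ssh
        set lldp-reception enable
        set lldp-transmission enable
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.0.9 255.255.255.252
                set allowaccess ping
            next
        end
    next
    # NSB transit link 2
    edit "internal2"
        set vdom "root"
        set alias "nsb2"
        set role lan
        set ip 172.16.0.5 255.255.255.252
        set allowaccess ping https ssh
        set lldp-reception enable
        set lldp-transmission enable
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.0.13 255.255.255.252
                set allowaccess ping
            next
        end
    next
end

# Zone grouping both NSB interfaces; intrazone allow permits east-west traffic
config system zone
    edit "nile"
        set intrazone allow
        set interface "internal1" "internal2"
    next
end

# Default routes: ISP1 preferred (AD 5), ISP2 as failover (AD 10)
config router static
    edit 1
        set gateway 10.1.251.225
        set device "wan1"
        set distance 5
    next
    # Placeholder: the ISP2 gateway address is not given in the document
    edit 2
        set gateway <ISP2-GATEWAY>
        set device "wan2"
        set distance 10
    next
end

# OSPF towards the NSB gateways: /28 aggregate of the four /30 links,
# point-to-point links with 1s hello / 4s dead, default route always injected
config router ospf
    set router-id 0.0.0.1
    set default-information-originate always
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 172.16.0.0 255.255.255.240
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "nsb1"
            set interface "internal1"
            set network-type point-to-point
            set hello-interval 1
            set dead-interval 4
        next
        edit "nsb2"
            set interface "internal2"
            set network-type point-to-point
            set hello-interval 1
            set dead-interval 4
        next
    end
end
```

Two points worth checking after applying this: the 172.16.0.0/28 network statement only covers the four transit /30s, so the interface and secondary addresses must all fall inside it (172.16.0.0 to 172.16.0.15), and OSPF authentication is left at none as in the document, which is only appropriate while the transit links are direct cables; FortiOS can enable MD5 authentication per OSPF interface if those links ever pass through shared switching.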
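The firewall policy and HA sections above are likewise described through the GUI. The following FortiOS CLI is an added example, not the document's own configuration: it creates the three source address objects the policy references, the nile-to-internet policy as the document illustrates it, and the HA settings for the primary unit. The NSB subnets, group ID and cluster password are not given in the document, so they appear as labelled placeholders; the heartbeat port name ha1 is an assumption and is model-specific.

```fortios
# Source address objects for the policy. The NSB subnets are not given in
# the document, so the values below are placeholders.
config firewall address
    edit "nsb-infra"
        set subnet <NSB-INFRA-NET> <MASK>
    next
    edit "nsb-sensors"
        set subnet <NSB-SENSOR-NET> <MASK>
    next
    edit "nsb-clients"
        set subnet <NSB-CLIENT-NET> <MASK>
    next
end

# nile zone -> internet via either ISP, NAT to the egress interface address,
# source port preserved (Preserve Source Port in the GUI)
config firewall policy
    edit 1
        set name "nile-to-internet"
        set srcintf "nile"
        set dstintf "wan1" "wan2"
        set action accept
        set srcaddr "nsb-infra" "nsb-sensors" "nsb-clients"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set fixedport enable
    next
end

# HA on the primary unit. group-id, group-name and password must match on
# both units; hbdev is the dedicated heartbeat port (name is model-specific).
# The secondary unit gets the same block without "set priority 200"
# (it keeps the default of 128).
config system ha
    set group-id 1
    set group-name "nile-ha"
    set mode a-p
    set password <CLUSTER-PASSWORD>
    set hbdev "ha1" 50
    set priority 200
    # Optional; the document suggests adding monitored interfaces once HA is up
    set monitor "wan1" "internal1" "internal2"
end
```

The policy keeps the document's illustrative "ALL" service. The document's own requirement list only needs HTTPS, DNS and NTP outbound for the NSB subnets, so a tighter version of the same policy would replace `set service "ALL"` with the built-in HTTPS, DNS and NTP service objects for the nsb-infra and nsb-sensors sources and keep a separate, broader policy for client subnets; the implicit deny then covers everything not listed.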
