Fortinet Cloud Security for Azure Study Guide for FortiGate 7.0 and FortiWeb 6.3

Citation preview

DO NOT REPRINT © FORTINET

Cloud Security for Azure Study Guide for FortiGate 7.0 and FortiWeb 6.3

DO NOT REPRINT © FORTINET Fortinet Training https://training.fortinet.com Fortinet Document Library https://docs.fortinet.com Fortinet Knowledge Base https://kb.fortinet.com Fortinet Fuse User Community https://fusecommunity.fortinet.com/home Fortinet Forums https://forum.fortinet.com Fortinet Support https://support.fortinet.com FortiGuard Labs https://www.fortiguard.com Fortinet Network Security Expert Program (NSE) https://training.fortinet.com/local/staticpage/view.php?page=certifications Fortinet | Pearson VUE https://home.pearsonvue.com/fortinet Feedback Email: [email protected]

3/22/2022

DO NOT REPRINT © FORTINET

TABLE OF CONTENTS 01 Overview of Microsoft Azure 02 Fortinet Solutions for Microsoft Azure 03 Deployment of Simple Solutions in Azure 04 Deploying Dependable Solutions in Microsoft Azure 05 Deployment of VPN Fortinet Solutions in Microsoft Azure

4 43 56 77 90

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn general concepts about public clouds and Microsoft Azure.

Cloud Security 7.0 for Azure Study Guide

4

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the topics shown on this slide.

Cloud Security 7.0 for Azure Study Guide

5

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of the fundamentals of public clouds, you will be able to understand how public cloud applies to your network.

Cloud Security 7.0 for Azure Study Guide

6

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

More and more, organizations of all sizes and industries are using some type of cloud service for their IT needs. But what is the cloud? In simple terms, a cloud can be described as a group of interconnected servers, located in one or more datacenters. Users and companies can access those servers through a secure connection, and benefit from those resources without the need to manage physical servers themselves.

Cloud Security 7.0 for Azure Study Guide

7

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

There are three main cloud deployment models to choose from: public cloud, private cloud and hybrid cloud (a mixture of public and private cloud). The characteristics of each type can be summarized as follows: • •

•

Public cloud: Public clouds are available to any organization, and a variety of well-known vendors including Microsoft, Amazon, Google, Oracle, and Alibaba provide these public cloud environments. Private cloud: As the name suggests, private clouds are designed to be visible only to the organization that creates them. Private clouds provide many of the same benefits that a public cloud does, and still allows you to maintain ownership of the data and equipment. A private cloud is essentially a private data center that an organization creates with stacks of servers all running virtual environments, providing a consolidated, efficient platform on which to run applications and store data. Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private and public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

This course focuses on Azure, which is the public cloud offering from Microsoft. Note: Do not confuse Azure with Azure Stack, which is a hybrid cloud platform.

Cloud Security 7.0 for Azure Study Guide

8

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud services are provided by companies that act as cloud providers. Common services include compute power, networking, and storage, among others. These services are available to clients over the internet, and come with many benefits, including but not limited to: • • • • •

No need to purchase and maintain expensive hardware You pay only for what you use On demand scalability and elasticity Quick provisioning of new services High availability and fault tolerance

Public clouds also have some disadvantages: • • •

Some security requirements may not be possible to implement Legal or industry requirements may not be met Lack of control over the underlay infrastructure used

Cloud Security 7.0 for Azure Study Guide

9

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

The table on the slide shows the most common service models available in a public cloud solution. •

Infrastructure as a service (IaaS): In an IaaS solution, some parts of networking and services are managed by the vendor, and other parts are managed by the customer. This, essentially, allows you to create, manage and customize virtual machines (VMs). You can select the operating system of your choice, from the list published by the provider, and manage all its settings.

•

Container as a service (CaaS): This model allows development teams to host and deploy containerized software packages, without the need of managing the container engines, orchestration and lower infrastructure components. Azure Kubernetes service (AKS) is an example of CaaS.

•

Platform as a service (PaaS): With this model the customer is responsible for programming applications and the data. The rest of the services are managed by the vendor. The deployment of a web application or a database, are examples of PaaS.

•

Function as a service (FaaS): This model is also known as serverless. It allows developers to upload their code and execute it without the need of managing any of the underlying infrastructure. Azure functions is an example of this service model.

•

Software as a service (SaaS): In this model, the customer is using the services as a consumer, for running applications. Some examples are Dropbox, Office365, and Salesforce.

Another model that has become popular in recent years is Security as a Service (SECaaS). This model provides cybersecurity services on solutions hosted by the providers, and it is offered on a subscription basis. Fortinet FortiCloud is an example of SECaaS.

Cloud Security 7.0 for Azure Study Guide

10

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows the cloud security shared responsibility model. The lower stack includes the elements that are provided and, therefore, secured by the cloud service provider. Cloud customers are responsible for securing the remaining elements―network settings, applications, and data. The cloud security model is commonly broken down using the familiar OSI layers model; however, the OSI layers model doesn’t represent the security responsibility breakdown. In some cases, cloud users will build overlay networks on top of the cloud network, or layer additional services on top of existing infrastructure services. In cases like these, responsibility for the security of the modified infrastructure belongs to the customer. In short, you are responsible for the security of the elements you manage.

Cloud Security 7.0 for Azure Study Guide

11

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows the three pillars of the Fortinet Security Fabric for the cloud, and the services and capabilities each pillar enables. Fortinet is investing in each of these pillars to provide native integration and capabilities across clouds. The Fortinet Security Fabric enables the following services and capabilities: • Seamless integration of separate cloud infrastructures, and use of native cloud services • Broad protection for each product, regardless of cloud platform—effectively running virtual versions of the enforcement products on each cloud • Management products that interact with, and manage the security of, the Fortinet products that run on each cloud

Cloud Security 7.0 for Azure Study Guide

12

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

It is important to know that the Fortinet cloud security solution is not a replacement for the existing cloud vendor security. It is just an extra layer of security in addition to the cloud vendor security solutions. The Fortinet cloud security solution provides more control and visibility, and delivers a highly optimized security solution beyond native cloud vendor security options.

Cloud Security 7.0 for Azure Study Guide

13

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

14

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Good job! You now understand the fundamental concepts of public clouds. Now, you will learn about important concepts in Microsoft Azure.

Cloud Security 7.0 for Azure Study Guide

15

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in the fundamentals of Azure, you will be able to understand the different components of Azure, as well as its networking and security features.

Cloud Security 7.0 for Azure Study Guide

16

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

You can create and manage your Azure services through the Azure portal or using the CLI. The portal is an intuitive web interface that allows you to perform the everyday tasks in your environment. This is the tool you will use in the labs and its available at https://portal.azure.com. The CLI is a very powerful management tool, especially when performing repetitive tasks. However, it has a steeper learning curve, and it will take you some time before you become fully proficient using it. While in the Azure portal, you can choose between two CLI environments: PowerShell and Azure CLI (Bash). You can also install these environments locally on your workstation. You will not be required to use the CLI in this course.

Cloud Security 7.0 for Azure Study Guide

17

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Azure operates in multiple data centers around the world. These data centers are grouped into geographic regions, giving you flexibility in choosing where to build your applications. Within each region, multiple data centers exist to provide for redundancy and availability. This approach gives you flexibility as you design applications to create VMs closest to your users and to meet any legal, compliance, or tax purposes. Region pairs: This approach allows for the replication of resources, such as VM storage, across a geography that should reduce the likelihood of natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once. Feature availability: Some services or VM features are available only in certain regions, such as specific VM sizes or storage types. Global Azure services that do not require a particular region: Azure AD, Azure Traffic Manager, or Azure DNS do not require a specific region.

Cloud Security 7.0 for Azure Study Guide

18

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Azure availability zones is a high-availability offering that protects your applications and data from datacenter failures. Availability zones are unique physical locations within an Azure region. Each availability zone is made up of one or more data centers equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate availability zones in all enabled regions. The physical separation of availability zones within a region protects applications and data from data center failures.

Cloud Security 7.0 for Azure Study Guide

19

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Azure availability sets are logical grouping of VMs that provide redundancy and availability within a datacenter. There is no extra cost for the use of availability sets. You only pay for the VMs you create. When you create two or more VMs within an availability set, Microsoft Azure offers a 99.95% SLA. In an availability set, each virtual machine is assigned to a fault domain and an update domain. VMs in a fault domain share the same power source and network connections. You can think of a fault domain as an individual rack in a datacenter. An update domain is a logical grouping of servers within a datacenter that will be rebooted at the same time when new updates are installed. Hence, VMs placed in the same update domain can be rebooted at the same time.

Cloud Security 7.0 for Azure Study Guide

20

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

As shown on this slide, you can choose your software needs from the Azure Marketplace website. The software listed in the Azure Marketplace is certified and optimized to run on Azure. For example, you can find a FortiGate active-passive template, as well as a single virtual machine. Note that only officially supported templates can be found on Azure Marketplace. Azure Marketplace enables startups and independent software vendors to offer their solutions to Azure customers around the world.

Cloud Security 7.0 for Azure Study Guide

21

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

At the top of the Azure hierarchy is the tenant. The tenant is the organization, or person, that owns and manages a specific instance of Azure Active Directory (Azure AD). Azure AD allow for the management of users, groups and permissions within a single domain. A single Azure AD can be associate with one or more subscriptions. A subscription is a logical container associated to a single Azure tenant. Each subscription is linked to a payment setup and results in a separate billing account. For example, you can create a subscription for each department, or project under the same company (tenant). Subscriptions contain resource groups. Resource groups are also logical containers where you deploy resources and services like virtual machines, virtual networks, and so on.

Cloud Security 7.0 for Azure Study Guide

22

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows a graphical overview of a network with different subnets in Microsoft Azure and includes some of the network resources that will be described in this lesson, namely: • • • • • • • • •

Virtual network (VNET) Subnet Network interface Azure load balancer VM scales set Virtual network gateway Routing table ExpressRoute Network security group

You will use some most of these resources in the labs.

Cloud Security 7.0 for Azure Study Guide

23

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

The Azure VNET service securely connects Azure resources to each other. A VNET is a Layer 3 overlay network and represents your own network in the cloud. VNETs include one or more subnets and can be connected to your on-premises networks if needed. It is possible for a VNET to have more than one address space assigned to it. With dynamic assignment, addresses are automatically allocated by a DHCP server when the VM starts and may not remain the same when the VM reboots. Static assignment means that you can manually specify the address and it will be set as a reservation by DHCP. The public IP address of a VM exists as a network address translation (NAT) entry on the Azure fabric that gets mapped to the VM.

Cloud Security 7.0 for Azure Study Guide

24

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

There are multiple ways to connect VNETs to each other. Azure includes two choices: Azure VNET peering and Azure VPN gateways. You can also use FortiGate VMs with IPSec between two VNETs for this purpose.

Cloud Security 7.0 for Azure Study Guide

25

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

The Azure underlay network manages all ARP traffic through a service that performs both switching and routing operations, depending on the destination address. On the slide, this service is represented by the router icon at the center of the image. This service is completely managed by Azure to facilitate communication between VMs, and it is responsible of handling all ARP requests. To explain the ARP process, the term SDN virtual router will be used in the following example when referring to this service. When the VM with IP address 10.0.2.4 makes an ARP request, the SDN virtual router receives it, and replies with its own MAC address 12:34:56:78:9A:BC. The same process occurs for all destinations. If you check the ARP table on the VM, you will see the same MAC address for all the neighbors, which demonstrates that all VM traffic goes through the SDN virtual router. When a VM A wants to communicate with another VM, or go to the internet, it generates a unicast packet directed to the MAC address 12:34:56:78:9A:BC. The SDN virtual router then processes the traffic, adjusting the MAC address according to the original destination. Note that the SDN virtual router does not respond to ICMP requests.

Cloud Security 7.0 for Azure Study Guide

26

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Since you don’t have direct access to the underlay network, you need to take into consideration the implied restrictions. There is no broadcast or multicast traffic in cloud computing; only unicast traffic is allowed. This implies that, there shouldn’t be any traditional Layer 2 traffic, such as FortiGate clustering protocol, gratuitous ARP, instant IP failover and, so on. Also, Layer 2 modes, like transparent mode or virtual wire, are not allowed in Azure. An instance will receive the traffic only if the IP address is defined in Azure. If there are static or virtual IP addresses configured on the virtual machine, you must make sure that those IP addresses are configured also in Azure.

Cloud Security 7.0 for Azure Study Guide

27

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

By default, Azure creates route tables that enable resources connected to any subnet in a VNET to communicate with each other. You can implement user-defined routes or BGP routes to override the default routes Azure creates. It is important to know the route priority in Azure when more than one route has the same prefix. As shown on this slide, if all the routes in the route table are equally specific, then the preferred route is UDR followed by BGP, and then system routes. However, the most specific route always wins. For example, 10.0.3.0/24 system route would precede 10.0.0.0/16 BGP route. Azure recently released a new routing service; the Azure Route Server. This service simplifies dynamic routing between your network virtual appliances (FortiGate VM) and your virtual network, by allowing them to exchange BGP routing information directly with the Azure software defined network (SDN).

Cloud Security 7.0 for Azure Study Guide

28

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

By default, all VMs in Azure have access to internet through an SNAT service managed by Azure. To have a FortiGate VM inspect the traffic, an administrator must configure UDRs to force that traffic to go to the FortiGate VM instead. UDRs act in a way that is similar to the policy routes on FortiGate. For example, the slide shows two generic VMs, and one FortiGate VM. If the VM in subnet 3 needs to have its internet traffic inspected, the administrator must configure a UDR to force that traffic through the FortiGate first, and then from FortiGate to the internet. At the same time, the administrator can configure a route to inspect traffic going from one subnet to another. Traffic destined to subnet 2 from subnet 3 can be forced to go to FortiGate first then to subnet 2. If a VM has a public IP (PIP) assigned, it will use that IP to connect directly to internet. Additionally, public clients can connect directly to any services running on that VM using its public IP. Note that although it is not a solution that is commonly used, this slide shows that FortiGate can have a single interface for both incoming and outgoing traffic. You can create a policy from port1 to port1, source 10.0.3.0/24 and destination 0.0.0.0/0, to go to the internet.

Cloud Security 7.0 for Azure Study Guide

29

DO NOT REPRINT © FORTINET

Azure public IP addresses allow internet resources to communicate inbound to Azure resources. You can create public IP addresses with one of two SKUs: Basic and Standard. A basic public IP: • • •

Can be static or dynamic for IPv4, and dynamic for IPv6. Is open by default. It is recommended to use network security groups to restrict traffic. It can be upgraded to standard for IPv4.

A standard public IP: • • •

Can be static only. It is secure by default. Requires the configuration of network security groups to allow inbound traffic. Currently, it supports extra features like availability zones, routing preference, and global tier.

Note that a public IP SKU must match the SKU of the load balancer with which it is used. For a complete list of features for both SKUs, visit https://docs.microsoft.com/en-us/azure/virtual-network/ipservices/public-ip-addresses.

Cloud Security 7.0 for Azure Study Guide

30

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Azure load balancer can scale your applications and create high availability for your services. Azure load balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. Azure load balancer can be configured to load balance incoming internet traffic to VMs, traffic between VMs in a virtual network, traffic between VMs in cloud services, or traffic between on-premises computers and VMs in a cross-premises virtual network. Azure load balancer can also be configured to forward external traffic to a specific VM.

Cloud Security 7.0 for Azure Study Guide

31

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

There are different types of load balancers. A standard load balancer can load balance traffic across multiple availability zones. A basic load balancer can load balance only inside the availability zone. It is recommended that you use standard load balancers since they include additional features like HA ports (when used as an internal balancer), HTTPS health probes, and offer a 99.99% SLA. This slide shows two load balancers, an external/public load balancer for applications, and an internal load balancer for the database subnet. The public load balancer has one or more public IP addresses. Direct server returns (or floating IP) is the Azure feature that prevents destination NAT (DNAT) from being translated. So, traffic received by the destination VM must reply directly to the source IP address. Basically, the destination VM does not send traffic back to the load balancer; the load balancer only redirects traffic. For back-end pool members, you can add VMs, and a scale set, or an availability set. Any devices that you add to the availability set are automatically added to the target members of the load balancer.

Cloud Security 7.0 for Azure Study Guide

32

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Autoscaling allows you to dynamically grow and shrink the number of FortiGate VMs to match the traffic and performance requirements. You can set a minimum and maximum number of FortiGate devices and scale out as needed. The main benefits of using autoscaling are fault tolerance, availability, and cost management.

Cloud Security 7.0 for Azure Study Guide

33

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

VPN gateways can be used to connect two VNETs, or to connect Azure VNETs with on-premises networks. In order to connect two VNETs together, you must create a VPN gateway in each VNET. VPN gateways always connect to a special subnet, called GatewaySubnet (this name is mandatory). To create a connection, specify the two VPN gateways and configure a shared key. You can also have FortiGate on one side and Azure VPN gateway on the other side.

Cloud Security 7.0 for Azure Study Guide

34

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

You can connect your on-premises network to a VNET using any combination of the following options: Point-to-site VPN: Established between a single PC connected to your network and the VNET. This connection type is great if you're just getting started with Azure, or for developers, because it requires few or no changes to your existing network. The connection uses the SSTP protocol to provide encrypted communication over the internet between the PC and the VNET. The latency for a point-to-site VPN is unpredictable and encrypted, because the traffic traverses the internet. Site-to-site VPN: Established between your VPN device and an Azure VPN Gateway. This connection type enables any on-premises resource you authorize to access a VNET. The connection is an IPSec/IKE VPN that provides encrypted communication over the internet between your on-premises device and the Azure VPN gateway. The latency for a site-to-site connection is unpredictable, because the traffic traverses the internet. Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not traverse the internet. The latency for an ExpressRoute connection is predictable, because traffic doesn't traverse the internet and isn't encrypted.

Cloud Security 7.0 for Azure Study Guide

35

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

You can filter network traffic between subnets using one or more of the following options: • • •

NSG Azure firewall NVA

Cloud Security 7.0 for Azure Study Guide

36

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Network security groups is a list of access control rules that permit or deny traffic based on various criteria. You can apply a network security group either at the NIC level or at the subnet level. Network security groups work only if a resource is connected to a VNET―they do not work for other resources (like PaaS services). Network security groups can be applied to network interfaces, or to a full subnet. Note that Network security groups are stateful and no bidirectional policies are needed. Misconfigured network security groups may block or allow unwanted traffic. Keep this in mind when troubleshooting network issues!

Cloud Security 7.0 for Azure Study Guide

37

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Azure Firewall is a managed network security service that offers a fully stateful firewall with built-in high availability and unrestricted cloud scalability. The service is fully integrated with Azure Monitor for logging and analytics, and you can create, enforce, and log application and network connectivity policies. Although Microsoft continues to improve the features included with Azure Firewall with every new release, you must verify they meet your security needs. For example, at the time of this writing, Azure Firewall premium didn’t include any data leak prevention (DLP) or SD-WAN capabilities.

Cloud Security 7.0 for Azure Study Guide

38

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

A network virtual appliance is a VM running software that performs a network function, such as FortiGate and FortiWeb. Network virtual appliances can provide WAN optimization and other network traffic functions. You can also use a network virtual appliance to filter traffic between VNETs, as well as to and from the internet. Network virtual appliances are typically used with UDRs or BGP.

Cloud Security 7.0 for Azure Study Guide

39

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

40

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

Cloud Security 7.0 for Azure Study Guide

41

Overview of Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned important concepts about the public cloud and Microsoft Azure.

Cloud Security 7.0 for Azure Study Guide

42

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the Fortinet solutions available in Microsoft Azure.

Cloud Security 7.0 for Azure Study Guide

43

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

After completing this lesson, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of Fortinet solutions for Microsoft Azure, you will be able to identify and plan your Azure network using Fortinet solutions.

Cloud Security 7.0 for Azure Study Guide

44

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

Fortinet in constantly working on making its products available for cloud environments. The table on the slide shows the Fortinet products currently supported in Microsoft Azure. Keep in mind that the information shown can change at any time, based on the new support availability for Fortinet products. The table includes the product names, as well as the licensing and cloud service models available.

Cloud Security 7.0 for Azure Study Guide

45

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

All the available products can be located in the Azure Marketplace. The slide shows a search performed in the Marketplace, looking for the string fortinet, and filtering the results by the publisher name of Fortinet.

Cloud Security 7.0 for Azure Study Guide

46

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

FortiCloud is Fortinet’s solution for delivering security as-a-service. FortiCloud provides an easy way to connect, protect, and deliver data and applications both on-premises and in cloud providers like Microsoft Azure. It is a suite of cloud portals and services enabling customers to access and manage a range of Fortinet solutions and services—all from an easily accessible site. In addition, FortiCloud provides access to FortiCare for management of Fortinet devices and accounts. A FortiCloud account is free to customers and partners, but access to the FortiCloud offering suite requires a license for each solution. Some of the typical use cases for FortiCloud include: •

Protect Cloud-based applications, data, and services with Security as a Service with FortiWeb, FortiMail, FortiCWP and FortiCASB.

•

Centralize security management and analytics with FortiManager and FortiAnalyzer

•

Rapid deployment and management of FortiGate, FortiAP, and FortiSwitch

•

Managed Security Services for multitenant scenarios

Cloud Security 7.0 for Azure Study Guide

47

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

As previously mentioned, there are two different Fortinet licensing models to choose from: pay as you go (PAYG) and bring your own license (BYOL). The model selected depends on the customer requirements. With the PAYG model the customer pays for everything through the Microsoft Azure subscription. You are charged based on the running time of the service, plus the cost of the Azure infrastructure. This model is more cost effective for instances that are not running all the time or that have a short lifetime.

Cloud Security 7.0 for Azure Study Guide

48

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

The other licensing model available is bring your own license (BYOL). With BYOL, the customer pays Microsoft Azure for the resources used, namely compute, storage and network traffic, and pays Fortinet for the license and support. This model is recommended for VMs running all the time on the cloud. The customer gets Fortinet 24/7 support with the enterprise bundle. There are three BYOL versions available: perpetual, term (or subscription), and, for larger clients, Flex-VM.

Cloud Security 7.0 for Azure Study Guide

49

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

The simplest method to deploy new services in Azure is using Azure Marketplace. Simply search for the solution you want to deploy, choose the desired size or plan, and fill in all the details you want to apply to the VM or service. The amount of information that you must enter will vary depending on the service type. The last step verifies that you entered all the required information, and that the information that you entered is valid, before creating the resource. If an error occurs, details are provided so you can fix the issues detected.

Cloud Security 7.0 for Azure Study Guide

50

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

Fortinet GitHub is a Fortinet website where you can download various templates for your cloud security designs. You can visit the official Fortinet GitHub at the website shown on this slide. The Azure templates provided allow you to download pre-configured settings for your cloud security solutions. After you upload the desired template to Azure, the remaining steps are very similar to those you use when deploying directly from Azure Marketplace. Keep in mind that these templates include settings that might not work in your environment. For example, you may need to change the IP addresses used. Important: The scripts provided in the Fortinet GitHub page do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.

Cloud Security 7.0 for Azure Study Guide

51

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

Fortinet expands its Security Fabric architecture through its Fabric connectors to extend security visibility and management to the cloud. Fabric connectors help customers maintain a consistent network security posture with centralized orchestration for users, applications, and data, across all cloud environments. They can also enable automation of workflows, SOC environments, threat feeds, and security policy automation as new services and applications are deployed, removing the need for manual intervention. Fabric connectors link into partner solutions through API integration points or through specialized engineering. The open design of the fabric connectors enables ongoing deep integration with a growing number of ecosystem components, and extends the Security Fabric capabilities into validated, third-party infrastructures. The slide shows the connectors currently available for public cloud providers, highlighting the one for Microsoft Azure, as well as the integration of automation stitches in FortiGate with Azure functions.

Cloud Security 7.0 for Azure Study Guide

52

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

With the configuration of public SDN connectors, Fortinet devices can be integrated and work with Azure services. For example, an SDN connector adds to FortiGate the ability to discover Azure objects dynamically, and use them in the existing firewall policies. As shown on this slide, you can use different parameters to connect, and obtain the IP addresses of virtual machines automatically through the connector. This allows you to keep the FortiGate configuration as dynamic as possible, without assigning parameters statically. You will use this capability in one the labs. For example, you can create a tag called Category, and set its value to Server. When a new server VM is deployed, you can apply it that tag. FortiGate automatically pulls the IP addresses related to the tag, that now includes the IP address of the new server VM, and add them to a firewall policy. The IP addresses of all VMs with the same tag will be included in the policy automatically, without making any changes to FortiGate. With service tag filters you can retrieve the IP addresses and ranges used for different Microsoft services using the Azure Service Tag Discovery API. For example, you can create a dynamic object containing all the IP ranges used for Azure SQL in a specific Azure region. The filters currently supported are shown on the slide. Note that you can use more than one filter type in an SDN connector.

Cloud Security 7.0 for Azure Study Guide

53

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

54

Fortinet Solutions for Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows the objectives covered in this lesson. By mastering the objectives covered in this lesson, you learned about the Fortinet solutions available in Microsoft Azure, as well as the existing licensing and deployment options. You also learned how Fortinet solutions can be integrated to work with Azure through public SDN connectors.

Cloud Security 7.0 for Azure Study Guide

55

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the deployment of simple Fortinet solutions in Microsoft Azure.

Cloud Security 7.0 for Azure Study Guide

56

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the topics shown on this slide.

Cloud Security 7.0 for Azure Study Guide

57

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the deployment options available, you will be able to deploy FortiWeb in Azure to meet your network requirements.

Cloud Security 7.0 for Azure Study Guide

58

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

FortiWeb is the Fortinet web application firewall (WAF) solution. You can deploy in Azure in two ways: as a virtual machine (VM), and as a SaaS subscription. Both options are available with BYOL and PAYG licensing, and provide a full web application and API protection (WAAP) solution.

Cloud Security 7.0 for Azure Study Guide

59

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

You can deploy FortiWeb from the Azure Marketplace. When you deploy FortiWeb as an IaaS instance you must select all the VM settings, including the network, number of vCPUs, and amount of RAM. For better performance, select a network location near the applications FortiWeb is protecting. In production environments, the FortiWeb VM should have at least two vCPUs and 8 GB of RAM. FortiWeb is available with BYOL and PAYG licensing. When using BYOL, the license determines the maximum number of vCPUs that can be used. You cannot use a license on a FortiWeb VM that has a greater number of vCPUs than the license specifies.

Cloud Security 7.0 for Azure Study Guide

60

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

The image on the slide shows the topology of a simple deployment of FortiWeb in Azure.

Cloud Security 7.0 for Azure Study Guide

61

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

You can also deploy FortiWeb in Azure using a SaaS subscription. This deployment option requires minimal initial configuration and management effort. It uses PAYG licensing by default: You pay based on the amount of traffic and the number of applications protected. Alternatively, you can purchase a BYOL license for a specific number of applications, and a maximum allowed bandwidth. Initially, you can take advantage of a 14-day free trial to get familiar with the product. One benefit of this option is that it can protect applications in your own network as well as applications located on any cloud platform. You can unsubscribe at any time. Fortinet keeps the data associated with your account for a week so you can resubscribe seamlessly.

Cloud Security 7.0 for Azure Study Guide

62

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

The process of subscribing to FortiWeb Cloud starts in the Azure Marketplace and ends in FortiCloud. You can use your existing FortiCloud account, or create a new one during the process. Your Azure subscription is automatically associated with the FortiCloud account you choose.

Cloud Security 7.0 for Azure Study Guide

63

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

After you finish the subscription process you can start onboarding applications from FortiCloud. Add the websites you want to protect by their domain names. You can add up to ten domains for each application, and you can use wildcards to include domains sharing the same namespace with a single entry. FortiCloud must be able to resolve the domain names you add. Keep in mind that the information for newly registered domains may take a few minutes to propagate through the global DNS servers.

Cloud Security 7.0 for Azure Study Guide

64

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

By default, FortiWeb Cloud chooses the closest region and scrubbing center where it is deployed based on: • • •

The IP address of the application The same cloud provider used by the application if hosted in Azure, AWS, OCI, or Google Cloud The closest AWS center (N. Virginia or Frankfurt) if the application uses any other hosting platform

You can enable content delivery network (CDN) to dynamically cache the application data in the scrubbing center nearest to users. When users request data from your application, they can be directed to the nearest scrubbing center and rendered with the requested data faster. Although you can enable CDN for free, its use may increase the costs due to the traffic expenses. This is not always the case, and it depends on the location of the users and the location of the data they access.

Cloud Security 7.0 for Azure Study Guide

65

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

To finish the onboarding process, you must create DNS records in the domain server that hosts your application. FortiCloud verifies those records exist so that the correct redirection takes place. As shown on the slide, the GUI provides all details about the records you must create. The GUI also displays and gives you an option for cases in which CNAME records are not allowed.

Cloud Security 7.0 for Azure Study Guide

66

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

67

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

Good job! You now understand the different options available to deploy FortiWeb in Azure. Now, you will learn about options to deploy FortiGate in Azure.

Cloud Security 7.0 for Azure Study Guide

68

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the deployment options available, you will be able to deploy FortiGate in Azure to meet your network requirements.

Cloud Security 7.0 for Azure Study Guide

69

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

You can deploy FortiGate from Azure Marketplace. You can choose one of the solutions listed, or deploy it using a custom ARM template. FortiGate deployments support both for compute optimized and general purpose Azure instances. Both BYOL and PAYG licensing models are available, but they are not interchangeable. Once you select a payment model, you cannot change it. To change the license type, you must deploy a new instance of FortiGate.

Cloud Security 7.0 for Azure Study Guide

70

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

The image on the slide shows the topology of a simple deployment of FortiGate in Azure.

Cloud Security 7.0 for Azure Study Guide

71

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

When you deploy a network device like FortiGate, it is important to have the correct IP forwarding settings on the virtual network card. Any network interface attached to a VM that forwards network traffic to an address other than its own must have the IP forwarding option enabled. The setting prevents Azure from checking the source and destination for a network interface. With IP forwarding enabled at its internal interface, a FortiGate VM can generate traffic using a source IP address that is different from the IP address assigned to the virtual network interface. IP forwarding is enabled by default when you deploy your VM from Azure Marketplace, or from a template in Fortinet GitHub. If IP forwarding is disabled, the packets are identified as spoofing packets. To prevent this situation, you must make sure that IP forwarding is enabled on the appropriate network interfaces.

Cloud Security 7.0 for Azure Study Guide

72

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

Before you deploy a FortiGate VM in Azure, consider the following aspects: • • • • •

Choose the correct licensing model since it cannot be changed after you deploy the VM. Verify you will get the support level needed because it depends on the license type. If you use PAYG licensing, you must register your VM before you can receive support from Fortinet Verify that the VM supports your needs. Do not overlook the number of virtual NICs required. Enable Accelerated Networking to increase the performance of your VMs.

Accelerated Networking is the name Microsoft uses for single root I/O virtualization (SR-IOV). This feature is supported by several general purpose and compute—optimized VMs with two vCPUs, but it is most often used in VMs with four or more vCPUs.

Cloud Security 7.0 for Azure Study Guide

73

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

74

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

Cloud Security 7.0 for Azure Study Guide

75

Deployment of Simple Solutions in Azure

DO NOT REPRINT © FORTINET

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to deploy single FortiWeb and FortiGate instances in Azure.

Cloud Security 7.0 for Azure Study Guide

76

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the options available to deploy dependable Fortinet solutions in Azure.

Cloud Security 7.0 for Azure Study Guide

77

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the topic shown on this slide.

Cloud Security 7.0 for Azure Study Guide

78

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the SLA levels offered by Microsoft Azure, and the options available to deploy dependable Fortinet solutions, you will be able to successfully design a reliable and resilient environment in the Azure cloud using FortiGate and FortiWeb.

Cloud Security 7.0 for Azure Study Guide

79

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

When designing a reliable architecture in Azure, you must take resiliency and high availability into account. You can achieve different levels of availability in Azure, depending on the deployment type you use. The following are the SLAs offered by Microsoft for VMs: •

•

• • •

For all VMs that have two or more instances deployed across two or more availability zones in the same Azure region, Microsoft guarantees you will have VM connectivity to at least one instance at least 99.99% of the time. For all VMs that have two or more instances deployed in the same availability set or in the same dedicated host group, Microsoft guarantees you will have VM connectivity to at least one instance at least 99.95% of the time. For any single instance VM using premium SSD or ultra disk for all operating system disks and data disks, Microsoft guarantees you will have VM connectivity of at least 99.9%. For any single Instance VM using standard SSD managed disks for operating system disk and data disks, Microsoft guarantees you will have VM connectivity of at least 99.5%. For any single Instance VM using standard HDD managed disks for operating system disks and data disks, Microsoft guarantees you will have VM connectivity of at least 95%.

For a complete list of SLAs offered by Microsoft Azure, visit: https://azure.microsoft.com/enus/support/legal/sla/.

Cloud Security 7.0 for Azure Study Guide

80

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

In Azure Marketplace, you can find different solutions to deploy highly available environments with FortiGate and FortiWeb. Several templates are also available in Fortinet GitHub. These templates offer the benefit of customization; however, keep in mind they are not supported by FortiCare Support services. The following solutions are available in Azure Marketplace: • • • •

FortiWeb - Active-Active Load balanced with ELB/ILB FortiGate - Active-Passive HA with Fabric Connector Failover FortiGate - Active-Passive HA with ELB/ILB FortiGate - Active-Active Load balanced with ELB/ILB

Cloud Security 7.0 for Azure Study Guide

81

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

This solution deploys an environment containing the following components: • • • •

An Azure load balancer with a public IP address Two FortiWeb VMs. The VMs are added in the backend pool of the load balancer An external subnet connecting the outgoing interface (port1) of the FortiWeb VMs to the load balancer An internal subnet

It is possible to use an existing VNET and public IP. In that case, the different subnets (external and internal) need to be created, or already exist in the VNET. This active-active pair of FortiWeb VMs communicates with each other, and the Azure fabric probes the systems for availability. This FortiWeb setup receives the traffic to be inspected using the public IP. The load balancer distributes traffic to the HA members. If an instance is down, it is ignored by the load balancer for traffic distribution. If the failed instances is the primary node, the secondary instance immediately assumes its role to become the new primary.

Cloud Security 7.0 for Azure Study Guide

82

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

This solution deploys an environment containing the following components: • • • •

Two FortiGate VMs in an active-passive deployment One VNET with one protected subnet, and four subnets required for the FortiGate deployment (external, internal, HA mgmt and HA sync). If using an existing VNET, it must already have all the subnets created. Three public IPs. The first public IP is for access through the active FortiGate. The other two IPs are for management access. User-defined routes (UDRs) for the protected subnets

The pair of FortiGate VMs communicates with each other and the Azure fabric to facilitate the failover. This FortiGate setup receives the traffic to be inspected using user-defined routes (UDRs) and public IPs. You can customize which traffic needs inspection, in any direction, by adapting the UDR routing. An SDN fabric connector is created automatically during deployment. The FortiGate VMs use managed identities for the SDN fabric connector. After deployment, you must apply the Reader role to the Azure Subscription you want to resolve Azure resources from. The two FortiGate VMs use unicast FortiGate Clustering Protocol (FGCP) HA to synchronize the configuration. On failover, the passive FortiGate takes control and issues API calls to Azure to shift the public IP address and update the internal user-defined routing to itself. Shifting the public IP address and gateway IP addresses of the routes takes time for Azure to complete. For this reason, this deployment option is not used very frequently. Because of its faster failover time, and easier management, the active-passive with the Azure load balancer is the preferred option.

Cloud Security 7.0 for Azure Study Guide

83

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

This solution deploys an environment containing the following components: • • • •

• •

Two FortiGate VMs in an active-passive deployment One external Azure standard load balancer for communication with the internet One internal Azure standard load balancer to receive all internal traffic and forward it to its destination One VNET with one protected subnet, and another four subnets required for the FortiGate VMs: external, internal, management and HA sync. If using an existing VNET, it must already have all the subnets created. Three public IPs. The first public IP is for access through the active FortiGate. This is for the data traffic. The other two IPs are for management access. UDRs for the protected subnets to redirect traffic to the internal load balancer

The public IP address used for data traffic is configured on the Azure load balancer. This FortiGate setup receives the traffic to be inspected using UDRs and public IPs. You can customize which traffic needs inspection, in any direction, by adapting the UDR routing. The FortiGate VMs communicates with each other using the unicast FGCP HA protocol, and the Azure load balancer handles traffic failover using a health probe sent to the FortiGate VMs. The failover times are based on the health probe: two failed attempts per five seconds, with a maximum of 15 seconds.

Cloud Security 7.0 for Azure Study Guide

84

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

This solution deploys an environment containing the following components: • • • • • •

Two independent FortiGate VMs One external Azure standard load balancer for communication with the internet One internal Azure standard load balancer to receive all internal traffic and forwarding it to its destination One VNET with three subnets One public IP for services and FortiGate management UDRs for the protected subnets to redirect traffic to the internal load balancer

This FortiGate setup receives the traffic to be inspected using UDRs and public IPs. You can customize which traffic needs inspection, in any direction, by adapting the UDR routing. It is possible to reference an existing VNET or public IP. In that case, the different subnets (external, internal, protected) need to be created, or exist in an existing VNET. In this setup, the Azure load balancer handles traffic failover using a health probe towards the FortiGate VMs. The public IP addresses are configured on the Azure load balancer and provide ingress and egress flows with inspection from the FortiGate. Each FortiGate VM is an independent instance, but you can synchronize their configurations in two ways: using FortiManager, and using the system autoscaling setup. To avoid asymmetric routing, it is recommended that you configure SNAT for the North-South traffic. Alternatively, you can configure FGSP for session synchronization, but this is not recommended, because it can potentially limit the visibility of IPS scans due to asymmetric traffic.

Cloud Security 7.0 for Azure Study Guide

85

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

You can deploy FortiGate VMs to support Azure Autoscale. This requires the deployment of one or more virtual machine scale sets (VMSSs) and network-related components, as well as Azure Function App scripts. Fortinet provides the FortiGate Autoscale for Azure deployment package to facilitate the deployment. To obtain the package go to https://github.com/Fortinet/fortigate-autoscale-azure. Multiple FortiGate-VM instances form a VMSS to provide highly efficient clustering at times of high workloads. FortiGate-VM instances are scaled out automatically according to predefined workload levels. Autoscaling is achieved by using FortiGate-native HA features such as config-sync, which synchronizes operating system (OS) configurations across multiple FortiGate-VM instances at the time of scale-out events. The Azure function app handles all the autoscaling features including primary and secondary role assignment, license distribution, and failover management. The tables in the Cosmos DB store the information about health check monitoring, primary device election and state transitions. The blob storage is used to keep the initial configuration to be used on new FortiGates VM instances, as well as the BYOL licenses. It is possible to use a combination of BYOL and PAYG for this deployment.

Cloud Security 7.0 for Azure Study Guide

86

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

87

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

Cloud Security 7.0 for Azure Study Guide

88

Deploying Dependable Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned about the deployment options available in Azure for dependable Fortinet solutions.

Cloud Security 7.0 for Azure Study Guide

89

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the Fortinet VPN solutions to connect to your Microsoft Azure environment.

Cloud Security 7.0 for Azure Study Guide

90

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the topics shown on this slide.

Cloud Security 7.0 for Azure Study Guide

91

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the different connection options available between your onpremises and Azure environments, you will be able to successfully choose the one that meet your needs.

Cloud Security 7.0 for Azure Study Guide

92

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

You can use FortiGate to establish a site-to-site IPsec VPN with your Azure network. The two options available are: • •

FortiGate in your local network, and Azure VPN Gateway on the Azure side FortiGate in your local network, and FortiGate VM on the Azure side

You can obtain similar results with either option. However, it is recommended to use the solution with FortiGate on both ends to ensure the best protection and, at the same time, avoid the administrative burden of managing multiple VPN platforms. For scenarios that require high availability, you can deploy FortiGate HA clusters on either end of the connection.

Cloud Security 7.0 for Azure Study Guide

93

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

The image on the slide shows a sample site-to-site topology using a FortiGate device on the local network, and Azure VPN gateway on the other end. You must create and configure the components shown within the Azure cloud. They are explained in more detail later in this lesson. Although it may seem trivial, you must ensure there is connectivity between both sides. You must configure routing correctly on the local FortiGate. In many cases, static routes may suffice, but you can use BGP for more complex scenarios. Note: An Azure VPN gateway is one type of virtual network gateway. The other type, ExpressRoute, is not used in this course.

Cloud Security 7.0 for Azure Study Guide

94

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

With this option, you must configure the following components in Azure as part of the site-to site VPN implementation: • •

• •

Gateway subnet: This is a special subnet that is unique for each VNET that you cannot rename. The VPN gateway resides in this subnet. VPN gateway: A virtual network gateway of the type VPN. It includes the public IP address that FortiGate must use as its connection peer. For the scenario shown, you must set it to use a gateway type of VPN. You must also select the VPN type. The available types depend on the gateway SKU selected, and your connection requirements. If required, you can configure it to use BGP. It is important to keep in mind that it can take 45 minutes, or even more, for Azure to finish creating a VPN gateway. Local network gateway: Used to set the FortiGate external IP and the on-premises subnet (address space). This is indicated using the CIDR notation. VPN gateway connection: For this scenario, you must set it to the type Site-to-site(IPsec). You can create more than one connection for a single VPN gateway to support multiple endpoints. The shared key configured here must match the one used in the on-premises FortiGate.

Note: Azure offers several VPN gateways SKUs, with different capabilities, but that is outside of the objectives of this course.

Cloud Security 7.0 for Azure Study Guide

95

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Consider the following when configuring the FortiGate end of the connection: • • • • •

The FortiGate configuration is similar to a standard site-to site implementation. The configuration includes the parameters for phase-1, phase-2, routing, and firewall policies. Always verify the parameters configured are supported by Azure. For example, at the time of this writing, not all DH groups supported by FortiGate are supported by Azure. If the FortiGate is behind NAT, use the command set local-gw to the FortiGate local private IP address. You may need to configure custom routing settings if, for example, you are using BGP between both sites.

Cloud Security 7.0 for Azure Study Guide

96

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

To verify if the VPN tunnel is established, and that traffic is being sent and received, access the IPsec Monitor widget in your FortiGate GUI. From here, you can also bring the tunnel up if needed. If you want to see more detailed information, you can use the CLI to execute the command: get vpn ike gateway. The following diagnostics commands can be useful when troubleshooting the creation of the VPN tunnel: #diagnose debug enable #diagnose debug application ike -1 Refer to the Azure documentation to troubleshoot the Azure side. The most common issues are usually due to one or more of the following: • • •

Misconfigured local gateway parameter Mismatched security proposals and protocols Mismatched source and destination subnets on phase 2

Cloud Security 7.0 for Azure Study Guide

97

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

The image on the slide shows a site-to-site topology using FortiGate on both sides of the VPN connection. This is the recommended topology to ensure the best protection. It also simplifies the administrative tasks since both sites are using FortiOS to create the VPN tunnel. For scenarios that require high availability, you can deploy FortiGate HA clusters on one or both ends of the connection. For these cases, it is recommended that you use an active-passive HA topology on the Azure side.

Cloud Security 7.0 for Azure Study Guide

98

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

The configuration for this option is essentially the same one used for a standard site-to site implementation with FortiGate devices. If the local FortiGate has an external public IP address, choose No NAT between sites in the NAT configuration field. The following are required when the local FortiGate is behind NAT: • On the local FortiGate, select: This site is behind NAT. • On the FortiGate VM in Azure, configure the tunnel interface with the command: set type dynamic. • You must initiate the connection from the local FortiGate.

Cloud Security 7.0 for Azure Study Guide

99

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

To verify if the VPN tunnel is established, and that traffic is being sent and received, access the IPsec Monitor widget on your FortiGate GUI. From here, you can also bring the tunnel up if needed. To diagnose the connection, use the following command on both FortiGate devices: #diagnose vpn ike gateway list For full configuration examples of both options described in this lesson, refer to the following guides: • FortiOS Azure Administration Guide • FortiOS Administration Guide

Cloud Security 7.0 for Azure Study Guide

100

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

101

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Good job! You now understand the options available to create site-to-site VPN connections to Azure. Now, you will learn the fundamentals of Azure virtual WAN.

Cloud Security 7.0 for Azure Study Guide

102

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the fundamentals of Azure vWAN, you will be able to describe how you can use that service to interconnect multiple locations to each other and to Azure resources.

Cloud Security 7.0 for Azure Study Guide

103

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Azure vWAN is an Azure managed service that acts as a hub to provide automated and optimized branch-tobranch, and branch-to-VNET connectivity. When deployed, it creates a hub and spoke topology. The image on this slides shows an example of a topology using Azure vWAN with hubs in two regions. The architecture of Azure vWAN consists of: • • • • •

vWAN Virtual hub Hub gateway Virtual hub-to-VNET connections Sites

On the topology shown on the slide, every branch can access each other, and the four VNETs. The costs associated with Azure vWAN are based on hourly rates, the amount of traffic going through the hubs, and the end points of the traffic flow.

Cloud Security 7.0 for Azure Study Guide

104

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

An Azure vWAN consists of the following components: • • • • •

vWAN : The virtual overlay network Virtual hub: One per Azure region. Enables connectivity from and to your on-premises networks. Virtual hub gateway: Used as the end point for the site-to-site connection from branches. Virtual hub-to-VNET connections: Connect the hub to VNETs within the same region as the hub. Sites: Represent your on-premises network. They are only used for site-to-site connections.

When they are part of an Azure vWAN, VNETs do not need their own VPN gateway. They use the hub gateway to send and receive remote traffic. This makes vWAN solutions very scalable. If any of your VNETs already has a VPN gateway, you must remove it before you connect it to the virtual hub. The configuration of the local networks is the same as the one used with an Azure VPN gateway. Note: The creation of a virtual hub with a virtual hub gateway takes approximately 30 minutes.

Cloud Security 7.0 for Azure Study Guide

105

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Azure supports two vWAN types: Basic and Standard. The type selected determines the connection types it supports. You can upgrade from Basic to Standard, but you are not allowed to downgrade. If desired, you must configure it to allow branch-to-branch connectivity. You must add the VNET to hub connections manually. You can convert the virtual hub to a secured virtual hub by associating it with Azure Firewall Manager. This allows you to include security and routing policies to filter traffic among the different branches and virtual networks. You can also create secured virtual hubs directly from Azure Firewall Manager. Although still on preview at the time of this writing, you can deploy FortiGate in an Azure vWAN hub and run it natively, to act as a next generation firewall (NGFW), as well as an SD-WAN solution.

Cloud Security 7.0 for Azure Study Guide

106

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Cloud Security 7.0 for Azure Study Guide

107

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

Congratulations! You have successfully completed this lesson. Now, you will review the objectives that you covered in this lesson.

Cloud Security 7.0 for Azure Study Guide

108

Deployment of VPN Fortinet Solutions in Microsoft Azure

DO NOT REPRINT © FORTINET

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned Azure basic concepts, networking, security, and how to use Fortinet solutions with Azure.

Cloud Security 7.0 for Azure Study Guide

109

DO NOT REPRINT © FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.