How to set up a Fortigate VM to extend security and network capabilities in Telefónica Open Cloud

Sergio Carmona
Cobalt Bond
Nov 7, 2017


by Sergio Carmona, Cloud, Monitoring and Security expert at Cobalt Bond

There are several scenarios in which one needs to extend the network and security capabilities of Open Cloud, for example:

  • enabling internet access for ECSs that do not have an External IP,
  • publishing several applications through NAT or a reverse proxy,
  • providing local DNS to VPC subnets,
  • extending VPN capabilities,
  • and, of course, providing UTM security or advanced IPS and ADDoS protection.

In this story I’m going to tell you how to create and set up a FortiGate Virtual Appliance in Telefónica Open Cloud that can help you deal with some of the scenarios mentioned above.

Uploading the Fortigate VM image file

The first thing we need is to have access to a Fortigate VM image. If you are a Fortinet partner you can find it in the download area at the Fortinet partners portal, or you can ask a Fortinet partner to get one for you.

We need the OpenXen image. In this case I will use 5.6.2, which is the latest release at the time of writing:

FGT_VM64_XEN-v5-build1486-FORTINET.out.OpenXen.zip

First we need to upload the image file to OBS using OBS Browser or any similar tool that can manage S3-compatible storage.

Importing the Fortigate VM image file into IMS

Once the image is uploaded to OBS we can import it into IMS: go to the IMS menu, select “Create Private Image”, choose to create the image from a file, select the file from your OBS bucket, set the OS Type to “Other, 64 bits” and the disk size to 40GB (the minimum size for an OS disk in Open Cloud). We will add an additional volume later to serve as the log disk.

Creating the ECS based on the imported image

Once the image file has been imported we can apply for an ECS based on it.

FortiGate VM can be used free of charge for 14 days with 1 vCPU and 1 GB RAM. After this period, or to upsize the ECS, you will need to set up a proper license.

For the OS volume we recommend the minimum size (40GB) and an SSD volume for the best performance.

We will also need two NICs in different subnets (for example front-end and back-end subnets) and an EIP assigned to the front-end one. We will also provide an additional data volume to serve as the log disk (the log disk size can be set up to 2TB, and I also recommend an SSD volume to boost performance).

Setting up a few important things:

Once our FortiGate VM ECS is running we need to perform some tasks to preconfigure it and grant access to the GUI.

Firewall interfaces pre-setup:

We need to access the VM through the Open Cloud VNC console to configure the network interfaces and set DHCP mode, so that they obtain the internal IP that is linked to the NIC in Open Cloud.

We log in to the FortiGate VM console as admin with no password.

FortiGate-VM64-Xen #
FortiGate-VM64-Xen # config system interface
FortiGate-VM64-Xen (interface) # edit port1
FortiGate-VM64-Xen (port1) # set mode dhcp
FortiGate-VM64-Xen (port1) # next
FortiGate-VM64-Xen (interface) # edit port2
FortiGate-VM64-Xen (port2) # set mode dhcp
FortiGate-VM64-Xen (port2) # next
FortiGate-VM64-Xen (interface) # end
FortiGate-VM64-Xen #

Then we have to prepare the data volume to serve as the log disk:

FortiGate-VM64-Xen # execute formatlogdisk

After formatting the disk the system forces a logout, so we log in again with the same credentials and send a reboot command so that the interfaces obtain their addresses via DHCP:

FortiGate-VM64-Xen # execute reboot

After rebooting we should be able to access the GUI over HTTP using the internal IP address.

Firewall GUI access:

Log in to the GUI as admin with no password.

Now we need to configure the interfaces and policies to allow traffic to the internet (for example to provide internet access to ECSs located in the same subnet as port2):

Set up Lan and WAN interfaces:

We will use port1 as WAN (so make sure that the NIC linked to port1 is the one that has the EIP) and port2 for the LAN. Because of that we have to turn off default gateway retrieval on port2 from the firewall interface menu, so that port1 remains the only source of the firewall’s default route:

Enable policy for traffic from LAN to WAN:

Now we enable traffic from port2 (LAN) to port1(WAN) through a firewall policy:

A very important step: Disabling SRC/DST Verification

Since the traffic forwarded by the FortiGate VM leaves its own interfaces with their own MAC addresses, we need to disable src/dst verification in the NIC configuration in the Open Cloud console; otherwise Open Cloud blocks internal traffic coming from or going to MAC addresses it does not know:

Almost done…

Now the firewall is ready to process traffic coming from the subnet (LAN), but the ECSs are still using the subnet gateway, so we need to access each ECS whose traffic we want to send through the firewall and change its default gateway. There are two ways:

  • assign a temporary EIP to log in to each of them
  • access them through their internal IP using a VPN

Once we can log in to one of them we need to change its default gateway:

For example, let’s say we have a Linux ECS (CentOS 7): we have to edit the network script for the eth0 interface, change it from DHCP to static, and set GATEWAY to the IP assigned to port2 in the firewall:

[root@ecs-whatever]$ vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
NM_CONTROLLED="no"
PERSISTENT_DHCLIENT="y"
IPADDR=10.99.96.110
NETMASK=255.255.255.0
GATEWAY=10.99.96.122

If you were accessing the ECS through the Open Cloud VPN, don’t forget to create a static route in the ECS that sends the VPN traffic back through the original subnet gateway; otherwise VPN traffic would arrive via the subnet gateway but return through the firewall (asymmetric routing), and the connection would break.

We can now reboot the ECS or restart the network service to apply the changes to the network configuration.

If you were accessing the ECS through an EIP, you can now unbind the EIP from the ECS’s NIC and release it.

In that case, don’t forget to create a port forwarding rule in the firewall, otherwise you won’t be able to log in to the ECS anymore. It’s easy: create a Virtual IP that redirects an external port to the internal IP and port, and create a firewall policy that allows traffic from WAN to LAN with the Virtual IP object as destination.

Testing…

We can run a ping test from this ECS and capture packets in the firewall to check that the ECS is actually reaching the internet through the firewall rather than through its own EIP.
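The port forwarding rule described earlier and the packet capture used in this test step, written out as FortiOS CLI. This is an added example, not configuration from the original post: the object names, the admin source range 203.0.113.0/24 (a documentation-only placeholder) and the reuse of the CentOS ECS address 10.99.96.110 from the network script above are my assumptions, and the lines starting with # are explanatory and should be omitted when pasting.

```fortios
# Added example (not from the original post). SSH port forwarding to the
# ECS at 10.99.96.110 plus the sniffer check; names and the admin source
# range are assumptions.

config firewall address
    edit "admin-net"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall vip
    edit "vip-ssh-ecs"
        set extintf "port1"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedip "10.99.96.110"
        set mappedport 22
    next
end

config firewall policy
    edit 2
        set name "WAN-to-LAN-ssh"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "admin-net"
        set dstaddr "vip-ssh-ecs"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# Run while pinging from the ECS: verbosity 4 prints the interface names,
# so the ICMP request should appear entering on port2 and leaving on port1.
diagnose sniffer packet any 'icmp' 4
```

`set extip 0.0.0.0` tells FortiOS to use the address of the external interface itself, which matters here because port1 gets its private address by DHCP and Open Cloud maps the EIP onto it. Restricting `srcaddr` to a known admin range instead of `all` keeps the forwarded SSH port from being reachable from the whole internet; widen it only if you really need to.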

And that’s all…

Don’t forget to deal with your security groups in Open Cloud, and with the right policies in the firewall, to minimize risk exposure while allowing the right traffic. Also don’t forget to set a proper password for the admin user in the FortiGate.

Hope you have found this reading helpful.

Comments are welcome.

Cheers.
