FortiOS 6.0 VPN: Fortinet Security Fabric over IPsec VPN

In this example, an HA cluster called Edge is the root FortiGate in the Security Fabric and a FortiGate called Branch is the remote FortiGate.

1. Configuring the tunnel interfaces

To configure Edge to listen for FortiTelemetry traffic over the VPN, connect to Edge, go to Network > Interfaces, and edit the tunnel interface.

Set IP to the local IP address for this interface (10.10.10.1) and Remote IP/Network mask to the IP address for the Branch tunnel interface (10.10.10.2/32).

Under Administrative Access, enable FortiTelemetry.

Connect to Branch, go to Network > Interfaces, and edit the tunnel interface.

Set IP to the local IP address for this interface (10.10.10.2) and Remote IP/Network mask to the IP address for the Edge tunnel interface (10.10.10.1/32).

2. Adding the tunnel interfaces to the VPN

To create an address for the Edge tunnel interface, connect to Edge, go to Policy & Objects > Addresses, and create a new address.

Set Category to Address and set Subnet/IP Range to the IP address for the Edge tunnel interface (10.10.10.1/32).

Create a second address for the Branch tunnel interface. For this address, enable Static Route Configuration.

To allow VPN traffic between the Edge tunnel interface and the Branch tunnel interface, go to VPN > IPsec Tunnels, and edit the VPN tunnel. Select Convert To Custom Tunnel.

Under Phase 2 Selectors, create a new Phase 2. Set Local Address to use a Named Address and select the address for the Edge tunnel interface. Set Remote Address to use a Named Address, and select the address for the Branch tunnel interface.

To route traffic to the Branch tunnel interface, go to Network > Static Routes, and create a new route.

Set Destination to Named Address, and select the address for the Branch tunnel interface. Set Device to the tunnel interface.

To allow traffic between the tunnel interfaces, go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic.

Set Source to include the Edge tunnel interface and Destination to include the Branch tunnel interface.

Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

On Branch, repeat this step to include the following:

• Addresses for both tunnel interfaces (enable Static Route Configuration for the Edge tunnel interface address)
• A Phase 2 that allows traffic between the Branch tunnel interface and the Edge tunnel interface
• A static route to the Edge tunnel interface
• Edited policies that allow traffic to flow between the tunnel interfaces

To allow the new phase 2 to take effect, go to Monitor > IPsec Monitor, and restart the VPN tunnel.

3. Authorizing Branch for the Security Fabric

You can authorize a FortiGate, FortiAP, or FortiSwitch to join the Security Fabric by using the device’s serial number, rather than sharing the password for the Security Fabric (the Group password option also isn’t available isn’t available in FortiOS 6.0.3 and later).

To authorize Branch, connect to Edge, and enter the following CLI command:

config system csf
  config trusted-list
    edit <serial_number>
  end
end

To add Branch to the Security Fabric, connect to Branch, and go to Security Fabric > Settings.

Enable FortiGate Telemetry. Set the Group name. Leave Group password blank (the Group password option isn’t available isn’t available in FortiOS 6.0.3 and later). Enable Connect to upstream FortiGate. Set FortiGate IP to the IP address of the Edge tunnel interface.

To verify that Branch is now part of the Security Fabric, connect to Edge, and go to Security Fabric > Settings. Branch appears in the Topology.

4. Allowing Branch to access the FortiAnalyzer

To create an address for the FortiAnalyzer, connect to Branch, go to Policy & Objects > Addresses, and create a new address. Enable Static Route Configuration.

To allow VPN traffic between the FortiAnalyzer and the Branch tunnel interface, go to VPN > IPsec Tunnels, and create a new Phase 2.

To route traffic to the FortiAnalyzer, go to Network > Static Routes, and create a new route.

On Edge, repeat this step to create an address for FortiAnalyzer and a new Phase 2 that allows traffic between the FortiAnalyzer and the Branch tunnel interface. Edge doesn’t require a new static route.

To allow traffic between Branch and the FortiAnalyzer, go to Policy & Objects > IPv4 Policy, and create a new policy.

Set Incoming Interface to the VPN interface, and set Outgoing Interface to the interface that connects to the FortiAnalyzer (in the example, port16). Set Source to the Branch tunnel interface, and set Destination to the FortiAnalyzer.

Enable NAT for this policy.

To authorize the Branch FortiGate on the FortiAnalyzer, connect to the FortiAnalyzer, and go to Device Manager > Unregistered.

Select Branch, then select +Add to register Branch.

Branch now appears as Registered.

5. Results

To view Branch as part of the Security Fabric topology, connect to Edge and go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel.

6. Desynchronizing Branch from the FortiAnalyzer, FortiSandbox, and FortiManager (optional)

If you don’t want Branch to automatically use the settings that Edge pushes for the FortiAnalyzer, FortiSandbox, and FortiManager, use the following CLI command to configure these settings locally:

config system csf
  set configuration-sync local
end

Go to Security Fabric > Settings. You can now configure the settings for FortiAnalyzer logging, Central Management, and Sandbox Inspection. You can also choose to use local logging rather than sending logs to a FortiAnalyzer.

This option is available for all FortiGate devices in the Security Fabric, except for the root FortiGate.