Secure AWS workloads with FortiGate CNF SaaS

Welcome!

AWS Software-Defined Networking (SDN) is elastic, complex, and quite different than traditional on-premise networking. In this workshop you will learn how to use FortiGate Cloud Native Firewall as a Service (FortiGate CNF) to protect your AWS workloads deployed in common architecture patterns.

This workshop is intended to help accomplish the following:

Learn common AWS networking concepts such as routing traffic in and out of VPCs for various traffic flows
Interact with FortiGate CNF Portal to deploy CNF instances, build security policy sets, and deploy them
Test traffic flows in an example environment and use FortiGate CNF to control traffic flows

Introduction

Secure AWS workloads with FortiGate CNF SaaS

Learning Objectives

At the end of this workshop, you will complete the following objectives:

Understand AWS Networking Concepts (10 minutes)
Understand AWS Common Architecture Patterns (10 minutes)
Understand FortiGate CNF terminology (5 minutes)
Subscribe to FortiGate CNF (5 minutes)
Onboard an AWS account (5 minutes)
Deploy a FortiGate CNF Instance & GWLBe endpoints (20 minutes)
Create a policy set and apply it to a FortiGate CNF Instance (10 minutes)
Test traffic flows (distributed in + egress and centralized e-w + egress) (20 minutes)

Workshop Components

These are the AWS and Fortinet components that will be used during this workshop:

AWS Marketplace
FortiCloud
FortiGate CNF Portal
AWS CloudFormation Templates (Infrastructure as Code, IaC)
AWS SDN (AWS intrinsic router and route tables in a VPC)
AWS Gateway Load Balancer (GWLB)
AWS Transit Gateway (TGW)
AWS EC2 Instances (Amazon Linux OS)

AWS Reference Architecture Diagram

This is the architecture and environment that will be used in the workshop.

With AWS networking there are several different ways to organize your AWS architecture to take advantage of FortiGate CNF traffic inspection. The important point to know is that as long as the traffic flow has a symmetrical routing path (for forward and reverse flows), the architecture will work.
This diagram will highlight two main designs that are common architecture patterns for securing traffic flows.
Distributed Ingress + Egress
Centralized Egress + East-West

Workshop Prerequisites

In this section we will step through the what is needed before you can get the most out of the rest of the workshop!

Workshop Logistics

Accessing an AWS environment

For AWS Immersion Days and other events, we will provide you the following via email on the day of the event:

AWS sign in link
IAM User w/ console access
Password for the IAM User

Warning

Please only submit your request once in the text box below. Once submitted, you will receive further information via email. There will not be any feedback or response in the text box.

Note

We recommend using our pre provisioned AWS accounts for the workshop as this provides the fastest hands on experience, without worrying about charges incurred on your AWS bill.

Accessing the FortiGate CNF Console

FortiGate CNF and other SaaS solutions are tied to your FortiCloud account. If you do not already have one, please navigate here and complete the registration process.

If you already have an account and don’t want to use that for this lab, it is recommended to create your own FortiCloud account.

Once logged in, you will see your FortiCloud dashboard.

You will log into the FortiGate CNF console later during the hands on section.

Info

Please log out before proceeding to the next part of the workshop.

Navigating the AWS Console

When you first login you will see the Console Home page.

Use the Search Box at the top to search for services such as EC2, VPC, CloudFormation, etc.

When the results pop up, right click the name of the service and open the desired console in a new tab. This makes navigation easier.

This concludes this section.

AWS Networking Concepts

Before diving into the reference architecture for this workshop, let’s review core AWS networking concepts.

AWS Virtual Private Cloud (VPC) is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Availability Zones (AZ) are multiple, isolated locations within each Region that have independent power, cooling, physical security, etc. A VPC spans all of the AZs in the Region.

Region, is a collection of multiple AZs in a geographic location. The collection of AZs in the same region are all interconnected via redundant, ultra-low-latency networks.

All subnets within a VPC are able to reach each other with the default or intrinsic router within the VPC. All resources in a subnet use the intrinsic router (1st host IP in each subnet) as the default gateway. Each subnet must be associated with a VPC route table, which specifies the allowed routes for outbound traffic leaving the subnet.

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

AWS NAT Gateway (NAT GW) is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

AWS Transit Gateway (TGW) is a highly scalable cloud router that connects your VPCs in the same region to each other, to on-premise networks, and even to the internet through one hub. With the use of multiple route tables for a single TGW, you can design hub and spoke routing for traffic inspection and enforcement of security policy across multiple VPCs.

AWS (Gateway Load Balancer (GWLB) is a transparent network gateway that distributes traffic (in a 3/5 tuple flow aware manner) to a fleet of virtual appliances for inspection. This is a regional load balancer that uses GWLB endpoints (GWLBe) to securely intercept data plane traffic within consumer VPCs in the same region.

In this workshop we will use all these components to test FortiGate CNF in an enterprise design.

For a deep dive on AWS networking concepts in your own lab, outside of this event, you can follow the AWS Network Immersion Day workshop in your own AWS account at your leisure.

This concludes this section.

AWS Common Architecture Patterns

While there are many ways to organize your infrastructure there are two main ways to design your networking when using GWLB, centralized and distributed. From the perspective of networking, routing, and GWLBe placement. We will discuss this further below.

FortiGate CNF is a SaaS offering that on the backend uses FortiGates, AWS GWLB, and GWLB endpoints to intercept customer traffic and inspect this transparently. As part of the deployment process for FortiGate CNF instances, the customer environment will need to implement VPC routing and Ingress Routing at the IGW to intercept the traffic to be inspected.

The FortiGate CNF security stack which includes the AWS GWLB and other components will be deployed in Fortinet managed AWS accounts. The details of the diagram are simply an example of the main components used in FortiGate CNF. This is more to understand what happens when customer traffic is received at our GWLB.

Decentralized designs do not require any routing between the protected VPC and another VPC through TGW. These designs allow simple service insertion with minimal routing changes to the VPC route tables. The yellow numbers show the initial packet flow for a session and how it is routed (using ingress and VPC routes) to the GWLBe endpoint which then sends traffic to the FortiGate CNF stack. The blue numbers show the returned traffic after inspection by the FortiGate CNF stack.

Note

Any subnet where the GWLBe for the FortiGate CNF instance is to be deployed will need to have a specific tag name and value to be seen in the FortiGate CNF portal. Currently this is the tag name fortigatecnf_subnet_type and tag value endpoint.

Centralized designs require the use of TGW to provide a simple hub and spoke architecture to inspect traffic. These can simplify east-west, egress, and ingress traffic inspection needs while removing the need for IGWs and NAT Gateways to be deployed in each protected VPC for egress inspection. You can still mix a decentralized architecture to inspect ingress and even egress traffic while leveraging the centralized design for all east-west inspection.

The yellow numbers show the initial packet flow for a session and how it is routed (using ingress, VPC routes, and TGW routes) to the GWLBe which then sends traffic to the FortiGate CNF stack. The blue numbers (east-west) and purple numbers (egress) show the returned traffic after inspection by the FortiGate CNF stack.

For more examples of distributed and centralized models, please reference the examples in the FortiGate CNF Admin Guide.

This concludes this section.

FortiGate CNF Terminology

Term	Description
CNF Console	The console in which you deploy CNF instances and manage policy sets
CNF Instance	A deployment of CNF resources in an auto scale group in the region of your choice
Policy Set	The group of FW rules, objects, and security profile groups that are assigned to one or many CNF Instance(s)
Security Profile Group	A group of Layer 7 inspection profiles such as Intrision Prevention (IPS), DNS filtering, and known bad IP blocking

This concludes this section.

Workshop Hands On

Task 1

1. Log into your AWS account and navigate to the AWS Marketplace listing for FortiGate CNF (click for MP listing). In the upper right corner, click View purchase options. On the next page, click Subscribe.

1. In the available offers list, select the Public offer.

1. The page should update and show the GA pricing. Click Subscribe.

1. A green banner will be at the top of the screen. Click Set up your account and this will open a new tab in the AWS Marketplace console.

1. Select Login or create vendor account and this will open a pop up window to login to FortiCloud.

Info

If you have an existing FortiCloud Account, click Login. Otherwise, the register button will walk you through creating your own account quickly.

1. Once completed, you will see that the FortiCloud account is now linked with the AWS account. Click Launch template to open a new tab in the CloudFormation console. On the CloudFormation console, tick the Capabilities box and then click Create stack. Once the template has been successfully created, move on to the next step.

Info

Please use the us-west-2 (Oregon) region for this template. If you are in a different region, simply click on the region in the upper right hand corner and select Oregon.

1. Login to FortiGate CNF Console. Once logged in, click on your account tile and you will see the CNF dashboard.

Info

If you see No Subscription Found, please logout, wait 10-15 minutes, and try again. You should see Successful Subscription once the backend registration is completed.

1. This concludes this section.

Task 2

Task 2: Deploying CNF Instances and GWLBe endpoints

Info

For this section of the workshop we will be using the us-east-2 (Ohio) region.

1. In the FortiGate CNF console, navigate to CNF instances and click New > CNF.

1. Provide a name for the CNF instance, select us-east-2 for the region for deployment, select Internal S3 for the log type, and select the S3 bucket created by CloudFormation for the logging destination. Then click Save. This will drop you back to the list of CNF instances while this is deployed in the background.

Note

Note: FortiGate CNF is available in the following regions today. Based on customer demand, more regions will be supported in the future.

us-east-1 (N. Virginia)
us-east-2 (Ohio)
us-west-1 (N. California)
us-west-2 (Oregon)
ca-central-1 (Central)
sa-east-1 (Sao Paulo)
eu-central-1 (Frankfurt)
eu-central-2 (Zurich)
eu-west-1 (Ireland)
eu-west-2 (London)
il-central-1 (Tel Aviv)
ap-east-1 (Hong Kong)
ap-northeast-1 (Tokyo)
ap-southeast-1 (Singapore)

1. The CNF Instance should show up as active after roughly 10 minutes, now is a great time for a break :). Then you can select and edit it to deploy endpoints and assign a policy set.

1. On the Configure Endpoints section of the wizard, click the New button. Then you can select the account, VPC, then toggle the Select from all subnets to off (this filters the subnets to only show ones that are properly tagged), and the subnet to deploy the VPC endpoint to. Repeat this step for all subnets in the table below, then click the Next button. Once all have been created, click Next.

VPC	Subnet
Application-VPC	Application-GwlbeSubnet1
Application-VPC	Application-GwlbeSubnet2
Inspection-VPC	Inspection-GwlbeSubnet1
Inspection-VPC	Inspection-GwlbeSubnet2

Info

Note: In order for FortiGate CNF to successfully create a GWLBe in a subnet, the subnet must be properly tagged. The subnet needs a Tag Name = fortigatecnf_subnet_type and Tag Value = endpoint. Otherwise you will see an error that the subnet ID is invalid. The subnets below have already been tagged properly. In this example environment, the subnets above have already been properly tagged.

1. On the Configure Policy Set section of the wizard, the default ‘allow_all’ policy is used to allow all traffic from a Layer 4 perspective and click Exit. You should then see the list of CNF instances again.

1. To validate all GWLBe endpoints have been deployed and are active (takes ~5 mins), select and edit the CNF instance and click Next to view the GWLBe endpoints on the Configure Endpoints section of the wizard. Then click Exit to leave the CNF configuration wizard.

1. Log into your AWS Account and navigate to the VPC Console > Endpoints. Each of the GWLBe endpoints you deployed in the FortiGate CNF Console should be visible in your account. Notice the tag name and value pairs assigned to the endpoints.

Info

Note: At this point in a normal environment, you would need to create ingress and VPC routes to direct traffic to the GWLBe endpoints that were created by FortiGate CNF for inspection. However, for this workshop there is a Lambda function that is creating these routes for you to match the AWS Reference Architecture Diagram.

1. To validate that the relevant VPC routes have been automatically created to route traffic to the GWLBe endpoints, in the AWS VPC console, navigate to Virtual Private Cloud > Route Tables, select each of the route tables listed below and confirm these routes exist in the route tab of the route table details pane.

VPC Route Table	# Routes to GLWBe
Application-IgwRouteTable	2x (one per public subnet), one per GWLBe (each AZ)
Application-Public1RouteTable	1x (default route), GWLBe AZ1
Application-Public2RouteTable	1x (default route), GWLBe AZ2
Inspection-Public1RouteTable	1x (10.0.0.0/8 route), GWLBe AZ1
Inspection-Public2RouteTable	1x (10.0.0.0/8 route), GWLBe AZ2
Inspection-TgwAttach1RouteTable	1x (default route), GWLBe AZ1
Inspection-TgwAttach2RouteTable	1x (default route), GWLBe AZ2

1. To confirm that app1 in the Application VPC is reachable, in the AWS CloudFormation console, toggle the view nested button to off > then select the stack name > and on the details pane select the outputs tab. You should see the output for URLforApp1. Click on the value for that output to check that App1 is reachable now. You should see a simple webpage with some metadata about the backend web server instance that is reachable via the public Network Load Balancer (NLB).

1. This concludes this section.

Task 3

Task 3: Create a policy set and apply it to a FortiGate CNF Instance

1. At this point, we are using the default allow_all policy set which allows all communication to be allowed without any restriction from a Layer 4 and Layer 7 perspective.

1. To customize the actual L4 rules and L7 security profile groups applied, in the FortiGate CNF Console navigate to Configuration > Policy Sets to create your own policy set. Simply click Create New, select Policy Set, and give your policy set a name.

1. Before adding in L4 rules within the policy set, create a few simple address objects. Navigate to Configuration > Addresses, click New, and Address. Then create each of the address objects below.

Name	Type	IP/Netmask Value
ClassA	Subnet	10.0.0.0/8
ClassB	Subnet	172.16.0.0/12
ClassC	Subnet	192.168.0.0/16
GooglePublicDNS1	Subnet	8.8.8.8/32
GooglePublicDNS2	Subnet	8.8.4.4/32
AppPublicSubnet1	Subnet	10.1.1.0/24
AppPublicSubnet2	Subnet	10.1.2.0/24

1. Next, create an Address Group to include all the RFC 1918 class objects. On the same page, click New, and Address Group. Then create each the address object below.

Name	Members Value
RFC-1918	ClassA, ClassB, ClassC

1. In FortiGate CNF you can create different types of address objects to be more flexible and granular in your rules within your policy set. Create an FQDN based address object by clicking New, and Address. Select FQDN for Type, then create the address object below.

Tip

Note: This can be used for internal Application, Network, and even legacy Elastic Load Balancers (ie ALB, NLB, ELB) to dynamically resolve their private IPs.

Name	Type	FQDN Value
ipinfo.io	FQDN	ipinfo.io

1. Geography based address objects are available in FortiGate CNF. This allows controlling traffic based on public IPs assigned to countries around the globe. These objects can be used as a source or destination object within policies used in a policy set. Create a geo based address object by clicking New, and Address. Select Geography for Type, then create the address objects below.

Tip

Note: The IP for the country or region is automatically determined from the Geography IP database which is provided by FortiGuard Servers on a recurring basis. For more granular control to applications (especially external), it is recommended to use URL or DNS filtering and even Application Control for L7 inspection.

Name	Type	Country/Region Value
UnitedStates	Geography	United States
Russia	Geography	Russian Federation

1. Dynamic metadata based address objects are available in FortiGate CNF. This allows controlling of traffic based on things such as VPC ID, Auto Scale Group, EKS Cluster or Pod, and even Tag Name + Value pairs for a given AWS account and region. Create a dynamic based address object by clicking New, and Address. Select Dynamic for Type, then create the address objects below.

Tip

Note: This is using AWS API calls behind the scenes such as ec2:DescribeInstances, eks:ListClusters, eks:DescribeCluster, etc. For instances, these must be running to have their IP address(es) (public and or private IPs) returned.

Note: For each object, you will use the same values for these settings:

Type	AWS Account ID	AWS Region
Dynamic	Workshop-AWS-Account-ID	us-east-2

Here is the list of dynamic objects to create:

Name	SDN Address Type	Filter Value
ProdAPIBackend	Private	Tag.env=prod AND Tag.app-role=api AND Tag.app-tier=backend
ProdAuthBackend	Private	Tag.env=prod AND Tag.app-role=auth AND Tag.app-tier=backend
SDNGroup1	Private	Tag.sdn-group=group1
SDNGroup2	Private	Tag.sdn-group=group2
SDNGroup3	Private	Tag.sdn-group=group3

1. Now you will create a policy set to enforce L4 rules using the address objects you just created in the previous steps. Navigate to Configuration > Policy Sets and click New, Policy Set. Give it a name and click Ok. You will be returned to the list of policy sets. Select your policy set and click Edit.

1. Now you can create the policies listed below to control all directions of traffic within the example environment. Click New and create the policies listed below:

Name	Source	Destination	Service	Action	Log Allowed Traffic
BlockList-Inbound	Russia	all	ALL	DENY	All Sessions
BlockList-Outbound	all	Russia	ALL	DENY	All Sessions
HTTPS-Inbound	UnitedStates	RFC-1918	HTTPS	ACCEPT	All Sessions
ICMP-EastWest	RFC-1918	RFC-1918	ALL_ICMP	ACCEPT	All Sessions
AuthSharedServices-EastWest	ProdAPIBackend	ProdAuthBackend	HTTPS + RADIUS	ACCEPT	All Sessions
ICMP-Egress	RFC-1918	UnitedStates	ALL_ICMP	ACCEPT	All Sessions
IPinfo-Egress	SDNGroup1 + SDNGroup2 + AppPublicSubnet1 + AppPublicSubnet2	ipinfo.io	HTTPS	ACCEPT	All Sessions

1. In order to use this policy set, it must be applied to the deployed FortiGate CNF Instance. Navigate to CNF instances and select and edit the CNF Instance then click the Configure Policy Set bread crumb. In the Apply Policy Set, select your policy set then click Save then Exit.

Warning

Note: If you skip this step, your CNF Instance would still be using the allow_all policy set which means it basically just a cool FireRouter. 😜

1. This concludes this section.

Task 4

Task 4: Validate Resolution of Dynamic Address Objects

1. At this point, we are using a few dynamic address objects in our policy set. To confirm what they have resolved to, navigate to CNF Instances page and right click the instance and select View Policy Set Revision.

1. On the pop up window, select the Addresses tab and double click each of the dynamic address objects to confirm they resolve the IP addresses listed below.

Name	IP Address	Instance
ProdAPIBackend	10.2.2.10	WrkInstance2
ProdAuthBackend	10.1.2.10	SSInstance1
SDNGroup1	10.1.3.10 & 10.1.4.10	AppInstance1 & AppInstance2
SDNGroup2	10.2.1.10 & 10.2.2.10	WrkInstance1 & WrkInstance2

Tip

Note: The Dynamic Address Objects are resolved again every 60 seconds to maintain an up to date list of addresses.

1. In the EC2 Console, Navigate to Auto Scaling > Auto Scale Groups then select and edit the existing group.

1. Next, edit the group details and set the Desired, Minimum, and Maximum capacity to 1. A new EC2 instance will be launched within a minute or two.

1. In the CNF console navigate to Policy & Objects > Addresses and create a new dynamic address object based on the Auto Scale Group name, reference the values below:

Type	AWS Account ID	AWS Region
Dynamic	Workshop-AWS-Account-ID	us-east-2

Name	SDN Address Type	Filter Value
SSAutoScaleGrp1	Private	AutoScaleGroup-iday-SSAutoScaleGroup1-…

Info

Note: The unique identifier at the end of the Auto Scale Group will be different in your environment.

1. For the address object to be resolved, it must be used in a policy set that is applied to a deployed CNF Instance. In the CNF console navigate to Policy & Objects > Policy Sets, then edit the existing policy set, and add the new address object to the IPinfo-Egress rule as an additional source.

1. Navigate to CNF Instances page and right click the entry and select Sync Policy Set, then within a few seconds click Refresh.

1. On the CNF Instances page and right click the instance and select View Policy Set Revision again, then select the Addresses tab and double click the new dynamic address object to see the resolved private IP.

Info

Note: The resolved IP address value will be different in your environment.

1. The CNF Instance will continue to check what running resources match the configured filter in the dynamic address objects and update the list of resolved IP(s). To see this in action, in the EC2 Console, Navigate to Auto Scaling > Auto Scale Groups then select and edit the existing group and set the Desired, Minimum, and Maximum capacity to 3.

1. Within 60 seconds the existing address object will be updated. Navigate to CNF Instances page and right click the instance and select View Policy Set Revision again, then select the Addresses tab and double click the new dynamic address object to see the latest resolved private IPs.

1. This concludes this section.

Workshop Test Traffic

In this section you will validate that the policy set is controlling traffic as intended. Below is the overall architecture of the environment.

We will look into these specific traffic flows:

Distributed Ingress
Distributed Egress
Centralized Egress
Centralized East West

Distributed Ingress

For this traffic flow we will focus on the Application VPC. Distributed ingress is commonly used when there is a need to inspect traffic for a VPC that is directly accessible with an attached IGW and resources with a public Elastic IP (EIP) or behind a public load balancer (ie ALB, NLB, etc). The benefit of this design is that traffic does not need to traverse additional AWS networking components for inspection so each VPC is isolated from others. The caveat to consider is that each VPC would need a directly attached IGW and resources such as load balancers, NAT GWs, etc that have additional cost.

Step 1: An inbound connection starts with an external user initiating a connection to a public resource such as a public NLB. The public NLB has a DNS record that resolves to a public IP for one of the NLB’s Elastic Network Interface (ENI) in either public subnet. The first packet (ie TCP SYN) will then be seen at the IGW attached to the VPC where the public NLB is deployed. Since there is a Ingress route table assigned to the IGW, traffic destined to either public subnet will be sent to the GWLBe endpoint in the same AZ.

Note

The IGW will perform destination NAT to change the public IP of the NLB to the private IP of the NLB ENI.

Step 2: The traffic is received at the GWLBe endpoint which then routes the traffic to the associated GWLB ENI in the same AZ in the managed Fortinet AWS account/VPC. This is done behind the scene using AWS Private Link.

Step 3: The traffic is received at the GWLB ENI and is then encapsulated in a GENEVE tunnel and routed to one of the instances in the FortiGate CNF auto scale group for traffic inspection. Post inspection, if the traffic is allowed, the instance will hairpin the traffic back to the same GWLB ENI over GENEVE. Then the GWLB ENI will hairpin the traffic back to the same GWLBe endpoint.

Step 4: The GWLBe endpoint will then route the inspected traffic to the intrinsic router. The intrinsic router will route traffic directly to the NLB’s ENI as specified in the VPC route table assigned to the subnet.

Step 5: The NLB will send traffic to a healthy target, in either AZ since cross zone load balancing is enabled.

Note

The NLB will perform destination NAT to change the private IP to that of the healthy target.

Step 6: The web server will receive the traffic and respond. The return traffic will flow these steps in reverse.

1. To test out this flow navigate to the AWS CloudFormation console and toggle the view nested button to off > then select the stack name > and on the details pane select the outputs tab. You should see the output for URLforApp1. Click on the value for that output to check that App1 is no longer reachable now. Click on the value for the output EncryptedURLforApp1 and you will see the self-signed certificate warning. Once you accept the warning, you will see the test web page.

Note

You are now only allowing HTTPS inbound to your environment that is sourced from a public IP within the United States!

Distributed Egress

For this traffic flow we will focus on the Application VPC. Distributed egress is commonly used when there is a need to inspect traffic for a VPC that has an attached IGW and resources with a public Elastic IP (EIP) or that are behind a NAT GW. The benefit of this design is that traffic does not need to traverse additional AWS networking components for inspection so each VPC is isolated from others. The caveat to consider is that each VPC would need a directly attached IGW and resources such as NAT GWs that have additional cost.

Step 1: An outbound connection starts with a private EC2 instance initiating a connection to a public resource. The first packet (ie TCP SYN) will be routed to the intrinsic router which will route traffic to the NAT GW in the same AZ, as configured in the assigned VPC route table. The EC2 instance has a default route, received via DHCP, that points to the first host IP in the subnet which is the intrinsic router.

Step 2: The traffic is received at the NAT GW ENI which then routes the traffic to the associated GWLBe endpoint in the same AZ, as configured in the assigned VPC route table.

Note

The NAT GW will source NAT the traffic to the private IP assigned to its ENI.

Step 3: The traffic is received at the GWLBe endpoint which then routes the traffic to the associated GWLB ENI in the same AZ in the managed Fortinet AWS account/VPC. This is done behind the scene using AWS Private Link.

Step 4: The traffic is received at the GWLB ENI and is then encapsulated in a GENEVE tunnel and routed to one of the instances in the FortiGate CNF auto scale group for traffic inspection. Post inspection, if the traffic is allowed, the instance will hairpin the traffic back to the same GWLB ENI over GENEVE. Then the GWLB ENI will hairpin the traffic back to the same GWLBe endpoint.

Step 5: The GWLBe endpoint will then route the inspected traffic to the intrinsic router. The intrinsic router will route traffic directly to the IGW as specified in the VPC route table assigned to the subnet.

Note

The IGW will source NAT the traffic to the public EIP assigned to the NAT GW ENI.

Step 6: The destination will receive the traffic and respond. The return traffic will be intercepted at the IGW and routed to the GWLBe endpoint. Then the return traffic follow these steps in reverse.

1. To test out this flow navigate to the AWS EC2 console and go to Instances > Instances. Then select either AppInstance and click Connect > EC2 serial console. Copy the instance ID as this will be the username and click connect.

1. Login to the instance with the instance ID as the username and FORTInet123! as the password. Then run the commands below to test traffic:

ping 8.8.8.8

curl http://ipinfo.io

curl https://ipinfo.io

Note

You are now only allowing HTTPS outbound to one FQDN and ICMP to any public IP within the United States!

Centralized Egress

For this traffic flow we will focus on the Shared Services, Workload, and Inspection VPCs. Centralized egress is commonly used when there is a strong desire to control egress traffic through a common set of NAT GWs in an egress or what we call an Inspection VPC. The benefit of this design is that you only need NAT GWs in the Inspection VPC (one per AZ) vs every VPC (one per AZ), which have an hourly cost. The caveat of this design is traffic will traverse additional AWS networking components for inspection (ie TGW, etc) that will have additional cost.

Step 1: An outbound connection starts with a private EC2 instance initiating a connection to a public resource. The first packet (ie TCP SYN) will be routed to the intrinsic router which will route traffic to the TGW attachment in the same AZ, as configured in the assigned VPC route table. The EC2 instance has a default route, received via DHCP, that points to the first host IP in the subnet which is the intrinsic router.

Step 2: The traffic is received at the TGW ENI which then routes the traffic to the Inspection VPC TGW attachment, as configured in the associated Spoke VPC TGW route table.

Step 3: The traffic is received at the TGW ENI in the Inspection VPC which then routes the traffic to the GWLBe endpoint in the same AZ, as configured in the associated VPC route table.

Step 4: The traffic is received at the GWLBe endpoint which then routes the traffic to the associated GWLB ENI in the same AZ in the managed Fortinet AWS account/VPC. This is done behind the scene using AWS Private Link.

Step 5: The traffic is received at the GWLB ENI and is then encapsulated in a GENEVE tunnel and routed to one of the instances in the FortiGate CNF auto scale group for traffic inspection. Post inspection, if the traffic is allowed, the instance will hairpin the traffic back to the same GWLB ENI over GENEVE. Then the GWLB ENI will hairpin the traffic back to the same GWLBe endpoint.

Step 6: The GWLBe endpoint will then route the inspected traffic to the intrinsic router. The intrinsic router will route traffic directly to the NAT GW in the same AZ as specified in the VPC route table assigned to the subnet.

Step 7: The traffic is received at the NAT GW ENI which then routes the traffic to the intrinsic router. The intrinsic router will route traffic directly to the IGW as specified in the VPC route table assigned to the subnet.

Note: The NAT GW will source NAT the traffic to the private IP assigned to its ENI.

Step 8: The destination will receive the traffic and respond. The return traffic will follow these steps in reverse.

Note

The IGW will source NAT the traffic to the public EIP assigned to the NAT GW ENI.

1. To test out this flow navigate to the AWS EC2 console and go to Instances > Instances. Then select either WrkInstance and click Connect > EC2 serial console. Copy the instance ID as this will be the username and click connect.

1. Login to the instance with the instance ID as the username and FORTInet123! as the password. Then run the commands below to test traffic:

ping 8.8.8.8

curl http://ipinfo.io

curl https://ipinfo.io

Note

You are now only allowing HTTPS outbound to one FQDN and ICMP to any public IP within the United States!

Question 1: What happens if you try the same test from SSInstance1?

You should be able to access the IPinfo.io site over HTTPS and ping any public IP within the United States.

Question 2: What address objects are allowing this communication to work even though the sdn-group = group3 for this instance?

AppPublicSubnet1 + AppPublicSubnet2. Remember that Dynamic, FQDN, and standard address objects still resolve to IPs. Since the Application-VPC and SharedServices-VPC share the same CIDR the data plane traffic will match on those Address objects.

A solution to this would be to use multiple CNF Instances in a region or expand on your tagging strategy to make the objects be more specific while avoiding using broad subnet CIDR values in the same L4 rule.

Centralized East West

For this traffic flow we will focus on the Shared Services, Workload, and Inspection VPCs. Centralized East West is commonly used when there is need for multiple VPCs in the same region to access common private resources such as a shared services VPC, premise items, or workloads/services in other VPCs. The benefit of this design is that this a flexible but simple way to interconnect many resources in the same region. The caveat of this design is traffic will traverse additional AWS networking components for inspection (ie TGW, etc) that will have additional cost.

Step 1: An outbound connection starts with a private EC2 instance initiating a connection to a public resource. The first packet (ie TCP SYN) will be routed to the intrinsic router which will route traffic to the TGW attachment in the same AZ, as configured in the assigned VPC route table. The EC2 instance has a default route, received via DHCP, that points to the first host IP in the subnet which is the intrinsic router.

Step 2: The traffic is received at the TGW ENI which then routes the traffic to the Inspection VPC TGW attachment, as configured in the associated Spoke VPC TGW route table.

Step 3: The traffic is received at the TGW ENI in the Inspection VPC which then routes the traffic to the GWLBe endpoint in the same AZ, as configured in the associated VPC route table.

Step 6: The GWLBe endpoint will then route the inspected traffic to the intrinsic router. The intrinsic router will route traffic to the TGW attachment in the same AZ as specified in the VPC route table assigned to the subnet.

Step 7: The traffic is received at the TGW ENI which then routes the traffic to the Shared Services VPC TGW attachment, as configured in the associated Inspection VPC TGW route table.

Step 8: The traffic is received at the TGW ENI in the Shared Services VPC which then routes the traffic to the destination, as configured in the associated VPC route table.

1. To test out this flow navigate to the AWS EC2 console and go to Instances > Instances. Then select WrkInstance2 and click Connect > EC2 serial console. Copy the instance ID as this will be the username and click connect.

1. Login to the instance with the instance ID as the username and FORTInet123! as the password. Then run the commands below to test traffic:

ping 10.1.2.10

ssh ec2-user@10.1.2.10

curl -k https://10.1.2.10

Note

You are now only allowing HTTPS and RADIUS access between two resourced based on metadata (ie Tags)!

Question 1: What happens if you try the same test from WrkInstance1?

You are able to ping but SS annd HTTPS time out.

Question 2: What tags are allowing this communication to match the dynamic address objects?

For the ProdAPIBackend object, Tag.env=prod AND Tag.app-role=api AND Tag.app-tier=backend. For the ProdAuthBackend object, Tag.env=prod AND Tag.app-role=auth AND Tag.app-tier=backend.

Extra Credit

This is an extra credit section that gives you hands on with using FortiManager and FortiAnalyzer with FortiGate-CNF.

This will give you another environment to do the following:

Add a CNF Instance to FMG
Import the base ‘allow all’ policy set
Modify the policy set to apply L7 controls including SSL MitM
Install this to a CNF Instance
Add a CNF Instance to FortiAnalyzer
Inspect drill down widgets in FortiView
Inspect formatted logs in Log View

Tip

If you are short on time, we recommend scrolling through the section to see how easy it is to accomplish the tasks above and enjoy the results!

Task 1

Task 1: Deploying CNF Instances and GWLBe endpoints

Note

For this section of the workshop we will be using the us-west-1 (N. California) region. There is a deployment of another Application VPC where FortiGate-CNF will inspect the ingress & egress traffic flows. Also there is a Management VPC where FortiAnalyzer, FortiManager, and a Nikto Scanner are deployed.

1. In the AWS CloudFormation console, make sure you are in the us-west-1 (N. California) region, then toggle the view nested button to off > then select the stack name > and on the details pane select the outputs tab. You should see the output for FortiAnalyzerLoginURL. Copy just the public IP as we will need this for the next step.

1. In the FortiGate CNF console, navigate to CNF instances and click New. Provide a name for the CNF instance, select us-west-1 (N. California) for the region, toggle FortiManager mode to on, select FortiAnalyzer for the log type and paste the public IP from the previous step. To save time, you can configure the GWLBe endpoints at the same time. In the Endpoints section, click the New button. Then you can select the account, VPC, then toggle the Select from all subnets to off (this filters the subnets to only show ones that are properly tagged), and the subnet to deploy the VPC endpoint to. Repeat this step for all subnets in the table below, then click the Next button. Once all have been created, click OK.

VPC	Subnet
Application-VPC	Application-GwlbeSubnet1
Application-VPC	Application-GwlbeSubnet2

1. The CNF Instance should show up as active after roughly 10 minutes (Now is a great time for a break :) ). The endpoints will be deployed at this point.

1. To validate all GWLBe endpoints have been deployed and are active (takes ~5 mins), select and edit the CNF instance and click Next to view the GWLBe endpoints on the Configure Endpoints section of the wizard. Then click Exit to leave the CNF configuration wizard.

1. Log into your AWS Account and navigate to the VPC Console > Endpoints. Each of the GWLBe endpoints you deployed in the FortiGate CNF Console should be visible in your account. Notice the tag name and value pairs assigned to the endpoints.

Info

1. To validate that the relevant VPC routes have been automatically created to route traffic to the GWLBe endpoints, in the AWS VPC console, navigate to Virtual Private Cloud > Route Tables, select each of the route tables listed below and confirm these routes exist in the route tab of the route table details pane.

VPC Route Table	# Routes to GLWBe
Application-IgwRouteTable	2x (one per public subnet), one per GWLBe (each AZ)
Application-Public1RouteTable	1x (default route), GWLBe AZ1
Application-Public2RouteTable	1x (default route), GWLBe AZ2

1. To confirm that app1 in the Application VPC is reachable, in the AWS CloudFormation console, toggle the view nested button to off > then select the stack name > and on the details pane select the outputs tab. You should see the output for URLforApp1. Click on the value for that output to check that App1 is reachable now. You should see a simple webpage with some metadata about the backend web server instance that is reachable via the public Network Load Balancer (NLB).

1. This concludes this section.

Task 2

Task 2: FortiManager Integration

1. In the AWS CloudFormation console, make sure you are in the us-west-1 (N. California) region, then toggle the view nested button to off > then select the stack name > and on the details pane select the outputs tab. You should see the output for FortiManagerLoginURL. Login to the FortiManager with the username admin and the password FORTInet123!.

1. In the FortiManager GUI for the first login, you will be prompted to complete the setup wizard. Click Begin, Next, and Finish. Then on the home page, select Device Manager.

Info

Note: By default, FortiManager will be deployed with a self-signed certificate. You will see browser warnings for this and need to accept this to login successfully.

1. At the top left, click Add Device and select Discover Device.

1. In the FortiGate CNF console, navigate to CNF instances and select and edit the CNF instance, then toggle Display Primary FortiGate Information. Copy the Primary FGT information and click Exit.

1. In the FortiManager GUI, enter in the Primary FGT IP, toggle on Use Legacy Device Login, fill out the rest and click Next.

1. On the next page, click Next and the FortiManager will begin discovering and adding the CNF Instance.

1. Once this process is complete, click Import Now, then Import Policy Package and click Next. Select Automatically import all VDOMs and click Next and the FortiManager will import a policy package for each VDOM. Once complete, click Finish.

1. In the top left, click Device Manager then click Policy & Object. Then grab this bar and drag it to the right to see the full names of the policy packages.

1. Then right click the policy package ending in …root and click Delete. Do the same for the default policy package as well. Now you should be left with the policy package ending in …FG-Traffic.

1. Select policy #1, click Edit, then Edit again in the drop down menu.

1. In the edit firewall policy page, change the name to Inbound, set the Destination to be RFC1918-GRP, select default for Application Control, then all_default for IPS, toggle Log Allowed Traffic to All Sessions, finally type a note in the Change Note text box, then click OK to apply the changes.

1. Right click policy #1 again and click Clone Reverse to create a new policy. Then select policy #2, click Edit, then Edit again in the drop down menu.

1. In the edit firewall policy page, change the name to Outbound, select default for AntiVirus Profile, then monitor-all for Web Filter Profile, then deep-inspection for SSL/SSH Inspection, finally type a note in the Change Note text box, then click OK to apply the changes.

1. Right click the policy package and select Install Wizard. Then click Next, Next, Install. The FortiManager will begin pushing the modified policy package to the CNF Instance. Once complete, click Finish.

1. This concludes this section.

Task 3

Task 2: FortiAnalyzer Integration

1. In the AWS CloudFormation console, make sure you are in the us-west-1 (N. California) region, then toggle the view nested button to off > then select the stack name > and on the details pane select the outputs tab. You should see the output for FortiAnalyzerLoginURL. Login to the FortiAnalyzer with the username admin and the password FORTInet123!.

1. In the FortiAnalyzer GUI for the first login, you will be prompted to complete the setup wizard. Click Begin, Next, and Finish. Then on the home page, select Device Manager.

Info

Note: By default, FortiAnalyzer will be deployed with a self-signed certificate. You will see browser warnings for this and need to accept this to login successfully.

1. At the top right, click the Bell icon and select 2 Unauthorized device(s).. Then select both devices and click Authorize, on the next page click OK. Once complete, click Close.

1. Once logs have been received from all CNF instances, the widgets should all show green in a few minutes.

1. In the top left, click Device Manager then click FortiView and look at Top Threats. In ~15-20 minutes, logs should be generated by the EC2 instances in the Application VPC and the Nikto Scanner instance in the Management VPC. You can drill down on the widgets to get more information. Click on Eicar_TEST_File to see the source of the malware, then click the interface name to get to the formatted logs. Clicking on a log entry will bring up the log details.

Tip

Note: This malware was detected and blocked over a TLS encrypted connection because SSL MitM is enabled on the outbound policy.

1. Click on the following FortiView pages to see additional drill down widgets and click through the results to see more:
- Traffic -> Top Sources
- Traffic -> Top Destinations
- Traffic -> Policy Hits
- Applications & Websites -> Top Applications
- Applications & Websites -> Top Website Domains
- Applications & Websites -> Top Categories
- System -> Resource Usage

1. In the top left, click FortiView then click Log View then select FortiGate -> Security -> Intrusion Prevention. Double click any log entry to view the log details.

1. This concludes this section.

Secure AWS workloads with FortiGate CNF SaaS

Welcome!

Subsections of Secure AWS workloads with FortiGate CNF SaaS

Introduction

Secure AWS workloads with FortiGate CNF SaaS

Learning Objectives

Workshop Components

AWS Reference Architecture Diagram

Workshop Prerequisites

Subsections of Workshop Prerequisites

Workshop Logistics

Accessing an AWS environment

Accessing the FortiGate CNF Console

Navigating the AWS Console

AWS Networking Concepts

AWS Common Architecture Patterns

FortiGate CNF Terminology

Workshop Hands On

Subsections of Workshop Hands On

Task 1

Task 1: Subscribe to FortiGate CNF in AWS Marketplace & Onboard an AWS account

Task 2

Task 2: Deploying CNF Instances and GWLBe endpoints

Task 3

Task 3: Create a policy set and apply it to a FortiGate CNF Instance

Task 4

Task 4: Validate Resolution of Dynamic Address Objects

Workshop Test Traffic

Subsections of Workshop Test Traffic

Distributed Ingress

Distributed Egress

Centralized Egress

Centralized East West

Extra Credit

Subsections of Extra Credit

Task 1

Task 1: Deploying CNF Instances and GWLBe endpoints

Task 2

Task 2: FortiManager Integration

Task 3

Task 2: FortiAnalyzer Integration