Azure 102: FortiGate Foundational

In this course you will learn how to deploy a FortiGate NGFW and secure an Azure virtual network (VNET) to meet the security requirements of Company ABC as it moves server workloads to Azure. The course starts with the key services and terminology used in Azure when deploying public- and private-facing services in the public cloud, and continues with deploying a FortiGate to secure the VNET and the hosted services.

Course Goals

  • Learn key Azure services and terms
  • Deploy and configure a Virtual Network (VNET)
  • Deploy server VMs in a VNET
  • Deploy and configure a FortiGate network virtual appliance (NVA)
  • Deploy a route table and create User Defined Routes (UDRs)
  • Secure the VNET and hosted services using FortiGate policies

Continue to Chapter 1: Architecture Diagrams

Version:
Last updated: Thu, Aug 21, 2025 23:34:27 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Subsections of Azure 102: FortiGate Foundational

Chapter 1: Architecture Diagrams

Upon completion of this workshop, you will understand, create, and deploy the following:

  • Azure Services
  • Azure Virtual Network (VNET)
  • FortiGate-VM support for Azure
  • Create an Azure unsecured VNET
  • Deploy a FortiGate-VM to create an Azure secured VNET
  • Configure FortiGate firewall policies to control access to/from the Internet

Azure Reference Architecture Diagrams

  • Azure networking offers multiple ways to organize your Azure architecture to take advantage of FortiGate traffic inspection. Most importantly, traffic must follow a symmetrical routing path: the reverse flow must traverse the same FortiGate as the forward flow, because the FortiGate tracks sessions statefully and drops packets for a session it did not see established. As long as flows are symmetrical, the architecture will work and traffic will flow through a FortiGate NGFW for inspection.

  • You will deploy and configure the following two architectures:

    • Single VNET without a FortiGate NVA - Unsecured VNET

    Figure: Azure-Unsecured-VNET1

    • Single VNET with a FortiGate NVA - Secured VNET

    Figure: Azure-Secured-VNET

Continue to Chapter 2: Azure Fundamentals

Chapter 2: Azure Fundamentals

In this chapter, you will learn about fundamental Azure services that are key when deploying production solutions. These terms and services will be used extensively in this course.

Overview

  • Task 1: Fundamental Azure Services
  • Task 2: Azure Networking Concepts
  • Task 3: FortiGate-VM Support for Azure

Continue to Chapter 2 - Task 1: Fundamental Azure Services

Subsections of Chapter 2: Azure Fundamentals

Task 1: Fundamental Azure Services

Azure Portal

The Azure portal is a web-based, unified console that lets you create and manage all your Azure resources. With the Azure portal, you can manage your Azure subscription using a graphical user interface. You can build, manage, and monitor everything from simple web apps to complex cloud deployments in the portal. For example, you can set up a new database, increase the compute power of your virtual machines, and monitor your monthly costs. You can review all available resources, and use guided wizards to create new ones.

The Azure portal is designed for resiliency and continuous availability. It has a presence in every Azure datacenter. This configuration makes the Azure portal resilient to individual datacenter failures and helps avoid network slowdowns by being close to users. The Azure portal updates continuously, and it requires no downtime for maintenance activities. You can access the Azure portal with any supported browser.

Figure: Azure-Service-Portal

Figure: Azure-Service-Portal-Table

Azure Resource Group

An Azure Resource Group is a container that enables you to manage related resources for an Azure solution. By using the resource group, you can coordinate changes to the related resources. For example, you can deploy an update to the resource group and have confidence that the resources are updated in a coordinated operation. Or, when you’re finished with the solution, you can delete the resource group and know that all of the resources are deleted.

There are some important factors to consider when defining your resource group:

  • All the resources in your resource group should share the same lifecycle. You deploy, update, and delete them together. If one resource, such as a server, needs to exist on a different deployment cycle it should be in another resource group.
  • Each resource can exist in only one resource group.
  • You can add a resource to, or remove it from, a resource group at any time.
  • You can move a resource from one resource group to another group.
  • The resources in a resource group can be located in regions other than the resource group’s own region, but it’s recommended that you use the same location.
  • A resource group can be used to scope access control for administrative actions. To manage a resource group, you can assign Azure Policies, Azure roles, or resource locks.
  • You can apply tags to a resource group. The resources in the resource group don’t inherit those tags.
  • A resource can connect to resources in other resource groups. This scenario is common when the two resources are related but don’t share the same lifecycle. For example, you can have a web app that connects to a database in a different resource group.
  • When you delete a resource group, all resources in the resource group are also deleted.
  • You can deploy up to 800 instances of a resource type in each resource group. Some resource types are exempt from the 800 instance limit. For more information, see resource group limits. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resources-without-resource-group-limit
  • Some resources can exist outside of a resource group. These resources are deployed to the subscription, management group, or tenant. Only specific resource types are supported at these scopes.
  • To create a resource group, you can use the portal, Azure Resource Manager REST API, PowerShell, Azure CLI, ARM templates, and IaC tools, to name a few.

Azure Marketplace

Azure Marketplace is an online store for solutions that are built on or built for Azure and intended for IT professionals and developers. Buyers can access Azure Marketplace in the Azure portal or access the Azure Marketplace online store on the web. The Azure Marketplace online store includes listings for consulting and managed services. Azure Marketplace consulting services are professional service offerings that help customers get started with or accelerate the use of Azure. Azure Marketplace is a part of Azure, so you can access the catalog of Azure Marketplace solutions in the Azure portal through the Create a resource option. This option opens Azure Marketplace within the Azure portal, where you can search for solutions by name or by category.

Figure: Azure-Service-Marketplace

Continue to Chapter 2 - Task 2: Azure Networking Concepts

Task 2: Azure Networking Concepts

Figure: Azure-VNET-Basic

Azure Virtual Network

  • Azure Virtual Network is a service that provides the fundamental building block for your private network in Azure. An instance of the service (a virtual network) enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks. These Azure resources include virtual machines (VMs).

  • All resources in a virtual network can communicate outbound with the internet, by default. You can also use a public IP address, NAT gateway, or public load balancer to manage your outbound connections. You can communicate inbound with a resource by assigning a public IP address or a public load balancer.

  • You can connect virtual networks to each other by using virtual network peering. The resources in either virtual network can then communicate with each other. The virtual networks that you connect can be in the same, or different, Azure regions.

  • You can connect your on-premises computers and networks to a virtual network by using any of the following options:

    • Point-to-site virtual private network (VPN): Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its connection. This connection type is useful if you’re just getting started with Azure, or for developers, because it requires few or no changes to an existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet.
    • Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN gateway that’s deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.
    • Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic doesn’t go over the internet.
  • You can filter network traffic between subnets by using either or both of the following options:

    • Network security groups: Network security groups and application security groups can contain multiple inbound and outbound security rules. These rules enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
    • Network virtual appliances (NVA): A network virtual appliance is a VM that performs a network function, such as a firewall or WAN optimization. The FortiGate-VM is an NVA.
  • Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the internet, by default. You can implement either or both of the following options to override the default routes that Azure creates:

    • Route tables: You can create custom route tables that control where traffic is routed to for each subnet.
    • Border gateway protocol (BGP) routes: If you connect your virtual network to your on-premises network by using an Azure VPN gateway or an ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks. A FortiGate NVA can also peer with on-premises routers over BGP, but Azure does not read routes from an NVA’s own routing table; to have NVA-learned routes injected into the VNET, pair the FortiGate with Azure Route Server.

Azure Virtual Network Concepts

Before diving into the reference architecture for this workshop, let’s review some basic Azure networking concepts.

  • Address space: When creating a virtual network, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a virtual network with address space, 10.0.0.0/16, the VM is assigned a private IP like 10.0.0.4.

  • Subnets: Subnets let you segment the virtual network’s address space into one or more sub-networks and allocate a portion of that space to each. You then deploy Azure resources into a specific subnet. As in a traditional network, segmentation lets you group resources the way your organization’s internal network does and improves address allocation efficiency. You can secure resources within subnets using Network Security Groups.

  • Regions: A virtual network is scoped to a single region/location; however, multiple virtual networks from different regions can be connected together using Virtual Network Peering.

  • Subscription: A virtual network is scoped to a subscription. You can implement multiple virtual networks within each Azure subscription and Azure region.

In this workshop we will use these components to highlight insertion of FortiGate NGFW into an enterprise architecture.

Continue to Chapter 2 - Task 3: FortiGate-VM Support for Azure

Task 3: FortiGate-VM Support for Azure

FortiGate-VM

By combining stateful inspection with a comprehensive suite of powerful security features, FortiGate next generation firewall technology delivers complete content and network protection. This solution is available for deployment on Microsoft Azure.

In addition to advanced features such as an extreme threat database, vulnerability management, and flow-based inspection, features including application control, firewall, antivirus, IPS, web filter, and VPN work in concert to identify and mitigate the latest complex security threats.

FortiGate-VM for Azure supports an active/passive high availability (HA) configuration with FortiGate-native unicast HA synchronization between the primary and secondary nodes. When the FortiGate-VM detects a failure, the passive instance becomes active and uses Azure API calls (through its Azure SDN connector) to move the public IP address and update the route table next hops so that traffic follows the new active node.

FortiGate-VM also supports active/passive HA and active/active HA using Azure load balancer services.

Instance Type Support

FortiGate supports the following instance types on Azure:

Models

FortiGate-VM is available with different CPU and RAM sizes and you can deploy it on various private and public cloud platforms. The following table shows the models conventionally available to order, also known as bring your own license models.

Figure: Azure-FGT-Support-Models

Continue to Chapter 3 - Getting Started

Chapter 3: Getting Started

In this chapter, you will enter your information to confirm course attendance and log in to the Azure portal for the first time with your assigned credentials.

Overview

  • Azure Environment Provision - If required.
  • Azure Portal - Lab Access

Continue to Chapter 3 - Azure Environment Provision

Subsections of Chapter 3: Getting Started

Azure Environment Provision

Public Cloud - 102 - Azure Foundational

Provision an environment for this workshop

Info

Provision an environment only if this session is being run without pre-staged environments. A pre-provisioned environment is one where a username and password has been or will be provided by the instructor.

Email Address

  • Please use the same email address here as the one provided at the beginning of this session.
PLEASE DO NOT SUBMIT MULTIPLE TIMES

After submitting, the page reloads with a blank email address box and no other confirmation.

Continue to Chapter 3 - Task 1: Azure Portal Lab Access

Task 1: Azure Portal Lab Access

Lab Environment

  • This lab is configured to allow each student to have their own training lab environment using pre-created Azure resource groups all in one shared Azure Subscription.

Azure Portal Lab Access

  • First, you must log in to the Azure Portal. Then, you will gain access to the lab environment.

To access the Azure Portal sign-in page

  1. Open a browser and access the following URL:

  2. Use the credentials shared with you by your instructors.

  3. Enter Temporary access credentials

  4. Click Sign in.

  5. Click No on the ‘Stay signed in?’ prompt

  6. Click Get started on the ‘Welcome to Microsoft Azure’ page.

  7. Click Skip on the ‘How do you plan to use Azure’ page.

  8. Click Skip on the ‘Now, let’s show you around Azure’ page.

  9. Click on the Home link in the upper left corner.

    Figure: Azure-Home

  10. Click on Resource Groups in the main page.

    Figure: Azure-Portal-RG

  11. Confirm your resource group is shown.

    Figure: Azure-Portal-Verify

Continue to Chapter 4: Deploy a VNET

Chapter 4: Deploy a VNET

In this chapter, you will deploy an Azure VNET, deploy two Linux VMs in their respective subnets, and identify services that are enabled on each Linux VM and confirm access to the Internet.

Tasks to complete

  • Task 1: Deploy an Azure Virtual Network (VNET)
  • Task 2: Deploy Linux VMs
  • Task 3: Identify VM Info and Unsecured Services

Continue to Chapter 4 - Task 1: Deploy an Azure Virtual Network (VNET)

Subsections of Chapter 4: Deploy a VNET

Task 1: Deploy an Azure Virtual Network (VNET)

In Task 1, you will deploy a VNET (virtual network) in the training resource group you have been assigned.

  1. Navigate into your Resource Group and click on the + Create located at the top left of the tool bar.

    Figure: Azure-creating-vnet

    You will be redirected to the Azure Marketplace.

  2. In the Marketplace search bar

    • Enter Virtual Network and press Enter
    • Navigate to the Virtual Network offering from Microsoft
    • Select Create and Virtual network.

    Figure: Azure-creating-vnet-1

    You will be redirected to the Create virtual network template.

  3. Under the Basics tab, the Subscription and Resource Groups should already be filled in with your assigned info. If not, see the screen shot below for details.

    • Under Instance details, enter the following:

      • Virtual network name: “Studentxx_VNET” (replace “xx” with your assigned student number)
      • Region: “(US) West US 3”
    • Click Next.

    Figure: Azure-creating-vnet-2

  4. On the Security tab, make sure none of the services are selected and click Next. Feel free to read through the available services that can be enabled.

  5. On the IP addresses tab, edit the default address space to “192.168.1.0/24”.

    • Select the edit button (red) next to the “default” subnet and, in the new window to the right, update the following:

      • Name: “External_Subnet”
      • Starting address: “192.168.1.0”
      • Size: “/27”
    • Select Save.

      Figure: Azure-creating-vnet-3

    • Select + Add a subnet (see red below) and add the FortiGate internal subnet with the name and range shown in the figure (the FortiGate deployment in Chapter 5 expects this subnet to be named Internal_Subnet).

      Figure: Azure-creating-vnet-4

  6. Select + Add a subnet again for each of the two protected subnets:

    • “Protected-A_Subnet”: starting address “192.168.1.128”, size “/27” (192.168.1.128/27)

    • “Protected-B_Subnet”: starting address “192.168.1.160”, size “/27” (192.168.1.160/27)

      These ranges match the diagram below and are the subnets the Linux VMs are attached to in Task 2.

    • Click Next.

    Figure: Azure-creating-vnet-5

  7. On the Tags tab, click Next.

  8. On the Review + create tab

    • confirm the template summary and select create.

    Figure: Azure-creating-vnet-6

  9. When the deployment is complete, you will get a Your deployment is complete notice.

    • Confirm your deployment has completed and under Resource group select the “studentxx-azure102-rg” link. See red section below.

    Figure: Azure-creating-vnet-7

  10. Your screen should return you to your respective resource group with the new virtual network listed. Feel free to click on the new virtual network and look around.

    Figure: Azure-creating-vnet-8

  11. You have just created an Azure virtual network (VNET). The diagram below is a visual representation of your new VNET.

    Figure: Azure-VNET-Basic
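The portal validates each subnet as you type it, but it is worth being able to check an addressing plan before you click through it. The script below is an added example written for this page, not code from the course or from Fortinet. It checks the plan used in this task (192.168.1.0/24 with External_Subnet, Protected-A_Subnet and Protected-B_Subnet) the way Azure will: every subnet must be a valid network address inside the VNET space, no two subnets may overlap, nothing smaller than a /29 is allowed, and Azure reserves five addresses per subnet (network, default gateway, two for Azure DNS, broadcast), so the first VM lands on .4. It works for any VNET plan, not only this one. The Internal_Subnet range is not given in the text, so it is left out of the sample plan; add it once you know it.

```python
"""Check a VNET addressing plan the way Azure enforces it.

Added example for this lab; not course or Fortinet code. Requires Python 3.7+.
"""
import ipaddress

AZURE_RESERVED = 5        # network, gateway (.1), Azure DNS (.2, .3), broadcast
AZURE_MIN_PREFIX = 29     # Azure rejects subnets smaller than a /29

# Addressing plan from this task. Internal_Subnet is not given in the text,
# so it is omitted here; add it when you know its range.
LAB_VNET = "192.168.1.0/24"
LAB_SUBNETS = {
    "External_Subnet": "192.168.1.0/27",
    "Protected-A_Subnet": "192.168.1.128/27",
    "Protected-B_Subnet": "192.168.1.160/27",
}


def check_plan(vnet_cidr, subnets):
    """Return (problems, summary).

    problems: list of human-readable strings, empty when the plan is valid.
    summary:  {subnet name: {"first_vm_ip": str, "assignable": int}}
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    problems = []
    summary = {}
    nets = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects a "starting address" that is not the network
            # address of the block, e.g. 192.168.1.144/27.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network address ({exc})")
            continue
        nets[name] = net
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {net} lies outside the VNET space {vnet}")
        if net.prefixlen > AZURE_MIN_PREFIX:
            problems.append(
                f"{name}: /{net.prefixlen} is smaller than the Azure minimum /{AZURE_MIN_PREFIX}"
            )
        summary[name] = {
            "first_vm_ip": str(net.network_address + 4),   # first address Azure hands out
            "assignable": net.num_addresses - AZURE_RESERVED,
        }
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems, summary


if __name__ == "__main__":
    probs, summ = check_plan(LAB_VNET, LAB_SUBNETS)
    for name, info in summ.items():
        print(f"{name:20s} first VM IP {info['first_vm_ip']:16s} assignable {info['assignable']}")
    for p in probs:
        print("PROBLEM:", p)
```

Run it as-is to see that the lab plan is clean and that the first VM in Protected-A_Subnet will get 192.168.1.132; then try adding a subnet such as 192.168.1.128/26 or 192.168.1.144/27 to see the overlap and alignment errors the portal would otherwise surface one field at a time.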

Continue to Chapter 4 - Task 2: Deploy Linux Virtual Machines (VMs).

Task 2: Deploy Linux Virtual Machines (VMs)

Now that a VNET is configured, Task 2 will cover

  • Deploying two Linux VMs in the VNET
  • Identify assigned public IP (PIP)
  • Confirm access to the Internet
  • Confirm access between each VM

  • Linux-A-VM will be placed in Protected-A_Subnet
  • Linux-B-VM will be placed in Protected-B_Subnet

Steps to create Linux-A-VM

  1. Navigate into your Resource Group and click on the + Create located at the top left of the tool bar.

    Figure: Azure-creating-vnet

    You will be redirected to the Azure Marketplace.

  2. In the Marketplace search bar, enter ubuntu 24.04 lts and press Enter. Navigate to the Ubuntu 24.04 LTS - all plans including Ubuntu Pro offering from Canonical and select Create and Ubuntu Server 24.04 LTS.

    Figure: Azure-creating-vnet

    You will be redirected to the Create a virtual machine template.

  3. Under the Basics tab, update the following fields:

    (Leave the default entry for the other fields not listed here)

    • Resource group: “studentxx-azure102-rg”
    • Virtual machine name: “Linux-A-VM”
    • Availability options: “No infrastructure redundancy required”
    • Security type: “Standard”
    • Size: select “See all sizes”

    Figure: Azure-create-linux-vm-8

    • On the Select a VM size screen, expand the D-Series v5 section and select “D2as_v5” and then click Select

    Figure: Azure-create-linux-vm-9

    • Continuing from the Create a virtual machine screen:

      • Authentication type: “Password”
      • Username: “studentxx” (replace xx with your student number)
      • Password: “FortinetAzure2024!” (the same as your Azure portal login; sharing one password between the portal and a VM is acceptable only in a throwaway lab)
      • Confirm password: “FortinetAzure2024!”
  4. Confirm the changes and the other fields default entries match the following diagram.

    Figure: Azure-create-linux-vm-1

    Figure: Azure-create-linux-vm-2

    Figure: Azure-create-linux-vm-3

  5. Select Next: Disks >.

  6. On the Disk tab, keep the default settings and click Next: Networking >. Feel free to read through the available disk services that can be changed/enabled.

  7. Under the Networking tab, update the following fields: (Leave the default entry of the other fields not listed here)

    • Virtual network: “Studentxx_VNET”

    • Subnet: “Protected-A_Subnet (192.168.1.128/27)”

    • Public IP: select Create new

    • In the Create public IP address pane that opens on the right, enter the following:

      • Name: “Linux-A-VM_PIP”
      • Routing preference: “Internet”
      • Select OK
    • Delete public IP and NIC when VM is deleted: check the box

  8. Confirm the changes and the other fields default entries match the following diagram.

    Figure: Azure-create-linux-vm-4

    Figure: Azure-create-linux-vm-5

  9. Select Review + create >.

  10. Feel free to read through the Management, Monitoring, Advanced, and Tags tabs for additional services that can be changed/enabled.

  11. Confirm the template validation has passed and select Create

    Figure: Azure-create-linux-vm-6

  12. The Deployment is in progress notice is displayed.

    Figure: Azure-create-linux-vm-7

  13. Once the Your deployment is complete notice is displayed, click on the studentxx-azure102-rg link to be redirected to your resource group.

    Figure: Azure-create-linux-vm-10

  14. Verify the new Linux-A-VM and the associated components are listed.

    Figure: Azure-create-linux-vm-11

Steps to create Linux-B-VM

  1. Follow the same steps 1-14 above to create Linux-B-VM, changing the following where appropriate:

    • Virtual machine name: “Linux-B-VM”
    • Subnet: “Protected-B_Subnet (192.168.1.160/27)”
    • Public IP: select Create new
    • In the Create public IP address pane on the right, enter Name: “Linux-B-VM_PIP”

  2. Verify the new Linux-B-VM and the associated components are listed.

    Figure: Azure-create-linux-vm-12

Continue to Chapter 4 - Task 3: Identify VM info and Unsecured Services

Task 3: Identify VM Info and Unsecured Services

Now that you have deployed both Linux virtual machines, Linux-A-VM and Linux-B-VM, you are going to identify their assigned private and public IP (PIP) addresses, confirm which ports are open on each VM, and what access is available to and from their assigned subnets.

In the following steps 1-6, you will learn how to navigate and identify IP information for both VMs and login to each VM via the console.

Useful hint: open the serial console of each virtual machine in its own browser tab to simplify navigation.

  1. Navigate into your Resource Group and right click on the virtual machine Linux-A-VM. Select Open Link in New Tab

    Figure: Azure-identify-pip-access

    You will see the Linux-A-VM Overview page in a new tab.

  2. Under the Essentials and Properties sections, right hand side, identify the assigned private and public IP of Linux-A-VM

    • Navigate to the bottom left of the screen, expand the Help menu, and select Serial console.

      Figure: Azure-identify-pip-access1

    You will be redirected to the Linux-A-VM | Serial Console screen.

  3. Login to the Linux-A-VM console using the credentials you used when creating the Linux-A-VM.

    Figure: Azure-identify-pip-access2

  4. Return to the studentxx-azure102-rg tab and right click on the virtual machine Linux-B-VM. Select Open Link in New Tab

    You will see the Linux-B-VM Overview page in a new tab.

  5. Under the Essentials and Properties sections, right hand side, identify the assigned private and public IP of Linux-B-VM

    • Navigate to the bottom left of the screen, expand the Help menu, and select Serial console.

      You will be redirected to the Linux-B-VM | Serial Console screen.

  6. Login to the Linux-B-VM console using the credentials you used when creating Linux-B-VM.

    Company ABC’s VNET security policy is as follows:

    • Linux-A-VM is the management server. Per company ABC security policy, it should have only SSH and PING access to Linux-B-VM and HTTP/HTTPS access to the Internet. SSH access to Linux-A-VM from the Internet should also be allowed.

    • Linux-B-VM is the www server. Only HTTP from the Internet should be allowed in. It should also have HTTP and HTTPS access to the Internet and only PING access to Linux-A-VM.

    The goals of steps 7 and 8 are to note which service ports are open and listening on each VM, what access each VM has across subnets, and which services each VM exposes to, and can reach on, the Internet.

    With this information, you can implement company ABC’s VNET security policy when securing the VNET in Chapter 5: Securing the VNET.

    Make sure to configure Linux-B-VM first (step 7), because step 8 scans it for the web server installed there.

  7. From the Linux-B-VM CLI:

    • Ping www.yahoo.com to confirm DNS resolution and ICMP access to the Internet: “ping www.yahoo.com” (Ctrl+C to stop)
    • Confirm port 80 access to the Internet: “wget www.fortinet.com” (look for a “200 OK” response)
    • Confirm port 443 access to the Internet and the public IP assigned to Linux-B-VM: “curl https://ipinfo.io/ip” (compare with the public IP the Azure portal listed in step 5)
    • Check for Ubuntu updates and install them:
      • “sudo apt update”
      • “sudo apt upgrade”, answering “Y” when prompted
      • Type “clear” after the updates have finished
    • Install the NGINX web server: “sudo apt install nginx”, answering “Y” when prompted. The service is started on install and listens on port 80.
    • Check access to Linux-A-VM:
      • Ping the private IP of Linux-A-VM and confirm replies (see step 2 for the IP)
      • Install Nmap: “sudo apt install nmap”, answering “Y” when prompted
      • Scan Linux-A-VM: “nmap -F 192.168.1.xxx” (see step 2 for the IP; -F scans the 100 most common ports). Note the open port(s) on Linux-A-VM.
    • Confirm SSH access to Linux-A-VM:
      • Log in via SSH: “ssh studentxx@192.168.1.xxx”
      • Run “sudo ss -ltn” to list listening TCP sockets and compare with what Nmap reported. Sockets bound only to a loopback address (for example systemd-resolved’s DNS stub on 127.0.0.53:53) are not reachable from another host and will not appear in the scan; compare only sockets bound to 0.0.0.0 or [::].
      • Type “exit” to disconnect from Linux-A-VM
  8. From the Linux-A-VM CLI:

    • Ping www.yahoo.com and confirm replies: “ping www.yahoo.com” (Ctrl+C to stop)
    • Confirm port 80 access to the Internet: “wget www.fortinet.com”
    • Confirm port 443 access to the Internet and the public IP assigned to Linux-A-VM: “curl https://ipinfo.io/ip” (compare with the public IP the Azure portal listed in step 2)
    • Check for Ubuntu updates and install them:
      • “sudo apt update”
      • “sudo apt upgrade”, answering “Y” when prompted
      • Type “clear” after the updates have finished
    • Ping the private IP of Linux-B-VM and confirm replies (see step 5 for the IP)
    • Install Nmap: “sudo apt install nmap”, answering “Y” when prompted
    • Scan Linux-B-VM: “nmap -F 192.168.1.xxx” (see step 5 for the IP). Note the open port(s) on Linux-B-VM; the NGINX port should now appear alongside SSH.
    • Confirm SSH access to Linux-B-VM:
      • Log in via SSH: “ssh studentxx@192.168.1.xxx”
      • Run “sudo ss -ltn” and compare the sockets bound to 0.0.0.0 or [::] with what Nmap reported
      • Type “exit” to disconnect from Linux-B-VM

The following diagram is a visual representation of your current VNET and VM deployment.

Figure: Azure-Unsecured-VNET1

What do steps seven and eight, above, tell you about access to/from the Internet to both Linux VMs? Does this match company ABC’s VNET security policy?

What do steps seven and eight, above, tell you about access between each Linux VM in different subnets? Does this match company ABC’s VNET security policy?
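One way to answer the two questions above systematically is to write company ABC’s policy down as an ordered rule list and run the flows you just observed through it. The script below is an added example written for this page, not code from the course or from Fortinet. It evaluates rules top-down, first match wins, with an implicit deny at the end, which is how the FortiGate will evaluate the policies you build in Chapter 5. The private IPs of the two VMs are assumptions (the first assignable address in each subnet); substitute the ones the portal shows you. The observed flows are constructed from what steps 7 and 8 find: SSH (22) open on both VMs, HTTP (80) open on Linux-B-VM once NGINX is installed, ICMP working in both directions, and both VMs reaching the Internet on 80 and 443. Inbound access from the Internet is not tested in those steps, so it is not in the observed list.

```python
"""Compare what the unsecured VNET allows today with Company ABC's policy.

Added example for this lab; not course or Fortinet code.
"""
from dataclasses import dataclass

LINUX_A = "192.168.1.132"   # assumed private IP; use the one the portal shows
LINUX_B = "192.168.1.164"   # assumed private IP; use the one the portal shows
INTERNET = "internet"


@dataclass(frozen=True)
class Flow:
    src: str        # LINUX_A, LINUX_B or INTERNET
    dst: str
    proto: str      # "tcp" or "icmp"
    port: int = 0   # destination port; 0 for icmp


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: frozenset
    action: str     # "accept" or "deny"


def accept(src, dst, proto, *ports):
    return Rule(src, dst, proto, frozenset(ports), "accept")


# Company ABC's VNET security policy from the lab text, one rule per statement.
# Only the initiating direction needs a rule; the reply traffic belongs to the
# same stateful session, as it will on the FortiGate.
POLICY = [
    accept(LINUX_A, LINUX_B, "tcp", 22),
    accept(LINUX_A, LINUX_B, "icmp"),
    accept(LINUX_A, INTERNET, "tcp", 80, 443),
    accept(INTERNET, LINUX_A, "tcp", 22),
    accept(INTERNET, LINUX_B, "tcp", 80),
    accept(LINUX_B, INTERNET, "tcp", 80, 443),
    accept(LINUX_B, LINUX_A, "icmp"),
]


def decide(flow, policy=POLICY):
    """Top-down, first matching rule wins; no match means implicit deny."""
    for rule in policy:
        if (rule.src, rule.dst, rule.proto) != (flow.src, flow.dst, flow.proto):
            continue
        if rule.proto == "icmp" or flow.port in rule.ports:
            return rule.action
    return "deny"


# Flows that steps 7 and 8 show are possible in the unsecured VNET (constructed).
OBSERVED = [
    Flow(LINUX_B, LINUX_A, "icmp"),
    Flow(LINUX_B, LINUX_A, "tcp", 22),
    Flow(LINUX_A, LINUX_B, "icmp"),
    Flow(LINUX_A, LINUX_B, "tcp", 22),
    Flow(LINUX_A, LINUX_B, "tcp", 80),
    Flow(LINUX_A, INTERNET, "tcp", 80),
    Flow(LINUX_A, INTERNET, "tcp", 443),
    Flow(LINUX_B, INTERNET, "tcp", 80),
    Flow(LINUX_B, INTERNET, "tcp", 443),
]


def violations(observed=OBSERVED, policy=POLICY):
    """Observed flows that the policy says must be denied."""
    return [f for f in observed if decide(f, policy) == "deny"]


if __name__ == "__main__":
    for f in violations():
        print(f"policy violation: {f.src} -> {f.dst} {f.proto}/{f.port}")
```

Running it reports two gaps between what the VNET allows and what the policy requires: Linux-B-VM can SSH to Linux-A-VM, and Linux-A-VM can reach the web server on Linux-B-VM. Neither is blocked today because nothing sits between the two subnets; both are what the FortiGate policies in Chapter 5 have to close.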

Continue to Chapter Five: Securing the VNET

Chapter 5: Securing the VNET

In this chapter, you will secure your VNET by deploying a FortiGate NVA, deploying a route table, and adding user defined routes so the Linux VMs send their traffic to the FortiGate for inspection and filtering. The FortiGate effectively becomes the default gateway for all traffic to and from the Linux VMs.

In Tasks 3, 4, and 5, you will confirm that Linux VM traffic passes through the FortiGate and create policies to manage the network traffic.

Tasks to complete

  • Task 1: Deploy a FortiGate NVA
  • Task 2: Deploy a Route Table and Create a UDR
  • Task 3: Confirm Linux VMs access via FortiGate
  • Task 4: Configure FortiGate Policies
  • Task 5: Confirm Managed Traffic
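Before building the route table in Task 2, it helps to see exactly which routes a UDR does and does not override. Azure picks the effective route for a packet by longest prefix match, and when a user defined route and a system route have the same prefix the UDR wins. The script below is an added example written for this page, not code from the course or from Fortinet; it models that selection for the subnets in this lab. The FortiGate’s internal (port2) address is a placeholder assumption, since the Internal_Subnet range is not given in the text. The point it makes is the one behind the symmetric-routing requirement in Chapter 1: a single 0.0.0.0/0 route to the FortiGate captures Internet-bound traffic, but traffic between Protected-A_Subnet and Protected-B_Subnet still matches the more specific 192.168.1.0/24 system route and bypasses the firewall unless you add routes for those /27 prefixes as well.

```python
"""Model how Azure chooses the effective route for a packet leaving a NIC.

Added example for this lab; not course or Fortinet code.
"""
import ipaddress

VNET = "192.168.1.0/24"
FGT_INTERNAL_IP = "192.168.1.36"   # assumed: FortiGate port2 in Internal_Subnet
PROTECTED_A = "192.168.1.128/27"
PROTECTED_B = "192.168.1.160/27"

# Azure's default system routes for a subnet in this VNET (no peering, no gateway).
SYSTEM_ROUTES = [
    (VNET, "VirtualNetwork", None),
    ("0.0.0.0/0", "Internet", None),
]


def effective_route(destination, udrs):
    """Return the (prefix, next_hop_type, next_hop_ip) Azure would use.

    udrs: list of (prefix, next_hop_type, next_hop_ip) from the route table
    attached to the source subnet. Longest prefix wins; on an equal prefix a
    UDR beats a system route.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [(r, 0) for r in SYSTEM_ROUTES] + [(r, 1) for r in udrs]
    best = None
    for (prefix, hop_type, hop_ip), is_udr in candidates:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, is_udr)
        if best is None or key > best[0]:
            best = (key, (prefix, hop_type, hop_ip))
    return best[1]


def goes_through_fortigate(destination, udrs):
    """True if the chosen route's next hop is the FortiGate appliance."""
    _, hop_type, hop_ip = effective_route(destination, udrs)
    return hop_type == "VirtualAppliance" and hop_ip == FGT_INTERNAL_IP


# Route table with only a default route to the FortiGate.
DEFAULT_ONLY = [("0.0.0.0/0", "VirtualAppliance", FGT_INTERNAL_IP)]

# Route table that also forces traffic between the protected subnets through
# the FortiGate: the /27 entries are longer than the /24 system route, so they win.
WITH_INTRA_VNET = DEFAULT_ONLY + [
    (PROTECTED_A, "VirtualAppliance", FGT_INTERNAL_IP),
    (PROTECTED_B, "VirtualAppliance", FGT_INTERNAL_IP),
]

if __name__ == "__main__":
    for label, table in (("default-only", DEFAULT_ONLY), ("with intra-VNET UDRs", WITH_INTRA_VNET)):
        for dst in ("8.8.8.8", "192.168.1.170"):
            print(f"{label:22s} -> {dst:15s} {effective_route(dst, table)}")
```

Whatever table you end up with, associate the same one with both protected subnets: if only Protected-A_Subnet sends inter-subnet traffic to the FortiGate, the reply from Protected-B_Subnet takes the system route straight back, the FortiGate never sees the return half of the session, and it drops the flow.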

Continue to Chapter 5 - Task 1: Deploy a FortiGate NVA

Subsections of Chapter 5: Securing the VNET

Task 1: Deploy a FortiGate NVA

In the following task, you will deploy a FortiGate network virtual appliance (NVA) in the training resource group you have been assigned. After deployment, you will log in to the FortiGate and verify a few settings.

Creation Steps

  1. Navigate into your Resource Group and click on the + Create located at the top left of the tool bar.

    Figure: Azure-creating-vnet

    You will be redirected to the Azure Marketplace.

  2. In the Marketplace search bar, enter Fortinet FortiGate and press Enter. Navigate to the Fortinet FortiGate Next-Generation Firewall offering from Fortinet and select Create and Single VM.

    Figure: 4-1-Azure-deploy-fgt-1

    You will be redirected to the Create Single VM template.

  3. Under the Basics tab, the Subscription and Resource Groups should already be filled in with your assigned info. If not, see the screen shot below for details.

    • Under Instance details, select/enter the following:
      • Region: “West US 3”
      • FortiGate administrative username: “studentxx”
      • FortiGate password/Confirm password: “FortinetAzure2024!”
      • FortiGate Name Prefix: “studentxx”
      • FortiGate Image SKU: “Pay As You Go”
      • FortiGate Image Version: “7.4.4”
    • Select Next.

    [Screenshot: 4-1-Azure-deploy-fgt-2]

  4. On the Instance tab, review the default entries. Note the two blue shaded areas under FortiGate License for future reference.

    • Select Next.

    [Screenshot: 4-1-Azure-deploy-fgt-3]

    [Screenshot: 4-1-Azure-deploy-fgt-4]

  5. On the Networking tab, enter/edit the following:

    • Virtual network: “Studentxx_VNET (studentxx-azure102-rg)”. (Do not select the option with the prepended (NEW)).
    • External Subnet: “External_Subnet”
    • Internal subnet: “Internal_Subnet”
    • Protected subnet: “Protected-A_Subnet”
    • Accelerated Networking: “Enabled”
    • Select Next.

    [Screenshot: 4-1-Azure-deploy-fgt-5]

    [Screenshot: 4-1-Azure-deploy-fgt-6]

  6. On the Public IP tab, keep the default Public IP address already entered. It should have a “(new)” listed in the beginning of the field.

    • Select Next.

    [Screenshot: 4-1-Azure-deploy-fgt-7]

  7. On the Advanced tab, keep the default settings. Note the option for the FortiGate to be managed by a FortiManager.

    • Select Next.

    [Screenshot: 4-1-Azure-deploy-fgt-8]

    [Screenshot: 4-1-Azure-deploy-fgt-9]

  8. On the Review + create tab, scroll down and review the template entries.

    • Select Create.

    [Screenshot: 4-1-Azure-deploy-fgt-10]

  9. The screen should refresh and you will see Deployment is in progress.

    [Screenshot: 4-1-Azure-deploy-fgt-11]

  10. After a few minutes, you will see Your deployment is complete. Select Go to resource group.

    [Screenshot: 4-1-Azure-deploy-fgt-12]

  11. Confirm the FortiGate NVA and its related services have been deployed.

    [Screenshot: 4-1-Azure-deploy-fgt-13]

  12. Select studentxx-FGT and the Overview page will be displayed. Look under the Properties tab/Networking section (mid screen, right hand column) and identify the Public IP address and Private IP address. This information is listed redundantly in several places (see the right hand column under Essentials).

    [Screenshot: 4-1-Azure-deploy-fgt-14]

  13. Copy and paste the Public IP address into your local browser and you should be directed to the FortiGate NVA login page. Don’t forget to prefix the Public IP address with https://.

  14. Enter the login info you created in Step 3 above. You will be presented with the FortiGate Setup page. Click “Begin”.

    [Screenshot: 4-1-Azure-deploy-fgt-22]

  15. On the Migrate Config with FortiConverter page, click “Later”.

    [Screenshot: 4-1-Azure-deploy-fgt-19]

  16. On the Automatic Patch Upgrades for v7.4 page, click “Save and continue”.

    [Screenshot: 4-1-Azure-deploy-fgt-20]

  17. On the Disable Automatic Patch Upgrades page, select “I acknowledge” and then “OK”.

    [Screenshot: 4-1-Azure-deploy-fgt-21]

  18. On the Dashboard Setup page, select “OK”.

    [Screenshot: 4-1-Azure-deploy-fgt-23]

  19. On the What’s new in FortiOS 7.4 video, select “Don’t show again” and “OK”.

    [Screenshot: 4-1-Azure-deploy-fgt-15]

  20. Look around and get familiar with the Dashboard/Status page. Note items such as the Virtual Machine widget with the PAYGO license, Firmware version, and WAN IP.

    [Screenshot: 4-1-Azure-deploy-fgt-16]

  21. Navigate on the left to Network and Interfaces. Note the port1 and port2 interfaces and their assigned private IP addresses.

    • Why did they get assigned these subnets? Note the private IP address for both port1 and port2. You will need this info for future tasks.

    [Screenshot: 4-1-Azure-deploy-fgt-17]

  22. Feel free to continue looking around the FortiGate GUI and see if you notice screens that are different compared to a hardware FortiGate GUI.

  23. You have just deployed a FortiGate NVA. The diagram below is a visual representation of your VNET with the Linux VMs and FortiGate NVA.

    [Screenshot: 4-1-Azure-deploy-fgt-18]

Continue to Chapter 5 - Task 2: Deploy a Route Table and Create a UDR

Task 2: Deploy a Route Table and Create a UDR

In Task Two, you will deploy a Route Table and modify the Route Table by associating both protected subnets to use port2 of the FortiGate as the default route. This is what is called a User Defined Route (UDR).

  1. Navigate into your Resource Group and click on the + Create located at the top left of the toolbar.

    [Screenshot: Azure-creating-vnet]

    You will be redirected to the Azure Marketplace.

  2. In the Marketplace search bar, enter route table and press Enter. Navigate to the Route table offering from Microsoft and select Create and Route table.

    [Screenshot: 4-2-Azure-deploy-rt-1]

    You will be redirected to the Create Route table template.

  3. Under the Basics tab, the Subscription and Resource Group should already be filled in with your assigned info. If not, see the screenshot below for details.

    • Under Instance details, enter the following:
      • Region: “West US 3”
      • Name: “Studentxx_RT” (Replace xx with your assigned student number)
      • Propagate gateway routes: “No”
    • Select Next.

    [Screenshot: 4-2-Azure-deploy-rt-2]

  4. On the Tags tab, click Next. Nothing to enter here.

  5. On the Review + create tab, confirm your entries under Basics and then select Create.

    [Screenshot: 4-2-Azure-deploy-rt-3]

  6. The screen should refresh and you will see Deployment is in progress.

  7. After a few minutes, you will see Your deployment is complete. Select Go to resource. You will be directed to the Studentxx_RT Overview page.

    [Screenshot: 4-2-Azure-deploy-rt-4]

  8. Take a few moments and familiarize yourself with the route table Overview page.

    In the next few steps, you will be creating a UDR.

  9. From the Studentxx_RT Overview page, navigate to Settings and then Routes. From the Routes page, select + Add.

    [Screenshot: 4-2-Azure-deploy-rt-5]

  10. The Add route pane will display on the right. Enter the following:

    • Route name: “Default”
    • Destination type: “IP Address”
    • Destination IP address/CIDR ranges: “0.0.0.0/0”
    • Next hop type: “Virtual appliance”
    • Next hop address: “192.168.1.36” (Confirm this is the same IP assigned to port2 on your FortiGate NVA).
    • Select Add.

    [Screenshot: 4-2-Azure-deploy-rt-6]

  11. You will see the new route called Default listed under the Routes section.

    [Screenshot: 4-2-Azure-deploy-rt-7]

  12. Continue to add two more routes for Protected-A-Subnet and Protected-B-Subnet.

    [Screenshot: 4-2-Azure-deploy-rt-11]

  13. When finished, the Routes page should have the three routes listed. See the following diagram for confirmation.

    [Screenshot: 4-2-Azure-deploy-rt-12]

  14. On the left hand side, select Subnets and + Associate. The Associate subnet page will display on the right. Enter the following:

    • Virtual network: “Studentxx_VNET” (Replace xx with your assigned student number)
    • Subnet: “Protected-A_Subnet”
    • Select OK.

    [Screenshot: 4-2-Azure-deploy-rt-8]

  15. Click + Associate again and add the Protected-B_Subnet. You should have both subnets listed under the Subnets tab.

    [Screenshot: 4-2-Azure-deploy-rt-9]

  16. Return to the Overview page to see a summary of the Routes and associated Subnets.

    [Screenshot: 4-2-Azure-deploy-rt-10]
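The route selection behind this task, as an added example that is not part of the course material: an Azure-style effective-route lookup showing why the two extra routes for the protected subnets are needed in addition to the “Default” route. Without them, traffic between Linux-A-VM and Linux-B-VM matches the VNET's own system route and bypasses the FortiGate. The VNET address space and the /27 protected-subnet prefixes used below are assumptions.

```python
from ipaddress import ip_address, ip_network

# Azure system routes every subnet in the VNET receives.  The VNET
# address space 192.168.1.0/24 is an assumption for this example.
SYSTEM_ROUTES = [
    ("192.168.1.0/24", "VnetLocal", None),
    ("0.0.0.0/0", "Internet", None),
]

# The three UDRs created in Task 2.  Port2 of the FortiGate is the next hop;
# the Protected-A/B prefixes are assumed /27s containing .132 and .164.
FGT_PORT2 = "192.168.1.36"
USER_ROUTES = [
    ("0.0.0.0/0", "VirtualAppliance", FGT_PORT2),         # route "Default"
    ("192.168.1.128/27", "VirtualAppliance", FGT_PORT2),  # Protected-A_Subnet
    ("192.168.1.160/27", "VirtualAppliance", FGT_PORT2),  # Protected-B_Subnet
]


def effective_route(dst, user_routes):
    """Return the (prefix, next_hop_type, next_hop_ip) Azure would select.

    Longest prefix match wins; on an equal prefix a user-defined route
    overrides the system route.  BGP routes are not modelled, which
    matches the lab's "Propagate gateway routes: No" setting.
    """
    addr = ip_address(dst)
    best = None
    for source, routes in (("system", SYSTEM_ROUTES), ("user", user_routes)):
        for prefix, hop_type, hop_ip in routes:
            net = ip_network(prefix)
            if addr not in net:
                continue
            # Rank by prefix length first, then user-defined over system.
            key = (net.prefixlen, source == "user")
            if best is None or key > best[0]:
                best = (key, (prefix, hop_type, hop_ip))
    return best[1]


def traffic_inspected(dst, user_routes):
    """True when traffic to dst is steered to the FortiGate's port2."""
    _, hop_type, hop_ip = effective_route(dst, user_routes)
    return hop_type == "VirtualAppliance" and hop_ip == FGT_PORT2


if __name__ == "__main__":
    # With only the "Default" UDR, Linux-A -> Linux-B matches the /24
    # VnetLocal system route and never reaches the FortiGate.
    print(effective_route("192.168.1.164", USER_ROUTES[:1]))
    # With all three UDRs, east-west and Internet-bound traffic both go
    # to port2 (203.0.113.10 is a constructed Internet address).
    print(effective_route("192.168.1.164", USER_ROUTES))
    print(effective_route("203.0.113.10", USER_ROUTES))
```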

Continue to Chapter 5 - Task 3: Confirm Linux VMs access via FortiGate

Task 3: Confirm Linux VMs access via FortiGate

In Task Three, you will confirm the Linux VMs are using the FortiGate NVA as their default route and that all traffic to/from the Linux VMs is going through the FortiGate.

  1. Navigate into your Resource Group and open, in separate tabs, the FortiGate GUI, the Linux-A-VM console, and the Linux-B-VM console.

  2. From the Linux-A-VM console, run the following:

    • ping www.yahoo.com
    • ping 192.168.1.164

    Did you get a response from either? Why not?

  3. From the Linux-B-VM console, run the following:

    • ping www.yahoo.com
    • ping 192.168.1.132

    Did you get a response from either? Why not?

  4. From the FortiGate GUI, open a console window, and enter the following command:

    • diagnose sniffer packet port2 'icmp'

  5. Run steps two and three again.

    Do you see the traffic being reported in the FortiGate console? Is the traffic from both Linux VMs being routed to the FortiGate via port2?

  6. The diagram below is a visual representation of your VNET with the Linux VMs traffic flow via the FortiGate NVA. This is now the active flow of traffic based on the UDRs in the Route Table.

    [Screenshot: 4-3-Azure-access-fgt-1]

Continue to Chapter 5 - Task 4: Configure FortiGate Policies

Task 4: Configure FortiGate Policies

Now that you have confirmed traffic from both Linux VMs is being routed to the FortiGate, you will create policies that accomplish the security requirements requested by Company ABC. To meet these requirements, the following access needs to be set up for each Linux VM.

Linux-A-VM is the management server and should have the following access:

  • SSH and PING access to Linux-B-VM
  • HTTP and HTTPS access to the Internet
  • SSH access to Linux-A-VM from the Internet

Linux-B-VM is the www server and should have the following access:

  • HTTP service from the Internet
  • HTTP and HTTPS access to the Internet
  • PING access to Linux-A-VM

In the following steps, you will create an address object, a VIP, and a Firewall Policy for Linux-A-VM and then repeat each step to create similar configurations for Linux-B-VM.

  1. From the FortiGate GUI, navigate to Policy & Objects, Addresses, and click “+ Create new”.

    [Screenshot: 4-4-Azure-fgt-policy-1]

  2. Enter the following:

    • Name: “Linux-A-VM”
    • Interface: “port2”
    • Type: “Subnet”
    • IP/Netmask: “192.168.1.132/32”

    Click OK and confirm the new address for Linux-A-VM is displayed.

    [Screenshot: 4-4-Azure-fgt-policy-2]

  3. Repeat step two above and create an address for Linux-B-VM. Your Address screen should have both Linux VMs listed.

    [Screenshot: 4-4-Azure-fgt-policy-6]

  4. Navigate to Policy & Objects, Virtual IPs, and click “+ Create new”.

    [Screenshot: 4-4-Azure-fgt-policy-3]

  5. Enter the following:

    • Name: “Linux-A-VM_VIP”
    • Interface: “port1”
    • External IP address/range: “192.168.1.4”
    • Map to IPv4 address/range: “192.168.1.132”
    • Port Forwarding: “Enable”
    • External service port: “22”
    • Map to IPv4 port: “22”

    Click OK and confirm the new VIP for Linux-A-VM is displayed.

    [Screenshot: 4-4-Azure-fgt-policy-4]

  6. Repeat step five above and create a VIP for Linux-B-VM. HTTP should be the service port. Your Virtual IPs screen should have two entries.

    [Screenshot: 4-4-Azure-fgt-policy-7]

  7. Navigate to Policy & Objects, Firewall Policy, and click “+ Create new”.

    [Screenshot: 4-4-Azure-fgt-policy-5]

  8. Enter the following:

    • Name: “Internet access to Linux-A-VM”
    • Incoming interface: “port1”
    • Outgoing interface: “port2”
    • Source: “all”
    • Destination: “Linux-A-VM_VIP”
    • Service: “SSH”
    • NAT: Toggle to disabled

    Click OK and confirm the new policy for Linux-A-VM is displayed.

    [Screenshot: 4-4-Azure-fgt-policy-8]

    [Screenshot: 4-4-Azure-fgt-policy-9]

    [Screenshot: 4-4-Azure-fgt-policy-10]

  9. Enter the following to create a policy to allow SSH and PING access to Linux-B-VM.

    • Name: “SSH & PING access to Linux-B-VM”
    • Incoming interface: “port2”
    • Outgoing interface: “port2”
    • Source: “Linux-A-VM”
    • Destination: “Linux-B-VM”
    • Service: “SSH PING”
    • NAT: Toggle to disabled

    Click OK and confirm the new policy is displayed.

    [Screenshot: 4-4-Azure-fgt-policy-11]

  10. Repeat and modify step nine above to finish adding the required policies for Linux-A-VM (HTTP and HTTPS access to the Internet) and the following policies needed for Linux-B-VM.

    Linux-B-VM is the www server and should have the following access:

    • HTTP service from the Internet
    • HTTP and HTTPS access to the Internet
    • PING access to Linux-A-VM

  11. When you are finished adding all the policies for both Linux VMs, your Firewall Policy page should look similar to the following:

    [Screenshot: 4-4-Azure-fgt-policy-12]

Continue to Chapter 5 - Task 5: Confirm Managed Traffic

Task 5: Confirm Managed Traffic

In Task Five, you will confirm that the Firewall Policies are correct and accomplish the security requirements for Company ABC. In the following steps, you will run the same CLI commands on each Linux VM to confirm which services are reachable and which are blocked.

Summary of access to/from each Linux VM:

Linux-A-VM is the management server and should have the following access:

  • SSH and PING access to Linux-B-VM

  • HTTP and HTTPS access to the Internet

  • SSH access to Linux-A-VM from the Internet

    From the Linux-A-VM CLI:

    1. Ping the private IP of Linux-B-VM and confirm replies.

    2. Confirm SSH access to Linux-B-VM and log in: “ssh studentxx@192.168.1.xxx”

      • Type exit to disconnect from Linux-B-VM.

    3. Confirm port 80 access to the Internet: “wget www.fortinet.com”

    4. Confirm port 443 access to the Internet and the public IP assigned to Linux-A-VM: “curl https://ipinfo.io/ip” (Confirm against what the Azure portal has listed as the Public IP assigned to the FortiGate, or confirm against the IP you used to log in to the FortiGate GUI.)

    5. From your client of choice, SSH from the Internet to the VIP assigned to Linux-A-VM. If you do not have an SSH client installed, use the following website and scan for the SSH service - https://dnschecker.org/port-scanner.php. Select Port Type: “Server Ports”.

    Why is HTTPS showing up on the scan results?

Linux-B-VM is the www server and should have the following access:

  • HTTP and HTTPS access to the Internet

  • PING access to Linux-A-VM

  • HTTP service available from the Internet

    From the Linux-B-VM CLI:

    1. Confirm port 80 access to the Internet: “wget www.fortinet.com”

    2. Confirm port 443 access to the Internet and the public IP assigned to Linux-B-VM: “curl https://ipinfo.io/ip” (Confirm against what the Azure portal has listed as the Public IP assigned to the FortiGate, or confirm against the IP you used to log in to the FortiGate GUI.)

    3. Ping the private IP of Linux-A-VM and confirm replies.

    4. From your local browser, open a tab and enter “http://x.x.x.x” (x.x.x.x is the VIP of Linux-B-VM). Confirm you get an NGINX welcome screen.

Congrats if you confirmed access on all the requirements above on the first check.

If time permits, try enabling other ports on the Linux VMs and allowing access via the FortiGate. Also, spend some time looking around the FortiGate NVA GUI and see if you notice differences between the options available there and in the FortiGate hardware GUI.

Thanks for attending this course.

END OF COURSE