Fortinet FortiGate Automation Stitch Workshop

FortiGate Automation Stitch Workshop

In this workshop you will learn how to deploy and utilize FortiGate Automation Stitches on Azure in several different use cases

FortiGate Automation Stitch TEC Workshop

Introduction: As enterprises adopt the Cloud as the new core for application hosting, the application environments may change dynamically related to workload needs. Policies need to be dynamic to secure these changing environments. Utilizing configuration options of the FortiGate along with Cloud automation capabilities, security can be designed to automatically respond to environment evolution.

FortiGate Automation Stitches, Dynamic Address Objects, SDN Connectors and Azure Automation combined create a unique and powerful way to enhance Cloud security postures by

  • Stitching together Triggers and Actions
  • Recognizing changes to the Cloud environments
  • Maintaining dynamic address objects comprising the IPs of target VM groups
  • Executing FortiGate security and Azure routing updates in response to VM existence

The purpose of this Workshop is to explore and utilize the concepts specific to FortiGate Automation Stitches and their incorporation with Azure Cloud environment.

Workshop Objectives

  • Deploy using Terraform
    • One FortiGate VM
    • Two Linux VMs
    • Azure Automation Account
    • Azure Automation Runbook
  • Configure FortiGate Automation Stitches
    • Email on user login - Easy
    • Update Azure Route Table triggered by VM existence and Tag - Complex

About TEC Workshops

TEC Workshops provide the learner with the opportunity to put into practice newly developed skills in an easy to launch environment that can be used for customer engagements. At a minimum a TEC Workshop will include the following:

  • A use case description

  • An integrated lab and demo environment

    • Informational call-outs for key points to discuss or highlight to a customer
    • Questions that could be asked while giving the TEC Workshop as a demo
    • Points of value that relate the business value to the technical feature

  • A reference architecture(s)

Optional components may be included for certain use cases

The TEC Workshop may not be a completely, self-contained learning experience for a single product. A TEC Workshop will cover features and often multiple products where they relate to the use case of interest.

Deployments will be automated for those tasks that are not salient to the learning or demonstration activity in the use case. For example, for a TEC Workshop focused on Indicators of Compromise, the system may deploy a FortiGate and FortiAnalyzer with configurations for these systems. However, the leaner will have to configure the Event Handlers for IOC setup.

Warning

The examples and sample code provided in this workshop are intended to be consumed as instructional content. These will help you understand how various Fortinet and Azure services can be architected to build a solution while demonstrating best practices along the way. These examples are not intended for use in production environments without full understanding of how they operate.

Version:
Last updated: Thu, May 22, 2025 22:03:19 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Subsections of Fortinet FortiGate Automation Stitch Workshop

Chapter 1 - Getting Started

Fortinet FortiGate Automation Stitch Workshop

Tasks

Warning

In an instructor led event, for example XPERTS this step may not be required

  • Provision Azure Environment
  • Setup Azure Cloud Shell
  • Run Terraform
  • Verify Terraform

Chapter 1 - Provisioning the Azure environment (5min)

Task 0 - Provision Azure Environment

Provision Azure Environment, minimally enter your Email address and click Provision

Notes

Customer/Partner Name / Event Code

  • If you are using this workshop for a Customer/Partner - enter their name
  • If you are a Customer/Partner - enter your Customer/Partner name
  • If this is an instructor led event please enter the provided Event Code
Warning

After submitting, this page will return with a blank email address box and no other indications.

Provisioning can take several minutes.

PLEASE DO NOT SUBMIT MULTIPLE TIMES

When provisioning is complete, one of the following will happen.

  • You will receive an email with Azure environment credentials. Use those credentials for this environment, even if you have your own.
  • You will receive and email indicating that there are no environments available to utilize. In this case please try again at a later date.
  • You will receive an email indicating that the supplied email address is from an unsupported domain.
  • No email will be received due to an unexpected error. You can try again or notify the Azure CSE team.

Subsections of Chapter 1 - Getting Started

Task 1 - Setup Azure CloudShell

Task 1 - Setup your AzureCloud Shell

  • Login to Azure Cloud Portal https://portal.azure.com/ with the provided login/password

    cloudshell1 cloudshell1 cloudshell2 cloudshell2

  • Click on Cloud Shell icon on the Top Right side of the portal

    cloudshell5 cloudshell5

  • Click PowerShell cloudshell6 cloudshell6

  • Click on “Show advanced settings”

    cloudshell7 cloudshell7

The field Storage Account should auto populate. If it does not, it is because the “Cloud Shell Region” field is not set to the Region where the Storage Account is located. Please try Central US, East US, and West US

  • Select

    • Use existing Resource Group

      • Field should auto populate with USERXX-fgt-as-workshop (USERXX is your Username)

    • Use existing Storage account

      • Field should auto populate with USERXX############ (############) is a random string

    • Use existing File Share

      • This field will not auto populate
      • type cloudshellshare

  • Click “Attach Storage”

    cloudshell8 cloudshell8

  • You now have access to Azure Cloud Shell console.

  • Maximize the console window

    cloudshell9 cloudshell9

Task 2 - Run Terraform

Task 2 - Run the Terraform Deployment

Perform the following step in your Cloudshell console to create your environment.

  1. Clone the Github repo https://github.com/FortinetCloudCSE/fortigate-automation-stitch-workshop
  2. Change directory to the fortigate-automation-stitch-workshop/terraform/azure folder
  3. Run terraform init
  4. Run terraform plan -var="username=$env:USER"
  5. Run terraform apply -var="username=$env:USER"

Copy and paste these commands into your Cloud Shell console. The terraform variable username will be populated with the value of the environment variable USER

git clone https://github.com/FortinetCloudCSE/fortigate-automation-stitch-workshop
cd ./fortigate-automation-stitch-workshop/terraform/azure
terraform init
terraform plan -var="username=$env:USER"
terraform apply -var="username=$env:USER" -auto-approve

terraform1 terraform1 terraform2 terraform2 terraform3 terraform3

Task 3 - Terraform Verifications

Task 3 - Terraform Verification

  1. Access the FortiGate, using the Terraform output.

    terraform3 terraform3

    • Terraform output can be redisplayed at any point as long as you are in the ./fortigate-automation-stitch-workshop/terraform/azure directory, by using the command terraform output
    • To view the FortiGate and Linux VM login credentials use the command terraform output credentials
    cd
cd ./fortigate-automation-stitch-workshop/terraform/azure
terraform output
terraform output credentials

  2. Review the Resource Group and created components.

    • 1 - Automation Account
    • 4 - Disks for the VMs
    • 4 - Network Interfaces for the VMs
    • 2 - Network security groups
    • 1 - Public IP address for the FortiGate
    • 1 - Route table
    • 1 - Runbook
    • 1 - Storage account
    • 3 - Virtual Machines
      • 1 - FortiGate
      • 2 - Linux VMs
    • 1 - Virtual Network - Containing 3 Subnets
      • snet-external
      • snet-internal
      • snet-protected
    1. Minimize the Cloudshell console window
    2. Click the slide-drawer menu icon (AKA the hamburger menu)
    3. Click Home
    4. Click Resource Groups
    5. Click your Resource Group USERXX-fgt-as-workshop

    resourcegroup1 resourcegroup1 resourcegroup2 resourcegroup2 resourcegroup3 resourcegroup3

  3. Verify your Resources

    resourcegroup4 resourcegroup4

Chapter 1 Discussion

Discussion Points During a Demo - Chapter 1

Fortinet provides a large library of infrastructure as code (IaC) templates to deploy baseline and iterate POC and production environments in public cloud. IaC support includes Terraform, Ansible, and cloud-specific services such as Azure ARM, AWS Cloudformation, and Google Deployment templates. Terraform Providers are available for several Fortinet products to insert and iterate running configuration.

For more information, review the following:

Key questions during your demo - Chapter 1

When giving this TEC Workshop as as demo, the following questions will provide a basis for next steps and future meetings:

  • Has your organization standardized on an IaC tool-set for infrastructure provisioning and iteration?
  • How are the responsibilities for infrastructure assigned? Does cloud network fall under a DevOps, Cloud Networking, or Application Delivery team, as examples?
  • What is view on how IaC can improve workflows?
  • Is workflow automation in cloud and cross-organizational collaboration important within your cloud business?

Chapter 2 - Azure Automation

Fortinet FortiGate Automation Stitch Workshop

Chapter 2 - Azure Automation Overview (15min)

Tasks

  • Review Azure Automation Account
  • View Azure Automation Runbook
  • Review Azure Identity

Subsections of Chapter 2 - Azure Automation

Task 1 - Review Azure Automation Account

Azure Automation

Automation in Azure can be accomplished in a number of ways, Logic Apps, Function Apps, Runbooks, etc. Each of the automation methods can be triggered in a number of ways, for example Events, Webhooks, and Schedules.

An Azure Runbook is just a script, in this case PowerShell, that the Automation Account can run. The Actions the Runbook can perform are controlled by the roles (what actions are allowed) and scope (where those actions can be performed) that have been granted to the Automation Account, via the Automation Account Identity.

The Runbook Actions are provided by PowerShell Modules that have been imported into the Automation Account. The PowerShell Modules are libraries of commands called Cmdlets that are grouped into several domains. For example, Accounts, Automation, Compute, Network, and Resources.

The Runbook created during the Terraform deployment process was imported from the Github repository for this Workshop. The function of the Runbook is to add or remove a route from a route table. The details of the route are related to the IP address of a VM that has been tagged with a specific tag and value.

The Runbook is triggered via a webhook when a VM with a specific tag with a specific value is observed by the FortiGate Azure SDN connector. The tag specifics and SDN Connector are covered in later tasks.

Task 1 - Review Azure Automation Account

  1. Click the Automation Account aa-USERXX
  2. Click Runbooks
  3. Click Update-RouteTable

The overview shows details bout the Runbook. Important items to note are the Runbook type and version. In this case the Runbook type is PowerShell and the version is 5.1

The Runbook can be executed in several ways.

  • Manually

  • Linked to a schedule

  • Via a Webhook

    runbook1 runbook1

Task 2 - View Azure Automation Runbook

Task 2 - View Azure Automation Runbook

  1. Click View to view the runbook PowerShell code

    runbook2 runbook2

    The code has several sections

    • Lines 1-10: Indicate the functionality, author and last edit.
    • Lines 11-16: Define a single mandatory parameter named $webhookdata and clears any passed contextual information.
    • Lines 18-85: Several actions take place
      • Was the Runbook triggered by a webhook or not
      • Parse the webhook body
      • Determine if a route is being added, removed, or if an invalid operation was indicated.
        • For both the added and removed option the command Connect-AzAccount -Identity -Force is run to allow the PowerShell to use the Automation Account Identity to perform actions in the Azure environment, e.g., adding/removing a route from a route table.

    A Runbook can be executed by the Automation Account, however if the Runbook attempts to perform an action that the Automation Account identity does not have the privilege to do then the actions will fail. The initial privilege setting of the RunAutomation Account identity is none.

    This Runbook expects to be executed only via a Webhook with a payload provided by the FortiGate.

Task 3 - Review Azure Identity

Azure Identity

Azure uses identity with many objects in the cloud environments. Identity is a way to provide an object with permissions. As mentioned previously the Identity has no permissions until a role is assigned. Permissions are given by assigning one or more Azure Roles to the object. The role assigned permissions are associated to a scope.

Azure’s definition of a role is:

  • A Role is a collection of permissions

Azure’s definition of a scope is:

  • A Scope is a set of resources that the role assignment applies to. Scope has levels that are inherited at lower levels. For example, if you select a subscription scope, the role assignment applies to all resource groups and resources in the subscription.

Task 3 - Review Azure Identity

  1. Click the Automation Account | Runbooks in the breadcrumb links aa-USERXX | Runbooks
  2. Scroll down in the left-hand navigation to “Identity”
  3. Click Identity
  4. Click Azure Role Assignments

The Azure Automation Account Identity has the role of “Contributor” with a scope of the Resource Group USERXX-fgt-as-workshop

This means that any action a Contributor Role can perform can be done by all Runbooks associated with this Azure Automation Account to all of the resources in the scoped Resource Group

aaaccount1 aaaccount1 aaaccount2 aaaccount2 aaaccount3 aaaccount3 aaaccount4 aaaccount4

Chapter 2 Discussion

Discussion Points During a Demo - Chapter 2

When discussing Azure Automation with the Customer it is important to point out

  • Azure Automation Runbooks can be used to provide automation capability with Azure Environments, The Runbooks can be run manually, on a schedule, or via a webhook.
  • Azure Automation Identity can be assigned one or more Azure Roles to one or more Azure Scopes.
  • Azure Automation Runbooks can be written in PowerShell and Python.

Azure Automation Runbooks can be triggered via a FortiGate Automation Stitch, the Action of the FortiGate Automation Stitch can be a Webhook used to send information from a FortiGate to an Azure Automation Runbook.

Utilizing the FortiGate Azure SDN Connector the FortiGate can react to events in the Azure Environment and trigger actions in the Azure environment.

The FortiGate Azure SDN Connector enables the FortiGate to be dynamically aware of the Azure environment, combine that awareness with Azure Automation Runbooks and there are infinite possibilities for Security issue detection, remediation, and so much more.

Chapter 3 - FortiGate Simple Automation Stitch

Fortinet FortiGate Automation Stitch Workshop

Chapter 3 - FortiGate Simple Automation Stitch (10min)

A FortiGate Automation Stitch combines a Trigger and one or more Actions.

Tasks

  • Create a Simple Automation Stitch - Email when an Admin user logs in, out or fails login.
    • Create an Automation Trigger
    • Create an Automation Action
    • Create an Automation Stitch
  • Check that the Automation Stitch is working

Subsections of Chapter 3 - FortiGate Simple Automation Stitch

Task 1 - Automation Trigger

Task 1 - Create Automation Trigger

This task creates the trigger for when an Admin logs in or out or fails to login.

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.
  2. Click through any opening screens for FortiGate setup actions, no changes are required.
  3. Click “Security Fabric”
  4. Click “Automation”
  5. Click “Trigger”
  6. Click “Create New”

stitchtask1 stitchtask1 stitchtask1 stitchtask1

  1. Click “FortiOS Event Log” in Miscellaneous section
  2. Enter
    • Name: Admin activity trigger
  3. Click “+” in Event field
  4. Enter search term “Admin Log” in “Select Entries”
  5. Click these entries to add to the Event field
    • Admin Login failed
    • Admin Login successful
    • Admin Logout successful
  6. Click Close
  7. Click OK

stitchtask1 stitchtask1 stitchtask1 stitchtask1 stitchtask1 stitchtask1

Task 2 - Automation Action

Task 2 - Create Automation Action

This task creates the action for when an Admin logs in or out or fails to login.

  1. Click “Action”
  2. Click “Create New”
  3. Click “Email” in Notifications

stitchtask2 stitchtask2 stitchtask2 stitchtask2

  1. Enter
    • Name: Admin activity action
    • From: “USERXX@ftg.com” <– does not need to be a valid email
    • To: a valid email address to receive the email
    • Subject: Admin activity
  2. Click OK

stitchtask2 stitchtask2 stitchtask2 stitchtask2

Task 3 - Automation Stitch

Task 3 - Create Automation Stitch

This task creates the stitch for when an Admin logs in or out or fails to login.

  1. Click “Stitch”
  2. Click “Create New”

stitchtask3 stitchtask3

  1. Enter
    • Name: Admin activity stitch
  2. Click “Add Trigger”
  3. Click “Admin activity trigger” in “Select Entries”
  4. Click “Apply”
  5. Click “Add Action”
  6. Click “Admin activity action” in “Select Entries”
  7. Click “Apply”
  8. Click “OK”

stitchtask3 stitchtask3 stitchtask3 stitchtask3 stitchtask3 stitchtask3

Task 4 - Test Automation Stitch

Task 4 - Test Automation Stitch

This task tests the automation stitch for when an Admin logs in or out or fails to login.

  1. Logout
  2. Login with an incorrect password
  3. Login with the correct password
  4. Check the destination email for Automation Stitch messages.

stitchtask4 stitchtask4

Chapter 4 - FortiGate Complex Automation Stitch

Fortinet FortiGate Automation Stitch Workshop

Chapter 4 - FortiGate Complex Automation Stitch (30min)

A FortiGate Automation Stitch brings together a Trigger and one or more Actions. In the previous chapter the goal was to create a simple automation stitch that was self-contained and resulted in a notification by email of an event but took no further action related to the event.

The tasks presented in this chapter will incorporate several components of the FortiGate and Azure. The goal of the Automation Stitch created by the next set of tasks is to manage a host route in an Azure Route table. The host route will be managed (added/deleted) in the Azure Route table based on the existence of a VM with a specific tag and a specific value.

An Azure Route table is used to provide a more specific route to data traffic in an Azure Virtual network. Azure Virtual network data traffic, by default, can route between all VMs in all subnets in the Virtual network. The traffic can be controlled by Azure Network Security Groups (NSGs) but not inspected.

The preferred way for traffic to flow would be through a Network Virtual Appliance (NVA), like a FortiGate, where the traffic can be inspected, this can be achieved by using a Route table. By associating subnets to a Route table, all routes in the Route table will supersede the default routes that the data traffic within the Virtual network normally utilizes, for the subnets included in the Route table. A Route table route can ensure that data traffic between subnets must utilize the FortiGate (NVA) as the next hop.

Data traffic from subnet to subnet can be inspected, but what about data traffic between VMs in the same subnet? For this type of routing Azure allows host routes in a Route table. A host route is a /32 route, this means that the most specific route in an Azure Route table can be a host’s IP address. Adding a host route to the Azure Route table and specifying the next hop for that route to be the FortiGate, ensures that data traffic to the host must use the FortiGate as the next hop. Even if the traffic is coming from a VM in the same subnet as the host.

Ensuring that VM to VM data traffic in the same subnet is routed via the FortiGate is a form of micro-segmentation.

Tasks

  • Create a Complex Automation Stitch - Update an Azure Route table to micro-segment VMs in the same subnet, using host routes
  • Create a FortiGate Azure SDN Connector in disabled mode
  • Utilize FortiGate Dynamic Address Objects in FortiGate Policy
  • Utilize FortiGate Log entries as an Automation Stitch trigger
  • Utilize FortiGate Automation Stitch to trigger an Azure Automation Runbook
  • Enable the FortiGate Azure SDN Connector
  • Check that the Automation Stitch is working

Note

To complete these task’s configurations without having to go through the manual process use these following Terraform commands, while in the terraform/fortios directory.

terraform init
terraform apply -auto-approve

Subsections of Chapter 4 - FortiGate Complex Automation Stitch

Task 1 - SDN Connector & Dynamic Addresses

Task 1 - Create FortiGate Azure SDN Connector and Dynamic Address Objects

The completed Automation Stitch trigger will be when a log is recorded for the following events:

  • Dynamic address added
  • Dynamic address removed

These log events are recorded when a FortiGate Dynamic Address is updated by adding or removing an address. FortiGate Dynamic Addresses are updated when the conditions of the Dynamic Address filter are met.

The Dynamic address filters can utilize the data returned from the FortiGate Azure SDN Connector. The filters can match on several aspects of the Azure environment. The Dynamic address filters in this task will match on Azure Tags and Values.

The configurations are presented as a combination of FortiGate CLI commands and screenshots of the configured object. All of the command blocks can be copied and pasted into the FortiGate CLI console.

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.

  2. Click through any opening screens for FortiGate setup actions, no changes are required.

  3. Click the CLI Console

  4. Enter the following CLI commands to create an Azure SDN Connector named “AzureSDN”

    config system sdn-connector
    edit "AzureSDN"
        set type azure
        set status disable 
    next
end

    sdnconnector1 sdnconnector1 sdnconnector2 sdnconnector2

The Azure SDN Connector is set to disable for now, it will be set to enable in Task 5. The SDN Connector needs to exist for the Dynamic Addresses to refer to it, but at this point in the exercise it needs to remain disabled.

Create Dynamic Addresses

  1. Use the FortiGate CLI Console to enter the following commands

  2. Create AppServers Address

    config firewall address
    edit "AppServers"
        set type dynamic
        set sdn "AzureSDN"
        set filter "Tag.ComputeType=AppServer"
    next
end

  3. Create DbServers Address

    config firewall address
    edit "DbServers"
        set type dynamic
        set sdn "AzureSDN"
        set filter "Tag.ComputeType=DbServer"
    next
end

  4. Create WebServers Address

    config firewall address
    edit "WebServers"
        set type dynamic
        set sdn "AzureSDN"
        set filter "Tag.ComputeType=WebServer"
    next
end

For the time being all of the Dynamic Addresses will remain unresolved, because the Azure SDN Connector is currently set to disable. You will view the updated WebServers Address in Task 5 after the Azure SDN Connector is set to enable

Task 2 - Automation Trigger

Create Complex Automation Stitch

A FortiGate Automation Stitch brings together a Trigger and one of more Actions.

FortiGate Automation Stitch Triggers are grouped in categories. The Miscellaneous category includes

  • FortiOS Event Log
  • Incoming Webhook
  • Schedule

The FortiGate Automation Stitch will be triggered by a log entries related to Dynamic addresses. When a Dynamic address is updated by adding or removing an IP address, the FortiGate Automation Stitch will be triggered.

The Dynamic addresses setup in the previous step are updated when a VM with a specific tag and value is discovered or when a previously discovered VM with a specific tag and value no longer exists in the Azure environment.

  • Tag: ComputeType Value: AppServer - updates the AppServers address
  • Tag: ComputeType Value: DbServer - updates the DbServers address
  • Tag: ComputeType Value: WebServer - updates the WebServers address

A Dynamic address is updated by adding or removing an IP address in the object. Either action creates a FortiGate Event Log, the event logs are named

  • Dynamic address added
  • Dynamic address removed

Task 2 - Create an Automation Trigger for each Dynamic Address - AppServers, DbServers, WebSevers

The configurations are presented as a combination of FortiGate CLI commands and screenshots of the configured object. All of the command blocks can be copied and pasted into the FortiGate CLI console.

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.
  2. Click through any opening screens for FortiGate setup actions, no changes are required.
  3. Click the CLI Console
  4. Enter the following CLI commands to create an Automation Stitch Trigger for each Dynamic Address

  • AppServers

    config system automation-trigger
    edit "AppServer Existence"
        set description "Tag ComputeType with value of AppServer updates route table."
        set event-type event-log
        set logid 53200 53201
        config fields
            edit 1
                set name "cfgobj"
                set value "AppServers"
            next
        end
    next
end

  • DbServers

    config system automation-trigger
    edit "DbServer Existence"
        set description "Tag ComputeType with value of DbServer updates route table."
        set event-type event-log
        set logid 53200 53201
        config fields
            edit 1
                set name "cfgobj"
                set value "DbServers"
            next
        end
    next
end

  • WebServers

    config system automation-trigger
    edit "WebServer Existence"
        set description "Tag ComputeType with value of WebServer updates route table."
        set event-type event-log
        set logid 53200 53201
        config fields
            edit 1
                set name "cfgobj"
                set value "WebServers"
            next
        end
    next
end

  1. View the configured Triggers in the FortiGate UI

    • Minimize “CLI Console”
    • Click “Security Fabric”
    • Click “Automation”
    • Click the “Trigger” tab

    complexstitchtask2-1 complexstitchtask2-1

  2. View WebServer Existence configuration in the FortiGate UI

    • Double-Click the WebServer Existence trigger

    In the CLI configuration the logid was set by specifying the logid number. The logid in the CLI is called the Event in the UI in the UI Clicking the “+” in the event field opens the “Select Entries” dialog, where log events can be searched and selected by name.

    complexstitchtask2-2 complexstitchtask2-2 complexstitchtask2-3 complexstitchtask2-3

    The “Field filter(s)” for a log event are the logs fields and the value expected in the log field. In the trigger the Field filter is the log field cfgobj. Logs can be viewed in the UI, however, to view raw logs in the CLI, use the execute log command and sub-commands. An example of the event logs used in the trigger is shown below.

    complexstitchtask2-4 complexstitchtask2-4

Task 3 - Automation Action

Create Complex Automation Stitch

A FortiGate Automation Stitch brings together a Trigger and one of more Actions.

The action is to build and send a Webhook. A Webhook is a way to send an HTTP request to a listening endpoint. The endpoint can then do something with the Webhook based on the HTTP method. FortiGate Webhook actions support several HTTP methods; DELETE, GET, PATCH, POST, and PUT.

The Webhook configured in this task uses the POST method. The HTTP POST method will utilize HTTP headers and the request body to send data to the listening endpoint. The listening endpoint was described earlier in the chapter describing Azure Automation. The Azure Automation Webhook (this is the listening endpoint) was created as part of the Terraform deployment. The Azure Automation Webhook is associated to the Azure Automation Runbook Update-RouteTable.

To summarize there are two Webhooks;

  • Azure Automation Webhook listens for incoming requests and sends the request to the Azure Automation Runbook Update-RouteTable
  • FortiGate Automation Stitch Action Webhook sends data in the form of an HTTP POST request to the Azure Automation Webhook

The data sent by the FortiGate Webhook action is sent (POSTed) to the Azure Automation Runbook Update-RouteTable where it is parsed and acted upon based on the sent data. Possible runbook actions are

  • Update the Azure Route table rt-protected in the Resource Group USERXX-fgt-as-workshop by adding a host route
  • Update the Azure Route table rt-protected in the Resource Group USERXX-fgt-as-workshop by removing a host route
  • Return an error message indication that the passed data was incorrect or that the runbook was not executed via the Webhook

The FortiGate Automation Stitch action is triggered by a log entry related to Dynamic addresses, when a Dynamic address is updated by adding or removing an IP address. The Dynamic addresses setup previously are updated when a VM with a specific tag and value is discovered or if a previously discovered VM with a specific tag and value is no longer seen in the Azure environment.

The triggers setup in the last task can all utilize the same action.

Task 3 - Create Automation Action

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.
  2. Click through any opening screens for FortiGate setup actions, no changes are required.
  3. Click the CLI Console
  4. Enter the following CLI commands to create an Automation Stitch Action that will send a Webhook to Azure
  • There are two options to create the action

    1. Replace the values indicated below with the information specific to your deployment. The values can be obtained by running the following terraform commands in the terraform/azure directory - Refer to Chapter 1 Task 2 - Run Terraform

      • YOUR_RESOURCE_GROUP - terraform output
      • YOUR_WEBHOOK - terraform output webhook

    2. Use the contents of the generated FortiOS configuration file

      • terraform/fortios/fortigate_automation_action_cli.cfg
      • This file was created for this specific deployment when the initial terraform apply was executed.

The webhook URI contains a question mark (?) between the words webhooks and token. When pasting text into the FortiGate CLI question marks are removed, due to the question mark having special meaning in the FortiGate CLI.

config system automation-action
    edit "routetableupdate"
        set description "Update Route Table for MicroSegmentation"
        set action-type webhook
        set protocol https
        set uri "YOUR_WEBHOOK"
        set http-body "{\"action\":\"%%log.action%%\", \"addr\":\"%%log.addr%%\"}"
        set port 443
        config http-headers
            edit 1
                set key "ResourceGroupName"
                set value "YOUR_RESOURCE_GROUP"
            next
            edit 2
                set key "RouteTableName"
                set value "rt-protected"
            next
            edit 3
                set key "RouteNamePrefix"
                set value "microseg"
            next
            edit 4
                set key "NextHopIp"
                set value "10.1.1.4"
            next
        end
        set verify-host-cert disable
    next
end

complexstitchtask3-1 complexstitchtask3-1

  1. View the configured Action in the FortiGate UI

    • Minimize “CLI Console”
    • Click “Security Fabric”
    • Click “Automation”
    • Click the “Action” tab

    complexstitchtask3-2 complexstitchtask3-2

  2. View routetableupdate configuration in the FortiGate UI

    • Double-Click the routetableupdate trigger

    complexstitchtask3-3 complexstitchtask3-3

The Action fields

  • Protocol - HTTP or HTTPS
  • URL - the Azure Automation Webhook is entered into this field without the https:// prefix
  • Custom Port - the port the Azure Automation Webhook is listening on
  • Method - the HTTPS method
  • HTTP body - the body of the POST request - in this request the body is formatted as JSON. The items %%log.action%% and %%log.addr%% represent the FortiGate event log fields from the log that triggered the action. These values are:
    • log.action - object-add or object-remove
    • log.addr - the IP address of the VM with the ComputeType tag
  • HTTP header - additional header fields - these fields could also have been passed in the HTTP body

    • ResourceGroupName - the name of the Azure Resource Group containing the Azure Route table to update

    • RouteTableName - the name of the Azure Route table to update

    • RouteNamePrefix - a prefix for the routes managed by the Azure Automation Runbook

    • NextHopIp - the Next Hop IP Address for the routes managed by the Azure Automation Runbook

      • Ensure that a question mark (?) is placed between the words webhooks and token
      • Add a question mark is not present
      • Click “OK” to save the update complexstitchtask3-3 complexstitchtask3-3

Task 4 - Automation Stitch

Create Complex Automation Stitch

A FortiGate Automation Stitch brings together a Trigger and one of more Actions.

Three FortiGate Automation Stitches need to be created, one for each trigger. All the stitches will utilize the same action. Each stitch is used to connect the trigger to one or more actions. The stitches created in this task each only have one action.

Task 3 - Create Automation Stitches

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.
  2. Click through any opening screens for FortiGate setup actions, no changes are required.
  3. Click the CLI Console
  4. Enter the following CLI commands to create Automation Stitches to connect the triggers to the action.

  • AppServers

    config system automation-stitch
    edit "routetableupdate-AppServers"
        set description "Update route table for App Servers"
        set trigger "AppServer Existence"
        config actions
            edit 1
                set action "routetableupdate"
            next
        end
    next
end

  • DbServers

    config system automation-stitch
    edit "routetableupdate-DbServers"
        set description "Update route table for Db Servers"
        set trigger "DbServer Existence"
        config actions
            edit 1
                set action "routetableupdate"
            next
        end
    next
end

  • WebServers

    config system automation-stitch
    edit "routetableupdate-WebServers"
        set description "Update route table for Web Servers"
        set trigger "WebServer Existence"
        config actions
            edit 1
                set action "routetableupdate"
            next
        end
    next
end
  1. View the configured Action in the FortiGate UI

  • Minimize “CLI Console”

  • Click “Security Fabric”

  • Click “Automation”

  • Click the “Stitch” tab

    complexstitchtask4-1 complexstitchtask4-1

  1. View routetableupdate-WebServers configuration in the FortiGate UI

  • Double-Click the routetableupdate-WebServers Action

    complexstitchtask4-2 complexstitchtask4-2

The configuration is very simple; a single trigger is added and multiple actions can be attached to the trigger.

Task 5 - Enable Azure SDN Connector

Task 5 - Enable Azure SDN Connector

The completed Automation Stitch trigger will be when a log is recorded for the following events:

  • Dynamic address added
  • Dynamic address removed

These log events are recorded when a FortiGate Dynamic Address is updated by adding or removing an address. FortiGate Dynamic Addresses are updated when the conditions of the Dynamic Address filter are met.

The Dynamic address filters can utilize the data returned from the FortiGate Azure SDN Connector. The filters can match on several aspects of the Azure environment. The Dynamic address filters in this task will match on Azure Tags and Values.

The configurations are presented as a combination of FortiGate CLI commands and screenshots of the configured object. All of the command blocks can be copied and pasted into the FortiGate CLI console.

Enable and View the Azure SDN Connector

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.

  2. Click through any opening screens for FortiGate setup actions, no changes are required.

  3. Click “Security Fabric”

  4. Click “External Connectors”

  5. Toggle the enable button on the Azure SDN Connector, it will take at least 60 seconds for the SDN Connector to retrieve information from Azure.

  6. Hover over “AzureSDN” <– The SDN Connector may have already discovered Azure Environment objects, if so follow the next steps to view them.

    • Click “View Connector Objects”
    • Scroll through discovered objects, the ones that the Dynamic addresses will use in the “Tag” group
    • Click “X” to exit the view

  7. Double-Click “AzureSDN” to view the configuration in the UI

    sdnconnector3 sdnconnector3 sdnconnector4 sdnconnector4 sdnconnector5 sdnconnector5

Notice that the switch “Use managed identity” is enabled. This allows the FortiGate to issue Azure Resource Manager API calls to read the Azure environment. The “Resource path” can also be enabled to scope the read requests to a particular “Subscription ID” and “Resource group”.

The Azure identity of the FortiGate has already been scoped to the Resource Group when the Contributor Role was assigned to the FortiGate during deployment.

View the FortiGate’s Azure Assigned Identity Contributor Role and Scope

  1. Login to Azure Cloud Portal https://portal.azure.com/ with the provided login/password
  2. Navigate to your Resource Group “USERXX-fgt-as-workshop”
  3. Click “vm-fgt”
  4. Click “Identity”
  5. Click “Azure role assignments”

The Azure “Contributor” role has been assigned to the FortiGate’s associated Azure Identity, with a scope of the Resource Group “USERXX-fgt-as-workshop”. This means that any API request issued by the FortiGate Azure SDN Connector has all the privileges of the Contributor role but only on objects that are in the specified Resource Group.

sdnconnector6 sdnconnector6 sdnconnector7 sdnconnector7 sdnconnector8 sdnconnector8

View the FortiGate Dynamic Address Resolution

Now that the Azure SDN Connector has been enabled the WebServers Address should populate with a resolved IP address for a VM with the Tag ComputeType and the value Webserver.

  1. View the configured Addresses in the FortiGate UI

    • Click “Policy & Objects”
    • Click “Addresses”

    dynamicaddress1 dynamicaddress1 dynamicaddress2 dynamicaddress2

As part of the environment deployment by Terraform:

  • A linux VM with the name vm-linux-2 was deployed
  • A tag ComputeType with the value WebServer was added to the VM
  • The VM data retrieved by the Azure SDN connecter matched the WebServers address filter
  • The address object was populated with the IP address of the VM vm-linux-2

The red exclamation point near an address name indicates that the filter(s) for the address did not match anything.

  1. View the Matched addresses in the FortiGate UI

    • Hover over the address name WebServers
    • Click the “View Matched Addresses” button

  2. View an Address configuration in the FortiGate UI

    • Double-Click the WebServers Address

    dynamicaddress3 dynamicaddress3

Chapter 5 - FortiGate Policy & Route

Fortinet FortiGate Automation Stitch Workshop

Chapter 5 - FortiGate Policy & Route (5min)

The previous task created a complex FortiGate Automation Stitch that when triggered caused a route table update in Azure utilizing and Azure Automation Runbook.

Why do this? To force traffic that would have otherwise flowed between VMs in the same subnet to go through the FortiGate. This enables the traffic to be inspected. In order for the FortiGate to inspect the traffic and then send it on to the desired destination a policy and a route are required to be configured in the FortiGate.

The Policy will allow all traffic between WebServers. By using Dynamic Addresses, as WebServers are deployed and deallocated in Azure, the Address object will be updated by the Azure SDN Connector.

The Route will indicate to the FortiGate which port to send the traffic out to reach the destination.

Tasks

  • Create a FortiGate Policy to allow WebServer to WebServer Communication
  • Create a FortiGate Static Route to the WebServer Subnet

Subsections of Chapter 5 - FortiGate Policy & Route

Task 1 - FortiGate Policy

Task 1 - Create FortiGate Firewall Policy

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.

  2. Click through any opening screens for FortiGate setup actions, no changes are required.

  3. Click the CLI Console

  4. Enter the following CLI commands to create a FortiGate Firewall Policy “webserver2webserver”

    config firewall policy
    edit 1
        set name "webserver2webserver"
        set srcintf "port2"
        set dstintf "port2"
        set action accept
        set srcaddr "WebServers"
        set dstaddr "WebServers"
        set schedule "always"
        set service "ALL"
    next
end

  5. View the configured Policy in the FortiGate UI

    • Minimize “CLI Console”
    • Click “Policy & Objects”
    • Click “Firewall Policy”

    firewallpolicy1 firewallpolicy1

  6. View webserver2webserver configuration in the FortiGate UI

    • Double-Click the webserver2webserver Policy

    firewallpolicy2 firewallpolicy2

Notice that the Dynamic address WebServers is used as both the source and destination.

Task 2 - FortiGate Route

Task 1 - Create FortiGate Static Route

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.

  2. Click through any opening screens for FortiGate setup actions, no changes are required.

  3. Click the CLI Console

  4. Enter the following CLI commands to create a FortiGate Static Route “webser2webserver”

    config router static
    edit 1
        set dst 10.1.2.0 255.255.255.0
        set gateway 10.1.1.1
        set device "port2"
    next
end

  5. View the configured Action in the FortiGate UI

    • Minimize “CLI Console”
    • Click “Network”

    staticroute1 staticroute1

  6. View 10.1.2.0/24 static route configuration in the FortiGate UI

    • Double-Click the 10.1.2.0/24 Policy

    staticroute1 staticroute1

Chapter 6 - Verify

Fortinet FortiGate Automation Stitch Workshop

Chapter 6 - Verify (10min)

This task is where everything comes together, the integration of FortiGate Automation and Azure Automation.

Consider the application of the the Automation techniques, the FortiGate is responding to a change in the Azure environment by triggering a routing change in the Azure environment. In a dynamic Cloud environment the ability to respond to a change without manual intervention is key to ensuring a secure environment.

Tasks

  • Ping the linux VMs from each other
  • Sniff the linux VM pings
  • Tag vm-linux-1 VM as a WebServer

Subsections of Chapter 6 - Verify

Task 1 - Pings

Task 1 - Ping the linux VMs from each other

  1. Navigate to the Azure Route table rt-protected

routetable1 routetable1

There may already be a host route for vm-linux-2 10.1.2.5/32 with a next hop IP 10.1.1.4, FortiGate port2. This route may be here because of the FortiGate Automation Stitch and when vm-linux-2 was deployed it was tagged with “ComputeType=WebServer”.

The other VM vm-linux-1 has the tag “ComputeType” but the tag value is set to “unknown”. The FortiGate Azure SDN Connector does collect this VM’s information each time a scan of the Azure environment is done, however, the Tag and Value do not match any Dynamic address. A FortiGate Automation Stitch is not triggered.

For the next steps two browser windows should be open to the Azure environment at the same time.

  1. Navigate to each linux VM in a separate browser window
  2. Scroll to the bottom of the left hand navigation
  3. Click “Serial Console”

From each linux VM ping the other linux VM

  1. Ping vm-linux-2 from vm-linux-1 - let the ping run even though there is no response
    • ping 10.1.2.5
  2. Ping vm-linux-1 from vm-linux-2 - let the ping run even though there is no response
    • ping 10.1.2.4

pinglinuxvm1 pinglinuxvm1

Task 2 - Sniff

Task 2 - Sniff the linux VMs ping traffic from the FortiGate

  1. Login to the FortiGate using the IP address and credentials from the Terraform output.
  2. Click through any opening screens for FortiGate setup actions, no changes are required.
  3. Click the CLI Console
  4. Enter the CLI command to sniff the ping traffic between the two linux VMx
    • diagnose sniffer packet port2 'proto 1' 4 0 a

sniffping1 sniffping1

The output of the sniffer command shows:

  • vm-linux-1 (10.1.2.4) is sending a ping to 10.1.2.5
  • vm-linux-1 (10.1.2.4) is responding to a ping from 10.1.2.5

Two things to realize from this output

  • vm-linux-2 (10.1.2.5) can send traffic directly to vm-linux-1 (10.1.2.4) because they are in the same subnet and there is no host route for vm-linux-1 in the rt-protected Route table because vm-linux-1 is not tagged as a WebServer
  • vm-linux-1 (10.1.2.4) can only communicate with vm-linux-2 (10.1.2.5) through the FortiGate however, the traffic is dropped by policy because vm-linux-1 (10.1.2.4) is not in the WebServers Dynamic address.

Task 3 - Tag

Task 3 - Tag the Linux VM vm-linux-1 as a WebServer

  1. Navigate to the VM vm-linux-1
  2. Click the “edit” link next to Tags
  3. Change the “ComputeType” value to “WebServer”
  4. Click “Save”

sniffping1 sniffping1

Now that the VM vm-linux-1 has a tag ComputeType with a value of WebServer several actions take place

  • FortiGate Azure SDN Connector will return the updated environment information to the FortiGate
  • FortiGate Dynamic address “WebServers” will be updated with IP address 10.1.2.4
  • FortiGate event log will trigger the FortiGate Automation Stitch to send a Webhook to Azure
  • Azure Automation will send the FortiGate Webhook data to the Azure Automation Runbook
  • Azure Automation Runbook will run and add a host route for vm-linux-1 to Azure Route table rt-protected
  • Traffic will flow between vm-linux-1 and vm-linux-2

These actions take 2-4 minutes to complete. The FortiGate Azure SDN Connector scan every 60 seconds. Once the FortiGate Webhook is sent to Azure Automation the Runbook run is queued. When the Azure Automation Runbook completes the Azure Route table updates can take 1-2 minutes to take effect.

Updated Route table - there is a host route for both linux VMs, all traffic for these VMs must go through the FortiGate and match a policy

routetable2 routetable2

FortiGate Sniffer - there is bidirectional traffic for the pings

sniffping2 sniffping2

Linux VM Consoles

pinglinuxvm1 pinglinuxvm1

This concludes the workshop tasks, to explore further

  • Update the ComputeType tag value to AppServer and DbServer
  • Update the FortiGate Firewall Policy to allow AppServer and DbServer
  • Create an Address Group with AppServers, DbServers, and WebServers
  • Allow an AppServer to communicate with a DbServer but not with a WebServer
  • and so on…