Configure a Fortigate Security Appliance (FSA)

Introduction

A Fortigate Security Appliance (FSA) is a dedicated single-tenant network device that is connected upstream from a server and protects any or all servers on a public VLAN.  It is purchased separately from a server order and can be added to a VLAN at any time.  SoftLayer deploys the 300 series Fortigate Security Appliance within a Virtual Domain (VDOM) on the dedicated appliance, allowing customers full access to that virtual domain without compromising the integrity of the device.  Customers have virtually full access to advanced features and the ability to fine-tune the device to a much higher degree than other products.  The firewall blocks or shapes traffic before the traffic ever reaches the server.  The main advantages are that a server only has to handle 'good' traffic and that bandwidth can be constrained for less critical communications.  Customers can manage the FSA either through the web-based FortiOS GUI or the CLI (Command Line Interface) via SSH.  High availability can also be ordered, which provides two appliances in an active-passive deployment with synchronized configurations.

Intended Use: Single Public VLAN Protection

User Interface: Fortigate GUI and Command Line Interface

Features: Stateful Packet Inspection, VLAN Protection, Ingress Firewall Rules, Egress Firewall Rules, NAT, SSL VPN Termination, IPSec VPN Termination, Advanced Logging, High Availability (Optional)

Throughput: 2000Mbps


Understanding the Default Deployment

The Fortigate Security Appliance is deployed as a single Virtual Domain (typically firewall001) on a dedicated appliance.  The customer has full access to the resources of the appliance (processors, memory, etc.), but access to device-level configuration is constrained to ensure SoftLayer can effectively support the device.

The FSA is deployed in "NAT" mode and resides in 2 VLANs/networks within the public network infrastructure.  The "Outside" VLAN is the SoftLayer public VLAN where traffic enters the data center and is routed to the FSA.  The "Inside" VLAN is the customer's assigned protected public FCR (Frontend Customer Router) VLAN and is where the customer's server resources reside.

SoftLayer deploys the FSA with 2 bonded 1G interfaces on each of these two networks during the provisioning process.  SoftLayer also deploys a single interface for provisioning and maintenance of the device which is not made available to customers.

SoftLayer deploys the firewall with all IPv4 and IPv6 traffic allowed, including a specific rule (softlayer-admin) designed to allow the SoftLayer internal administration network to access devices through the firewall.  Denial of Service protections and most other filters are configured not to enforce.


Adding a Fortigate Security Appliance to a public VLAN

In the Control Portal, navigate to Network -> IP Management -> VLANs

Filter By "Primary Router: fcr" to view only your Public VLANs (optional)

Each row represents a VLAN in your infrastructure.  SoftLayer populates the "VLAN Number" and "Primary Router" information automatically indicating the true VLAN number and the router that it is configured on.  The "Name" field is left for users to define a recognizable name (Such as DMZ, Intranet, Public, or Database).

The far right column (Gateway / Firewall) contains details about what hardware firewall protection is in place.  Click on "Add Firewall" for the appropriate VLAN.  If the field is already populated, a firewall or Network Gateway is already associated with the VLAN.  That device must be removed from the VLAN before you can proceed.

You will be presented with your Firewall options.  These options include a "Fortigate Security Appliance" and a "Fortigate Security Appliance (High Availability)".  The High Availability option deploys the same hardware and interface, but deploys a second passive node to continue processing traffic if the active node fails.  High Availability reduces the risk of excessive downtime.  Select one of the two options.  You can also click the "Servers on this VLAN" button to ensure you are selecting the appropriate VLAN.

A Fortigate Security Appliance cannot be ordered as part of a server order and must be placed after at least one public compute node is established (adding the associated VLAN to the user's account).


Managing the Fortigate Security Appliance

When the Firewall is first added to the VLAN, a set of rules is initially put in place that allows all traffic through the firewall. Rules and other configurations can then be added to control the traffic.

In the Control Portal, navigate to Network -> IP Management -> VLANs

Filter By "Primary Router: fcr" to view only your Public VLANs (optional)

Each row represents a VLAN in your infrastructure.  Click on the Firewall-vlanXXXX.networklayer.com link associated with the VLAN you want to manage.

This takes you to the firewall Device Details screen.  From here you can view the associated VLAN/subnets, the current "Status" of the firewall routing, and the management information.

The management information includes a Management IP, a Username, and a Password.  This Management IP is publicly accessible until hardened by the user.  To access the GUI, click on the management IP link or open https://[Management IP] in a web browser.  Enter the username and password provided.  For automation purposes or advanced use cases, administration is also available via SSH with the same IP and credentials.

From this GUI, users are able to administer the Fortigate Security Appliance as a VDOM Administrator.  This provides access to most features, but users will need to open support tickets to install, manage or remove SSL certificates, or to perform administrative functions on the device such as initiating a manual HA failover, rebooting, upgrading, or performing a default configuration restore.

Fortinet maintains online documentation, including an interactive cookbook, that can be used for reference during configuration.


Managing Firewall Rules (Policies)

Fortigate utilizes the concept of a policy, which includes the ability to accept/deny traffic, apply security profiles, shape traffic, log traffic, and schedule the timeframe during which a policy applies.  To assemble a policy, you must first create the objects that will take part in the policy.  This section reviews the options for the policy.

After logging into the appliance, navigate to the "Policy and Objects" menu and select the protocol you wish to manage (IPv4, IPv6, etc.).  Policies are evaluated against traffic in the order of the Sequence Number on the far left of each policy, and the first matching policy is applied.  Users can drag a policy higher in the list to have it evaluated earlier or move the policy lower to have it evaluated later.

To add a policy, click "Create New" and refer to these field definitions:

Incoming Interface: Either the public-facing interface (outside interface) for ingress rules or compute-facing interface (inside interface) for egress rules.

Source Address: This is the source IP(s) for the traffic.  This is a pick-list, so the IP must be added to the "Addresses" list on the "Objects Menu." An "All" option is available.

Source User(s): This applies the policy to a user or group created in the "User and Device" panel.

Source Device Type: This applies the policy to a device created in the "User and Device" panel.

Destination Address: This is the target IP(s) of the traffic.  This is a pick-list, so the IP must be added to the "Addresses" list on the "Objects Menu." An "All" option is available.

Schedule: This determines when the policy will run.  An "Always" option is available or users can create a schedule in the Objects menu under Schedules.

Service: This determines the service that the policy will apply to.  An "ALL" option is available as well as numerous standard services.  Additional services can be added in the Services menu under Objects.

Action: Accepts or denies the traffic.  (Selecting Deny removes many of the remaining options, which are not necessary for a deny policy.)

Firewall / Network Options: Enables or disables NAT and associated options.

Security Profiles: Provides an On/Off toggle for each option and allows a profile to be associated with each enabled option.

Traffic Shaping: This allows you to configure the maximum and guaranteed (minimum) bandwidth available to the traffic.  A maximum connections limit can also be set on a per-IP shaper.  Note: DSCP settings are not effective since user generated QoS information is ignored by the SoftLayer platform.

Logging Options: Configures when "Allowed" traffic is recorded.  This setting (and especially the "Capture Packets" option) consumes device resources.

Comments: User generated comments

Enable this policy: Enables or disables the policy


Example of a simple "Allow All" rule for web traffic to a web server:

Incoming Interface: outside VLAN

Source Address: All

Source User(s): Blank

Source Device Type: Blank

Outgoing Interface: inside VLAN

Destination Address: x.x.x.x (Web Server IP)

Schedule: always

Service: HTTP

Action: ACCEPT

NAT: OFF

Security Profiles: Use Standard

Traffic Shaping: Off

Log Allowed Traffic: On (Security Events)

Comments: Web Server Traffic x.x.x.x

Enable this policy: On
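The same "Allow All" web rule expressed in the FortiOS CLI, reached over SSH with the management IP and credentials described above.  This is an added example, not configuration from the original page or from SoftLayer or Fortinet.  The interface names "outside" and "inside", the address object name "web-server-01", and 203.0.113.10 as the web server IP are constructed placeholders; substitute the interface names and addresses shown on your own appliance.

```fortios
# Added example, not from the original page.  Assumes the VDOM Administrator
# login lands directly in the customer VDOM, so no "config vdom" wrapper is
# needed.  "outside", "inside", "web-server-01" and 203.0.113.10 are
# constructed placeholders.

# 1. Address object.  The policy's Destination Address is a pick-list, so the
#    server IP has to exist as an object before the policy can reference it.
config firewall address
    edit "web-server-01"
        set subnet 203.0.113.10 255.255.255.255
        set comment "Web server behind the FSA"
    next
end

# 2. The policy itself.  "edit 0" asks FortiOS to allocate the next free
#    policy ID.  Each "set" mirrors one GUI field from the example above:
#    Incoming Interface, Outgoing Interface, Source/Destination Address,
#    Schedule, Service, Action, NAT, Log Allowed Traffic (security events
#    only = "utm"), Comments, Enable this policy.
config firewall policy
    edit 0
        set name "web-server-http"
        set srcintf "outside"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "web-server-01"
        set schedule "always"
        set service "HTTP"
        set action accept
        set nat disable
        set logtraffic utm
        set comments "Web Server Traffic 203.0.113.10"
        set status enable
    next
end

# 3. Policies are matched top-down by sequence, so a new rule appended after
#    the permissive default policy never sees traffic until it is moved above
#    it.  List the policies, then move the new one using the IDs reported
#    for your device (shown here as placeholders).
show firewall policy
# config firewall policy
#     move <new-policy-id> before <default-allow-all-id>
# end
```

Adding a specific allow policy does not by itself tighten anything while the default allow-all policy deployed by SoftLayer still sits above it; the `move` step is what makes the new rule effective.  Review the `softlayer-admin` rule position as well before restricting traffic, since the page notes it exists to keep SoftLayer's internal administration network able to reach devices through the firewall.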


Securing the Fortigate Security Appliance

Customers can configure the Fortigate Security Appliance to meet security and compliance requirements, starting with hardening their administrative users.  SoftLayer provides a VDOM Administrator account with a randomly assigned password.  Customers can rotate that password, create read-only users, and restrict access based on "Trusted Hosts", which accepts management traffic only from specified source IPs (up to 3).  These activities are completed through the Fortigate GUI by accessing System -> Admin -> Administrators, and all access and changes are logged.

Customers can also restrict access to the administrative interfaces to only the protocols they require (typically HTTPS and SSH, since these provide in-transit encryption).  For additional security, customers can disable external access to the administrative interface.  This is accomplished by enabling the appropriate protocols on the INSIDE interface (the interface that a customer's SoftLayer public VLAN resides on) and disabling all protocols on the OUTSIDE interface (the interface that public internet traffic is received from).  This additional security measure requires that the user have a server positioned inside the VLAN from which they will administer the Fortigate Security Appliance.  These configurations are made from within the Fortigate GUI at System -> Network -> Interfaces by editing the appropriate interfaces.
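The hardening steps from the two paragraphs above (password rotation, Trusted Hosts, and management protocols restricted to the inside interface) as a FortiOS CLI script.  This is an added example, not configuration from the original page or from SoftLayer or Fortinet.  The account name "vdomadmin" stands for the VDOM Administrator account SoftLayer provisioned, 198.51.100.10 and 192.0.2.0/24 are constructed management sources, and "inside"/"outside" are placeholder interface names; substitute your own.

```fortios
# Added example, not from the original page.  "vdomadmin" is a placeholder for
# the provisioned VDOM Administrator account; 198.51.100.10 and 192.0.2.0/24
# are constructed management sources; "inside"/"outside" are placeholder
# interface names.

# 1. Rotate the provisioned password and pin logins to trusted source IPs.
#    With trusthost set, a connection from any other address is refused
#    before credentials are even checked.  Include the address you are
#    currently connected from, or this session will be the last one.
config system admin
    edit "vdomadmin"
        set password <new-strong-password>
        set trusthost1 198.51.100.10 255.255.255.255
        set trusthost2 192.0.2.0 255.255.255.0
    next
end

# 2. Keep only encrypted management protocols, and only on the inside
#    interface.  "unset allowaccess" on the outside interface removes every
#    management protocol there, so the management IP stops answering from
#    the Internet.  Run this from a host on the inside VLAN, since that is
#    the only place management remains reachable afterwards.
config system interface
    edit "inside"
        set allowaccess https ssh
    next
    edit "outside"
        unset allowaccess
    next
end

# 3. Verify: the outside interface should show no allowaccess line, and the
#    admin entry should list the trusthost entries just configured.
show system interface outside
show system interface inside
show system admin vdomadmin
```

The order matters for not locking yourself out: apply the trusted-host change first from an address that will remain trusted, confirm you can still log in, and only then remove management access from the outside interface while connected from the inside VLAN.  The administrator log (System -> Admin -> Administrators, noted above as logged) is where a failed login from an untrusted source would then appear.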

Bypassing the Fortigate Security Appliance

To temporarily route around the firewall, select Actions -> Set Route Bypass.  This takes approximately 2 minutes to take effect.  This feature is intended for use if there is a suspected firewall issue or as part of troubleshooting if there are issues with the applications behind the firewall.  While in bypass mode, the status area on the Firewall management pages will display "Routing AROUND firewall".


Cancelling a Firewall

Firewalls can be cancelled at any time by navigating to the firewall management page and clicking Actions -> Cancel Firewall.  Note that this will leave all devices on the VLAN without frontend firewall protections.  This service is provided month to month and billing will be discontinued for the next month upon cancellation.


Limitations

Incompatible with Windows Network Load Balancing (NLB) due to the way ARP is processed.

High Availability failover functionality is not exposed to the user.  If the master firewall malfunctions but does not fail over automatically, a support ticket is required.  Device monitoring for critical services is recommended to ensure that firewalls are appropriately passing traffic.

A Fortigate Security Appliance cannot be deployed on a VLAN that is currently associated with a Network Gateway, Hardware Firewall, or Fortigate Security Appliance.

The Fortigate Security Appliance is associated with a single public customer VLAN (the "inside" VLAN) and cannot access the private network.