FortiGate Security Appliance On IBM Solution Architecture


FortiGate Security Appliance on IBM Cloud
Solution Architecture
Date: 2017-12-22
Copyright IBM Corporation 2017

Table of Contents

1 Introduction
  1.1 About FortiGate Security Appliance
  1.2 Background
  1.3 Key Benefits
2 Design
  2.1 Overview
  2.2 FortiGate Security Appliance Deployment
      Appliance configuration
      Firewall configuration
      High Availability
      User Management
      Caveats
      Licensing
Appendix A - Reference

List of Figures
  Figure 1 VMware Cloud Foundation on IBM Cloud
  Figure 2 FortiGate Security Appliance on VMware Cloud Foundation High Level Components
  Figure 3 FortiGate Security Appliance network topology

List of Tables
  Table 1 FortiGate Security Appliance summary
  Table 2 Permitted outbound traffic

Summary of Changes

This section records the history of significant changes to this document. Only the most significant changes are described here.

Version  Date        Author(s)                                          Description of Change
1.0      2017-12-22  Jack Benney, Frank Chodacki, Daniel De Araujo,     Initial Release
                     Bob Kellenberger, Simon Kofkin-Hansen,
                     Scott Moonen, Jim Robbins

1 Introduction

1.1 About FortiGate Security Appliance

The purpose of this document is to define and describe the FortiGate Security Appliance architecture for the vCenter Server and VMware Cloud Foundation offerings deployed in the IBM Cloud. Specifically, it details the components of the solution and the high-level configuration of each component in the design.

This solution is considered to be an additional component and extension of both the vCenter Server solution offering and the VMware Cloud Foundation solution offering on IBM Cloud. As a result, this document does not cover the existing configuration of the foundation solutions on IBM Cloud. It is therefore highly recommended to review and understand the VMware on IBM Cloud solution architecture located on the IBM Architecture Center before reading this document.

Figure 1 VMware Cloud Foundation on IBM Cloud

1.2 Background

IBM Cloud provides a variety of connectivity options for your IBM Cloud for VMware Solutions VMware environment. For low bandwidth or initial connectivity, you can use the IBM Cloud VPN to connect directly to your dedicated private network. For dedicated connections, IBM Cloud offers a Direct Link service to connect to your existing network service provider or to connect to other clouds via a cloud exchange provider. IBM Cloud also offers public network connectivity for applications that need to be available over the public network, or for cases where your solution allows for public connectivity or tunneling and does not require Direct Link.

If you choose public interconnectivity for your VMware environment, you have a number of additional options to provide firewall, NAT, and VPN services for your connection. The base IBM Cloud for VMware Solutions offerings include VMware NSX licensing suitable for deploying NSX Edge Services Gateways that you can use for firewall, NAT, and VPN services to protect your environment's public network access. However, if you require a physical firewall and gateway device rather than a virtual firewall for your VMware environment, this architecture specifies how to deploy the IBM Cloud FortiGate Security Appliance offering as part of your environment's security implementation.

IBM Cloud also offers a FortiGate-VM offering, which provides network security services in virtual appliance form within your vSphere cluster. Visit the IBM Architecture Center to see the FortiGate-VM solution architecture.

1.3 Key Benefits

The FortiGate 300 series Security Appliance available in the IBM Cloud offers firewall, routing, NAT, and VPN services to your VMware environment, including the following:

- Deep packet inspection
- SSL inspection
- Intrusion prevention
- Data loss prevention
- Sandboxing
- Anti-malware and anti-virus
- Web filtering
- Traffic shaping
- Web UI and command line management interface

2 Design

2.1 Overview

The FortiGate Security Appliance solution complements the IBM Cloud for VMware Solutions offerings by providing perimeter firewall and gateway services. These services are provided by dedicated physical FortiGate devices within the IBM Cloud network.

Figure 2 FortiGate Security Appliance on VMware Cloud Foundation High Level Components

2.2 FortiGate Security Appliance Deployment

The FortiGate Security Appliance offering is deployed to an existing IBM Cloud public VLAN in the same data center and POD as your VMware instance. As part of deployment, your instance's existing public VLAN is attached to the "inside" interfaces of the appliances, and a new public VLAN is allocated and attached to the "outside" interfaces of the appliances. All traffic destined to your instance's public network is routed through the FortiGate appliances as shown in Figure 3, which act as a perimeter firewall and gateway for your instance. In this figure, the original public VLAN is now denoted as a protected VLAN.

Figure 3 FortiGate Security Appliance network topology

Appliance configuration

The FortiGate Security Appliance offering is deployed as a pair of physical appliances configured to be highly available in active-passive mode. Configuration is automatically replicated between the appliances. The configuration of the appliances is as follows:

Attribute          Configuration
Appliance          FortiGate 300 series or better
Location           Same data center and POD as VMware instance
High availability  Two appliances deployed in active-passive configuration
Network            Dual 1 GbE bonded on both inside and outside networks
Upstream           IBM Cloud public VLAN (new)
Downstream         IBM Cloud public VLAN (existing)

Table 1 FortiGate Security Appliance summary

Firewall configuration

Depending on your security requirements, you can configure the FortiGate Security Appliance to route traffic, NAT traffic, or offer VPN services. When initially deployed by IBM Cloud for VMware, the appliance is configured in one of two configurations depending on the time of deployment:

Deployment time                             Configuration
Together with VMware instance deployment    Outbound management traffic is permitted (see below)
                                            All other traffic is blocked
After VMware instance is deployed           Outbound management traffic is permitted (see below)
                                            All other traffic is permitted

The reason for this difference is that an existing VMware instance is assumed to have existing public connections, so the FortiGate appliances are deployed in such a way that those connections are not interrupted other than a brief outage as traffic is rerouted through the FortiGate appliances.

In all cases, after deployment, configuring the FortiGate Security Appliances to suit your application's needs and your security requirements is beyond the scope of this design.

However, you are required to allow the network traffic required by the IBM Cloud for VMware offering itself. IBM's offerings require outbound public connectivity from the IBM Cloud Driver virtual machine through the management NSX ESG to the public network. The Cloud Driver uses these connections to access your instance's database and message queues in the IBM Cloud. Optional solution components such as Zerto Virtual Replication and F5 BIG-IP may also route public connections through the management NSX ESG for product registration and billing, product support, or diagnostics. Therefore, you must minimally permit the following outbound traffic through the FortiGate Security Appliances:

Field             Configuration
Source Zone       Inside
Source IP         Management NSX ESG public IP
Destination Zone  Outside
Destination IP    All
Service           All
Action            ACCEPT
NAT               Disable

Table 2 Permitted outbound traffic

Other than this rule and any other rules necessary for your application traffic, you should ensure that a default deny policy is configured for all traffic traversing from the inside to outside interfaces, and from the outside to inside interfaces.

Optionally, you can enable FortiGate management connections on the inside interface and disable management connections on the outside interface. Note that this will require you to use the IBM Cloud VPN to manage the FortiGate.

High Availability

The FortiGate Security Appliances are already configured by IBM Cloud as a highly available pair. Configuration is automatically replicated between the two, and management and network functions fail over from the active node to the passive (standby) node in case of failure.

User Management

The FortiGate Security Appliances are initially deployed with a single administrative user for your use. You can create additional users with differing privileges using the FortiGate administrative interface.

Caveats

The FortiGate Security Appliance is not compatible with Microsoft Windows Network Load Balancing (NLB).

Licensing

There are no licensing requirements for the physical FortiGate Security Appliance.
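The following is an added example of how the firewall policy described in this design (the minimum permitted outbound rule of Table 2, the default-deny requirement in both directions, and the optional inside-only management access) can be expressed in the FortiOS CLI. It is not part of this document's original content and is not the configuration IBM Cloud applies at deployment. The interface names inside and outside, the zone names Inside and Outside, the management ESG public IP 203.0.113.10, the administrator name secops-admin, and the 10.0.0.0/8 trusted-host range are assumptions for illustration; substitute the values of your own instance. Syntax follows FortiOS 5.6/6.x.

```fortios
# Added example (not IBM-provided). Interface, zone, address and admin names are assumptions.

# Restrict management access to the inside interface only (Table 1 downstream side).
# With no allowaccess on "outside", the appliance must be managed over the IBM Cloud VPN.
config system interface
    edit "inside"
        set allowaccess ping https ssh
    next
    edit "outside"
        unset allowaccess
    next
end

# Zones matching the Source Zone / Destination Zone fields of Table 2.
config system zone
    edit "Inside"
        set interface "inside"
    next
    edit "Outside"
        set interface "outside"
    next
end

# Address object for the management NSX ESG public IP (placeholder value).
config firewall address
    edit "mgmt-esg-public-ip"
        set type ipmask
        set subnet 203.0.113.10 255.255.255.255
        set comment "Public IP of the management NSX ESG - replace with your instance value"
    next
end

# Policies are evaluated top down, first match wins.
# Policy 1 is the Table 2 rule; 2 and 3 are explicit, logged default-deny rules.
# FortiOS already denies unmatched traffic implicitly; the explicit rules make the drops visible in logs.
config firewall policy
    edit 1
        set name "permit-mgmt-esg-outbound"
        set srcintf "Inside"
        set dstintf "Outside"
        set srcaddr "mgmt-esg-public-ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 2
        set name "deny-inside-to-outside"
        set srcintf "Inside"
        set dstintf "Outside"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "deny-outside-to-inside"
        set srcintf "Outside"
        set dstintf "Inside"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Additional administrator (User Management section), limited to logins from the
# IBM Cloud private network reached over the IBM Cloud VPN (range is an assumption).
config system admin
    edit "secops-admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.0.0.0
        set password "<set-a-strong-password>"
    next
end
```

Before adding the deny rules, review the policies IBM Cloud installed at deployment with `show firewall policy`, and insert any rules your application traffic needs above the explicit deny entries so they are matched first. Because configuration is replicated within the HA pair, apply these commands to the active node only and confirm synchronization with `get system ha status`.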

Appendix A - Reference

Additional information about IBM Cloud and FortiGate Security Appliance on IBM Cloud can be found at the following sites:

- IBM Cloud Architecture Center for ntent/architecture/virtualizationArchitecture/
- IBM Cloud Direct irect-link
- IBM Cloud FortiGate Security Appliance fsa
- Fortinet product sheets.html
