More and more clients are tempted to virtualize their environment (or part of it) using one of the solutions available on the market. I just finished a project in the Azure Cloud and I'd like to share my experience and give you some tips. There is official documentation for this, but not everything in it is clear and obvious.
The design and requirements are similar to the scenario recommended by Fortinet and Microsoft.
Let's assume that:
- there are 2 subscriptions: PROD and TEST
- in each subscription, there is 1 VNet with 1 subnet for VMs
- in the PROD subscription we deploy a new VNet, called VNET_TRANS
- in VNET_TRANS we deploy FortiGate HA from the Azure Marketplace using the template FortiGate Next-Generation Firewall for Azure LB HA in an LB sandwich
- in VNET_TRANS there is a Gateway which interconnects the Azure environment with the On-Prem networks
- FortiGate's port1 is facing the Public Load Balancer, port2 is facing the Internal LB
- FortiGates are used for scanning inter-VNet traffic
- FortiGates are used for scanning traffic between Azure and the On-Prem networks
I won't go step-by-step through the Azure deployment. It's a pretty standard one and there are many tutorials on how to do it. I'll focus on the issues that emerged during this project.
This is the first interesting topic! In this scenario, we require that port2 is both the ingress and the egress interface. Will it work with FortiGate? If you try to find an answer on the Internet, it's not clear. Some say that the firewall will act as a plain router, because FortiGate requires 2 different interfaces to kick in with its NGFW capabilities. That is not true. Everything will work, just the way you would expect from a modern firewall. A slightly reduced performance is the only downside, and in a test scenario it is not noticeable. Nothing to be concerned about. So tighten your shoelaces, you'll be configuring firewall policies from port2 to port2. No VLANs! Excited? OK, next one!
What's that SNAT and why is it recommended? Azure Load Balancers are great, however they have one minor issue - they are not session aware. So traffic from host A to host B can be directed to FortiGate-A, but there is no guarantee that the returning traffic will go through the same firewall. Is that an issue? Yes, of course. It has a name: asymmetric routing! A stateful firewall that receives a reply for a session it never saw simply drops it.
Solution? S-NAT! How to achieve it? It's simple: enable interface NAT for all rules.
Now the Microsoft / server guy starts his part, configuring ADs and all the required flows. After a few days he finds out that SNAT for Active Directory is not recommended and not supported by Microsoft. Let me quote:
The Microsoft statement regarding Active Directory over NAT is:
* Active Directory over NAT has not been tested by Microsoft.
* We do not recommend Active Directory over NAT.
* Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.
How to deal with it?
FGSP - FortiGate Session Protocol
The answer is FGSP. Amend the config a bit:
- disable NAT for all internal rules
- configure FGSP. Example config below:
config system ha
    set hbdev "port1" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set standalone-config-sync enable
    set override disable
    set priority 200
end
config system cluster-sync
    edit 1
        set peerip 10.0.1.12
        set syncvd "root"
    next
end
You might be tempted to use a dedicated interface for FGSP. I tried with VM size Standard_F2s and it is not possible: you are limited to only 2 interfaces. Choose the one which handles the smaller amount of traffic in your scenario. For me, it's port1. If you need more NICs, you have to choose a bigger VM size, at least Standard_F8s.
NOTE! Config sync never worked for me. I assumed it was a bug in FOS 6.0.4 and ignored it, as both FortiGates were managed by FortiManager. However, I've heard from other people that on FortiOS 6.2.2 sync is still not working.
The last step in the FGSP scenario is to make sure that the Internal Load Balancer has Session Persistence enabled. You can configure it under Load Balancing Rules. Example screenshot below:
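To see why the LB sandwich produces asymmetric routing, and how the two fixes discussed above (interface SNAT, then FGSP session sync) each deal with it, here is a small Python model I added for this post; it is not code from the original article or from Fortinet, and the addresses, the LDAP flow and the load-balancer hash are constructed stand-ins, not Azure's real algorithm.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.src, self.dport, self.sport)


def session_key(pkt: Packet) -> tuple:
    # Direction-agnostic key, so a reply matches the session its request created.
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


@dataclass
class Firewall:
    name: str
    port2_ip: str
    sessions: set = field(default_factory=set)

    def egress(self, pkt: Packet, snat: bool) -> Packet:
        # First packet: policy permits, session created; interface NAT rewrites src to port2 IP.
        out = Packet(self.port2_ip, pkt.dst, pkt.sport, pkt.dport) if snat else pkt
        self.sessions.add(session_key(out))
        return out

    def ingress(self, pkt: Packet) -> bool:
        # Reply packet: a stateful firewall drops it without a matching session.
        return session_key(pkt) in self.sessions


def lb_pick(pkt: Packet, members: list) -> Firewall:
    # Constructed stand-in for the LB hash: it depends on the sending side, so the
    # reply's reversed 5-tuple can land on the other member (asymmetric routing).
    return members[(int(pkt.src.rsplit(".", 1)[1]) + pkt.sport) % len(members)]


def run_flow(mode: str) -> tuple:
    """mode is 'plain', 'snat' or 'fgsp'; returns (ingress FGT, return FGT, delivered?)."""
    fws = [Firewall("FGT-A", "10.0.2.11"), Firewall("FGT-B", "10.0.2.12")]
    req = Packet("10.1.0.4", "10.2.0.6", 49152, 389)  # TEST host -> PROD DC, LDAP
    fw_in = lb_pick(req, fws)
    sent = fw_in.egress(req, snat=(mode == "snat"))
    if mode == "fgsp":  # FGSP replicates the session table to the peer
        fws[1 - fws.index(fw_in)].sessions |= fw_in.sessions
    reply = sent.reverse()
    # A SNATed reply is addressed to the firewall itself and skips the LB hash.
    fw_back = fw_in if mode == "snat" else lb_pick(reply, fws)
    return fw_in.name, fw_back.name, fw_back.ingress(reply)
```

In "plain" mode the reply lands on FGT-B, which has no session and drops it; SNAT pins the reply to FGT-A, while FGSP lets FGT-B accept it because the session was synced.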
FortiGates in an Azure environment work pretty well in both SNAT and FGSP deployments. However, to avoid the Active Directory issues, go for the FGSP option from day 1! You'll save yourself a lot of precious time. If you have your main FortiGate in your DataCenter, configure SecureFabric to get greater visibility into Azure Cloud security from your main firewall.
Bullet points for things which were more or less surprising:
- firewall on-a-stick is working perfectly fine in Azure
- SNAT is not the best solution if you have AD environment
- VM size Standard_F2s supports only 2 interfaces
In another article, I will describe how to configure the Azure SDN Connector and what issues you can run into on the way, which are not described clearly in the Fortinet docs.