Introduction

More and more clients are tempted to virtualize their environment (or part of it) using one of the solutions available on the market. I just finished a project in the Azure Cloud and I'd like to share my experience and give you some tips. There is official documentation for this, but not everything in it is clear and obvious.

Design

The design and requirements are similar to the scenario recommended by Fortinet and Microsoft.

Let's assume that:

  • there are 2 subscriptions: PROD and TEST
  • in each subscription, there is 1 VNet with 1 subnet for VMs
  • in the PROD subscription we deploy a new VNet, called VNET_TRANS
  • in VNET_TRANS we deploy FortiGate HA from the Azure Marketplace using the template FortiGate Next-Generation Firewall for Azure LB HA in an LB sandwich
  • in VNET_TRANS there is a Gateway which interconnects the Azure environment with the On-Prem networks
  • FortiGate's port1 faces the Public Load Balancer; port2 faces the Internal LB

Requirements:

  • FortiGates are used for scanning inter-VNet traffic
  • FortiGates are used for scanning traffic between Azure and the On-Prem networks

Deployment

I won't go step-by-step through the Azure deployment. It's a pretty standard one and there are many tutorials on how to do it. I'll focus on the issues that emerged during this project.

Firewall on-a-stick

This is the first interesting topic! In this scenario, we require port2 to be both the ingress and the egress interface. Will it work with FortiGate? If you try to find an answer on the Internet, it's not clear. Some say that the firewall will act as a plain router, because FortiGate requires 2 different interfaces to kick in with its NGFW capabilities. That is not true. Everything will work just the way you would expect from a modern firewall. Slightly reduced performance is the only downside; in a test scenario it is not noticeable. Nothing to be concerned about. So tighten your shoelaces, you'll be configuring firewall policies from port2 to port2. No VLANs! Excited? OK, next one!

What's that SNAT and why is it recommended? Azure Load Balancers are great, however they have 1 minor issue: they are not session aware. So traffic from host A to host B can be directed to FortiGate-A, but there is no guarantee that the returning traffic will go through the same firewall. Is that an issue? Yes, of course. It has a name: asymmetric routing!

Solution? SNAT! How to achieve it? It's simple: enable interface NAT on all rules, so the return traffic is addressed to the FortiGate that handled the original flow.

Now the Microsoft / Server guy starts his part, configuring AD and all required flows. After a few days he finds out that SNAT for Active Directory is not recommended and not supported by Microsoft. Let me quote:

The Microsoft statement regarding Active Directory over NAT is:
* Active Directory over NAT has not been tested by Microsoft.
* We do not recommend Active Directory over NAT.
* Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.

How to deal with it?

FGSP - FortiGate Session Protocol

The answer is FGSP. Amend the config a bit:

  1. disable NAT on all internal rules
  2. configure FGSP. Example config below:
config system ha
    set hbdev "port1" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set standalone-config-sync enable
    set override disable
    set priority 200
end

config system cluster-sync
    edit 1
        set peerip 10.0.1.12
        set syncvd "root"
    next
end
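As an added example (not from the original post), here is the port2-to-port2 policy that the firewall on-a-stick section and step 1 of the FGSP list describe, first in the SNAT variant that breaks Active Directory, then with NAT disabled for the FGSP design. Address object names, subnets and the policy ID are assumptions.

```text
# Added example, not from the original post. Address names, subnets and the
# policy ID are assumptions; adjust them to your own VNets.
config firewall address
    edit "NET_PROD_VMS"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "NET_TEST_VMS"
        set subnet 10.2.0.0 255.255.0.0
    next
end

# Variant 1, the SNAT design: interface NAT on the policy makes return traffic
# come back to the FortiGate that handled the request, but AD then sees the
# firewall's port2 address instead of the real client.
config firewall policy
    edit 10
        set name "PROD_to_TEST_on_a_stick"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "NET_PROD_VMS"
        set dstaddr "NET_TEST_VMS"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end

# Variant 2, the FGSP design: same policy, NAT disabled, so the client IP is
# preserved; the asymmetric return path is covered by FGSP session sync
# (config system ha / cluster-sync above) and ILB session persistence.
config firewall policy
    edit 10
        set nat disable
    next
end
```

Inspection still happens on the single port2-to-port2 policy; only the NAT setting differs between the two designs.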

You might be tempted to use a dedicated interface for FGSP. I tried with VM size Standard_F2s and it is not possible. You are limited to only 2 interfaces. Choose the one which handles the smaller amount of traffic in your scenario. For me, it's port1. If you need more NICs, you have to choose a bigger VM size. At least Standard_F8s.

NOTE! Config sync never worked for me. I assumed it was a bug in FortiOS 6.0.4 and ignored it, as both FortiGates were managed by FortiManager. However, I've heard from other people that on FortiOS 6.2.2 sync is still not working.

The last step in the FGSP scenario is to make sure that the Internal Load Balancer has Session Persistence enabled. You can configure it under Load Balancing Rules. Example screenshot below:

Summary

FortiGates in an Azure environment work pretty well in both SNAT and FGSP deployments. However, to avoid Active Directory issues, go for the FGSP option from day 1! You'll save yourself a lot of precious time. If you have your main FortiGate in your data center, configure the Security Fabric to get greater visibility into Azure Cloud security from your main firewall.

Bullet points for things which were more or less surprising:

  • firewall on-a-stick works perfectly fine in Azure
  • SNAT is not the best solution if you have an AD environment
  • VM size Standard_F2s supports only 2 interfaces

In another article, I will describe how to configure the Azure SDN Connector and what issues you may run into on the way which are not described clearly in the Fortinet docs.