Fortigate configuration for SD-WAN, LANs and VLANs with IPsec support
Configuring a Fortigate firewall to accommodate a complex network setup involves multiple steps, including configuring WAN interfaces, creating VLANs, setting up IPsec tunnels, and defining firewall policies. Each step is crucial in ensuring that the network operates securely and efficiently, meeting the specific needs of the organization.
In today’s digital landscape, ensuring robust and secure network connectivity is paramount for any organization. Firewalls are the frontline defense in protecting networks from unauthorized access and potential threats. Among the various firewall solutions available, Fortinet’s Fortigate firewalls are renowned for their reliability, flexibility, and comprehensive security features. In this guide, we will delve into configuring a Fortigate firewall to accommodate a complex network scenario involving multiple WAN connections, VLANs, a DMZ, and an IPsec tunnel.
Scenario Overview
Our network configuration involves the following components: WAN, LAN, VLAN, DMZ and an IPsec tunnel.
WAN Connections: Two WAN connections are used for SD-WAN to optimize and balance the traffic load.
LAN Connections: Three LAN connections, where LAN1 carries three VLANs:
- VLAN10: General internet access for users.
- VLAN20: Access to a remote network via an IPsec tunnel, and vice versa.
- VLAN30: Access to local servers within the network.
The second LAN serves as a DMZ for isolated and controlled access to certain services.
The third LAN provides internet access for specific users.
IPsec Tunnel: An IPsec tunnel to another location with the public IP address xxx.xxx.xxx.xx/32.
Objectives
- VLAN10 should have access to the internet.
- VLAN20 should have access to the remote network via the IPsec tunnel, and the remote network should have access back to VLAN20.
- VLAN30 should have access to local servers within the network.
- The second LAN should be configured as a DMZ with internet access.
- The third LAN should provide internet access to its users.
Configuration Steps
Step 1: Configuring WAN Interfaces and SD-WAN
Configuration for the WAN interfaces and SD-WAN
WAN1: wan1
WAN2: wan2
Enable SD-WAN:
config system virtual-wan-link
    set status enable
end
Add WAN interfaces to SD-WAN:
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
end
Detailed Explanation
SD-WAN (Software-Defined Wide Area Network) is a revolutionary approach that simplifies WAN management and operation by decoupling the networking hardware from its control mechanism. In our setup, we enable SD-WAN to intelligently distribute the traffic load between two WAN connections. This setup ensures optimal performance and redundancy.
Step 2: LAN Interfaces and VLANs
Configuration for the LAN interfaces and VLANs
LAN1: lan1
LAN2 (DMZ): lan2
LAN3: lan3
Create VLAN Interfaces:
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set interface "lan1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set interface "lan1"
        set vlanid 20
    next
    edit "vlan30"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set interface "lan1"
        set vlanid 30
    next
end
Detailed Explanation
Virtual LANs (VLANs) are a method to create separate networks within a single physical network infrastructure. VLANs enhance security, improve performance, and simplify network management. In this configuration, VLAN10, VLAN20, and VLAN30 are created on LAN1, each serving different purposes: general internet access, IPsec tunnel access, and local server access, respectively.
Step 3: IPsec Tunnel
Configuration for IPsec Tunnel (Phase 1)
config vpn ipsec phase1-interface
    edit "IPsec-Tunnel"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw xxx.xxx.xxx.xx
        set psksecret <Your-PSK>
    next
end
Phase 2 configuration
config vpn ipsec phase2-interface
    edit "IPsec-Tunnel"
        set phase1name "IPsec-Tunnel"
        set proposal aes256-sha256
        set dst-subnet 0.0.0.0 0.0.0.0
        set src-subnet 0.0.0.0 0.0.0.0
    next
end
Detailed Explanation
An IPsec (Internet Protocol Security) tunnel provides secure communication between two networks over the internet. Phase 1 of the IPsec tunnel sets up the IKE (Internet Key Exchange) parameters such as the remote gateway, encryption algorithms, and pre-shared key (PSK). Phase 2 configures the IPsec parameters such as the proposal (encryption and authentication methods) and defines the local and remote subnets that will communicate over the tunnel. With both selectors set to 0.0.0.0/0, the tunnel itself accepts any source and destination, so the firewall policies in Step 4 are what actually restrict which networks use it.
Step 4: Firewall Policies
For VLAN10 with Internet Access
config firewall policy
    edit 1
        set name "VLAN10-to-Internet"
        set srcintf "vlan10"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Detailed Explanation
Firewall policies are crucial in controlling the flow of traffic through the network. The policy for VLAN10 ensures that devices in VLAN10 can access the internet through the SD-WAN link. NAT (Network Address Translation) is enabled to allow internal IP addresses to be translated to a public IP address for internet communication.
VLAN20 with IPsec Tunnel access
config firewall policy
    edit 2
        set name "VLAN20-to-IPsec"
        set srcintf "vlan20"
        set dstintf "IPsec-Tunnel"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "IPsec-to-VLAN20"
        set srcintf "IPsec-Tunnel"
        set dstintf "vlan20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Detailed Explanation
The firewall policies for VLAN20 control the traffic flow between VLAN20 and the remote network via the IPsec tunnel. The first policy allows VLAN20 to initiate connections to the remote network, and the second policy allows the remote network to initiate connections back to VLAN20.
VLAN30 with access to Local Servers
config firewall policy
    edit 4
        set name "VLAN30-to-Servers"
        set srcintf "vlan30"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Detailed Explanation
The policy for VLAN30 ensures that devices within this VLAN can communicate with local servers located in LAN1. This setup is crucial for accessing internal resources such as file servers, databases, and applications.
LAN2 with DMZ Internet Access
config firewall policy
    edit 5
        set name "DMZ-to-Internet"
        set srcintf "lan2"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Detailed Explanation
The DMZ (Demilitarized Zone) is a network segment that is exposed to the internet but isolated from the internal network. This configuration allows devices in the DMZ (LAN2) to access the internet while keeping them segregated from the more sensitive internal network.
LAN3 with Internet Access for Users
config firewall policy
    edit 6
        set name "LAN3-to-Internet"
        set srcintf "lan3"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Detailed Explanation
The policy for LAN3 ensures that users connected to this LAN can access the internet. This is essential for providing internet connectivity to specific users or devices within this segment.
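To sanity-check a policy set like the one above against the objectives listed at the start, here is an added example (not Fortinet code and not part of the original guide): it tokenises the FortiOS "config firewall policy" text, in either the one-line or the multi-line form, and checks that every objective has an accept policy, that nothing lets the DMZ into the internal VLANs, and that every internet-bound policy has NAT enabled. The six policies are the page's own, re-entered here as a constructed sample; the objective and DMZ-isolation lists are taken from the page's text.

```python
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}
# Constructed sample: the six Step 4 policies in the page's flattened one-line form.
POLICY_CLI = """
config firewall policy edit 1 set name "VLAN10-to-Internet" set srcintf "vlan10" set dstintf "virtual-wan-link" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next
edit 2 set name "VLAN20-to-IPsec" set srcintf "vlan20" set dstintf "IPsec-Tunnel" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next
edit 3 set name "IPsec-to-VLAN20" set srcintf "IPsec-Tunnel" set dstintf "vlan20" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next
edit 4 set name "VLAN30-to-Servers" set srcintf "vlan30" set dstintf "lan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next
edit 5 set name "DMZ-to-Internet" set srcintf "lan2" set dstintf "virtual-wan-link" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next
edit 6 set name "LAN3-to-Internet" set srcintf "lan3" set dstintf "virtual-wan-link" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next
end
"""

def parse_policies(cli_text):
    """Return {policy_id: {option: value}} from a 'config firewall policy' block."""
    tokens, policies, current, pid, i = shlex.split(cli_text), {}, None, None, 0
    while i < len(tokens):
        if tokens[i] == "edit":                      # start of one policy entry
            pid, current, i = int(tokens[i + 1]), {}, i + 2
        elif tokens[i] == "set":                     # option followed by its value(s)
            key, vals, i = tokens[i + 1], [], i + 2
            while i < len(tokens) and tokens[i] not in KEYWORDS:
                vals.append(tokens[i])
                i += 1
            current[key] = vals[0] if len(vals) == 1 else vals
        elif tokens[i] == "next":                    # entry complete
            policies[pid], current, i = current, None, i + 1
        else:                                        # 'config ...' / 'end' carry no policy data
            i += 1
    return policies

def find_policy(policies, srcintf, dstintf):
    """First accept policy for the interface pair in ID order, or None (implicit deny)."""
    for pid in sorted(policies):
        p = policies[pid]
        if (p.get("srcintf"), p.get("dstintf"), p.get("action")) == (srcintf, dstintf, "accept"):
            return p
    return None

REQUIRED = [("vlan10", "virtual-wan-link"), ("vlan20", "IPsec-Tunnel"), ("IPsec-Tunnel", "vlan20"),
            ("vlan30", "lan1"), ("lan2", "virtual-wan-link"), ("lan3", "virtual-wan-link")]
FORBIDDEN = [("lan2", "vlan10"), ("lan2", "vlan20"), ("lan2", "vlan30")]  # DMZ stays on implicit deny

def audit(policies):
    """Return findings; an empty list means the policy set meets the stated objectives."""
    findings = [f"missing accept policy {s} -> {d}" for s, d in REQUIRED if find_policy(policies, s, d) is None]
    findings += [f"DMZ reaches internal {d}" for s, d in FORBIDDEN if find_policy(policies, s, d)]
    findings += [f"policy {pid} reaches the internet without NAT" for pid, p in policies.items()
                 if p.get("dstintf") == "virtual-wan-link" and p.get("nat") != "enable"]
    return findings
```

Running `audit(parse_policies(POLICY_CLI))` on the page's six policies returns no findings; dropping `set nat enable` from policy 1 produces one.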
Step 5: SD-WAN Rules
config system virtual-wan-link
    config service
        edit 1
            set name "SDWAN-Internet"
            set mode load-balance
            set input-device "vlan10" "lan2" "lan3"
            set dst "all"
        next
    end
end
Detailed Explanation
SD-WAN rules are configured to manage and optimize the traffic flow through the WAN links. In this configuration, we set up a rule to load-balance internet traffic from VLAN10, LAN2, and LAN3 across the available WAN connections. This approach ensures efficient utilization of the WAN links and improves redundancy and fault tolerance.