Cloud Initiative 1-Lab Guide Lift and Shift Azure
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as
stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks
are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be
registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their
respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions,
and actual performance and other results may vary. Network variables, different network environments and other conditions
may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all
warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding
written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables,
features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of
the publication shall be applicable.
15 December 2022
Table of Contents
Objectives 11
TASK 13 - CONFIGURE FORTIGATE ACTIVE-ACTIVE ROUTING AND SECURITY POLICIES 106
Lab Environment
This lab is configured to give each student their own training lab environment, using pre-created
Azure resource groups that all live in one shared Azure Subscription.
https://portal.azure.com
2. Use the credentials shared with you by your instructors. If you cannot find them, check your junk
mail too. Look for an email with the subject: MIS - Xperts Summit - Public Cloud Track - AZURE
LAB Credentials
7. Enter the necessary information to change your password then click Submit
8. Upon seeing the following screen, the tab can be closed, as the password was changed
successfully.
9. If you want to change your Azure dashboard language you can follow the next steps:
9.1 Once you are logged into your Azure account, click on the gear icon in the upper right corner
9.3 Then you can choose the language and regional format of your preference; in this case
“Español”, to change the Dashboard language to Spanish.
9.4 Click on Apply. A message will come up asking whether you are sure you want to change the
language. Click on OK to save the change.
10. Of note, the Azure account is a new Azure subscription in which only four pre-created resource
groups will already be present. All four will be used in this lab. No new ones can be created, as
resource groups are the basis on which access in the lab environment is scoped per student.
11. Click on Resource Groups in the main page.
12. Confirm the four resource groups are shown (with a different student number).
The customer, the Global Gas company, is moving to Azure as a lift and shift, because its main
datacenter and all of its equipment are well past end of support by the various manufacturers.
The CIO is concerned about problems with the quality of communications and interruptions of the
datacenter.
The new CISO needs to improve the level of compliance and auditing in the multi-cloud environment.
In preparation for moving the various workloads, the IT network security department is setting up a
secure landing zone based on Azure Enterprise Scale using Fortinet.
You are part of this team and will be the main person deploying and configuring the various network
and security components in Azure.
Objectives
• Configure Azure resources
• Familiarize with Fortinet architecture in Azure
• Gain an understanding of networking and security in Azure leveraging Fortinet
Lab Access Using the Azure Portal
Lab Diagrams
Network Topology
Detailed Architecture
Task 1 - Creating a Virtual Network in Azure
Our first step is to create a new VNET (Virtual Network), the workload VNET, in the training Resource
Group.
Creation steps
1. From the Azure Portal, click on Create a resource
2. A new page will be displayed. Search for Virtual Network in the search bar and hit enter.
5. The VNET wizard will be opened. Fill in using the table below
Subscription FTNT-Training
Resource group lcexp<your student number>-training
Instance Name workload-VNET
Region East US
7. Add 10.3.0.0/16 to the IPv4 address space and then click on “Add subnet”. The pre-filled default
address space of the vNet must be deleted.
8. A new pane will open on the right side of the screen. Add a DMZ Network by adding
Subnet name DMZ-Protected-A
Subnet address range 10.3.0.0/24
9. Click on Add
10. The DMZ subnet will then appear in the VNET configuration
11. Click Next: Security or click on the Security pane; nothing will be changed there
12. Then click on Next: Tags or click on the Tags pane; there is nothing to change there either
13. Verify that everything is set accordingly and click Create
15. Upon completion of the deployment, go to the list of Resource Groups and select the training
Resource Group, where after a few minutes the newly created VNET will appear (a web browser
refresh might be required).
Task 2 - Deploy linuxssh virtual machine
Our next step is to create a new VM (Virtual Machine) in the workload VNET.
Creation steps
1. From the main Azure Portal, click on Create a resource
Use the following information from the table to fill out the page as shown in the image below.
Some of those fields will require additional click-through wizards (Image, Size).
Subscription FTNT-Training
Resource group lcexp<your student number>-training
Virtual machine name linuxssh
Region (US) east US
Availability options No infrastructure redundancy required
Security Type Standard
Image Ubuntu Server 20.04 LTS – Gen1 or Gen 2
Size Standard_B1s – 1vcpu, 1GiB memory
Administrator authentication type Password
Username azureadm
Password <choose your own>
Public inbound ports Allow selected ports
Select inbound ports SSH (22)
3. Click on Next: Disks (at the bottom) or click the Disks pane; there is nothing to change here
4. Click on Next: Networking (at the bottom) or click on the Networking pane.
5. In this Networking pane, change the Public IP address to None as shown
6. Click on Next: Management (at the bottom) or click on the Management pane; nothing will be
changed there
7. In the Monitoring pane, under Boot diagnostics, select Enable with custom storage account. A
new drop-down box will appear. Select the pre-created storage account under Diagnostics storage
account.
8. Click on Next: Advanced (at the bottom) or click the Advanced pane; there is nothing to change
here
9. Click on Next: Tags (at the bottom) or click the Tags pane; there is nothing to change here
10. Verify that everything is set accordingly and click Create
Task 3 - Deploy dvwa virtual machine.
Our next step is to create the next VM (Virtual Machine) in the workload VNET. This VM will run the
DVWA software.
From the project itself: D..n (word blocked out on purpose) Vulnerable Web Application (DVWA) is a
PHP/MySQL web application that is d..n vulnerable. Its main goal is to be an aid for security
professionals to test their skills and tools in a legal environment, to help web developers better
understand the processes of securing web applications, and to aid both students and teachers in
learning about web application security in a controlled classroom environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of
difficulty, through a simple, straightforward interface.
Creation steps
1. From the main Azure Portal, click on Create a resource
3. Use the following information from the table to fill out the page as shown in the image below
Subscription FTNT-Training
Resource group lcexp<your student number>-training
Virtual machine name dvwa
Region (US) east US
Availability options No infrastructure redundancy required
Security Type Standard
Image Ubuntu Server 20.04 LTS – Gen1
Size Standard_B2s – 2vcpu, 4GiB memory
Administrator authentication type Password
Username azureadm
Password <choose your own>
Public inbound ports Allow selected ports
Select inbound ports SSH (22), HTTP (80), HTTPS (443)
4. Click on Next: Disks (at the bottom) or click the Disks pane; there is nothing to change here
5. Click on Next: Networking (at the bottom) or click on the Networking pane.
6. In this Networking pane, change the Public IP address to None as shown
7. Click on Next: Management (at the bottom) or click on the Management pane; there is nothing to
change here
8. In the Monitoring pane, under Boot diagnostics, select Enable with custom storage account. A
new drop-down box will appear. Select the pre-created storage account under Diagnostics storage
account.
9. Click on Next: Advanced (at the bottom) or click the Advanced pane; there is nothing to change
here
10. Click on Next: Tags (at the bottom) or click the Tags pane; there is nothing to change here
11. Verify that everything is set accordingly and click Create
14. The screen should look like this; if it does not yet, please wait around 5 minutes or so
15. In the Virtual machine left menu, scroll all the way down and select Serial console
16. Login with the previously created credentials (azureadm and the chosen password)
19. Next, configure DVWA to start using the following command (all on one line):
sudo docker run --restart=always --name dvwa -d -p 80:80 vulnerables/web-dvwa
20. Confirm that DVWA installed correctly using the following command:
sudo docker container ls
Task 4 - Deploy FortiGate Active-Passive
The next step is the deployment of the FortiGate firewalls (in Active-Passive mode) along with the
associated network resources, including the virtual network for the Internet Egress Hub.
Creation steps
1. From the main Azure Portal, click on Create a resource
3. The following results will appear, look at the FortiGate Marketplace Entry
4. In that same FortiGate entry, click on Create, then click on Active-Passive HA with ELB/ILB
5. Use the following information from the table to fill out the page as shown in the image below
Subscription FTNT-Training
Resource group lcexp<your student number>-fgtap
Region (US) east US
FortiGate Administrative Username azureadm
FortiGate password <choose your own>
FortiGate Name Prefix fgap
FortiGate Image SKU Pay As You Go
FortiGate Image Version Latest
10. Use the following information from the table to fill out the page as shown in the image below
Name hub-VNET
Address range 10.1.0.0/16
12. Confirm information entered matches the screen below and then click Next: Public IP
13. Under External Load Balancer, click Create new, which will open a new pane on the right
14. In the right pane named Create public IP address, select SKU Standard
15. Repeat steps 13 and 14 for both FortiGate fgap-FGT-A management and FortiGate fgap-FGT-B
management
18. Click on Next: Advanced at the bottom, there is nothing to change in the Advanced pane
19. On the Review + create pane, verify that everything is set accordingly and click Create
21. This template deploys several resources; expect 5 minutes for the deployment to complete
22. Since there is a limit of 200 route tables per Azure Subscription, and the route table deployed by
this template is not used, it needs to be deleted.
23. From the main Azure Portal, click on Resource groups
24. Click on the lcexp<your student number>-fgtap resource group name itself to open a new pane
on the right.
25. Scroll all the way down and click on the name fgap-RouteTable-ProtectedASubnet
27. Click on the three dots … on the right side and then Dissociate
30. Go back to the lcexp<your student number>-fgtaa resource group, then scroll all the way
down and select the route table named fgap-RouteTable-ProtectedASubnet
Task 5 - Configure VNET Peering FGAP
The next step is the configuration of the virtual network (VNET) peering between the Workload VNET
and the FortiGate FGAP VNET to allow for intercommunications between the two VNETs.
Configuration steps
1. From the main Azure Portal, click on Resource groups
2. Click on the lcexp<your student number>-fgtap resource group name itself to open a new pane
on the right.
3. In the resource group pane, scroll down and click on the name hub-VNET
6. Use the following information from the table to fill out the page as shown in the image below
8. Confirm the peering status shows Connected as per the screenshot below; you might have to
wait a few minutes, occasionally clicking the Refresh button:
9. Next, navigate away from this pane by clicking on Resource groups in the upper left menu
11. In the right pane, click on the name of the linuxssh Network interface
12. In the left Network interface menu, scroll all the way down and click on Effective routes
13. Confirm the routing entry for the VNET peering is showing as per below. This view is very useful
for troubleshooting Azure routing issues.
Task 6 - Configure Workload subnet UDR
The next step is the creation and configuration of the user-defined route (UDR) that forces traffic
destined to the Internet from the workload DMZ subnet to go out via the FortiGate firewalls.
2. Click on the lcexp<your student number>-training resource group name itself to open a new
pane on the right.
5. At the bottom of the Route table entry, click on Create and Route table
6. In the Create Route table pane, use the following information from the table to fill out the page as
shown in the image below
Name Workload-ROUTETABLE
Propagate gateway routes no
7. Click on Next: Tags at the bottom, there is nothing to change in the Tags pane
8. Click on Review + create at the bottom
10. As before, a prompt will show that the deployment is in progress. From this point forward in the lab
guide, this step will be omitted for brevity
11. From the deployment completion screen, click on Home in the upper right corner
13. Click on the lcexp<your student number>-fgtap resource group name itself to open a new pane
on the right.
14. In the resource group pane, scroll down and click on the name fgap-internalLoadBalancer
16. Make note of the IP address assigned by Azure to the Load balancer (10.1.2.4 in this example)
18. Click on the lcexp<your student number>-training resource group name itself to open a new
pane on the right.
19. Scroll down and click on the name itself of the route table workload-ROUTETABLE
22. Use the following information from the table to fill out the page as shown in the image below
27. Use the following information from the table to fill out the right pane as shown in the image
below, then click Accept
28. Confirm the subnet association was successful as per the screen below:
32. In the right pane, click on the name of the dvwa Network interface, the number that is part of the
name is random for each student.
33. In the left Network interface menu, scroll down to click on Effective routes
34. In the right Effective routes pane, confirm the user-defined route created earlier is shown as per below
38. In the right pane, click on the name of the linuxssh Network interface. The numbers that are part
of the name are random.
39. In the left Network interface menu, scroll all the way down and click on Effective routes
40. In the right Effective routes pane, confirm the user-defined route created earlier is shown as per below
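The Effective routes view checked in Tasks 5 and 6 applies a fixed rule: longest prefix wins, and on a tie a user-defined route overrides the Azure system route. The following is an added example (not part of the lab guide) that models that rule for a NIC in DMZ-Protected-A with the guide's address plan; the UDR entry 0.0.0.0/0 -> Virtual appliance 10.1.2.4 is assumed from the text (the guide's route table contents were not captured here), and the inbound-VNET peering from Task 10 is included as well.

```python
"""Azure effective-route resolution for a NIC in DMZ-Protected-A (Tasks 5, 6 and 10).

Added example, not part of the lab guide. Address plan values come from the
guide; the UDR entry (0.0.0.0/0 -> Virtual appliance 10.1.2.4) is ASSUMED from
the text, which says the route forces Internet-bound traffic via the FortiGate
internal load balancer whose IP was noted as 10.1.2.4.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address plan from the lab guide.
VNETS = {
    "hub-VNET": "10.1.0.0/16",       # Task 4, FortiGate Active-Passive (egress)
    "inbound-VNET": "10.2.0.0/16",   # Task 9, FortiGate Active-Active (ingress)
    "workload-VNET": "10.3.0.0/16",  # Task 1
}
DMZ_SUBNET = "10.3.0.0/24"           # DMZ-Protected-A, Task 1 step 8
ILB_IP = "10.1.2.4"                  # fgap-internalLoadBalancer, Task 6 step 16

# Azure precedence when prefixes tie: user routes beat system ("Default") routes.
SOURCE_RANK = {"User": 0, "Default": 1}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # VnetLocal, VNetPeering, Internet, VirtualAppliance
    next_hop_ip: Optional[str]    # only set for VirtualAppliance
    source: str                   # "Default" (system route) or "User" (UDR)


def check_address_plan() -> list[str]:
    """Return problems with the lab's addressing; an empty list means consistent."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in VNETS.items()}
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}: peering would be rejected")
    if not ipaddress.ip_network(DMZ_SUBNET).subnet_of(nets["workload-VNET"]):
        problems.append("DMZ subnet is outside workload-VNET")
    if ipaddress.ip_address(ILB_IP) not in nets["hub-VNET"]:
        problems.append("UDR next hop is not inside the peered hub-VNET")
    return problems


def effective_routes(local_vnet: str, peered_vnets: list[str], udr: list[Route]) -> list[Route]:
    """System routes Azure programs on the NIC, plus the UDR associated with its subnet."""
    routes = [Route(VNETS[local_vnet], "VnetLocal", None, "Default")]
    for name in peered_vnets:                         # Task 5 / Task 10 peerings
        routes.append(Route(VNETS[name], "VNetPeering", None, "Default"))
    routes.append(Route("0.0.0.0/0", "Internet", None, "Default"))
    return routes + udr


def next_hop(routes: list[Route], dst: str) -> tuple[str, Optional[str]]:
    """Longest-prefix match; on a tie a User route overrides the system route.

    This is what the portal's Effective routes view shows: once the UDR is
    associated, the system 0.0.0.0/0 Internet route is listed as Invalid.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return ("None", None)
    best = max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -SOURCE_RANK[r.source]))
    return (best.next_hop_type, best.next_hop_ip)


# Workload-ROUTETABLE as the text describes it (assumed: a single default route).
WORKLOAD_UDR = [Route("0.0.0.0/0", "VirtualAppliance", ILB_IP, "User")]


def dmz_routes() -> list[Route]:
    """Effective routes of a NIC in DMZ-Protected-A after Tasks 5, 6 and 10."""
    return effective_routes("workload-VNET", ["hub-VNET", "inbound-VNET"], WORKLOAD_UDR)


if __name__ == "__main__":
    print("address plan problems:", check_address_plan() or "none")
    for dst in ("8.8.8.8", ILB_IP, "10.3.0.5"):
        print(dst, "->", next_hop(dmz_routes(), dst))
```

Internet-bound traffic resolves to the FortiGate internal load balancer, while traffic to the peered hub and to the local VNET is unaffected by the UDR; removing the UDR from `effective_routes` shows the default Internet next hop the VMs had before Task 6.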
Task 7 - Configure FortiGate Active Passive
The next step is the configuration of the FortiGate firewalls deployed in Active-Passive mode located
in the Inbound VNET.
Configuration steps
1. From the main Azure Portal, click on Resource groups
2. Click on the lcexp<your student number>-fgtap resource group name itself to open a new pane
on the right.
4. Make note of the public IP address of the management interface of FortiGate fgap-FGT-A,
20.169.190.33 in this example
5. Open a new web browser tab to HTTPS on that public IP address, https://20.169.190.33 in this
example, and log in using the credentials azureadm and the previously chosen password.
8. Make note of the public IP address of the management interface of FortiGate fgap-FGT-B,
20.169.207.186 in this example
9. Open another new web browser tab to HTTPS on that public IP address, https://20.169.207.186 in
this example, and log in using the credentials azureadm and the previously chosen password.
10. On both FortiGate web browser tabs dismiss the FortiGate Setup prompt by clicking Later
12. Near the upper right corner, confirm the selected FortiGate says HA: Primary. If it says HA:
Secondary, change to the web browser tab of the other FortiGate
13. In the left FortiGate menu of the primary FortiGate, click on System and then on HA, and ensure
that both FortiGates show the status Synchronized. This typically takes 5 minutes.
14. In the same FortiGate menu, click on Network, then Static Routes, then + Create New
15. Use the following information from the table to fill out the New Static Route as shown in the
image below, then click OK
17. In the same FortiGate menu, click on Policy and Objects, then Firewall Policy, then + Create
New
18. Use the following information from the tables to fill out the Policy as shown in the image below,
then click OK
Name Default-Outbound
Incoming Interface port2
Outgoing Interface port1
Source Create New Address
Name workload-VNET
Type Subnet
IP/Netmask 10.3.0.0/24
Destination all
Service ALL
AntiVirus Enabled with default
Web Filter Enabled with default
DNS Filter Enabled with default
Application Control Enabled with default
IPS Enabled with default
SSL Inspection certificate-inspection
Log Allowed Traffic All Sessions
20. You have completed the configuration of the FortiGate Active Passive firewalls
Task 8 – Confirm VM outbound access
The next step is to confirm that traffic destined to the Internet from the VMs in the workload DMZ
subnet goes out via the FortiGate FGAP firewalls located in the outbound VNET.
2. Click on the lcexp<your student number>-training resource group name itself to open a new
pane on the right.
3. In the right pane, click on the name of the dvwa Virtual Machine
4. In the Virtual machine left menu, scroll all the way down and select Serial console
5. Login with the previously created credentials (azureadm and the chosen password)
6. Next confirm the VM has outbound access by using the command below
curl http://www.fortinet.com
8. Next in the same FortiGate menu, click Log & Report then Forward Traffic. Confirm the traffic is
indeed passing through the FortiGate
9. In the same FortiGate menu, click on Policy and Objects, then Firewall Policy, then confirm the
number of bytes transferred is also increasing in that particular security policy
10. Due to service quota limitations in the Azure training account, the entire content of the FGAP
resource groups needs to be deleted. In a normal production environment, this would not happen.
11. From the main Azure Portal, click on Resource groups
12. Click on the lcexp<your student number>-fgtap resource group name itself to open a new pane
on the right.
13. Click on the ⬜ (square) next to the Name header to automatically select all the items in the
resource group
Task 9 - Deploy FortiGate Active-Active
The next step is the deployment of the FortiGate firewalls (in Active-Active mode) along with the
associated network resources, including the virtual network for the Internet Ingress Hub.
Deployment steps
1. From the main Azure Portal, click on Create a resource
3. The following results will appear, look at the FortiGate Marketplace Entry
4. In that same FortiGate entry, click on Create, then click on Active-Active LoadBalanced with
ELB/ILB.
5. Use the following information from the table to fill out the page as shown in the image below
Subscription FTNT-Training
Resource group lcexp<your student number>-fgtaa
Region (US) east US
FortiGate Administrative Username azureadm
FortiGate password <choose your own>
FortiGate Name Prefix fgaa
FortiGate Image SKU Pay As You Go
FortiGate Image Version Latest
10. Use the following information from the table to fill out the page as shown in the image below,
removing any default information
Name inbound-VNET
Address range 10.2.0.0/16
12. Confirm information entered matches the screen below and then click Next: Public IP
13. Under Public IP address, click Create new, which will open a new pane on the right
14. In the right pane named Create public IP address, select SKU Standard then click OK to return to
the left pane
15. Click on Next: Public IP Verification at the bottom, then click on Accept
16. Confirm the Public IP has been validated
17. Click on Next: Advanced at the bottom, there is nothing to change in the Advanced pane
18. Click on Next: Review + create at the bottom
19. On the Review + create pane, verify that everything is set accordingly and click Create
20. This template deploys several resources; expect 5 minutes for the deployment to complete
21. Since there is a limit of 200 route tables per Azure Subscription, and the route table deployed by
this template is not used by this lab, it needs to be dissociated and then deleted.
23. Click on the lcexp<your student number>-fgtaa resource group name itself to open a new pane
on the right.
24. Scroll all the way down and click on the name fgaa-RouteTable-ProtectedASubnet
26. Click on the three dots … on the right side and then Dissociate
29. Go back to the lcexp<your student number>-fgtaa resource group, then scroll all the way
down and select the route table named fgaa-RouteTable-ProtectedASubnet
Task 10 - Configure VNET Peering FGAA
The next step is the configuration of the virtual network (VNET) peering between the Workload VNET
and the FortiGate FGAA VNET to allow for intercommunications between the two VNETs.
Configuration steps
34. From the main Azure Portal, click on Resource groups
35. Click on the lcexp<your student number>-fgtaa resource group name itself to open a new pane
on the right.
36. In the resource group pane, scroll down and click on the name inbound-VNET
37. In the Virtual network left menu, scroll down to click Peerings
39. Use the following information from the table to fill out the page as shown in the image below
41. Confirm the peering status shows Connected as per the screenshot below; you might have to
wait a few minutes, occasionally clicking the Refresh button:
42. Next, navigate away from this pane by clicking on Resource groups in the upper left menu
44. In the right pane, click on the name of the linuxssh Network interface
45. In the left Network interface menu, scroll all the way down and click on Effective routes
46. Confirm the routing entry for the VNET peering is showing as per below. This view is very useful
for troubleshooting Azure routing issues.
Task 11 - Configure Azure LB for inbound SSH
The next step is the creation of the appropriate Azure Load Balancer rules to permit inbound SSH
traffic destined to the linuxssh VM.
Configuration steps
1. From the main Azure Portal, click on Resource groups
2. Click on the lcexp<your student number>-fgtaa resource group name itself to open a new pane
on the right.
5. Click on + add on the right pane to create a new load balancing rule
6. Use the following information from the table to fill out the page as shown in the image below
Name ssh-to-linuxssh
Frontend IP address fgaa-ELB-ExternalSubnet-FrontEnd
Backend pool fgaa-ELB-ExternalSubnet-BackEnd
Port 22
Backend port 2022
Health probe lbprobe (TCP:8008)
Session persistence Client IP and protocol
Floating IP Enable
8. Confirm the load balancing rule added with the screen below
Task 12 - Configure FortiGate Active-Active config synchronization
The next step is to configure configuration synchronization between the FortiGate firewalls deployed
in Active-Active mode in the Inbound VNET, leveraging a FortiOS feature typically used with
autoscaling groups or VM scale sets. The feature works even though this deployment does not use
autoscaling groups / VM scale sets.
Configuration steps
1. From the main Azure Portal, click on Resource groups
2. Click on the lcexp<your student number>-fgtaa resource group name itself to open a new pane
on the right.
5. In the right pane, make note of the Frontend IP and Frontend port for both FortiGate fgaa-FGT-A
and FortiGate fgaa-FGT-B for the HTTPS admin access
6. Open a new web browser tab to HTTPS on the FrontEnd IP address and the port noted for FortiGate
fgaa-FGT-A, https://20.163.217.20:40030 in this example, and log in using the credentials
azureadm and the previously chosen password.
7. Open another web browser tab to HTTPS on the FrontEnd IP address and the port noted for
FortiGate fgaa-FGT-B, https://20.163.217.20:40031 in this example, and log in using the
credentials azureadm and the previously chosen password.
8. On both FortiGate web browser tabs dismiss the FortiGate Setup prompt by clicking Later
On the Dashboard Status of FortiGate fgaa-FGT-A, confirm Auto Scaling is not configured, then
open a CLI Console prompt by clicking on the >_ icon in the upper right
11. On the Dashboard Status of FortiGate fgaa-FGT-B, confirm Auto Scaling is also not configured,
then open a CLI Console prompt by clicking on the >_ icon in the upper right
13. Exit the CLI Console, then confirm the Autoscale configuration of FortiGate fgaa-FGT-B shows
the secondary mode in the upper right corner of the Dashboard Status. This might require a
wait of approximately 5 minutes
14. On the web browser tab of FortiGate fgaa-FGT-A, also exit the CLI console and confirm the
Autoscale configuration
Task 13 - Configure FortiGate Active-Active Routing and Security Policies
The next step is the configuration of the static routes and security policies of the FortiGate firewalls
deployed in Active-Active mode located in the Inbound VNET. This will allow inbound traffic to the
DMZ protected subnet located in the workload VNET.
Configuration steps
1. From the main Azure Portal, click on Resource groups
2. Click on the lcexp<your student number>-fgtaa resource group name itself to open a new pane
on the right.
5. In the right pane, make note of the Frontend IP and Frontend port for FortiGate fgaa-FGT-A for the
HTTPS admin access
6. Open a new web browser tab to HTTPS on the FrontEnd IP address and the port noted for FortiGate
fgaa-FGT-A, https://20.163.217.20:40030 in this example, and log in using the credentials
azureadm and the previously chosen password.
7. In the left FortiGate menu of fgaa-FGT-A click on Network, then Static Routes, then + Create
New
8. Use the following information from the tables to fill out the New Static Route as shown in the
image below, then click OK
10. In the same FortiGate menu, click on Policy and Objects, then Virtual IPs, then + Create New
11. Use the following information from the table to fill out the New Virtual IP as shown in the image
below, then click OK
Name Public-LB-IP
Interface Any
Type Static NAT
External IP address/range FGAA LB Frontend IP (20.163.217.20 in this example
from step 5)
Map to IPv4 address/range 10.3.0.4
Port Forwarding TCP
Port Mapping Type On to one
External service port 2022
Map to IPv4 22
13. In the same FortiGate menu, click on Policy and Objects, then Firewall Policy, then + Create
New
14. Use the following information from the table to fill out the Policy as shown in the image below,
then click OK
Name: ssh-to-linux
Incoming Interface: port1
Outgoing Interface: port2
Source: all
Destination: Public-LB-IP (Virtual IP)
Service: SSH
Log Allowed Traffic: All Sessions
16. Open another web browser tab to https://<FrontEnd IP>:<port> for FortiGate fgaa-FGT-B
(https://20.163.217.20:40031 in this example), and log in using the credentials of azureadm and
the previously chosen password.
17. Click on Log in Read-Only
18. In the left FortiGate menu of fgaa-FGT-B click on Network, then Static Routes. Confirm the
static route created on FortiGate fgaa-FGT-A is synchronized over to FortiGate fgaa-FGT-B
19. In the same FortiGate menu, click on Policy and Objects, then Firewall Policy. Confirm the
Policy created on FortiGate fgaa-FGT-A is synchronized over to FortiGate fgaa-FGT-B
Task 14 - Test inbound SSH to linuxssh
The next step is to test the entire configuration by confirming that SSH access to the linuxssh VM is
permitted.
Task steps
1. Open an SSH connection from your own laptop to the FrontEnd IP address (20.163.217.20 in this
example) on the external service port 2022 set in the Public-LB-IP virtual IP. The screenshot below
shows the popular PuTTY software, but any suitable SSH client can be used.
Task 15 - Deployment of FortiWeb Active-Active
The next step is the deployment of the FortiWeb web application firewalls in Active-Active mode
located in the Inbound VNET. This deployment uses an ARM template located in the Fortinet GitHub
repository.
Deployment steps
1. Open a web browser tab to go to the following URL: https://github.com/fortinet/fortiweb-ha/releases/tag/1.0.8
6. Enter Template deployment in the search box then click on the first inline result that comes up
11. Click Save at the bottom left once the template has uploaded successfully
12. To fill in the template parameters, the Subscription ID and Tenant ID have to be discovered
manually. This situation is rather common with customers, which is why these steps were devised
13. Open a new browser tab to portal.azure.com then click on the upper right triple bar icon (≡) to
open the left Azure menu, then click on All services
15. Copy and paste the Subscription ID to a text editor or similar tool
16. In the same web browser tab, click on the upper right triple bar icon (≡) to open the left Azure
menu, then click on Azure Active Directory
17. Copy and paste the Tenant ID to a text editor or similar tool
18. Use the following information from the table to fill out the template as shown in the image below,
then click Review + Create at the bottom
Subscription: FTNT-Training
Resource group: lcexp<your student number>-fwb
Region: (US) east US
Subscription ID: <from step 15>
Tenant ID: <from step 17>
Restapp ID: <from the email sent>
Restapp Secret: <from the email sent>
Resource Name Prefix: fwbha
Vm Sku: Standard_F2s_v2
Vm Admin Username: azureadm
Vm Authentication Type: password
Vm Admin password: <choose your own>
Vm Ssh Public Key: <blank>
Vm image type: OnDemand
Vm image Version: latest
Vm Count: 2
Vnet New Or Existing: existing
Vnet Resource Group: lcexp<your student number>-fgtaa
Vnet Name: inbound-VNET
Vnet Address Prefix: 10.2.0.0/16
Vnet Subnet1 Name: ExternalSubnet
Vnet Subnet1 Prefix: 10.2.1.0/24
Vnet Subnet2 Name: InternalSubnet
Vnet Subnet2 Prefix: 10.2.2.0/24
Load Balancer Type: Public
Fortiweb Ha Mode: active-active-high-volume
Fortiweb Ha Group Name: fwbaa
Fortiweb Ha Group Id: 2
Fortiweb Ha Override: disable
Storage Account Name: <blank>
Storage Access Key: <blank>
Storage License Container Name: <blank>
19. Confirm that validation passed then click Create at the bottom
22. In the right pane under tags, make note of the ha-role of the FortiWeb VM, whether it is Slave or
Master
23. In the left Virtual machine menu, click on Networking
24. In the right Networking pane, copy the NIC Public IP of fwbha-external-nic1
25. Open a web browser tab to https://<NIC Public IP>:8443 (https://52.234.232.6:8443 in this
example) and log in using the credentials of azureadm and the previously chosen password.
26. Repeat steps 21 to 25 to open an additional web browser tab to the public IP address of
fwbha-vm2
27. On the web browser page of the Slave FortiWeb VM (fwbha-vm1 in this example), confirm that
both cluster members are displayed in the System Information widget and that the status
HA: Secondary is displayed in the upper right corner.
28. On the web browser page of the Master FortiWeb VM (fwbha-vm2 in this example), confirm that
both cluster members are displayed in the System Information widget and that the status
HA: In sync is displayed in the upper right corner.
Task 16 - Configure FortiWeb Active-Active Routing and Policies
The next step is the configuration of the static routes and content routing policies of the FortiWeb web
application firewalls deployed in Active-Active mode located in the Inbound VNET.
Configuration steps
1. Navigate to the lcexp<your student number>-fwb resource group, then click on the name of the
fwbha-loadbalance Load Balancer.
2. In the left Load balancer menu, click on Frontend IP configuration, and then make note of the IP
address in the right pane (52.154.67.11 in this example). This will be used later.
3. Use the FortiWeb Master web GUI from task 15, or re-open it in a web browser tab to
https://<public IP>:8443 of the FortiWeb Master member (https://52.154.65.37:8443 in this
example), and log in using the credentials of azureadm and the previously chosen password.
Note that this is the member's own public IP, not the load balancing FrontEnd IP.
4. On that web browser page, in the left FortiWeb menu, click on Network, then click on Route and
click on +Create New
5. Use the following information from the table to fill out the New Static Route that allows FortiWeb
to reach the workload subnet. Then click on OK
Destination IP: 10.3.0.0/24
Gateway Address: 10.2.2.1
Interface: port2
6. On that web browser page, in the left FortiWeb menu, click on Network, then Virtual IP, then
+Create New
7. The Create Virtual IP form will be opened. Fill in using the table below then click OK
Name: dvwa-virtual-ip
IPv4 Address: <IP address from step 2>/32
IPv6 Address: ::0
Interface: port1
8. In the same left FortiWeb menu, click on Server Objects, then expand Server, then click Virtual
Server, then click +Create New
9. In the Edit Virtual Server pane, enter dvwa-virtual-server as name then click OK. Click on
+Create New in the same right pane
10. In the New Virtual Server item right pane, select the Virtual IP dvwa-virtual-ip then click OK
11. In the same Edit Virtual Server pane, click on +Create New to create an additional entry
12. In the New Virtual Server item right pane, enable Use Interface IP and then select port1 then
click OK
14. In the same left FortiWeb menu, click on Server Objects, then expand Server, then click Server
Pool, then click +Create New
15. In the right Edit Server Pool pane, enter a name of dvwa-server-pool and then click OK
16. In the same Edit Server Pool pane, click on +Create New to create a new server pool rule
17. Confirm the IP address of the dvwa VM by navigating in a new web browser tab to Resource
groups, then to lcexp<your student number>-training resource group, then clicking on the VM
name of dvwa. Look in the Networking properties
18. In the same FortiWeb tab, in the New Server Pool Rule pane on the right, enter the IP of the
dvwa VM from step 14 then click OK
19. In the same left FortiWeb menu, click on Policy, then expand Server Policy, then click +Create
New
20. The New Policy form will be opened. Fill in using the table below then click OK
Name: dvwa-server-policy
Deployment Mode: Single Server/Server Balance
Virtual Server: dvwa-virtual-server
Server Pool: dvwa-server-pool
Protected Hostnames: <blank>
HTTP Service: HTTP
HTTPS Service: HTTPS
Replacement Message: Predefined
21. Open a new web browser tab to the load balancer frontend IP of step 2 on port 80,
http://52.154.67.11 in this example. Log in with the username admin and the password password
25. Change the security level to low if not already at that level by choosing Low in the pulldown menu
and then by clicking Submit
27. Enter an IP address to ping, for example 8.8.8.8 then click Submit
29. Next, enter an IP address followed by a semicolon and then a Linux command, for example pwd:
8.8.8.8; pwd
30. Notice that not only the ping command executed but also the Linux pwd command, whose result
appears in the output
Task 17 - Configure FortiWeb Active-Active Security Policies.
The next step is the configuration of the security policies of the FortiWeb web application firewalls
deployed in Active-Active mode located in the Inbound VNET.
Configuration steps
1. Open a web browser tab (if not already open) to https://<public IP>:8443 of the master FortiWeb
VM (https://52.154.65.37:8443 in this example), and log in using the credentials of azureadm and
the previously chosen password.
2. On that web browser page, in the same left FortiWeb menu, click on Policy, then expand Server
Policy, click on dvwa-server-policy name and then click on Edit
3. In the right pane of Edit Policy, scroll down to Web Protection Profile, and choose Inline
Standard Protection from the pull-down menu then click OK
4. Log in to DVWA in a new web browser tab if not already logged in. Next, in the left DVWA
menu, click on Command Injection
5. Next, enter an IP address followed by a semicolon and then a Linux command, for example pwd:
8.8.8.8; pwd
7. Go back to the Master FortiWeb console to investigate the attack logs. In the same left FortiWeb
menu, click on Log&Report, then expand Log Access, click on Attack.
This attack is classified as Generic Attacks, and you can even identify which input parameters
were detected as threats. To review the log detail, click on each entry.
Tip
If you don’t find the command injection attack log in the Master FortiWeb VM, look on the Slave
FortiWeb VM attack log, as it’s possible that your request was handled by the secondary unit.
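As an added example (not code from the lab guide, DVWA or FortiWeb), the Python below contrasts the DVWA "Low" command-injection handler pattern exercised in Tasks 16 and 17 with a hardened form, and runs a simplified metacharacter check over constructed request lines to show the per-parameter view that the attack log gives. The DVWA path and the ip parameter name are assumptions, and the metacharacter list stands in for FortiWeb's Generic Attacks signatures rather than reproducing them.

```python
import ipaddress
import re
import urllib.parse

# Simplified stand-in for the WAF's command-injection signatures (not FortiWeb's
# actual "Generic Attacks" rule set): characters that chain a second shell command.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

# Constructed request lines, not real lab traffic; the DVWA path and the "ip"
# parameter name are assumptions made for this example.
SAMPLE_REQUESTS = [
    "GET /vulnerabilities/exec/?ip=8.8.8.8&Submit=Submit",
    "GET /vulnerabilities/exec/?ip=8.8.8.8%3B+pwd&Submit=Submit",
]

def vulnerable_ping_command(target: str) -> str:
    # Mirrors the DVWA "Low" level: the raw parameter is concatenated into a shell
    # string, so "8.8.8.8; pwd" becomes ping followed by pwd. Nothing is executed here.
    return "ping -c 1 " + target

def safe_ping_argv(target: str) -> list:
    # Hardened form: the value must parse as an IP address and is passed as one
    # argv element (no shell), so metacharacters are never interpreted.
    addr = ipaddress.ip_address(target.strip())  # ValueError for "8.8.8.8; pwd"
    return ["ping", "-c", "1", str(addr)]

def is_safe_target(target: str) -> bool:
    # True if safe_ping_argv accepts the value; nothing is executed either way.
    try:
        safe_ping_argv(target)
        return True
    except ValueError:
        return False

def flagged_parameters(query: str) -> list:
    # (name, decoded value) pairs whose value carries shell metacharacters: the
    # per-parameter view that a FortiWeb attack log entry reports.
    flagged = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = urllib.parse.unquote_plus(raw)
        if SHELL_META.search(value):
            flagged.append((name, value))
    return flagged

def scan_requests(lines: list) -> list:
    # Keep only request lines that have at least one flagged parameter.
    hits = [(line, flagged_parameters(line.partition("?")[2].split(" ")[0])) for line in lines]
    return [(line, params) for line, params in hits if params]
```

Running scan_requests(SAMPLE_REQUESTS) returns only the second request, with ("ip", "8.8.8.8; pwd") as the flagged parameter, while is_safe_target rejects that same value before any command is built.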
Extra Task - Configure FortiWeb Active-Active Traffic logging
Traffic logging is a great feature when troubleshooting connectivity issues, but it implies heavy
resource consumption. Since the release of FortiWeb v7.0.2, you can only enable traffic logging via the CLI.
In previous releases, this option was available directly in the GUI.
To enable traffic logging, use the following commands in the Master FortiWeb VM.
config log traffic-log
set packet-log {enable | disable}
set status {enable | disable}
end
Configuration steps
1. Open a web browser tab (if not already open) to https://<public IP>:8443 of the master FortiWeb
VM (https://52.154.65.37:8443 in this example), and log in using the credentials of azureadm and
the previously chosen password.
2. On that web browser page, in the same left FortiWeb menu, click on the Command Line symbol.
3. To avoid unnecessary resource consumption, FortiWeb will not generate traffic logs for any server
policy unless specified. After enabling status under config log traffic-log, you also need to
enable the traffic log setting in the Server Policy through the GUI or the CLI (config server-policy
policy).
On that web browser page, in the same left FortiWeb menu, click on Policy, then expand Server
Policy, click on the dvwa-server-policy name and then click on Edit
4. In the right pane of Edit Policy, scroll down to Log Config, and turn on the Enable Traffic Log
option, then click OK
5. Generate additional traffic in the protected web application. Open a new web browser tab to the
load balancer frontend IP on port 80, http://52.154.67.11 in this example. Log in with the username
admin and the password password
6. Next in the left DVWA menu, click on SQL Injection, and type the number 1 in the User ID field
and then Submit.
You can repeat this step, with number 2, 3, 4 and 5 to generate additional traffic.
7. Go back to the Master FortiWeb console to verify the traffic logs. In the same left FortiWeb menu,
click on Log&Report, then expand Log Access, click on Traffic.
You can review the log detail by clicking on each one.
Tip
If you review the Traffic Log in the Slave FortiWeb VM, you will notice that it differs from the
Master Traffic Log. The reason is that Master and Slave are working in an Active-Active
configuration, each acting as a standalone FortiWeb with configuration synchronization only,
and hence there is no log replication.