Cisco Firepower to Fortinet Fortigate Site to Site VPN (English)

Captions
Well, hello. My name is Aaron Taurus. I'm with Cisco and I'm one of the technical security architects with Cisco, and we'll be going over how to configure a site-to-site VPN between a FortiGate and a Firepower 1010.

All right, so what we're looking at right now is the dashboard of the FortiGate, but before I get into configurations or anything I kind of want to set up the understanding of how this diagram looks. So on one hand we have a FortiGate, on the other hand we have a Firepower, and on the outside WAN interfaces of both of these units, essentially, they have public interfaces, meaning they have a static IP address from the ISP. Both on the inside have their own private unique networks: one might be 10.10.10, the other one might be 10.20.20.20, right? But what we're trying to accomplish here, and more in the real-world environment, is how do we configure two different vendors to do VPN between each other. It might be in a case where you might have a FortiGate data center, or maybe in a virtual cloud or public cloud, and maybe you have a Firepower 1010 at a remote location and you need to be able to gain access to the network behind this, let's say for example this virtual FortiGate or this headquarters firewall, right? The whole point in the real-world environment: not everybody may have the exact same vendor.

All right, so let's get into this. I will go over the configuration of the FortiGate first. You'll notice that I'll go to Network and then Interfaces. Under Interfaces I'll just kind of go over how I configured this particular unit, and we'll kind of go over the configuration of the Firepower too. You'll see here under internal I configured 192.168.100.99 as the default network behind the internal. You'll notice that it has a hardware switch; I'm actually only using one port. It might be connected to another switch or maybe just one device behind it. And over here in wan1 you'll notice that I have a public static IP address. Now on the internal side we have DHCP, so anything that we connect to that internal network will have a DHCP address, but here I have statically assigned a static public IP address that I got from the ISP directly into the FortiGate. You'll notice here in the FortiGate I've enabled access for me to reach this particular FortiGate, to do testing like ping or SSH or HTTPS on this particular interface, and I've enabled the interface.

But if I go back to internal, you'll notice that it's a hardware switch, because this particular model allows me to have multiple internal ports as a member of, like, a bridge group, right? You'll see here that I can take members in and out of that membership. You'll notice that I have .99 as my gateway, which is the default for the FortiGate on the internal side, what access I want to enable and disable for the FortiGate from an administrative point of view, and I have also enabled the DHCP server for the inside of this interface, so any devices that are directly connected to this particular interface or this internal network will get an IP address from this particular range, okay? And then the interface is also enabled.

The next thing I want to do is go to Static Routes, and under Static Routes you'll notice that I have an any/any route going to the public internet, and this particular IP address that we're seeing here is probably the router, the gateway of my public internet provider, right? And I'm using wan1 and just saying that all traffic that I have is destined for the internet. I don't have any other special configurations like SD-WAN or explicit proxy or anything, so we're not going to go through those today. But we will go over Policy & Objects. So you'll notice under IPv4 Policy, which is the configuration of the firewall rules or policies for the FortiGate, that I have a rule here saying internal to wan1. So any traffic that's part of the hardware switch, which is the internal one port, going to wan1, which we just specified being the internet access for the actual FortiGate itself, is going to be allowed, and we're saying all traffic on the inside and all traffic going to the outside on an always schedule, and all ports, are going to be accepted. Now the one thing that we notice about FortiGate is that it allows a NAT statement not to be separate policies; they're actually integrated into the actual firewall policies, which to me is very handy. It kind of helps me, from an administration point of view, specify how NATs are working and kind of keep them in a single centralized area. You'll see that you'll be able to measure the traffic and active sessions going into a particular rule, okay?

We're not going to be enabling any antivirus, web filtering or DNS filtering in this particular policy. We could; I highly suggest it if you have traffic going out to the internet and you want to be able to ensure security. In the FortiGate you would enable these different options here: antivirus, web filtering, application control, IPS, and at a later time I'd be more than happy to show those to you. But why is that important? Because if we do create a firewall policy for IPsec or for VPNs, you might maybe want the load of the encryption offloading or the AV or IPS to take place at the headquarters instead of the remote location, right? So meaning that if there was an infection or a compromise happening at a remote branch, they would have to travel through the internet, through the VPN tunnel, to this particular headquarters, and this unit here would capture that traffic and quarantine it or clean it before it got access to the data center or whatever is behind this particular firewall. That's one use case. Obviously you turn on security from the FortiGate as well as the Firepower; maybe it will capture something on both ends that maybe the other vendor didn't capture. But the more you enable, the more you turn on, the fewer sessions and the less amount of memory is available on these units to do that, what I would call deep packet inspection, when it comes to advanced security. Okay.

So now let's go into the Firepower unit and kind of go over the basic configurations of this particular unit. You'll see under Interfaces here that I have multiple interfaces, just like we did in the FortiGate. We'll see here that we have what I would call Ethernet1/1, which is the default WAN interface of the Firepower 1010. If we edit that particular interface, you'll notice that I have that static address here with a subnet associated to it. It's a routed interface and the status is enabled. And then you'll notice here that I am using a port of 1/8, okay, and 1/8 being the inside interface of that actual firewall that we're using, that we can connect the device to, to be able to get through that VPN tunnel. Now here you'll notice that I'm using an interior network of 192.168.111.1 in a /24, and I'm also using a DHCP server enabled for that as well. It's a routed interface. Now, if you notice, I'm not using the bridge group or the hardware switch associated to the Firepower; just to make it easier I'm using a separate interface. So I took 1/8 out of the bridge interface and it kind of made its own routed interface within the actual firewall itself, okay? Now we have that set up, let's go to Routing. Under Routing you'll notice that I have an any/any statement going to the gateway, and the gateway is .206. The one difference here is you specify host names for address objects, for the networks as well as the gateway, so those are things that you create on the fly or that you do predetermined before you go in here and configure it. So if we go to Objects, go to Networks, you'll notice that a lot of these things are specified in here. You'll notice that IPv4 gateway is that .206 address, the inside network address that we were using, so you might have to specify this or do it on the fly as you're making those configurations.

And then some other things I want to point out here is under Smart Licensing. Under Smart Licensing we're using an evaluation version of the Firepower, and you'll notice that the remote access VPN is not enabled. That's not something we're going over today, but the reason I bring that up is because we're not going to be able to use some advanced encryption methods like 3DES. So in this particular configuration that we're doing we're using DES, but sure, you probably want to go with a stronger encryption and better best practices, but because of the lack of license that we have on both sides we're just using a simplistic configuration. But those can be modified and changed at any given time. If you do have a Smart Account you can register the device, enter the token, and you can pay for the update services and so on for the Firepower so that you can get the added encryption methods into this particular unit itself.

Now let's jump back to the FortiGate and let's go over what I would call the VPNs, okay? So the cool thing about a FortiGate is that they have wizards, and so does the Firepower 1010, but the one nice thing that I like about the FortiGate is that I can bring tunnels up and down at any given time, and I'll show that to you here shortly. But what I want to do is kind of show you how to configure a site-to-site VPN between the FortiGate and the Firepower that works and that allows us to route traffic through it. So they have an integrated wizard in the FortiGate. So let's, and I already have this all created, so I'm not going to save this, but we'll go back and I'll show you the configuration for each. But for example, let's say the remote side is Austin Firepower, right, site to site. But there's a template type associated in the FortiGate that allows us to kind of use a predetermined template with P1/P2 proposals, and we can modify those, okay? We have no NAT between sites because, you know, they both have static addresses. We go ahead and click Next. The IP address will be the actual IP address of the Firepower unit, and that's the WAN interface of the remote device, and then the outgoing interface is wan1, which is the internet-facing interface on the FortiGate reaching the internet, and then we'll, you know, for example use whatever pre-shared key you're using between both devices. Now if we click Next, the local interface would be the internal; it would specify that internal address for us, but we also have to specify what is the remote IP address or network that's behind the Firepower, right? And then you're going to have to do the reverse once we get to the other unit: the local address to the Firepower would be the 111.0, and then the remote would be the 100.0. But since we are behind the FortiGate right now, our local subnet is the 192.168.100.0/24 and the network behind the Firepower is 192.168.111.0/24, okay? We go ahead and select, you know, Create. Once we do that, it goes ahead and creates what I would call the VPN tunnel, okay?

Now once we edit that particular tunnel, there will be a button up here (and I already did it, so forgive me) that says Convert To Custom, because it's actually wrong: there are some changes that we need to do, because the licensing that we have on both units will not match. So on the FortiGate side I clicked that button right up here, which you don't see in this particular screen; we'll say Convert To Custom. Once we convert to custom, we need to go through all the configuration here to make sure it matches the defaults of the Firepower. For example, if I click on Edit for the network, you'll notice it has a static address, the remote peer address, the interface that it's using, the outside; we're using NAT traversal, and we're doing dead peer detection on demand, okay? Now let's go to Authentication. We are using a pre-shared key; we're going to use the same pre-shared key at both locations, but we are in this particular case going to use IKEv1, okay? In a later video I'd be more than happy to show you how to do IKEv2, but just for simplistic reasons, to get a tunnel up and running, we're going to use IKEv1. We are doing main ID. When would you use main ID and aggressive? We would use aggressive if we were behind a NATed address and we had to make it call out, but in this case we use main ID on both firewalls because there are static addresses on both locations.

P1 proposal: forgive me, we're not actually changing that; I actually probably should cancel and come back into this. I don't want to save that since we have this tunnel already up and running. So going back to the P1 proposal, you'll notice that I have DES and SHA1. Of course there are better options in here, such as 3DES and AES-256, but as I explained before, because of the licensing we're going to use DES right now, but as long as they're matching on both sides you should be just fine. We're using DES, SHA1 for authentication, we're using Diffie-Hellman group 14, and the key lifetime 86400. And then we'll go down to P2 proposal. Here the wizard automatically created the local and the remote object names with those IP address subnets that we used, so we can go back and take a look at those, and you'll see local address, remote address. But when you click on Advanced, there are some changes here that you probably have to make, for example encryption being DES, authentication being SHA1, enabling replay detection, PFS is enabled, group 14, and then the seconds. You would make those changes and save them.

Now there's a couple of other things that we have to specify that are working before we bring everything back up. So let's go to what I call Addresses, right, just to make sure that those addresses are done correctly, that we didn't do any typos or whatever. But the wizard created the local subnet and the remote subnet, okay, so those were added in here, and you'll notice that it went ahead and created these address groups. And the reason why you create these address groups is because in the future, if you need to add a different subnet into them, it's easier to just create the object and put it into those address groups than having to recreate a whole new VPN tunnel; we can add them to the exact existing VPN tunnel.

Now let's go to IPv4 Policy. So there's a difference between what I call route-based and policy-based VPNs, and what the wizard did is it created what I call a route-based VPN, so the encryption is being done from an interface versus the policy, okay? In a policy-based VPN you would probably put action encrypt from a policy perspective, but in the FortiGate, in this particular route-based VPN, we can route things kind of like a GRE tunnel, right? We could route things over this particular virtual interface, and I'll kind of show you what that looks like. But let's look at the policies. And since it's a route-based VPN there has to be an exit and an entrance, you know, like going out and inbound, okay? So you'll notice that we're using this virtual interface that it creates for IPsec, called FDM Austin, going to our internal network, and then we have internal going to this virtual interface called FDM Austin, okay? So here we'll edit it. You'll notice that it shows the interface, it shows the internal and then the virtual interface, it shows those networks that we have, that remote and local, and you'll notice here it says ACCEPT, not IPsec, because again this is a tunnel-based, a route-based VPN, not a policy-based VPN. If we were creating a policy-based VPN you would select IPsec, but in this case we are not doing that, okay? There's no need for NAT, because since we're doing routing, we're routing that traffic over these virtual interfaces and we're not doing policy, okay? And then if you go look at the other policy, you'll notice here the same thing, but it's just in a different direction, so now it's going local to remote. Again it's accepting and we're not doing any NATting. And the one thing I want you to notice here is that some traffic is being generated from one direction to the other. Now, notice here where it says Log UTM: we can log any connections, but we also can attach what I call security policies to the traffic on the VPN. So if you want to apply web filter, antivirus or DNS filter, application control, you can. Does it make sense? is the question. The more you add to a policy from a security perspective, the slower, and the more resources are going to be used within that box or that solution, right? But if you have the resources to do it, why not? If you're forcing all internet traffic to go through this policy, then you might want to configure web filtering and specify what you want to allow or block, okay?

Now since this is a route-based VPN, let's go take a look at those particular static routes that we have going through that virtual interface, okay? You'll see here we have all traffic going to a black hole unless specified going to the FDM Austin, okay? And FDM Austin is what we call the Firepower unit. All right, so you'll see here that anything that's destined for that remote traffic, that 192.168.11.0/24, is destined to go through this interface. All right, so anything on the internal network that's destined for that network would be routed through this virtual interface. So let's go look at that virtual interface. So if you look under wan1, you'll notice that we have FDM Austin. It's a virtual interface, and if we wanted to give it an IP address and allow people to administer the FortiGate, if we wanted to, you know, change configuration, or we could make this like an OSPF route or, you know, BGP or whatever, we definitely could, but in this case we're not; we're just creating this site-to-site VPN. All right.

Now, before I come back here, let's go through the configuration side of the Firepower unit, okay? From the configuration side, from the Firepower unit, through what we call FDM, which is the Firepower Device Manager, an on-box management for the Firepower units. Again, as I stated, we're using an evaluation license, so we do not have the advanced encryption or advanced security feature for the Firepower to use 3DES; we're just using DES, okay? You go to Site-to-Site VPN configuration. Under site-to-site configuration you go ahead and click Add, and you'll be taken through a wizard to configure this. Obviously you'll be naming it. So again, I'm just going to go through a test configuration, but I already pre-configured this test. And then obviously the local VPN access interface, right, and essentially that's going to be the dirty internet connection, right? And then you also specify what is the remote IP address of the FortiGate that we're trying to reach, okay, and that's a .205 address, and this is static, okay? The local network, which is our network, right, which is here local to us, which would be in this particular case the inside 8 network, because I'm behind interface 8, and then here the remote network will be the network that I have over there. Now I usually hate watching videos and they don't explain what that means, and I explained it in the FortiGate, but I'll explain it in the Firepower. The inside 8 network, local network, is the local network behind my interface 8 on my Firepower unit. My local network is 192.168.111.0/24; that's where my PC sits. The remote network is 192.168., I believe it was, 100.0/24; that is the local network on the other side of the FortiGate, okay? So we're basically saying what's my local network and what's the remote local network. All right, now once we click Next it's going to ask us, you know, IKE version 2 or IKE version 1; we're going to do IKE version 1 just for simplistic reasons, okay? Now this is where it gets a little bit trickier because of the licensing. This doesn't reflect everybody; if you do have a full-blown license you don't have to follow this method, but if you don't and you just want to get a site-to-site VPN tunnel up and running, you definitely can follow this method. In this case we're using what I call SHA, DES, group 14, pre-shared key, okay? But you do have various other options in here, from AES-256 to 3DES to using certificates, however you want to configure that, but in this particular case we're using pre-shared key, DES, group 14.

Now from an IPsec proposal, you know, we have to add one, and the one that we added was the DES SHA. Now if you had the licensing you want to, you know, go create one and say 3DES SHA or whatever, you definitely could, but I created one called the DES SHA because I know that that's what we're using on the other location. The pre-shared key: you type in the key that you have shared between both locations. And then I'm going to exempt NAT. Now what I mean by exempting that is that there is no reason why I need to have traffic going to a particular location, right? And so what I really mean by that is that a no-NAT statement means that we're not going to use NAT to be routed through the internet. Enable PFS Diffie-Hellman group 14 on the other location, so we should select that. We click Next and then it pretty much completes that particular tunnel that we just created, okay? So it will show up here, and I'm going to go and edit this tunnel just to kind of show you how it looks like. Again, it's outside, that's right, my interface; this is our external WAN IP address of the FortiGate; inside network, the remote network; then we have, we're using IKE version 1; the proposals for IKE version 1 policy, all right, I'm using DES, group 14, pre-shared key. Now over here I use the custom one, the FortiGate DES SHA; I created that, to be honest with you. And then the pre-shared key that we have shared between both firewalls. I selected no NAT, and that actually might be wrong, I do apologize, no NAT inside 8, so I probably need to go check and make sure that's working correctly. And then the Diffie-Hellman 14, right. I click Next and then it allows you to review the actual configuration, and it allows me to see how everything's working and how everything's running. You'll see the NAT exempt, the IKE policies, the authentication type, etc. I click Finish and then we're done at that point.

We have one more step: we have to go to Policies, and from a policy perspective I have to create a policy. You click up here at the right-hand corner and select, you know, where, what, how you want traffic to flow, right? And in this particular case I have a policy already created. In this particular policy I'm saying inside 8, which is the zone associated to port 8; my network is the inside 8, which is the 192.168.110 network, is destined for the outside, right, and then the remote Austin network, and I go ahead and click on Allow or Trust, okay? I trust all traffic to go through in that particular case. Now again you can create your own intrusion protection or policies that you want to scan traffic going to that particular network, but in this case we're not going to do that; we're just creating a policy site to site. Under Monitoring here you have the ability to look at all the events and everything that are going on associated to the Firepower unit. But the one thing I want to bring up, if you do have problems on the fly creating the IKE policies for IKE version 1 or IKE version 2: you go to Objects and then you go to IKE Policies, and under IKE Policies you can create what you need that's custom for your location. I did have to do this; I did have to create one. And you could put the priority, the name, the, you know, AES, you know, DES, 3DES, whatever it might be; is it pre-shared key, certificate; Diffie-Hellman group; SHA; or lifetime associated to it. And sometimes if you're working with a third-party vendor, depending on who it is, those lifetimes might be different, right? In this case we have control over both firewalls, so we can change that or just use the defaults, but sometimes you might be working with a cloud provider, sometimes you might be working with a vendor that has changed it, and so you have to match those statements. You want the flexibility to be able to modify those if needed to from at least one location.

Now let's bring this tunnel up. The one cool thing about FortiGate is that you can bring tunnels up on the fly. So if you see here under IPsec Tunnels, I click on the tunnel, you'll see it's inactive. I can click on it and actually select it and say Bring Up, bring up all phase 2 selectors or just, you know, the one associated to that, and you'll see here that we have the FDM traffic, the FDM tunnel between the FortiGate and the Firepower, is up, okay? Now how do I go and validate that traffic's actually flowing through this, right? A lot of times if you're doing this remote, you know, you may not be on site, you may not be able to see traffic, right? So a lot of times having access to the dashboard... Now both units can do this; you have CLI access to both units, you know, but here in this case there's a built-in sniffer in the FortiGate, and let me type that out, and then the virtual interface. So let me explain kind of what I'm doing here: diag sniffer packet, which is basically kind of a tcpdump, and then the virtual interface we're looking at is FDM Austin, okay? We could do this for wan1, we could do this for internal, we can do this for any physical interface, but since we have an actual virtual physical interface that was created, any traffic that goes through that interface will start capturing here, so we could validate if traffic is actually getting through it. And guys, that's a great troubleshooting tool for me, because a lot of times I'll tell the remote people, hey, can you ping this address, like my machine's on the opposite side of that tunnel, and then I'll pull this up, and sometimes I'll see the ping only going one way and not going the other way. Like, "well, I can't ping," and I go, "well, you know, I see it, so maybe your Windows firewall's enabled; you have to disable that in order for it to reply." And a lot of times that's it; they disable their host firewall, and next you know their replies are going through. But if that doesn't happen, that at least gives us the packet capture, or the pcaps, to be able to identify, you know, in real time what problems are happening, right?

Another troubleshooting tool we have under Log & Report is here: we have VPN Events, right, and under VPN Events it allows us to see the proposals, you know, into the FortiGate; it allows you the inbound, outbound, you know, and so on. You'll see here probably from last night when I was configuring this some errors, and the errors were allowing me to see kind of where I was having problems. So you'll be able to see pretty much the success and the failures, the tunnel statistics from this, and you'll see when, like, phase 2 goes down, etc.

But anyways, in a nutshell, guys, there's a lot more I can cover. Obviously there's a lot more troubleshooting and CLI troubleshooting I can do, probably from the Firepower too as well, kind of showing you, you know, how do I go about troubleshooting from a CLI perspective, how to identify if a certain P1 or P2 proposal is failing. I will do that in a later video, more of an advanced video, but the purpose of today was really just to show you a quick and dirty how do I get a basic VPN tunnel up and running between a FortiGate and a Firepower, right? I know there's a lot of demand on, well, now that I got it up and running, I want to route traffic through it, I want to be able to troubleshoot problems. In a more advanced video I'd be more than happy to do that, but the purpose of this video is essentially just getting that tunnel up. So I hope you learned a lot, and if you have any questions or ever want to reach out, feel free to subscribe to the channel. We'll be more than happy to show you more. We have tons of great things on this YouTube channel and we're looking forward to you guys learning. Thank you.
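The video's recurring point is that a cross-vendor tunnel only comes up when phase 1, phase 2 and the traffic selectors line up on both boxes, and that DES/SHA-1 were chosen only because of the evaluation license. The check below is an added example, not code from the video, from Cisco or from Fortinet: it models each side of the tunnel as a plain record (field names are this example's own, not vendor CLI or API keys), reports the mismatches that would keep the tunnel from negotiating or leave the selectors unmirrored, and separately lists the weak-algorithm choices that should be upgraded once licensing allows. The sample values are constructed from what the video shows; the "broken" Firepower variant is invented to show a failing comparison.

```python
"""Cross-vendor IKEv1/IPsec parameter consistency check (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional

# Algorithms and DH groups considered weak for new tunnels; the video uses
# DES/SHA-1 only because the Firepower runs on an evaluation license.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}

# Parameters that must be identical on both peers or the proposal is rejected.
HARD_MATCH = [
    ("ike_version", "IKE version"),
    ("ike_mode", "IKEv1 mode"),
    ("auth", "authentication method"),
    ("p1_encryption", "phase 1 encryption"),
    ("p1_integrity", "phase 1 integrity"),
    ("p1_dh_group", "phase 1 DH group"),
    ("p2_encryption", "phase 2 encryption"),
    ("p2_integrity", "phase 2 integrity"),
    ("pfs_group", "PFS group"),
]
# Parameters that are negotiated rather than rejected, but worth aligning when
# the other end is a different vendor or a cloud provider (as the video notes).
SOFT_MATCH = [("p1_lifetime", "phase 1 lifetime (seconds)")]


@dataclass(frozen=True)
class TunnelSide:
    """One peer's view of the tunnel. Field names are this example's own."""
    name: str
    ike_version: int
    ike_mode: str                 # "main" or "aggressive"
    auth: str                     # "psk" or "cert"
    p1_encryption: str
    p1_integrity: str
    p1_dh_group: int
    p1_lifetime: int
    p2_encryption: str
    p2_integrity: str
    pfs_group: Optional[int]      # None means PFS disabled
    local_subnet: str             # the network this peer protects
    remote_subnet: str            # the network it expects behind the other peer


def _norm(value):
    """Compare algorithm names case-insensitively; leave ints/None alone."""
    return value.lower() if isinstance(value, str) else value


def compare_sides(a: TunnelSide, b: TunnelSide) -> List[str]:
    """Return findings that would stop (or complicate) the tunnel; [] is clean."""
    findings = []
    for attr, label in HARD_MATCH:
        va, vb = _norm(getattr(a, attr)), _norm(getattr(b, attr))
        if va != vb:
            findings.append(f"MISMATCH {label}: {a.name}={va} {b.name}={vb}")
    for attr, label in SOFT_MATCH:
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            findings.append(f"NOTE {label} differs: {a.name}={va} {b.name}={vb}")
    # Traffic selectors must mirror each other: my local is your remote.
    if ip_network(a.local_subnet) != ip_network(b.remote_subnet):
        findings.append(f"MISMATCH selector: {a.name} local {a.local_subnet} "
                        f"vs {b.name} remote {b.remote_subnet}")
    if ip_network(a.remote_subnet) != ip_network(b.local_subnet):
        findings.append(f"MISMATCH selector: {a.name} remote {a.remote_subnet} "
                        f"vs {b.name} local {b.local_subnet}")
    return findings


def weak_crypto_warnings(side: TunnelSide) -> List[str]:
    """Flag algorithms that negotiate fine but should be upgraded when possible."""
    warnings = []
    for attr in ("p1_encryption", "p1_integrity", "p2_encryption", "p2_integrity"):
        if _norm(getattr(side, attr)) in WEAK_ALGORITHMS:
            warnings.append(f"WEAK {side.name} {attr}={getattr(side, attr)}")
    for attr in ("p1_dh_group", "pfs_group"):
        if getattr(side, attr) in WEAK_DH_GROUPS:
            warnings.append(f"WEAK {side.name} {attr}=group {getattr(side, attr)}")
    return warnings


# Constructed sample: the values the video settles on for both boxes.
FORTIGATE = TunnelSide(
    name="FortiGate", ike_version=1, ike_mode="main", auth="psk",
    p1_encryption="des", p1_integrity="sha1", p1_dh_group=14, p1_lifetime=86400,
    p2_encryption="des", p2_integrity="sha1", pfs_group=14,
    local_subnet="192.168.100.0/24", remote_subnet="192.168.111.0/24",
)
FIREPOWER = TunnelSide(
    name="Firepower FDM", ike_version=1, ike_mode="main", auth="psk",
    p1_encryption="DES", p1_integrity="SHA1", p1_dh_group=14, p1_lifetime=86400,
    p2_encryption="DES", p2_integrity="SHA1", pfs_group=14,
    local_subnet="192.168.111.0/24", remote_subnet="192.168.100.0/24",
)
# Constructed failure cases: a phase 2 integrity slip with PFS left off, and a
# remote-network typo that leaves the selectors unmirrored.
FIREPOWER_BROKEN = replace(FIREPOWER, p2_integrity="md5", pfs_group=None)
FIREPOWER_BAD_SELECTOR = replace(FIREPOWER, remote_subnet="192.168.11.0/24")

if __name__ == "__main__":
    for label, peer in (("as configured", FIREPOWER), ("with a P2 slip", FIREPOWER_BROKEN),
                        ("with a selector typo", FIREPOWER_BAD_SELECTOR)):
        print(f"--- FortiGate vs Firepower {label} ---")
        for line in compare_sides(FORTIGATE, peer) or ["OK: proposals and selectors line up"]:
            print(line)
    for line in weak_crypto_warnings(FORTIGATE):
        print(line)
```

Hard mismatches are the ones the VPN Events log on the FortiGate would show as proposal failures; the lifetime is listed separately because peers usually settle on the shorter value rather than refuse to negotiate. The weak-algorithm list is informational and is the first thing to revisit after the tunnel is up and the Firepower has a full license.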
Info
Channel: Unknown Chronicles - Cisco Security
Views: 1,092
Keywords: cisco, cisco firepower, fortigate, vpn, site to site vpn, cisco vpn with fortinet, cisco fortinet, vpn cisco fortigate
Id: -rm9Ku5-UAw
Length: 29min 3sec (1743 seconds)
Published: Mon Aug 24 2020