Copyright IBM Corporation 2017 Page 1 of 9 FortiGate Security Appliance on IBM Cloud Solution Architecture Date: 20171222

FortiGate Security Appliance on IBM Cloud

Solution Architecture

Date: 2017-12-22


Table of Contents

1 Introduction  4
1.1 About FortiGate Security Appliance  4
1.2 Background  4
1.3 Key Benefits  5
2 Design  6
2.1 Overview  6
2.2 FortiGate Security Appliance Deployment  6
    Appliance configuration  7
    Firewall configuration  7
    High Availability  8
    User Management  8
    Caveats  8
    Licensing  8
Appendix A—Reference  9

List of Figures

Figure 1 VMware Cloud Foundation on IBM Cloud  4
Figure 2 FortiGate Security Appliance on VMware Cloud Foundation High Level Components  6
Figure 3 FortiGate Security Appliance network topology  7

List of Tables

Table 1 FortiGate Security Appliance summary  7
Table 2 Permitted outbound traffic  8


Summary of Changes

This section records the history of significant changes to this document. Only the most significant changes are described here.

Version: 1.0
Date: 2017-12-22
Authors: Jack Benney, Frank Chodacki, Daniel De Araujo, Bob Kellenberger, Simon Kofkin-Hansen, Scott Moonen, Jim Robbins
Description of Change: Initial Release


1 Introduction

1.1 About FortiGate Security Appliance

The purpose of this document is to define and describe the FortiGate Security Appliance architecture for the vCenter Server and VMware Cloud Foundation offerings deployed in the IBM Cloud. Specifically, it will detail the components of the solution and the high-level configuration of each component in the design.

This solution is considered to be an additional component and extension of both the vCenter Server solution offering and the VMware Cloud Foundation solution offering on IBM Cloud. As a result, this document will not cover the existing configuration of the foundation solutions on IBM Cloud. Therefore, it is highly recommended to review and understand the VMware on IBM Cloud solution architecture located on the IBM Architecture Center before reading this document.

Figure 1 VMware Cloud Foundation on IBM Cloud

1.2 Background

IBM Cloud provides a variety of connectivity options for your IBM Cloud for VMware Solutions VMware environment. For low bandwidth or initial connectivity, you can use the IBM Cloud VPN to connect directly to your dedicated private network. For dedicated connections, IBM Cloud offers a Direct Link service to connect to your existing network service provider or to connect to other clouds via a cloud exchange provider. IBM Cloud also offers public network connectivity for applications that need to be available over the public network, or for cases where your solution allows for public connectivity or tunneling and does not require Direct Link.


If you choose public interconnectivity for your VMware environment, you have a number of additional options to provide firewall, NAT, and VPN services for your connection. The base IBM Cloud for VMware Solutions offerings include VMware NSX licensing suitable for deploying NSX Edge Services Gateways that you can use for firewall, NAT, and VPN services to protect your environment's public network access. However, in case you require a physical firewall and gateway device rather than a virtual firewall for your VMware environment, this architecture specifies how to deploy the IBM Cloud FortiGate Security Appliance offering as part of your environment's security implementation.

IBM Cloud also offers a FortiGate-VM offering, which provides network security services in virtual appliance form within your vSphere cluster. Visit the IBM Architecture Center to see the FortiGate-VM solution architecture.

1.3 Key Benefits

The FortiGate 300 series Security Appliance available in the IBM Cloud offers firewall, routing, NAT, and VPN services to your VMware environment, including the following:

• Deep packet inspection
• SSL inspection
• Intrusion prevention
• Data loss prevention
• Sandboxing
• Anti-malware and anti-virus
• Web filtering
• Traffic shaping
• WebUI and command line management interface


2 Design

2.1 Overview

The FortiGate Security Appliance solution complements the IBM Cloud for VMware Solutions offerings by providing perimeter firewall and gateway services. These services are provided by dedicated physical FortiGate devices within the IBM Cloud network.

Figure 2 FortiGate Security Appliance on VMware Cloud Foundation High Level Components

2.2 FortiGate Security Appliance Deployment

The FortiGate Security Appliance offering is deployed to an existing IBM Cloud public VLAN in the same data center and POD as your VMware instance. As part of deployment, your instance's existing public VLAN is attached to the "inside" interfaces of the appliances, and a new public VLAN is allocated and attached to the "outside" interfaces of the appliances. All traffic destined to your instance's public network is routed through the FortiGate appliances as shown in Figure 3, which act as a perimeter firewall and gateway for your instance. In this figure, the original public VLAN is now denoted as a protected VLAN.


Figure 3 FortiGate Security Appliance network topology

Appliance configuration

The FortiGate Security Appliance offering is deployed as a pair of physical appliances configured to be highly available in active-passive mode. Configuration is automatically replicated between the appliances. The configuration of the appliances is as follows:

Attribute          Configuration
Appliance          FortiGate 300 series or better
Location           Same data center and POD as VMware instance
High availability  Two appliances deployed in active-passive configuration
Network            Dual 1 GbE bonded on both inside and outside networks
Upstream           IBM Cloud public VLAN (new)
Downstream         IBM Cloud public VLAN (existing)

Table 1 FortiGate Security Appliance summary

Firewall configuration

Depending on your security requirements, you can configure the FortiGate Security Appliance to route traffic, NAT traffic, or offer VPN services. When initially deployed by IBM Cloud for VMware, the appliance is configured in one of two configurations depending on the time of deployment:

Deployment time                            Configuration
Together with VMware instance deployment   • Outbound management traffic is permitted (see below)
                                           • All other traffic is blocked
After VMware instance is deployed          • Outbound management traffic is permitted (see below)
                                           • All other traffic is permitted

The reason for this difference is that an existing VMware instance is assumed to have existing public connections, so the FortiGate appliances are deployed in such a way that those connections are not interrupted other than a brief outage as traffic is rerouted through the FortiGate appliances.


In all cases, after deployment, configuring the FortiGate Security Appliances to suit your application's needs and your security requirements is beyond the scope of this design.

However, you are required to allow network traffic required by the IBM Cloud for VMware offering itself. IBM's offerings require outbound public connectivity from the IBM Cloud Driver virtual machine through the management NSX ESG to the public network. The Cloud Driver uses these connections to access your instance's database and message queues in the IBM Cloud. Optional solution components such as Zerto Virtual Replication and F5 BIG-IP may also route public connections through the management NSX ESG for product registration and billing, product support, or diagnostics. Therefore, you must minimally permit the following outbound traffic through the FortiGate Security Appliances:

Field             Configuration
Source Zone       Inside
Source IP         Management NSX ESG public IP
Destination Zone  Outside
Destination IP    All
Service           All
Action            ACCEPT
NAT               Disable

Table 2 Permitted outbound traffic

Other than this rule and any other rules necessary for your application traffic, you should ensure that a default deny policy is configured for all traffic traversing from the inside to outside interfaces, and from the outside to inside interfaces.

Optionally, you can enable FortiGate management connections on the inside interface and disable management connections on the outside interface. Note that this will require you to use the IBM Cloud VPN to manage the FortiGate.
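The Table 2 rule, the default deny in both directions, and the inside-only management access described above, written out as FortiOS CLI. This is an added example, not configuration from the IBM document or from IBM's deployment automation; the interface names "inside" and "outside" and the address 203.0.113.10 (a placeholder for your management NSX ESG public IP) are assumptions, and the bonded interfaces on the deployed appliance may carry different names.

```fortios
# Added example (not IBM's config). Assumes interfaces named "inside"/
# "outside"; 203.0.113.10 is a placeholder for the mgmt NSX ESG public IP.
config firewall address
    edit "mgmt-esg-public"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall policy
    # Policy 1 = Table 2. Order matters: it must sit above the denies.
    edit 1
        set name "permit-mgmt-esg-outbound"
        set srcintf "inside"
        set dstintf "outside"
        set srcaddr "mgmt-esg-public"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 2
        set name "deny-inside-to-outside"
        set srcintf "inside"
        set dstintf "outside"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "deny-outside-to-inside"
        set srcintf "outside"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# Management reachable only on the inside (via the IBM Cloud VPN).
config system interface
    edit "inside"
        set allowaccess ping https ssh
    next
    edit "outside"
        unset allowaccess
    next
end
```

Rules for your own application traffic belong between policy 1 and the two catch-all denies; the explicit denies add logging that the implicit deny does not provide, which is what makes unexpected egress from the protected VLAN visible.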

High Availability

The FortiGate Security Appliances are already configured by IBM Cloud as a highly available pair. Configuration is automatically replicated between the two, and management and network functions fail over from the active node to the primary node in case of failure.

User Management

The FortiGate Security Appliances are initially deployed with a single administrative user for your use. You can create additional users with differing privileges using the FortiGate administrative interface.

Caveats

The FortiGate Security Appliance is not compatible with Microsoft Windows Network Load Balancing (NLB).

Licensing

There are no licensing requirements for the physical FortiGate Security Appliance.


Appendix A—Reference

Additional information about IBM Cloud and FortiGate Security Appliance on IBM Cloud can be found at the following sites:

• IBM Cloud Architecture Center for Virtualization:
  https://www.ibm.com/cloud/garage/content/architecture/virtualizationArchitecture/
• IBM Cloud Direct Link:
  https://www.ibm.com/cloud-computing/bluemix/direct-link
• IBM Cloud FortiGate Security Appliance configuration:
  https://knowledgelayer.softlayer.com/procedure/configure-fortigate-security-appliance-fsa
• Fortinet product datasheets:
  https://www.fortinet.com/resources/datasheets.html