Technical Articles
KevinGallaugher
F5 Employee

Introduction

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?

An integrated F5 and Fortinet FortiGate solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Fortinet FortiGate VMs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.

Prerequisites

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

F5 BIG-IP version 17.1

F5 SSL Orchestrator version 11.0

Fortinet FortiGate Virtual Appliance

Fortinet FortiGate version 7.2.4

Deployed on VMware ESXi version 6.7

Fortinet FortiGate will be configured as a Virtual Wire in Transparent Mode

Additional Help

If setting up SSL Orchestrator for the first time, refer to the Deployment Guide available HERE.

For information on SSL Certificate considerations and trust, click HERE.

Fortinet FortiGate Virtual Edition Configuration

ESX Virtual Hardware Configuration

The Network Adapters should be configured like the following:

[Screenshot: FortiGate VM network adapter configuration]

Network Adapter 1 is used for Management and corresponds to the “mgmt” interface on the FortiGate.

Network Adapter 2 is used for egress connections from BIG-IP to port1 on the FortiGate.

Network Adapter 3 is used for ingress connections from port2 on the FortiGate to BIG-IP.

Create a Port Group for BIG-IP to connect to the FortiGate port1 interface. The ESX vSwitch topology should be configured as follows:

[Screenshot: ESX vSwitch topology for the port1 port group]

Create a second Port Group for the FortiGate port2 interface to connect back to BIG-IP. The ESX vSwitch topology should be configured as follows:

[Screenshot: ESX vSwitch topology for the second port group]

Fortinet FortiGate Configuration

Enable Transparent Mode from the CLI.

[Screenshot: enabling Transparent Mode from the FortiGate CLI]

Configure the Virtual Wire as follows:

[Screenshot: Virtual Wire Pair configuration page]

Give it a name, vwire in this example. Add port1 and port2. Click OK.

[Screenshot: Virtual Wire Pair named vwire with members port1 and port2]

Create a Firewall Virtual Wire Pair Policy

Select Policy & Objects > Firewall Virtual Wire Pair Policy > Create New

[Screenshot: Policy & Objects > Firewall Virtual Wire Pair Policy > Create New]

Give it a name, “policy” in this example. Set the Source, Destination and Service. In this example they are set to all. The Action should be set to Allow. Optionally enable the Security Profiles. Click OK.

[Screenshot: Firewall Virtual Wire Pair Policy settings]
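The same FortiGate configuration expressed as FortiOS CLI, added here as an example rather than taken from the article or from Fortinet documentation. The object names vwire and policy and the members port1 and port2 are from the article; the management IP and gateway are placeholders, and the profile names no-inspection, default (AV) and default (IPS) are assumed to be the FortiOS built-ins.

```fortios
# Added example: CLI form of the GUI steps above. IP values are placeholders.

# 1. Transparent mode for the VDOM. manageip and gateway are placeholders
#    and must be replaced with the values used on the mgmt network.
config system settings
    set opmode transparent
    set manageip 192.0.2.10/24
    set gateway 192.0.2.1
end

# 2. Virtual wire pair: BIG-IP Egress VLAN -> port1, port2 -> BIG-IP Ingress VLAN.
config system virtual-wire-pair
    edit "vwire"
        set member "port1" "port2"
    next
end

# 3. Virtual wire pair policy. Source, destination and service are "all"
#    as in the article. SSL Orchestrator has already decrypted the traffic
#    and remapped it to port 80, so the policy does no TLS inspection of its
#    own (no-inspection profile) and applies AV and IPS to the plaintext.
config firewall policy
    edit 0
        set name "policy"
        set srcintf "port1" "port2"
        set dstintf "port1" "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Logging all traffic on this policy is what lets you confirm, from the FortiGate side, that decrypted sessions are actually being inspected rather than silently bypassed.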

F5 BIG-IP SSL Orchestrator VMware ESXi Configuration

Configure the Virtual Machine Network Adapters as follows:

[Screenshot: BIG-IP VM network adapter configuration]

Network Adapter 1 is used for Management and corresponds to the management interface on the BIG-IP.

Network Adapter 2 is used for network connectivity from the BIG-IP to the North.

Network Adapter 3 is used for network connectivity from the BIG-IP to the South.

Network Adapter 4 is used for egress connections from BIG-IP to port1 on the FortiGate.

Network Adapter 5 is used for ingress connections from port2 on the FortiGate to BIG-IP.

BIG-IP SSL Orchestrator Network Configuration

The BIG-IP VLAN settings should look like the following:

[Screenshot: BIG-IP VLAN settings]

Egress is used for egress connections from BIG-IP to port1 on the FortiGate.

Ingress is used for ingress connections from port2 on the FortiGate to BIG-IP.

Network_North is used for network connectivity from the BIG-IP to the North.

Network_South is used for network connectivity from the BIG-IP to the South.

The BIG-IP Self IPs setting should look like the following:

[Screenshot: BIG-IP Self IP settings]

These Self IPs will be used for connectivity from the BIG-IP to the North and South. Self IPs are not needed for the connection from/to BIG-IP and FortiGate.

Note: in this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two Self IPs are for. Your configuration will look different if using an L2 Topology.

BIG-IP SSL Orchestrator Configuration

Navigate to SSL Orchestrator > Configuration.

[Screenshot: SSL Orchestrator > Configuration]

Create the Fortinet FortiGate Service

Under Services, click Add.

[Screenshot: Services > Add]

In the Service Catalog, select the Inline L2 tab, then double-click Generic Inline Layer 2.

[Screenshot: Service Catalog, Inline L2 tab, Generic Inline Layer 2]

Give it a name, FortiGate in this example. Under Network Configuration, click Add.

[Screenshot: FortiGate service name and Network Configuration]

Under Network Configuration set From BIGIP VLAN to Egress. Set To BIGIP VLAN to Ingress. Click Done.

[Screenshot: Network Configuration with From BIGIP VLAN set to Egress and To BIGIP VLAN set to Ingress]

Enable the Port Remap option to remap the port to 80.

[Screenshot: Port Remap option enabled and set to 80]

Click Save & Next at the bottom.

[Screenshot: Save & Next button]

Click the name of the Service Chain.

[Screenshot: Service Chain list]

Select the FortiGate Service on the left and click the arrow to move it to the right. Click Save.

[Screenshot: FortiGate Service moved into the Service Chain]

Click OK.

[Screenshot: OK confirmation]

Click Save & Next at the bottom.

[Screenshot: Save & Next button]

Click Deploy.

[Screenshot: Deploy button]

Click OK to the Success message.

[Screenshot: Success message]

When done it should look like the following:

[Screenshot: completed Services configuration]

From the Services screen, if you expand the Pool Member Status you should see the FortiGate VM.

[Screenshot: Pool Member Status showing the FortiGate VM]

Testing the Configuration

In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:

https://192.168.0.5

Test this connection now and it should look like the following:

[Screenshot: client browser connected to https://192.168.0.5]

A tcpdump taken on the BIG-IP Egress and Ingress VLANs should show the connection as plaintext HTTP:

[Screenshot: tcpdump on the Egress and Ingress VLANs showing plaintext HTTP]
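A scripted form of this check, added here as an example and not part of the article: it takes tcpdump output captured on the Egress and Ingress VLANs and confirms that the flow to the test server (192.168.0.5, from the article) shows up on port 80 on both sides, which means the decrypted session went to the FortiGate and came back. The function name, the client address and the capture lines are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the article. Live use on the BIG-IP would be:
#   EG=$(timeout 15 tcpdump -nni Egress  -c 20 host 192.168.0.5 2>/dev/null)
#   IN=$(timeout 15 tcpdump -nni Ingress -c 20 host 192.168.0.5 2>/dev/null)
#   check_service_chain "$EG" "$IN" 192.168.0.5

# check_service_chain <egress_capture> <ingress_capture> <server_ip>
# Returns 0 only when a port-80 flow to <server_ip> appears in BOTH captures
# and no port-443 flow to it appears on Egress.
check_service_chain() {
  local egress="$1" ingress="$2" server="$3" rc=0
  # Decrypted traffic leaves BIG-IP remapped to port 80; seeing 443 on Egress
  # means Port Remap is not in effect or the flow bypassed decryption.
  if printf '%s\n' "$egress" | grep -q "> ${server}\.443:"; then
    echo "FAIL: port 443 seen on Egress VLAN; Port Remap to 80 not applied"
    rc=1
  fi
  if ! printf '%s\n' "$egress" | grep -q "> ${server}\.80:"; then
    echo "FAIL: no port-80 flow to ${server} on Egress VLAN; service not in chain?"
    rc=1
  fi
  # The same flow must come back on Ingress; if not, the FortiGate policy is
  # dropping it or the virtual wire pair is miswired.
  if ! printf '%s\n' "$ingress" | grep -q "> ${server}\.80:"; then
    echo "FAIL: flow not returned on Ingress VLAN; check the FortiGate vwire policy"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "PASS: plaintext HTTP flow to ${server} traversed the FortiGate"
  fi
  return "$rc"
}

# Constructed sample lines in tcpdump -nn format (client 10.10.20.50 is made up).
EGRESS_OK='12:01:01.000100 IP 10.10.20.50.51234 > 192.168.0.5.80: Flags [S], seq 1, win 64240, length 0
12:01:01.000400 IP 10.10.20.50.51234 > 192.168.0.5.80: Flags [P.], seq 1:80, ack 1, win 64240, length 79: HTTP: GET / HTTP/1.1'
INGRESS_OK="$EGRESS_OK"
INGRESS_DROPPED=''
EGRESS_NOT_REMAPPED='12:01:01.000100 IP 10.10.20.50.51234 > 192.168.0.5.443: Flags [S], seq 1, win 64240, length 0'

check_service_chain "$EGRESS_OK" "$INGRESS_OK" 192.168.0.5
check_service_chain "$EGRESS_OK" "$INGRESS_DROPPED" 192.168.0.5 || true
```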

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with Fortinet FortiGate Virtual Edition. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Fortinet FortiGate Service and inspected for malicious payloads or policy violations.

Version history
Last update:
‎27-Nov-2023 17:29