Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire
Introduction
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?
An integrated F5 and Fortinet FortiGate solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Fortinet FortiGate VMs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.
Prerequisites
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
F5 BIG-IP version 17.1
F5 SSL Orchestrator version 11.0
Fortinet FortiGate Virtual Appliance
Fortinet FortiGate version 7.2.4
Deployed on VMware ESXi version 6.7
Fortinet FortiGate will be configured as a Virtual Wire in Transparent Mode
Additional Help
If you are setting up SSL Orchestrator for the first time, refer to the SSL Orchestrator Deployment Guide.
For information on SSL certificate considerations and trust, see the article on that topic.
Fortinet FortiGate Virtual Edition Configuration
ESX Virtual Hardware Configuration
The Network Adapters should be configured like the following:
Network Adapter 1 is used for Management and corresponds to the “mgmt” interface on the FortiGate.
Network Adapter 2 is used for egress connections from BIG-IP to port1 on the FortiGate.
Network Adapter 3 is used for ingress connections from port2 on the FortiGate to BIG-IP.
Create a Port Group for BIG-IP to connect to the FortiGate port1 interface. The ESX vSwitch topology should be configured as follows:
Fortinet FortiGate Configuration
Enable Transparent Mode from the CLI.
Configure the Virtual Wire as follows:
Give it a name, vwire in this example. Add port1 and port2. Click OK.
Create a Firewall Virtual Wire Pair Policy
Select Policy & Objects > Firewall Virtual Wire Pair Policy > Create New.
Give it a name, “policy” in this example. Set the Source, Destination and Service. In this example they are set to all. The Action should be set to Allow. Optionally enable the Security Profiles. Click OK.
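The same FortiGate configuration expressed in the FortiOS CLI, added here as an example rather than taken from the article; the management IP and mask are placeholders, and the interface and object names (port1, port2, vwire, policy) are the ones used above.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps above.
# The management IP/mask below is a placeholder; replace it with your own.
config system settings
    set opmode transparent
    set manageip 192.0.2.10/255.255.255.0
end

# Virtual wire pair bridging port1 (from BIG-IP Egress) and port2 (to BIG-IP Ingress)
config system virtual-wire-pair
    edit "vwire"
        set member "port1" "port2"
    next
end

# Virtual wire pair policy permitting all traffic between the pair members in both directions;
# attach security profiles to this policy to inspect the decrypted traffic
config firewall policy
    edit 0
        set name "policy"
        set srcintf "port1" "port2"
        set dstintf "port1" "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
```

Afterwards, `show system virtual-wire-pair` and `show firewall policy` confirm that the pair and policy exist as intended.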
F5 BIG-IP SSL Orchestrator VMware ESXi Configuration
Configure the Virtual Machine Network Adapters as follows:
Network Adapter 1 is used for Management and corresponds to the management interface on the BIG-IP.
Network Adapter 2 is used for network connectivity from the BIG-IP to the North.
Network Adapter 3 is used for network connectivity from the BIG-IP to the South.
Network Adapter 4 is used for egress connections from BIG-IP to port1 on the FortiGate.
Network Adapter 5 is used for ingress connections from port2 on the FortiGate to BIG-IP.
BIG-IP SSL Orchestrator Network Configuration
The BIG-IP VLAN settings should look like the following:
Egress is used for egress connections from BIG-IP to port1 on the FortiGate.
Ingress is used for ingress connections from port2 on the FortiGate to BIG-IP.
Network_North is used for network connectivity from the BIG-IP to the North.
Network_South is used for network connectivity from the BIG-IP to the South.
The BIG-IP Self IP settings should look like the following:
These Self IPs are used for connectivity from the BIG-IP to the North and South. Because the FortiGate is inserted as a Layer 2 virtual wire, no Self IPs are needed on the Egress and Ingress VLANs between the BIG-IP and the FortiGate.
Note: in this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two Self IPs are for. Your configuration will look different if using an L2 Topology.
BIG-IP SSL Orchestrator Configuration
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the Fortinet FortiGate Service
Under Services, click Add.
In the Service Catalog select the Inline L2 tab, then double-click Generic Inline Layer 2.
Give it a name, FortiGate in this example. Under Network Configuration click Add.
Under Network Configuration set From BIGIP VLAN to Egress. Set To BIGIP VLAN to Ingress. Click Done.
Enable the Port Remap option and set the port to 80, so the FortiGate sees the decrypted HTTPS traffic as plain HTTP on port 80.
Click Save & Next at the bottom.
Click the name of the Service Chain.
Select the FortiGate Service from the left and click the arrow to move it to the right. Click Save.
Click OK.
Click Save & Next at the bottom.
Click Deploy.
Click OK to the Success message.
When done it should look like the following:
From the Services screen, if you expand the Pool Member Status, you should see the FortiGate VM.
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
A tcpdump taken on the BIG-IP Egress and Ingress VLANs should show the connection as plaintext HTTP:
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with Fortinet FortiGate Virtual Edition. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Fortinet FortiGate Service and inspected for malicious payloads or policy violations.