
Fortinet VPN with Firebox Cloud Integration Guide

This document describes how to configure a VPN tunnel between WatchGuard Firebox Cloud and a Fortinet FortiGate 90D.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard Firebox Cloud v11.12.1. B522519 installed in Amazon Web Services (AWS)
  • Fortinet FortiGate 90D v5.2.7, build718 (GA)

Test Topology

This diagram outlines the topology used in this integration:

WatchGuard Firebox Cloud and Fortinet topology diagram

Configure Firebox Cloud

Follow these steps to configure the BOVPN virtual interface on your Firebox.

  1. Log in to Firebox Cloud Web UI at https://<AWS public IP address>:8080.
  2. From the navigation menu, select VPN > BOVPN Virtual Interfaces.

Screen shot of Firebox Cloud Web UI navigation menu

  3. Click the Lock icon to unlock the configuration.

Screen shot of the BOVPN Virtual Interfaces lock dialog box

  4. Click Add.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. On the Gateway Settings page, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screen shot of the VPN, BOVPN Virtual Interfaces dialog box, Gateway Settings tab

  8. In the Gateway Endpoint section, click Add.

Screen shot of the VPN, BOVPN Virtual Interfaces dialog box, Gateway Settings tab, Add

  9. From the Physical drop-down list, select External.
  10. Select By IP Address.
  11. In the adjacent text box, type the AWS public IP address for your Firebox Cloud.

Screen shot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  12. Select the Remote Gateway tab.
  13. Select Static IP Address.
  14. In the adjacent text box, type the public IP address of the FortiGate 90D WAN interface.
  15. Select By IP Address.
  16. In the adjacent text box, type the public IP address of the FortiGate 90D WAN interface.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  17. Click OK.
  18. In the Gateway Endpoint section, select the Start Phase1 tunnel when it is inactive check box.
  19. Select the Add this tunnel to the BOVPN-Allow policies check box.

Screen shot of the BOVPN Virtual Interfaces, Edit dialog box

  20. Select the VPN Routes tab.
  21. Click Add.
  22. From the Choose Type drop-down list, select Host IPv4 or Host IPv6. In our example, we specify an IPv4 address.
  23. In the Route To text box, type the destination IP address for a route that uses this virtual interface.

Screen shot of the VPN Route Settings

  24. Click OK.

Screen shot of the BOVPN Virtual Interfaces, Edit dialog box, VPN Routes tab

  25. Select the Phase1 Settings tab.
  26. From the Version drop-down list, select IKEv1.
  27. From the Mode drop-down list, select Main.
  28. In the Transform Settings section, click Add.
  29. From the Authentication drop-down list, select SHA2-256.
  30. From the Encryption drop-down list, select AES(256-bit).
  31. From the Key Group drop-down list, select Diffie-Hellman Group 2.

Screen shot of the Transform Settings dialog box

  32. Click OK. Keep all other Phase 1 settings at the default values.

Screen shot of the Phase 1 Settings tab

  33. Click Save.

For stronger security, we recommend that you add a new Phase 2 proposal:

  1. From the navigation menu, select VPN > Phase 2 Proposals.
  2. To add a new Phase 2 proposal, click Add.
  3. In the Name text box, type ESP-AES256-SHA2-256.
  4. From the Type drop-down list, select ESP (Encapsulating Security Payload).
  5. From the Authentication drop-down list, select SHA2-256.
  6. From the Encryption drop-down list, select AES(256-bit). Leave the default value for all other settings.

Screen shot of Fireware Web UI, VPN, Phase 2 Proposals, Add dialog box

  7. Click Save.

Screen shot of Fireware Web UI, VPN, Phase 2 Proposals dialog box

Apply the new Phase 2 proposal to your BOVPN virtual interface:

  1. Select VPN > BOVPN Virtual Interfaces.
  2. Select the interface you added. Click Edit.
  3. Select the Phase 2 Settings tab.
  4. From the IPSec Proposals drop-down list, select ESP-AES256-SHA2-256.
  5. Click Add.
  6. Remove any other proposals that appear in the list. Leave the default value for all other Phase 2 settings.

Screen shot of Fireware Web UI, VPN, BOVPN Virtual Interfaces dialog box, Phase 2 Settings tab

  7. Click Save.

Configure FortiGate 90D

Follow these steps to configure the interfaces, VPN settings, policies, and routes on your FortiGate device.

Interface Settings

  1. Log in to the FortiGate 90D Web UI at https://<IP address of FortiGate 90D>. The default IP address is https://192.168.1.99.
  2. From the navigation menu, select System > Network > Interfaces.

Screen shot of the FortiGate 90D Web UI, System, Network, Interfaces navigation menu

  3. Configure the external interface (wan1) and the internal interface (internal2). For information about how to configure interfaces, see the Fortinet User Guide.

Screen shot of the Fortinet, Wan1 and Wan2 status dialog box

IPSec VPN Tunnels Settings

  1. From the navigation menu, select VPN > Tunnels.

Screen shot of the Fortinet, VPN, Tunnels navigation

  2. Click Create New.
  3. In the Name text box, type peer1.
  4. Select Custom VPN Tunnel (No Template).

Screen shot of the Fortinet, VPN Setup dialog box

  5. Click Next.
  6. In the Network section, select the IPv4 check box.
  7. From the Remote Gateway drop-down list, select Static IP Address.
  8. In the IP Address text box, type the AWS public IP address. In our example, the IP address is 203.0.113.2.
  9. From the Interface drop-down list, select wan1. Leave the default value for all other settings in the Network section.

Screen shot of the Fortinet, Network section of the dialog box

  10. In the Authentication section, from the Method drop-down list, select Pre-shared Key.
  11. In the Pre-shared Key text box, type the pre-shared key.

Screen shot of the Fortinet, Authentication dialog box

  12. In the IKE section, for Version, select 1.
  13. For Mode, select Main (ID protection).

Screen shot of the Fortinet, IKE section of dialog box

  14. In the Phase 1 Proposal section, remove all proposals except AES256 for encryption and SHA256 for authentication.
  15. For the Diffie-Hellman Group, select 2. Clear all other check boxes.
  16. Leave the default value for all other Phase 1 settings.

Screen shot of the Fortinet, Phase 1 Proposal section of dialog box

  17. In the XAUTH section, leave the default settings.

Screen shot of the Fortinet, XAUTH section of dialog box

  18. In the Phase 2 Selectors section, expand Advanced.
  19. Remove all proposals except AES256 for encryption and SHA256 for authentication.
  20. Clear the Enable Perfect Forward Secrecy (PFS) check box.
  21. Leave the default value for all other Phase 2 selectors.

Screen shot of the Fortinet, Phase 2 Selectors section of the dialog box

  22. Click .

Screen shot of the Fortinet, Network dialog box

  23. Click OK.

Screen shot of the Fortinet, create New Tunnel dialog box

Policy Settings

  1. From the navigation menu, select Policy & Object > Objects > Address.

Screen shot of the Fortinet, Policy & Object, Objects, Address dialog box

  2. Click Create New.
  3. In the Name text box, type a name for the IP address.
  4. From the Type drop-down list, select IP/Netmask.
  5. In the Subnet / IP Range text box, type the IP address.
  6. Leave the default value for all other settings.

Screen shot of the Fortinet, Policy & Object, Objects, Address, Create New dialog box

  7. Click OK.
  8. Repeat steps 1-7 to create another IP address.

Screen shot of the Fortinet, Policy & Object, Objects, Address dialog box

  9. From the navigation menu, select Policy & Object > Policy > IPv4.

Screen shot of the Fortinet, Policy & Object, IPv4 dialog box

  10. Click Create New.
  11. From the Incoming Interface drop-down list, select internal2.
  12. From the Source Address drop-down list, select FortiGate 90D_INT.
  13. From the Outgoing Interface drop-down list, select peer1.
  14. From the Destination Address drop-down list, select WatchGuard Cloud_INT.
  15. From the Schedule drop-down list, select always.
  16. From the Service drop-down list, select All.
  17. From the Action drop-down list, select Accept.
  18. Leave the default value for all other settings.

Screen shot of the Fortinet, Policy & Object, IPv4, Create New dialog box

  19. Click OK.
  20. Repeat these steps to create another policy.

Screen shot of the Fortinet, Policy & Object, IPv4 dialog box

The policies that you created appear on this page.

Screen shot of the Fortinet, Policies created list dialog box

Route Settings

  1. From the navigation menu, select System > Network > Routing.

Screen shot of the Fortinet, System, Network, Routing dialog box

  2. Click Create New.
  3. In the Destination IP/Mask text box, type the IP address of the VPN peer tunnel.
  4. From the Device drop-down list, select peer1.
  5. Leave the default value for all other settings.

Screen shot of the Fortinet, System, Network, Routing, Create New dialog box

  6. Click OK.

Screen shot of the Fortinet, System, Network, Routing dialog box, Static Routes section
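For anyone who wants to audit the FortiGate side after clicking through the Web UI, or to reproduce it from the console, the following FortiOS CLI configuration is an added example of what the tunnel, address, policy and route steps above produce. It is not taken from the WatchGuard guide or from Fortinet documentation. The names and addresses that the guide gives (peer1, wan1, internal2, 203.0.113.2, FortiGate 90D_INT, WatchGuard Cloud_INT) are used as-is; the two /24 subnets behind each gateway, the body of the second (return-direction) policy, the static route destination, and the pre-shared key placeholder are assumptions made for the example.

```fortios
# Added example, not from the WatchGuard guide or from Fortinet.
# FortiOS 5.2 CLI equivalent of the Web UI steps for the FortiGate 90D side.
# Given by the guide: peer1, wan1, internal2, 203.0.113.2, FortiGate 90D_INT, WatchGuard Cloud_INT.
# ASSUMED for the example: the two /24 subnets, the return-direction policy,
# the route destination, and the <PRE-SHARED-KEY> placeholder.

# --- Phase 1: IKEv1, main mode, AES256/SHA256, DH group 2, pre-shared key.
# The proposal set must match the single transform configured on the Firebox.
config vpn ipsec phase1-interface
    edit "peer1"
        set interface "wan1"
        set ike-version 1
        set mode main
        set peertype any
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 203.0.113.2
        set psksecret <PRE-SHARED-KEY>
    next
end

# --- Phase 2: one proposal, AES256/SHA256, PFS disabled as the guide specifies.
# Selectors stay at the default (0.0.0.0/0), matching "leave the default value".
config vpn ipsec phase2-interface
    edit "peer1"
        set phase1name "peer1"
        set proposal aes256-sha256
        set pfs disable
    next
end

# --- Address objects. Subnets are ASSUMED from the test hosts 192.168.13.2 (FortiGate side)
# and 10.0.1.39 (Firebox Cloud side); substitute your real networks.
config firewall address
    edit "FortiGate 90D_INT"
        set subnet 192.168.13.0 255.255.255.0
    next
    edit "WatchGuard Cloud_INT"
        set subnet 10.0.1.0 255.255.255.0
    next
end

# --- Policies. The first mirrors the guide (internal2 -> peer1); the second is the
# ASSUMED return-direction policy (peer1 -> internal2) that "repeat these steps" creates.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set srcintf "internal2"
        set dstintf "peer1"
        set srcaddr "FortiGate 90D_INT"
        set dstaddr "WatchGuard Cloud_INT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "peer1"
        set dstintf "internal2"
        set srcaddr "WatchGuard Cloud_INT"
        set dstaddr "FortiGate 90D_INT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Static route: send the Firebox Cloud side network (ASSUMED 10.0.1.0/24) into the tunnel interface.
config router static
    edit 0
        set dst 10.0.1.0 255.255.255.0
        set device "peer1"
    next
end
```

Both peers must offer the same cipher, hash and Diffie-Hellman group in Phase 1 and the same proposal and PFS setting in Phase 2; a mismatch in the DH group or in PFS is the most common reason one phase negotiates and the other does not. Keeping a single proposal on each side, as the guide does, makes such a mismatch show up immediately rather than being masked by a weaker fallback.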

Test the Integration

  1. Log in to Firebox Web UI.
  2. From the navigation menu, select System Status > VPN Statistics.
  3. Verify that the VPN tunnel is active.
  4. Log in to FortiGate 90D Web UI.
  5. From the navigation menu, select VPN > Monitor > IPsec Monitor.
  6. Verify that the VPN tunnel is active.
  7. Create an ICMP policy on the Firebox and FortiGate devices to allow ICMP traffic.

In the Firewall Policy settings on your Firebox:

Screen shot of the Firebox Firewall Policy, Settings tab

On the FortiGate 90D:

Screen shot of the Fortinet 90D interface dialog box

  8. Verify that the servers at 10.0.1.39 and 192.168.13.2 can successfully ping each other.
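The IPsec Monitor page shows whether the tunnel is up, but it does not tell you why a tunnel stays down or whether traffic is actually entering it. The following FortiOS CLI checks are an added example of the verification a practitioner would run from the FortiGate console alongside the GUI steps above; they are not from the WatchGuard guide or from Fortinet. The peer name peer1 and the test host 10.0.1.39 come from the guide; <INTERNAL2-IP> is a placeholder for the FortiGate internal2 interface address, which the guide does not state.

```fortios
# Added example, not from the WatchGuard guide or from Fortinet.
# Console checks for the peer1 tunnel. <INTERNAL2-IP> is a placeholder (ASSUMED).

# Phase 1: IKE gateway state for peer1. An established SA here means the pre-shared key,
# IKE version, mode, proposal and DH group agreed with the Firebox.
diagnose vpn ike gateway list name peer1

# Phase 2: IPsec SAs for peer1 with the negotiated selectors and traffic counters.
# If Phase 1 is up but nothing is listed here, compare the Phase 2 proposal and PFS setting.
diagnose vpn tunnel list name peer1

# Source the ping from the internal2 address so it matches the internal2 -> peer1 policy
# and the static route, exactly like traffic from a host on that segment.
execute ping-options source <INTERNAL2-IP>
execute ping 10.0.1.39

# Watch ICMP on the tunnel interface while the ping runs; verbosity 4 prints the
# interface name on each packet, so replies arriving on peer1 confirm the return path.
diagnose sniffer packet peer1 'icmp' 4
```

Run the two diagnose commands before and after the ping: the SA counters in the Phase 2 listing should increase with each echo request, and the sniffer should show both the request leaving on peer1 and the reply arriving on it. A request with no reply usually points at the Firebox side policy or route rather than at the tunnel itself.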

On the server at 10.0.1.39:

Screen shot of the server 10.0.1.39 command prompt dialog box ping test

On the server at 192.168.13.2:

Screen shot of the server 192.168.13.2 command prompt dialog box ping test
