Saturday, July 1, 2017

FGT VM in transparent mode on ESXi 6.0

Our goal with this config is to inspect/restrict traffic sourced/destined from servers on our LAN without causing much impact to the existing network.

Failing to specify VLAN, Forwarding-domain and strict src/dst addresses may result in a Layer2 loop/broadcast storm. Please make sure to follow the directions carefully.


1.     Deploy OVF Template
b.     I prefer to thin provision everything but that is your choice
c.     Do not power on the Virtual machine after deploying.
2.     Shut off your VM servers that you would like to add to the port group so that we may edit their port assignments.
3.     Create a Port Group in ESXi

Make sure that you assign a unique vlan id here.

Edit your server VM and assign the network adapter to your new port group.
Edit your FGTVM.
Disconnect all ports that will not be used.
You will need 3 ports: In/Out/mgmt.
In this case, we are using:
Port1 for out to our network.
Port2 for management.
Port8 for connection the VM port group.
Your port group should now look something like this if you had 2 servers in it. The only exception is that your ports are not green as we have not powered anything on yet.

4.     Power on your FGT VM  and console into FortiOS CLI.
5.     As a precaution, we should shut all ports.
config sys interface
edit port1
set status down
#repeat for all ports
6.     Set the box transparent mode.
config system settings
set opmode transparent
set manageip
            #this will log you out so log back in.
7.     Set DNS and static route if needed.
config system dns
set primary x.x.x.x
set secondary x.x.x.x
            config router static
                        edit 0
                                    set dst x.x.x.x x.x.x.x
                                    set gateway x.x.x.x
8.     Set the forward-domain for your interfaces that are not used for management.
config system interface
edit port1
            set forward-domain 100
edit port8
            set forward-domain 100
9.     Set the allowaccess for your mgmt. interface.
config system interface
edit port2
            set allowaccess ping https
10.  Setup the in/out firewall policies for your Server communications.
It is very important that you set specify srcaddr/dstaddr to avoid layer2 issues on your network .
config firewall policy
edit 0
            set name “p1-p8”
            set srcintf port1
            set dstintf port8
            set srcaddr all
            set dstaddr "/32 srvIP"
            set service any
            set schedule always
            set action accept
edit 0
            set name “p8-p1”
            set srcintf port8
            set dstintf port1
            set dstaddr  all
            set srcaddr "/32 srvIP"
            set service any
            set schedule always
            set action accept

11.  Enable your 3 interfaces on the FGTVM and power on your VM servers. Traffic towards your servers should now be routed through your FGTVM and the FGT should be accessible via the management IP.

12.  Go back and apply any UTM policies, restrict services, etc in your policies that you may require.

No comments: