fortinet/azure-templates

[Question] Internet connectivity for FG instances themselves

arnaudluti opened this issue · 3 comments

Hi @jvhoof !

I'm currently trying to set up an active-passive ELB/ILB FG cluster in our Azure tenant.
Thanks for the work and the procedures & templates provided.

In general, I have some doubts about the routes & outbound connections established from the FG instances themselves:

  • Which interface is used by the FortiGate to access the internet? (to update definitions, licences, Azure SDN fabric connectors...) In any procedures, I couldn't find something about that (following that document).
  • To establish the IPsec tunnel, we use the external LB public IP address (one of...). As far as I understood, the IPsec connection is coming from the on-premise firewall? The FG instances in Azure cannot dial up the tunnel? (if yes, which interface is used?)
  • What's the private IP defined as a default gateway on the external interface?... I'll explain:

After the deployment, the two FortiGates have set a private IP as a default gateway on their external NIC (external LB subnet).

Assuming that my external load-balancer subnet is 172.17.240.240/28, the first FortiGate has the IP 172.17.240.245/28, the second has 172.17.240.246/28.

There is a 172.17.240.241/28 IP which has been configured as a default gateway on the WAN interface, and I couldn't find that IP anywhere else in Azure! (not in the external LB config, not in the subnet/vnet configs... ?!).

It looks like that's the implicit private IP which is carried by the external load balancer. From the two FortiGates, I can't ping that IP, I can't even reach the public IP carried by the external load balancer, because the route to it has that 172.17.240.241 as gateway!

... So, from the FortiGates themselves, it looks like I can't reach the internet, because of that default route.

Here is the NIC 1 (external interface) conf from FG-1:
image

And its static route table:
image

Trying to outcome:
image

Do you have any information about that?

Thanks in advance!
Arnaud

Hi @arnaudluti,

A lot of questions! Let's start...

  • Which interface is used by the FortiGate to access the internet? (to update definitions, licences, Azure SDN fabric connectors...) In any procedures, I couldn't find something about that (following that document).

All outbound connections adhere to the routing table available in the FortiGate. If you set up the FGT using the default templates then all will go via port1 and the default gateway.

There is 1 exception and that is the Azure SDN Fabric Connector. As this needs internet connectivity on both units, this will go out via port 4 or the HA MGMT port. Primary and secondary units have internet access via this interface even when the secondary is in passive mode. This is not needed for the failover with ELB/ILB but for failover with the SDN connector.

  • To establish the IPsec tunnel, we use the external LB public IP address (one of...). As far as I understood, the IPsec connection is coming from the on-premise firewall? The FG instances in Azure cannot dial up the tunnel? (if yes, which interface is used?)

If you configure the inbound config as defined on the link below, the inbound connection will be used to set up the connection from the on-premise firewall.
https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#configuration---ipsec

Outbound, if you only define 1 public IP on the external load balancer, that will be used for the outbound connection of the IPsec tunnel (the FGT sends a packet with the external interface private IP and the ELB will translate it to the available public IP).

You can also add a secondary private IP to your FGT and attach an instance-level public IP to establish tunnels specifically from only 1 IP. Either you define only one public IP and fail over using the SDN connector, or you define a public IP on each FGT and define these in 2 separate tunnels on your on-premise FGT.
https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-outbound-nat-considerations.md

  • What's the private IP defined as a default gateway on the external interface?

In each subnet in a Microsoft Virtual Network there are 3 reserved IPs. The first IP is always the default gateway of that subnet. If you send traffic to it, the VNET routing will be used. More information can be found here:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets

Ping is not a good way to test your connectivity in Azure. It is best that you use telnet, netcat or tcping, for example.

Hope this gives you the needed information, or fire away if it is not clear.

Regards,

Joeri
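
An added example, not part of the original reply or of the Fortinet templates: it derives the addresses Azure reserves in the subnet from the question (network, default gateway, two addresses mapped to Azure DNS, broadcast), checks the FortiGate NIC addresses and default route against them, and tests reachability with a TCP connect instead of ping. The function names and the `example.com` probe target are assumptions made for illustration.

```python
import ipaddress
import socket


def azure_reserved(cidr):
    """Addresses Azure reserves in an IPv4 subnet, keyed by role."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > 29:
        raise ValueError("Azure IPv4 subnets must be /29 or larger")
    base = net.network_address
    return {
        "network": str(base),
        "default_gateway": str(base + 1),  # first host IP: VNET router
        "azure_dns_1": str(base + 2),
        "azure_dns_2": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def check_nic(cidr, nic_ip, gateway):
    """Return a list of problems with a NIC address and its default route."""
    reserved = azure_reserved(cidr)
    problems = []
    if ipaddress.ip_address(nic_ip) not in ipaddress.ip_network(cidr):
        problems.append(f"{nic_ip} is outside {cidr}")
    elif nic_ip in reserved.values():
        problems.append(f"{nic_ip} is reserved by Azure")
    if gateway != reserved["default_gateway"]:
        problems.append(f"gateway should be {reserved['default_gateway']}")
    return problems


def tcp_probe(host, port, timeout=3.0):
    """TCP connect test; True if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    subnet = "172.17.240.240/28"  # external subnet from the question
    for nic in ("172.17.240.245", "172.17.240.246"):
        print(nic, check_nic(subnet, nic, "172.17.240.241") or "ok")
    # Hypothetical probe target; replace with a host and port you expect to reach.
    print("tcp/443:", tcp_probe("example.com", 443))
```
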

Closing as there is no update. Feel free to reopen or open a new issue.

Hello @jvhoof
I'm really sorry for the late response, I'm working alternatively on the Azure infrastructure... ;)
Thank you very much for the details, it gave me all the necessary comprehension, especially for the Azure reserved IPs in the snet.
I could establish an IPsec tunnel between the active Azure FGT & on-premise FGT, through the external load-balancer IP. Still have to configure & test the HA, then I will be able to test the failover.
Thanks for the templates, it rocks! I will have a look at Terraform as well.
I wish you good continuation.
Arnaud