
HashiTalks Terraform + FortiGate

Takamichi Asai
September 29, 2021


Transcript

  1. Takamichi Asai

  2.
    © Fortinet Inc. All Rights Reserved.
    Scenario (diagram labels: Terraform, VM)
    1. Create a new VPC in AWS.
    2. Deploy a FortiGate-VM into it.
    3. Establish a VPN with the FortiGate at headquarters.
    4. Establish a VPN with the FortiGate at the branch office.
    5. Apply security policies to each FortiGate.
    6. Create instances in the VPC.
    7. The FortiGate policies are updated.

  3.
    1. Create a new VPC in AWS.
    2. Deploy a FortiGate-VM into it.
    https://github.com/fortinet/fortigate-terraform-deploy

  4.
    fgtvm.tf
    The FortiGate interface settings are bound to subnets. The instance type is set here, and so is the license type (BYOL or PAYG). For BYOL, the license file is placed in the same directory. The FortiGate's initial configuration is supplied in a separate file (fgtvm.conf, see the next slide).

    resource "aws_network_interface" "eth0" {
      description = "fgtvm-port1"
      subnet_id   = aws_subnet.publicsubnetaz1.id
    }

    resource "aws_network_interface" "eth1" {
      description       = "fgtvm-port2"
      subnet_id         = aws_subnet.privatesubnetaz1.id
      source_dest_check = false
    }

    resource "aws_network_interface_sg_attachment" "publicattachment" {
      depends_on           = [aws_network_interface.eth0]
      security_group_id    = aws_security_group.public_allow.id
      network_interface_id = aws_network_interface.eth0.id
    }

    resource "aws_network_interface_sg_attachment" "internalattachment" {
      depends_on           = [aws_network_interface.eth1]
      security_group_id    = aws_security_group.allow_all.id
      network_interface_id = aws_network_interface.eth1.id
    }

    resource "aws_instance" "fgtvm" {
      ami               = var.license_type == "byol" ? var.fgtvmbyolami[var.region] : var.fgtvmami[var.region]
      instance_type     = var.size
      availability_zone = var.az1
      key_name          = var.keyname
      user_data         = data.template_file.FortiGate.rendered

      root_block_device {
        volume_type = "standard"
        volume_size = "2"
      }

      ebs_block_device {
        device_name = "/dev/sdb"
        volume_size = "30"
        volume_type = "standard"
      }

      network_interface {
        network_interface_id = aws_network_interface.eth0.id
        device_index         = 0
      }

      network_interface {
        network_interface_id = aws_network_interface.eth1.id
        device_index         = 1
      }

      tags = {
        Name = "FortiGateVM"
      }
    }

    data "template_file" "FortiGate" {
      template = "${file("${var.bootstrap-fgtvm}")}"
      vars = {
        type         = "${var.license_type}"
        license_file = "${var.license}"
        adminsport   = "${var.adminsport}"
      }
    }

    variables.tf
    The image (FortiOS) IDs are already defined as variables.

    // AMIs are for FGTVM AWS(BYOL) - 7.0.1
    variable "fgtvmbyolami" {
      type = map
      default = {
        us-west-2      = "ami-0070ab4edc735c379"
        us-west-1      = "ami-09e5387cc293153c1"
        us-east-1      = "ami-02678839ab63d47a1"
        us-east-2      = "ami-01fc50db5a27388fa"
        ap-east-1      = "ami-069022a0b0042e2b8"
        ap-south-1     = "ami-00609a13c17b3cf5d"
        ap-northeast-2 = "ami-0a0e4c41637e6936f"
        ap-southeast-1 = "ami-0d9a129903b7ba964"
        ap-southeast-2 = "ami-0b9ef7623fc628069"
        ap-northeast-1 = "ami-0bfb0a297a846758d"
        ca-central-1   = "ami-0f5966c7ff86c1cb6"
        eu-central-1   = "ami-09ca8648996694d40"
        eu-west-1      = "ami-01118ca5692326739"
        eu-west-2      = "ami-073e5153688b42f25"
        eu-west-3      = "ami-00e8ba0a04789ad0e"
        eu-north-1     = "ami-0907f64a7bbfb94ff"
        me-south-1     = "ami-098b025df177bd3d4"
        sa-east-1      = "ami-01abe8a3a6cd165e7"
      }
    }

    variable "bootstrap-fgtvm" {
      // Change to your own path
      type    = string
      default = "fgtvm.conf"
    }

    // license file for the active fgt
    variable "license" {
      // Change to your own byol license file, license.lic
      type    = string
      default = "FGVM32TM21000248.lic"
    }

  5.
    fgtvm.conf
    An API user is created up front so that the FortiOS provider can be used later.

    Content-Type: multipart/mixed; boundary="==AWS=="
    MIME-Version: 1.0

    --==AWS==
    Content-Type: text/x-shellscript; charset="us-ascii"
    MIME-Version: 1.0

    config system global
        set hostname FGTVM
        set admin-sport ${adminsport}
    end
    config system interface
        edit port1
            set alias public
            set mode dhcp
            set allowaccess ping https ssh fgfm
        next
        edit port2
            set alias private
            set mode dhcp
            set allowaccess ping https ssh fgfm
            set defaultgw disable
        next
    end
    config system accprofile
        edit "api_admin"
            set secfabgrp read-write
            set ftviewgrp read-write
            set authgrp read-write
            set sysgrp read-write
            set netgrp read-write
            set loggrp read-write
            set fwgrp read-write
            set vpngrp read-write
            set utmgrp read-write
            set wanoptgrp read-write
            set wifi read-write
        next
    end
    config system api-user
        edit "tf_admin"
            set accprofile "api_admin"
            set vdom "root"
        next
    end
    %{ if type == "byol" }
    --==AWS==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="license"

    ${file(license_file)}
    %{ endif }
    --==AWS==--

  6.
    Apply complete! Resources: 24 added, 0 changed, 0 destroyed.

    Outputs:

    FGTPublicIP = "54.249.98.137"
    Password = "i-0c04332ac9e7b8162"
    Username = "admin"

    The FortiGate's IP address, the username, and the default password (the instance ID) are emitted as outputs.

  7.
    Once the FortiGate has booted, log in and obtain an API key.

  8.
    3. Establish a VPN with the FortiGate at headquarters.
    4. Establish a VPN with the FortiGate at the branch office.
    5. Apply security policies to each FortiGate.
    https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs

  9.
    variables.tf

    //----------------------------
    variable FortiGate-VM_IP {
      default = "54.249.98.137" // Required
    }
    variable FortiGate-VM_subnet {
      default = "10.1.1.0 255.255.255.0"
    }
    variable FortiGate-VM_token {
      default = "gpfGsm8w0Q6kbys0ssd6QxQ3zq07H3" // Required
    }
    ← Paste in the IP address and the API key.
    //----------------------------
    variable FortiGate-1_IP {
      default = "8.209.223.64"
    }
    variable FortiGate-1_subnet {
      default = "192.168.0.0 255.255.252.0"
    }
    variable FortiGate-1_token {
      default = "z031tg16mn0Q5xr4hpq1kNrzckr601"
    }
    ← Already filled in for the on-premises FortiGate.
    //----------------------------
    variable FortiGate-2_IP {
      default = "8.209.212.176"
    }
    variable FortiGate-2_subnet {
      default = "192.168.4.0 255.255.252.0"
    }
    variable FortiGate-2_token {
      default = "8pGj1qGHr480QQmddqQg46GN0psc4p"
    }
    ← Already filled in for the on-premises FortiGate.

  10.
    One template per FortiGate: FortiGate-VM.tf, FortiGate-1.tf, FortiGate-2.tf.
    The provider is "fortios"; the same provider is reused for each device through aliases.

    # Configure the FortiOS Provider for FortiGate
    terraform {
      required_providers {
        fortios = {
          source  = "fortinetdev/fortios"
          version = "1.13.1"
        }
      }
    }

    # FortiGate-VM.tf (default provider, no alias)
    provider "fortios" {
      hostname = var.FortiGate-VM_IP
      token    = var.FortiGate-VM_token
      insecure = "true"
    }

    # FortiGate-1.tf
    provider "fortios" {
      alias    = "FortiGate-1"
      hostname = var.FortiGate-1_IP
      token    = var.FortiGate-1_token
      insecure = "true"
    }

    # FortiGate-2.tf
    provider "fortios" {
      alias    = "FortiGate-2"
      hostname = var.FortiGate-2_IP
      token    = var.FortiGate-2_token
      insecure = "true"
    }

  11.
    FortiGate-1.tf

    # IPsec Phase 1 settings
    resource "fortios_vpnipsec_phase1interface" "FG1-Tunnel_1" {
      provider   = fortios.FortiGate-1
      name       = "Tunnel_1"
      interface  = "port1"
      peertype   = "any"
      net_device = "disable"
      proposal   = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
      remote_gw  = var.FortiGate-VM_IP
      psksecret  = "F0rt1net!"
    }

    # IPsec Phase 2 settings
    resource "fortios_vpnipsec_phase2interface" "FG1-Tunnel_1" {
      provider   = fortios.FortiGate-1
      name       = "Tunnel_1"
      phase1name = fortios_vpnipsec_phase1interface.FG1-Tunnel_1.name
      proposal   = "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305"
      src_subnet = "0.0.0.0 0.0.0.0"
      dst_subnet = "0.0.0.0 0.0.0.0"
    }

    # Static route that sends traffic for the VPC into the IPsec tunnel
    resource "fortios_router_static" "FG1-Tunnel_1" {
      provider = fortios.FortiGate-1
      seq_num  = 1
      device   = fortios_vpnipsec_phase2interface.FG1-Tunnel_1.name
      dst      = var.FortiGate-VM_subnet
    }

    The configuration items are exactly the same as in the CLI:

    FortiGate-1 # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "Tunnel_1"
            set interface "port1"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 54.249.98.137
            set psksecret ENC i7XJjyPD5/R0XACnTUbs9KhGUMA9mUPk+zUmRD4zALoQf7KM6ohVNF7DgwYzFHnRWz5RYsWkdD2ZmbaFtjJdpSN9qgIB+GS2z4cpxnIuPfyb9zz6ci1GoZk1fFRPYVeF/t+1LKbrFcAOtRjeQTXoRTS9ipfeNYpF70tz4M3qfnkBl9JWP3F/4+qvSISu7xdNiIkJ8w==
        next
    end
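The API tokens on slide 9 and the pre-shared key above are literal `default` values, so they land in version control and in `terraform plan` output. An added example (not from the deck or from the fortigate-terraform-deploy repository) of the same inputs declared as sensitive variables supplied at run time, with the provider verifying the FortiGate's TLS certificate through its `cabundlefile` option instead of `insecure = "true"`; the variable names `fortigate_1_token`, `ipsec_psk` and `fortigate_ca_bundle` are my own:

```hcl
# variables.tf (added example): no secrets in defaults. Supply them at run time, e.g.
#   export TF_VAR_fortigate_1_token=...  TF_VAR_ipsec_psk=...
variable "FortiGate-VM_IP" { type = string }
variable "FortiGate-1_IP"  { type = string }

variable "fortigate_1_token" {
  type      = string
  sensitive = true # redacted from plan/apply output
}

variable "ipsec_psk" {
  type      = string
  sensitive = true
  validation {
    condition     = length(var.ipsec_psk) >= 20
    error_message = "ipsec_psk must be at least 20 characters."
  }
}

# Assumption: a PEM bundle containing the CA that issued the FortiGate's HTTPS certificate.
variable "fortigate_ca_bundle" {
  type    = string
  default = "fortigate-ca.pem"
}

# FortiGate-1.tf: verify the FortiGate's certificate rather than skipping the check.
provider "fortios" {
  alias        = "FortiGate-1"
  hostname     = var.FortiGate-1_IP
  token        = var.fortigate_1_token
  insecure     = false
  cabundlefile = var.fortigate_ca_bundle
}

# Same phase 1 as the slide, with the PSK read from the sensitive variable
# and the SHA-1 proposals from the slide dropped.
resource "fortios_vpnipsec_phase1interface" "FG1-Tunnel_1" {
  provider   = fortios.FortiGate-1
  name       = "Tunnel_1"
  interface  = "port1"
  peertype   = "any"
  net_device = "disable"
  proposal   = "aes256-sha256 aes128-sha256"
  remote_gw  = var.FortiGate-VM_IP
  psksecret  = var.ipsec_psk
}
```

Sensitive variables are still written to the state file in clear text, so the state needs the same protection (an encrypted remote backend with restricted access).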

  12.
    FortiGate-1.tf

    # SDN connector: fetches the IP addresses inside the VPC via the AWS API.
    resource "fortios_system_sdnconnector" "FG1-VPC1" {
      provider         = fortios.FortiGate-1
      name             = "VPC1"
      use_metadata_iam = "disable"
      type             = "aws"
      status           = "enable"
      access_key       = var.access_key
      secret_key       = var.secret_key
      region           = "ap-northeast-1"
    }

    # The fetched addresses are filtered by tag and used as address objects.
    resource "fortios_firewall_address" "FG1-service_a" {
      provider = fortios.FortiGate-1
      name     = "service_a"
      type     = "dynamic"
      sdn      = fortios_system_sdnconnector.FG1-VPC1.name
      filter   = "Tag.Name=service_a"
    }

    resource "fortios_firewall_address" "FG1-service_b" {
      provider = fortios.FortiGate-1
      name     = "service_b"
      type     = "dynamic"
      sdn      = fortios_system_sdnconnector.FG1-VPC1.name
      filter   = "Tag.Name=service_b"
    }

  13.
    FortiGate-1.tf

    # The address object is used in a firewall policy; it is updated dynamically as
    # EC2 instances are added or removed. This policy permits IPsec use only towards
    # specific resources in the VPC.
    resource "fortios_firewall_policy" "FG1-Service_A" {
      provider        = fortios.FortiGate-1
      policyid        = 10
      name            = "Service_A"
      action          = "accept"
      schedule        = "always"
      ssl_ssh_profile = "certificate-inspection"
      srcintf {
        name = "Team_A"
      }
      dstintf {
        name = fortios_vpnipsec_phase2interface.FG1-Tunnel_1.name
      }
      srcaddr {
        name = "Team_A address"
      }
      dstaddr {
        name = fortios_firewall_address.FG1-service_a.name
      }
      service {
        name = "HTTPS"
      }
    }

  14.
    FortiGate-VM.tf
    On the AWS-side FortiGate, policies are set according to EC2 attributes.

    # Example: instances created with the tag "service_a" get WAF and AV applied.
    resource "fortios_firewall_policy" "Service_A" {
      policyid        = 10
      name            = "Service_A"
      action          = "accept"
      schedule        = "always"
      ssl_ssh_profile = "deep-inspection"
      inspection_mode = "proxy"
      utm_status      = "enable"
      av_profile      = "default"
      waf_profile     = "default"
      ips_sensor      = "protect_http_server"
      srcintf {
        name = "any"
      }
      dstintf {
        name = "port2"
      }
      srcaddr {
        name = "all"
      }
      dstaddr {
        name = fortios_firewall_address.service_a.name
      }
      service {
        name = "HTTPS"
      }
    }

    # Example: instances created with the tag "service_b" are allowed SSH only, with IPS applied.
    resource "fortios_firewall_policy" "Service_B" {
      policyid        = 11
      name            = "Service_B"
      action          = "accept"
      schedule        = "always"
      ssl_ssh_profile = "deep-inspection"
      utm_status      = "enable"
      ips_sensor      = "default"
      srcintf {
        name = "any"
      }
      dstintf {
        name = "port2"
      }
      srcaddr {
        name = "all"
      }
      dstaddr {
        name = fortios_firewall_address.service_b.name
      }
      service {
        name = "SSH"
      }
    }
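Slides 12 to 14 repeat the same address-plus-policy pair once per tag. An added example (not from the deck) that generalises this: a single map of services drives the dynamic address objects and the per-tag policies on the AWS-side FortiGate-VM with `for_each`, so adding a third tag is one new map entry. It assumes the default `fortios` provider from slide 10, and that the FortiGate-VM's instance profile allows EC2 describe calls so the connector can use IAM metadata instead of stored access keys:

```hcl
# services.tf (added example): one map drives the SDN-connector addresses and the
# per-tag policies on the AWS-side FortiGate-VM (default provider from slide 10).
locals {
  services = {
    # tag Name=service_a: HTTPS only, proxy inspection with WAF + AV (slide 14, policy 10)
    service_a = { policyid = 10, port = "HTTPS", ips_sensor = "protect_http_server", av_profile = "default", waf_profile = "default" }
    # tag Name=service_b: SSH only, IPS only, no proxy-based profiles (slide 14, policy 11)
    service_b = { policyid = 11, port = "SSH", ips_sensor = "default", av_profile = null, waf_profile = null }
  }
}

# Assumption: the FortiGate-VM's instance profile grants ec2:DescribeInstances,
# so no AWS access keys have to be written into Terraform state.
resource "fortios_system_sdnconnector" "VPC1" {
  name             = "VPC1"
  type             = "aws"
  status           = "enable"
  use_metadata_iam = "enable"
  region           = "ap-northeast-1"
}

# One dynamic address object per service, filtered on the EC2 Name tag.
resource "fortios_firewall_address" "svc" {
  for_each = local.services
  name     = each.key
  type     = "dynamic"
  sdn      = fortios_system_sdnconnector.VPC1.name
  filter   = "Tag.Name=${each.key}"
}

# One policy per service; a null profile is simply omitted from the API call,
# and proxy mode is only enabled where a WAF profile needs it.
resource "fortios_firewall_policy" "svc" {
  for_each        = local.services
  policyid        = each.value.policyid
  name            = each.key
  action          = "accept"
  schedule        = "always"
  ssl_ssh_profile = "deep-inspection"
  inspection_mode = each.value.waf_profile != null ? "proxy" : "flow"
  utm_status      = "enable"
  ips_sensor      = each.value.ips_sensor
  av_profile      = each.value.av_profile
  waf_profile     = each.value.waf_profile
  srcintf { name = "any" }
  dstintf { name = "port2" }
  srcaddr { name = "all" }
  dstaddr { name = fortios_firewall_address.svc[each.key].name }
  service { name = each.value.port }
}
```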

  15.
    6. Create instances in the VPC.
    7. The FortiGate policies are updated.
    New instances are tracked automatically.

  16.
    Summary
    This was an example of how, by combining Terraform and FortiGate, the following can be applied to newly created cloud resources with no lead time:
    • Secure connectivity to on-premises resources
    • Protection against misuse and compromise
    • The same security policy applied from different sites
    • Dynamic IP address tracking
    More advanced uses include:
    • Larger-scale management with FortiManager
      • Policies for multiple FortiGates can be managed from a single template.
    • More secure connectivity with the ZTNA feature
      • The AWS-side FortiGate can apply policies based on user attributes and device posture (remote access is also supported).
