
HashiTalks Terraform + FortiGate

Takamichi Asai
September 29, 2021

Transcript

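  1. © Fortinet Inc. All Rights Reserved. Scenario

      1. Create a new VPC on AWS.
      2. Deploy a FortiGate-VM into it.
      3. Establish a VPN with the FortiGate at headquarters.
      4. Establish a VPN with the FortiGate at the branch office.
      5. Apply security policies to each FortiGate.
      6. Create instances in the VPC.
      7. The FortiGate policies are updated.

    (Diagram labels: Terraform, VM)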
  2. Steps 1 and 2:

      1. Create a new VPC on AWS.
      2. Deploy a FortiGate-VM into it.

    https://github.com/fortinet/fortigate-terraform-deploy
  3. fgtvm.tf

    Binds the FortiGate interface settings to subnets. The instance type is set here, as is the license type (BYOL or PAYG). For BYOL, place the license file in the same directory.

    ```
    resource "aws_network_interface" "eth0" {
      description = "fgtvm-port1"
      subnet_id   = aws_subnet.publicsubnetaz1.id
    }

    resource "aws_network_interface" "eth1" {
      description       = "fgtvm-port2"
      subnet_id         = aws_subnet.privatesubnetaz1.id
      source_dest_check = false
    }

    resource "aws_network_interface_sg_attachment" "publicattachment" {
      depends_on           = [aws_network_interface.eth0]
      security_group_id    = aws_security_group.public_allow.id
      network_interface_id = aws_network_interface.eth0.id
    }

    resource "aws_network_interface_sg_attachment" "internalattachment" {
      depends_on           = [aws_network_interface.eth1]
      security_group_id    = aws_security_group.allow_all.id
      network_interface_id = aws_network_interface.eth1.id
    }

    resource "aws_instance" "fgtvm" {
      ami               = var.license_type == "byol" ? var.fgtvmbyolami[var.region] : var.fgtvmami[var.region]
      instance_type     = var.size
      availability_zone = var.az1
      key_name          = var.keyname
      user_data         = data.template_file.FortiGate.rendered

      root_block_device {
        volume_type = "standard"
        volume_size = "2"
      }

      ebs_block_device {
        device_name = "/dev/sdb"
        volume_size = "30"
        volume_type = "standard"
      }

      network_interface {
        network_interface_id = aws_network_interface.eth0.id
        device_index         = 0
      }

      network_interface {
        network_interface_id = aws_network_interface.eth1.id
        device_index         = 1
      }

      tags = {
        Name = "FortiGateVM"
      }
    }

    data "template_file" "FortiGate" {
      template = "${file("${var.bootstrap-fgtvm}")}"
      vars = {
        type         = "${var.license_type}"
        license_file = "${var.license}"
        adminsport   = "${var.adminsport}"
      }
    }
    ```

    variables.tf

    The image (FortiOS) IDs are already defined as variables. The FortiGate initial configuration is prepared in a separate file.

    ```
    // AMIs are for FGTVM AWS(BYOL) - 7.0.1
    variable "fgtvmbyolami" {
      type = map
      default = {
        us-west-2      = "ami-0070ab4edc735c379"
        us-west-1      = "ami-09e5387cc293153c1"
        us-east-1      = "ami-02678839ab63d47a1"
        us-east-2      = "ami-01fc50db5a27388fa"
        ap-east-1      = "ami-069022a0b0042e2b8"
        ap-south-1     = "ami-00609a13c17b3cf5d"
        ap-northeast-2 = "ami-0a0e4c41637e6936f"
        ap-southeast-1 = "ami-0d9a129903b7ba964"
        ap-southeast-2 = "ami-0b9ef7623fc628069"
        ap-northeast-1 = "ami-0bfb0a297a846758d"
        ca-central-1   = "ami-0f5966c7ff86c1cb6"
        eu-central-1   = "ami-09ca8648996694d40"
        eu-west-1      = "ami-01118ca5692326739"
        eu-west-2      = "ami-073e5153688b42f25"
        eu-west-3      = "ami-00e8ba0a04789ad0e"
        eu-north-1     = "ami-0907f64a7bbfb94ff"
        me-south-1     = "ami-098b025df177bd3d4"
        sa-east-1      = "ami-01abe8a3a6cd165e7"
      }
    }

    variable "bootstrap-fgtvm" {
      // Change to your own path
      type    = string
      default = "fgtvm.conf"
    }

    // license file for the active fgt
    variable "license" {
      // Change to your own byol license file, license.lic
      type    = string
      default = "FGVM32TM21000248.lic"
    }
    ```
  4. fgtvm.conf

    Add an API user here so that the FortiOS Provider can use it later.

    ```
    Content-Type: multipart/mixed; boundary="==AWS=="
    MIME-Version: 1.0

    --==AWS==
    Content-Type: text/x-shellscript; charset="us-ascii"
    MIME-Version: 1.0

    config system global
    set hostname FGTVM
    set admin-sport ${adminsport}
    end
    config system interface
    edit port1
    set alias public
    set mode dhcp
    set allowaccess ping https ssh fgfm
    next
    edit port2
    set alias private
    set mode dhcp
    set allowaccess ping https ssh fgfm
    set defaultgw disable
    next
    end
    config system accprofile
    edit "api_admin"
    set secfabgrp read-write
    set ftviewgrp read-write
    set authgrp read-write
    set sysgrp read-write
    set netgrp read-write
    set loggrp read-write
    set fwgrp read-write
    set vpngrp read-write
    set utmgrp read-write
    set wanoptgrp read-write
    set wifi read-write
    next
    end
    config system api-user
    edit "tf_admin"
    set accprofile "api_admin"
    set vdom "root"
    next
    end

    %{ if type == "byol" }
    --==AWS==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="license"

    ${file(license_file)}

    %{ endif }
    --==AWS==--
    ```
  5. The FortiGate's IP address, the username, and the default password (the instance ID) are output.

    ```
    Apply complete! Resources: 24 added, 0 changed, 0 destroyed.

    Outputs:

    FGTPublicIP = "54.249.98.137"
    Password = "i-0c04332ac9e7b8162"
    Username = "admin"
    ```
  6. Steps 3 to 5:

      3. Establish a VPN with the FortiGate at headquarters.
      4. Establish a VPN with the FortiGate at the branch office.
      5. Apply security policies to each FortiGate.

    https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs
  7. variables.tf

    ```
    //----------------------------
    variable FortiGate-VM_IP {
      default = "54.249.98.137" // Required
    }
    variable FortiGate-VM_subnet {
      default = "10.1.1.0 255.255.255.0"
    }
    variable FortiGate-VM_token {
      default = "gpfGsm8w0Q6kbys0ssd6QxQ3zq07H3" // Required
    }
    //----------------------------
    variable FortiGate-1_IP {
      default = "8.209.223.64"
    }
    variable FortiGate-1_subnet {
      default = "192.168.0.0 255.255.252.0"
    }
    variable FortiGate-1_token {
      default = "z031tg16mn0Q5xr4hpq1kNrzckr601"
    }
    //----------------------------
    variable FortiGate-2_IP {
      default = "8.209.212.176"
    }
    variable FortiGate-2_subnet {
      default = "192.168.4.0 255.255.252.0"
    }
    variable FortiGate-2_token {
      default = "8pGj1qGHr480QQmddqQg46GN0psc4p"
    }
    ```

    Slide callouts, in order:

      - ← Copy and paste the IP address and API key.
      - ← The on-premises FortiGate is already filled in.
      - ← The on-premises FortiGate is already filled in.
  8. One template per FortiGate: FortiGate-VM.tf, FortiGate-1.tf, FortiGate-2.tf

    The provider is "fortios". The same provider is reused for each FortiGate by giving it an alias.

    ```
    # Configure the FortiOS Provider for FortiGate
    terraform {
      required_providers {
        fortios = {
          source  = "fortinetdev/fortios"
          version = "1.13.1"
        }
      }
    }

    provider "fortios" {
      hostname = var.FortiGate-VM_IP
      token    = var.FortiGate-VM_token
      insecure = "true"
    }

    provider "fortios" {
      alias    = "FortiGate-1"
      hostname = var.FortiGate-1_IP
      token    = var.FortiGate-1_token
      insecure = "true"
    }

    provider "fortios" {
      alias    = "FortiGate-2"
      hostname = var.FortiGate-2_IP
      token    = var.FortiGate-2_token
      insecure = "true"
    }
    ```
  9. FortiGate-1.tf

    IPsec Phase 1 configuration, IPsec Phase 2 configuration, and a static route that directs traffic for the VPC into the IPsec tunnel.

    ```
    resource "fortios_vpnipsec_phase1interface" "FG1-Tunnel_1" {
      provider   = fortios.FortiGate-1
      name       = "Tunnel_1"
      interface  = "port1"
      peertype   = "any"
      net_device = "disable"
      proposal   = "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1"
      remote_gw  = var.FortiGate-VM_IP
      psksecret  = "F0rt1net!"
    }

    resource "fortios_vpnipsec_phase2interface" "FG1-Tunnel_1" {
      provider   = fortios.FortiGate-1
      name       = "Tunnel_1"
      phase1name = fortios_vpnipsec_phase1interface.FG1-Tunnel_1.name
      proposal   = "aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305"
      src_subnet = "0.0.0.0 0.0.0.0"
      dst_subnet = "0.0.0.0 0.0.0.0"
    }

    resource "fortios_router_static" "FG1-Tunnel_1" {
      provider = fortios.FortiGate-1
      seq_num  = 1
      device   = fortios_vpnipsec_phase2interface.FG1-Tunnel_1.name
      dst      = var.FortiGate-VM_subnet
    }
    ```

    The configuration items are exactly the same as in the CLI.

    ```
    FortiGate-1 # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "Tunnel_1"
            set interface "port1"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 54.249.98.137
            set psksecret ENC i7XJjyPD5/R0XACnTUbs9KhGUMA9mUPk+zUmRD4zALoQf7KM6ohVNF7DgwYzFHnRWz5RYsWkdD2ZmbaFtjJdpSN9qgIB+GS2z4cpxnIuPfyb9zz6ci1GoZk1fFRPYVeF/t+1LKbrFcAOtRjeQTXoRTS9ipfeNYpF70tz4M3qfnkBl9JWP3F/4+qvSISu7xdNiIkJ8w==
        next
    end
    ```
  10. FortiGate-1.tf

    The SDN connector feature retrieves the IP addresses inside the VPC through the API. The retrieved addresses are filtered by tag and used as address objects.

    ```
    resource "fortios_system_sdnconnector" "FG1-VPC1" {
      provider         = fortios.FortiGate-1
      name             = "VPC1"
      use_metadata_iam = "disable"
      type             = "aws"
      status           = "enable"
      access_key       = var.access_key
      secret_key       = var.secret_key
      region           = "ap-northeast-1"
    }

    resource "fortios_firewall_address" "FG1-service_a" {
      provider = fortios.FortiGate-1
      name     = "service_a"
      type     = "dynamic"
      sdn      = fortios_system_sdnconnector.FG1-VPC1.name
      filter   = "Tag.Name=service_a"
    }

    resource "fortios_firewall_address" "FG1-service_b" {
      provider = fortios.FortiGate-1
      name     = "service_b"
      type     = "dynamic"
      sdn      = fortios_system_sdnconnector.FG1-VPC1.name
      filter   = "Tag.Name=service_b"
    }
    ```
  11. FortiGate-1.tf

    That address object is used in a firewall policy. It is updated dynamically when EC2 instances are added or removed. This is a policy that permits use of the IPsec tunnel only toward specific resources in the VPC.

    ```
    resource "fortios_firewall_policy" "FG1-Service_A" {
      provider        = fortios.FortiGate-1
      policyid        = 10
      name            = "Service_A"
      action          = "accept"
      schedule        = "always"
      ssl_ssh_profile = "certificate-inspection"

      srcintf {
        name = "Team_A"
      }
      dstintf {
        name = fortios_vpnipsec_phase2interface.FG1-Tunnel_1.name
      }
      srcaddr {
        name = "Team_A address"
      }
      dstaddr {
        name = fortios_firewall_address.FG1-service_a.name
      }
      service {
        name = "HTTPS"
      }
    }
    ```
  12. FortiGate-VM.tf

    On the AWS-side FortiGate, policies are set according to the attributes of the EC2 instances.

    Example: instances created with the tag "service_a" get WAF and AV applied.

    ```
    resource "fortios_firewall_policy" "Service_A" {
      policyid        = 10
      name            = "Service_A"
      action          = "accept"
      schedule        = "always"
      ssl_ssh_profile = "deep-inspection"
      inspection_mode = "proxy"
      utm_status      = "enable"
      av_profile      = "default"
      waf_profile     = "default"
      ips_sensor      = "protect_http_server"

      srcintf {
        name = "any"
      }
      dstintf {
        name = "port2"
      }
      srcaddr {
        name = "all"
      }
      dstaddr {
        name = fortios_firewall_address.service_a.name
      }
      service {
        name = "HTTPS"
      }
    }
    ```

    Example: for instances created with the tag "service_b", only SSH is permitted and IPS is applied.

    ```
    resource "fortios_firewall_policy" "Service_B" {
      policyid        = 11
      name            = "Service_B"
      action          = "accept"
      schedule        = "always"
      ssl_ssh_profile = "deep-inspection"
      utm_status      = "enable"
      ips_sensor      = "default"

      srcintf {
        name = "any"
      }
      dstintf {
        name = "port2"
      }
      srcaddr {
        name = "all"
      }
      dstaddr {
        name = fortios_firewall_address.service_b.name
      }
      service {
        name = "SSH"
      }
    }
    ```
  13. Steps 6 and 7:

      6. Create instances in the VPC.
      7. The FortiGate policies are updated.

    The FortiGate tracks them automatically.
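  14. Summary

    This was an example of how, by using Terraform and FortiGate, the following can be applied with no lead time to new resources created in the cloud:

      • Secure connectivity with on-premises resources
      • Protection against misuse and compromise
      • The same security policy applied from different sites
      • Dynamic IP address tracking

    More advanced uses could include:

      • Larger-scale management using FortiManager
          • Policy for multiple FortiGates can be managed from a single template.
      • More secure connectivity using the ZTNA feature
          • The AWS-side FortiGate can apply policies based on user attributes and device state. (Remote access is also supported.)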
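
The variables.tf and provider blocks in the transcript keep API tokens as variable defaults, set `insecure = "true"`, and write the IPsec pre-shared key into FortiGate-1.tf as a literal. As an added example (not code from the deck or from Fortinet), here is the FortiGate-1 provider and Phase 1 tunnel with those three settings corrected; the variable `FortiGate-1_psk`, the CA bundle path and the 20-character minimum are assumptions.

```hcl
terraform {
  required_version = ">= 0.14" # needed for sensitive input variables
  required_providers {
    fortios = {
      source  = "fortinetdev/fortios"
      version = "1.13.1"
    }
  }
}

variable "FortiGate-VM_IP" { type = string }
variable "FortiGate-1_IP" { type = string }

# No default: supply the value from an untracked .tfvars file or a secrets manager.
variable "FortiGate-1_token" {
  type      = string
  sensitive = true # redacted in plan/apply output, but still written to state
}

# Hypothetical variable: the deck writes the pre-shared key inline.
variable "FortiGate-1_psk" {
  type      = string
  sensitive = true

  validation {
    condition     = length(var.FortiGate-1_psk) >= 20 # assumed minimum length
    error_message = "The IPsec pre-shared key must be at least 20 characters."
  }
}

provider "fortios" {
  alias    = "FortiGate-1"
  hostname = var.FortiGate-1_IP
  token    = var.FortiGate-1_token
  insecure = "false" # verify the FortiGate's TLS certificate
  # Assumed path. The certificate must list the hostname or IP used above in its SAN.
  cabundlefile = "${path.module}/fortigate-ca.pem"
}

resource "fortios_vpnipsec_phase1interface" "FG1-Tunnel_1" {
  provider   = fortios.FortiGate-1
  name       = "Tunnel_1"
  interface  = "port1"
  peertype   = "any"
  net_device = "disable"
  proposal   = "aes128-sha256 aes256-sha256" # the deck's SHA-1 proposals are dropped; the peer must match
  remote_gw  = var.FortiGate-VM_IP
  psksecret  = var.FortiGate-1_psk
}
```

Because the token and the pre-shared key still reach the Terraform state in clear text, the state backend needs its own encryption and access control.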