Automating FortiGate Next Generation Firewall Intrusion Prevention using AWS CloudFormation
AWS CloudFormation provides a way for you to create templates that can help you automatically launch resources. This helps you eliminate manual tasks such as configuring route tables or assigning elastic IP addresses (EIP) to instances.
In this blog post, I show how to help protect your AWS environment from attacks by using an AWS CloudFormation template to launch a FortiGate Next Generation Firewall (FortiGate). FortiGate is available in AWS Marketplace. I show how to use the AWS CloudFormation template and how to configure FortiGate Intrusion Prevention. Fortinet offers a free 30-day trial of FortiGate.
As more customers move to AWS and use more AWS services, security complexity grows and can become daunting. Not only does security get more complex, but so does all the infrastructure as more services are adopted and more applications are re-architected to be native to AWS. You need to be able to adapt your entire environment to be as agile as possible. The dynamic nature of the cloud requires infrastructure, security, and network to respond as quickly as possible. Automation, such as using AWS CloudFormation templates to launch and configure a new firewall, can help.
In this solution, I show how to launch and automatically configure FortiGate using AWS CloudFormation. I also include a demo environment to test the following use cases as part of intrusion prevention:
- Blocking a URL
- Enabling web filtering
- Botnet Command and Control (C&C) IP blocking
I also show how to use this solution to protect against a malicious download. The following architecture diagram shows the resources the AWS CloudFormation template creates.
- In your AWS cloud, the AWS CloudFormation template creates two Virtual Private Clouds (VPCs). One is a Security Services Hub VPC, and the other is a spoke VPC.
- The Security Services Hub VPC contains Fortinet’s NGFW solution, FortiGate, deployed with a single Elastic Network Interface (ENI) in the public subnet.
- The Spoke VPC contains a single EC2 instance located inside a private subnet.
- Both VPCs are connected to the transit gateway via VPC attachments.
Refer to the following diagram.
A. Create the stack
Step 1: Initiate the AWS CloudFormation template
Launch the AWS CloudFormation template from Fortinet’s GitHub repository by following these steps:
- Log on to the AWS CloudFormation console with your admin credentials.
- Choose Create stack.
- In Prerequisite – Prepare template, choose Template is ready.
- In Specify template, choose Amazon S3 URL.
- Enter the Amazon S3 URL: https://s3-us-west-2.amazonaws.com/fortinet-aws/fabric-connector-aws.template
- Select Next.
Step 2: Configure the AWS CloudFormation stack options
Specify the stack details by entering the following values for Stack name and Parameters:
- Stack name: fortinet-fabric-connector-aws
- CIDRForWorkLoadInstanceAccess: the source address range allowed to reach the workload instance. To allow access from any address, enter 0.0.0.0/0, as I did for this demo. Outside a short-lived test, restrict this to your own public IP range so that the workload’s SSH port is not exposed to the whole Internet.
- CloudHubPublicSubnetCIDR: enter your CIDR range of the public subnet. I entered 10.0.0.0/24.
- CloudHubVPCCIDR: enter the CIDR range of the VPC where CloudHub resides. I entered 10.0.0.0/16.
- FortigateInstanceType: enter the type of EC2 instance to launch the solution in. This must be c5n.large or larger. I entered c5n.large.
- KeyName: enter the EC2 keypair you want to use to access via SSH.
- SpokePrivateSubnetCIDR: enter the CIDR range of the private subnet in the spoke VPC. I entered 10.1.0.0/24.
- WorkLoadInstanceType: enter the end user EC2 instance type. I entered t2.small.
- Select Next.
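Before submitting the stack, it is worth checking that the parameter values are consistent with each other: the public subnet has to sit inside the hub VPC range, the spoke subnet must not overlap the hub VPC (the transit gateway routes between them by prefix), the instance type must meet the c5n.large minimum, and a wide-open access CIDR deserves at least a warning. The following pre-flight script is an added example written for this post; it is not Fortinet’s template or AWS tooling. The c5n size ordering, the non-overlap rule and the key pair name are assumptions; adjust them if your copy of the template differs.

```python
"""Pre-flight check for the fortinet-fabric-connector-aws stack parameters.

Added example (not Fortinet or AWS code). Validates the values from step A.2
and renders them in the ParameterKey/ParameterValue form that the
CloudFormation CreateStack API and the AWS CLI accept.
"""
import ipaddress
import json

# c5n sizes, smallest first. Assumption: the template expects this family.
C5N_SIZES = ["large", "xlarge", "2xlarge", "4xlarge", "9xlarge", "18xlarge"]


def check_parameters(params):
    """Return (errors, warnings) for a dict of stack parameter values."""
    errors, warnings = [], []

    def net(key):
        try:
            return ipaddress.ip_network(params[key], strict=True)
        except (KeyError, ValueError) as exc:
            errors.append(f"{key}: not a valid CIDR block ({exc})")
            return None

    hub_vpc = net("CloudHubVPCCIDR")
    hub_pub = net("CloudHubPublicSubnetCIDR")
    spoke_priv = net("SpokePrivateSubnetCIDR")
    access = net("CIDRForWorkLoadInstanceAccess")

    if hub_vpc and hub_pub and not hub_pub.subnet_of(hub_vpc):
        errors.append("CloudHubPublicSubnetCIDR must lie inside CloudHubVPCCIDR")
    if hub_vpc and spoke_priv and hub_vpc.overlaps(spoke_priv):
        errors.append("SpokePrivateSubnetCIDR overlaps CloudHubVPCCIDR; "
                      "transit gateway routing needs disjoint ranges")
    if access and access.prefixlen == 0:
        warnings.append("CIDRForWorkLoadInstanceAccess is 0.0.0.0/0: any address "
                        "on the Internet may reach the workload; restrict it to "
                        "your own public range outside of a short test")

    family, _, size = params.get("FortigateInstanceType", "").partition(".")
    if family != "c5n" or size not in C5N_SIZES:
        errors.append("FortigateInstanceType must be c5n.large or larger")

    if not params.get("KeyName"):
        errors.append("KeyName: an existing EC2 key pair name is required")
    return errors, warnings


def to_cfn_parameters(params):
    """Render the dict as the list CloudFormation's CreateStack expects."""
    return [{"ParameterKey": k, "ParameterValue": v}
            for k, v in sorted(params.items())]


# The values used in this post (constructed from step A.2).
POST_PARAMS = {
    "CIDRForWorkLoadInstanceAccess": "0.0.0.0/0",
    "CloudHubPublicSubnetCIDR": "10.0.0.0/24",
    "CloudHubVPCCIDR": "10.0.0.0/16",
    "FortigateInstanceType": "c5n.large",
    "KeyName": "my-keypair",          # hypothetical key pair name
    "SpokePrivateSubnetCIDR": "10.1.0.0/24",
    "WorkLoadInstanceType": "t2.small",
}

if __name__ == "__main__":
    errs, warns = check_parameters(POST_PARAMS)
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
    if not errs:
        print(json.dumps(to_cfn_parameters(POST_PARAMS), indent=2))
```

Run it against the values you intend to enter; the JSON it prints can be passed to `aws cloudformation create-stack --parameters file://params.json` together with the template URL from step A.1 if you prefer the CLI to the console.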
Step 3: Finalize and create stack
On the Configure stack options page, leave the default values and select Next. Alternatively, if a tagging policy is in place in your AWS environment, add your tags or choose a different IAM role for the stack, then select Next.
Step 4: Launch the CloudFormation stack
To create FortiGate, launch the stack by doing the following:
- Review the stack settings.
- Make sure the option I acknowledge that AWS CloudFormation might create IAM resources is checked.
- Select Create stack.
B. Verify the stack, security policies, Fabric Connector, and route table propagation
Step 1: Verify successful stack creation
The console will take you to the fortinet-fabric-connector-aws CloudFormation execution status page. This page shows your new stack’s status as CREATE_IN_PROGRESS. Refer to the following screenshot.
Wait for the AWS CloudFormation stack to finish. When it’s done, review the resources that were created. In the following screenshot, SpokeTransitGatwayAttachment, InstanceProfile, and TranistGatewayRouteTable show the status CREATE_COMPLETE, while SpokeTRansitGatewayRoue, SpokePrivateRoute, and SpokeTransitGatewayRoute are still in progress.
Step 2: Get the Elastic public IP address and Instance ID address
- Log in to the Amazon EC2 service console.
- In the left sidebar, choose Instances.
- Select the checkbox next to the FortiGate instance you just created. In the bottom pane, locate the Elastic IP address and the Instance ID. Copy both: you need the Elastic (public) IP address to reach the FortiGate console and the Instance ID as its initial admin password.
Step 3: Verify Fabric Connector and security policies have been automatically set up
- In a web browser, log in to the FortiGate console at the Elastic IP address from step B.2. Enter admin as the username and the Instance ID from step B.2 as the password (the default for FortiGate-VM on AWS). Change this password before going any further; the console is reachable on a public address.
- In the left sidebar, select Fabric Connectors and verify that AWS Connector is toggled to green.
- In the left sidebar under Policy & Objects, select IPv4 Policy.
- In the right pane, verify your policies. With my CloudFormation stack, in the NAT column, ssh-workload-policy and vpc-internet_access are enabled and vpc-loopback_access is disabled. The vpc-loopback_access policy does not support NAT, so you can safely ignore its state. Refer to the following screenshot.
Step 4: Verify your IAM allows Fabric Connector to pull information from AWS
- Log in to the AWS Identity and Access Management console.
- In the left sidebar, select Roles.
- In the Search box under the Create Role button, enter fortinet-fabric-connector-aws-InstanceRole.
- Verify the role fortinet-fabric-connector-aws-InstanceRole-XXXXXXX exists on the screen.
Step 5: Verify the route table is propagating routes
- Log in to the Amazon VPC console.
- In the left sidebar, select Transit Gateway Route Table.
- Select the FromHub transit gateway route table.
- Select the Propagations sub-tab.
- Verify the routes exist and are propagated to the spoke and hub VPCs. If they are, you should see at least one entry with Attachment ID, depending on your route table.
Repeat these steps for the ToHub transit gateway route table.
Congratulations! You have successfully launched and configured FortiGate using AWS CloudFormation and verified your setup. After setup, it’s a good idea to run a test to verify that intrusion prevention is working as desired.
C. Test by simulating an attack
Step 1: Prepare a test file
To test that the solution is working against a possible malicious file download, I am using the test file from the European Institute for Computer Antivirus Research (EICAR). Here’s how to download that sample file:
- SSH into the workload located in the Spoke VPC via FortiGate’s public IP address, found in step B.2.
- Download the EICAR test file using the following command:
- When the download completes, you see ‘eicar.com’ saved in the output.
Step 2: Create a new IPS profile to detect the test file
To test whether FortiGate detects and blocks the test file, you must first create an Intrusion Prevention System (IPS) sensor. A sensor is made up of filters and override rules that select the signatures used to detect attacks. This requires changing the default policies. To do this:
- In a web browser, log in to the FortiGate console using the admin credentials specified in step B.3.
- In the left sidebar under Security Profiles, choose Intrusion Prevention.
- Choose Create New.
- Enter a name for the sensor. I use EICARDemo.
- For Scan Outgoing Connections to Botnet Sites, select Disable.
Step 3: Create a filter for the new sensor
To test whether FortiGate detects and blocks the previously downloaded test file, you must add a filter that selects the signatures to apply. To create a filter that detects and blocks files based on defined criteria, do the following:
- In the FortiGate console, after completing step C.2, add a new entry to the sensor and choose Type: Filter.
- Verify that the Target: Server, Severity, and OS: Linux criteria are present. If not, search for them and choose Add to enable them.
- Verify your new IPS sensor is correct. The Name should be EICARDemo, Details should list TGT, SEV, and OS, and Scan Outgoing Connections to Botnet Sites should be disabled.
- Select OK.
Step 4: Add the IPS Security Profile to the outgoing security policy
IPS security profiles tell the FortiGate unit what to look for in the traffic passing through it, and whether to block that traffic or only monitor it. A security profile is a group of options and filters that you can apply to one or more firewall policies. Adding the profile to the outgoing policy enables inspection of outbound traffic against the defined criteria.
- In the FortiGate console left sidebar under Policy & Objects, choose IPv4 Policy.
- Open the existing vpc-internet_access policy (created by the stack; see step B.3) and set the following values:
- Name: vpc-internet_access
- Incoming Interface: transit-gw
- Outgoing Interface: port1
- Source: all
- Destination: all
- Schedule: always
- Service: ALL
- Action: ACCEPT
- Inspection Mode: Flow-based
- NAT: On
- IP Pool Configuration: Use Outgoing Interface Address
- Preserve Source Port: leave at its default
- Protocol Options: default
- AntiVirus: Off
- Web Filter: Off
- DNS Filter: Off
- IPS: On (Select EICARDemo)
- SSL Inspection: certificate-inspection
- Log Allowed Traffic: On – All Sessions
- Generate Logs when Session Starts: Off
- Capture Packets: Off
- Select OK.
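Clicking through the policy editor is fine for a demo, but a practitioner will want to confirm afterwards that every policy which sends traffic out of port1 actually carries the IPS sensor, flow inspection and full session logging, and that nobody has since added an egress policy without them. The script below is an added example written for this post, not Fortinet code. It reads the policy table that the FortiOS REST API returns from GET /api/v2/cmdb/firewall/policy (authenticated with a REST API administrator token) and reports every accept policy leaving via port1 whose settings differ from those in step C.4. The host name, the token and the sample policy table are constructed for illustration; the temp-egress policy in the sample is invented to show what a finding looks like.

```python
"""Audit FortiGate egress policies against the settings from step C.4.

Added example for this post, not Fortinet code. check_policies() works on the
JSON "results" list that GET /api/v2/cmdb/firewall/policy returns;
fetch_policies() retrieves it from a live unit with an API token.
"""
import json
import ssl
import urllib.request

# What every policy that leaves through port1 should carry after step C.4.
EXPECTED = {
    "utm-status": "enable",
    "ips-sensor": "EICARDemo",
    "inspection-mode": "flow",
    "ssl-ssh-profile": "certificate-inspection",
    "logtraffic": "all",
    "nat": "enable",
}


def fetch_policies(host, token, verify_tls=True):
    """GET the policy table. Use verify_tls=False only while the unit still
    presents its factory self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/firewall/policy",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)["results"]


def check_policies(policies, egress_if="port1", sensor="EICARDemo"):
    """Return {policy name: [findings]} for accept policies whose destination
    interface is egress_if and whose settings differ from EXPECTED."""
    expected = {**EXPECTED, "ips-sensor": sensor}
    findings = {}
    for pol in policies:
        if pol.get("action") != "accept":
            continue
        if egress_if not in [i["name"] for i in pol.get("dstintf", [])]:
            continue                      # not an egress policy; skip
        bad = [f"{key}={pol.get(key) or '<unset>'} (want {want})"
               for key, want in expected.items() if pol.get(key, "") != want]
        if bad:
            findings[pol["name"]] = bad
    return findings


# Constructed sample: the post's egress policy after step C.4, the stack's SSH
# policy (ingress, so it is skipped), and an invented egress policy left
# without any inspection to show what gets flagged.
SAMPLE = [
    {"policyid": 1, "name": "vpc-internet_access", "action": "accept",
     "srcintf": [{"name": "transit-gw"}], "dstintf": [{"name": "port1"}],
     "utm-status": "enable", "ips-sensor": "EICARDemo", "inspection-mode": "flow",
     "ssl-ssh-profile": "certificate-inspection", "logtraffic": "all", "nat": "enable"},
    {"policyid": 2, "name": "ssh-workload-policy", "action": "accept",
     "srcintf": [{"name": "port1"}], "dstintf": [{"name": "transit-gw"}],
     "utm-status": "disable", "ips-sensor": "", "inspection-mode": "flow",
     "ssl-ssh-profile": "no-inspection", "logtraffic": "utm", "nat": "enable"},
    {"policyid": 9, "name": "temp-egress", "action": "accept",
     "srcintf": [{"name": "transit-gw"}], "dstintf": [{"name": "port1"}],
     "utm-status": "disable", "ips-sensor": "", "inspection-mode": "flow",
     "ssl-ssh-profile": "no-inspection", "logtraffic": "utm", "nat": "enable"},
]

if __name__ == "__main__":
    # Replace with fetch_policies("203.0.113.10", "YOUR-API-TOKEN") for a live unit.
    for name, issues in check_policies(SAMPLE).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

An empty result means every egress policy matches step C.4. Run it again after each policy change, or from a scheduled job, so that an un-inspected path to the Internet cannot appear quietly.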
Step 5: Test the policy
To test the policy, try to download the same file from EICAR by repeating step C.1. If FortiGate and the IPS sensor you created in step C.2 are working, the download is blocked: this time you should receive an ERROR 403: Forbidden result, which indicates that FortiGate has blocked the file. Note that the download must use a plain HTTP URL. The certificate-inspection profile selected in step C.4 does not decrypt TLS, so the same file fetched over HTTPS would pass the flow-based IPS sensor unseen.
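The two downloads in steps C.1 and C.5 are really one before/after test, so it helps to script it and classify the outcome rather than eyeballing wget output. The following harness is an added example written for this post, not Fortinet’s. It fetches the EICAR file through the FortiGate, returns "allowed" when the 68-byte test file arrives intact, "blocked" on the HTTP 403 the post describes, and "inconclusive" for anything else, and records the SHA-256 of whatever came back so that a tampered or partial file is not mistaken for a pass. The EICAR_URL is an assumption; use whichever EICAR download URL your organisation permits, and keep it plain HTTP for the reason given above. The test file string is assembled from two halves so that the script itself is not quarantined by endpoint antivirus on the machine you edit it on.

```python
"""Before/after download test for the IPS sensor (steps C.1 and C.5).

Added example for this post, not Fortinet code. run_test() downloads the
EICAR test file through the FortiGate and classifies the result.
"""
import hashlib
import urllib.error
import urllib.request

# The 68-byte EICAR test string, split in two so this file is not flagged
# by endpoint AV; eicar_bytes() reassembles it.
_EICAR_PARTS = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR_URL = "http://www.eicar.org/download/eicar.com"   # assumption; adjust


def eicar_bytes():
    return b"".join(_EICAR_PARTS)


def is_eicar(data):
    """True if data is the EICAR file (the standard allows trailing whitespace)."""
    return data.rstrip(b" \t\r\n") == eicar_bytes()


def http_fetch(url, timeout=15):
    """Return (status, body). HTTP error responses are returned, not raised,
    because the 403 is exactly the outcome we want to see in step C.5."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status, body):
    if status == 403:
        return "blocked"          # the 403 Forbidden the post reports
    if status == 200 and is_eicar(body):
        return "allowed"          # the test file came through untouched
    return "inconclusive"         # server error, altered or truncated content


def run_test(url=EICAR_URL, fetch=http_fetch):
    """fetch is injectable so the classifier can be exercised offline."""
    status, body = fetch(url)
    return {"status": status, "verdict": classify(status, body),
            "sha256": hashlib.sha256(body).hexdigest()}


if __name__ == "__main__":
    result = run_test()
    print(result)
    if result["verdict"] == "allowed":
        print("IPS sensor is NOT attached to the egress policy (or not matching)")
    elif result["verdict"] == "blocked":
        print("IPS sensor blocked the download as expected")
```

Run it from the workload instance before step C.4 (expect "allowed") and again after (expect "blocked"). An "inconclusive" verdict with status 200 means the server returned something other than the test file and says nothing about the firewall; check the URL before drawing conclusions.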
To confirm that the IPS profile you created in step C.2 did indeed block the file, check the logs. To do this:
- In the FortiGate console left sidebar under Log & Report, choose Intrusion Prevention.
- The Date/Time column shows the date and time of the intrusion. An Action of dropped indicates that the attack (the unwelcome file) was blocked.
You have successfully verified that the IPS policy you created has protected you against a malicious download.
In this post, I showed how to use an AWS CloudFormation template to automatically launch FortiGate resources with preset policies and configurations. This automation should streamline the process of deploying FortiGate to your AWS environment. Additionally, I showed a step-by-step walkthrough of how to create a new IPS sensor within FortiGate, add a filter to detect a test file, and test that FortiGate successfully blocked the file. For more detailed information, please refer to the Deployment Guide.
About the Authors
Nam Le, Senior Partner Solutions Architect, AWS Marketplace
Nam Le focuses on security and governance with close to 20 years of experience in consulting, sales, and engineering. He specializes in AWS Control Tower, AWS Service Catalog, AWS Marketplace, and AWS Data Exchange. As an AWS Marketplace Solutions Architect, he also works with AWS partners to build and deliver best-practices solutions to customers. Outside of work, he enjoys biking, car building, travel photography, and spending time with family.
Calvin Nguyen, Technical Marketing Engineer, Fortinet
Calvin Nguyen has been in the technology industry for over five years, with experience in IT, sales, marketing, and engineering. He is an AWS Certified Solutions Architect working on Fortinet solutions on AWS. Outside of his role as a Technical Marketing Engineer, he enjoys practicing martial arts, biking, hiking, and drinking tea.