vFSA on IBM Cloud: Part 2 Configuration

By Andrew Sloma posted Tue April 30, 2024 12:36 PM


In part 1 we discussed the architecture for the new IBM Cloud Virtual Fortigate offering. In this second part we will discuss some basic configuration steps needed to take advantage of the routing and firewall capabilities of the vFSA.

The vFSA is a customer-managed appliance. This means that once the Gateway is provisioned you have full access to the host and to the Global VDOM of the vFSA, which opens up every feature the vFSA provides. I am going to explore several use cases that have specific relevance to the infrastructure IBM Cloud provides.

Order VSIs and Configure the vFSA To Route Them

In this example I want to run 2 VSIs in the same datacenter. Each VSI will be private only and will reside on its own subnet and premium VLAN that I have ordered. The goal is to route and protect traffic to and from both VSIs with the vFSA, and to allow communication between the two VSIs across the two distinct broadcast domains.

Order the VLANs and Devices

Order the Premium VLANs first. Then place an order for a VSI on each of these VLANs.

We will call these VSIs “VSI781” and “VSI794” respectively going forward.

Configure the Interfaces

Since the VSIs are private only, we should configure sub-interfaces on agg2, as this is the interface connected to the private network. I will create a sub-interface for each VLAN subnet in the root VDOM. Specify the interface IP address and mask for the subnet, and which protocols are allowed to access the interface (allowaccess). We will test ping and ssh to make sure traffic is being routed properly, so make sure to include those protocols. Specify the parent interface and the VLAN ID. Do this for each VLAN.

config system interface
    edit "VLAN_781"
        set vdom "root"
        set ip 10.9.16.65 255.255.255.192
        set allowaccess ping https ssh http
        set device-identification enable
        set role lan
        set mtu-override enable
        set interface "agg2"
        set vlanid 781
    next
    edit "VLAN_794"
        set vdom "root"
        set ip 10.9.23.65 255.255.255.192
        set allowaccess ping https ssh http
        set device-identification enable
        set role lan
        set mtu-override enable
        set interface "agg2"
        set vlanid 794
    next
end

Configure the Firewall Policies

Create policies to allow both ingress and egress traffic between the two sub-interfaces, and between each sub-interface and the private transit network (agg0). Note that by default the vFSA firewall policy allows all traffic on the private network, so no additional policies are needed for ingress and egress on agg0 other than those involving the new interfaces we just created.

config firewall policy
    edit 4
        set srcintf "VLAN_781"
        set dstintf "VLAN_794"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set srcintf "VLAN_794"
        set dstintf "VLAN_781"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 6
        set srcintf "agg0"
        set dstintf "VLAN_781"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set srcintf "VLAN_781"
        set dstintf "agg0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 8
        set srcintf "agg0"
        set dstintf "VLAN_794"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 9
        set srcintf "VLAN_794"
        set dstintf "agg0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Try out Ping and SSH Between VSIs

Now that we have configured the vFSA to allow network traffic between these 2 VLANs, let’s run some tests. Most accounts are VRF enabled for Classic. Therefore, all private VLANs within the account have network addressability to all other private VLANs, so out of the box these 2 VSIs can already ping each other.

However, to protect these VSIs we must route the 2 VLANs through the vFSA Gateway.

Now we have modified the network underlay so that all traffic destined for the subnets on these 2 VLANs is routed through the vFSA instead of the default backend customer routers (BCR). At this point both VSIs should still be able to ping each other, and basic routing is now configured!

It’s important to note that if we had not configured the vFSA to route traffic on these VLANs in the earlier steps, these VSIs would not be reachable after this route-through action. So configure the vFSA first, then route the VLANs through it.

Use the Firewall Policies to block Ping Between VSIs

Let’s run some basic configuration to take advantage of the firewall policy built into the vFSA. We will set up a very simple policy to block ping requests from “VSI781” to “VSI794”. We can take advantage of the pre-defined firewall service named “PING” when we build the policy. Later we will create a custom firewall service for a specific policy.

config firewall policy
    edit 10
        set name "Block-PING-781-TO-794"
        set srcintf "VLAN_781"
        set dstintf "VLAN_794"
        set srcaddr "VLAN_781 address"
        set dstaddr "VLAN_794 address"
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end

The policy is now created (since no action is set, it takes the FortiOS default action, deny), but it sits below the base accept policy we created for these interfaces in the prior exercise. FortiOS evaluates policies top-down and the first match wins, so the block policy will not be applied yet.

Use the GUI to drag the policy to a higher priority or use the CLI to reorder the policy. For example:

config firewall policy
    move 10 before 4
end
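The ordering pitfall above (and the same requirement for the HTTP block policy later in this post) can be checked before a policy is pushed. The following is an added example, not code from the post or from Fortinet: it parses a `config firewall policy` block from a constructed sample, flags deny policies that an earlier accept-all policy on the same interface pair would shadow, and emulates the `move 10 before 4` reorder to show the finding clear.

```python
import re
# Constructed sample, trimmed to the fields the check uses: policies 4 and 10 before the move.
SAMPLE = """config firewall policy
    edit 4
        set srcintf "VLAN_781"
        set dstintf "VLAN_794"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 10
        set srcintf "VLAN_781"
        set dstintf "VLAN_794"
        set service "PING"
    next
end"""

def parse_policies(cli_text):
    """Parse a 'config firewall policy' block into an ordered list of dicts."""
    policies, cur = [], None
    for line in map(str.strip, cli_text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = {"id": int(m[1]), "action": "deny"}  # FortiOS default action is deny
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            cur[key] = val.strip('"')
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
    return policies

def move_before(policies, pid, before_id):
    """Emulate the CLI 'move <pid> before <before_id>' reorder."""
    moved = [p for p in policies if p["id"] != pid]
    idx = next(i for i, p in enumerate(moved) if p["id"] == before_id)
    moved.insert(idx, next(p for p in policies if p["id"] == pid))
    return moved

def shadows(q, p):
    """True if accept-all policy q, listed above p, already matches everything p would."""
    return (q["action"] == "accept" and q["srcintf"] == p["srcintf"]
            and q["dstintf"] == p["dstintf"] and q["srcaddr"] == q["dstaddr"] == "all"
            and q["service"] == "ALL")

def shadowed_denies(policies):
    """Return (deny_id, accept_id) pairs; FortiOS evaluates top-down, first match wins."""
    return [(p["id"], q["id"]) for i, p in enumerate(policies)
            if p["action"] == "deny" for q in policies[:i] if shadows(q, p)]
```

Running `shadowed_denies(parse_policies(SAMPLE))` reports `(10, 4)`; after `move_before(..., 10, 4)` the list is empty.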

As we can see “VSI781” is blocked from pinging “VSI794” but we can still ping back to “VSI781” from “VSI794”.

Use the Firewall Policies to block HTTP Between VSIs

Let’s set up a slightly more custom firewall policy. I have created a simple Python HTTP web application running on port 9004 on “VSI781”. As the output shows, “VSI794” is able to execute a curl GET and receive a response.

Now let’s create a custom firewall service for this web application.

config firewall service custom
    edit "HTTP-9004"
        set protocol TCP
        set tcp-portrange 9004-9004
    next
end

We will use this service to create a firewall policy that blocks HTTP requests on port 9004 from the “VSI794” source interface to the “VSI781” destination interface. As before, no action is set, so the policy denies. Make sure this policy sits above the base accept policy for this interface pair in the policy table, otherwise the accept policy matches first.

config firewall policy
    edit 11
        set name "Block-HTTP"
        set srcintf "VLAN_794"
        set dstintf "VLAN_781"
        set srcaddr "VLAN_794 address"
        set dstaddr "VLAN_781 address"
        set schedule "always"
        set service "HTTP-9004"
        set logtraffic all
    next
end

As we can see, the request timed out because the firewall policy blocked it.

Viewing the Traffic Logs

We can see the enforcement of all these policies from the vFSA web management console by opening Policy & Objects > Firewall Policy and enabling logging for each of the policies. Here is an example showing the “Log” setting set to “ALL”:

We can then navigate to Log & Report > Forward Traffic and see all the accepted and denied traffic on these policies. We can see the allowed HTTP requests before the policy and denied requests after applying the HTTP and ICMP policies.
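The same verdicts can be checked outside the GUI once the forward-traffic log is exported (for example to syslog). The following is an added example, not code from the post: it parses constructed log lines written in the key=value layout FortiOS uses for traffic records (field names srcintf, dstintf, action, policyid, service as in that format; the host IPs and policy names are made up to match this post) and summarises accepts and denies per policy.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value forward-traffic layout, using the
# post's interfaces and policy ids; host IPs are illustrative only.
LOG_LINES = [
    'type="traffic" subtype="forward" srcip=10.9.16.70 srcintf="VLAN_781" dstip=10.9.23.70 '
    'dstintf="VLAN_794" proto=1 service="PING" action="deny" policyid=10 policyname="Block-PING-781-TO-794"',
    'type="traffic" subtype="forward" srcip=10.9.23.70 srcintf="VLAN_794" dstip=10.9.16.70 '
    'dstintf="VLAN_781" proto=1 service="PING" action="accept" policyid=5',
    'type="traffic" subtype="forward" srcip=10.9.23.70 srcintf="VLAN_794" dstip=10.9.16.70 '
    'dstintf="VLAN_781" dstport=9004 proto=6 service="HTTP-9004" action="deny" policyid=11 policyname="Block-HTTP"',
    'type="traffic" subtype="forward" srcip=10.9.23.70 srcintf="VLAN_794" dstip=10.9.16.70 '
    'dstintf="VLAN_781" dstport=22 proto=6 service="SSH" action="accept" policyid=5',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line):
    """Split one FortiOS-style log line into a dict; quoted values lose their quotes."""
    return {m[1]: m[3] if m[3] is not None else m[2] for m in FIELD.finditer(line)}

def policy_verdicts(lines):
    """Count (policyid, action) pairs, the per-policy view Log & Report > Forward Traffic gives."""
    return Counter((int(e["policyid"]), e["action"]) for e in map(parse_log, lines))

def denied_flows(lines):
    """Return (srcintf, dstintf, service) for every denied forward-traffic record."""
    return [(e["srcintf"], e["dstintf"], e["service"]) for e in map(parse_log, lines)
            if e.get("type") == "traffic" and e.get("action") == "deny"]
```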

Summary

This blog provided basic guidance for VLAN routing and firewall configuration. The Fortinet Fortigate documentation should be the next step for learning how to take advantage of all the advanced features the vFSA has to offer.

Next Step: vFSA on IBM Cloud: Part 3 Operational Administration and Maintenance

Landed in the middle of this series? Start here: vFSA on IBM Cloud: Part 1 Architecture