Overlay fortigate NGFW dual LB example into 3-networks-hub-and-spoke

[fmichaelobrien]

20240517: assigned to Andrew

• stopped (non-VDOM) deployment in obrienlabs.app
• review VDOM hidden status from Martin - https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface-s-hidden-VDOM/ta-p/214783

  Requirements

  Adapt the 40net solution into the TEF (Bartek) https://github.com/40net-cloud/fortinet-gcp-solutions/tree/master/FortiGate https://github.com/fortinet/fortigate-terraform-deploy/tree/main/gcp/7.4 https://github.com/fortinet/fortigate-tutorial-gcp/tree/main/terraform last run from feb https://github.com/fortinet/fortigate-tutorial-gcp/issues/7

see example TEF deployment in #360 and https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/351

see alternate GCP native NGFW / Firewall+ overlay work in https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/396

• Ideally the NGFW work in 396 and 389 are pluggable and work as an option to the existing transitive VMs in the TEF
• see see https://github.com/hashicorp/terraform-provider-google/issues/17030 b/321386368

Architecture

• https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/377

See previous analysis in

• https://github.com/fortinet/fortigate-tutorial-gcp/issues/7
• https://github.com/40net-cloud/fortinet-gcp-solutions/issues/11
• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/873
• https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/854

Design

Take the existing TEF V4 and adapt the Fortinet terraform example LB sandwich HA cluster below Verified https://github.com/fortinet/fortigate-tutorial-gcp/tree/main/terraform Unverified https://github.com/40net-cloud/fortinet-gcp-solutions/tree/master/FortiGate look at the best one from Fortinet https://github.com/fortinet/fortigate-terraform-deploy/tree/main/gcp/7.4

Notes

• see https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/main/foundation-extension/3-networks-extension/README.md
• see https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/gcp-administration-guide/856600

CLI

• https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222
• https://help.fortinet.com/fdb/5-1-13/olh/Content/FortiDB/User%20Guide/using-the-command-line-interface/show/show_system_interface.htm

[fmichaelobrien]

Discussion with Andrew - and a refresher. We are good with VM optimization down to e2-standard-4

As i understand it we need VM08 instances to get 4 nic's - I in my last couple deploys of the FG cluster did not vary with 04 or 02. Marian tested with 02 and as expected you can't customize up the nics - I would assume 08 VMs for now along with their up to $30 cost/day (excluding byol). Usually I keep the VMs off between debug sessions

checking my last deploy https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/446#issuecomment-1912757155 ...

yes

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/project/hub-env/fortigate/fortigate-ap-primary.yaml#L29

  description: Fortigate Primary Instance
  machineType: n2-standard-4

yes, lets go with e2-standard-4 - as long as the VMs come up with all 4 nics - we are good

and my older tutorial run - I was mistaken - vm08 is the image not the vm size

https://github.com/fortinet/fortigate-tutorial-gcp/issues/1#issuecomment-1284803534

4 nicsCreated [https://www.googleapis.com/compute/v1/projects/fortigate-tutorial-gcp-lgz3/zones/europe-west1-b/instances/fgt-vm-euwest1-b].
NAME: fgt-vm-euwest1-b
ZONE: europe-west1-b
MACHINE_TYPE: e2-standard-4
PREEMPTIBLE:
INTERNAL_IP: 172.20.0.2,172.20.1.2,172.20.2.2,172.20.3.2
EXTERNAL_IP: 34.79.46.47

[obriensystems]

currently stopped in obrienlabs.app