The GCE instance ID is the default FortiGate admin password. It is not a secret: anyone with compute.instances.get on the project (or the metadata server from inside the VM) can read it, so change the admin password at first login rather than leaving the default in place.
Instance Id (this value is therefore the initial admin password of this unit, and it is posted here)
8812780880263879211
Configure a static route for the workload subnet (see the `config router static` stanza in the user-data below).
user-data for vm1 (public-IP side). Note: user-data is instance metadata, readable by anyone who can describe the instance, so any secret embedded in it (the API keys below) is exposed as soon as it is set.
# System-wide settings for this HA member; the hostname encodes the GCP zone the
# VM runs in. (A second "system global" stanza further down sets admintimeout.)
config system global
set hostname fgtvm-us-central1-a
end
# Health-check responder for the GCP load balancers: answers HTTP on TCP/8008 with
# the body "OK". Only addresses carrying "allowaccess probe-response" (see the
# interface stanza) actually answer, so this does not expose the unit generally.
config system probe-response
set mode http-probe
set http-probe-value OK
set port 8008
end
# REST API user that Terraform authenticates with (the api-key is sent as a bearer token).
# NOTE(review): the key below is a static credential written in clear text into
# instance user-data and pasted into this issue; treat it as disclosed and regenerate
# it on the unit ("execute api-user generate-key terraform"), then keep the new value
# out of user-data and tickets.
config system api-user
edit terraform
set api-key 6cQSkMghcrvLr7BUfrFVUCT0OVXMgZ
# prof_admin is the built-in full read/write profile; a narrower profile would limit
# what a leaked key can change.
set accprofile "prof_admin"
# An empty trusthost list means the key is accepted from any source address that can
# reach an https-enabled interface (port4 below). Add the Terraform runner's
# address(es) here (edit 1 / set ipv4-trusthost <ip> <mask>) once they are known.
config trusthost
end
next
end
# GCP SDN connector: lets the unit call the GCP API for HA failover actions
# (moving routes/addresses to the new primary). No credentials are set here, so
# presumably the instance's service account is used - confirm its IAM role is scoped
# to the compute resources the failover actually touches. ha-status ties the
# connector to the HA cluster configured below; the project list is added in a
# later stanza.
config system sdn-connector
edit "gcp"
set type gcp
set ha-status enable
next
end
# DNS via the GCE metadata resolver (169.254.169.254, a link-local address served
# by the platform). Plain UDP/53 ("cleartext") is acceptable for that resolver;
# revisit "protocol" if the primary is ever pointed at an off-host resolver.
config system dns
set primary 169.254.169.254
set protocol cleartext
unset secondary
end
# Active-passive HA pair. Heartbeat runs over port3 (unicast to the peer at
# 172.20.2.3); out-of-band management is on port4. Statement order matters here:
# ha-mgmt-status and unicast-hb must be enabled before their sub-settings.
config system ha
set group-name "gcp-group"
set mode a-p
# port3 is the only heartbeat device (priority 50).
set hbdev "port3" 50
# Carry established sessions over to the new primary on failover.
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port4"
set gateway 172.20.3.1
next
end
# override + priority decide the primary: FortiOS prefers the HIGHER device priority,
# so with priority 1 this unit is the preferred primary only if the peer is configured
# lower - compare with vm2's user-data before relying on which side is primary.
set override enable
set priority 1
# GCP VPCs do not carry L2 broadcast/multicast, hence unicast heartbeat.
set unicast-hb enable
set unicast-hb-peerip 172.20.2.3
set unicast-hb-netmask 255.255.255.0
end
# Interfaces. /32 addresses plus secondary IPs follow the GCP HA pattern: the
# external LB frontend (34.66.221.152) and the internal LB frontend (172.20.1.2)
# are bound as secondary addresses so the unit owns them and answers LB health
# probes on them (the LB forwards packets with the frontend IP as destination).
config system interface
# port1: external/untrust. No management services; only the LB frontend secondary
# IP answers health probes.
edit port1
set mode static
set ip 172.20.0.2/32
set secondary-IP enable
config secondaryip
edit 0
set ip 34.66.221.152/32
set allowaccess probe-response
next
end
next
# port2: internal/trust, facing the workload subnet 172.20.1.0/24 (see static routes).
edit port2
set mode static
set allowaccess ping
set ip 172.20.1.3/32
set secondary-IP enable
config secondaryip
edit 0
set ip 172.20.1.2/32
set allowaccess probe-response
next
end
next
# port3: HA heartbeat only.
edit port3
set mode static
set allowaccess ping
set ip 172.20.2.2/32
next
# port4: dedicated HA management. https, ssh and fgfm (FortiManager) are exposed here
# and nothing in this file restricts admin source addresses (trusthost is empty on the
# API users), so reachability of this interface must be confined by the VPC firewall.
edit port4
set mode static
set ip 172.20.3.3/32
set allowaccess ping https ssh fgfm
next
# Loopback that answers LB health probes regardless of the ingress port.
edit "probe"
set vdom "root"
set ip 169.254.255.100 255.255.255.255
set allowaccess probe-response
set type loopback
next
end
# Static routes. "edit 0" lets the unit assign the next free sequence number.
config router static
# Default route out port1 (no dst = 0.0.0.0/0).
edit 0
set device port1
set gateway 172.20.0.1
next
# Workload subnet behind port2.
edit 0
set device port2
set dst 172.20.1.0/24
set gateway 172.20.1.1
next
# Google Cloud health-check source ranges must be reachable via port2 (the internal
# LB side) so probe replies are not sent out the default route and dropped. Keep these
# two prefixes in step with Google's published health-check probe ranges.
edit 0
set device port2
set dst 35.191.0.0/16
set gateway 172.20.1.1
next
edit 0
set device port2
set dst 130.211.0.0/22
set gateway 172.20.1.1
next
end
# SNAT pool holding a single address, the external LB frontend, so outbound traffic
# from the workloads leaves with 34.66.221.152 as its source (the unit owns that
# address as port1's secondary IP). Referenced by the outgoing firewall policy,
# which is not part of this file.
config firewall ippool
edit 0
set comment "GCP load balancer frontend"
set startip 34.66.221.152
set endip 34.66.221.152
next
end
# Second pass over the same SDN connector (see the earlier edit "gcp" stanza): lists
# the projects the connector may query and modify. Both stanzas could be merged into
# one. Two project ids suggest this user-data was reused across two lab projects;
# remove whichever is not the current project, since the connector will presumably
# attempt API calls against every listed project.
config system sdn-connector
edit "gcp"
config gcp-project-list
edit qwiklabs-gcp-01-62abedfb5261
next
edit qwiklabs-gcp-01-d1a9da47981f
next
end
next
end
# Second "system global" stanza (the first sets the hostname). Raises the admin idle
# timeout to 90 minutes; the FortiOS default is far shorter (5 minutes in recent
# releases - confirm for your version), so this widens the window in which an
# unattended GUI/CLI session stays usable. Fine for a lab, not for production.
config sys global
set admintimeout 90
end
# Read-only REST API user. NOTE(review): this api-key is also stored in clear text
# here, and it base64-decodes to the lab project id ("qwiklabs-gcp-01-62abed..."),
# i.e. it is derived from a known value rather than random. Regenerate it
# ("execute api-user generate-key apiadminro") and do not reuse the project id as a
# credential. No trusthost is defined, so the key is accepted from any address that
# can reach an https-enabled interface.
config system api-user
edit "apiadminro"
set api-key cXdpa2xhYnMtZ2NwLTAxLTYyYWJlZG
# Read-only profile limits what a leaked key can do to disclosure of configuration.
set accprofile "super_admin_readonly"
set vdom "root"
next
end
Then add the firewall policy for outgoing traffic (presumably port2 to port1, using the ippool above for SNAT - not shown in this user-data).
Restart the workloads so they pick up the new route.
A canary app for ingress/egress testing of an NGFW (Palo Alto, an IDS, or FortiGate).
Goals: redirect inbound traffic to a frontend VM running in Google Cloud behind FortiGate; secure outbound traffic from Google Cloud to the Internet; secure east-west traffic between VMs running in Google Cloud.
see lab https://www.cloudskillsboost.google/focuses/77469?catalog_rank=%7B%22rank%22%3A1%2C%22num_filters%22%3A0%2C%22has_search%22%3Atrue%7D&parent=catalog&search_id=29858686
"Hub and spoke with VPC peering While the VPC Peering itself is non-transitive (two VPC networks can communicate only if directly peered), it's different if peering is combined with custom route and a routing NVA (network virtual appliance). A custom route created in the hub VPC with next hop set to FortiGate (or ILB fronting a FortiGate cluster) can be exported to all peered VPCs using export custom route property. The route imported to peered spoke VPCs will apply to all traffic leaving the spoke VPC sending it to the FortiGate appliance. Note that the route table is evaluated only once when the packet is leaving its source, it is not re-evaluated once the packet crosses the peering (so it's not affected by a peered subnet route in the hub VPC when on the way to FortiGate). It is important to note that the default route in spoke VPCs would take precedence over the route imported via the peering and thus has to be deleted."