Open obriensystems opened 8 months ago
Starting deployment of https://github.com/fortinet/fortigate-tutorial-gcp via a fork for adjustments/PRs in https://github.com/CloudLandingZone/fortigate-tutorial-gcp; the org is olapp.
michael@cloudshell:~/fortigate-gcloud$ gcloud config set project fortigate-gcloud-olapp
Updated property [core/project].
michael@cloudshell:~/fortigate-gcloud (fortigate-gcloud-olapp)$ mkdir ../fortigate-gcloud-olap
michael@cloudshell:~/fortigate-gcloud (fortigate-gcloud-olapp)$ cd ../fortigate-gcloud-olap/
michael@cloudshell:~/fortigate-gcloud-olap (fortigate-gcloud-olapp)$
Following the last run (Oct 2022) in https://github.com/fortinet/fortigate-tutorial-gcp/issues/1
michael@cloudshell:~/fortigate-gcloud-olap (fortigate-gcloud-olapp)$ git clone https://github.com/fortinet/fortigate-tutorial-gcp.git
switching repos
michael@cloudshell:~$ gcloud config set project fortigate-gcloud-olapp
michael@cloudshell:~ (fortigate-gcloud-olapp)$ cd kcc-olapp/
michael@cloudshell:~/kcc-olapp (fortigate-gcloud-olapp)$ ls
github kpt
michael@cloudshell:~/kcc-olapp (fortigate-gcloud-olapp)$ cd github/
michael@cloudshell:~/kcc-olapp/github (fortigate-gcloud-olapp)$ ls
michael@cloudshell:~/kcc-olapp/github (fortigate-gcloud-olapp)$ git clone https://github.com/CloudLandingZone/fortigate-tutorial-gcp.git
Cloning into 'fortigate-tutorial-gcp'...
remote: Enumerating objects: 147, done.
remote: Counting objects: 100% (147/147), done.
remote: Compressing objects: 100% (112/112), done.
remote: Total 147 (delta 45), reused 131 (delta 33), pack-reused 0
Receiving objects: 100% (147/147), 413.66 KiB | 8.80 MiB/s, done.
Resolving deltas: 100% (45/45), done.
michael@cloudshell:~/kcc-olapp/github (fortigate-gcloud-olapp)$ cd fortigate-tutorial-gcp/
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ mkdir _CloudLandingZone
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ ls
_CloudLandingZone deployment-manager docs gcloud README.md service_account_create.sh terraform
Follow https://github.com/fortinet/fortigate-tutorial-gcp#how-to-deploy and https://github.com/fortinet/fortigate-tutorial-gcp/blob/main/docs/sdn_privileges.md, then https://github.com/fortinet/fortigate-tutorial-gcp/tree/main/gcloud.
Review https://github.com/fortinet/fortigate-tutorial-gcp/blob/main/docs/architecture-reference.md and https://github.com/fortinet/fortigate-tutorial-gcp/pull/2/files.
Get the compute networks quota increased from 5 to 10:
Thank you for submitting Case # (ID:f122f1a15f6c4a5993) to Google Cloud Platform support for the following quota:
Change Networks from 5 to 10
2 min
Your quota request for fortigate-gcloud-olapp has been approved and your project quota has been adjusted according to the following requested limits:
+----------+------------+--------+-----------------+----------------+
| NAME | DIMENSIONS | REGION | REQUESTED LIMIT | APPROVED LIMIT |
+----------+------------+--------+-----------------+----------------+
| NETWORKS | | GLOBAL | 10 | 10 |
+----------+------------+--------+-----------------+----------------+
1 min until it shows in the console.
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ chmod 777 service_account_create.sh
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ GCP_PROJECT_ID=$(gcloud config get-value project)
Your active configuration is: [cloudshell-31235]
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ echo $GCP_PROJECT_ID
fortigate-gcloud-olapp
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ ./service_account_create.sh
Your active configuration is: [cloudshell-31235]
Creating FortigateSdnReader role in project fortigate-gcloud-olapp...
WARNING: API is not enabled for permissions: [compute.zones.list, compute.instances.list, container.clusters.list, container.nodes.list, container.pods.list, container.services.list]. Please enable the corresponding APIs to use those permissions.
Created role [FortigateSdnReader].
etag: BwYSAqrzDCA=
includedPermissions:
- compute.instances.list
- compute.zones.list
- container.clusters.list
- container.nodes.list
- container.pods.list
- container.services.list
name: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
stage: ALPHA
title: FortiGate SDN Connector Role (read-only)
Creating new service account (FortiGate SDN Connector)...
Created service account [fortigatesdn-ro].
Granting fortigatesdn-ro service account access to project fortigate-gcloud-olapp...
Updated IAM policy for project [fortigate-gcloud-olapp].
bindings:
- members:
- serviceAccount:fortigatesdn-ro@fortigate-gcloud-olapp.iam.gserviceaccount.com
role: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
- members:
- user:michael@obrienlabs.app
role: roles/owner
etag: BwYSAqstk54=
version: 1
serviceAccount:fortigatesdn-ro@fortigate-gcloud-olapp.iam.gserviceaccount.com
Service account created successfully
Manually enable the services - add to PR:
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ gcloud services enable compute.googleapis.com
Operation "operations/acf.p2-57004541128-d5343e8d-567e-4527-bbf3-33368792b0b0" finished successfully.
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ gcloud services enable container.googleapis.com
Operation "operations/acf.p2-57004541128-206df470-c061-47b8-8942-ed985ada2a74" finished successfully.
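An idempotent version of the service-account setup, added here as an example (it is not code from fortinet/fortigate-tutorial-gcp). It enables the compute and container APIs before creating the role, so the "API is not enabled for permissions" warning above does not occur, and it checks for the role and service account before creating them, so a re-run (tutorial-create.sh calls the same steps again in its step III below and hits "already exists" conflicts) is harmless. The role name, service account id, title and permission list are the ones printed above; the `GCLOUD` override (so the logic can be exercised against a stub) and the `FGT_APPLY` guard are this example's own conventions.

```sh
#!/bin/sh
# Added example, not code from fortinet/fortigate-tutorial-gcp: an idempotent
# version of the service_account_create.sh steps. APIs are enabled before the
# role is created (so the "API is not enabled for permissions" warning does
# not occur) and the role / service account are only created when missing
# (so a re-run does not fail with "already exists"). Role name, SA id, title
# and permission list are those printed in the log above. GCLOUD (override
# with a stub for dry runs) and FGT_APPLY (set to 1 to talk to GCP) are this
# example's own conventions.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
ROLE_ID="FortigateSdnReader"
ROLE_TITLE="FortiGate SDN Connector Role (read-only)"
SA_ID="fortigatesdn-ro"
PERMISSIONS="compute.zones.list,compute.instances.list,container.clusters.list,container.nodes.list,container.pods.list,container.services.list"

# Derive the APIs a permission list depends on from each permission's service
# prefix (compute.* -> compute.googleapis.com, ...). Anything unmapped is an
# error rather than a silent skip. Prints one API per line, first-seen order.
apis_for_permissions() {
  perms=$(printf '%s' "$1" | tr ',' ' ')
  needed=""
  for perm in $perms; do
    case "${perm%%.*}" in
      compute)   api="compute.googleapis.com" ;;
      container) api="container.googleapis.com" ;;
      *) echo "no API mapping for permission: $perm" >&2; return 1 ;;
    esac
    case " $needed " in
      *" $api "*) ;;                  # already listed
      *) needed="$needed $api" ;;
    esac
  done
  printf '%s\n' $needed
}

role_exists() {
  "$GCLOUD" iam roles describe "$ROLE_ID" --project "$PROJECT" >/dev/null 2>&1
}

sa_exists() {
  "$GCLOUD" iam service-accounts describe "$sa_email" --project "$PROJECT" >/dev/null 2>&1
}

# $1: project id. Prints the service account e-mail when done.
ensure_sdn_connector() {
  PROJECT="$1"
  sa_email="$SA_ID@$PROJECT.iam.gserviceaccount.com"

  # 1. APIs first, so every permission in the role is valid at creation time.
  needed_apis=$(apis_for_permissions "$PERMISSIONS")
  for api in $needed_apis; do
    "$GCLOUD" services enable "$api" --project "$PROJECT"
  done

  # 2. Custom read-only role: update in place if present (keeps the permission
  #    list authoritative), create otherwise.
  if role_exists; then
    "$GCLOUD" iam roles update "$ROLE_ID" --project "$PROJECT" \
      --permissions "$PERMISSIONS" --quiet >/dev/null
  else
    "$GCLOUD" iam roles create "$ROLE_ID" --project "$PROJECT" \
      --title "$ROLE_TITLE" --permissions "$PERMISSIONS" --stage GA --quiet >/dev/null
  fi

  # 3. Service account, created only when missing.
  if ! sa_exists; then
    "$GCLOUD" iam service-accounts create "$SA_ID" --project "$PROJECT" \
      --display-name "FortiGate SDN Connector" >/dev/null
  fi

  # 4. Project binding to the custom role only (no primitive roles).
  #    add-iam-policy-binding is idempotent; its full policy dump is discarded.
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:$sa_email" \
    --role "projects/$PROJECT/roles/$ROLE_ID" --condition=None >/dev/null
  echo "$sa_email"
}

# Only touch GCP when asked; otherwise the functions are just defined.
if [ "${FGT_APPLY:-}" = "1" ]; then
  ensure_sdn_connector "$(gcloud config get-value project)"
fi
```

Run it with `FGT_APPLY=1 ./ensure-sdn-connector.sh` after a `chmod u+x` (a script you execute yourself does not need the world-writable 777 used above). Only the role and the service account need existence checks; `add-iam-policy-binding` is already idempotent, and `--condition=None` keeps it from prompting. The tutorial script's final policy dump prints every binding in the project, which is why the example discards that output.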
License setup - register the licenses first for BYOL
todo
https://support.fortinet.com/asset/#/views/products/detail;from=%252Fviews%252Fproducts
copy and rename
michael@cloudshell:~ (fortigate-gcloud-olapp)$ cp ~/FGVM8VTM24000185.lic kcc-olapp/github/fortigate-tutorial-gcp/gcloud/
michael@cloudshell:~ (fortigate-gcloud-olapp)$ cp ~/FGVM8VTM24000186.lic kcc-olapp/github/fortigate-tutorial-gcp/gcloud/
tutorial-vars.sh changes
# keep
CIDR_EXT=172.20.0.0/24 # untrusted network
CIDR_INT=172.20.1.0/24 # trusted network
CIDR_HASYNC=172.20.2.0/24 # FortiGate heartbeat network
CIDR_MGMT=172.20.3.0/24 # FortiGate management network (note, this can be merged with heartbeat for firmware 7.0+)
CIDR_WRKLD_TIER1=10.0.0.0/16 # sample workload frontend network
CIDR_WRKLD_TIER2=10.1.0.0/16 # sample workload backend network
WRKLD_PROXY_IP=10.0.0.5
WRKLD_WEB_IP=10.1.0.5
# modify
#REGION=europe-west1
#ZONE1=europe-west1-b
#ZONE2=europe-west1-c
REGION=northamerica-northeast1
ZONE1=northamerica-northeast1-b
ZONE2=northamerica-northeast1-c
tutorial-create.sh adjustments
The tutorial line
--image-family=fortigate-70-byol \
should match the image used in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/setters.yaml#L53C66-L53C113 (but with byol in place of payg):
fgt-primary-image: projects/fortigcp-project-001/global/images/fortinet-fgtondemand-724-20230201-001-w-license
Changed to
--image-family=fortigate-74-byol \
See https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/736375/about-fortigate-vm-for-gcp and https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/385467/finding-public-fortigate-images
run
michael@cloudshell:~ (fortigate-gcloud-olapp)$ FGT_IMG=$(gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)" | sort -r | head -1)
michael@cloudshell:~ (fortigate-gcloud-olapp)$ echo $FGT_IMG
https://www.googleapis.com/compute/v1/projects/fortigcp-project-001/global/images/fortinet-fgt-arm64-743-20240208-001-w-license
better
michael@cloudshell:~ (fortigate-gcloud-olapp)$ gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt-74 AND status:READY"
NAME: fortinet-fgt-740-20230512-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED:
STATUS: READY
NAME: fortinet-fgt-741-20230905-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED:
STATUS: READY
NAME: fortinet-fgt-742-20231227-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED:
STATUS: READY
NAME: fortinet-fgt-743-20240208-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED:
STATUS: READY
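The first one-liner above (`sort -r | head -1`) returned fortinet-fgt-arm64-743-20240208-001-w-license because "arm64" sorts after the version digits, and an ARM64 image will not run on the e2-standard-4 (x86_64) machine type the instances below use. The following is an added example, not code from the tutorial, showing the naive pick next to a selection that drops the arm64 builds and orders by version, build date and build number. The sample list is the listing above plus the arm64 name; the `image_self_link` helper and the assumption that arm64 builds live in their own image family (the name-filtered listing above does not show families for them) are this example's own.

```sh
#!/bin/sh
# Added example (not from fortinet/fortigate-tutorial-gcp): choose the newest
# x86 FortiGate image without being tripped up by the arm64 builds.
set -eu

# Real input for newest_x86_image (not run here), one image name per line:
#   gcloud compute images list --project fortigcp-project-001 \
#     --filter="name ~ ^fortinet-fgt- AND status:READY" --format="value(name)"
# Sample: the names listed in this issue plus the arm64 build the one-liner picked.
SAMPLE_IMAGES='fortinet-fgt-740-20230512-001-w-license
fortinet-fgt-741-20230905-001-w-license
fortinet-fgt-743-20240208-001-w-license
fortinet-fgt-arm64-743-20240208-001-w-license
fortinet-fgt-742-20231227-001-w-license'

# What "sort -r | head -1" does: lexical reverse sort, first line.
# Letters sort after digits, so the arm64 name wins.
naive_pick() {
  printf '%s\n' "$1" | sort -r | head -n 1
}

# Keep only fortinet-fgt-<version>-<yyyymmdd>-<build>-... names, i.e. drop any
# whose third dash-separated field is not numeric (that is where "arm64" sits),
# then order numerically by version, build date and build number; last wins.
# Prints nothing if no x86 image is in the list.
newest_x86_image() {
  printf '%s\n' "$1" \
    | awk -F- '$1 == "fortinet" && $2 == "fgt" && $3 ~ /^[0-9]+$/' \
    | sort -t- -k3,3n -k4,4n -k5,5n \
    | tail -n 1
}

# Self link form that can replace --image-family/--image-project in the script.
image_self_link() {
  printf 'https://www.googleapis.com/compute/v1/projects/fortigcp-project-001/global/images/%s\n' "$1"
}

echo "naive: $(naive_pick "$SAMPLE_IMAGES")"
echo "fixed: $(newest_x86_image "$SAMPLE_IMAGES")"
echo "link:  $(image_self_link "$(newest_x86_image "$SAMPLE_IMAGES")")"
```

The simplest correct alternative is to keep `--image-family=fortigate-74-byol --image-project=fortigcp-project-001` and let GCE resolve the newest non-deprecated image of the family (`gcloud compute images describe-from-family fortigate-74-byol --project fortigcp-project-001` shows what that resolves to). Whichever way the image is chosen, `gcloud compute images describe NAME --project fortigcp-project-001 --format="value(architecture)"` should report X86_64 before it is paired with an e2 machine type.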
07:45 run - ETA 45 min
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$ ./tutorial-create.sh
################################################################################
#
# I. VPCs and subnets
# --------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/ext-vpc-global].
NAME: ext-vpc-global
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network ext-vpc-global --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network ext-vpc-global --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1].
NAME: int-vpc-nanortheast1
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network int-vpc-nanortheast1 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network int-vpc-nanortheast1 --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/fgt-hasync-vpc].
NAME: fgt-hasync-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-hasync-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-hasync-vpc --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/fgt-mgmt-vpc].
NAME: fgt-mgmt-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-mgmt-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-mgmt-vpc --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/ext-sb-nanortheast1].
NAME: ext-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: ext-vpc-global
RANGE: 172.20.0.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/int-sb-nanortheast1].
NAME: int-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: int-vpc-nanortheast1
RANGE: 172.20.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/fgt-hasync-sb-nanortheast1].
NAME: fgt-hasync-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: fgt-hasync-vpc
RANGE: 172.20.2.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/fgt-mgmt-sb-nanortheast1].
NAME: fgt-mgmt-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: fgt-mgmt-vpc
RANGE: 172.20.3.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Creating firewall...working.
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/ext-to-fgt-fw-allowall].
Creating firewall...done.
NAME: ext-to-fgt-fw-allowall
NETWORK: ext-vpc-global
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY:
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/int-to-fgt-fw-allowall].
Creating firewall...done.
NAME: int-to-fgt-fw-allowall
NETWORK: int-vpc-nanortheast1
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY:
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/fgt-hasync-fw-allowall].
Creating firewall...done.
NAME: fgt-hasync-fw-allowall
NETWORK: fgt-hasync-vpc
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY:
DISABLED: False
Creating firewall...working.
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/fgt-mgmt-fw-allow-admin].
Creating firewall...done.
NAME: fgt-mgmt-fw-allow-admin
NETWORK: fgt-mgmt-vpc
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:22,tcp:443
DENY:
DISABLED: False
Creating router [ext-nat-cr-nanortheast1]...done.
NAME: ext-nat-cr-nanortheast1
REGION: northamerica-northeast1
NETWORK: ext-vpc-global
Creating NAT [ext-nat-nanortheast1] in router [ext-nat-cr-nanortheast1]...working.
Creating NAT [ext-nat-nanortheast1] in router [ext-nat-cr-nanortheast1]...done.
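The listing above shows each rule's ALLOW column (all, or tcp:22,tcp:443 on the management VPC) but not its source ranges, which is what decides whether a rule is exposure or just plumbing. On the untrusted ext-vpc-global an open GCP rule is by design, since the FortiGate is the policy point; on the trusted, HA-sync, management and workload VPCs it is not. The check below is an added example, not part of the tutorial: it audits a firewall-rule listing for "everything from 0.0.0.0/0" and for admin ports reachable from anywhere, with an exemption list for networks where open ingress is intended. The sample rows are constructed for the demo; in particular the 0.0.0.0/0 source ranges are assumptions, not what tutorial-create.sh is known to configure.

```sh
#!/bin/sh
# Added example (not from fortinet/fortigate-tutorial-gcp): audit VPC firewall
# rules for "allow everything from anywhere". The sample rows are CONSTRUCTED;
# the source ranges in them are assumptions, not the tutorial's real values.
set -eu

# Real input for audit_firewall_rules (not run here), one ingress rule per line,
# tab-separated: name, network, source ranges, allowed protocols/ports:
#   gcloud compute firewall-rules list --filter="direction=INGRESS AND disabled=false" \
#     --format="value(name,network.basename(),sourceRanges.list(),allowed[].map().firewall_rule().list())"
SAMPLE_RULES=$(printf '%s\t%s\t%s\t%s\n' \
  ext-to-fgt-fw-allowall  ext-vpc-global       0.0.0.0/0                all \
  int-to-fgt-fw-allowall  int-vpc-nanortheast1 172.20.0.0/16,10.0.0.0/8 all \
  fgt-hasync-fw-allowall  fgt-hasync-vpc       172.20.2.0/24            all \
  fgt-mgmt-fw-allow-admin fgt-mgmt-vpc         0.0.0.0/0                tcp:22,tcp:443 \
  wrkld-fw-tier1-allowall wrkld-tier1          0.0.0.0/0                all)

# $1: rule listing; $2: space-separated networks where open ingress is by design.
# Prints one finding per risky rule: SEVERITY<TAB>name<TAB>network<TAB>reason.
#   CRITICAL  every protocol allowed from 0.0.0.0/0 on a network not exempted
#   INFO      same, but on an exempted (FortiGate-fronted) network
#   WARNING   admin ports (tcp:22 / tcp:443) reachable from 0.0.0.0/0
audit_firewall_rules() {
  printf '%s\n' "$1" | awk -F'\t' -v exempt=" ${2:-} " '
    NF < 4 { next }
    {
      name = $1; net = $2; src = "," $3 ","; allow = "," $4 ","
      open      = index(src, ",0.0.0.0/0,") > 0
      by_design = index(exempt, " " net " ") > 0
      if (open && allow == ",all,")
        printf "%s\t%s\t%s\tall protocols allowed from 0.0.0.0/0\n", (by_design ? "INFO" : "CRITICAL"), name, net
      else if (open && (index(allow, ",tcp:22,") > 0 || index(allow, ",tcp:443,") > 0))
        printf "WARNING\t%s\t%s\tadmin ports reachable from 0.0.0.0/0\n", name, net
    }'
}

# $1: severity, $2: rule listing, $3: exempt networks. Prints the count (0 if none).
count_findings() {
  audit_firewall_rules "$2" "${3:-}" | grep -c "^$1" || true
}

# Demo when run directly: ext-vpc-global is the FortiGate's untrusted side.
audit_firewall_rules "$SAMPLE_RULES" "ext-vpc-global"
```

A WARNING on the management rule is fixed by narrowing it to the admin network, e.g. `gcloud compute firewall-rules update fgt-mgmt-fw-allow-admin --source-ranges=<admin CIDR>`; the FortiGate's own trusted-host settings are a second layer, not a substitute for that.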
################################################################################
#
# II. Reserve static IP addresses
# -------------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-mgmt-eip-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-mgmt-eip-nanortheast1-c].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-int-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-int-nanortheast1-c].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgtilb-ip-int-nanortheast1].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-ext-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-ext-nanortheast1-c].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-hasync-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-hasync-nanortheast1-c].
################################################################################
#
# III. Create FortiGate service account
# -------------------------------------
Your active configuration is: [cloudshell-22774]
ERROR: (gcloud.iam.roles.create) Resource in projects [fortigate-gcloud-olapp] is the subject of a conflict: A role named FortigateSdnReader in projects/fortigate-gcloud-olapp already exists.
ERROR: (gcloud.iam.service-accounts.create) Resource in projects [fortigate-gcloud-olapp] is the subject of a conflict: Service account fortigatesdn-ro already exists within project projects/fortigate-gcloud-olapp.
- '@type': type.googleapis.com/google.rpc.ResourceInfo
resourceName: projects/fortigate-gcloud-olapp/serviceAccounts/fortigatesdn-ro@fortigate-gcloud-olapp.iam.gserviceaccount.com
Updated IAM policy for project [fortigate-gcloud-olapp].
bindings:
- members:
- serviceAccount:fortigatesdn-ro@fortigate-gcloud-olapp.iam.gserviceaccount.com
role: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
- members:
- serviceAccount:service-57004541128@compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
- members:
- serviceAccount:service-57004541128@container-engine-robot.iam.gserviceaccount.com
role: roles/container.serviceAgent
- members:
- serviceAccount:service-57004541128@containerregistry.iam.gserviceaccount.com
role: roles/containerregistry.ServiceAgent
- members:
- serviceAccount:57004541128-compute@developer.gserviceaccount.com
- serviceAccount:57004541128@cloudservices.gserviceaccount.com
role: roles/editor
- members:
- user:michael@obrienlabs.app
role: roles/owner
- members:
- serviceAccount:service-57004541128@gcp-sa-pubsub.iam.gserviceaccount.com
role: roles/pubsub.serviceAgent
etag: BwYSC_rGTW4=
version: 1
################################################################################
#
# IV. Create Fortigate instances
# ------------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/disks/fgt-logdisk-nanortheast1-b].
NAME: fgt-logdisk-nanortheast1-b
ZONE: northamerica-northeast1-b
SIZE_GB: 100
TYPE: pd-ssd
STATUS: READY
New disks are unformatted. You must format and mount a disk before it
can be used. You can find instructions on how to do this at:
https://cloud.google.com/compute/docs/disks/add-persistent-disk#formatting
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/disks/fgt-logdisk-nanortheast1-c].
NAME: fgt-logdisk-nanortheast1-c
ZONE: northamerica-northeast1-c
SIZE_GB: 100
TYPE: pd-ssd
STATUS: READY
New disks are unformatted. You must format and mount a disk before it
can be used. You can find instructions on how to do this at:
https://cloud.google.com/compute/docs/disks/add-persistent-disk#formatting
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instances/fgt-vm-nanortheast1-b].
NAME: fgt-vm-nanortheast1-b
ZONE: northamerica-northeast1-b
MACHINE_TYPE: e2-standard-4
PREEMPTIBLE:
INTERNAL_IP: 172.20.0.2,172.20.1.2,172.20.2.2,172.20.3.2
EXTERNAL_IP: 34.47.2.97
STATUS: RUNNING
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/instances/fgt-vm-nanortheast1-c].
NAME: fgt-vm-nanortheast1-c
ZONE: northamerica-northeast1-c
MACHINE_TYPE: e2-standard-4
PREEMPTIBLE:
INTERNAL_IP: 172.20.0.3,172.20.1.3,172.20.2.3,172.20.3.3
EXTERNAL_IP: 35.234.254.244
STATUS: RUNNING
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instanceGroups/fgt-umig-nanortheast1-b].
NAME: fgt-umig-nanortheast1-b
LOCATION: northamerica-northeast1-b
SCOPE: zone
NETWORK:
MANAGED:
INSTANCES: 0
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/instanceGroups/fgt-umig-nanortheast1-c].
NAME: fgt-umig-nanortheast1-c
LOCATION: northamerica-northeast1-c
SCOPE: zone
NETWORK:
MANAGED:
INSTANCES: 0
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instanceGroups/fgt-umig-nanortheast1-b].
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/instanceGroups/fgt-umig-nanortheast1-c].
Waiting 2 minutes for the VM instance to bootstrap...
###################################################################################
# This script will now attempt to connect to CLI of your newly-deployed FortiGate. #
# Please log in as 'admin' using the instance id printed below as initial password
# and change the password to your own as prompted. When done, please logout using
# 'exit' command to resume the deployment.
#
#
4242014965180213935
Wait 4 minutes a possible manual login/pw-change...
The pw change did not take,
but the script change did, with the instance id and m*s1 as the pw.
The authenticity of host '34.47.2.97 (34.47.2.97)' can't be established.
ECDSA key fingerprint is SHA256:5u10kjcmJkO+j3F6nucdQe6oeszdOw3nG66p3ycMQ+M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '34.47.2.97' (ECDSA) to the list of known hosts.
Please login with username=admin and password=<instance-id>
admin@34.47.2.97's password:
You are forced to change your password. Please input a new password.
According to the password policy enforced on this device, please change your password!
New password must conform to the following policy:
minimum-length=8; must not be same as last two passwords
New Password:
Confirm Password:
fgt-vm-nanortheast1-b # exit
Connection to 34.47.2.97 closed.
ls: cannot access '/home/michael/.ssh/id_rsa.pub': No such file or directory
Generating new SSH key
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michael/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/michael/.ssh/id_rsa
Your public key has been saved in /home/michael/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:YkZtVbFJz5Ys+SXfbC/zXzDiEtcqAoup/H13KzLodM8 michael@cs-606565321060-default
The key's randomart image is:
+---[RSA 3072]----+
| ..+. |
| . . . B . |
| . o = B .|
| . . = =.|
| = S . o = =|
| = + + o +.|
| o o.o o o o o|
| . . o..++oo. +.|
| o...o. +Eo.. +|
+----[SHA256]-----+
Uploading new SSH key to FortiGate. Please log in using your new admin password:
admin@34.47.2.97's password:
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (admin) #
fgt-vm-nanortheast1-b (admin) # SSH key is good.
fgt-vm-nanortheast1-b (admin) #
fgt-vm-nanortheast1-b (admin) #
fgt-vm-nanortheast1-b #
################################################################################
#
# V. Health checks
# ----------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/healthChecks/fgt-hcheck-tcp8008].
NAME: fgt-hcheck-tcp8008
PROTOCOL: HTTP
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (probe-response) #
fgt-vm-nanortheast1-b (probe-response) #
fgt-vm-nanortheast1-b (probe-response) #
fgt-vm-nanortheast1-b (probe-response) #
fgt-vm-nanortheast1-b #
################################################################################
#
# VI. Internal Load Balancer
# ---------------------------
758
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtilb-int-bes-nanortheast1].
NAME: fgtilb-int-bes-nanortheast1
BACKENDS:
PROTOCOL: TCP
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtilb-int-bes-nanortheast1].
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtilb-int-bes-nanortheast1].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/forwardingRules/fgtilb-int-fwd-nanortheast1-tcp].
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (interface) #
fgt-vm-nanortheast1-b (port2) #
fgt-vm-nanortheast1-b (port2) #
fgt-vm-nanortheast1-b (secondaryip) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (secondaryip) #
fgt-vm-nanortheast1-b (port2) #
fgt-vm-nanortheast1-b (interface) #
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (static) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (static) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (static) #
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b #
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/routes/rt-int-nanortheast1-default-via-fgt].
NAME: rt-int-nanortheast1-default-via-fgt
NETWORK: int-vpc-nanortheast1
DEST_RANGE: 0.0.0.0/0
NEXT_HOP: 172.20.1.4
PRIORITY: 1000
################################################################################
#
# VII. Workload spoke VPC networks
# --------------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier1].
NAME: wrkld-tier1
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier1 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier1 --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2].
NAME: wrkld-tier2
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier2 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier2 --allow tcp:22,tcp:3389,icmp
Deleted [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/routes/default-route-feed25d5a1413ec3].
Deleted [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/routes/default-route-de3d97daa81107fd].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/wrkld-sb-tier1-nanortheast1].
NAME: wrkld-sb-tier1-nanortheast1
REGION: northamerica-northeast1
NETWORK: wrkld-tier1
RANGE: 10.0.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/wrkld-sb-tier2-nanortheast1].
NAME: wrkld-sb-tier2-nanortheast1
REGION: northamerica-northeast1
NETWORK: wrkld-tier2
RANGE: 10.1.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Creating firewall...working.
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/wrkld-fw-tier1-allowall].
Creating firewall...done.
NAME: wrkld-fw-tier1-allowall
NETWORK: wrkld-tier1
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY:
DISABLED: False
Creating firewall...working.
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/wrkld-fw-tier2-allowall].
Creating firewall...done.
NAME: wrkld-fw-tier2-allowall
NETWORK: wrkld-tier2
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY:
DISABLED: False
################################################################################
#
# VIII. Peering workloads to trusted VPC network
# ---------------------------------------------
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1].
---
autoCreateSubnetworks: false
creationTimestamp: '2024-02-23T04:45:43.140-08:00'
id: '8223224008170352024'
kind: compute#network
name: int-vpc-nanortheast1
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
peerings:
- autoCreateRoutes: true
exchangeSubnetRoutes: true
exportCustomRoutes: true
exportSubnetRoutesWithPublicIp: true
importCustomRoutes: false
importSubnetRoutesWithPublicIp: false
name: wrkld-peer-hub-to-tier1
network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier1
stackType: IPV4_ONLY
state: INACTIVE
stateDetails: '[2024-02-23T04:59:54.027-08:00]: Waiting for peer network to connect.'
routingConfig:
routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/8223224008170352024
subnetworks:
- https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/int-sb-nanortheast1
---
autoCreateSubnetworks: false
creationTimestamp: '2024-02-23T04:45:43.140-08:00'
id: '8223224008170352024'
kind: compute#network
name: int-vpc-nanortheast1
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
peerings:
- autoCreateRoutes: true
exchangeSubnetRoutes: true
exportCustomRoutes: true
exportSubnetRoutesWithPublicIp: true
importCustomRoutes: false
importSubnetRoutesWithPublicIp: false
name: wrkld-peer-hub-to-tier1
network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier1
stackType: IPV4_ONLY
state: ACTIVE
stateDetails: '[2024-02-23T05:00:00.869-08:00]: Connected.'
- autoCreateRoutes: true
exchangeSubnetRoutes: true
exportCustomRoutes: true
exportSubnetRoutesWithPublicIp: true
importCustomRoutes: false
importSubnetRoutesWithPublicIp: false
name: wrkld-peer-hub-to-tier2
network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2
stackType: IPV4_ONLY
state: INACTIVE
stateDetails: '[2024-02-23T05:00:15.038-08:00]: Waiting for peer network to connect.'
routingConfig:
routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/8223224008170352024
subnetworks:
- https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/int-sb-nanortheast1
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2].
---
autoCreateSubnetworks: false
creationTimestamp: '2024-02-23T04:58:37.022-08:00'
id: '8307187887207950483'
kind: compute#network
name: wrkld-tier2
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
peerings:
- autoCreateRoutes: true
exchangeSubnetRoutes: true
exportCustomRoutes: false
exportSubnetRoutesWithPublicIp: true
importCustomRoutes: true
importSubnetRoutesWithPublicIp: false
name: wrkld-peer-tier2-to-hub
network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1
stackType: IPV4_ONLY
state: ACTIVE
stateDetails: '[2024-02-23T05:00:21.558-08:00]: Connected.'
routingConfig:
routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/8307187887207950483
subnetworks:
- https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/wrkld-sb-tier2-nanortheast1
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (static) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (static) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (static) #
fgt-vm-nanortheast1-b #
################################################################################
#
# IX. External Load Balancer
# ----------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgtelb-serv1-eip-nanortheast1].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtelb-bes-nanortheast1].
NAME: fgtelb-bes-nanortheast1
BACKENDS:
PROTOCOL: UNSPECIFIED
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtelb-bes-nanortheast1].
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtelb-bes-nanortheast1].
Created [https://www.googleapis.com/compute/beta/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/forwardingRules/fgtelb-serv1-fwd-nanortheast1-l3].
fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (interface) #
fgt-vm-nanortheast1-b (port1) #
fgt-vm-nanortheast1-b (port1) #
fgt-vm-nanortheast1-b (secondaryip) # new entry '11' added
fgt-vm-nanortheast1-b (11) #
fgt-vm-nanortheast1-b (11) #
fgt-vm-nanortheast1-b (11) #
fgt-vm-nanortheast1-b (secondaryip) #
fgt-vm-nanortheast1-b (port1) #
fgt-vm-nanortheast1-b (interface) #
fgt-vm-nanortheast1-b #
##############################################
Configuring outbound connections
----------------------------------------------
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (ippool) # new entry 'gcp-elb-serv1' added
fgt-vm-nanortheast1-b (gcp-elb-serv1) #
fgt-vm-nanortheast1-b (gcp-elb-serv1) #
fgt-vm-nanortheast1-b (gcp-elb-serv1) #
fgt-vm-nanortheast1-b (ippool) #
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (policy) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (policy) #
fgt-vm-nanortheast1-b #
###############################################
# Sample workload VMs
#----------------------------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instances/wrkld-tier1-proxy].
NAME: wrkld-tier1-proxy
ZONE: northamerica-northeast1-b
MACHINE_TYPE: e2-small
PREEMPTIBLE:
INTERNAL_IP: 10.0.0.5
EXTERNAL_IP:
STATUS: RUNNING
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instances/wrkld-tier2-web].
NAME: wrkld-tier2-web
ZONE: northamerica-northeast1-b
MACHINE_TYPE: e2-small
PREEMPTIBLE:
INTERNAL_IP: 10.1.0.5
EXTERNAL_IP:
STATUS: RUNNING
#############################################
# Forward Inbound Connections
#--------------------------------------------
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (vip) # new entry 'elb-serv1-to-proxy-tcp80' added
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) #
fgt-vm-nanortheast1-b (vip) #
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (address) # new entry 'tier1' added
fgt-vm-nanortheast1-b (tier1) #
fgt-vm-nanortheast1-b (tier1) #
fgt-vm-nanortheast1-b (tier1) #
fgt-vm-nanortheast1-b (tier1) #
fgt-vm-nanortheast1-b (address) # new entry 'tier2' added
fgt-vm-nanortheast1-b (tier2) #
fgt-vm-nanortheast1-b (tier2) #
fgt-vm-nanortheast1-b (tier2) #
fgt-vm-nanortheast1-b (tier2) #
fgt-vm-nanortheast1-b (address) #
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b #
fgt-vm-nanortheast1-b (policy) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (policy) # new entry '0' added
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (0) #
fgt-vm-nanortheast1-b (policy) #
fgt-vm-nanortheast1-b #
=======================================
# Next step:
# - run tutorial-test.sh to verify everything works
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$
0803
testing
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$ ./tutorial-test.sh
------------------------------------------------------------------------------------
# This script will run a series of tests to verify if your deployment works correctly.
# With each test you will see information about the expected output - verify if it's
# matching what is returned by the test commands.
------------------------------------------------------------------------------------
-----------------------------------------------------------
## TEST: FGT HA clustering and licensing
## Expected output: primary and secondary reported with proper hostnames and non-empty serial numbers
fgt-vm-nanortheast1-b # HA Health Status: OK
fgt-vm-nanortheast1-b, FGVM8VTM24000185, HA cluster index = 1
fgt-vm-nanortheast1-c, FGVM8VTM24000186, HA cluster index = 0
fgt-vm-nanortheast1-b #
-----------------------------------------------------------
## TEST: ELB health
## Expected output: one healthy, one unhealthy backend
{
"ipAddress": "172.20.0.2",
"healthState": "HEALTHY"
}
{
"ipAddress": "172.20.0.3",
"healthState": "UNHEALTHY"
}
-----------------------------------------------------------
## TEST: ILB trusted health
## Expected output: one healthy, one unhealthy backend
{
"ipAddress": "172.20.1.2",
"healthState": "HEALTHY"
}
{
"ipAddress": "172.20.1.3",
"healthState": "UNHEALTHY"
}
-----------------------------------------------------------
## TEST: peering routes for wrkld-tier1
## Expected output: STATIC_PEERING_ROUTE to 0.0.0.0 is listed as accepted
DEST_RANGE: 172.20.1.0/24
TYPE: SUBNET_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 0
STATUS: accepted
DEST_RANGE: 0.0.0.0/0
TYPE: STATIC_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 1000
STATUS: accepted
-----------------------------------------------------------
## TEST: peering routes for wrkld-tier2
## Expected output: STATIC_PEERING_ROUTE to 0.0.0.0 is listed as accepted
DEST_RANGE: 172.20.1.0/24
TYPE: SUBNET_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 0
STATUS: accepted
DEST_RANGE: 0.0.0.0/0
TYPE: STATIC_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 1000
STATUS: accepted
-----------------------------------------------------------
## TEST: website working
## Expected output: HTTP 200 OK headers from nginx server
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 23 Feb 2024 13:06:31 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Fri, 23 Feb 2024 13:02:55 GMT
ETag: "65d8977f-264"
Accept-Ranges: bytes
-----------------------------------------------------------
## TEST: website protected
## Expected output: information about blocked access to EICAR_TEST_FILE virus
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 35076 100 35076 0 0 210k 0 --:--:-- --:--:-- --:--:-- 210k
<h1>High Security Alert</h1>
<p>You are not permitted to download the file "eicar.com" because it is infected with the virus "EICAR_TEST_FILE".</p>
========================================
# Next step:
# - open http://34.95.49.161 to open protected web page
# - open https://34.47.2.97 to explore your FortiGate
# - run tutorial-delete.sh to clean up
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$
diff
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ git status
On branch main
Your branch is up to date with 'origin/main'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: gcloud/tutorial-create.sh
modified: gcloud/tutorial-vars.sh
modified: service_account_create.sh
Untracked files:
(use "git add <file>..." to include in what will be committed)
gcloud/metadata_active.txt
gcloud/metadata_passive.txt
diff --git a/gcloud/tutorial-create.sh b/gcloud/tutorial-create.sh
index bcdc731..a07ab44 100755
--- a/gcloud/tutorial-create.sh
+++ b/gcloud/tutorial-create.sh
@@ -377,6 +377,9 @@ gcloud compute disks create fgt-logdisk-$ZONE2_LABEL --zone=$ZONE2 \
## To find image for specific version use command like below
#gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)"
+#
+# https://www.googleapis.com/compute/v1/projects/fortigcp-project-001/global/images/fortinet-fgt-743-20240208-001-w-license
+
## Create FortiGate 4-nic instances using the image selected above.
## FortiGates will be provisioned with the basic configuration and with BYOL licenses from
## lic1.lic and lic2.lic files
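Review bot: the comment added at the top of this hunk records one specific image selfLink (the fortinet-fgt-743-20240208-001-w-license build) but nothing in the hunk says whether that build is the one the script should use, while the line right below it says instances are created "using the image selected above" and the family-based selection does not pin a build. Say in the comment which selection is intended; if reproducible deployments matter, pass the recorded selfLink with `--image=` rather than leaving it as documentation only.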
@@ -384,7 +387,7 @@ gcloud compute disks create fgt-logdisk-$ZONE2_LABEL --zone=$ZONE2 \
gcloud compute instances create fgt-vm-$ZONE1_LABEL --zone=$ZONE1 \
--machine-type=e2-standard-4 \
--image-project=fortigcp-project-001 \
- --image-family=fortigate-70-byol \
+ --image-family=fortigate-74-byol \
--can-ip-forward \
--network-interface="network=ext-vpc-global,subnet=ext-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-ext-$ZONE1_LABEL" \
--network-interface="network=int-vpc-$REGION_LABEL,subnet=int-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-int-$ZONE1_LABEL" \
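Review bot: switching `--image-family=fortigate-70-byol` to `--image-family=fortigate-74-byol` is a major-version jump for the first FortiGate instance, and a family resolves to the newest image in it at run time, so each run may boot a different 7.4 build. The context lines say the instances are provisioned with BYOL licenses from lic1.lic and lic2.lic and a basic bootstrap configuration; confirm both are valid for 7.4 and record the version change in the commit message.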
@@ -400,7 +403,7 @@ gcloud compute instances create fgt-vm-$ZONE1_LABEL --zone=$ZONE1 \
gcloud compute instances create fgt-vm-$ZONE2_LABEL --zone=$ZONE2 \
--machine-type=e2-standard-4 \
--image-project=fortigcp-project-001 \
- --image-family=fortigate-70-byol \
+ --image-family=fortigate-74-byol \
--can-ip-forward \
--network-interface="network=ext-vpc-global,subnet=ext-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-ext-$ZONE2_LABEL" \
--network-interface="network=int-vpc-$REGION_LABEL,subnet=int-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-int-$ZONE2_LABEL" \
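Review bot: this hunk repeats the `fortigate-70-byol` to `fortigate-74-byol` edit for the second instance; the two `gcloud compute instances create` calls must stay on the same family for the HA pair, so consider one variable in tutorial-vars.sh (for example `FGT_IMAGE_FAMILY`, a hypothetical name) and `--image-family=$FGT_IMAGE_FAMILY` in both calls so they cannot drift apart.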
@@ -453,6 +456,9 @@ echo "# This script will now attempt to connect to CLI of your newly-deployed Fo
## Find out active FortiGate instance id
gcloud compute instances describe fgt-vm-$ZONE1_LABEL --zone=$ZONE1 --format="get(id)"
+echo "Wait 4 minutes a possible manual login/pw-change..."
+sleep 240
+
## Wait a moment, connect to FortiGate and configure admin password
ssh admin@$EIP_MGMT
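Review bot: the fixed `sleep 240` inserted before `ssh admin@$EIP_MGMT` is fragile: it always waits the full four minutes even when the management interface is reachable sooner, and it still fails if the FortiGate takes longer to boot. Prefer polling with an upper bound, e.g. `for i in $(seq 1 48); do nc -z -w 5 "$EIP_MGMT" 22 && break; sleep 5; done` (assumes `nc` is available in the shell running the script), then proceed to the ssh. The echo text also needs fixing: "Wait 4 minutes for a possible manual login/password change...".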
diff --git a/gcloud/tutorial-vars.sh b/gcloud/tutorial-vars.sh
index 63a2c6e..aa79c51 100755
--- a/gcloud/tutorial-vars.sh
+++ b/gcloud/tutorial-vars.sh
@@ -10,11 +10,14 @@ WRKLD_PROXY_IP=10.0.0.5
WRKLD_WEB_IP=10.1.0.5
## Define region and zones for deployment and save into variables for convenience
-REGION=europe-west1
-ZONE1=europe-west1-b
-ZONE2=europe-west1-c
+#REGION=europe-west1
+#ZONE1=europe-west1-b
+#ZONE2=europe-west1-c
+REGION=northamerica-northeast1
+ZONE1=northamerica-northeast1-b
+ZONE2=northamerica-northeast1-c
### Some resource names will be labeled with region or zone name. Let's use their
### shortened names:
REGION_LABEL=$(echo $REGION | tr -d '-' | sed 's/europe/eu/' | sed 's/australia/au/' | sed 's/northamerica/na/' | sed 's/southamerica/sa/' )
ZONE1_LABEL=$REGION_LABEL-${ZONE1: -1}
-ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}
+ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}
\ No newline at end of file
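Review bot: the final `-ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}` / `+ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}` pair is identical in content and only drops the trailing newline, as the `\ No newline at end of file` marker shows; restore the newline so the hunk contains just the region change. The region switch itself is consistent with the rest of the patch: the existing `sed 's/northamerica/na/'` in REGION_LABEL yields the nanortheast1 labels seen in the deployment output.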
diff --git a/service_account_create.sh b/service_account_create.sh
old mode 100644
new mode 100755
index 6b8500c..60fd4f5
--- a/service_account_create.sh
+++ b/service_account_create.sh
@@ -2,6 +2,10 @@
GCP_PROJECT_ID=$(gcloud config get-value project)
+## set services for roles in existing project
+gcloud services enable compute.googleapis.com
+gcloud services enable container.googleapis.com
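Review bot: the hunk enables `container.googleapis.com` alongside `compute.googleapis.com`, but nothing in this script as shown uses GKE, so that line widens the project's enabled API surface for a FortiGate-only deployment; drop it or document in the `## set services` comment why it is needed. Two smaller points: the hunk header announces six context and four added lines but fewer are visible here, so the pasted diff appears truncated, and the `old mode 100644` / `new mode 100755` change in the file header (making the script executable) should be mentioned in the commit message.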
Verify alternate IP address on ELB/ILB - for routing to work.
Check networks | static routes.
Normally we run the 4 packages core-lz, client-setup, client-lz, client-project-setup and then the hub-env package around the following architecture, which stands up 1 VPC for the client and 4 for the hub-env: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Architecture
Client requires a non-managed landing zone consisting of a single VPC containing both the perimeter firewall and the client workloads. This LZ is a one-off LZ per client - unmanaged.
An alternative to peering the client-landing-zone host-project with this hub-env project is in #847. However, peering is unavoidable as the example fortigate deployment needs 2 min for the dual LB version.
Proposed gcloud-only start with base fortinet script - except this one is 3 VPC with 2 for the fortigate cluster (internal LB is in its own subnet) + 1 for the workloads: https://github.com/fortinet/fortigate-tutorial-gcp/blob/main/gcloud/tutorial-create.sh. See https://github.com/fortinet/fortigate-tutorial-gcp/issues/1 and https://github.com/fortinet/fortigate-tutorial-gcp/issues/5.
Current hub-env VPCs are 4:
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/network/vpc.yaml#L15
Check hardcoded management subnet and docs: https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/736375/about-fortigate-vm-for-gcp