fortinet / fortigate-autoscale-aws

AWS Transit Gateway can be used to connect Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. FortiGate Autoscale with Transit Gateway integration extends the protection to all networks connected to the Transit Gateway.
MIT License

Forti-Analyzer issues on template #67

Open ManikantaNandyala opened 3 years ago

ManikantaNandyala commented 3 years ago

Hi Team,

The provided Fortigate AutoScale templates create a new Forti-Analyzer with every deployment.

  1. Instead of creating a new Forti-Analyzer for each repeated use of the Autoscale Fortigate template, we need to map the existing Forti-Analyzer.

  2. Auto-scaled Fortigate firewalls should be authenticated automatically by the Forti-Analyzer, and the Forti-Analyzer by the FortiGate firewall, instead of authenticating manually.

  3. Once authenticated, the FortiGate firewalls should move to the respective ADOM in Forti-Analyzer.

JaydenLiang commented 3 years ago

> Hi Team,
>
> The provided Fortigate AutoScale templates create a new Forti-Analyzer with every deployment.
>
>   1. Instead of creating a new Forti-Analyzer for each repeated use of the Autoscale Fortigate template, we need to map the existing Forti-Analyzer.
>   2. Auto-scaled Fortigate firewalls should be authenticated automatically by the Forti-Analyzer, and the Forti-Analyzer by the FortiGate firewall, instead of authenticating manually.
>   3. Once authenticated, the FortiGate firewalls should move to the respective ADOM in Forti-Analyzer.

We will add support for point 1. I'll create a separate issue for it and please monitor it then.

Please clarify point 2 and 3.

ManikantaNandyala commented 3 years ago

[image: diagram, not reproduced]

Refer to the above image to understand the requirements.

  1. Newly scaled Fortigate firewalls in the Autoscale cluster should be authenticated automatically by the Forti-Analyzer, and vice versa (i.e. by the Fortigate firewall).

  2. After the newly scaled FW is authenticated to the Forti-Analyzer, by default it is placed in the root ADOM of the Forti-Analyzer. The requirement is to move the authenticated firewalls to the respective ADOM in Forti-Analyzer based on the tag or the CIDR range of the FW AutoScale cluster VPC.

Example: refer to the image above.

FW Cluster-1 AutoScale VPC CIDR range 10.1.0.0/24 should be mapped to the Forti-Analyzer ADOM "FW Cluster-1 Adom".

JaydenLiang commented 3 years ago

> [image: diagram, not reproduced]
>
> Refer to the above image to understand the requirements.
>
>   1. Newly scaled Fortigate firewalls in the Autoscale cluster should be authenticated automatically by the Forti-Analyzer, and vice versa (i.e. by the Fortigate firewall).
>   2. After the newly scaled FW is authenticated to the Forti-Analyzer, by default it is placed in the root ADOM of the Forti-Analyzer. The requirement is to move the authenticated firewalls to the respective ADOM in Forti-Analyzer based on the tag or the CIDR range of the FW AutoScale cluster VPC.
>
> Example: refer to the image above.
>
> FW Cluster-1 AutoScale VPC CIDR range 10.1.0.0/24 should be mapped to the Forti-Analyzer ADOM "FW Cluster-1 Adom".

Hi @ManikantaNandyala , thank you for your diagram. Can you try to write an automation script that uses the Command Line Interface? This script can interact directly with the FortiAnalyzer / FortiManager. Since you will need to maintain the whole set of peering VPCs, where each VPC has a specific IP range, it is much easier for you to design the behaviour of grouping your devices into the right ADOM using such a script as an external supporting tool to the Autoscale.
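The two requirements in this thread (place a newly scaled FortiGate into the ADOM that belongs to its cluster, keyed by VPC tag or VPC CIDR, and do it from an external script rather than from the Autoscale templates) reduce to a lookup plus a request to the FortiAnalyzer/FortiManager JSON-RPC API. The following is an added example, not code from the fortigate-autoscale-aws project or from either participant. The cluster-to-ADOM table, the device names and addresses are constructed sample values; the `/dvmdb/adom/<adom>/device` URL and the request shape are assumptions about the JSON-RPC API and should be checked against the FortiAnalyzer/FortiManager API reference for the release in use. The script builds the request payloads but does not send them, so it runs offline.

```python
import ipaddress
import json

# Constructed sample mapping (an assumption, not data from the issue):
# one entry per FW AutoScale cluster VPC, keyed by tag and/or VPC CIDR.
CLUSTER_ADOM_MAP = [
    {"vpc_cidr": "10.1.0.0/24", "tag": "fw-cluster-1", "adom": "FW_Cluster-1_Adom"},
    {"vpc_cidr": "10.2.0.0/24", "tag": "fw-cluster-2", "adom": "FW_Cluster-2_Adom"},
]
# Devices that match no cluster stay where FortiAnalyzer puts them by default.
DEFAULT_ADOM = "root"


def validate_mapping(mapping):
    """Reject overlapping VPC CIDRs: an overlap would make the ADOM choice
    ambiguous, and a device could silently land in the wrong ADOM."""
    nets = [(ipaddress.ip_network(e["vpc_cidr"], strict=True), e["adom"]) for e in mapping]
    for i, (a, adom_a) in enumerate(nets):
        for b, adom_b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping VPC CIDRs {a} ({adom_a}) and {b} ({adom_b})")
    return True


def select_adom(device_ip, tag=None, mapping=CLUSTER_ADOM_MAP, default=DEFAULT_ADOM):
    """Pick the ADOM for one FortiGate. A tag match wins; otherwise use the
    longest-prefix CIDR match on the device's management IP; otherwise default."""
    if tag:
        for entry in mapping:
            if entry.get("tag") == tag:
                return entry["adom"]
    addr = ipaddress.ip_address(device_ip)
    best_adom, best_len = default, -1
    for entry in mapping:
        net = ipaddress.ip_network(entry["vpc_cidr"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best_adom, best_len = entry["adom"], net.prefixlen
    return best_adom


def build_adom_move_request(session, adom, device_name, request_id=1):
    """JSON-RPC payload adding a device to an ADOM. The 'add' method and the
    /dvmdb/adom/<adom>/device URL are assumptions about the FortiAnalyzer /
    FortiManager API; verify them against the API reference before use."""
    return {
        "id": request_id,
        "method": "add",
        "params": [{"url": f"/dvmdb/adom/{adom}/device", "data": [{"name": device_name}]}],
        "session": session,
    }


def plan_moves(devices, session, mapping=CLUSTER_ADOM_MAP, default=DEFAULT_ADOM):
    """For a list of {'name', 'ip', 'tag'} records (e.g. produced by an
    autoscale lifecycle hook), return the requests needed; devices that
    resolve to the default ADOM need no move and are skipped."""
    validate_mapping(mapping)
    requests = []
    for n, dev in enumerate(devices, start=1):
        adom = select_adom(dev["ip"], dev.get("tag"), mapping, default)
        if adom != default:
            requests.append(build_adom_move_request(session, adom, dev["name"], n))
    return requests


if __name__ == "__main__":
    # Constructed sample devices; the session token is a placeholder.
    sample_devices = [
        {"name": "FGT-cluster1-i-0a1", "ip": "10.1.0.7"},
        {"name": "FGT-cluster2-i-0b2", "ip": "10.2.0.15", "tag": "fw-cluster-2"},
        {"name": "FGT-unknown-i-0c3", "ip": "10.9.0.1"},
    ]
    print(json.dumps(plan_moves(sample_devices, "SESSION_TOKEN_PLACEHOLDER"), indent=2))
```

The tag takes precedence over the CIDR because a VPC may later be re-addressed while its cluster tag stays stable; the overlap check runs before any request is built so that a misconfigured table fails loudly instead of assigning devices to the wrong ADOM.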

ManikantaNandyala commented 3 years ago

@JaydenLiang We are expecting the default script/template for this use case from fortinet, based on our requirements we will amend the changes to interact directly with the FAZ & FMG.

JaydenLiang commented 3 years ago

This script is an add-on to the Autoscale project. @ManikantaNandyala , we are following up with your expected solution in another communication channel.

We are not going to make this add-on a built-in feature for the project but I'll leave this issue open for any possible solution in this way (aka: as an add-on).