fortinet / fortigate-tutorial-gcp

6 stars 12 forks source link

FortiGate Deployment Tutorial for Google Cloud

This repository contains documentation and code to use for a sample deployment of a FortiGate reference architecture in Google Cloud.

Reference architecture describes the recommended way to configure FortiGate VM instances and Google Cloud infrastructure. It is designed to cover most of the use-cases and will meet the requirements of most of the deployments. Note though, that in some cases a different architecture or some modifications might be required. If in doubt - please contact Fortinet cloud team for assistance at gcptech (at) fortinet.com

The code samples will deploy FortiGate HA cluster and a simple 2-tier web application. FortiGates will protect the sample app by inspecting inbound north-south traffic from Internet, outbound south-north traffic from servers to Internet as well as East-West traffic between web application Tier 1 and Tier 2.

This repository is use-case centric. It was created to help you match the configuration to the security functions you will use. Where possible, the use-cases are separated from the base FortiGate deployment. As different tools have different capabilities, this separation is implemented differently depending on the tool of your choice:

Architecture

The recommended way to deploy FortiGates is a multi-AZ Active-Passive FGCP cluster with set of (up to 3) load balancers to direct the traffic flows through the active FGT instance (a pattern known as "load balancer sandwich"): FortiGate reference architecture overview

While it is technically possible to use a single network interface to connect to both internal and external networks, it is recommended to use one external and one internal NIC for clarity of architecture and FortiGate configuration. Additional two NICs will be used for cluster heartbeat and management. This means you will need 4 separate VPC networks to connect to the FortiGates.

Note: starting from version 7.0 you can use the same network interface for FGCP heartbeat and management.

It is recommended to place the workloads (your application servers) in separate VPCs (possibly in separate projects) and use VPC Peering to maintain connectivity between FortiGate internal VPC and workload VPCs. You can choose to either:

How To Deploy