[UPDATE 1] Decommissioned Cisco ASA 5506-X Firepower Firewall and Deployed Fortigate 60F Firewall for an Investment Company in Singapore on 8 July 2021 Thursday



Good day from Singapore,


On 8 July 2021 Thursday, between 2 PM and 5 PM Singapore time, I decommissioned a Cisco ASA 5506-X Firepower Firewall and replaced it with a Fortigate 60F firewall for an investment company in Singapore.


Configuration of the Fortigate 60F firewall appliance includes Duo 2FA integration and SSL VPN. You will also need to configure a RADIUS server on a Windows Server 2016/2019 in the same network as the Fortigate, using Duo Authentication Proxy. No other RADIUS server is necessary.


The firmware of Fortigate 60F firewall has been upgraded to the latest version 7.0.0.


The most unusual aspect of this Fortigate 60F firewall appliance deployment is that the SSL VPN uses Duo 2FA instead of FortiTokens. It is a rather uncommon setup. You can read about Duo 2FA integration with Fortigate SSL VPN below.


Reference Guide: Fortinet FortiGate SSL VPN with RADIUS Auto Push

Link: https://duo.com/docs/fortinet


If your enterprise/business/corporate internet plan has a dynamic IP address, you need to configure FortiGuard Dynamic DNS (DDNS).


Reference Guide: DDNS

Link: https://docs.fortinet.com/document/fortigate/latest/administration-guide/685361/ddns


Before you can configure FortiGuard DDNS, you need to register your Fortigate firewall appliance at https://support.fortinet.com/ with the serial number and contract number.


To configure the SSL VPN tunnel, you need to read the following guide.


Reference Guide: Configuring the SSL VPN tunnel

Link: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/690301/configuring-the-ssl-vpn-tunnel


It is also mandatory to add firewall security policies; otherwise your SSL VPN tunnel will not work.


Reference Guide: Adding security policies

Link: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/364638/adding-security-policies


In short, you will need to configure the following security policies on your Fortigate firewall:


(1) internal/LAN to WAN1 (otherwise known as outgoing internet access policy)


(2) allow SSL VPN tunnel to access your internal network


(3) allow SSL VPN tunnel to access the internet (optional)


The last policy in the list is the implicit deny, which blocks all incoming connections that no earlier policy has allowed.
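As an added example (not from the original post or from Fortinet's documentation), this is the FortiOS CLI equivalent of the Duo RADIUS, SSL VPN and policy setup described above. The interface names `internal` and `wan1`, the address `192.0.2.10`, the object names and the shared secret are placeholders; the optional policy (3) would mirror policy 2 with `set dstintf "wan1"` and `set nat enable`.

```fortios
# Duo Authentication Proxy on the Windows server is the only RADIUS server.
config system global
    set remoteauthtimeout 60   # give the Duo push time to be approved
end
config user radius
    edit "Duo-RADIUS"
        set server "192.0.2.10"   # placeholder: Windows server running the proxy
        set secret "CHANGE-ME-shared-secret"
        set timeout 60
    next
end
config user group
    edit "SSLVPN-Duo"
        set member "Duo-RADIUS"
    next
end
# SSL VPN on wan1; only members of the Duo-backed group reach the portal.
config vpn ssl settings
    set source-interface "wan1"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "SSLVPN-Duo"
            set portal "full-access"
        next
    end
end
# Policies (1) and (2) from the list; anything unmatched hits the implicit deny.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "SSLVPN-Duo"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policy 2 binds the tunnel address pool to the Duo user group, so a VPN session that did not pass 2FA never matches it and falls through to the implicit deny.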


There are, of course, many other guides to follow but I will only list the above guides for now.


Single-handedly, I spent a few days (over a period of about 2 weeks) configuring this Fortigate 60F firewall appliance before the actual deployment on 8 July 2021 Thursday. On the day of deployment at our customer's site, it was just plug and play. The whole process was very smooth. There were no hiccups.


Fortigate firewall appliances are based on open source Linux. Sophos firewall appliances are also based on open source Linux. Cisco ASA firewall appliances are also based on open source Linux.


Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 9 July 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a System Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.





