
40Mins to Grow Your Business

Understanding Fortinet’s Public Cloud Security Solutions


20th November 2018

Emmanuel Rabatan - CSE AWS / OCI


erabatan@fortinet.com

Michael Haines – Senior Cloud Architect


mah@fortinet.com

© Copyright Fortinet Inc. All rights reserved.


Emmanuel Rabatan
CSE AWS / OCI
erabatan@fortinet.com



Before we start…
What you can get on marketplace

 On-Demand:
» FortiGate-VM
» FortiWeb-VM
» FortiAnalyzer-VM
» FortiRecorder
» FortiSandbox
» FortiWeb-Manager
» FortiSandbox-VM
» FortiVoice-VM
» FortiWeb Manager

 VM sizes:
» VM01 to VM32 to VMUL (virtual CPU)

 BYOL Perpetual Licenses:
» FortiGate-VM
» FortiAuthenticator-VM
» FortiGate-VM
» FortiWeb-VM
» FortiWeb-Manager-VM
» FortiManager-VM
» FortiAnalyzer-VM
» FortiMail-VM
» FortiSIEM-VM
» FortiSIEM-Collector-VM
» FortiSIEM-Report-Server-VM
» FortiVoice-VM
» FortiSandbox-VM

More on…AWS GitHub Site

 AWS CloudFormation Templates:


» https://github.com/fortinetsolutions

More on…AWS Fortinet Web Site

 For more information and AWS Solutions:


» https://www.fortinet.com/aws

Target Public Cloud
AWS WAF service

AWS WAF Managed Rules

 Available via AWS Marketplace
 Fortinet complements the AWS WAF offering
» 4 packages of rules (malicious bots, SQL/XSS, exploits, OWASP Top 10)
» Low cost: < $1.5 per 1M requests or < $30/month
 Actions at ruleset level: log, alert, block
 Ensures protection is up to date with the latest signatures
 Easy setup as part of the AWS infrastructure
» FortiWeb as a VM can't be installed in CloudFront

AWS WAF Managed Rules (diagram callout):
• Prepackaged WAF rulesets
• Updated regularly
• Additional subscription
Fortinet & AWS GuardDuty
 Fortinet fully integrates with AWS GuardDuty.
 GuardDuty generates an event in CloudWatch, which feeds a file on S3.
 FortiOS integrates external IP lists into its local detection database using a connector.
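As an added example (not from the slides and not Fortinet's own code), the Lambda-side logic of the pipeline just described: parse a GuardDuty finding delivered through CloudWatch Events, keep only sufficiently severe findings with an external remote address, and merge those addresses into the plain-text IP list that FortiOS polls from S3 as an external threat feed. The finding event is constructed, the S3 get/put is left out so the code runs offline, and the feed format (one address per line, '#' comments), the local ranges and the severity threshold are assumptions.

```python
import ipaddress

# Ranges that must never land in the block feed (assumed: the VPCs use RFC1918 space).
LOCAL_RANGES = [ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FEED_HEADER = "# GuardDuty-derived block list (auto-generated)"

# Constructed GuardDuty finding as delivered by CloudWatch Events (only fields read below).
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
    "service": {"action": {"networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}

def external_ip(value):
    """Normalised IPv4 string, or None if invalid or inside a local range."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    if addr.version != 4 or any(addr in net for net in LOCAL_RANGES):
        return None
    return str(addr)

def extract_remote_ips(event, min_severity=4.0):
    """External remote IPs from one finding; low-severity findings are skipped."""
    detail = event.get("detail", {})
    if (event.get("detail-type") != "GuardDuty Finding"
            or float(detail.get("severity", 0)) < min_severity):
        return []
    action = detail.get("service", {}).get("action", {})
    # Connection, API-call and port-probe findings store the remote IP differently.
    candidates = [action.get("networkConnectionAction", {}),
                  action.get("awsApiCallAction", {})]
    candidates += action.get("portProbeAction", {}).get("portProbeDetails", [])
    found = []
    for c in candidates:
        ip = external_ip(c.get("remoteIpDetails", {}).get("ipAddressV4"))
        if ip and ip not in found:
            found.append(ip)
    return found

def merge_feed(existing_text, new_ips):
    """Merge IPs into the feed body FortiOS polls from S3 (assumed format:
    one address per line, '#' starts a comment); returns the new body."""
    lines = (l.split("#", 1)[0] for l in existing_text.splitlines())
    current = {ip for ip in map(external_ip, lines) if ip}
    current.update(ip for ip in map(external_ip, new_ips) if ip)
    ordered = sorted(current, key=ipaddress.ip_address)
    return "\n".join([FEED_HEADER, *ordered]) + "\n"
```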

HA in same AZ

*Template: HA unicast on github

HA cross AZ

(Diagram: FortiGate A and B in different AZs; labels: Move EIP, Config sync)

*Template: route failover

Transit VPC

(Diagram: transit VPC with spoke VPCs and a 2nd account)

*Template: TransitVPC primary account
*Template: TransitVPC Spoke VPC
*Template: TransitVPC secondary account
Fortinet SDN connector & AWS
 FortiOS can use the AWS API to dynamically pull information from the AWS environment.
 Dynamic objects are used to integrate AWS components into FortiOS security.

(Diagram: a dynamic address object resolving to instance addresses 10.1.0.23, 10.1.0.141, 10.1.0.219)

Fortinet Automation & AWS
 Security events raised by FortiOS can trigger AWS services.
 From there, Lambda can do anything.

(Diagram: FortiGate event flow into AWS)

More coming

 Many new features and projects to integrate in AWS:


» Fortiview / topology
» Fortisandbox cloud
» New HA design
» IPSec perf
» DPDK
» FortiMeter
» VMware support
»…

Michael Haines
Senior Cloud Architect
mah@fortinet.com



Agenda

 What are ARM Templates


» Specific to Fortinet’s Solutions
 What are the Use-Cases when using ARM Templates
» Specific to Fortinet’s Solutions
 Getting Started with ARM Templates
 Getting Started with What Tools to Use
 Good Practices when Developing ARM Templates
 Summary

What are ARM Templates
 Template file (JSON), e.g. fortigatedeploy.json: the main file; declares resources, input parameters, etc.
 Parameters file (JSON), e.g. fortigatedeploy.parameters.json: optional file that provides values for all the parameters at deploy time
 Deployed into a resource group; groups are not defined in the template

Fortinet’s Solution ARM Templates

 Developed by Fortinet
» For all products that are available from the Azure Marketplace
 Tested and Certified by Microsoft
» Fortinet submits its Solution ARM Templates to the Microsoft Azure Team for
Certification (this process can be lengthy!)
 Fortinet’s ARM Templates Published
» The Microsoft Azure Team Publish Fortinet’s Solution ARM Templates

Fortinet Use-Cases when using ARM Templates

 Deploying more than 2 vNICs
» From the Azure Portal (UI) Marketplace you cannot deploy more than 2 vNICs
 Simplify Automation
» Automating Fortinet’s Solutions (think DevOps), using multiple products such as the
FortiGate-VM and FortiWeb-VM ‘virtual appliances’, AutoScaling, etc.
 Deploying to the Same Azure Resource Group
» When you want to deploy Fortinet’s Solutions to an ‘existing’ Resource Group.
You cannot do this from the Azure Portal (UI)

Getting Started with Fortinet’s ARM Templates
 Where do I get ARM Templates from?
» Create your ARM Templates from scratch (much more complex!)
 Azure Portal (UI)
» Use the Azure Portal (UI) and just before you deploy one of Fortinet’s Solutions,
select 'Download template and parameters' this includes everything you need to
get started
 Azure Portal (UI) Resource Group
» If your Application e.g. FortiGate-VM ‘virtual appliance’ is already running, go to the
Azure Portal (UI), select your ‘Resource Group' and then select 'Automation script’
 Fortinet’s GitHub Repository
» Get Fortinet's custom ARM Templates from Fortinet's GitHub Repository. The
Azure Templates are located here: https://github.com/fortinetsolutions/Azure-Templates

Getting Started with What Tools to Use
 Use your Favorite Editor
» You can use an editor such as vi, emacs etc., but this is much more complex and
really not advisable
 Azure Portal (UI)
» Use the Azure Portal (UI) and just before you deploy one of Fortinet’s Solutions,
select 'Download template and parameters' this includes everything you need to
get started
 Azure Portal (UI) Resource Group
» If your Application e.g. FortiGate-VM ‘virtual appliance’ is already running, go to the
Azure Portal (UI), select your ‘Resource Group' and then select 'Automation script’
 Fortinet’s GitHub Repository
» Get Fortinet's custom ARM Templates from Fortinet's GitHub Repository. The
Azure Templates are located here: https://github.com/fortinetsolutions/Azure-Templates

Good Practices when Developing ARM Templates
 Validation
» Before you ‘commit’ anything to your Git repository, ‘validate’ your
‘template’ and ‘parameters’ files
» Example using the Azure CLI:

  $ az group deployment validate --resource-group <RG NAME> --template-file <PATH> --parameters <PATH>

  $ az group deployment validate -g MAH40MINSRG \
      --template-file /Users/michaelh/Desktop/Fortinet/Fortinet-Conferences/2018/40Mins-Cloud-Webinar/40Mins-Cloud-Webinar-Templates/template.json \
      --parameters /Users/michaelh/Desktop/Fortinet/Fortinet-Conferences/2018/40Mins-Cloud-Webinar/40Mins-Cloud-Webinar-Templates/parameters.json

Good Practices when Developing ARM Templates

 Reduce your Parameters


» Do not overload your ‘Parameters’ template (as much and as best you can)
» Move (when it makes sense to) your ‘Parameters’ into ‘Variables’
 Use a Unique Identifier
» Use a ‘Unique Identifier’ / ‘Unique String’ to your Deployment (when
deploying the same resources / DevOps etc.)
 Use Variables
» Use ‘Variables’ to remove the dependency on ‘Static’ values and make them
more ‘Dynamic’
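As an added example (not from the slides and not a Fortinet tool), a small lint that checks a loaded ARM template against the three practices above: parameters that nothing references (candidates for removal or for moving into variables), resource names that are static literals instead of expressions, and the absence of any uniqueString()-derived name. The template below is constructed in the shape of a fortigatedeploy.json; the parameter-count threshold is an assumption.

```python
# Constructed minimal template: one used parameter, one leftover parameter,
# a uniqueString()-derived variable, and one resource that still has a static name.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "namePrefix": {"type": "string", "defaultValue": "fgt"},
        "unusedParam": {"type": "string", "defaultValue": "leftover"},
    },
    "variables": {
        "suffix": "[uniqueString(resourceGroup().id)]",
        "vmName": "[concat(parameters('namePrefix'), '-', variables('suffix'))]",
    },
    "resources": [
        {"type": "Microsoft.Network/publicIPAddresses", "name": "fgt-pip"},
        {"type": "Microsoft.Compute/virtualMachines", "name": "[variables('vmName')]"},
    ],
}

def _strings(obj):
    """Yield every string leaf (ARM expressions and literals) of a JSON tree."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj

def check_template(tpl, max_params=10):
    """Return findings against the practices above (max_params is an assumed threshold)."""
    findings = []
    params = tpl.get("parameters", {})
    if len(params) > max_params:
        findings.append(f"{len(params)} parameters: move some into variables")
    # A parameter counts as used only if something outside the parameters section references it.
    body = list(_strings({k: v for k, v in tpl.items() if k != "parameters"}))
    for name in params:
        if not any(f"parameters('{name}')" in s for s in body):
            findings.append(f"parameter '{name}' is never referenced")
    for res in tpl.get("resources", []):
        name = res.get("name", "")
        if not name.startswith("["):
            findings.append(f"{res.get('type')} name '{name}' is a static literal")
    if not any("uniqueString(" in s for s in body):
        findings.append("no uniqueString() in the template: names are not unique per deployment")
    return findings
```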

Summary of Practices when Developing ARM Templates
 Use Git
 Validate, then Commit
 Minimize the use of Parameters
 Use a Unique Identifier / Unique String
 Use Variables wherever possible

