<p>FortiXpert Content – Do not distribute – Internal only – Confidential</p><p>LAB 1 — Single FortiGate deployment using AWS Marketplace</p><p>In this lab, you will access your AWS console, launch a single FortiGate from the AWS Marketplace, and create the basic VPC and FortiGate configuration to allow outgoing and incoming traffic.</p><p>The screenshots may show AWS pricing; ignore it, as prices may have changed since this guide was written. Refer to the AWS and Fortinet websites for current information on the cost of running these labs.</p><p>Objectives</p><p>• Create a basic VPC with Public and Private subnets</p><p>• Deploy a FortiGate and a Windows Server from the AWS Marketplace</p><p>• Use VPC Route Tables, Security Groups and an Elastic IP</p><p>• Configure the FortiGate to allow incoming and outgoing traffic between the Public and Private subnets</p><p>Time to Complete</p><p>Estimated: 45 minutes</p><p>Prerequisites</p><p>Before beginning this lab, you must already have access to the AWS console through a provided account or an account of your own.</p><p>To access the AWS console</p><p>1. Open a web browser, go to https://console.aws.amazon.com/ and log in to your account.</p><p>2. You should now be on the AWS Console.</p><p>1 Create a basic VPC</p><p>In this exercise, you will create a basic Virtual Private Cloud (VPC) using the AWS Console. This VPC will have public and private subnets, route tables and an Internet gateway.</p><p>Create the VPC</p><p>You will create a new VPC instead of using the default one. For this you will need to complete the following steps:</p><p>• Create a VPC</p><p>• Create subnets</p><p>• Create an Internet gateway</p><p>To create a VPC</p><p>1. Go to the Services menu.</p><p>2. 
Go to the VPC console in the Networking & Content Delivery section; you may also use the search box to find it.</p><p>3. Go to Your VPCs on the left panel, then click Create VPC.</p><p>4. On the Create VPC wizard, set the Name tag to LabVPC.</p><p>5. Set the IPv4 CIDR block to 10.0.0.0/16.</p><p>6. Leave the other values as default.</p><p>7. Click Create.</p><p>To create Subnets</p><p>1. Go to Subnets on the left panel, then click Create subnet.</p><p>2. On the Create subnet wizard, set the Name tag to Public.</p><p>3. Set the VPC to the one you previously created.</p><p>4. Set the IPv4 CIDR block to 10.0.0.0/24.</p><p>5. Leave the other values as default.</p><p>6. Click Create.</p><p>7. Repeat the same process to create another subnet.</p><p>8. Set the Name tag to Private.</p><p>9. Set the VPC to the one you previously created.</p><p>10. Set the IPv4 CIDR block to 10.0.1.0/24.</p><p>11. Leave the other values as default.</p><p>12. Click Create.</p><p>13. Your subnets table should now list the Public (10.0.0.0/24) and Private (10.0.1.0/24) subnets in LabVPC.</p><p>To create an Internet Gateway</p><p>1. Go to Internet Gateways on the left panel, then click Create internet gateway.</p><p>2. On the Create internet gateway wizard, set the Name tag to Lab Internet Gateway.</p><p>3. Click Create.</p><p>4. Once back in the Internet gateways table, select the one you just created, then click Actions and select Attach to VPC.</p><p>5. On the Attach to VPC wizard, select the VPC you previously created.</p><p>6. 
Click Attach.</p><p>2 Deploy a FortiGate from the AWS Marketplace</p><p>You will launch a single FortiGate and a Windows Server using the AWS Marketplace.</p><p>Deploy EC2 instances</p><p>You will launch two EC2 instances using the AWS Marketplace. For this you will need to complete the following steps:</p><p>• Create a Key Pair</p><p>• Launch a single FortiGate</p><p>• Launch a single Windows Server</p><p>• Create and configure Security Groups</p><p>To create a Key Pair</p><p>1. Go to the Services menu and select the EC2 console. You may open it in a new tab to make it easier to use multiple consoles at the same time.</p><p>2. Go to Key Pairs on the left panel, then click Create Key Pair.</p><p>3. Set the Key pair name to Lab.</p><p>4. Click Create.</p><p>5. Save the generated private key file to a secure location on your computer. You will not be able to download it again afterwards, and anyone holding this file can decrypt the Windows Administrator password in the Testing section, so protect it accordingly.</p><p>To deploy a FortiGate</p><p>1. Go to Instances on the left panel, then click Launch Instance.</p><p>2. On the Launch Instance wizard, click AWS Marketplace on the left panel.</p><p>3. Type Fortinet in the search box and press Enter, then click Select on the Fortinet FortiGate Next-Generation Firewall Pay-As-You-Go (PAYG) version.</p><p>4. On the Fortinet FortiGate Next-Generation Firewall pop-up, click the View Additional Details in AWS Marketplace link to be able to specify the FortiOS version to launch.</p><p>5. On the Product Overview page, select Continue to Subscribe.</p><p>6. On the launch settings, select t2.small in Choose EC2 Instance Type and click Configure Instance Details.</p><p>7. On VPC Settings select the previously created VPC.</p><p>8. 
Select the public subnet 10.0.0.0/24 under Subnet Settings.</p><p>9. Set Auto-Assign Public IP to Disable (the FortiGate will use an Elastic IP instead). Leave all other settings at their default values and click "6. Configure Security Group" at the top right.</p><p>10. On the Security Group Settings section, click Create New Security Group.</p><p>11. Set Security Group Name to FortiGate Security Group.</p><p>12. Set Description to FortiGate Security Group and click Review and Launch.</p><p>13. Review and click Launch.</p><p>14. On the Key Pair Settings select Lab.</p><p>15. Click Launch Instance.</p><p>16. Confirm the instance is successfully deployed.</p><p>17. Go back to the EC2 Console > Instances.</p><p>18. Click the edit pencil icon next to the blank instance name.</p><p>19. Set the Instance name to FortiGate Lab 1 and click the accept icon.</p><p>To deploy a Windows Server</p><p>1. Go to Instances on the left panel, then click Launch Instance.</p><p>2. Type Windows in the search box and press Enter, then click Select on Microsoft Windows Server 2016 Base.</p><p>3. Select the Instance Type t2.micro.</p><p>4. Click Next: Configure Instance Details.</p><p>5. On Network select the previously created VPC.</p><p>6. On Subnet select the Private subnet.</p><p>7. Leave the other values as default.</p><p>8. Click Configure Security Group on the top menu.</p><p>9. Make sure Create a new security group is selected and that you have a rule for TCP 3389. Because the FortiGate policy you will create later forwards RDP without source NAT, the Windows Server sees the original client's public address as the source, so this rule's Source must cover the clients' public addresses (0.0.0.0/0 in the lab); the server has no public IP of its own, so the rule is only reachable through the FortiGate.</p><p>10. Click Review and Launch.</p><p>11. Click Launch.</p><p>12. On the pop-up under Select a key pair use Lab.</p><p>13. Mark the acknowledge warning.</p><p>14. 
Click Launch Instances.</p><p>15. Go back to EC2 Console > Instances.</p><p>16. Rename the created instance to Windows Server Lab.</p><p>3 Configure the VPC network</p><p>You will configure the Network Interfaces, Route Tables, Security Groups and Elastic IP.</p><p>Configure Elastic IP</p><p>An Elastic IP is a public IPv4 address that AWS maps to an EC2 resource, here the FortiGate's network interface in the Public subnet; the instance itself only ever sees its private address. For this you will need to complete the following steps:</p><p>• Create an Elastic IP</p><p>• Associate the Elastic IP to an Instance network interface</p><p>To create an Elastic IP</p><p>1. Go to EC2 Console > Elastic IP.</p><p>2. Click Allocate new address.</p><p>3. On the Allocate new address wizard, use the Amazon pool as the IPv4 address pool.</p><p>4. Click Allocate.</p><p>5. Click Close.</p><p>To associate an Elastic IP</p><p>1. Select the recently allocated Elastic IP.</p><p>2. Click Actions > Associate address.</p><p>3. On the Associate address wizard, select Network interface as the Resource type.</p><p>4. Select the Network interface corresponding to the FortiGate.</p><p>5. Select the FortiGate's private address on the Public subnet (10.0.0.0/24) as the Private IP.</p><p>6. Click Associate.</p><p>Configure Network Interfaces</p><p>You will create a second Network Interface for the FortiGate in the Private subnet. You will also disable the Source/Destination Check on that interface: AWS normally drops packets that an interface sends or receives with a source or destination address other than its own, and the FortiGate must be able to forward traffic from public IPs to the private network without using source NAT. 
For this you will need to complete the following steps:</p><p>• Create a Network Interface</p><p>• Attach the Network Interface to an EC2 instance</p><p>• Disable Source/Destination Check</p><p>To create a Network Interface</p><p>1. Go to EC2 Console > Network Interfaces.</p><p>2. Click Create Network Interface.</p><p>3. On the Create Network Interface pop-up, set the Subnet to Private.</p><p>4. Select the Security Group FortiGate Security Group.</p><p>5. Click Yes, Create.</p><p>6. Rename the FortiGate's interfaces so you can easily identify them, for example FortiGate Public Interface and FortiGate Private Interface; the steps below use these names.</p><p>To attach a Network Interface</p><p>1. Select the recently created Network Interface.</p><p>2. Click Actions > Attach.</p><p>3. On the Attach Network Interface pop-up, set FortiGate Lab 1 as the Instance ID.</p><p>4. Click Attach.</p><p>To disable Source/Destination Check on a Network Interface</p><p>1. Select the FortiGate Private Interface Network Interface.</p><p>2. Click Actions > Change Source/Dest. Check.</p><p>3. On the Change Source/Dest. Check pop-up, select Disabled.</p><p>4. Click Save.</p><p>Configure Route Tables</p><p>You will configure the Route Tables for your VPC. You want the public subnet traffic to reach the Internet through the AWS Internet Gateway, and the private subnet traffic to go to your FortiGate. For this you will need to complete the following steps:</p><p>• Configure the public route table to use the Internet Gateway</p><p>• Create a private route table that uses the FortiGate as default gateway</p><p>• Associate each subnet with the corresponding route table</p><p>• Add rules to the Security Group to allow traffic for additional services to the FortiGate</p><p>To modify a Route Table</p><p>1. Go to VPC Console > Route Tables.</p><p>2. Rename the existing route table (the main route table created with LabVPC) to FortiGate Public Route Table.</p><p>3. Click the Routes tab.</p><p>4. 
Click Edit routes.</p><p>5. Click Add route.</p><p>6. Set Destination to 0.0.0.0/0 and Target to Lab Internet Gateway.</p><p>7. Click Save routes.</p><p>8. Click the Subnet Associations tab.</p><p>9. Click Edit subnet associations.</p><p>10. Select the Public subnet 10.0.0.0/24.</p><p>11. Click Save.</p><p>To create a Route Table</p><p>1. Go to VPC Console > Route Tables.</p><p>2. Click Create route table.</p><p>3. Set Name tag to FortiGate Private Route Table.</p><p>4. Set VPC to LabVPC and click Create.</p><p>5. Select the FortiGate Private Route Table.</p><p>6. Click the Routes tab.</p><p>7. Click Edit routes.</p><p>8. Click Add route.</p><p>9. Set Destination to 0.0.0.0/0 and Target to the FortiGate Private Interface (the network interface, not the instance).</p><p>10. Click Save routes.</p><p>11. Select FortiGate Private Route Table.</p><p>12. Click the Subnet Associations tab.</p><p>13. Click Edit subnet associations.</p><p>14. Select the Private subnet 10.0.1.0/24.</p><p>15. Click Save.</p><p>Configure Security Groups</p><p>You will modify an existing Security Group. Security Groups are stateful filters applied directly to an instance's network interface (unlike Network ACLs, which are stateless and apply to a subnet); they control inbound and outbound traffic even from and to the same subnet. By default all outbound traffic is allowed and inbound traffic must be allowed explicitly. Because traffic will pass through the FortiGate, the Security Group rules must match the firewall policies you will create later on the FortiGate, or the traffic will never reach its interfaces.</p><p>To modify a Security Group</p><p>1. Go to EC2 Console > Instances.</p><p>2. Select the FortiGate Lab 1 instance.</p><p>3. 
On the Description tab, click the FortiGate Security Group. This takes you directly to the Security Group assigned to that instance.</p><p>4. Click the Inbound tab.</p><p>5. Click Edit.</p><p>6. On the Edit inbound rules pop-up, click Add Rule.</p><p>7. Configure the following in the new rule:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Type</td><td>Custom TCP</td></tr><tr><td>Protocol</td><td>TCP</td></tr><tr><td>Port Range</td><td>3389</td></tr><tr><td>Source</td><td>0.0.0.0/0</td></tr></table><p>8. Click Save.</p><p>Caution: A Source of 0.0.0.0/0 exposes the RDP port forward you will create on the FortiGate to the whole Internet. Outside the lab, restrict the Source to the public IP addresses that actually need RDP access.</p><p>4 Configure the FortiGate</p><p>Accessing a FortiGate on AWS differs from accessing a regular FortiGate VM: you normally reach it through the Elastic IP associated with its private IP, the required protocols must be allowed on its Security Group, and the default admin password is the Instance ID. Because the instance ID is visible to anyone who can read the EC2 console, change this password at first login, as the steps below do. You can use static IP addresses on the FortiGate ports, but AWS assigns addresses dynamically and the environment changes over time, so it is recommended to use DHCP on the FortiGate ports wherever possible.</p><p>FortiGate configuration</p><p>You will access the FortiGate over its Elastic IP and do the basic configuration to allow RDP traffic to the Windows Server. For this you will need to complete the following steps:</p><p>• Access the FortiGate</p><p>• Configure the FortiGate ports</p><p>• Create a Virtual IP</p><p>• Create a firewall policy</p><p>• Test your configuration</p><p>To access the FortiGate on AWS</p><p>1. Go to EC2 Console > Instances.</p><p>2. Take note of your FortiGate's Elastic IP and Instance ID. Tip: next to some fields there is a button on the right to copy the value to the clipboard.</p><p>3. In your browser, go to the Elastic IP address over HTTPS on the regular 443 port. If the browser cannot connect, check that the FortiGate Security Group allows inbound TCP 443 from your address.</p><p>4. A Login Disclaimer will indicate that the admin password is set to the instance-id.</p><p>5. 
Log in to the FortiGate.</p><p>6. You will be prompted to change the admin password; set it to nse7cloud.</p><p>To modify the FortiGate ports</p><p>1. On the FortiGate, go to Network > Interfaces.</p><p>2. Edit port2.</p><p>3. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Alias</td><td>Internal</td></tr><tr><td>Role</td><td>DMZ</td></tr><tr><td>Addressing mode</td><td>DHCP</td></tr><tr><td>Retrieve default gateway from server</td><td>Disabled</td></tr></table><p>4. Click OK.</p><p>5. Edit port1.</p><p>6. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Alias</td><td>External</td></tr><tr><td>Role</td><td>WAN</td></tr><tr><td>Addressing mode</td><td>DHCP</td></tr><tr><td>Retrieve default gateway from server</td><td>Enabled</td></tr><tr><td>Override internal DNS</td><td>Enabled</td></tr></table><p>7. Click OK.</p><p>8. port2 should have received a private IP address on the 10.0.1.0/24 network. Only port1 retrieves its default gateway from DHCP, so the FortiGate's default route points at the Public subnet router and out through the Internet Gateway.</p><p>To create a Virtual IP</p><p>1. On the FortiGate, go to Policy & Objects > Virtual IPs.</p><p>2. Create a new Virtual IP.</p><p>3. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>Windows Server Lab RDP</td></tr><tr><td>Interface</td><td>port1</td></tr><tr><td>External IP Address</td><td>Use the FortiGate port1 IP</td></tr><tr><td>Mapped IP Address</td><td>Use the Windows Server IP</td></tr><tr><td>Port Forwarding</td><td>Enabled</td></tr><tr><td>Protocol</td><td>TCP</td></tr><tr><td>External Service Port</td><td>3389</td></tr><tr><td>Map to Port</td><td>3389</td></tr></table><p>Note: The External IP Address is port1's private address (10.0.0.x), not the Elastic IP. AWS translates the Elastic IP to that private address before the packet reaches the FortiGate, so the FortiGate never sees the public address.</p><p>4. Click OK.</p><p>To create Firewall Policies</p><p>1. On the FortiGate, go to Policy & Objects > IPv4 Policy.</p><p>2. Create a new Policy.</p><p>3. 
Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>Windows Server Lab RDP policy</td></tr><tr><td>Incoming Interface</td><td>port1</td></tr><tr><td>Outgoing Interface</td><td>port2</td></tr><tr><td>Source</td><td>all</td></tr><tr><td>Destination</td><td>Windows Server Lab RDP</td></tr><tr><td>Schedule</td><td>always</td></tr><tr><td>Service</td><td>RDP</td></tr><tr><td>Action</td><td>ACCEPT</td></tr><tr><td>NAT</td><td>Disabled</td></tr><tr><td>Log Allowed Traffic</td><td>All Sessions</td></tr></table><p>4. Click OK.</p><p>Caution: In a production environment you should enable the appropriate Security Profiles to protect the traffic going through this policy.</p><p>Note: With NAT disabled, the Windows Server sees the original client's public IP as the source, which is why its Security Group rule for TCP 3389 must cover those client addresses. The return traffic still flows through the FortiGate because the private route table sends 0.0.0.0/0 to the FortiGate Private Interface.</p><p>5 Testing</p><p>Test your configuration</p><p>You should now be able to access the Windows Server via Remote Desktop, through the FortiGate policy, over the FortiGate's Elastic IP.</p><p>To test your configuration</p><p>1. Go to EC2 Console > Instances.</p><p>2. Select the Windows Server.</p><p>3. Click Connect.</p><p>4. Click Get Password.</p><p>5. On Key Pair Path, browse for the .pem file you saved when the Lab key pair was created.</p><p>6. Click Decrypt Password.</p><p>7. Copy the Password.</p><p>8. Click Close.</p><p>9. Make a Remote Desktop connection to the FortiGate Elastic IP.</p><p>10. Use Administrator as the user name and the password you copied.</p><p>11. On the FortiGate, go to Log & Report > Forward Traffic. If the connection was successful you should have logs on the FortiGate matching the Windows Server Lab RDP policy.</p><p>LAB 2 — Configuring FortiGate Fabric Connector for AWS dynamic objects</p><p>In this lab, you will connect your deployed FortiGate to the AWS API to retrieve resource values from your AWS account and create dynamic objects for the FortiGate policies. 
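</p>
<p>Two things decide how safe and how useful this integration is: what the IAM credential stored on the FortiGate is allowed to do, and how the connector turns the instance data it fetches into addresses. The following Python is an added example (not code from the lab guide, Fortinet or AWS) that shows both. The first half builds the read-only policy that the caution in section 1 asks for instead of AdministratorAccess and flags any Allow action that is not a Describe, List or Get call; the action list is an assumption chosen to illustrate least privilege, so check Fortinet's documentation for the exact permissions your FortiOS version's connector needs. The second half models the connector's work after each poll: it evaluates a filter such as InstanceId=i-… or Tag.Name=… against records shaped like a describe_instances response and returns the private IPs the dynamic address resolves to. The filter grammar (key=value terms joined with & and |, with & binding tighter) is my approximation of what the FortiGate filter picker produces, and the instance records and IDs are constructed sample data.</p>

```python
"""AWS side of the FortiGate Fabric Connector: least-privilege credentials and
the resolution of a dynamic address filter against EC2 instance data."""
# Added example, not code from the lab guide, Fortinet or AWS. Assumptions: the
# read-only action list illustrates least privilege (Fortinet's connector docs are
# the authority for a given FortiOS version), and the filter grammar ("key=value"
# terms joined with & and |, & binding tighter) mirrors the FortiGate filter picker.
# All instance records and IDs below are constructed sample data.
import re

CONNECTOR_READ_ONLY_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
                               "ec2:DescribeRegions", "ec2:DescribeVpcs"]
READ_ONLY_VERBS = ("Describe", "List", "Get")
# The AWS managed AdministratorAccess policy the lab attaches is equivalent to this.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def connector_policy(actions=CONNECTOR_READ_ONLY_ACTIONS):
    """Policy document to attach to the FortiGate IAM user instead of AdministratorAccess."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def is_read_only_action(action):
    """'ec2:DescribeInstances' or 'ec2:Describe*' count as read-only; '*' and 'ec2:*' do not."""
    service, _, verb = action.partition(":")
    return bool(service) and verb.startswith(READ_ONLY_VERBS)


def policy_findings(policy):
    """Allow-actions that are not read-only. Empty means the credential is safe to
    store on the firewall; any finding is a takeover path for whoever can read the
    FortiGate configuration (or the firewall's backups)."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever remove access
        actions = stmt.get("Action", [])
        for action in actions if isinstance(actions, list) else [actions]:
            if not is_read_only_action(action):
                findings.append(action)
    return findings


_TERM = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")


def instance_attributes(instance):
    """Flatten one describe_instances record into the keys a filter can reference."""
    attrs = {"InstanceId": instance["InstanceId"], "vpc-id": instance.get("VpcId", ""),
             "subnet-id": instance.get("SubnetId", ""),
             "instance-state": instance.get("State", {}).get("Name", "")}
    for tag in instance.get("Tags", []):
        attrs["Tag." + tag["Key"]] = tag["Value"]
    return attrs


def matches(filter_expr, attrs):
    """Evaluate 'k=v & k=v | k=v' against one instance's attributes."""
    def term(text):
        m = _TERM.match(text)
        if not m:
            raise ValueError(f"bad filter term: {text!r}")
        return attrs.get(m.group(1)) == m.group(2)
    return any(all(term(t) for t in clause.split("&")) for clause in filter_expr.split("|"))


def resolve(filter_expr, instances, running_only=True):
    """Sorted private IPs the dynamic address resolves to. Stopped instances are
    skipped by default; an empty result makes a policy using the address match nothing."""
    ips = set()
    for inst in instances:
        attrs = instance_attributes(inst)
        if running_only and attrs["instance-state"] != "running":
            continue
        if matches(filter_expr, attrs):
            for eni in inst.get("NetworkInterfaces", []):
                ips.update(a["PrivateIpAddress"] for a in eni.get("PrivateIpAddresses", []))
    return sorted(ips)


# Constructed sample: the lab's Windows Server, the FortiGate (two interfaces) and a
# stopped instance carrying the same Name tag as the Windows Server.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0windows", "VpcId": "vpc-lab", "SubnetId": "subnet-private",
     "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "Windows Server Lab"}],
     "NetworkInterfaces": [{"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.50"}]}]},
    {"InstanceId": "i-0fortigate", "VpcId": "vpc-lab", "SubnetId": "subnet-public",
     "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "FortiGate Lab 1"}],
     "NetworkInterfaces": [{"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.10"}]},
                           {"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10"}]}]},
    {"InstanceId": "i-0stopped", "VpcId": "vpc-lab", "SubnetId": "subnet-private",
     "State": {"Name": "stopped"}, "Tags": [{"Key": "Name", "Value": "Windows Server Lab"}],
     "NetworkInterfaces": [{"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.51"}]}]},
]

if __name__ == "__main__":
    print("AdministratorAccess findings:", policy_findings(ADMINISTRATOR_ACCESS))
    print("connector policy findings:", policy_findings(connector_policy()))
    print(resolve("InstanceId=i-0windows", SAMPLE_INSTANCES))
    print(resolve("Tag.Name=Windows Server Lab & vpc-id=vpc-lab", SAMPLE_INSTANCES))
    print(resolve("Tag.Name=Nothing", SAMPLE_INSTANCES))
```

<p>The stopped instance in the sample carries the same Name tag as the Windows Server but is skipped, and a filter that matches nothing returns an empty list: on the FortiGate that is a dynamic address with no members, and a policy using it matches no traffic at all, which is the first thing to check when a dynamic-object policy appears to be ignored.</p>
<p>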
This works both for FortiGates inside and outside AWS, allowing the configuration to adjust automatically to changes in the cloud in near real time.</p><p>Objectives</p><p>• Create an AWS Identity & Access Management (IAM) access to the API</p><p>• Configure a FortiGate Fabric Connector to AWS</p><p>• Create Firewall dynamic objects fed from AWS</p><p>• Create a policy using the dynamic objects</p><p>Time to Complete</p><p>Estimated: 20 minutes</p><p>1 Create an AWS IAM access</p><p>You will create a User in AWS IAM and allow Programmatic access to your AWS account for the FortiGate.</p><p>Create the IAM User</p><p>You will create a new IAM User and obtain the Access key ID and Secret access key to be configured on the FortiGate.</p><p>To create an IAM User</p><p>1. Go to the AWS Console.</p><p>2. On the Services menu look for the IAM Console.</p><p>3. Click Users on the left panel.</p><p>4. Click Add user.</p><p>5. On the first step of the Add user wizard:</p><p>6. Set User name to FortiGate.</p><p>7. Check only Programmatic access on the Access type.</p><p>8. Click Next: Permissions.</p><p>9. On the second step of the Add user wizard:</p><p>10. Click Attach existing policies directly.</p><p>11. For this lab select the AdministratorAccess policy.</p><p>12. Click Next: Tags.</p><p>Caution: In a production environment use a policy limited to the read-only EC2 describe permissions the connector needs, never AdministratorAccess: these keys will be stored on the firewall, and anyone who can read the FortiGate configuration would otherwise hold full control of the AWS account. When the FortiGate itself runs in AWS, the connector can instead use an IAM role attached to the instance, which avoids storing long-lived access keys on the firewall at all.</p><p>13. Click Next on the third and fourth steps.</p><p>14. When the user is created successfully, click Show on the Secret access key.</p><p>15. 
Copy both the Access key ID and the Secret access key. Treat them like a password: the secret is shown only once, and it grants whatever the attached policy allows.</p><p>2 Configure the FortiGate</p><p>The FortiGate uses this API access to obtain information from AWS, allowing dynamic objects to stay updated with any changes in the cloud.</p><p>Configure the FortiGate Fabric Connector for AWS</p><p>You will configure the FortiGate to use a Fabric Connector to retrieve information from the AWS account. With this you will be able to create dynamic objects to be used in the FortiGate configuration.</p><p>To create a Fabric Connector for AWS</p><p>1. On the FortiGate from the previous lab, go to Security Fabric > Fabric Connectors.</p><p>2. Click Create New.</p><p>3. Select Amazon Web Services (AWS) in the SDN section.</p><p>4. Configure the following in the Connector Settings:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>AWS Lab</td></tr><tr><td>AWS access key ID</td><td>Use the one obtained from the AWS Console</td></tr><tr><td>AWS secret access key</td><td>Use the one obtained from the AWS Console</td></tr><tr><td>AWS region name</td><td>Type the region code. For example: us-east-1</td></tr><tr><td>AWS VPC ID</td><td>Enable and use the ID of the Lab VPC</td></tr><tr><td>Update Interval</td><td>Use Default</td></tr><tr><td>Status</td><td>Enabled</td></tr></table><p>5. Click OK.</p><p>6. After a few seconds you should see a green arrow in the bottom right corner of the AWS Connector, indicating that the FortiGate can reach the AWS API with these credentials. The FortiGate reaches the API over port1 through the Internet Gateway, so the connector also depends on the outbound connectivity set up in Lab 1.</p><p>To create a FortiGate dynamic object</p><p>1. Go to Policy & Objects > Addresses.</p><p>2. Click Create New > Address.</p><p>3. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>AWS Windows Server Lab</td></tr><tr><td>Type</td><td>Fabric Connector Address</td></tr><tr><td>Fabric Connector Type</td><td>Amazon Web Services (AWS)</td></tr><tr><td>Filter</td><td>Select the InstanceId that matches the Windows Server</td></tr></table><p>4. Click OK.</p><p>5. 
Once created, you should see the Windows Server IP when you hover the mouse over the Address object. If it stays empty, the filter matched no instance or the connector has not polled yet; a dynamic address that resolves to nothing matches no traffic in a policy.</p><p>Configure the FortiGate policy</p><p>You will configure the FortiGate to allow outgoing traffic from the Windows Server using the IP address obtained from the AWS Fabric Connector.</p><p>To create a firewall policy with a dynamic object</p><p>1. Go to Policy & Objects > IPv4 Policy.</p><p>2. Click Create New.</p><p>3. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>Windows Server Outgoing</td></tr><tr><td>Incoming Interface</td><td>port2</td></tr><tr><td>Outgoing Interface</td><td>port1</td></tr><tr><td>Source</td><td>AWS Windows Server Lab</td></tr><tr><td>Destination</td><td>all</td></tr><tr><td>Schedule</td><td>always</td></tr><tr><td>Service</td><td>ALL</td></tr><tr><td>Action</td><td>ACCEPT</td></tr><tr><td>NAT</td><td>Enabled</td></tr><tr><td>Log Allowed Traffic</td><td>All Sessions</td></tr></table><p>4. Click OK.</p><p>Caution: In a production environment you should enable the appropriate Security Profiles to protect the traffic going through this policy.</p><p>3 Testing</p><p>Test your configuration</p><p>You should now be able to browse the Internet from the Windows Server.</p><p>To test your configuration</p><p>1. Connect to the Windows Server via Remote Desktop.</p><p>2. Navigate to https://www.fortinet.com/.</p><p>3. On the FortiGate, go to Log & Report > Forward Traffic. 
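</p>
<p>For this step, and for step 11 of the Lab 1 test, a way to verify the result without scrolling through the GUI: the following Python is an added example, not part of the lab guide or of FortiOS, that parses FortiGate forward-traffic log lines (space-separated key=value pairs with quoted strings, as exported from Log & Report or sent to syslog) and reports the sessions accepted by a named policy plus any hits on the implicit deny. The three log lines embedded in it are constructed to resemble the entries these tests produce, with made-up addresses; real lines carry more fields, which the parser keeps. Implicit-deny entries only exist if Log Violation Traffic is enabled on the Implicit Deny policy.</p>

```python
"""Check FortiGate forward-traffic logs for the sessions each lab test expects."""
# Added example, not part of the lab guide or FortiOS. FortiGate traffic logs are
# space-separated key=value records with quoted strings; the lines below are
# constructed to look like the entries the Testing sections describe (an accepted
# RDP session, an accepted outbound web session, an implicit-deny hit), with
# made-up addresses and device names.
import re
from collections import Counter

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one log line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def sessions_matching(records, policyname, action="accept"):
    """Forward-traffic records logged against a named policy with the given action."""
    return [r for r in records
            if r.get("type") == "traffic" and r.get("subtype") == "forward"
            and r.get("policyname") == policyname and r.get("action") == action]


def implicit_denies(records):
    """Sessions dropped by the implicit deny (policyid=0): the packet reached the
    FortiGate but matched no policy, the usual symptom when the Virtual IP, the
    interface pair or the service on the policy is wrong."""
    return [r for r in records if r.get("action") == "deny" and r.get("policyid") == "0"]


def summary(records):
    """Session count per (policy, action) pair for a quick overview."""
    return Counter((r.get("policyname", "<none>"), r.get("action")) for r in records)


SAMPLE_LOG = """\
date=2020-01-01 time=10:00:01 devname="FortiGate Lab 1" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.5 srcport=51234 srcintf="port1" dstip=10.0.1.50 dstport=3389 dstintf="port2" proto=6 action="accept" policyid=1 policyname="Windows Server Lab RDP policy" service="RDP" sentbyte=5120 rcvdbyte=8192
date=2020-01-01 time=10:05:12 devname="FortiGate Lab 1" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.50 srcport=49700 srcintf="port2" dstip=198.51.100.20 dstport=443 dstintf="port1" proto=6 action="accept" policyid=2 policyname="Windows Server Outgoing" service="HTTPS" sentbyte=2048 rcvdbyte=65536
date=2020-01-01 time=10:06:30 devname="FortiGate Lab 1" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.9 srcport=40000 srcintf="port1" dstip=10.0.0.10 dstport=80 dstintf="port2" proto=6 action="deny" policyid=0 service="HTTP" sentbyte=0 rcvdbyte=0
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(sessions_matching(recs, "Windows Server Lab RDP policy")), "RDP sessions accepted")
    print(len(sessions_matching(recs, "Windows Server Outgoing")), "outbound sessions accepted")
    for r in implicit_denies(recs):
        print("implicit deny:", r["srcip"], "->", r["dstip"], "port", r["dstport"])
    print(summary(recs))
```

<p>An implicit-deny entry whose dstip is the FortiGate's port1 address and whose dstport is the forwarded port (3389 here, 80 in Lab 3) means the packet reached the firewall but matched no policy, so the Virtual IP, the interface pair or the service on the policy is wrong; no entry at all usually points at the Security Group or the route tables instead.</p>
<p>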
If the connection was successful you should have logs on the FortiGate matching the Windows Server Outgoing policy.</p><p>LAB 3 — FortiWeb deployment in AWS</p><p>In this lab, you will deploy and configure a FortiWeb on the private network to add Web Application Firewall (WAF) protection to a web service running on a Windows Server.</p><p>Objectives</p><p>• Launch a FortiWeb from the AWS Marketplace</p><p>• Configure the VPC network and security</p><p>• Install IIS on the Windows Server</p><p>• Configure the FortiWeb to reverse proxy and protect the IIS web service</p><p>• Configure the FortiGate to allow HTTP traffic to the FortiWeb</p><p>Time to Complete</p><p>Estimated: 30 minutes</p><p>1 Deploy a FortiWeb from the AWS Marketplace</p><p>You will launch a single FortiWeb using the AWS Marketplace. Afterwards you will have to adjust some network and security settings in the EC2 Console.</p><p>Launch a FortiWeb EC2 instance</p><p>You will launch a single FortiWeb using the AWS Marketplace.</p><p>To launch a FortiWeb</p><p>1. Go to the AWS Console.</p><p>2. Go to EC2 Console > Instances.</p><p>3. Click Launch Instance.</p><p>4. On the Launch Instance wizard, click AWS Marketplace on the left panel.</p><p>5. Type Fortiweb in the search box and press Enter, then click Select on the Fortinet FortiWeb Web Application Firewall WAF VM PAYG version.</p><p>Note: If you have a license you may select the FortiWeb BYOL version; you will have to register the license code on the Fortinet support site, download the license file and upload it to the FortiWeb GUI after launching it.</p><p>6. 
On the Fortinet FortiWeb Web Application Firewall WAF VM pop-up, click the View Additional Details in AWS Marketplace link to be able to specify the FortiWeb OS version to launch.</p><p>7. On the Product Overview page, select Continue to Subscribe.</p><p>8. On the launch settings select c4.large as the EC2 Instance Type and click Next: Configure Instance Details.</p><p>9. On VPC Settings select the previously created VPC.</p><p>10. Select the private subnet 10.0.1.0/24 under Subnet Settings.</p><p>11. On the Security Group Settings section, click Create New Based On Seller Settings.</p><p>12. Click Save.</p><p>13. On the Key Pair Settings select Lab.</p><p>14. Click Launch. Once the instance is running, rename it to FortiWeb Lab in EC2 Console > Instances, as you did for the other instances; the following steps use that name.</p><p>Configure the instance's network and security</p><p>For this particular lab you will need to modify some network and security settings in the EC2 Console.</p><p>To configure the FortiWeb Security Group</p><p>1. Go to EC2 Console > Security Groups.</p><p>2. Select FortiWeb Security Group.</p><p>3. Click the Inbound tab.</p><p>4. Click Edit.</p><p>5. In the Edit inbound rules pop-up, click Add Rule.</p><p>6. Configure the following in the new rule:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Type</td><td>Custom TCP</td></tr><tr><td>Protocol</td><td>TCP</td></tr><tr><td>Port Range</td><td>8443</td></tr><tr><td>Source</td><td>0.0.0.0/0</td></tr></table><p>7. Click Save.</p><p>Note: TCP 8443 is the FortiWeb management GUI. The FortiWeb has no public IP and sits in the private subnet, so in this lab the port is only reachable from inside the VPC (you will use the Windows Server); setting the Source to 10.0.0.0/16 instead of 0.0.0.0/0 makes that explicit.</p><p>To configure the FortiWeb Network Interface</p><p>1. Go to EC2 Console > Instances.</p><p>2. Select FortiWeb Lab.</p><p>3. On the Description tab, click on the eth0 network interface.</p><p>4. Click the Interface ID.</p><p>5. On the Network Interfaces page, with the interface selected, click Actions > Manage IP Addresses.</p><p>6. 
On the Manage IP Addresses pop-up, click Assign new IP.</p><p>7. Leave the Private IP at Auto-Assign.</p><p>8. Click Yes, Update.</p><p>9. Take note of the second assigned Private IP. The FortiWeb will use its primary IP for management and this secondary IP for the virtual server that fronts IIS.</p><p>To configure the Windows Server Security Group</p><p>1. Go to EC2 Console > Instances.</p><p>2. Select Windows Server Lab.</p><p>3. On the Description tab, click the assigned Security group.</p><p>4. On the Security Groups page, with the security group selected, click the Inbound tab.</p><p>5. Click Edit.</p><p>6. In the Edit inbound rules pop-up, click Add Rule.</p><p>7. Configure the following in the new rule:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Type</td><td>HTTP</td></tr><tr><td>Protocol</td><td>TCP</td></tr><tr><td>Port Range</td><td>80</td></tr><tr><td>Source</td><td>0.0.0.0/0</td></tr></table><p>8. Click Save.</p><p>Note: Because the FortiWeb works as a reverse proxy, IIS only ever receives connections from the FortiWeb's own address. Outside the lab, set the Source of this rule to the FortiWeb's IP or the private subnet 10.0.1.0/24 rather than 0.0.0.0/0, so that nothing can reach IIS without passing through the WAF.</p><p>2 Protect the Web Service with FortiWeb</p><p>You will install IIS on the Windows Server, configure the FortiWeb to reverse proxy and protect it, and finally configure the FortiGate to allow incoming HTTP traffic on the Elastic IP to reach the FortiWeb.</p><p>Install IIS on the Windows Server</p><p>Basic installation of IIS on Windows Server with the default home page.</p><p>To install IIS on Windows Server</p><p>1. Connect to the Windows Server using Remote Desktop.</p><p>2. Click on the Windows Menu.</p><p>3. Click on the Windows PowerShell app icon.</p><p>4. In the Windows PowerShell window, paste the following command and press Enter: Install-WindowsFeature -Name Web-Server -IncludeManagementTools</p><p>5. Wait a couple of minutes for the installation to complete.</p><p>6. 
Test the installation by browsing to http://localhost from the Windows Server's web browser; the default IIS page should appear.</p><p>Configure the FortiWeb</p><p>Configure the FortiWeb as a reverse proxy to protect the Web Server with the WAF.</p><p>To access the FortiWeb</p><p>1. From the Windows Server web browser, access the FortiWeb on its primary private IP over HTTPS on port 8443.</p><p>2. Log in to the FortiWeb using the admin user and the Instance ID as the password.</p><p>3. You will be prompted to change the password.</p><p>4. Go to Server Objects > Server > Server Pool and click Create New > Create HTTP Server Pool.</p><p>5. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>WebServerPool</td></tr><tr><td>Type</td><td>Reverse Proxy</td></tr><tr><td>Single Server/Server Balance</td><td>Single Server</td></tr></table><p>6. Click OK.</p><p>7. Click Create New.</p><p>8. Configure the following on the New Server Pool Rule:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Status</td><td>Enable</td></tr><tr><td>Server Type</td><td>IP</td></tr><tr><td>IP</td><td>Use the Windows Server IP</td></tr><tr><td>Port</td><td>80</td></tr><tr><td>Connection Limit</td><td>0</td></tr><tr><td>HTTP/2</td><td>Disabled</td></tr><tr><td>SSL</td><td>Disabled</td></tr></table><p>9. Click OK.</p><p>10. Go to Server Objects > Server > Virtual Server and click Create New.</p><p>11. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>WebService</td></tr><tr><td>Use Interface IP</td><td>Disabled</td></tr><tr><td>IPv4 Address</td><td>Use the second private IP of the FortiWeb</td></tr><tr><td>Interface</td><td>port1</td></tr></table><p>12. Click OK.</p><p>13. Go to Policy > Server Policy and click Create New > Create HTTP Policy.</p><p>14. 
Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Policy Name</td><td>WebServicePolicy</td></tr><tr><td>Deployment Mode</td><td>Single Server/Server Pool</td></tr><tr><td>Virtual Server</td><td>WebService</td></tr><tr><td>Server Pool</td><td>WebServerPool</td></tr><tr><td>Client Real IP</td><td>Disabled</td></tr><tr><td>HTTP Service</td><td>HTTP</td></tr><tr><td>Redirect HTTP to HTTPS</td><td>Disabled</td></tr><tr><td>Web Protection Profile</td><td>Inline Medium Level Security</td></tr></table><p>15. Click OK.</p><p>Caution: In a production environment you should enable the appropriate security settings to protect the traffic going through this policy. With Client Real IP disabled, IIS logs show the FortiWeb's address as the client; the FortiWeb traffic log you enable below keeps the real source address.</p><p>16. Go to Log&Report > Log Config > Other Log Settings.</p><p>17. Enable the Traffic Log.</p><p>18. Click Apply.</p><p>Configure the FortiGate</p><p>Configure the FortiGate to allow HTTP traffic from the Elastic IP to the FortiWeb.</p><p>To configure the FortiGate</p><p>1. On the FortiGate from the previous lab, go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.</p><p>2. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>WebService FortiWeb protected</td></tr><tr><td>Interface</td><td>port1</td></tr><tr><td>External IP Address</td><td>Use the FortiGate port1 IP</td></tr><tr><td>Mapped IP Address</td><td>Use the FortiWeb second IP</td></tr><tr><td>Port Forwarding</td><td>Enabled</td></tr><tr><td>Protocol</td><td>TCP</td></tr><tr><td>External Service Port</td><td>80</td></tr><tr><td>Map to Port</td><td>80</td></tr></table><p>3. Click OK.</p><p>4. Go to Policy & Objects > IPv4 Policy and click Create New.</p><p>5. Configure the following:</p><table><tr><th>Field</th><th>Value</th></tr><tr><td>Name</td><td>WebService Policy</td></tr><tr><td>Incoming Interface</td><td>port1</td></tr><tr><td>Outgoing Interface</td><td>port2</td></tr><tr><td>Source</td><td>all</td></tr><tr><td>Destination</td><td>WebService FortiWeb protected</td></tr><tr><td>Schedule</td><td>always</td></tr><tr><td>Service</td><td>HTTP</td></tr><tr><td>Action</td><td>ACCEPT</td></tr><tr><td>NAT</td><td>Disabled</td></tr><tr><td>Log Allowed Traffic</td><td>All Sessions</td></tr></table><p>6. 
Click OK.</p><p>3 Testing</p><p>Test your configuration</p><p>You should now be able to access the IIS home page from your computer.</p><p>To test your configuration</p><p>1. Navigate to the FortiGate Elastic IP over HTTP from your computer's web browser.</p><p>2. On the FortiGate, go to Log & Report > Forward Traffic. If the connection was successful you should have logs on the FortiGate matching the WebService Policy.</p><p>3. On the FortiWeb, go to Log&Report > Log Access > Traffic. You should have logs on the FortiWeb matching the WebServicePolicy.</p><p>4 Terminate the lab</p><p>Today's lab is done</p><p>You may now terminate all the resources created in the AWS console to prevent unnecessary running costs.</p><p>To terminate your Instances</p><p>1. In the AWS Console, go to EC2 Console > Instances.</p><p>2. Select all the instances.</p><p>3. Click Actions > Instance State > Terminate.</p><p>4. Check Release attached Elastic IPs and confirm the termination by clicking Yes, Terminate.</p><p>5. Do not delete the Key Pair, VPC, Subnets, Route Tables and Internet Gateway, as you will use them in the next labs. Terminating the instances does not remove the FortiGate IAM user or its access key from Lab 2; delete or rotate that key once the labs are finished.</p>