Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Adding Axis Secure Web Gateway to a Fortigate SD-WAN

This thread has been viewed 24 times
  • 1.  Adding Axis Secure Web Gateway to a Fortigate SD-WAN

    Posted Feb 28, 2024 01:45 PM

    Steps executed on a Fortigate 60F running FortiOS: 7.2.4

    Step 1: Create a Location

    Go to Policy Locations and create a new Location

    Add name, subnet range name and subnet range


    Step 2: Create IPSEC tunnel

    On the Axis Admin Portal:

    Go to settings > Connectors > Tunnel

    Create new IPSEC tunnel and associate the IPSEC tunnel with the Location you created in step 1

     

    Step 3: Create a Policy Rule

    Go to Policy > Rules

    Add a new rule, make sure to set the Source as your home location, set the action to "Allow", and click Apply/Commit changes

    Step 4: Create Custom Tunnel on the Fortigate

    Click Next

     

    Step 5: IPSEC generic settings

    Chosen settings:

    ·        Choose dynamic DNS (non-standard setting)

    ·        Choose Mode Config (non-standard setting) < the remote site will inject default route

    ·        NAT traversal (standard setting)

    ·        The rest are all standard settings too


    Step 6: Phase 1, PSK settings

    Fill PSK and chose IKE Version 2.


    Step 7: Phase 1 proposal settings

    Just leave in the standard settings but make sure the "ID" field of the Axis Tunnel matches the "Local ID" field.


    Step 8: Phase 2 settings

    Just use the standard settings

     

    Step 9: Create new SD-WAN Zone

    Create a new SD-WAN Zone

    And add the new Axis interfaces

    In my case: SD-WAN Zone "Overlay"

    Interfaces: Axis-Primary and Axis-Backup

     

    Step 10: Add the Axis Interfaces to IP SLA (not mandatory)

    Step 11: Create SDWAN Rule

    Make sure to select the new SD-WAN Zone and appropriate source

    Destination can be anything

    Interfaces have to be the Axis VPN interfaces


    Step 12: Add Firewall Policies

    Add two Firewall Policies with NAT disabled to and from Axis to your local subnet

    In my case I created a test VLAN called Axis, allocated a subnet which I named "Axis address"

    Outgoing interface should be the newly created SD-WAN Zone (Overlay in my case) for all traffic towards Axis VPN and the opposite for return traffic.



    Proof that my Iphone is using Axis Cloud



  • 2.  RE: Adding Axis Secure Web Gateway to a Fortigate SD-WAN

    EMPLOYEE
    Posted Mar 01, 2024 07:47 AM

    Great work! Thanks for sharing.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------