FortiGate secure remote access with Terraform beta release.
This script requires the Azure CLI.

- Login to Azure with `az login`.
- Add your Client ID, Subscription ID and Tenant ID to the Terraform `vars.tf`.
- Adjust the `remote_subnet` and `remote_subnet_netmask` variables to match your spoke FortiGate subnet range. The default value is `10.100.81.0`.
- Run `terraform init`.
- Run `terraform apply`.
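Before running `terraform apply`, a quick sanity check on `vars.tf` catches two things that otherwise only surface after the hub is deployed: a `remote_subnet` that is not aligned to `remote_subnet_netmask` (the phase 2 selector then never matches spoke traffic) and a short `psk_key`. The script below is an added example, not part of the Fortinet project; it assumes each variable is declared as an HCL block with a quoted string `default`, and the embedded sample file is constructed for illustration.

```python
"""Pre-flight check for vars.tf before `terraform apply` (added example, not project code)."""
import ipaddress
import re
import sys
from typing import Dict, List

# Constructed sample in the shape of the project's vars.tf (illustrative values);
# the assumption is that every variable carries a quoted string `default`.
SAMPLE_VARS_TF = '''
variable "remote_subnet"         { default = "10.100.81.0" }
variable "remote_subnet_netmask" { default = "255.255.255.0" }
variable "admin_name"            { default = "fgtadmin" }
variable "admin_password"        { default = "ReplaceWithAStrongPassword" }
variable "psk_key"               { default = "tooshort" }
'''

REQUIRED = ("remote_subnet", "remote_subnet_netmask", "admin_name", "admin_password", "psk_key")

# Captures the variable name and its quoted default anywhere inside the block body.
_VAR_RE = re.compile(r'variable\s+"(\w+)"\s*\{[^}]*?default\s*=\s*"([^"]*)"')


def parse_defaults(hcl: str) -> Dict[str, str]:
    """Return {variable_name: default_value} for every string default in the file."""
    return dict(_VAR_RE.findall(hcl))


def check_vars(defaults: Dict[str, str], min_psk_len: int = 16) -> List[str]:
    """Return human-readable findings; an empty list means the file is ready to apply."""
    findings = [f"{k}: no default set" for k in REQUIRED if k not in defaults]
    if "remote_subnet" in defaults and "remote_subnet_netmask" in defaults:
        cidr = f"{defaults['remote_subnet']}/{defaults['remote_subnet_netmask']}"
        try:
            # strict=True rejects host bits under the mask (e.g. 10.100.81.5/24) and a
            # non-contiguous mask; either yields a selector that never matches spoke traffic.
            ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"remote_subnet/remote_subnet_netmask: {exc}")
    psk = defaults.get("psk_key", "")
    if psk and len(psk) < min_psk_len:
        findings.append(f"psk_key: {len(psk)} characters, want at least {min_psk_len}")
    return findings


if __name__ == "__main__":
    # Pass the path to your vars.tf; with no argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VARS_TF
    problems = check_vars(parse_defaults(text))
    print("\n".join(problems) if problems else "vars.tf looks ready for terraform apply")
    sys.exit(1 if problems else 0)
```

A non-zero exit status makes the check usable as a gate in a pipeline step ahead of `terraform apply`.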
To navigate to your deployed FortiGate, use the Public IP address and the default admin port of 8443.

The default admin username and password can be found in `vars.tf` under `admin_name` and `admin_password`.
Note: For ease of configuration, search for EasyKey in the output. It will contain configuration that can be applied to Spoke VPN devices.
Once the Terraform deployment is complete, follow the steps below to attach the spoke to the FortiGate hub.
- Navigate to your spoke FortiGate and open VPN > IPsec Wizard.
- Enter a Name for the spoke.
- For Template type, select `Hub-and-Spoke`.
- Under Role, ensure `Spoke` is selected.
- Click Next and you will be brought to the Authentication tab.

Note: The EasyKey section of the output contains configuration that can be applied to Spoke VPN devices for ease of configuration.

- Under Remote IP Address, enter the Public IP address of the FortiGate you deployed. You can find this value in the outputs; run `terraform output` in the deployment folder to see the results again.
- The Outgoing interface should adjust automatically based on the Remote IP address entered.
- Enter the Pre-shared key. This can be found in the `vars.tf` file under `psk_key`. For EasyKey setup, only the Pre-shared key needs to be entered.
- Select the local interface, and input the local subnet.
- Click Create and the VPN wizard should finalize.
These steps are performed on the FortiOS GUI.

- On the navigation bar, select User & Device > User Definition.
- Click Create New:
  - Select Local User.
  - Set up credentials for the user.
  - (Optional) Add an Email address.
- Click Submit.
These steps are performed on the FortiOS GUI.

- On the navigation bar, select User & Device > User Groups.
- Click Create New:
  - Under Type, select Firewall.
  - Enter the name of the group and select members.
- Click OK.
These steps are performed on the FortiOS GUI.

- On the navigation bar, select VPN > SSL-VPN Settings.
- At the bottom of the SSL-VPN Settings page, there is a table to assign a User and/or User group to specific portals.
- Click Create New:
  - Select a User and/or User group.
  - Select Portal.
- Click OK.
These steps are performed on the FortiOS GUI.

- On the navigation bar, select Policy & Objects > IPv4 Policy.
- Enter a Name for the policy (if not editing an existing one).
- The Incoming Interface should be the SSL-VPN tunnel interface (`ssl.root`).
- Select the desired Outgoing interface.
- Under Source, select addresses and, on the User tab, select the User and/or User group.
- Select a Destination and Service.
- Click OK.
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact [email protected].
License © Fortinet Technologies. All rights reserved.