{"id":26054,"date":"2023-01-02T14:51:20","date_gmt":"2023-01-02T14:51:20","guid":{"rendered":"https:\/\/cloud-cod.com\/?p=26054"},"modified":"2023-11-03T16:15:26","modified_gmt":"2023-11-03T16:15:26","slug":"deploying-fortigate-firewalls-in-azure-transit-firenet","status":"publish","type":"post","link":"https:\/\/cloud-cod.com\/index.php\/2023\/01\/02\/deploying-fortigate-firewalls-in-azure-transit-firenet\/","title":{"rendered":"Deploying Fortigate Firewalls in Azure Transit Firenet"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"26054\" class=\"elementor elementor-26054\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f6e65eb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f6e65eb\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-cbdb876\" data-id=\"cbdb876\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c16f72e elementor-widget elementor-widget-heading\" data-id=\"c16f72e\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! 
elementor - v3.17.0 - 01-11-2023 *\/\n.elementor-heading-title{padding:0;margin:0;line-height:1}.elementor-widget-heading .elementor-heading-title[class*=elementor-size-]>a{color:inherit;font-size:inherit;line-height:inherit}.elementor-widget-heading .elementor-heading-title.elementor-size-small{font-size:15px}.elementor-widget-heading .elementor-heading-title.elementor-size-medium{font-size:19px}.elementor-widget-heading .elementor-heading-title.elementor-size-large{font-size:29px}.elementor-widget-heading .elementor-heading-title.elementor-size-xl{font-size:39px}.elementor-widget-heading .elementor-heading-title.elementor-size-xxl{font-size:59px}<\/style><h2 class=\"elementor-heading-title elementor-size-default\">Introduction<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-79df3d7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"79df3d7\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5b6b8c3\" data-id=\"5b6b8c3\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f829325 elementor-widget elementor-widget-text-editor\" data-id=\"f829325\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! 
elementor - v3.17.0 - 01-11-2023 *\/\n.elementor-widget-text-editor.elementor-drop-cap-view-stacked .elementor-drop-cap{background-color:#69727d;color:#fff}.elementor-widget-text-editor.elementor-drop-cap-view-framed .elementor-drop-cap{color:#69727d;border:3px solid;background-color:transparent}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap{margin-top:8px}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap-letter{width:1em;height:1em}.elementor-widget-text-editor .elementor-drop-cap{float:left;text-align:center;line-height:1;font-size:50px}.elementor-widget-text-editor .elementor-drop-cap-letter{display:inline-block}<\/style>\t\t\t\t<p>There have been some blog articles already created describing the deployment of Fortigate Firewalls in Aviatrix Transit Firenet, incl. the best one that I have seen so far:\u00a0<a href=\"https:\/\/rtrentinsworld.com\/2022\/06\/03\/deploying-an-aviatrix-firenet-on-azure-with-fortinet-fortigate\/\" target=\"_blank\" rel=\"noopener\">Ricardo Trentin&#8217;s one<\/a>. 
Nevertheless, I wanted to share additional pieces of information that might be informative.<\/p><p>The purpose of this post is to show:<\/p><ul><li>how to create Firenet from a normal Aviatrix Transit VNET in Azure<\/li><li>how to deploy Fortigate using a specific image ID<\/li><li>how to perform the initial setup of Fortigate Firewalls<\/li><\/ul>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6728146 elementor-widget elementor-widget-heading\" data-id=\"6728146\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Fortigate in Azure Firenet - overview<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e8f7a41 elementor-widget elementor-widget-image\" data-id=\"e8f7a41\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! 
elementor - v3.17.0 - 01-11-2023 *\/\n.elementor-widget-image{text-align:center}.elementor-widget-image a{display:inline-block}.elementor-widget-image a img[src$=\".svg\"]{width:48px}.elementor-widget-image img{vertical-align:middle;display:inline-block}<\/style>\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate_in_Aviatrix_Firenet_diagram\" data-elementor-lightbox-description=\"Aviatrix Firenet with Fortigate Firewalls - diagram\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNTYsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvRm9ydGlnYXRlX2luX0F2aWF0cml4X0ZpcmVuZXRfZGlhZ3JhbS5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"302\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram-768x302.png\" class=\"attachment-medium_large size-medium_large wp-image-26056\" alt=\"Aviatrix Firenet with Fortigate Firewalls - diagram\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram-768x302.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram-300x118.png 300w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram-1024x403.png 1024w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram-1536x604.png 1536w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/Fortigate_in_Aviatrix_Firenet_diagram-2048x806.png 2048w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Aviatrix Firenet with Fortigate Firewalls - 
diagram<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-37d5b1c elementor-widget elementor-widget-text-editor\" data-id=\"37d5b1c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-weight: var( --e-global-typography-text-font-weight ); font-size: 0.875rem;\">The Aviatrix\u00a0<\/span><a style=\"font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-weight: var( --e-global-typography-text-font-weight ); font-size: 0.875rem; background-color: #ffffff;\" href=\"https:\/\/registry.terraform.io\/modules\/terraform-aviatrix-modules\/mc-firenet\/aviatrix\/latest\" target=\"_blank\" rel=\"noopener\">mc-firenet<\/a><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-weight: var( --e-global-typography-text-font-weight ); font-size: 0.875rem;\">\u00a0module will be used for deploying Firewalls in Azure Transit. The mc-firenet module must be used in conjunction with\u00a0<\/span><a style=\"font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-weight: var( --e-global-typography-text-font-weight ); font-size: 0.875rem; background-color: #ffffff;\" href=\"https:\/\/registry.terraform.io\/modules\/terraform-aviatrix-modules\/mc-transit\/aviatrix\/latest\" target=\"_blank\" rel=\"noopener\">mc-transit<\/a><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-weight: var( --e-global-typography-text-font-weight ); font-size: 0.875rem;\">\u00a0module. 
Hence, it is required to deploy the Transit VNET using the mc-transit module first.<\/span><\/p><p>The mc-transit module creates a VNET in Azure with a few subnets (those subnets can be seen in the diagram above). From Fortigate FW1\u2019s perspective the most important ones are:<br \/>\u2022 \u201c-Public-FW-ingress-egress-1\u201d where the Network Interface of FW1 port1 (Internet\/WAN) is placed<br \/>\u2022 \u201c-dmz-firewall-lan\u201d where the Network Interface of FW1 port2 (LAN) is placed<br \/>In the case of FW2 those subnets are called \u201c-Public-FW-ingress-egress-2\u201d and \u201c-hagw-dmz-firewall-lan\u201d respectively.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a2ccb8c elementor-widget elementor-widget-heading\" data-id=\"a2ccb8c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">1 - Deploying the Fortigate Firewalls using Terraform<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dd2faf8 elementor-widget elementor-widget-text-editor\" data-id=\"dd2faf8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>I have created the Transit VNET using the following TF code:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-db2185c elementor-widget elementor-widget-code-highlight\" data-id=\"db2185c\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>module \"mc-transit\" {\r\n  source                 = 
\"terraform-aviatrix-modules\/mc-transit\/aviatrix\"\r\n  version                = \"2.4.0\"\r\n  cloud                  = \"Azure\"\r\n  cidr                   = \"10.11.0.0\/16\"\r\n  region                 = \"East US\"\r\n  account                = \"Azure-Jakub\"\r\n  enable_transit_firenet = true\r\n  instance_size          = \"Standard_B2ms\"\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6b7e0d3 elementor-widget elementor-widget-text-editor\" data-id=\"6b7e0d3\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span style=\"color: var( --e-global-color-text ); font-family: var( --e-global-typography-text-font-family ), Sans-serif; font-weight: var( --e-global-typography-text-font-weight ); font-size: 0.875rem;\">Now, it is time to create the Fortigate Firewalls (two of them) using the mc-firenet module. As you may notice below, we will use a data source to gather the CIDR used by the \u201c-Public-FW-ingress-egress-1\u201d subnet. 
The same CIDR is used for both &#8220;egress_cidr&#8221; and &#8220;mgmt_cidr&#8221; as there is no separate mgmt interface in Fortigate.<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-84067df elementor-widget elementor-widget-text-editor\" data-id=\"84067df\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Please notice that if you want to use a FortiOS version that is not listed in the Controller GUI, you must use the \u201cfirewall_image_id\u201d argument instead of \u201cfirewall_image_version\u201d (as shown in the mc-firenet code below).<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4e89591 elementor-widget elementor-widget-heading\" data-id=\"4e89591\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Creating REST_API User<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dcf233e elementor-widget elementor-widget-text-editor\" data-id=\"dcf233e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The REST_API user will be created using the Fortigate GUI. 
The user will have an Admin Profile assigned.<\/p><p>Let\u2019s create the Admin Profile \u201capi_admin\u201d first:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-abf4423 elementor-widget elementor-widget-code-highlight\" data-id=\"abf4423\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>data \"azurerm_subnet\" \"public_ingress_egress_firewall_subnet\" {\r\n  name                 = \"${module.mc-transit.vpc.name}-Public-FW-ingress-egress-1\"\r\n  virtual_network_name = module.mc-transit.vpc.name\r\n  resource_group_name  = module.mc-transit.vpc.resource_group\r\n}\r\n\r\nmodule \"mc-firenet\" {\r\n  source  = \"terraform-aviatrix-modules\/mc-firenet\/aviatrix\"\r\n  version = \"1.4.0\"\r\n\r\n  #required:\r\n  transit_module = module.mc-transit\r\n  firewall_image = \"Fortinet FortiGate (PAYG_20190624) Next-Generation Firewall Latest Release\" # name as it appears in Aviatrix Controller GUI: Firewall Network -> Setup -> Firewall -> step 2a, field: Firewall Image \r\n\r\n  #optional:\r\n  custom_fw_names = [\"Azure-FW1\", \"Azure-FW2\"]\r\n  #firewall_image_version = \"7.0.5\"                                                              # Aviatrix Controller GUI: Firewall Network -> Setup -> Firewall -> step 2a, field: Firewall Image Version\r\n  firewall_image_id  = \"fortinet:fortinet_fortigate-vm_v5:fortinet_fg-vm_payg_2022:7.0.9\"       # if firewall_image_id is used -> argument firewall_image_version must be commented out\r\n  fw_amount          = \"2\"\r\n  egress_cidr        = data.azurerm_subnet.public_ingress_egress_firewall_subnet.address_prefix # Public-FW-ingress-egress-1 subnet CIDR for FW az-1\r\n  
egress_enabled     = true                                                                     # default = false, once set to true a default route will be generated by Transit GW and advertised everywhere\r\n  inspection_enabled = true\r\n  instance_size      = \"Standard_D3_v2\"\r\n  mgmt_cidr          = data.azurerm_subnet.public_ingress_egress_firewall_subnet.address_prefix # Public-FW-ingress-egress-1 subnet CIDR for FW az-1\r\n  username           = \"fwadmin\"                                                                # default username is fwadmin\r\n  password           = \"<your_password>\"\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5a867c1 elementor-widget elementor-widget-image\" data-id=\"5a867c1\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_admin_profile.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - Admin Profile creation\" data-elementor-lightbox-description=\"Fortigate - Admin Profile creation\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNTgsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX2FkbWluX3Byb2ZpbGUucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"507\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_admin_profile-768x507.png\" class=\"attachment-medium_large size-medium_large wp-image-26058\" alt=\"Fortigate - Admin Profile creation\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_admin_profile-768x507.png 768w, 
https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_admin_profile-300x198.png 300w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_admin_profile-1024x676.png 1024w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_admin_profile.png 1376w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - Admin Profile creation<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a58bc6a elementor-widget elementor-widget-text-editor\" data-id=\"a58bc6a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The set of permissions depends on the pieces of configuration you want to modify later with Terraform, e.g.<\/p><ul><li>interface\/port \u2013 requires Read\/Write for Network\/Configuration<\/li><li>(optionally) static route \u2013 requires Read\/Write for Network\/Router<\/li><li>(optionally) policy \u2013 requires Read\/Write for Firewall\/Policy<\/li><\/ul>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b32f2a9 elementor-widget elementor-widget-image\" data-id=\"b32f2a9\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_permissions.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - Required Permissions\" data-elementor-lightbox-description=\"Fortigate - Required Permissions\" 
data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNTksInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX3Blcm1pc3Npb25zLnBuZyJ9\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1100\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_permissions-768x1100.png\" class=\"attachment-medium_large size-medium_large wp-image-26059\" alt=\"Fortigate - Required Permissions\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_permissions-768x1100.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_permissions-209x300.png 209w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_permissions-715x1024.png 715w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_permissions.png 968w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - Required Permissions<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-24a2ea9 elementor-widget elementor-widget-text-editor\" data-id=\"24a2ea9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Once Admin Profile is there, the REST-API user can be created:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-491b8e4 elementor-widget elementor-widget-image\" data-id=\"491b8e4\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_1.png\" 
data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - creation of REST_API user\" data-elementor-lightbox-description=\"Fortigate - creation of REST_API user\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNjAsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX3Jlc3RfYXBpXzEucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"400\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_1-640x400.png\" class=\"attachment-onepress-medium size-onepress-medium wp-image-26060\" alt=\"Fortigate - creation of REST_API user\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_1-640x400.png 640w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_1-480x300.png 480w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - creation of REST_API user<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed5c212 elementor-widget elementor-widget-image\" data-id=\"ed5c212\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - creation of REST_API user\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNjEsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX3Jlc3RfYXBpXzIucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" 
height=\"373\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2-768x373.png\" class=\"attachment-medium_large size-medium_large wp-image-26061\" alt=\"Fortigate - creation of REST_API user\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2-768x373.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2-300x146.png 300w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2-1024x497.png 1024w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2-1536x745.png 1536w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_rest_api_2.png 1948w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - creation of REST_API user<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5eb5ff1 elementor-widget elementor-widget-text-editor\" data-id=\"5eb5ff1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Please copy the Token for the API-admin user and store it in a safe place. 
It will be required in the configuration later.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6e2e386 elementor-widget elementor-widget-heading\" data-id=\"6e2e386\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Fortigate Provider in Terraform<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9da4d14 elementor-widget elementor-widget-text-editor\" data-id=\"9da4d14\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>\u201cfortios\u201d is the name of the provider to be used in Terraform.<\/p><p>There are two Firewalls deployed, which means two Tokens, and therefore two provider sections must be configured. The Terraform \u201calias\u201d will be used to distinguish between FW-1 and FW-2.<\/p><p>The \u201cazurerm\u201d provider is required by the data sources used later.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d5b939b elementor-widget elementor-widget-code-highlight\" data-id=\"d5b939b\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>terraform {\r\n  required_providers {\r\n    aviatrix = {\r\n      source = \"AviatrixSystems\/aviatrix\"\r\n      version = \"3.0.0\"\r\n    }\r\n\r\n    azurerm = {\r\n      source  = \"hashicorp\/azurerm\"\r\n      version = \">= 2.39\"\r\n    }\r\n\r\n    fortios = {\r\n      source = \"fortinetdev\/fortios\"\r\n      version = \"1.16.0\"\r\n    }\r\n 
 }\r\n}\r\n\r\n\r\nprovider \"aviatrix\" {\r\n  # Aviatrix Controller\r\n  username      = var.controller_username\r\n  password      = var.controller_password\r\n  controller_ip = var.controller_ip\r\n}\r\n\r\nprovider \"fortios\" {\r\n  hostname = \"<Public-IP-FW1>\"                  # IP of the FW\r\n  token    = \"<Token-FW1>\"                      # token from FW1 GUI for REST API admin. data source can be used with a reference to Key Vault or Secrets Manager\r\n  insecure = \"true\"                             # skips TLS certificate verification of the FW management interface\r\n  alias    = \"fw1\"\r\n}\r\n\r\nprovider \"fortios\" {\r\n  hostname = \"<Public-IP-FW2>\"                  # IP of the FW\r\n  token    = \"<Token-FW2>\"                      # token from FW2 GUI for REST API admin (each FW has its own token). data source can be used with a reference to Key Vault or Secrets Manager\r\n  insecure = \"true\"                             # skips TLS certificate verification of the FW management interface\r\n  alias    = \"fw2\"\r\n}\r\n\r\nprovider \"azurerm\" {\r\n  features {}\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7670946 elementor-widget elementor-widget-heading\" data-id=\"7670946\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Fortigate Interface Configuration using Terraform<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-290d528 elementor-widget elementor-widget-text-editor\" data-id=\"290d528\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The WAN interface (port1) is configured properly by default. 
However, the port2 (LAN interface) configuration must be adjusted (and its default config varies between FortiOS versions).<\/p><p>Use the following TF code to configure port2 (Read\/Write permission for Network\/Configuration is required):<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34162a9 elementor-widget elementor-widget-code-highlight\" data-id=\"34162a9\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp># Configure port2 (LAN) for Firewall Instance [0]\r\nresource \"fortios_system_interface\" \"fw1_lan_intf\" {\r\n  provider     = fortios.fw1\r\n  algorithm    = \"L4\"\r\n  defaultgw    = \"disable\" #default gateway from dhcp must be disabled\r\n  alias        = \"lan-int\"\r\n  mtu          = 1500\r\n  mtu_override = \"disable\"\r\n  name         = \"port2\"\r\n  type         = \"physical\"\r\n  vdom         = \"root\"\r\n  mode         = \"dhcp\"\r\n  allowaccess  = \"https\" #https required by Azure LB Health Checks\r\n  depends_on   = [module.mc-firenet]\r\n}\r\n\r\n# Configure port2 (LAN) for Firewall Instance [1]\r\nresource \"fortios_system_interface\" \"fw2_lan_intf\" {\r\n  provider     = fortios.fw2\r\n  algorithm    = \"L4\"\r\n  defaultgw    = \"disable\" #default gateway from dhcp must be disabled\r\n  alias        = \"lan-int\"\r\n  mtu          = 1500\r\n  mtu_override = \"disable\"\r\n  name         = \"port2\"\r\n  type         = \"physical\"\r\n  vdom         = \"root\"\r\n  mode         = \"dhcp\"\r\n  allowaccess  = \"https\" #https required by Azure LB Health Checks\r\n  depends_on   = 
[module.mc-firenet]\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7ad83e6 elementor-widget elementor-widget-heading\" data-id=\"7ad83e6\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Aviatrix Vendor Integration using Terraform<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0dcdf5b elementor-widget elementor-widget-text-editor\" data-id=\"0dcdf5b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The \u201cVendor Integration\u201d feature configures static routes (for RFC1918 and Azure LB HealthCheck) on Fortigate.<\/p><p>Please notice that a Fortigate token for REST_API is required.<\/p><p>The REST_API user must also have the following permissions: Read\/Write for both Network\/Router and Network\/Configuration.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-40b5b12 elementor-widget elementor-widget-code-highlight\" data-id=\"40b5b12\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp># Fortigate tokens can be stored in Key Vault or Secrets Manager and referenced as a data source\r\n# Remark: an appropriate KeyVault Access Policy must be set\r\ndata \"azurerm_key_vault_secret\" \"fortigate11token\" {\r\n  name         = \"fortigate11token\"\r\n  key_vault_id = 
\"\/subscriptions\/0820a232-xxxxxxxxxx\/resourceGroups\/fw_yara_kv\/providers\/Microsoft.KeyVault\/vaults\/fwyarakv\" # ID from JSON view of KeyVault\r\n}\r\n\r\ndata \"azurerm_key_vault_secret\" \"fortigate12token\" {\r\n  name         = \"fortigate12token\"\r\n  key_vault_id = \"\/subscriptions\/0820a232-xxxxxxxxxx\/resourceGroups\/fw_yara_kv\/providers\/Microsoft.KeyVault\/vaults\/fwyarakv\" # ID from JSON view of KeyVault\r\n}\r\n\r\ndata \"aviatrix_firenet_vendor_integration\" \"fw1\" {\r\n  vpc_id        = module.mc-transit.transit_gateway.vpc_id\r\n  instance_id   = module.mc-firenet.aviatrix_firewall_instance[0].instance_id\r\n  vendor_type   = \"Fortinet FortiGate\"                                      # \"Generic\", \"Palo Alto Networks VM-Series\", \"Aviatrix FQDN Gateway\" and \"Fortinet FortiGate\"\r\n  public_ip     = module.mc-firenet.aviatrix_firewall_instance[0].public_ip\r\n  username      = \"apiadmin\"                                                # REST_API user\r\n  password      = module.mc-firenet.aviatrix_firewall_instance[0].password\r\n  api_token     = data.azurerm_key_vault_secret.fortigate11token.value       # Fortigate REST_API user token for FW1\r\n  firewall_name = module.mc-firenet.aviatrix_firewall_instance[0].firewall_name\r\n  save          = true\r\n  #synchronize   = true # \"save\" and \"synchronize\" cannot be invoked at the same time\r\n}\r\n\r\ndata \"aviatrix_firenet_vendor_integration\" \"fw2\" {\r\n  vpc_id        = module.mc-transit.transit_gateway.vpc_id\r\n  instance_id   = module.mc-firenet.aviatrix_firewall_instance[1].instance_id\r\n  vendor_type   = \"Fortinet FortiGate\"                                      # \"Generic\", \"Palo Alto Networks VM-Series\", \"Aviatrix FQDN Gateway\" and \"Fortinet FortiGate\"\r\n  public_ip     = module.mc-firenet.aviatrix_firewall_instance[1].public_ip\r\n  username      = \"apiadmin\"                                                # REST_API user\r\n  password      = 
module.mc-firenet.aviatrix_firewall_instance[1].password\r\n  api_token     = data.azurerm_key_vault_secret.fortigate12token.value       # Fortigate REST_API user token for FW2\r\n  firewall_name = module.mc-firenet.aviatrix_firewall_instance[1].firewall_name\r\n  save          = true\r\n  #synchronize   = true # \"save\" and \"synchronize\" cannot be invoked at the same time\r\n}\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2ea4854 elementor-widget elementor-widget-text-editor\" data-id=\"2ea4854\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The following routes are configured after successful Vendor Integration:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-203fb68 elementor-widget elementor-widget-image\" data-id=\"203fb68\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - routes created by Aviatrix Vendor Integration\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNjIsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX2F2aWF0cml4X3ZlbmRvcl9pbnRlZ3JhdGlvbi5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"103\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration-768x103.png\" class=\"attachment-medium_large size-medium_large wp-image-26062\" alt=\"Fortigate - routes created by Aviatrix Vendor Integration\" 
srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration-768x103.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration-300x40.png 300w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration-1024x137.png 1024w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration-1536x205.png 1536w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_aviatrix_vendor_integration-2048x274.png 2048w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - routes created by Aviatrix Vendor Integration<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cf117e6 elementor-widget elementor-widget-heading\" data-id=\"cf117e6\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Optional: Static Routes configuration using TF instead of Aviatrix Vendor Integration<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0f555db elementor-widget elementor-widget-text-editor\" data-id=\"0f555db\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Please notice that if you do not want to use Aviatrix Vendor Integration (though I cannot see any reason for not using it), you can create all the static routes using the fortios resource called &#8220;fortios_router_static&#8221;. 
Example below:<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0e2611d elementor-widget elementor-widget-code-highlight\" data-id=\"0e2611d\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>##############################################################################\r\n# Optional: Static Route\r\n# Static Routes will be configured via Aviatrix Vendor Integration feature\r\n# However, if required, static route can be configured using TF code\r\n# Example of the code is presented below\r\n##############################################################################\r\n\r\n# Data Sources are required in order to configure static route on FW with appropriate next-hop IP\r\ndata \"azurerm_subnet\" \"dmz_firewall_lan_1\" {\r\n  name                 = \"av-gw-${module.mc-transit.vpc.name}-dmz-firewall-lan\"\r\n  virtual_network_name = module.mc-transit.vpc.name\r\n  resource_group_name  = module.mc-transit.vpc.resource_group\r\n}\r\n\r\ndata \"azurerm_subnet\" \"dmz_firewall_lan_2\" {\r\n  name                 = \"av-gw-${module.mc-transit.vpc.name}-hagw-dmz-firewall-lan\"\r\n  virtual_network_name = module.mc-transit.vpc.name\r\n  resource_group_name  = module.mc-transit.vpc.resource_group\r\n}\r\n\r\n# Configure static route for Azure LB Health Checks\r\nresource \"fortios_router_static\" \"fw1_route_azurelb_hc\" {\r\n  provider        = fortios.fw1\r\n  comment         = \"Route for Azure Load Balancer Health Check\"\r\n  device          = \"port2\" # fixed port\/interface number\r\n  distance        = 10\r\n  dst             = \"168.63.129.16 255.255.255.255\" # fixed IP address 168.63.129.16 255.255.255.255\r\n  
dynamic_gateway = \"disable\"\r\n  gateway         = cidrhost(data.azurerm_subnet.dmz_firewall_lan_1.address_prefix, 1) # next-hop is the dmz-firewall-lan subnet virtual router IP (network address +1, e.g. x.x.x.81 such as 10.11.0.81)\r\n  src             = \"0.0.0.0 0.0.0.0\"\r\n  status          = \"enable\"\r\n  depends_on      = [module.mc-firenet]\r\n}\r\n\r\n# Configure static route for Azure LB Health Checks\r\nresource \"fortios_router_static\" \"fw2_route_azurelb_hc\" {\r\n  provider        = fortios.fw2\r\n  comment         = \"Route for Azure Load Balancer Health Check\"\r\n  device          = \"port2\" # fixed port\/interface number\r\n  distance        = 10\r\n  dst             = \"168.63.129.16 255.255.255.255\" # fixed IP address\r\n  dynamic_gateway = \"disable\"\r\n  gateway         = cidrhost(data.azurerm_subnet.dmz_firewall_lan_2.address_prefix, 1) # next-hop is the hagw-dmz-firewall-lan subnet virtual router IP (network address +1, e.g. x.x.x.129)\r\n  src             = \"0.0.0.0 0.0.0.0\"\r\n  status          = \"enable\"\r\n  depends_on      = [module.mc-firenet]\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6dbf652 elementor-widget elementor-widget-heading\" data-id=\"6dbf652\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Optional: Policy Rules creation using Terraform<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1e78b2c elementor-widget elementor-widget-text-editor\" data-id=\"1e78b2c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>The following code shows how to create a firewall policy rule using Terraform; the example is an optional allow-all LAN-to-LAN policy for East-West traffic with full traffic logging enabled.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b573227 elementor-widget elementor-widget-code-highlight\" data-id=\"b573227\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>##############################################################################\r\n# Optional: Fortigate Default LAN allow any\/any Policy for East-West traffic\r\n##############################################################################\r\nresource \"fortios_firewall_policy\" \"fw1_default_lan_allow\" {\r\n  provider = fortios.fw1\r\n  name     = \"Default LAN to LAN Allow All\"\r\n\r\n  srcaddr { name = \"all\" }\r\n  srcintf { name = 
\"port2\" }\r\n\r\n  dstaddr { name = \"all\" }\r\n  dstintf { name = \"port2\" }\r\n\r\n  service { name = \"ALL\" }\r\n\r\n  action           = \"accept\"\r\n  logtraffic       = \"all\"\r\n  logtraffic_start = \"enable\" # also log traffic when the session starts, not only at session end\r\n\r\n  nat    = \"disable\"\r\n  status = \"enable\"\r\n}\r\n\r\nresource \"fortios_firewall_policy\" \"fw2_default_lan_allow\" {\r\n  provider = fortios.fw2\r\n  name     = \"Default LAN to LAN Allow All\"\r\n\r\n  srcaddr { name = \"all\" }\r\n  srcintf { name = \"port2\" }\r\n\r\n  dstaddr { name = \"all\" }\r\n  dstintf { name = \"port2\" }\r\n\r\n  service { name = \"ALL\" }\r\n\r\n  action           = \"accept\"\r\n  logtraffic       = \"all\"\r\n  logtraffic_start = \"enable\" # also log traffic when the session starts, not only at session end\r\n\r\n  nat    = \"disable\"\r\n  status = \"enable\"\r\n}\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-663ab3d elementor-widget elementor-widget-heading\" data-id=\"663ab3d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2 - Verification<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-055505e elementor-widget elementor-widget-heading\" data-id=\"055505e\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Azure LB Health Check probes<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1735fed elementor-widget elementor-widget-text-editor\" data-id=\"1735fed\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Once the Static Route for Azure LB 
HealthCheck is created (either using Aviatrix Vendor Integration or Terraform resource) you can check the Health Check status in Azure Portal.<\/p><p>Go to Load Balancer -&gt; select the proper LB -&gt; Metrics<\/p><p>Change the Metric to Health Probe Status<\/p><p>Health Checks must be successful for Azure Load Balancer to send traffic to Fortigate FWs.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bd5fcc9 elementor-widget elementor-widget-image\" data-id=\"bd5fcc9\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - Azure LB Health Checks\" data-elementor-lightbox-description=\"Fortigate - Azure LB Health Checks\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNjMsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX2xvYWRiYWxhbmNlcl9wcm9iZXMucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"633\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes-768x633.png\" class=\"attachment-medium_large size-medium_large wp-image-26063\" alt=\"Fortigate - Azure LB Health Checks\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes-768x633.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes-300x247.png 300w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes-1024x844.png 1024w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes-1536x1266.png 1536w, 
https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_loadbalancer_probes.png 1721w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - Azure LB Health Checks<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bcbf3f2 elementor-widget elementor-widget-heading\" data-id=\"bcbf3f2\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Logs for Local Traffic<\/h3>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-68ebfc4 elementor-widget elementor-widget-text-editor\" data-id=\"68ebfc4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>To check that Health Probes are getting to the Firewall itself, we must enable proper logging for Local Traffic.<\/p><p>Go to Log &amp; Report -&gt; Log Settings<\/p><p>Change Local Traffic Log to \u201cAll\u201d<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-abebc76 elementor-widget elementor-widget-image\" data-id=\"abebc76\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - enabling Local Traffic Logs\" data-elementor-lightbox-description=\"Fortigate - enabling Local Traffic Logs\" 
data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNjQsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX2xvZ19sb2NhbF90cmFmZmljLnBuZyJ9\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1352\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic-768x1352.png\" class=\"attachment-medium_large size-medium_large wp-image-26064\" alt=\"Fortigate - enabling Local Traffic Logs\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic-768x1352.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic-170x300.png 170w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic-582x1024.png 582w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic-872x1536.png 872w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic.png 931w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - enabling Local Traffic Logs<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2534a21 elementor-widget elementor-widget-text-editor\" data-id=\"2534a21\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>Now you can go to Log &amp; Report -&gt; Local Traffic<\/p><p>Click on \u201cAdd Filter\u201d, select Destination, and put Azure LB HealthCheck IP 168.63.129.16<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3d9471b elementor-widget elementor-widget-image\" data-id=\"3d9471b\" data-element_type=\"widget\" 
data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"http:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Fortigate - checking Local Traffic Logs\" data-elementor-lightbox-description=\"Fortigate - checking Local Traffic Logs\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjYwNjUsInVybCI6Imh0dHBzOlwvXC9jbG91ZC1jb2QuY29tXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDIzXC8wMVwvZm9ydGlnYXRlX2xvZ19sb2NhbF90cmFmZmljXzIucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"323\" src=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2-768x323.png\" class=\"attachment-medium_large size-medium_large wp-image-26065\" alt=\"Fortigate - checking Local Traffic Logs\" srcset=\"https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2-768x323.png 768w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2-300x126.png 300w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2-1024x431.png 1024w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2-1536x647.png 1536w, https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/fortigate_log_local_traffic_2-2048x862.png 2048w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Fortigate - checking Local Traffic Logs<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Introduction There have been some blog 
articles already created describing the deployment of Fortigate Firewalls in Aviatrix Transit Firenet, incl. the best one that I have seen so far:\u00a0Ricardo Trentin&#8217;s &#8230;<\/p>\n","protected":false},"author":2,"featured_media":26100,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[14,18,16,15,17],"tags":[],"class_list":["post-26054","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aviatrix","category-azure","category-firewall","category-fortigate","category-terraform"],"uagb_featured_image_src":{"full":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1.png",3592,3058,false],"thumbnail":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-150x150.png",150,150,true],"medium":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-300x255.png",300,255,true],"medium_large":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-768x654.png",768,654,true],"large":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-1024x872.png",800,681,true],"1536x1536":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-1536x1308.png",1536,1308,true],"2048x2048":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-2048x1744.png",2048,1744,true],"onepress-blog-small":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-300x150.png",300,150,true],"onepress-small":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-480x300.png",480,300,true],"onepress-medium":["https:\/\/cloud-cod.com\/wp-content\/uploads\/2023\/01\/blog_post6-1-640x400.png",640,400,true]},"uagb_author_info":{"display_name":"Jakub","author_lin
k":"https:\/\/cloud-cod.com\/index.php\/author\/jakub\/"},"uagb_comment_info":663,"uagb_excerpt":"Introduction There have been some blog articles already created describing the deployment of Fortigate Firewalls in Aviatrix Transit Firenet, incl. the best one that I have seen so far:\u00a0Ricardo Trentin&#8217;s ...","_links":{"self":[{"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/posts\/26054","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/comments?post=26054"}],"version-history":[{"count":31,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/posts\/26054\/revisions"}],"predecessor-version":[{"id":26099,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/posts\/26054\/revisions\/26099"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/media\/26100"}],"wp:attachment":[{"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/media?parent=26054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/categories?post=26054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloud-cod.com\/index.php\/wp-json\/wp\/v2\/tags?post=26054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}