Overview
The purpose of this document is to describe the requirements and general information for building a Hub & Spoke architecture using FortiGate-VM on Oracle Cloud Infrastructure (OCI). Basic OCI and FortiGate-VMexperience are recommended.
This configuration was validated using FortiGate-VM version 6.2.3.
For more details on how to use the FortiGate-VM product, please visit Fortinet official website - https://www.fortinet.com.
Caveats and Limitations
FortiGate-VM on OCI Marketplace
We recommend using the latest FortiGate-VM version with support for SR-IOV.
The license model for FortiGate-VM on OCI changed with version 6.0.2. The number of vCPUs indicated by the license does not restrict the FortiGate-VM from working on a compute shapes with a greater number of VCPUs. The rest of the VCPUs are not used.
https://docs2.fortinet.com/vm/oci/FortiGate-VM/6.0/about-FortiGate-VM-for-oci/6.0.0/43335/models
This new license model works only on version 6. An active FortiGate-VM license can work on both version 5 and 6.
A trial or permanent license needs to be used to be able to configure FortiGate-VM using GUI.
For installing FortiGate-VM on OCI read this page https://www.ateam-oracle.com/fortinet-FortiGate-VM-oci-installation.
Step 1. Solution description.
Step 2. Prerequisites for FortiGate-VM and OCI.
Step 3. Pros and Cons for different network architectures.
Step 1. Solution description.
Some customers want to use 3rd party firewall vendors instead of using native cloud firewall capabilities. There are multiple reasons for wanting this, like more advanced features that are not available at this moment, or they already use that specific vendor in their own Data Centers. For this document, we will cover Fortinet and its FortiGate-VM solution.
There are different network topologies and each client chooses the right one based on their need. In this document, we will cover the Hub & Spoke network topology.
This topology it’s used for different scenarios, like:
OCI provides a native solution for a Hub & Spoke network topology by using a feature called Transit Routing.
This will allow to do the following:
Diagram 1 - General representation. Access to multiple VCNs in the same region and to OSN
For more information about Transit Routing feature check OCI website - https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/transitrouting.htm and https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/transitroutingoracleservices.htm.
We will use the network topology above (Diagram 1) to integrate FortiGate-VM as a firewall appliance.
In the end, the entire solution will accomplish the following:
Step 2. Prerequisites for FortiGate-VM and OCI.
Keep in mind that there are multiple ways to create a Hub & Spoke networking topology. As an example, we ca use LPGs between VCNs and use fewer network interfaces on FortiGate-VM.
Another example can be to use FortiGate VNICs between VCNs. This approach will use multiple VNICs but will allow the traffic to be segregated between multiple interface and increase the network performance.
We will discuss later the pros and cons of each implementation.
Here are some network diagrams using FortiGate-VM with or without LPGs:
Diagram 2 – General representation. FortiGate-VM using LPGs
Diagram 3 – General representation. FortiGate-VM without using LPGs
Based on the network diagrams above, here are the prerequisites for both solutions:
1. FortiGate-VM with LPGs:
FortiGate-VM prerequisites:
For this configuration we will need 3 VNICs attached to FortiGate-VM. Interfaces will be used for the following:
1. Management interface
2. Internet interface
3. OSN, On-premises interface and Spoke 1 & 2
OCI prerequisites:
For this configuration we will need the following:
2. FortiGate-VM without LPGs:
FortiGate-VM prerequisites:
For this configuration we will need 5 VNICs attached to FortiGate-VM. Interfaces will be used for the following:
OCI prerequisites:
For this configuration we will need the following:
When implementing a Hub & Spoke network architecture, the intent is to filter everything using FortiGate-VM policy security rules and IPS/IDS engine. However, you also have the option to add additional security by filtering at FortiGate-VM instance and the OCI level.
For building a HA environment using FortiGate-VM, check this blog page - https://www.ateam-oracle.com/fortinet-fortigate-ha-on-oci.
Step 3. Pros and Cons for different network architectures.
Pros and Cons to consider when using FortiGate-VM with or without LPGs:
item |
FortiGate-VM with LPGs |
FortiGate-VM without LPGs |
VNICs used |
minimum 3* (MNGM, WAN, LAN) |
minimum 3* + n (MNGM, WAN, LAN + nr. of Spokes) |
VM Cost |
Low (less VNICs**) |
High (more VNICs**) |
Bandwidth |
Based on the VM Shape*** |
Based on the VM Shape*** |
Traffic type |
North-South traffic |
East-West traffic |
Network links HA |
OCI Native |
Multiple FortiGate-VMs in HA |
Simplicity |
Simple |
More complex |
* 4 VNICs in case HA is needed.
** In OCI the number of VNICs is equal to the number of OCPUs.
*** The VM Shape used will have a total bidirectional bandwidth available. Doesn't matter how many VNICs the specific VM will have.
Previous Post
Next Post