A FortiGate Automation Stitch brings together a Trigger and an Action. The Trigger can be internal or external to the FortiGate; when a trigger occurs, one or more Actions can be initiated. The Action, like the Trigger, can be internal or external to the FortiGate. The code in the repository fortigate-automation-stitches is an example of a FortiGate SDN Event Log being the Trigger that initiates the Action of updating an Azure Route Table to enforce VM Micro Segmentation.

The SDN event log entry generated when a FortiGate Dynamic Address is updated triggers the action of sending a webhook to Azure.

The webhook contains the information required to update the Azure route table. The Azure route table update is either the addition of a route to, or the removal of a route from, an Azure route table.

The FortiGate Automation Stitch Azure route table updates are made to support Micro Segmentation of VMs in FortiGate protected networks. In Azure, VMs on the same subnet and network typically have the ability to communicate without restriction. Network Security Groups can be implemented to manage VM communication; however, this can be a time intensive process, and NSGs cannot inspect traffic as thoroughly as a FortiGate. Adding a VM's IP address to the Azure route table with the FortiGate as the next hop ensures that VM to VM communication is routed via the FortiGate. Inspecting VM to VM traffic within the same subnet or network space significantly improves security. Maintaining these VM specific routes can become problematic, as a VM may be allocated and deallocated in response to any number of metrics. The ability of the FortiGate to recognize, through the FortiGate Dynamic Address, when a VM has been allocated or deallocated is key to initiating an Azure route table update. The FortiGate Dynamic Address also serves as a Source or Destination in FortiGate Policies. The FortiGate Dynamic Address is populated with the IP addresses of the VMs that match the Filter criteria configured on the Dynamic Address.

A route in an Azure route table determines how traffic is directed, based on the destination of the traffic. A standard Azure route table in a FortiGate protected Azure network has the FortiGate (or a load balancer that sends traffic to the FortiGate) as the next hop. VMs in FortiGate protected Azure networks send their traffic via the FortiGate if the destination of the traffic is in the Azure route table and the next hop for that destination is the FortiGate.

FortiGate deployments separate traffic into two categories, trusted and untrusted. For example, untrusted traffic ingresses into the network via FortiGate port1, and inspected, trusted traffic egresses via FortiGate port2. Once trusted traffic is sent out port2, all the VMs in the trusted subnets can be receivers of that traffic, barring any other security measures. VMs in these trusted subnets communicate with each other without their traffic having to traverse the FortiGate.

Adding a VM's IP address to the Azure route table (this is called a host route) with the FortiGate as the next hop means all traffic to that VM must pass through the FortiGate. For example, adding the route 10.20.1.4/32 with the FortiGate IP 10.17.1.6 as the next hop to the Azure route table would cause a VM with the IP 10.20.1.8 to send traffic to the FortiGate at 10.17.1.6 when communicating with VM 10.20.1.4. Without that host route in the Azure route table, VM 10.20.1.8 would be able to communicate directly with VM 10.20.1.4 and not have to send traffic via the FortiGate. Note that a host route only covers one direction: when VM 10.20.1.4 responds to VM 10.20.1.8, the response traffic does not go via the FortiGate unless there is also a host route of 10.20.1.8/32 in the Azure route table. The Azure route table update, the addition or deletion of a VM IP address in the form of a host route, is initiated in Azure via a webhook. The webhook is associated with an Azure Automation Account Runbook; the runbook is a PowerShell script that either adds the route to the Azure route table or deletes it. Whether the route is added or deleted is determined by the information sent from the FortiGate.

The FortiGate SDN event log indicates that an IP address was either added to or removed from the FortiGate Dynamic Address. The webhook is populated with the IP address, the action that was taken on the IP address in the FortiGate Dynamic Address (add or remove), and the Azure specific information: the name of the Azure Resource Group that contains the Azure Route Table, the name of the Azure Route Table, the next hop IP address (the FortiGate, or the Azure Load Balancer that sends traffic to the FortiGate), and a prefix string used to name the host route.
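The Azure side of the stitch, written here as an added example and not the fortigate-automation-stitches repository's own runbook: an Azure Automation PowerShell runbook that reads the webhook payload (IP address, add/remove action, resource group, route table name, next hop, name prefix) and adds or removes the corresponding /32 host route. The JSON field names (`ip`, `action`, `resourceGroup`, `routeTable`, `nextHop`, `prefix`), the use of the Automation Account's managed identity for `Connect-AzAccount -Identity`, and the allowed next-hop list are assumptions. The input checks are the part a practitioner should not skip: the webhook URL is the only secret protecting the route table, and a caller who can post to it with an arbitrary next hop could redirect a VM's traffic to a host of their choosing, so the runbook only accepts a single IPv4 host and only the next hop it already knows to be the FortiGate (or the load balancer in front of it).

```powershell
# Added example runbook (not the fortigate-automation-stitches code). Payload field
# names, the managed identity and the allowed next-hop list are assumptions.
param(
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

# When started by a webhook, Azure Automation passes the request in $WebhookData.
# Under some runtimes it arrives as a JSON string instead of an object.
if (-not $WebhookData) { throw "This runbook must be started by its webhook." }
if ($WebhookData -is [string]) { $WebhookData = $WebhookData | ConvertFrom-Json }

$body = $WebhookData.RequestBody | ConvertFrom-Json

# Treat the body as untrusted even though the webhook URL carries a token:
# only a single IPv4 host may be routed, only to a next hop we know is the
# FortiGate (or the load balancer in front of it), and only add/remove.
$ipv4Host        = '^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$'
$allowedNextHops = @('10.17.1.6')          # assumption: the FortiGate's port2 IP

if ($body.ip -notmatch $ipv4Host)                   { throw "Rejected ip: $($body.ip)" }
if ($body.nextHop -notin $allowedNextHops)          { throw "Rejected nextHop: $($body.nextHop)" }
if ($body.action -notin @('add', 'remove'))         { throw "Rejected action: $($body.action)" }
if ($body.prefix -notmatch '^[A-Za-z0-9_-]{1,40}$') { throw "Rejected prefix: $($body.prefix)" }

# Authenticate as the Automation Account's system-assigned managed identity.
Connect-AzAccount -Identity | Out-Null

$rt        = Get-AzRouteTable -ResourceGroupName $body.resourceGroup -Name $body.routeTable
$routeName = "$($body.prefix)$($body.ip)"                       # e.g. host-10.20.1.4
$existing  = $rt.Routes | Where-Object { $_.Name -eq $routeName }
$changed   = $false

switch ($body.action) {
    'add' {
        if ($existing) {
            Write-Output "Route $routeName already present; nothing to do."
        } else {
            # /32 host route with NextHopType VirtualAppliance = the FortiGate.
            $rt = Add-AzRouteConfig -RouteTable $rt -Name $routeName `
                      -AddressPrefix "$($body.ip)/32" `
                      -NextHopType VirtualAppliance -NextHopIpAddress $body.nextHop
            $changed = $true
            Write-Output "Adding route $routeName ($($body.ip)/32 -> $($body.nextHop))"
        }
    }
    'remove' {
        if (-not $existing) {
            Write-Output "Route $routeName not present; nothing to do."
        } else {
            $rt = Remove-AzRouteConfig -RouteTable $rt -Name $routeName
            $changed = $true
            Write-Output "Removing route $routeName"
        }
    }
}

# Add-/Remove-AzRouteConfig only edit the in-memory object; Set-AzRouteTable commits.
if ($changed) { Set-AzRouteTable -RouteTable $rt | Out-Null }
```

The add and remove branches are idempotent on purpose: a Dynamic Address can emit the same event twice (for example after a FortiGate SDN connector resync), and re-adding an existing route name would otherwise fail the runbook. The managed identity needs only Network Contributor on the route table's resource group, not on the subscription.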
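The return-path caveat in the host-route example (10.20.1.4 answering 10.20.1.8 bypasses the FortiGate unless 10.20.1.8/32 is also routed to it) is easy to get wrong when only one VM of a pair matches the Dynamic Address filter. The following check, an added example that is not part of the repository, reads the effective routes of each VM's NIC and confirms that both directions carry a /32 for the other VM with the FortiGate as next hop. The resource group and NIC names are assumptions; the IP addresses are the ones used in the example above.

```powershell
# Added example (not from the repository): confirm that BOTH directions of a VM
# pair traverse the FortiGate, i.e. each NIC's effective routes carry a /32 for
# the other VM via the expected next hop. Resource group and NIC names are assumed.
function Test-HostRoutePair {
    param(
        [Parameter(Mandatory)] [string]    $ResourceGroup,
        [Parameter(Mandatory)] [hashtable] $NicByIp,   # VM IP -> NIC resource name
        [Parameter(Mandatory)] [string]    $NextHop    # FortiGate (or LB) IP
    )
    $ok = $true
    foreach ($src in $NicByIp.Keys) {
        # Effective routes = subnet UDR + system routes, as the NIC actually uses them.
        $effective = Get-AzEffectiveRouteTable -ResourceGroupName $ResourceGroup `
                                               -NetworkInterfaceName $NicByIp[$src]
        foreach ($dst in ($NicByIp.Keys | Where-Object { $_ -ne $src })) {
            $hit = $effective | Where-Object {
                $_.State -eq 'Active' -and
                $_.AddressPrefix -contains "$dst/32" -and
                $_.NextHopType -eq 'VirtualAppliance' -and
                $_.NextHopIpAddress -contains $NextHop
            }
            if ($hit) {
                Write-Output "OK      $src -> $dst/32 via $NextHop"
            } else {
                # Missing in one direction means replies bypass the FortiGate (asymmetric).
                Write-Warning "MISSING $src -> $dst/32 via $NextHop"
                $ok = $false
            }
        }
    }
    return $ok
}

# Usage with the addresses from the example above (NIC names are assumptions):
Test-HostRoutePair -ResourceGroup 'rg-fortigate' -NextHop '10.17.1.6' `
    -NicByIp @{ '10.20.1.8' = 'vm-a-nic'; '10.20.1.4' = 'vm-b-nic' }
```

Run it after the stitch has fired for both VMs; a MISSING line for either direction means the FortiGate sees only half of the conversation, and stateful inspection on the FortiGate will drop or mis-classify the flow rather than protect it.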