
DEPLOYMENT GUIDE

FORTINET / SILVER PEAK INTEGRATION

DEPLOYMENT GUIDE: FORTINET / SILVER PEAK INTEGRATION

CONTENTS

Overview
Fortinet Security Fabric
Third Party Partners
SD-WAN Fabric Partner – Silver Peak
Importance of Secure SD-WAN
When Should this be Used
How Does this Integration Work?
Deployment Prerequisites
Deployment Steps
FortiHypervisor Configuration
Deploying the VMs
Configuring the Silver Peak Orchestrator VM
Configuring the Silver Peak EdgeConnect VM
Summary


OVERVIEW

FORTINET SECURITY FABRIC

To operate a fast and secure network, successful organizations demand high performance and immediate, automated response against network attacks.

Fortinet delivers the only security solution designed to provide world-class coverage from the cloud to the data center, to the endpoint, to IoT devices. It also secures applications, including email and web, while providing a secure first line of access to the network. The Fortinet Security Fabric integrates multiple security solutions that share intelligence to provide broader coverage, better visibility, and faster response than can be achieved with point solutions.

With Fortinet’s Fabric-Ready Partner Program, Fabric Partners like Silver Peak are now able to use deep API-level integrations to connect to Fortinet’s Security Fabric and bring superior value to their customer networks and deployments. See https://blog.fortinet.com/2017/04/06/fortinet-fabric-ready-partner-spotlight-silver-peak-systems for more information.

THIRD PARTY PARTNERS

Fortinet has integrated with many leading ecosystem partners that add value to Fortinet’s Security Fabric, and Fortinet continues to add more partners each day. For a list of Fortinet Security Fabric Partners, check FUSE or reach out to your Fortinet Representative.

SD-WAN SECURITY FABRIC PARTNER – SILVER PEAK

Fortinet began including SD-WAN vendors in the Fabric-Ready Program after customers requested it, because of the rapidly growing use of SD-WAN. MPLS costs are high, while Internet costs are dropping. Organizations want to increase Internet usage and decrease MPLS usage, while retaining high availability with WAN link load balancing and smart traffic routing.

Silver Peak’s Unity EdgeConnect SD-WAN solution provides secure and reliable virtual overlays to connect users to applications with the flexibility to use any combination of underlying transport without compromising application performance. To help maintain the security of the SD-WAN, many Silver Peak customers depend on Fortinet.

THE IMPORTANCE OF SECURE SD-WAN

With the increasing use of SSL encryption technologies, more than 50 percent of all web traffic is now SSL, and this number continues to grow. Fortinet works with Silver Peak to enable end-to-end security in the SD-WAN, including SSL traffic.

WHEN SHOULD THIS BE USED?

This integration is ideal for customers considering FortiGate and Silver Peak EdgeConnect as their security and SD-WAN solutions, respectively. The joint solution is also relevant for customers who use FortiGates and Silver Peak EdgeConnect devices but want a single branch-in-a-box deployment, with both these virtual network functions running on a single hardware device.

HOW DOES THIS INTEGRATION WORK?

This integration consists of three elements:

1. The FortiHypervisor Platform – This platform is the compute node and provides the flexible branch-in-a-box solution that houses both the Fortinet and Silver Peak virtual network functions.

2. The FortiGate VM – The FortiGate VM provides security, and based on the platform in use, provides network processor performance acceleration for security processing, to keep up with the most demanding network loads. Providing best-in-class security, this VM can also be used to provide protection against both known and unknown threats with a FortiSandbox or FortiSandbox Cloud integration.

3. The Silver Peak EdgeConnect – The Silver Peak EdgeConnect VM acts as the WAN termination device and can accept multiple outgoing WAN Links. Using those WAN connections, EdgeConnect provides secure and reliable virtual overlays to connect users to applications with the flexibility to use any combination of underlying transport without compromising application performance. This dramatically lowers costs, enhances business agility, and accelerates time to value. EdgeConnect is a complete WAN solution that simply and intelligently pools (combines) any combination of physical WAN connectivity into high-performance virtual WANs, delivering an unmatched user experience edge to edge.


DEPLOYMENT VM NETWORKING OVERVIEW

FIGURE 1: NETWORK DIAGRAM

FIGURE 2 - FORTIHYPERVISOR HOSTING FORTIGATE, SILVER PEAK, AND OTHER VMS

Using this setup, the Silver Peak VM terminates all WAN Links for two reasons:

1. This method lets the Silver Peak EdgeConnect make the most of the WAN Link.

2. In its current position behind the EdgeConnect, the FortiGate is able to get visibility into all the incoming and outgoing traffic, and thereby is able to provide superior protection.

The FortiGate VM is connected to the EdgeConnect on the LAN Side. Various LAN Links are connected to it, providing access to LAN devices, including access through a FortiAP, if needed.

In this situation, this FortiGate VM could be the FortiAP Controller.

Additional VMs required for use on the branch, including Fortinet VMs like a FortiSIEM Collector or non-Fortinet VMs like Windows VM, can then be deployed on the same FortiHypervisor, behind the FortiGate.

DEPLOYMENT PREREQUISITES

1. FortiHypervisor FHV – This deployment guide shows a FortiHypervisor 500D. Be sure to have a suitable FortiHypervisor ready.

2. FortiGate VM – Be sure to have a FortiGate VM qcow2 image and your FortiGate VM license file ready.

3. Silver Peak EdgeConnect VM – Contact Silver Peak (https://www.silver-peak.com/company/contact) for Silver Peak EdgeConnect license access. Be sure to include relevant information, such as the name of customer and size of deal (when communicated internally).

Contact Fortinet at: [email protected].

Contact Silver Peak at: https://www.silver-peak.com/company/contact.


HOW TO DEPLOY

CONFIGURE THE FORTIHYPERVISOR

Deploy and bring up the FortiHypervisor

• Connect the Management Cable of the FortiHypervisor and configure the management IP using the standard FortiGate Configuration Methodology.

For example:

Connect management port mgmt1 of the FHV to your laptop.

Configure your laptop to be in the 192.168.1.0/24 subnet.

Reach the FortiHypervisor at 192.168.1.99 using SSH.

You will not be able to configure the MGMT IP using the FHV UI, as this must be done over SSH.

Configure the IP and routing

    FHV-500D#config system interface
    FHV-500D(interface)#edit mgmt1
    FHV-500D(mgmt1)#set ip a.b.c.d 255.255.255.0
    FHV-500D(mgmt1)#set allowaccess http https ping ssh
    FHV-500D#end

    FHV-500D#config router static
    FHV-500D(router)#edit 1
    FHV-500D(1)#set device mgmt1
    FHV-500D(1)#set gateway a.b.c.254
    FHV-500D(1)#end

• Now reset the IP address of the laptop. You should now be able to access your FHV at https://a.b.c.d/.

• Before proceeding further, ensure the FortiHypervisor is running 1.0.1 GA or later.
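The mgmt1 step above enables plain http alongside https on the management interface. The following Python audit is an added example, not part of the original guide or of any Fortinet tooling: it parses FortiOS-style interface configuration (saved config or a CLI session with prompts) and flags interfaces whose allowaccess list includes cleartext management protocols. The sample config, the port9 entry, and the choice of http and telnet as the cleartext set are assumptions of this example.

```python
import re

CLEARTEXT = {"http", "telnet"}  # assumption: protocols treated as cleartext management
PROMPT = re.compile(r"^[\w.-]+(?:\([^)]*\))?\s*#\s*")  # strips e.g. "FHV-500D(mgmt1)#"

# Constructed sample: the guide's mgmt1 settings plus a made-up port9 entry.
SAMPLE_CONFIG = """\
config system interface
    edit mgmt1
        set ip a.b.c.d 255.255.255.0
        set allowaccess http https ping ssh
    next
    edit port9
        set allowaccess ping
    next
end
"""

def parse_allowaccess(text):
    """Map interface name -> allowaccess list from 'config system interface'."""
    result, stack, current = {}, [], None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())  # track nested sections
        elif line == "end" and stack:
            stack.pop()
        elif stack == ["system interface"]:  # ignore nested sub-sections
            if line.startswith("edit "):
                current = line.split(None, 1)[1].strip('"')
                result.setdefault(current, [])
            elif line == "next":
                current = None
            elif current and line.startswith("set allowaccess "):
                result[current] = line.split()[2:]
    return result

def audit(text):
    """Return (interface, cleartext protocols, suggested replacement line)."""
    findings = []
    for iface, protos in parse_allowaccess(text).items():
        weak = [p for p in protos if p in CLEARTEXT]
        if weak:
            kept = [p for p in protos if p not in CLEARTEXT]
            findings.append((iface, weak, "set allowaccess " + " ".join(kept)))
    return findings

if __name__ == "__main__":
    for iface, weak, fix in audit(SAMPLE_CONFIG):
        print(f"{iface}: cleartext management ({', '.join(weak)}); suggest '{fix}'")
```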

DEPLOYING THE VMs

1. To deploy the VMs, upload the qcow2 images onto the FortiHypervisor.

• From the Images Tab, click Upload.

FIGURE 3 - FORTIHYPERVISOR IMAGE PAGE - EDGECONNECT


2. Configure the networking.

• Go to System > Virtual Switch, and configure the interface as shown. Since this setup is a demo, we can use all interfaces in bridge mode. It is equally simple to use them in pass-through mode instead to get the benefits of NP.

FIGURE 4 - FORTIHYPERVISOR IMAGE PAGE - FORTIGATE

FIGURE 5 - FORTIHYPERVISOR VIRTUAL SWITCH PAGE

The topology/interface selection is shown below.

FIGURE 6 - SILVER PEAK - FORTIHYPERVISOR DEPLOYMENT


3. Next, deploy the VMs.

• Go to Virtual Machine > Create New.

• Enter your information into the fields, including disks and networks, as shown below.

Silver Peak EdgeConnect Network Interfaces on the VM are set up as follows:

Port4 – LAN

Port2, Port3 – WAN

Port1 – Mgmt

Be sure to check that the mapping is as illustrated.

Any Additional VMs can be deployed behind the FortiGate VM as needed.

In this example, there is an Ubuntu VM that sits behind the FortiGate VM.

The VMs are now ready to boot and configure.

THE PRIMARY COMPONENTS:

Unity Orchestrator

• Unity Orchestrator global management software offers customers the unique ability to centrally assign business intent policies to secure and control all Silver Peak Unity EdgeConnect software-defined wide area network (SD-WAN) traffic.

• It runs as a virtual machine on VMware ESX/ESXi, Microsoft Hyper-V, FortiHypervisor, Citrix XenServer, and the open source KVM hypervisor.


Unity EdgeConnect

Unity EdgeConnect devices can be deployed in branch offices to create a secure, virtual network overlay. This enables customers to move to a broadband WAN at their own pace, whether site-by-site, or via a hybrid WAN approach that leverages MPLS and broadband Internet connectivity.

• Scales to support everything from small branches to large data centers

• Available as hardware or virtual appliances (supporting any common hypervisor)

• Hardware appliances available as 1U rack-mountable appliances

Cloud Portal

• Cloud-hosted Silver Peak service for license management and zero-touch provisioning

FIGURE 7 - SILVER PEAK ORCHESTRATOR DASHBOARD

FIGURE 8 - CONFIGURING THE SILVER PEAK EDGECONNECT VM


Log into the Silver Peak EdgeConnect VM. As a part of your Silver Peak License/Image package, you will also receive:

1. Credentials to Silver Peak Orchestrator

2. Deployment qcow2 image

3. Installation Guide

For the passwords needed in the next steps, refer to the Installation Guide.

1. Log into the Silver Peak VNF using the password you were given.

2. Use interface mgmt0 to set mgmt IP.


3. WAN0 maps to Port 9 and WAN1 maps to Port 10 on the FHV.

FIGURE 9 - SILVER PEAK INTERFACES PAGE

Next, add the Orchestrator IP on the VM and the ready-to-use license.

FIGURE 10 - SILVER PEAK ORCHESTRATOR IP

FIGURE 11 - SILVER PEAK EDGECONNECT DASHBOARD

Confirm the Orchestrator license.

a. Log into Orchestrator.

b. Go to Configure > Administration > License & Registration.


FIGURE 12 - SILVER PEAK EDGECONNECT VPN TUNNELS

FIGURE 13 - SILVER PEAK TUNNELS PAGE

Now the FortiGate VM has Internet access and is ready to be licensed.

Use the Ubuntu VM to set up any licenses and configurations needed on the FortiGate VM.

1. Log into the FortiGate UI using the console button on FHV.

2. Set up the network Interfaces with the IP addresses from the CLI, as shown below.

a. Port2: Silver Peak EdgeConnect VM LAN interface.

b. Port3: FortiGate VM LAN.

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

August 17, 2017 108245-0-0-EN

FIGURE 14 - FORTIGATE INTERFACES WITH PORTS

FIGURE 15 - FORTIGATE OUTBOUND POLICIES

3. Now add the policy to allow outbound traffic.

HOW TO GET HELP

Contact Fortinet at: [email protected].

Contact Silver Peak at: https://www.silver-peak.com/company/contact