
Netskope GRE with Fortinet FortiGate

This guide illustrates how to configure a GRE tunnel between Netskope and a FortiGate firewall. The example uses a FortiGate running FortiOS 6.4.9; the same objects and commands apply to other FortiOS releases, but check the CLI syntax against the reference for your version.

Creating the GRE Tunnel in Netskope

To create the GRE tunnel for FortiGate in the Netskope UI:

  1. Go to Settings > Security Cloud Platform > GRE.
  2. Click New GRE Configuration.
  3. In the New GRE Configuration window:
    • Configuration Name: Enter a name for the GRE tunnel.
    • Tunnel Type: Select Default.
    • Source Peer: Enter the source peer IP address (i.e., the public egress IP) of the FortiGate firewall that Netskope will receive packets from. Netskope identifies traffic belonging to your organization by the source address of the GRE packets it receives, so this must be the public address as seen from the internet, not a private address behind NAT.
    GRE-Edit-GRE-Configuration.png
  4. Click Save and View POPs.
  5. In the Netskope POPs window, copy the GRE Gateway IP address of the two closest Netskope POPs. You need this information to establish the GRE tunnels on your FortiGate firewalls. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

    Note

    FedRAMP High POPs differ from those shown here. Your FedRAMP High tenant shows the POPs available to you.

    GRE-Netskope-POPs.png

Configuring the GRE Tunnel in FortiGate

Enter the following CLI commands to configure the GRE tunnel:

config system gre-tunnel
    edit "GRE-NETSKOPE"
        set interface "port1"
        set remote-gw 163.116.174.36
        set local-gw 192.168.1.17
    next
end

Note the following:

  • For remote-gw, enter the GRE Gateway IP address you copied from the Netskope POPs window. In this example, it's the MRS1 GRE Gateway.
  • For local-gw, enter the IP address of the internet-facing interface. In this example, the FortiGate sits behind the ISP router with the private address 192.168.1.17, which the router source-NATs to 109.210.55.51. Netskope sees only the post-NAT address, so 109.210.55.51 is the value to enter as Source Peer in Netskope, and the ISP router must pass GRE (IP protocol 47, which has no ports to forward) from the POP back to 192.168.1.17 or return traffic never reaches the FortiGate. GRE itself adds no encryption or authentication; HTTP carried in the tunnel crosses the ISP path in clear text and HTTPS keeps only its own TLS protection.
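The following Python script is an added illustration of what the notes above describe on the wire; it is not Netskope or Fortinet code. It builds the packet the FortiGate emits on port1 (outer IPv4 header with protocol 47, a 4-byte GRE header, then the LAN client's packet), applies the ISP router's source NAT to the outer header, and decodes the result the way the POP would. The addresses are the ones used in this guide (local-gw 192.168.1.17, public egress 109.210.55.51, POP GRE Gateway 163.116.174.36); the LAN client 10.10.10.25, the web server 203.0.113.10 and the TCP ports are constructed for the example, and the TCP checksum is left at zero because only the headers matter here.

```python
"""Build, NAT and decode a GRE-encapsulated IPv4 packet (RFC 2784, RFC 791).

Added illustration, not Netskope or Fortinet code. The LAN client, web server
and ports are constructed; the tunnel endpoints are the ones from this guide.
"""
import ipaddress
import struct

GRE_PROTO = 47            # outer IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN; TCP checksum left at 0 because only the headers matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """What the FortiGate puts on port1: outer IPv4 (proto 47) + GRE header + inner packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # C=0, reserved0=0, version 0
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def snat(packet: bytes, public_src: str) -> bytes:
    """What the ISP router does: rewrite the outer source address and fix the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(public_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def gre_decapsulate(packet: bytes) -> dict:
    """What the POP sees: check the outer and GRE headers, then expose the inner addresses."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError(f"outer protocol {outer[9]} is not GRE (47)")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:                     # RFC 2784 receivers discard version != 0
        raise ValueError("unsupported GRE version")
    gre_len = 8 if flags_ver & 0x8000 else 4   # the C bit adds a checksum + reserved1 word
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported GRE payload type {ptype:#06x}")
    inner = packet[ihl + gre_len:]
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "outer_src": str(ipaddress.IPv4Address(outer[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
        "dport": None,
    }
    if inner[9] == 6:   # TCP: destination port is the second 16-bit word of the TCP header
        info["dport"] = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return info


def demo() -> dict:
    """Client 10.10.10.25 -> 203.0.113.10:443 as it leaves port1, after ISP NAT, as the POP decodes it."""
    inner = ipv4_header("10.10.10.25", "203.0.113.10", 6, 20) + tcp_syn(51514, 443)
    on_port1 = gre_encapsulate("192.168.1.17", "163.116.174.36", inner)
    on_wire = snat(on_port1, "109.210.55.51")
    return gre_decapsulate(on_wire)


if __name__ == "__main__":
    print(demo())
```

The decoded outer source is 109.210.55.51, not the FortiGate's local-gw, which is why the Source Peer in Netskope has to be the public address. The reverse path is the mirror image: the POP sends protocol-47 packets to 109.210.55.51, and nothing in the outer or GRE header authenticates either end.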

Configuring the GRE Interface

There are two options to complete the remaining GRE configuration: CLI and GUI. The CLI is faster.

You must configure the GRE interface that FortiGate automatically created when you configured the GRE tunnel.

FortiGate CLI Configuration

Enter the following commands to configure the GRE interface:

config system interface
    edit "GRE-NETSKOPE"
        set ip 192.168.254.1 255.255.255.255
        set allowaccess ping
        set interface "port1"
    next
end

FortiGate GUI Configuration

  1. Go to Network > Interfaces.
  2. Edit GRE-NETSKOPE.
  3. Configure the following GRE interface:
    FortiGate-Edit-GRE-Tunnel-Interface.png
  4. Click OK.

Creating a Static Route

You must create a default static route through the GRE interface (with no destination set, FortiOS treats the route as 0.0.0.0/0). Give it the same administrative distance as the existing default route toward the ISP (5 in this example) so that both default routes stay installed, and a higher priority value (10 here; lower values are preferred in FortiOS) so that traffic not selected by a policy route keeps using the ISP route. The policy routes created later can only steer traffic into GRE-NETSKOPE when the routing table holds a route to the destination through that interface, which is what this entry provides.

FortiGate CLI Configuration

Enter the following commands to configure a static route:

config router static
    edit ### enter an ID that does not overlap with existing static routes
        set distance 5
        set priority 10
        set device "GRE-NETSKOPE"
    next
end

FortiGate GUI Configuration

  1. Go to Network > Static Routes.
  2. Click + Create New.
  3. Configure the following static route:
    FortiGate-Edit-Static-Route.png
  4. Click OK.

Enter the following command to verify that both default routes (the existing one via the ISP and the new one via GRE-NETSKOPE) are installed:

get router info routing-table all
CLI-get-router-info-routing-table-all.png

Creating Policy-Based Routes

You must create policy-based routes (PBRs) to steer traffic into the GRE tunnel. This example routes all HTTP and HTTPS traffic from the LAN interface (i.e., port2, 10.10.10.0/24); everything else keeps following the normal routing table.

FortiGate CLI Configuration

Enter the following commands to create PBRs:

config router policy
    edit ### enter an ID that does not overlap with existing policy routes
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "GRE-NETSKOPE"
    next
    edit ### enter an ID that does not overlap with existing policy routes
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "GRE-NETSKOPE"
    next
end

FortiGate GUI Configuration

  1. Go to Network > Policy Routes.
  2. Click + Create New.
    FortiGate-Policy-Routes.png
  3. Configure the following routing policy for HTTPS traffic:
    FortiGate-Edit-Routing-Policy-HTTPS.png
  4. Configure the following routing policy for HTTP traffic:
    FortiGate-Edit-Routing-Policy-HTTP.png
  5. Click OK.

Creating a Firewall Policy

You must create a firewall policy to allow traffic from the LAN interface to the GRE tunnel interface. This example uses an address object to identify the LAN subnet.

FortiGate CLI Configuration

Enter the following commands to create a firewall policy:

config firewall address
    edit "LAN"
        set associated-interface "port2"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall policy
    edit ### enter an ID that does not overlap with existing firewall policies
        set name "to Netskope GRE"
        set srcintf "port2"
        set dstintf "GRE-NETSKOPE"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

FortiGate GUI Configuration

  1. Go to Policy & Objects > Addresses.
  2. Click + Create New.
  3. Create the following address object. Change the subnet to your LAN subnet:
    FortiGate-Edit-Address-Object.png
  4. Click OK.
  5. Go to Policy & Objects > Firewall Policy.
  6. Click + Create New.
  7. Create the following firewall policy:
    FortiGate-Edit-Firewall-Policy.png
  8. Click OK.
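Netskope recommends at least two tunnels per egress location, and every object above has to be repeated for the second POP with IDs that do not collide with what is already on the box. The following Python script is an added example, not Netskope or Fortinet code: it renders the same FortiOS objects this guide builds by hand (gre-tunnel, interface, default static route, policy routes, address object, firewall policy, link monitor) for a primary and a secondary POP, keeps both default routes at the same distance with distinct priorities, orders the policy routes so the preferred tunnel is tried first, allocates route and policy IDs around a caller-supplied set of IDs already in use, and refuses a Source Peer that is a private address. The tunnel names, the second tunnel address 192.168.254.2, the second POP's GRE Gateway and probe addresses (198.51.100.2 and 198.51.100.3) and the sets of used IDs are constructed placeholders; copy the real GRE Gateway and probe IPs from the Netskope POPs window.

```python
"""Render the FortiOS CLI for redundant Netskope GRE tunnels.

Added example, not Netskope or Fortinet code. Tunnel names, the second POP's
addresses and the used-ID sets are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Pop:
    name: str          # label used in the tunnel name, e.g. "MRS1"
    gre_gateway: str   # GRE Gateway IP from the Netskope POPs window (remote-gw)
    tunnel_ip: str     # /32 address for the FortiGate end of the tunnel interface
    priority: int      # FortiOS route priority; lower is preferred, so primary < secondary
    probe_ip: str      # POP probe address for the link monitor


@dataclass
class Site:
    wan_if: str        # internet-facing interface, e.g. "port1"
    lan_if: str        # LAN interface, e.g. "port2"
    local_gw: str      # address of wan_if (private here, SNATed by the ISP router)
    source_peer: str   # public egress address entered as Source Peer in Netskope
    lan_subnet: str    # e.g. "10.10.10.0/24"
    distance: int = 5  # must equal the existing default route's distance so both stay installed


def allocate_ids(used: Iterable[int], count: int) -> List[int]:
    """Return `count` IDs, counting up from 1, that are not in `used`."""
    used, ids, candidate = set(used), [], 1
    while len(ids) < count:
        if candidate not in used:
            ids.append(candidate)
        candidate += 1
    return ids


def validate(site: Site, pops: List[Pop]) -> List[str]:
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if ipaddress.ip_address(site.source_peer).is_private:
        problems.append("source_peer must be the public address Netskope sees, not an RFC 1918 address")
    if len({p.gre_gateway for p in pops}) != len(pops):
        problems.append("each tunnel needs a distinct remote-gw")
    if len({p.tunnel_ip for p in pops}) != len(pops):
        problems.append("each tunnel interface needs a distinct address")
    if len({p.priority for p in pops}) != len(pops):
        problems.append("give each tunnel's default route a distinct priority so the preferred path is deterministic")
    ipaddress.ip_network(site.lan_subnet)   # raises ValueError on a malformed subnet
    return problems


def render(site: Site, pops: List[Pop], used_route_ids=(), used_pbr_ids=(), used_policy_ids=()) -> str:
    """Emit the full FortiOS CLI block for all tunnels, preferred tunnel first."""
    problems = validate(site, pops)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(site.lan_subnet)
    pops = sorted(pops, key=lambda p: p.priority)
    names = [f"GRE-NETSKOPE-{p.name}" for p in pops]
    route_ids = allocate_ids(used_route_ids, len(pops))
    pbr_ids = iter(allocate_ids(used_pbr_ids, 2 * len(pops)))
    policy_id = allocate_ids(used_policy_ids, 1)[0]
    out = ["config system gre-tunnel"]
    for p, n in zip(pops, names):
        out += [f'    edit "{n}"', f'        set interface "{site.wan_if}"',
                f"        set remote-gw {p.gre_gateway}", f"        set local-gw {site.local_gw}", "    next"]
    out += ["end", "config system interface"]
    for p, n in zip(pops, names):
        out += [f'    edit "{n}"', f"        set ip {p.tunnel_ip} 255.255.255.255",
                "        set allowaccess ping", f'        set interface "{site.wan_if}"', "    next"]
    out += ["end", "config router static"]          # one default route per tunnel, same distance
    for rid, p, n in zip(route_ids, pops, names):
        out += [f"    edit {rid}", f"        set distance {site.distance}",
                f"        set priority {p.priority}", f'        set device "{n}"', "    next"]
    out += ["end", "config router policy"]          # preferred tunnel's policy routes come first
    for p, n in zip(pops, names):
        for port in (443, 80):
            out += [f"    edit {next(pbr_ids)}", f'        set input-device "{site.lan_if}"',
                    f'        set src "{net.network_address}/{net.netmask}"', '        set dst "0.0.0.0/0.0.0.0"',
                    "        set protocol 6", f"        set start-port {port}", f"        set end-port {port}",
                    f'        set output-device "{n}"', "    next"]
    out += ["end", "config firewall address", '    edit "LAN"',
            f'        set associated-interface "{site.lan_if}"',
            f"        set subnet {net.network_address} {net.netmask}", "    next", "end",
            "config firewall policy", f"    edit {policy_id}", '        set name "to Netskope GRE"',
            f'        set srcintf "{site.lan_if}"', "        set dstintf " + " ".join(f'"{n}"' for n in names),
            '        set srcaddr "LAN"', '        set dstaddr "all"', "        set action accept",
            '        set schedule "always"', '        set service "HTTP" "HTTPS"', "    next", "end",
            "config system link-monitor"]           # a failed probe withdraws that tunnel's default route
    for p, n in zip(pops, names):
        out += [f'    edit "{n}"', f'        set srcintf "{n}"', f"        set server {p.probe_ip}", "    next"]
    return "\n".join(out + ["end"])


def example() -> str:
    """Site from this guide plus a constructed second POP and constructed used-ID sets."""
    site = Site("port1", "port2", "192.168.1.17", "109.210.55.51", "10.10.10.0/24")
    pops = [Pop("MRS1", "163.116.174.36", "192.168.254.1", 10, "10.174.6.209"),
            Pop("POP2", "198.51.100.2", "192.168.254.2", 20, "198.51.100.3")]  # placeholder POP
    return render(site, pops, used_route_ids={1}, used_pbr_ids={1, 2}, used_policy_ids={1, 2, 3})


if __name__ == "__main__":
    print(example())
```

Paste the output into the FortiGate CLI, then run `get router info routing-table all` and confirm that both GRE default routes appear next to the ISP default route. Failover here rests on the link monitor: when a POP's probe stops answering, FortiOS withdraws the static route via that tunnel, the policy routes pointing at it no longer apply, and HTTP/HTTPS falls through to the next tunnel's policy routes.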

Troubleshooting

A GRE interface shows as up as soon as it is configured: GRE is stateless, so FortiOS has no way to tell whether the remote end is answering, and an up interface does not prove that the tunnel works. Use the following checks to verify and troubleshoot the configuration:

  • Enter the following command to create a monitor server and verify that traffic is going through the tunnel:
    config system link-monitor
        edit "0"
            set srcintf "GRE-NETSKOPE"
            set server "10.174.6.209"
        next
    end

    The server address is the probe IP of the Netskope POP (copy it from the POPs window); the link monitor pings it through the tunnel. By default, a link monitor that fails also withdraws the static routes that use the monitored interface, so the policy routes pointing at the tunnel stop applying until the probe succeeds again.

  • Enter the following command to see if the link monitor is working:
    diagnose sys link-monitor status

    You should see a similar output:

    CLI-Link-Monitor-Status.png
  • In the Netskope UI, ensure there is a Seen status for the User Traffic and Keepalive columns:
    Netskope-GRE-Tunnel-Configuration.png