Netskope IPSec with Fortinet FortiGate

This guide illustrates how to configure a VPN IPSec tunnel between Netskope and a FortiGate firewall device. This configuration example uses a FortiGate device running FortiOS version 6.4.3. It can work for all FortiOS versions.

Configuring IPSec Tunnels in FortiGate

There are two ways to accomplish the configuration: CLI and GUI. The CLI is faster.

FortiGate CLI Configuration

  1. Create a VPN for IPsec Phase 1:
    config vpn ipsec phase1-interface
        edit "NSKP-POP-XXXXX"
            set interface "wan1"              << change for your wan interface
            set ike-version 2
            set keylife 86400
            set peertype any
            set net-device disable
            set mode-cfg disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set localid "XXXXX@XXXXXX"        << change for your localid
            set dhgrp 16 15 14
            set remote-gw 163.116.XXXX.38     << change for your selected POP
            set psksecret XXXXXXX             << change for your pre-shared key
        next
    end
  2. Create a VPN for IPsec Phase 2:
    config vpn ipsec phase2-interface
        edit "NSKP-POP-XXXXX"
            set phase1name "NSKP-POP-XXXXX"
            set proposal aes256gcm aes128gcm aes128-sha1 aes256-sha1
            set dhgrp 16 15 14
            set auto-negotiate enable
            set keylifeseconds 7200
        next
    end
  3. Create at least one policy with VPN interface associated:
    config firewall policy
        edit 999
            set srcintf "internal"
            set dstintf "NSKP-POP-XXXXX"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set logtraffic all
            set nat enable
        next
    end
  4. Create a static route to push VPN into RIB:
    config router static
        edit 999
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end
    A static route must exist in the routing information base (RIB) before you can use it in policy-based routing.
  5. Create a policy-based router to redirect web traffic to Netskope:
    config router policy
        edit 998
            set input-device "internal"               << incoming interface
            set src "172.16.100.0/255.255.255.0"      << LAN network
            set dst "0.0.0.0/0.0.0.0"
            set protocol 6
            set start-port 443
            set end-port 443
            set output-device "NSKP-POP-XXXXX"
        next
        edit 999
            set input-device "internal"               << incoming interface
            set src "172.16.100.0/255.255.255.0"      << LAN network
            set dst "0.0.0.0/0.0.0.0"
            set protocol 6
            set start-port 80
            set end-port 80
            set output-device "NSKP-POP-XXXXX"
        next
    end
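The five CLI blocks above must agree with each other: phase 2, the firewall policy, the static route and the policy routes all name the tunnel interface defined in phase 1, and phase 1 must use IKEv2 and an email-format Local ID. The following Python script is an added consistency check, not part of this guide or of FortiOS; it parses the config/edit/set structure and reports mismatches. The embedded configuration is a constructed sample with example values (and a deliberately misspelled tunnel name in the policy route).

```python
import re

# Constructed sample from this guide's CLI blocks; the policy route misspells the tunnel.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "NSKP-POP-MILAN"
        set ike-version 2
        set localid "site1@example.com"
    next
end
config vpn ipsec phase2-interface
    edit "NSKP-POP-MILAN"
        set phase1name "NSKP-POP-MILAN"
    next
end
config router policy
    edit 998
        set output-device "NSKP-POP-MILN"
    next
end
"""

def parse_fortios(text):
    # Build {section: {entry: {key: value}}} from config / edit / set lines.
    tree, section, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            tree.setdefault(section := line[7:], {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tree[section][entry][key] = value.strip('"')
    return tree

# Every later block must name the tunnel defined under phase1-interface.
TUNNEL_REFS = [("vpn ipsec phase2-interface", "phase1name"), ("firewall policy", "dstintf"),
               ("router static", "device"), ("router policy", "output-device")]

def check_tunnel_config(tree):
    findings, tunnels = [], tree.get("vpn ipsec phase1-interface", {})
    for name, p1 in tunnels.items():
        if p1.get("ike-version") != "2":
            findings.append(f"{name}: ike-version must be 2 (IKEv2)")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", p1.get("localid", "")):
            findings.append(f"{name}: localid is not in email format")
    for section, key in TUNNEL_REFS:
        for entry, cfg in tree.get(section, {}).items():
            if key in cfg and cfg[key] not in tunnels:
                findings.append(f"{section} {entry}: {key} '{cfg[key]}' is not a defined tunnel")
    return findings
```

Paste the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface`, `show firewall policy`, `show router static` and `show router policy` in place of SAMPLE to check a live device.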

FortiGate GUI Configuration

  1. Click + Create New and then IPsec Tunnel.
  2. Under VPN Setup:
    • Name: Enter a name for the tunnel.
    • Template type: Select Custom.
  3. In the Network section, configure the IP address and interface information:
  4. In the Authentication section, configure the pre-shared key and select IKEv2:
  5. In the Phase 1 Proposal section, configure the following:

    Note

    The Local ID must be entered. Netskope recommends using an email format as the local ID, such as xxxx@xxxx.xxx. It must be the same as the source identity in your Netskope tenant.

  6. In the Phase 2 Proposal section, configure the following:
  7. Click OK.

Creating a Policy with an Associated VPN Interface

To create at least one policy with a VPN interface associated:

  1. Go to Policy & Objects > Firewall Policy.
  2. Click + Create New.
  3. In the Edit Policy window, configure the following fields:

Creating a Route to Push VPN into RIB

A static route must exist in the routing information base (RIB) before you can use it in policy-based routing.

To create a static route that pushes the VPN into RIB:

  1. Go to Network > Static Routes.
  2. Click + Create New and then OK.
  3. Ensure the Administrative Distance is the same as the original default route but with a higher Priority. For example:
    config router static
        edit 3
            set distance 5
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end

    To learn more about Administrative Distance and Priority, see the Fortinet documentation.

  4. Enter the following commands and ensure there are two static routes installed:
    get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] via 192.168.1.1, wan1
                      [5/0] is directly connected, NSKP-POP-Milan, [10/0]

    If both routes aren’t displayed, your original default route might have been obtained through DHCP. In the CLI, edit the original default route, set dynamic-gateway enable, and set the following values:

    config router static
        edit 2
            set distance 5
            set priority 5
            set device "wan1"
            set dynamic-gateway enable
        next
        edit 3
            set distance 5
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end

    Verify your two static routes.
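The check in step 4 can be automated: a tunnel route that does not appear under 0.0.0.0/0 points at the DHCP case above, and a distance that differs from the original default route keeps the second route out of the RIB. The following Python is an added helper, not part of this guide; it parses the routing-table output shape shown in step 4 and reports which condition applies. The two tables embedded in it are constructed samples modelled on that output.

```python
import re

# Constructed samples modelled on the guide's 'get router info routing-table static'
# output: first with both default routes installed, then with only the wan1 route.
TABLE_BOTH = """Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 192.168.1.1, wan1
                  [5/0] is directly connected, NSKP-POP-Milan, [10/0]
"""
TABLE_WAN_ONLY = """Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 192.168.1.1, wan1
"""

# One next hop: "[distance/metric] via <gw>, <if>" or "[distance/metric] is directly
# connected, <if>", optionally followed by ", [priority/weight]" as in the guide.
NEXTHOP = re.compile(r"\[(\d+)/\d+\] (?:via \S+, |is directly connected, )([^,\s]+)"
                     r"(?:, \[(\d+)/\d+\])?")

def default_route_nexthops(output):
    """Return [(interface, distance)] for every next hop listed under 0.0.0.0/0."""
    hops, in_default = [], False
    for line in output.splitlines():
        if line[:1].isalpha():                      # a new route entry starts here
            in_default = line.split()[1:2] == ["0.0.0.0/0"]
        if in_default and (m := NEXTHOP.search(line)):
            hops.append((m.group(2), int(m.group(1))))
    return hops

def check_tunnel_route(output, tunnel):
    """Report whether the tunnel default route sits beside the original one."""
    hops = default_route_nexthops(output)
    ifaces = {iface for iface, _ in hops}
    if tunnel not in ifaces:
        return "tunnel route not installed; if the wan default is from DHCP, set dynamic-gateway enable"
    if len(ifaces) < 2:
        return "only the tunnel route is installed; the original default route is missing"
    if len({dist for _, dist in hops}) != 1:
        return "administrative distances differ; they must match for both routes to install"
    return "ok: both default routes installed with equal distance"
```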

Creating a Policy-Based Router to Redirect Web Traffic to Netskope

By default, policy-based routing (PBR) isn’t visible in the FortiGate GUI, so you must enable it before you can create the policy routes that redirect traffic to the Netskope proxy.

  1. Go to System > Feature Visibility.
  2. Under Core Features, enable Advanced Routing and click Apply. You don’t need to reboot. This change doesn’t affect production.
  3. Go to Network > Policy Routes.
  4. Click + Create New.
  5. Create at least two PBRs (one for HTTP and another for HTTPS).

Configuring IPSec Tunnels in Netskope

To create the IPSec tunnels for FortiGate in the Netskope UI:

  1. Go to Settings > Security Cloud Platform > IPSec.
  2. Click Add New Tunnel.
  3. In the Add New IPSec Tunnel window:
    • Tunnel Name: Enter a name for the IPSec tunnel.
    • Source IP Address: (Optional) Enter the source peer IP address (i.e., the egress public IP) of the FortiGate firewall from which Netskope will receive packets. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
    • Source Identity: Enter an IP address, a fully-qualified domain name (FQDN), or an ID in email address format. For example, 1.1.1.1 or sourcelocation@company.com. The router or firewall uses the source identity for authentication during Internet Key Exchange (IKE).
    • Primary Netskope POP: Select the primary Netskope point of presence (POP) closest to you, and copy the IPSec Gateway IP address. You need this information to establish the primary IPSec tunnel on your FortiGate firewall. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

      Note

      FedRAMP High POPs are different from those shown here. Your FedRAMP High tenant shows the available POPs.

    • Failover Netskope POP: Select the backup Netskope POP closest to you, and copy the IPSec Gateway IP address. You need this information to establish the backup IPSec tunnel on your FortiGate firewall. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.
    • Pre-Shared Key (PSK): Enter the pre-shared key that both sides of the tunnel will use to authenticate one another. The PSK must be unique for each tunnel.
    • Encryption Cipher: Select an encryption algorithm for the IPSec tunnel.
    • Maximum Bandwidth: Enter the maximum bandwidth for the IPSec tunnel. The tunnel size can be up to 1 Gbps. To enable the 1 Gbps option, contact your Sales Representative.
    • Advanced Settings: Click to view the following options.
      • Rekey: Select to rekey SAs when they expire. Netskope recommends using the default setting.
      • Reauthentication: Select to create new IKE and IPSec SAs when they expire. Netskope recommends using the default setting.
      • Trust X-Forwarded-For Header: Select to trust IP addresses contained in the X-Forwarded-For (XFF) HTTP header at the tunnel level. If you trust XFF at the tenant level, you can’t select this option.
        • Apply to all traffic: Use the XFF HTTP header to identify all user traffic going through the IPSec tunnel.
        • Apply to specific NAT/proxy IP(s): Use the XFF HTTP header to identify traffic from specific NAT and proxy IP addresses going through the IPSec tunnel. Click +Add Another to add multiple IP addresses.
  4. Click Add.

Troubleshooting

Following are some helpful commands for troubleshooting the configuration:

  • Enter the following command to enable debug for an IPSec connection:
    diagnose debug application ike -1
    diagnose debug enable
  • Enter the following command to obtain the whole routing table:
    get router info routing-table all
  • Enter the following command to obtain an IPSec tunnel summary:
    get vpn ipsec tunnel summary
  • Enter the following command to obtain the IPSec tunnel details:
    get vpn ipsec tunnel name NSKP-POP-XXXXXX