Netskope Help

Netskope IPSec with Fortinet FortiGate

This guide illustrates how to configure an IPsec VPN tunnel between Netskope and a FortiGate firewall. The configuration example uses a FortiGate device running FortiOS version 6.4.3; it can work on all FortiOS versions.

There are two ways to accomplish the configuration: CLI and GUI. The CLI is faster, but some users are more comfortable with the GUI. Both are covered here.

Configure FortiGate using the CLI
  1. Create a VPN IPsec Phase 1.

    config vpn ipsec phase1-interface
        edit "NSKP-POP-XXXXX"
            set interface "wan1"             << change for your wan interface
            set ike-version 2
            set keylife 28800
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set localid "XXXXX@XXXXXX"       << change for your localid
            set dhgrp 16 15 14
            set remote-gw 163.116.XXXX.38    << change for your selected POP
            set psksecret XXXXXXX            << change for your pre-shared key
        next
    end
  2. Create a VPN IPsec Phase 2.

    config vpn ipsec phase2-interface
        edit "NSKP-POP-XXXXX"
            set phase1name "NSKP-POP-XXXXX"
            set proposal aes256gcm aes128gcm aes128-sha1 aes256-sha1
            set dhgrp 16 15 14
            set auto-negotiate enable
            set keylifeseconds 7200
        next
    end
  3. Create at least one firewall policy that uses the VPN interface as its destination. For example:

    config firewall policy
        edit 999
            set srcintf "internal"
            set dstintf "NSKP-POP-XXXXX"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set logtraffic all
            set nat enable
        next
    end
  4. Create a static route so that the VPN interface is installed in the RIB.

    config router static
        edit 999
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end
  5. Create policy-based routes (PBR) to redirect web traffic (HTTP and HTTPS) to Netskope.

    config router policy
        edit 998
            set input-device "internal"                 << incoming interface
            set src "172.16.100.0/255.255.255.0"        << LAN network
            set dst "0.0.0.0/0.0.0.0"
            set protocol 6
            set start-port 443
            set end-port 443
            set output-device "NSKP-POP-XXXXX"
        next
        edit 999
            set input-device "internal"                 << incoming interface
            set src "172.16.100.0/255.255.255.0"        << LAN network
            set dst "0.0.0.0/0.0.0.0"
            set protocol 6
            set start-port 80
            set end-port 80
            set output-device "NSKP-POP-XXXXX"
        next
    end
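Before applying the phase 1 and phase 2 blocks above, it helps to check that every placeholder has been replaced and that the tunnel is restricted to the settings the guide calls for (IKEv2, an e-mail-style local ID matching the tenant's source identity). The following Python script is an added example, not Netskope or Fortinet code: it parses the flat `config ... edit ... set ... next ... end` text as it appears in this guide (including the `<<` notes), then audits each tunnel. The sample configuration, the tunnel names `NSKP-POP-A` and `NSKP-POP-B`, the 192.0.2.x gateway addresses and the pre-shared keys are constructed for the example; the thresholds (no SHA-1/MD5 proposals, DH group 14 or higher, a pre-shared key of at least 16 characters) are the author's assumptions about a sensible baseline, not requirements stated by the guide.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample in the shape of this guide's phase1/phase2 blocks.
# "NSKP-POP-A" keeps the guide's placeholders; "NSKP-POP-B" is filled in and
# limited to SHA-2 / GCM proposals. Addresses are RFC 5737 documentation space.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "NSKP-POP-A"
        set interface "wan1"             << change for your wan interface
        set ike-version 2
        set keylife 28800
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "XXXXX@XXXXXX"       << change for your localid
        set dhgrp 16 15 14
        set remote-gw 192.0.2.38
        set psksecret XXXXXXX            << change for your pre-shared key
    next
    edit "NSKP-POP-B"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256 aes128-sha256
        set localid "branch01@example.com"
        set dhgrp 16 15
        set remote-gw 192.0.2.39
        set psksecret Kq7zV9pLm2xW4rT8bN3cY6hJ
    next
end
config vpn ipsec phase2-interface
    edit "NSKP-POP-A"
        set phase1name "NSKP-POP-A"
        set proposal aes256gcm aes128gcm aes128-sha1 aes256-sha1
        set dhgrp 16 15 14
    next
    edit "NSKP-POP-B"
        set phase1name "NSKP-POP-B"
        set proposal aes256gcm aes128gcm
        set dhgrp 16 15
    next
end
"""

Entry = Dict[str, List[str]]

# Assumed baseline for the audit (not stated by the guide).
WEAK_HASHES = ("md5", "sha1")
MIN_DH_GROUP = 14
MIN_PSK_LENGTH = 16
EMAIL_ID = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_fortios(text: str) -> Dict[str, Dict[str, Entry]]:
    """Parse flat FortiOS config text into {table: {entry: {setting: [values]}}}.

    Inline '<<' notes, as used in this guide, are stripped before tokenising.
    Nested 'config' blocks inside an entry are not needed here and not handled.
    """
    tables: Dict[str, Dict[str, Entry]] = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.split("<<", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the double quotes around values
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            table = tables.setdefault(" ".join(args), {})
        elif keyword == "edit" and table is not None:
            entry = table.setdefault(args[0], {})
        elif keyword == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table = entry = None
    return tables


def audit_tunnel(cfg: Dict[str, Dict[str, Entry]], name: str) -> List[str]:
    """Return a list of findings for one tunnel; an empty list means it passed."""
    findings: List[str] = []
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(name)
    p2 = cfg.get("vpn ipsec phase2-interface", {}).get(name)
    if p1 is None:
        return [f"{name}: no phase1-interface entry"]
    if p1.get("ike-version", ["1"]) != ["2"]:
        findings.append(f"{name}: ike-version must be 2 (IKEv2)")
    psk = " ".join(p1.get("psksecret", []))
    if "XXX" in psk.upper() or len(psk) < MIN_PSK_LENGTH:
        findings.append(f"{name}: pre-shared key is a placeholder or shorter than {MIN_PSK_LENGTH} characters")
    localid = " ".join(p1.get("localid", []))
    if "XXX" in localid.upper() or not EMAIL_ID.match(localid):
        findings.append(f"{name}: localid should be an e-mail-style identity matching the tenant's source identity")
    for phase, entry in (("phase1", p1), ("phase2", p2)):
        if entry is None:
            findings.append(f"{name}: no {phase} entry")
            continue
        weak = [p for p in entry.get("proposal", []) if any(h in p for h in WEAK_HASHES)]
        if weak:
            findings.append(f"{name}: {phase} offers SHA-1/MD5 proposals: {' '.join(weak)}")
        low = [g for g in entry.get("dhgrp", []) if g.isdigit() and int(g) < MIN_DH_GROUP]
        if low:
            findings.append(f"{name}: {phase} allows DH group(s) below {MIN_DH_GROUP}: {' '.join(low)}")
    if p2 is not None and p2.get("phase1name") != [name]:
        findings.append(f"{name}: phase2 phase1name does not reference this tunnel")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    for tunnel in parsed["vpn ipsec phase1-interface"]:
        print(tunnel, audit_tunnel(parsed, tunnel) or ["OK"])
```

Run against a `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` dump from the device, the script flags the placeholders left in `NSKP-POP-A` and the SHA-1 proposals in both of its phases, while `NSKP-POP-B` passes. Whether the stricter proposal list can replace the guide's is something to confirm against the Netskope POP, which must accept at least one of the proposals offered.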
Configure FortiGate using the Web UI

To begin, you must create a VPN IPsec interface.

  1. Create a new IPsec Tunnel.

  2. In the VPN creation wizard, select the Custom template.

  3. In the Remote Gateway section, enter the IP Address and Interface information. Continue to the Authentication section and complete the Method and Pre-shared Key sections.

    Fortinet-FortiGate-Remote-Gateway.png
    Fortinet-FortiGate-Authentication.png
  4. Complete the Phase 1 section.

    Fortinet-FortiGate-Phase-1-Proposal.png

    Note

    The Local ID must be entered. Netskope recommends using an email format for the local ID, such as xxxx@xxxx.xxx. It must be the same as the source identity configured in your Netskope tenant.

  5. Complete the Phase 2 section. Enter the appropriate information into the Diffie-Hellman Group and Seconds sections.

    Fortinet-FortiGate-Phase-2-Proposal.png
  6. Click OK.

Create at least one policy.

  1. To create a policy with the VPN interface associated, go to Policy & Objects > Firewall Policy and click Create New.

  2. Enter the necessary information. For example:


To create the static route that installs the VPN interface in the RIB, go to Network > Static Routes, click Create New, and then click OK.


Note

The administrative distance must be the same as that of the default route. Give the VPN route a worse priority (a higher priority value) so that the default route stays preferred.

  1. By default, policy-based routing (PBR) is not visible in the Web GUI, so it must be enabled before a policy route can be created to redirect traffic to the Netskope tenant. To do so, go to System > Feature Visibility > Advanced Routing, enable Advanced Routing and click Apply. No reboot is needed, and this change does not affect production traffic.

  2. Go to Network > Policy Routes and click Create New.

  3. Create at least two policy routes (one for HTTP and another for HTTPS).


To integrate Netskope IPSec with FortiGate, create an IPsec tunnel in your Netskope tenant.

  1. Go to Settings > Security Cloud Platform > IPSec and click Add New Tunnel.

  2. Enter a unique tunnel name.

  3. (Optional) Enter the source IP address.

  4. Enter the source identity, which can be an IP address, FQDN, or email address.

  5. Select the Primary and Failover Netskope POPs from the dropdown lists. Select POPs nearest to your location.

  6. Enter your pre-shared key.

  7. Select an encryption cipher type from the dropdown list.

  8. Select the maximum bandwidth for the tunnel from the dropdown list.

  9. When finished, click Add.

IPSecConfig.png

Some Useful Debug Commands

Below are some commands that can be useful when completing the configuration.

How to debug an IPsec connection:

How to display the full routing table:

    get router info routing-table all

How to get an IPsec tunnel summary:

    get vpn ipsec tunnel summary

How to list IKE gateways:

    get vpn ike gateway

How to capture packets on any interface for port 443 (verbose level 4, unlimited packet count, absolute timestamps):

    diagnose sniffer packet any 'port 443' 4 0 a