Cloud Security: FortiGate Best Practices in Azure and AWS

Fortinet’s FortiGate offers a robust solution for enhancing cloud security in both Azure and AWS environments. This guide, based on HIFENCE & Fortinet’s best practices outlines key strategies, configurations, and recommendations to optimize the deployment and management of FortiGate instances across these platforms.

If you need any help you can contact us here, or you can check out our it consulting where we work together and help you secure your cloud environment.

FortiGate Deployment in Azure

Choosing the Right Instance:

  • For Azure, FortiGate supports F(s)-series, F(s)v2-series, D(s)v2-series, and D(s)v3-series instances.
  • Single VM Deployment: The Fsv2-series is recommended due to its support for accelerated networking, which is crucial for high-performance scenarios.
  • High Availability (HA) Configuration: Opt for F4s or DS3v2 or higher instances to accommodate the required four NICs for WAN, LAN, HA Sync, and HA Management with accelerated networking.

Licensing and Versions:

  • FortiGate offers various licensing models in Azure, including perpetual and term-based licenses, allowing businesses to choose based on their long-term or short-term usage and upgrade needs.

HA Configurations:

  • Active-Passive setups with Standard Load Balancer are recommended for maintaining high availability while ensuring seamless failover capabilities.
  • It’s crucial to enable floating IP on the load balancer rule for traffic forwarding and disable it for self-traffic like SSLVPN and IPsec.

FortiGate Deployment in AWS

Selecting the Appropriate Instance:

  • Supported instances include the T2-series, T3-series, C4-series, C5-series, and C5n-series.
  • Single VM Deployment: The C5n-series is recommended for enhanced networking.
  • HA Configurations: For HA setups, C5n.2xlarge or higher instances are advised to support the four necessary NICs.

Licensing and Versions:

  • FortiGate on AWS follows a similar licensing structure to Azure, offering flexibility in choosing between perpetual and term-based licenses according to the deployment’s scope and scale.

HA and Active-Active Models:

  • AWS supports Active-Passive configurations with Transit Gateway, offering streamlined management of inter-VPC traffic and external connections.
  • For high throughput requirements, Active-Active models with Gateway Load Balancer ensure optimal performance, although it requires careful consideration of NAT limitations and IPsec complexity.

Best Practices and Recommendations

For Both Azure and AWS:

  • Template and Automation: Utilize solution templates and automation tools like Terraform and Ansible for efficient deployment and management of FortiGate instances. Fortinet’s GitHub repositories provide a wealth of resources, including ARM templates for Azure and CloudFormation templates for AWS.
  • Auto-scaling: Consider auto-scaling solutions to dynamically adjust your security posture in response to traffic variations, ensuring cost-efficiency and resilience.

Specific to Azure:

  • Prioritize instance types that support accelerated networking to enhance performance.
  • Implement VNet peering and adjust your load balancer configurations to optimize for your specific traffic patterns, whether North-South, South-North, or East-West.

Specific to AWS:

  • Leverage Enhanced Networking with C5n instances for improved network performance.
  • Utilize AWS Gateway Load Balancer for Active-Active configurations, recognizing the trade-offs in terms of NAT capabilities and design complexity.

Conclusion

Deploying FortiGate in Azure and AWS requires careful consideration of your cloud environment’s unique requirements, from selecting the right instance types and licensing models to configuring high availability and scaling strategies.

Use this best practices before you deploy them into the Cloud.

If you need any help you can contact us here, or you can check out our it consulting where we work together and help you secure your cloud environment.