Merge pull request #117 from fortinet/dev_3.6.0_test
Release 3.6.0.
Showing
76 changed files
with
13,791 additions
and
3,342 deletions.
@@ -0,0 +1,48 @@ | ||
|
||
config firewall address | ||
edit internal-elb-web | ||
set type fqdn | ||
set fqdn "{INTERNAL_ELB_DNS}" | ||
set associated-interface "{EXTERNAL_INTERFACE}" | ||
next | ||
edit "private-subnet-egress" | ||
set associated-interface "{INTERNAL_INTERFACE}" | ||
next | ||
end | ||
|
||
config firewall vip | ||
edit internal-web | ||
set type fqdn | ||
set mapped-addr internal-elb-web | ||
set portforward enable | ||
set extintf "{EXTERNAL_INTERFACE}" | ||
set extport "{TRAFFIC_PORT}" | ||
set mappedport "{TRAFFIC_PORT}" | ||
next | ||
end | ||
|
||
config firewall policy | ||
edit 0 | ||
set name "internal-web-{TRAFFIC_PROTOCOL}-ingress" | ||
set srcintf "{EXTERNAL_INTERFACE}" | ||
set dstintf "{INTERNAL_INTERFACE}" | ||
set srcaddr "all" | ||
set dstaddr "internal-web" | ||
set action accept | ||
set schedule "always" | ||
set service "{TRAFFIC_PROTOCOL}" | ||
set nat enable | ||
next | ||
edit 0 | ||
set name "allow-private-subnet-egress" | ||
set srcintf "{INTERNAL_INTERFACE}" | ||
set dstintf "{EXTERNAL_INTERFACE}" | ||
set srcaddr "private-subnet-egress" | ||
set dstaddr "all" | ||
set action accept | ||
set schedule "always" | ||
set service "ALL" | ||
set nat enable | ||
next | ||
end | ||
|
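Review bot: The address object `private-subnet-egress` sets only `associated-interface` and no `set subnet`; on FortiOS an address object without a subnet defaults to 0.0.0.0/0 as far as I recall, so policy `allow-private-subnet-egress` (service `ALL`, NAT enabled) would match any source arriving on `{INTERNAL_INTERFACE}`, which is functionally the same as `srcaddr "all"`. If the intent is to limit egress to the private subnet, add `set subnet "<PRIVATE_SUBNET_CIDR placeholder — use whatever variable the template renderer provides>"` under that `edit`. If the unrestricted match is deliberate, a comment such as `# egress from any address on the internal interface; subnet intentionally unrestricted` would make the default explicit to the next reader.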
@@ -0,0 +1,219 @@ | ||
#set vdom-exception for sync exclusions | ||
config system vdom-exception | ||
edit 0 | ||
set object vpn.ipsec.phase1-interface | ||
next | ||
edit 0 | ||
set object vpn.ipsec.phase2-interface | ||
next | ||
edit 0 | ||
set object router.bgp | ||
next | ||
edit 0 | ||
set object router.route-map | ||
next | ||
edit 0 | ||
set object router.prefix-list | ||
next | ||
edit 0 | ||
set object firewall.ippool | ||
next | ||
end | ||
|
||
#Router Configuration | ||
config router prefix-list | ||
edit "pflist-default-route" | ||
config rule | ||
edit 1 | ||
set prefix 0.0.0.0 0.0.0.0 | ||
unset ge | ||
unset le | ||
next | ||
end | ||
next | ||
edit "pflist-port1" | ||
config rule | ||
edit 1 | ||
set prefix "{@device.networkInterfaces#0.privateIpAddress}" 255.255.255.255 | ||
unset ge | ||
unset le | ||
next | ||
end | ||
next | ||
end | ||
|
||
config router route-map | ||
edit "rmap-outbound" | ||
config rule | ||
edit 1 | ||
set match-ip-address "pflist-default-route" | ||
next | ||
edit 2 | ||
set match-ip-address "pflist-port1" | ||
next | ||
end | ||
next | ||
end | ||
|
||
#IPSec Tunnel #1 | ||
#1: Internet Key Exchange (IKE) Configuration | ||
config vpn ipsec phase1-interface | ||
edit "tgw-vpn-1" | ||
set interface "port1" | ||
set local-gw "{@device.networkInterfaces#0.privateIpAddress}" | ||
set dhgrp 2 | ||
set proposal aes128-sha1 | ||
set keylife 28800 | ||
set net-device enable | ||
set remote-gw "{@vpn_connection.ipsec_tunnel.vpn_gateway.tunnel_outside_address.ip_address}" | ||
set psksecret "{@vpn_connection.ipsec_tunnel.ike.pre_shared_key}" | ||
set dpd-retryinterval 10 | ||
next | ||
end | ||
|
||
#2: IPSec Configuration | ||
config vpn ipsec phase2-interface | ||
edit "tgw-vpn-1" | ||
set phase1name "tgw-vpn-1" | ||
set proposal aes128-sha1 | ||
set dhgrp 2 | ||
set keylifeseconds 3600 | ||
next | ||
end | ||
|
||
#3: Tunnel Interface Configuration | ||
config system interface | ||
edit "tgw-vpn-1" | ||
set interface "port1" | ||
set ip "{@vpn_connection.ipsec_tunnel.customer_gateway.tunnel_inside_address.ip_address}" 255.255.255.255 | ||
set allowaccess ping | ||
set type tunnel | ||
set tcp-mss 1379 | ||
set remote-ip "{@vpn_connection.ipsec_tunnel.vpn_gateway.tunnel_inside_address.ip_address}" "{@vpn_connection.ipsec_tunnel.vpn_gateway.tunnel_inside_address.network_mask}" | ||
next | ||
end | ||
|
||
#4: Border Gateway Protocol (BGP) Configuration | ||
config router bgp | ||
set as "{@vpn_connection.ipsec_tunnel.customer_gateway.bgp.asn}" | ||
set router-id "{@device.networkInterfaces#0.privateIpAddress}" | ||
set ebgp-multipath enable | ||
set network-import-check disable | ||
config neighbor | ||
edit "{@vpn_connection.ipsec_tunnel.vpn_gateway.tunnel_inside_address.ip_address}" | ||
set capability-default-originate enable | ||
set link-down-failover enable | ||
set description "{@vpn_connection.id}-1" | ||
set remote-as "{@vpn_connection.ipsec_tunnel.vpn_gateway.bgp.asn}" | ||
set route-map-out "rmap-outbound" | ||
next | ||
end | ||
config network | ||
edit 1 | ||
set prefix "{@device.networkInterfaces#0.privateIpAddress}" 255.255.255.255 | ||
next | ||
end | ||
end | ||
|
||
#IPSec Tunnel #2 | ||
#1: Internet Key Exchange (IKE) Configuration | ||
config vpn ipsec phase1-interface | ||
edit "tgw-vpn-2" | ||
set interface "port1" | ||
set local-gw "{@device.networkInterfaces#0.privateIpAddress}" | ||
set dhgrp 2 | ||
set proposal aes128-sha1 | ||
set keylife 28800 | ||
set net-device enable | ||
set remote-gw "{@vpn_connection.ipsec_tunnel#1.vpn_gateway.tunnel_outside_address.ip_address}" | ||
set psksecret "{@vpn_connection.ipsec_tunnel#1.ike.pre_shared_key}" | ||
set dpd-retryinterval 10 | ||
next | ||
end | ||
|
||
#2: IPSec Configuration | ||
config vpn ipsec phase2-interface | ||
edit "tgw-vpn-2" | ||
set phase1name "tgw-vpn-2" | ||
set proposal aes128-sha1 | ||
set dhgrp 2 | ||
set keylifeseconds 3600 | ||
next | ||
end | ||
|
||
#3: Tunnel Interface Configuration | ||
config system interface | ||
edit "tgw-vpn-2" | ||
set interface "port1" | ||
set ip "{@vpn_connection.ipsec_tunnel#1.customer_gateway.tunnel_inside_address.ip_address}" 255.255.255.255 | ||
set allowaccess ping | ||
set type tunnel | ||
set tcp-mss 1379 | ||
set remote-ip "{@vpn_connection.ipsec_tunnel#1.vpn_gateway.tunnel_inside_address.ip_address}" "{@vpn_connection.ipsec_tunnel#1.vpn_gateway.tunnel_inside_address.network_mask}" | ||
next | ||
end | ||
|
||
#4: Border Gateway Protocol (BGP) Configuration | ||
config router bgp | ||
set as "{@vpn_connection.ipsec_tunnel.customer_gateway.bgp.asn}" | ||
set router-id "{@device.networkInterfaces#0.privateIpAddress}" | ||
set ebgp-multipath enable | ||
set network-import-check disable | ||
config neighbor | ||
edit "{@vpn_connection.ipsec_tunnel#1.vpn_gateway.tunnel_inside_address.ip_address}" | ||
set capability-default-originate enable | ||
set link-down-failover enable | ||
set description "{@vpn_connection.id}-2" | ||
set remote-as "{@vpn_connection.ipsec_tunnel#1.vpn_gateway.bgp.asn}" | ||
set route-map-out "rmap-outbound" | ||
next | ||
end | ||
config network | ||
edit 1 | ||
set prefix "{@device.networkInterfaces#0.privateIpAddress}" 255.255.255.255 | ||
next | ||
end | ||
end | ||
|
||
#Firewall Configuration (do this after the two tunnels have been set) | ||
|
||
config firewall ippool | ||
edit "ippool" | ||
set startip "{@device.networkInterfaces#0.privateIpAddress}" | ||
set endip "{@device.networkInterfaces#0.privateIpAddress}" | ||
next | ||
end | ||
|
||
config system zone | ||
edit "sys-zone-tgw-vpn" | ||
set interface "tgw-vpn-1" "tgw-vpn-2" | ||
next | ||
end | ||
|
||
#Firewall Policy Configuration | ||
config firewall policy | ||
edit 1 | ||
set name "vpc-vpc_access" | ||
set srcintf "sys-zone-tgw-vpn" | ||
set dstintf "sys-zone-tgw-vpn" | ||
set srcaddr "all" | ||
set dstaddr "all" | ||
set action accept | ||
set schedule "always" | ||
set service "ALL" | ||
set nat enable | ||
set ippool enable | ||
set poolname "ippool" | ||
next | ||
edit 2 | ||
set name "vpc-internet_access" | ||
set srcintf "sys-zone-tgw-vpn" | ||
set dstintf "port1" | ||
set srcaddr "all" | ||
set dstaddr "all" | ||
set action accept | ||
set schedule "always" | ||
set service "ALL" | ||
set nat enable | ||
next | ||
end |
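Review bot: Both tunnels negotiate `set dhgrp 2` and `set proposal aes128-sha1` in the `tgw-vpn-1`/`tgw-vpn-2` phase1-interface and phase2-interface entries; DH group 2 (1024-bit MODP) and SHA-1 integrity are below current guidance, and AWS Site-to-Site VPN tunnel options can be configured for AES-256, SHA-2 and DH group 14 or higher. If the VPN connection is created with matching tunnel options, the lines become `set dhgrp 14` and `set proposal aes256-sha256` in all four places; if the weaker defaults must stay to match the AWS side as provisioned, a comment such as `# aes128-sha1/dhgrp 2 chosen to match the AWS tunnel options in use` would stop a later reader from changing one side only. Separately, the `psksecret` lines render the tunnel pre-shared keys into the generated config, so the rendered output should be handled as secret-bearing wherever it is logged or stored.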
Empty file.
@@ -0,0 +1,13 @@ | ||
|
||
config sys interface | ||
edit "port3" | ||
set mode dhcp | ||
set defaultgw disable | ||
set allowaccess ping https ssh fgfm | ||
next | ||
edit "port4" | ||
set mode dhcp | ||
set defaultgw disable | ||
set allowaccess ping https ssh fgfm | ||
next | ||
end |
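Review bot: `set allowaccess ping https ssh fgfm` on `port3` and `port4` enables HTTPS and SSH administration on both DHCP interfaces, and no `config system admin` trusthost restriction is visible in this file. If these ports carry data-plane or untrusted traffic rather than management, trimming to `set allowaccess ping fgfm` (or whatever the role actually needs) would reduce exposure. Either way, a header comment naming the intended role of port3/port4 would make the allowaccess choice reviewable.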
@@ -0,0 +1,15 @@ | ||
config system dns | ||
unset primary | ||
unset secondary | ||
end | ||
config system global | ||
set admin-sport "{ADMIN_PORT}" | ||
end | ||
config system auto-scale | ||
set status enable | ||
set sync-interface "{SYNC_INTERFACE}" | ||
set hb-interval "{HEART_BEAT_INTERVAL}" | ||
set role primary | ||
set callback-url "{CALLBACK_URL}" | ||
set psksecret "{PSK_SECRET}" | ||
end |
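Review bot: `set psksecret "{PSK_SECRET}"` in `config system auto-scale` means the auto-scale pre-shared key is rendered into this config text, so anything that persists or logs the rendered config should be treated as secret-bearing; a comment such as `# psksecret is injected at render time; rendered output must not be logged` would flag that. Also, `unset primary` and `unset secondary` under `config system dns` leave the unit with no statically configured resolver; if the intent is to rely on DHCP-provided DNS, a one-line comment saying so would help, since otherwise unsetting both reads like a mistake.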
@@ -0,0 +1,8 @@ | ||
config log fortianalyzer setting | ||
set status enable | ||
set server "{FAZ_PRIVATE_IP}" | ||
set reliable enable | ||
end | ||
config report setting | ||
set pdf-report disable | ||
end |
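Review bot: `config log fortianalyzer setting` points at `{FAZ_PRIVATE_IP}` with `set reliable enable`, but nothing in this file pins the FortiAnalyzer's identity; FortiOS releases that support `set certificate-verification enable` (and `set serial`) can verify the peer, and enabling that where available would protect the log channel against a misrouted or substituted collector even on a private subnet. If the target FortiOS release lacks those options, a comment noting that the channel relies on VPC network isolation would document the assumption.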
@@ -0,0 +1,14 @@ | ||
config sys interface | ||
edit "port2" | ||
set mode dhcp | ||
set allowaccess ping https ssh http fgfm | ||
next | ||
end | ||
|
||
config router static | ||
edit 1 | ||
set dst "{VIRTUAL_NETWORK_CIDR}" | ||
set device "port2" | ||
set dynamic-gateway enable | ||
next | ||
end |
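Review bot: `set allowaccess ping https ssh http fgfm` on `port2` includes `http`, which enables cleartext administrative GUI access on that interface; the other interface files in this commit (port3/port4) grant only `ping https ssh fgfm`. Unless plain HTTP is needed for a redirect or a specific health check, dropping it for consistency — `set allowaccess ping https ssh fgfm` — removes a cleartext admin path. If it is needed, a comment naming the reason would keep it from being removed later.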