Public Cloud 6.4 Study Guide-Online

Uploaded by

rjuniorcas

DO NOT REPRINT

© FORTINET

Public Cloud Security


Study Guide
for FortiGate 6.4 and FortiWeb 6.3
Fortinet Training
https://training.fortinet.com

Fortinet Document Library


https://docs.fortinet.com

Fortinet Knowledge Base


https://kb.fortinet.com

Fortinet Fuse User Community


https://fusecommunity.fortinet.com/home

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com

FortiGuard Labs
https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)


https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE


https://home.pearsonvue.com/fortinet

Feedback
Email: [email protected]

10/13/2020

TABLE OF CONTENTS

01 Introduction to Public Cloud 4
02 Fortinet Solutions for the Public Cloud 31
03 Fortinet Solution for AWS 55
04 Fortinet Solution for Azure 109
05 Fortinet Solution for Google Cloud Platform 152
06 FortiCWP and FortiCASB 180
Introduction to the Public Cloud


In this lesson, you will learn about public cloud security.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the fundamentals of public cloud, you will be able to
understand how public cloud applies to your network.


The term public cloud comes from the marketing world, but in the technology world, public cloud can mean
one or more specific concepts. As shown on this slide, there are many different versions of a public cloud
solution. In a traditional on-premises scenario, all the servers, switches, and databases run locally, on site.
The virtual machines (VMs) that you deploy during the labs are considered to be infrastructure as a service
(IaaS). In an IaaS solution, some parts of networking and services are managed by the vendor, and other
parts are managed by the customer. There is also a solution called platform as a service (PaaS), where the
customer is responsible for programming applications and the rest of the services are managed by the
vendor. Finally, in the software as a service (SaaS) solution, the customer is using the services as a
consumer, for running applications. Some examples are Dropbox, Office365, and Salesforce. This course
focuses on the IaaS solution.


An IaaS solution involves multiple vendors. The most popular vendors are AWS and Azure. The cloud solution
vendor AWS is the most popular in North America, while Azure is the most popular in the rest of the world. Other
cloud solution vendors include Google Cloud, IBM Cloud, Oracle Cloud, and Alibaba Cloud, to name a few.


Vendor service names are vendor specific. As shown on this cheat sheet slide, the VM is named differently for
each vendor. For example, the Amazon Web Services VM is named Amazon Elastic Compute Cloud (EC2).
For Azure, the VM is named Virtual Machines, and for Google Cloud Platform, the VM is named Google
Compute Engine. There are also different names for DNS. For example, Amazon Route 53, Azure DNS, and
Google Cloud DNS. The content delivery network name is also based on the vendor, such as Amazon
Cloudfront, Azure CDN, and Google Cloud CDN.


This slide shows the cloud security shared responsibility model. The lower stack includes the elements that
are provided and, therefore, secured by the cloud service provider. Cloud customers are responsible for
securing the remaining elements―network, applications, and data. The cloud security model is commonly
broken down using the familiar OSI layers model; however, the OSI layers model doesn’t represent the
security responsibility breakdown. In some cases, cloud users will build overlay networks on top of the cloud
network, or layer additional services on top of existing infrastructure services. In cases like these,
responsibility for the security of the modified infrastructure belongs to the customer. Essentially, if you manage
it, you are responsible for it.


According to the best practice white paper published by Amazon, “Many organizations consider layered
security to be a best practice” for protecting network infrastructure. In the cloud, you can use a combination of
Amazon VPC, implicit firewall rules at the hypervisor layer, alongside network access control lists, security
groups, host-based firewalls, and IDS/IPS systems to create a layered solution for network security. The
document also suggests defense in depth in the public cloud. While security groups, NACLs, and host-based
firewalls meet the needs of many customers, if you’re looking for defense in depth, you should deploy a
network-level security control appliance, and you should do so inline, where traffic is intercepted and
analyzed prior to being forwarded to its final destination, such as an application server.


The first issue to consider as you look towards the cloud is which architectural approach you want to take in
adopting cloud services. The classes of cloud architecture are public, private, hybrid, and community. Now,
you will briefly examine each of the cloud solutions.

• Public Cloud: Public clouds are available to any organization, and a variety of well-known vendors
including Amazon, Microsoft, Google, Oracle, and Alibaba provide these public cloud environments.
• Private Cloud: As the name suggests, private clouds are designed to be visible only to the organization
that creates them. Private clouds provide many of the same benefits that a public cloud does, and still
allow you to maintain ownership of the data and equipment. A private cloud is essentially a private data
center that an organization creates with stacks of servers all running virtual environments, providing a
consolidated, efficient platform on which to run applications and store data.
• Hybrid Clouds: The cloud infrastructure is a composition of two or more distinct cloud infrastructures
(private, community, or public) that remain unique entities, but are bound together by standardized or
proprietary technology that enables data and application portability (for example, cloud bursting for load
balancing between clouds).
• Community Clouds: The cloud infrastructure is provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (for example, mission, security requirements,
policy, and compliance considerations). It may be owned, managed, and operated by one or more of the
organizations in the community, a third party, or some combination of them, and it may exist on or off-
premises.


Hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party,
public cloud services, with orchestration between the two platforms. Most organizations are in the process of
moving from an on-premises data center to a public cloud service and planning to maintain a combination of
both conventional IT and public cloud deployments. A hybrid cloud environment accommodates applications
that should run only on-premises and applications that can run on only a public cloud. A hybrid cloud lets you
allocate public cloud resources for short-term projects, at a lower cost than using your own data center IT
infrastructure. That way, you don’t overinvest in equipment that you will need only temporarily. For example, a
customer could choose to run an ecommerce application locally during the normal sale days, but then use a
paid public cloud service to run the same ecommerce application during a peak sales event like Black Friday,
when more computing power is needed to meet the higher sales demand.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in networking in the public cloud, you will be able to understand traffic flow,
and how to manipulate traffic using routes in a virtual network.


The Azure networking component manages all ARP traffic. In the scenario shown on this slide, the Azure
route service is responsible for the ARP reply. When client IP 10.0.2.4 makes the ARP request, the Azure
route service always replies with the MAC address 12:34:56:78:9A:BC. If you check the ARP table, you
will see the same MAC address for all the neighbors; however, if AWS is used, you will see the actual MAC
addresses of the VMs. Keep in mind that all traffic is always directed to the route service. When client A wants
to talk to client B, client A generates a unicast packet directed to the MAC address 12:34:56:78:9A:BC.
The mapping service performs a kind of destination NAT on the MAC address, replacing it with the actual MAC
address of the destination VM. Note that the Azure route service is not actually a router, but a service that
facilitates communication between VMs.


Now, you will learn about traffic flow in a virtual network. As shown on this slide, there is a virtual network. The
virtual network is a group of different subnets within the same networking block. The name of the virtual
network is based on the vendor. In AWS, the virtual network is called VPC, and in Azure, it is called Vnet, but
in general, it is called virtual network. Within the virtual network, there are different subnets, for example LAN
subnet and DMZ subnet. Every virtual network contains a central router. At first glance, the virtual network
seems to have a very simple setup―one VM needs to connect to another VM that is in the same network.
However, the setup is not as simple as it appears on this slide.


Now, you will learn more about connectivity between two VMs in the same subnet. As shown on this slide, two
VMs are on the same subnet, 10.0.1.4 and 10.0.1.5, and you will learn how the VMs behave when you
ping from VM 10.0.1.4 to VM 10.0.1.5. Take note of the MAC address of VM 10.0.1.5 because it will
become important in a moment.


As shown on this slide, the ping runs between the two VMs. In an Ethernet Layer 2 network, the source VM
would have sent out an ARP request for 10.0.1.5, then sent an echo request, and then the destination VM
would have sent an ARP request for 10.0.1.4 and then sent the reply. However, the behavior is different in
the Azure cloud. The VMs in the cloud use a virtualized Ethernet adapter (the OS in the VM follows that
behavior). However, there is not a real Layer 2 Ethernet network connected to the VM. Instead, it is plugged
into the Azure cloud.

Now you will learn how ping works in the Azure cloud. Based on the scenario shown on this slide, the Azure
cloud sends a response to the ARP with the fake MAC address 123456789abc; it uses the same fake MAC
address for every ARP response. Consider that although these two VMs are in the same subnet, they are
likely not on the same physical host, or necessarily in the same rack, or possibly in the same Availability
Zone/datacenter. So the Azure cloud intercepts the packet, reads the Layer 3 destination IP address of the
ARP and provides the MAC address. The Azure ARP response is simply to get the VM OS to send the actual
packet. Once the packet comes out, it will use the destination IP address of the packet (not the MAC) to get it
to the correct VM.
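The guide's observation that an Azure VM sees one synthetic MAC for every neighbor, while an AWS instance sees real per-host MACs, can be checked from inside a VM by reading its neighbor table. The following is an added example (not part of the study guide and not Fortinet code) that parses Windows-style `arp -a` output, which is what the guide's `ipconfig` screenshots come from; both tables below are constructed sample output, not real captures, and the classification is a heuristic based only on what the text describes.

```python
# Added example (not from the study guide): parse a Windows-style "arp -a"
# neighbour table and flag the Azure behaviour described above, where every
# neighbour resolves to the same synthetic MAC 12:34:56:78:9A:BC. The two
# tables below are constructed sample output, not captures from real VMs.
import re
from collections import Counter

AZURE_SYNTHETIC_MAC = "12:34:56:78:9a:bc"   # value quoted in the guide, normalised
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed: what the guide says an Azure VM at 10.0.1.4 would show
ARP_TABLE_AZURE = """\
Interface: 10.0.1.4 --- 0x4
  Internet Address      Physical Address      Type
  10.0.1.1              12-34-56-78-9a-bc     dynamic
  10.0.1.5              12-34-56-78-9a-bc     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed: per-host MACs, as the guide says an AWS instance would show
ARP_TABLE_AWS = """\
Interface: 10.0.1.4 --- 0x4
  Internet Address      Physical Address      Type
  10.0.1.1              0a-1b-2c-3d-4e-01     dynamic
  10.0.1.5              0a-1b-2c-3d-4e-02     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic unicast entries; MACs normalised to aa:bb:cc:dd:ee:ff."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue                      # interface line or column header
        ip, mac, kind = match.groups()
        mac = mac.lower().replace("-", ":")
        if kind.lower() != "dynamic" or mac == BROADCAST_MAC:
            continue                      # skip static and broadcast entries
        entries[ip] = mac
    return entries


def classify_neighbours(entries):
    """'azure-synthetic', 'shared-mac', 'per-host' or 'undetermined'."""
    if len(entries) < 2:
        return "undetermined"             # a single neighbour proves nothing
    macs = Counter(entries.values())
    if len(macs) == 1:
        only_mac = next(iter(macs))
        return "azure-synthetic" if only_mac == AZURE_SYNTHETIC_MAC else "shared-mac"
    return "per-host"


if __name__ == "__main__":
    for label, table in (("azure", ARP_TABLE_AZURE), ("aws", ARP_TABLE_AWS)):
        print(label, classify_neighbours(parse_arp_table(table)))
```

The parser handles only the Windows table layout shown; Linux `ip neigh` output has a different shape and would need its own pattern. The practical point for a defender is the one the text makes: on Azure a MAC address in the neighbor table identifies nothing, so any monitoring or control that keys on Layer 2 addresses cannot be relied on there.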


Now take a look at the source and destination MAC inside the VMs using the ipconfig command. Note
that these screenshots were taken from a different set of VMs than shown on the previous slides. They use
the same IP addresses, but have different MAC addresses than shown on the previous slides.

The PCAP screen capture shows that the ping arrives at the destination and the source MAC is not that of the
host in the same subnet, but of some Arista equipment, presumably the end of a tunnel/encapsulation point
inside the Azure datacenter. The destination is the real MAC address of the VM, though the source VM never
learned that MAC address through ARP. In Azure, the cloud sends the source VM an ARP reply for
10.0.1.5 with a fake MAC, requesting the packet details. Then it encapsulates the packet and tunnels it to
the destination VM. The IP address in every VM has to match how the cloud is configured for that VM.


In the scenario shown on this slide, two VMs connect to each other by connecting between subnets in the
same virtual network using a router.


Now you will learn the behavior of ping between two VMs in different subnets. There are two VMs in this
scenario and two subnets, 10.0.1.4 and 10.0.2.4. Note that 10.0.X.1 is the cloud routing service in each
subnet and listed as the default gateway for each VM.


Now, closely examine the ping and traceroute windows. As you will see, the ping traffic works, but no default
gateway shows up in the traceroute window. This is mainly because the routing service is not a real
router, but is instead just a service responsible for routing. You can ping between VMs, and the Azure cloud
responds to it, but it is not an actual router in the traditional sense. You will also notice that the ARP reply on it
is the same fake MAC 123456789abc.

The VM OS on 10.0.1.4 sends out the echo request to the destination IP address 10.0.2.5, and the cloud
notices the destination IP address. The cloud determines that the destination IP address is configured for
another VM. The cloud encapsulates the packet in the same way as on the same subnet scenario, and then
sends it to the destination VM. It is important to know that the packet never goes through a traditional router
that has to change destination MAC addresses, so it does not show up in traceroute.


When a VM needs to connect to the internet, it must first connect to the router that sits between it and the
internet. In the scenario shown on this slide, traffic must NAT using a router that sits between the private IP
address and the public IP address. The VM cannot have a public IP address on its network interface. The
public IP address is managed by the cloud vendor.


How does the traffic flow from the internet to the VM? One-to-one NAT connects the internet to the VM. Note
that all the VMs have a private IP address on their interface and cannot have a public IP address. Configuring
a public IP address on the VM interface is a mistake that is commonly made by administrators.


Now, you will learn about Layer 2 networking in AWS cloud computing. Layer 2 networking works differently in
cloud computing. How does instance A communicate with instance B? As computer nodes in a regular
network, instance B must make the ARP request; therefore, it must make the broadcast requesting the MAC
address. However, in the cloud environment, there could be thousands of machines between two instances
generating lots of broadcast traffic in cloud switches, which is very problematic. So, what solution minimizes
the vast amount of broadcast traffic in cloud computing? The solution is the AWS mapping service, which
contains all the MAC addresses and IP addresses of the subnet as a database. As shown on this slide, the
AWS mapping service is responsible for capturing the request packet and replying with the correct MAC
address of instance B. The AWS mapping service checks its database for the correct IP address and
corresponding MAC address, and then the traffic flows from the MAC address to the MAC address on
instance B. So, there is no broadcast going over the network. It is important to know that you must assign and
declare all your VM IP addresses in the cloud portal. The cloud vendor console must sync IP information with
the VMs. If you add an IP address to the VM, you must add the IP addresses to the configuration of the cloud
console. Also, there is a cache service available inside the physical host that records all the information. If you
change the IP address of the VM, it may take some time to update that information in the cache service, so
keep this in mind if you encounter any connectivity issues after changing the IP address of the host.


Now, you will learn about Layer 2 restrictions in cloud computing. An instance will receive the traffic only if the
IP address is defined in the cloud console. If there are static or virtual IP addresses configured on the virtual
machine, you must make sure that those IP addresses are configured on the cloud console as well. In terms
of Layer 2 restrictions, there shouldn’t be any traditional Layer 2 traffic, such as FortiGate clustering protocol,
gratuitous ARP, instant IP failover, and so on. Basically, there is no broadcast or multicast traffic in cloud
computing; only unicast traffic is allowed. Also, no Layer 2 modes are allowed in cloud computing, for
example, transparent mode or virtual wire.
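The mapping-service behavior described on the previous slide and the Layer 2 restrictions on this one follow from the same mechanism: ARP is answered from the console's IP database and frames are delivered by destination IP, so an IP the console does not know about, and any broadcast or multicast frame, simply goes nowhere. The following is an added toy model of that mechanism (not Fortinet code and not an implementation of any vendor's service, which is a lesson illustration only); it also reproduces the Azure case from earlier in the lesson, where the ARP reply is one synthetic MAC for every neighbor. The `CloudFabric` and `Instance` names, the MACs and the addresses are all constructed.

```python
# Added example (not Fortinet or cloud-provider code): a toy model of the
# behaviour described above. The "console" registry stands in for the IP
# addresses declared in the cloud portal; ARP is answered by the fabric from
# that registry (a synthetic MAC in "azure" mode, the real MAC in "aws" mode),
# frames are delivered by destination IP, and broadcast/multicast frames or
# traffic to an undeclared IP go nowhere. All names, MACs and IPs are constructed.
from dataclasses import dataclass, field

AZURE_SYNTHETIC_MAC = "12:34:56:78:9a:bc"   # the fixed reply quoted in the guide
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
IPV4_MULTICAST_PREFIX = "01:00:5e"


@dataclass
class Instance:
    name: str
    mac: str                                  # real NIC MAC of the VM
    ips: set = field(default_factory=set)     # IPs the console knows for it
    received: list = field(default_factory=list)


class CloudFabric:
    """Mapping service plus delivery, in 'aws' or 'azure' mode."""

    def __init__(self, mode):
        assert mode in ("aws", "azure")
        self.mode = mode
        self.by_ip = {}                       # console database: IP -> Instance

    def register(self, inst, *ips):
        """Console-side step: declare an IP for an instance. Secondary or
        virtual IPs added inside the guest need this step too."""
        for ip in ips:
            inst.ips.add(ip)
            self.by_ip[ip] = inst

    def arp_reply(self, target_ip):
        """The fabric intercepts the ARP request; nothing is broadcast."""
        inst = self.by_ip.get(target_ip)
        if inst is None:
            return None
        return AZURE_SYNTHETIC_MAC if self.mode == "azure" else inst.mac

    def send(self, src, dst_mac, dst_ip, payload):
        """Deliver one frame; the destination is chosen by IP, not by MAC."""
        if dst_mac == BROADCAST_MAC or dst_mac.startswith(IPV4_MULTICAST_PREFIX):
            return "dropped: broadcast/multicast is not carried"
        dst = self.by_ip.get(dst_ip)
        if dst is None:
            return "dropped: destination IP not declared in the console"
        dst.received.append((src.name, dst_ip, payload))
        return f"delivered to {dst.name}"


def ping_scenario(mode):
    """Walk the cases from the text and return the outcome of each."""
    fabric = CloudFabric(mode)
    vm_a = Instance("vm-a", "0a:00:00:00:00:01")
    vm_b = Instance("vm-b", "0a:00:00:00:00:02")
    fabric.register(vm_a, "10.0.1.4")
    fabric.register(vm_b, "10.0.1.5")
    out = {}
    out["arp_mac"] = fabric.arp_reply("10.0.1.5")
    out["ping"] = fabric.send(vm_a, out["arp_mac"], "10.0.1.5", "echo-request")
    # A virtual IP configured only inside vm-b's guest OS, never in the console:
    out["vip_undeclared"] = fabric.send(vm_a, out["arp_mac"], "10.0.1.50", "echo-request")
    fabric.register(vm_b, "10.0.1.50")       # the fix: declare it in the console
    out["vip_declared"] = fabric.send(vm_a, out["arp_mac"], "10.0.1.50", "echo-request")
    # A gratuitous ARP (broadcast) used for IP failover never reaches other hosts:
    out["gratuitous_arp"] = fabric.send(vm_b, BROADCAST_MAC, "10.0.1.5", "garp")
    return out


if __name__ == "__main__":
    for mode in ("azure", "aws"):
        print(mode, ping_scenario(mode))
```

The two dropped cases are the ones that show up as "it pings from nowhere" during the labs: a secondary address added only in the guest, and clustering or failover traffic that depends on gratuitous ARP. In both cases the cloud console, not the VM, is where the fix goes.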


In Azure, you can use user-defined routes. An administrator can configure all the routes to force traffic to the
correct destinations. UDRs are similar to the policy routes on FortiGate. This slide shows two VMs and one
FortiGate device. If the VM in subnet 3 needs to connect to the internet, the administrator can configure a
UDR to force traffic to FortiGate first, then from FortiGate to the internet. In the scenario shown on this slide,
traffic can be inspected by FortiGate before going out to the internet. Any traffic going to the internet is source
NATed to the public IP address; however, that public IP address is not configured directly on the FortiGate
device. At the same time, the administrator can configure a route to inspect traffic going from one subnet to
another. Traffic destined to subnet 2 from subnet 3 can be forced to go to FortiGate first then to subnet 2. As
shown on this slide, FortiGate can have only a single interface for both incoming and outgoing traffic. When
creating a policy, you can create a policy from port1 to port1, source 10.0.3.0/24 and destination
0.0.0.0/0 to go to the internet.

Also keep in mind that the router shown on this slide does not exist; it is only a service moving traffic
based on the UDR. By default, the VMs can communicate directly out to the internet, and if they have a public
IP (PIP) assigned, public clients can connect directly to any services enabled on them.


Now, you will learn about routing restrictions in cloud computing. When traffic enters the virtual network, it
must first go through the routing table, which is configured on the cloud console. At the same time, traffic
leaving a VM instance must have a valid route from the local subnet router; otherwise, traffic will be
blackholed. Keep in mind that there is always an embedded router on every subnet and all virtual machines
use the embedded router as the default gateway.
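The UDR scenario on the previous slide and the blackholing rule on this one can be worked through as a route lookup. The following is an added example (not Fortinet or Microsoft code) that models a VNet route table the way the text describes it: system routes for the VNet and the internet, UDRs attached to subnet 3 that override them by longest prefix, a second lookup from the FortiGate's own subnet to see where the appliance forwards, and a FortiGate policy matching the port1-to-port1 rule from the text. The FortiGate address 10.0.1.4, the subnet layout, the `next_hop`/`path` helper names and the 192.168.0.0/16 blackhole entry are constructed for this illustration.

```python
# Added example (not Fortinet or Microsoft code): longest-prefix route lookup
# for a VNet with system routes plus the UDRs described above on subnet 3,
# then a second lookup from the FortiGate's own subnet to find where it forwards.
# The FortiGate address 10.0.1.4, the subnet layout and the 192.168.0.0/16
# blackhole entry are constructed for this scenario.
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


VNET = net("10.0.0.0/16")
FORTIGATE_PORT1 = "10.0.1.4"        # assumed: FortiGate port1 address in subnet 1
FORTIGATE_SUBNET = "subnet1"

# System routes every subnet gets: (prefix, (next-hop type, next-hop address))
SYSTEM_ROUTES = [
    (VNET, ("VirtualNetwork", None)),
    (net("0.0.0.0/0"), ("Internet", None)),
]

# UDRs attached to subnet 3 only; subnet 1 and subnet 2 keep the system routes.
UDR_SUBNET3 = [
    (net("0.0.0.0/0"), ("VirtualAppliance", FORTIGATE_PORT1)),     # internet via FortiGate
    (net("10.0.2.0/24"), ("VirtualAppliance", FORTIGATE_PORT1)),   # subnet 2 via FortiGate
    (net("192.168.0.0/16"), ("None", None)),                       # constructed: blackhole
]
ROUTE_TABLES = {"subnet3": UDR_SUBNET3}


def next_hop(src_subnet, dst_ip):
    """Longest prefix wins; on equal length a UDR beats a system route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    tables = (("system", SYSTEM_ROUTES), ("udr", ROUTE_TABLES.get(src_subnet, [])))
    for origin, routes in tables:
        for prefix, hop in routes:
            if dst not in prefix:
                continue
            rank = (prefix.prefixlen, origin == "udr")
            if best is None or rank > best[0]:
                best = (rank, hop)
    if best is None or best[1][0] == "None":
        return ("blackhole", None)        # no usable route: the packet is dropped
    return best[1]


# FortiGate policy from the text: port1 -> port1, 10.0.3.0/24 -> 0.0.0.0/0
FGT_POLICIES = [
    ("port1", "port1", net("10.0.3.0/24"), net("0.0.0.0/0"), "accept"),
]


def fortigate_permits(src_ip, dst_ip, ingress="port1", egress="port1"):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for srcintf, dstintf, srcaddr, dstaddr, action in FGT_POLICIES:
        if (srcintf, dstintf) == (ingress, egress) and src in srcaddr and dst in dstaddr:
            return action == "accept"
    return False                          # implicit deny


def path(src_subnet, src_ip, dst_ip):
    """Hops a packet takes: the appliance, then whatever its own subnet routes to."""
    hops, subnet = [], src_subnet
    for _ in range(3):                    # bounded, so a UDR loop cannot spin forever
        hop_type, _addr = next_hop(subnet, dst_ip)
        if hop_type == "blackhole":
            return hops + ["blackholed"]
        if hop_type == "VirtualAppliance":
            if not fortigate_permits(src_ip, dst_ip):
                return hops + ["FortiGate", "denied by policy"]
            hops.append("FortiGate")
            subnet = FORTIGATE_SUBNET     # the FortiGate's subnet has no UDR
            continue
        return hops + [hop_type]
    return hops + ["routing loop"]


if __name__ == "__main__":
    print(path("subnet3", "10.0.3.4", "203.0.113.10"))   # via FortiGate to the internet
    print(path("subnet3", "10.0.3.4", "10.0.2.4"))       # via FortiGate to subnet 2
    print(path("subnet2", "10.0.2.4", "10.0.3.4"))       # direct: no UDR on subnet 2
    print(path("subnet3", "10.0.3.4", "192.168.1.1"))    # blackholed
```

Two things the lookup makes visible that the slide does not: the source NAT to the public IP happens in the fabric after the FortiGate forwards to the `Internet` hop, which is why the public IP is never configured on the FortiGate itself, and traffic from subnet 2 toward subnet 3 bypasses the appliance because only subnet 3 carries the UDR. When you expect inspection in both directions, check that every subnet on the path has a matching route, otherwise return traffic takes the system route and the FortiGate sees only half the session.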


Now, you will learn about the security aspect of cloud computing. There are access control lists directly
embedded in the networking part of cloud computing. However, these access control lists are very basic and
have some limitations. ACLs work only at Layer 4, have poor or no logging capabilities, and are very hard to
maintain. Moreover, access list names are based on the vendor. For example, AWS has both ACLs and security
groups, while Azure has network security groups and Azure Firewall. You will learn more about these lists later
in this course. Access control lists can be applied in different places, such as virtual NICs, VMs, and subnets,
to name a few. Why is the cloud considered more secure than a traditional network? This is mainly related to
ACLs. ACLs can be applied directly to network interfaces and help to secure east-west traffic, by default.
Keep in mind that if you encounter any issues during the lab and troubleshooting, it could be an ACL, so you
need to pay extra attention during the labs.
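To make the Layer 4 limitation concrete, the following is an added example (not any vendor's ACL engine, and not Fortinet code) that evaluates two stateless access lists over sample flows: one attached to a subnet and one to a VM's NIC, so a flow reaches the VM only if both allow it. Rule numbers, prefixes and ports are constructed; the rule that admits the whole 1024-65535 port range is the typical workaround for a stateless list needing to pass reply traffic, and it is the kind of entry the text has in mind when it calls these lists hard to maintain.

```python
# Added example (not any vendor's ACL engine): evaluate stateless Layer 4
# access lists over sample flows. Rule numbers, prefixes and ports are
# constructed; the lowest rule number matches first and anything unmatched
# hits the implicit deny, so a flow is admitted only if every list on its
# path allows it.
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


# (rule number, protocol, source prefix, destination port range, action)
SUBNET_ACL = [
    (100, "tcp", net("0.0.0.0/0"), (443, 443), "allow"),        # HTTPS from anywhere
    (110, "tcp", net("10.0.0.0/16"), (22, 22), "allow"),        # SSH from inside the VPC/VNet
    (120, "tcp", net("0.0.0.0/0"), (1024, 65535), "allow"),     # stateless: replies to outbound connections
]
NIC_ACL_WEB = [
    (100, "tcp", net("0.0.0.0/0"), (443, 443), "allow"),        # web VM: only HTTPS in
]


def evaluate(acl, proto, src_ip, dst_port):
    """Return (action, rule number) of the first matching rule, or ('deny', None)."""
    src = ipaddress.ip_address(src_ip)
    for number, rproto, prefix, (lo, hi), action in sorted(acl, key=lambda r: r[0]):
        if rproto in (proto, "any") and src in prefix and lo <= dst_port <= hi:
            return action, number
    return "deny", None                   # implicit deny: no log line, just silence


def admitted(proto, src_ip, dst_port, acls=(SUBNET_ACL, NIC_ACL_WEB)):
    """A flow reaches the VM only if the subnet list and the NIC list both allow it."""
    decisions = [evaluate(acl, proto, src_ip, dst_port) for acl in acls]
    return all(action == "allow" for action, _ in decisions), decisions


if __name__ == "__main__":
    print(admitted("tcp", "203.0.113.7", 443))    # allowed by both lists
    print(admitted("tcp", "10.0.2.4", 22))        # subnet allows, NIC denies (east-west)
    print(admitted("tcp", "203.0.113.7", 8080))   # port-only matching: no app awareness
```

The third case is the limitation in one line: the subnet list admits port 8080 because it falls inside the reply-port range, and nothing in the list can tell a legitimate reply from a new inbound connection or say what application is on the port. That gap, and the absence of a log entry for the implicit deny, is what the inline appliance discussed earlier in the lesson is meant to fill.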


This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this
lesson, you learned about the concept of the public cloud and how to use it in your network.

Fortinet Solutions for the Public Cloud


In this lesson, you will learn about public cloud security.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding Fortinet solutions for the public cloud, you will be able to
secure your cloud network using Fortinet solutions.


As the leader in multi-cloud security, Fortinet gives you the confidence to deploy any application in any cloud.
Fortinet solutions provide broad protection across the entire digital attack surface, both on-premises and in
public clouds. Native integration with each of the major cloud providers enables automated, centralized
management across all clouds uniformly and seamlessly, giving you unified visibility, control, and policy
management that supports risk management and compliance requirements.

There are three Fortinet solutions for securing the public cloud: the secure connectivity solution, which
belongs to the category of infrastructure as a service (IaaS); application security; and visibility and control.
Fortinet provides solutions for each of these categories. For example, Fortinet can provide secure connectivity
for IaaS, but cannot provide the same solution for software as a service (SaaS) applications. So, for SaaS,
Fortinet can provide only visibility and control. In other words, you cannot create an IPsec tunnel or web
application firewall (WAF) to Dropbox (SaaS).


As shown on this slide, Fortinet can provide different products to secure the public cloud.
Management & Automation: In order to make the best use of their often limited and overstretched security
personnel, Fortinet provides customers with a unique single-pane-of-glass solution that empowers them to
consistently manage the broad set of protection services that is natively integrated into the cloud
infrastructure. This approach also provides the ability to automate the management of these capabilities by
using standard web-based APIs, as well as consume predefined automation recipes. By extending this
automation framework across multiple cloud environments, customers can integrate the consumption of
security services into their emerging DevOps-oriented application lifecycles, while supporting a more agile
application and business operation.

Broad Protection: Offering the broadest set of security products both in and out of the cloud allows
customers to consistently build the most secure infrastructures possible, regardless of deployment mode,
workflow complexity, or degree of distribution and elasticity. The ability to natively integrate with the cloud
infrastructure allows Fortinet to uniquely offer multiple security products in—and between—the cloud
environments offered by every major cloud service provider. This helps customers build consumable and
automation-ready security services to protect their cloud applications, regardless of where they choose to
deploy them.

Native Integration: Integration seamlessly extends consistent security across the platforms of every major
cloud provider, enabling organizations to define security similarly across their multi-cloud and on-premises
deployments. Likewise, native integration provides the ability to natively consume cloud services by security
products, providing faster and more seamless protection and response, and extends the web service-based
APIs of products that are running in the cloud.


This slide shows the Fortinet Security Fabric overlaid onto the multi-cloud reality that was previously outlined.
The key pillars are integration, protection, and management. As part of the Fortinet Security Fabric,
FortiManager and FortiAnalyzer provide automation-ready, single-pane-of-glass management, transparent
visibility, advanced compliance reporting, and network-aware rapid response across on-premises, cloud, and
hybrid environments.


This slide shows the three pillars of the Fortinet Security Fabric for the cloud, and the services and capabilities
each pillar enables. Fortinet is investing in each of these pillars to provide native integration and capabilities
across clouds.

The Fortinet Security Fabric enables the following services and capabilities:
• Seamless integration of separate cloud infrastructures, and use of native cloud services
• Broad protection for each product, regardless of cloud platform—effectively running virtual versions of the
enforcement products on each cloud
• Management products that interact with, and manage the security of, the Fortinet products that run on each
cloud


This slide shows the details of the different integration efforts and their availability across leading cloud
providers.


To address the complexities of today’s digital enterprise and help reduce security gaps, Fortinet expands the
openness of its Security Fabric architecture through its fabric connectors to extend security visibility and
management capabilities deeper into Fabric-Ready Partner infrastructure and applications.

Fabric connectors help customers maintain a consistent network security posture with centralized
orchestration for users, applications, and data across hybrid, public, and private cloud environments. They
enable automation of workflows, SOC environments, threat feeds, and security policy automation across
clouds as new services and applications are deployed, removing the need for manual intervention.

Fabric connectors link into partner solutions through API integration points or through specialized engineering,
and are instantly accessible to customers through easy, downloadable DevOps kits with one-click activation.
The open design of the fabric connectors enables ongoing, deep integration with a growing number of
ecosystem components and extends the Security Fabric capabilities into validated, third-party infrastructure.


An interesting aspect of the Fortinet solution is that the customer can run all devices on the cloud. There is no
need for the customer to run physical devices on-premises. Unlike other vendors, Fortinet can offer all
security products in cloud-based form, for example, FortiGate, FortiManager, FortiAnalyzer, and so on.


The customer can extend the on-premises infrastructure to the cloud through the VPN. As shown on this slide,
the customer can run an IPsec tunnel between the cloud and the FortiGate on-premises infrastructure. On the
cloud side, you can deploy a cloud vendor's native IPsec service, which is not recommended, or you can
deploy a virtual FortiGate, which is highly recommended.


The Fortinet Security Fabric supports a hybrid cloud. You can configure an on-premises FortiGate to connect
to FortiGate on the cloud through the VPN tunnel, and share all the information from the FortiGate device on
the cloud, within the Fortinet Security Fabric. You can create a multi-cloud environment in the Security Fabric.
For example, an on-premises FortiGate can connect to Azure and AWS through VPN tunnels, and have the
entire topology view within the Security Fabric.


It is important to know that the Fortinet cloud security solution is not a replacement for the existing cloud
vendor security. It is just an extra layer of security in addition to the cloud vendor security solutions. The
Fortinet cloud security solution provides more control and visibility, and delivers a highly optimized security
solution beyond native cloud vendor security options.

Managing and securing an assortment of different cloud platforms remains a challenge. Few IT teams have
the expertise to manage a mixed deployment of multiple public cloud, private cloud, and on-premises
environments—especially considering the ongoing lack of skilled IT and cybersecurity talent.

To address the diversity challenge, many organizations choose to connect their clouds through their on-
premises data center WAN edge for centralized inspection and routing. But the use of this type of traditional
WAN infrastructure approach, though secure, inhibits agility and results in deployment complexity,
inconsistent network performance, and expensive connectivity.

The Fortinet Secure SD-WAN for Multi-Cloud solution is a new approach to establishing secure and high-
performance connectivity between IaaS workloads running on multiple clouds, without increasing cost and
complexity. This solution enables SD-WAN between clouds and empowers enterprise IT to build a seamless
cloud-to-cloud network and security architecture. The Fortinet Secure SD-WAN solution delivers the following
capabilities:

• Automates the deployment of a seamless overlay network across different cloud networks, reducing
complexity and increasing agility to save teams time and resources.
• Offers visibility, control, and centralized management that unifies functionality across multiple cloud
environments through Fortinet Security Fabric SDN connectors and cloud-native integrations.
• Securely transports cloud traffic between clouds without needing to backhaul through the data center,
enabling better scaling of deployments and reducing latency.
• Intelligently selects connections based on cloud application and workload awareness, improving
performance and reducing dependence on costly leased lines or MPLS connections.

There are different Fortinet licensing models to select from, based on the customer requirements.

• Bring your own license: The customer pays the cloud vendor for the VMs and pays Fortinet for the Fortinet
products running 24/7 on the cloud. This model is recommended for VMs that run all the time on the cloud.
The customer gets Fortinet 24/7 support with the enterprise bundle.
• Pay as you go/on demand: The customer pays for both through the cloud vendor, and pays for the
service based on usage. The customer gets Fortinet 8x5 support with the UTM bundle.

In both cases, the customer must pay infrastructure running costs directly to the cloud vendor.

This slide shows the market availability of Fortinet products. Keep in mind that this information changes as
support for Fortinet products on new platforms becomes available.

As you learned in a previous lesson, the traditional FortiGate Clustering Protocol (FGCP) cannot be used for
high availability (HA) in cloud computing. The solution is to use active-passive unicast FGCP HA, which is a
modified version of the traditional FGCP. In this scenario, there is no multicast traffic between heartbeat
interfaces; there is only unicast traffic. To form an HA cluster of two FortiGate devices, you must configure
the peer IP address on each FortiGate device. There is also a management interface (port4), which is unique
to each cluster member and sits on a subnet with internet access. Each cluster member can be accessed
separately through its management interface. Two interfaces, external and internal, process traffic.
Both the heartbeat and management interfaces are in a hidden system VDOM and cannot be used for processing
production traffic.

Important: If you upgrade your HA cluster to FortiOS 6.4.0, all of the configuration, including the management
IP address, synchronizes between HA peers. To prevent this from happening, you can use the set object
system.interface command (under config system vdom-exception). This command was introduced
in FortiOS 6.4.1.

HA must use unicast IP addresses to synchronize between cluster members. You must add the two commands that
are highlighted on the slide to the traditional HA cluster configuration. These settings are unique to each
cluster member because the peer IP address is that of the other member of the cluster. When a failover happens,
FortiGate uses the AWS and Azure APIs to communicate with the cloud and report the failover. Commands are sent
directly to AWS or Azure to move the public IP address and the outbound routing table to the IP address and
routing table of the new active FortiGate. Failover times are unpredictable because of the number of items to
rewrite, the serial nature of the changes, and so on.

This slide shows an example of an active-active load balancing scenario. There are two load balancers, the
public load balancer and the internal load balancer. Also, there are two FortiGate devices in the same
availability set. You must pair both port1 interfaces of the FortiGate devices with the public load balancer. The
internet traffic goes to the public load balancer first, where it load balances the traffic to two FortiGate devices.
Then it goes to the internal load balancer, and finally, to the virtual machines. Every cloud vendor has its own
load balancing solutions.

Auto scaling allows you to dynamically grow and shrink a group of FortiGate devices to match the traffic and
performance requirements. You can set a minimum and maximum number of FortiGate devices and scale out
as needed. The main benefits of using auto scaling are fault tolerance, availability, and cost management.

Load balancing is used with auto scaling. For example, you can start with two FortiGate devices as the
minimum size of an auto scaling group, and then increase the number of FortiGate devices based on
application needs. If CPU usage becomes high while the group is at its minimum size, you can configure rules to
increase the number of FortiGate devices to meet the demand. Auto scaling provides easy application scaling
for multiple resources across multiple services, in a short time.

FortiGate auto scaling consists of a collection of Node.js modules and cloud-specific templates that support
basic auto scaling functionality for groups of FortiGate VM instances through Microsoft Azure Functions and
Amazon AWS. This slide shows an example of FortiGate auto scaling with Azure. This scenario comprises
two load balancers and, in the middle, multiple FortiGate devices in the VM scale set. There is one FortiGate
primary device and a few FortiGate secondary devices. When this template is deployed, it creates a
database with ID numbers based on FortiGate roles. So, every time a new FortiGate is deployed, it checks
the database to find the IP address of the primary FortiGate, and then gets the configuration of the primary
FortiGate. All configuration changes must be applied to the primary device. You can find the auto scaling
templates on GitHub.

Fortinet GitHub is a Fortinet website where you can download various templates for your cloud security
design. Some examples are AWS CloudFormation templates and Azure templates that allow you to download
pre-configured settings for the cloud security solutions. You can visit the official Fortinet GitHub at the website
shown on this slide. However, during the lab you will be using a different GitHub, which is the Fortinet solution
GitHub (developer GitHub).

This slide shows the objectives covered in this lesson.

By mastering the objectives covered in this lesson, you learned methods to secure the public cloud using
Fortinet solutions.

Fortinet Solution for AWS

In this lesson, you will learn about the Fortinet solution for Amazon Web Services (AWS).

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding AWS fundamentals, you will be able to use AWS successfully
and efficiently to deploy your security devices.

As shown on this slide, AWS has a broad portfolio of services. You will see all available services when you
open the Services menu in the console. However, in this course, you will mainly focus on EC2, VPC, IAM,
and DynamoDB.

AWS Marketplace is an online store where customers can find, buy, and immediately start using the software
and services they need to build products and run their businesses. In AWS Marketplace, you can find
preconfigured images under AMI community images. These are easy-to-deploy instances uploaded by
vendors.

AWS CloudFormation templates provide an easy way to create and manage a collection of related AWS
resources, enabling you to provision and update them in an orderly and predictable fashion. You can use AWS
CloudFormation sample templates or create your own templates to describe the AWS resources. An AWS
CloudFormation template is a set of code, based on JSON, in which you specify the kind of VMs, the number of
subnets, and the IP addresses to deploy, and then pass them to the FortiGate devices. After AWS resources are deployed,
you can modify and update them in a controlled and structured way. You can apply version control to your
AWS infrastructure the same way you do with your software. Keep in mind that you cannot find AWS
CloudFormation templates in AWS Marketplace. First, you must upload them to GitHub, and then upload them
to AWS Marketplace.

Amazon EC2 is hosted in multiple locations worldwide. These locations are composed of regions and AZs.
Each region is a separate geographic area with multiple, isolated locations known as AZs. When you view
your resources, you'll see only the resources tied to the region you've specified. Regions are isolated from
each other, and AWS does not replicate resources across regions automatically. There is a charge for data
transfer between regions, and not all regions have the same features, functions, and offerings.

By launching your instances in separate AZs, you can protect your applications from a failure in a single
location. Think of it as a physical hypervisor located in a different data center. If data center A fails, your
workloads are redundantly deployed in data center B. An AWS best practice is to place instances in more
than one AZ. Each AZ is isolated, but the AZs in a region are connected through low-latency links. The new
unicast HA solution deploys into a single AZ; therefore, the best practice is to break them up and deploy them
into two AZs. You cannot have one FortiGate sitting between AZs; instead, you can have a load balancer
between AZs. An AZ is represented by a region code, followed by a letter identifier, for example, us-east-1a.

The compute elements in AWS are called elastic compute cloud (EC2). The Amazon EC2 simple web service
interface allows you to obtain and configure capacity with minimal friction. It provides you with complete
control of your computing resources and lets you run on Amazon’s proven computing environment. So, EC2 is
a VM instance running inside AWS, for example, FortiGate or FortiWeb VM running as EC2 instances.

Amazon S3 is storage for the internet. You can use Amazon S3 to store and retrieve any amount of data at
any time, from anywhere on the web. You can accomplish these tasks using the AWS Management Console,
which is a simple and intuitive web interface. This is a file sharing service that you can use to create buckets
and then access them over FTP, HTTP, and NFS, to name a few. It is a sort of NAS service. For example,
a user can upload FortiGate licenses into an S3 bucket and use a script to retrieve the licenses and renew the
device licenses as needed. Another example: if you deploy a FortiMail cluster and you would like to keep
your mailboxes outside FortiMail, you can use S3 bucket storage for the mailbox data.

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time
you consume, and there is no charge when your code is not running. With Lambda, you can run code for
virtually any type of application or backend service—all with zero administration. You can set up your code to
automatically trigger from other AWS services, or call it directly from any web or mobile app.

You can use this feature in HA deployments, where the HA functions use AWS Lambda functions to perform the
failover. You can also use Lambda functions in FortiGate automation stitches. For example, you can create
Lambda functions, and then use FortiGate to trigger those functions, based on the situation.

Virtual private cloud (VPC) enables you to define a virtual network in your own logically isolated area within
AWS Cloud, known as a VPC. This is the same concept as a VNET in Microsoft Azure. The VPC belongs to a
region, and within the VPC, you can create different subnets. All subnets should be in the same CIDR block
that is defined for the VPC, for example, 10.0.0.0/16 block.

As shown on this slide, the VPC belongs to a region but not to any AZ. Within the VPC, you can deploy
subnets that belong to different AZs. Keep in mind that the intrinsic router belongs to the VPC only and not to a
specific subnet.

An ENI is a virtual network interface. With ENIs, you can create a network interface, attach it to an instance,
detach it from that instance, and attach it to another instance. The attributes of a network interface follow it as it
is attached to or detached from one instance and reattached to another instance. When you move a network
interface from one instance to another, network traffic is redirected to the new instance. You can also modify
the attributes of your network interface, including changing its security groups and managing its IP addresses.
Keep in mind that once an ENI is created inside an AZ, it cannot be moved outside that AZ.

The source/destination check feature is set per network interface. If source/destination checks are disabled
(not the default behavior in AWS), packets whose source or destination IP address differs from the IP
address assigned to the interface are allowed. In AWS, the source/destination check feature is enabled by default. In
Azure, it is disabled by default.

There are two different kinds of subnets: public and private. A public subnet means that the subnet has an
internet gateway attached, and therefore has internet access. It may or may not have public IP addressing in
it. A private subnet is an internal subnet that doesn't have an internet gateway attached to it. Private subnets
must follow the addressing space defined on the VPC that they belong to. As you learned earlier, all the
subnets are connected to an intrinsic router that resides at the VPC level. For example, if you want to deploy a
FortiGate device for outgoing traffic protection, you can have one interface connect to the private subnet and
the other interface connect to the public subnet. After you have connected both interfaces, you define
a routing table on the private subnet to route internet traffic through the FortiGate device and then to the public
subnet.

The first three usable IP addresses in each subnet are reserved in AWS. The first IP address is reserved for the intrinsic
router, the second IP address is reserved for AWS DNS, and the third IP address is reserved for future use. If
you deploy a FortiGate device, you will need to use the fourth usable IP address.
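
The subnet rules described above, worked through as an added example (this is not code from the study guide or from Fortinet): given a VPC CIDR and a subnet CIDR, it checks that the subnet is carved out of the VPC address space, lists the addresses AWS reserves, and reports the first address a FortiGate interface can take. The VPC and subnet CIDRs it uses are constructed sample values.

```python
"""Added example, not from the study guide: work out which addresses AWS
reserves in a VPC subnet and which address a FortiGate interface can take.

AWS keeps five addresses in every subnet: the network address, the next
three (intrinsic router, DNS, reserved for future use) and the broadcast
address. In the study guide's terms the first three usable addresses are
reserved, so a FortiGate deployed into the subnet gets the fourth usable one.
The VPC and subnet CIDRs used below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubnetPlan:
    subnet: ipaddress.IPv4Network
    router: ipaddress.IPv4Address            # +1: intrinsic VPC router (default gateway)
    dns: ipaddress.IPv4Address               # +2: AWS DNS, the default DHCP option
    reserved_future: ipaddress.IPv4Address   # +3: reserved by AWS for future use
    first_assignable: ipaddress.IPv4Address  # +4: first address an ENI may use
    assignable_count: int                    # addresses left for instances


def plan_subnet(vpc_cidr: str, subnet_cidr: str) -> SubnetPlan:
    """Validate a subnet against its VPC and list the reserved addresses.

    Raises ValueError when the subnet is not carved out of the VPC CIDR
    (the study guide's rule that subnets must follow the VPC address space)
    or when its size is outside the /16 to /28 range that AWS accepts.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if vpc.version != 4 or subnet.version != 4:
        raise ValueError("this example handles IPv4 subnets only")
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} is outside the VPC CIDR {vpc}")
    if not 16 <= subnet.prefixlen <= 28:
        raise ValueError(f"{subnet}: AWS subnets must be between /16 and /28")

    base = int(subnet.network_address)

    def offset(n: int) -> ipaddress.IPv4Address:
        return ipaddress.IPv4Address(base + n)

    return SubnetPlan(
        subnet=subnet,
        router=offset(1),
        dns=offset(2),
        reserved_future=offset(3),
        first_assignable=offset(4),
        # network address, three reserved hosts and broadcast are never assignable
        assignable_count=subnet.num_addresses - 5,
    )


def is_assignable(plan: SubnetPlan, address: str) -> bool:
    """True if an ENI in this subnet may be given this address."""
    ip = ipaddress.ip_address(address)
    if ip not in plan.subnet:
        return False
    return plan.first_assignable <= ip < plan.subnet.broadcast_address


if __name__ == "__main__":
    plan = plan_subnet("10.0.0.0/16", "10.0.1.0/24")
    print(f"{plan.subnet}: router {plan.router}, DNS {plan.dns}, "
          f"FortiGate may start at {plan.first_assignable} "
          f"({plan.assignable_count} assignable addresses)")
```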

An internet gateway is a redundant, highly available VPC component that allows communication between
instances in your VPC and the internet. An internet gateway is a feature that you enable for a subnet, allowing
the intrinsic router to connect to the internet. If you want to make a subnet public, first you must create an
internet gateway, and then attach it to the appropriate subnet.

An internet gateway serves two purposes:

• It provides a target in your VPC route tables for internet-routable traffic
• It performs NAT for instances that have been assigned public IPv4 addresses

The diagram on this slide shows the routing for a VPC with both an internet gateway and a virtual private
gateway, plus a public subnet and a VPN-only subnet. The main route table came with the VPC, and it also
has a route for the VPN-only subnet. A custom route table is associated with the public subnet. The custom
route table has a route over the internet gateway (the destination is 0.0.0.0/0, and the target is the internet
gateway). At the top level is the global AWS cloud; within it is a region, and the VPC is created in the region.
There are also AZs inside the VPC. There are two different subnets, 10.0.0.0/24 and 10.0.1.0/24,
which belong to two AZs. A router between the two AZs is responsible for routing traffic between the AZs. When
you create a VPC, it creates a default main routing table that is used when there is no specific routing
table created for a subnet. You can create additional routing tables, and then attach them to a subnet.

As mentioned in this lesson, when you create a VPC, a default main routing table is created, and
subnets are associated with the main routing table by default. A gateway is referenced as an ENI object and is not defined by an
IP address. EC2 instances always use the intrinsic router as the default gateway, and traffic is then redirected
to the gateway defined in the routing table. Note that you can create and use traditional static routes
within an instance, but this will be problematic for future automation.

An AWS NAT gateway allows instances in a private subnet to connect to the internet or other AWS services
without using a NAT instance. As shown on this slide, the main routing table sends internet traffic from the
private subnet instances to the NAT gateway, and then the NAT gateway sends the traffic to the IGW using its elastic
IP address as the source IP address. So, the advantage here is that instances in the private subnet hide behind
the NAT gateway. This scenario is useful if you want to inspect only Layer 4 traffic. However, if you want to
inspect higher-layer traffic, you will need to deploy a proper firewall.

An EIP address is a static, public IPv4 address. You can associate an EIP address with any instance or
network interface in any VPC in your account. You can use an EIP address to mask the failure of an instance
by rapidly remapping the address to another instance in your VPC. Associating the EIP address with the
network interface instead of directly with the instance means that you can move all the attributes of the
network interface from one instance to another in a single step.

During the lab, you will see both EIP and non-EIP addresses. Keep in mind that in an active-passive HA
setup, you must use an elastic IP address so that the address can move from one instance to the other during a failover.

Other services inside the VPC are the DHCP and DNS services. EC2 interfaces should use DHCP and, by
default, when you assign an IP address to a network interface, the DHCP service is automatically
activated and delivers the IP address to the DHCP-enabled interface of the device. You can enable the DHCP
feature on the FortiGate interface to receive the IP address. You can also create specific options inside the
DHCP server.

Each EC2 instance has an internal DNS name that you should use to address traffic to it. This DNS server is
present on all subnets as the second valid IP address, and is the default DHCP option. At the same time,
every time you deploy a network interface, it gets assigned a random DNS name without any VPC reference.
The random DNS name can be resolved both inside and outside the VPC.

Now, you will learn about basic AWS infrastructure components. There are three main load balancers in
AWS: network load balancer, application load balancer, and classic load balancer.

Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets,
such as Amazon EC2 instances, containers, and IP addresses. ELB can handle the varying load of your
application traffic in a single AZ or across multiple AZs. ELBs sit at the VPC level, so they have access to
different subnets in different AZs. In order to have traffic and services load balancing between different AZs in
a high availability setup, you must use ELB.

Application load balancer is best suited for load balancing HTTP and HTTPS traffic, and provides advanced
request routing targeted at the delivery of modern application architectures, including microservices and
containers. Operating at the individual request level (Layer 7), application load balancer routes traffic to
targets within Amazon virtual private cloud (VPC), based on the content of the request.

Classic load balancer provides basic load balancing across multiple Amazon EC2 instances and operates at
both the request level and connection level. Classic load balancer is intended for applications that were built
within the EC2 classic network.

Amazon Route 53 is a global load balancing service. The load balancer sits inside the VPC, which is inside
the region. So, if you would like to have a multi-region load balancer, use Amazon Route 53. You can also use
Amazon Route 53 as a regular DNS service. By default, the Amazon Route 53 service comes with DoS
protection.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic
between them using private addresses. Instances in either VPC can communicate with each other as if they
are in the same network. You can create a VPC peering connection between your own VPCs, or with a VPC
in another AWS account. You can connect VPCs in the same region or in different regions. It is similar to
connecting both VPCs using a single cable and having a route for it in the routing table. For example, you
can have a route that forces traffic from one specific VPC to another VPC. A VPC peering connection is
a one-to-one relationship between two VPCs. Note that the cost associated with VPC peering varies
depending on whether the VPCs are in the same region or in different regions.

As shown on this slide, there are some VPC peering limitations. For example, you cannot route packets
directly from VPC B to VPC C through VPC A. In order to route packets directly between VPC B and VPC C,
you can create a separate VPC peering connection between them (if their CIDR blocks do not overlap).

What is a transit VPC? Transit VPC is a reference architecture that you can implement with multiple products. One
solution to the limitations of VPC peering is to use a transit VPC. As shown on this slide, VPCs A, B, D, and E can
connect to each other using IPsec tunnels through the transit VPC C. The transit VPC reduces the complexity
of VPC peering; however, adding more VPCs to the existing setup introduces a huge administrative task. If
you have a transit VPC running and you are happy with the setup, you might want to continue with it. If
your organization is growing continuously and adding more VPCs, you should migrate to AWS Transit
Gateway. Another drawback of the transit VPC is that you must maintain EC2 instances (a pair of routers) as highly
available to route traffic between VPCs.

So what are the complexities of VPC peering? In order to achieve full mesh connectivity between VPCs, you
will need to use the formula n(n-1)/2. As shown in the example on this slide, full mesh connectivity between six
VPCs requires 15 connections. Now, imagine if you had hundreds of VPCs requiring full mesh connectivity.

Based on customer feedback, AWS developed a new technology called transit gateway. AWS Transit
Gateway solves most of the problems introduced by VPC peering. As shown on this slide, transit gateway is
similar to the transit VPC hub-and-spoke technology; however, AWS Transit Gateway is simpler and more
flexible.

Now, you will learn more about the concept of transit gateway. As shown on this slide, when transit gateway is
used, many VPCs connect to the AWS Transit Gateway. From the transit gateway, you can define rules to
route traffic between VPCs and restrict traffic between VPCs. There is no need to connect VPCs with multiple
IPsec connections. As shown in the example on this slide, you can connect multiple VPCs to the transit
gateway and then define rules to send traffic to the security hub VPC for traffic inspection between VPCs
(east-west traffic inspection), or to send traffic directly from one VPC to another through the transit gateway.

Transit gateway helps to solve multiple issues with VPC peering and transit VPC. Using transit gateway
technology, you can create multiple transit gateway route tables inside the transit gateway for better traffic
control. As shown in the example on this slide, you create one attachment for each VPC you need to
connect. For example, you need only three attachments to connect all three VPCs. This
eliminates the full mesh requirement that is part of the VPC peering scenario.

As shown in the example, there are two route tables inside the transit gateway with three attachments. Any
traffic coming to the transit gateway, except subnets 10.1.0.0 and 10.2.0.0, goes to the security hub
VPC through attachment VPC-att-3. At the same time, traffic going to the subnet 10.1.0.0 uses VPC-
att-1, and subnet 10.2.0.0 uses the attachment VPC-att-2. This granular level of control means a
lighter workload for the administrator when they are adding multiple VPCs to the existing environment.

Another main advantage is bandwidth. Customers can create multiple VPN connections from the transit
gateway to the on-premises data center with ECMP to achieve higher bandwidth.
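
The route table behaviour described above, and the peering count from the n(n-1)/2 formula earlier in this lesson, as an added example (not code from the study guide, Fortinet or AWS): a small model of transit gateway route tables with longest-prefix matching, built from the attachments VPC-att-1, VPC-att-2 and VPC-att-3. The study guide gives the spoke subnets as 10.1.0.0 and 10.2.0.0 without prefix lengths, so /16 is assumed, and the association of each attachment with a route table is also an assumption.

```python
"""Added example, not from the study guide: a small model of AWS Transit
Gateway route tables and attachments, alongside the VPC peering count from
the full-mesh formula n(n-1)/2 discussed earlier in the lesson.

The routes and attachment names below are constructed from the study guide's
scenario (VPC-att-1, VPC-att-2, VPC-att-3). The study guide gives the spoke
subnets as 10.1.0.0 and 10.2.0.0 without a prefix length; /16 is assumed.
Which route table each attachment is associated with is also an assumption.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def peering_connections(vpc_count: int) -> int:
    """Peering connections needed for a full mesh of vpc_count VPCs: n(n-1)/2."""
    return vpc_count * (vpc_count - 1) // 2


def tgw_attachments(vpc_count: int) -> int:
    """With a transit gateway, each VPC needs exactly one attachment."""
    return vpc_count


class TgwRouteTable:
    """A transit gateway route table: longest-prefix match, no rule ordering."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_route(self, cidr: str, attachment: str) -> None:
        self.routes.append((ipaddress.ip_network(cidr), attachment))

    def lookup(self, dst: str) -> Optional[str]:
        """Return the attachment for dst, or None if nothing matches (dropped)."""
        ip = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, att in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att)
        return best[1] if best else None


class TransitGateway:
    """Each attachment is associated with exactly one route table."""

    def __init__(self) -> None:
        self.tables: Dict[str, TgwRouteTable] = {}
        self.association: Dict[str, str] = {}   # attachment -> route table name

    def add_table(self, table: TgwRouteTable) -> None:
        self.tables[table.name] = table

    def associate(self, attachment: str, table_name: str) -> None:
        self.association[attachment] = table_name

    def next_hop(self, ingress_attachment: str, dst: str) -> Optional[str]:
        """Traffic entering from an attachment is looked up in its associated table."""
        table = self.tables[self.association[ingress_attachment]]
        return table.lookup(dst)


def build_example_tgw() -> TransitGateway:
    """Two route tables and three attachments, as in the study guide's diagram."""
    tgw = TransitGateway()
    spoke = TgwRouteTable("spoke-rt")          # used by the two workload VPCs
    spoke.add_route("10.1.0.0/16", "VPC-att-1")
    spoke.add_route("10.2.0.0/16", "VPC-att-2")
    spoke.add_route("0.0.0.0/0", "VPC-att-3")  # everything else -> security hub VPC
    hub = TgwRouteTable("hub-rt")              # used by the security hub VPC
    hub.add_route("10.1.0.0/16", "VPC-att-1")
    hub.add_route("10.2.0.0/16", "VPC-att-2")
    tgw.add_table(spoke)
    tgw.add_table(hub)
    tgw.associate("VPC-att-1", "spoke-rt")
    tgw.associate("VPC-att-2", "spoke-rt")
    tgw.associate("VPC-att-3", "hub-rt")
    return tgw


if __name__ == "__main__":
    tgw = build_example_tgw()
    for src, dst in (("VPC-att-1", "10.2.0.10"), ("VPC-att-1", "203.0.113.9")):
        print(f"{src} -> {dst}: {tgw.next_hop(src, dst)}")
    print(f"6 VPCs: {peering_connections(6)} peerings vs {tgw_attachments(6)} attachments")
```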

This slide shows an example of the Fortinet Cloud Security Services Hub with auto scaling and AWS Transit
Gateway. VPC-A and VPC-B are connected to the transit gateway with attachments, while VPC-C is
connected to the transit gateway with IPsec. Traffic can then route to the Fortinet cloud security hub, and
finally to the customer data center. You can use AWS Direct Connect or IPsec to connect the security
hub VPC and the customer's on-premises FortiGate.

As shown on this slide, IPsec is used with ECMP from the transit gateway to the pair of active-active HA
FortiGate devices in the security VPC. This solution cannot be achieved using only VPC-based attachments.
The transit gateway distributes traffic evenly to the FortiGate devices for traffic inspection.

This slide shows the official diagram of the AWS shared responsibility model. The customer
is responsible for security in the cloud, and AWS is responsible for the security of the cloud. It is very clear
that cloud vendors, as well as customers, play an important role in securing data in the cloud.

An SG acts as a virtual firewall that controls the traffic for one or more instances. SGs are associated with
network interfaces. Changing the SGs of an instance changes the SGs associated with its primary network
interface (eth0). By default, SGs allow all outbound traffic. Instances are automatically associated with the
default SG (unless you specify an SG). When you associate multiple SGs with an instance, the rules from
each SG are effectively aggregated to create one set of rules. You can create your own SGs and specify them
when you launch your instances. The only difference between SGs in AWS and Azure is that in AWS,
SGs are attached to the network interfaces.

An NACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of
one or more subnets. Your VPC automatically comes with a modifiable default NACL. By default, it allows all
inbound and outbound IPv4 traffic. You can create a custom NACL and associate it with a subnet. By default,
each custom NACL denies all inbound and outbound traffic until you add rules. Each subnet in your VPC must
be associated with an NACL. If you don't explicitly associate a subnet with an NACL, it is associated with the
default NACL. An NACL has separate inbound and outbound rules, and each rule can either allow or deny
traffic. NACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic
(and the reverse).
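The difference between aggregated, stateful SG rules and numbered, stateless NACL rules described in the two paragraphs above, as an added example (not code from the study guide or from AWS). It models the evaluation logic only; the rule sets, addresses, and the missing ephemeral-port rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule. cidr is the remote side: source for inbound, destination for outbound."""
    protocol: str           # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # NACL rules may also be "deny"; SG rules are allow-only
    number: int = 0         # NACL rule number (evaluation order); unused for SG rules

    def matches(self, protocol, port, peer_ip):
        if self.protocol != "-1":
            if self.protocol != protocol or not self.from_port <= port <= self.to_port:
                return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)


@dataclass(frozen=True)
class Flow:
    """A connection seen from the instance: who the peer is and which ports are used."""
    protocol: str
    peer_ip: str
    peer_port: int      # port on the remote side (a client's ephemeral port, for example)
    local_port: int     # port on the instance (80 for a web server)
    inbound: bool       # True when the peer opened the connection


def nacl_allows(nacl, direction, protocol, port, peer_ip):
    """Stateless NACL check: the lowest-numbered matching rule decides; if nothing
    matches, the implicit '*' rule at the end of every NACL denies."""
    for rule in sorted(nacl[direction], key=lambda r: r.number):
        if rule.matches(protocol, port, peer_ip):
            return rule.action == "allow"
    return False


def sg_allows(sgs, direction, protocol, port, peer_ip):
    """Rules of every SG attached to the interface are aggregated: any allow rule permits."""
    return any(rule.matches(protocol, port, peer_ip)
               for sg in sgs for rule in sg[direction])


def nacl_permits_flow(nacl, flow):
    """Both directions of the connection must be allowed, because NACLs keep no state."""
    if flow.inbound:
        request = nacl_allows(nacl, "inbound", flow.protocol, flow.local_port, flow.peer_ip)
        response = nacl_allows(nacl, "outbound", flow.protocol, flow.peer_port, flow.peer_ip)
    else:
        request = nacl_allows(nacl, "outbound", flow.protocol, flow.peer_port, flow.peer_ip)
        response = nacl_allows(nacl, "inbound", flow.protocol, flow.local_port, flow.peer_ip)
    return request and response


def sg_permits_flow(sgs, flow):
    """Only the first packet is checked; the reply is permitted by connection tracking."""
    if flow.inbound:
        return sg_allows(sgs, "inbound", flow.protocol, flow.local_port, flow.peer_ip)
    return sg_allows(sgs, "outbound", flow.protocol, flow.peer_port, flow.peer_ip)


# Constructed rule sets for a web server in subnet 10.0.1.0/24 (not real AWS objects).
WEB_SG = {"inbound": [Rule("tcp", 80, 80, "0.0.0.0/0")],
          "outbound": [Rule("-1", 0, 0, "0.0.0.0/0")]}          # SG default: allow all out
ADMIN_SG = {"inbound": [Rule("tcp", 22, 22, "10.0.0.0/8")], "outbound": []}

# A custom NACL whose author forgot that HTTP replies leave on the client's ephemeral port.
NACL_NO_EPHEMERAL = {
    "inbound": [Rule("tcp", 80, 80, "0.0.0.0/0", number=100)],
    "outbound": [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
}
# Same NACL with an outbound ephemeral-port rule, plus a lower-numbered deny for one
# source range that is evaluated before the HTTP allow.
NACL_FIXED = {
    "inbound": [Rule("tcp", 80, 80, "203.0.113.0/24", action="deny", number=90)]
               + NACL_NO_EPHEMERAL["inbound"],
    "outbound": NACL_NO_EPHEMERAL["outbound"]
                + [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110)],
}

HTTP_FROM_INTERNET = Flow("tcp", "198.51.100.20", 51234, 80, inbound=True)
HTTP_FROM_BLOCKED = Flow("tcp", "203.0.113.5", 51234, 80, inbound=True)
SSH_FROM_CORP = Flow("tcp", "10.20.0.7", 40000, 22, inbound=True)

if __name__ == "__main__":
    print("SG (web+admin) allows SSH :", sg_permits_flow([WEB_SG, ADMIN_SG], SSH_FROM_CORP))
    print("NACL without ephemeral rule:", nacl_permits_flow(NACL_NO_EPHEMERAL, HTTP_FROM_INTERNET))
    print("NACL with ephemeral rule   :", nacl_permits_flow(NACL_FIXED, HTTP_FROM_INTERNET))
```

The stateful SG lets the HTTP reply out without any outbound rule for port 51234, whereas the NACL silently drops that reply until rule 110 exists, which is the usual cause of "connection hangs after SYN" in a subnet with a custom NACL.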

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from
network interfaces in your VPC. There is no additional charge for using flow logs; however, standard
CloudWatch Logs charges apply. Flow log data is published to a log group in CloudWatch Logs, and each
network interface has a unique log stream. Flow logs do not capture traffic to and from 169.254.169.254
(instance metadata), traffic to and from 169.254.169.123 (Amazon Time Sync Service), DHCP traffic,
or traffic to the reserved IP address for the default VPC router. Also, flow logs are not a real-time log
stream for your network interfaces. You can use flow logs as a security tool to monitor the traffic that is
reaching your instance. Flow logs are useful if you want to perform quick troubleshooting and to see the
behavior of the security groups.
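A parser and a small triage routine for flow log records in the default format (version, account ID, interface ID, source and destination address and port, protocol, packets, bytes, start, end, action, log status), as an added example that is not part of the study guide. The log lines, account and interface IDs are constructed; a "-" in a field marks a NODATA or SKIPDATA record, which the parser keeps but excludes from traffic counts.

```python
from collections import Counter

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_record(line):
    """Split one default-format flow log record into a dict; numeric fields become
    ints, and '-' (NODATA / SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        record[key] = None if record[key] == "-" else int(record[key])
    return record


def inbound_summary(records, instance_ip):
    """Group packets addressed to the instance by (source, dest port, protocol),
    separately for ACCEPT and REJECT. REJECT here means an SG or NACL dropped it."""
    summary = {"ACCEPT": Counter(), "REJECT": Counter()}
    for r in records:
        if r["log_status"] != "OK" or r["dstaddr"] != instance_ip:
            continue        # skip NODATA/SKIPDATA and flows leaving the instance
        summary[r["action"]][(r["srcaddr"], r["dstport"], r["protocol"])] += r["packets"]
    return summary


def probing_sources(summary, min_ports=2):
    """Sources that were rejected on at least min_ports distinct ports: a simple
    signal that someone is walking the instance's closed ports."""
    ports_by_src = {}
    for (src, port, _proto) in summary["REJECT"]:
        ports_by_src.setdefault(src, set()).add(port)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


# Constructed sample: a web server at 10.0.1.10 whose SG allows only TCP/80 inbound.
SAMPLE_LOG = """\
2 111122223333 eni-0abc123example 203.0.113.5 10.0.1.10 51234 80 6 12 3421 1600000000 1600000060 ACCEPT OK
2 111122223333 eni-0abc123example 198.51.100.77 10.0.1.10 44210 22 6 3 180 1600000000 1600000060 REJECT OK
2 111122223333 eni-0abc123example 198.51.100.77 10.0.1.10 44211 3389 6 2 120 1600000000 1600000060 REJECT OK
2 111122223333 eni-0abc123example 10.0.1.10 203.0.113.5 80 51234 6 10 9876 1600000000 1600000060 ACCEPT OK
2 111122223333 eni-0abc123example - - - - - - - 1600000060 1600000120 - NODATA
"""


def analyse(log_text, instance_ip):
    records = [parse_record(line) for line in log_text.splitlines() if line.strip()]
    summary = inbound_summary(records, instance_ip)
    return records, summary, probing_sources(summary)


if __name__ == "__main__":
    _, summary, probers = analyse(SAMPLE_LOG, "10.0.1.10")
    for (src, port, proto), packets in summary["REJECT"].most_common():
        print(f"REJECT {src} -> port {port}/{proto}: {packets} packets")
    print("sources probing several closed ports:", probers)
```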

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and
unauthorized behavior to protect your AWS accounts and workloads. The service uses machine learning,
anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty
analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC
Flow Logs, and DNS logs. You can use the FortiGate threat feed feature to obtain all blacklisted IP addresses
from GuardDuty and then create appropriate firewall policies to block traffic.

AWS WAF is a web application firewall that helps protect your web applications from common web exploits
that could affect application availability, compromise security, or consume excessive resources. AWS WAF
gives you control over which traffic to allow or block from your web applications by defining customizable web
security rules. AWS WAF monitors the HTTP and HTTPS requests that are forwarded to Amazon CloudFront
or an application load balancer.

Amazon Inspector is an automated security assessment service that helps improve the security and
compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for
exposure, vulnerabilities, and deviations from best practices.

AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications
running on AWS. You can use AWS WAF web access control lists (web ACLs) to minimize the effects of a
DDoS attack.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding AWS and Fortinet solutions for AWS, you will be able to
successfully use AWS with Fortinet solutions.

This slide shows the Fortinet solutions for AWS. AWS is the most broadly supported cloud vendor for Fortinet
products.

Now, you will learn about one of the AWS-supported Fortinet products, FortiSandbox. FortiSandbox is not a
hypervisor in AWS—it is simply a manager that analyzes the results of the sandboxing process. FortiSandbox
deploys new EC2 instances with the custom Windows VMs, and then it sends malware, runs it, and captures
the results for analysis. FortiSandbox for AWS does not itself need many resources, because it performs
management and analysis tasks only. Note that the cost varies based on the number of EC2 instances
deployed, the size of the instances, and the duration of the running time.

FortiSandbox for AWS enables organizations to defend against advanced threats natively in the cloud.

FortiSandbox provides several important benefits, including:

• Automated zero-day, advanced malware detection and mitigation
• An addition to network, email, endpoint, and other security, or an extension to on-premises security
architectures that leverages scale with complete control

FortiSandbox can be installed as a standalone zero-day malware behavior analysis system. Also,
FortiSandbox can be integrated with existing FortiGate, FortiMail, and FortiWeb AWS instances.

FortiGate has an automation stitches feature that can be combined with AWS Lambda or other vendors that
invoke automation rules in the Fortinet Security Fabric. For example, you can use the Fortinet compromised
host trigger with AWS Lambda to automatically quarantine any identified infected hosts in the network. There
are many automation triggers that can be used with AWS Lambda.

Amazon GuardDuty integration with FortiGate automates security remediation for workloads running in AWS.
It accelerates time-to-protection for threats detected by the AWS service, and automates the creation of
network firewall rules in FortiGate to mitigate threats. It also reduces the dependency on manual incident
response and human intervention. On the FortiGate External Resources page, you enter the URL of the
GuardDuty blacklisted IP address list in the URL of external resource field.

Fortinet Fabric Connectors help automate security operations and policies through one-click integrations with
partners, including AWS. You can pull information from AWS, such as addresses, VM names, and subnets, and
then use this information to create firewall policies. Compared to Azure, you need less information to configure
this in AWS.

There are different Fortinet offerings that can provide WAF protection in AWS. For example, you can deploy a
FortiWeb VM inside the VPC. One of the drawbacks in this scenario is that you can protect only applications
going through the VPC.

You can also use FortiWeb Cloud, which is a WAF-as-a-service hosted by Fortinet that runs in AWS. You can
use FortiWeb Cloud to protect applications that are internet-facing. For example, you can have your DNS
records pointing to the service, and then allow only web application traffic coming from FortiWeb Cloud, and
block all other traffic.

FortiWeb rule sets are additional security signatures that you can use to enhance the protections included in
the base AWS WAF product. They are based on FortiWeb security service signatures, and are updated on a
regular basis to include the latest threat information from FortiGuard Labs.

You can also purchase additional rule packages. There are four separate packaged rule sets based on
FortiGuard FortiWeb WAF signatures, which are available on AWS Marketplace. These rule sets offer the
same level of protection as WAF signatures on FortiWeb WAF devices (when combined, and all rules are
used). Some of the benefits of Fortinet managed rule sets include:

• Latest threat intelligence from FortiGuard
• Optimized rules for the AWS environment
• Simplified billing through AWS Marketplace
• Pay only for what is used

AWS WAF partner rule groups are subscription-based, web application firewall signatures offered by
third-party vendors to augment the basic WAF protections offered by the Amazon WAF product. These new rule
groups allow AWS WAF customers to choose prepackaged WAF rules from leading IT security providers.
Until now, AWS offered only SQL injection and cross-site scripting (XSS) protection. With partner rule groups,
vendors now offer protection from a wide variety of application layer attacks packaged in a variety of security
rule sets. Some customer benefits include the following:

• Additional WAF protections from leading WAF vendors
• Ensures protection is up-to-date with the latest signatures
• Simplifies WAF setup and management
• Conveniently available on AWS Marketplace

This slide shows how AWS WAF appears on the AWS WAF console and AWS Marketplace. You can
purchase WAF packages from AWS Marketplace and enable them on the WAF configuration.

This slide shows a comparison between FortiWeb and AWS WAF partner rules. As you can see, there are
some limitations to the AWS WAF partner rules. For example, there is no malware protection in AWS WAF
partner rules, because there is no engine to detect malware. So, if you need more rules, you can purchase
Fortinet managed rule sets in addition to AWS WAF partner rules to get full protection.

This slide shows WAF product positioning. It compares services between AWS WAF partner rules and
FortiWeb.

This slide shows an example of a FortiGate active-passive high availability scenario for AWS. This scenario is
based on a single AZ. You will do an active-passive configuration in the lab. If you like, you can also try
multiple AZs in the lab.

This slide shows an example of FortiGate auto scaling for AWS. There are multiple FortiGate devices
deployed in two different AZs. Also, there are two load balancers. You will do this configuration in the lab.
AWS auto scaling monitors your applications and automatically adjusts capacity to maintain steady,
predictable performance at the lowest possible cost.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned the fundamentals of, and how to use Fortinet
solutions with, AWS.

Fortinet Solution for Microsoft Azure

In this lesson, you will learn about the Fortinet solution for Microsoft Azure.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding Azure fundamentals, you will be able to successfully use
Azure with the Fortinet solution.

When you visit the Azure portal, you will see many different services available. Depending on your
requirements, you can choose only the services that you require for your business. In the labs, you will use only
four services: virtual machines, VNets, Azure Active Directory (AD), and load balancers.

As shown on this slide, you can choose your software needs from the Azure Marketplace website. Azure
Marketplace is the premier destination for software needs. The software is certified and optimized to run on
Azure. The difference between Azure Marketplace and AWS Marketplace is that, in Azure, you can find
FortiGate devices as templates. For example, you can find a FortiGate active-passive template with a load
balancer, instead of only a single virtual machine. There are no CloudFormation templates located directly on
AWS Marketplace. Note that only officially supported templates can be found on Azure Marketplace. Azure
Marketplace enables startups and independent software vendors to offer their solutions to Azure customers
around the world.

ARM is the deployment and management service for Azure. It provides a management layer that enables you
to create, update, and delete resources in your Azure subscription. You use management features, like
access control, locks, and tags, to secure and organize your resources after deployment.

Some of the tasks that you can perform using ARM include:

• Repeatedly deploy solutions throughout the development lifecycle
• Deploy resources in a consistent state
• Manage your infrastructure through declarative templates, rather than scripts
• Define the dependencies between resources, so they are deployed in the correct order
• Apply access control to all services in a resource group
• Clarify your organization's billing by viewing costs for a group of resources that share the same tag
• Use JSON to define the infrastructure of a solution; the JSON file is known as an ARM template, and it
tells ARM how to deploy in a specific environment

The Azure SDKs help developers build apps for Azure. As shown on this slide, there are different SDKs and
tools, such as APIs and CLIs.

The Azure CLI 2.11 is the CLI for managing Azure resources. Azure CLI 2.11 is optimized for managing and
administering Azure resources from the command line, and for building automation scripts that work with
ARM. There are two command line tool options available to you during the lab: Bash and PowerShell. You
can use the tool in your browser with Azure Cloud Shell, or you can install it on macOS, Linux, and Windows,
and run it from the command line. It is very convenient to have command line access within the Azure
portal―you can easily copy and paste commands without having to log in to the CLI.

Azure operates in multiple data centers around the world. These data centers are grouped into geographic
regions, giving you flexibility in choosing where to build your applications. Within each region, multiple data
centers exist to provide for redundancy and availability. This approach gives you flexibility as you design
applications to create VMs closest to your users and to meet any legal, compliance, or tax purposes.

Region pairs: This approach allows for the replication of resources, such as VM storage, across a geography
that should reduce the likelihood of natural disasters, civil unrest, power outages, or physical network outages
affecting both regions at once.

Feature availability: Some services or VM features are available only in certain regions, such as specific VM
sizes or storage types.

Global Azure services that do not require a particular region: Azure AD, Azure Traffic Manager, or Azure
DNS do not require a specific region.

Azure Availability Zones is a high-availability offering that protects your applications and data from data center
failures. Availability zones are unique physical locations within an Azure region. Each availability zone is
made up of one or more data centers equipped with independent power, cooling, and networking. To ensure
resiliency, there is a minimum of three separate availability zones in all enabled regions. The physical
separation of availability zones within a region protects applications and data from data center failures.

Azure VMs are one of several types of on-demand, scalable computing resources that Azure offers. An Azure
VM gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs
it. However, you still need to maintain the VM by performing tasks, such as configuring, patching, and
installing the software that runs on it. As shown on this slide, the OS running inside Azure has storage and
network interfaces. By default, VMs have outbound internet connectivity.

There are different types of VMs available in Azure. The Azure VM series are as follows:

• A Series: Entry-level economical VMs for development and testing
• D Series: General purpose computing
• Dv2 Series: Next-generation, general-purpose computing
• F Series: Compute-optimized VMs
• G Series: Memory and storage-optimized virtual machines
• H Series: High-performance VMs
• L Series: Storage-optimized VMs
• N Series: GPU-enabled VMs

FortiGate or FortiWeb should be deployed in a compute-optimized VM series with more CPU resource
availability, for better performance.

The Azure VNet service securely connects Azure resources to each other using VNets. A VNet is a
representation of your own network in the cloud. You can also connect VNets to your on-premises networks.
VNets group all the subnets within a region. During the lab, you will deploy the VNet as shown on this slide.

Isolation: VNets are isolated from one another. You can create separate VNets for development, testing, and
production that use the same (CIDR) address blocks. Conversely, you can create multiple VNets that use
different CIDR address blocks and connect networks together. You can segment a VNet into multiple subnets.
Azure provides internal name resolution for VMs and cloud services role instances connected to a VNet. You
can optionally configure a VNet to use your own DNS servers, instead of using Azure internal name
resolution.

Internet connectivity: By default, all Azure VMs and cloud services role instances connected to a VNet have
access to the internet. You can also enable inbound access to specific resources, as needed.

Azure resource connectivity: Azure resources, such as cloud services and VMs, can be connected to the
same VNet. The resources can connect to each other using private IP addresses, even if they are in different
subnets. Azure provides default routing between subnets, VNets, and on-premises networks, so you don't
have to configure and manage routes.

VNet connectivity: VNets can be connected to each other, enabling resources connected to any VNet to
communicate with any resource on any other VNet.

On-premises connectivity: VNets can be connected to on-premises networks through private network
connections between your network and Azure, or through a site-to-site VPN connection over the internet.

Traffic filtering: You can filter VM and cloud services role instances network traffic by inbound and outbound
traffic, by source IP address and port, destination IP address and port, and protocol.

Routing: You can optionally override Azure default routing by configuring your own routes, or using BGP
routes through a network gateway.

It is possible for a VNet to have more than one address space assigned to it. With dynamic assignment,
addresses are automatically allocated by the DHCP server when the VM starts and may not remain the same
when the VM reboots. Static assignment means that you can manually specify the address and it will be set
as a reservation by DHCP. The public IP address actually exists as a network address translation (NAT) entry
on the Azure fabric that gets mapped to the VM. If you are attaching a standard SKU public IP address to a
VM interface, you must apply a network security group; otherwise, you will not be able to reach that VM.

You can connect several Azure resources to a VNet, such as VMs, cloud services, application service
environments, and VM scale sets. VMs connect to a subnet within a VNet through a network interface.

When you deploy a network device, it is important to have the correct IP forwarding settings on the Azure
virtual network card. For example, IP forwarding allows FortiGate to generate traffic using a source IP address
that is different from the IP address assigned to the virtual network interface. If this feature is not enabled, the
reply packet from the internet service, which FortiGate forwards to the client with the public IP address of the
internet service as its source, is identified as a spoofed packet. So, you have to make sure that this feature is
enabled on the network interface to avoid this. In AWS, the equivalent feature works the opposite way, so you
will need to disable it in AWS.

By default, all resources connected to a VNet have outbound connectivity to the internet. You can have a
public IP address assigned to a network interface, or a resource with only a private IP address can connect to the
internet using a route defined in the routing table. The private IP address of the resource is SNATed to a
public IP address by the Azure infrastructure. You can change the default connectivity by implementing
custom routing and traffic filtering. To communicate inbound to Azure resources from the internet, or to
communicate outbound from resources to the internet without SNAT, a resource must be assigned a public IP
address.

So, it is important to know that there is no special DMZ external type of subnet where resources get a public
IP address automatically in Azure. Also, it is not a good idea to assign a public IP address directly to the
virtual machine because of security issues, scalability issues, and so on. So, it is a best practice to use a load
balancer, NAT gateway, or network virtual appliance to give internet access to the resources you need. Also,
open only the ports that are required, rather than all ports.

By default, Azure creates route tables that enable resources connected to any subnet in any VNet to
communicate with each other. You can implement either or both user-defined routes or BGP routes to
override the default routes Azure creates.

It is important to know the route priority in Azure. As shown on this slide, if all the routes in the route table are
equally specific, then the preferred route is a UDR, followed by BGP, and then system routes. However, the
most specific route always wins. For example, a 10.0.3.0/24 system route would take precedence over a
10.0.0.0/16 BGP route. If routes are equally specific, then the priority order applies and the UDR wins. UDRs
are very powerful in Azure.
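The route selection described above (longest prefix match first, then UDR over BGP over system route among equally specific prefixes), as an added example that is not from the study guide. The route table is constructed; the next hop 10.0.2.4 stands for a FortiGate NVA, and the next hop type names are only labels here.

```python
import ipaddress

# Lower value wins when prefixes are equally specific: UDR > BGP > System.
SOURCE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


def select_route(routes, destination):
    """routes: list of (prefix, source, next_hop) tuples as an effective route table
    would list them. Returns the winning (prefix, source, next_hop), or None when
    no prefix covers the destination."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for prefix, source, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            # Sort key: longest prefix first, then source priority.
            candidates.append((-net.prefixlen, SOURCE_PRIORITY[source], prefix, source, next_hop))
    if not candidates:
        return None
    _, _, prefix, source, next_hop = min(candidates)
    return prefix, source, next_hop


# Constructed effective route table for a subnet in VNet 10.0.0.0/16.
ROUTES = [
    ("10.0.3.0/24", "System", "VirtualNetwork"),        # more specific system route
    ("10.0.0.0/16", "BGP", "VirtualNetworkGateway"),    # learned over a VPN gateway
    ("10.0.0.0/16", "UDR", "10.0.2.4"),                 # force VNet traffic through FortiGate
    ("0.0.0.0/0", "System", "Internet"),                # default system route
    ("0.0.0.0/0", "UDR", "10.0.2.4"),                   # default route via FortiGate
]

if __name__ == "__main__":
    for dst in ("10.0.3.15", "10.0.5.9", "8.8.8.8"):
        print(dst, "->", select_route(ROUTES, dst))
```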

Azure DNS is a hosting service for DNS domains that provides name resolution using the Microsoft Azure
infrastructure. Azure DNS is responsible for translating (or resolving) a website or service name to its IP
address. It provides reliability, performance, seamless integration, and security. DNS service can be
configured for public DNS or internal DNS.

Azure Load Balancer can scale your applications and create high availability for your services. Azure Load
Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up
to millions of flows for all TCP and UDP applications. Azure Load Balancer can be configured to load balance
incoming internet traffic to virtual machines, traffic between virtual machines in a virtual network, traffic
between virtual machines in cloud services, or traffic between on-premises computers and virtual machines in
a cross-premises virtual network. Azure Load Balancer can also be configured to forward external traffic to a
specific virtual machine. The standard load balancer adds support for zone redundancy.

There are different types of load balancers. A standard load balancer can load balance traffic across multiple
availability zones. A basic load balancer can load balance only inside one availability zone. A public load
balancer has a public IP address on its frontend, whereas an internal load balancer has a private IP address
on its frontend. This slide shows two load balancers: a public load balancer for applications, and an
internal load balancer for the database layer. For IPsec load balancing, you can use a Layer 4 load balancer.
You can use an application gateway load balancer to load balance all your applications.

Direct server return (or floating IP) is the Azure feature that prevents the destination address from being
translated (no destination NAT, or DNAT). So, traffic received by the destination VM must reply directly to the
source IP address. Basically, the destination VM does not send traffic back to the load balancer; the load
balancer only redirects traffic.

For backend pool members, you can add VMs, and a scale set, or an availability set. Any devices that you
add to the availability set are automatically added to the target members of the load balancer.

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to optimally distribute traffic to
services across global Azure regions, while providing high availability and responsiveness. Azure Traffic
Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic routing
method and the health of the endpoints. An endpoint is any internet-facing service that is hosted inside or
outside of Azure. Azure Traffic Manager provides a range of traffic routing methods and endpoint monitoring
options to suit different application needs and automatic failover models.

Azure Traffic Manager has four routing methods:

• Priority routing
• Weighted routing
• Performance routing
• Geographic routing

This slide shows an example of a high-resilience deployment. In the example, DNS traffic is going to the traffic
manager and the traffic manager decides which region to send the traffic to. Each region has a public load
balancer or application gateway load balancer that load balances traffic between VMs in different availability
zones. Also, there is an internal load balancer for load balancing traffic between internal VMs.

Azure Traffic Manager helps to lower latency and provide multi-geo redundancy between regions. Azure
Application Gateway scales various request workloads and internal load balancers deliver connections to the
healthy HA cluster backend nodes.

There are multiple ways to connect VNets to each other: you can connect an existing VNet to
another VNet, you can use FortiGate VMs with IPsec between two VNets, or you can use Azure VNet peering
or Azure VPN gateways.

VNet peering enables you to seamlessly connect Azure VNets. After they are peered, the VNets appear as
one, for connectivity purposes. The traffic between VMs in the peered VNets is routed through the Microsoft
backbone infrastructure, much like traffic is routed between VMs in the same VNet, through private IP
addresses only. VNet peering enables resources connected to different Azure VNets to communicate with
each other and global VNet peering enables resources in the VNet to communicate across Azure regions. The
bandwidth and latency across the VNets is the same as if the resources were connected to the same VNet.

VNet-to-VNet connection enables the connection of resources that are connected to different Azure VNets
within the same, or different, Azure locations. Bandwidth is limited between VNets because traffic must flow
through an Azure VPN gateway.

VPN gateways can be used to connect two VNets, or to connect on-premises networks and Azure VNets. In
order to connect two VNets together, you must create a VPN gateway in each VNet. VPN gateways always
connect to a special subnet, called GatewaySubnet (this name is mandatory). To create a connection, specify
the two VPN gateways and configure a shared key. VPN gateways consist of two instances in an
active-standby configuration. It is also possible to create VPN gateways in an active-active configuration, which
uses a full mesh of IPsec tunnels. Failure of a gateway results in the standby taking over. (The worst case
scenario is 90 seconds of failover time.)

You can also have FortiGate on one side and Azure VPN gateway on the other side.

You can connect your on-premises network to a VNet using any combination of the following options:

Point-to-site VPN: Established between a single PC connected to your network and the VNet. This
connection type is great if you're just getting started with Azure, or for developers, because it requires few or
no changes to your existing network. The connection uses the SSTP protocol to provide encrypted
communication over the internet between the PC and the VNet. The latency for a point-to-site VPN is
unpredictable, because the traffic traverses the internet.

Site-to-site VPN: Established between your VPN device and an Azure VPN Gateway. This connection type
enables any on-premises resource you authorize to access a VNet. The connection is an IPSec/IKE VPN that
provides encrypted communication over the internet between your on-premises device and the Azure VPN
gateway. The latency for a site-to-site connection is unpredictable, because the traffic traverses the internet.

Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This
connection is private. Traffic does not traverse the internet. The latency for an ExpressRoute connection is
predictable, because traffic doesn't traverse the internet and isn't encrypted.

Azure Security Center is a unified infrastructure security management system that strengthens the security
posture of your data centers and provides advanced threat protection (ATP) across your hybrid workloads in
the cloud. Security Center helps you prevent, detect, and respond to threats by giving you more visibility into,
and control over, the security of your Azure resources. Its benefits include integrated security monitoring and
policy management across Azure subscriptions, and detection of threats that might otherwise go unnoticed.
Azure Security Center works with a broad ecosystem of security solutions, including Fortinet.

Azure Security Center makes recommendations based on your deployment. As shown on this slide, Azure
highly recommends adding a next-generation firewall (NGFW) to your deployment. To satisfy the
recommendations it raises, you deploy the recommended devices from this menu. All vendor names are listed
in alphabetical order.

You can filter network traffic between subnets using one or more of the following options:

• Network security groups (NSGs)
• Azure Firewall
• Network virtual appliances (NVAs), such as FortiGate

An NSG is a list of access control rules that permit or deny traffic based on criteria such as source, destination,
port, and protocol. Rules are evaluated in priority order (lower number first) and the first match wins; Azure's
non-deletable default rules (priority 65000 and above) catch anything your rules do not match. An NSG can be
associated with a network interface or with a whole subnet; when both are present, inbound traffic must pass
the subnet NSG and then the NIC NSG. NSGs work only for resources connected to a VNet; they do not apply
to resources outside it (such as most PaaS services). NSGs are stateful: return traffic for an allowed flow is
permitted automatically, so you do not need a matching rule in the opposite direction.
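
To make the evaluation order and the stateful behaviour concrete, here is an added illustration (my code, not Azure's implementation) that models how an NSG decides a flow: rules sorted by priority, first match wins, default rules at the end, and replies of allowed flows accepted without an outbound rule. The rules, addresses, and the approximation of the Internet and VirtualNetwork service tags as plain CIDRs are constructed for the example.

```python
"""Model of how an Azure network security group (NSG) decides a flow.

Added illustration, not Azure's code: rules are evaluated in ascending priority
(lower number first), the first match wins, and because the NSG is stateful the
reply packets of an allowed flow pass without any rule in the other direction.
The rule set and flows are constructed; the "Internet" service tag is
approximated as any source and the VNet range as 10.0.0.0/16.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, or "*" for any source
    dest_port: str   # "443", "22-23" or "*"

    def matches(self, direction: str, protocol: str, src: str, dport: int) -> bool:
        if self.direction != direction:
            return False
        if self.protocol not in ("*", protocol):
            return False
        if self.source != "*" and ip_address(src) not in ip_network(self.source):
            return False
        if self.dest_port != "*":
            lo, _, hi = self.dest_port.partition("-")
            if not int(lo) <= dport <= int(hi or lo):
                return False
        return True


# Azure appends default rules (priority 65000 and up) that cannot be deleted.
DEFAULT_RULES = [
    Rule(65000, "Inbound", "Allow", "*", "10.0.0.0/16", "*"),  # AllowVnetInBound (VNet range assumed)
    Rule(65500, "Inbound", "Deny", "*", "*", "*"),             # DenyAllInBound
    Rule(65000, "Outbound", "Allow", "*", "*", "*"),           # AllowInternetOutBound (simplified)
]


class Nsg:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules + DEFAULT_RULES, key=lambda r: r.priority)
        self.flows: Set[Tuple[str, str, int, str, int]] = set()  # connection table

    def decide(self, direction: str, protocol: str,
               src: str, sport: int, dst: str, dport: int) -> Tuple[str, str]:
        # Stateful part: a reply to a flow that was already allowed needs no rule.
        if (protocol, dst, dport, src, sport) in self.flows:
            return "Allow", "established"
        for rule in self.rules:
            if rule.matches(direction, protocol, src, dport):
                if rule.access == "Allow":
                    self.flows.add((protocol, src, sport, dst, dport))
                return rule.access, f"priority {rule.priority}"
        return "Deny", "no matching rule"  # unreachable while DenyAllInBound exists


# Constructed rule set with an ordering mistake: rule 300 is meant to keep one
# hostile network away from HTTPS, but rule 100 matches first and allows it.
WEB_NSG_RULES = [
    Rule(100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule(110, "Inbound", "Deny", "Tcp", "*", "22"),
    Rule(300, "Inbound", "Deny", "Tcp", "203.0.113.0/24", "443"),
]


def demo() -> dict:
    nsg = Nsg(WEB_NSG_RULES)
    return {
        "https_from_internet": nsg.decide("Inbound", "Tcp", "198.51.100.7", 50000, "10.0.1.4", 443),
        "ssh_from_internet":   nsg.decide("Inbound", "Tcp", "198.51.100.7", 50001, "10.0.1.4", 22),
        "https_from_blocked":  nsg.decide("Inbound", "Tcp", "203.0.113.9", 50002, "10.0.1.4", 443),
        "rdp_from_internet":   nsg.decide("Inbound", "Tcp", "198.51.100.7", 50003, "10.0.1.4", 3389),
        "rdp_from_vnet":       nsg.decide("Inbound", "Tcp", "10.0.2.8", 50004, "10.0.1.4", 3389),
        # Reply of the first flow travelling outbound: allowed by state, not by a rule.
        "https_reply":         nsg.decide("Outbound", "Tcp", "10.0.1.4", 443, "198.51.100.7", 50000),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:20s} {verdict:5s} ({reason})")
```

The third flow is the gotcha worth checking in real rule sets: the Deny at priority 300 never fires because the broader Allow at 100 matches first; to block that network you would give the Deny a lower number than the Allow.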

An NVA is a VM running software that performs a network function; FortiGate and FortiWeb are examples.
NVAs can provide firewalling, WAN optimization, and other network traffic functions. Because Azure does not
send traffic through an NVA by default, NVAs are typically combined with user-defined routes (UDRs) or BGP
to steer traffic to them. You can also use an NVA to filter traffic between VNets.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in Fortinet solutions for Azure, you will be able to successfully deploy and use
Fortinet products in Azure Marketplace.

This diagram shows Azure Marketplace availability for Fortinet products. Keep in mind that the information
shown in this diagram could change, based on the new support availability for Fortinet products.

Fortinet provides different ways to communicate with Azure. Security Fabric connectors, called SDN
connectors, let FortiGate talk to the Azure API. As shown on this slide, several parameters are needed to
connect. Once connected, you do not hard-code a VM's IP address on FortiGate: the SDN connector obtains it
through the API and keeps it current. This is why you should keep the FortiGate configuration as dynamic as
possible, instead of assigning parameters statically. You will learn how to obtain all the parameters during the
lab.

When you configure FortiGate settings, you obtain all the parameters from the Azure portal. Determining which
portal value goes in which FortiGate field can be challenging, because FortiGate uses the Azure API names
while the portal uses different labels. For example, the value the Azure portal labels Directory (tenant) ID is the
tenant ID in FortiGate's connector settings, and the key value the portal shows once when you create a client
secret for the application is FortiGate's client secret (copy it immediately; the portal does not display it again).
Grant the registered application only the role it needs: read access to the resource group is sufficient for
dynamic address lookups, and only the HA failover use case needs rights to modify IP configurations and
route tables.

As shown on this slide, there are several types of filters that you can use. There are also many types of tags
in Azure; currently, FortiGate supports only tags set on a VM. For example, you can create a tag named
security policy with the value DMZ. When IT staff deploy a new VM in the DMZ and apply that tag, FortiGate
automatically pulls the VM's IP addresses into the dynamic address object that references the tag, and the
DMZ outgoing policy matches the new server without any change on FortiGate. The current implementation is
limited to one subscription and one resource group per connector, and only addresses in use by running VMs
are returned; the addresses of a stopped VM drop out of the object.
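
The following added example (my code, not Fortinet's SDN connector) shows what that lookup amounts to: a FortiGate-style filter string is applied to a constructed Azure VM inventory, honouring the single-resource-group scope and the running-VMs-only rule described above. The filter grammar (Tag.<key>=<value> terms joined by & and |) and the inventory fields are assumptions made for the illustration.

```python
"""Resolving a FortiGate dynamic address against Azure VM inventory.

Added illustration, not Fortinet's code. The real SDN connector polls the Azure
API; here the inventory is a constructed list. The filter grammar is assumed to
follow FortiGate's style: terms such as Tag.<key>=<value>, ResourceGroup=<name>
or Vm=<name>, joined with '&' (AND) or '|' (OR; '&' binds tighter).
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed inventory, shaped like what the connector reads from the API.
INVENTORY = [
    {"name": "web1", "resource_group": "rg-prod", "power_state": "running",
     "tags": {"security policy": "DMZ", "role": "web"}, "private_ips": ["10.0.2.4"]},
    {"name": "web2", "resource_group": "rg-prod", "power_state": "running",
     "tags": {"security policy": "DMZ", "role": "web"}, "private_ips": ["10.0.2.5", "10.0.2.15"]},
    {"name": "web3", "resource_group": "rg-prod", "power_state": "deallocated",  # stopped VM
     "tags": {"security policy": "DMZ", "role": "web"}, "private_ips": ["10.0.2.6"]},
    {"name": "jump1", "resource_group": "rg-prod", "power_state": "running",
     "tags": {"security policy": "MGMT", "role": "bastion"}, "private_ips": ["10.0.9.4"]},
    {"name": "web9", "resource_group": "rg-dev", "power_state": "running",         # other resource group
     "tags": {"security policy": "DMZ"}, "private_ips": ["10.1.2.4"]},
]

Term = Tuple[str, str]


def parse_filter(expr: str) -> List[List[Term]]:
    """'a=1&b=2|c=3' -> [[(a,1),(b,2)], [(c,3)]]: an OR of AND-groups."""
    groups = []
    for alternative in expr.split("|"):
        terms = []
        for raw in alternative.split("&"):
            key, sep, value = raw.strip().partition("=")
            if not sep or not key or not value:
                raise ValueError(f"malformed filter term: {raw!r}")
            terms.append((key.strip(), value.strip()))
        groups.append(terms)
    return groups


def term_matches(vm: Dict, key: str, value: str) -> bool:
    if key.startswith("Tag."):
        return vm["tags"].get(key[len("Tag."):]) == value   # tag keys may contain spaces
    if key == "ResourceGroup":
        return vm["resource_group"] == value
    if key == "Vm":
        return vm["name"] == value
    raise ValueError(f"unsupported filter key: {key!r}")


def resolve(expr: str, inventory: List[Dict], resource_group: str) -> List[str]:
    """Addresses the dynamic address object would contain for this filter."""
    groups = parse_filter(expr)
    addresses = set()
    for vm in inventory:
        if vm["resource_group"] != resource_group:   # connector is scoped to one resource group
            continue
        if vm["power_state"] != "running":            # only running VMs contribute addresses
            continue
        if any(all(term_matches(vm, k, v) for k, v in group) for group in groups):
            addresses.update(vm["private_ips"])
    return sorted(addresses, key=ip_address)


def dmz_addresses() -> List[str]:
    return resolve("Tag.security policy=DMZ", INVENTORY, "rg-prod")


def dmz_or_bastion_addresses() -> List[str]:
    return resolve("Tag.security policy=DMZ|Tag.role=bastion", INVENTORY, "rg-prod")


if __name__ == "__main__":
    print("DMZ:", dmz_addresses())
    print("DMZ or bastion:", dmz_or_bastion_addresses())
```

Note that web3 carries the DMZ tag but contributes nothing while deallocated, and web9 is ignored because it lives in another resource group; both are the cases that surprise people when a policy stops matching a server.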

Traditional FortiGate Clustering Protocol (FGCP) cannot be used as-is in the cloud, because it relies on
multicast heartbeats that cloud networks do not deliver. The solution is active-passive unicast FGCP, a
modified version of the protocol in which heartbeats are unicast between the two members. To form the
cluster, you configure the peer's heartbeat IP address on each FortiGate. Each member also has its own
management interface (port4) with a unique address on a subnet that has internet access, so each member
can be reached separately. Two interfaces process production traffic, external and internal; the heartbeat and
management interfaces are reserved for the system (they sit in hidden system VDOMs) and cannot be used
for production traffic.

This slide shows the API-related settings for an active-passive cluster. When you configure the Fabric
connector on FortiGate, you add the settings shown here; you will use them during the lab. On failover,
FortiGate calls the Azure API to move the public IP address (and secondary private IPs) to the new primary's
NIC, and to rewrite the route table so that the next hop points to the new primary. Each cluster member holds
its own copy of these settings, naming its own NIC and the routes it should take over, so that whichever
member becomes primary can claim the addresses and routes.

This slide shows some useful tips for configuring an active-passive unicast cluster. It is very important to
disable the override setting to avoid unnecessary failovers: pinning a specific device to a role (for example,
forcing one member to always be primary) is not recommended in the cloud, because every failover triggers
another round of API calls that take time to complete. How virtual IP (VIP) addresses work depends on the
cloud vendor. With FGCP, the same configuration is active on both FortiGate devices, but in Azure each
member keeps its own unique primary IP address, while the secondary IP address moves from one member to
the other on failover. Because you cannot know in advance which interface address is current, set the VIP's
external IP address to 0.0.0.0, which matches whatever address is assigned to the interface at the time, rather
than configuring multiple specific IP addresses.

This slide shows an active-active load-balancing scenario with two load balancers: an external (public) load
balancer and an internal load balancer. The two FortiGate devices are in the same availability set. The port1
interfaces on both FortiGate devices are in the back-end pool of the public load balancer. Internet traffic first
reaches the public load balancer, which distributes it across the two FortiGate devices; after inspection, the
traffic goes to the internal load balancer and then to the VMs. Every cloud vendor has its own load-balancing
solutions.

This slide shows FortiGate auto scaling with Azure. You can deploy FortiGate-VMs to work with Azure
Autoscale. This requires a manual deployment that incorporates one or more virtual machine scale sets
(VMSS), the related network components, and Azure Function App scripts; Fortinet provides a FortiGate auto
scale for Azure deployment package to facilitate it. Multiple FortiGate-VM instances form a VMSS to provide
elastic clustering during periods of high workload, and instances are scaled out automatically according to
predefined workload levels. Auto scaling relies on FortiGate-native HA features such as config-sync, which
copies the FortiOS configuration to new FortiGate-VM instances at scale-out time. In this scenario, two load
balancers distribute the traffic, and Azure Cosmos DB stores the cluster state that the Function App uses to
determine which FortiGate device is the primary. You will work with this scenario in a lab exercise.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned Azure basic concepts, networking, security,
and how to use Fortinet solutions with Azure.

Fortinet Solution for Google Cloud Platform

In this lesson, you will learn about the Fortinet solution for Google Cloud Platform (GCP).

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in GCP fundamentals, you will be able to understand GCP concepts and
security.

This slide shows GCP services. GCP offers fewer services than Amazon Web Services (AWS) and Microsoft
Azure. Its machine learning services are a notable strength, and one reason some customers choose GCP
over AWS or Azure.

Google Cloud Platform (GCP) Marketplace is an online store where customers can find, buy, and immediately
start using the software and services they need to build products and run their businesses. As shown on this
slide, a limited number of Fortinet solutions are available in the GCP Marketplace.

This is the GCP Console, which is the web-based GUI used to manage GCP projects and resources. When
you use the GCP Console, you create a new project or choose an existing project, and use the resources that
you create in the context of that project. You can create multiple projects, so you can use projects to separate
your work in whatever way makes sense for you. For example, you might start a new project if you want to
make sure only certain team members can access the resources in that project, while all team members can
continue to access resources in another project.

Each project ID is unique across GCP. After you create a project, you can delete the project, but its ID can
never be used again. When billing is enabled, each project is associated with one billing account. Multiple
projects can have their resource usage billed to the same account. A project serves as a namespace. This
means every resource within each project must have a unique name, but you can usually reuse resource
names if they are in separate projects. Some resource names must be globally unique. For more information,
see the documentation for the resource.

A project is the organizing entity for what you're building. Any GCP resources that you allocate and use must
belong to a project. A project is made up of the settings, permissions, and other metadata that describe your
applications. Resources within a single project can work together easily—for example, by communicating
through an internal network, subject to the regions-and-zones rules. The resources that each project contains
remain separate across project boundaries; you can only interconnect them through an external network
connection.

Each GCP project has the following identifiers:

• A project name, which you provide
• A project ID, which you can provide or GCP can provide for you
• A project number, which GCP provides

As you work with GCP, you'll use these identifiers in specific command lines and API calls.

Google Compute Engine (GCE) is the IaaS component of Google Cloud Platform: it provides the VM
instances on which customers run their workloads. Instances come in machine families such as E2, N2, and
N2D, each offering machine types that differ in the number of vCPUs and the amount of memory.

Deploying a FortiGate device in GCP is similar to deployments with other cloud vendors, but there are a few
things to note. GCP firewall rules are enforced at the instance level, and during deployment you can choose
whether to allow or deny well-known TCP ports such as 22, 80, and 443 before the instance exists. You must
also decide on the number of network interfaces before you finish deploying, because GCP does not let you
add interfaces to an existing instance; if you get it wrong, you must destroy the instance and recreate it.

In GCP, the credentials of a deployed instance are shown in the instance detail section, and there are several
places you can click to access the device directly. You must change the temporary password the first time you
log in.

Google Cloud SDK is a set of tools for GCP. It contains the gcloud, gsutil, and bq command-line tools, which
you can use to access Compute Engine, Cloud Storage, BigQuery, and other products and services from the
command line, either interactively or from automated scripts.

Cloud SDK is written in Python and is used to manage the resources in your project. It is available for
Windows, Linux (including Debian/Ubuntu and Red Hat/CentOS packages), and macOS. Cloud SDK provides
various CLI utilities to manage and interact with multiple GCP services. At the time of writing, the supported
Python versions are 3.5 to 3.7, and 2.7.9 or higher.

Live migration: Google Compute Engine instances can be moved to nearby hosts while active—even while
under extreme load—complete with their working SSD storage (up to 1.5 TB). Since your VMs don’t need to
be rebooted for host software updates or other standard operational tasks, uptimes are superb. This ensures
predictable performance across all the different parts of your application.

Custom machine types: These let you configure the right combination of memory and virtual CPU for your
workload.

Global load balancers: A built-in load balancer is part of a worldwide distributed system for delivering
customers to infrastructure, the same system that supports Google products, like Maps, Gmail, and Search.

As of 2020, GCP is available in multiple regions and zones, with network edge locations serving more than
two hundred countries and territories; this footprint is still smaller than what AWS and Azure offer. A region is a
specific geographical location where users can deploy cloud resources. Each region is an independent
geographic area that consists of zones.

GCP resources have one of three scopes: global, regional, or zonal. For example, creating a VPC network is a
global operation because a network is a global resource, while reserving an IP address is a regional operation
because an address is a regional resource. As you start to optimize your GCP deployment, it is important to
understand how these regions and zones interact. For example, even if you could, you would not want to
attach a disk in one region to a VM in a different region, because the latency you would introduce would make
for very poor performance. GCP does not let you do this: a persistent disk can be attached only to a VM in the
same zone.

Resource names must be unique within a project (and some resource names must be globally unique).

In GCP, virtual machines (VMs) are provided by Compute Engine. There are also other compute options, such
as a serverless execution environment equivalent to AWS Lambda or Azure Functions. The compute options
let you:

• Work in a serverless environment
• Use a managed application platform
• Leverage container technologies to gain flexibility
• Build your own cloud-based infrastructure for the most control and flexibility

A VPC network in GCP is a global resource within a project, unlike an Azure VNet or an AWS VPC, which are
regional. Subnets are regional, and a single subnet can span all the zones in its region, so VMs in different
zones can share one subnet. Each VM has a primary interface that connects to one subnet. A VM can
optionally have multiple network interfaces, but each additional interface must connect to a subnet in a
different VPC network, and all of those subnets must be in the VM's region. You can add subnets to your VPC
network; subnets belong to the project that owns the network unless you use Shared VPC. A route specifies
how packets leaving a VM should be directed.

Google Cloud DNS is a scalable, authoritative DNS service that lets you publish and maintain DNS records on
the same infrastructure that Google uses. You can use the GCP console, the gcloud command line, or the
REST API to work with managed zones and DNS records.

There are multiple load balancers in GCP. The global external load balancers distribute HTTP, HTTPS, SSL
proxy, and TCP proxy traffic to back ends across regions. The regional external load balancer distributes traffic
to a pool of instances within a region. The regional internal load balancer distributes traffic from GCP VM
instances to a group of instances in the same region. By default, all GCP load balancers benefit from
Google's denial of service (DoS) protection.

If you have an existing network that you want to connect to GCP resources, Google Cloud Interconnect offers
three options for advanced connectivity:

• Carrier interconnect: Connects your infrastructure to Google's network edge through highly available,
lower-latency connections provided by service providers. You can also extend your private network into your
Compute Engine network over carrier interconnect links by running a VPN tunnel between the networks.
• Direct peering: Exchanges internet traffic between your network and the Google network at one of
Google's broad-reaching edge network locations.
• Cloud VPN: Connects your existing network to your Compute Engine network over an IPsec connection.
You can also use Cloud VPN to connect two Compute Engine VPN gateways to each other.

GCP's security model is the same as the other vendors': a shared responsibility model between the provider
and the customer. Google secures the underlying Compute Engine and container infrastructure, and the
customer is responsible for securing the guest OS, the applications, the data, and the configuration of access
controls such as firewall rules and IAM.

GCP firewall rules let you allow or deny traffic to and from your VM instances, based on the configuration you
specify. Enabled firewall rules are always enforced, protecting your instances regardless of their configuration
and operating system, even before they have finished starting up. Firewall rules belong to a VPC network and
each network has its own set; they are enforced at the instance level, per network interface, and the rule's
target (all instances in the network, instances with a given network tag, or instances running as a given
service account) determines which instances it applies to. Firewall rules can be managed through the GCP
console, the gcloud command-line tool, and the REST API.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in Fortinet solutions for GCP, you will be able to successfully deploy and use
Fortinet products in GCP.

As shown on this slide, there are Fortinet solutions in GCP Marketplace. For now, the available Fortinet
solutions are FortiGate, FortiWeb, FortiManager, FortiADC, and FortiAnalyzer.

In the GCP console, the credentials that the FortiGate SDN connector uses are created under APIs &
Services > Credentials.

As shown on this slide, you create a service account and then create a key of type JSON for it; the key
contains all the details necessary to configure the SDN connector. Grant the service account only the read-only
role it needs (for example, Compute Viewer), because anyone holding the key file can act as that account.

As shown on this slide, a JSON key file is downloaded to your PC. It contains the private key and all the other
connector details, so treat it as a secret.

When you open the downloaded file in a text editor, you will see all the connector parameters necessary for
setting up the FortiGate public connector. You need to extract the project ID, the service account e-mail, and
the private key.

To configure the Fabric connector on FortiGate, open the GCP connector configuration, fill in the Project
name, Service account email, and Private key fields with the values from the JSON file, and click OK.
Alternatively, if FortiGate itself runs in GCP, select Use metadata IAM: FortiGate then authenticates with the
service account attached to its own instance, so no key file has to exist or be pasted anywhere. Prefer this
where possible, because a downloaded key is a long-lived credential that grants whatever roles the service
account holds.
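
As an added example covering the steps above (my code, not Fortinet's or Google's), the following script validates a downloaded service-account key file, pulls out the project ID, service account e-mail and private key, refuses a key file that other users on the workstation can read, and prints the equivalent FortiOS CLI stanza. The sample key is constructed (its PEM body is filler, not a real key), the e-mail-to-project check assumes a user-created service account, and the FortiOS field names gcp-project, service-account and private-key are as I recall them for 6.4; check them against the CLI reference for your build.

```python
"""From a downloaded GCP service-account key to FortiGate SDN connector settings.

Added illustration, not Fortinet's or Google's code. It validates the JSON key
document, extracts the three values the connector form asks for, and emits the
equivalent FortiOS 6.4 CLI stanza. The sample key is constructed: its PEM body
is base64 filler, not a real RSA key. The FortiOS field names (gcp-project,
service-account, private-key) are assumed from memory of 6.4; verify them.
"""
import base64
import json
import os
import stat
from typing import Dict

_FAKE_KEY_BODY = base64.b64encode(b"constructed filler, not a real private key " * 3).decode()

SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n" + _FAKE_KEY_BODY + "\n-----END PRIVATE KEY-----\n",
    "client_email": "fgt-sdn@example-project-123.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

REQUIRED = ("type", "project_id", "private_key", "client_email")


def _check_pem(pem: str) -> None:
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != "-----BEGIN PRIVATE KEY-----" \
            or lines[-1] != "-----END PRIVATE KEY-----":
        raise ValueError("private_key is not a PKCS#8 PEM block")
    base64.b64decode("".join(lines[1:-1]), validate=True)  # binascii.Error if corrupted


def connector_params(key_json: str) -> Dict[str, str]:
    """Return project, service-account e-mail and private key, or raise on a bad file."""
    doc = json.loads(key_json)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if doc["type"] != "service_account":
        raise ValueError(f"not a service-account key (type={doc['type']!r})")
    # User-created service accounts live under <project>.iam.gserviceaccount.com;
    # a mismatch means the wrong project's key, or an edited file.
    if not doc["client_email"].endswith(f"@{doc['project_id']}.iam.gserviceaccount.com"):
        raise ValueError("client_email does not belong to project_id")
    _check_pem(doc["private_key"])
    return {"project": doc["project_id"],
            "service_account": doc["client_email"],
            "private_key": doc["private_key"]}


def load_key_file(path: str) -> Dict[str, str]:
    """Read a key file from disk, refusing one that other users on the host can read."""
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        raise PermissionError(f"{path} is group/world readable; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return connector_params(fh.read())


def fortios_stanza(params: Dict[str, str], name: str = "gcp1") -> str:
    """CLI equivalent of the GUI form (field names assumed, see module docstring)."""
    key = params["private_key"].strip()
    return "\n".join([
        "config system sdn-connector",
        f'    edit "{name}"',
        "        set type gcp",
        f'        set gcp-project "{params["project"]}"',
        f'        set service-account "{params["service_account"]}"',
        f'        set private-key "{key}"',
        "    next",
        "end",
    ])


def tampered_sample() -> str:
    """The sample document with the e-mail swapped for another project's account."""
    doc = json.loads(SAMPLE_KEY_JSON)
    doc["client_email"] = "fgt-sdn@other-project.iam.gserviceaccount.com"
    return json.dumps(doc)


if __name__ == "__main__":
    print(fortios_stanza(connector_params(SAMPLE_KEY_JSON)))
```

Running the script prints the stanza; in practice the GUI form is the easier place to paste a multi-line key. Where FortiGate runs inside GCP, Use metadata IAM removes the need for any key file, which is the better choice from a credential-handling standpoint.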

This slide shows the objectives covered in this lesson. By mastering the objectives covered in this lesson, you
learned GCP basic concepts, components, networking, security, GCP Marketplace, and FortiGate Fabric
Connector for GCP.

FortiCWP and FortiCASB

In this lesson, you will learn about public cloud security with FortiCWP and FortiCASB.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiCWP, you will be able to successfully use it to secure your public cloud.

A cloud workload protection (CWP) solution addresses the unique security requirements of infrastructure
management in modern multicloud environments. FortiCWP can access the cloud vendor’s management
console information directly through APIs. Organizations that use FortiCWP can get visibility, achieve
compliance, and remediate security risks for their IaaS environments. FortiCWP is a cloud-based service and
supports Google Cloud, Amazon Web Services, and Microsoft Azure. The main use cases for FortiCWP are
risk management, threat detection, data security, traffic analysis, and compliance reporting.

FortiCWP uses each cloud vendor-specific API to gather information from their different native security
features, allowing for risk management of multi-cloud environments using a single console. So, security
operations teams can perform automated evaluation of their company security posture in large, multi-cloud
environments from the FortiCWP dashboard, instead of going through each account and vendor’s native
security tools manually.

FortiCWP’s intuitive and modern user interface is both easy to use and informative. Administrators log in to
the web-based portal and then navigate to the controls and dashboards for each IaaS vendor. Risks are called
to the user’s attention through the dashboards, and advanced reporting tools provide in-depth information
about the event or user. Using the predefined default policies, organizations can be up in minutes and then
can tailor settings, as desired, over time. This slide shows an example of an IaaS risk dashboard. It shows an
assessment of configuration violations across cloud accounts, provides instant visibility into workloads with
higher risk, and gives easy drill-down to troubleshoot and gain actionable information.

This slide shows an example of a predefined network policy for port 23 (Telnet). This predefined policy identifies
any inbound Telnet traffic from the internet to cloud devices in AWS, Azure, or GCP, and the Remediation tab
provides steps to mitigate the issue. Customers can create their own policies or rely on predefined policies. FortiCWP
uses policies for two purposes:

1. Scan and report features use the policies you set to differentiate between sensitive and non-sensitive data.
2. Alerts are generated according to the policies you set.

The following predefined policy categories are featured on FortiCWP:

• Risk Assessment: FortiCWP uses risk assessment policies to determine whether your organization's cloud platform
follows the recommended best practices. When users fail to follow these best practices, FortiCWP sends an alert.
• Data Analysis: Data analysis policies keep track of sensitive data. For example, if a user accesses a file containing
social security numbers (SSNs) and you have the SSN policy set, FortiCWP sends you an alert.
• Threat Protection: Threat protection policies track suspicious user behavior. If a user enters the wrong password
multiple times, the Excessive Login Failures policy triggers and FortiCWP sends you an alert.
• Network: Network policies focus on network exposure, including monitoring of botnet activity and inbound traffic
from the internet to services such as SSH, SMTP, and FTP.
• Integration: Integration policies control the import settings for alerts coming from the cloud providers' own security
services. AWS GuardDuty, AWS Inspector, Google Cloud Security Command Center, and Azure Security Center alerts
can be turned on or off here; FortiCWP starts or stops receiving alerts from these services accordingly.
• Compliance: Compliance policies track files relevant to specific regulations. If a user accesses a file containing
protected health information and you have the corresponding HIPAA policy set, FortiCWP sends you an alert.

For organizations operating in a highly regulated industry, FortiCWP provides out-of-the-box policies for
standards and mandates, and allows organizations to quickly generate compliance reports for auditing teams,
so they can identify policy violations and take necessary remedial actions.

Some of the main advantages of FortiCWP are:

• Enhanced visibility and historical snapshots of public cloud environments
• Continuous monitoring of security and compliance assessment policies
• Comprehensive reporting to stay compliant and reduce risk

FortiCWP and FortiCASB services are delivered through the FortinetOne service portal. Customers obtain
these licenses from a channel partner or directly from Fortinet, and then initiate them from within the
FortinetOne portal. FortiCWP has two parts:

• Workload Guardian for risk assessment, threat protection, compliance reporting and network security
• Storage Guardian, for scanning data stores for malware and sensitive data

A Workload Guardian license is sized in seats: the total number of virtual machines across all onboarded cloud
accounts must not exceed the number of licensed seats, or monitoring is not maintained. Storage Guardian is
an add-on license; the customer first purchases and activates Workload Guardian, and can then apply the
Storage Guardian license.

Storage Guardian itself has two options: basic, for malware detection, and advanced, which adds scanning for
data. You can find more license information in the Fortinet document library.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiCASB, you will be able to successfully use it to secure your public
cloud.

Cloud access security brokers (CASBs), in general, are on-premises or cloud-based security policy
enforcement points placed between cloud service users and cloud service providers, to apply enterprise
security policies as cloud-based resources are accessed. CASBs consolidate multiple types of security policy
enforcement, for example, authentication, single sign-on, authorization, credential mapping, device profiling,
data security (content inspection, encryption, tokenization), logging, alerting, and malware detection and
prevention.

FortiCASB is Fortinet’s cloud-native CASB service that provides visibility, compliance, data security, and
threat protection for cloud-based services. Using direct API access to cloud vendors, FortiCASB enables deep
inspection and policy management for data stored in SaaS applications. FortiCASB also provides advanced
tools that provide detailed user analytics and management tools to ensure policies are enforced, and your
organization’s data is not getting into the wrong hands.


FortiCASB's web-based user interface is both easy to use and informative. Administrators log in to the portal and then navigate to the controls and dashboards for each SaaS application. Risks are called to the administrator's attention through the dashboards, and reporting tools provide in-depth information about the event or user concerned. Using the predefined default policies, organizations can be up and running in minutes, and can then tailor settings, as desired, over time.


Organizations are increasingly adopting software-as-a-service (SaaS) applications for the agility and savings they offer, but find that these applications do not provide the required visibility and control. FortiCASB is a cloud-native CASB subscription service that is designed to provide visibility, compliance, data security, and threat protection for the cloud-based services that an organization uses.

As shown on this slide, FortiCASB complements FortiClient or FortiGate application control. In the example, sanctioned applications such as Dropbox and OneDrive are allowed by application control, and FortiCASB then inspects the specific user actions within those applications through the providers' APIs. Applications that are not sanctioned, and that FortiCASB cannot monitor, can be blocked with application control.


FortiGate and FortiClient application control provide fine-grained control of popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. However, application control can only protect traffic that actually flows through these devices. In addition, devices with application control cannot inspect the specific user actions within such an application, because the application's endpoint client hardcodes (pins) the provider's TLS certificate, so the session cannot be decrypted for deep inspection. Application control can therefore see that a user connected to Dropbox, but not which file was uploaded or shared, or with whom.

FortiCASB can inspect the user actions of supported applications, no matter where the user is or whether the traffic passes through a FortiGate, because it connects directly to the SaaS provider through the provider's API. By combining FortiCASB and application control, the customer gets the most complete control and inspection of SaaS usage.


This slide shows an example of a Dropbox account scanned by FortiCASB. It shows how many files have been scanned and whether FortiCASB found any issues.

The main features of FortiCASB are:

• DLP scanning
• Malware analysis with AV scanning and sandbox integration
• Document and user usage and permissions analysis
• Visibility and control of file collaboration
• Threat protection policies that flag suspicious activity (who, when, where)


This slide shows a summary of the per-application discovery and drill-down capabilities of FortiCASB. As shown on this slide, FortiCASB uses an API-based approach to monitor Office 365 activity: it receives web notifications from Office 365 and pulls activity data directly from Office 365 through its RESTful API. An administrator can then use the drill-down features to get more details about a specific user and activity.


For compliance purposes, you can use FortiAnalyzer to run a report that consolidates FortiCASB, FortiClient, and FortiGate logs. The report covers sanctioned applications, reported through FortiCASB, as well as tolerated and blocked applications, reported through FortiGate and FortiClient logs.


This slide shows an example of a Salesforce discovery scenario. After the Salesforce application is added to
the FortiCASB portal, the FortiCASB administrator can monitor any user activities on the Salesforce
application. If there are compliance violations or suspicious activities, the administrator can take further
actions to minimize the risk.


This slide shows an example of a user compliance violation. Data analysis policies keep track of sensitive data. For example, when a user uploads a file containing credit card information to Salesforce, the FortiCASB policy triggers, and the FortiCASB administrator receives an alert message with remediation steps.
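The following is an added example, not FortiCASB code or any Fortinet API, that illustrates the mechanics behind the DLP scanning feature listed earlier, the API-driven activity pull described for Office 365, and the credit card violation scenario above. It runs a data-analysis policy over constructed SaaS activity events (standing in for records pulled from a provider's API), looks for payment card numbers in uploaded content, validates candidates with the Luhn checksum to suppress false positives, and produces an alert carrying who, when and where plus remediation steps. All event records, file contents, and function names are assumptions for illustration.

```python
"""
Added example (not Fortinet code): a minimal CASB-style policy engine.
It (1) iterates over activity events as a CASB would after pulling them from
a SaaS provider's API (simulated here with constructed in-memory events), and
(2) runs a data-analysis (DLP) policy that flags file uploads containing a
payment card number, producing an alert with who/when/where and remediation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Candidate primary account number (PAN): 13 to 19 digits, optionally
# separated by single spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return PAN-looking strings that also pass Luhn, with separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Event:
    """One activity record, as a CASB would receive it from a SaaS API (assumed shape)."""
    app: str
    user: str
    action: str
    timestamp: str
    source_ip: str
    file_name: str = ""
    content: str = ""


@dataclass
class Alert:
    policy: str
    user: str
    timestamp: str
    source_ip: str
    app: str
    file_name: str
    matches: list[str]                      # masked PANs, never the full number
    remediation: list[str] = field(default_factory=list)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN and suffix) and mask the rest."""
    return f"{pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}"


def dlp_policy(event: Event) -> Optional[Alert]:
    """Data-analysis policy: flag uploads whose content contains a valid PAN."""
    if event.action != "FileUpload":
        return None
    matches = find_card_numbers(event.content)
    if not matches:
        return None
    return Alert(
        policy="DLP: payment card data in upload",
        user=event.user, timestamp=event.timestamp, source_ip=event.source_ip,
        app=event.app, file_name=event.file_name,
        matches=[mask_pan(m) for m in matches],
        remediation=["Quarantine or remove the file through the SaaS API",
                     "Notify the user and the data owner",
                     "Review the user's other recent uploads"],
    )


def run_policies(events: Iterable[Event]) -> list[Alert]:
    """Evaluate every event against the policy set and collect the alerts."""
    return [a for e in events if (a := dlp_policy(e)) is not None]


# Constructed sample events (not real data). The first upload carries two valid
# test card numbers; the second carries a 16-digit value that fails Luhn.
SAMPLE_EVENTS = [
    Event("Salesforce", "[email protected]", "FileUpload", "2020-10-13T14:02:11Z",
          "203.0.113.10", "customers.csv",
          "name,card\nAlice,4111 1111 1111 1111\nBob,5500-0000-0000-0004\n"),
    Event("Salesforce", "[email protected]", "FileUpload", "2020-10-13T14:05:40Z",
          "198.51.100.7", "notes.txt", "order id 1234567890123456 is not a card"),
    Event("Salesforce", "[email protected]", "Login", "2020-10-13T14:06:00Z",
          "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in run_policies(SAMPLE_EVENTS):
        print(alert)
```

The Luhn check is what keeps a policy like this usable in practice: order numbers, account identifiers and timestamps routinely look like 13 to 19 digit strings, and a regex alone would page the administrator on every one of them. Masking the matched number in the alert matters too, since the alert itself otherwise becomes a second copy of the cardholder data.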


Organizations are subject to a number of regulatory and standards compliance requirements, with different reach. For example, the Payment Card Industry Data Security Standard (PCI DSS) affects only organizations that store, process, or transmit payment card data. However, the European Union's General Data Protection Regulation (GDPR) affects every organization that collects personal data of people in the EU, wherever that organization is located. There are also regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), that affect multiple industries (healthcare, academic, insurance, government entities, and more). Regardless of a regulation's reach, Fortinet is committed to ensuring that its products help customers demonstrate compliance with applicable regulatory statutes, as well as with internal compliance initiatives.


In summary, FortiCWP secures public cloud infrastructure from unwanted use through the cloud management platform, by connecting directly to the cloud infrastructure providers using their APIs. FortiCASB secures organizations from improper SaaS usage by connecting directly to the sanctioned applications using their APIs, to protect data and manage users in near real time.

As shown in the diagram on this slide, remote users are not behind a FortiGate; however, their usage of these applications is equally protected, because FortiCWP and FortiCASB are cloud-based services that inspect activity at the provider's API rather than inline in the user's traffic path.


This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about public cloud security with FortiCWP and
FortiCASB.



No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
