Rapport PFE SDWAN Nourhen & Mortadha Final Copy - pdf-1
Tunisian Republic
Ministry of Higher Education and Scientific Research
Higher Institute of Applied Sciences and Technology of Mateur
By
Nourhen Ouhibi & Mortadha Jabari
I dedicate this work to those who are most dear to me in the world
To my Family
May this work be an expression of my gratitude for the sacrifices you have
made, the moral and material support that you have never ceased to give me.
You have done everything for my happiness and success.
Mortadha Jabari
To my Family
I hope this work serves as an expression of my gratitude for all the sacrifices
you have made and the unwavering moral and material support you have
provided me. Your dedication to my happiness and success has been
unparalleled.
To my teammate Mortadha Jabari
Thank you for your unwavering support, encouragement and belief in me, which were a
source of inspiration and strength; I am grateful for every moment we have spent together.
I look forward to many more successes together.
Nourhen Ouhibi
Acknowledgements
At the end of this work, we would like to thank God for giving us the strength
and courage to complete it. We would also like to express our sincere gratitude
to our supervisor Dr. Hrizi Hafedh for his guidance, support, valuable
suggestions and informative advice throughout this project.
Our deepest thanks and respect go to Mr. Hanafi Faycel, our supervisor at
SOTETEL, for his great availability, his valuable help and relevant advice,
as well as his constructive criticism throughout this project.
We would also like to extend our sincere thanks to all those who contributed to
our education, especially the professors and educators of the Higher Institute of
Applied Sciences and Technology of Mateur.
Our sincere thanks go to the president and members of the jury for the honor they
give us by agreeing to evaluate this work.
Table of contents
Dedication................................................................................................
Acknowledgements .....................................................................
Table of contents .....................................................................
List of Tables ...........................................................................................
List of Figures .........................................................................................
List of Acronyms .....................................................................................
General Introduction..............................................................................1
Chapter 1 Project Context .....................................................................2
Introduction ........................................................................................................................................................ 2
1. Host organization overview............................................................................................................................ 2
1.1. Introduction ............................................................................................................................................. 2
1.2. SOTETEL Organigram ........................................................................................................................... 2
1.3. SOTETEL logo ........................................................................................................................................ 3
2. Project introduction ........................................................................................................................................ 3
2.1. Study of the existing ............................................................................................................................... 3
2.2. Criticism and problematic ....................................................................................................................... 3
2.3. Project Goals ........................................................................................................................................... 4
2.4. Network topology ................................................................................................................................... 4
3. Requirements.................................................................................................................................................. 5
3.1. Hardware environment............................................................................................................................ 5
3.2. Software and Virtual environment ......................................................................................................... 5
3.3. Interfaces identification: ......................................................................................................................... 6
3.4. Virtual interfaces ..................................................................................................................................... 6
3.5. Local Subnets .......................................................................................................................................... 7
4. Methodology .................................................................................................................................................. 7
Conclusion ......................................................................................................................................................... 8
Chapter 2: Theory overview ..................................................................9
Introduction ........................................................................................................................................................ 9
1. SD-WAN technology ..................................................................................................................................... 9
1.1. SDWAN Concept.................................................................................................................................... 9
1.2. SDWAN layers ....................................................................................................................................... 9
1.3. SD-WAN principles .............................................................................................................................. 10
2. MPLS ........................................................................................................................................................... 11
2.1. MPLS concept....................................................................................................................................... 11
2.2. MPLS Components ............................................................................................................................... 12
2.3. MPLS functionality ............................................................................................................................... 12
3. SDWAN and MPLS comparison ................................................................................................................. 13
4. VPN .............................................................................................................................................................. 13
4.1. Site-to-Site VPN ................................................................................................................................... 14
4.2. IPsec VPN ............................................................................................................................................. 14
4.3. IPsec Tunnel Process ............................................................................................................................ 14
5. FortiGate Firewall ........................................................................................................................................ 15
5.1. NGFW concept ..................................................................................................................................... 15
5.2. FortiGate use cases ............................................................................................................................... 16
5.3. FortiGate NGFW 60F series ................................................................................................................. 16
Conclusion ....................................................................................................................................................... 17
Chapter 3: SDWAN Implementation ..................................................18
Introduction ...................................................................................................................................................... 18
1. Connecting the devices................................................................................................................................. 18
1.1. Setting up the management interface .................................................................................................... 18
1.2. Logging in ............................................................................................................................................. 18
1.3. Connecting FortiGate ports ................................................................................................................... 19
2. Configuring FortiGate Firewall .................................................................................................................... 19
2.1. Local Interfaces ..................................................................................................................................... 19
2.2. Configuring the WAN interfaces .......................................................................................................... 21
2.3. Connecting to Internet through SDWAN .............................................................................................. 22
2.4. Configuring MPLS interface ................................................................................................................. 22
3. Configuring Branch Site Router ................................................................................................................... 23
3.1. Interfaces ............................................................................................................................................... 23
3.2. Connecting Branch Site to Internet ....................................................................................................... 23
3.3. Default Static route ............................................................................................................................... 24
3.4. DHCP server configuration ................................................................................................................... 24
4. MPLS circuit ................................................................................................................................................ 24
4.1. MPLS components ................................................................................................................................ 24
4.2. Setting up the circuit .............................................................................................................................. 24
4.3. Static Routing configuration ................................................................................................................. 26
5. IPsec VPN tunnels ........................................................................................................................................ 26
5.1. Branch Site configuration ..................................................................................................................... 26
5.2. HQ configuration .................................................................................................................................. 27
5.3. Redundant IPsec tunnel ......................................................................................................................... 30
5.4. Adding IPsec tunnels to SDWAN zone ................................................................................................ 30
6. SLAs configurations ..................................................................................................................................... 30
6.1. HQ FortiGate SLAs .............................................................................................................................. 30
6.2. Branch Site Router SLAs ...................................................................................................................... 32
7. Testing .......................................................................................................................................................... 33
7.1. Internet SLA graph ............................................................................................................................... 33
7.2. Branch Site SLA graph ......................................................................................................................... 33
7.3. Branch site accessibility to Internet ...................................................................................................... 34
Conclusion ....................................................................................................................................................... 34
Chapter 4: Security and QoS ...............................................................35
Introduction ...................................................................................................................................................... 35
1. Address Objects ........................................................................................................................................... 35
1.1. Trusted LAN group ................................................................................................................................ 35
1.2. P2P address group ................................................................................................................................. 36
1.3. Web server virtual IP ............................................................................................................................ 37
2. SDWAN rules for Traffic priority and QoS ................................................................................................. 37
2.1. Real Time Traffic rule: ......................................................................................................................... 37
2.2. Non-Real-Time Traffic rule ................................................................................................................... 39
2.3. Failover Rules ....................................................................................................................................... 40
3. Branch Site Router tracked static routes ...................................................................................................... 41
3.1. Route to HQ through MPLS ................................................................................................................. 41
3.2. Route to HQ through VPN tunnels 1&2 ............................................................................................... 41
3.3. Tracking Default static route ................................................................................................................. 41
3.4. Tracked static routing table ................................................................................................................... 41
4. IPv4 Firewall Policies. ................................................................................................................................. 42
4.1. Intervlan policy ..................................................................................................................................... 42
4.2. Access internet policy ........................................................................................................................... 42
4.3. Branch site traffic .................................................................................................................................. 43
4.4. Access DMZ web server firewall policy ............................................................................................... 44
4.5. Branch-site access internet Policy ......................................................................................................... 44
4.6. Firewall policies summary table ........................................................................................................... 45
5. Security feature: guest web portal authentication ......................................................................................... 46
6. Testing .......................................................................................................................................................... 46
6.1. SDWAN rules Decisions ...................................................................................................................... 46
6.2. HQ internet failover .............................................................................................................................. 47
6.3. Branch Site Internet failover ................................................................................................................. 47
6.4. Testing Connectivity between sites and failover ................................................................................... 47
6.5. Testing DMZ configuration .................................................................................................................. 48
6.6. QoS traffic testing ................................................................................................................................. 49
6.7. Testing guest web portal and reachability ............................................................................................ 50
Conclusion ....................................................................................................................................................... 50
General Conclusion .............................................................................51
References ...............................................................................................
Annex.......................................................................................................
List of Acronyms
A
ACL Access Control List
C
CCTV Closed-Circuit television
CSV Comma Separated Values
CoS Class of Service
D
DES Data Encryption Standard
DH Diffie-Hellman
DMZ Demilitarized Zone
DSL Digital Subscriber Line
DSCP Differentiated Services Code Point
E
ESP Encapsulating Security Payload
F
FortiOS Fortinet Operating System
FTP File Transfer Protocol
H
HQ Headquarters
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
I
ICMP Internet Control Message Protocol
IKE Internet Key Exchange
IOS Internetwork Operating System
IPSec Internet Protocol Security
IPv4 Internet Protocol version 4
ISAKMP Internet Security Association and Key Management Protocol
ISR Integrated Services Router
ISP Internet Service Provider
L
LAN Local Area Network
LTE Long Term Evolution
LDP Label Distribution Protocol
LER Label Edge Router
LSR Label Switching Router
LSP Label Switched Path
M
MD5 Message-Digest Algorithm 5
Mgmt Management
MPLS Multi-Protocol Label Switching
N
NAT Network Address Translation
O
OF Optical Fiber
OSPF Open Shortest Path First
Q
QoS Quality Of Service
R
RT Real Time
S
SDN Software-Defined Networking
SDWAN Software Defined Wide Area Network
SLA Service Level Agreement
SA Security Association
T
TCP Transmission Control Protocol
ToS Type of Service
TFTP Trivial File Transfer Protocol
U
UDP User Datagram Protocol
V
VDSL Very-high-bitrate Digital Subscriber Line
VLAN Virtual Local Area Network
VoIP Voice over Internet Protocol
VPN Virtual Private Network
VTI Virtual Tunnel Interface
W
WAN Wide Area Network
Z
ZTNA Zero Trust Network Access
General Introduction
Our project focuses on deploying an SDWAN solution for an industrial company, providing
it with an efficient means of connecting two sites while maintaining security and QoS. The
report consists of four chapters:
Chapter 1: Project context - introduces the project topic and outlines the goals we aim to
achieve through the implementation.
Chapter 2: Theory overview - covers the theory behind the SDWAN solution, drawing on the
relevant documentation and resources.
Chapter 3: SDWAN implementation - describes the configuration of the FortiGate firewall, the
branch site router, the MPLS circuit, the IPsec VPN tunnels and the performance SLAs.
Chapter 4: Security and QoS configuration - the final chapter gives a detailed account of the
steps taken to configure SDWAN rules and firewall policies.
Chapter 1 Project Context
Introduction
In this chapter, we will provide a comprehensive overview of the project. We will begin
by introducing the host organization, SOTETEL, before diving into the current state, the
challenges at hand, and the project objectives. Finally, we will select a methodology to guide
us in our solution.
1. Host organization overview
1.1. Introduction
SOTETEL, a telecommunications company established in 1981, is known for its
approach to building and maintaining private and public telecommunication
networks in Tunisia and abroad.
SOTETEL, the Tunisian Telecommunications Enterprises Company, is a subsidiary of Tunisie
Télécom. The company specializes in building and maintaining telecommunication network
infrastructure and has three main groups of shareholders: Tunisie Télécom (35%), El Atheer
Funds (7.47%) and various others (57.33%). [7]
1.2. SOTETEL Organigram
2. Project introduction
2.1. Study of the existing
The organization has two sites: the HQ, which holds most of the resources, including servers
and databases, and a smaller branch site that relies on the HQ for services. Both sites have
internet access through one or more providers, but the HQ is better connected, with two links:
an optical fiber (OF) link, which gives excellent bandwidth and latency, and a VDSL line that
has remained unused since the migration to fiber. The branch site has a single VDSL
subscription, which the administrators consider sufficient given its lower traffic compared to
the HQ. An MPLS circuit connects the two sites and carries a medium to high volume of
traffic between them.
2.2. Criticism and problem statement
The analysis reveals several issues:
- The infrastructure relies heavily on the MPLS network, a single circuit that cannot absorb
the significant volume of traffic between the two sites.
- Loss of the MPLS circuit means loss of all connectivity between the two sites.
- The VDSL link can efficiently carry light to medium non-real-time traffic, but it sits
unused at the HQ.
- Switching between the VDSL and OF links requires manually editing the default static
route, which is slow and error-prone.
- The branch site reaches public cloud services over a single link, which is a connectivity
risk, and the local networks lack proper traffic filtering and security policies, leaving
them exposed to security breaches.
2.3. Project Goals
Our objective is a modern and reliable answer to the identified problems:
- Create an SDWAN zone at the HQ so that both WAN links are used dynamically, according
to preference and traffic type, without human intervention.
- Secure the LAN with strict firewall rules and policies and a DMZ.
- Provide more than one path between the two sites instead of relying on MPLS alone: IPsec
VPN tunnels over the internet will connect the sites securely.
- Split inter-site traffic between real-time (RT) and non-real-time traffic using SDWAN
rules.
The solution that meets all of these needs is SDWAN.
2.4. Network topology
The figure below shows the main topology of the network:
3. Requirements
3.1. Hardware environment
- Cisco ISR 1921 (IOS 15.1): the Cisco 1921 ISR was developed on the foundation of 25 years
of Cisco innovation and product leadership, and the platform is designed to support the next
stage of branch-office development. [2]
3.2. Software and Virtual environment
- GNS3 v2.37 is free and open-source software for simulating complex networks from virtual
machines and components such as routers and firewalls.
- The GNS3 virtual machine v2.37 is a lightweight and robust way to run GNS3 topologies
without the issues commonly encountered in a local install.
- FortiGate-VM is a virtual appliance that monitors and regulates traffic on virtualization
platforms such as VMware vSphere, KVM and AWS.
- Cisco 7200 is a router image running IOS 12.4, emulated in GNS3 and suitable for GNS3
projects.
- Webterm is a Debian-based virtual appliance that provides the Firefox browser and
networking utilities.
- NETem is a Linux kernel-based virtual appliance that emulates WAN links with bandwidth
limitation, delay, jitter and packet loss.
- Toolbox is a virtual appliance that provides server-side software for auxiliary management
of network devices: nginx, FTP, TFTP, syslog, DHCP and SNMP servers.
3.5. Local Subnets
Subnet ranges need to be selected in order to create address objects in the FortiGate
database. Note that each VLAN has a virtual (VLAN) interface on the FortiGate firewall.

| Site        | Device    | Subnet  | Role                 | IPv4 network address |
|-------------|-----------|---------|----------------------|----------------------|
| HQ          | FortiGate | VLAN 10 | Servers and printers | 192.168.10.0/24      |
| HQ          | FortiGate | VLAN 15 | Administration Dep.  | 192.168.15.0/24      |
| HQ          | FortiGate | VLAN 20 | Maintenance Dep.     | 192.168.20.0/24      |
| HQ          | FortiGate | VLAN 25 | Engineering Dep.     | 192.168.25.0/24      |
| HQ          | FortiGate | VLAN 30 | Marketing Dep.       | 192.168.30.0/24      |
| HQ          | FortiGate | VLAN 35 | IT Dep. and IoT/CCTV | 192.168.35.0/24      |
| HQ          | FortiGate | VLAN 40 | Guests               | 192.168.40.0/24      |
| HQ          | FortiGate | DMZ     | Web and FTP servers  | 192.168.50.0/24      |
| Branch Site | Router    | LAN     | Local network        | 10.10.0.0/24         |

Table 3 VLANs, subnet designations and IPv4 addresses
4. Methodology
Agile Scrum is a project management framework that relies on incremental
development. Each iteration is a two- to four-week sprint whose goal is to build the most
important features first and deliver a potentially shippable product. It is flexible and does
not require a rigid structure. [5]
Each sprint begins with a planning meeting where the team selects the work items it will
attempt to complete during the sprint. The team then works on the selected items, meeting
daily for brief stand-up meetings to make sure everyone is aligned and to identify any
impediments that may be blocking progress. At the end of the sprint, the team holds a review
meeting to demonstrate the completed work and gather feedback, and a retrospective meeting
to discuss what went well and what could be improved in the next sprint.
We therefore use the Scrum methodology in the realization of our project.
Figure 6 Scrum process [5]
Conclusion
Now that we have introduced the problem, outlined the goals of our project and identified
the requirements, we can begin exploring the theory behind the SDWAN implementation.
Chapter 2: Theory overview
Introduction
In this section, we will delve into the theory required for our project. We will begin by
outlining the fundamental concepts of the Fortinet SDWAN solution. From there, we will
conduct a brief analysis of MPLS circuits and draw comparisons between the two
technologies. Then we introduce the concept of VPN. Finally, we will introduce the FortiGate
Firewall.
1. SD-WAN technology
1.1. SDWAN Concept
SD-WAN is a networking technology that applies Software-Defined Networking (SDN)
principles to optimize and manage the performance of the Wide Area Network (WAN). It
simplifies WAN management by using a centralized control function that steers traffic
securely and directly over the internet from branch locations to trusted SaaS and IaaS
providers. This virtual WAN architecture lets organizations connect users, applications and
data across many locations while delivering a high-quality user experience and increasing
application performance, agility and business productivity.
1.2. SDWAN layers
An SD-WAN consists of three layers:
- Management and orchestration: this layer includes FortiManager and FortiAnalyzer,
which provide uniform management and automated orchestration through REST APIs. It also
includes template-based deployment and performs logging, monitoring and analysis.
- Control, data plane and security: here the FortiGate consolidates underlays and overlays
into SD-WAN zones. It offers scalable VPN using ADVPN, defines static and dynamic
routing, and performs health checks, SD-WAN monitoring, NGFW firewalling and
application-aware steering.
- Network access: this layer includes FortiSwitch and FortiAP devices, which perform
network segmentation and provide built-in network access control.
Overall, these three layers work together to create an efficient and secure SD-WAN
architecture that improves network performance and lets organizations connect their users,
applications and data across multiple locations. [3]
1.3. SD-WAN principles
An SDWAN solution rests on five pillars:
- Underlay: the physical or provider links used to reach the WAN, together with their link
properties.
- Overlay: the VPN tunnels built between sites over the underlays for secure and redundant
transport.
- Routing: traditional routing combined with SDWAN rules that steer traffic based on QoS
and other criteria.
- Security: NGFW features such as firewall policies and IPsec encryption applied to the
steered traffic, so that traffic carried over public underlays stays confidential and filtered.
- SDWAN: decides which path to use for each session (or frame, or data unit) using four
elements:
  - SDWAN zones: the virtual interface that groups all underlay and overlay member
interfaces. Several zones can be created and used together as needed.
  - SDWAN members: a member is simply the interface that carries the traffic. Each member
belongs to a zone, has a gateway, and can carry a priority or cost value.
  - Performance SLAs (health checks): monitor the SDWAN members, detect failures and collect
latency, jitter and packet-loss statistics for each member. They work in two ways: active
probing, which sends probes (for example ICMP echo requests) to a server through each
member; and passive probing, which measures the quality of real traffic passing through
firewall policies.
  - SDWAN rules: use matching criteria such as application type, TCP/UDP ports or ToS/DSCP
values to steer traffic. The strategy used to select the link can be the member with the best
measured quality, the lowest-cost member that meets the SLA targets, the member with the
most bandwidth, or members manually preferred by the administrator. [3]
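To make the four elements above concrete, here is an added example that is not taken from the report or from Fortinet code: a small Python model of how a rule strategy picks a member once the performance SLA has classified each member as in or out of SLA. The member names (wan1, wan2, mpls), gateways, costs and the measured latency, jitter and loss values are constructed for illustration, and the link-quality weights are an assumption, not the FortiOS link-cost-factor defaults.

```python
"""SD-WAN member selection driven by a performance SLA.

Added example for this report, not Fortinet code. Member names, gateways,
costs and the measured link metrics are constructed; the link-quality
weights are an assumption, not FortiOS defaults.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    name: str                 # SD-WAN member interface, e.g. "wan1"
    gateway: str
    cost: int = 0             # lower wins among members that meet the SLA
    priority: int = 1         # admin preference for manual mode, 1 = best
    bandwidth_kbps: int = 0   # measured available bandwidth
    latency_ms: float = 0.0   # values a health check would report
    jitter_ms: float = 0.0
    loss_pct: float = 0.0     # 100 means every probe was lost: link dead


@dataclass
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def met_by(self, m: Member) -> bool:
        return (m.latency_ms <= self.latency_ms
                and m.jitter_ms <= self.jitter_ms
                and m.loss_pct <= self.loss_pct)


def link_quality(m: Member) -> float:
    """Single lower-is-better score. FortiOS weights each metric via
    link-cost-factor; the 1/2/10 weights here are an assumption."""
    return m.latency_ms + 2 * m.jitter_ms + 10 * m.loss_pct


def select_member(members: List[Member], sla: SlaTarget, strategy: str) -> Optional[str]:
    """Return the member a rule with this strategy steers a new session to.

    manual    - first alive member by admin priority; SLA results ignored
    best      - member with the best measured quality
    sla       - lowest-cost member that meets the SLA; if none does, fall
                back to the best-quality member so traffic keeps flowing
    bandwidth - member with the most measured bandwidth
    """
    alive = [m for m in members if m.loss_pct < 100]
    if not alive:
        return None
    if strategy == "manual":
        return min(alive, key=lambda m: m.priority).name
    if strategy == "best":
        return min(alive, key=link_quality).name
    if strategy == "bandwidth":
        return max(alive, key=lambda m: m.bandwidth_kbps).name
    if strategy == "sla":
        pool = [m for m in alive if sla.met_by(m)] or alive
        return min(pool, key=lambda m: (m.cost, link_quality(m))).name
    raise ValueError(f"unknown strategy {strategy!r}")


def build_members(fiber_latency_ms: float = 8.0, fiber_loss_pct: float = 0.0) -> List[Member]:
    """Constructed HQ members: fibre (wan1), VDSL (wan2) and the MPLS link."""
    return [
        Member("wan1", "203.0.113.1", cost=0, priority=1, bandwidth_kbps=100_000,
               latency_ms=fiber_latency_ms, jitter_ms=1.0, loss_pct=fiber_loss_pct),
        Member("wan2", "198.51.100.1", cost=10, priority=2, bandwidth_kbps=20_000,
               latency_ms=25.0, jitter_ms=4.0, loss_pct=0.2),
        Member("mpls", "10.255.0.1", cost=5, priority=3, bandwidth_kbps=10_000,
               latency_ms=15.0, jitter_ms=2.0, loss_pct=0.0),
    ]


# Targets a real-time (VoIP) rule might carry (constructed values).
VOIP_SLA = SlaTarget(latency_ms=20.0, jitter_ms=3.0, loss_pct=0.5)


def steer_realtime(fiber_latency_ms: float = 8.0, fiber_loss_pct: float = 0.0,
                   strategy: str = "sla") -> Optional[str]:
    """Decision for one VoIP session given the fibre link's current health."""
    return select_member(build_members(fiber_latency_ms, fiber_loss_pct), VOIP_SLA, strategy)


if __name__ == "__main__":
    for lat, loss in ((8.0, 0.0), (30.0, 0.0), (8.0, 100.0)):
        print(f"fibre latency={lat}ms loss={loss}% ->", steer_realtime(lat, loss))
```

Running the script shows the failover behaviour the report relies on later: with a healthy fibre link the VoIP session goes to wan1; when fibre latency rises above the 20 ms target it moves to the MPLS member, which is the only remaining member inside the SLA; when the fibre link is dead it also lands on MPLS, whereas a manual rule, which ignores the SLA, would simply take the next member in priority order (wan2).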
Figure 7 SDWAN principles
2. MPLS
2.1. MPLS concept
Multiprotocol Label Switching (MPLS) is a forwarding mechanism that moves traffic along
a predetermined path using short labels instead of network addresses, and is used to carry
traffic across private WANs.
As an adaptable and protocol-independent solution, MPLS attaches a label to each packet at
the ingress of the network, and that label controls the path the packet follows.
Because each hop forwards on a fixed-length label rather than a full IP lookup, forwarding is
fast and the path is predictable, which gives the low latency and stable connectivity that
MPLS circuits are bought for.
MPLS is often described as layer 2.5 of the OSI model: the label header sits between the
data link layer (layer 2) and the network layer (layer 3). [8]
2.2. MPLS Components
MPLS has four major components:
- Labels are short identifiers that LSRs use to forward packets along an LSP. Each label
stack entry is 4 bytes long: a 20-bit label value, a 3-bit traffic class field, a
bottom-of-stack bit and an 8-bit TTL.
- Label edge routers (LERs) sit at the edge of the MPLS circuit and act as gateways between
the IP and label domains: the ingress LER pushes labels onto IP packets entering the circuit
and the egress LER pops them on the way out.
- Label switching routers (LSRs) sit in the core of the circuit and forward packets between
LERs by swapping labels hop by hop within the MPLS domain.
- Label switched paths (LSPs) are the logical paths through the MPLS domain that labelled
packets follow; LSRs build them by distributing label bindings with LDP. [6]
eliminates complex header analysis: once a label has been assigned at the ingress, subsequent hops forward on the label alone, and the initial label can be chosen by routing policy rather than only by the Layer 3 packet header.
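To make the 4-byte label stack entry concrete, here is an added Python example (not part of the report or of any MPLS implementation) that encodes and decodes label stack entries and walks a stack until the bottom-of-stack bit. The two-label packet it parses is constructed for the example; the outer label 17 is the value that appears in the traceroute later in this report. One point worth seeing in code: the MPLS header carries no protocol identifier, so a receiver can only guess the payload type from its first nibble, which is why any MPLS-aware filtering has to look past the labels.

```python
"""Added example: encode/decode MPLS label stack entries (RFC 3032 layout).
Not code from the report; the sample packet is constructed."""
import struct
from typing import List, Tuple

RESERVED_LABELS = {0: "IPv4 explicit null", 1: "router alert",
                   2: "IPv6 explicit null", 3: "implicit null"}
MAX_LABEL = (1 << 20) - 1


def encode_entry(label: int, tc: int = 0, bottom: bool = True, ttl: int = 64) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label <= MAX_LABEL:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc <= 7 or not 0 <= ttl <= 255:
        raise ValueError("tc is 3 bits, ttl is 8 bits")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_stack(data: bytes) -> Tuple[List[dict], int]:
    """Parse consecutive entries until the bottom-of-stack bit is set.
    Returns the entries and the offset at which the payload starts.
    Raises ValueError on a truncated stack (no entry with S=1)."""
    entries, off = [], 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}
        entry["reserved"] = RESERVED_LABELS.get(entry["label"])
        entries.append(entry)
        if entry["bottom"]:
            return entries, off


def guess_payload(data: bytes, off: int) -> str:
    """MPLS has no protocol field: the payload type is inferred from the first
    nibble after the stack (4 = IPv4, 6 = IPv6), which is only a guess."""
    if off >= len(data):
        return "empty"
    return {4: "IPv4", 6: "IPv6"}.get(data[off] >> 4, "unknown")


# Constructed packet: outer label 17 (TTL 255), inner label 24 at the bottom
# of the stack, followed by the first bytes of an IPv4 header (version 4, IHL 5).
SAMPLE = (encode_entry(17, tc=0, bottom=False, ttl=255)
          + encode_entry(24, tc=0, bottom=True, ttl=64)
          + bytes.fromhex("4500003c"))

if __name__ == "__main__":
    stack, payload_off = decode_stack(SAMPLE)
    for e in stack:
        print(e)
    print("payload starts at", payload_off, "and looks like", guess_payload(SAMPLE, payload_off))
```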
3. SDWAN and MPLS comparison
MPLS has been the traditional choice for enterprise connectivity, but with the rise of cloud-based applications it has become less practical and more costly. As a result, many organizations are now opting for a modern solution, SD-WAN.
Below is a comparison between MPLS and SD-WAN that explains why SD-WAN is often the better choice for modern businesses:
- MPLS is limited to one link, while SD-WAN provides flexibility by using multiple WAN links, including MPLS, wireless, broadband, VPNs, and the internet.
- MPLS is designed for connecting remote locations […], while SD-WAN enables end-to-end enterprise connectivity over large geographical distances, allowing users to work regardless of location.
- SD-WAN offers centralized management and is often cloud-managed, while MPLS requires complex configuration and management.
- SD-WAN offers advanced analytics capabilities to optimize application performance and ensure application resiliency, while MPLS lacks this level of visibility and control. [8]
4. VPN
A VPN is a technology that allows users to create a secure, encrypted connection to another network over the internet. VPNs are commonly used to protect sensitive data in transit, bypass internet censorship, and access geographically restricted content.
Some of the main features of VPNs include:
- Encryption and integrity protection of data, so that it stays confidential and unmodified in transit.
- Authentication to verify the identity of the user or peer.
- Tunneling to create a virtual connection between two networks, allowing users to access resources as if they were on the same local network.
VPNs can be categorized into different types, including:
- Remote Access VPN: enables users to connect securely to a private network from remote locations over the internet.
- Site-to-Site VPN: connects two or more networks together over the internet, allowing devices in each network to communicate with each other as if they were on the same local network.
4.1. Site-to-Site VPN
Site-to-Site VPN (also known as router-to-router VPN or LAN-to-LAN VPN) is a type of VPN that connects two or more networks together over the internet. It is commonly used by businesses and organizations to securely connect multiple office locations or data centers. With a Site-to-Site VPN, employees can access resources on the company's network from any connected site, as if they were physically present in the office. Site-to-Site VPNs typically use protocol suites such as IPsec to secure the connection.
4.2. IPsec VPN
IPsec (Internet Protocol Security) is a protocol suite that provides encryption, integrity and authentication for IP packets, so that data can be transmitted securely over an untrusted network such as the internet. IPsec VPN is commonly used for Site-to-Site connections, as it encrypts all traffic between the connected networks. Its actual strength depends on the algorithms negotiated in its two phases (the cipher, the integrity hash and the Diffie-Hellman group), so legacy choices such as DES, MD5 and 1024-bit DH groups should not be used on new deployments. Setting up an IPsec VPN can be complex and may require technical expertise, and the encryption and decryption of packets adds some overhead, which can affect throughput, especially for large data transfers.
Figure 10 IPsec Tunnel
5. FortiGate Firewall
FortiGate is a line of firewall appliances manufactured by the security vendor Fortinet. It belongs to the next-generation firewall (NGFW) category and targets businesses of all sizes.
5.1. NGFW concept
A classic firewall is a security device that provides stateful inspection of the traffic passing through it according to rules provided by administrators (such as […]), while an NGFW offers much more than that:
- Stateful inspection, which allows the firewall to track the state of network connections and only allow traffic that belongs to an authorized session.
- Integrated intrusion prevention, which helps to detect and block attempts to breach the network.
- Application awareness and control, which enables the firewall to identify risky or unauthorized applications and prevent them from using the network.
- The ability to draw on threat intelligence sources, which helps the firewall stay up to date with the latest threats and respond accordingly.
- Upgrade paths that allow the incorporation of future information feeds, so that the firewall remains effective and relevant over time.
- Techniques for addressing evolving security threats, so that the firewall can adapt to new and emerging forms of attack. [4]
5.2. FortiGate use cases
A FortiGate firewall is well suited to the following deployments, for which it has the right tools:
- NGFW: protecting networks using the next-generation capabilities.
- Secure SD-WAN: deploying a secure SD-WAN solution.
- Universal ZTNA: controlling application access from anywhere with universal access policies. [4]
5.3. FortiGate NGFW 60F series
- FortiOS:
FortiOS is the proprietary operating system that runs on the FortiGate 60F. It provides security features such as firewall, VPN, antivirus, intrusion prevention, web filtering, and more. FortiOS is known for its ease of use and advanced security capabilities, making it popular among businesses of all sizes. [4]
- Configuring FortiGate 60F:
There are two ways to access the configuration of a FortiGate device:
  - CLI: using the console port (or SSH once an address is configured) to reach the command line interface and start the configuration process.
  - GUI: the device can be configured from the web portal, since by default it offers HTTP/HTTPS access on all of its local ports; the default IP address is 192.168.1.99/24. On first login the default admin password must be changed, and administrative access should be limited to HTTPS from trusted hosts before the device is exposed to any untrusted network.
- Hardware:
The FortiGate 60F is considered an entry-level model for branch sites and small businesses.
It has a total of:
1. 1x USB port
2. 1x console port
3. 2x RJ45 Gigabit Ethernet WAN ports
4. 1x RJ45 Gigabit Ethernet DMZ port
5. 2x RJ45 Gigabit Ethernet switch ports (model 1)
6. 5x RJ45 Gigabit Ethernet switch ports (model 2) [4]
Conclusion
With a firm understanding of the theoretical foundations of our project, we are now prepared to move on to the practical phase. We will follow the necessary steps to achieve the goals outlined earlier, building on the knowledge gained in the theoretical section.
Chapter 3: SDWAN Implementation
Introduction
In this chapter, we discuss the implementation of Fortinet SD-WAN, outlining the steps taken to achieve our goals.
1. Connecting the devices
1.1. Setting up the management interface
To create the management interface, we connect a console cable to the FortiGate and use PuTTY to log on to the terminal.
1.3. Connecting FortiGate ports
We connect the FortiGate WAN ports to the corresponding modems (the OF modem and the VDSL modem) and connect the trunk port to the core switch that will manage the VLANs.
The same steps are repeated to create all the other interfaces; the only values that change are the VLAN ID, the IPv4 address and the DHCP pool. All VLANs are listed in the annex.
Then we create a DMZ interface on port 6 of the FortiGate firewall. No DHCP server runs on this interface, so the servers connected to it use static IPv4 addresses. The interface is configured with the DMZ role.
Since the VLANs are attached to port 4, which will be a trunk port connected to the core switch, we also have to configure the VLANs on the switch and designate a trunk port using the IEEE 802.1Q standard.
Once the interfaces are set up, we group them into a virtual zone named 'lan' to make them easier to manage. We block intra-zone traffic so that every flow between VLANs must be explicitly allowed by a firewall policy.
2.3. Connecting to Internet through SDWAN
First, we have to create an SD-WAN zone and add the WAN interfaces as members, then we set the gateway of each WAN connection. There is no need to set a cost value, as the SD-WAN rules will decide the priority of each member.
3. Configuring Branch Site Router
3.1. Interfaces
First, we set up two interfaces of the branch site router: gig1/0 with the private IPv4 address 10.10.0.1/24 as the local interface, and gig0/0 with the public IPv4 address 100.30.30.2/24 as the public interface that will be connected to the VDSL modem.
Then we set up the MPLS interface, gig2/0, with the IPv4 address 172.16.0.2/30:
Branch Site# int gig2/0
Branch Site# ip add 172.16.0.2 255.255.255.252
Branch Site# no sh
Branch Site# exit
3.2. Connecting Branch Site to Internet
First, we define the outside interface and the inside interface:
● gig1/0: we define it as the inside interface because it is the LAN-side interface.
● gig0/0: we define it as the outside interface because it is the public-side interface.
int gig1/0
ip nat inside
exit
int gig0/0
ip nat outside
exit
Then we configure the NAT service so that source IPv4 addresses are translated when traffic is destined for the public internet (0.0.0.0/0) but preserved when traffic is destined for the HQ local addresses (192.168.0.0/18). For this, we create an extended Access Control List (ACL) named 'nat' that the NAT service will use. Since extended ACLs on Cisco routers are evaluated top to bottom and the first matching entry wins, we put the exception on top (sequence 10) and the general rule at the bottom (sequence 20):
Branch Site# ip access-list extended nat
Branch Site# 10 deny ip 10.10.0.0 0.0.0.255 192.168.0.0 0.0.63.255
Branch Site# 20 permit ip 10.10.0.0 0.0.0.255 any
Branch Site# exit
Note: the HQ summary address (192.168.0.0/18) comes from supernetting all of the local subnets of the HQ site.
Then we activate the NAT translation, using the IPv4 address of the outside interface (gig0/0) with port overloading (PAT):
Branch Site# ip nat inside source list nat interface gig0/0 overload
❖ NAT translates the private IPv4 addresses to the public one. It hides the internal addressing, but it is not a security control on its own: what may reach the private network is decided by the firewall policies and ACLs, not by the translation.
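As an added example (not from the report), the following Python code reproduces how IOS evaluates the extended ACL 'nat' above: wildcard-mask matching, first match wins from top to bottom, and the implicit deny at the end of every ACL. It also shows what happens if the two entries are swapped, which is the mistake the sequence numbers guard against. The sample source and destination addresses are constructed.

```python
"""Added example: evaluate the Cisco extended ACL 'nat' from the report.
Not code from the report; the test addresses are constructed."""
import ipaddress
from typing import List, Tuple

# (sequence, action, src, src_wildcard, dst, dst_wildcard)
AclEntry = Tuple[int, str, str, str, str, str]

# The report's ACL: exempt HQ-bound traffic (sequence 10), translate the rest (20).
ACL_NAT: List[AclEntry] = [
    (10, "deny", "10.10.0.0", "0.0.0.255", "192.168.0.0", "0.0.63.255"),
    (20, "permit", "10.10.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # 'any'
]


def _u32(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def wildcard_to_prefixlen(wildcard: str) -> int:
    """0.0.63.255 -> 18. Only contiguous wildcards map to a prefix length."""
    w = _u32(wildcard)
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard has no prefix length")
    return 32 - w.bit_length()


def acl_action(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry in sequence order wins; no match means the
    implicit 'deny' every IOS ACL ends with."""
    for _seq, action, s, sw, d, dw in sorted(acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def nat_translates(src: str, dst: str, acl: List[AclEntry] = ACL_NAT) -> bool:
    """With 'ip nat inside source list nat ...', a 'permit' selects the packet
    for translation and a 'deny' leaves its source address untouched."""
    return acl_action(acl, src, dst) == "permit"


# The same two entries with their sequence numbers swapped: the general
# 'permit' now comes first and the HQ exemption is never reached.
ACL_SWAPPED: List[AclEntry] = [(20, ACL_NAT[0][1]) + ACL_NAT[0][2:],
                               (10, ACL_NAT[1][1]) + ACL_NAT[1][2:]]

if __name__ == "__main__":
    print("HQ summary is a /%d" % wildcard_to_prefixlen("0.0.63.255"))
    for dst in ("8.8.8.8", "192.168.50.2"):
        print(dst, "translated:", nat_translates("10.10.0.5", dst),
              "| with swapped ACL:", nat_translates("10.10.0.5", dst, ACL_SWAPPED))
```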
3.3. Default Static route
The default route is used when no more specific route exists in the routing table; since the internet as a whole is represented by 0.0.0.0/0, internet connectivity is provided by this route.
4. MPLS circuit
We create the MPLS circuit in a GNS3 virtual environment.
4.1. MPLS components
LER-HQ:
int f0/0
ip add 172.17.0.2 255.255.255.252
no sh
ip ospf 1 area 0
exit
int f1/0
ip add 1.1.1.2 255.255.255.252
no sh
ip ospf 1 area 0
exit

LSR:
int f0/0
ip add 2.2.2.2 255.255.255.252
no sh
ip ospf 1 area 0
exit
int f1/0
ip add 1.1.1.1 255.255.255.252
no sh
ip ospf 1 area 0
exit

LER-BranchSite:
int f0/0
ip add 2.2.2.1 255.255.255.252
no sh
ip ospf 1 area 0
exit
int f1/0
ip add 172.16.0.2 255.255.255.252
no sh
ip ospf 1 area 0
exit
Then, after making sure that all three routers have established OSPF adjacencies, we execute this command on each of them:
router ospf 1
mpls ldp autoconfig
Now the OSPF process enables LDP on all OSPF-enabled interfaces and the routers establish LDP sessions inside the circuit.
Here we see the LDP neighbours of each router.
To make sure that the MPLS circuit is working, we run a traceroute from LER-HQ to LER-BranchSite.
It appears that the packet has been transmitted via the MPLS circuit and has been tagged with label 17.
Branch Site# crypto isakmp policy 1
Branch Site# hash md5
Branch Site# encryption des
Branch Site# authentication pre-share
Branch Site# lifetime 86400
Branch Site# group 2
Branch Site# exit
Branch Site# crypto isakmp key tunnel1 address 100.10.10.2
Phase 2: we configure an IPsec transform set that provides confidentiality and integrity to IP packets using the ESP protocol, with DES as the cipher and MD5 as the hash. Then we create a phase 2 profile that uses this transform set together with PFS on DH group 2; the lifetime is 3600 s by default.
Note that DES (56-bit key), MD5 and DH group 2 (1024-bit MODP) are all deprecated and would not be acceptable in production; they are retained here as configured in the lab. AES with a SHA-2 hash and a Diffie-Hellman group of at least 2048 bits (group 14) is the minimum that should be used today, along with a long random pre-shared key.
Branch Site# crypto ipsec transform-set set1 esp-des esp-md5-hmac
Branch Site# mode tunnel
Branch Site# exit
Branch Site# crypto ipsec profile profile1
Branch Site# set transform-set set1
Branch Site# set pfs group2
Branch Site# exit
VTI: we configure the Tunnel1 interface with an IP address and set gig0/0 as its source interface; the tunnel destination is the IPv4 address of the HQ wan1 port, 100.10.10.2. The IPsec profile "profile1" is applied to the tunnel to protect its traffic.
Branch Site# int tunnel1
Branch Site# ip add 172.16.1.2 255.255.255.252
Branch Site# tunnel source gig0/0
Branch Site# tunnel destination 100.10.10.2
Branch Site# tunnel mode ipsec ipv4
Branch Site# tunnel protection ipsec profile profile1
Branch Site# exit
5.2. HQ configuration
First, we create the custom IPsec tunnel:
Next, we set the remote gateway to the static IPv4 address of the Branch site public interface, 100.30.30.2, and WAN1 as the outgoing interface.
Phase 2: we configure the IPsec phase 2 settings for the VPN tunnel. We use the same encryption, hash and DH group as in phase 1, except that the lifetime is 3600 seconds.
5.3. Redundant IPsec tunnel
We have created a redundant VPN tunnel with the same phase 1 and phase 2 properties as a backup for Tunnel 1. The virtual interface of Tunnel 1 is overlaid on WAN1, while that of Tunnel 2 is overlaid on WAN2. This provides failover between the two tunnels: if either WAN1 or WAN2 fails, we still have a VPN connection.
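The same weak algorithms appear on both ends of the tunnel: the branch router's ISAKMP policy and transform set above, and the FortiGate phase1/phase2 configuration of the redundant tunnel in the annex. As an added example (not the report's code and not a vendor tool), here is a Python audit that reads those two configuration dialects and flags the legacy choices, run against the lab's configuration and against a hardened equivalent. The hardened configurations are constructed for the example; the Cisco keywords (encryption aes 256, hash sha256, group 14, esp-aes 256, esp-sha256-hmac) and the FortiOS proposal aes256-sha256 with dhgrp 14 are standard syntax on current releases. The 20-character pre-shared-key threshold is this example's own choice.

```python
"""Added example: flag deprecated IKE/IPsec choices in Cisco IOS and FortiOS
configuration text. Not code from the report; the hardened configurations
are constructed for comparison."""
import re
from typing import List

WEAK_CIPHERS = {"des": "56-bit key", "3des": "64-bit block, Sweet32"}
WEAK_HASHES = {"md5": "collision-broken", "sha": "SHA-1", "sha1": "SHA-1"}
WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
MIN_PSK_LEN = 20                                  # this example's own threshold

PROMPT = re.compile(r"^[A-Za-z][^#]*# ")          # strips 'Branch Site# ' / 'HQ# '


def _tokens(line: str) -> List[str]:
    return PROMPT.sub("", line.strip()).split()


def _psk(key: str) -> List[str]:
    if len(key) < MIN_PSK_LEN:
        return [f"pre-shared key {key!r}: shorter than {MIN_PSK_LEN} characters"]
    return []


def audit_cisco(cfg: str) -> List[str]:
    """ISAKMP policy bodies, 'crypto isakmp key', transform sets and PFS."""
    out: List[str] = []
    for line in cfg.splitlines():
        t = _tokens(line)
        if len(t) < 2:
            continue
        if t[0] == "encryption" and t[1] in WEAK_CIPHERS:
            out.append(f"isakmp encryption {t[1]}: {WEAK_CIPHERS[t[1]]}")
        elif t[0] == "hash" and t[1] in WEAK_HASHES:
            out.append(f"isakmp hash {t[1]}: {WEAK_HASHES[t[1]]}")
        elif t[0] == "group" and t[1] in WEAK_DH:
            out.append(f"isakmp group {t[1]}: {WEAK_DH[t[1]]}")
        elif t[:3] == ["crypto", "isakmp", "key"] and len(t) > 3:
            out += _psk(t[3])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            for tok in t[4:]:                         # e.g. esp-des, esp-md5-hmac
                alg = tok.replace("esp-", "").replace("-hmac", "")
                if alg in WEAK_CIPHERS:
                    out.append(f"transform-set {t[3]} {tok}: {WEAK_CIPHERS[alg]}")
                elif alg in WEAK_HASHES:
                    out.append(f"transform-set {t[3]} {tok}: {WEAK_HASHES[alg]}")
        elif t[:2] == ["set", "pfs"] and len(t) > 2:
            g = t[2][5:] if t[2].startswith("group") else t[2]
            if g in WEAK_DH:
                out.append(f"pfs {t[2]}: {WEAK_DH[g]}")
    return out


def audit_fortios(cfg: str) -> List[str]:
    """'set proposal <enc>-<hash> ...', 'set dhgrp <n> ...' and 'set psksecret'."""
    out: List[str] = []
    for line in cfg.splitlines():
        t = _tokens(line)
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "proposal":
            for prop in t[2:]:
                enc, _, mac = prop.partition("-")
                if enc in WEAK_CIPHERS:
                    out.append(f"proposal {prop}: {WEAK_CIPHERS[enc]}")
                if mac in WEAK_HASHES:
                    out.append(f"proposal {prop}: {WEAK_HASHES[mac]}")
        elif t[1] == "dhgrp":
            out += [f"dhgrp {g}: {WEAK_DH[g]}" for g in t[2:] if g in WEAK_DH]
        elif t[1] == "psksecret":
            out += _psk(t[2])
    return out


# The lab's branch-router configuration as given in the report.
LAB_CISCO = """\
crypto isakmp policy 1
 hash md5
 encryption des
 authentication pre-share
 lifetime 86400
 group 2
crypto isakmp key tunnel1 address 100.10.10.2
crypto ipsec transform-set set1 esp-des esp-md5-hmac
 mode tunnel
crypto ipsec profile profile1
 set transform-set set1
 set pfs group2
"""

# Constructed hardened equivalent.
HARDENED_CISCO = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Use-a-random-secret-of-32-chars! address 100.10.10.2
crypto ipsec transform-set set1 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile profile1
 set transform-set set1
 set pfs group14
"""

# The lab's FortiGate configuration for the redundant tunnel (annex), prompts included.
LAB_FORTIOS = """\
HQ# config vpn ipsec phase1-interface
HQ# edit "vpn-tunnel2"
HQ# set proposal des-md5
HQ# set psksecret tunnel2
HQ# set dhgrp 2
HQ# end
HQ# config vpn ipsec phase2-interface
HQ# edit "vpn-tunnel2"
HQ# set proposal des-md5
HQ# set dhgrp 2
HQ# end
"""

# Constructed hardened equivalent.
HARDENED_FORTIOS = """\
config vpn ipsec phase1-interface
    edit "vpn-tunnel2"
        set proposal aes256-sha256
        set psksecret Use-a-random-secret-of-32-chars!
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "vpn-tunnel2"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
"""

if __name__ == "__main__":
    for name, findings in (("lab cisco", audit_cisco(LAB_CISCO)),
                           ("hardened cisco", audit_cisco(HARDENED_CISCO)),
                           ("lab fortios", audit_fortios(LAB_FORTIOS)),
                           ("hardened fortios", audit_fortios(HARDENED_FORTIOS))):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Both peers must agree on the proposal, so the hardened settings have to be applied on the branch router and on the FortiGate at the same time; an IKEv2 policy would be the better choice on the router side, but the report's lab uses IKEv1 and the audit follows that syntax.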
Those SLAs will be used in the SD-WAN rules for QoS-based traffic steering.
6.2. Branch Site Router SLAs
On the Branch Site router we create four IP SLAs to monitor all the interfaces, identified by their IDs:
SLA1: monitors the MPLS circuit by pinging the HQ FortiGate MPLS interface 172.16.0.1/30 from interface gig2/0.
SLA2: monitors VPN-tunnel1 by pinging 172.16.1.1/30 from interface tunnel 1.
SLA3: monitors VPN-tunnel2 by pinging the HQ end of tunnel 2 from interface tunnel 2.
SLA4: monitors access to the public network by pinging the internet gateway 100.30.30.1 from the public interface gig0/0.
Then we bind each SLA to a track object that returns an UP/DOWN state based on the SLA results; these track objects are used in static routes so that the routes are installed or withdrawn automatically.
7. Testing
7.1. Internet SLA graph
Here we can see the Internet SLA graph and its performance monitoring. We notice that WAN2 has much higher latency than WAN1; this is due to the much higher performance of the OF link (WAN1) compared with the VDSL link (WAN2).
7.3. Branch site accessibility to Internet
After pinging Google's public DNS from the router with the source address 10.10.0.1, we are now sure that the configuration we made is working.
Conclusion
After setting up the SD-WAN interface and making sure there is connectivity from both sites to the Internet, we are now ready to move on to filtering the traffic and configuring the QoS rules.
Chapter 4: Security and QoS
Introduction
In this chapter we perform the security configuration needed for a reliable implementation, and we set up the QoS rules.
1. Address Objects
An address object is used in the FortiGate firewall to map an IPv4 subnet or range to a named object that can then be referenced in IPv4 policies as well as in SD-WAN rules.
1.1. Trusted lan group
First, we have to create an address object for each local subnet and also for the Branch site local network.
To create the VLAN10 subnet object, navigate to 'Policy & Objects' > 'Addresses' and create a new address.
1.2. P2P address group
We create an address group to hold all point-to-point connection IPv4 addresses, such as the VPN tunnels and the MPLS link, to make them easier to manage in the policies and rules.
So we create the "MPLS net" address object to hold the MPLS link addresses, the "VPN1 net" address object to hold the 172.16.1.0/30 addresses, and the "VPN2 net" address object to hold the tunnel 2 addresses.
Figure 40 VPN1 net , VPN2 net and MPLS net address objects
Then we group them into an address group called "P2P group".
1.3. Web server virtual IP
To configure port forwarding for the DMZ web server and make it reachable from the public network, we create a web server virtual IP in the 'Virtual IPs' section of the 'Policy & Objects' menu. The virtual IP forwards TCP port 80 of the external IPv4 address 100.10.10.3 to 192.168.50.2 port 80, with WAN1 set as the external interface of the virtual IP. Only port 80 is forwarded, so HTTPS to the server would need a second port-forwarding entry for TCP 443.
Figure 43 Access Branch Site Real Time Traffic Rule
2.2. Non-Real-Time Traffic
Then we create two additional SD-WAN rules that prioritize and route non-real-time traffic (ToS = 0x20) to its destinations according to the results provided by the SLAs.
The first rule, "Acces-Branch-site-NoneRealTime-Traf", routes non-real-time traffic from the trusted LAN, DMZ and P2P group to the Branch site over VPN-tunnel1 and VPN-tunnel2.
The second rule, "Access-Internet-NoneRealTime-Traf", prioritizes and routes non-real-time traffic from the trusted LAN, VLAN40 and DMZ interfaces to all destinations over "WAN".
2.3. Failover Rules
To provide failover between "wan1" and "wan2", we created an "Access-Internet Rule" in the SD-WAN rules that uses the Internet SLA. For the Quality of Service (QoS) criterion we select Latency, and we set the source address to include "DMZ", "vlan40" and the "trusted lan group".
In order to provide reliable access to the branch site, we configure an SD-WAN rule in priority mode and specify the members "VPN-tunnel1", "VPN-tunnel2" and "MPLS", the source address "trusted local lan", and the destination address "branch site". We also associate the rule with the health check "Branch site SLA" that monitors the network conditions.
3. Branch Site Router tracked static routes
3.1. Route to HQ through MPLS
We configure the static route to the HQ site, 192.168.0.0/18, with next hop 172.17.0.1, the IPv4 address of the MPLS interface of the HQ site, and link this route to track object 1, which is bound to SLA1:
Branch Site# ip route 192.168.0.0 255.255.192.0 172.17.0.1 track 1
Then we set up a backup default route with the same next hop 172.17.0.1 (through the MPLS circuit) and an administrative distance of 2 (a floating static route, which only enters the routing table when no default route with a lower distance is available), also associated with track object 1. If the track object goes down, the corresponding route is removed from the routing table:
ip route 0.0.0.0 0.0.0.0 172.17.0.1 2 track 1
This way we have created an Internet failover path for the Branch Site router.
3.2. Tracked static routing table
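The routing table in 3.2 is a snapshot; the model below shows how it changes as the track objects from 6.2 flip. This is an added Python example, not the report's configuration: the two routes via 172.17.0.1 are the ones configured in 3.1, while the tunnel route, the tracked default via the VDSL gateway and the Null0 guard route are assumptions added to show the failover order and one caveat. Without a guard route, when every path to HQ is down the 192.168.0.0/18 traffic falls back to the default route and leaves through the ISP with its private source address (the NAT ACL exempts it from translation), so a high-distance route to Null0 is the usual fix.

```python
"""Added example: how tracked static routes are installed and withdrawn on
the Branch Site router. Not the report's configuration: the routes via
172.17.0.1 are from section 3.1, the other three routes are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int = 1            # administrative distance (trailing number in 'ip route')
    track: Optional[int] = None  # 'track N': withdrawn while track object N is down


ROUTES: List[StaticRoute] = [
    StaticRoute("192.168.0.0/18", "172.17.0.1", 1, 1),   # HQ via MPLS, track 1 (SLA1) - report
    StaticRoute("0.0.0.0/0", "172.17.0.1", 2, 1),        # floating default via MPLS - report
    StaticRoute("192.168.0.0/18", "172.16.1.1", 5, 2),   # assumed: HQ via tunnel 1, track 2 (SLA2)
    StaticRoute("0.0.0.0/0", "100.30.30.1", 1, 4),       # assumed: default via VDSL gateway, track 4 (SLA4)
    StaticRoute("192.168.0.0/18", "Null0", 250),         # assumed guard: drop HQ traffic when no path is up
]


def installed_routes(routes: List[StaticRoute], track_up: Dict[int, bool]) -> List[StaticRoute]:
    """Routes kept in the RIB: untracked ones plus tracked ones whose track
    object is up; for each prefix only the lowest distance is installed."""
    alive = [r for r in routes if r.track is None or track_up.get(r.track, False)]
    best: Dict[str, StaticRoute] = {}
    for r in alive:
        if r.prefix not in best or r.distance < best[r.prefix].distance:
            best[r.prefix] = r
    return list(best.values())


def next_hop(routes: List[StaticRoute], track_up: Dict[int, bool], dst: str) -> Optional[str]:
    """Longest-prefix match over the installed routes; None means no route."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in installed_routes(routes, track_up)
             if addr in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    return max(cands, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).next_hop


def without_guard(routes: List[StaticRoute]) -> List[StaticRoute]:
    """The same table minus the Null0 route, to show the leak it prevents."""
    return [r for r in routes if r.next_hop != "Null0"]


if __name__ == "__main__":
    for state in ({1: True, 2: True, 4: True}, {1: False, 2: True, 4: True},
                  {1: True, 2: True, 4: False}, {1: False, 2: False, 4: True}):
        print(state, "HQ ->", next_hop(ROUTES, state, "192.168.50.2"),
              "| internet ->", next_hop(ROUTES, state, "8.8.8.8"),
              "| HQ without guard ->", next_hop(without_guard(ROUTES), state, "192.168.50.2"))
```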
4. IPv4 Firewall Policies
4.1. Intervlan policy
The intervlan policy allows the VLANs to communicate with each other, except for the guest VLAN, which must stay isolated. Navigate to Policy & Objects > Firewall Policy.
So, we allow the VLANs to communicate with each other. No NAT is needed and no security profiles are used, as the traffic is local (a stricter design would apply IPS between VLANs as well, since lateral movement happens on exactly this traffic).
4.3. Branch site traffic
To enable communication with the branch site, we set up a firewall policy that allows traffic to flow from the local HQ site to the Branch site. We enable the policy and set the incoming and outgoing interfaces to "lan" and "SD-WAN". No NAT is needed, and no security profiles are applied, as the traffic flows over connections we treat as trusted (the VPNs and MPLS). Note that only the IPsec tunnels encrypt this traffic; MPLS separates it from other customers' traffic on the provider network but carries it in clear text.
4.4. Access DMZ web server firewall policy
This policy allows incoming traffic from the SD-WAN zone to our web server, limited to HTTP and HTTPS. The source address is all and the destination is the virtual IP we created for the web server. We don't enable NAT in the policy, since the virtual IP already performs the destination NAT; we do apply security profiles to guarantee a level of security inspection.
Name: from internet to dmz web server | Source: all | Destination: web server (virtual IP) | Schedule: always | Service: ALL | Action: ACCEPT | NAT: Disabled | Security profiles: default, default, default, default; SSL inspection: certificate-inspection | Log: All
The policy table shows Service: ALL; since the virtual IP only forwards TCP 80, restricting the service to HTTP/HTTPS in the policy itself would be the tighter setting.
5. Security feature: guest web portal authentication
Users of the guest VLAN (vlan40) must ask for permission when they want to access the internet: we set the security mode of the vlan40 interface to captive portal, which asks the user for credentials before they can browse the web. The usernames and passwords are pre-created in the FortiGate local user database as the guest group.
6.2. HQ internet failover
To test the SD-WAN internet failover, we sent a stream of ICMP packets from a PC in VLAN10 to Google DNS 8.8.8.8 while disconnecting the WAN1 link. Two packets were lost, then connectivity was restored through WAN2, with a visible change in latency.
notice that there are 2 breaks in the connectivity.
6.6. QoS traffic testing
Next, we test the QoS rules by running traceroutes with the ToS byte set to the VoIP class value (ToS = 0x70) and to the mail and web class value (ToS = 0x20).
Test 1: ToS = 0x70 traffic goes out through wan1 (100.10.10.1) and through the MPLS link (172.17.0.2).
The following graph shows the impact of those rules on the average latency over 24 h.
[Figure: average latency over 24 h; y-axis: latency (scale 30 to 100), x-axis: time]
6.5. Testing guests web portal and reachability
Finally, for a guest device to reach the public network, authentication is required.
We also try to ping the VLAN10 interface from a guest device, but no packet is received; this is due to the intervlan policy we made, which prevents VLAN40 from reaching the other VLANs.
Conclusion
In conclusion, through the successful configuration of the network infrastructure, we are now able to provide reliable and secure access to the internet, and connectivity between the two sites through the SD-WAN using the MPLS circuit and the IPsec VPN tunnels, with QoS-based traffic splitting and failover.
General Conclusion
Our team has successfully implemented a robust and reliable network infrastructure that meets the needs of the organization. With the use of SD-WAN, MPLS circuits and IPsec VPN tunnels, we have significantly improved connectivity between the HQ and branch sites. Moreover, the application of Quality of Service (QoS) rules has improved the network infrastructure's ability to fulfil the organization's requirements.
One of the key features of our network infrastructure is the implementation of Fortinet's FortiGate Next-Generation Firewall. This has significantly enhanced our security posture and allowed us to better protect our data and network from potential threats. With FortiGate, we have been able to implement advanced threat protection, secure connectivity and simplified management, which has resulted in improved security and reduced risk for the organization.
From a strategic perspective, the network infrastructure provides a strong foundation to support the organization's growth and expansion plans. With the ability to scale and adapt to new business requirements, we are confident that it will continue to support the organization's success in the long term.
Overall, our project has enabled the company to improve its network performance, increase security and reduce costs. We are proud of the work we accomplished as a team and confident that it will have a positive impact on the company's productivity and success, both in the short and the long term.
References
[1] Cisco Catalyst 2960 Series Switches. Electronic book, author Cisco, edited on January 8, 2014.
[2] https://www.cisco.com/c/en/us/products/collateral/routers/1900-series-integrated-services-routers-isr/data_sheet_c78-598389.html , web page consulted on February 14, 2023.
[3] https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/257828/sd-wan-components-and-design-principles , web page consulted on February 29, 2023.
[4] QuickStart Guide FortiGate/FortiWiFi 40F & 60F Series. Electronic book, author Fortinet, edited on December 1, 2022.
[5] https://asifulhaque.com/scrum-methodology-understanding-the-process-of-agile-software-development/ , web page consulted on March 19, 2023.
[6] http://igm.univ-mlv.fr/~dr/XPOSE2006/marot/architecture.html , web page consulted on April 18, 2023.
[7] https://www.sotetel.tn/fr/sotetel/a-propos/ , web page consulted on February 11, 2023.
[8] https://www.paloaltonetworks.com/cyberpedia/mpls-what-is-multiprotocol-label-switching , web page consulted on March 23, 2023.
[9] https://docs.vmware.com/ , web page consulted on February 17, 2023.
[10] https://docs.gns3.com/ , web page consulted on February 18, 2023.
[11] https://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7 , web page consulted on April 28, 2023.
Annex
A1- this is the HTML code for the web page we tested connectivity with
<!DOCTYPE html>
<html>
<head>
<title>sotetel</title>
</head>
<body style="background-color: #003c4f; color: white;">
<table border="0" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="text-align: center;"></td>
</tr>
<tr>
<td>
<h1 style="text-align: center;">SOTETEL</h1>
</td>
</tr>
<tr>
<td>
</td>
</tr>
</tbody>
</table>
</body>
</html>
A2- FortiGate CLI configuration of the redundant tunnel (vpn-tunnel2)
HQ# config vpn ipsec phase1-interface
HQ# edit "vpn-tunnel2"
HQ# set interface port2
HQ# set remote-gw 100.30.30.2
HQ# set nattraversal disable
HQ# set psksecret tunnel2
HQ# set proposal des-md5
HQ# set dhgrp 2
HQ# set keylife 86400
HQ# end

HQ# config vpn ipsec phase2-interface
HQ# edit "vpn-tunnel2"
HQ# set phase1name "vpn-tunnel2"
HQ# set proposal des-md5
HQ# set keylifeseconds 3600
HQ# set keepalive enable
HQ# set auto-negotiate enable
HQ# set dhgrp 2
HQ# end