Anyone use IPSec VPN tunnels just for management?

I have several Fortigates in remote locations that I typically access via Fortigate Cloud. With the outage that occurred yesterday (Fortigate Cloud services), I’m now looking to have a redundant path to manage them remotely. I do have the ability to RDP to a PC at the remote site, then access the Fortigate from the remote PC which works when the PC is online, but I don’t want to rely just on the PC for a lifeline.
I’m now considering creating IPsec tunnels from my office to each remote FortiGate, but want to know the pros/cons of doing so. It seems like enabling SSL VPN would be easiest with less overhead, but I’m a bit leery of opening up SSL-VPN due to recent security flaws in FortiOS. Do any of you create a direct IPsec tunnel just for backup management purposes? Thanks.

We manage all of our FortiGates over IPsec management tunnels that are built back to a hub FortiGate pair.

Each remote FortiGate has up to three transport paths, and an IPsec tunnel is built over each. We then use BGP to control the primary, secondary and tertiary path that is used for the management traffic.

If the sites are not using SSL-VPN in general and you’d only enable it for yourself, the easiest way is to leverage that, but lock it down completely with local-in policies so that only your public IP can access it (you can technically also enable management on the WAN interface and use local-in policies, but that’s up to you).
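As an added example (not from the poster above, and not a configuration from the original thread), this is the shape of the FortiOS local-in lock-down being described: a custom service for the SSL-VPN listener, an accept rule for a single management source, and an explicit deny for everyone else on the same ports. The interface name "wan1", the source address 203.0.113.10/32, the listener port 10443 and the object names are assumptions chosen for illustration.

```text
# Assumed: SSL-VPN listens on TCP/10443 on wan1; the office egress IP is 203.0.113.10.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

config firewall address
    edit "office-mgmt-pip"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Local-in policies are matched top-down. Without the trailing deny, sources
# that match no policy fall through to the interface's normal allowaccess/SSL-VPN
# handling, so the deny entry is what actually closes the listener to the world.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "office-mgmt-pip"
        set dstaddr "all"
        set service "SSLVPN-10443" "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-10443" "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

The check worth doing after applying this is a connection attempt from an address outside 203.0.113.10 to TCP/10443 and TCP/443 on wan1; both should time out rather than present the FortiOS certificate. If the office egress IP changes (or is not static), the accept rule needs updating before the deny rule locks you out.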

The alternative is an IPsec tunnel, which we do as well and is fine, but make sure that your policies restrict access correctly, so that not everyone can connect to the remote side.

You might consider FMG. All of them can SSH to the gates over the FMG channel; the newest version includes such access to the GUI if you want that.

I have a similar setup, I just use loopback interfaces on the firewalls to allow access to the management and control it that way. The downside is that you have to include additional addressing in the routing, but the benefit is that they are always available as long as the tunnel is operational.
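As an added example (not the commenter's own configuration, and not from the original thread), this shows the loopback-based management design described above on one remote FortiGate, combined with the earlier points in the thread: the loopback is the only thing the hub is allowed to reach through the tunnel, and the loopback /32 is advertised over BGP to each of the transport tunnels so the hub always has a path while any tunnel is up. All names, addresses, AS number and weights are assumptions chosen for illustration; three phase1 tunnels named "mgmt-isp1", "mgmt-isp2" and "mgmt-lte" are assumed to already exist.

```text
# Assumed remote-site loopback used only for management.
config system interface
    edit "lo-mgmt"
        set vdom "root"
        set type loopback
        set ip 10.255.1.1 255.255.255.255
        set allowaccess ping https ssh
    next
end

# Assumed address objects: the hub's management subnet and the loopback /32.
config firewall address
    edit "hub-mgmt-net"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "lo-mgmt-addr"
        set subnet 10.255.1.1 255.255.255.255
    next
end

# Phase2 selectors on each tunnel cover only the loopback and the hub mgmt subnet,
# so the tunnel cannot carry anything else even if a policy is later widened.
config vpn ipsec phase2-interface
    edit "mgmt-isp1-p2"
        set phase1name "mgmt-isp1"
        set auto-negotiate enable
        set src-subnet 10.255.1.1 255.255.255.255
        set dst-subnet 10.10.0.0 255.255.255.0
    next
end

# Only the hub mgmt subnet, only to the loopback, only on admin ports
# (this is the "restrict access correctly" point made earlier in the thread).
config firewall policy
    edit 100
        set name "hub-mgmt-to-loopback"
        set srcintf "mgmt-isp1" "mgmt-isp2" "mgmt-lte"
        set dstintf "lo-mgmt"
        set srcaddr "hub-mgmt-net"
        set dstaddr "lo-mgmt-addr"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
    next
end

# Advertise the loopback to the hub over all three tunnels; neighbor weight
# picks primary, secondary and tertiary. Tunnel-interface IPs and AS are assumed.
config router bgp
    set as 65000
    config neighbor
        edit "10.255.254.1"
            set remote-as 65000
            set weight 300
        next
        edit "10.255.254.5"
            set remote-as 65000
            set weight 200
        next
        edit "10.255.254.9"
            set remote-as 65000
            set weight 100
        next
    end
    config network
        edit 1
            set prefix 10.255.1.1 255.255.255.255
        next
    end
end
```

The phase2 block is shown for one tunnel; the same selectors are repeated for "mgmt-isp2" and "mgmt-lte". Because the loopback is reachable over whichever tunnel BGP currently prefers, monitoring and admin sessions target 10.255.1.1 rather than a WAN address, which is the "always available as long as the tunnel is operational" property described above.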

What is the difference, security-wise, between using HTTPS remote management and SSL VPN? They are both using “SSL”?

I do something similar. But since our locations access resources hosted at our headquarters, we had IPsec tunnels already in place for this purpose. For central management I still use FortiCloud manager, but when I’m troubleshooting issues I just log in directly via the IPsec tunnel.

Are any of these clusters? I am struggling to manage a cluster via IPsec VPN (I can only get to the primary, not the secondary).

This is great, thanks!

Yes, many of them are HA clusters. Most of the designs I have implemented have the primary and secondary share an IP, the active unit being the one that you would access. I can always jump to the secondary unit via the active one.

We also have other designs where each unit has its own IP.

OK, thanks. I am interested to know if it's possible to reach both units independently across a VPN in an HA cluster. I know we can access the secondary with the manage ha command, but we have monitoring tools, so we like to have both units showing in the tool rather than the cluster VIP.

The roadblock we hit is that the dedicated management IP doesn’t route, so unless you can hit it directly we can’t get it to work. Our on-premises clusters are fine, but not the ones over VPN.