Web Security Service Legacy IPSEC Connectivity Instructions - Fortigate Firewalls

Article ID: 174341

Products

Web Security Service - WSS

Issue/Introduction

Symantec tested and validated that Fortinet® firewall devices are able to forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique gateway IP address.

Version Demonstrated:

  • Fortinet 300C
  • FortiOS v5.2.1, build618 (GA)

This procedure provides a guideline configuration that you can apply to the above model or other Fortinet models. It is likely that you have an existing Fortinet device configured in your network; therefore, slight alterations to the existing deployment might be required.

Environment

Deployment Notes

The basic concept of this method is to configure the router with a site-to-site VPN connection and configure the device policy rules to send web-based traffic to the Web Security Service and ignore everything else. Depending on your geographical location, you must create at least two VPN gateways.

  • The device must have an external routable IP address.
  • Do not send Auth Connector traffic to the Web Security Service.
  • You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

Procedure

Prerequisite—Verify that the device is ready for configuration.

This procedure assumes that the Fortigate appliance is already configured with the inside interface or group object with multiple inside interfaces and an outside interface that will communicate with the Web Security Service.


Step 1—Begin a Custom VPN Tunnel configuration

  1. From the left-menu, select VPN > Tunnels.
  2. Click Create New.
  3. The interface displays the VPN Setup screen.
    Define the Phase 1 tunnel.
    1. Enter a meaningful Name for the tunnel interface.
      For example, the location of the device.
    2. Select Custom VPN Tunnel (No Template).
    3. Click Next. The interface displays a page with numerous network configuration parameters.

Step 2—Define the tunnel network parameters

Tip: If a parameter change is not described here, the default is acceptable.

  1. Enter the following network and connection authentication information.
    1. Select the nearest Data Center to your network from this KB article, and enter the Web Security Service IP Address.
    2. Select the Interface that provides the outside connection. 
    3. Enter the Pre-shared Key (PSK), which is the string used to secure the encrypted tunnel between the router and the Web Security Service.
      Tip: The PSK must be at least eight characters and cannot use special characters.
  2. Scrolling down displays the Phase 1 Proposal area.
    1. The Web Security Service supports various encryption algorithm combinations.
      Refer to the Web Security Service help center for details.
    2. Leave the Local ID field blank. By default, this value is auto. An added value might cause the tunnel to fail
      because of a FQDN interruption.
  3. The final area on the screen is New Phase 2.
    1. If the device did not populate the Name field, enter a meaningful name.
    2. The Local Address value(s) tell the device which internal segments to route to the outside and thus to the
      Web Security Service.
      • If you are performing a test, you can select IP Address from the drop-down and enter a single client
        IP.
      • If you are ready to add production traffic, select Subnet and enter the IP address and subnet
        information.
    3. Click Advanced to display additional configuration options.
  4. Select Perfect Forward Secrecy (PFS), as this is a required option. 

Step 3—Create a backup tunnel

(Optional, but recommended) For failover, repeat Steps 1 and 2 to create a backup VPN tunnel that directs traffic to another regional Web Security Service datacenter. When complete, the device displays VPN configurations similar to the following:

Step 4—Route Web Security Service-bound traffic through the tunnel interfaces

  1. Select Router > Static Routes.
  2. Click Create New. The device displays the New Static Route page.
  3. From the Device drop-down list, select the primary Web Security Service location that you configured in Step 2.1.a.

    Click OK.
  4. If you defined a backup location, repeat sub-steps 4.2 and 4.3 above to add that location. When complete, the
    device displays locations similar to the following.

Step 5—Define policy routes

  1. Select Router > Policy Routes.
  2. Click Create New.
    The device displays the New Routing Policy page. 
  3. Route port 80 traffic to the primary Web Security Service tunnel interface.
    1. For the Protocol, select TCP.
    2. From the Incoming Interface drop-down list, select the internal object (traffic coming from internal sources).
    3. Enter the Source Address/Mask test IP address or production IP address and subnet.
    4. For the Destination Address/Mask, enter 0.0.0.0/0, which equals traffic sent to any destination.
    5. For the Destination Ports, enter 80 to 80. This designates web (HTTP) traffic.
    6. From the Outgoing Interface drop-down list, select the primary Web Security Service location.
    7. Click OK.
  4. Repeat sub-steps 5.2 and 5.3 to create a route with the same parameters, but in the Destination Ports fields,
    enter 443, which designates secure web (HTTPS) traffic.
  5. Repeat sub-steps 5.2 and 5.3 to create HTTP (port 80) and HTTPS (port 443) policy routes for the backup tunnel
    interface (if you are configuring one).
    Tip: The order of the entries is important. The primary tunnel must be listed above the secondary tunnel.

    Note: If you are employing SAML authentication, you must also create an additional policy route for Destination Port 443.

 

Step 6—Define firewall policies that allow traffic through the tunnel interface.

  1. Select Policy & Objects > IPv4.
  2. Click Create New. The device displays the New Policy page.
  3. Define the following policy options.
    1. From the Incoming Interface drop-down list, select internal.
    2. From the Source Address drop-down list, select internal_subnet.
    3. From the Outgoing Interface drop-down list, select the primary Web Security Service location.
    4. From the Destination Address drop-down list, select all.
    5. The default Schedule is always (applies).
    6. From the Service drop-down list, select HTTP (in the Web Access section).
    7. Click the + icon to add another Service drop-down list; select HTTPS.
    8. Verify that NAT is disabled.
    9. Click OK.

      Tip: In the example, only HTTP and HTTPS protocols are allowed over the VPN tunnel interfaces. If both VPN interfaces are down, then HTTP and HTTPS traffic triggers the permit rule on the wan1 interface and web traffic goes direct to the Internet. If you have a requirement that web traffic must be denied if both tunnel interfaces are down, add an additional rule on internal-wan1 to deny that traffic.
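An offline check of three settings this procedure calls out (PFS required, Phase 2 timeout no longer than four hours, NAT disabled on the tunnel policy), added here as an example and not part of the original article or of Symantec or Fortinet tooling. It assumes the input is saved `show full-configuration` output and that the article's Phase 2 Timeout corresponds to the `keylifeseconds` setting; the tunnel names and policy ID in the sample are constructed.

```python
import shlex
MAX_P2_LIFE = 4 * 60 * 60  # seconds; the article's four-hour Phase 2 ceiling

def parse(text):  # -> {section: {entry: {key: [values]}}}, top-level blocks only
    tree, section, entry, depth = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        depth += {"config": 1, "end": -1}.get(tok[0], 0)  # track nested blocks
        if tok[0] == "config" and depth == 1:
            section, entry = tree.setdefault(" ".join(tok[1:]), {}), None
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tree

def audit(text):  # assumes "show full-configuration" output, so defaults are explicit
    cfg, findings = parse(text), []
    p2 = cfg.get("vpn ipsec phase2-interface", {})
    tunnels = {v for s in p2.values() for v in s.get("phase1name", [])}
    for name, s in p2.items():
        if s.get("pfs") != ["enable"]:
            findings.append(f"{name}: PFS is not enabled")
        if (life := s.get("keylifeseconds")) is None or int(life[0]) > MAX_P2_LIFE:
            findings.append(f"{name}: Phase 2 lifetime not confirmed <= {MAX_P2_LIFE}s")
    for pid, s in cfg.get("firewall policy", {}).items():
        if tunnels & set(s.get("dstintf", [])) and s.get("nat") == ["enable"]:
            findings.append(f"policy {pid}: NAT is enabled toward a WSS tunnel")
    return findings

# Constructed sample in FortiOS CLI syntax; names are hypothetical.
SAMPLE = """config vpn ipsec phase2-interface
    edit "wss-primary-p2"
        set phase1name "wss-primary"
        set pfs enable
        set keylifeseconds 14400
    next
    edit "wss-backup-p2"
        set phase1name "wss-backup"
        set pfs disable
    next
end
config firewall policy
    edit 10
        set dstintf "wss-backup"
        set nat enable
    next
end"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A missing `keylifeseconds` is reported rather than assumed compliant, because the value cannot be confirmed from the export.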

Step 7—Optional Failover Configuration

Symantec testing indicates that Data Center failover is provided without any additional configuration.

If a Web Security Service data center location IP address becomes unresponsive, the Fortinet device takes the appropriate interface down and the route policies will not apply. The next route policies are used instead, which sends traffic to the backup data center.

Fortinet provides an optional setting for the backup interface to monitor the primary. Testing did not indicate a difference in failover results when set, but you can set this option. Follow the commands in the Fortinet CLI example to set up monitoring.

 
