In this tutorial I will show you how to configure a Cisco Umbrella SIG tunnel to a Fortigate 60F in your lab environment.
First I will show the Cisco Umbrella SIG configuration, followed by the Fortigate 60F configuration. I will also show you where to check the status and the logs to verify that the IPsec tunnel has been established successfully.
You can find the official Cisco Umbrella SIG Network Tunnel Configuration Guide here. There is no official configuration guide for the Fortigate integration, but if you understand IPsec fundamentals it is not too difficult to configure.
The configuration on the Cisco Umbrella side is pretty straightforward.
If you are integrating with Cisco SD-WAN products (Meraki, vEdge, cEdge), the guide provides easy step-by-step instructions for the integration.
You will need a bit more understanding of Fortigate configuration, as that side is not so straightforward. I hope this guide helps you get started, but if you need more than the typical setup you will have to do more research of your own.
Architecture Diagram. In a typical branch setup you would route all Internet traffic through the Cisco Umbrella SIG tunnel to get the maximum protection. However, in this tutorial I will only route VLAN 42 traffic through the Cisco Umbrella SIG tunnel to the Melbourne Data Center.
You can find the list of Umbrella head-end IP addresses at the following link.
Cisco Umbrella SIG Configuration
Now let's get started with the configuration in Cisco Umbrella SIG, which comprises the following steps.
1. Log in to your Umbrella Dashboard, go to Deployments and then Network Tunnels, and click Add.
2. Give the tunnel a meaningful name, and under Device Type select Other.
3. Under the Configure Tunnel section you can specify the Client Reachable Prefixes. Although this is optional, it is good practice to specify your organization's IP address ranges here.
4. Under the Configure Tunnel ID and Passphrase section, select the authentication method. For this tutorial I am using FQDN. Give the Tunnel ID a meaningful name; it must be between 8 and 100 characters in length. Then enter the Passphrase, taking note of the minimum requirements.
5. The completed configuration should look like the following. When you are done, click Save.
6. After you save, you will be presented with the Tunnel ID and Passphrase. Copy this information and keep it safe and secure, as you will need it for the configuration on the Fortigate 60F side.
7. Once you complete the configuration you will see the tunnel in a configured state, pending the Fortigate initiating the request to establish the IPsec tunnel.
That is all you need to do on the Cisco Umbrella side for the Secure Internet Gateway (SIG) tunnel configuration.
Fortigate 60F Configuration
Now let's go over to the Fortigate 60F side for the configuration, which comprises the following steps.
In a typical branch you would route all subnets and VLANs through the Cisco Umbrella SIG tunnel before they reach the Internet, for the best cloud security protection.
However, for lab testing we are going to choose a single subnet, as depicted in the network diagram at the beginning. To learn how to create a VLAN, check out "How to create a VLAN in Fortigate 60F".
Now we can start configuring the VPN tunnel, the routing and the firewall policy.
1. First we need to create a new VPN tunnel. Go to VPN -> IPsec Tunnels and click Create New.
2. Select IPsec Tunnel.
3. Select Custom in the VPN Creation Wizard.
4. Give it a name.
Locate the Data Center IP address (Tokyo in this lab) in the Umbrella guide; check the website for the latest IP addresses available, as they can change.
5. In the New VPN Tunnel tab:
Enter the Umbrella Tokyo IP address as the remote IP address and select the interface connected to the Internet, in this tutorial wan1. Change the Dead Peer Detection (DPD) retry interval to 10.
Paste the Passphrase you copied from the Umbrella Dashboard as the Pre-shared Key, and select IKE Version 2.
For the Phase 1 Proposal in this lab I have chosen the following. Change the Key Lifetime to 49600. Paste the Tunnel ID you created in the Dashboard into the Local ID field.
Note that for the DH Group only 5, 14, 19 and 20 are supported.
You can find the supported Cisco Umbrella SIG tunnel IPsec parameters at the following link.
For the Phase 2 Selectors, enter your local address (the subnet you are routing through the tunnel) and choose your encryption based on the supported parameters.
Once you are done you will see that the tunnel is configured but its status is inactive.
Next, create a static route to send traffic to the Cisco Umbrella SIG tunnel.
Select the tunnel you have created as the interface.
If you are not routing all traffic through the Umbrella SIG tunnel, lower the Administrative Distance to 5. The policy route configured later only takes effect while this route is active in the routing table, so check that it appears there after saving.
You should now see a static route to the SIG tunnel you have created. The IPsec tunnel is still not up, as we still need to set the firewall policy. In this tutorial I am also using policy-based routing to selectively route only one VLAN through the Cisco Umbrella SIG tunnel.
Now go to Firewall Policy and create a new policy.
As the Incoming Interface, select the internal interface whose network you have chosen to route through the Umbrella SIG tunnel.
In a typical deployment you would select all the LAN interfaces.
Next, select the SIG tunnel you have created as the Outgoing Interface.
Select all for the destination, since all traffic from this source should be routed through the tunnel.
Choose ALL for the service.
Make sure you turn off NAT.
In a normal setup where you are sending all LAN traffic through the Cisco Umbrella SIG tunnel, that is all you have to do.
However, for this tutorial I am only routing a particular subnet through the Cisco Umbrella SIG tunnel, so we also need to configure a policy route.
Go to Network -> Policy Routes and click Create New.
For the Incoming Interface, select the VLAN that is participating in the IPsec tunnel; in our case the VLAN we created for this lab.
For the Source, you can match all traffic or just the subnet that is being routed through the tunnel.
For the Destination, select all destinations (0.0.0.0/0).
Under Action, select Forward Traffic and specify the Umbrella Data Center IP address as the Gateway address for the next hop.
For the Outgoing Interface, specify the SIG tunnel.
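For readers who prefer the CLI, or who want to compare a GUI configuration against a known-good baseline, the following is the FortiOS CLI equivalent of the Fortigate steps above. It is an added example written for this page, not configuration from the original tutorial or from Cisco or Fortinet documentation. The tunnel name "Umbrella-SIG", the LAN interface "vlan42" with subnet 192.168.42.0/24, the address object "VLAN42-net", the placeholder head-end address 203.0.113.10 and the placeholder Tunnel ID and passphrase are all assumptions; replace them with your own values and with the head-end IP for your region from the Umbrella data center list.

```fortios
# Added example (not from the original tutorial): FortiOS CLI equivalent of the
# GUI steps. Assumed names: tunnel "Umbrella-SIG", LAN interface "vlan42"
# (192.168.42.0/24), WAN interface "wan1". 203.0.113.10 is a documentation
# placeholder for the Umbrella head-end; the Local ID and PSK are placeholders
# for the Tunnel ID and Passphrase shown in the Umbrella dashboard.

# Phase 1: IKEv2, FQDN Local ID, DPD retry interval 10s, key lifetime 49600s
config vpn ipsec phase1-interface
    edit "Umbrella-SIG"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set peertype any
        set net-device disable
        set proposal aes256-sha256        # must be on the Umbrella supported list
        set dhgrp 19                      # Umbrella supports 5, 14, 19, 20
        set keylife 49600
        set localid-type fqdn
        set localid "PLACEHOLDER-TUNNEL-ID"
        set dpd on-demand
        set dpd-retryinterval 10
        set psksecret "PLACEHOLDER-PASSPHRASE"
    next
end

# Phase 2: local selector = the VLAN subnet, remote selector = everything
config vpn ipsec phase2-interface
    edit "Umbrella-SIG-p2"
        set phase1name "Umbrella-SIG"
        set proposal aes256-sha256        # check against the Umbrella parameter list
        set pfs enable
        set dhgrp 19
        set keylifeseconds 3600
        set src-subnet 192.168.42.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Default route via the tunnel, distance 5 as in the tutorial
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "Umbrella-SIG"
        set distance 5
        set comment "Default via Umbrella SIG"
    next
end

# Firewall policy: VLAN 42 -> tunnel, all services, NAT off
config firewall address
    edit "VLAN42-net"
        set subnet 192.168.42.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "VLAN42-to-Umbrella-SIG"
        set srcintf "vlan42"
        set dstintf "Umbrella-SIG"
        set srcaddr "VLAN42-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Policy route: only VLAN 42 is steered into the tunnel
config router policy
    edit 0
        set input-device "vlan42"
        set src "192.168.42.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.10
        set output-device "Umbrella-SIG"
    next
end
```

Two caveats a practitioner would check: first, the Phase 1 and Phase 2 proposals above are only illustrative, so confirm them against the Umbrella supported-parameter list before relying on them; second, if the other VLANs lose Internet access after the static route is added, the tunnel default route and the WAN default route are both active and being load-balanced. The usual FortiOS way to keep a route in the table for policy routing without it competing for normal forwarding is to give it the same distance as the WAN route but a higher priority value, rather than a lower distance.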
You can go to Log & Report -> Events to check the VPN events for the negotiation. Not covered in this tutorial, you can also use the CLI to look at the IKE debug output for the IPsec establishment and any errors. You need to enable logging to Memory to see the latest events.
If everything is configured properly, you should see that the tunnel is up.
Under Dashboard -> IPsec Monitor you will see that the tunnel is up and that both Phase 1 and Phase 2 are up.
And in the Umbrella Console you will see your tunnel up.
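When the GUI only says "inactive", the CLI is where you find out why. The following checks are an added example for this page, not commands from the original tutorial; they assume the tunnel names "Umbrella-SIG" (Phase 1) and "Umbrella-SIG-p2" (Phase 2) and the placeholder head-end address 203.0.113.10, so substitute your own.

```fortios
# Added example (not from the original tutorial): FortiOS CLI checks for the
# Umbrella tunnel. Assumed names: "Umbrella-SIG" (phase 1), "Umbrella-SIG-p2"
# (phase 2); 203.0.113.10 is a placeholder for the Umbrella head-end address.

# Phase 1 (IKE SA): look for "established" and IKEv2 in the output
diagnose vpn ike gateway list name Umbrella-SIG

# Phase 2 (IPsec SA): sa=1 under the child SA means it is up; also shows
# the selectors actually negotiated, which should be 192.168.42.0/24 -> 0.0.0.0/0
diagnose vpn tunnel list name Umbrella-SIG

# Is the default route via the tunnel active, and does the policy route exist?
get router info routing-table all
diagnose firewall proute list

# Live IKE negotiation debug, filtered to the Umbrella head-end only.
# (FortiOS 6.x syntax; on 7.x the filter is "diagnose vpn ike log filter rem-addr4".)
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable
# ... generate traffic from a VLAN 42 host, read the negotiation, then stop:
diagnose debug disable
diagnose debug reset

# Force the tunnel up if nothing is initiating it yet
diagnose vpn tunnel up Umbrella-SIG-p2 Umbrella-SIG
```

The most common failures show up clearly in the IKE debug: a "no proposal chosen" message means the Phase 1 or Phase 2 algorithms do not match the Umbrella supported list, an authentication failure points at the passphrase, and a negotiation that never starts usually means the Local ID does not match the Tunnel ID from the Umbrella dashboard. Always disable and reset the debug afterwards, since level -1 is verbose and will fill the console.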
That is all for this tutorial.