Fortigate | Persiapan Migrasi Firewall area SF

STEP-1: TAHAP PERSIAPAN MIGRASI
Lab ini sambungan dari Forti - Firewall ServerFarm on Nexus - VRF Mode , dimana bagian ini belum dimigrasi. Persiapan Migrasi: Bagian ini sdh dikonfig di swith SW-FS-01 dan SW-FS-01 sebelum migrasi, jadi konfigurasinya sdh ada di switch SF dan tidak memempengerahui konfig operasi switch.

Port-Channel atau EtherChannel Mode Active dalah Link Aggregation Control Protocol ( LACP ).

===========================
SW-FS-01
--------------------------
vlan 256
name Inside_Forti_Firewall_T3
exit
vlan 257
name Outside_Forti_Firewall_T3
exit

interface ethernet 1/4
description INSIDE_FORTI_P1
switchport
switchport access vlan 256
channel-group 6 mode active
exi

interface ethernet 1/5
description INSIDE_FORTI_P2
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi

interface ethernet 1/6
description OUTSIDE_FORTI_P3
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi

interface ethernet 1/7
description OUTSIDE_FORTI_P4
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi

interface vlan 256
description INSIDE_FORTI_FW_T3
no shu
ip address 10.90.254.58/29
ip router ospf 1 area 0.0.0.0
hsrp 1
preempt
priority 110
ip 10.90.254.57
exi
exit

interface vlan 257
description OUTSIDE_FORTI_FW_T3
no shu
ip address 10.90.254.50/29
ip router ospf 2 area 0.0.0.0
hsrp 1
preempt
priority 110
ip 10.90.254.49
exi
exit

interface port-channel 5
description OUTSIDE_FORTI
no shutdown
switchport
switchport access vlan 257
switchport mode access
exi

interface port-channel 6
description INSIDE_FORTI
shutdown
switchport
switchport mode access
switchport access vlan 256
exit
-------------------------------------------
SW-FS-02

vlan 256
name Inside_Forti_Firewall_T3
exit
vlan 257
name Outside_Forti_Firewall_T3
exit

interface ethernet 1/4
description INSIDE_FORTI_P1
no shut
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi

interface ethernet 1/5
description INSIDE_FORTI_P2
no shut
switchport
switchport mode access
switchport access vlan 256
channel-group 6 mode active
exi

interface ethernet 1/6
description OUTSIDE_FORTI_P3
no shut
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi

interface ethernet 1/7
description OUTSIDE_FORTI_P4
no shut
switchport
switchport mode access
switchport access vlan 257
channel-group 5 mode active
exi

interface vlan 256
description INSIDE_FORTI_FW_T3
no sh
ip address 10.90.254.59/29
ip router ospf 1 area 0.0.0.0
hsrp 1
preempt
ip 10.90.254.57
exi
exit

interface vlan 257
description OUTSIDE_FORTI_FW_T3
no sh
ip address 10.90.254.51/29
ip router ospf 2 area 0.0.0.0
hsrp 1
preempt
ip 10.90.254.49
exi
exit

interface port-channel 5
description OUTSIDE_FORTI
shutdown
switchport
switchport mode access
switchport access vlan 257
exi

interface port-channel 6
description INSIDE_FORTI
shutdown
switchport
switchport mode access
switchport access vlan 256
exit

FIREWALL-SERVER FARM.

Lalu dibagian firewall pastikan sdh dikonfig (interface inisde/outisde, routing defaul & statik, policy rule dan HA) pastikan semua sdh done). Pastikan p2p antar port inside/outside ke swith SF sdh reachable (ping sdh reply). Berikut Capturenya.

Interface IP

PING dari forti ke swith-SF / reply,Ok. jd sebelum migrasi bagian harus dimakesure bahwa p2p antar firewall dengan switch sdh reply, setelh reply, portnya bisa disable lg, menunggu hari H migrasi di enable lg.

===================================================
STEP-2.TAHAP LIVE MIGRASI

Di step ini adalah bagian dari proses live migrasi firewall di area SF(selama proses migrasi , berikut langkah2 ini yg perlu dilakukan)

SW_FS-01
--------------
Step-1

Aktifkan port INSIDE & OUTSIDE di FORTI-FW, karena sebelmnya status nya masih disable:
Staus interface Vlan256 dan Vlan257 di swith SF sdh enable/up, tdk perlu di no shut lagi.
Aktifkan port phisical INSIDE dan OUTSIDE (port1 - 4), karena staus interface-nya msh disable/down
Aktifkan port chanbel-5 dan channel-6 , karena interface port-ch5 dan port-ch6 (shutdown)

Step-2
Create vrf context OUTSIDE_FW_T3 di swith SW-SF-01
vrf context OUTSIDE_FW_T3

Step-3: Create spesisifk statik-route (segmen vlan SF) to Forti-FW via interface Outside
vrf context OUTSIDE_FW_T3
ip route 10.0.1.0/24 10.90.254.52 name VLan_10
ip route 10.0.2.0/24 10.90.254.52 name VLan_20
ip route 10.0.3.0/24 10.90.254.52 name VLan_30
ip route 10.0.4.0/24 10.90.254.52 name VLan_40
exit

Step-4 : Cretae VRF context OUTSIDE_FW_T3
router ospf 2
vrf OUTSIDE_FW_T3
exit

Step-5 :Create default-route
ip route 0.0.0.0 0.0.0.0 10.90.254.60 name internet

Step-6 : Create ip-prefix-list
ip prefix-list static-to-ospf-outside-fw permit 10.0.1.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.2.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.3.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.4.0/24

dan
route-map STATIC-TO-OSPF-OUT permit 10
match ip address prefix-list static-to-ospf-outside-fw
exit

Step-7 : Create New OSPF Proses (ospf 2)
router ospf 2
vrf OUTSIDE_FW_T3
redistribute static route-map STATIC-TO-OSPF-OUT
exit
exit

Step-8 : Create vrf SW-SF-01
interface Ethernet1/1
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-01
no switchport
ip address 10.90.252.6/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit

interface Ethernet1/2
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-02
no switchport
ip address 10.90.252.21/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit

interface Vlan257
description OUTSIDE_FORTI_FW_T3
vrf member OUTSIDE_FW_T3
no shutdown
ip address 10.90.254.50/29
ip router ospf 2 area 0.0.0.0
hsrp 1
    preempt
    priority 110
    ip 10.90.254.49

-----------------------------------------
SW_FS-02

Step-1

Actifkan port ISNIDE/OUTSIDE di FORTI-FW, staus interface interface-nya mash disable, staus interface VLan256 dan VLan257 di swith SF sdh enable/up
Actifkans port Phisicla INSIDE dan INSIDE (port1 - 4), karena staus interface-nya msh disable/down
Actifkans port Chanbel-5 dan Channel-6 , akrena interface port-ch5 dan port-ch6 (shutdown)

Step-2: Create vrf context OUTSIDE_FW_T3 di swith SW-SF-01

vrf context OUTSIDE_FW_T3

Step-3: Create spesisifk statik-route (segmen vlan SF) to Forti via interface Outside

vrf context OUTSIDE_FW_T3
ip route 10.0.1.0/24 10.90.254.52 name VLan_10
ip route 10.0.2.0/24 10.90.254.52 name VLan_20
ip route 10.0.3.0/24 10.90.254.52 name VLan_30
ip route 10.0.4.0/24 10.90.254.52 name VLan_40
exit

Step-4 : Cretae VRF context OUTSIDE_FW_T3
router ospf 2
vrf OUTSIDE_FW_T3
exit

Step-5 :create default-route
ip route 0.0.0.0 0.0.0.0 10.90.254.60 name Internet

Step-6 : create ip-prefix-list
ip prefix-list static-to-ospf-outside-fw permit 10.0.1.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.2.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.3.0/24
ip prefix-list static-to-ospf-outside-fw permit 10.0.4.0/24

dan
route-map STATIC-TO-OSPF-OUT permit 10
match ip address prefix-list static-to-ospf-outside-fw
exit

Step-7 : create New OSPF Proses (ospf 2)
router ospf 2
vrf OUTSIDE_FW_T3
redistribute static route-map STATIC-TO-OSPF-OUT
exit
exit

Step-8 : Create vrf SW-SF-02
interface Ethernet1/1
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-01
   ip address 10.90.252.18/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit

interface Ethernet1/2
no switchport
vrf member OUTSIDE_FW_T3
desc TO-CS-02
   ip address 10.90.252.10/30
ip ospf network point-to-point
ip router ospf 2 area 0.0.0.0
no shutdown
exit

interface Vlan257
description OUTSIDE_FORTI_FW_T3
vrf member OUTSIDE_FW_T3
no shutdown
ip address 10.90.254.51/29
ip router ospf 2 area 0.0.0.0
hsrp 1
    preempt
   ip 10.90.254.49
exit

VERIFIKASI
Ping dan trace dari SF ke internet dan ke LAN-disti