The Security Guy

Let's keep the cloud from leaking!

Microsoft GSA Remote Networks – How to connect your FortiGate

While testing Microsoft's Global Secure Access, we wanted to try the Remote Networks feature, which is often overlooked. Since I worked with FortiGates in the past, I thought it couldn't be that hard to configure the IPsec tunnel that is needed to connect your site to GSA.

Far from it!

It took me hours to figure out the correct settings to make BGP work within the IPsec tunnel.
Fortunately, Microsoft provides some very detailed instructions on how to connect your CPE (which, by the way, stands for "Customer Premises Equipment") to GSA:

Anyway, let's get into how to configure this stuff.

Configure Entra Side

Create Remote Network in GSA:

Add Remote Network Link (adjust settings as needed):

Select the following IKE settings (they can be adjusted, but these settings have proven to work):

Set a secure PSK:

After a few minutes, the Remote Network Link should be deployed and the configuration can be viewed:

Note down the relevant information for the following steps:

Configure FortiGate

Now the interesting part starts: configuring the FortiGate.
Make sure you have some kind of console access, since you will be entering a lot of CLI commands 😉

Configure VPN Interface:

config system interface
    edit "GX-GSA"
        set vdom "root"
        set ip 192.168.250.1 255.255.255.255
        set type tunnel
        set interface "WAN"
    next
end

Configure Phase 1 for VPN:

config vpn ipsec phase1-interface
    edit "GX-GSA"
        set interface "WAN"
        set ike-version 2
        set authmethod-remote psk
        set peertype any
        set proposal aes256-sha256
        set localid "x.x.x.x"
        set dpd disable
        set dhgrp 14
        set nattraversal disable
        set remote-gw y.y.y.y
        set psksecret <PSK>
        set psksecret-remote <PSK>
    next
end

Configure Phase 2 for VPN:

config vpn ipsec phase2-interface
    edit "GX-GSA"
        set phase1name "GX-GSA"
        set proposal aes256gcm
        set dhgrp 14
        set replay disable
        set keylifeseconds 300
    next
end

Configure Firewall Policy for BGP:

config firewall policy
    edit 0
        set name "fgt-gsa-bgp"
        set srcintf "GX-GSA"
        set dstintf "GX-GSA"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "BGP"
        set logtraffic all
    next
end

Configure Firewall Policies for GSA Tunnel:

config firewall policy
    edit 0
        set name "allToGSA"
        set srcintf "switch-internal"
        set dstintf "GX-GSA"
        set action accept
        set srcaddr "switch-internal address"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "allFromGSA"
        set srcintf "GX-GSA"
        set dstintf "switch-internal"
        set action accept
        set srcaddr "all"
        set dstaddr "switch-internal address"
        set schedule "always"
        set service "ALL"
    next
end

Configure a static route to the BGP neighbor:

config router static
    edit 0
        set dst 192.168.250.2 255.255.255.255
        set device "GX-GSA"
    next
end

Configure BGP neighbor:

config router bgp
    set as 64512
    set router-id 192.168.250.1
    config neighbor
        edit "192.168.250.2"
            set passive enable
            set soft-reconfiguration enable
            set ebgp-enforce-multihop enable
            set remote-as 65476
        next
    end
end
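Once all blocks are in place, it helps to verify that nothing drifted from the values the tunnel was brought up with. As an added example (not from the original post), here is a small Python parser for FortiOS-style config/edit/set blocks plus a drift check against the GSA-relevant values used above; SAMPLE_CONFIG is constructed, with the phase 2 DH group deliberately wrong so the check has something to report.

```python
# Added example (not from the post): flatten FortiOS CLI blocks and flag drift from
# the GSA values used above. SAMPLE_CONFIG is constructed; its phase2 DH group is wrong.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "GX-GSA"
        set ike-version 2
    next
end
config vpn ipsec phase2-interface
    edit "GX-GSA"
        set proposal aes256gcm
        set dhgrp 5
    next
end
config router bgp
    config neighbor
        edit "192.168.250.2"
            set remote-as 65476
        next
    end
end
"""

def parse_fortios(text):
    """Flatten config/edit/set/next/end blocks into {path_tuple: {key: value}}."""
    tree, path, auto = {}, [], 0
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        kw, _, rest = line.partition(" ")
        if kw == "config":
            path.append(rest)
        elif kw == "edit":  # 'edit 0' asks FortiOS to auto-assign an id
            auto += 1 if rest == "0" else 0
            path.append(f"auto{auto}" if rest == "0" else rest.strip('"'))
        elif kw == "set":
            key, _, val = rest.partition(" ")
            tree.setdefault(tuple(path), {})[key] = val.strip('"')
        elif kw in ("next", "end") and path:
            path.pop()
    return tree

GSA_EXPECTED = {  # values from the working tunnel above; 65476 is the GSA-side ASN
    ("vpn ipsec phase1-interface", "GX-GSA"): {"ike-version": "2"},
    ("vpn ipsec phase2-interface", "GX-GSA"): {"proposal": "aes256gcm", "dhgrp": "14"},
    ("router bgp", "neighbor", "192.168.250.2"): {"remote-as": "65476"},
}

def check_gsa_settings(tree, expected=GSA_EXPECTED):
    """Return (path, key, expected, actual) for every setting that deviates."""
    return [(p, k, v, tree.get(p, {}).get(k)) for p, want in expected.items()
            for k, v in want.items() if tree.get(p, {}).get(k) != v]
```

Feed it the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show router bgp` to compare a live box against the values above.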

Troubleshooting

If you encounter issues along the way, here are some useful commands that can help you troubleshoot and solve the problem:

-- Routing --
get router info routing-table all

-- BGP --

get router info bgp neighbors <NEIGHBOR IP> received-routes
get router info bgp neighbors <NEIGHBOR IP> advertised-routes

get router info bgp neighbors <NEIGHBOR IP>

-- VPN --
diagnose vpn tunnel list
get vpn ipsec tunnel summary
diagnose vpn ike status detailed

-- Start Debugging Console for IPSec: --
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 <IPSEC Gateway IP>
diagnose debug application ike -1
diagnose debug enable

-- Disable Debugging Console --
diagnose debug disable
diagnose debug reset
