FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
Aarafat, Staff
Article Id 195220
Description
This article describes how to extend the deception service between two sites using VXLAN over an IPSec tunnel.

Scope
FortiGate: v6.2.0 build 0866, FortiDeceptor: v3.0.0 build 011.

Solution
Network Topology:

FortiDeceptor is installed at HQ, and the deception network needs to be extended to a remote branch that is to be protected.

Configuration and Validation Overview:

To extend the deception network from HQ to a branch, follow these steps:

1) Initialize the VM Decoys in the HQ Deception network.
2) Configure IPSec Tunnel on HQ and Branch.
3) Create VXLAN tunnel over the IPSec tunnel on the HQ and Branch and create the software switch to bridge the VXLAN interface and local network on HQ and Branch.
4) Configure the firewall rules on HQ and Branch.
5) On the branch subnet, verify the connectivity to the hosts on the same layer 2 segment at HQ.
6) Test that the decoy VMs generate events from an attacker originating in the branch network.

Configuration & Validation Details:

1) Initialize the VM Decoys in the HQ Deception network. Steps:

- Initialize FortiDeceptor to deploy decoy VMs on the 172.18.18.0/24 network on port2.

- Initialize the decoy VMs and assign their IP addresses: 172.18.18.50/24 for the Linux decoy and 172.18.18.60/24 for the Windows decoy.
Enable SAMBA and SSH on the Linux decoy, and SMB and RDP on the Windows decoy, as lure services.
A valid, pingable IP address is needed as the gateway for the decoys to initialize.
Initially, this is the FortiGate-HQ port10 IP address.

- Once initialized, verify that the decoys are in the running state.
Note the highlighted decoys below.

2) Configure IPSec Tunnel on HQ and Branch.

- Phase1 configuration on FortiGate-HQ:
# config vpn ipsec phase1-interface
    edit "branches"
        set interface "port6"
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes256-sha256
        set remote-gw 10.0.0.106
        set peerid "branches"
        set psksecret ENC iovalPlbcZMqkc72ILcxwkPpoYt+AjIgLbpaZPSHSFhwQezWLuhvBYr2mGnKVS+m94tdivOXeGXmXT9YPPRcqKlV5gq1kRkYyqPd29nsrM03Enwnnu9eCdsujvBGQzgGWS7jSHlOuHo0lh8JicL3KHb0Pat4RPrFvCwl2dBMkvviRngKz7lL5o3Ki/yDVl5SwLsr5A==
    next
end
- Phase2 configuration on FortiGate-HQ:
# config vpn ipsec phase2-interface
    edit "branches"
        set phase1name "branches"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
- Change the IP address of the IPSec tunnel Interface on FortiGate-HQ:
# config system interface
    edit "branches"
        set vdom "root"
        set ip 192.168.255.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.255.2 255.255.255.255
        set interface "port6"
    next
end
- Phase 1 configuration on FortiGate-Branch:
# config vpn ipsec phase1-interface
    edit "HQ"
        set interface "port2"
        set mode aggressive
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set localid "branches"
        set remote-gw 10.0.0.102
        set psksecret ENC oJupYf1CA6iB5ek8r8mbh7O5NODwYHXznYcndaxD3EDddzvD+BipAnImQJh142l2seqOLpizSRpuc5IVePlrVADbTlrN301JZxSinaEuSBvr66PkArnZOTk1K4YPVtdiRqR9NoAPWesF3I79EK9Y0zLXIiMU+Zn+6Km7TeCmjDaezT6RVTp+oR6zrpMkrdZmvlkBIA==
    next
end
- Phase 2 configuration on FortiGate-Branch:
# config vpn ipsec phase2-interface
    edit "HQ"
        set phase1name "HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
- Change the IP address of the IPSec tunnel Interface on FortiGate-Branch:
# config system interface
    edit "HQ"
        set vdom "root"
        set ip 192.168.255.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.255.1 255.255.255.255
        set interface "port2"
    next
end


The IPSec VPN between HQ and Branch should be up.

3) Create VXLAN tunnel over the IPSec tunnel on the HQ and Branch and create the software switch to bridge the VXLAN interface and local network on HQ and Branch.

- Create VXLAN interface over the IPSec Interface in FortiGate-HQ:
# config system vxlan
    edit "br_vxlan"
        set interface "branches"
        set vni 1
        set remote-ip "192.168.255.2"
    next
end

- Create a software switch to bridge the LAN and VXLAN interfaces on FortiGate-HQ:
# config system switch-interface
    edit "br_ipsec-vxlan"
        set vdom "root"
        set member "br_vxlan" "port10"
    next
end
- Change the IP address of the software switch to replace the original gateway IP address on FortiGate-HQ:
# config system interface
    edit "br_ipsec-vxlan"
        set vdom "root"
        set ip 172.18.18.254 255.255.255.0
        set allowaccess ping
        set type switch
    next
end

- Create VXLAN interface over the IPSec Interface in FortiGate-Branch:
# config system vxlan
    edit "HQ_vxlan"
        set interface "HQ"
        set vni 1
        set remote-ip "192.168.255.1"
    next
end

- Create a software switch to bridge the LAN and VXLAN interfaces on FortiGate-Branch:
# config system switch-interface
    edit "HQ_ipsec-vxlan"
        set vdom "root"
        set member "HQ_vxlan" "port1"
    next
end
- Change the IP address of the software switch to replace the original gateway IP address on FortiGate-Branch:
# config system interface
    edit "HQ_ipsec-vxlan"
        set vdom "root"
        set ip 172.18.18.244 255.255.255.0
        set allowaccess ping
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set fortiheartbeat enable
        set role lan
    next
end
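As an added cross-check (example code written for this article, not Fortinet's or the author's): the script below parses the phase1, tunnel-interface and VXLAN blocks from steps 2 and 3 as FortiOS CLI text and verifies the values that must agree between the two sites before the layer 2 bridge can come up: an equal VNI, each side's VXLAN remote-ip and tunnel remote-ip pointing at the peer's tunnel address, and HQ's aggressive-mode peerid matching the Branch localid. The embedded configuration strings are constructed from the blocks above, trimmed to the keys the checks use.

```python
HQ = (  # constructed from the FortiGate-HQ blocks in steps 2 and 3
    'config vpn ipsec phase1-interface\n edit "branches"\n set peerid "branches"\n next\nend\n'
    'config system interface\n edit "branches"\n set ip 192.168.255.1 255.255.255.255\n'
    ' set remote-ip 192.168.255.2 255.255.255.255\n next\nend\n'
    'config system vxlan\n edit "br_vxlan"\n set interface "branches"\n set vni 1\n'
    ' set remote-ip "192.168.255.2"\n next\nend\n'
)
BRANCH = (  # constructed from the FortiGate-Branch blocks in steps 2 and 3
    'config vpn ipsec phase1-interface\n edit "HQ"\n set localid "branches"\n next\nend\n'
    'config system interface\n edit "HQ"\n set ip 192.168.255.2 255.255.255.255\n'
    ' set remote-ip 192.168.255.1 255.255.255.255\n next\nend\n'
    'config system vxlan\n edit "HQ_vxlan"\n set interface "HQ"\n set vni 1\n'
    ' set remote-ip "192.168.255.1"\n next\nend\n'
)

def parse(text):
    """Parse config/edit/set/next/end nesting into {section: {name: {key: first value}}}."""
    tree, section, entry = {}, None, None
    for raw in filter(str.strip, text.splitlines()):
        cmd, _, arg = raw.strip().partition(" ")
        if cmd == "config":
            section = tree.setdefault(arg, {})
        elif cmd == "edit":
            entry = section.setdefault(arg.strip('"'), {})
        elif cmd == "set":  # keep only the first value token (IP without mask, name unquoted)
            key, _, val = arg.partition(" ")
            entry[key] = val.replace('"', "").split()[0]
    return tree

def site_view(cfg):
    """Return (vxlan entry, the IPsec tunnel interface it rides on, that tunnel's phase1)."""
    vx = next(iter(cfg["system vxlan"].values()))
    return vx, cfg["system interface"][vx["interface"]], cfg["vpn ipsec phase1-interface"][vx["interface"]]

def check_pair(a, b):
    """Return cross-site mismatches; an empty list means the L2 bridge is consistently defined."""
    issues = []
    (vx_a, tun_a, p1_a), (vx_b, tun_b, p1_b) = site_view(a), site_view(b)
    if vx_a["vni"] != vx_b["vni"]:
        issues.append(f"VNI differs: {vx_a['vni']} vs {vx_b['vni']}")
    for vx, tun, peer_tun in ((vx_a, tun_a, tun_b), (vx_b, tun_b, tun_a)):
        if vx["remote-ip"] != peer_tun["ip"]:  # VXLAN endpoint must be the peer's tunnel address
            issues.append(f"vxlan remote-ip {vx['remote-ip']} != peer tunnel ip {peer_tun['ip']}")
        if tun["remote-ip"] != peer_tun["ip"]:
            issues.append(f"tunnel remote-ip {tun['remote-ip']} != peer tunnel ip {peer_tun['ip']}")
    for mine, peer in ((p1_a, p1_b), (p1_b, p1_a)):  # aggressive-mode peerid must match the peer's localid
        if "peerid" in mine and mine["peerid"] != peer.get("localid"):
            issues.append(f"phase1 peerid {mine['peerid']} has no matching localid on the peer")
    return issues
```

Run `check_pair(parse(HQ), parse(BRANCH))` after pasting the real `show` output of both FortiGates into the two strings; any non-empty result points at the block to correct before troubleshooting the tunnel itself.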
4) Configure the firewall rules on HQ and Branch.

- Configure firewall policy for LAN to Internet in FortiGate-HQ:
# config firewall policy
    edit 0
        set name "FDC-LAN_To_INTERNET"
        set srcintf "br_ipsec-vxlan"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
- Configure firewall policy for LAN to Remote_LAN (same subnet in the branch) in FortiGate-HQ:
# config firewall policy
    edit 0
        set name "HQ_to_Branch"
        set srcintf "br_ipsec-vxlan"
        set dstintf "branches"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end
- Configure firewall policy for LAN to Internet in FortiGate-Branch:
# config firewall policy
    edit 0
        set name "Local_Internet"
        set srcintf "HQ_ipsec-vxlan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
- Configure firewall policy for LAN to Remote_LAN (Same Subnet in HQ) in FortiGate-Branch:
# config firewall policy
    edit 0
        set name "Allow_All"
        set srcintf "HQ_ipsec-vxlan"
        set dstintf "HQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set fsso disable
    next
end
5) On the branch subnet, verify the connectivity to the hosts on the same layer 2 segment at HQ:

Note that the branch is able to access the internet locally along with the extended layer 2 subnet at HQ.
The following diagram shows that the attacker host 172.18.18.234 is able to ping the Linux (172.18.18.50) and the Windows (172.18.18.60) decoys at HQ.
The attacker machine is able to access the internet at the same time (pinging 8.8.8.8).

6) Test that the decoy VMs generate events from an attacker originating in the branch network.
From the attacker machine, access the Linux decoy via SSH.
In the same way, all decoy services are accessible from the branch network within the same extended subnet.