Tuesday, July 9, 2019

Fortinet, ZScaler, GRE tunnels and the need to bypass

Hey all, I need your ideas please.

We’re a ZScaler customer for web filtering. We use IPSec tunnels from each branch to the closest tower for location-based access rules. (We also use the ZScaler app locally for auth and offsite protection.)

The IPSec tunnels terminate on a Fortinet firewall in each branch. We have a number of websites and systems that we need to break out locally rather than sending onwards to ZScaler. (Mainly for compatibility reasons, but it can also be licensing etc.)

Currently this works nicely. The IPSec tunnels are tunnel mode, not interface mode.

The general topology looks something like: CoreSwitch -> Firewall -> TCP 80+443 tunnel to ZScaler -> Internet

ZScaler have a 200 Mb/s limit on an IPSec tunnel. My head office is now hitting that limit and I need to change my traffic forwarding method. The recommendation is to move to a GRE tunnel as this supports 1 Gb/s.

I’ve labbed this up and got it working.

The problem is that I can no longer bypass traffic easily as the GRE tunnel is an interface. Routing occurs before the policy lookup. (https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-life-of-packet-52/LoP-packet-flow.htm)

I know I can drop the tunnels completely and rely only on the ZScaler app but then I’ll lose the ability to have bandwidth control per site. (https://help.zscaler.com/zia/choosing-traffic-forwarding-methods)

I need to come up with a new solution. I need your ideas.

I need to do destination-based routing that supports plain IP addresses, FQDNs and, if possible, the increasing need for wildcard FQDNs. Ideally it will have a user-friendly interface so my wider team can operate it daily. (We have a high rate of change.)
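One way to keep the bypass list in a plain text file the wider team can edit, and turn it into FortiOS policy routes that send chosen destinations out the local WAN before the default route pulls them into the GRE interface, as an added example that is not part of the original post or any Fortinet/ZScaler tooling. It assumes the FortiOS 5.x `config router policy` CLI (`set input-device`, `set dst`, `set gateway`, `set output-device`), hypothetical interface names `port1` and `wan1`, a hypothetical next hop `198.51.100.1`, and a constructed DNS table in place of a live resolver so it runs offline. Wildcard FQDNs have no fixed prefix to route on, so the script reports them separately instead of silently dropping them; that list is exactly the part of the requirement a prefix-based policy route cannot cover.

```python
"""Expand a destination bypass list into FortiOS policy-route stanzas.

Added example, not the post author's configuration. Interface names,
gateway and the sample bypass list below are constructed placeholders.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# RFC 1123 style hostname: dotted labels, letters-only TLD, <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

# Constructed sample bypass list (what the team would edit day to day).
BYPASS_LIST = [
    "203.0.113.10",        # single host
    "198.51.100.0/24",     # whole subnet
    "crm.example.com",     # FQDN, resolved to prefixes at generation time
    "*.cdn.example.net",   # wildcard FQDN: cannot become a static prefix
]

# Constructed stand-in for DNS so the example runs offline.
SAMPLE_DNS: Dict[str, List[str]] = {
    "crm.example.com": ["192.0.2.20", "192.0.2.21"],
}


def dns_resolver(host: str) -> List[str]:
    """Live IPv4 resolver for real use; returns [] when the name fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(entry: str) -> str:
    """Return 'network', 'fqdn', 'wildcard' or 'invalid' for one list entry."""
    entry = entry.strip()
    if entry.startswith("*."):
        return "wildcard" if HOSTNAME_RE.match(entry[2:]) else "invalid"
    try:
        ipaddress.ip_network(entry, strict=False)   # accepts host or CIDR
        return "network"
    except ValueError:
        pass
    return "fqdn" if HOSTNAME_RE.match(entry) else "invalid"


def expand(
    entries: List[str], resolve: Callable[[str], Optional[List[str]]]
) -> Tuple[List[str], List[str], List[str]]:
    """Turn the list into (prefixes, wildcards, rejected).

    prefixes: CIDR strings in list order, de-duplicated, ready for routing.
    wildcards: entries that need a name-based mechanism, not a route.
    rejected: malformed entries or FQDNs the resolver could not answer.
    """
    prefixes: List[str] = []
    wildcards: List[str] = []
    rejected: List[str] = []
    seen = set()
    for raw in entries:
        entry = raw.strip()
        kind = classify(entry)
        if kind == "network":
            nets = [str(ipaddress.ip_network(entry, strict=False))]
        elif kind == "fqdn":
            addrs = resolve(entry) or []
            if not addrs:
                rejected.append(entry)
                continue
            nets = [str(ipaddress.ip_network(a)) for a in addrs]
        elif kind == "wildcard":
            wildcards.append(entry)
            continue
        else:
            rejected.append(entry)
            continue
        for net in nets:
            if net not in seen:
                seen.add(net)
                prefixes.append(net)
    return prefixes, wildcards, rejected


def render_policy_routes(
    prefixes: List[str], input_device: str, output_device: str,
    gateway: str, start_id: int = 1,
) -> str:
    """Emit one FortiOS policy-route stanza per prefix (assumed 5.x syntax)."""
    lines = ["config router policy"]
    for seq, prefix in enumerate(prefixes, start=start_id):
        lines += [
            f"    edit {seq}",
            f'        set input-device "{input_device}"',
            f"        set dst {prefix}",
            f"        set gateway {gateway}",
            f'        set output-device "{output_device}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    prefixes, wildcards, rejected = expand(BYPASS_LIST, SAMPLE_DNS.get)
    print(render_policy_routes(prefixes, "port1", "wan1", "198.51.100.1"))
    for name in wildcards:
        print(f"# wildcard {name}: needs a name-based bypass, not a route")
    for name in rejected:
        print(f"# rejected {name}: malformed or unresolvable")
```

Swap `SAMPLE_DNS.get` for `dns_resolver` to generate from live DNS; because resolved prefixes go stale, the generation step belongs on a schedule with a diff against the running config rather than as a one-off paste, and the wildcard report is the reminder that those names still have to be handled on the ZScaler side or by some name-aware mechanism the firewall offers.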

Has anyone else hit this? How have you approached this?

All help and ideas welcomed.

Cheers

Hkey.
