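Content-Type: multipart/mixed; boundary="==AZURE=="
MIME-Version: 1.0

--==AZURE==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

LICENSE-TOKEN: ${flex_token}

--==AZURE==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0

# FortiGate bootstrap configuration, rendered by Terraform templatefile() and
# delivered to the VM as Azure custom data.
# Template inputs: flex_token, ha_gateway, ha_priority, ha_peer_ip, elb_pip,
# fgt_asn_az, bgp_az_peers, bgp_az_asn, ipsec_aws_peer, psksecret, fgt_asn_aws.
# NOTE(review): the rendered text carries the FortiFlex token and the IPsec
# pre-shared key in clear; it ends up in the VM custom data and in Terraform
# state/plan output, so both must be handled as secrets (declare psksecret and
# flex_token with sensitive = true on the Terraform side).
# Lines starting with "#" are ignored by the FortiOS CLI.

# HA: active-passive pair; port3 carries the heartbeat and the dedicated HA
# management interface. Peer address and priority come from the template.
config system ha
    set group-name "fgtha"
    set mode a-p
    set hbdev "port3" 100
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway ${ha_gateway}
        next
    end
    set override enable
    set priority ${ha_priority}
    set unicast-hb enable
    set unicast-hb-peerip ${ha_peer_ip}
end

# Administrative access: SSH/HTTPS only on the HA management port (port3);
# who can reach it is governed by the subnet NSG, which this template does not
# control. port1 (external) answers only load-balancer health probes.
config system interface
    edit "port3"
        set allowaccess ssh https
    next
    edit "port1"
        set allowaccess probe-response
    next
end

# Inbound RDP: external LB public IP, TCP/3389 only, DNAT to the workload host.
config firewall vip
    edit "rdp-to-100"
        set extip ${elb_pip}
        set mappedip "10.100.100.100"
        set extintf "port1"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

# Policy for the RDP VIP. The service is pinned to RDP (the VIP only forwards
# 3389, so "ALL" added nothing but scope) and traffic is logged like the
# Azure-to-AWS policy below. srcaddr is still "all": narrow it to the known
# administrative source range(s) when those are available.
config firewall policy
    edit 1
        set name "rdp-to-100-allow"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "rdp-to-100"
        set schedule "always"
        set service "RDP"
        set nat enable
        set logtraffic all
        set logtraffic-start enable
    next
end

# Azure-side BGP: one eBGP multihop neighbor per Route Server peer on port2.
config router bgp
    set as ${fgt_asn_az}
    config neighbor
%{ for peer in bgp_az_peers ~}
        edit ${ peer }
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as ${bgp_az_asn}
        next
%{ endfor ~}
    end
end

# IPsec to AWS (IKEv2, PSK). peertype "any" performs no peer-ID check, so the
# pre-shared key is the only authentication factor; keep it long and random.
# The PSK is quoted so a value containing spaces or CLI-significant
# characters is passed to the CLI intact.
config vpn ipsec phase1-interface
    edit "aws"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set remote-gw ${ipsec_aws_peer}
        set psksecret "${psksecret}"
    next
end

config vpn ipsec phase2-interface
    edit "aws"
        set phase1name "aws"
    next
end

# Tunnel interface addressing for the AWS BGP session (APIPA range).
config system interface
    edit "aws"
        set ip 169.254.169.253/32
        set remote-ip 169.254.169.254/30
    next
end

# AWS-side BGP neighbor over the tunnel interface.
config router bgp
    config neighbor
        edit 169.254.169.254
            set remote-as ${fgt_asn_aws}
            set soft-reconfiguration enable
        next
    end
end

# Azure SDN connector; the dynamic address below resolves to the "wrkld" subnet.
config system sdn-connector
    edit "AzureSDN"
        set type azure
    next
end

config firewall address
    edit "az-wrkld-subnet"
        set type dynamic
        set sdn "AzureSDN"
        set filter "Subnet=wrkld"
    next
end

# Workload subnet -> AWS over the tunnel, HTTP only, logged.
config firewall policy
    edit 0
        set name "Azure-to-AWS"
        set srcintf "port2"
        set dstintf "aws"
        set action accept
        set srcaddr "az-wrkld-subnet"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP"
        set logtraffic all
        set logtraffic-start enable
    next
end

--==AZURE==--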