
FeatureReq: Simpler optional gcloud LandingZone - combined perimeter + client-landing-zone for non-managed clients - 3 VPC (2 for fortigate cluster) #843

Open
obriensystems opened this issue Feb 21, 2024 · 13 comments

Comments

@obriensystems
Collaborator

obriensystems commented Feb 21, 2024

Normally we run the 4 packages core-lz, client-setup, client-lz, client-project-setup and then the hub-env package around the following architecture which stands up 1 VPC for the client and 4 for the hub-env
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Architecture

Screenshot 2024-02-22 at 10 28 50 AM

Client requires a non-managed landing zone consisting of a single VPC containing both the perimeter firewall and the client workloads.
This LZ is a one-off LZ per client - unmanaged

An alternative to peering the client-landing-zone host-project with this hub-env project in #847
However peering is unavoidable as the example fortigate deployment needs 2 min for the dual LB version.

proposed gcloud only
start with base fortinet script - except this one is 3 VPC with 2 for the fortigate cluster (internal LB is in its own subnet) + 1 for the workloads
https://github.com/fortinet/fortigate-tutorial-gcp/blob/main/gcloud/tutorial-create.sh
see
fortinet/fortigate-tutorial-gcp#1
fortinet/fortigate-tutorial-gcp#5
Screenshot 2024-02-22 at 10 29 28 AM

Current hub-env VPCs are 4

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/network/vpc.yaml#L15
Screenshot 2024-02-22 at 12 42 40

check hardcoded management subnet
and docs
https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/736375/about-fortigate-vm-for-gcp

@obriensystems obriensystems self-assigned this Feb 21, 2024
@fmichaelobrien fmichaelobrien changed the title FeatureReq: Single VPC LandingZone - combined perimeter + client-landing-zone VPCs for non-managed clients FeatureReq: Simpler optional gcloud LandingZone - combined perimeter + client-landing-zone for non-managed clients - 3 VPC (2 for fortigate cluster) Feb 22, 2024
@obriensystems
Collaborator Author

obriensystems commented Feb 22, 2024

starting deployment of https://github.com/fortinet/fortigate-tutorial-gcp via fork for adjustments/PRs in
https://github.com/CloudLandingZone/fortigate-tutorial-gcp
org is olapp

@obriensystems
Collaborator Author

obriensystems commented Feb 22, 2024

  • empty org to start
  • billing quota 20 added
  • project quota 20 added
Screenshot 2024-02-22 at 12 45 45
michael@cloudshell:~/fortigate-gcloud$ gcloud config set project fortigate-gcloud-olapp
Updated property [core/project].
michael@cloudshell:~/fortigate-gcloud (fortigate-gcloud-olapp)$ mkdir ../fortigate-gcloud-olap
michael@cloudshell:~/fortigate-gcloud (fortigate-gcloud-olapp)$ cd ../fortigate-gcloud-olap/
michael@cloudshell:~/fortigate-gcloud-olap (fortigate-gcloud-olapp)$

following last Oct 2022 run in fortinet/fortigate-tutorial-gcp#1

michael@cloudshell:~/fortigate-gcloud-olap (fortigate-gcloud-olapp)$ git clone https://github.com/fortinet/fortigate-tutorial-gcp.git

@obriensystems
Collaborator Author

obriensystems commented Feb 23, 2024

switching repos

michael@cloudshell:~$ gcloud config set project fortigate-gcloud-olapp
michael@cloudshell:~ (fortigate-gcloud-olapp)$ cd kcc-olapp/
michael@cloudshell:~/kcc-olapp (fortigate-gcloud-olapp)$ ls
github  kpt
michael@cloudshell:~/kcc-olapp (fortigate-gcloud-olapp)$ cd github/
michael@cloudshell:~/kcc-olapp/github (fortigate-gcloud-olapp)$ ls
michael@cloudshell:~/kcc-olapp/github (fortigate-gcloud-olapp)$ git clone https://github.com/CloudLandingZone/fortigate-tutorial-gcp.git
Cloning into 'fortigate-tutorial-gcp'...
remote: Enumerating objects: 147, done.
remote: Counting objects: 100% (147/147), done.
remote: Compressing objects: 100% (112/112), done.
remote: Total 147 (delta 45), reused 131 (delta 33), pack-reused 0
Receiving objects: 100% (147/147), 413.66 KiB | 8.80 MiB/s, done.
Resolving deltas: 100% (45/45), done.
michael@cloudshell:~/kcc-olapp/github (fortigate-gcloud-olapp)$ cd fortigate-tutorial-gcp/
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ mkdir _CloudLandingZone
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ ls
_CloudLandingZone  deployment-manager  docs  gcloud  README.md  service_account_create.sh  terraform

follow
https://github.com/fortinet/fortigate-tutorial-gcp#how-to-deploy
https://github.com/fortinet/fortigate-tutorial-gcp/blob/main/docs/sdn_privileges.md
then
https://github.com/fortinet/fortigate-tutorial-gcp/tree/main/gcloud
review
https://github.com/fortinet/fortigate-tutorial-gcp/blob/main/docs/architecture-reference.md
review
https://github.com/fortinet/fortigate-tutorial-gcp/pull/2/files

get compute quota increased 5-10
Screenshot 2024-02-22 at 20 45 36
Screenshot 2024-02-22 at 20 46 18

Thank you for submitting Case # (ID:f122f1a15f6c4a5993) to Google Cloud Platform support for the following quota:
Change Networks from 5 to 10

2 min
Your quota request for fortigate-gcloud-olapp has been approved and your project quota has been adjusted according to the following requested limits:

+----------+------------+--------+-----------------+----------------+
| NAME     | DIMENSIONS | REGION | REQUESTED LIMIT | APPROVED LIMIT |
+----------+------------+--------+-----------------+----------------+
| NETWORKS |            | GLOBAL |              10 |             10 |
+----------+------------+--------+-----------------+----------------+

1 min to see in the console
Screenshot 2024-02-22 at 20 48 17


michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ chmod 777 service_account_create.sh 
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ GCP_PROJECT_ID=$(gcloud config get-value project)
Your active configuration is: [cloudshell-31235]
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ echo $GCP_PROJECT_ID
fortigate-gcloud-olapp

michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ ./service_account_create.sh 
Your active configuration is: [cloudshell-31235]
Creating FortigateSdnReader role in project fortigate-gcloud-olapp...
WARNING: API is not enabled for permissions: [compute.zones.list, compute.instances.list, container.clusters.list, container.nodes.list, container.pods.list, container.services.list]. Please enable the corresponding APIs to use those permissions.

Created role [FortigateSdnReader].
etag: BwYSAqrzDCA=
includedPermissions:
- compute.instances.list
- compute.zones.list
- container.clusters.list
- container.nodes.list
- container.pods.list
- container.services.list
name: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
stage: ALPHA
title: FortiGate SDN Connector Role (read-only)
Creating new service account (FortiGate SDN Connector)...
Created service account [fortigatesdn-ro].
Granting fortigatesdn-ro service account access to project fortigate-gcloud-olapp...
Updated IAM policy for project [fortigate-gcloud-olapp].
bindings:
- members:
  - serviceAccount:[email protected]
  role: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
- members:
  - user:[email protected]
  role: roles/owner
etag: BwYSAqstk54=
version: 1
serviceAccount:[email protected]
Service account created succesfully

manually enable service - add to PR

michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ gcloud services enable compute.googleapis.com
Operation "operations/acf.p2-57004541128-d5343e8d-567e-4527-bbf3-33368792b0b0" finished successfully.
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ gcloud services enable container.googleapis.com
Operation "operations/acf.p2-57004541128-206df470-c061-47b8-8942-ed985ada2a74" finished successfully.

License setup - register licenses first for byod
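The service_account_create.sh run above creates a custom FortigateSdnReader role that is meant to be read-only (it only needs to list zones, instances and GKE objects for the SDN connector) and then binds it to the fortigatesdn-ro service account. As an added example that is not part of fortigate-tutorial-gcp or this repository, the check below reads the YAML that `gcloud iam roles describe` prints and flags any included permission whose verb is not get/list/getIamPolicy, so a drift toward write permissions on that role is caught before the binding is applied. The SAMPLE_ROLE text is a constructed copy of the role output shown in the comment; the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify a custom IAM role grants only read/list permissions
# before binding it to the FortiGate SDN connector service account.
# Input is the YAML printed by `gcloud iam roles describe <ROLE> --project <PROJECT>`.

# Constructed sample mirroring the FortigateSdnReader role created by
# service_account_create.sh (values copied from the issue log, not fetched live).
SAMPLE_ROLE='etag: BwYSAqrzDCA=
includedPermissions:
- compute.instances.list
- compute.zones.list
- container.clusters.list
- container.nodes.list
- container.pods.list
- container.services.list
name: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
stage: ALPHA
title: FortiGate SDN Connector Role (read-only)'

# Print every permission under includedPermissions whose final segment is not a
# read verb. Prints nothing when the role is read-only. Reads the YAML on stdin.
nonreadonly_perms() {
  awk '
    /^includedPermissions:/ { inlist = 1; next }
    inlist && /^- / {
      perm = substr($0, 3)             # strip the leading "- "
      n = split(perm, parts, ".")
      verb = parts[n]                  # e.g. "list" in compute.instances.list
      if (verb != "get" && verb != "list" && verb != "getIamPolicy") print perm
      next
    }
    inlist && !/^- / { inlist = 0 }    # first non-list line ends the block
  '
}

# Returns 0 (true) when the role YAML passed as $1 contains no write permissions.
role_is_readonly() {
  [ -z "$(printf '%s\n' "$1" | nonreadonly_perms)" ]
}

# Against a live project the same check is:
#   gcloud iam roles describe FortigateSdnReader --project "$GCP_PROJECT_ID" | nonreadonly_perms
if role_is_readonly "$SAMPLE_ROLE"; then
  echo "FortigateSdnReader grants only read/list permissions"
else
  echo "FortigateSdnReader grants write permissions:"
  printf '%s\n' "$SAMPLE_ROLE" | nonreadonly_perms
fi
```

Run the check after service_account_create.sh and again whenever the role is edited; the same filter works on any `gcloud iam roles describe` output, so it can be pointed at the roles in the hub-env package as well.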

@obriensystems
Collaborator Author

obriensystems commented Feb 23, 2024

todo

https://support.fortinet.com/asset/#/views/products/detail;from=%252Fviews%252Fproducts

copy and rename
michael@cloudshell:~ (fortigate-gcloud-olapp)$ cp ~/FGVM8VTM24000185.lic kcc-olapp/github/fortigate-tutorial-gcp/gcloud/
michael@cloudshell:~ (fortigate-gcloud-olapp)$ cp ~/FGVM8VTM24000186.lic kcc-olapp/github/fortigate-tutorial-gcp/gcloud/

@obriensystems
Collaborator Author

tutorial-vars.sh changes

# keep
CIDR_EXT=172.20.0.0/24          # untrusted network
CIDR_INT=172.20.1.0/24          # trusted network
CIDR_HASYNC=172.20.2.0/24       # FortiGate heartbeat network
CIDR_MGMT=172.20.3.0/24         # FortiGate management network (note, this can be merged with heartbeat for firmware 7.0+)
CIDR_WRKLD_TIER1=10.0.0.0/16    # sample workload frontend network
CIDR_WRKLD_TIER2=10.1.0.0/16    # sample workload backend network
WRKLD_PROXY_IP=10.0.0.5
WRKLD_WEB_IP=10.1.0.5

# modify
#REGION=europe-west1
#ZONE1=europe-west1-b
#ZONE2=europe-west1-c
REGION=northamerica-northeast1
ZONE1=northamerica-northeast1-b
ZONE2=northamerica-northeast1-c

tutorial-create.sh adjustments

  --image-family=fortigate-70-byol \
  to match - but replace payg with byol

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/setters.yaml#L53C66-L53C113
--image-family=fortigate-70-byol \

  fgt-primary-image: projects/fortigcp-project-001/global/images/fortinet-fgtondemand-724-20230201-001-w-license

as
  --image-family=fortigate-74-byol \

see
https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/736375/about-fortigate-vm-for-gcp
https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/gcp-administration-guide/385467/finding-public-fortigate-images

run

michael@cloudshell:~ (fortigate-gcloud-olapp)$ FGT_IMG=$(gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)" | sort -r | head -1)
michael@cloudshell:~ (fortigate-gcloud-olapp)$ echo $FGT_IMG
https://www.googleapis.com/compute/v1/projects/fortigcp-project-001/global/images/fortinet-fgt-arm64-743-20240208-001-w-license

better
michael@cloudshell:~ (fortigate-gcloud-olapp)$ gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt-74 AND status:READY"
NAME: fortinet-fgt-740-20230512-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED: 
STATUS: READY

NAME: fortinet-fgt-741-20230905-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED: 
STATUS: READY

NAME: fortinet-fgt-742-20231227-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED: 
STATUS: READY

NAME: fortinet-fgt-743-20240208-001-w-license
PROJECT: fortigcp-project-001
FAMILY: fortigate-74-byol
DEPRECATED: 
STATUS: READY
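The first FGT_IMG one-liner above picked fortinet-fgt-arm64-743-... because `sort -r` orders names lexically and "a" sorts after "7", so the arm64 build lands at the top; an e2-standard-4 instance cannot boot that image. The listing that follows filters by family instead, which is the right key. As an added example that is not from fortigate-tutorial-gcp or this repository, the script below selects the newest image by family and architecture, using the YYYYMMDD stamp embedded in the image name, and shows the lexical pick beside it. SAMPLE_IMAGES is a constructed listing in the shape of `gcloud compute images list --format="value(name,family,architecture)"`; the arm64 row's family name and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pick the newest FortiGate image by family + architecture
# rather than by lexical sort of the image name.

# Constructed sample of:
#   gcloud compute images list --project fortigcp-project-001 \
#     --filter="name ~ fortinet-fgt- AND status:READY" \
#     --format="value(name,family,architecture)"
# Columns: NAME FAMILY ARCHITECTURE (whitespace separated). The x86 7.4 rows
# match the issue log; the arm64 and 7.2 rows are constructed for illustration.
SAMPLE_IMAGES='fortinet-fgt-740-20230512-001-w-license fortigate-74-byol X86_64
fortinet-fgt-741-20230905-001-w-license fortigate-74-byol X86_64
fortinet-fgt-742-20231227-001-w-license fortigate-74-byol X86_64
fortinet-fgt-743-20240208-001-w-license fortigate-74-byol X86_64
fortinet-fgt-arm64-743-20240208-001-w-license fortigate-arm64-74-byol ARM64
fortinet-fgt-724-20230201-001-w-license fortigate-72-byol X86_64'

# What the original one-liner does: reverse lexical sort, take the first name.
# Reads the listing on stdin.
lexical_pick() {
  sort -r | head -1 | awk '{ print $1 }'
}

# Newest image for a given family ($1) and architecture ($2), decided by the
# 8-digit date in the image name. Prints nothing if no row matches.
newest_image_in_family() {
  awk -v fam="$1" -v arch="$2" '
    $2 == fam && $3 == arch &&
    match($1, /-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-/) {
      stamp = substr($1, RSTART + 1, 8)      # YYYYMMDD build date
      if (stamp + 0 > best + 0) { best = stamp; name = $1 }
    }
    END { if (name != "") print name }
  '
}

echo "lexical sort picks:  $(printf '%s\n' "$SAMPLE_IMAGES" | lexical_pick)"
echo "family/arch pick:    $(printf '%s\n' "$SAMPLE_IMAGES" | newest_image_in_family fortigate-74-byol X86_64)"

# Live use (prints the image name to pin in tutorial-create.sh via --image=...):
#   gcloud compute images list --project fortigcp-project-001 \
#     --filter="name ~ fortinet-fgt- AND status:READY" \
#     --format="value(name,family,architecture)" \
#     | newest_image_in_family fortigate-74-byol X86_64
```

If pinning a specific build is not required, `--image-family=fortigate-74-byol --image-project=fortigcp-project-001` already resolves to the newest non-deprecated image in that family, which is what the `--image-family` change in tutorial-create.sh relies on; the explicit pick above is only needed when the exact build must be recorded.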

@obriensystems
Collaborator Author

0745 run - eta 45 min

michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$ ./tutorial-create.sh 
################################################################################
#
# I. VPCs and subnets
# --------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/ext-vpc-global].
NAME: ext-vpc-global
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network ext-vpc-global --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network ext-vpc-global --allow tcp:22,tcp:3389,icmp

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1].
NAME: int-vpc-nanortheast1
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network int-vpc-nanortheast1 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network int-vpc-nanortheast1 --allow tcp:22,tcp:3389,icmp

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/fgt-hasync-vpc].
NAME: fgt-hasync-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-hasync-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-hasync-vpc --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/fgt-mgmt-vpc].
NAME: fgt-mgmt-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-mgmt-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network fgt-mgmt-vpc --allow tcp:22,tcp:3389,icmp

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/ext-sb-nanortheast1].
NAME: ext-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: ext-vpc-global
RANGE: 172.20.0.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/int-sb-nanortheast1].
NAME: int-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: int-vpc-nanortheast1
RANGE: 172.20.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/fgt-hasync-sb-nanortheast1].
NAME: fgt-hasync-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: fgt-hasync-vpc
RANGE: 172.20.2.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/fgt-mgmt-sb-nanortheast1].
NAME: fgt-mgmt-sb-nanortheast1
REGION: northamerica-northeast1
NETWORK: fgt-mgmt-vpc
RANGE: 172.20.3.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 
Creating firewall...working.    
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/ext-to-fgt-fw-allowall].                       
Creating firewall...done.                                                                                                                                                   
NAME: ext-to-fgt-fw-allowall
NETWORK: ext-vpc-global
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY: 
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/int-to-fgt-fw-allowall].                       
Creating firewall...done.                                                                                                                                                   
NAME: int-to-fgt-fw-allowall
NETWORK: int-vpc-nanortheast1
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY: 
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/fgt-hasync-fw-allowall].                       
Creating firewall...done.                                                                                                                                                   
NAME: fgt-hasync-fw-allowall
NETWORK: fgt-hasync-vpc
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY: 
DISABLED: False
Creating firewall...working.   
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/fgt-mgmt-fw-allow-admin].                      
Creating firewall...done.                                                                                                                                                   
NAME: fgt-mgmt-fw-allow-admin
NETWORK: fgt-mgmt-vpc
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:22,tcp:443
DENY: 
DISABLED: False
Creating router [ext-nat-cr-nanortheast1]...done.                                                                                                                           
NAME: ext-nat-cr-nanortheast1
REGION: northamerica-northeast1
NETWORK: ext-vpc-global
Creating NAT [ext-nat-nanortheast1] in router [ext-nat-cr-nanortheast1]...working.

Creating NAT [ext-nat-nanortheast1] in router [ext-nat-cr-nanortheast1]...done.                                                                                             
################################################################################
#
# II. Reserve static IP addresses
# -------------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-mgmt-eip-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-mgmt-eip-nanortheast1-c].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-int-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-int-nanortheast1-c].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgtilb-ip-int-nanortheast1].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-ext-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-ext-nanortheast1-c].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-hasync-nanortheast1-b].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgt-ip-hasync-nanortheast1-c].
################################################################################
#
# III. Create FortiGate service account
# -------------------------------------
Your active configuration is: [cloudshell-22774]

ERROR: (gcloud.iam.roles.create) Resource in projects [fortigate-gcloud-olapp] is the subject of a conflict: A role named FortigateSdnReader in projects/fortigate-gcloud-olapp already exists.
ERROR: (gcloud.iam.service-accounts.create) Resource in projects [fortigate-gcloud-olapp] is the subject of a conflict: Service account fortigatesdn-ro already exists within project projects/fortigate-gcloud-olapp.
- '@type': type.googleapis.com/google.rpc.ResourceInfo
  resourceName: projects/fortigate-gcloud-olapp/serviceAccounts/[email protected]
Updated IAM policy for project [fortigate-gcloud-olapp].
bindings:
- members:
  - serviceAccount:[email protected]
  role: projects/fortigate-gcloud-olapp/roles/FortigateSdnReader
- members:
  - serviceAccount:[email protected]
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:service-57004541128@container-engine-robot.iam.gserviceaccount.com
  role: roles/container.serviceAgent
- members:
  - serviceAccount:[email protected]
  role: roles/containerregistry.ServiceAgent
- members:
  - serviceAccount:[email protected]
  - serviceAccount:[email protected]
  role: roles/editor
- members:
  - user:[email protected]
  role: roles/owner
- members:
  - serviceAccount:[email protected]
  role: roles/pubsub.serviceAgent
etag: BwYSC_rGTW4=
version: 1
################################################################################
#
# IV. Create Fortigate instances
# ------------------------------
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/disks/fgt-logdisk-nanortheast1-b].
NAME: fgt-logdisk-nanortheast1-b
ZONE: northamerica-northeast1-b
SIZE_GB: 100
TYPE: pd-ssd
STATUS: READY

New disks are unformatted. You must format and mount a disk before it
can be used. You can find instructions on how to do this at:

https://cloud.google.com/compute/docs/disks/add-persistent-disk#formatting

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/disks/fgt-logdisk-nanortheast1-c].
NAME: fgt-logdisk-nanortheast1-c
ZONE: northamerica-northeast1-c
SIZE_GB: 100
TYPE: pd-ssd
STATUS: READY

New disks are unformatted. You must format and mount a disk before it
can be used. You can find instructions on how to do this at:

https://cloud.google.com/compute/docs/disks/add-persistent-disk#formatting


Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instances/fgt-vm-nanortheast1-b].
NAME: fgt-vm-nanortheast1-b
ZONE: northamerica-northeast1-b
MACHINE_TYPE: e2-standard-4
PREEMPTIBLE: 
INTERNAL_IP: 172.20.0.2,172.20.1.2,172.20.2.2,172.20.3.2
EXTERNAL_IP: 34.47.2.97
STATUS: RUNNING
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/instances/fgt-vm-nanortheast1-c].
NAME: fgt-vm-nanortheast1-c
ZONE: northamerica-northeast1-c
MACHINE_TYPE: e2-standard-4
PREEMPTIBLE: 
INTERNAL_IP: 172.20.0.3,172.20.1.3,172.20.2.3,172.20.3.3
EXTERNAL_IP: 35.234.254.244
STATUS: RUNNING
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instanceGroups/fgt-umig-nanortheast1-b].
NAME: fgt-umig-nanortheast1-b
LOCATION: northamerica-northeast1-b
SCOPE: zone
NETWORK: 
MANAGED: 
INSTANCES: 0

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/instanceGroups/fgt-umig-nanortheast1-c].
NAME: fgt-umig-nanortheast1-c
LOCATION: northamerica-northeast1-c
SCOPE: zone
NETWORK: 
MANAGED: 
INSTANCES: 0
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instanceGroups/fgt-umig-nanortheast1-b].
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-c/instanceGroups/fgt-umig-nanortheast1-c].
Waiting 2 minutes for the VM instance to bootstrap...

Screenshot 2024-02-23 at 07 51 37
###################################################################################
# This script will now attempt to connect to CLI of your newly-deployed FortiGate. #
# Please log in as 'admin' using the instance id printed below as initial password
# and change the password to your own as prompted. When done, please logout using
# 'exit' command to resume the deployment.
#
# 
4242014965180213935
Wait 4 minutes a possible manual login/pw-change...


pw change did not take
Screenshot 2024-02-23 at 07 54 14

but script change did with instance id and m*s1 as pw

The authenticity of host '34.47.2.97 (34.47.2.97)' can't be established.
ECDSA key fingerprint is SHA256:5u10kjcmJkO+j3F6nucdQe6oeszdOw3nG66p3ycMQ+M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '34.47.2.97' (ECDSA) to the list of known hosts.
Please login with username=admin and password=<instance-id>
[email protected]'s password: 
You are forced to change your password. Please input a new password.
According to the password policy enforced on this device, please change your password!
New password must conform to the following policy:
minimum-length=8; must not be same as last two passwords

New Password: 
Confirm Password: 
fgt-vm-nanortheast1-b # exit
Connection to 34.47.2.97 closed.
ls: cannot access '/home/michael/.ssh/id_rsa.pub': No such file or directory
Generating new SSH key
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michael/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/michael/.ssh/id_rsa
Your public key has been saved in /home/michael/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:YkZtVbFJz5Ys+SXfbC/zXzDiEtcqAoup/H13KzLodM8 michael@cs-606565321060-default
The key's randomart image is:
+---[RSA 3072]----+
|          ..+.   |
|       . . . B . |
|      . o   = B .|
|     . .     = =.|
|      = S . o = =|
|     = +   + o +.|
|    o o.o o o o o|
| . . o..++oo.  +.|
|  o...o. +Eo..  +|
+----[SHA256]-----+
Uploading new SSH key to FortiGate. Please log in using your new admin password:
[email protected]'s password: 
fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (admin) # 
fgt-vm-nanortheast1-b (admin) # SSH key is good.

fgt-vm-nanortheast1-b (admin) # 
fgt-vm-nanortheast1-b (admin) # 
fgt-vm-nanortheast1-b # 
################################################################################
#
# V. Health checks
# ----------------

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/healthChecks/fgt-hcheck-tcp8008].
NAME: fgt-hcheck-tcp8008
PROTOCOL: HTTP
fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (probe-response) # 
fgt-vm-nanortheast1-b (probe-response) # 
fgt-vm-nanortheast1-b (probe-response) # 
fgt-vm-nanortheast1-b (probe-response) # 
fgt-vm-nanortheast1-b # 
################################################################################
#
# VI. Internal Load Balancer
# ---------------------------

758

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtilb-int-bes-nanortheast1].
NAME: fgtilb-int-bes-nanortheast1
BACKENDS: 
PROTOCOL: TCP
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtilb-int-bes-nanortheast1].
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtilb-int-bes-nanortheast1].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/forwardingRules/fgtilb-int-fwd-nanortheast1-tcp].
fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (interface) # 
fgt-vm-nanortheast1-b (port2) # 
fgt-vm-nanortheast1-b (port2) # 
fgt-vm-nanortheast1-b (secondaryip) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (secondaryip) # 
fgt-vm-nanortheast1-b (port2) # 
fgt-vm-nanortheast1-b (interface) # 
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (static) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (static) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (static) # 
fgt-vm-nanortheast1-b # 

fgt-vm-nanortheast1-b # Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/routes/rt-int-nanortheast1-default-via-fgt].
NAME: rt-int-nanortheast1-default-via-fgt
NETWORK: int-vpc-nanortheast1
DEST_RANGE: 0.0.0.0/0
NEXT_HOP: 172.20.1.4
PRIORITY: 1000

################################################################################
#
# VII. Workload spoke VPC networks
# --------------------------------



Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier1].
NAME: wrkld-tier1
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier1 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier1 --allow tcp:22,tcp:3389,icmp

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2].
NAME: wrkld-tier2
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE: 
GATEWAY_IPV4: 

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier2 --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network wrkld-tier2 --allow tcp:22,tcp:3389,icmp


Deleted [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/routes/default-route-feed25d5a1413ec3].
Deleted [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/routes/default-route-de3d97daa81107fd].
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/wrkld-sb-tier1-nanortheast1].
NAME: wrkld-sb-tier1-nanortheast1
REGION: northamerica-northeast1
NETWORK: wrkld-tier1
RANGE: 10.0.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/wrkld-sb-tier2-nanortheast1].
NAME: wrkld-sb-tier2-nanortheast1
REGION: northamerica-northeast1
NETWORK: wrkld-tier2
RANGE: 10.1.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE: 
INTERNAL_IPV6_PREFIX: 
EXTERNAL_IPV6_PREFIX: 
Creating firewall...working.         
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/wrkld-fw-tier1-allowall].
Creating firewall...done.                                                                                                                                                   
NAME: wrkld-fw-tier1-allowall
NETWORK: wrkld-tier1
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY: 
DISABLED: False
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/firewalls/wrkld-fw-tier2-allowall].
NAME: wrkld-fw-tier2-allowall
NETWORK: wrkld-tier2
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: all
DENY: 
DISABLED: False

################################################################################
#
# VIII. Peering workloads to trusted VPC network
# ---------------------------------------------

Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1].
---
autoCreateSubnetworks: false
creationTimestamp: '2024-02-23T04:45:43.140-08:00'
id: '8223224008170352024'
kind: compute#network
name: int-vpc-nanortheast1
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
peerings:
- autoCreateRoutes: true
  exchangeSubnetRoutes: true
  exportCustomRoutes: true
  exportSubnetRoutesWithPublicIp: true
  importCustomRoutes: false
  importSubnetRoutesWithPublicIp: false
  name: wrkld-peer-hub-to-tier1
  network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier1
  stackType: IPV4_ONLY
  state: INACTIVE
  stateDetails: '[2024-02-23T04:59:54.027-08:00]: Waiting for peer network to connect.'
routingConfig:
  routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/8223224008170352024
subnetworks:
- https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/int-sb-nanortheast1
---
autoCreateSubnetworks: false
creationTimestamp: '2024-02-23T04:45:43.140-08:00'
id: '8223224008170352024'
kind: compute#network
name: int-vpc-nanortheast1
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
peerings:
- autoCreateRoutes: true
  exchangeSubnetRoutes: true
  exportCustomRoutes: true
  exportSubnetRoutesWithPublicIp: true
  importCustomRoutes: false
  importSubnetRoutesWithPublicIp: false
  name: wrkld-peer-hub-to-tier1
  network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier1
  stackType: IPV4_ONLY
  state: ACTIVE
  stateDetails: '[2024-02-23T05:00:00.869-08:00]: Connected.'
- autoCreateRoutes: true
  exchangeSubnetRoutes: true
  exportCustomRoutes: true
  exportSubnetRoutesWithPublicIp: true
  importCustomRoutes: false
  importSubnetRoutesWithPublicIp: false
  name: wrkld-peer-hub-to-tier2
  network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2
  stackType: IPV4_ONLY
  state: INACTIVE
  stateDetails: '[2024-02-23T05:00:15.038-08:00]: Waiting for peer network to connect.'
routingConfig:
  routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/8223224008170352024
subnetworks:
- https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/int-sb-nanortheast1

Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2].
---
autoCreateSubnetworks: false
creationTimestamp: '2024-02-23T04:58:37.022-08:00'
id: '8307187887207950483'
kind: compute#network
name: wrkld-tier2
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
peerings:
- autoCreateRoutes: true
  exchangeSubnetRoutes: true
  exportCustomRoutes: false
  exportSubnetRoutesWithPublicIp: true
  importCustomRoutes: true
  importSubnetRoutesWithPublicIp: false
  name: wrkld-peer-tier2-to-hub
  network: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/int-vpc-nanortheast1
  stackType: IPV4_ONLY
  state: ACTIVE
  stateDetails: '[2024-02-23T05:00:21.558-08:00]: Connected.'
routingConfig:
  routingMode: REGIONAL
selfLink: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/wrkld-tier2
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global/networks/8307187887207950483
subnetworks:
- https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/subnetworks/wrkld-sb-tier2-nanortheast1
fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (static) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (static) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (static) # 
fgt-vm-nanortheast1-b # 
################################################################################
#
# IX. External Load Balancer
# ----------------------------

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/addresses/fgtelb-serv1-eip-nanortheast1].

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtelb-bes-nanortheast1].
NAME: fgtelb-bes-nanortheast1
BACKENDS: 
PROTOCOL: UNSPECIFIED
Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtelb-bes-nanortheast1].

Updated [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/backendServices/fgtelb-bes-nanortheast1].
Created [https://www.googleapis.com/compute/beta/projects/fortigate-gcloud-olapp/regions/northamerica-northeast1/forwardingRules/fgtelb-serv1-fwd-nanortheast1-l3].
fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (interface) # 
fgt-vm-nanortheast1-b (port1) # 
fgt-vm-nanortheast1-b (port1) # 
fgt-vm-nanortheast1-b (secondaryip) # new entry '11' added

fgt-vm-nanortheast1-b (11) # 
fgt-vm-nanortheast1-b (11) # 
fgt-vm-nanortheast1-b (11) # 
fgt-vm-nanortheast1-b (secondaryip) # 
fgt-vm-nanortheast1-b (port1) # 
fgt-vm-nanortheast1-b (interface) # 
fgt-vm-nanortheast1-b # 
##############################################
Configuring outbound connections
----------------------------------------------

fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (ippool) # new entry 'gcp-elb-serv1' added

fgt-vm-nanortheast1-b (gcp-elb-serv1) # 
fgt-vm-nanortheast1-b (gcp-elb-serv1) # 
fgt-vm-nanortheast1-b (gcp-elb-serv1) # 
fgt-vm-nanortheast1-b (ippool) # 
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (policy) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (policy) # 
fgt-vm-nanortheast1-b # 
###############################################
# Sample workload VMs
#----------------------------------------------

Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instances/wrkld-tier1-proxy].
NAME: wrkld-tier1-proxy
ZONE: northamerica-northeast1-b
MACHINE_TYPE: e2-small
PREEMPTIBLE: 
INTERNAL_IP: 10.0.0.5
EXTERNAL_IP: 
STATUS: RUNNING
Created [https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/zones/northamerica-northeast1-b/instances/wrkld-tier2-web].
NAME: wrkld-tier2-web
ZONE: northamerica-northeast1-b
MACHINE_TYPE: e2-small
PREEMPTIBLE: 
INTERNAL_IP: 10.1.0.5
EXTERNAL_IP: 
STATUS: RUNNING

#############################################
# Forward Inbound Connections
#--------------------------------------------

fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (vip) # new entry 'elb-serv1-to-proxy-tcp80' added

fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (elb-serv1-to-pro~p80) # 
fgt-vm-nanortheast1-b (vip) # 
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (address) # new entry 'tier1' added

fgt-vm-nanortheast1-b (tier1) # 
fgt-vm-nanortheast1-b (tier1) # 
fgt-vm-nanortheast1-b (tier1) # 
fgt-vm-nanortheast1-b (tier1) # 
fgt-vm-nanortheast1-b (address) # new entry 'tier2' added

fgt-vm-nanortheast1-b (tier2) # 
fgt-vm-nanortheast1-b (tier2) # 
fgt-vm-nanortheast1-b (tier2) # 
fgt-vm-nanortheast1-b (tier2) # 
fgt-vm-nanortheast1-b (address) # 
fgt-vm-nanortheast1-b # fgt-vm-nanortheast1-b # 
fgt-vm-nanortheast1-b (policy) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (policy) # new entry '0' added

fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (0) # 
fgt-vm-nanortheast1-b (policy) # 
fgt-vm-nanortheast1-b # 
=======================================
# Next step:
# - run tutorial-test.sh to verify everything works
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$ 

0803
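The peering step above (section VIII) is what makes the workload VPCs depend on the FortiGate hub: the hub side exports custom routes, the spoke side imports them, the spokes' own default-internet-gateway routes are deleted, and the allow-all firewall rules are tutorial conveniences. As an added example that is not part of the Fortinet tutorial or of this issue, here is a Python posture check over the JSON output of the gcloud commands named in each docstring. All sample data is constructed to match the values in the log; the tier1-side peering name `wrkld-peer-tier1-to-hub` is assumed by analogy with `wrkld-peer-tier2-to-hub`, and the firewall `sourceRanges` are invented since the log shows only `ALLOW: all`.

```python
# Added example, not part of the Fortinet tutorial scripts or this issue.
# A workload (spoke) VPC is only forced through the FortiGate hub if:
#   1. its peering with int-vpc-* is ACTIVE on both sides;
#   2. the hub exports custom routes and the spoke imports them (the
#      asymmetry visible in the peering YAML above);
#   3. 0.0.0.0/0 arrives in the spoke as an imported STATIC_PEERING_ROUTE;
#   4. the spoke owns no route to default-internet-gateway (what the
#      "Deleted [.../routes/default-route-...]" lines above achieve);
#   5. nothing in the spoke relies on an ingress rule allowing all protocols.
# Input shapes are those of the gcloud commands named in each docstring.
# All sample data is constructed to match the log, not captured output.
from typing import Dict, List

P = "https://www.googleapis.com/compute/v1/projects/fortigate-gcloud-olapp/global"


def peering(network: dict, peer_name: str) -> dict:
    """network: `gcloud compute networks describe NAME --format=json`."""
    return next((p for p in network.get("peerings", []) if p["name"] == peer_name), {})


def custom_routes_hub_to_spoke(hub: dict, hub_peer: str, spoke: dict, spoke_peer: str) -> bool:
    """Static routes cross the peering only if the hub exports and the spoke imports."""
    return bool(peering(hub, hub_peer).get("exportCustomRoutes")) and \
        bool(peering(spoke, spoke_peer).get("importCustomRoutes"))


def default_route_imported(incoming: List[dict]) -> bool:
    """incoming: `gcloud compute networks peerings list-routes --network SPOKE
    --region REGION --direction INCOMING --format=json`."""
    return any(r["destRange"] == "0.0.0.0/0" and r["type"] == "STATIC_PEERING_ROUTE"
               and r.get("imported", False) for r in incoming)


def _in_network(resource: dict, network_name: str) -> bool:
    return resource["network"].rsplit("/", 1)[-1] == network_name


def internet_gateway_routes(routes: List[dict], network_name: str) -> List[str]:
    """routes: `gcloud compute routes list --format=json`. Names of routes in
    network_name whose next hop is the default internet gateway (a firewall bypass)."""
    return [r["name"] for r in routes if _in_network(r, network_name)
            and r.get("nextHopGateway", "").endswith("/default-internet-gateway")]


def allow_all_ingress(firewalls: List[dict], network_name: str) -> List[str]:
    """firewalls: `gcloud compute firewall-rules list --format=json`."""
    return [fw["name"] for fw in firewalls
            if not fw.get("disabled") and fw.get("direction") == "INGRESS"
            and _in_network(fw, network_name)
            and any(a.get("IPProtocol") == "all" for a in fw.get("allowed", []))]


def evaluate(spoke_name: str, hub: dict, hub_peer: str, spoke: dict, spoke_peer: str,
             incoming: List[dict], routes: List[dict], firewalls: List[dict]) -> Dict[str, bool]:
    return {
        "peering_active": peering(hub, hub_peer).get("state") == "ACTIVE"
                          and peering(spoke, spoke_peer).get("state") == "ACTIVE",
        "custom_routes_hub_to_spoke": custom_routes_hub_to_spoke(hub, hub_peer, spoke, spoke_peer),
        "default_route_via_hub": default_route_imported(incoming),
        "no_internet_gateway_route": not internet_gateway_routes(routes, spoke_name),
        "no_allow_all_ingress": not allow_all_ingress(firewalls, spoke_name),
    }


# ---- constructed sample data (values taken from the log above) ----
def _net(name, peer, to, state, export_custom, import_custom):
    return {"name": name, "peerings": [{
        "name": peer, "network": f"{P}/networks/{to}", "state": state,
        "exportCustomRoutes": export_custom, "importCustomRoutes": import_custom}]}

HUB = _net("int-vpc-nanortheast1", "wrkld-peer-hub-to-tier1", "wrkld-tier1", "ACTIVE", True, False)
# the tier1 side is not in the log; name assumed by analogy with wrkld-peer-tier2-to-hub
SPOKE = _net("wrkld-tier1", "wrkld-peer-tier1-to-hub", "int-vpc-nanortheast1", "ACTIVE", False, True)
INCOMING = [
    {"destRange": "172.20.1.0/24", "type": "SUBNET_PEERING_ROUTE", "imported": True,
     "priority": 0, "nextHopRegion": "northamerica-northeast1"},
    {"destRange": "0.0.0.0/0", "type": "STATIC_PEERING_ROUTE", "imported": True,
     "priority": 1000, "nextHopRegion": "northamerica-northeast1"},
]
ROUTES = [
    {"name": "default-route-ext", "network": f"{P}/networks/ext-vpc-global",
     "destRange": "0.0.0.0/0", "nextHopGateway": f"{P}/gateways/default-internet-gateway"},
    {"name": "peering-route-tier1", "network": f"{P}/networks/wrkld-tier1",
     "destRange": "0.0.0.0/0", "nextHopPeering": "wrkld-peer-tier1-to-hub"},
]
# what remains if the "Deleted [...]" step for the spoke default route is skipped
DRIFTED_ROUTES = ROUTES + [
    {"name": "default-route-leftover", "network": f"{P}/networks/wrkld-tier1",
     "destRange": "0.0.0.0/0", "nextHopGateway": f"{P}/gateways/default-internet-gateway"}]
FIREWALLS = [  # sourceRanges are constructed; the log only shows ALLOW: all
    {"name": "wrkld-fw-tier1-allowall", "network": f"{P}/networks/wrkld-tier1",
     "direction": "INGRESS", "priority": 1000, "disabled": False,
     "allowed": [{"IPProtocol": "all"}], "sourceRanges": ["10.0.0.0/8"]},
]

if __name__ == "__main__":
    result = evaluate("wrkld-tier1", HUB, "wrkld-peer-hub-to-tier1",
                      SPOKE, "wrkld-peer-tier1-to-hub", INCOMING, ROUTES, FIREWALLS)
    for check, ok in result.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it against real output by replacing the constructed constants with `json.load` of the listed commands; with the log's values every check passes except `no_allow_all_ingress`, which is the expected finding for the tutorial's `wrkld-fw-*-allowall` rules and the first thing to tighten before a client workload lands in the VPC.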


@obriensystems
Collaborator Author

Screenshot 2024-02-23 at 08 03 37 Screenshot 2024-02-23 at 08 04 17 Screenshot 2024-02-23 at 08 04 48 Screenshot 2024-02-23 at 08 05 24 Screenshot 2024-02-23 at 08 05 45

@obriensystems
Collaborator Author

testing

michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$ ./tutorial-test.sh 
------------------------------------------------------------------------------------
# This script will run a series of tests to verify if your deployment works correctly.
# With each test you will see information about the expected output - verify if it's
# matching what is returned by the test commands.
------------------------------------------------------------------------------------

-----------------------------------------------------------
##  TEST: FGT HA clustering and licensing
##  Expected output: primary and secondary reported with proper hostnames and non-empty serial numbers
fgt-vm-nanortheast1-b # HA Health Status: OK
fgt-vm-nanortheast1-b, FGVM8VTM24000185, HA cluster index = 1
fgt-vm-nanortheast1-c, FGVM8VTM24000186, HA cluster index = 0
fgt-vm-nanortheast1-b # 
-----------------------------------------------------------
##  TEST: ELB health
##  Expected output: one healthy, one unhealthy backend
{
  "ipAddress": "172.20.0.2",
  "healthState": "HEALTHY"
}
{
  "ipAddress": "172.20.0.3",
  "healthState": "UNHEALTHY"
}
-----------------------------------------------------------
##  TEST: ILB trusted health
##  Expected output: one healthy, one unhealthy backend
{
  "ipAddress": "172.20.1.2",
  "healthState": "HEALTHY"
}
{
  "ipAddress": "172.20.1.3",
  "healthState": "UNHEALTHY"
}
-----------------------------------------------------------
##  TEST: peering routes for wrkld-tier1
##  Expected output: STATIC_PEERING_ROUTE to 0.0.0.0 is listed as accepted
DEST_RANGE: 172.20.1.0/24
TYPE: SUBNET_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 0
STATUS: accepted

DEST_RANGE: 0.0.0.0/0
TYPE: STATIC_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 1000
STATUS: accepted
-----------------------------------------------------------
##  TEST: peering routes for wrkld-tier2
##  Expected output: STATIC_PEERING_ROUTE to 0.0.0.0 is listed as accepted
DEST_RANGE: 172.20.1.0/24
TYPE: SUBNET_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 0
STATUS: accepted

DEST_RANGE: 0.0.0.0/0
TYPE: STATIC_PEERING_ROUTE
NEXT_HOP_REGION: northamerica-northeast1
PRIORITY: 1000
STATUS: accepted
-----------------------------------------------------------
##  TEST: website working
##  Expected output: HTTP 200 OK headers from nginx server
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 23 Feb 2024 13:06:31 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Fri, 23 Feb 2024 13:02:55 GMT
ETag: "65d8977f-264"
Accept-Ranges: bytes

-----------------------------------------------------------
##  TEST: website protected
##  Expected output: information about blocked access to EICAR_TEST_FILE virus
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 35076  100 35076    0     0   210k      0 --:--:-- --:--:-- --:--:--  210k
    <h1>High Security Alert</h1>
    <p>You are not permitted to download the file "eicar.com" because it is infected with the virus "EICAR_TEST_FILE".</p>

========================================
# Next step:
# - open http://34.95.49.161 to open protected web page
# - open https://34.47.2.97 to explore your FortiGate
# - run tutorial-delete.sh to clean up
michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp/gcloud (fortigate-gcloud-olapp)$ 
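Two of the checks above are left to the reader's eye: the "one healthy, one unhealthy" expectation (active-passive HA, where the ELB and ILB must also both favour the same FortiGate or inbound and outbound traffic get inspected by different units), and the EICAR download, where what comes back is an HTML block page, so the header-only "website working" check cannot distinguish "scanned and blocked" from "delivered". As an added example that is not part of tutorial-test.sh or of this issue, here are those two checks in Python over the JSON of `gcloud compute backend-services get-health NAME --region REGION --format=json` and over a fetched response body. Sample data is constructed from the log's values; the instance-group names and the external-to-internal IP mapping (`.2` on both subnets is the same FortiGate) are assumptions.

```python
# Added example, not part of tutorial-test.sh or this issue.
#  * active-passive HA: exactly one HEALTHY backend per load balancer, and the
#    ELB and ILB must both favour the same FortiGate;
#  * EICAR: the block page is HTML, so classify on the body, not the status line.
# get-health input is the JSON of
#   gcloud compute backend-services get-health NAME --region REGION --format=json
# All sample data is constructed from values in the log, not captured output.
from typing import Dict, List, Tuple


def backend_health(get_health: List[dict]) -> List[Tuple[str, str]]:
    """Flatten get-health output to (ipAddress, healthState) pairs."""
    return [(hs.get("ipAddress", "?"), hs.get("healthState", "UNKNOWN"))
            for entry in get_health
            for hs in entry.get("status", {}).get("healthStatus", [])]


def active_passive_ok(get_health: List[dict]) -> bool:
    """One HEALTHY member plus at least one standby. Two HEALTHY means the health
    check is not tracking the HA primary; zero means there is no path at all."""
    states = [s for _, s in backend_health(get_health)]
    return len(states) >= 2 and states.count("HEALTHY") == 1


def same_active_member(elb: List[dict], ilb: List[dict], ext_to_int: Dict[str, str]) -> bool:
    """ext_to_int maps each FortiGate's external-side IP to its internal-side IP."""
    ext = [ip for ip, s in backend_health(elb) if s == "HEALTHY"]
    internal = [ip for ip, s in backend_health(ilb) if s == "HEALTHY"]
    return len(ext) == 1 and len(internal) == 1 and ext_to_int.get(ext[0]) == internal[0]


BLOCK_MARKERS = ("not permitted to download", "infected with the virus")


def classify_av_response(status: int, content_type: str, body: bytes) -> str:
    """'blocked'   : the FortiGate replacement page came back instead of the file
       'delivered' : a 2xx without the block page, i.e. the payload got through
       'error'     : anything else (upstream down, LB misrouted, ...)"""
    text = body.decode("utf-8", "replace")
    if "text/html" in content_type.lower() and all(m in text for m in BLOCK_MARKERS):
        return "blocked"
    if 200 <= status < 300:
        return "delivered"
    return "error"


# ---- constructed sample data ----
def _health(backend: str, ip: str, state: str) -> dict:
    return {"backend": backend, "status": {"kind": "compute#backendServiceGroupHealth",
            "healthStatus": [{"ipAddress": ip, "healthState": state}]}}

ELB = [_health("ig-fgt-b", "172.20.0.2", "HEALTHY"), _health("ig-fgt-c", "172.20.0.3", "UNHEALTHY")]
ILB = [_health("ig-fgt-b", "172.20.1.2", "HEALTHY"), _health("ig-fgt-c", "172.20.1.3", "UNHEALTHY")]
# ILB favouring the other unit: inbound via b, outbound via c
ILB_OTHER_UNIT = [_health("ig-fgt-b", "172.20.1.2", "UNHEALTHY"), _health("ig-fgt-c", "172.20.1.3", "HEALTHY")]
SPLIT_BRAIN = [_health("ig-fgt-b", "172.20.0.2", "HEALTHY"), _health("ig-fgt-c", "172.20.0.3", "HEALTHY")]
# assumption: a FortiGate keeps the same host number on the external and internal subnets
EXT_TO_INT = {"172.20.0.2": "172.20.1.2", "172.20.0.3": "172.20.1.3"}
BLOCK_PAGE = (b"<html><body><h1>High Security Alert</h1><p>You are not permitted to download "
              b"the file \"eicar.com\" because it is infected with the virus \"EICAR_TEST_FILE\"."
              b"</p></body></html>")
PASSTHROUGH = b"placeholder bytes standing in for a payload that was not blocked"

if __name__ == "__main__":
    print("ELB active/passive:", active_passive_ok(ELB))
    print("ILB active/passive:", active_passive_ok(ILB))
    print("same unit on both LBs:", same_active_member(ELB, ILB, EXT_TO_INT))
    print("EICAR fetch:", classify_av_response(200, "text/html", BLOCK_PAGE))
```

To use it against the live deployment, feed `backend_health` the parsed get-health JSON for `fgtelb-bes-nanortheast1` and the ILB backend service, and feed `classify_av_response` the status, `Content-Type` and body of the EICAR fetch; anything other than `blocked` there means the request was answered without the FortiGate's AV profile in the path.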

@obriensystems
Collaborator Author

Screenshot 2024-02-23 at 08 17 58 Screenshot 2024-02-23 at 08 18 13 Screenshot 2024-02-23 at 08 18 28 Screenshot 2024-02-23 at 08 18 43 Screenshot 2024-02-23 at 08 18 59 Screenshot 2024-02-23 at 08 19 24

@obriensystems
Collaborator Author

diff

michael@cloudshell:~/kcc-olapp/github/fortigate-tutorial-gcp (fortigate-gcloud-olapp)$ git status
On branch main
Your branch is up to date with 'origin/main'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   gcloud/tutorial-create.sh
        modified:   gcloud/tutorial-vars.sh
        modified:   service_account_create.sh

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        gcloud/metadata_active.txt
        gcloud/metadata_passive.txt


diff --git a/gcloud/tutorial-create.sh b/gcloud/tutorial-create.sh
index bcdc731..a07ab44 100755
--- a/gcloud/tutorial-create.sh
+++ b/gcloud/tutorial-create.sh
@@ -377,6 +377,9 @@ gcloud compute disks create fgt-logdisk-$ZONE2_LABEL --zone=$ZONE2 \
 ## To find image for specific version use command like below
 #gcloud compute images list --project fortigcp-project-001 --filter="name ~ fortinet-fgt- AND status:READY" --format="get(selfLink)"
 
+#
+# https://www.googleapis.com/compute/v1/projects/fortigcp-project-001/global/images/fortinet-fgt-743-20240208-001-w-license
+
 ## Create FortiGate 4-nic instances using the image selected above.
 ## FortiGates will be provisioned with the basic configuration and with BYOL licenses from
 ## lic1.lic and lic2.lic files
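Review bot: the pinned image selfLink added at the top of this hunk (`fortinet-fgt-743-20240208-001-w-license`) is dead text; nothing reads it, and both `gcloud compute instances create` calls still resolve `--image-family=fortigate-74-byol` at run time, so a rerun can land on a different 7.4 build than the one this log validated. Either put it in tutorial-vars.sh as a variable and pass it with `--image=` in place of `--image-family`, or drop the comment so the two cannot drift apart.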
@@ -384,7 +387,7 @@ gcloud compute disks create fgt-logdisk-$ZONE2_LABEL --zone=$ZONE2 \
 gcloud compute instances create fgt-vm-$ZONE1_LABEL --zone=$ZONE1 \
   --machine-type=e2-standard-4 \
   --image-project=fortigcp-project-001 \
-  --image-family=fortigate-70-byol \
+  --image-family=fortigate-74-byol \
   --can-ip-forward \
   --network-interface="network=ext-vpc-global,subnet=ext-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-ext-$ZONE1_LABEL" \
   --network-interface="network=int-vpc-$REGION_LABEL,subnet=int-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-int-$ZONE1_LABEL" \
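Review bot: `--image-family=fortigate-74-byol` is a major FortiOS jump (7.0 to 7.4) hard-coded in the create call, and the same literal is repeated in the ZONE2 hunk below, so the next bump has to be made in two places. Move the family into tutorial-vars.sh and reference one variable from both instance creates. The BYOL family still loads lic1.lic/lic2.lic per the comment just above this hunk; confirm those licenses are accepted by 7.4 before making it the default.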
@@ -400,7 +403,7 @@ gcloud compute instances create fgt-vm-$ZONE1_LABEL --zone=$ZONE1 \
 gcloud compute instances create fgt-vm-$ZONE2_LABEL --zone=$ZONE2 \
   --machine-type=e2-standard-4 \
   --image-project=fortigcp-project-001 \
-  --image-family=fortigate-70-byol \
+  --image-family=fortigate-74-byol \
   --can-ip-forward \
   --network-interface="network=ext-vpc-global,subnet=ext-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-ext-$ZONE2_LABEL" \
   --network-interface="network=int-vpc-$REGION_LABEL,subnet=int-sb-$REGION_LABEL,no-address,private-network-ip=fgt-ip-int-$ZONE2_LABEL" \
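Review bot: same `fortigate-74-byol` literal as in the ZONE1 hunk; if the two ever differ the HA pair runs mismatched FortiOS builds, which a single image variable in tutorial-vars.sh rules out. Nothing else changes in this hunk.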
@@ -453,6 +456,9 @@ echo "# This script will now attempt to connect to CLI of your newly-deployed Fo
 ## Find out active FortiGate instance id
 gcloud compute instances describe fgt-vm-$ZONE1_LABEL --zone=$ZONE1 --format="get(id)"
 
+echo "Wait 4 minutes a possible manual login/pw-change..."
+sleep 240
+
 ## Wait a moment, connect to FortiGate and configure admin password
 ssh admin@$EIP_MGMT
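Review bot: the fixed `sleep 240` before `ssh admin@$EIP_MGMT` is a guess at boot time, and the echo text ("Wait 4 minutes a possible manual login/pw-change...") reads as if a word is missing. Poll instead of sleeping: loop on `gcloud compute instances get-serial-port-output fgt-vm-$ZONE1_LABEL --zone=$ZONE1` until the login prompt shows up, or retry the ssh with `-o ConnectTimeout=10` until it connects, with an upper bound so the script fails fast when the instance never comes up instead of dropping into an ssh that hangs. Reword the message to say what the operator has to do when the prompt appears (set the admin password).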
 
diff --git a/gcloud/tutorial-vars.sh b/gcloud/tutorial-vars.sh
index 63a2c6e..aa79c51 100755
--- a/gcloud/tutorial-vars.sh
+++ b/gcloud/tutorial-vars.sh
@@ -10,11 +10,14 @@ WRKLD_PROXY_IP=10.0.0.5
 WRKLD_WEB_IP=10.1.0.5
 
 ## Define region and zones for deployment and save into variables for convenience
-REGION=europe-west1
-ZONE1=europe-west1-b
-ZONE2=europe-west1-c
+#REGION=europe-west1
+#ZONE1=europe-west1-b
+#ZONE2=europe-west1-c
+REGION=northamerica-northeast1
+ZONE1=northamerica-northeast1-b
+ZONE2=northamerica-northeast1-c
 ### Some resource names will be labeled with region or zone name. Let's use their
 ### shortened names:
 REGION_LABEL=$(echo $REGION | tr -d '-' | sed 's/europe/eu/' | sed 's/australia/au/' | sed 's/northamerica/na/' | sed 's/southamerica/sa/' )
 ZONE1_LABEL=$REGION_LABEL-${ZONE1: -1}
-ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}
+ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}
\ No newline at end of file
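Review bot: the last hunk line changes `ZONE2_LABEL=$REGION_LABEL-${ZONE2: -1}` only by dropping the trailing newline (`\ No newline at end of file`), which is noise that will keep showing up in every future diff; re-add the newline. Leaving the europe-west1 lines commented out rather than deleted is fine for a one-off, but note that the unchanged `REGION_LABEL` sed chain maps `northamerica` to `na`, which is why every resource in the log above is named `*-nanortheast1`; any name hardcoded elsewhere has to follow that label.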
diff --git a/service_account_create.sh b/service_account_create.sh
old mode 100644
new mode 100755
index 6b8500c..60fd4f5
--- a/service_account_create.sh
+++ b/service_account_create.sh
@@ -2,6 +2,10 @@
 
 GCP_PROJECT_ID=$(gcloud config get-value project)
 
+## set services for roles in existing project
+gcloud services enable compute.googleapis.com
+gcloud services enable container.googleapis.com
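Review bot: `gcloud services enable container.googleapis.com` turns on GKE in a project where everything else in this thread is Compute (VPCs, FortiGate VMs, load balancers); unless the landing zone also deploys GKE, drop it, since every enabled API is surface a compromised service account can reach. Pass `--project "$GCP_PROJECT_ID"` explicitly too, as the variable is set two lines above but both enable calls rely on the ambient gcloud config, and the 100644 to 100755 mode change deserves a mention in the commit message.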

@obriensystems
Collaborator Author

verify alternate ip address on elb/ilb - for routing to work

@obriensystems
Collaborator Author

Check networks | static routes
Screenshot 2024-02-29 at 10 32 27

2 participants