AWS servers fail to match policy when policy is VPN00xxxx to the external interface
Hi All,
We have a VPN connecting to cloud AWS services. We have created policies to enable traffic from our cloud servers to the internet via our on-prem FortiGate.
However the traffic fails to hit the policy we have created and instead hits the implicit deny all.
Not sure what is going on here; we are in the process of migrating our on-prem servers to AWS cloud.
I know with AWS we can give them public IPs so they can connect direct to the internet but we want to maintain some control via our firewall.
The only thing I can think of is that we are using the same connection (our WAN interface) to connect to AWS and the internet, although when creating the policies you have the option of interface, so we have AWS-VPN to External.
Any advice or help appreciated.
regards,
Chris.
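For reference, here is what the setup described in the post looks like in FortiOS CLI, together with the flow trace that shows which interface a packet actually enters on and which policy id it matches (id 0 is the implicit deny). This is an added example, not the original poster's configuration or anything from the thread: the interface names (AWS-VPN for the tunnel, wan1 for the external side), the address object name, the 10.20.0.0/16 AWS VPC range and the 10.20.1.50 test host are all assumed, and the `#` lines are annotations rather than CLI input.

```text
# Added example (not the poster's config). Interface names, the
# 10.20.0.0/16 AWS VPC range and the 10.20.1.50 test host are assumed.

# Address object for the AWS side of the tunnel
config firewall address
    edit "AWS-VPC-Subnets"
        set subnet 10.20.0.0 255.255.0.0
    next
end

# Route-based VPN: the route for the AWS range points at the tunnel
# interface, so traffic to and from AWS is associated with AWS-VPN
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "AWS-VPN"
    next
end

# Policy: AWS subnets -> internet via the WAN interface, source-NATed
config firewall policy
    edit 0
        set name "AWS-to-Internet"
        set srcintf "AWS-VPN"
        set dstintf "wan1"
        set srcaddr "AWS-VPC-Subnets"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Flow trace: filter on the AWS test host, then read the
# "from <interface>" field of the received-packet line and the
# policy id in the iprope check. Policy 0 means the implicit deny.
diagnose debug flow filter saddr 10.20.1.50
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# Stop tracing and clear the filter afterwards
diagnose debug disable
diagnose debug reset
```

The trace is the quickest way to tell the two failure modes apart: if the received-packet line reports the packet arriving from an interface other than AWS-VPN, the `srcintf` on the policy can never match and the packet falls through to policy 0; if it does arrive on AWS-VPN but still hits policy 0, the mismatch is in the policy itself (srcaddr not covering the AWS subnet, dstintf not the interface the route lookup chose, or the policy sitting below a broader deny).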