Skip to main content
tozden
tozden
New Member
December 2, 2021
Question

How to add 1000+ IP addresses?

  • December 2, 2021
  • 4 replies
  • 4792 views

We use FortiGate 100E as the company FW & VPN Gateway for remote workers. Within the office we access AWS services with IP based restrictions (office IP is granted access to AWS services). 

Now I need to give AWS Services access to remote users will be connected to office VPN on Fortigate 100E.

 

I do not want to inject default route to VPN users but selectively inject routes which are needed AWS services. Here I have a list of 1800+ different subnets which I obtained from Amazon.

It is not possible to insert them one by one manually over FortiGate web interface.

I think I am not the only person who needed to give access to AWS services over VPN gateway.  Does anyone has a better solution proposal (other than injecting default route)?

 

4 replies

Cudin
Cudin
Explorer
December 2, 2021

Hi tozden,

if possibile i would disable split-tunneling to force routing of all vpn traffic to the office, so it could be forwarded correctly to AWS services without the need to reconfigure all vpn routes client-side

 

hermann
hermann
Visitor III
December 3, 2021

agree with Cudin.

Or, If you need access to Webservices only, you could make use of a Web proxy with a smart proxy.pac script that the VPN clients should use. The script could manage the access a smart way: AWS access through the Web proxy using the IP address of branch office and the rest on the direct way.

BR

Hermann M.

    Cudin
    Cudin
    Explorer
    December 3, 2021

    Hello Hermann,

    very interesting solution, could you please detail further how to create the web proxy script in that way?

    Markus_M
    Staff & Editor
    Markus_M
    Staff & Editor
    December 4, 2021

    When I need to add a bunch of "the same" stuff to a FGT I will usually

    - get a backup configuration

    - copy the respective section out of it

    - use some advanced search and replace editor, "Notepad++" or "sublime" do it well as example

    - get my to be inserted data set into some format that can then be used to search and replace the unneeded content with the
    edit 0
    set ....
    next
    edit 0

    set ...

    next

     

    and so on.

    Search your list of IPs for the pattern as text before and after the IP, make it replaceable with some FGT syntax.

     

    Best regards,

     

    Markus

    Jackstorm
    Jackstorm
    Visitor III
    December 4, 2021

    It is easy to use script and fortigate api to create huge address. 
    if you cannot code, you can try nimble, (https://nimbletext.com/live), you can use list and template to create huge amount address, policy,etc. apply it via firewall script, it is also efficient. 

     

      Terms & ConditionsAccessibility statement