Subnets in hub architecture and spokes in OCI

Forum|Forum|1 year ago
September 26, 2024
3 replies
1727 views

Hello community.

We are implementing fortigate in the OCI cloud. We have seen several tutorials that indicate that for each network I want traffic to be sent over the fortigate I need a VCN.

My question is, can I create 1 single VCN Spoke and there have all the subnets I need making the traffic go through the FW.

I have tested with the above configuration and sending traffic between subnets in the same spoke VCN but the FW does not do policy validation, it sends the traffic directly.

FortiGate

Best answer by GIAdmin

Hello Fortigate community. We have found the solution in the following article because the problem was that the traffic was entering and exiting through the same interface and did not make policy check:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Traffic-handled-by-FortiGate-for-packet-which/ta-p/196651?externalID=FD36468

In summary if you can have more than one subnet per VCN in OCI if you want to deploy a Fortigate FW.

Guide to deploy Fortigate FW:

https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=846

lgupta

Staff

Hello GIAdmin, Good day!

I have tested with the above configuration and sending traffic between subnets in the same spoke VCN but the FW does not do policy validation, it sends the traffic directly.

Could you please confirm if the traffic is hitting the firewall using sniffer?

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222

If the traffic is hitting the firewall, please run a debug flow to validate the traffic flow.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow

Other reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

Thank you!

kinmo

New Member

Some of these responses come across as being dogmatic. Hub of network only, then DNS should be in its own Spoke? Where do you draw the line.

OP, it depends on what works for the organisation. Some see share services as peer to a business app (thus a spoke), others view shared services as part of the underlying infrastructure fabric supporting businesses apps, thus part of the Hub.

Just don't develop tunnel vision.

GIAdminAuthorAnswer

Visitor III

Hello Fortigate community. We have found the solution in the following article because the problem was that the traffic was entering and exiting through the same interface and did not make policy check:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Traffic-handled-by-FortiGate-for-packet-which/ta-p/196651?externalID=FD36468

In summary if you can have more than one subnet per VCN in OCI if you want to deploy a Fortigate FW.

Guide to deploy Fortigate FW:

https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=846

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded