Hi,
I am playing with Fortigate in AWS together with AWS GWLB and Geneve encapsulation. To my surprise it works, but I would like to understand HOW.
The packets from AWS GWLB endpoint service are coming to the FGT encapsulated with Geneve protocol. To differentiate between multiple source VPCs (GWLB endpoints), AWS adds optional identifier attributes (TLVs) to the packet metadata in incoming packets. With VDOMs you can have multiple logical Geneve interfaces separated by those identifiers. But as we have the PAYG licensing, we don't have VDOMs.
Now here the question: As it works fine even without VDOMs - without having the traffic differentiated by logical interface - how can Fortigate know which Geneve TLV identifier to add to outgoing packets? Is this information stored in the session table?
Thanks & regards
Markus
PS: If there is any mod here - please move this to the AWS related group if possible
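Added illustration, not code from the thread or from Fortinet: a Python sketch of the mechanism the question is about. It parses the Geneve (RFC 8926) header and its TLV options, remembers the options per inner flow, and copies them unchanged onto the reply encapsulation, which is the per-session state an appliance needs when it has no per-endpoint logical interface. Option class 0x0108 and types 1 to 3 in the comments are what I recall AWS documenting for the GWLB endpoint ID, attachment ID and flow cookie; treat them, and the simplified IPv4 flow key, as assumptions.

```python
import struct
from collections import namedtuple

# One RFC 8926 TLV option; data length must be a multiple of 4 bytes
GeneveOption = namedtuple("GeneveOption", "opt_class opt_type data")

def parse_geneve(pkt):
    """Parse a Geneve header; return (vni, protocol, options, inner_packet)."""
    if len(pkt) < 8:
        raise ValueError("truncated Geneve base header")
    ver_optlen, _, proto = struct.unpack("!BBH", pkt[:4])
    if ver_optlen >> 6:
        raise ValueError("unsupported Geneve version")
    opts_end = 8 + (ver_optlen & 0x3F) * 4        # Opt Len is in 4-byte words
    if len(pkt) < opts_end:
        raise ValueError("truncated Geneve options")
    vni = int.from_bytes(pkt[4:7], "big")
    options, off = [], 8
    while off < opts_end:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", pkt[off:off + 4])
        dlen = (len_byte & 0x1F) * 4               # low 5 bits = data length in words
        if off + 4 + dlen > opts_end:
            raise ValueError("option overruns the options area")
        options.append(GeneveOption(opt_class, opt_type, pkt[off + 4:off + 4 + dlen]))
        off += 4 + dlen
    return vni, proto, tuple(options), pkt[opts_end:]

def build_geneve(vni, proto, options, inner):
    """Re-encapsulate inner, copying the stored options onto the header unchanged."""
    body = b"".join(struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
                    for o in options)
    return struct.pack("!BBH", len(body) // 4, 0, proto) + vni.to_bytes(3, "big") + b"\x00" + body + inner

def inner_flow_key(ip_pkt, reverse=False):
    """IPv4 (src, dst, protocol) of the inner packet; reversed to match the reply direction."""
    src, dst, proto = ip_pkt[12:16], ip_pkt[16:20], ip_pkt[9]
    return (dst, src, proto) if reverse else (src, dst, proto)

class TlvFlowCache:
    """Per-flow memory of the inbound TLVs (assumed AWS class 0x0108, types 1-3): the session
    state a single-VDOM appliance needs so the reply carries the identifiers GWLB sent."""
    def __init__(self):
        self._flows = {}
    def learn(self, geneve_pkt):
        vni, proto, options, inner = parse_geneve(geneve_pkt)
        self._flows[inner_flow_key(inner)] = (vni, proto, options)
        return inner
    def encapsulate_reply(self, inner_reply):
        vni, proto, options = self._flows[inner_flow_key(inner_reply, reverse=True)]
        return build_geneve(vni, proto, options, inner_reply)
```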