Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JaskiratM
Staff & Editor
Staff & Editor

Created on ‎09-20-2022 08:52 PM Edited on ‎12-29-2025 12:27 PM By Community Manager

Article Id 223254

Technical TIP: Traffic from AWS LAN hosts toward remote site via IPsec tunnel does not reach FortiGate VM deployed in AWS as EC2 instance.

Description:

 

This article describes that traffic from AWS LAN hosts toward remote site via IPsec tunnel does not reach FortiGate VM deployed in AWS as EC2 instance.

 

Scope:

(PC1)----------(Firewall)==========IPSEC TUNNEL============(FortiGate in AWS)-----------(PC2)


When on PC 2, ping traffic is initiated to PC1, it does not reach the FortiGate in AWS.

In addition, traffic from PC1 only reaches PC2 if NAT is enabled on the FortiGate in AWS.


Solution:

  1. Go to the EC2 dashboard in the AWS Management console.

JaskiratM_0-1662656154009.png

 

  1. Check mark the EC2 instance which has the FortiGate AMI loaded and go to the networking section.

JaskiratM_3-1662656194637.png

 

  1. Scroll down to the network interfaces and locate the network interface which has the same IP as the LAN port of the FortiGate VM.

JaskiratM_5-1662656211376.png

 

In this example, port2 has an IP of 10.0.1.100/24.

 

JaskiratM_9-1662656232593.png

 

The AWS ENI also has the same IP(PrivateENI).

 

  1. Select the interface ID on the PrivateENI entry. Once the Network Interface settings are open, check the box and select actions, then choose Change source/destination check and select it.


JaskiratM_10-1662656276193.png

 

JaskiratM_11-1662656276204.png

 

  1. Once that option is selected, a pop-up will appear with the source destination check enabled.

By default, 'Change source/destination check' is enabled on every ENI. It prevents that interface in AWS from receiving any packets other than the destination IP of the interface IP itself.

If the source of the traffic is not from one of the IP addresses on the interface or destined to on the IP addresses on the interface, the traffic will be dropped.


JaskiratM_13-1662656309791.png

 

With the current setting any packet hitting the LAN interface of the FortiGate with the destination IP other than the Interface IP will be dropped, which is valid for the traffic between PC1 and PC2.


(S: 10.1.1.1 ,D:10.1.10.1)------------------------------>(10.1.10.1)AWS ENI---> Packet is allowed.

(S: 10.1.1.1 ,D:10.1.10.10)------------------------------>(10.1.10.1)AWS ENI--->Packet is dropped.

 

Disabling it will allow the second packet in the example above to pass through.

 

JaskiratM_14-1662656309793.png

 

  1. Uncheck the setting, then save the settings. The FortiGate VM will then be able to receive traffic from the local subnet without NAT being required for traffic coming from peer units.

 

Related document:

NAT instances - Amazon Virtual Private Cloud

2535
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.