Description
This article describes how to configure a GENEVE tunnel interface on FortiOS-based Virtual Machines for AWS Cloud deployments.
Scope
FortiOS 6.4.4 and above.
Solution
Introducing the GENEVE tunnel protocol.
Security inspection models used in AWS Cloud infrastructures rely on the AWS Appliance Gateway (AGW, the service AWS offers as the Gateway Load Balancer, GWLB) to provide a transparent insertion point between users and security services.
An AGW has two sides, Frontend and Backend. The side that faces the traffic source and destination is the AGW Frontend; the side that faces the target appliances is the AGW Backend. On the Frontend, the AGW operates in bump-in-the-wire mode, acting as the next-hop gateway. On the Backend, the AGW operates as a load balancer, steering each traffic flow through one of several equivalent target appliances. The AGW keeps a flow sticky to the same appliance in both directions and reroutes flows if the selected appliance becomes unhealthy.
The AGW is designed to be transparent to users and applications: the source and destination software stacks have no knowledge that an AGW and appliances may sit in the traffic path. The original packets therefore keep their own source and destination IPs and, if forwarded by a regular routing table, would simply bypass the AGW and the appliances.
Transparently forwarding the original packets to the AGW and the appliances therefore requires, first, that those packets be routed toward the AGW by the underlying VPC routing tables and, second, that they be encapsulated into a new L3 packet addressed to the appliances.
To achieve this transparent forwarding (i.e. to keep the original packet contents unchanged) while still providing extra information to the appliances, the AGW encapsulates the original packet in a GENEVE tunnel and sends packets to, and receives packets from, the appliances over that tunnel. An appliance must decapsulate the GENEVE packet (header and TLV options) to process the original packet, then re-encapsulate it on the way back. The AGW is a packet-in/packet-out service: it maintains no L4-L7 state and performs no TLS/SSL decryption or encryption. Those functions are the responsibility of the appliances.
In addition, so that partners can support multi-tenant appliances, an appliance needs to know the source and destination of the traffic even when customer CIDRs overlap. The AGW provides this by attaching extra information (AGW Endpoint ID, Attachment ID and Flow Cookie) as Type-Length-Value (TLV) options in each GENEVE packet.
GENEVE Protocol Encapsulation Details.
Example of a GENEVE tunnel configuration.
Assume a customer wants to secure the data flow between a client located on the Internet (80.12.67.53) and a web service (10.35.1.245) located in its own AWS VPC. Traffic from the client is at some point routed toward the AGW that fronts the firewall appliance fleet. The AGW encapsulates this traffic into a GENEVE packet and sends it to UDP port 6081 of the FortiGate VM appliance instance selected for the flow. After inspection, the FortiGate appliance routes the traffic, via the GENEVE tunnel, back to the AGW, which forwards it to the target web service. In this scenario, the GENEVE tunnel endpoints are 10.4.1.22/24 on the AGW/GWLB side and 10.4.1.139/24 on the FortiGate side.
Corresponding FortiGate configuration:
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.4.1.139 255.255.255.0    <- GENEVE tunnel local IP address
        set allowaccess ping http https ssh
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "consumer"
        set vdom "root"
        set type geneve
        set snmp-index 4
        set interface "port1"
    next
end
# config system geneve
    edit "consumer"                        <- GENEVE tunnel interface definition
        set interface "port1"
        set type ppp                       <- case where the inner packet has no Ethernet header
        set remote-ip 10.4.1.22            <- GENEVE tunnel remote peer IP address
    next
end
# config firewall policy
    edit 1
        set srcintf "consumer"
        set dstintf "consumer"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
                                           <- security profiles are typically added here
    next
end
# config router static
    edit 1
        set gateway 10.4.1.22              <- route back to the AGW/GWLB in the Availability Zone
        set device "consumer"
    next
end
Corresponding packet capture details:
Note: in the example above, the inner packet does not include an Ethernet header; the GENEVE header carries protocol type 0x0800 (IPv4) and the IP header follows the GENEVE options directly. This is why the GENEVE tunnel must be configured with the 'ppp' type (set type ppp). If a capture instead shows an inner Ethernet header (GENEVE protocol type 0x6558, Transparent Ethernet Bridging), the tunnel must be configured with 'set type ethernet'; a mismatch leaves the FortiGate unable to parse the inner packet and the AGW health checks and traffic through the tunnel will fail.
Copyright 2024 Fortinet, Inc. All Rights Reserved.