FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 228212



This article describes how to configure a GENEVE tunnel interface on FortiOS-based Virtual Machines for AWS Cloud deployments.




FortiOS 6.4.4 and above.




Introducing the GENEVE tunnel protocol.


Security Inspection models used in AWS Cloud Infrastructures rely on AWS Appliance Gateway (AWG) services to provide a transparent interface between users and Security Services.


An AGW has two sides (Frontend and Backend). The side that faces the traffic source and destination is called AGW Frontend. The side that faces target appliances is called AGW Backend. On the AGW Frontend, AGW operates in bump-in-the-wire mode, acting as the next-hop gateway. On AGW Backend, AGW operates as a load-balancer for routing traffic flows through one out of multiple equivalent target appliances. AGW ensures stickiness of flows in both directions with target appliances and also reroutes flows if one of the selected appliances becomes unhealthy.




AGW is designed to work transparently for users and applications i.e. traffic source and destination software stacks do not have any knowledge there may be an AGW and Appliances in the traffic path. Thus, by default, that means source/destination IPs of users and applications' original packets would normally bypass the AGW or appliances if being routed using a regular routing table.


Transparently forwarding original packets to the AGW and Appliances requires firstly those packets to be routed towards the AGW using the underlying VPC routing tables, and secondly to be encapsulated into a new L3 packet towards the appliances.


To achieve this transparent forwarding behavior (i.e. to keep the original packet contents as it is) and be able to provide extra information to the appliances, AGW encapsulates the original packet in a GENEVE tunnel and sends/receives packets to/from appliances. Appliances need to decap-encap GENEVE TLVs to process the original packet. AGW is a packet-in/packet-out service. It does not maintain any L4-L7 states and does not perform TLS/SSL decryption/encryption. These functions are the responsibility of the appliances.


In addition, in order to enable partners to support multi-tenant appliances, another key requirement is that appliances need to know the source and destination of the traffic, even in case of overlapping customer CIDRs. AGW can achieve this by sending extra information to the appliance (e.g. AGW Endpoint ID, Attachment ID, Flow Cookie) using a Type-Length-Value (TLV) triplet in each GENEVE packet.


GENEVE Protocol Encapsulation Details.




Example of a GENEVE tunnel configuration.


Assuming a customer wants to secure the data flow between a client located on the Internet ( and a Web Service ( located in its own AWS VPC. Typically, traffic from the client will be routed at some point toward the AGW facing the Firewall Appliance fleet. The AGW then encapsulates this traffic into a GENEVE tunnel packet which is then sent toward the best suitable FortiGate VM appliance instance to UDP port 6081. After inspection, the FortiGate appliance routes, via the GENEVE tunnel, this traffic back to the AGW which then forwards it to the target Web Service. In this scenario, the GENEVE tunnel endpoints are on the AGW/GWLB side and on the FortiGate side.


Corresponding FortiGate configuration:


# config system interface

    edit "port1"

        set vdom "root"

        set ip   <<< GENEVE tunnel local IP address

        set allowaccess ping http https ssh

        set type physical

        set snmp-index 1

        set mtu-override enable

        set mtu 9001


    edit "consumer"

        set vdom "root"

        set type geneve

        set snmp-index 4

        set interface "port1"




# config system geneve

    edit "consumer"              <- GENEVE tunnel interface definition

        set interface "port1"

        set type ppp    <- case where the internal packet has no Ethernet Header.

        set remote-ip <- GENEVE tunnel remote peer IP address.            




# config firewall policy

    edit 1

        set srcintf "consumer"

        set dstintf "consumer"

        set srcaddr "all"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set service "ALL"

                            <- Security Profile is typically added here




# config router static

    edit 1

        set gateway <- route back to the AGW/GWLB in the Availability Zone

        set device "consumer"




Corresponding packet capture details:




Note: in the example above, the ‘Internal packet’ does not include any Ethernet Header. This implies the GENEVE tunnel needs to be configured with ‘ppp’ type (set type ppp).