| Description |
This article describes the method to route ingress and egress traffic bounded to the FortiGate loopback interface in AWS VPC.
By default, the AWS VPC router will route traffic to and from FortiGate ENI (Elastic Network Interface) for only the subnet to which the ENIs are associated. Hence traffic sourced/destined to configured network interfaces will always work.
Consider the below topology. In this, traffic to/from the FortiGate loopback interface will fail.
FG04 # diag ip address list IP=10.4.0.5->10.4.0.5/255.255.255.0 index=3 devname=port1 IP=10.4.2.5->10.4.2.5/255.255.255.0 index=4 devname=port2 IP=10.4.1.1->10.4.1.1/255.255.255.255 index=11 devname=loopback-mgmt
By default, the VPC router will not route traffic from server 10.4.2.9 to loopback interface 10.4.1.1 via FortiGate interface: port2.
The traffic sourced from the FortiGate loopback interface 10.4.1.1 will fail. This will impact all loopback-related traffic to and from FortiGate VM in AWS. |
| Scope | FortiGate-VM instance in AWS. |
| Solution |
By default, the AWS VPC route table will have the VPC IPv4 CIDR mapped to ‘local’, which is the VPC router.
Route to loopback interface IP 10.4.1.1/32 cannot be added to the route table because the route destination does not match any subnet that is configured in the VPC.
It is recommended to modify the target as network interface – FortiGate port 2 for the destination 10.4.0.0/16.
Test Result:
 |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip : How to route loopback traffic of F...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.