FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JaskiratM
Staff
Article Id 230829
Description

This article describes a general troubleshooting approach for routing and traffic issues in an AWS cloud environment that is connected to an on-premises firewall via IPsec VPN.

 

Scope

A FortiGate deployed in AWS, connected to an on-premises FortiGate via IPsec VPN:

 

(LAN-172.16.1.0/24)------(FGT)======IPSEC=====(FGT AWS)-------(private subnet: 10.0.1.0/24)

 

A Windows server is deployed in the private subnet with the IP address 10.0.1.148.

When a user on the LAN behind the on-premises FortiGate pings the 10.0.1.148 server, the ping fails, but the debug flow and sniffer output on both FortiGates show the traffic leaving the AWS FortiGate.

 

Solution

1) Pick one node as the starting point and walk through every node in the path to the endpoint. In this case, the path is everything between the AWS FortiGate and the endpoint:

-> Private ENI (network interface of the EC2 instance)
-> Security group of the EC2 instance
-> Route table of the private subnet
-> Security group associated with the private subnet
-> Security group associated with the endpoint EC2 instance
-> The ENI of the endpoint EC2 instance

 

2) The private ENI of the FortiGate needs to be checked for the source/destination check setting, as described in the article below:

https://community.fortinet.com/t5/FortiGate/Technical-TIP-Traffic-from-AWS-LAN-hosts-toward-remote-s...

 

3) Check the security groups of the FortiGate EC2 instance for inbound/outbound rules, to see whether the IP is covered by the outbound rule:

In the EC2 dashboard, select the FortiGate EC2 instance and check its Security section:

 

[Screenshot: Security section of the FortiGate EC2 instance]

 

4) The route table needs to have a route to the destination and must be associated with the subnet.

In the EC2 dashboard, select the FortiGate instance in question and find the associated private subnet.

The details of the subnet can be viewed by clicking the Subnet ID.

 

[Screenshot: Networking section of the FortiGate instance showing the Subnet ID]

 

A new tab with the subnet information opens. In the Route table section, all routes of the subnet are listed.

 

[Screenshot: Route table section of the private subnet]

 

5) In the same tab, under Network ACL, check the inbound and outbound rules.

 

[Screenshot: Network ACL section of the private subnet]

 

6) The last things to check are the security groups (inbound/outbound rules) and the source/destination check setting of the endpoint's ENI.

EC2 dashboard -> endpoint EC2 instance -> Networking section, as shown below:

 

[Screenshot: Networking section of the endpoint EC2 instance]

 

The ENI settings can be checked by following the article below:

https://community.fortinet.com/t5/FortiGate/Technical-TIP-Traffic-from-AWS-LAN-hosts-toward-remote-s...
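The six steps above are console checks. As an added example (not from this article and not Fortinet or AWS code), the script below applies the same checks offline to one flow: the FortiGate ENI's source/destination check, the subnet route table (longest-prefix match), the subnet network ACL (stateless, so the reply direction needs its own rule) and the endpoint's security group (stateful). All inputs are constructed sample data shaped like the AWS describe-* API output, the ENI ID is a placeholder, and the on-premises host 172.16.1.10 is an assumed address inside the scenario's LAN. The sample is deliberately built so that three of the checks fail, which is the kind of result the walk-through is meant to surface.

```python
"""Offline walk of the AWS path checks from the steps above.
Constructed sample data only: shaped like describe-network-interfaces,
describe-security-groups, describe-route-tables and describe-network-acls
output, but not taken from any real account."""
import ipaddress

FGT_ENI_ID = "eni-fgt-private-PLACEHOLDER"  # constructed placeholder ENI id

# Constructed: private ENI of the AWS FortiGate (step 2).
FGT_PRIVATE_ENI = {"NetworkInterfaceId": FGT_ENI_ID, "SourceDestCheck": True}

# Constructed: security group attached to the endpoint instance 10.0.1.148 (step 6).
ENDPOINT_SG = {
    "IpPermissions": [  # inbound: RDP from the local subnet only, no ICMP
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
    "IpPermissionsEgress": [  # outbound: everything
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: route table associated with the private subnet 10.0.1.0/24 (step 4).
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "172.16.1.0/24", "NetworkInterfaceId": FGT_ENI_ID},
]}

# Constructed: network ACL of the private subnet (step 5). NACLs are stateless,
# so the reply direction is evaluated on its own; here an egress deny shadows it.
PRIVATE_NACL = {"Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "172.16.0.0/12"},
    {"RuleNumber": 200, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]}


def source_dest_check_disabled(eni):
    """A FortiGate forwarding other hosts' traffic must have SourceDestCheck off,
    otherwise AWS drops packets whose addresses do not belong to the ENI."""
    return not eni["SourceDestCheck"]


def _proto_match(rule_proto, proto):
    return rule_proto == "-1" or rule_proto == proto


def _port_match(lo, hi, port):
    # No port field, or -1 (all ports / all ICMP types), means "any".
    return lo is None or lo == -1 or lo <= port <= hi


def sg_allows(sg, direction, peer_ip, proto, port=0):
    """Security groups are stateful: only the initiating direction needs a rule."""
    peer = ipaddress.ip_address(peer_ip)
    perms = sg["IpPermissions"] if direction == "inbound" else sg["IpPermissionsEgress"]
    for p in perms:
        if not _proto_match(p["IpProtocol"], proto):
            continue
        if not _port_match(p.get("FromPort"), p.get("ToPort"), port):
            continue
        if any(peer in ipaddress.ip_network(r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
    return False


def route_target(rt, dst_ip):
    """Longest-prefix match over the route table; returns the route target or None."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_route = None, None
    for r in rt["Routes"]:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, r
    if best_route is None:
        return None
    return best_route.get("GatewayId") or best_route.get("NetworkInterfaceId")


def nacl_allows(nacl, egress, peer_ip, proto, port=0):
    """NACLs are stateless and evaluated by ascending rule number; first match wins."""
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or not _proto_match(e["Protocol"], proto):
            continue
        pr = e.get("PortRange")
        if pr and not _port_match(pr["From"], pr["To"], port):
            continue
        if peer in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"] == "allow"
    return False  # implicit deny when no rule matches


def walk_path(onprem_ip, server_ip, proto="icmp", port=0, reply_port=0):
    """Apply the checks from the steps above to one flow; returns {check: passed}."""
    return {
        "fgt_eni_source_dest_check_disabled": source_dest_check_disabled(FGT_PRIVATE_ENI),
        "subnet_route_to_server_is_local": route_target(PRIVATE_RT, server_ip) == "local",
        "subnet_route_to_onprem_via_fgt": route_target(PRIVATE_RT, onprem_ip) == FGT_ENI_ID,
        "nacl_inbound_from_onprem": nacl_allows(PRIVATE_NACL, False, onprem_ip, proto, port),
        "nacl_outbound_reply_to_onprem": nacl_allows(PRIVATE_NACL, True, onprem_ip, proto, reply_port),
        "endpoint_sg_inbound_from_onprem": sg_allows(ENDPOINT_SG, "inbound", onprem_ip, proto, port),
    }


def failed_checks(results):
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    # Constructed flow: on-prem LAN host 172.16.1.10 pinging the Windows server.
    for name, ok in walk_path("172.16.1.10", "10.0.1.148").items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Running it reports three failures for the sample data: the source/destination check is still enabled on the FortiGate ENI, the NACL's egress deny for 172.16.0.0/12 blocks the echo reply even though the echo request was allowed inbound, and the endpoint's security group has no ICMP rule for the on-premises range. Any of these would produce exactly the symptom in the Scope section: the traffic is seen leaving the AWS FortiGate, yet the ping fails.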

 

Related document:

https://community.fortinet.com/t5/FortiGate/Technical-TIP-Traffic-from-AWS-LAN-hosts-toward-remote-s...
