Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: FortiGate in AWS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate in AWS
I'm trying to get a FortiGate setup and I have an outside subnet and an inside subnet setup on it. From AWS, I have multiple subnets setup and wish for each of those to start going through the FortiGate.
Can I set these up as VLANs on the FortiGate or do I need to enable a port for each one? Currently, I have a medium tier FG setup, but it only allows me two interfaces, internal and external.
I cannot seem to get the correct configuration where I can have a test machine (instance) in a different subnet/VLAN where it will ping the FGT.
Example:
Outside: 172.250.254.254
Inside: 172.250.253.254
Test VLAN: 172.250.250.254 (IP for VLAN interface)
Test Machine 250: 172.250.250.250 (Linux instance)
Test Machine 253: 172.250.253.250 (Linux instance)
From Machine 253, I can ping the IP for the inside interface at 172.250.253.254.
From Machine 250, I cannot ping the IP for the VLAN 250 interface at 172.250.250.254.
On the Fortigate in cli, I can ping both the inside interface ip and the VLAN 250 interface ip.
I really can't find much in the way of how this can be setup with more than one subnet.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
diag arp list but are you sure of the VPC subnets or is this a typo
Inside: 172.250.253.254 Test VLAN: 172.250.250.254 (IP for VLAN interface) Test Machine 250: 172.250.250.250 (Linux instance) Test Machine 253: 172.250.253.250 (Linux instance)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, correct about those.
In the VPC, I have subnets 172.250.253.0/24 and 172.250.250.0/24
Inside IP of FGT: 172.250.253.254. Any instance machine I put into the 172.250.253.0 subnet, it works fine. I can ping both ways.
IP of VLAN 250 on FGT: 172.250.250.254. This is part of the inside port (port2). Any instance machine I put into 172.250.250.0/24, I cannot ping the VLAN 250 gateway IP (172.250.250.254).
I guess I'm wondering, do I need to setup my inside IP to cover all of the subnets I need, and then I can VLAN on it...and set my route tables up to include all of the IPs I need? Right now, the AWS route table for both of those subnets point to the inside interface (port2) on the FGT instance.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your VPC do you have two subnet? if that's truly the case than you need interfaces in the AWS instance. How would the AWS-FGT know about the 2nd subnet if it did not have a route to it or a 2nd interface ?
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the VPC has multiple subnets, which I'm putting as VLAN interfaces on the FGT.
I guess my question is...on the FGT, do I need a separate port to attach to each interface for the instance? I have the medium instance running right now, and it only supports 2 ports (port1 and port2), which I have assigned for Outside and Inside.
Would I need to create a bigger instance to add port3, port4, etc.? I'm going to have multiple subnets in the VPC, so I can't imagine having to add port50...portN just to support all of the subnets.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a few options; dual VPC and VPC peering , vpc vpn peeriing, or stack teirs within the VPC
subnet1 ( WEB ) subnet2 ( DBS ) subnet3 ( APP ) but yes the 2nd subnet would need reach and fw.policies for it. You can't filter traffic if it doesn't make it to the firewall ;)
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't guess that makes sense for what I'm trying to accomplish. I currently have 11 subnets on this VPC. I would really have to create the firewall instance with 11 ports? What if I decide to add 50 subnets...how to I get those routed to the Fortigate? Surely it doesn't support 50 ports?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correct and within the VPC you have routing natively between subnets defined in the VPC and the main route table. Did you follow the AWS deployment guide from FTNT ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did yes. I have a route table sending traffic from say the VLAN 250 to the Fortigate.
I have the routes, 172.250.0.0/16 ( the main route ) and then 0.0.0.0/0 going to the inside interface on the FGT.
That route table has two subnet associations with it, the 253 (inside interface main IP), and then the VLAN 250 subnet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bendsley. I couldnt even get the Private Interface working on Fortigate. my ping dropped at the public interface and couldn't even get across. Do you mind sharing your config?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,680 -
FortiClient
1,755 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
469 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
317 -
6.2
251 -
SSL-VPN
242 -
FortiAuthenticator v5.5
234 -
IPsec
207 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiGate-VM
11 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1705 | |
| 1093 | |
| 752 | |
| 446 | |
| 230 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.