Hi all,
Is there any way to obtain the real IP address of a client that accesses EC2 instances through an Amazon Internet Gateway that is routed through a FortiGate VM? I know that Amazon performs NAT on their end to map public/Elastic IP addresses to the Private IP but this is causing issues with testing the feasibility of using FortiGate VM as a replacement to Amazon Security Groups.
For testing, I have a simple WAN (public subnet) and a LAN (private subnet) attached to the FortiGate VM with the appropriate route tables. When I simulate an external user connecting to a web server in our private subnet via a reverse proxy, the logs show the connection as coming from the LAN interface of the FortiGateVM. If I disable NAT on the incoming firewall rule allowing HTTP\HTTPS access through the VIP, then I am unable to connect. It seems that Amazon forces a double NAT scenario, making it difficult to obtain the true IP address.
Ideally I would like to have the following workflow where the true IP address is shown in the FortiGate VM logs.
User --> FortiGateVM --> Reverse Proxy --> Windows Web Server
Is this possible or am I better off continuing to use Amazon's native tools for managing security and logging? Thanks everyone.
'If I disable NAT on the incoming firewall rule allowing HTTP\HTTPS access through the VIP but then I am unable to connect'
You should be able to turn off source NAT successfully if your end goal is only to do destination NAT (VIP).
It may be best if you do a debug flow to see where that traffic is stopping; you can use these commands:
-------------------
di de res                          <-- diagnose debug reset: clear any previous debug settings
di de flow filter addr x.x.x.x     <-- User's Public IP you are testing with
di de flow trace start 1000        <-- trace the next 1000 packets that match the filter
di de en                           <-- diagnose debug enable: start printing the trace
When you're done:
di de res                          <-- clear the flow filter and trace
di de di                           <-- diagnose debug disable: stop the debug output
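To make the debug flow output easier to read, here is an added helper that is not from the original post or from Fortinet: it groups the trace lines by trace_id and pulls out the original source/destination, any DNAT (VIP) and SNAT events, and the policy verdict, so you can see at a glance whether a flow was dropped and whether the web server will still see the real client IP. The sample trace lines are constructed for this example and follow the usual id=/trace_id=/func=/msg= layout; the IP addresses, interface names and policy numbers are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "diagnose debug flow" output (not captured from a real device).
# Trace 1: VIP with source NAT enabled on the policy (server sees the FortiGate, not the client).
# Trace 2: no matching policy, so the packet is dropped (this is where a flow "stops").
# Trace 3: VIP with source NAT turned off on the policy, as the reply above suggests.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 203.0.113.45:51522->198.51.100.10:443) from port1. flag [S], seq 1234567, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5812 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=fw_pre_route_handler line=182 msg="VIP-10.0.2.20:443, outdev-port1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3296 msg="DNAT 198.51.100.10:443->10.0.2.20:443"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.2.20 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3280 msg="SNAT 203.0.113.45->10.0.2.1:51522"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 203.0.113.45:51523->198.51.100.10:443) from port1. flag [S], seq 7654321, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5812 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=fw_pre_route_handler line=182 msg="VIP-10.0.2.20:443, outdev-port1"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3296 msg="DNAT 198.51.100.10:443->10.0.2.20:443"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.2.20 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 203.0.113.45:51524->198.51.100.10:443) from port1. flag [S], seq 1357911, ack 0, win 64240"
id=20085 trace_id=3 func=init_ip_session_common line=5812 msg="allocate a new session-00001a2d"
id=20085 trace_id=3 func=fw_pre_route_handler line=182 msg="VIP-10.0.2.20:443, outdev-port1"
id=20085 trace_id=3 func=__ip_session_run_tuple line=3296 msg="DNAT 198.51.100.10:443->10.0.2.20:443"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.2.20 via port2"
id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-4:"
"""

TRACE_ID = re.compile(r"trace_id=(\d+)")
PACKET = re.compile(r"received a packet\(proto=\d+, ([\d.]+:\d+)->([\d.]+:\d+)\) from (\S+)\.")
DNAT = re.compile(r'msg="DNAT [\d.]+:\d+->([\d.]+:\d+)"')
SNAT = re.compile(r'msg="SNAT [\d.]+->([\d.]+:\d+)"')
ALLOWED = re.compile(r"Allowed by Policy-(\d+)")
DENIED = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


@dataclass
class FlowSummary:
    trace_id: int
    client: str = ""        # original source ip:port as the FortiGate received it
    original_dst: str = ""  # destination before DNAT (the VIP's external address)
    ingress: str = ""       # interface the packet arrived on
    dnat_to: str = ""       # mapped internal address, if a VIP matched
    snat_to: str = ""       # source address after SNAT, if the policy NATs
    verdict: str = "no verdict seen"
    policy: Optional[int] = None


def summarize_trace(text: str) -> Dict[int, FlowSummary]:
    """Group debug-flow lines by trace_id and pull out the events that matter."""
    flows: Dict[int, FlowSummary] = {}
    for line in text.splitlines():
        tid_match = TRACE_ID.search(line)
        if not tid_match:
            continue
        tid = int(tid_match.group(1))
        flow = flows.setdefault(tid, FlowSummary(tid))
        if m := PACKET.search(line):
            flow.client, flow.original_dst, flow.ingress = m.group(1), m.group(2), m.group(3)
        elif m := DNAT.search(line):
            flow.dnat_to = m.group(1)
        elif m := SNAT.search(line):
            flow.snat_to = m.group(1)
        elif m := ALLOWED.search(line):
            flow.verdict, flow.policy = "allowed", int(m.group(1))
        elif m := DENIED.search(line):
            flow.verdict, flow.policy = "denied", int(m.group(1))
    return flows


def client_ip_preserved(flow: FlowSummary) -> bool:
    """True when the flow was forwarded and the server behind the VIP sees the real client IP."""
    return flow.verdict == "allowed" and flow.snat_to == ""


def report(flows: Dict[int, FlowSummary]) -> List[str]:
    """One human-readable line per trace, in the order the traces appeared."""
    lines = []
    for flow in flows.values():
        status = f"{flow.verdict} (policy {flow.policy})" if flow.policy is not None else flow.verdict
        detail = f"trace {flow.trace_id}: {flow.client} -> {flow.original_dst} on {flow.ingress}: {status}"
        if flow.dnat_to:
            detail += f", DNAT to {flow.dnat_to}"
        if flow.snat_to:
            detail += f", SNAT to {flow.snat_to} (the server logs this address, not the client)"
        lines.append(detail)
    return lines


if __name__ == "__main__":
    for line in report(summarize_trace(SAMPLE_TRACE)):
        print(line)
```

Run it against the text you save from the console after `di de en`; a trace whose last event is "Denied by forward policy check" shows you which policy (or the implicit deny, policy 0) is stopping the connection, and a flow that is allowed but carries an SNAT line is the case the original post describes, where the web server only ever sees the FortiGate's LAN address.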
Copyright 2024 Fortinet, Inc. All Rights Reserved.