I have a scenario where there are two subnets in AWS, a public subnet and private subnet. Most of the public subnet have web servers running with multiple public IP's to access from the internet.
Now I would like to deploy the Fortigate Firewall in the same public subnet & route all those web servers traffic through the Fortigate without changing already mapped public/elastic IP's of those web servers. Can some one please provide some inputs on this ?
PS: my private subnet traffic towards internet through Fortigate is working fine & also traffic from internet to private subnet via Fortigate WAN public VIP and port forwarding is working perfectly.
Only concern are the instances hosted in the public subnet where it has multiple public IP's and I can't change the architecture keeping existing setup in view. Appreciate your inputs, thanks
Solved! Go to Solution.
If you have those public IP addresses statically reserved, you should be able to create secondary IPs on the Fortigate and map those IPs to the secondary IPs of the fortigate. The traffic would then go to the fortigate itself. In order for the scenario you are going after, you would have to do source NAT on the Fortigate to hide the public IP address of the client otherwise traffic will be asymmetric breaking the session. A better solution would be to move those servers to a private subnet and have the fortigate handle the traffic so you can get IPS level protection, etc.
Thank you everyone for your inputs, I figured it out. Understood in other way around, all I need to do is create secondary IP's (as many as required) for Fortigate WAN subnet, then map an elastic IP. Followed by mapping WAN and LAN private IP VIP's and allow the rules, so we are doing a double-NAT here to accomplish this.
I'm not sure how you can accomplish what you want to do without changing your architecture.
You need to change your web servers so that they are behind the FortiGate which is an inherent architectural change.
A pretty decent (yet simple) reference architecture and configuration describing what you want to do is here: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/619591/sing...
Hello Graham, Thank you for the update. I completely understand the public subnet & protected subnet concept in new implementations. However, my requirement is little different as I mentioned previously.
Let's correlate it with traditional based networking & now cloud networking too, where we'll have multiple web servers which needs to be accessed by the internet users & each web server has its only individual public/elastic IP. I need that to be routed through the Fortigate like a web server hosted in DMZ. The problem if you put them in a protected subnet is that the servers will no longer be able to use its individual public IP's & needs to use only WAN IP as VIP with port forwarding which is not a feasible solution if you have multiple web servers running on same destination ports. There should be a way like we have in traditional based networking where you have a public IP pool & you nat them at Firewall end for each web server.
Im no AWS expert but this should be possible of course. People do it all the time. I’m not sure exactly how but possibly using multiple IP addresses on an interface?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html
Thanks, Graham, for your quick reply, the doc shows adding multiple IPs on an instance; however, my requirement is completely different as I informed previously. Definitely yes, there should be some solution. Looking forward a solution from someone on this forum, thanks much for your inputs.
Your requirement is not completely different, actually. Your instance, in this case, is the FortiGate firewall. It will answer requests for all of the public IP addresses now and then forward those to your Web Servers which will be behind the FortiGate on the private subnet.
If you have those public IP addresses statically reserved, you should be able to create secondary IPs on the Fortigate and map those IPs to the secondary IPs of the fortigate. The traffic would then go to the fortigate itself. In order for the scenario you are going after, you would have to do source NAT on the Fortigate to hide the public IP address of the client otherwise traffic will be asymmetric breaking the session. A better solution would be to move those servers to a private subnet and have the fortigate handle the traffic so you can get IPS level protection, etc.
Hello.
Can you explain how to route the traffic from the existing ip of the VM so they go trough the Fortigate? Alsoo, how can i add multiple IP in fortigate?
As you recomend, i start and deploy all my VM i a private subnet, but the issue now is that i dont have a public ip for each VM,a nd i have only one that is for fortigate. In this case, how can i route from the public subnet, the traffic to the VM that are in the private subnet? All my vm have different requirements and different permisions
Hello mwissa/Graham, I understand what you are saying; but it didn't work out. Let me put it in this way for example.
VPC1: CIDR 192.168.0.0/16
Public Subnet: 192.168.0.0/24, FGT WAN interface IP: 192.168.0.50 (public IP 203.10.10.10)
Web servers already hosted in public subnet: 192.168.0.100 (public IP 203.10.10.111 on port 443), 192.168.0.101 (public IP 203.10.10.112 on port 443), 192.168.0.102 (public IP 203.10.10.113 on port 443) and multiple IPs for multiple web servers
Route for public subnet pointed towards IGW
Private Subnet: 192.168.1.0/24, FGT LAN interface IP: 192.168.1.50
Internal servers: 192.168.1.100, 192.168.1.101, 192.168.1.102 (works all on 443)
Route for private subnet pointed towards FGT LAN interface
1. Even if you create secondary public IP on Fortigate it will be mapped to its secondary interface which will not fulfill the requirement
2. Even if I move all those web servers in public subnet to private subnet, then I need to do a specific VIP configuration for each and every server with FGT WAN interface associated elastic IP address.
E.g Anything to come from WAN interface to reach 192.168.1.100 source port 8443, destination port 443, 192.168.1.101 source port 8444 destination port 443.
I already have public IPs to the servers and creating multiple VIPs with different source port is not an ideal solution for me, I just want to route those n number of public IPs provided for web servers via the Firewall just like a DMZ setup.
This is no different than the DMZ setup you are referring to. I'm not sure why you think you need to create port-based VIPs. You do not. You can just do simple one-to-one VIPs.
https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/510402/static-virtual-ips
Secondary public subnet IPs will exist on the primary FGT public interface.
https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/9620/config-system-interface
See
set secondary-IP
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.