I have a scenario where there are two subnets in AWS, a public subnet and private subnet. Most of the public subnet have web servers running with multiple public IP's to access from the internet.
Now I would like to deploy the Fortigate Firewall in the same public subnet & route all those web servers traffic through the Fortigate without changing already mapped public/elastic IP's of those web servers. Can some one please provide some inputs on this ?
PS: my private subnet traffic towards internet through Fortigate is working fine & also traffic from internet to private subnet via Fortigate WAN public VIP and port forwarding is working perfectly.
Only concern are the instances hosted in the public subnet where it has multiple public IP's and I can't change the architecture keeping existing setup in view. Appreciate your inputs, thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you have those public IP addresses statically reserved, you should be able to create secondary IPs on the Fortigate and map those IPs to the secondary IPs of the fortigate. The traffic would then go to the fortigate itself. In order for the scenario you are going after, you would have to do source NAT on the Fortigate to hide the public IP address of the client otherwise traffic will be asymmetric breaking the session. A better solution would be to move those servers to a private subnet and have the fortigate handle the traffic so you can get IPS level protection, etc.
Thank you everyone for your inputs, I figured it out. Understood in other way around, all I need to do is create secondary IP's (as many as required) for Fortigate WAN subnet, then map an elastic IP. Followed by mapping WAN and LAN private IP VIP's and allow the rules, so we are doing a double-NAT here to accomplish this.
Thank you everyone for your inputs, I figured it out. Understood in other way around, all I need to do is create secondary IP's (as many as required) for Fortigate WAN subnet, then map an elastic IP. Followed by mapping WAN and LAN private IP VIP's and allow the rules, so we are doing a double-NAT here to accomplish this.
Glad to hear you got it sorted! Consider marking one of our responses as solution? We get credit that way and reference for other users is there.
No problem Graham, doing that right away.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.