ravitejag
New Contributor II

How to route multiple public IP addresses traffic through Fortigate in AWS

I have a scenario where there are two subnets in AWS, a public subnet and a private subnet. Most of the public subnet has web servers running with multiple public IPs to access from the internet.

Now I would like to deploy the FortiGate firewall in the same public subnet and route all of those web servers' traffic through the FortiGate without changing the already mapped public/Elastic IPs of those web servers. Can someone please provide some input on this?

PS: my private subnet traffic towards the internet through the FortiGate is working fine, and traffic from the internet to the private subnet via the FortiGate WAN public VIP and port forwarding is also working perfectly.

The only concern is the instances hosted in the public subnet, which have multiple public IPs, and I can't change the architecture given the existing setup. Appreciate your inputs, thanks.


2 Solutions
mwissa
Staff

If you have those public IP addresses statically reserved, you should be able to create secondary IPs on the FortiGate and map those IPs to the secondary IPs of the FortiGate. The traffic would then go to the FortiGate itself. For the scenario you are going after to work, you would have to do source NAT on the FortiGate to hide the public IP address of the client; otherwise traffic will be asymmetric, breaking the session. A better solution would be to move those servers to a private subnet and have the FortiGate handle the traffic so you can get IPS-level protection, etc.


ravitejag
New Contributor II

Thank you everyone for your inputs, I figured it out. Understood the other way around: all I need to do is create secondary IPs (as many as required) on the FortiGate WAN subnet, then map an Elastic IP, followed by mapping WAN and LAN private IP VIPs and allowing the rules, so we are doing a double NAT here to accomplish this.

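As an added illustration (not taken from mwissa's or ravitejag's posts) of the double-NAT arrangement both describe, here is a FortiOS CLI fragment for one web server: a secondary IP on the WAN interface that the server's existing Elastic IP is re-associated to on the AWS side, a VIP from that secondary IP to the server's private address, and an inbound policy with source NAT enabled so the server's replies come back through the FortiGate rather than asymmetrically. Interface names, addresses, object names and the assumption that the server is reached through the LAN interface are all placeholders.

```fortios
# Assumed layout (placeholders, not from the thread):
#   port1 = WAN interface in the public subnet, primary IP 10.0.1.10/24
#   port2 = LAN interface towards the subnet holding the web server
#   web server private IP = 10.0.2.10
# AWS side (not FortiOS): add 10.0.1.20 as a secondary private IP on the
# FortiGate's port1 ENI and associate the web server's existing Elastic IP
# with that secondary IP, so clients keep using the same public address.

# 1. Secondary IP on the WAN interface, one per Elastic IP to be moved
config system interface
    edit "port1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.0.1.20 255.255.255.0
            next
        end
    next
end

# 2. VIP: destination NAT from the secondary IP to the server's private IP
config firewall vip
    edit "vip-web1-https"
        set extintf "port1"
        set extip 10.0.1.20
        set mappedip "10.0.2.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 3. Inbound policy. "set nat enable" adds the source NAT (second NAT of
#    the "double NAT"): the server sees the FortiGate's port2 address as the
#    client and answers via the FortiGate, avoiding an asymmetric return path.
config firewall policy
    edit 10
        set name "inbound-web1-https"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web1-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Repeat steps 1 and 2 with a further secondaryip entry and VIP for each additional Elastic IP; the source NAT means the web server logs will show the FortiGate's LAN address, so keep FortiGate traffic logging on for the real client IP.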


gfleming

Glad to hear you got it sorted! Consider marking one of our responses as the solution? We get credit that way, and the reference is there for other users.

Cheers,
Graham
ravitejag
New Contributor II

No problem Graham, doing that right away.
