How to safely permit traffic to an Amazon AWS hosted site (Cloudfront)
Running 5.2.7 on a FGT60D and one of the sites that we programmatically retrieve data from has moved recently to Amazon's hosting service. Previously this traffic was permitted using the site FQDN, however as I understand it this can now resolve to a number of different IPs depending on server load etc. - data retrieval is failing periodically now.
What is the best practice for permitting traffic to a specific URL hosted in this way?
In the absence of any responses I've been experimenting with Application Control and WebFilter policies without success.
I now have a ticket raised with Fortinet Support for assistance but would still appreciate any insights that the community could share.
You could use FQDN-style DNS records in 5.4.x with a short TTL, but ideally I would use an IPsec tunnel to the VPC.
Ken
PCNSE
NSE
StrongSwan
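As an added illustration of the FQDN-object approach mentioned above (not emnoc's or Fortinet's own configuration), this is what an FQDN address with a short cache TTL and a policy referencing it look like in FortiOS 5.4.x CLI; the address name, hostname, interface names and TTL value are placeholders chosen for the example.

```text
# Placeholder FQDN address: the FortiGate resolves it itself and keeps
# every returned IP in its FQDN cache. cache-ttl sets the minimum cache
# lifetime in seconds (0 = honour the TTL returned by DNS).
config firewall address
    edit "aws-data-source"
        set type fqdn
        set fqdn "data.example.gov.uk"
        set cache-ttl 60
        set comment "CloudFront-hosted feed; IPs rotate, so match by name"
    next
end

# Policy restricted to the FQDN object and to HTTPS only, with logging on
# so that denied retries can be seen when the cached set is stale.
config firewall policy
    edit 0
        set name "allow-aws-data-source"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "aws-data-source"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

The set of addresses the unit currently holds for the object can be checked with `diagnose firewall fqdn list`; if retrievals still fail, compare that list against what the host resolves at the same moment, since the two only match when the FortiGate and the client use the same resolver.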
emnoc wrote: You could use FQDN-style DNS records in 5.4.x with a short TTL, but ideally I would use an IPsec tunnel to the VPC.
Ken
Thanks for responding, however I'm not sure I understand; I should also have specified that we're using a FGT60 on 5.2.7, waiting on bugfixes for SSL DPI on inbound traffic before doing any firewall upgrades. The hosted site is an external resource (UK government) providing healthcare data that we make available to clients, so I'm not sure how the IPsec tunnel solution would apply.
Does 5.2.x permit the same FQDN approach?