Subnets in hub architecture and spokes in OCI
Hello community.
We are implementing FortiGate in the OCI cloud. We have seen several tutorials indicating that for each network whose traffic I want sent through the FortiGate, I need a VCN.
My question is: can I create one single spoke VCN and have all the subnets I need there, making the traffic go through the FW?
I have tested the above configuration, sending traffic between subnets in the same spoke VCN, but the FW does not do policy validation; it sends the traffic directly.
Hello FortiGate community. We have found the solution in the following article; the problem was that the traffic was entering and exiting through the same interface and was not getting a policy check.
In summary: yes, you can have more than one subnet per VCN in OCI if you want to deploy a FortiGate FW.
Guide to deploy the FortiGate FW:
https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=846
Hello GIAdmin, Good day!
I have tested with the above configuration and sending traffic between subnets in the same spoke VCN but the FW does not do policy validation, it sends the traffic directly.
Could you please confirm whether the traffic is hitting the firewall, using the sniffer?
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
If the traffic is hitting the firewall, please run a debug flow to validate the traffic flow.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow
Other reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Thank you!
-lgupta
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.
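The two checks suggested in this reply (sniffer first, then debug flow), written out as FortiOS CLI commands. This is an added example, not part of the thread; the addresses 10.0.1.10 (subnet A) and 10.0.2.10 (subnet B) in the same spoke VCN are constructed placeholders.

```fortios
# Step 1: does traffic between the two subnets reach the FortiGate at all?
# 'any' = all interfaces, verbosity 4 = print interface names, 10 packets,
# 'l' = local timestamps. Constructed addresses; replace with your own.
diagnose sniffer packet any 'host 10.0.1.10 and host 10.0.2.10' 4 10 l
# If nothing is printed while a ping runs between the hosts, the VCN is
# delivering the packets directly and the FortiGate is not in the path,
# so the fix lies in OCI routing, not in FortiOS policy.

# Step 2: if packets do appear, trace how FortiOS handles them.
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.1.10
diagnose debug flow filter daddr 10.0.2.10
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# ...generate the test traffic now, then stop the trace...
diagnose debug disable
diagnose debug reset
# In the trace, look at the "find a route" and "iprope" lines: if the
# packet enters and leaves through the same interface and there is no
# policy with that interface as both srcintf and dstintf, FortiOS reports
# the drop there, which is the symptom described in the accepted answer.
```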
Some of these responses come across as dogmatic. Hub for network only, so DNS should be in its own spoke? Where do you draw the line?
OP, it depends on what works for the organisation. Some see shared services as a peer to a business app (thus a spoke); others view shared services as part of the underlying infrastructure fabric supporting business apps, thus part of the hub.
Just don't develop tunnel vision.
