Hello community.
We are implementing fortigate in the OCI cloud. We have seen several tutorials that indicate that for each network I want traffic to be sent over the fortigate I need a VCN.
My question is, can I create 1 single VCN Spoke and there have all the subnets I need making the traffic go through the FW.
I have tested with the above configuration and sending traffic between subnets in the same spoke VCN but the FW does not do policy validation, it sends the traffic directly.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Fortigate community. We have found the solution in the following article because the problem was that the traffic was entering and exiting through the same interface and did not make policy check:
In summary if you can have more than one subnet per VCN in OCI if you want to deploy a Fortigate FW.
Guide to deploy Fortigate FW:
https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=846
Hello GIAdmin, Good day!
I have tested with the above configuration and sending traffic between subnets in the same spoke VCN but the FW does not do policy validation, it sends the traffic directly.
Could you please confirm if the traffic is hitting the firewall using sniffer?
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
If the traffic is hitting the firewall, please run a debug flow to validate the traffic flow.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow
Other reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Thank you!
Some of these responses come across as being dogmatic. Hub of network only, then DNS should be in its own Spoke? Where do you draw the line.
OP, it depends on what works for the organisation. Some see share services as peer to a business app (thus a spoke), others view shared services as part of the underlying infrastructure fabric supporting businesses apps, thus part of the Hub.
Just don't develop tunnel vision.
Hello Fortigate community. We have found the solution in the following article because the problem was that the traffic was entering and exiting through the same interface and did not make policy check:
In summary if you can have more than one subnet per VCN in OCI if you want to deploy a Fortigate FW.
Guide to deploy Fortigate FW:
https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=846
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.