toan2552
New Contributor

aws internet traffic and aws

Hi,

I have an IPsec connection set up from AWS to Fortigate.

In AWS, there's a private subnet containing various services, including EC2 instances.

Within my Fortinet, there are two networks - a DMZ network and an internal network, and they can communicate with the EC2 instances without any issues.

However, I'm currently facing a challenge: I want to enable internet access for the EC2 instances through the IPsec connection, following this path:

EC2 ===> Fortigate 1 ===> Internet

To achieve this, I've configured the AWS route table to have a route with destination 0.0.0.0/0 pointing to the virtual private gateway (VGW) to handle internet-bound traffic.

On the Fortigate side, I've implemented two policies. The first policy is to allow traffic from the WAN to AWS IPsec, and the second policy is to allow traffic from AWS IPsec to the WAN.

Unfortunately, despite these configurations, the setup isn't functioning as expected. When capturing traffic on the Fortigate, the results show:

1 0.000000 192.168.16.44 8.8.8.8 ICMP 60 Echo (ping) request id=0x0001, seq=51820/27850, ttl=128 (no response found!)

This suggests that the ping request from 192.168.16.44 (presumably one of the EC2 instances) to 8.8.8.8 (Google's DNS server) did not receive a response.

I'd appreciate any guidance or suggestions to troubleshoot and resolve this issue.

Thank you.


saneeshpv_FTNT

Hi,

Is your FortiGate located in AWS, or are you referring to a FortiGate appliance on-premise and a VPN connection between the AWS VPG and an on-premise FortiGate device?

If the FortiGate is on-premise and you are receiving traffic from the AWS VPC EC2 instance on the FortiGate, please check you have the required policy from AWS-IPsec (FortiGate VPN interface) to WAN and have enabled Source NAT on this policy to use the outgoing interface IP (i.e. the WAN interface IP).

You can refer to traffic logs to confirm whether this traffic is matching the right policy on the FortiGate or not and whether NAT is applied successfully.

If my understanding of your setup is not correct, please share the diagram for better understanding.

Best Regards,

toan2552

Hi Saneeshpv_FTNT

 

My proposal is to set up the AWS network as a private link, acting as a DMZ or internal network. The reason for this choice is that the Fortigate AWS SaaS incurs additional costs, and I am already paying for the Fortigate appliance.

 

The network:

                     { internal ------{--\
fortigate -----------{ dmz -----------{--------- internet
                     { aws -----------{--/

internal network (192.168.3.0/24)
dmz network (192.168.1.0/24)
aws network (192.168.16.0/24)

Of course, the internal and DMZ networks have access to the internet in both directions.

Internal and DMZ have access to the AWS network,

but AWS has no access to the internet, DMZ or internal.

On AWS, the route 0.0.0.0/0 points to the AWS IPsec VPN.

I ran a diagnostic by pinging from EC2 192.168.16.44:


diagnose sniffer packet any 'host 192.168.16.44 and icmp' 4 0 l
interfaces=[any]
filters=[host 192.168.16.44 and icmp]
2023-07-20 09:58:30.882948 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:35.887153 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:40.908303 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:45.908813 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:50.909318 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:55.910043 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:00.910546 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:05.911074 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:10.911382 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:15.911851 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:20.912448 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request


Thank you

saneeshpv_FTNT

Hi,


Your AWS network (VPC) is connected to your FortiGate via an IPsec VPN tunnel, I am assuming, and you are receiving the traffic on the FortiGate firewall through this VPN from the EC2 instance. If so, please perform a quick sniffer with only "Destination IP and ICMP" as the filter to understand whether this traffic is exiting your FGT firewall over the internet WAN interface or not. Below is the sniffer command.

diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 0 l

At this moment make sure you stop any other ping traffic to 8.8.8.8 apart from the one from the EC2 instance.

Also, did you make sure NAT is enabled on the internet-bound policy from AWS to WAN?

Best Regards,

toan2552

NAT from AWS to WAN is enabled.

This is the command result:


# diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 0 l
interfaces=[any]
filters=[host 8.8.8.8 and icmp]
2023-07-21 10:14:35.712754 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-21 10:14:40.713158 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-21 10:14:45.713753 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-21 10:14:50.714274 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-21 10:14:55.714779 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-21 10:15:00.715286 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-21 10:15:05.715707 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
^C
7 packets received by filter
0 packets dropped by kernel


Kind regards

saneeshpv_FTNT

Hi,


It looks like traffic is not going out of the FGT firewall, as we can only see In packets.

Please enable debug flow on the firewall and share the output with me.

Enable debug flow from PuTTY (SSH session) with session logging enabled.

========================================================

diag debug reset
diag debug flow filter addr 8.8.8.8
diag debug flow filter protocol 1
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 1000
diag debug console timestamp enable
diag debug enable

Generate traffic and, after capturing the logs, disable debug and reset debug flow.

============================================================

diag debug disable
diag debug reset

Also share the relevant FGT configuration for verification.

Best Regards,

toan2552

Hi

thank you

2023-07-21 10:39:01 id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55777."
2023-07-21 10:39:01 id=20085 trace_id=1 func=init_ip_session_common line=5995 msg="allocate a new session-00372a04"
2023-07-21 10:39:01 id=20085 trace_id=1 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:01 id=20085 trace_id=1 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:01 id=20085 trace_id=1 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:01 id=20085 trace_id=1 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:01 id=20085 trace_id=1 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:06 id=20085 trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55778."
2023-07-21 10:39:06 id=20085 trace_id=2 func=init_ip_session_common line=5995 msg="allocate a new session-00372a64"
2023-07-21 10:39:06 id=20085 trace_id=2 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:06 id=20085 trace_id=2 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:06 id=20085 trace_id=2 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:06 id=20085 trace_id=2 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:06 id=20085 trace_id=2 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:11 id=20085 trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55779."
2023-07-21 10:39:11 id=20085 trace_id=3 func=init_ip_session_common line=5995 msg="allocate a new session-00372aa0"
2023-07-21 10:39:11 id=20085 trace_id=3 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:11 id=20085 trace_id=3 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:11 id=20085 trace_id=3 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:11 id=20085 trace_id=3 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:11 id=20085 trace_id=3 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:16 id=20085 trace_id=4 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55780."
2023-07-21 10:39:16 id=20085 trace_id=4 func=init_ip_session_common line=5995 msg="allocate a new session-00372b66"
2023-07-21 10:39:16 id=20085 trace_id=4 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:16 id=20085 trace_id=4 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:16 id=20085 trace_id=4 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:16 id=20085 trace_id=4 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:16 id=20085 trace_id=4 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:21 id=20085 trace_id=5 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55781."
2023-07-21 10:39:21 id=20085 trace_id=5 func=init_ip_session_common line=5995 msg="allocate a new session-00372e10"
2023-07-21 10:39:21 id=20085 trace_id=5 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:21 id=20085 trace_id=5 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:21 id=20085 trace_id=5 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:21 id=20085 trace_id=5 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:21 id=20085 trace_id=5 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:26 id=20085 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55782."
2023-07-21 10:39:26 id=20085 trace_id=6 func=init_ip_session_common line=5995 msg="allocate a new session-00372e95"
2023-07-21 10:39:26 id=20085 trace_id=6 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:26 id=20085 trace_id=6 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:26 id=20085 trace_id=6 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:26 id=20085 trace_id=6 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:26 id=20085 trace_id=6 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:31 id=20085 trace_id=7 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55783."
2023-07-21 10:39:31 id=20085 trace_id=7 func=init_ip_session_common line=5995 msg="allocate a new session-00372f15"
2023-07-21 10:39:31 id=20085 trace_id=7 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:31 id=20085 trace_id=7 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:31 id=20085 trace_id=7 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:31 id=20085 trace_id=7 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:31 id=20085 trace_id=7 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:36 id=20085 trace_id=8 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55784."
2023-07-21 10:39:36 id=20085 trace_id=8 func=init_ip_session_common line=5995 msg="allocate a new session-00372f79"
2023-07-21 10:39:36 id=20085 trace_id=8 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:36 id=20085 trace_id=8 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:36 id=20085 trace_id=8 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:36 id=20085 trace_id=8 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:36 id=20085 trace_id=8 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:41 id=20085 trace_id=9 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55785."
2023-07-21 10:39:41 id=20085 trace_id=9 func=init_ip_session_common line=5995 msg="allocate a new session-00372fbf"
2023-07-21 10:39:41 id=20085 trace_id=9 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:41 id=20085 trace_id=9 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:41 id=20085 trace_id=9 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:41 id=20085 trace_id=9 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:41 id=20085 trace_id=9 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:46 id=20085 trace_id=10 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55786."
2023-07-21 10:39:46 id=20085 trace_id=10 func=init_ip_session_common line=5995 msg="allocate a new session-00373044"
2023-07-21 10:39:46 id=20085 trace_id=10 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:46 id=20085 trace_id=10 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:46 id=20085 trace_id=10 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:46 id=20085 trace_id=10 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:46 id=20085 trace_id=10 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:51 id=20085 trace_id=11 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55787."
2023-07-21 10:39:51 id=20085 trace_id=11 func=init_ip_session_common line=5995 msg="allocate a new session-003730cf"
2023-07-21 10:39:51 id=20085 trace_id=11 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:51 id=20085 trace_id=11 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:51 id=20085 trace_id=11 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:51 id=20085 trace_id=11 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:51 id=20085 trace_id=11 func=ip_session_handle_no_dst line=6079 msg="trace"
2023-07-21 10:39:56 id=20085 trace_id=12 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55788."
2023-07-21 10:39:56 id=20085 trace_id=12 func=init_ip_session_common line=5995 msg="allocate a new session-0037316a"
2023-07-21 10:39:56 id=20085 trace_id=12 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:39:56 id=20085 trace_id=12 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:39:56 id=20085 trace_id=12 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:39:56 id=20085 trace_id=12 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:39:56 id=20085 trace_id=12 func=ip_session_handle_no_dst line=6079 msg="trace"
diag debug 2023-07-21 10:40:01 id=20085 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55789."
2023-07-21 10:40:01 id=20085 trace_id=13 func=init_ip_session_common line=5995 msg="allocate a new session-003731c3"
2023-07-21 10:40:01 id=20085 trace_id=13 func=iprope_dnat_check line=5121 msg="in-[FG-AWS-2], out-[]"
2023-07-21 10:40:01 id=20085 trace_id=13 func=iprope_dnat_tree_check line=823 msg="len=0"
2023-07-21 10:40:01 id=20085 trace_id=13 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2023-07-21 10:40:01 id=20085 trace_id=13 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2023-07-21 10:40:01 id=20085 trace_id=13 func=ip_session_handle_no_dst line=6079 msg="trace"

saneeshpv_FTNT

Hi,

The packet is getting dropped with the error below, "reverse path check fail, drop", which means the firewall is dropping the traffic because it doesn't have a route back to the source (here the EC2 instance IP) during the RPF check. You need to look into your configuration to confirm this.

Best Regards,

toan2552

I don't know what exactly happens; in theory it is not difficult to do this.

I have two static routes to reach the EC2 machine.

You can see them in these pictures:

[attachment: forti_1.PNG]


saneeshpv_FTNT

Hi,

 

I can see two routes here. Which one is Active in FIB?

 

Your traffic enters Firewall on FGT-AWS2, so it should have an active route to AWS EC2 instance via FGT-AWS2 only.


Best Regards,
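As an added illustration of the debug-flow procedure and the RPF explanation above (example code, not from the thread or from FortiOS), the block below parses debug-flow lines in the format shown earlier, models a FIB that holds two static routes to 192.168.16.0/24, and shows why a strict reverse-path check drops a packet that arrives on FG-AWS-2 while the active route back to 192.168.16.44 points at the other tunnel. The second tunnel name FG-AWS-1, the priority values and the simplified route-selection rule are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed debug-flow lines in the format the thread shows (not a real capture).
DEBUG_FLOW = """\
2023-07-21 10:39:01 id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.16.44:1->8.8.8.8:2048) from FG-AWS-2. type=8, code=0, id=1, seq=55777."
2023-07-21 10:39:01 id=20085 trace_id=1 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
"""
PKT_RE = re.compile(r'trace_id=(\d+) .*received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from ([\w-]+)\.')
DROP_RE = re.compile(r'trace_id=(\d+) .*msg="([^"]*drop[^"]*)"')

class Route(NamedTuple):
    prefix: str          # destination network, e.g. "192.168.16.0/24"
    interface: str       # outgoing interface or VPN tunnel
    distance: int = 10   # FortiOS default administrative distance for static routes
    priority: int = 0    # FortiOS tie-breaker between equal routes; lower value is preferred

def active_route(fib, ip):
    """Route the FIB uses for ip: longest prefix wins, then lowest distance, then lowest priority."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in fib if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance, r.priority))

def rpf_check(fib, src_ip, ingress):
    """Strict reverse-path check: the active route back to src_ip must leave via the ingress interface."""
    route = active_route(fib, src_ip)
    if route is None:
        return False, f"no route back to {src_ip}"
    if route.interface != ingress:
        return False, f"active route to {src_ip} is via {route.interface}, but the packet arrived on {ingress}"
    return True, f"active route to {src_ip} is via {ingress}, RPF passes"

def triage(debug_flow, fib):
    """Group debug-flow lines by trace_id, keep FortiGate's drop message, and explain it against fib."""
    traces = {}
    for line in debug_flow.splitlines():
        if m := PKT_RE.search(line):
            tid, src, dst, ingress = m.groups()
            ok, why = rpf_check(fib, src, ingress)
            traces[int(tid)] = {"src": src, "dst": dst, "ingress": ingress, "rpf_ok": ok, "why": why}
        elif (m := DROP_RE.search(line)) and int(m.group(1)) in traces:
            traces[int(m.group(1))]["fortigate_msg"] = m.group(2)
    return traces

# Two static routes to the AWS subnet, as in the thread. "FG-AWS-1" is a constructed name for the
# second tunnel; with the lower priority value it is the one the FIB treats as active.
BROKEN_FIB = [Route("192.168.16.0/24", "FG-AWS-1", priority=0),
              Route("192.168.16.0/24", "FG-AWS-2", priority=5)]
# The fix: the route via the tunnel the traffic actually arrives on must be the active one.
FIXED_FIB = [Route("192.168.16.0/24", "FG-AWS-2", priority=0),
             Route("192.168.16.0/24", "FG-AWS-1", priority=5)]
```

Running `triage(DEBUG_FLOW, BROKEN_FIB)` reports the RPF mismatch alongside FortiGate's own "reverse path check fail, drop" message, while `triage(DEBUG_FLOW, FIXED_FIB)` reports the check passing.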
