bendsley
New Contributor II

FortiGate in AWS

I'm trying to get a FortiGate set up, and I have an outside subnet and an inside subnet set up on it.  From AWS, I have multiple subnets set up and wish for each of those to start going through the FortiGate.

Can I set these up as VLANs on the FortiGate, or do I need to enable a port for each one?  Currently, I have a medium-tier FG set up, but it only allows me two interfaces, internal and external.

 

I cannot seem to get the correct configuration where I can have a test machine (instance) in a different subnet/VLAN where it will ping the FGT.

 

Example:

Outside: 172.250.254.254

Inside: 172.250.253.254

Test VLAN: 172.250.250.254 (IP for VLAN interface)

Test Machine 250: 172.250.250.250 (Linux instance)

Test Machine 253: 172.250.253.250 (Linux instance)

 

From Machine 253, I can ping the IP for the inside interface at 172.250.253.254.

From Machine 250, I cannot ping the IP for the VLAN 250 interface at 172.250.250.254.

 

On the FortiGate CLI, I can ping both the inside interface IP and the VLAN 250 interface IP.

 

I really can't find much in the way of how this can be set up with more than one subnet.

emnoc
Esteemed Contributor III

diag arp list, but are you sure of the VPC subnets, or is this a typo?

Inside: 172.250.253.254
Test VLAN: 172.250.250.254 (IP for VLAN interface)
Test Machine 250: 172.250.250.250 (Linux instance)
Test Machine 253: 172.250.253.250 (Linux instance)

PCNSE NSE StrongSwan
bendsley
New Contributor II

Yes, correct about those.

In the VPC, I have subnets 172.250.253.0/24 and 172.250.250.0/24

 

Inside IP of FGT: 172.250.253.254.  Any instance machine I put into the 172.250.253.0 subnet works fine.  I can ping both ways.

IP of VLAN 250 on FGT: 172.250.250.254.  This is part of the inside port (port2).  From any instance machine I put into 172.250.250.0/24, I cannot ping the VLAN 250 gateway IP (172.250.250.254).

 

 

I guess I'm wondering, do I need to set up my inside IP to cover all of the subnets I need, and then I can VLAN on it, and set my route tables up to include all of the IPs I need?  Right now, the AWS route table for both of those subnets points to the inside interface (port2) on the FGT instance.

emnoc
Esteemed Contributor III

In your VPC do you have two subnets? If that's truly the case, then you need interfaces in the AWS instance. How would the AWS FGT know about the 2nd subnet if it did not have a route to it or a 2nd interface?

Ken

 

PCNSE NSE StrongSwan
bendsley
New Contributor II

Yes, the VPC has multiple subnets, which I'm putting as VLAN interfaces on the FGT.

 

I guess my question is: on the FGT, do I need a separate port to attach to each interface for the instance?  I have the medium instance running right now, and it only supports 2 ports (port1 and port2), which I have assigned for Outside and Inside.

 

Would I need to create a bigger instance to add port3, port4, etc.?  I'm going to have multiple subnets in the VPC, so I can't imagine having to add port50...portN just to support all of the subnets.

emnoc
Esteemed Contributor III

You have a few options: dual VPC and VPC peering, VPC VPN peering, or stack tiers within the VPC:

subnet1 (WEB), subnet2 (DBS), subnet3 (APP). But yes, the 2nd subnet would need reach and FW policies for it. You can't filter traffic if it doesn't make it to the firewall ;)

Ken

 

 

PCNSE NSE StrongSwan
bendsley
New Contributor II

I don't guess that makes sense for what I'm trying to accomplish.  I currently have 11 subnets on this VPC.  I would really have to create the firewall instance with 11 ports?  What if I decide to add 50 subnets; how do I get those routed to the FortiGate?  Surely it doesn't support 50 ports?

 

emnoc
Esteemed Contributor III

Correct, and within the VPC you have routing natively between subnets defined in the VPC and the main route table. Did you follow the AWS deployment guide from FTNT?

 

 

PCNSE NSE StrongSwan
bendsley
New Contributor II

I did, yes.  I have a route table sending traffic from, say, VLAN 250 to the FortiGate.

I have the routes 172.250.0.0/16 (the main route) and then 0.0.0.0/0 going to the inside interface on the FGT.

That route table has two subnet associations with it: the 253 subnet (inside interface main IP) and then the VLAN 250 subnet.
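The thread turns on one question: for each VPC subnet, does traffic actually reach the FortiGate's inside ENI, or does the VPC router deliver it somewhere else? The following audit script is an added example, not code from the thread or from Fortinet. It models AWS route-table semantics (explicit subnet association, otherwise the main route table; longest-prefix match; the VPC-local route delivering intra-VPC traffic directly) over constructed data shaped like trimmed `describe-route-tables` output. The ENI id, gateway id, subnet ids and the extra subnet are placeholders; the CIDRs and the two routes are the ones bendsley describes above.

```python
"""Audit which VPC subnets really send traffic through the firewall ENI.

All data below is constructed to mirror the thread: one custom route table
associated with the 253 and 250 subnets, with 0.0.0.0/0 pointing at the
FortiGate inside interface, plus a third subnet (assumed) that still uses
the VPC main route table and therefore bypasses the firewall.
"""
import ipaddress

VPC_CIDR = "172.250.0.0/16"
FGT_INSIDE_ENI = "eni-PLACEHOLDER-fgt-port2"   # placeholder, not a real id

# Constructed sample, shaped like a trimmed `aws ec2 describe-route-tables`.
ROUTE_TABLES = [
    {
        "Id": "rtb-main", "Main": True, "Associations": [],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "Target": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "Target": "igw-PLACEHOLDER"},
        ],
    },
    {
        "Id": "rtb-fgt-inside", "Main": False,
        "Associations": ["subnet-253", "subnet-250"],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "Target": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "Target": FGT_INSIDE_ENI},
        ],
    },
]

# Subnet ids are placeholders; the first two CIDRs come from the thread.
SUBNETS = {
    "subnet-253": "172.250.253.0/24",
    "subnet-250": "172.250.250.0/24",
    "subnet-other": "172.250.7.0/24",   # assumed: never associated explicitly
}


def lookup(route_table, dst):
    """Return the target of the most specific route matching dst (longest prefix)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, route["Target"]
    return best_target


def subnet_table(route_tables, subnet_id):
    """An explicit association wins; otherwise the VPC main route table applies."""
    for rt in route_tables:
        if subnet_id in rt["Associations"]:
            return rt
    return next(rt for rt in route_tables if rt["Main"])


def next_hops(route_tables, subnets, dst):
    """Map each subnet id to the next hop its route table picks for dst."""
    return {sid: lookup(subnet_table(route_tables, sid), dst) for sid in subnets}


def firewall_bypass(route_tables, subnets, fw_target, dst):
    """Subnet ids whose traffic to dst is NOT handed to the firewall ENI."""
    hops = next_hops(route_tables, subnets, dst)
    return sorted(sid for sid, hop in hops.items() if hop != fw_target)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "the internet".
    for label, dst in [("internet", "203.0.113.10"),
                       ("FGT VLAN 250 IP", "172.250.250.254")]:
        print(f"destination {label} ({dst}):")
        for sid, hop in next_hops(ROUTE_TABLES, SUBNETS, dst).items():
            flag = "" if hop == FGT_INSIDE_ENI else "   <-- not via firewall"
            print(f"  {sid:14s} -> {hop}{flag}")
```

Two things the report makes visible that the posts only hint at: a subnet left on the main route table (the assumed `subnet-other`) reaches the internet without ever touching the FortiGate, which is exactly the "can't filter traffic if it doesn't make it to the firewall" case; and for any destination inside the VPC CIDR, every subnet resolves to `local`, so the VPC fabric delivers the packet itself rather than handing it to the inside ENI. That is why a route table pointing 0.0.0.0/0 at port2 does nothing for traffic between two VPC subnets, and why reachability of a secondary address on that ENI has to be checked at the VPC level (which addresses the ENI actually owns) rather than assumed from the FortiGate's own interface configuration.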

sboonyakiat

Bendsley, I couldn't even get the private interface working on the FortiGate.  My ping dropped at the public interface and couldn't even get across.  Do you mind sharing your config?
