AWS EC2 Instance

Author
MrJingles
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/11 04:56:28
  • Status: offline
2020/06/11 12:22:09 (permalink)
0

AWS EC2 Instance

Hi Guys
 
Hope this is the correct section to post in.
 
We are testing a fortigate VM64-AWS. We also have a mikrotik cloud hosted router in AWS on EC2 as well within the same VPC and same subnet.
 
I have done the basic config but can't seem to pass traffic to the internet going through the fortigate.
 
I have set my mikrotik as connected on the LAN interface of the Fortigate and they are both in the same subnet. As a test, I just routed 8.8.8.8 from the mikrotik to the fortigate LAN IP but I am not getting internet breakout. 
 
I have done a diag sniffer and can only see the ping from the mik to the forti but not the ping from the mik to google.
 
I have never worked with fortigate previously so not sure if I'm doing something wrong.
 
I have a default route configured on the forti.
 
Not sure what I am doing wrong.
 
We basically want to run the forti as the firewall that sits between our mik(where our customers live) and the internet.
 
Please let me know what other info you need.
#1

11 Replies

    Patel
    New Member
    • Total Posts : 14
    • Scores: 2
    • Reward points: 0
    • Joined: 2020/05/10 04:04:40
    • Status: offline
    Re: AWS EC2 Instance 2020/06/12 01:41:58 (permalink)
    0
    Hi,
     
    I think you are missing a policy from what you just explained in the post. You might want to create a policy on FortiGate with NAT enabled if you configured the WAN interface that way. You can refer to the link below to set up basic Internet connectivity.
     
    https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/421070/installing-a-fortigate-in-nat-mode
     
    Kind Regards,
    Patel
    #2
    MrJingles
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/06/11 04:56:28
    • Status: offline
    Re: AWS EC2 Instance 2020/06/12 04:08:57 (permalink)
    0
    Hi Patel
    I already have the NAT rule in place. It is set up exactly as in the cookbook. I've tried everything and I don't know what I am missing. Not sure if it something on the AWS config that could be wrong?
     
    I've disabled the security profiles and spun up a new router vm and new forti just to test with two new instances but I still can't find the problem.
     
    The forti has internet access because I'm accessing it from the WAN side so it must be something small I'm missing.
    #3
    Patel
    New Member
    • Total Posts : 14
    • Scores: 2
    • Reward points: 0
    • Joined: 2020/05/10 04:04:40
    • Status: offline
    Re: AWS EC2 Instance 2020/06/13 17:42:41 (permalink)
    0
    Hi MrJingles,
     
    Apply the debug commands below and see the output. It should show you the message why FortiGate is dropping the packets. If FortiGate is doing that.
     
    # diag debug reset
    # diag debug flow filter clear
    # diag debug flow filter proto 1
    # diag debug flow filter addr 8.8.8.8
    # diag debug console tim en
    # diag debug flow show function-name enable
    # diag debug flow show ip enable
    # diag debug flow trace start 999
    # diag debug enable
     
    After that, try pinging 8.8.8.8 from the internal network
    You will be able to see flow of the packets.
     
    Let me know if that works or not.
     
    Regards,
    Patel
     
    #4
    MrJingles
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/06/11 04:56:28
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 04:51:32 (permalink)
    0
    I have done all the commands but I don't see anything.
     
    If I do a packet sniff on the LAN port I only see the ping from the router to the forti and its reply but nothing else.
     
    cpt01f01 # diagnose sniffer packet port2
    interfaces=[port2]
    filters=[none]
    1.248557 172.18.0.91 -> 172.18.0.145: icmp: echo request
    1.248595 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    2.250308 172.18.0.91 -> 172.18.0.145: icmp: echo request
    2.250346 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    3.250393 172.18.0.91 -> 172.18.0.145: icmp: echo request
    3.250426 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    4.246641 172.18.0.91 -> 172.18.0.145: icmp: echo request
    4.246661 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    5.249164 172.18.0.91 -> 172.18.0.145: icmp: echo request
    5.249187 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    6.249905 172.18.0.91 -> 172.18.0.145: icmp: echo request
    6.249946 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    7.248967 172.18.0.91 -> 172.18.0.145: icmp: echo request
    7.248985 172.18.0.145 -> 172.18.0.91: icmp: echo reply
    8.245807 172.18.0.91 -> 172.18.0.145: icmp: echo request
     
    Thanks
    #5
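    As an added check (example code, not from the thread or from Fortinet): a small parser for sniffer output in the format posted above that collapses the capture to one row per conversation and reports whether any packet toward a given destination appeared on the interface. The sample text is the sniffer output from this reply; the diagnosis wording is the example's own.

```python
"""Summarise FortiGate 'diagnose sniffer packet' output.

Added example, not from the thread or from Fortinet. The sample text is
copied from the sniffer output posted in the thread; the diagnosis
wording is this example's own.
"""
import re
from collections import Counter

# Verbosity-1 sniffer line: "<timestamp> <src> -> <dst>: <proto>: <detail>"
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+"
    r"(?P<proto>\w+):\s+(?P<detail>.*)$"
)

SAMPLE_OUTPUT = """\
cpt01f01 # diagnose sniffer packet port2
interfaces=[port2]
filters=[none]
1.248557 172.18.0.91 -> 172.18.0.145: icmp: echo request
1.248595 172.18.0.145 -> 172.18.0.91: icmp: echo reply
2.250308 172.18.0.91 -> 172.18.0.145: icmp: echo request
2.250346 172.18.0.145 -> 172.18.0.91: icmp: echo reply
3.250393 172.18.0.91 -> 172.18.0.145: icmp: echo request
3.250426 172.18.0.145 -> 172.18.0.91: icmp: echo reply
4.246641 172.18.0.91 -> 172.18.0.145: icmp: echo request
4.246661 172.18.0.145 -> 172.18.0.91: icmp: echo reply
5.249164 172.18.0.91 -> 172.18.0.145: icmp: echo request
5.249187 172.18.0.145 -> 172.18.0.91: icmp: echo reply
6.249905 172.18.0.91 -> 172.18.0.145: icmp: echo request
6.249946 172.18.0.145 -> 172.18.0.91: icmp: echo reply
7.248967 172.18.0.91 -> 172.18.0.145: icmp: echo request
7.248985 172.18.0.145 -> 172.18.0.91: icmp: echo reply
8.245807 172.18.0.91 -> 172.18.0.145: icmp: echo request
"""


def host_of(token):
    """Strip a trailing port from 'a.b.c.d.port' (TCP/UDP lines); ICMP lines carry none."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def parse_sniffer(text):
    """Return one dict per packet line; the prompt and banner lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m:
            packets.append({
                "ts": float(m["ts"]),
                "src": host_of(m["src"]),
                "dst": host_of(m["dst"]),
                "proto": m["proto"],
                "detail": m["detail"].strip(),
            })
    return packets


def conversations(packets):
    """Count packets per (src, dst, proto, detail) so a long capture collapses to a few rows."""
    return Counter((p["src"], p["dst"], p["proto"], p["detail"]) for p in packets)


def saw_address(packets, addr):
    """True if addr appears as source or destination of any captured packet."""
    return any(addr in (p["src"], p["dst"]) for p in packets)


def diagnose(packets, client, gateway, target):
    """Turn the capture into the next troubleshooting step."""
    if saw_address(packets, target):
        return ("packets toward %s reach this interface: check policy, NAT and "
                "the flow debug filter" % target)
    if any(p["src"] == client and p["dst"] == gateway for p in packets):
        return ("%s reaches %s, but nothing toward %s arrives on this interface: "
                "check the client's route and the path between client and FortiGate"
                % (client, gateway, target))
    return "no packets from %s seen on this interface at all" % client


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_OUTPUT)
    for (src, dst, proto, detail), n in conversations(pkts).items():
        print("%3d  %s -> %s  %s %s" % (n, src, dst, proto, detail))
    print(diagnose(pkts, "172.18.0.91", "172.18.0.145", "8.8.8.8"))
```

    Run against the capture above it reduces the fifteen lines to two rows (eight echo requests from .91 to .145, seven replies back) and reports that no packet addressed to 8.8.8.8 ever arrived on port2, which is the distinction the later replies turn on: a policy or NAT problem would still show the packet arriving.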
    sw2090
    Expert Member
    • Total Posts : 824
    • Scores: 60
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 05:57:07 (permalink)
    0
    Please do yourself a favour and use flow debug as mentioned above.
    Packet sniffer won't show you enough information about what happened to the packet.
    #6
    MrJingles
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/06/11 04:56:28
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 07:23:24 (permalink)
    0
    Hi, as I said, nothing happens when I do the debug flow for 8.8.8.8.
     
    If I do it for the host 172.18.0.91 which is the source then I see the ping between the host and the fortigate but if I do 8.8.8.8 I don't see anything on the fortigate.
     
    cpt01f01 # diag debug enable
    cpt01f01 # diag debug flow trace start 999
    cpt01f01 #
     
    nothing happens?
    #7
    sw2090
    Expert Member
    • Total Posts : 824
    • Scores: 60
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 07:30:47 (permalink)
    0
    If you don't see anything in flow debug that means either no packets match your filter(s) or the traffic does not reach the Fortigate at all.
    You could use packet sniffer to verify if the fortigate gets those packets. If it does your filter(s) don't match.
     
    Maybe check the settings of your client. Does it use the Fortigate as default gw?
     
    #8
    MrJingles
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/06/11 04:56:28
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 07:44:24 (permalink)
    0
    Yes, I have set the default route of the client to point to the fortigate so all traffic should flow to the fortigate.
     
    Both the "client" (cloud hosted router) and the fortigate are on the same VPC and same subnet on AWS and I am able to ping the fortigate from the router but nothing past that. 
     
    I am only seeing the client to fortigate ping on the sniffer, nothing else.
    #9
    sw2090
    Expert Member
    • Total Posts : 824
    • Scores: 60
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 08:10:05 (permalink)
    0
    The client, the FGT and the AWS are in the same subnet? Did I get that right?
    If so you should be able to reach the AWS from the router too.
    Hm, FGT should thus see your internet traffic. It will not see intra-subnet traffic (except if it is the destination) if they are on the same subnet.
    So looks more to me as if your filters don't match on flow debug.
     
    #10
    sw2090
    Expert Member
    • Total Posts : 824
    • Scores: 60
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: AWS EC2 Instance 2020/06/15 08:14:55 (permalink)
    0
    hm
    if you do
    diag debug enable
    diag debug flow filter clear
    diag debug flow filter saddr 172.18.0.91
    diag debug flow trace start 999
     
    do you then see anything?
    Then you should see any traffic from 172.18.0.91 to FGT.
     
    you probably will see nothing if you use 172.18.0.91 as saddr and 8.8.8.8 as daddr as there is NAT in between them.
    So traffic coming in from 8.8.8.8 will have your wan ip as destination and the FGT will then rewrite that.
     
     
    #11
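    To make the NAT point concrete, an added example (not from the thread or from Fortinet): it lists the four views a source-NAT firewall has of one ping and shows which filter terms match at each of them. The filter semantics are an assumed approximation of `diag debug flow filter` (`addr` matches either side, `saddr`/`daddr` one side, `proto` by IP protocol number, all terms AND-ed), and the WAN address is a constructed placeholder.

```python
"""Which 'diag debug flow filter' terms match a NATed flow, stage by stage.

Added example, not from the thread or from Fortinet. Filter semantics are an
assumed approximation (addr matches either side, saddr/daddr one side, proto
by IP protocol number, all terms AND-ed). WAN_IP is a constructed placeholder.
"""
from dataclasses import dataclass

CLIENT = "172.18.0.91"     # the router, from the thread
WAN_IP = "203.0.113.10"    # constructed placeholder for the FortiGate WAN address
TARGET = "8.8.8.8"

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Packet:
    stage: str   # where in the firewall the packet is observed
    src: str
    dst: str
    proto: str


def nated_flow(client, wan_ip, target, proto="icmp"):
    """The four views of one ping through a source-NAT firewall."""
    return [
        Packet("outbound pre-NAT, ingress on LAN", client, target, proto),
        Packet("outbound post-NAT, egress on WAN", wan_ip, target, proto),
        Packet("reply pre-unNAT, ingress on WAN", target, wan_ip, proto),
        Packet("reply post-unNAT, egress on LAN", target, client, proto),
    ]


def filter_matches(flt, pkt):
    """flt is a dict with any of: proto (number), saddr, daddr, addr."""
    if "proto" in flt and PROTO_NAMES.get(flt["proto"]) != pkt.proto:
        return False
    if "saddr" in flt and flt["saddr"] != pkt.src:
        return False
    if "daddr" in flt and flt["daddr"] != pkt.dst:
        return False
    if "addr" in flt and flt["addr"] not in (pkt.src, pkt.dst):
        return False
    return True


def matching_stages(flt, flow):
    """Names of the stages at which the filter would produce trace output."""
    return [p.stage for p in flow if filter_matches(flt, p)]


if __name__ == "__main__":
    flow = nated_flow(CLIENT, WAN_IP, TARGET)
    for name, flt in [
        ("proto 1 addr 8.8.8.8", {"proto": 1, "addr": TARGET}),
        ("saddr 172.18.0.91", {"saddr": CLIENT}),
        ("saddr 172.18.0.91 daddr 8.8.8.8", {"saddr": CLIENT, "daddr": TARGET}),
    ]:
        print(name)
        for stage in matching_stages(flt, flow) or ["(no stage matches)"]:
            print("   ", stage)
```

    The `proto 1` / `addr 8.8.8.8` filter from reply #4 matches at every stage, including the reply that arrives addressed to the WAN IP, so an empty trace with that filter means the FortiGate never received a packet involving 8.8.8.8 at all, which agrees with the port2 sniffer showing only the client-to-FortiGate ping. A `saddr`/`daddr` pair, by contrast, matches only the outbound pre-NAT view.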
    MrJingles
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/06/11 04:56:28
    • Status: offline
    Re: AWS EC2 Instance 2020/06/17 18:27:35 (permalink)
    0
    For some reason the traffic is not reaching the fortigate. I tested this with other instances as well, other than fortigate, and it is producing the same results. I've redone all the route tables and VPCs/subnets etc. without any luck.
     
    I decided to ditch that attempt and rather do IPSEC between the devices which is working.
     
    Thanks for all the effort to try and help solve the problem. I think it is the way amazon routing tables work and I'm just not familiar enough with their way of routing to understand and find the problem. IPSEC is working though after some struggling but it does what is needed.
     
    Thanks
    #12