FortiGate 2-ARM Mode integration with AWS GWLB

ElleryCen 601 views 12 slides Jul 01, 2024

About This Presentation

This is a training session for system engineers who want to deploy FortiGate on AWS and integrate it with AWS GWLB in a 2-ARM design.


Slide Content

FortiGate 2-ARM Mode with AWS GWLB. Yitao Cen, Head of Product Marketing, APAC, AWS Ambassador

One-arm firewall deployment with Gateway Load Balancer. The firewall appliance uses only one network interface to inspect the traffic: ingress and egress traffic use the same port. In this scenario, for outbound traffic, the customer needs an additional service such as a NAT Gateway to forward traffic to the Internet. In a FortiGate deployment a second NIC is highly recommended for out-of-band management purposes. https://aws.amazon.com/es/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer/

Two-arm firewall deployment mode for egress traffic inspection. As shown in the figure, the firewall is deployed in two-arm mode and performs both inspection and NAT. For GWLB integration there is no special configuration beyond the regular GENEVE tunnel on UDP port 6081. Firewall networking: the first network interface sits in a private subnet (GWLB-facing), the second network interface in a public subnet. GWLB supports two-arm mode, where the firewall can also perform NAT. https://aws.amazon.com/es/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer/

Configuration example

Topology
1. Traffic from EC2 to the Internet is routed to the GWLB endpoint.
2. Traffic is sent to the GWLB.
3. Traffic goes through the GENEVE tunnel between the GWLB and fg-eni-port2.
4. FortiGate handles the traffic and sends it out of fg-eni-port1, applying NAT.
5. Returning traffic arrives at the FortiGate.
6. Returning traffic is sent back into the GENEVE tunnel.
7. Returning traffic is sent to the GWLB endpoint in the customer VPC.
8. Returning traffic arrives at EC2 from the GWLB endpoint.

FortiGate configurations: GENEVE tunnel

FortiGate configurations: Static routes. The primary default route to 0.0.0.0/0 goes via 'port1'. If a route to 0.0.0.0/0 via 'awsgeneve' also exists, it must be configured with a higher priority value (in FortiOS a higher priority value means the route is less preferred) so that it never wins over the port1 route and causes connectivity issues. The route via 'awsgeneve' is only necessary for one-arm deployments.

FortiGate configurations: Policy routes. Policy route 3 forces traffic arriving on the public interface and destined to the customer VPC into the GENEVE tunnel. Policy route 2 is disabled: it would send traffic from EC2 straight back into the GENEVE tunnel, from where the VPC would forward it to the local IGW (or NAT Gateway) instead of the FortiGate NATing it out of port1. Policy route 2 is necessary for one-arm deployments.

FortiGate configurations: Firewall policies. Firewall policy "geneve-to-public" allows outbound traffic from the GENEVE tunnel through FG port1, applying NAT and security profiles.

FortiGate acting as NGFW and NAT. Traffic coming from EC2 through the GENEVE tunnel is forwarded to port1 (public), applying NAT.

FortiGate acting as NGFW and NAT. Caveats: this topology only works for egress traffic, because a Gateway Load Balancer is in the path. It does not work for DNAT, for example using a VIP on the FortiGate to expose resources "behind" the Gateway Load Balancer: if the session does not already exist in the GWLB flow table, the traffic is dropped.