Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate CNF Administration Guide

    Centralized ingress: inspection after load balancer Example

    Centralized ingress: inspection after load balancer Example

    Scenario objective

    Inbound traffic is inspected by a FortiGate CNF instance after passing through the load balancer.

    Before deployment of FortiGate CNF

    In this scenario, there is a dedicated VPC called Inspection VPC that contains the load balancer. The workloads are in different VPCs (VPC A and VPC B), and traffic between VPCs is routed through a transit gateway.

    The Before deployment of FortiGate CNF traffic flow is as follows:

    1. Traffic originates from an external user and enters through the Internet Gateway.

    2. The Internet Gateway sends the traffic to the Load Balancer located in Public Subnet (10.1.2.0/24).

    3. The Load Balancer send the traffic to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24).

    4. The AWS Transit Gateway forwards the traffic to VPC A (10.2.0.0./16) or VPC B (10.3.0.0/16).

    Routing tables

    The routing tables are defined as follows.

    Internet Gatway route table
    Destination Target
    10.1.0.0/16 Local
    Public Subnet route table
    Destination Target
    10.1.0.0/16 Local

    10.0.0.0/8

    AWS Transit Gateway
    TGW Subnet route table
    Destination Target
    10.1.0.0/16 Local
    AWS Transit Gateway route table
    Destination Target
    10.1.0.0/16 Inspection VPC
    10.2.0.0/16 VPC A
    10.3.0.0/16 VPC B

    After deployment of FortiGate CNF

    The After deployment of FortiGate CNF traffic flow is as follows:

    1. Traffic originates from an external user and enters through the Internet Gateway.

    2. The Internet Gateway sends the traffic to the Load Balancer located in Public Subnet (10.1.2.0/24).

    3. The Load Balancer sends the traffic to the GWLBe located in CNF Endpoint Subnet (10.1.1.0/24).

    5. GWLBe sends traffic to the FortiGate CNF instance for inspection.

    6. FortiGate CNF sends traffic back to the GWLBe.

    7. GWLBe sends traffic to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24).

    8. The AWS Transit Gateway forwards the traffic to VPC A (10.2.0.0./16) or VPC B (10.3.0.0/16).

    To deploy the FortiGate CNF instance in this scenario:

    1. In AWS, add a subnet CNF Endpoint Subnet in Inspection VPC along with the associated route table.

      Destination Target
      10.1.0.0/16 Local
      10.0.0.0/8 AWS Transit Gateway

    2. In FortiGate CNF, deploy a GWLBe to this subnet.

    3. In AWS, add a route to the Public Subnet route table where the load balancer resides to route all traffic to 10.0.0.0/8 to the GWLBe.

      Destination Target
      10.1.0.0/16 Local

      0.0.0.0/8

      Internet Gateway

      10.0.0.0/8

      GWLBe

    4. In AWS, add a route to the Transit Gateway Subnet route table to route all traffic to the Load Balancer located in Public Subnet to the GWLBe.

      Destination Target
      10.1.0.0/16 Local
      10.1.2.0/24 GWLBe
    Previous
    Next

    Centralized ingress: inspection after load balancer Example

    Centralized ingress: inspection after load balancer Example

    Scenario objective

    Inbound traffic is inspected by a FortiGate CNF instance after passing through the load balancer.

    Before deployment of FortiGate CNF

    In this scenario, there is a dedicated VPC called Inspection VPC that contains the load balancer. The workloads are in different VPCs (VPC A and VPC B), and traffic between VPCs is routed through a transit gateway.

    The Before deployment of FortiGate CNF traffic flow is as follows:

    1. Traffic originates from an external user and enters through the Internet Gateway.

    2. The Internet Gateway sends the traffic to the Load Balancer located in Public Subnet (10.1.2.0/24).

    3. The Load Balancer send the traffic to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24).

    4. The AWS Transit Gateway forwards the traffic to VPC A (10.2.0.0./16) or VPC B (10.3.0.0/16).

    Routing tables

    The routing tables are defined as follows.

    Internet Gatway route table
    Destination Target
    10.1.0.0/16 Local
    Public Subnet route table
    Destination Target
    10.1.0.0/16 Local

    10.0.0.0/8

    AWS Transit Gateway
    TGW Subnet route table
    Destination Target
    10.1.0.0/16 Local
    AWS Transit Gateway route table
    Destination Target
    10.1.0.0/16 Inspection VPC
    10.2.0.0/16 VPC A
    10.3.0.0/16 VPC B

    After deployment of FortiGate CNF

    The After deployment of FortiGate CNF traffic flow is as follows:

    1. Traffic originates from an external user and enters through the Internet Gateway.

    2. The Internet Gateway sends the traffic to the Load Balancer located in Public Subnet (10.1.2.0/24).

    3. The Load Balancer sends the traffic to the GWLBe located in CNF Endpoint Subnet (10.1.1.0/24).

    5. GWLBe sends traffic to the FortiGate CNF instance for inspection.

    6. FortiGate CNF sends traffic back to the GWLBe.

    7. GWLBe sends traffic to the AWS Transit Gateway located in TGW Subnet (10.1.6.0/24).

    8. The AWS Transit Gateway forwards the traffic to VPC A (10.2.0.0./16) or VPC B (10.3.0.0/16).

    To deploy the FortiGate CNF instance in this scenario:

    1. In AWS, add a subnet CNF Endpoint Subnet in Inspection VPC along with the associated route table.

      Destination Target
      10.1.0.0/16 Local
      10.0.0.0/8 AWS Transit Gateway

    2. In FortiGate CNF, deploy a GWLBe to this subnet.

    3. In AWS, add a route to the Public Subnet route table where the load balancer resides to route all traffic to 10.0.0.0/8 to the GWLBe.

      Destination Target
      10.1.0.0/16 Local

      0.0.0.0/8

      Internet Gateway

      10.0.0.0/8

      GWLBe

    4. In AWS, add a route to the Transit Gateway Subnet route table to route all traffic to the Load Balancer located in Public Subnet to the GWLBe.

      Destination Target
      10.1.0.0/16 Local
      10.1.2.0/24 GWLBe
    Previous
    Next