Administration Guide

Distributed egress: north-south traffic Example

Scenario objective

The FortiGate CNF instance inspects all traffic outbound to the internet.

Before deployment of FortiGate CNF

Before deployment of FortiGate CNF, the traffic flow is as follows:

  1. Workload resources are situated in Private Subnet (10.1.3.0/24).

  2. Outbound traffic goes from Private Subnet to the NAT Gateway located in Public Subnet (10.1.2.0/24).

  3. Traffic then passes out through the Internet Gateway.

Routing tables

The routing tables are defined as follows.

Public Subnet route table

    Destination    Target
    0.0.0.0/0      Internet Gateway

Private Subnet route table

    Destination    Target
    10.1.0.0/16    Local

After deployment of FortiGate CNF

After deployment of FortiGate CNF, the traffic flow is as follows:

  1. Workload resources are situated in Private Subnet (10.1.3.0/24).

  2. Outbound traffic goes from Private Subnet to the GWLBe located in CNF Endpoint Subnet (10.1.1.0/24).

  3. Traffic is sent to the FortiGate CNF instance for inspection.

  4. FortiGate CNF sends traffic back to the GWLBe.

  5. The GWLBe forwards the traffic to the NAT Gateway located in Public Subnet (10.1.2.0/24).

  6. Traffic then passes out through the Internet Gateway.

To deploy the FortiGate CNF instance in this scenario:

  1. In AWS, add a subnet named CNF Endpoint Subnet (10.1.1.0/24) and its associated route table:

     Destination    Target
     10.1.0.0/16    Local
     0.0.0.0/0      NAT Gateway

  2. In FortiGate CNF, deploy a GWLBe to this subnet.

  3. In AWS, add a route to the Public Subnet route table so that traffic destined for the VPC (10.1.0.0/16) is sent to the GWLBe:

     Destination    Target
     10.1.0.0/16    GWLBe
     0.0.0.0/0      Internet Gateway

  4. In AWS, add a route to the Private Subnet route table so that all outbound traffic (0.0.0.0/0) is sent to the GWLBe:

     Destination    Target
     10.1.0.0/16    Local
     0.0.0.0/0      GWLBe
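The six-hop flow and the three route tables above compose into a path that can be checked offline before anything is changed in AWS. The following Python script is an added example and is not part of the Fortinet guide: it models the three subnets and the route tables from the procedure, performs longest-prefix lookups the way the VPC router does, and traces the outbound flow and its return path, reporting whether each direction passed through FortiGate CNF. It also shows the effect of skipping step 3: return traffic leaving the NAT Gateway follows the Public Subnet's Local route for 10.1.0.0/16 and reaches the workload without revisiting the GWLBe, so the inspection point sees only one direction of the flow. The target names are labels rather than AWS resource IDs, and the addresses 10.1.3.10 and 198.51.100.10 and the MISSING_STEP_3 table are constructed for the example.

```python
import ipaddress

# Added example (not from the Fortinet guide): an offline model of the VPC routing
# described in the "After deployment of FortiGate CNF" section. Subnet CIDRs and
# route-table contents come from that section; targets are labels, not real AWS
# resource IDs, and the IP addresses used in the checks are constructed.

SUBNETS = {
    "Private Subnet": "10.1.3.0/24",
    "CNF Endpoint Subnet": "10.1.1.0/24",
    "Public Subnet": "10.1.2.0/24",
}

# Route tables after steps 1, 3 and 4 of the procedure.
ROUTE_TABLES = {
    "Private Subnet": [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "GWLBe")],
    "CNF Endpoint Subnet": [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "NAT Gateway")],
    "Public Subnet": [("10.1.0.0/16", "GWLBe"), ("0.0.0.0/0", "Internet Gateway")],
}

# Constructed misconfiguration: step 3 skipped, so the Public Subnet keeps a plain
# Local route for the VPC CIDR and return traffic never reaches the GWLBe.
MISSING_STEP_3 = dict(ROUTE_TABLES)
MISSING_STEP_3["Public Subnet"] = [("10.1.0.0/16", "Local"), ("0.0.0.0/0", "Internet Gateway")]


def lookup(route_table, dst):
    """Return the target of the longest-prefix route matching dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_of(ip):
    """Name of the VPC subnet containing ip, or None if it lies outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def trace(start_subnet, dst, tables=ROUTE_TABLES, max_hops=8):
    """Follow a packet from start_subnet toward dst, one route lookup per hop.

    Returns (hops, inspected). A GWLBe target hands the packet to FortiGate CNF
    and back, after which the CNF Endpoint Subnet's table routes it onward; a
    NAT Gateway target continues with the Public Subnet's table. Local and
    Internet Gateway are terminal; a missing route is reported as BLACKHOLE and
    exceeding max_hops as LOOP.
    """
    hops, inspected, current = [start_subnet], False, start_subnet
    for _ in range(max_hops):
        target = lookup(tables[current], dst)
        if target is None:
            return hops + ["BLACKHOLE"], inspected
        if target == "Local":
            return hops + [subnet_of(dst) or "BLACKHOLE"], inspected
        if target == "Internet Gateway":
            return hops + ["Internet Gateway"], inspected
        if target == "GWLBe":
            hops += ["GWLBe", "FortiGate CNF", "GWLBe"]
            inspected = True
            current = "CNF Endpoint Subnet"
        elif target == "NAT Gateway":
            hops.append("NAT Gateway")
            current = "Public Subnet"
        else:
            raise ValueError(f"unknown route target: {target}")
    return hops + ["LOOP"], inspected


def inspected_both_ways(tables, workload_ip="10.1.3.10", internet_ip="198.51.100.10"):
    """True only if the outbound flow and its return path both traverse FortiGate CNF."""
    _, out_ok = trace("Private Subnet", internet_ip, tables)
    # Return traffic re-enters the VPC at the NAT Gateway in the Public Subnet,
    # already translated back to the workload's private address.
    _, in_ok = trace("Public Subnet", workload_ip, tables)
    return out_ok and in_ok


if __name__ == "__main__":
    for label, tables in (("as documented", ROUTE_TABLES), ("step 3 skipped", MISSING_STEP_3)):
        print(label, "outbound:", trace("Private Subnet", "198.51.100.10", tables))
        print(label, "return:  ", trace("Public Subnet", "10.1.3.10", tables))
        print(label, "inspected both ways:", inspected_both_ways(tables))
```

Running the script prints the documented hop sequence (Private Subnet, GWLBe, FortiGate CNF, GWLBe, NAT Gateway, Internet Gateway) for the outbound flow and the mirrored sequence for the return path. The same model flags two routing mistakes worth ruling out before go-live: a default route on the CNF Endpoint Subnet that points back at the GWLBe produces a LOOP, and the MISSING_STEP_3 table produces a return path that skips the firewall entirely, which `inspected_both_ways` reports as False.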
