Since traffic between the Internet and the application EC2 instance flows through the FortiGate Geneve interface, this example creates a FortiOS firewall policy that allows communication from the Geneve interface to the Geneve interface. The following shows an example policy.
This policy facilitates easy debugging. You should not configure this policy in a production environment.
config firewall policy
set name "test_policy"
set srcintf "az2"
set dstintf "az2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
In this example, the VDOM name is FG-traffic. When multiple VDOM mode (available only on BYOL instances) is enabled, substitute the name of your VDOM here for FG-traffic.
- Run a packet sniffer:
diagnose sniffer packet awsgeneve
- While the packet capture is running, attempt to access/ping a resource in the application subnet (protected subnet). The ping should succeed. The following shows the FortiGate packet capture for this access attempt:
While the packet capture is running, attempt to access/ping an Internet resource from the protected resource. The ping should succeed. The following shows the FortiGate packet capture for this access attempt: