
AWS Administration Guide

Validating the configuration

Since traffic between the Internet and the application EC2 instance flows through the FortiGate Geneve interface, this example creates a FortiOS firewall policy that allows communication from the Geneve interface to the Geneve interface. The following shows an example policy.

Caution

This policy is intended for easy debugging and therefore also includes IPv6 source and destination addresses. Do not configure this policy in a production environment.

To configure the policy:

config firewall policy
    edit 1
        set name "test_policy"
        set srcintf "awsgeneve"
        set dstintf "awsgeneve"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
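The caution above is the kind of thing an auditor wants to catch automatically before a debugging policy reaches production. As an added example (not part of the Fortinet guide), the following parses a FortiOS `config firewall policy` block and lists why a policy such as test_policy is wide open; SAMPLE_CONFIG is the policy text from this page, and the parser assumes the standard `edit`/`set`/`next`/`end` layout shown here.

```python
# SAMPLE_CONFIG is the test policy from this page, embedded so the example runs offline.
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set name "test_policy"
        set srcintf "awsgeneve"
        set dstintf "awsgeneve"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

def parse_firewall_policies(config_text):
    """Return {policy_id: {attr: value}} for each 'edit N ... next' entry."""
    policies, current, cur_id, in_block = {}, None, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif in_block and line.startswith("edit "):
            cur_id, current = line.split(None, 1)[1], {}
        elif in_block and current is not None and line.startswith("set "):
            # 'set key "value"' or 'set key value'; surrounding quotes are stripped.
            # Multi-value lines (set srcaddr "a" "b") are kept as one string.
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
        elif in_block and line == "next":
            policies[cur_id], current = current, None
        elif in_block and line == "end":
            in_block = False
    return policies

def permissive_findings(policy):
    """Reasons an accept policy is wide open (empty list if none or not accept)."""
    if policy.get("action") != "accept":
        return []
    checks = [
        (policy.get("srcaddr") == "all" and policy.get("dstaddr") == "all",
         "any IPv4 source to any IPv4 destination"),
        (policy.get("srcaddr6") == "all" and policy.get("dstaddr6") == "all",
         "any IPv6 source to any IPv6 destination"),
        (policy.get("service") == "ALL", "service ALL"),
    ]
    return [reason for hit, reason in checks if hit]
```

Run it over a `show firewall policy` export to list every policy whose findings list is non-empty; the same ingress and egress interface is deliberately not flagged, because that is how GWLB traffic is expected to traverse the Geneve interface.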

To run a packet sniffer on the Geneve interface created to handle GWLB traffic:

In this example, the virtual domain (VDOM) name is FG-traffic. When multiple VDOM mode (available only on bring-your-own-license instances) is enabled, substitute the name of your VDOM for FG-traffic.

  1. Run a packet sniffer:

    config vdom
    edit FG-traffic
    diagnose sniffer packet awsgeneve

  2. While the packet capture is running, attempt to access/ping a resource in the application subnet (protected subnet). The ping should succeed. The following shows the FortiGate packet capture for this access attempt:

  3. While the packet capture runs, attempt to access/ping an Internet resource from the protected resource. The ping should succeed. The following shows the FortiGate packet capture for this access attempt: