
AWS Administration Guide


Use case: Traffic inspection with DNI and VLANs

This example uses a new FortiGate-VM and two Linux VM images created with the image conversion, upload, snapshot, and AMI creation steps in Generating a raw image and registering it in OpsHub.

The following table lists the virtual network interface (VNI) entries for the example deployment topology:

EC2 instance

Inside IP address

Outside IP address

FortiGate-VM

34.233.14.234

10.250.0.69

To set up this use case:
  1. Create two DNIs for the FortiGate specifying the VLAN ID in each command:

    Note

    Each run of the create-direct-network-interface command attaches a DNI to the next port on the FortiGate-VM, in ascending port order. In this example, the first command attaches a DNI to port2 (VLAN 10) and the second command attaches a DNI to port3 (VLAN 20).

    # Create two DNIs on the FortiGate-VM instance (s.i-123456), both over the same
    # physical NIC (s.ni-654321). Per the note above, the first call lands on port2
    # (VLAN 10) and the second on port3 (VLAN 20). The --endpoint is the Snowball
    # Edge device's local management address.
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-123456 --physical-network-interface-id  s.ni-654321 --vlan 10
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-123456 --physical-network-interface-id  s.ni-654321 --vlan 20
    
  2. Attach a DNI to the first Linux instance:

    # First Linux instance (s.i-789023) joins VLAN 10, the same VLAN as FortiGate port2.
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-789023 --physical-network-interface-id s.ni-654321 --vlan 10

  3. Attach a DNI to the second Linux instance:

    # Second Linux instance (s.i-567098) joins VLAN 20, the same VLAN as FortiGate port3.
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-567098 --physical-network-interface-id s.ni-654321 --vlan 20

To configure the FortiGate:
# Interface configuration for the FortiGate-VM. port1 takes its address by DHCP and
# is presumably the outside/management interface (see the VNI table above -- confirm);
# port2 and port3 front the two inspected VLAN segments. Per the DNI note above, the
# first DNI lands on port2 (VLAN 10) and the second on port3 (VLAN 20).
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        # fgfm keeps the FortiManager management protocol reachable on port1.
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        # Segment 1 (VLAN 10); the test client in the example log is 192.168.111.64.
        set ip 192.168.111.63 255.255.255.0
        # NOTE(review): http and telnet are cleartext management protocols. For anything
        # beyond this lab, limit allowaccess on the data-plane ports to https and ssh
        # (plus ping/snmp only if the segment is monitored).
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 6
    next
    edit "port3"
        set vdom "root"
        # Segment 2 (VLAN 20); the test server in the example log is 192.168.112.65.
        set ip 192.168.112.63 255.255.255.0
        # NOTE(review): same cleartext-management caveat as port2.
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 7
    next
end
# Inspection policy for traffic from the VLAN 10 segment (port2) to the VLAN 20
# segment (port3). UTM is enabled with the default AV, IPS and application-control
# profiles; the default AV profile is what blocks the EICAR transfer in the test
# steps below (profile="default", dtype="av-engine", action="blocked" in the log).
config firewall policy
    edit 1
        # The poluuid in the example log entry below matches this UUID.
        set uuid ca0d22da-362d-51ee-4b39-36a4d673891f
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        # NOTE(review): all/all/always/ALL is a lab-wide permit. Production policies
        # should scope srcaddr, dstaddr and service to what the segments actually need.
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        # certificate-inspection validates the server certificate only and does not
        # decrypt TLS payloads, so AV scanning here relies on the test transfer being
        # plain HTTP (service="HTTP" in the example log). Use a deep-inspection profile
        # if HTTPS content must be scanned.
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        # NOTE(review): nat enable source-NATs port2 -> port3 traffic, so the destination
        # instance does not see the client's real address; confirm this is intended for
        # the inspection path. The example log still records the pre-NAT srcip
        # (192.168.111.64).
        set nat enable
    next
end
To test the configuration:
  1. From one Linux instance, attempt to transfer a virus test file (such as the EICAR test file) to the other instance. FortiOS blocks the transfer and generates a log entry recording the block.

  2. View the logs by running the execute log display command. Example output:

    1: date=2023-08-08 time=13:58:37 eventtime=1691528317272831227 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="ca0d22da-362d-51ee-4b39-36a4d673891f" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=33993 srcip=192.168.111.64 dstip=192.168.112.65 srcport=59168 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="5d4592ce-33ce-51ee-06a6-2ea90a21e46e" dstuuid="5d4592ce-33ce-51ee-06a6-2ea90a21e46e" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://192.168.112.65/eicar.com" profile="default" agent="curl/7.81.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

Use case: Traffic inspection with DNI and VLANs

This example uses a new FortiGate-VM and two Linux VM images created with the image conversion, upload, snapshot, and AMI creation steps in Generating a raw image and registering it in OpsHub.

The following table lists the virtual network interface (VNI) entries for the example deployment topology:

EC2 instance

Inside IP address

Outside IP address

FortiGate-VM

34.233.14.234

10.250.0.69

To set up this use case:
  1. Create two DNIs for the FortiGate specifying the VLAN ID in each command:

    Note

    Each run of the create-direct-network-interface command attaches a DNI to the next port on the FortiGate-VM, in ascending port order. In this example, the first command attaches a DNI to port2 (VLAN 10) and the second command attaches a DNI to port3 (VLAN 20).

    # Create two DNIs on the FortiGate-VM instance (s.i-123456), both over the same
    # physical NIC (s.ni-654321). Per the note above, the first call lands on port2
    # (VLAN 10) and the second on port3 (VLAN 20). The --endpoint is the Snowball
    # Edge device's local management address.
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-123456 --physical-network-interface-id  s.ni-654321 --vlan 10
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-123456 --physical-network-interface-id  s.ni-654321 --vlan 20
    
  2. Attach a DNI to the first Linux instance:

    # First Linux instance (s.i-789023) joins VLAN 10, the same VLAN as FortiGate port2.
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-789023 --physical-network-interface-id s.ni-654321 --vlan 10

  3. Attach a DNI to the second Linux instance:

    # Second Linux instance (s.i-567098) joins VLAN 20, the same VLAN as FortiGate port3.
    snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-567098 --physical-network-interface-id s.ni-654321 --vlan 20

To configure the FortiGate:
# Interface configuration for the FortiGate-VM. port1 takes its address by DHCP and
# is presumably the outside/management interface (see the VNI table above -- confirm);
# port2 and port3 front the two inspected VLAN segments. Per the DNI note above, the
# first DNI lands on port2 (VLAN 10) and the second on port3 (VLAN 20).
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        # fgfm keeps the FortiManager management protocol reachable on port1.
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        # Segment 1 (VLAN 10); the test client in the example log is 192.168.111.64.
        set ip 192.168.111.63 255.255.255.0
        # NOTE(review): http and telnet are cleartext management protocols. For anything
        # beyond this lab, limit allowaccess on the data-plane ports to https and ssh
        # (plus ping/snmp only if the segment is monitored).
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 6
    next
    edit "port3"
        set vdom "root"
        # Segment 2 (VLAN 20); the test server in the example log is 192.168.112.65.
        set ip 192.168.112.63 255.255.255.0
        # NOTE(review): same cleartext-management caveat as port2.
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 7
    next
end
# Inspection policy for traffic from the VLAN 10 segment (port2) to the VLAN 20
# segment (port3). UTM is enabled with the default AV, IPS and application-control
# profiles; the default AV profile is what blocks the EICAR transfer in the test
# steps below (profile="default", dtype="av-engine", action="blocked" in the log).
config firewall policy
    edit 1
        # The poluuid in the example log entry below matches this UUID.
        set uuid ca0d22da-362d-51ee-4b39-36a4d673891f
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        # NOTE(review): all/all/always/ALL is a lab-wide permit. Production policies
        # should scope srcaddr, dstaddr and service to what the segments actually need.
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        # certificate-inspection validates the server certificate only and does not
        # decrypt TLS payloads, so AV scanning here relies on the test transfer being
        # plain HTTP (service="HTTP" in the example log). Use a deep-inspection profile
        # if HTTPS content must be scanned.
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        # NOTE(review): nat enable source-NATs port2 -> port3 traffic, so the destination
        # instance does not see the client's real address; confirm this is intended for
        # the inspection path. The example log still records the pre-NAT srcip
        # (192.168.111.64).
        set nat enable
    next
end
To test the configuration:
  1. From one Linux instance, attempt to transfer a virus test file (such as the EICAR test file) to the other instance. FortiOS blocks the transfer and generates a log entry recording the block.

  2. View the logs by running the execute log display command. Example output:

    1: date=2023-08-08 time=13:58:37 eventtime=1691528317272831227 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="ca0d22da-362d-51ee-4b39-36a4d673891f" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=33993 srcip=192.168.111.64 dstip=192.168.112.65 srcport=59168 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="5d4592ce-33ce-51ee-06a6-2ea90a21e46e" dstuuid="5d4592ce-33ce-51ee-06a6-2ea90a21e46e" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://192.168.112.65/eicar.com" profile="default" agent="curl/7.81.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"