Use case: Traffic inspection with DNI and VLANs
This example uses a new FortiGate-VM and two Linux VM images created with the image conversion, upload, snapshot, and AMI creation steps in Generating a raw image and registering it in OpsHub.
The following table provides the virtual network interface (VNI) entry information for the example deployment in the topology:
| EC2 instance | Inside IP address | Outside IP address |
|---|---|---|
| FortiGate-VM | 34.233.14.234 | 10.250.0.69 |
To set up this use case:

1. Create two DNIs for the FortiGate, specifying the VLAN ID in each command. Each command attaches its DNI to the next free port on the FortiGate-VM in ascending order: the first command attaches the DNI to port2 (VLAN 10) and the second attaches the DNI to port3 (VLAN 20).

```
snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-123456 --physical-network-interface-id s.ni-654321 --vlan 10
snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-123456 --physical-network-interface-id s.ni-654321 --vlan 20
```

2. Attach a DNI to the first Linux instance (VLAN 10, the port2 side):

```
snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-789023 --physical-network-interface-id s.ni-654321 --vlan 10
```

3. Attach a DNI to the second Linux instance (VLAN 20, the port3 side):

```
snowballEdge create-direct-network-interface --endpoint https://10.250.0.54 --instance-id s.i-567098 --physical-network-interface-id s.ni-654321 --vlan 20
```
To configure the FortiGate, set up the three interfaces (port1 for management via DHCP, port2 and port3 as the inside and outside inspection interfaces) and a single port2-to-port3 firewall policy with UTM inspection enabled:

```
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.111.63 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 6
    next
    edit "port3"
        set vdom "root"
        set ip 192.168.112.63 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 7
    next
end
```

```
config firewall policy
    edit 1
        set uuid ca0d22da-362d-51ee-4b39-36a4d673891f
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next
end
```
To test the configuration:

1. From a Linux instance, attempt to transfer a virus test file between the instances. The transfer fails and FortiOS generates a log entry showing that it blocked the transfer.

2. View the logs with the `execute log display` command. The following is example output for this command:

```
1: date=2023-08-08 time=13:58:37 eventtime=1691528317272831227 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="ca0d22da-362d-51ee-4b39-36a4d673891f" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=33993 srcip=192.168.111.64 dstip=192.168.112.65 srcport=59168 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" srcuuid="5d4592ce-33ce-51ee-06a6-2ea90a21e46e" dstuuid="5d4592ce-33ce-51ee-06a6-2ea90a21e46e" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://192.168.112.65/eicar.com" profile="default" agent="curl/7.81.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
```
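To confirm from the log that the inspection path works as intended, the entry above can be parsed and checked automatically. The following is an added example, not part of the Fortinet documentation: it parses the FortiOS key=value log format (quoted values may contain spaces and `=`), and checks that a blocked antivirus verdict was produced by the expected port2-to-port3 policy. The sample line is the page's own log entry, shortened to the fields used here.

```python
import re
from typing import Dict

# Shortened copy of the example `execute log display` output above, including the "1: " index prefix.
SAMPLE_LOG = (
    '1: date=2023-08-08 time=13:58:37 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="root" policyid=1 '
    'poluuid="ca0d22da-362d-51ee-4b39-36a4d673891f" msg="File is infected." '
    'action="blocked" service="HTTP" srcip=192.168.111.64 dstip=192.168.112.65 '
    'srcintf="port2" dstintf="port3" filename="eicar.com" virus="EICAR_TEST_FILE" '
    'ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" profile="default" crlevel="critical"'
)

# One key=value pair: the value is either a double-quoted string (which may hold
# spaces, '=' and escaped quotes) or a bare token up to the next whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse a FortiOS log line into a dict of fields, with surrounding quotes removed.

    The "N: " prefix that `execute log display` adds is not a key=value pair and is ignored.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_blocked_virus_event(fields: Dict[str, str]) -> bool:
    """True when the entry is an antivirus UTM event whose action was a block."""
    return (fields.get("type") == "utm"
            and fields.get("subtype") == "virus"
            and fields.get("action") == "blocked")


def matches_inspection_policy(fields: Dict[str, str], policyid: str = "1",
                              srcintf: str = "port2", dstintf: str = "port3") -> bool:
    """True when the event was handled by the expected policy and interface pair.

    The defaults are the policy and ports from the configuration on this page.
    """
    return (fields.get("policyid") == policyid
            and fields.get("srcintf") == srcintf
            and fields.get("dstintf") == dstintf)


def verify_block(line: str) -> bool:
    """Full check for one log line: blocked AV verdict on the intended inspection path."""
    fields = parse_fortios_log(line)
    return is_blocked_virus_event(fields) and matches_inspection_policy(fields)
```

A log line that parses but fails `matches_inspection_policy` (for example, because the DNIs were attached to the wrong ports) indicates the block happened on a different policy than the one this use case configures.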