GENEVE support for AWS gateway load balancer 6.4.4

This enhancement adds support for the AWS generic networking for virtual environments (GENEVE) protocol in FortiOS. GENEVE provides a "bump in the wire" service, which diverts traffic within a virtual private cloud (VPC) to an appliance or cluster of appliances. The gateway load balancer (GWLB) accomplishes this by combining L3 gateway and L4 load-balancing features. Users direct VPC route tables to the GWLB, which forwards traffic to a service, such as a web application firewall or next-generation firewall. Supporting this feature is critical: the GWLB is a table-stakes routing feature within AWS for individual deployments, multitenant use cases, autoscaling, and other deployment scenarios covering north-south and east-west traffic flows. It also removes the need to use SNAT in many scenarios.

To configure this feature, you must create a GWLB on AWS, configure the related subnet routing table, and add the FortiGate interface IP address as a GWLB-registered target. The following instructions assume that you have configured the GWLB environment in AWS based on the topology:

Creating one GWLB per zone is recommended.

To configure FortiOS for GENEVE support:
  1. Configure the GENEVE interface:

    config system geneve
        edit "g1"
            set interface "port2"
            set type ppp
            set remote-ip 10.2.1.199
        next
    end

  2. Configure a static route and firewall policy:

    config router static
        edit 1
            set device "g1"
        next
    end
    config firewall policy
        edit 1
            set srcintf "g1"
            set dstintf "g1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

  3. Ensure that FortiGate can handle the traffic.
    1. From PC1, ping PC2:

      root@CtrlPC-1:~# ping 54.201.51.152 -c 1
      PING 54.201.51.152 (54.201.51.152) 56(84) bytes of data.
      64 bytes from 54.201.51.152: icmp_seq=1 ttl=223 time=14.7 ms

    2. Perform a sniffer trace to determine if packets are traveling the expected route:
      FGT-GWLB-1 (FG-traffic) # diagnose sniffer packet any icmp 4
      Using Original Sniffing Mode
      interfaces=[any]
      filters=[icmp]
      1.558522 g1 in 204.101.161.19 -> 10.1.2.10: icmp: echo request
      1.558560 g1 out 204.101.161.19 -> 10.1.2.10: icmp: echo request
      1.560286 g1 in 10.1.2.10 -> 204.101.161.19: icmp: echo reply
      1.560294 g1 out 10.1.2.10 -> 204.101.161.19: icmp: echo reply
      
      FGT-GWLB-1 (FG-traffic) # diagnose sniffer packet port2 'port 6081'
      Using Original Sniffing Mode
      interfaces=[port2]
      filters=[port 6081]
      1.029128 10.2.1.199.60004 -> 10.2.1.254.6081: udp 80
      1.029157 10.2.1.254.60004 -> 10.2.1.199.6081: udp 80
      1.037826 10.2.1.199.60004 -> 10.2.1.254.6081: udp 264
      1.037841 10.2.1.254.60004 -> 10.2.1.199.6081: udp 264
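The second trace only reports "udp" on port 6081 because the sniffer does not decode the encapsulation. The following decoder is an added example, not code from the Fortinet page: it parses a GENEVE datagram (RFC 8926 base header, option TLVs, inner Ethernet/IPv4) so a capture from port2 can be checked against the inner flow seen on g1. The option class 0xFF01 and the sample bytes are constructed for the test (0xFF01 is in the experimental range), not values taken from an AWS GWLB.

```python
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081   # UDP port filtered in the port2 sniffer trace above
ETH_P_TEB = 0x6558       # GENEVE protocol type: inner payload is an Ethernet frame
ETH_P_IPV4 = 0x0800

@dataclass
class GeneveFrame:
    vni: int
    protocol: int
    oam: bool
    critical: bool
    options: list = field(default_factory=list)  # (class, type, data) tuples
    inner_src: str = ""
    inner_dst: str = ""
    inner_proto: int = 0

def parse_geneve(payload: bytes) -> GeneveFrame:
    """Decode a GENEVE datagram: base header, option TLVs, then the inner IPv4 addresses."""
    ver_optlen, flags, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (ver_optlen & 0x3F) * 4          # option length is in 4-byte words
    frame = GeneveFrame(vni=vni_rsvd >> 8, protocol=proto,
                        oam=bool(flags & 0x80), critical=bool(flags & 0x40))
    off = 8
    while off < opt_end:                            # walk the variable-length option TLVs
        opt_class, opt_type, type_len = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (type_len & 0x1F) * 4
        frame.options.append((opt_class, opt_type, payload[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    if off != opt_end:
        raise ValueError("option TLVs overrun the declared option length")
    if proto == ETH_P_TEB and payload[off + 12:off + 14] == struct.pack("!H", ETH_P_IPV4):
        ip = payload[off + 14:off + 34]             # IPv4 header behind the 14-byte Ethernet header
        frame.inner_proto = ip[9]
        frame.inner_src = ".".join(map(str, ip[12:16]))
        frame.inner_dst = ".".join(map(str, ip[16:20]))
    return frame

def build_sample() -> bytes:
    """Constructed datagram, not a real capture: one experimental-class option, then an
    Ethernet frame carrying the ICMP echo request flow seen in the g1 sniffer trace."""
    option = struct.pack("!HBB", 0xFF01, 1, 1) + b"\xde\xad\xbe\xef"   # 4 data bytes = 1 word
    header = struct.pack("!BBHI", len(option) // 4, 0x00, ETH_P_TEB, 0xABC << 8)
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_P_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                       bytes([204, 101, 161, 19]), bytes([10, 1, 2, 10]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)     # echo request, checksum left zero
    return header + option + eth + ipv4 + icmp
```

Feed the UDP payload of a port 6081 packet to parse_geneve() and compare inner_src/inner_dst with the addresses shown on g1 to confirm the traffic really traverses the GENEVE tunnel.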