Configuring the VIP to access the remote servers
VIPs, interface IP addresses, and policies are created on the cloud FortiGate-VM to allow access to the remote servers.
To configure additional private IPs on AWS for the FortiGate VIPs:
- On the FortiGate EC2 instance, edit the Elastic Network Interface that corresponds to port2. In this example, Network Interface eth1.
- Go to Actions > Manage IP Addresses.
- Add two private IP addresses in the 10.0.2.0/24 subnet (in this example, 10.0.2.20 and 10.0.2.21).
  These addresses will be used as the external IP addresses of the VIPs on the FortiGate. The VPC only delivers traffic to an address that is assigned to an ENI, so adding them as secondary private IPs on the port2 interface ensures that traffic to these IP addresses is routed to the FortiGate by AWS.
- Click Yes, Update.
To configure VIPs on the cloud FortiGate-VM:
- Go to Policy & Objects > Virtual IPs and select the Virtual IP tab.
- Click Create new.
- Configure the following:
  Name: VIP-HTTP
  Interface: port2
  External IP address/range: 10.0.2.20
  Map to IPv4 address/range: 10.0.3.33
- Click OK.
- Create a second VIP for the FTP server with the following settings:
  Name: VIP-FTP
  Interface: port2
  External IP address/range: 10.0.2.21
  Map to IPv4 address/range: 10.0.3.44
The external IP address of each VIP must be exactly one of the secondary private IPs assigned to the port2 ENI in the previous procedure; a VIP on an address AWS has not assigned to the interface is never reached.
To configure firewall policies to allow traffic from port2 to port3:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Configure the following:
  Name: To-WebServer
  Incoming Interface: port2
  Outgoing Interface: port3
  Source: all
  Destination: VIP-HTTP
  Schedule: always
  Service: ALL
  Action: ACCEPT
  NAT: Enabled
- Configure the remaining settings as required.
- Click OK.
- Create a second policy for the FTP VIP with the following settings:
  Name: To-FTP
  Incoming Interface: port2
  Outgoing Interface: port3
  Source: all
  Destination: VIP-FTP
  Schedule: always
  Service: ALL
  Action: ACCEPT
  NAT: Enabled
- Click OK.
Source all and Service ALL keep the example short. In production, narrow Service to HTTP and HTTPS on To-WebServer and to FTP on To-FTP (the FortiGate FTP session helper opens the data connections), and narrow Source to the networks that are meant to reach the servers. NAT is enabled so that the FortiGate translates the source address to its port3 address: the web and FTP servers then reply to an address in their own subnet and the return traffic comes back through the FortiGate without any change to the AWS route tables. The cost is that the servers see the FortiGate, not the original client, as the source, so client addresses are not available in the server logs.
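The three procedures above, expressed as a small generator that emits the AWS CLI command for the secondary IPs and the FortiOS CLI equivalent of the GUI steps, with the checks a practitioner would want before pushing the configuration. This is an added example, not Fortinet or AWS code; the ENI ID eni-0123456789abcdef0 is a placeholder, the check that AWS reserves the first four and the last address of each subnet is AWS documented behaviour, and the policies use the built-in HTTP, HTTPS and FTP service objects instead of ALL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Port2 sits in this VPC subnet (from the procedure above).
PORT2_SUBNET = ipaddress.ip_network("10.0.2.0/24")
# Placeholder ENI ID for the port2 interface (eth1); an assumption, not from the page.
PORT2_ENI_ID = "eni-0123456789abcdef0"


@dataclass
class Vip:
    name: str            # FortiOS VIP object name
    ext_ip: str          # external IP: a secondary private IP on the port2 ENI
    mapped_ip: str       # real server address behind port3
    policy_name: str     # firewall policy that references the VIP
    services: List[str]  # FortiOS service objects the policy allows


# The two VIPs from the page; services narrowed from ALL to what each server speaks.
VIPS = [
    Vip("VIP-HTTP", "10.0.2.20", "10.0.3.33", "To-WebServer", ["HTTP", "HTTPS"]),
    Vip("VIP-FTP", "10.0.2.21", "10.0.3.44", "To-FTP", ["FTP"]),
]


def validate(vips: List[Vip], subnet: ipaddress.IPv4Network = PORT2_SUBNET) -> List[str]:
    """Return problems that would make a VIP unreachable or a policy never match.

    - external IP must be inside the port2 subnet, or the VPC never delivers it to the ENI;
    - AWS reserves the first four and the last address of every subnet, so they cannot be assigned;
    - two VIPs on the same interface must not share an external IP;
    - mapped IP must not be in the port2 subnet, otherwise port3 is not the outgoing
      interface and a port2 -> port3 policy does not match;
    - service ALL is flagged because the policy should only allow what the server speaks.
    """
    problems = []
    reserved = {subnet.network_address + i for i in range(4)} | {subnet.broadcast_address}
    seen = set()
    for v in vips:
        ext = ipaddress.ip_address(v.ext_ip)
        mapped = ipaddress.ip_address(v.mapped_ip)
        if ext not in subnet:
            problems.append(f"{v.name}: external IP {ext} is not in {subnet}")
        elif ext in reserved:
            problems.append(f"{v.name}: external IP {ext} is reserved by AWS in {subnet}")
        if ext in seen:
            problems.append(f"{v.name}: external IP {ext} is already used by another VIP")
        seen.add(ext)
        if mapped in subnet:
            problems.append(f"{v.name}: mapped IP {mapped} is in the port2 subnet, not behind port3")
        if "ALL" in v.services:
            problems.append(f"{v.policy_name}: service ALL is broader than the server needs")
    return problems


def aws_assign_command(vips: List[Vip], eni_id: str = PORT2_ENI_ID) -> str:
    """CLI equivalent of Actions > Manage IP Addresses: add the VIP addresses as secondary IPs."""
    ips = " ".join(v.ext_ip for v in vips)
    return (f"aws ec2 assign-private-ip-addresses --network-interface-id {eni_id} "
            f"--private-ip-addresses {ips}")


def fortios_config(vips: List[Vip]) -> str:
    """FortiOS CLI equivalent of the VIP and firewall policy GUI steps."""
    lines = ["config firewall vip"]
    for v in vips:
        lines += [f'    edit "{v.name}"', '        set extintf "port2"',
                  f"        set extip {v.ext_ip}", f'        set mappedip "{v.mapped_ip}"', "    next"]
    lines += ["end", "config firewall policy"]
    for v in vips:
        svc = " ".join(f'"{s}"' for s in v.services)
        lines += ["    edit 0",  # 0 lets FortiOS pick the next free policy ID
                  f'        set name "{v.policy_name}"', '        set srcintf "port2"',
                  '        set dstintf "port3"', '        set srcaddr "all"',
                  f'        set dstaddr "{v.name}"', "        set action accept",
                  '        set schedule "always"', f"        set service {svc}",
                  "        set nat enable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate(VIPS)
    if issues:
        raise SystemExit("\n".join(issues))
    print(aws_assign_command(VIPS))
    print(fortios_config(VIPS))
```

Run it once with the VIP list edited for your environment: it refuses to emit anything while validate() reports a problem, then prints the assign-private-ip-addresses command to run against the port2 ENI followed by the FortiOS CLI to paste into the FortiGate console. Setting nat enable keeps the behaviour of the GUI policies above, so return traffic from the servers comes back via the port3 address.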