Configuring FortiGate in AWS

In this document, we provide an example to set up the FortiGate Next Generation Firewall instance for you to validate that packets are sent to the FortiGate Next Generation Firewall for VPC-to-VPC and from VPC-to-Internet traffic inspection.

The Aviatrix Firewall Network (FireNet) workflow launches a FortiGate Next Generation Firewall instance at this step. After the launch is complete, the console displays the FortiGate Next Generation Firewall instance with the public IP address of its management/egress interface and allows you either to download the .pem file for SSH access to the instance, or to access the FortiGate web page.

Here is the Firewall information in this example for your reference. Please adjust it depending on your requirements.

Below are the steps for initial setup.

After this step in the workflow is completed, select the firewall on the Firewall Setup > List > Firewall page and click Download key in the Actions menu to download the .pem file.

If you get a download error, usually it means the FortiGate Next Generation Firewall instance is not ready. Wait until it is ready, refresh the browser and then try again.

In the Aviatrix Controller, navigate to Firewall Network > List > Firewall and click on the Management UI link. This takes you to the FortiGate Next Generation Firewall you just launched. The username is 'admin' and the default password is the Instance ID of the firewall, which you can copy from the Firewall tab. You are prompted to change this password after logging on.

Once logged in with the default password, it will ask you to set a new password.

After logging in with the new password, go to the page Network  Interfaces to configure Physical Interface port1 as per the following screenshot.

Go to the page Network > Interfaces to configure Physical Interface port2 as per the following screenshot.

Packets to and from TGW VPCs, as well as on-premises, will be hairpinned off the LAN interface. As such, you need to configure appropriate route ranges that you expect traffic for packets that need to be forward back to TGW. For simplicity, you can configure the FW to send all RFC 1918 packets to LAN port, which sends the packets back to the TGW.

In this example, we configure all traffic for RFC 1918 to be sent out of the LAN interface.

In the FortiGate UI, go to Network > Static Routes to create a Static Route as the following screenshot.

Those static routes can also be reviewed by navigating to Monitor > Routing Monitor.

Integrating a FortiGate firewall with the Aviatrix Controller enables the Controller to make automatic route updates to the FortiGate routing tables. You may also manually enable the integration with your CSP management tools. FortiGate integration is supported in AWS, Azure, and GCP clouds.

Integrate the FortiGate firewall with the Aviatrix Controller:

The Aviatrix Controller is now enabled to make automatic route updates to the FortiGate routing tables.

In this step, you will configure a basic traffic security policy that allows traffic to pass through the firewall. Given that Aviatrix Gateways will only forward traffic from the TGW to the LAN port of the Firewall, you can set your policy condition to match any packet that is going in/out of the LAN interface.

Navigate to Policy & Objects > IPv4 Policy > Create New / Edit to configure the policy as shown in the following table.

After validating that your TGW traffic is being routed through your firewall instances, you can customize the security policy to your requirements.

In this step, we will configure a basic traffic security policy that allows Internet traffic to pass through the firewall. Given that Aviatrix Gateways will only forward traffic from the TGW to the LAN port of the Firewall, you can set your policy condition to match any packet that is going into the LAN interface and going out of the WAN interface.

First you enable egress inspection:

You then create the new traffic policy in the FortiGate UI:

After validating that your TGW traffic is being routed through your firewall instances, you can customize the security policy to your requirements.

Now your firewall instance is ready to receive packets.

The next step is to specify which Network Domain needs packet inspection by defining a connection policy that connects to the firewall domain. This operation is done by this step in the Firewall Network workflow. In addition, attach VPC to TGW by Step 1 in the TGW Orchestrator Build workflow.

For example, deploy Spoke-1 VPC in Network_Domain_1 and Spoke-2 VPC in Network_Domain_2. Build a connection policy between the two domains. Build a connection between Network_Domain_2 to Firewall Domain.

You can view if traffic is forwarded to the firewall instance by logging in to the FortiGate Next Generation Firewall console. Go to FortiView > Destinations.

Launch one instance in Spoke-1 VPC and one in Spoke-2 VPC. Start pinging packets from an instance in Spoke-1 VPC to the private IP of another instance in Spoke-2 VPC where one or both of the Network Domains are connected to Firewall Network Domain. The ICMP traffic should go through and be inspected on the firewall.

Launch a private instance in the Spoke VPC (i.e. Spoke-2 VPC) where the Network Domain (i.e. Network_Domain_2) is connected to Firewall Network Domain. Start pinging packets from the private instance to the Internet service to verify egress function. The ICMP traffic should go through and be inspected on the firewall.