FireNet Ingress Traffic Inspection

Ingress Traffic Inspection

Follow the Ingress firewall instructions to deploy the solution for Ingress traffic inspection.

ingress_firewall

Ingress Directly through Firewall

Another often configured Ingress Egress design pattern is to have the traffic forward to firewall instances directly as shown in the diagram below. In this design pattern, each firewall instance must configure SNAT on its LAN interface that connects to the Aviatrix FireNet gateway. The drawback of this design is that the source IP address is not preserved when traffic reaches the application. If you need to preserve source IP address, refer to this recommended design for Ingress.

firenet_ingress_egress

For more information, follow the FireNet workflow.

Ingress Protection via Aviatrix Transit FireNet

This Ingress Protection design pattern is to have the traffic forward to firewall instances directly in Aviatrix Transit FireNet VPC/VNet as shown in the diagram below. In this design pattern, each firewall instance must configure (1) SNAT on its LAN interface that connects to the Aviatrix FireNet Gateway and (2) DNAT to the IP of application server/load balancer. The drawback of this design is that the source IP address is not preserved when traffic reaches the application.

For an example configuration workflow, see Ingress Protection via Aviatrix Transit FireNet with FortiGate.

transit_firenet_ingress