
Aviatrix FireNet in AWS with Fortinet Firewalls

  • fazil sarfaraz
  • Senior Customer Solutions Architect
  • fazil_sarfaraz
  • updated 1 mth ago

Overview

In this short discussion, I would like to walk through the steps to deploy a Fortinet firewall with Aviatrix transit.

I used a simple spoke-transit-spoke topology to demonstrate that the intended traffic is passing through the firewall instance.

Please see this link if you want to read about the benefits of the Aviatrix FireNet deployment model.

Assumptions

 For the purpose of this blog, we assume the reader is familiar with the Aviatrix concepts, networking, AWS native cloud constructs, and Fortinet firewalls.

 For additional information, read the Aviatrix docs: FireNet Workflow, Transit FireNet Design Patterns.

Pre-req

  • Aviatrix Controller is deployed in AWS Cloud
  • Spoke VPC and HA spoke gateways are already deployed.
  • Transit Firenet VPC with HA transit gateways are already deployed.
  • Spoke and transit gateways are attached and connected transmission is enabled on transit gateways.

Step by step guide

Before deploying the Fortinet firewall, we need to deploy the transit VPC with the FireNet feature enabled. When this is done, the Aviatrix controller automatically creates the appropriate subnets, security rules and interfaces.

 

Step 1:

  • In your AWS account, search for AWS Marketplace Subscriptions.
  • On the AWS Marketplace Subscriptions page, select Discover products.
  • In the search bar, enter “Fortigate” to search for a Fortinet firewall instance.
  • From the results, select a bundle and/or license option for the firewall instance you wish to subscribe to. There are different bundle/license options for each instance type that represent different costs and performance offerings.
  • On the next page, click “Continue to subscribe” to subscribe to the instance.
  • On the next page, click Accept terms to accept the license terms.

Step 2:

Enable Transit Firenet on Aviatrix Transit Gateway

On Aviatrix controller - Firewall Network > Setup > Transit Firenet > 3a

Step 3:

Associate Firewall instance

Aviatrix controller - Firewall Network > Setup > Firewall > 2a

Step 4:

Find your firewall management UI from the Aviatrix controller - Firewall Network > List > Firewall.

Use the UI to log in to your firewall.

 

Step 5:

Configure your Fortigate VM

Because this VM is launched from the Aviatrix controller, the required security groups (SG), subnets and rules are created with basic “allow-all” policies. These serve as an initial configuration to validate that the intended traffic is passing through the firewall instance.

Each FW instance will have 3 interfaces that will have the following roles:

  • Eth0 → Management Interface
  • Eth1 → Transit Gateways traffic
  • Eth2 → Internet ingress/egress traffic (need to add this network interface and attach to the instance)

| Fortigate VM instance interface | Description | Inbound Security Group Rule |
|---|---|---|
| eth0 (on subnet -Public-FW-ingress-egress-AZ-a) | Egress or Untrusted interface | Allow ALL |
| eth1 (on subnet -dmz-firewall) | LAN or Trusted interface | Allow ALL (Do not change) |

If you need further clarification on FireNet subnets, please see the diagram below.

Configure Firewall interfaces

  • To configure both Port1 and Port2, go to “Interfaces” tab:
    • Select an interface and click on “Edit”. Enter the following details:
      • Enter an Alias (i.e: LAN/WAN) for the interface
      • Enable DHCP so that the firewall retrieves its private IP information from the AWS console
      • Disable “Retrieve default gateway from server”
      • Specify appropriate role (LAN/WAN)

 

Configure basic traffic policy to allow traffic

Now your firewall instance is ready to receive packets!
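The interface settings and basic allow policy from Step 5, written as FortiOS CLI. This is an added example, not part of the original post. It assumes port1 is the WAN (egress) interface and port2 the LAN interface, and that spoke-to-spoke traffic enters and leaves the firewall on port2; the policy name is hypothetical.

```fortios
# Assumption: port1 = WAN/egress (AWS eth0), port2 = LAN/trusted (AWS eth1).
config system interface
    edit "port1"
        set alias "WAN"
        # DHCP supplies the private IP assigned by AWS
        set mode dhcp
        # "Retrieve default gateway from server" disabled, as in the steps above
        set defaultgw disable
        set role wan
    next
    edit "port2"
        set alias "LAN"
        set mode dhcp
        set defaultgw disable
        set role lan
    next
end

# Basic validation policy (assumed LAN-to-LAN for spoke-to-spoke traffic).
# "edit 0" lets FortiOS pick the next free policy ID.
config firewall policy
    edit 0
        # Hypothetical name
        set name "validate-spoke-to-spoke"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Log every session so the test traffic is visible during verification
        set logtraffic all
        set nat disable
    next
end
```

Once traffic is confirmed to pass through the firewall, replace the "all"/"ALL" objects with the specific spoke CIDRs and services you intend to permit.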

Step 6:

Finally, enable the transit FireNet policy on the Aviatrix controller to define which routes are to be inspected by the firewall.

Aviatrix Controller - Firewall Network > Policy > Manage Transit Firenet Policy > Add

Step 7:

Verification:

Launch one instance in Spoke-1 VPC and one in Spoke-2 VPC. From one instance, ping the other instance. The ping should go through.

Verify that traffic is forwarded to the firewall instance by going to FortiView.
