Aviatrix FireNet in AWS with Fortinet Firewalls
Overview
In this short discussion, I would like to walk through the steps to deploy Fortinet Firewall with Aviatrix transit.
I used simple spoke-transit-spoke topology to demonstrate that intended traffic is passing through the firewall instance.
Please see this link if you want to read about benefits of Aviatrix FireNet deployment model
Assumptions
For the purpose of this blog, we assume the reader is familiar with the Aviatrix concepts, networking, AWS native cloud constructs, and Fortinet firewalls.
For additional information read Aviatrix docs, FireNet Workflow, Transit FireNet Design Patterns.
Pre-req
- Aviatrix Controller is deployed in AWS Cloud
- Spoke VPC and HA spoke gateways are already deployed.
- Transit Firenet VPC with HA transit gateways are already deployed.
- Spoke and transit gateways are attached and connected transmission is enabled on transit gateways.
Step by step guide
Before deploying Fortinet firewall, we would need to deploy transit VPC with Firenet feature enabled. By doing so, Aviatrix controller automatically creates appropriate subnets, security rules and interfaces.
Step 1:
- In your AWS account, search for AWS Marketplace Subscriptions.
- On the AWS Marketplace Subscriptions page, select Discover products.
- In the search bar, Enter “Fortigate” to search for a Fortinet firewall instance.
- From the results, select a bundle and/or license option for the firewall instance you wish to subscribe to. There are different bundle/license options for each instance type that represent different costs and performance offerings.
- On the next page, click Continue to subscribe to subscribe to the instance.
- On the next page, click Accept terms to accept the license terms.
Step 2:
Enable Transit Firenet on Aviatrix Transit Gateway
On Aviatrix controller - Firewall Network > Setup > Transit Firenet > 3a
Step 3:
Associate Firewall instance
Aviatrix controller - Firewall Network > Setup > Firewall > 2a
Step 4:
Check your Firewall management UI from Aviatrix controller - Firewall Network > List > Firewall.
Use the UI to login to your firewall
Step 5:
Configure your Fortigate VM
Since this VM is launched with Aviatrix controller, required SG, subnets and rules are created with basic “allow-all” policies to serve as initial configuration to validate that intended traffic is passing through the firewall instance.
Each FW instance will have 3 interfaces that will have the following roles:
- Eth0 → Management Interface
- Eth1 → Transit Gateways traffic
- Eth2 → Internet ingress/egress traffic (need to add this network interface and attach to the instance)
Fortigate VM instance interfaces. Description Inbound Security Group Rule
| eth0 (on subnet -Public-FW-ingress-egress-AZ-a) | Egress or Untrusted interface | Allow ALL |
| eth1 (on subnet -dmz-firewall) | LAN or Trusted interface | Allow ALL (Do not change) |
If you need further clarification on FireNet subnets, please see below diagram
Configure Firewall interfaces
- To configure both Port1 and Port2, go to “Interfaces” tab:
- Select an interface and click on “Edit”. Enter the following details:
- Enter an Alias (i.e: LAN/WAN) for the interface
- Enable DHCP to ensure FW retrieve private IP information from AWS console
- Disable “Retrieve default gateway from server”
- Specify appropriate role (LAN/WAN)
- Select an interface and click on “Edit”. Enter the following details:
Configure basic traffic policy to allow traffic
Now your firewall instance is ready to receive packets!
Step 6:
Finally, just enable the transit Firenet policy on Aviatrix controller to define which routes are to be inspected by Firewall.
Aviatrix Controller - Firewall Network > Policy > Manage Transit Firenet Policy > Add
Step 7:
Verification:-
Launch one instance in Spoke-1 VPC and one in Spoke-2 VPC. From one instance, ping the other instance. The ping should go through.
Verify if traffic is forwarded to firewall instance by going to FortiView
