AWS Gateway Loadbalancer East West inspection with Fortigate Firewall

9,799 views

Tendai Musonza

3 years ago

AWS Gateway Load Balancer east-west inspection using a FortiGate firewall and Transit Gateway, hands-on demo.
This is a step-by-step configuration of the following components:
1. FortiGate firewall, standing in for any virtual appliance of your choice behind a Gateway Load Balancer
2. Enabling GENEVE on the FortiGate appliance
3. AWS Gateway Load Balancer and endpoint service (GWLB endpoint) setup
4. Transit Gateway attachments and routing tables
5. Testing and troubleshooting traffic flow via the central security VPC
Although the demo shows only a single appliance, a robust production environment will have more than one, possibly in an auto scaling group.
Below is the debug command I used on the FortiGate.
It is my favorite command on this device, as it can tell you almost anything about traffic flow, whether the problem is routing or access. Simply paste all the lines into your CLI:
##########################
# clear any earlier trace, then turn debug output on
diagnose debug flow trace stop
diagnose debug enable
# trace only packets to or from this address (replace it with the IP you need to track)
diagnose debug flow filter addr 172.31.100.15
diagnose debug flow show function-name enable
# trace the next 10 matching packets
diagnose debug flow trace start 10
###############
To stop the trace: diagnose debug flow trace stop
If you do not give a packet count (the 10 on the last line), the trace keeps running until you stop it. When you are finished, also run diagnose debug disable so the debug output stops, and diagnose debug flow filter clear to drop the address filter; diagnose debug reset clears all debug settings. Always set an address filter as above: an unfiltered flow trace on a busy appliance floods the console and adds CPU load.
You may check for more options you can use with it in the Fortinet documentation.
If my video helps you, hit that subscribe button and many more will come.
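The troubleshooting step above reads the FortiGate's own debug flow output. When that output shows packets arriving on UDP/6081 but the policy is not matching what you expect, the next thing to inspect is the GENEVE wrapper the Gateway Load Balancer puts around every packet it hands to the appliance. The parser below is an added example written for this page, not FortiGate or AWS code. It decodes the RFC 8926 GENEVE header and the three AWS-specific options the GWLB documentation describes (option class 0x0108: type 1 GWLB endpoint ENI ID, type 2 attachment ID, type 3 flow cookie), pulls out the inner IPv4 addresses so you can confirm the same 172.31.100.15 the debug filter tracks, and shows that a packet sent back to the GWLB must carry the outer header and options back unchanged. The packet it parses is constructed inline with demo IDs and a demo flow cookie; VNI 0 and all helper names are assumptions.

```python
# Added example: decode the GENEVE (RFC 8926) wrapper an AWS Gateway Load Balancer
# puts around each packet it forwards to a target appliance on UDP/6081.
# Assumed from the GWLB docs: option class 0x0108, type 1 = GWLBE ENI ID (8 bytes),
# type 2 = attachment ID (8 bytes), type 3 = flow cookie (4 bytes). Sample packet,
# its IDs and the VNI (0) are constructed here for the demo.
import ipaddress
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081
AWS_OPTION_CLASS = 0x0108
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}
PROTO_IPV4 = 0x0800            # GWLB carries bare IP packets, not Ethernet frames


@dataclass
class GeneveHeader:
    version: int
    protocol_type: int
    vni: int
    options: dict = field(default_factory=dict)   # (opt_class, opt_type) -> raw bytes
    header_len: int = 8                            # base header + options, in bytes


def parse_geneve(pkt: bytes) -> GeneveHeader:
    """Parse the 8-byte base header and the TLV options that follow it."""
    if len(pkt) < 8:
        raise ValueError("truncated GENEVE base header")
    first, proto, vni_raw = struct.unpack("!HHI", pkt[:8])
    version = first >> 14
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    end = 8 + ((first >> 8) & 0x3F) * 4            # Opt Len is counted in 4-byte words
    if len(pkt) < end:
        raise ValueError("options run past the end of the packet")
    options, pos = {}, 8
    while pos < end:
        if pos + 4 > end:
            raise ValueError("option header exceeds the declared Opt Len")
        opt_class, opt_type, len_field = struct.unpack("!HBB", pkt[pos:pos + 4])
        data_len = (len_field & 0x1F) * 4           # low 5 bits, in 4-byte words
        if pos + 4 + data_len > end:
            raise ValueError("option data exceeds the declared Opt Len")
        # high bit of the type byte is the "critical" flag, not part of the type number
        options[(opt_class, opt_type & 0x7F)] = pkt[pos + 4:pos + 4 + data_len]
        pos += 4 + data_len
    return GeneveHeader(version, proto, vni_raw >> 8, options, end)


def aws_options(hdr: GeneveHeader) -> dict:
    """Return the AWS-specific options as integers keyed by their documented name."""
    return {AWS_OPTION_NAMES[t]: int.from_bytes(data, "big")
            for (c, t), data in hdr.options.items()
            if c == AWS_OPTION_CLASS and t in AWS_OPTION_NAMES}


def inner_ipv4(pkt: bytes, hdr: GeneveHeader) -> tuple:
    """(src, dst, ip_protocol) of the encapsulated packet: what the firewall
    policy and the debug flow filter actually see after GENEVE decapsulation."""
    if hdr.protocol_type != PROTO_IPV4:
        raise ValueError(f"unexpected inner protocol type 0x{hdr.protocol_type:04x}")
    ip = pkt[hdr.header_len:hdr.header_len + 20]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])), ip[9])


def build_geneve(options: list, inner: bytes, vni: int = 0) -> bytes:
    """Encapsulate `inner` with [(opt_class, opt_type, data), ...] options."""
    opt_bytes = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opt_bytes += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    first = (len(opt_bytes) // 4) << 8             # version 0, O and C flags clear
    return struct.pack("!HHI", first, PROTO_IPV4, vni << 8) + opt_bytes + inner


def sample_inner_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left as 0), constructed for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def sample_gwlb_packet() -> bytes:
    """Constructed GWLB-to-appliance packet: demo ENI and attachment IDs, flow
    cookie 0xDEADBEEF, ICMP echo from 172.31.100.15 to a spoke-VPC address."""
    opts = [
        (AWS_OPTION_CLASS, 1, struct.pack("!Q", 0x0A1B2C3D4E5F)),   # GWLBE ENI ID (demo)
        (AWS_OPTION_CLASS, 2, struct.pack("!Q", 0x42)),             # attachment ID (demo)
        (AWS_OPTION_CLASS, 3, struct.pack("!I", 0xDEADBEEF)),       # flow cookie (demo)
    ]
    inner = sample_inner_ipv4("172.31.100.15", "10.20.0.5", 1, b"\x08\x00" + b"\x00" * 6)
    return build_geneve(opts, inner)


def return_to_gwlb(received: bytes, inspected_inner: bytes) -> bytes:
    """Re-wrap an inspected packet for the trip back to the GWLB. The outer GENEVE
    header, AWS options and flow cookie are copied back unchanged; the GWLB uses
    them to match the returned packet to the original flow."""
    hdr = parse_geneve(received)
    return received[:hdr.header_len] + inspected_inner
```

Feed parse_geneve the UDP payload of a packet captured on the FortiGate's GENEVE-facing port and compare aws_options against the endpoint and attachment you expect; a packet whose inner_ipv4 tuple shows a spoke address the firewall has no route back to is the routing problem the debug flow trace reports as a drop.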

Comments: 56
@ItIsFullyFaltu 1 year ago
I searched the whole internet but couldn't find a proper video explaining the GWLB in detail and how to use it with appliances. This video is by far the best today, and thank you for the help.
@tendaimusonza9547 1 year ago
Glad to hear the material is helpful, thank you for your support.
@mohammedmustafaali1049 3 years ago
Very, very awesome. I have truly enjoyed this more than anything. Thanks very much for your time putting all this together, and waiting for more.
@tendaimusonza9547 3 years ago
I am glad you enjoyed it. Thank you for the kind words.
@davidsonjrg 3 years ago
Really liking the new content. Thank you Tendai, it's very detailed.
@tendaimusonza9547 3 years ago
Thanks for the support, Davidson.
@daphenom 2 years ago
Thank you for sharing this video! It definitely helps us in our AWS journey!
@tendaimusonza9547 2 years ago
Glad you liked it, thanks for the feedback.
@daphenom 2 years ago
@tendaimusonza9547 Do you have any vids on inbound traffic from the internet that passes through the firewall? We have a multi-account, multi-VPC setup with a central security account/VPC where the firewall lives. Every account/VPC goes through a transit gateway which decides where to route traffic. We want to be able to make public services available to the internet and still traverse the firewall. Thanks in advance!
@tendaimusonza9547 2 years ago
@daphenom Thanks for checking. I currently do not have a video specifically on both north-south and east-west inspection; however, for the internet you have to use ingress routing the same way I did in my AWS Network Firewall video, and this ingress routing is per VPC, to route incoming traffic to the gateway load balancer endpoint.
@lewismangwanda5329 2 years ago
I really enjoyed this, well done Tendai.
@tendaimusonza9547 2 years ago
Thanks Lewis, glad you enjoyed the content.
@mosesg45 2 years ago
Awesome Mr T. Nicely done, with a gentle introduction to the Gateway Load Balancer.
@tendaimusonza9547 2 years ago
Thanks Gibson.
@shepherdmagumo9361 3 years ago
Always enjoy the content. Excellent knowledge and delivery 👏👏
@tendaimusonza9547 3 years ago
Thank you Shepherd, glad to hear you enjoyed the demo.
@CyberPolice911 2 years ago
Thanks for the video. It's really helpful.
@tendaimusonza9547 2 years ago
It's a pleasure, happy you liked it.
@andrenelson424 1 year ago
Greetings, excellent overview, thank you. I'm building a proof of concept: 3 pairs of FortiGate firewalls in HA mode, active/active, across 3 Availability Zones, with AWS load balancing, Transit Gateway, FortiManager for centralised management and a FortiAnalyzer as part of the SIEM (APP VPC, SEC VPC, TRANS VPC).
@aravindviswanathan6884 6 months ago
Really an informative one, buddy. Thanks a lot.
@kkinyanjui1 2 years ago
Very helpful, my leader!!
@tendaimusonza9547 2 years ago
Glad to know you liked it, thanks.
@autoholic_rider 1 year ago
Very nice step-by-step walkthrough, keep it up. Any idea how the setup will look if we have a multi-AZ FortiGate HA deployment? I have issues with the LB and endpoints when I have multi-AZ and the application VPCs are different VPCs; it creates issues. I am checking further on the setup, but it works with the primary and failover doesn't.
@tendaimusonza9547 1 year ago
Thank you Hitesh. I am not sure if HA will work in conjunction with a GWLB, since the health checks have no visibility of HA status, as they work only by probing a TCP port. I have used HA in a central security VPC using partly the steps in the following Fortinet link, although this link is just for general HA setup, not specific to a central security VPC: docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/229470/deploying-fortigate-vm-active-passive-ha-aws-between-multiple-zones. I used it with a transit gateway. Hope you will find this helpful.
@hellosouvik 1 year ago
Excellent video, many thanks for sharing with us. One thing which is bugging me is the route-table entry for "GWLB-Subnet": why do we have to provide two transit gateway entries, one for each spoke VPC? Is it really required for E-W traffic?
@tendaimusonza9547 1 year ago
I provided the TGW as the next hop for both spoke CIDRs since it is the TGW which knows the route back to both spokes in this centralized config. Thank you for your comment, hope I managed to answer your question.
@elamateurtube 2 years ago
Hello Tendai, the explanation in this video is very useful. Great! Where do you find all the docs and examples for the Forti, endpoint and GWLB implementation? How do I add more Fortis to the main one, as in an HA? Thank you man!
@tendaimusonza9547 2 years ago
Glad you liked the material and supported the channel with your subscription. Thank you. As far as HA is concerned, you do it differently from the usual way we do on premises. You can take advantage of the fact that the firewalls are behind a load balancer, and hence with the health check mechanism traffic can then be sent only to healthy appliances, and if your transit gateway is in appliance mode you will not have asymmetrical routing challenges. The firewalls can also be in an auto scaling group. I also find the following links helpful: aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/ and docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/249812/creating-the-gwlb-and-registering-targets. Hopefully I have given you some clarity. I have not found complete end-to-end documentation which shows the Forti config scenarios; however, for multiple firewalls you will need a central manager if policies are to be in sync.
@elamateurtube 2 years ago
@tendaimusonza9547 Thank you so much for your answers. My future goal is to use a VPC for security to let the Forti inspect all traffic (north-south and east-west) and at the same time use HA, using (I guess) port1 to go to the internet through an IGW. I don't have all the details of the implementation so clear. Thank you man!!
@sreyanshbhupal9900 2 years ago
Great video!! The only thing which is confusing here is the interface. It would be great if you specified which interface you are using as the target and which one is used for public access. If they are the same, then why create a new interface in a different subnet? Also, the specific Availability Zone is not highlighted here. Although it is visible that you have built the complete setup in a single AZ (af-south-1a), briefly mentioning the limitations of AZs (if any) would be great. Additionally, the purpose of adding static routes on the FortiGate was not clear. If the firewall is going to receive traffic on the GENEVE port (UDP/6081), then what role will the static routes play here? The Primary_ENI (port1) subnet RTB already has the required routes.
@tendaimusonza9547 2 years ago
Thank you for the feedback. I see your point here. I decided to use the same subnet that the gateway load balancer was sitting on to keep the config short and simple, even though the initial plan was to use different subnets for GENEVE and for admin. You may also test my setup without adding a route and let me know the outcome; that decision came after running some debugs and checks on the routes populated automatically, after running get router info on the FortiGate.
@sreyanshbhupal9900 2 years ago
@tendaimusonza9547 Thanks. I will try it once and see how the FortiGate local routes influence the GENEVE behavior. I have seen this with PA, but no such routing was required. Hence the question.
@tendaimusonza9547 2 years ago
@sreyanshbhupal9900 You are right, for Palo it works without doing any of those steps. Give it a trial, that's how we all learn, through sharing.
@hirenpatel2678 2 years ago
What if I want to use this for north-south traffic? The default route towards GENEVE won't help there.
@tendaimusonza9547 2 years ago
Hello Hiren, thank you for viewing the content. As for the north-south scenario, the routing needs to change a bit. In this case the default route to GENEVE up to the TGW is on the assumption that only east-west traffic is involved; however, for north-south you may choose to have a gateway load balancer route table that sends default traffic to a NAT Gateway, as illustrated in the north-south deployment model at aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/. Hopefully I managed to answer your question.
@satdevlpr 1 year ago
I am new to AWS VPC. Can you make a video on what AWS offers as network and security services, and is there any free or trial lab on AWS cloud to test it?
@tendaimusonza9547 1 year ago
Thank you for the feedback, that will help me in balancing content on my future videos. You may also open an AWS free tier account for learning; however, exercise caution on usage since not everything is free. AWS documentation clearly states how you can stay within the free tier.
@abdomordy6935 1 year ago
Did you deploy FortiGate on AWS with HA active-active in a multi-AZ environment? If yes, can you help with a guide or video?
@tendaimusonza9547 1 year ago
Hello Abdo, you do not need Forti HA when using the gateway load balancer; the GWLB is doing HA for you, in a way, and you need to make sure the security VPC attachment is in appliance mode to avoid asymmetrical routing. See docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html. With a GWLB your Fortis can be in multiple AZs; however, use FortiManager to make sure your rules are in sync rather than adding rules manually on each device. Hope I answered your question.
@abdomordy6935 1 year ago
@tendaimusonza9547 Thanks for your reply. I will try to make it using TG, as I'm trying with GWLB and one FortiGate only for now.
@rohitpundir348 1 year ago
Can I get the documents on how you have configured all the VPCs and subnets, etc.?
@tendaimusonza9547 1 year ago
Hi Rohit, if you have worked with Terraform you may find my configs here useful for VPC and subnet config: github.com/tendai-lino/training/tree/main/GWLB-DEMO. I used this kind of setup in kzbin.info/www/bejne/aJiYapyee95ofrc. Let me know if you require any further assistance.
@zeeshanishkay9268 2 years ago
How can we get FortiGuard updates in this scenario? On port1 I have created GENEVE for data traffic, so how can I communicate with FortiGuard for updates? Can you help?
@tendaimusonza9547 2 years ago
Hi Zeeshan, that's a valid point. To get updates you have to change the routing: instead of using the default route to GENEVE, use specific routes for the VPC CIDRs and then send default traffic to a different port with a route to the internet. I used 0.0.0.0/0 just for the quick demo.
@randicalib 2 years ago
Is using a transit gateway a must for GWLB?
@tendaimusonza9547 2 years ago
Hello Randy, yes, a Transit Gateway is a must only for east-west inspection, that is, if you want to send traffic between VPCs through the central security VPC, unlike when you do north-south inspection, i.e. internet to VPC.
@randicalib 2 years ago
Thanks for your answer @tendaimusonza9547. So if only 1 app VPC needs to go through the security VPC via GWLB, it does not need a TGW, right?
@tendaimusonza9547 2 years ago
@randicalib That's right, yes.
@chileflake1656 2 years ago
The reason WHY a TGW is necessary for more than 2 VPCs (1 "users/servers" + 1 "security with GWLB + FWs in it") is the non-transitive VPC peering rule, docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html ["VPC peering does not support transitive peering relationships"]. So you either need a TGW and/or a Transit VPC design (where NVAs act as the glue between different VPCs). A TGW has its limitations; for example, if you need advanced NAT and/or VRFs to segregate traffic, you would need to use a Transit VPC with NVAs (Cisco CSRs, for example), or even a mix of both, in which case the "Security VPC" could be the "Transit VPC" at the same time, with that GWLB too.
@tctfone1 2 years ago
Can you now repeat this in Terraform? :)
@tendaimusonza9547 2 years ago
Thanks for the feedback, will work out something as soon as I grab a moment.
@carlosemanuelbonilla904 2 years ago
This same logic applies to north-south traffic flow, right?
@tendaimusonza9547 2 years ago
That's correct, it's the same logic, only that for north-south you introduce ingress routing for the internet gateway.
@carlosemanuelbonilla904 2 years ago
@tendaimusonza9547 Thanks sir, keep going with the great content, greetings.
@tendaimusonza9547 2 years ago
@carlosemanuelbonilla904 Thanks for the support, much appreciated.