AWS Transit VPC Using Fortinet Fortigate-VM64

Pre-requisites

To understand some of the concepts discussed in this post, familiarity with Transit VPC concepts and Terminology is recommended before you start . Please go through our other post titled “Connect VPCs to make Network of Networks in AWS”.

The transitive network can also be achieved by using the high-performance Routers, such as Cisco CSRs in the Transit VPC. To know more about set-up and configuration of Transit VPC using Cisco CSR 1000v router, read our earlier blog post here.

However, the main purpose of running VPN tunnels is to have security and encryption in transit. You also won’t be able to achieve advanced filtering and protection by using the Routers. For that, you need to use a Next-Generation Firewall which also does L7 Application controls, Anti-virus, IPS, Web filtering and VPN etc. This blog focus on to explain the set-up of Fortinet FortiGate Next-Generation Firewall on Transit VPC instead using a Router.

This is a 2 part blog where we cover the launching of the Fortinet device and initial AWS transit VPC setup here. The second part will describe the configuration steps to be done on the FortiGate Firewall to create VPN connections with other VPCs and on-premise networks.

Figure — 1

First, login to the AWS console and set-up your VPC’s as required. And consider one VPC as public-facing and the other as a Private VPC. Treat the public-facing VPC as Transit VPC and other(s) will be Spoke VPCs. To know more about VPC set-up, you should read the AWS provided VPC administrator guide here.

To launch Fortinet FortiGate Next-Generation Firewall on your Transit VPC, you need to select the required AMI from the AWS Marketplace and launch it into an EC2 instance. For that Please follow the below steps:

Go to EC2 console → Instance → Launch Instance

Figure — 2

Click on AWS Marketplace → Type Fortigate on Search bar → And Select the Fortinate Flavors.

Figure — 3

You will get a pop window, it explains the pricing and Instance type of the Fortigate Firewall. Click on Continue

Figure — 4

Next: Select the VPC (Transit VPC) and Subnets. Make it auto-assign Public IP “Disable” (you should attach an Elastic IP later). If you need to specify any particular private IP assign it, else leave blank. Then click on Next: Add Storage.

Figure — 5

Next: By default, storage will be added and make it Root volume as SSD. Also if you have any specification or any other requirements on storage volumes, you can specify here. Then click on Next: Add Tags.

Figure — 6

Add Tags and Click on “Next: Configure Security Group”

Figure — 7

By default, Fortigate Firewall AMI allows the port numbers as per its requirements. You can also add more rules as per your specific requirements. Then, Click on Review and Launch → Click on Launch from next window.

Figure — 8

After Clicking on “Launch” Select or Create a new key pair and then, Launch the instance.

Figure — 9

To access the Fortigate Firewall, create an Elastic IP and Assign to the instance. For that, Go to EC2 console → Elastic IP →Allocate new address

After that, Assign this Elastic IP to the Instance or Network Interface

Figure — 10

From next window, Select the Fortigate instance and associated private IP and then Click on Associate

Figure — 11

Using this Elastic IP, Access Fortigate Firewall through the web browser, for example, https://1.2.3.4.
From next window on your browser Click on ADVANCED → Proceed to 1.2.3.4 (unsafe)

Figure — 12

Next, You will get an authentication Page.
Username: admin
Password: <you fortigate instance ID>

Figure — 13

After the successful authentication, you will get the following window.

Figure — 14

Next, you need to set-up VPN tunnels with Spoke VPC’s and On-premises DC to achieve transitive nature.

VPN Setup: Transit VPC — Spoke VPC

To Set-up VPN tunnel with Spoke VPC’s: First, you need to configure AWS Managed VPN in all the Spoke VPC’s by using the FortiGate Firewall Elastic IP as Customer Gateway. To know more about the set-up of AWS Managed VPN click here.
Download the VPN configuration file from the “VPN Connection Console” and select the vendor: Fortinet → Platform: Fortigate 40+ Series → Software: FortiOS 5.0+ (GUI), Which will help to set-up the VPN tunnel in Fortigate Firewall.

Figure — 15

After that, Set-up VPN connection in the FortiGate Firewall with respect to the configuration file of the AWS Managed VPN set-up. Click here to know more about the VPN set-up in the FortiGate Next-Gen Firewall.

Note: Disable Source/Destination Check

AWS EC2 Console → Select the Fortigate Firewall instance → Actions → Networking → Change Source/Dest. Check → Yes, Disable

Figure — 16

VPN Setup: Transit VPC — On-premises DC

To set-up VPN between Transit VPC and On-premises Data Center (DC) L3 device, you first need to create a VPN configuration in the On-premises L3 device with the details of the FortiGate Firewall public IP. Use our previous blog on VPN Configuration as a reference.

Once the on-premise configuration is completed, use the public IP and Tunnel IP details, configure the VPN, routing protocols, and policies in the AWS FortiGate Next-Gen Firewall (launched above) to form the VPN tunnel with the On-premises L3 device. To know more about the set-up of FortiGate Next-Gen Firewall and VPN, read the second part here.