How to Deploy Multiple EIPs on Fortinet FortiGate NGFW

By Jonathan Peng, Staff Solutions Architect

Most Internet services within a Virtual Private Cloud (VPC) need multiple public IP addresses so that customers can reach them. If we want to protect all of that public traffic with a single firewall appliance, we face the problem of attaching multiple public IPs to one Elastic Compute Service (ECS) instance-based firewall.

In this article, we deploy multiple Elastic IP addresses (EIPs) in front of a single Fortinet NGFW ECS instance to show Alibaba Cloud users how to address this problem.

Use Cases

Here are some of the things that you can do with multiple IP addresses and a Fortinet NGFW:

  1. Use URL-based filtering policies. We can leverage Fortinet's URL filtering feature to protect inbound and outbound Internet traffic by filtering on URL rather than IP address.
  2. Protect web services and more. This approach guards against malicious traffic, data loss, and unauthorized access. At the same time, the Fortinet device delivers a number of security technologies, such as IPS, web filtering, VPN, SSL inspection, identity management integration, and bandwidth management.
  3. Optimize network appliances. Network appliances such as firewalls and load balancers generally work better when they have multiple public IP addresses available on the Internet.

Solution Overview

The following diagram illustrates the overall concept of the solution. We need to go through the following steps:

  1. Create a VPC with two different vSwitches for the networking.
  2. Create ECS instances for all the frontend services, such as App, Web and Search, in one vSwitch.
  3. Create Fortinet FortiGate NGFW ECS instances from the Alibaba Cloud Marketplace in the other vSwitch.
  4. Create one Server Load Balancer (SLB) per public IP, each with the Fortinet NGFW ECS as its backend server, targeting the firewall's private IP on a port dedicated to that service.
  5. Add a route entry to the VPC's route table that sets the default route's next hop to the Fortinet NGFW ECS.
  6. Set up the Fortinet NGFW: add SNAT and DNAT together with firewall policies that connect to the different backend ECS instances.
[Diagram: overall solution architecture]
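To make the two traffic paths of this design concrete, here is an added model (not code from the article or from Fortinet/Alibaba Cloud) of the inbound path, SLB to FortiGate DNAT to backend ECS, and the outbound path, backend ECS to the VPC default route to FortiGate SNAT to the Internet. The backend addresses and the FortiGate ports 40001 to 40003 are the article's; the FortiGate private IP, its public IP, the SLB source address, the client address and the route-table hop names are constructed placeholders.

```python
"""Model of the inbound (SLB -> FortiGate DNAT -> backend) and outbound
(backend -> VPC default route -> FortiGate SNAT) paths of the design above.
Added example, not the article's code; addresses other than the backends
are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses (the article does not show these values)
FGT_INSIDE_IP = "192.168.2.10"   # FortiGate private IP on the second vSwitch
FGT_PUBLIC_IP = "203.0.113.1"    # public IP used for outbound SNAT
SLB_SRC_IP = "192.168.2.100"     # address the SLB uses when it connects to its backend

# From the article: port on the FortiGate that each SLB targets -> backend ECS, all on port 80
DNAT_TABLE = {
    40001: ("192.168.1.81", 80),   # App
    40002: ("192.168.1.82", 80),   # Web
    40003: ("192.168.1.80", 80),   # Search
}

# VPC route table after Step 5: the system route for the VPC CIDR plus the
# custom default route whose next hop is the FortiGate ECS instance
ROUTE_TABLE = [("192.168.0.0/16", "vpc-local"), ("0.0.0.0/0", "fortigate-ecs")]


def next_hop(dst_ip):
    """Longest-prefix match over the VPC route table."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), h) for c, h in ROUTE_TABLE
               if addr in ipaddress.ip_network(c)]
    _net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


def fgt_inbound(pkt):
    """Step 6 inbound policy: VIP port-forward (DNAT) plus source NAT to the
    firewall's own address (assumed enabled) so the backend's reply comes
    back through the firewall instead of bypassing it."""
    if pkt.dst != FGT_INSIDE_IP or pkt.dport not in DNAT_TABLE:
        raise PermissionError(f"no VIP for {pkt.dst}:{pkt.dport}; implicit deny")
    backend_ip, backend_port = DNAT_TABLE[pkt.dport]
    return Packet(FGT_INSIDE_IP, pkt.sport, backend_ip, backend_port)


def fgt_outbound(pkt):
    """Step 6 outbound policy: SNAT protected backends to the firewall's public IP."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network("192.168.1.0/24"):
        raise PermissionError("source is not a protected backend; implicit deny")
    return Packet(FGT_PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)


def inbound_flow(fgt_port):
    """Trace an SLB-forwarded request for the service behind the given FortiGate port."""
    slb_to_fgt = Packet(SLB_SRC_IP, 51000, FGT_INSIDE_IP, fgt_port)
    hops = [("slb->fortigate", slb_to_fgt)]
    to_backend = fgt_inbound(slb_to_fgt)
    hops.append(("fortigate->backend", to_backend))
    # The backend answers the translated source, so the route lookup decides where the reply goes
    reply = Packet(to_backend.dst, to_backend.dport, to_backend.src, to_backend.sport)
    hops.append((f"backend->{next_hop(reply.dst)}", reply))
    return hops


def outbound_flow(backend_ip, internet_ip="192.0.2.50"):
    """Trace a backend-initiated connection to the Internet (constructed destination)."""
    egress = Packet(backend_ip, 52000, internet_ip, 443)
    hop = next_hop(egress.dst)
    hops = [(f"backend->{hop}", egress)]
    if hop == "fortigate-ecs":
        hops.append(("fortigate->internet", fgt_outbound(egress)))
    return hops


if __name__ == "__main__":
    for name, pkt in inbound_flow(40002) + outbound_flow("192.168.1.81"):
        print(f"{name:24} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The model shows why Step 5 matters: without the custom default route, the backend's Internet-bound packet would never reach the firewall for SNAT. It also makes an assumption the article's screenshots do not show, namely that the inbound policy source-NATs to the firewall's own address, so the backend's reply is addressed to the firewall and cannot take a path around it.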

Step-by-Step Demonstration

Step 1:

Log in to the Alibaba Cloud console, find VPC under Products, and create a new VPC with two vSwitches.

Step 2:

Under Products, find ECS and create three ECS instances to simulate the App (192.168.1.81), Web (192.168.1.82) and Search (192.168.1.80) services.

Step 3:

Create an ECS instance from a Marketplace image, choosing the Fortinet FortiGate NGFW image.

Step 4:

Create three SLBs, one each for the App, Web and Search HTTP services.

All listeners are set to HTTP on port 80.

Each SLB listener needs the Fortinet firewall added as its backend server, pointing to a different backend port: 40001, 40002 and 40003 respectively.

Step 5:

Add a default route to the VPC's vRouter with the Fortinet ECS instance as the next hop.

Step 6:

Log in to the Fortinet ECS instance.

Add the App, Web and Search private addresses to the FortiGate.

Set up inbound DNAT: create three Virtual IPs, mapping port 40001 to App port 80, port 40002 to Web port 80, and port 40003 to Search port 80.

Set up the outbound SNAT firewall policy for Internet connectivity.

Set up the inbound DNAT firewall policy for connections from the Internet.

Finally, we can connect to the three service servers through the SLB IP addresses.

If you have followed the above steps correctly, you should see all of the traffic passing through the Fortinet firewall.
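The Step 6 objects above (address objects, port-forwarding Virtual IPs, the inbound DNAT policies and the outbound SNAT policy) can be rendered from the article's service map as FortiOS CLI. The generator below is an added example, not the article's configuration nor a Fortinet tool; it first checks that every SLB targets a distinct firewall port. The backend addresses and ports 40001 to 40003 come from the article; the interface name, the FortiGate private IP, and the object and policy names are assumptions.

```python
"""Render the Step 6 FortiOS CLI objects from the service map.
Added example; interface name, FortiGate private IP and object names are assumed."""

# Article values: service -> (port on the FortiGate that its SLB targets, backend private IP)
SERVICES = {
    "App":    (40001, "192.168.1.81"),
    "Web":    (40002, "192.168.1.82"),
    "Search": (40003, "192.168.1.80"),
}
FGT_INSIDE_IP = "192.168.2.10"   # assumed FortiGate private IP (the SLBs' backend address)
FGT_INTF = "port1"               # assumed: a single-NIC ECS, so traffic hairpins on one interface
BACKEND_PORT = 80                # all three services listen on HTTP 80


def check_services(services):
    """Each SLB must target its own FortiGate port, and no backend may be mapped twice."""
    ports = [port for port, _ in services.values()]
    ips = [ip for _, ip in services.values()]
    dup_ports = sorted({p for p in ports if ports.count(p) > 1})
    if dup_ports:
        raise ValueError(f"forward port reused across services: {dup_ports}")
    if len(set(ips)) != len(ips):
        raise ValueError("a backend IP is mapped twice")
    return True


def _block(table, entries):
    """Wrap 'edit ... next' entries in a FortiOS 'config ... end' block."""
    return f"config {table}\n" + "\n".join(entries) + "\nend"


def render_addresses(services):
    """One /32 address object per backend (the 'add private address' step)."""
    entries = [
        f'    edit "{name}"\n        set subnet {ip} 255.255.255.255\n    next'
        for name, (_, ip) in services.items()
    ]
    return _block("firewall address", entries)


def render_vips(services):
    """Port-forwarding VIPs: firewall IP:forward port -> backend IP:80 (DNAT)."""
    entries = [
        f'    edit "VIP-{name}"\n'
        f'        set extip {FGT_INSIDE_IP}\n'
        f'        set extintf "{FGT_INTF}"\n'
        f'        set portforward enable\n'
        f'        set mappedip "{ip}"\n'
        f'        set extport {port}\n'
        f'        set mappedport {BACKEND_PORT}\n'
        f'    next'
        for name, (port, ip) in services.items()
    ]
    return _block("firewall vip", entries)


def render_policies(services):
    """Inbound DNAT policies (one per VIP) followed by the outbound SNAT policy."""
    entries = []
    for pid, name in enumerate(services, start=1):
        entries.append(
            f'    edit {pid}\n'
            f'        set name "Inbound-{name}"\n'
            f'        set srcintf "{FGT_INTF}"\n'
            f'        set dstintf "{FGT_INTF}"\n'
            f'        set srcaddr "all"\n'
            f'        set dstaddr "VIP-{name}"\n'
            f'        set action accept\n'
            f'        set schedule "always"\n'
            f'        set service "ALL"\n'   # the VIP already limits this to extport -> mappedport
            f'        set nat enable\n'      # assumed: backend replies then return via the firewall
            f'    next'
        )
    backends = " ".join(f'"{name}"' for name in services)
    entries.append(
        f'    edit {len(services) + 1}\n'
        f'        set name "Outbound-SNAT"\n'
        f'        set srcintf "{FGT_INTF}"\n'
        f'        set dstintf "{FGT_INTF}"\n'
        f'        set srcaddr {backends}\n'
        f'        set dstaddr "all"\n'
        f'        set action accept\n'
        f'        set schedule "always"\n'
        f'        set service "ALL"\n'
        f'        set nat enable\n'
        f'    next'
    )
    return _block("firewall policy", entries)


def render_config(services):
    """Validate the service map and return the complete CLI snippet."""
    check_services(services)
    return "\n".join([render_addresses(services), render_vips(services), render_policies(services)])


if __name__ == "__main__":
    print(render_config(SERVICES))
```

The inbound policies use service "ALL" because the VIP object itself restricts what is forwarded to the one external port and mapped port. They also enable NAT so that the backend sees the firewall as the source and its replies necessarily come back through the firewall; the article's screenshots do not show that setting, so treat it as a design choice to confirm against your own routing.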

Reference: https://www.alibabacloud.com/blog/how-to-deploy-multiple-eips-on-fortinet-fortigate-ngfw_594451?spm=a2c41.12560101.0.0
