How to Deploy Multiple EIPs on Fortinet FortiGate NGFW

By Jonathan Peng, Staff Solutions Architect

Most Internet services within a Virtual Private Cloud (VPC) need multiple public IP addresses for customers to reach them. If we want to protect all public traffic with a dedicated firewall appliance, we face the problem of deploying multiple IPs on a single firewall running on an Elastic Compute Service (ECS) instance.

In this article, we will deploy multiple EIPs with one Fortinet NGFW ECS instance to help Alibaba Cloud users address this problem.

Use Cases

Here are some of the things that you can do with multiple IP addresses and Fortinet NGFW:

  1. Use URL-based filtering policies. We can leverage Fortinet's URL filtering feature to protect inbound and outbound Internet traffic by filtering on URLs instead of IP addresses.

Solution Overall Description

The following diagram illustrates the overall concept of this solution. We need to go through the following 7 steps:

  1. Create a VPC with two different vSwitches for the networking.

Step-by-Step Demonstration

Step 1:

Log in to the Alibaba Cloud console, find VPC under Products, and create a new VPC and two vSwitches.

Step 2:

Find ECS under Products and create three ECS instances to simulate the App, Web, and Search services.

Step 3:

Create an ECS instance from a Marketplace image, choosing the Fortinet FortiGate NGFW image.

Step 4:

Create three SLB instances for the App, Web, and Search HTTP services.

All listeners are set to HTTP port 80.

Each SLB listener needs the Fortinet firewall added as its backend server, pointing to a different backend port: 40001, 40002, and 40003.

Step 5:

Add a default route to the VPC's vRouter that points to the Fortinet ECS instance.

Step 6:

Log in to the Fortinet ECS instance.

Add the App, Web, and Search private addresses into Fortinet.

Set up inbound DNAT: create three Virtual IPs mapping port 40001 to App port 80, port 40002 to Web port 80, and port 40003 to Search port 80.

Set up an outbound SNAT firewall policy for Internet connectivity.

Set up an inbound DNAT firewall policy for Internet connectivity.

Finally, we can connect to these three different service servers via the SLB IP addresses.
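The FortiGate side of Step 6 (the three Virtual IPs, the inbound DNAT policies, and the outbound SNAT policy) expressed as FortiOS CLI, as an added example that is not part of the original article or Fortinet's documentation. Interface names, addresses and subnets are assumptions: port1 is taken to be the interface in the SLB-facing vSwitch with private IP 10.0.1.10, port2 the interface in the server vSwitch, and 10.0.2.11/.12/.13 (App, Web, Search) in 10.0.2.0/24 are constructed backend addresses. The web filter profile on the outbound policy ties in the URL filtering use case mentioned earlier.

```fortios
# Added example, not from the article. Assumed (not in the article): port1 = SLB-facing
# interface with private IP 10.0.1.10; port2 = server-side interface; backend
# private IPs 10.0.2.11/.12/.13 and subnet 10.0.2.0/24 are constructed values.

config firewall address
    edit "vpc-internal"
        set subnet 10.0.2.0 255.255.255.0
    next
end

# One custom service per SLB backend port, so each inbound policy admits only that port
config firewall service custom
    edit "TCP-40001"
        set tcp-portrange 40001
    next
    edit "TCP-40002"
        set tcp-portrange 40002
    next
    edit "TCP-40003"
        set tcp-portrange 40003
    next
end

# Inbound DNAT: SLB backend -> 10.0.1.10:4000x -> server:80
config firewall vip
    edit "vip-app"
        set extintf "port1"
        set extip 10.0.1.10
        set mappedip "10.0.2.11"
        set portforward enable
        set extport 40001
        set mappedport 80
    next
    edit "vip-web"
        set extintf "port1"
        set extip 10.0.1.10
        set mappedip "10.0.2.12"
        set portforward enable
        set extport 40002
        set mappedport 80
    next
    edit "vip-search"
        set extintf "port1"
        set extip 10.0.1.10
        set mappedip "10.0.2.13"
        set portforward enable
        set extport 40003
        set mappedport 80
    next
end

config firewall policy
    # Inbound DNAT policies: the destination is the VIP object and the service
    # is matched against the external (pre-NAT) port the SLB connects to
    edit 1
        set name "in-dnat-app"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-app"
        set action accept
        set schedule "always"
        set service "TCP-40001"
    next
    edit 2
        set name "in-dnat-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "TCP-40002"
    next
    edit 3
        set name "in-dnat-search"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-search"
        set action accept
        set schedule "always"
        set service "TCP-40003"
    next
    # Outbound SNAT policy: only the server subnet may originate traffic; source NAT
    # to the port1 address; web filtering and logging applied to what leaves the VPC
    edit 10
        set name "out-snat"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "vpc-internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

If the FortiGate instance has a single NIC, both srcintf and dstintf become port1 and the address of that interface is used as the VIP extip. The per-port custom services and the vpc-internal source restriction keep the policies as narrow as the SLB listeners require, and logtraffic on the outbound policy gives the FortiGate logs needed to verify that all traffic really traverses the firewall, as the next paragraph expects.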

If you’ve followed the above steps correctly, you should see all the traffic going through the Fortinet firewall.


Follow me to keep abreast with the latest technology news, industry insights, and developer trends.