Access a cloud server using an AWS SDN connector via SSL VPN

This example provides a sample configuration so that a local client PC can access an FTP server deployed inside an AWS cloud using an AWS SDN connector via SSL VPN.

The FortiGate VM64-AWS is deployed inside an AWS Cloud, and can dynamically resolve the private IP address of the FTP server in the cloud with an AWS SDN connector. The local client PC, with FortiClient installed, can establish an SSL-VPN tunnel to the FortiGate, and then access the FTP server through the tunnel.

To configure the FortiGate VM64-AWS:

  1. Configure an AWS SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New.
    3. Click Amazon Web Services (AWS).
    4. Configure the following:
       Name: aws1
       Status: Enabled
       Update Interval: Use Default
       Access key ID: <AWS access key ID>
       Secret access key: <AWS secret access key>
       Region name: us-east-1
       VPC ID: disabled
    5. Click OK.
  2. Check the connector status:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click the refresh icon on the configured SDN connector.

A green arrow in the bottom right corner of the connector means that it is connected.

  3. Create a firewall address:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. Configure the following:
       Name: dynamic-aws
       Type: Fabric Connector Address
       SDN Connector: aws1
       SDN address type: Private
       Filter: Tag.Name=publicftp (the value of the FTP server's Name tag in the AWS cloud)
       Interface: any
    3. Click OK.
  4. Check the resolved firewall address after the update interval (60 seconds, by default):
    1. Go to Policy & Objects > Addresses.
    2. Hover the cursor over the dynamic-aws address.

The firewall address resolved by the configured SDN connector is shown (172.31.31.101).
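The tag-to-IP resolution behind the dynamic-aws address, shown as an added Python example (not code from the original guide or from FortiOS): it parses the page's Tag.Name=publicftp filter, issues the same kind of tag-filtered EC2 DescribeInstances query the connector performs, and extracts private IPs from a constructed sample response so the parsing part runs offline. The helper names, the boto3 dependency, the placeholder instance IDs and the choice to skip non-running instances are assumptions of this script, not documented connector behaviour.

```python
"""Resolve EC2 private IPs by tag, which is what the AWS SDN connector does
for the dynamic-aws address with the filter Tag.Name=publicftp."""
import re

def parse_filter(expr):
    """Turn a FortiGate-style 'Tag.<Key>=<value>' filter into (key, value);
    only the single-tag form used on this page is handled."""
    m = re.fullmatch(r"Tag\.([^=]+)=(.+)", expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    return m.group(1), m.group(2)

def private_ips(describe_response, tag_key, tag_value, running_only=True):
    """Extract private IPv4 addresses of instances tagged tag_key=tag_value
    from an EC2 DescribeInstances response. The tag is re-checked locally
    rather than trusting the server-side filter alone; skipping non-running
    instances is this script's choice, not documented connector behaviour."""
    ips = set()
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(tag_key) != tag_value:
                continue
            if running_only and inst.get("State", {}).get("Name") != "running":
                continue
            if inst.get("PrivateIpAddress"):
                ips.add(inst["PrivateIpAddress"])
    return sorted(ips)

def resolve_from_aws(filter_expr, region="us-east-1"):
    """Live lookup; assumes boto3 and AWS credentials in the environment.
    The IAM principal needs only ec2:DescribeInstances for this query."""
    import boto3  # imported here so the offline parsing above needs no SDK
    key, value = parse_filter(filter_expr)
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_instances(Filters=[{"Name": f"tag:{key}", "Values": [value]}])
    return private_ips(resp, key, value)

# Constructed sample response: a running FTP instance plus a stopped spare
# that carries the same Name tag (instance IDs are placeholders).
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "State": {"Name": "running"},
     "PrivateIpAddress": "172.31.31.101", "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Name", "Value": "publicftp"}]},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "State": {"Name": "stopped"},
     "PrivateIpAddress": "172.31.31.102",
     "Tags": [{"Key": "Name", "Value": "publicftp"}]},
]}]}

print(private_ips(SAMPLE_RESPONSE, *parse_filter("Tag.Name=publicftp")))  # ['172.31.31.101']
```

Because the result is the private address, the firewall policy below matches the instance's VPC address and not its public IP, which is why the client's tunnel route points at 172.31.31.101.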

  5. Configure SSL VPN to access the FTP server:
    1. Configure a user and user group:
      1. Go to User & Device > User Definition and create a new local user named usera.
      2. Go to User & Device > User Groups, create a group named sslvpngroup, and add usera to it.
    2. Configure SSL VPN:
      1. Go to VPN > SSL-VPN Settings.
      2. Set Listen on Interface(s) to port1 and Listen on Port to 10443. Set Server Certificate to your own certificate, or Fortinet_Factory.
      3. In the Authentication/Portal Mapping section, set the default All Other Users/Groups to full-access, and create a new Authentication/Portal Mapping for sslvpngroup, also with full-access.
      4. Click Apply.
    3. Configure an SSL VPN firewall policy:
      1. Go to Policy & Objects > IPv4 Policy and click Create New.
      2. Configure the following:
         Name: sslvpn-aws
         Incoming Interface: ssl.root (the SSL VPN tunnel interface)
         Outgoing Interface: port1
         Source: all, sslvpngroup
         Destination: dynamic-aws
         Schedule: always
         Service: ALL
         Action: Accept
      3. Click OK.

To connect an SSL VPN tunnel from the local client PC:

  1. Download FortiClient from forticlient.com and install it.
  2. Open the FortiClient console and go to Remote Access.
  3. Add a new connection.
  4. Set VPN to SSL-VPN, and enter a Connection Name and Description.
  5. Set the Remote Gateway to 26.32.219, which is the FortiGate’s port1 public IP address that is configured as the listening interface.
  6. Enable Customize port, and set the port number to 10443.
  7. Click Save.
  8. Use the credentials configured for usera to connect to the tunnel.

Traffic to the SDN connector’s resolved IP address (dynamic-aws, 172.31.31.101) will go through the tunnel, and other traffic will go through the local gateway.

The client PC shows the routing entry for the tunnel:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.200.1    0.0.0.0         UG    0      0        0 eth1
172.31.31.101   10.212.134.200  255.255.255.255 UGH   0      0        0 ppp0

The FortiGate shows the logged-in user and the assigned SSL VPN tunnel virtual IP address:

execute vpn sslvpn list
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       usera   1(1)        284       208.91.115.10   0/0           0/0

SSL VPN sessions:
 Index   User    Source IP       Duration   I/O Bytes   Tunnel/Dest IP
 0       usera   208.91.115.10   76         1883/1728   10.212.134.200

Diagnose commands

Show SDN connector status:

FGT-AWS# diagnose sys sdn status
SDN Connector    Type    Status
-------------------------------
aws1             aws     connected

Debug the AWS SDN connector to resolve the firewall address:

FGT-AWS-3 # diagnose debug application awsd -1
…
awsd checking firewall address object dynamic-aws, vd 0
address change, new ip list:
172.31.31.101
awsd sdn connector aws1 finish updating IP addresses
…

Restart the AWS SDN connector daemon:

FGT-AWS-3 # diagnose test application awsd 99

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
