Access a cloud server using an AWS SDN connector via SSL VPN
This example provides a sample configuration so that a local client PC can access an FTP server deployed inside an AWS cloud using an AWS SDN connector via SSL VPN.
The FortiGate VM64-AWS is deployed inside an AWS Cloud, and can dynamically resolve the private IP address of the FTP server in the cloud with an AWS SDN connector. The local client PC, with FortiClient installed, can establish an SSL-VPN tunnel to the FortiGate, and then access the FTP server through the tunnel.
To configure the FortiGate VM64-AWS:
- Configure an AWS SDN connector:
  - Go to Security Fabric > Fabric Connectors.
  - Click Create New.
  - Click Amazon Web Services (AWS).
  - Configure the following:

    | Setting | Value |
    | --- | --- |
    | Name | aws1 |
    | Status | Enabled |
    | Update Interval | Use Default |
    | Access key ID | <AWS access key ID> |
    | Secret access key | <AWS secret access key> |
    | Region name | us-east-1 |
    | VPC ID | disabled |

  - Click OK.
- Check the connector status:
  - Go to Security Fabric > Fabric Connectors.
  - Click the refresh icon on the configured SDN connector.

    A green arrow in the bottom right corner of the connector means that it is connected.
- Create a firewall address:
  - Go to Policy & Objects > Addresses and click Create New > Address.
  - Configure the following:

    | Setting | Value |
    | --- | --- |
    | Name | dynamic-aws |
    | Type | Fabric Connector Address |
    | SDN Connector | aws1 |
    | SDN address type | Private |
    | Filter | Tag.Name=publicftp (the name of the FTP server in the AWS cloud) |
    | Interface | any |

  - Click OK.
- Check the resolved firewall address after the update interval (60 seconds, by default):
  - Go to Policy & Objects > Addresses.
  - Hover the cursor over the dynamic-aws address.

    The firewall address resolved by the configured SDN connector is shown (172.31.31.101).
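The resolution step above is what the SDN connector does on every update interval: it asks EC2 for instances, keeps the ones whose tag matches the address object's filter, and writes their private IPs into dynamic-aws. The following Python is an added example, not FortiOS code or the real awsd logic, that performs the same selection offline on a constructed set of instance records shaped like EC2 DescribeInstances output. It generalizes the page's `Tag.Name=publicftp` filter to any `Tag.<Key>=<Value>` form, and it skips non-running instances, which is this example's own choice (labelled as an assumption in the code), not documented connector behaviour.

```python
"""Resolve a FortiGate-style dynamic address filter against EC2 instance data.

Added example (not FortiOS or awsd code): it mimics what the aws1 SDN connector
does for the dynamic-aws object (filter Tag.Name=publicftp) by applying the
filter to DescribeInstances-style records and returning matching private IPs.
The instance records below are constructed for the example.
"""
from __future__ import annotations

# Constructed sample, shaped like Reservations[].Instances[] items from EC2
# DescribeInstances (only the fields used here). Instance IDs are placeholders.
SAMPLE_INSTANCES = [
    {
        "InstanceId": "i-0example0001",
        "PrivateIpAddress": "172.31.31.101",
        "State": {"Name": "running"},
        "Tags": [{"Key": "Name", "Value": "publicftp"}, {"Key": "Role", "Value": "ftp"}],
    },
    {
        "InstanceId": "i-0example0002",
        "PrivateIpAddress": "172.31.31.102",
        "State": {"Name": "running"},
        "Tags": [{"Key": "Name", "Value": "web01"}],
    },
    {
        "InstanceId": "i-0example0003",
        "PrivateIpAddress": "172.31.31.103",
        "State": {"Name": "stopped"},
        "Tags": [{"Key": "Name", "Value": "publicftp"}],
    },
]


def parse_filter(expr: str) -> tuple[str, str]:
    """Parse a Tag.<Key>=<Value> filter into (key, value).

    Only the Tag.<Key>=<Value> form used on this page is supported; anything
    else raises rather than silently matching nothing.
    """
    if "=" not in expr:
        raise ValueError(f"unsupported filter (expected Tag.<Key>=<Value>): {expr!r}")
    lhs, _, value = expr.partition("=")
    prefix, _, key = lhs.partition(".")
    if prefix != "Tag" or not key or not value:
        raise ValueError(f"unsupported filter (expected Tag.<Key>=<Value>): {expr!r}")
    return key, value


def instance_matches(instance: dict, key: str, value: str) -> bool:
    """True when the instance carries a tag key=value (exact, case-sensitive match)."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in instance.get("Tags", []))


def resolve_private_ips(expr: str, instances: list[dict], running_only: bool = True) -> list[str]:
    """Return the sorted private IPs of instances matching the filter.

    running_only drops stopped/terminated instances. This is an assumption of
    the example (a stopped instance offers no service, so it should not widen
    the firewall policy), not documented SDN connector behaviour.
    """
    key, value = parse_filter(expr)
    ips: set[str] = set()
    for inst in instances:
        if running_only and inst.get("State", {}).get("Name") != "running":
            continue
        if instance_matches(inst, key, value) and inst.get("PrivateIpAddress"):
            ips.add(inst["PrivateIpAddress"])
    return sorted(ips)


if __name__ == "__main__":
    # Same filter as the dynamic-aws address object on this page.
    print(resolve_private_ips("Tag.Name=publicftp", SAMPLE_INSTANCES))
```

Comparing the list this returns with the IP shown when hovering over dynamic-aws is a quick way to confirm the filter matches exactly the instances you intended; a tag value shared by several instances silently widens the destination of the sslvpn-aws policy to all of them.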
- Configure SSL VPN to access the FTP server:
  - Configure a user and user group:
    - Go to User & Device > User Definition and create a new local user named usera.
    - Go to User & Device > User Groups, create a group named sslvpngroup, and add usera to it.
  - Configure SSL VPN:
    - Go to VPN > SSL-VPN Settings.
    - Set Listen on Interface(s) to port1 and Listen on Port to 10443. Set Server Certificate to your own certificate, or to Fortinet_Factory.
    - In the Authentication/Portal Mapping section, set the default All Other Users/Groups to full-access, and create a new Authentication/Portal Mapping for sslvpngroup, also with full-access.
    - Click Apply.
  - Configure an SSL VPN firewall policy:
    - Go to Policy & Objects > IPv4 Policy and click Create New.
    - Configure the following:

      | Setting | Value |
      | --- | --- |
      | Name | sslvpn-aws |
      | Incoming interface | ssl.root (the SSL VPN tunnel interface) |
      | Outgoing Interface | port1 |
      | Source | all, sslvpngroup |
      | Destination | dynamic-aws |
      | Schedule | always |
      | Service | ALL |
      | Action | Accept |

    - Click OK.
To connect an SSL VPN tunnel from the local client PC:
- Download FortiClient from forticlient.com and install it.
- Open the FortiClient console and go to Remote Access.
- Add a new connection:
  - Set VPN to SSL-VPN, and enter a Connection Name and Description.
  - Set the Remote Gateway to 26.32.219, which is the FortiGate’s port1 public IP address that is configured as the listening interface.
  - Enable Customize port, and set the port number to 10443.
  - Click Save.
- Use the credentials configured for usera to connect to the tunnel.
Traffic to the SDN connector’s resolved IP address (dynamic-aws, 172.31.31.101) will go through the tunnel, and other traffic will go through the local gateway.
The client PC shows the routing entry for the tunnel:

```
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
0.0.0.0         172.16.200.1     0.0.0.0          UG    0      0   0   eth1
172.31.31.101   10.212.134.200   255.255.255.255  UGH   0      0   0   ppp0
```
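The routing table is the client-side evidence that the tunnel is split as intended: exactly one host route (the SDN-resolved address) via ppp0, and the default route still on the local gateway. The following Python is an added example, not part of the original page or of FortiClient, that parses `netstat -rn` style output (constructed here to match the table above) and reports anything that deviates from that expectation, such as a default route through the tunnel or an extra destination that should not be reachable through it.

```python
"""Check a client's routing table for the expected SSL VPN split-tunnel routes.

Added example (not FortiClient code): parses Linux `netstat -rn` style output
and confirms that only the expected hosts are routed via the tunnel interface
and that the default route still uses the local gateway.
The route text below is constructed to match the table on the page.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the same three lines shown in the page's routing table.
SAMPLE_ROUTES = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.200.1 0.0.0.0 UG 0 0 0 eth1
172.31.31.101 10.212.134.200 255.255.255.255 UGH 0 0 0 ppp0
"""

# Constructed variant of a full tunnel: the default route itself goes via ppp0.
FULL_TUNNEL_ROUTES = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.212.134.200 0.0.0.0 UG 0 0 0 ppp0
"""


@dataclass(frozen=True)
class Route:
    destination: str
    gateway: str
    genmask: str
    flags: str
    iface: str


def parse_routes(text: str) -> list[Route]:
    """Parse netstat -rn output; the header line and short lines are skipped."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[3], parts[7]))
    return routes


def check_split_tunnel(routes: list[Route], tunnel_iface: str,
                       expected_hosts: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the split tunnel looks right.

    expected_hosts are the addresses that should be reachable only through the
    tunnel (here, the IP resolved for dynamic-aws).
    """
    problems: list[str] = []

    default = [r for r in routes if r.destination == "0.0.0.0" and r.genmask == "0.0.0.0"]
    if not default:
        problems.append("no default route present")
    elif any(r.iface == tunnel_iface for r in default):
        problems.append(f"default route uses {tunnel_iface}: full tunnel, not split")

    tunnel_hosts = {r.destination for r in routes if r.iface == tunnel_iface}
    for r in routes:
        if r.iface == tunnel_iface and r.genmask != "255.255.255.255":
            problems.append(f"tunnel route {r.destination}/{r.genmask} is wider than one host")

    for host in expected_hosts:
        if host not in tunnel_hosts:
            problems.append(f"expected host {host} is not routed via {tunnel_iface}")
    for host in sorted(tunnel_hosts - set(expected_hosts)):
        problems.append(f"unexpected destination {host} routed via {tunnel_iface}")
    return problems


if __name__ == "__main__":
    # Expect no problems for the page's table, one for the full-tunnel variant.
    print(check_split_tunnel(parse_routes(SAMPLE_ROUTES), "ppp0", ["172.31.31.101"]))
    print(check_split_tunnel(parse_routes(FULL_TUNNEL_ROUTES), "ppp0", ["172.31.31.101"]))
```

Run it against live `netstat -rn` output after connecting; because dynamic-aws is re-resolved every update interval, the expected host list should be taken from the FortiGate's current resolution rather than hard-coded in a long-lived check.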
The FortiGate shows the logged-in user and the assigned SSL VPN tunnel virtual IP address:

```
execute vpn sslvpn list
SSL VPN Login Users:
 Index   User            Auth Type      Timeout   From             HTTP in/out   HTTPS in/out
 0       usera           1(1)           284       208.91.115.10    0/0           0/0

SSL VPN sessions:
 Index   User            Source IP        Duration   I/O Bytes     Tunnel/Dest IP
 0       usera           208.91.115.10    76         1883/1728     10.212.134.200
```
Diagnose commands

Show SDN connector status:

```
FGT-AWS# diagnose sys sdn status
SDN Connector    Type    Status
--------------------------------
aws1             aws     connected
```

Debug the AWS SDN connector to resolve the firewall address:

```
FGT-AWS-3 # diagnose debug application awsd -1
…
awsd checking firewall address object dynamic-aws, vd 0
address change, new ip list:
172.31.31.101
awsd sdn connector aws1 finish updating IP addresses
…
```

Restart the AWS SDN connector daemon:

```
FGT-AWS-3 # diagnose test application awsd 99
```