
I've got a Fortigate NGFW sitting in my AWS that my company uses for SSL-VPN & IPSEC access to clients. We've recently started hosting our own EC2 servers behind the Fortigate. They're able to reach through the VPNs just fine but aren't able to hit the wider internet despite all of the correct policies being in place on the Fortigate.

When I run the AWS Reachability Analyzer I get the following error: IGW_REJECTS_SPOOFED_TRAFFIC. I've done a fair amount of googling on the issue. My Security Groups look fine, and the Fortigate is performing NAT on traffic leaving the box. My AWS routing table has a default route pointed at the Internet Gateway, and I've disabled Source/Destination check on the Fortigate. I'm pretty stumped. Anyone got any ideas?

A-Big-Moose
  • "Gateways reject traffic from network interfaces if the source IP address is not a public IP address associated with the network interface." https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html Sounds like the outgoing IP address on packets coming out of the Fortigate doesn't match the public IP of the Fortigate instance. – erik258 May 02 '23 at 15:15
  • The server is sitting in a private aws subnet and I've got NAT enabled on the fortigate internet access policy. – A-Big-Moose May 02 '23 at 16:02
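The IGW rule quoted in the comments, turned into a small triage helper. This is an added example, not code from the question or from any answer; the ENI description and all addresses are constructed placeholders in the shape of `aws ec2 describe-network-interfaces` output, and 10.0.2.50 stands in for a private-subnet server whose packets left the firewall without being NATed.

```python
"""Triage helper for IGW_REJECTS_SPOOFED_TRAFFIC.

Rule (AWS Reachability Analyzer explanation codes): an Internet Gateway only
forwards packets whose source IP is a private IP assigned to the sending ENI
that has a public IP associated with it; anything else is treated as spoofed.
"""
from ipaddress import ip_address

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`
# output for the firewall's outside ENI. All IDs and addresses are placeholders.
FIREWALL_OUTSIDE_ENI = {
    "NetworkInterfaceId": "eni-EXAMPLE",
    "SourceDestCheck": False,  # must be off for an appliance that forwards traffic
    "PrivateIpAddresses": [
        {"PrivateIpAddress": "10.0.1.10", "Primary": True,
         "Association": {"PublicIp": "203.0.113.10"}},   # has an EIP
        {"PrivateIpAddress": "10.0.1.11", "Primary": False},  # secondary, no EIP
    ],
}


def igw_verdict(eni, src_ip):
    """Return (accepted, reason) for a packet with source src_ip leaving eni."""
    src = ip_address(src_ip)
    for entry in eni["PrivateIpAddresses"]:
        if ip_address(entry["PrivateIpAddress"]) != src:
            continue
        public = entry.get("Association", {}).get("PublicIp")
        if public:
            return True, f"translated to {public} by the IGW"
        return False, "assigned to the ENI but has no public IP association"
    if eni.get("SourceDestCheck", True):
        # Forwarded packets die at the ENI itself before the IGW rule is reached.
        return False, "dropped by the ENI's source/destination check before the IGW"
    return False, "not assigned to the ENI (spoofed as far as the IGW is concerned)"


def triage(eni, src_ips):
    """Evaluate several candidate source IPs; returns {src: (accepted, reason)}."""
    return {src: igw_verdict(eni, src) for src in src_ips}


if __name__ == "__main__":
    # 10.0.1.10 is the correctly NATed case; 10.0.2.50 is an un-NATed server IP.
    checks = triage(FIREWALL_OUTSIDE_ENI, ["10.0.1.10", "10.0.1.11", "10.0.2.50"])
    for src, (ok, why) in checks.items():
        print(f"{src:<12} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Run it against the real ENI by pasting the `NetworkInterfaces[0]` object from the CLI output in place of the constructed dictionary; a REJECT on the firewall's own outside IP points at the EIP association, while a REJECT on a server's private IP points at the NAT policy.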

0 Answers