Administration Guide

Protecting workloads with FortiGate CNF

For each cloud subnet you are protecting, take the following steps.

Networking

Ensure the traffic is routed correctly, as follows:

  1. Create and deploy a FortiGate CNF instance. See Deploying a FortiGate CNF instance.

  2. Deploy a load balancer endpoint in your cloud account. Typically the endpoint is put in a subnet by itself. See Adding an endpoint to an AWS instance.

  3. Route traffic to the deployed FortiGate CNF instance. The instance must be in the traffic path of your workload. This requires routing changes in your cloud infrastructure, which you must make yourself because Fortinet does not have access to your infrastructure. Route traffic to the load balancer endpoint, which sends it to the FortiGate CNF instance for inspection; the instance then returns the traffic to the load balancer endpoint. For deployment examples, see Deployment scenarios.

    Consider FortiGate CNF as a bump-in-the-wire, with the load balancer endpoint as the gate.
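
The following check is an added example, not Fortinet code: it reads route tables in the JSON shape returned by `aws ec2 describe-route-tables` and reports protected subnets whose default route does not reach the load balancer endpoint, including subnets that silently fall back to the main route table and routes left in a blackhole state. It assumes a single VPC, that the endpoint appears as a `vpce-` ID in the route's `GatewayId` field, and that the default route is the one your deployment scenario steers; all IDs are constructed.

```python
# Added example (not Fortinet code). IDs below are constructed.
# Assumption: the endpoint shows up as a vpce- ID in a route's GatewayId.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "NetworkInterfaceId", "VpcPeeringConnectionId")

def table_for_subnet(route_tables, subnet_id):
    """Explicit association wins; otherwise the main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(rt):
    """Target of the active 0.0.0.0/0 route, or None (blackhole counts as None)."""
    for route in rt.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"):
            return next((route[k] for k in TARGET_KEYS if route.get(k)), None)
    return None

def audit(route_tables, protected_subnets, endpoint_id):
    """Map each subnet that bypasses the endpoint to what it uses instead."""
    findings = {}
    for subnet in protected_subnets:
        rt = table_for_subnet(route_tables, subnet)
        target = default_route_target(rt) if rt else None
        if target != endpoint_id:
            findings[subnet] = target or "no active default route"
    return findings

def _rt(rtb, assocs, target, state="active"):  # builds one constructed table
    return {"RouteTableId": rtb, "Associations": assocs, "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": target, "State": state}]}

SAMPLE = [
    _rt("rtb-main", [{"Main": True}], "igw-0example"),
    _rt("rtb-app", [{"SubnetId": "subnet-app"}], "vpce-0example"),
    _rt("rtb-db", [{"SubnetId": "subnet-db"}], "vpce-0example", state="blackhole"),
]

if __name__ == "__main__":
    subnets = ["subnet-app", "subnet-db", "subnet-batch"]
    for subnet, seen in audit(SAMPLE, subnets, "vpce-0example").items():
        print(f"{subnet}: default route -> {seen}")
```

An empty result means every listed subnet has an active default route to the endpoint; it does not cover return-path routing, which depends on the deployment scenario.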

Security

Ensure the desired security policies are applied to the deployed FortiGate CNF instance.

  1. Create a policy set.

    This process is very similar to the policy creation process on FortiGate. Address, Service, and Security Profile objects are used to form policies, which are grouped in an ordered sequence to form a policy set.

  2. Apply a policy set to one or more FortiGate CNF instances.

    Policy sets can be edited and then updated on deployed instances if needed.
