
FortiGate Next Gen Firewall AWS security groups


I'm new to AWS and using a FortiGate in front as the gateway. Would you need to utilize the security groups, or could I make one to permit all traffic and attach it, since the FortiGate handles everything?

Answer by Tim:

Every ENI (Elastic Network Interface) in AWS has a security group. You can make the security group wide open if you want to, but I would suggest you only allow in the traffic you want. For example, you might whitelist HTTP and HTTPS from anywhere, SSH from specific IPs, etc.

You can also use Network Access Control Lists (NACLs), which are subnet based, to whitelist based on port. The advantage there is that if you come under DDoS, AWS can push the NACLs out to the network edge, but that might only be if you use AWS Shield Advanced.

In AWS you tend to try to use services rather than servers. Do you really need a FortiGate? There are valid use cases, for example compliance with corporate policies. Consider AWS Network Firewall as an alternative.
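As an added illustration of the answer's advice (this is example code, not from the question, the answer, or AWS), here is a small audit over security-group rules in the shape returned by boto3's describe_security_groups: it flags the "permit all" pattern, non-public ports open to anywhere, and SSH from outside an approved management range. The approved range and the sample groups are constructed placeholders so it runs offline.

```python
from ipaddress import ip_network

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}              # allowed from anywhere (the answer's example)
ADMIN_ONLY = {22}                  # must come from known management ranges
ADMIN_CIDRS = [ip_network("203.0.113.0/24")]  # constructed placeholder range


def _sources(perm):
    """All CIDR sources of one IpPermissions entry (IPv4 and IPv6)."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def _within_admin(src):
    """True if src is contained in an approved management range of the same IP version."""
    net = ip_network(src)
    return any(a.version == net.version and net.subnet_of(a) for a in ADMIN_CIDRS)


def audit_ingress(group):
    """Return (rule, reason) findings for one describe_security_groups entry."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        for src in _sources(perm):
            rule = f"{proto}:{lo}-{hi} from {src}"
            if proto == "-1":                      # the "permit all" security group
                findings.append((rule, "all protocols and ports allowed"))
                continue
            if lo is None or hi is None:
                continue                           # protocols without a port range
            ports = set(range(lo, hi + 1))
            if src in ANYWHERE and ports - PUBLIC_OK:
                findings.append((rule, "non-public port open to anywhere"))
            elif ports & ADMIN_ONLY and not _within_admin(src):
                findings.append((rule, "admin port from unapproved source"))
    return findings


# Constructed sample groups in boto3 describe_security_groups shape.
PERMIT_ALL = {"GroupId": "sg-permitall", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
RESTRICTED = {"GroupId": "sg-restricted", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
SLOPPY = {"GroupId": "sg-sloppy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for g in (PERMIT_ALL, RESTRICTED, SLOPPY):
        print(g["GroupId"], audit_ingress(g))
```

Against real data, feed each element of the `SecurityGroups` list from describe_security_groups into audit_ingress; an empty result for every group means the rules match the allow list above.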

SGNjH:
Tim, thanks for the reply. Currently, we are looking to migrate a multi-tenancy application from on-prem to AWS to take advantage of things like RDS. We have a FortiGate in front of all our servers now, and will move our app servers to EC2 instances connecting to RDS. I'm going back and forth with our sysadmin, who says the FortiGate is enough and we could leave a permit-all. I'm on the fence and doing research, thinking both?
Tim:
Appliances in the cloud are an antipattern unless there's a _very_ good reason to have them there. People with legacy skills initially want those old on-premises appliances, but they're rarely needed in AWS. Security groups and optionally NACLs are good for most circumstances. If you need more control you can use AWS Network Firewall or AWS WAF v2. You might be best off getting professional help from someone experienced with AWS, rather than someone experienced with the old way of doing things.
SGNjH:
Thanks for the input! This gives me things to think about. The main concern was that it is sensitive data, and so adding the FortiGate gave another layer, like the AWS Network Firewall or WAF. My rebuttal was to include both, if necessary due to the nature of the information: a defense-in-depth approach. A further concern was any potential issues arising from not utilizing security groups correctly, scalability, or the transfer to different services as the application advances.
Tim:
Defense in depth is good practice. Security groups, NACLs, AWS WAF v2, GuardDuty, AWS Inspector, and maybe AWS Network Firewall will probably be more than sufficient.