Section 5: Traffic Inspection
5.1 Test Spoke-to-Internet Connectivity
In this test, traffic flows from a spoke VPC through the AWS Transit Gateway and FortiGate to the Internet.
In the Amazon EC2 console, locate the public IP address of Spoke1-VM.
Connect to the instance using the SSH key created earlier.
```bash
ssh -i Student01-key.pem ubuntu@<SPOKE1-PUBLIC-IP>
```
The Ubuntu username is:
```text
ubuntu
```
Test Internet connectivity through the FortiGate:
```bash
ping -c 4 8.8.8.8
```
Test TCP connectivity to the Fortinet website:
```bash
telnet www.fortinet.com 443
```
Alternatively, use curl:
```bash
curl -I https://www.fortinet.com
```
INFO
The instances use a wait-for-FortiGate script. Their setup completes only after they can successfully reach the Internet through the FortiGate.

In the FortiGate GUI, go to Log & Report > Forward Traffic.
Locate traffic from source networks beginning with:
```text
10.1.x.x
10.2.x.x
```
Confirm that the preconfigured egress Internet access policy processed the traffic.

5.2 Test Spoke-to-Spoke Connectivity
In this test, traffic flows from Spoke 1 to Spoke 2 through the Transit Gateway and FortiGate.
In the FortiGate GUI, create a firewall policy that permits east-west traffic between the spoke networks.


From the Spoke 1 instance, initiate ICMP traffic to the Spoke 2 instance:
```bash
ping -c 4 10.2.0.100
```
Test HTTP connectivity to the Spoke 2 web server:
```bash
curl http://10.2.0.100
```
In the FortiGate GUI, go to Log & Report > Forward Traffic.
Confirm that the east-west policy processed the traffic.
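
The log checks in 5.1 and 5.2 can also be scripted. The following is an added example, not part of the original lab: it assumes the forward-traffic logs have been exported as FortiOS key=value text (for example through syslog), and the sample lines, policy IDs 1 and 2, and the address 203.0.113.10 are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE_LOG is constructed; policy IDs 1 and 2 and the address
# 203.0.113.10 are assumptions. policyid=0 is the FortiOS implicit deny.
SAMPLE_LOG='type="traffic" subtype="forward" srcip=10.1.0.100 dstip=8.8.8.8 service="PING" policyid=1 action="accept"
type="traffic" subtype="forward" srcip=10.1.0.100 dstip=203.0.113.10 service="HTTPS" policyid=1 action="close"
type="traffic" subtype="forward" srcip=10.1.0.100 dstip=10.2.0.100 service="PING" policyid=0 action="deny"
type="traffic" subtype="forward" srcip=10.1.0.100 dstip=10.2.0.100 service="HTTP" policyid=2 action="close"
type="traffic" subtype="forward" srcip=10.2.0.100 dstip=8.8.8.8 service="PING" policyid=1 action="accept"'

# Read log lines on stdin; print "<spoke> <direction> policyid=<id> <verdict> count=<n>".
# Fields are split on whitespace, which is safe for the space-free fields
# used here (subtype, srcip, dstip, policyid, action).
summarise_spoke_traffic() {
  awk '
    function field(key,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
        }
      return ""
    }
    function spoke(ip) {
      if (ip ~ /^10\.1\./) return "spoke1"
      if (ip ~ /^10\.2\./) return "spoke2"
      return ""
    }
    field("subtype") == "forward" {
      src = spoke(field("srcip")); if (src == "") next
      dir = (spoke(field("dstip")) != "") ? "east-west" : "egress"
      # Allowed TCP sessions are logged with actions such as "close", so
      # anything other than "deny" is counted as passed.
      verdict = (field("action") == "deny") ? "denied" : "passed"
      n[src " " dir " policyid=" field("policyid") " " verdict]++
    }
    END { for (k in n) print k, "count=" n[k] }
  ' | sort
}

# Print each flow the lab expects (5.1 egress, 5.2 east-west from Spoke 1)
# that has no passed entry; empty output means both were seen.
missing_flows() {
  summary=$(summarise_spoke_traffic)
  for flow in "spoke1 egress" "spoke1 east-west"; do
    printf '%s\n' "$summary" | grep -q "^$flow .* passed " || echo "$flow"
  done
}

# Demo: printf '%s\n' "$SAMPLE_LOG" | summarise_spoke_traffic
```

An east-west entry with `policyid=0` means the traffic reached the FortiGate but fell through to the implicit deny, which is what a ping sent before the east-west policy exists would produce.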

5.3 Test Internet-to-Spoke Connectivity
In this test, FortiGate virtual IP objects publish the spoke web servers to the Internet.
Create Virtual IP Objects
Create two virtual IP objects:
| Spoke | External TCP port | Internal web server |
|---|---|---|
| Spoke 1 | 8081 | 10.1.0.100:80 |
| Spoke 2 | 8082 | 10.2.0.100:80 |
Create the virtual IP object for Spoke 1.

Create the virtual IP object for Spoke 2.

Create the Ingress Firewall Policy
Create a firewall policy that permits inbound HTTP traffic from the WAN interface to the two virtual IP objects.


Test Published Web Services
Open the following URLs in a web browser:
```text
http://<FORTIGATE-PUBLIC-IP>:8081
```
```text
http://<FORTIGATE-PUBLIC-IP>:8082
```

In the FortiGate GUI, go to Log & Report > Forward Traffic.
Confirm that the ingress firewall policy processed the traffic.

Next Step
Continue to Section 6: Resource Cleanup.