Followed this guide:
https://cookbook.fortinet.com/create-routing-table-associate-subnets/
I have EC2 windows instance, also have EC2 FortiGate-FortiGate VM64-AWSONDEMAND
. Fortigate has 2 NIC:
192.168.10.5 (external one)
192.168.30.0 (internal)
In VPC has 2 route tables:
Public and internal
Public route table:
destination:0.0.0.0
target: internet gateway
included subnet:192.168.10.0
Behind FortiGate firewall I have windows instance in 192.168.30.0/24 subnet
Private route table:
destination:0.0.0.0
target: "internal" FortiGate firewall interface
included subnet:192.168.30.0
For all devices on "internal" network default route will be the internal interface of Fortigate FW
Source/destination check disabled on an internal FortiGate interface
I created proxy policy and proxy rule, specified FortiGate internal IP address as a proxy in the browser. I can browse the internet from windows instance, unable to ping 8.8.8.8
I created IPV4 rule to allow all traffic from LAN (192.168.30.0) to any address
static route:
Problem:
If I remove proxy policy and proxy address from the browser I can't search the internet, unable to ping 8.8.8.8
I CAN ping FortiGate internal and external interfaces
but traffic won't pass outside windows machine (192.168.30.49)
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
0 WIN-0675NFPK57B.eu-west-1.compute.internal [192.168.30.49]
1 * * *
Computing statistics for 0 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 WIN-0675NFPK57B.eu-west-1.compute.internal [192.168.30.49]
PS C:\Users\Administrator> route print
===========================================================================
Interface List
12...06 db ec 01 23 08 ......AWS PV Network Device #0
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.30.1 192.168.30.49 10
192.168.30.1 is AWS gateway
Best Answer
It was metric !, was same for fortigate and windows (10) as you can see from picture above, just reduced default metric in fortigate for static route and all started working