diff --git a/FortiGate/GWLB/6.4/readme.md b/FortiGate/GWLB/6.4/readme.md index 90ec54b..059558d 100644 --- a/FortiGate/GWLB/6.4/readme.md +++ b/FortiGate/GWLB/6.4/readme.md 
@@ -62,7 +62,7 @@ TGW will route the packets to their final destination in the destination VPC as ![E-W traffic direction](images/EW-direction.png) ### South->North traffic -When a VPC needs to communicate with another VPC, the packets are initiated from the client to its gateway. The local routing table fo the local VPC subnet will route the packets to the TGW via its attachement (depicted in orange as **step1**). As the subnet is associated to the orange routing table, the destination of the packets is checked against that routing table and the packets are forwarded to the security VPC via the referenced attachement link in red. +When a VPC needs to communicate with internet, the packets are initiated from the client to its gateway. The local routing table fo the local VPC subnet will route the packets to the TGW via its attachement (depicted in orange as **step1**). As the subnet is associated to the orange routing table, the destination of the packets is checked against that routing table and the packets are forwarded to the security VPC via the referenced attachement link in red. As **step2**, the packets are now forwarded to the security VPC either via zoneA or zoneB attached subnets. TGW is configured in appliance mode (i.e stateful mode) and will always route packets to the same zone for one established session. Both relay subnets are associated to a local routing table forwarding all packets to the GWLB endpoint interface located in the same local zone. This is **step3**. The packets entering the endpoint are automatically forwarded to the local GWLB component responsible for establishing a tunnel to the local Fortigate device located in the zone. This is **step4**. As **step5**, the local Fortigate device is now receiving the packets on its unique geneve tunnel interface and processes them using all its security filters and modules (AV, IPS, AS, DLP, WAF, ... ). 
If no Fortigate device is available in that zone, GWLB component is configured to forward traffic to another zone where another Fortigate device will be present. After cleaning, the solution uses its local routing table (pointing to the public subnet via port1) to send packet to public subnet's local router. The public subnet is configured with a default route pointing to the local IGW of the security VPC and routes packets to it as **step6**.
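Review bot: the rewritten `+` line under "South->North traffic" fixes the wrong direction ("another VPC" -> "internet") but carries over the typos "fo the local VPC subnet" and "attachement" (twice); since this line is already being touched, correct them to "of the local VPC subnet" and "attachment" in the same commit. Two points in the unchanged context would also be worth tightening while here: "TGW is configured in appliance mode (i.e stateful mode)" conflates the two. Appliance mode does not make the Transit Gateway stateful, it pins both directions of a flow to the same availability zone so the same zone's FortiGate sees them, which is exactly what the next clause ("will always route packets to the same zone for one established session") describes; suggest "appliance mode (so both directions of a flow stay in the same zone)". And "the destination of the packets is checked against that routing table" reads as if the orange table were the VPC subnet route table; it is the TGW route table the attachment is associated with, so saying "the TGW route table associated with that attachment" would remove the ambiguity. Minor: "geneve tunnel interface" should be "Geneve tunnel interface", and "After cleaning, the solution uses its local routing table" would be clearer as "After inspection, the FortiGate uses its routing table".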