This recipe is part of the process of deploying FortiGate for AWS. See below for the rest of the recipes in this process:
- Determine your licensing model
- Register and download your licenses
- Create a VPC and subnets
- Attach the new VPC to the Internet gateway
- Subscribe to the FortiGate
- Create a routing table and associate subnets
- Connect to the FortiGate
- [Use case] Set up a Windows Server in the protected network
- [Connectivity test] Configure FortiGate firewall policies and virtual IPs
This section consists of two connectivity tests:
- Testing incoming access to the Windows server by configuring port forwarding (a static NAT virtual IP on the FortiGate) for Remote Desktop login
- Testing outgoing access from the Windows server to a sample malware test page, to confirm the outgoing policy inspects traffic
- In the FortiGate-VM console, select Policy & Objects > IPv4 Policy and create two new policies, as shown in this example. The first policy allows outgoing traffic from the private subnet, through the public subnet, to the Internet; enable NAT on it so that traffic leaves with the address of the FortiGate's public-subnet interface. The second policy allows incoming traffic from the Internet, through the public subnet, to the private subnet.
- Select Policy & Objects > Virtual IPs and create a new virtual IP, as shown in the example, mapping the address of the FortiGate's public-subnet interface to the private address of the Windows server. This is a static NAT configuration; with port forwarding enabled, only the RDP port is forwarded rather than every port.
- Edit the second (incoming) policy. In the Destination field, select the virtual IP that you created, so that the policy matches traffic arriving at the virtual IP and forwards it to the Windows server.
- In the EC2 Management Console, add an inbound rule to the FortiGate's security group that allows RDP (in this example, TCP port 3389). If you don't do this, you won't be able to connect to the Windows server through the FortiGate with RDP. Restrict the rule's source to the public address you will connect from rather than 0.0.0.0/0: the security group is the first control in front of the FortiGate's public interface, and RDP should not be reachable from the whole Internet.
- In your Windows Remote Desktop client, specify the public DNS hostname (or Elastic IP) of the FortiGate and log in with the Windows server's credentials. The virtual IP forwards the connection, so this logs you in to the Windows server through the FortiGate.
- Now outgoing access can be tested. In the Remote Desktop session on the Windows server, open a web browser and navigate to https://metal.fortiguard.com/tests.
- Scroll down and select a test virus file listed as infected.
- The browser should display a FortiGate block page, because the Windows server's Internet access now passes through the FortiGate's outgoing policy. If the file downloads instead, check that the outgoing policy has an AntiVirus profile applied and, for HTTPS downloads, an SSL inspection profile that can inspect the content.
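The FortiOS CLI equivalent of the virtual IP and the two policies above, added here as a worked example; it is not taken from the cookbook, whose screenshots are not reproduced on this page. It assumes that port1 is the FortiGate interface in the public subnet with address 10.0.0.10, that port2 is the interface in the private subnet, that the Windows server is 10.0.1.10, and that the administrator connects from 203.0.113.5. The object names, addresses and profile choices are assumptions for illustration.

```fortios
# Added example: FortiOS CLI for the connectivity-test configuration.
# Assumptions (not from the recipe): port1 = public subnet, 10.0.0.10;
# port2 = private subnet; Windows server = 10.0.1.10; admin source = 203.0.113.5.

# Address object for the administrator's public IP, so the inbound RDP policy
# is not open to the whole Internet.
config firewall address
    edit "admin-public-ip"
        set subnet 203.0.113.5 255.255.255.255
    next
end

# Static NAT virtual IP with port forwarding: traffic arriving on port1 for
# 10.0.0.10:3389 is destination-NATed to the Windows server's port 3389.
# extip is port1's private address, because AWS maps the Elastic IP to it
# before the packet reaches the FortiGate.
config firewall vip
    edit "vip-rdp-winserver"
        set extintf "port1"
        set extip 10.0.0.10
        set mappedip "10.0.1.10"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

config firewall policy
    # Policy 1: private subnet -> Internet, source-NATed to port1's address,
    # with antivirus inspection so the FortiGuard test file is blocked.
    edit 1
        set name "outbound-private-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    # Policy 2: Internet -> Windows server via the virtual IP, RDP only,
    # limited to the administrator's source address.
    edit 2
        set name "inbound-rdp-to-winserver"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "admin-public-ip"
        set dstaddr "vip-rdp-winserver"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
```

Two points worth checking against your own deployment: the virtual IP's external address must be the private address of the FortiGate's public-subnet interface, not the Elastic IP, because AWS translates the Elastic IP before the FortiGate sees the packet. And with the certificate-inspection profile the antivirus profile can scan only cleartext HTTP; to have it scan the HTTPS test downloads, switch the outbound policy to the deep-inspection profile and install the FortiGate's CA certificate on the Windows server so the browser trusts the re-signed certificates.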
The post (Connectivity test) Configure FortiGate firewall policies and virtual IPs appeared first on Fortinet Cookbook.