Administration Guide

Appendix B - Using AWS Firewall Manager

You can use the AWS Firewall Manager to create and deploy FortiGate CNF instances.

Note

Policies and policy sets must first be created in the FortiGate CNF console before they can be used in AWS Firewall Manager.

See Configuration.

To use AWS Firewall Manager with FortiGate CNF:
  1. Go to the AWS console for the appropriate AWS account.

  2. Search for AWS Firewall Manager service.

  3. In the Third party firewall association status section, ensure that FortiGate Cloud Native Firewall as a Service is listed with a Status of Associated. If Status is Disassociated, select the service and click Associate.

  4. In the left menu, click Security Policies, then click Create Policy and follow the on-screen wizard:

    1. Under Third-party services, select FortiGate Cloud Native Firewall as a Service.

    2. In Firewall management type, select one of Distributed or Centralized.

    3. Select a region.

  5. Enter a policy name.

  6. In the FortiGate Cloud Native Firewall as a Service policy configuration section, select the appropriate policy set then click Next.

    To configure a policy, select the policy and click Configure policy to open the policy in the FortiGate CNF console.

    To update the list of policy sets, click the refresh button.

  7. Select the availability zones (AZs) where your traffic will be routed. AWS creates a subnet in each selected AZ and adds a Gateway Load Balancer endpoint (GWLBe) in that subnet.

    Note

    This process adds a GWLBe in this AWS account, but any required routes must be configured manually to route traffic to this endpoint.

  8. In Define policy scope, select the appropriate scope for this policy. If you select Include all accounts, download and run the CloudFormation template found in the lower section in each member account. For Resource type, enable or disable VPC and include or exclude VPCs by tag.

  9. Optionally, add tags to the policy.

  10. Review the policy configuration, then click Create policy.

    You are redirected to the policy list page, and AWS calls FortiGate CNF APIs to create the resources, such as the FortiGate CNF instance, the gateway load balancer, and the GWLBe. This process can take 10–15 minutes.

    Click the policy link to view the details.

    In the Accounts within policy scope section, click on a specific AWS account to view the resources being created.

    Caution

    While these resources are being created, the Violation reason column displays the error message: "the FortigateCNF is not previsioned correctly". This message indicates the resource is not ready yet and is not an actual error.
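The following is an added example (not from this guide or from Fortinet) of how an operator can poll policy compliance from the CLI instead of the console and separate the transient provisioning message above from real violations. It assumes the console's Violation reason text is returned in the `ViolationReason` field of the `fms:GetComplianceDetail` API; the sample violator records are constructed.

```python
"""Poll AWS Firewall Manager compliance for a FortiGate CNF policy and
separate the transient provisioning message from genuine violations.
Assumption: the console's "Violation reason" text is present in the
ViolationReason field of fms:GetComplianceDetail."""
import re
import time

# Transient message the guide says appears while resources are still
# being created. Matched loosely to tolerate casing and either spelling
# of "provisioned" that the console might use.
PROVISIONING_MSG = re.compile(
    r"fortigate ?cnf is not pr[eo]visioned correctly", re.I)


def classify_violators(violators):
    """Split a GetComplianceDetail 'Violators' list into (pending, failing).
    pending = resources still provisioning (not an error per the guide),
    failing = violations that need an operator to look at them."""
    pending, failing = [], []
    for v in violators:
        reason = v.get("ViolationReason", "")
        target = pending if PROVISIONING_MSG.search(reason) else failing
        target.append((v.get("ResourceId"), reason))
    return pending, failing


def fetch_violators(policy_id, member_account):
    """Live lookup via boto3; the import is deferred so the pure helpers
    above run offline. Needs fms:GetComplianceDetail permission."""
    import boto3
    fms = boto3.client("fms")
    detail = fms.get_compliance_detail(
        PolicyId=policy_id, MemberAccount=member_account)
    return detail["PolicyComplianceDetail"].get("Violators", [])


def wait_for_provisioning(fetch, timeout=15 * 60, interval=60,
                          sleep=time.sleep):
    """Call fetch() until no violator is still provisioning or the
    timeout (default: the guide's 15 minute upper bound) expires.
    Returns (settled, pending, failing); settled is False on timeout."""
    deadline = time.monotonic() + timeout
    while True:
        pending, failing = classify_violators(fetch())
        if not pending:
            return True, pending, failing
        if time.monotonic() >= deadline:
            return False, pending, failing
        sleep(interval)
```

A real run would pass `lambda: fetch_violators("<policy-id>", "<member-account-id>")` as `fetch`; anything left in `failing` after `settled` is True is a genuine compliance problem rather than the provisioning wait.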
