Fortinet black logo

Administration Guide

Home FortiPAM 1.2.0 Administration Guide
1.2.0
1.3.0
1.2.0
1.1.2
1.1.1
1.1.0
1.0.3
1.0.2
1.0.1
1.0.0

Appendix J: Installation on AWS

Appendix J: Installation on AWS

FortiPAM installation on AWS and initial setup:

  1. Converting qcow2 to a RAW format for AWS import-image tool
  2. Creating an S3 bucket on AWS
  3. Uploading RAW file to the AWS S3 bucket
  4. Creating a snapshot from the RAW file in the AWS S3 bucket
  5. Creating AMI from the snapshot
  6. Configuring a security group
  7. Launching the FortiPAM instance from AMI
  8. Initial configuration
  9. Licensing

Converting qcow2 to a RAW format for AWS import-image tool

To convert qcow2 to a RAW format for AWS import-image tool:
  1. Unzip the FPA_KVM_AWS-v100-buildxxxx-FORTINET.out.kvm.zip file and locate the fortipam.qcow2 file.
  2. On a Linux machine, install qemu-utils package to get the qemu-img tool: 
     $ sudo apt-get install qemu-utils
  3. Use qemu-img to convert the image into RAW format: 
     $ qemu-img convert fortipam.qcow2 fortipam.raw

Creating an S3 bucket on AWS

To create an S3 bucket on AWS:
  1. Select Services and from the list on the left, go to Storage > S3.
  2. Select Create bucket.

    The Create bucket page opens.

  3. In the General configurations pane, enter the following information:

    Bucket name

    The name of the bucket.

    AWS Region

    From the dropdown, select a region where the bucket is stored.

  4. Leave all other settings on default.
  5. Click Create bucket.

Uploading RAW file to the AWS S3 bucket

To upload RAW file to the AWS S3 bucket:
  1. Using the following command, install the AWS CLI : 
     $ sudo pip install awscli --ignore-installed six
  2. Using the following command, add your AWS credential to ~/.aws/config: 
     aws_access_key_id=AKIA4I34XXXXXXXX
 aws_secret_access_key=ACR8XXXXXXXXXXXXXXXXXXXXX
 region = us-west-1

    Note: Access key can be created from Security credentials in your IAM Account.

  3. Using the following command, copy the RAW image to the S3 bucket: 
     $ aws s3 cp fortipam.raw s3://fortipam-doc #fortipam-doc is the S3 bucket created earlier

Creating a snapshot from the RAW file in the AWS S3 bucket

To create a snapshot from the RAW file in the AWS S3 bucket:
  1. Create the vmimport role:
    1. Create a JSON file trust-policy.json with the following content: 
      $ vim trust-policy.json
{				
 "Version": "2012-10-17", 
 "Statement": [
  {
   "Effect": "Allow",
   "Principal":{"Service":"vmie.amazonaws.com" },
   "Action": "sts:AssumeRole",
   "Condition": {
    "StringEquals":{
      "sts:Externalid": "vmimport"
    }
   }
  }
 ]
}
    2. Using the following AWS CLI command, create the vmimport role: 
      $ aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
  2. Assign a policy for the S3 bucket:
    1. Create a JSON file role-policy.json with the following content:
      $ vim role-policy.json
{
  "Version":"2012-10-17",
  "Statement":[
    {
     "Effect": "Allow",
     "Action": [
       "s3:GetBucketLocation",
       "s3:GetObject",
       "s3:ListBucket"
     ],
     "Resource": [
       "arn:aws:s3:::disk-image-file-bucket",
       "arn:aws:s3:::disk-image-file-bucket/*"
     ]
    },
    {
     "Effect": "Allow",
     "Action": [
       "s3:GetBucketLocation",
       "s3:GetObject",
       "s3:ListBucket",
       "s3:PutObject",
       "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::fortipam-doc",
        "arn:aws:s3:::fortipam-doc/*"
      ]
     },
     {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
        ],
        "Resource": "*"
      }
     ]
    }
    2. Using the following AWS CLI command, assign a policy for the S3 bucket: 
      $ aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
  3. Create a JSON file container.json with the following content: 
    $ vim container.json 
{
  "Description": "fortipam image",
  "Format": "raw",
  "UserBucket": {
    "S3Bucket": "fortipam-doc",
    "S3Key": "fortipam.raw"
   }
 }
  4. Using the following AWS CLI command, import the FortiPAM image: 
     $ aws ec2 import-snapshot --description "fortipam" --disk-container file://container.json
 {
  "Description": "fortipam",
  "ImportTaskId": "import-snap-0b087779796478a51",
  "SnapshotTaskDetail": {
    "Description": "fortipam",
    "DiskImageSize": 0.0,
    "Progress": "0",
    "Status": "active",
    "StatusMessage": "pending",
    "UserBucket": {
      "S3Bucket": "fortipam-doc",
      "S3Key": "fortipam.raw"
    }
   },
   "Tags": []
  }

    Importing the image may take some time. You can use the following AWS CLI command to monitor the progress of import:

    $ aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-0b087779796478a51
{
 "ImportSnapshotTasks": [
   {
    "Description": "fortipam",
    "ImportTaskId": "import-snap-0b087779796478a51",
    "SnapshotTaskDetail": {
      "Description": "fortipam",
      "DiskImageSize": 2147483648.0,
      "Format": "RAW",
      "SnapshotId": "snap-0bda3d6b6d21f122c",
      "Status": "completed",
      "UserBucket": {
        "S3Bucket": "fortipam-doc",
        "S3Key": "fortipam.raw"
      }
    },
     "Tags": []
    }
   ]
  }

Creating AMI from the snapshot

To create AMI from snapshot:
  1. In the AWS console, from the Services menu, go to Compute > EC2.

  2. From the menu, go to Elastic Block Store > Snapshots and look for the snapshot ID.

    Alternatively, the describe-import-snapshot-tasks command used to Monitor the progress of FortiPAM image import can be used find the snapshot ID.

  3. Using the following AWS CLI command, create a FortiPAM image: 
    $ aws ec2 register-image \
  --region us-west-1 \
  --name fortipam-uefi-tpm \
  --boot-mode uefi \
  --architecture x86_64 \
  --root-device-name /dev/sda1 \
  --block-device-mappings DeviceName=/dev/sda1,Ebs={SnapshotId= snap-0bda3d6b6d21f122c} \
  --tpm-support v2.0 \
  --ena-support

Configuring a security group

To configure a security group
  1. In the AWS console, search VPC and select VPC from the search result.

    The VPC dashboard opens.

  2. In the VPC dashboard, select Security Groups.

    The Security Groups window opens.

  3. In the Security Groups window, select Create security group.

    The Create security group page opens.

  4. In the Basic details pane, enter the following information:

    Security group name

    The name of the security group.

    Note: The name of the group cannot be changed after creation.

    Description

    The description for the security group.

    VPC

    Search and select the VPC in which to create the security group.

  5. In the Inbound rules pane, add the following inbound rules:

  6. Use the default outbound rule that allows all the traffic.
  7. Click Create security group.

Launching the FortiPAM instance from AMI

To launch the FortiPAM instance:
  1. In the AWS console, from the Services menu, go to Compute > EC2.

    The EC2 Dashboard opens.

  2. Go to Images > AMIs and select Launch instance from AMI.

    The Launch an instance page opens.

  3. In the Name and tags pane, enter the name for the instance.
  4. Ensure that the correct AMI is selected in the Application and OS Images (Amazon Machine Image) pane.

  5. In the Instance type pane, select m5.xlarge.

    You must choose an instance type that supports EC2 Serial Console.

  6. In the Key pair (login) pane, from the dropdown, select Proceed without a key pair (Not recommended).
  7. In the Network settings pane:
    1. In Firewall (security groups), select Select existing security group.
    2. From the Common security groups dropdown, select the security group created in Configuring a security group.
    3. Optionally, click Edit in Network settings to add more interfaces and choose a subnet.
  8. In Configure storage pane:
    1. In the field for root volume, enter 2 (in GB).
    2. Select Add new volume, and in the field, enter 300 (in GB) to add a new volume for the log.
    3. Select Add new volume and in the field enter 1024 (in GB) to add a new volume for video.
  9. Click Launch instance.

Initial configuration

  1. In the AWS console, search VPC and select VPC from the search result.

    The VPC dashboard opens.

  2. In Virtual private cloud on the left, select Elastic IPs.

    The Elastic IP addresses window opens.

  3. In the Elastic IP addresses window, click Allocate to create a new public IP address.
  4. Select an IP address from the elastic IP addresses list, and from the Actions dropdown, select Associate Elastic IP address.

    The Associate Elastic IP address page opens.

  5. In Resource type, select Network interface.
  6. In the Network interface dropdown, select a network interface.
  7. In the Private IP address dropdown, select a private IP address.

  8. Click Associate.
  9. In the AWS console, from the Services menu, go to Compute > EC2.
  10. In the EC2 Dashboard, go to Instances > Instances, select the FortiPAM instance from the list, and then select Connect.
  11. From the EC2 serial console tab, click Connect.

  12. Log in as the administrator with the AWS instance ID password.
  13. FortiPAM asks you to change your password. Enter a new password. Enter the password again to confirm.

  14. Use the following FortiPAM CLI commands to configure the port1, change mode from DHCP to static and set the IP address to the same as the private IP address in steps 4 to 8:

    You can skip this step if FortiPAM is in standalone mode.

     config system interface
  edit "port1"
   set mode static #by default, set as dhcp
   set ip 172.31.100.15/24 #set to the private IP address assigned by AWS in step 7
  next
 end

    The IP address set here is automatically copied to VIP.

  15. Use the following FortiPAM CLI commands to configure a static route if the interface is configured as static mode: 
    config router static
 edit 1
  set gateway 172.31.100.1
  set device port1
 next
end
  16. Optionally, use the following command to verify that you can access the public network: 
     execute ping update.fortiguard.net

    You should receive an echo reply packet similar to the following:

Licensing

To successfully license FortiPAM:
  1. Download the license file (.lic), see Registering and downloading your license.
  2. Upload the license file from the public IP address using SCP, see Uploading the license file using SCP.
  3. After the boot up, the license status changes to valid.

    You can check the license status using the following CLI command:

     get system status

  4. Optional- Customize VIP if default VIP is not preferred: 
     config firewall vip
  edit "fortipam_vip"
   set extip 172.31.100.15 #external visible virtual IP address
  next
 end
  5. You can now use your FortiPAM-VM deployed on AWS.

    On a web browser, go to https://<Public IP> to access the FortiPAM-VM GUI. This is the same IP address set up in step 4 above.

Previous
Next

Appendix J: Installation on AWS

FortiPAM installation on AWS and initial setup:

  1. Converting qcow2 to a RAW format for AWS import-image tool
  2. Creating an S3 bucket on AWS
  3. Uploading RAW file to the AWS S3 bucket
  4. Creating a snapshot from the RAW file in the AWS S3 bucket
  5. Creating AMI from the snapshot
  6. Configuring a security group
  7. Launching the FortiPAM instance from AMI
  8. Initial configuration
  9. Licensing

Converting qcow2 to a RAW format for AWS import-image tool

To convert qcow2 to a RAW format for AWS import-image tool:
  1. Unzip the FPA_KVM_AWS-v100-buildxxxx-FORTINET.out.kvm.zip file and locate the fortipam.qcow2 file.
  2. On a Linux machine, install qemu-utils package to get the qemu-img tool: 
     $ sudo apt-get install qemu-utils
  3. Use qemu-img to convert the image into RAW format: 
     $ qemu-img convert fortipam.qcow2 fortipam.raw

Creating an S3 bucket on AWS

To create an S3 bucket on AWS:
  1. Select Services and from the list on the left, go to Storage > S3.
  2. Select Create bucket.

    The Create bucket page opens.

  3. In the General configurations pane, enter the following information:

    Bucket name

    The name of the bucket.

    AWS Region

    From the dropdown, select a region where the bucket is stored.

  4. Leave all other settings on default.
  5. Click Create bucket.

Uploading RAW file to the AWS S3 bucket

To upload RAW file to the AWS S3 bucket:
  1. Using the following command, install the AWS CLI : 
     $ sudo pip install awscli --ignore-installed six
  2. Using the following command, add your AWS credential to ~/.aws/config: 
     aws_access_key_id=AKIA4I34XXXXXXXX
 aws_secret_access_key=ACR8XXXXXXXXXXXXXXXXXXXXX
 region = us-west-1

    Note: Access key can be created from Security credentials in your IAM Account.

  3. Using the following command, copy the RAW image to the S3 bucket: 
     $ aws s3 cp fortipam.raw s3://fortipam-doc #fortipam-doc is the S3 bucket created earlier

Creating a snapshot from the RAW file in the AWS S3 bucket

To create a snapshot from the RAW file in the AWS S3 bucket:
  1. Create the vmimport role:
    1. Create a JSON file trust-policy.json with the following content: 
      $ vim trust-policy.json
{				
 "Version": "2012-10-17", 
 "Statement": [
  {
   "Effect": "Allow",
   "Principal":{"Service":"vmie.amazonaws.com" },
   "Action": "sts:AssumeRole",
   "Condition": {
    "StringEquals":{
      "sts:Externalid": "vmimport"
    }
   }
  }
 ]
}
    2. Using the following AWS CLI command, create the vmimport role: 
      $ aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
  2. Assign a policy for the S3 bucket:
    1. Create a JSON file role-policy.json with the following content:
      $ vim role-policy.json
{
  "Version":"2012-10-17",
  "Statement":[
    {
     "Effect": "Allow",
     "Action": [
       "s3:GetBucketLocation",
       "s3:GetObject",
       "s3:ListBucket"
     ],
     "Resource": [
       "arn:aws:s3:::disk-image-file-bucket",
       "arn:aws:s3:::disk-image-file-bucket/*"
     ]
    },
    {
     "Effect": "Allow",
     "Action": [
       "s3:GetBucketLocation",
       "s3:GetObject",
       "s3:ListBucket",
       "s3:PutObject",
       "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::fortipam-doc",
        "arn:aws:s3:::fortipam-doc/*"
      ]
     },
     {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
        ],
        "Resource": "*"
      }
     ]
    }
    2. Using the following AWS CLI command, assign a policy for the S3 bucket: 
      $ aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
  3. Create a JSON file container.json with the following content: 
    $ vim container.json 
{
  "Description": "fortipam image",
  "Format": "raw",
  "UserBucket": {
    "S3Bucket": "fortipam-doc",
    "S3Key": "fortipam.raw"
   }
 }
  4. Using the following AWS CLI command, import the FortiPAM image: 
     $ aws ec2 import-snapshot --description "fortipam" --disk-container file://container.json
 {
  "Description": "fortipam",
  "ImportTaskId": "import-snap-0b087779796478a51",
  "SnapshotTaskDetail": {
    "Description": "fortipam",
    "DiskImageSize": 0.0,
    "Progress": "0",
    "Status": "active",
    "StatusMessage": "pending",
    "UserBucket": {
      "S3Bucket": "fortipam-doc",
      "S3Key": "fortipam.raw"
    }
   },
   "Tags": []
  }

    Importing the image may take some time. You can use the following AWS CLI command to monitor the progress of import:

    $ aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-0b087779796478a51
{
 "ImportSnapshotTasks": [
   {
    "Description": "fortipam",
    "ImportTaskId": "import-snap-0b087779796478a51",
    "SnapshotTaskDetail": {
      "Description": "fortipam",
      "DiskImageSize": 2147483648.0,
      "Format": "RAW",
      "SnapshotId": "snap-0bda3d6b6d21f122c",
      "Status": "completed",
      "UserBucket": {
        "S3Bucket": "fortipam-doc",
        "S3Key": "fortipam.raw"
      }
    },
     "Tags": []
    }
   ]
  }

Creating AMI from the snapshot

To create AMI from snapshot:
  1. In the AWS console, from the Services menu, go to Compute > EC2.

  2. From the menu, go to Elastic Block Store > Snapshots and look for the snapshot ID.

    Alternatively, the describe-import-snapshot-tasks command used to Monitor the progress of FortiPAM image import can be used find the snapshot ID.

  3. Using the following AWS CLI command, create a FortiPAM image: 
    $ aws ec2 register-image \
  --region us-west-1 \
  --name fortipam-uefi-tpm \
  --boot-mode uefi \
  --architecture x86_64 \
  --root-device-name /dev/sda1 \
  --block-device-mappings DeviceName=/dev/sda1,Ebs={SnapshotId= snap-0bda3d6b6d21f122c} \
  --tpm-support v2.0 \
  --ena-support

Configuring a security group

To configure a security group
  1. In the AWS console, search VPC and select VPC from the search result.

    The VPC dashboard opens.

  2. In the VPC dashboard, select Security Groups.

    The Security Groups window opens.

  3. In the Security Groups window, select Create security group.

    The Create security group page opens.

  4. In the Basic details pane, enter the following information:

    Security group name

    The name of the security group.

    Note: The name of the group cannot be changed after creation.

    Description

    The description for the security group.

    VPC

    Search and select the VPC in which to create the security group.

  5. In the Inbound rules pane, add the following inbound rules:

  6. Use the default outbound rule that allows all the traffic.
  7. Click Create security group.

Launching the FortiPAM instance from AMI

To launch the FortiPAM instance:
  1. In the AWS console, from the Services menu, go to Compute > EC2.

    The EC2 Dashboard opens.

  2. Go to Images > AMIs and select Launch instance from AMI.

    The Launch an instance page opens.

  3. In the Name and tags pane, enter the name for the instance.
  4. Ensure that the correct AMI is selected in the Application and OS Images (Amazon Machine Image) pane.

  5. In the Instance type pane, select m5.xlarge.

    You must choose an instance type that supports EC2 Serial Console.

  6. In the Key pair (login) pane, from the dropdown, select Proceed without a key pair (Not recommended).
  7. In the Network settings pane:
    1. In Firewall (security groups), select Select existing security group.
    2. From the Common security groups dropdown, select the security group created in Configuring a security group.
    3. Optionally, click Edit in Network settings to add more interfaces and choose a subnet.
  8. In Configure storage pane:
    1. In the field for root volume, enter 2 (in GB).
    2. Select Add new volume, and in the field, enter 300 (in GB) to add a new volume for the log.
    3. Select Add new volume and in the field enter 1024 (in GB) to add a new volume for video.
  9. Click Launch instance.

Initial configuration

  1. In the AWS console, search VPC and select VPC from the search result.

    The VPC dashboard opens.

  2. In Virtual private cloud on the left, select Elastic IPs.

    The Elastic IP addresses window opens.

  3. In the Elastic IP addresses window, click Allocate to create a new public IP address.
  4. Select an IP address from the elastic IP addresses list, and from the Actions dropdown, select Associate Elastic IP address.

    The Associate Elastic IP address page opens.

  5. In Resource type, select Network interface.
  6. In the Network interface dropdown, select a network interface.
  7. In the Private IP address dropdown, select a private IP address.

  8. Click Associate.
  9. In the AWS console, from the Services menu, go to Compute > EC2.
  10. In the EC2 Dashboard, go to Instances > Instances, select the FortiPAM instance from the list, and then select Connect.
  11. From the EC2 serial console tab, click Connect.

  12. Log in as the administrator with the AWS instance ID password.
  13. FortiPAM asks you to change your password. Enter a new password. Enter the password again to confirm.

  14. Use the following FortiPAM CLI commands to configure the port1, change mode from DHCP to static and set the IP address to the same as the private IP address in steps 4 to 8:

    You can skip this step if FortiPAM is in standalone mode.

     config system interface
  edit "port1"
   set mode static #by default, set as dhcp
   set ip 172.31.100.15/24 #set to the private IP address assigned by AWS in step 7
  next
 end

    The IP address set here is automatically copied to VIP.

  15. Use the following FortiPAM CLI commands to configure a static route if the interface is configured as static mode: 
    config router static
 edit 1
  set gateway 172.31.100.1
  set device port1
 next
end
  16. Optionally, use the following command to verify that you can access the public network: 
     execute ping update.fortiguard.net

    You should receive an echo reply packet similar to the following:

Licensing

To successfully license FortiPAM:
  1. Download the license file (.lic), see Registering and downloading your license.
  2. Upload the license file from the public IP address using SCP, see Uploading the license file using SCP.
  3. After the boot up, the license status changes to valid.

    You can check the license status using the following CLI command:

     get system status

  4. Optional- Customize VIP if default VIP is not preferred: 
     config firewall vip
  edit "fortipam_vip"
   set extip 172.31.100.15 #external visible virtual IP address
  next
 end
  5. You can now use your FortiPAM-VM deployed on AWS.

    On a web browser, go to https://<Public IP> to access the FortiPAM-VM GUI. This is the same IP address set up in step 4 above.

Previous
Next