Deploying from BYOL AMI
You can deploy FortiGate outside the marketplace launcher by installing it manually from the AMI, for example if your organization does not allow access to the AWS marketplace website. AMIs are publicly available in various regions for the versions already listed in the marketplace.
This deployment works only with AMIs for BYOL licensing. Deploying from an AMI designed for on-demand licensing is not supported.
If you want to install the latest FortiGate version immediately after Fortinet releases it, but it is not yet published in the marketplace or as a publicly available AMI in the AWS portal, deploy an older FortiGate version that is available there, then upgrade using the ".out" upgrade files, which are available at Customer Service & Support.
- Log into the AWS EC2 console and navigate to AMIs. Select the appropriate region.
- Find the desired public AMI from the list of AMI IDs corresponding to your region.
- Select the AMI and click Launch.
- Choose a supported instance.
- Click Next: Configure Instance Details.
- In the Network field, select the VPC that you created.
- In the Subnet field, select the public subnet.
- In the Network interfaces section, you see the entry for eth0 that was created for the public subnet. Select Add Device to add another network interface (in this example, eth1), and select the private subnet. It is recommended that you assign static IP addresses.
- When you have two network interfaces, a global IP address isn’t assigned automatically. You must manually assign a global IP address later. Select Review and Launch, then select Launch.
- Click Next: Add Storage.
- In Step 4: Add Storage, you can leave the fields as-is, or change the size of /dev/sdb as desired. The second volume is used for logging.
- Click Next: Add Tags. You can add tags for convenient management.
- Click Next: Configure Security Groups. Here it is important to allow some incoming ports. Allow TCP port 8443 for management from the GUI. You can also allow TCP port 22 for SSH login. Allow other ports where necessary as noted below. The use of ports is explained in the FortiOS Handbook.
Incoming TCP ports allowed
Management using the GUI
Management by FortiManager located outside AWS
Fortinet Single Sign On
You can change the source address later.
- Click Review and Launch. If everything looks correct, click Launch.
- Select the appropriate key pair, then click Launch Instance. It may take 15 to 30 minutes to deploy the instance. To access the FortiGate and complete post-install setup, see Connecting to the FortiGate.
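The security group step above opens TCP 8443 and 22 and notes that the source address can be changed later. The following added example (not part of the Fortinet documentation) checks security group rules, in the JSON shape printed by `aws ec2 describe-security-groups`, for those two management ports still being reachable from any address. The group ID `sg-EXAMPLE`, the sample rules, and the function names are constructed for illustration.

```python
import ipaddress
import json

MGMT_PORTS = {8443: "GUI management", 22: "SSH login"}  # ports this page opens

# Constructed sample in the shape printed by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
]}]}
""")


def covers(perm, port):
    """True if the rule applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sources(perm):
    """All IPv4 and IPv6 source CIDRs of one rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    return cidrs + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def world_open_mgmt(doc):
    """Return (group id, port, cidr) for management ports open to any address."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for cidr in sources(perm):
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue  # source is already restricted
                findings += [(sg["GroupId"], p, cidr)
                             for p in sorted(MGMT_PORTS) if covers(perm, p)]
    return findings


if __name__ == "__main__":
    for group, port, cidr in world_open_mgmt(SAMPLE):
        print(f"{group}: TCP {port} ({MGMT_PORTS[port]}) open to {cidr}")
```

The all-protocols rule (`"IpProtocol": "-1"`) carries no port fields, so it is reported for both management ports even though neither port number appears in it.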