Fortinet Document Library

Version: 6.0.0
Deployment

Before attempting to create a stack with the templates, check the following prerequisites to ensure successful deployment:

  • An AWS Marketplace AMI subscription must be active for the FortiGate license type (BYOL or on-demand) used by the template; the stack fails to launch instances otherwise.
  • The solution allocates three EIPs (one cluster EIP that follows the primary unit, plus one HAmgmt EIP per FortiGate), so ensure the AWS region being used has EIP capacity available. For information on EC2 resource limits and how to request increases, see AWS documentation.
  • If BYOL licensing is to be used, ensure these licenses have been registered on the support site. Reference the VM license registration process PDF in this KB article.

Once the prerequisites have been satisfied, download a local copy of the relevant template for your deployment and log into your account in the AWS console.

  1. On the AWS services page, go to All Services > Management Tools > CloudFormation.
  2. Click Create new stack.
    1. Under Select Template > Choose a Template, select Upload a template to Amazon S3 and browse to your local copy of the chosen deployment template. In this example, we are using the FGT_AP_HA_NewVPYC_BYOL.template.json template.

    2. Under Specify Details, you are prompted for a stack name and parameters for the deployment. In this example, we are using the default values for Parameters > VPC Configuration.

    3. Under FortiGate Instance Configuration, we have selected an AZ and key pair to use for the FortiGates and BYOL licensing. Since we are using a BYOL template, we are prompted for the FortiGate1LicenseFile and FortiGate2LicenseFile.

    4. Under Interface IP Configuration for FortiGate 1 and for FortiGate 2, we use the defaults for this example. These IP addresses will be the primary IP addresses assigned to the FortiGate ENIs, and the HAsync/HAmgmt IPs will be the static IP addresses used in the FortiOS configuration for both FortiGates.

    5. Under Interface IP Configuration for the Cluster, we use the defaults for this example. These IP addresses will be the secondary IP addresses assigned to the ENIs of whichever FortiGate is primary, and are used in the FortiOS configuration of both FortiGates once the cluster has synchronized.

    6. Under Options, scroll to the bottom, then click Next.
    7. On the Review page, confirm that the stack name and parameters are correct. The following shows the parameters for the example. Note the parameter values for the FortiGate license files.

    8. On the Review page, scroll to the capabilities. Acknowledge that the template creates IAM resources by clicking the checkbox, then click Create. The IAM role and instance profile are required: the FortiGates use them to call the EC2 API and move the cluster EIP, secondary IPs, and route table targets on failover.
    9. On the main AWS CloudFormation console, your stack is created. Monitor the progress by selecting your stack and going to the Events tab.
  3. Confirm the primary-secondary relationship between FortiGates A and B:
    1. Once the stack is created successfully, go to the Outputs tab to get the login information for the FortiGate instances and cluster.

    2. Using the login information in the stack outputs, log into the primary FortiGate instance with the ClusterLoginURL. This URL points at the cluster EIP, which is always associated with the current primary, so you have logged into FortiGate A.

    3. Go to the HA status page on the primary FortiGate by going to System > HA. Now you should see both FortiGate A and FortiGate B in the cluster with FortiGate B as the current secondary unit.

    4. Give the HA cluster time to finish synchronizing their configuration and update files. You can confirm that both the primary and secondary FortiGates are in sync by looking at the Synchronized column and confirming there is a green checkmark next to both FortiGates.
      Note

      Due to browser caching issues, the synchronization status icon may not update properly after the cluster is in-sync. Close your browser and log back into the cluster, or verify the HA config sync status with the CLI command get system ha status.

    5. Go to the AWS EC2 console and reference the instance Description tab for FortiGate A. Notice the primary and secondary IP addresses assigned to the instance ENIs as well as the two EIPs associated to the instance, the cluster EIP (35.175.44.85) and the HAmgmt EIP (34.196.24.82).

    6. Now reference the instance Description tab for FortiGate B. Notice that there are only primary IP addresses assigned to the instance ENIs and only one EIP is the HAmgmt EIP (52.0.217.65).

    7. Go to the AWS VPC console and look at the routes for the PrivateRouteTable which is associated to the PrivateSubnet. The default route target is pointing to the ENI1/port2 of FortiGate A.

  4. Go back to the AWS EC2 console and reference the instance Description tab for FortiGate A. Shut down FortiGate A via the EC2 console and refresh the page after a few seconds. Notice that the cluster EIP and secondary IP addresses are no longer assigned to FortiGate A.

  5. Reference FortiGate B's instance Description tab. Notice that the cluster EIP and secondary IP addresses are now associated with FortiGate B. FortiGate B made these changes itself through the EC2 API, using the IAM role the stack created, once it detected the loss of FortiGate A over the HAsync interface.

  6. Go back to the AWS VPC console and look at the routes for the PrivateRouteTable which is associated to the PrivateSubnet. The default route target now points to FortiGate B's ENI1/port2. The EIP association, the secondary IP assignment, and the route change are separate API calls, so confirm all three before considering the failover complete.

  7. Log back into the ClusterLoginURL and you are placed on the current primary FortiGate, which is FortiGate B.

  8. Turn on FortiGate A and confirm that it joins the cluster successfully as the secondary and that FortiGate B continues to be the primary FortiGate. FortiOS HA does not preempt by default (HA override is disabled), so the recovered unit does not take the primary role back and no second failover of the EIP and routes occurs.
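The checks in steps 3.5 through 6 above are done by eye in the EC2 and VPC consoles. The following is an added example, not part of the Fortinet template or of FortiOS, that performs the same verification from the AWS side in code: it determines which instance holds the cluster EIP, which holds the cluster secondary IPs, and which instance's ENI is the 0.0.0.0/0 target of PrivateRouteTable, and reports a primary only when all three agree. It consumes the response shapes of the EC2 DescribeNetworkInterfaces and DescribeRouteTables calls, so the same functions can be fed live data from boto3 (not imported here). The instance and ENI IDs, private addresses, and the three snapshots are constructed; the EIPs reuse the values shown in the page's example. The partial_failover snapshot is hypothetical and shows the split state the check is meant to catch, since the EIP, secondary-IP, and route moves are separate API calls.

```python
"""AWS-side check of which FortiGate owns the resources the A-P HA template
moves on failover. Added example; not Fortinet code. Sample data is constructed
with hypothetical instance/ENI IDs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLUSTER_EIP = "35.175.44.85"      # cluster EIP from the page's example
PRIVATE_RTB_NAME = "PrivateRouteTable"


@dataclass(frozen=True)
class HaState:
    eip_holder: Optional[str]           # instance holding the cluster EIP
    secondary_ip_holder: Optional[str]  # instance holding the cluster secondary IPs
    route_holder: Optional[str]         # instance whose ENI is the 0.0.0.0/0 target

    @property
    def primary(self) -> Optional[str]:
        """Instance owning all three, or None when failover is incomplete or split."""
        owners = {self.eip_holder, self.secondary_ip_holder, self.route_holder}
        return self.eip_holder if len(owners) == 1 and self.eip_holder else None


def _tag(resource: dict, key: str) -> Optional[str]:
    # ENIs carry "TagSet", route tables carry "Tags"
    for t in resource.get("TagSet") or resource.get("Tags") or []:
        if t["Key"] == key:
            return t["Value"]
    return None


def _instance_of(eni: dict) -> Optional[str]:
    return (eni.get("Attachment") or {}).get("InstanceId")


def eip_holder(enis: List[dict], public_ip: str) -> Optional[str]:
    """Instance whose ENI has a private IP associated with the given EIP."""
    for eni in enis:
        for addr in eni.get("PrivateIpAddresses", []):
            if (addr.get("Association") or {}).get("PublicIp") == public_ip:
                return _instance_of(eni)
    return None


def secondary_ip_holder(enis: List[dict]) -> Optional[str]:
    """Instance holding non-primary private IPs; None if none or more than one do."""
    holders = {_instance_of(eni) for eni in enis
               if any(not a.get("Primary", False) for a in eni.get("PrivateIpAddresses", []))}
    return holders.pop() if len(holders) == 1 else None


def default_route_holder(enis: List[dict], route_tables: List[dict], rtb_name: str) -> Optional[str]:
    """Instance owning the ENI that the named route table's active 0.0.0.0/0 route targets."""
    eni_to_instance = {eni["NetworkInterfaceId"]: _instance_of(eni) for eni in enis}
    for rtb in route_tables:
        if _tag(rtb, "Name") != rtb_name:
            continue
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
                return eni_to_instance.get(route.get("NetworkInterfaceId"))
    return None


def ha_state(enis: List[dict], route_tables: List[dict],
             cluster_eip: str = CLUSTER_EIP, rtb_name: str = PRIVATE_RTB_NAME) -> HaState:
    return HaState(eip_holder(enis, cluster_eip), secondary_ip_holder(enis),
                   default_route_holder(enis, route_tables, rtb_name))


# --- constructed sample data (hypothetical IDs; EIPs follow the page's example) ---
FGT_A, FGT_B = "i-0aaaaaaaaaaaaaaaa", "i-0bbbbbbbbbbbbbbbb"
HAMGMT_EIP_A, HAMGMT_EIP_B = "34.196.24.82", "52.0.217.65"


def _eni(eni_id: str, instance: str, device: int, addrs: List[Tuple[str, bool, Optional[str]]]) -> dict:
    """addrs: (private_ip, is_primary, associated_public_ip_or_None), shaped like the EC2 API."""
    return {"NetworkInterfaceId": eni_id,
            "Attachment": {"InstanceId": instance, "DeviceIndex": device},
            "PrivateIpAddresses": [
                {"PrivateIpAddress": ip, "Primary": primary,
                 **({"Association": {"PublicIp": pub}} if pub else {})}
                for ip, primary, pub in addrs]}


def _snapshot(active: str, route_target: str):
    """ENIs and route table when `active` holds the cluster EIP/secondary IPs and the
    default route points at `route_target`'s port2 ENI (device index 1)."""
    def cluster(inst, ip, pub):  # cluster secondary IP only on the active unit
        return [(ip, False, pub)] if inst == active else []
    enis = [
        _eni("eni-a1", FGT_A, 0, [("10.0.0.10", True, None)] + cluster(FGT_A, "10.0.0.13", CLUSTER_EIP)),
        _eni("eni-a2", FGT_A, 1, [("10.0.1.10", True, None)] + cluster(FGT_A, "10.0.1.13", None)),
        _eni("eni-a4", FGT_A, 3, [("10.0.3.10", True, HAMGMT_EIP_A)]),
        _eni("eni-b1", FGT_B, 0, [("10.0.0.11", True, None)] + cluster(FGT_B, "10.0.0.13", CLUSTER_EIP)),
        _eni("eni-b2", FGT_B, 1, [("10.0.1.11", True, None)] + cluster(FGT_B, "10.0.1.13", None)),
        _eni("eni-b4", FGT_B, 3, [("10.0.3.11", True, HAMGMT_EIP_B)]),
    ]
    rtbs = [{"RouteTableId": "rtb-0private",
             "Tags": [{"Key": "Name", "Value": PRIVATE_RTB_NAME}],
             "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "State": "active",
                         "NetworkInterfaceId": "eni-a2" if route_target == FGT_A else "eni-b2"}]}]
    return enis, rtbs


def before_failover():  return _snapshot(FGT_A, FGT_A)   # step 3.5 through 3.7
def after_failover():   return _snapshot(FGT_B, FGT_B)   # steps 4 through 6
def partial_failover(): return _snapshot(FGT_B, FGT_A)   # EIP/secondaries moved, route not yet


if __name__ == "__main__":
    for name, snap in (("before", before_failover()), ("after", after_failover()),
                       ("partial", partial_failover())):
        st = ha_state(*snap)
        print(f"{name}: {st} primary={st.primary}")
```

Against live data, replace the snapshot with `ec2.describe_network_interfaces()["NetworkInterfaces"]` and `ec2.describe_route_tables()["RouteTables"]` filtered to the stack's VPC; the HAmgmt EIPs are deliberately included in the sample so that the check keys on the cluster EIP rather than on "any EIP", which would otherwise report the wrong unit.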
