Cloud-init

In Auto Scaling, a FortiGate-VM uses the cloud-init feature to pre-configure the instances when they first come up. During template deployment, an internal API Gateway endpoint will be created.

A FortiGate-VM sends requests to the endpoint to retrieve the necessary configuration after initialization. The following are examples from the Master and Slave FortiGate-VMs; sensitive values in the output (the instance ID, the API Gateway ID, the auto-scale and IPsec pre-shared keys, and the SA keys) are shown as `<masked_...>` placeholders.

Master FortiGate-VM cloud-init output

FortiGate-VM64-AWSON~AND # diag debug cloudinit show

 >> Checking metadata source aws

 >> AWS curl header: Fos-instance-id: <masked_instance_id>

 >> AWS trying to get config script from https://<masked_api_id>/prod/fgt-asg-handler

 >> AWS download config script successfully

 >> Run config script

 >> Finish running script

 >> FortiGate-VM64-AWSON~AND $ config system dns

 >> FortiGate-VM64-AWSON~AND (dns) $ unset primary

 >> FortiGate-VM64-AWSON~AND (dns) $ unset secondary

 >> FortiGate-VM64-AWSON~AND (dns) $ end

 >> FortiGate-VM64-AWSON~AND $ config system global

 >> FortiGate-VM64-AWSON~AND (global) $ set admin-sport 8443

 >> FortiGate-VM64-AWSON~AND (global) $ end

 >> FortiGate-VM64-AWSON~AND $ config system auto-scale

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set status enable

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set sync-interface "port1"

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set hb-interval 30

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set role master

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set callback-url https://<masked_api_id>/prod/fgt-asg-handler

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ end

 >> FortiGate-VM64-AWSON~AND $ config system vdom-exception

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase1-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase2-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.bgp

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.route-map

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.prefix-list

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object firewall.ippool

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router prefix-list

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 0.0.0.0 0.0.0.0

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.2.150 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router route-map

 >> FortiGate-VM64-AWSON~AND (route-map) $ edit "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set match-ip-address "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set match-ip-address "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ next

 >> FortiGate-VM64-AWSON~AND (route-map) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set local-gw 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-gw 3.219.71.235

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set phase1name "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set ip 169.254.47.226 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-ip 169.254.47.225 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.47.225

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set description "vpn-02b56c99935bfcbea-1"

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.2.150 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set local-gw 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-gw 34.197.152.22

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set phase1name "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set ip 169.254.45.90 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-ip 169.254.45.89 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.45.89

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set description "vpn-02b56c99935bfcbea-2"

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.2.150 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall ippool

 >> FortiGate-VM64-AWSON~AND (ippool) $ edit "ippool"

 >> FortiGate-VM64-AWSON~AND (ippool) $ set startip 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (ippool) $ set endip 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (ippool) $ next

 >> FortiGate-VM64-AWSON~AND (ippool) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system zone

 >> FortiGate-VM64-AWSON~AND (zone) $ edit "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ set interface "tgw-vpn-1" "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ next

 >> FortiGate-VM64-AWSON~AND (zone) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall policy

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set name "vpc-vpc_access"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set action accept

 >> FortiGate-VM64-AWSON~AND (1) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (1) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (1) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (1) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (1) $ set ippool enable

 >> FortiGate-VM64-AWSON~AND (1) $ set poolname "ippool"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set name "vpc-internet_access"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstintf "port1"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set action accept

 >> FortiGate-VM64-AWSON~AND (2) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (2) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (2) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (2) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ end

Slave FortiGate-VM cloud-init output

FortiGate-VM64-AWSON~AND # diag debug cloudinit show

 >> Checking metadata source aws

 >> AWS curl header: Fos-instance-id: <masked_instance_id>

 >> AWS trying to get config script from https://<masked_api_id>/prod/fgt-asg-handler

 >> AWS download config script successfully

 >> Run config script

 >> Finish running script

 >> FortiGate-VM64-AWSON~AND $ config system dns

 >> FortiGate-VM64-AWSON~AND (dns) $ unset primary

 >> FortiGate-VM64-AWSON~AND (dns) $ unset secondary

 >> FortiGate-VM64-AWSON~AND (dns) $ end

 >> FortiGate-VM64-AWSON~AND $ config system global

 >> FortiGate-VM64-AWSON~AND (global) $ set admin-sport 8443

 >> FortiGate-VM64-AWSON~AND (global) $ end

 >> FortiGate-VM64-AWSON~AND $ config system auto-scale

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set status enable

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set sync-interface "port1"

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set hb-interval 30

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set role slave

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set master-ip 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set callback-url https://<masked_api_id>/prod/fgt-asg-handler

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ end

 >> FortiGate-VM64-AWSON~AND $ config system vdom-exception

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase1-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase2-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.bgp

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.route-map

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.prefix-list

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object firewall.ippool

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router prefix-list

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 0.0.0.0 0.0.0.0

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.1.143 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router route-map

 >> FortiGate-VM64-AWSON~AND (route-map) $ edit "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set match-ip-address "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set match-ip-address "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ next

 >> FortiGate-VM64-AWSON~AND (route-map) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set local-gw 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-gw 3.220.220.108

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set phase1name "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set ip 169.254.44.14 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-ip 169.254.44.13 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.44.13

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set description "vpn-023854714704ae854-1"

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.1.143 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set local-gw 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-gw 54.82.184.6

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set phase1name "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set ip 169.254.46.194 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-ip 169.254.46.193 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.46.193

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set description "vpn-023854714704ae854-2"

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.1.143 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall ippool

 >> FortiGate-VM64-AWSON~AND (ippool) $ edit "ippool"

 >> FortiGate-VM64-AWSON~AND (ippool) $ set startip 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (ippool) $ set endip 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (ippool) $ next

 >> FortiGate-VM64-AWSON~AND (ippool) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system zone

 >> FortiGate-VM64-AWSON~AND (zone) $ edit "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ set interface "tgw-vpn-1" "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ next

 >> FortiGate-VM64-AWSON~AND (zone) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall policy

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set name "vpc-vpc_access"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set action accept

 >> FortiGate-VM64-AWSON~AND (1) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (1) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (1) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (1) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (1) $ set ippool enable

 >> FortiGate-VM64-AWSON~AND (1) $ set poolname "ippool"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set name "vpc-internet_access"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstintf "port1"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set action accept

 >> FortiGate-VM64-AWSON~AND (2) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (2) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (2) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (2) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ end

Master FortiGate-VM VPN output

FortiGate-VM64-AWSON~AND # diag vpn tun list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=tgw-vpn-1 ver=1 serial=1 192.168.2.150:4500->3.219.71.235:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0

stat: rxp=248 txp=250 rxb=33648 txb=15612

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-1 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2159/0B replaywin=2048

 seqno=fb esn=0 replaywin_lastseq=000000f8 itn=0 qat=0

life: type=01 bytes=0/0 timeout=3301/3600

dec: spi=d49814e0 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=f65cea35 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=248/15161, enc:pkts/bytes=250/34224

------------------------------------------------------

name=tgw-vpn-2 ver=1 serial=2 192.168.2.150:4500->34.197.152.22:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=1 olast=1 ad=/0

stat: rxp=248 txp=250 rxb=33648 txb=15612

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2157/0B replaywin=2048

 seqno=fb esn=0 replaywin_lastseq=000000f8 itn=0 qat=0

life: type=01 bytes=0/0 timeout=3300/3600

dec: spi=d49814df esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=b867a1a8 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=248/15161, enc:pkts/bytes=250/34224

------------------------------------------------------

name=__autoscale_m_p1 ver=1 serial=3 192.168.2.150:0->0.0.0.0:0 dst_mtu=0

bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dialup/2 encap=none/0 accept_traffic=1

 

proxyid_num=0 child_num=1 refcnt=5 ilast=1142 olast=1142 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

run_tally=0

------------------------------------------------------

name=__autoscale_m_p1_0 ver=1 serial=5 192.168.2.150:0->192.168.1.143:0 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dial_inst/3 encap=none/128 options[0080]=rgwy-chg run_state=0 accept_traffic=1

 

parent=__autoscale_m_p1 index=0

proxyid_num=1 child_num=0 refcnt=5 ilast=8 olast=8 ad=/0

stat: rxp=76 txp=75 rxb=18768 txb=8548

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=__autoscale_m_p2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0-255.255.255.255:0

dst: 0:192.168.1.143-192.168.1.143:0

SA:  ref=3 options=202 type=00 soft=0 mtu=8942 expire=42745/0B replaywin=2048

 seqno=4c esn=0 replaywin_lastseq=0000004d itn=0 qat=0

life: type=01 bytes=0/0 timeout=43187/43200

dec: spi=d49814e2 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=dff389cc esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=76/13847, enc:pkts/bytes=75/13480

Slave FortiGate-VM VPN output

FortiGate-VM64-AWSON~AND # diag vpn tun list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=tgw-vpn-1 ver=1 serial=1 192.168.1.143:4500->3.220.220.108:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0

stat: rxp=122 txp=124 rxb=16576 txb=7787

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-1 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2749/0B replaywin=2048

 seqno=7d esn=0 replaywin_lastseq=0000007a itn=0 qat=0

life: type=01 bytes=0/0 timeout=3301/3600

dec: spi=dff389ca esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=fb2e8342 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=122/7488, enc:pkts/bytes=124/17024

------------------------------------------------------

name=tgw-vpn-2 ver=1 serial=2 192.168.1.143:4500->54.82.184.6:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=1 olast=1 ad=/0

stat: rxp=122 txp=124 rxb=16576 txb=7787

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2750/0B replaywin=2048

 seqno=7d esn=0 replaywin_lastseq=0000007a itn=0 qat=0

life: type=01 bytes=0/0 timeout=3303/3600

dec: spi=dff389c9 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=c2db9a6d esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=122/7488, enc:pkts/bytes=124/17024

------------------------------------------------------

name=__autoscale_s_p1 ver=1 serial=5 192.168.1.143:0->192.168.2.150:0 dst_mtu=9001

bound_if=3 lgwy=dyn/0 tun=tunnel/1 mode=auto/1 encap=none/0 run_state=0 accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=6 ilast=12 olast=12 ad=/0

stat: rxp=80 txp=81 rxb=14224 txb=14155

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=__autoscale_s_p2 proto=0 sa=1 ref=2 serial=1 auto-negotiate

src: 0:192.168.1.143/255.255.255.255:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=18203 type=00 soft=0 mtu=8942 expire=42442/0B replaywin=2048

 seqno=52 esn=0 replaywin_lastseq=00000051 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42903/43200

dec: spi=dff389cc esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=d49814e2 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=80/8964, enc:pkts/bytes=81/19400

run_tally=0


Cloud-init

In Auto Scaling, a FortiGate-VM uses the cloud-init feature to pre-configure each instance when it first boots. During template deployment, an internal API Gateway endpoint is created; on first boot the FortiGate-VM requests its configuration script from this endpoint, identifying itself with the Fos-instance-id header shown in the output below. Because the script returned by the endpoint carries the auto-scale pre-shared key and the IPsec pre-shared keys (shown masked), treat the endpoint and anything that can reach it as sensitive infrastructure, not as a public resource.

A FortiGate-VM sends requests to the endpoint to retrieve the necessary configuration after initialization. The following are examples from the Master and Slave FortiGate-VMs. Note that the API ID, instance IDs, psksecret values, and the per-SA encryption and authentication keys in these outputs have been masked; the unmasked output of diag debug cloudinit show and diag vpn tun list contains live secrets, so do not paste it into tickets, chat, or logs without masking it the same way. Also note that the settings generated by the template (for example, the aes128-sha1 proposals with dhgrp 2 on the IPsec tunnels, and the firewall policies that accept srcaddr all, dstaddr all, service ALL) are bootstrap defaults; review and tighten them for your environment after deployment.

Master FortiGate-VM cloudinit output

FortiGate-VM64-AWSON~AND # diag debug cloudinit show

 >> Checking metadata source aws

 >> AWS curl header: Fos-instance-id: <masked_instance_id>

 >> AWS trying to get config script from https://<masked_api_id>/prod/fgt-asg-handler

 >> AWS download config script successfully

 >> Run config script

 >> Finish running script

 >> FortiGate-VM64-AWSON~AND $ config system dns

 >> FortiGate-VM64-AWSON~AND (dns) $ unset primary

 >> FortiGate-VM64-AWSON~AND (dns) $ unset secondary

 >> FortiGate-VM64-AWSON~AND (dns) $ end

 >> FortiGate-VM64-AWSON~AND $ config system global

 >> FortiGate-VM64-AWSON~AND (global) $ set admin-sport 8443

 >> FortiGate-VM64-AWSON~AND (global) $ end

 >> FortiGate-VM64-AWSON~AND $ config system auto-scale

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set status enable

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set sync-interface "port1"

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set hb-interval 30

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set role master

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set callback-url https://<masked_api_id>/prod/fgt-asg-handler

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ end

 >> FortiGate-VM64-AWSON~AND $ config system vdom-exception

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase1-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase2-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.bgp

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.route-map

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.prefix-list

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object firewall.ippool

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router prefix-list

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 0.0.0.0 0.0.0.0

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.2.150 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router route-map

 >> FortiGate-VM64-AWSON~AND (route-map) $ edit "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set match-ip-address "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set match-ip-address "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ next

 >> FortiGate-VM64-AWSON~AND (route-map) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set local-gw 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-gw 3.219.71.235

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set phase1name "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set ip 169.254.47.226 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-ip 169.254.47.225 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.47.225

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set description "vpn-02b56c99935bfcbea-1"

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.47.225) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.2.150 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set local-gw 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-gw 34.197.152.22

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set phase1name "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set ip 169.254.45.90 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-ip 169.254.45.89 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.45.89

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set description "vpn-02b56c99935bfcbea-2"

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.45.89) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.2.150 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall ippool

 >> FortiGate-VM64-AWSON~AND (ippool) $ edit "ippool"

 >> FortiGate-VM64-AWSON~AND (ippool) $ set startip 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (ippool) $ set endip 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (ippool) $ next

 >> FortiGate-VM64-AWSON~AND (ippool) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system zone

 >> FortiGate-VM64-AWSON~AND (zone) $ edit "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ set interface "tgw-vpn-1" "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ next

 >> FortiGate-VM64-AWSON~AND (zone) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall policy

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set name "vpc-vpc_access"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set action accept

 >> FortiGate-VM64-AWSON~AND (1) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (1) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (1) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (1) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (1) $ set ippool enable

 >> FortiGate-VM64-AWSON~AND (1) $ set poolname "ippool"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set name "vpc-internet_access"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstintf "port1"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set action accept

 >> FortiGate-VM64-AWSON~AND (2) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (2) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (2) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (2) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ end

Slave FortiGate-VM cloudinit output

FortiGate-VM64-AWSON~AND # diag debug cloudinit show

 >> Checking metadata source aws

 >> AWS curl header: Fos-instance-id: <masked_instance_id>

 >> AWS trying to get config script from https://<masked_api_id>/prod/fgt-asg-handler

 >> AWS download config script successfully

 >> Run config script

 >> Finish running script

 >> FortiGate-VM64-AWSON~AND $ config system dns

 >> FortiGate-VM64-AWSON~AND (dns) $ unset primary

 >> FortiGate-VM64-AWSON~AND (dns) $ unset secondary

 >> FortiGate-VM64-AWSON~AND (dns) $ end

 >> FortiGate-VM64-AWSON~AND $ config system global

 >> FortiGate-VM64-AWSON~AND (global) $ set admin-sport 8443

 >> FortiGate-VM64-AWSON~AND (global) $ end

 >> FortiGate-VM64-AWSON~AND $ config system auto-scale

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set status enable

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set sync-interface "port1"

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set hb-interval 30

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set role slave

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set master-ip 192.168.2.150

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set callback-url https://<masked_api_id>/prod/fgt-asg-handler

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (auto-scale) $ end

 >> FortiGate-VM64-AWSON~AND $ config system vdom-exception

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase1-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object vpn.ipsec.phase2-interface

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.bgp

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.route-map

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object router.prefix-list

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ edit 0

 >> FortiGate-VM64-AWSON~AND (0) $ set object firewall.ippool

 >> FortiGate-VM64-AWSON~AND (0) $ next

 >> FortiGate-VM64-AWSON~AND (vdom-exception) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router prefix-list

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 0.0.0.0 0.0.0.0

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-default-route) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ edit "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.1.143 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ unset ge

 >> FortiGate-VM64-AWSON~AND (1) $ unset le

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (pflist-port1) $ next

 >> FortiGate-VM64-AWSON~AND (prefix-list) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router route-map

 >> FortiGate-VM64-AWSON~AND (route-map) $ edit "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ config rule

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set match-ip-address "pflist-default-route"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set match-ip-address "pflist-port1"

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (rule) $ end

 >> FortiGate-VM64-AWSON~AND (rmap-outbound) $ next

 >> FortiGate-VM64-AWSON~AND (route-map) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set local-gw 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-gw 3.220.220.108

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set phase1name "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set ip 169.254.44.14 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ set remote-ip 169.254.44.13 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-1) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.44.13

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set description "vpn-023854714704ae854-1"

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.44.13) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.1.143 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase1-interface

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set local-gw 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylife 28800

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set net-device enable

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-gw 54.82.184.6

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set psksecret <masked_psksecret>

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dpd-retryinterval 10

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase1-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config vpn ipsec phase2-interface

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set phase1name "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set proposal aes128-sha1

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set dhgrp 2

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set keylifeseconds 3600

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (phase2-interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system interface

 >> FortiGate-VM64-AWSON~AND (interface) $ edit "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set interface "port1"

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set ip 169.254.46.194 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set allowaccess ping

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set type tunnel

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set tcp-mss 1379

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ set remote-ip 169.254.46.193 255.255.255.252

 >> FortiGate-VM64-AWSON~AND (tgw-vpn-2) $ next

 >> FortiGate-VM64-AWSON~AND (interface) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config router bgp

 >> FortiGate-VM64-AWSON~AND (bgp) $ set as 65000

 >> FortiGate-VM64-AWSON~AND (bgp) $ set router-id 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (bgp) $ set ebgp-multipath enable

 >> FortiGate-VM64-AWSON~AND (bgp) $ set network-import-check disable

 >> FortiGate-VM64-AWSON~AND (bgp) $ config neighbor

 >> FortiGate-VM64-AWSON~AND (neighbor) $ edit 169.254.46.193

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set capability-default-originate enable

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set link-down-failover enable

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set description "vpn-023854714704ae854-2"

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set remote-as 64512

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ set route-map-out "rmap-outbound"

 >> FortiGate-VM64-AWSON~AND (169.254.46.193) $ next

 >> FortiGate-VM64-AWSON~AND (neighbor) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ config network

 >> FortiGate-VM64-AWSON~AND (network) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set prefix 192.168.1.143 255.255.255.255

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (network) $ end

 >> FortiGate-VM64-AWSON~AND (bgp) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall ippool

 >> FortiGate-VM64-AWSON~AND (ippool) $ edit "ippool"

 >> FortiGate-VM64-AWSON~AND (ippool) $ set startip 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (ippool) $ set endip 192.168.1.143

 >> FortiGate-VM64-AWSON~AND (ippool) $ next

 >> FortiGate-VM64-AWSON~AND (ippool) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config system zone

 >> FortiGate-VM64-AWSON~AND (zone) $ edit "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ set interface "tgw-vpn-1" "tgw-vpn-2"

 >> FortiGate-VM64-AWSON~AND (sys-zone-tgw-vpn) $ next

 >> FortiGate-VM64-AWSON~AND (zone) $ end

 >> FortiGate-VM64-AWSON~AND $

 >> FortiGate-VM64-AWSON~AND $ config firewall policy

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 1

 >> FortiGate-VM64-AWSON~AND (1) $ set name "vpc-vpc_access"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (1) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (1) $ set action accept

 >> FortiGate-VM64-AWSON~AND (1) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (1) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (1) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (1) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (1) $ set ippool enable

 >> FortiGate-VM64-AWSON~AND (1) $ set poolname "ippool"

 >> FortiGate-VM64-AWSON~AND (1) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ edit 2

 >> FortiGate-VM64-AWSON~AND (2) $ set name "vpc-internet_access"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcintf "sys-zone-tgw-vpn"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstintf "port1"

 >> FortiGate-VM64-AWSON~AND (2) $ set srcaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set dstaddr "all"

 >> FortiGate-VM64-AWSON~AND (2) $ set action accept

 >> FortiGate-VM64-AWSON~AND (2) $ set schedule "always"

 >> FortiGate-VM64-AWSON~AND (2) $ set service "ALL"

 >> FortiGate-VM64-AWSON~AND (2) $ set fsso disable

 >> FortiGate-VM64-AWSON~AND (2) $ set nat enable

 >> FortiGate-VM64-AWSON~AND (2) $ next

 >> FortiGate-VM64-AWSON~AND (policy) $ end

Master FortiGate-VM VPN output

FortiGate-VM64-AWSON~AND # diag vpn tun list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=tgw-vpn-1 ver=1 serial=1 192.168.2.150:4500->3.219.71.235:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0

stat: rxp=248 txp=250 rxb=33648 txb=15612

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-1 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2159/0B replaywin=2048

 seqno=fb esn=0 replaywin_lastseq=000000f8 itn=0 qat=0

life: type=01 bytes=0/0 timeout=3301/3600

dec: spi=d49814e0 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=f65cea35 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=248/15161, enc:pkts/bytes=250/34224

------------------------------------------------------

name=tgw-vpn-2 ver=1 serial=2 192.168.2.150:4500->34.197.152.22:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=1 olast=1 ad=/0

stat: rxp=248 txp=250 rxb=33648 txb=15612

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2157/0B replaywin=2048

 seqno=fb esn=0 replaywin_lastseq=000000f8 itn=0 qat=0

life: type=01 bytes=0/0 timeout=3300/3600

dec: spi=d49814df esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=b867a1a8 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=248/15161, enc:pkts/bytes=250/34224

------------------------------------------------------

name=__autoscale_m_p1 ver=1 serial=3 192.168.2.150:0->0.0.0.0:0 dst_mtu=0

bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dialup/2 encap=none/0 accept_traffic=1

 

proxyid_num=0 child_num=1 refcnt=5 ilast=1142 olast=1142 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

run_tally=0

------------------------------------------------------

name=__autoscale_m_p1_0 ver=1 serial=5 192.168.2.150:0->192.168.1.143:0 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dial_inst/3 encap=none/128 options[0080]=rgwy-chg run_state=0 accept_traffic=1

 

parent=__autoscale_m_p1 index=0

proxyid_num=1 child_num=0 refcnt=5 ilast=8 olast=8 ad=/0

stat: rxp=76 txp=75 rxb=18768 txb=8548

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=__autoscale_m_p2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0-255.255.255.255:0

dst: 0:192.168.1.143-192.168.1.143:0

SA:  ref=3 options=202 type=00 soft=0 mtu=8942 expire=42745/0B replaywin=2048

 seqno=4c esn=0 replaywin_lastseq=0000004d itn=0 qat=0

life: type=01 bytes=0/0 timeout=43187/43200

dec: spi=d49814e2 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=dff389cc esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=76/13847, enc:pkts/bytes=75/13480

Slave FortiGate-VM VPN output

FortiGate-VM64-AWSON~AND # diag vpn tun list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=tgw-vpn-1 ver=1 serial=1 192.168.1.143:4500->3.220.220.108:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0

stat: rxp=122 txp=124 rxb=16576 txb=7787

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-1 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2749/0B replaywin=2048

 seqno=7d esn=0 replaywin_lastseq=0000007a itn=0 qat=0

life: type=01 bytes=0/0 timeout=3301/3600

dec: spi=dff389ca esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=fb2e8342 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=122/7488, enc:pkts/bytes=124/17024

------------------------------------------------------

name=tgw-vpn-2 ver=1 serial=2 192.168.1.143:4500->54.82.184.6:4500 dst_mtu=9001

bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=15 ilast=1 olast=1 ad=/0

stat: rxp=122 txp=124 rxb=16576 txb=7787

dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=tgw-vpn-2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=10202 type=00 soft=0 mtu=8926 expire=2750/0B replaywin=2048

 seqno=7d esn=0 replaywin_lastseq=0000007a itn=0 qat=0

life: type=01 bytes=0/0 timeout=3303/3600

dec: spi=dff389c9 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=c2db9a6d esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=122/7488, enc:pkts/bytes=124/17024

------------------------------------------------------

name=__autoscale_s_p1 ver=1 serial=5 192.168.1.143:0->192.168.2.150:0 dst_mtu=9001

bound_if=3 lgwy=dyn/0 tun=tunnel/1 mode=auto/1 encap=none/0 run_state=0 accept_traffic=1

 

proxyid_num=1 child_num=0 refcnt=6 ilast=12 olast=12 ad=/0

stat: rxp=80 txp=81 rxb=14224 txb=14155

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=__autoscale_s_p2 proto=0 sa=1 ref=2 serial=1 auto-negotiate

src: 0:192.168.1.143/255.255.255.255:0

dst: 0:0.0.0.0/0.0.0.0:0

SA:  ref=3 options=18203 type=00 soft=0 mtu=8942 expire=42442/0B replaywin=2048

 seqno=52 esn=0 replaywin_lastseq=00000051 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42903/43200

dec: spi=dff389cc esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

enc: spi=d49814e2 esp=aes key=16 <masked_key>

 ah=sha1 key=20 <masked_key>

dec:pkts/bytes=80/8964, enc:pkts/bytes=81/19400

run_tally=0