Fortinet Document Library

AWS Cookbook 6.4.0

FortiGate Autoscale for AWS features

Major components

  • The Auto Scaling group. The Auto Scaling group contains two or more FortiGate-VMs (On-Demand licensing model). This Auto Scaling group dynamically scales out or scales in based on the scaling metrics specified by the parameters Scale-out threshold and Scale-in threshold. By design, there are a minimum of two instances in this group.
  • The “assets” folder in the S3 Bucket.
    • The configset folder contains files that are loaded as the initial configuration for a new FortiGate-VM instance.
      • baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders section below.
  • Tables in DynamoDB. These tables are required to store information such as health check monitoring, master election, state transitions, etc. These records should not be modified unless required for troubleshooting purposes.
  • Networking components. These are the network load balancers, the target group, and the VPC and subnets. You are expected to create your own client and server instances that you want protected by the FortiGate-VM.

Configset placeholders

When the FortiGate-VM requests the configuration from the Auto Scaling Handler function, the placeholders listed below will be replaced with actual values about the Auto Scaling group.

  • {SYNC_INTERFACE} (Text): The interface for FortiGate-VMs to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase.
  • {CALLBACK_URL} (URL): The endpoint URL to interact with the auto scaling handler script. Automatically generated during CloudFormation deployment.
  • {PSK_SECRET} (Text): The Pre-Shared Key used in FortiOS. Specified during CloudFormation deployment.
  • {ADMIN_PORT} (Number): A port number specified for admin login. A positive integer such as 443. Specified during CloudFormation deployment.
  • {HEART_BEAT_INTERVAL} (Number): The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. This placeholder is only in the hybrid licensing deployment.
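The substitution step described above is easy to get wrong in the unsafe direction: a placeholder left unresolved, an uppercase interface name, or a port of 0 would ship a FortiGate-VM with a broken or open configuration. The following added example (not Fortinet's handler code, which this page does not show) renders a constructed baseconfig-style template and validates each placeholder value against the constraints listed above before substituting it. The template text, the example values, and the requirement that {CALLBACK_URL} use https are assumptions of this example; the placeholder names and their rules are the page's.

```python
import re
from urllib.parse import urlparse

# Constructed sample in FortiOS CLI style; not the baseconfig file Fortinet ships.
SAMPLE_BASECONFIG = """\
config system global
    set admin-sport {ADMIN_PORT}
end
config system auto-scale
    set status enable
    set sync-interface {SYNC_INTERFACE}
    set psksecret {PSK_SECRET}
    set callback-url {CALLBACK_URL}
end
"""

# Tokens look like {NAME}; the handler replaces them with deployment values.
PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")

# Placeholders documented on the page. HEART_BEAT_INTERVAL exists only in
# the hybrid licensing deployment, so it is rejected elsewhere.
BASE_PLACEHOLDERS = {"SYNC_INTERFACE", "CALLBACK_URL", "PSK_SECRET", "ADMIN_PORT"}
HYBRID_ONLY_PLACEHOLDERS = {"HEART_BEAT_INTERVAL"}


def _is_positive_int(value, upper=None):
    """True if value is a decimal string for an integer in 1..upper."""
    if not isinstance(value, str) or not value.isdigit():
        return False
    n = int(value)
    return n > 0 and (upper is None or n <= upper)


def check_placeholder_values(values, hybrid_licensing=False):
    """Return a list of problems with the placeholder values; empty means OK."""
    expected = BASE_PLACEHOLDERS | (HYBRID_ONLY_PLACEHOLDERS if hybrid_licensing else set())
    problems = []
    for name in sorted(expected - values.keys()):
        problems.append(f"{name}: missing")
    for name in sorted(values.keys() - expected):
        problems.append(f"{name}: not a placeholder for this deployment type")

    v = values.get("SYNC_INTERFACE")
    if v is not None and not re.fullmatch(r"port[0-9]+", v):
        problems.append("SYNC_INTERFACE: must be port1, port2, ... in lowercase")

    v = values.get("CALLBACK_URL")
    if v is not None:
        parsed = urlparse(v)
        # Assumption of this example: the handler endpoint is reached over HTTPS.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("CALLBACK_URL: must be an https:// URL with a host")

    v = values.get("PSK_SECRET")
    if v is not None and not v.strip():
        problems.append("PSK_SECRET: must not be empty")

    v = values.get("ADMIN_PORT")
    if v is not None and not _is_positive_int(v, upper=65535):
        problems.append("ADMIN_PORT: must be a positive integer port number")

    v = values.get("HEART_BEAT_INTERVAL")
    if v is not None and not _is_positive_int(v):
        problems.append("HEART_BEAT_INTERVAL: must be a positive integer (seconds)")
    return problems


def render_configset(template, values, hybrid_licensing=False):
    """Substitute {PLACEHOLDER} tokens; fail closed if any token is invalid or unresolved."""
    problems = check_placeholder_values(values, hybrid_licensing)
    if problems:
        raise ValueError("; ".join(problems))
    rendered = PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    leftover = sorted(set(PLACEHOLDER_RE.findall(rendered)))
    if leftover:
        raise ValueError(f"unresolved placeholders in configset: {leftover}")
    return rendered


if __name__ == "__main__":
    # Constructed example values; the PSK is deliberately not printed.
    demo = {
        "SYNC_INTERFACE": "port1",
        "CALLBACK_URL": "https://example.invalid/prod/complete",
        "PSK_SECRET": "constructed-psk",
        "ADMIN_PORT": "8443",
    }
    print(render_configset(SAMPLE_BASECONFIG, demo).replace(demo["PSK_SECRET"], "<redacted>"))
```

Failing closed matters here: a config with a literal `{PSK_SECRET}` left in it would still load, so the renderer refuses to return a configset in which any token survives substitution.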

Auto Scaling Handler environment variables

  • RESOURCE_TAG_PREFIX, CUSTOM_ID: Descriptions of these variables are identical to those of the related parameters which are described in the section Resource tagging configuration.
    • RESOURCE_TAG_PREFIX: Resource tag prefix
    • CUSTOM_ID: Resource name prefix
  • AUTO_SCALING_GROUP_NAME: The Auto Scaling group name.
  • API_GATEWAY_NAME: The API Gateway name generated during the deployment.
  • API_GATEWAY_STAGE_NAME: The API Gateway stage. It is always set to prod.
  • API_GATEWAY_RESOURCE_NAME: The API Gateway resource. It is always set to complete.
  • UNIQUE_ID: This is a deprecated variable. It should remain as an empty string.
  • EXPIRE_LIFECYCLE_ENTRY: The value of the CFT parameter Instance lifecycle timeout, which is described in the section FortiGate-VM Auto Scaling group configuration.
  • FORTIGATE_PSKSECRET, FORTIGATE_ADMIN_PORT: Descriptions of these variables are identical to those of the related parameters which are described in the section FortiGate-VM configuration.
    • FORTIGATE_PSKSECRET: FortiGate PSK secret
    • FORTIGATE_ADMIN_PORT: Admin port
  • FORTIGATE_INTERNAL_ELB_DNS: This is a deprecated variable. It should remain as an empty string.
  • FORTIGATE_TRAFFIC_PORT: This is reserved for other features. It should remain empty.
  • HEART_BEAT_INTERVAL, HEART_BEAT_LOSS_COUNT: Descriptions of these variables are identical to those of the related parameters which are described in the section Failover configuration.
    • HEART_BEAT_INTERVAL: Heart beat interval
    • HEART_BEAT_LOSS_COUNT: Heart beat loss count
  • STACK_ASSETS_S3_BUCKET_NAME, STACK_ASSETS_S3_KEY_PREFIX: Descriptions of these variables are identical to those of the related parameters which are described in the section Deployment resources configuration.
    • STACK_ASSETS_S3_BUCKET_NAME: S3 bucket name
    • STACK_ASSETS_S3_KEY_PREFIX: S3 key prefix
  • VPC_ID: The VPC ID of the FortiGate Autoscale VPC created in this CFT deployment stack.
  • REQUIRED_CONFIG_SET: A comma-delimited string of additional configsets to load. (Reserved for future use.)
  • FORTIGATE_SYNC_INTERFACE: The FortiGate-VM sync interface. This should always be set to port1.
  • SCALING_GROUP_NAME_PAYG: This is reserved for other features. Do not modify its value.
  • SCALING_GROUP_NAME_BYOL: This is reserved for other features. Do not modify its value.
  • MASTER_SCALING_GROUP_NAME: This is reserved for other features. Do not modify its value.
  • ENABLE_SECOND_NIC: This is reserved for other features. Do not modify its value.
  • ENABLE_TGW_VPN: This is the Transit Gateway feature toggle. It should always be set to true.
  • TGW_ID: The ID of the Transit Gateway used in this deployment.
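Several of these variables carry fixed or must-be-empty values that an operator can accidentally change in the Lambda console, and one of them (FORTIGATE_PSKSECRET) must never end up in a log line. The added example below (Python, not Fortinet's handler code) encodes the invariants stated in the list above as a checker that can be run against a handler's environment, plus a redaction helper for safe logging of that environment. The sample environment, the non-empty requirement on the name and ID variables, and the `vpc-`/`tgw-` ID prefixes (the standard AWS identifier format) are this example's assumptions.

```python
import os

# Constructed sample handler environment; every value here is made up for the example.
SAMPLE_ENV = {
    "RESOURCE_TAG_PREFIX": "fortigate-autoscale",
    "CUSTOM_ID": "fgtasg",
    "AUTO_SCALING_GROUP_NAME": "fgtasg-payg-asg",
    "API_GATEWAY_NAME": "fgtasg-autoscale-api",
    "API_GATEWAY_STAGE_NAME": "prod",
    "API_GATEWAY_RESOURCE_NAME": "complete",
    "UNIQUE_ID": "",
    "EXPIRE_LIFECYCLE_ENTRY": "300",
    "FORTIGATE_PSKSECRET": "constructed-psk-value",
    "FORTIGATE_ADMIN_PORT": "8443",
    "FORTIGATE_INTERNAL_ELB_DNS": "",
    "FORTIGATE_TRAFFIC_PORT": "",
    "HEART_BEAT_INTERVAL": "30",
    "HEART_BEAT_LOSS_COUNT": "3",
    "STACK_ASSETS_S3_BUCKET_NAME": "example-assets-bucket",
    "STACK_ASSETS_S3_KEY_PREFIX": "fortigate-autoscale/assets/",
    "VPC_ID": "vpc-0123456789abcdef0",
    "REQUIRED_CONFIG_SET": "",
    "FORTIGATE_SYNC_INTERFACE": "port1",
    "SCALING_GROUP_NAME_PAYG": "fgtasg-payg-asg",
    "SCALING_GROUP_NAME_BYOL": "fgtasg-byol-asg",
    "MASTER_SCALING_GROUP_NAME": "fgtasg-byol-asg",
    "ENABLE_SECOND_NIC": "false",
    "ENABLE_TGW_VPN": "true",
    "TGW_ID": "tgw-0123456789abcdef0",
}

# The variables the page documents; all of them are expected to be present.
ALL_VARS = frozenset(SAMPLE_ENV)

# Invariants taken from the page's descriptions.
FIXED_VALUES = {
    "API_GATEWAY_STAGE_NAME": "prod",
    "API_GATEWAY_RESOURCE_NAME": "complete",
    "FORTIGATE_SYNC_INTERFACE": "port1",
    "ENABLE_TGW_VPN": "true",
}
MUST_BE_EMPTY = {"UNIQUE_ID", "FORTIGATE_INTERNAL_ELB_DNS", "FORTIGATE_TRAFFIC_PORT"}
POSITIVE_INT = {"EXPIRE_LIFECYCLE_ENTRY", "FORTIGATE_ADMIN_PORT",
                "HEART_BEAT_INTERVAL", "HEART_BEAT_LOSS_COUNT"}
# Assumption of this example: these must be non-empty for the handler to work at all.
NON_EMPTY = {"AUTO_SCALING_GROUP_NAME", "API_GATEWAY_NAME", "FORTIGATE_PSKSECRET",
             "STACK_ASSETS_S3_BUCKET_NAME", "VPC_ID", "TGW_ID"}
# Standard AWS identifier prefixes (assumption: the deployment uses real AWS IDs here).
ID_PREFIX = {"VPC_ID": "vpc-", "TGW_ID": "tgw-"}
SECRET_VARS = {"FORTIGATE_PSKSECRET"}


def check_handler_env(env):
    """Return a list of invariant violations in env; an empty list means the environment is sane."""
    problems = [f"{name}: missing" for name in sorted(ALL_VARS - env.keys())]
    for name, want in FIXED_VALUES.items():
        if name in env and env[name] != want:
            problems.append(f"{name}: must be {want!r}, found {env[name]!r}")
    for name in sorted(MUST_BE_EMPTY):
        if env.get(name, "") != "":
            problems.append(f"{name}: deprecated or reserved, must be empty")
    for name in sorted(POSITIVE_INT):
        v = env.get(name)
        if v is not None and not (v.isdigit() and int(v) > 0):
            problems.append(f"{name}: must be a positive integer")
    for name in sorted(NON_EMPTY):
        if name in env and not env[name].strip():
            problems.append(f"{name}: must not be empty")
    for name, prefix in ID_PREFIX.items():
        if env.get(name) and not env[name].startswith(prefix):
            problems.append(f"{name}: expected an ID starting with {prefix!r}")
    return problems


def redacted_env(env):
    """Copy of env safe to log: secret variables are masked, everything else is kept."""
    return {k: ("<redacted>" if k in SECRET_VARS else v) for k, v in env.items()}


if __name__ == "__main__":
    # Run against the real process environment, e.g. inside the handler at start-up.
    for problem in check_handler_env(dict(os.environ)):
        print(problem)
```

Note that `check_handler_env` never includes a variable's value in a message for the secret variables, and `redacted_env` is what should be handed to any logger or debug dump.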
