Script
FortiADC provides a method to execute any AWS API for users: users can upload a Python script to FortiADC (System > AWS Scripting page) with a traffic-group setting and execute the script on the FortiADC to which that traffic group belongs.
If two FortiADCs are in different traffic groups in HA-VRRP mode, each can execute its script individually and communicate with AWS during the HA switch.
Run script:
- Execute manually from the GUI: upload the script, choose the traffic group, and click "Run"
- The traffic group takes effect on the new device, which executes the script after the HA switch
Command to check which traffic group this device belongs to: get system traffic-group-status detail
To execute AWS API, set the following on FortiADC:
config system aws
set region us-west-1 (set the region name as needed)
set accesskey XXXXXXXXXX (from the .csv file downloaded when the user is created on AWS)
set secretkey XXXXXXXXXX (from the .csv file downloaded when the user is created on AWS)
end
Example: This script modifies the default route in the AWS route table when the default traffic group becomes active on the new ADC
#!/bin/sh
# TRAFFIC_GROUP_NAME is set by FortiADC when it runs the script
traffic_group=${TRAFFIC_GROUP_NAME}
eni_id="XXXXXXXXXX"          # ENI of this ADC's interface (replace the placeholder)
route_table_id="XXXXXXXXXX"  # route table that holds the 0.0.0.0/0 route (replace the placeholder)
echo "${TRAFFIC_GROUP_NAME}"
# only the default traffic group owns the default route; the spaces around [ ] and = are required
if [ "$traffic_group" = "default" ]
then
    aws ec2 replace-route --route-table-id "$route_table_id" --destination-cidr-block 0.0.0.0/0 --network-interface-id "$eni_id"
else
    echo "do nothing"
fi
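As an added example (not FortiADC's own code), the same failover logic hardened for operation: the traffic-group check is a separate function, the placeholder IDs are rejected by checking the rtb-/eni- prefixes AWS uses, and the replace-route call is retried because the API may be briefly unreachable right after an HA switch. The AWS_CMD variable and all function names are assumptions of this example; AWS_CMD exists only so the logic can be exercised offline with AWS_CMD=echo.

```shell
#!/bin/sh
# Added example, not part of the FortiADC documentation. TRAFFIC_GROUP_NAME is
# the variable FortiADC sets when it runs the script; AWS_CMD is an assumption
# of this example (leave unset in production, set to "echo" to dry-run).

# Returns 0 when this device should take over the default route: only the
# "default" traffic group owns it, and both IDs must carry the AWS prefix
# (this refuses to run with the unfilled XXXXXXXXXX placeholders).
should_failover() {
    tg="$1"; rtb="$2"; eni="$3"
    [ "$tg" = "default" ] || return 1
    case "$rtb" in rtb-*) ;; *) echo "bad route table id: $rtb" >&2; return 2 ;; esac
    case "$eni" in eni-*) ;; *) echo "bad ENI id: $eni" >&2; return 2 ;; esac
    return 0
}

# Point 0.0.0.0/0 at this ADC's ENI, retrying up to 3 times with a short pause.
replace_default_route() {
    rtb="$1"; eni="$2"; attempt=1
    cmd="${AWS_CMD:-aws}"
    while [ "$attempt" -le 3 ]; do
        if "$cmd" ec2 replace-route --route-table-id "$rtb" \
            --destination-cidr-block 0.0.0.0/0 --network-interface-id "$eni"; then
            return 0
        fi
        echo "replace-route failed (attempt $attempt)" >&2
        attempt=$((attempt + 1)); sleep 2
    done
    return 1
}

# Entry point: failover <route_table_id> <eni_id>
failover() {
    if should_failover "${TRAFFIC_GROUP_NAME:-}" "$1" "$2"; then
        replace_default_route "$1" "$2"
    else
        echo "traffic group '${TRAFFIC_GROUP_NAME:-unset}' does not own the default route; nothing to do"
        return 0
    fi
}
```

On the appliance the last line of the script would be `failover "rtb-..." "eni-..."` with the real IDs filled in.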