AWS Administration Guide

Deploying from BYOL AMI

You can deploy FortiGate-VM outside the marketplace launcher by installing it manually from the AMI, for example if your organization does not allow access to the AWS marketplace website. AMI images are publicly available in various regions for the versions already listed in the marketplace. This deployment works only with AMIs for BYOL licensing. Deploying from an AMI designed for on-demand is not supported.

If you want to install the latest FortiGate-VM versions immediately after release from Fortinet but you do not see them published in the marketplace or publicly available in the AWS portal, you can always deploy older versions of FortiGate-VM available on the marketplace or the AWS portal as publicly available AMIs, then upgrade using the ".out" upgrade files, which are available at Customer Service & Support.

  1. Log in to the AWS EC2 console and navigate to IMAGES > AMIs. Select the appropriate region.

  2. Find the desired public AMI from the list of AMI IDs corresponding to your region. Select the AMI and click Launch.

  3. Choose a supported instance.

  4. Click Next: Configure Instance Details. Configure instance details:
    1. In the Network field, select the VPC that you created.
    2. In the Subnet field, select the public subnet.
    3. In the Network interfaces section, you will see the entry for eth0 that was created for the public subnet. Select Add Device to add another network interface (in this example, eth1), and select the private subnet. It is recommended that you assign static IP addresses.
    4. When you have two network interfaces, a global IP address isn’t assigned automatically. You must manually assign a global IP address later. Select Review and Launch, then select Launch.

  5. Click Next: Add Storage. In Step 4: Add Storage, you can leave the fields as-is, or change the size of /dev/sdb as desired. The second volume is used for logging.

  6. Click Next: Add Tags. You can add tags for convenient management.

  7. Click Next: Configure Security Groups. Here it is important to allow some incoming ports. Allow TCP port 8443 for management from the GUI. You can also allow TCP port 22 for SSH login. Allow other ports where necessary as noted below. The use of ports is explained in the FortiOS documentation.

    | Incoming TCP ports allowed | Purpose |
    |---|---|
    | 22 | SSH |
    | 443 | Management using the GUI |
    | 541 | Management by FortiManager located outside AWS |
    | 8000 | Fortinet Single Sign On |
    | 10443 | SSLVPN |

    You can change the source address later.

  8. Click Review and Launch. If everything looks good, click Launch.
  9. Select the appropriate keypair, then click Launch Instance. It may take 15 to 30 minutes to deploy the instance. To access the FortiGate and complete post-install setup, see Connecting to the FortiGate.
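
The security group step above opens management ports and leaves the source address to be changed later. The following Python is an added example, not part of the Fortinet guide: it builds ingress rules for the table's ports scoped to a single source CIDR and checks an existing rule set for management ports left open to any address. The CIDRs, the `ADMIN_PORTS` classification and the sample rules are assumptions made for illustration.

```python
import ipaddress
import json

# Incoming TCP ports from the table in step 7 of this page.
TABLE_PORTS = {
    22: "SSH",
    443: "Management using the GUI",
    541: "Management by FortiManager located outside AWS",
    8000: "Fortinet Single Sign On",
    10443: "SSLVPN",
}
# Assumption of this example: ports treated as administrative. 8443 is
# included because the step text names it for GUI management.
ADMIN_PORTS = {22, 443, 541, 8443}

def build_ingress(source_cidr, ports=TABLE_PORTS):
    """Return EC2 IpPermissions that open `ports` to one source CIDR only."""
    net = ipaddress.ip_network(source_cidr)  # ValueError on malformed input
    if net.prefixlen == 0:
        raise ValueError("refusing to open ports to the whole Internet")
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": str(net), "Description": desc}]}
            for p, desc in sorted(ports.items())]

def world_open_admin_ports(ip_permissions):
    """Return the admin ports reachable from 0.0.0.0/0 or ::/0."""
    exposed = set()
    for perm in ip_permissions:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # Protocol "-1" (all traffic) carries no port range: covers every port.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            exposed |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return sorted(exposed)

# Constructed sample in the shape of describe-security-groups IpPermissions.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 10443, "ToPort": 10443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(json.dumps(build_ingress("203.0.113.0/24"), indent=2))
    print("world-open admin ports:", world_open_admin_ports(SAMPLE_RULES))
```

The list returned by `build_ingress` is the JSON shape accepted by `aws ec2 authorize-security-group-ingress --ip-permissions`.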
