Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • AWS Administration Guide

    Home FortiGate Public Cloud 6.4.0 AWS Administration Guide
    6.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    AWS services and components

    AWS services and components

    FortiGate-VM for AWS is an Elastic Compute Cloud (EC2) instance with an Elastic Block Store (EBS) volume attached. The following lists AWS services and components that you must understand when deploying FortiGate-VM for different purposes:

    Ordinary FortiGate-VM single instance deployment or FortiGate-native active-passive high availability

    Service/component

    Description

    Virtual private cloud (VPC)

    This is where the FortiGate-VM and protected VMs are situated and users control the network. The public-facing interface is routed to the Internet gateway, which is created within the VPC.

    EC2

    FortiGate-VM for AWS is an EC2 VM instance. Every instance has a unique instance ID.

    Subnets, route tables

    You must appropriately configure FortiGate-VM with subnets and route tables to handle traffic.

    Internet gateways

    The AWS gateway as a VPC component that allows communication between instances in your VPC and the Internet.

    Elastic IP address (EIP)

    At least one public IP address must be allocated to the FortiGate-VM to access and manage it over the Internet.

    Security groups

    AWS public-facing protection. Allow only necessary ports and protocols.

    AMI

    A special type of deployable image used on AWS. You can launch FortiGate-VM (BYOL) directly from the publicly available FortiGate AMI instead of using the marketplace. See Deploying from BYOL AMI.

    The on-demand AMI is launchable but does not allow you to properly boot up as it is not intended to be deployed from AMI.

    CloudFormation Templates (CFT)

    FortiGate instances can be deployed using CFTs where tailor-made resource instantiation is defined. Fortinet provides CFTs for the following use cases:

    • Deploying FortiGate-native A-P HA
    • Customer-required scenarios with particular topologies

    CFTs are available on GitHub.

    Fortinet-provided CFTs are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

    Additional or alternative HA using AWS mechanisms

    Service/component

    Description

    Auto Scaling

    Auto scaling can automatically scale out by instantiating additional FortiGate-VM instances at times of high workloads. See Deploying auto scaling on AWS.

    To run auto scaling, you must enable/subscribe to coexisting AWS services:

    • Route 53
    • API gateway
    • Load Balancer
    • CloudWatch
    • Lambda
    • SNS
    • DynamoDB
    • Simple Storage Services (S3) (BYOL only)

    These services are not always required for AWS auto scaling in general, but are predefined in Fortinet-provided Lambda scripts.

    Load Balancer

    Also called Elastic Load Balancer (ELB). A network load balancer automatically distributes traffic across multiple FortiGate-VM instances when configured properly. Topologies will be different depending on how you distribute incoming and outgoing traffic and cover AZs. There are two use cases to use LB with FortiGate-VM:

    Monitoring

    Service/component

    Description

    CloudWatch

    Monitoring service for various AWS resources. You can use CloudWatch in three scenarios with FortiGate-VM:

    • Monitor FortiGate-VM instance health and alert when needed.
    • Define auto scaling scale-out triggers to fire alarms
    • Monitor GuardDuty events

    You must subscribe to CloudWatch to use corresponding features.

    Related AWS services used as prerequisites for additional HA or extra features

    Service/component

    Description

    Lambda

    AWS Lambda lets you run certain scripts and codes without provisioning servers. Fortinet provides Lambda scripts for:

    • Running auto scaling
    • GuardDuty integration

    To use the scripts, you must subscribe to Lambda. Fortinet-provided Lambda scripts are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

    API Gateway

    It acts as a front door by providing a callback URL for the FortiGate-VM to send its API calls and process FortiGate-VM config-sync tasks to synchronize OS configuration across multiple FortiGate-VM instances at the time of auto scaling scale-out. It is required if the config-sync feature needs to be incorporated into auto scaling.

    DynamoDB

    A handy flexible database. Fortinet-provided scripts use DynamoDB to store information about varying states of auto scaling conditions.

    SNS

    Managed message service used to communicate between AWS components. Fortinet-provided scripts use SNS to deliver subscription notifications from CFTs to Lambda for auto scaling.

    GuardDuty

    Managed threat detection service that monitors unwanted behaviors/activities related to AWS resources. Fortinet can leverage externally available lists of malicious IP addresses stored at certain locations. GuardDuty can be used to populate such a list. See Populating threat feeds with GuardDuty. To use this feature, you must subscribe to GuardDuty.

    S3

    AWS storage. You can use S3 in four scenarios with FortiGate-VM:

    • As the location where the list of blocklisted IP addresses is stored which is pointed by the FortiGate-VM in integrating with GuardDuty. See Populating threat feeds with GuardDuty. You must allow the FortiGate-VM access to the S3 bucket/directory on S3 configuration.
    • To store license keys which are parsed when provisioning additional FortiGate-VM instances in the event of auto scaling scale-out.
    • To store a license key and the FortiGate-VM config file to bootstrap the FortiGate-VM at initial boot-up. See Bootstrapping the FortiGate-VM at initial bootup using user data.
    • To store license keys which are parsed when provisioning A-P HA.
    Previous
    Next

    AWS services and components

    AWS services and components

    FortiGate-VM for AWS is an Elastic Compute Cloud (EC2) instance with an Elastic Block Store (EBS) volume attached. The following lists AWS services and components that you must understand when deploying FortiGate-VM for different purposes:

    Ordinary FortiGate-VM single instance deployment or FortiGate-native active-passive high availability

    Service/component

    Description

    Virtual private cloud (VPC)

    This is where the FortiGate-VM and protected VMs are situated and users control the network. The public-facing interface is routed to the Internet gateway, which is created within the VPC.

    EC2

    FortiGate-VM for AWS is an EC2 VM instance. Every instance has a unique instance ID.

    Subnets, route tables

    You must appropriately configure FortiGate-VM with subnets and route tables to handle traffic.

    Internet gateways

    The AWS gateway as a VPC component that allows communication between instances in your VPC and the Internet.

    Elastic IP address (EIP)

    At least one public IP address must be allocated to the FortiGate-VM to access and manage it over the Internet.

    Security groups

    AWS public-facing protection. Allow only necessary ports and protocols.

    AMI

    A special type of deployable image used on AWS. You can launch FortiGate-VM (BYOL) directly from the publicly available FortiGate AMI instead of using the marketplace. See Deploying from BYOL AMI.

    The on-demand AMI is launchable but does not allow you to properly boot up as it is not intended to be deployed from AMI.

    CloudFormation Templates (CFT)

    FortiGate instances can be deployed using CFTs where tailor-made resource instantiation is defined. Fortinet provides CFTs for the following use cases:

    • Deploying FortiGate-native A-P HA
    • Customer-required scenarios with particular topologies

    CFTs are available on GitHub.

    Fortinet-provided CFTs are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

    Additional or alternative HA using AWS mechanisms

    Service/component

    Description

    Auto Scaling

    Auto scaling can automatically scale out by instantiating additional FortiGate-VM instances at times of high workloads. See Deploying auto scaling on AWS.

    To run auto scaling, you must enable/subscribe to coexisting AWS services:

    • Route 53
    • API gateway
    • Load Balancer
    • CloudWatch
    • Lambda
    • SNS
    • DynamoDB
    • Simple Storage Services (S3) (BYOL only)

    These services are not always required for AWS auto scaling in general, but are predefined in Fortinet-provided Lambda scripts.

    Load Balancer

    Also called Elastic Load Balancer (ELB). A network load balancer automatically distributes traffic across multiple FortiGate-VM instances when configured properly. Topologies will be different depending on how you distribute incoming and outgoing traffic and cover AZs. There are two use cases to use LB with FortiGate-VM:

    Monitoring

    Service/component

    Description

    CloudWatch

    Monitoring service for various AWS resources. You can use CloudWatch in three scenarios with FortiGate-VM:

    • Monitor FortiGate-VM instance health and alert when needed.
    • Define auto scaling scale-out triggers to fire alarms
    • Monitor GuardDuty events

    You must subscribe to CloudWatch to use corresponding features.

    Related AWS services used as prerequisites for additional HA or extra features

    Service/component

    Description

    Lambda

    AWS Lambda lets you run certain scripts and codes without provisioning servers. Fortinet provides Lambda scripts for:

    • Running auto scaling
    • GuardDuty integration

    To use the scripts, you must subscribe to Lambda. Fortinet-provided Lambda scripts are not supported within the regular Fortinet technical support scope. Contact awssales@fortinet.com with questions.

    API Gateway

    It acts as a front door by providing a callback URL for the FortiGate-VM to send its API calls and process FortiGate-VM config-sync tasks to synchronize OS configuration across multiple FortiGate-VM instances at the time of auto scaling scale-out. It is required if the config-sync feature needs to be incorporated into auto scaling.

    DynamoDB

    A handy flexible database. Fortinet-provided scripts use DynamoDB to store information about varying states of auto scaling conditions.

    SNS

    Managed message service used to communicate between AWS components. Fortinet-provided scripts use SNS to deliver subscription notifications from CFTs to Lambda for auto scaling.

    GuardDuty

    Managed threat detection service that monitors unwanted behaviors/activities related to AWS resources. Fortinet can leverage externally available lists of malicious IP addresses stored at certain locations. GuardDuty can be used to populate such a list. See Populating threat feeds with GuardDuty. To use this feature, you must subscribe to GuardDuty.

    S3

    AWS storage. You can use S3 in four scenarios with FortiGate-VM:

    • As the location where the list of blocklisted IP addresses is stored which is pointed by the FortiGate-VM in integrating with GuardDuty. See Populating threat feeds with GuardDuty. You must allow the FortiGate-VM access to the S3 bucket/directory on S3 configuration.
    • To store license keys which are parsed when provisioning additional FortiGate-VM instances in the event of auto scaling scale-out.
    • To store a license key and the FortiGate-VM config file to bootstrap the FortiGate-VM at initial boot-up. See Bootstrapping the FortiGate-VM at initial bootup using user data.
    • To store license keys which are parsed when provisioning A-P HA.
    Previous
    Next