
User Guide

AWS

24.1.0

AWS

FortiMonitor offers native integration with AWS CloudWatch, enabling FortiMonitor to ingest your CloudWatch monitoring data. As well, FortiMonitor can perform automatic discovery and monitoring of instances within your AWS account. This is configurable by service type and region, and can also be fully customized using your AWS tags.

CloudWatch data should be used as an augmentation of, not a replacement for, the data obtained by the FortiMonitor server agent and external monitoring. The server agent can provide more detailed and accurate data across any OS distribution or application you may be running on your compute instance. As well, our external monitoring ensures you're getting the full picture of your current operating environment as well as a view into what your customers are experiencing.

Connecting FortiMonitor & CloudWatch

To grant FortiMonitor access to your CloudWatch data, you'll need to create an external account role within your AWS account that is tied to FortiMonitor's External AWS Account.

  1. From the navigation menu, click Add. The Infrastructure and Resource Catalog will be displayed.

  2. Select Amazon Web Services.

  3. Enter a name for the integration.

  4. Follow the on-page instructions to create an IAM Policy and Role for the external FortiMonitor account.

  5. Once you've obtained your ARN, select Verify Connection.

  6. Once your ARN has been validated, you can configure your monitoring settings.

    • Services: Select the AWS services you'd like to monitor. Select only the services you're actually using; every additional service consumes API calls from your CloudWatch quota.

    • Filter Instances by Tag: You can choose to only import instances that match the AWS tag filters you define.

    • Regions: Select only the regions you operate in; every additional region consumes API calls from your CloudWatch quota.

    • Options - Import Tags: Enabling tag import will pull in your AWS tags with your AWS instances. You have the option to import only the Value portion of the AWS tag or the entire AWS key-value pair as a single string tag.

    • Options - Import AWS tags as FortiMonitor Attributes: AWS tags will be imported as key-value pairs (attributes within FortiMonitor).

    • Options - Routinely scan for new instances: every 20 minutes, we'll look for new instances in your account and begin monitoring them, provided they meet your filter criteria. EC2 instances using the FortiMonitor agent can be monitored immediately if you install the agent on boot.

    • Options - Apply Monitoring Policies: Apply a monitoring policy to the imported AWS instances.

    • Options - Destination Group: any time instances are imported, they'll be placed in this group in the control panel. This is useful for setting default values, which are inherited from the parent group, and for applying default templates.

    • Options - Template: apply a Template to every instance that is imported.

  7. Click Complete Integration. We'll start pulling in your instances that meet your filter criteria and begin monitoring them.

API Limits and Throttling

By default, each AWS account gets 1M CloudWatch API calls per month for free. When FortiMonitor makes CloudWatch calls to obtain metrics (every 10 minutes), those calls count against your quota. Due to the highly decoupled design of the CloudWatch API, calls have to be made on a per-instance-per-metric basis, so API calls add up fast. We encourage you to use the FortiMonitor agent on EC2 instances, not only for the cost savings but also for the increased functionality and granularity. You can read more about it here.

Once you exceed 1M CloudWatch calls for the month, AWS will charge your account $10 per 1M calls. You can read more about their pricing here.

In certain large-scale scenarios, AWS could begin throttling API calls. We will begin backing off at that time. If you expect to use close to or the full 1M calls per month, we recommend reaching out to AWS to ask for a limit increase. If you'd like FortiMonitor to collect CloudWatch metrics more often than every 10 minutes, please contact our support team. You can also override this at the metric level by editing the metric. Check out Templates to do this in bulk.
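To make the "per-instance-per-metric" arithmetic concrete, here is an added capacity-planning example (not part of the Fortinet documentation or FortiMonitor itself) that estimates monthly CloudWatch call volume from a monitored inventory using the 10-minute interval, 1M free calls and $10 per 1M overage rate stated above. It assumes a 30-day month, pro-rated overage billing, and an 80% warning threshold for requesting a limit increase; the inventory counts are constructed sample values.

```python
from dataclasses import dataclass

FREE_CALLS_PER_MONTH = 1_000_000   # free tier as stated on this page
OVERAGE_USD_PER_MILLION = 10.0     # overage rate as stated on this page
DEFAULT_POLL_MINUTES = 10          # FortiMonitor's default collection interval
MINUTES_PER_MONTH = 30 * 24 * 60   # assumption: 30-day month


@dataclass
class ServiceInventory:
    """Instances of one AWS service left after your region and tag filters."""
    service: str
    instances: int
    metrics_per_instance: int


def polls_per_month(poll_minutes: int = DEFAULT_POLL_MINUTES) -> int:
    return MINUTES_PER_MONTH // poll_minutes


def monthly_calls(inventory, poll_minutes: int = DEFAULT_POLL_MINUTES) -> int:
    # CloudWatch is queried once per instance, per metric, per poll.
    calls_per_poll = sum(s.instances * s.metrics_per_instance for s in inventory)
    return calls_per_poll * polls_per_month(poll_minutes)


def estimate(inventory, poll_minutes: int = DEFAULT_POLL_MINUTES,
             warn_fraction: float = 0.8) -> dict:
    calls = monthly_calls(inventory, poll_minutes)
    overage_calls = max(0, calls - FREE_CALLS_PER_MONTH)
    # Assumption: overage is pro-rated at $10 per 1M calls.
    overage_usd = round(overage_calls / 1_000_000 * OVERAGE_USD_PER_MILLION, 2)
    return {
        "calls_per_month": calls,
        "free_tier_used": round(calls / FREE_CALLS_PER_MONTH, 3),
        "overage_calls": overage_calls,
        "estimated_overage_usd": overage_usd,
        # Near the cap: ask AWS for a limit increase before throttling starts.
        "request_limit_increase": calls >= warn_fraction * FREE_CALLS_PER_MONTH,
    }


if __name__ == "__main__":
    # Constructed sample inventory: 50 EC2 instances x 7 metrics, 5 RDS x 10 metrics.
    sample = [ServiceInventory("EC2", 50, 7), ServiceInventory("RDS", 5, 10)]
    print(estimate(sample))
    # Dropping an unneeded service (or region) from the integration cuts calls directly.
    print(estimate([ServiceInventory("RDS", 5, 10)]))
```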

Existing Monitoring

If you're running the agent (Linux version > 2017.40, Windows version > 18.34), EC2 metrics will be automatically added to your existing agent-based instances.

Example: if you have a Linux Virtual Machine instance you're already monitoring with the agent, and the agent version is > 2017.40, we won't create a second "EC2" instance with the CloudWatch connection; the new CloudWatch metrics will be added to your existing instance.

EC2 Incident Confirmation

If you're monitoring an EC2 instance with external checks, such as HTTP, HTTPS, or Ping, and we identify an incident, we'll first confirm with AWS that the instance still exists. If it was gracefully removed, we will not alert. If the instance was not removed gracefully, we will alert as normal.

AWS integrations

The following AWS integrations are supported (free or charged per instance):

Free

  • Amazon ASG

  • Amazon EBS

  • Amazon FSX

  • AWS Lambda

  • Amazon S3

  • Amazon SNS

  • Amazon SQS

  • AWS VPN

Paid

  • Amazon DynamoDB

  • Amazon RDS

  • Amazon RDS Cluster

  • AWS ELB

  • AWS ELBv2

  • Amazon Redshift

  • Amazon Elasticsearch Service

  • Amazon ElastiCache

  • Amazon EC2