FortiSandbox VM on AWS

Prepare the AWS environment

Prepare the AWS environment

Before deploying a FortiSandbox instance, some basic steps are required to set up and run the AWS environment.

Start by logging into the AWS management console with a user account that has enough privileges to create a new Virtual Private Cloud (VPC).

Set up the basic AWS environment for FortiSandbox

Create a Virtual Private Cloud (VPC)

  1. Go to VPC Dashboard > Your VPCs and click Create VPC.

    Note: Create a new VPC even though there is a default VPC.

  2. Enter the following information, then click Create VPC.

    • For Name tag, enter a name. For example, FortiSandbox.
    • For IPv4 CIDR block, enter a subnet such as 10.0.0.0/16 that will cover the IP ranges this VPC will use.
    • For IPv6 CIDR block, enter a valid IPv6 CIDR block that will cover the IP ranges this VPC will use, or select No IPv6 CIDR Block if IPv6 addresses are not used.
    • For Tenancy, select Default.

Create network subnets for FortiSandbox instance

On AWS, FortiSandbox reserves Port1 (or any other administrative port set through the CLI command set-admin-port) for device management, and reserves Port2 for communication with local Windows VM or Linux clones. The other ports are used for file inputs from client devices and inter-communication among cluster nodes. Each port should be on its own dedicated subnet.

In a regular setup, these two subnets should be created:

  • Management subnet, on which the FortiSandbox management interface listens. Client devices can also connect to this subnet to submit files. We will use IPv4 CIDR 10.0.0.0/24 as an example in the following sections.
  • Local VM clone communication subnet, which FortiSandbox instances use to communicate with local Windows or Linux clones. If you choose to use Windows cloud clones located in the Fortinet Data Center, this subnet is not required. We will use IPv4 CIDR 10.0.1.0/24 as an example in the following sections.

If needed, you can create more subnets, for example for client devices to submit files, or for inter-communication between HA cluster nodes.

To create a subnet:
  1. Click Subnets > Create Subnet.
  2. In the Create Subnet dialog box, enter the following information, then click Create subnet.
    • For Name tag, enter a meaningful name. For example, Public_FortiSandbox.
    • For VPC, select the VPC you just created.
    • For IPv4 CIDR block, enter a valid block such as 10.0.0.0/24.

Create an internet gateway

If the VPC needs to communicate with the Internet, for example for the FortiSandbox instance to get FortiGuard updates from Fortinet, or to access the FortiSandbox instance from the Internet, an Internet gateway is needed.

To create an Internet gateway:
  1. Under Virtual Private Cloud > Internet Gateways, click Create Internet Gateway.
  2. For Name tag, enter a name. For example, vpc-gw and click Create internet gateway.

  3. When the Internet Gateway is created, click Attach to VPC.

  4. Select the VPC and click Attach internet gateway.

Create a route table

Appropriate route table entries are needed for the FortiSandbox instance to communicate with other network entities.

To create a route table and entries:
  1. Under Virtual Private Cloud > Route Tables, click Create Route Table.

  2. In the Create Route Table dialog box, enter the following information, then click Create route table.
    • For Name tag, enter a name. For example, route_FortiSandboxTest.
    • For VPC, select the VPC you created.

  3. Go to Subnet Associations > Edit subnet associations, select the management subnet you created, then click Save associations.

  4. After the route table is created, you can add static route entries to define how the FortiSandbox instance communicates with other networks. For example, to access the FortiSandbox instance from the Internet:

    Go to Routes > Add Route, enter the following information, then click Save changes.

    • For Destination, enter 0.0.0.0/0.
    • For Target, select the internet gateway for the management subnet you created.

Create a security group

It's important to allow only valid network traffic to and from the FortiSandbox instance. To do that, you will need to create security groups and security rules for that traffic.

  1. Under Virtual Private Cloud > Security Groups, click Create security group.
  2. Enter the following information for the Basic details settings.
    • For Security group name, enter a name.
    • For Description, enter a description.
    • For VPC, select the VPC you just created.

  3. Add the following Inbound rules:

    Type: Custom TCP
    Protocol: TCP
    Port Range: Allow the following ports to be accessible:
    • 443 (HTTPS)
    • 22 (if SSH access is needed)
    • 514 (if Fortinet Fabric devices such as FortiGate and FortiMail need to submit jobs)
    • 9833 (for on-demand interactive scans)
    • 21 (FortiSandbox hardcoded port2 to communicate with custom VM clones via FTP)

    More rules can be added. For example, you can add a rule to allow access to FortiSandbox's MTA adapter. For more port information, see the Port Information section of the FortiSandbox Administration Guide.

    Source: Custom. For the Source IP, enter a trusted IP range that can access the FortiSandbox instance.

  4. Allow all traffic for outbound rules, then click Create security group.
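The whole environment described above (VPC, the two subnets, Internet gateway, route table for the management subnet, and the security group) can be expressed as infrastructure-as-code so that it is reviewable and repeatable. The following Terraform configuration is an added example, not Fortinet's own code or part of this guide; it uses the CIDR blocks and names from the steps above, while the resource names, the fortisandbox-sg security group name, the trusted_cidr variable and the use of the AWS provider 5.x are assumptions. It also makes two choices the page leaves to the administrator: the clone subnet is left without an Internet route (it keeps only the VPC-local route from the main route table, since only the management subnet is associated with the gateway route table), and the FTP port 21 rule admits only the clone subnet rather than the administrative trusted range.

```hcl
# Added example: FortiSandbox AWS network environment as Terraform.
# Assumes AWS provider 5.x; names and the trusted_cidr variable are assumptions.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = var.region
}

variable "region" {
  type    = string
  default = "us-east-1" # assumption; pick the region you deploy into
}

# Trusted source range for management, submission and scan ports.
# The validation refuses a world-open range so the management interface
# is never exposed to 0.0.0.0/0 by accident.
variable "trusted_cidr" {
  description = "IPv4 range allowed to reach the FortiSandbox management interface"
  type        = string
  validation {
    condition     = can(cidrhost(var.trusted_cidr, 0)) && var.trusted_cidr != "0.0.0.0/0"
    error_message = "trusted_cidr must be a valid IPv4 CIDR and must not be 0.0.0.0/0."
  }
}

# VPC: 10.0.0.0/16, default tenancy (step "Create a Virtual Private Cloud").
resource "aws_vpc" "fsa" {
  cidr_block       = "10.0.0.0/16"
  instance_tenancy = "default"
  tags             = { Name = "FortiSandbox" }
}

# Management subnet (Port1) and local VM clone subnet (Port2), each dedicated.
resource "aws_subnet" "mgmt" {
  vpc_id     = aws_vpc.fsa.id
  cidr_block = "10.0.0.0/24"
  tags       = { Name = "Public_FortiSandbox" }
}

resource "aws_subnet" "clones" {
  vpc_id     = aws_vpc.fsa.id
  cidr_block = "10.0.1.0/24"
  tags       = { Name = "Clones_FortiSandbox" } # assumed name
}

# Internet gateway so the instance can reach FortiGuard and be reached by admins.
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.fsa.id
  tags   = { Name = "vpc-gw" }
}

# Route table with a default route to the gateway, associated with the
# management subnet only; the clone subnet keeps the VPC-local route.
resource "aws_route_table" "mgmt" {
  vpc_id = aws_vpc.fsa.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
  tags = { Name = "route_FortiSandboxTest" }
}

resource "aws_route_table_association" "mgmt" {
  subnet_id      = aws_subnet.mgmt.id
  route_table_id = aws_route_table.mgmt.id
}

# Inbound TCP ports from the page, each limited to the trusted range.
locals {
  trusted_tcp_ports = {
    "443"  = "HTTPS management and file submission"
    "22"   = "SSH, only if CLI access is needed"
    "514"  = "Job submission from Fortinet Fabric devices (FortiGate, FortiMail)"
    "9833" = "On-demand interactive scans"
  }
}

resource "aws_security_group" "fsa" {
  name        = "fortisandbox-sg" # assumed name
  description = "Allow only required inbound traffic to FortiSandbox"
  vpc_id      = aws_vpc.fsa.id
}

resource "aws_vpc_security_group_ingress_rule" "trusted_tcp" {
  for_each          = local.trusted_tcp_ports
  security_group_id = aws_security_group.fsa.id
  description       = each.value
  ip_protocol       = "tcp"
  from_port         = tonumber(each.key)
  to_port           = tonumber(each.key)
  cidr_ipv4         = var.trusted_cidr
}

# Port 21: FTP from custom VM clones on Port2, so only the clone subnet is allowed.
resource "aws_vpc_security_group_ingress_rule" "clone_ftp" {
  security_group_id = aws_security_group.fsa.id
  description       = "FTP from local VM clones to FortiSandbox port2"
  ip_protocol       = "tcp"
  from_port         = 21
  to_port           = 21
  cidr_ipv4         = aws_subnet.clones.cidr_block
}

# Outbound: all traffic allowed, as in step 4.
resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.fsa.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
```

Run it with `terraform init`, then `terraform plan -var 'trusted_cidr=203.0.113.0/24'` (a documentation-range placeholder; substitute your own administrative range) to review the resources before `terraform apply`. Passing `0.0.0.0/0` as trusted_cidr fails at plan time because of the variable validation, which is the check most worth keeping when the management port of a file-analysis appliance is being exposed through an Internet gateway.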
