Prepare the AWS environment
Before deploying a FortiSandbox instance, some basic steps are required to set up and run the AWS environment.
Start by logging into the AWS management console with a user account that has enough privileges to create a new Virtual Private Cloud (VPC).
Set up the basic AWS environment for FortiSandbox
Create a Virtual Private Cloud (VPC)
- Go to VPC Dashboard > Your VPCs and click Create VPC.
Create a new VPC even though there is a default VPC.
- Enter the following information, then click Create VPC.
Create network subnets for FortiSandbox instance
On AWS, FortiSandbox reserves Port1 (or any other administrative port set through the CLI command set admin-port) for device management, and reserves Port2 for communication with local Windows VM or Linux clones. The other ports are used for file inputs from client devices and for inter-communication among cluster nodes. Each port should be on its own dedicated subnet.
In a regular setup, these two subnets should be created:
- Management subnet on which FortiSandbox management interface listens. Client devices can also connect to this subnet to submit files. We will use IPv4 CIDR 10.0.0.0/24 as an example in the following sections.
- Local VM clones communication subnet which FortiSandbox instances use to communicate with local Windows or Linux clones. If you choose to use Windows cloud clones located in Fortinet Data Center, this subnet is not required. We will use IPv4 CIDR 10.0.1.0/24 as an example in the following sections.
If needed, you can create more subnets, for example for client devices to submit files, for inter-communication between HA cluster nodes, or as a dedicated internet access subnet for installed customized VMs.
To create a subnet:
- Click Subnets > Create Subnet.
- In the Create Subnet dialog box, enter the following information, then click Create subnet.
- For Name tag, enter a meaningful name. For example, Public_FortiSandbox.
- For VPC, select the VPC you just created.
- For IPv4 CIDR block, enter a valid block such as 10.0.0.0/24.
Create an internet gateway
If the VPC needs to communicate with the Internet, for example so that the FortiSandbox instance can get FortiGuard updates from Fortinet, or so that the FortiSandbox instance can be accessed from the Internet, an Internet gateway is needed.
To create an Internet gateway:
- Under Virtual Private Cloud > Internet Gateways, click Create Internet Gateway.
- For Name tag, enter a name. For example, vpc-gw and click Create internet gateway.
- When the Internet Gateway is created, click Attach to VPC.
- Select the VPC and click Attach internet gateway.
Create a NAT gateway
A NAT gateway is used by instances in a private subnet to communicate with the internet. A NAT gateway is required if you need to install a customized VM in AWS.
To create a NAT gateway:
- In the left navigation pane, under Virtual private cloud > NAT gateways, click Create NAT gateway.
- In the NAT gateway settings window, enter the following information, then click Create NAT gateway.
- For Name, enter a name that will allow you to easily recognize the object type.
- For Subnet, select the public subnet you created.
- For Connectivity type, select Public.
- For Elastic IP allocation ID, select an existing available EIP or click Allocate Elastic IP to allocate a new one.
Create two route tables
Appropriate route table entries are needed for the FortiSandbox instance to communicate with other network entities.
To create route table and entries:
- Under Virtual Private Cloud > Route Tables, click Create Route Table.
- In the Create Route Table dialog box, enter the following information, then click Create route table.
- For Name tag, enter a name. For example, route_FortiSandboxTest.
- For VPC, select the VPC you created.
- Go to Subnet Associations > Edit subnet associations, select the management subnet you created, then click Save associations.
- After the route table is created, you can add static route entries to define how the FortiSandbox instance communicates with other networks. For example, to access the FortiSandbox instance from the Internet:
Go to Routes > Add Route, enter the following information, then click Save changes.
- For Destination, enter 0.0.0.0/0.
- For Target, select the internet gateway for the management subnet you created.
- Create a second route table:
- Repeat steps 1-4 to create a second route table, and associate all the private subnets to it.
- Go to Routes > Add Route. Enter the following information, and click Save changes.
- For Destination, enter 0.0.0.0/0.
- For Target, select the NAT gateway for the private subnet you created.
Create two security groups
It's important to allow only valid network traffic to and from FortiSandbox instances. To do that, you need to create security groups and security rules for that traffic.
- Under Virtual Private Cloud > Security Groups, click Create security group.
- Enter the following information for the Basic details settings.
- For Security group name, enter a name.
- For Description, enter a description.
- For VPC, select the VPC you just created.
- Add the following Inbound rules:
- For Type, select Custom TCP.
- For Protocol, select TCP.
- For Port Range, allow the following ports to be accessible:
- 443 (HTTPS)
- 22 (if SSH access is needed)
- 514 (if Fortinet Fabric devices such as FortiGate and FortiMail need to submit jobs)
- 9833 (for on-demand interactive scans)
- 21 (FortiSandbox hardcoded port2 to communicate with custom VM clones via FTP)
More rules can be added. For example, you can add a rule to allow access to FortiSandbox's MTA adapter. For more port information, see the Port Information section of the FortiSandbox Administration Guide.
- For Source, select Custom. For the source IP, enter a trusted IP range that can access the FortiSandbox instance.
- Allow all traffic for outbound rules, then click Create security group.
- Follow steps 1-4 to create a second security group for your private subnet. You can set both inbound and outbound rules to allow all traffic.
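The subnet, route table and security group steps above together encode a small set of invariants: each FortiSandbox port on its own non-overlapping subnet inside the VPC, a default route to the internet gateway only for the public management subnet and to the NAT gateway for private subnets, and management ingress limited to the documented TCP ports from a trusted source range. The following Python script is an added example, not Fortinet's code and not part of this guide; it audits a plan written as plain dicts in the shape the AWS CLI and boto3 describe calls return, so the same checks can be pointed at a live account later. The sample plans, the 203.0.113.0/24 admin range and the igw-/nat- identifiers are constructed placeholders.

```python
"""Pre-deployment audit of a FortiSandbox-on-AWS network plan.
Added example, not Fortinet's code. The plan is a plain dict in the shape the
AWS CLI / boto3 describe-* calls return; the inputs below are constructed.
"""
import ipaddress

# Inbound TCP ports this guide lists for the management security group.
MANAGEMENT_PORTS = {443, 22, 514, 9833, 21}
ANY_IPV4 = "0.0.0.0/0"


def check_subnets(vpc_cidr, subnets):
    """Each subnet must lie inside the VPC CIDR and no two may overlap
    (every FortiSandbox port gets a dedicated subnet). subnets: {name: cidr}."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"subnet {name} {net} lies outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    return findings


def check_routes(route_tables, public_subnets):
    """Public subnets default-route to an internet gateway; private subnets
    to a NAT gateway. route_tables: [{"subnets": [...], "default_target": id}]"""
    findings = []
    for table in route_tables:
        target = table["default_target"]
        for subnet in table["subnets"]:
            if subnet in public_subnets and not target.startswith("igw-"):
                findings.append(f"public subnet {subnet} default-routes to {target}, expected an internet gateway")
            if subnet not in public_subnets and not target.startswith("nat-"):
                findings.append(f"private subnet {subnet} default-routes to {target}, expected a NAT gateway")
    return findings


def check_management_ingress(ip_permissions):
    """Management security group inbound rules: TCP only, documented ports only,
    never sourced from the whole Internet. ip_permissions: IpPermissions list."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        scope = "all ports" if lo is None else f"ports {lo}-{hi}"
        if proto == "-1":  # AWS encodes "all protocols" as -1 (no port range)
            findings.append("rule allows all protocols; restrict it to TCP on the documented ports")
        elif proto != "tcp":
            findings.append(f"rule allows protocol {proto}; FortiSandbox management ports are TCP")
        elif lo is not None:
            unexpected = sorted(set(range(lo, hi + 1)) - MANAGEMENT_PORTS)
            if unexpected:
                findings.append(f"rule exposes undocumented port(s) {unexpected}")
        for ip_range in perm.get("IpRanges", []):
            if ip_range.get("CidrIp") == ANY_IPV4:
                findings.append(f"{scope} open to {ANY_IPV4}; use a trusted source range instead")
    return findings


def audit_plan(plan):
    """Run every check and return the combined findings (empty list == clean)."""
    return (check_subnets(plan["vpc_cidr"], plan["subnets"])
            + check_routes(plan["route_tables"], plan["public_subnets"])
            + check_management_ingress(plan["management_sg_ingress"]))


# Constructed sample plans following the guide's example addressing. 203.0.113.0/24
# (TEST-NET-3) stands in for the trusted admin range; igw-/nat- ids are placeholders.
TRUSTED = [{"CidrIp": "203.0.113.0/24"}]
GOOD_PLAN = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {"management": "10.0.0.0/24", "vm_clones": "10.0.1.0/24"},
    "public_subnets": {"management"},
    "route_tables": [
        {"subnets": ["management"], "default_target": "igw-PLACEHOLDER"},
        {"subnets": ["vm_clones"], "default_target": "nat-PLACEHOLDER"},
    ],
    "management_sg_ingress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": TRUSTED},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": TRUSTED},
    ],
}
# Same VPC with the mistakes the steps in this guide are meant to prevent.
WEAK_PLAN = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {"management": "10.0.0.0/24", "vm_clones": "10.0.0.128/25"},
    "public_subnets": {"management"},
    "route_tables": [
        {"subnets": ["management", "vm_clones"], "default_target": "igw-PLACEHOLDER"},
    ],
    "management_sg_ingress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": ANY_IPV4}]},
    ],
}
```

Running audit_plan(GOOD_PLAN) returns an empty list; audit_plan(WEAK_PLAN) returns six findings: the overlapping clone subnet, the private subnet routed through the internet gateway, the all-protocols rule, an undocumented port, and the two rules open to 0.0.0.0/0. Keeping the checks in the describe-* shape means a live account can be audited by feeding the CLI output into the same functions.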