Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiSandbox VM on AWS

    Home FortiSandbox Public Cloud 4.4.0 FortiSandbox VM on AWS
    4.4.0
    5.0.0
    4.4.0
    4.2.3
    4.2.1
    4.2.0
    4.0.0
    3.2.0
    3.1.0
    3.0.0

    Appendix C - Set up HA health check based on AWS Network Load Balancer in dual-zone

    Appendix C - Set up HA health check based on AWS Network Load Balancer in dual-zone

    Step 1: Create and configure your target group

    1. Open the Amazon EC2 console.

    2. In the navigation pane, under Load Balancing, choose Target Groups.

    3. Click Create target group and configure the group.

      Target typeChoose Instances.
      Target group nameEnter a name for the new target group
      Protocol

      Select TCP and for Port, select 514.

      If the health check needs to be created on Port 443:

      • Select TLS, and for Port, select 443.

      VPC

      Select the VPC that contains your instances.

      Health checks

      • For Health check protocol, choose TCP.

      • For Advanced health check settings, keep the default settings.

    4. Click Next.

    5. On the Register targets page, complete the following steps.

      Tooltip

      This is an optional step to create a target group. However, you must register your targets if you want to test your load balancer and ensure that it is routing traffic to your targets.

      1. For Available instances, select all FortiSandbox instances belonging to this HA Cluster.

      2. Verify the Ports for the selected instances is 514, or If the health check was created on Port 443, verify the Ports for the selected instances is 443

    6. Click Include as pending below, then click Create target group.

    Step 2: Create Network load balancer

    1. On the navigation bar, choose a Region for your load balancer. Be sure to choose the same Region that you used for your FortiSandbox instances
    2. In the navigation pane, under Load Balancing, choose Load Balancers.
    3. Choose Create load balancer and then select the Network Load Balancer.
    4. For Network Load Balancer, click Create.

    Step 3: Configure network load balancer and listener

    1. Configure the following settings:

      Load balancer nameEnter a name for your load balancer.
      Scheme and IP address typeKeep the default values.
      Network mapping
      1. Select the VPC that you used for your FortiSandbox instances.
      2. Select all Availability Zones that you deployed FortiSandbox instances on.
      3. Select the FortiSandbox port1 subnets under the selected Availability Zones.
      4. For the IPv4 address, keep the default settings.
      Listeners and routing
      1. For Protocol, choose TCP.

        • If the target group health check was created on Port 443, for Protocol, choose TLS.

      2. For Port, choose 514.

        • If the target group health check was created on Port 443, for Port, choose 443.

        • For Secure listener settings, refer to Health check on 443 Secure listener settings.

      3. For Default action, select the target group you created and registered previously
    2. Review your configuration, and click Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer

    Step 4: Test your load balancer on TCP Port 514

    1. After you are notified that your load balancer was created successfully, click Close.
    2. In the navigation pane, under Load Balancing, choose Target Groups.
    3. Select the newly created target group
    4. Choose Targets and verify that your instances are ready. If the status of an instance is initial, it is likely because the instance is still in the process of being registered, or it has not passed the minimum number of health checks to be considered healthy. After the status of at least one instance is healthy, you can test your load balancer.
    5. In the navigation pane, under Load Balancing, choose Load Balancers.
    6. Select the name of the newly created load balancer to open its details page.
    7. Copy the DNS name of the load balancer (for example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com).
    8. Telnet the DNS name. For example, telnet my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com 514

    Health check for 443 Secure listener settings

    To import certificate:

    1. Open the Amazon EC2 console.

    2. In the navigation pane, under AWS Certificate Manager (ACM), choose Import certificate.

    3. Follows the AWS import certificate steps and complete the certificate import.

    To configure network load balancer and listener on port 443
    1. Follow the steps in Create and configure your target group. Where applicable:

      • For Protocol select TCP/TLS.

      • For Port select 443.

    2. Follow steps 1-3 in Step 3: Configure network load balancer and listener.
    3. For Listeners and routing:
      1. For Protocol, choose TLS.
      2. For Port, choose 443.
      3. For Default action, select the target group you created and registered previously.
    4. For Secure listener settings:
      1. For Security policy, select the AWS recommended. For example, ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended).
      2. For Default SSL/TLS certificate, choose From ACM and select the imported certificate
      3. For ALPN policy, keep the default settings (None).
    5. Review your configuration, and click Create load balancer.
    To test your load balancer on TLS Port 443:

    1. Open the target group details page, wait all members status change to healthy.

    2. On the details page of newly created load balancer:

      1. Copy the DNS name of the load balancer.

      2. Paste the DNS name into the address field of an internet-connected web browser. If everything is working, the browser displays the default page of your server.

        For example, https://my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com

    Previous
    Next

    Appendix C - Set up HA health check based on AWS Network Load Balancer in dual-zone

    Appendix C - Set up HA health check based on AWS Network Load Balancer in dual-zone

    Step 1: Create and configure your target group

    1. Open the Amazon EC2 console.

    2. In the navigation pane, under Load Balancing, choose Target Groups.

    3. Click Create target group and configure the group.

      Target typeChoose Instances.
      Target group nameEnter a name for the new target group
      Protocol

      Select TCP and for Port, select 514.

      If the health check needs to be created on Port 443:

      • Select TLS, and for Port, select 443.

      VPC

      Select the VPC that contains your instances.

      Health checks

      • For Health check protocol, choose TCP.

      • For Advanced health check settings, keep the default settings.

    4. Click Next.

    5. On the Register targets page, complete the following steps.

      Tooltip

      This is an optional step to create a target group. However, you must register your targets if you want to test your load balancer and ensure that it is routing traffic to your targets.

      1. For Available instances, select all FortiSandbox instances belonging to this HA Cluster.

      2. Verify the Ports for the selected instances is 514, or If the health check was created on Port 443, verify the Ports for the selected instances is 443

    6. Click Include as pending below, then click Create target group.

    Step 2: Create Network load balancer

    1. On the navigation bar, choose a Region for your load balancer. Be sure to choose the same Region that you used for your FortiSandbox instances
    2. In the navigation pane, under Load Balancing, choose Load Balancers.
    3. Choose Create load balancer and then select the Network Load Balancer.
    4. For Network Load Balancer, click Create.

    Step 3: Configure network load balancer and listener

    1. Configure the following settings:

      Load balancer nameEnter a name for your load balancer.
      Scheme and IP address typeKeep the default values.
      Network mapping
      1. Select the VPC that you used for your FortiSandbox instances.
      2. Select all Availability Zones that you deployed FortiSandbox instances on.
      3. Select the FortiSandbox port1 subnets under the selected Availability Zones.
      4. For the IPv4 address, keep the default settings.
      Listeners and routing
      1. For Protocol, choose TCP.

        • If the target group health check was created on Port 443, for Protocol, choose TLS.

      2. For Port, choose 514.

        • If the target group health check was created on Port 443, for Port, choose 443.

        • For Secure listener settings, refer to Health check on 443 Secure listener settings.

      3. For Default action, select the target group you created and registered previously
    2. Review your configuration, and click Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer

    Step 4: Test your load balancer on TCP Port 514

    1. After you are notified that your load balancer was created successfully, click Close.
    2. In the navigation pane, under Load Balancing, choose Target Groups.
    3. Select the newly created target group
    4. Choose Targets and verify that your instances are ready. If the status of an instance is initial, it is likely because the instance is still in the process of being registered, or it has not passed the minimum number of health checks to be considered healthy. After the status of at least one instance is healthy, you can test your load balancer.
    5. In the navigation pane, under Load Balancing, choose Load Balancers.
    6. Select the name of the newly created load balancer to open its details page.
    7. Copy the DNS name of the load balancer (for example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com).
    8. Telnet the DNS name. For example, telnet my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com 514

    Health check for 443 Secure listener settings

    To import certificate:

    1. Open the Amazon EC2 console.

    2. In the navigation pane, under AWS Certificate Manager (ACM), choose Import certificate.

    3. Follows the AWS import certificate steps and complete the certificate import.

    To configure network load balancer and listener on port 443
    1. Follow the steps in Create and configure your target group. Where applicable:

      • For Protocol select TCP/TLS.

      • For Port select 443.

    2. Follow steps 1-3 in Step 3: Configure network load balancer and listener.
    3. For Listeners and routing:
      1. For Protocol, choose TLS.
      2. For Port, choose 443.
      3. For Default action, select the target group you created and registered previously.
    4. For Secure listener settings:
      1. For Security policy, select the AWS recommended. For example, ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended).
      2. For Default SSL/TLS certificate, choose From ACM and select the imported certificate
      3. For ALPN policy, keep the default settings (None).
    5. Review your configuration, and click Create load balancer.
    To test your load balancer on TLS Port 443:

    1. Open the target group details page, wait all members status change to healthy.

    2. On the details page of newly created load balancer:

      1. Copy the DNS name of the load balancer.

      2. Paste the DNS name into the address field of an internet-connected web browser. If everything is working, the browser displays the default page of your server.

        For example, https://my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com

    Previous
    Next