Fortinet Document Library
Version: 6.3.7

Creating Security Group

A security group is a set of firewall rules that control the traffic for your VM instances. Amazon by default has your VPC behind a basic firewall: when you create a VPC, a default Security Group protects the instances in it. It's recommended to create a custom security group and then add inbound rules so that traffic is allowed on the specified ports.

To Create a Security Group:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups.
  3. Choose Create Security Group.
  4. Enter a name for the security group (for example, FWB-group) and provide a description. Select the ID of your VPC from the VPC menu and choose Yes, Create.

To add inbound rules:

  1. Select the security group you have created.
  2. On the Inbound Rules tab, choose Edit. Click Add another rule. In the Type menu, choose Custom TCP Rule. Fill in the form, then click Save to save the rules.
    In order for FortiWeb-VM to connect and run properly, it's recommended to add the following inbound rules.
    Set the Protocol and Port range as shown in the table; set the source as 0.0.0.0/0 or ::/0 to allow access to the specified ports from all IPv4 or IPv6 addresses.

    Protocol  Port range  Purpose
    TCP       80          Allow inbound HTTP web traffic access from all IPv4 and IPv6 addresses. It's required to add this rule and set the port range as 80.
    TCP       443         Allow inbound HTTPS web traffic access from all IPv4 and IPv6 addresses. It's required to add this rule and set the port range as 443.
    TCP       995         Allow inbound configuration synchronization requests sent by the peer/remote FortiWeb-VM from all IPv4 and IPv6 addresses. Add this rule if you want to use the Config Synchronization feature of FortiWeb. The port range should be set as 995.
    TCP       22          Allow inbound SSH access from all IPv4 and IPv6 addresses. Add this rule if you want to access FortiWeb-VM through the CLI. You can set the port range according to your own needs.
    TCP       90          Allow inbound access requests sent by FortiWeb Manager from all IPv4 and IPv6 addresses. Add this rule only if you use FortiWeb Manager to manage your FortiWeb-VMs. The port range should be set as 90.
    TCP       8080        Allow inbound HTTP access to the FortiWeb GUI from all IPv4 and IPv6 addresses. Add this rule if you want to access FortiWeb-VM through the GUI. You can set the port range according to your own needs. HTTP access to FortiWeb's GUI is automatically redirected to HTTPS, so you can't allow HTTP alone; it must be allowed along with the HTTPS GUI rule.
    TCP       8443        Allow inbound HTTPS access to the FortiWeb GUI from all IPv4 and IPv6 addresses. Add this rule if you want to access FortiWeb-VM through the GUI. You can set the port range according to your own needs.

In addition to the ports listed above, FortiWeb uses other ports for incoming traffic (listening) depending on different purposes. See Appendix A: Port numbers for more information.
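The console steps above map directly onto the IpPermissions structure that the EC2 API (for example boto3's ec2.authorize_security_group_ingress) takes. The following is an added example, not Fortinet's code or part of this document: it builds that structure from the rule table above, and audits a proposed rule set for the two things that go wrong most often in practice, a missing required rule (80/443), and the HTTP GUI rule (8080) added without the HTTPS GUI rule (8443) that the redirect depends on. It also flags management ports (22, 90, 8080, 8443) that are open to all addresses; the document tells you to use 0.0.0.0/0 and ::/0, while restricting those ports to an administrator source range is this example's own recommendation. The ADMIN_CIDR value is a placeholder from the RFC 5737 documentation range, and the MANAGEMENT_PORTS set is an assumption of this example.

```python
"""Build and sanity-check the FortiWeb-VM inbound rule set for an AWS security group.

Constructed example: the rule table mirrors the one in the document above.
ADMIN_CIDR is a placeholder (RFC 5737 documentation range), not a value from
the page. Applying the result requires boto3, e.g.:
    ec2.authorize_security_group_ingress(GroupId="sg-PLACEHOLDER", IpPermissions=perms)
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
ADMIN_CIDR = "203.0.113.0/24"  # placeholder administrator source range

# (port, purpose, required) as given in the document's table.
FORTIWEB_RULES = [
    (80,   "HTTP web traffic",                                 True),
    (443,  "HTTPS web traffic",                                True),
    (995,  "Config Synchronization from the peer FortiWeb-VM", False),
    (22,   "SSH access to the CLI",                            False),
    (90,   "FortiWeb Manager",                                 False),
    (8080, "HTTP access to the GUI (redirects to HTTPS)",      False),
    (8443, "HTTPS access to the GUI",                          False),
]

# Assumption of this example: ports used to administer the appliance rather
# than to serve protected web traffic.
MANAGEMENT_PORTS = {22, 90, 8080, 8443}


def build_ip_permissions(ports, admin_cidr=None):
    """Return the IpPermissions list for the given TCP ports.

    Each entry is one Custom TCP Rule covering a single port. Web-traffic ports
    are opened to all IPv4 and IPv6 addresses as the document describes; when
    admin_cidr is given, management ports are restricted to it instead.
    """
    purposes = {port: purpose for port, purpose, _ in FORTIWEB_RULES}
    perms = []
    for port in ports:
        desc = purposes.get(port, "custom rule")
        entry = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
        if admin_cidr and port in MANAGEMENT_PORTS:
            # An IPv6 CIDR contains ':' and goes in Ipv6Ranges instead.
            if ":" in admin_cidr:
                entry["IpRanges"] = []
                entry["Ipv6Ranges"] = [{"CidrIpv6": admin_cidr, "Description": desc}]
            else:
                entry["IpRanges"] = [{"CidrIp": admin_cidr, "Description": desc}]
        else:
            entry["IpRanges"] = [{"CidrIp": ANY_V4, "Description": desc}]
            entry["Ipv6Ranges"] = [{"CidrIpv6": ANY_V6, "Description": desc}]
        perms.append(entry)
    return perms


def audit(perms):
    """Return a list of findings (empty list means the rule set looks consistent)."""
    findings = []
    by_port = {p["FromPort"]: p for p in perms if p["IpProtocol"] == "tcp"}

    for port, purpose, required in FORTIWEB_RULES:
        if required and port not in by_port:
            findings.append(f"missing required rule: TCP {port} ({purpose})")

    # The GUI's HTTP listener only redirects to HTTPS, so 8080 without 8443 is dead.
    if 8080 in by_port and 8443 not in by_port:
        findings.append("TCP 8080 allowed without TCP 8443: GUI HTTP redirects to HTTPS")

    for port, p in by_port.items():
        wide = any(r.get("CidrIp") == ANY_V4 for r in p.get("IpRanges", [])) or \
               any(r.get("CidrIpv6") == ANY_V6 for r in p.get("Ipv6Ranges", []))
        if port in MANAGEMENT_PORTS and wide:
            findings.append(
                f"TCP {port} management port open to all addresses; consider restricting the source"
            )
    return findings


if __name__ == "__main__":
    perms = build_ip_permissions([80, 443, 22, 8080, 8443], admin_cidr=ADMIN_CIDR)
    for finding in audit(perms) or ["no findings"]:
        print(finding)
```

Run it as-is to see the audit of a rule set that restricts the management ports; drop the admin_cidr argument to reproduce the document's all-addresses configuration and see which ports the audit flags. The output of build_ip_permissions can be passed unchanged as the IpPermissions parameter of the EC2 API call.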
