Fortinet white logo
Fortinet white logo

Cookbook

Bootstrapping a FortiGate-AWS

Bootstrapping a FortiGate-AWS

If you are installing and configuring your applications on Amazon Elastic Compute Cloud (EC2) dynamically at instance launch time, you will typically need to pull and install packages, deploy files, and ensure services are started. This bootstrapping instruction helps simplify, automate, and centralize FortiGate next-generation firewall deployment directly from the configuration scripts stored in AWS Simple Storage Services (S3).

1. Storing configuration and license information

On the AWS console, create an Amazon S3 bucket at the root level for the bootstrap files. If the folder is nested, bootstraping will fail because you cannot specify a path to the files.

2. Setting up IAM roles

IAM roles need S3 bucket read access. In this example, you are applying the existing policy AmazonS3ReadOnlyAccess to the role by adding the following code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

If you need further instructions, please refer to the AWS documentation on IAM Roles for Amazon EC2.

3. Creating S3 buckets with license and firewall configurations

Upload the license file and configuration file(s) to the S3 bucket. In this example, one license file and two configuration files are uploaded.

Amazon S3 creates bucket in a region you specify. You can choose any AWS Region that is geographically close to you to optimize latency, minimize costs, or address regulatory requirements. To choose a region, use the following code:

{
    "bucket" : "confftnt",
    "region" : "us-west-2",
    "license" : "/FGVM080000066848.lic",
    "config" : "/configfirewall.conf",
}

Although the S3 bucket and the firewall can be in different regions, it is highly recommended that they are in the same region in order to speed up the bootstrapping process.

4. Launching the instance using roles and user data

Follow the normal procedure to launch the instance from the AWS marketplace.

When selecting the VPC subnet, the instance needs to be with the role that was created and must specify the information about the license file and configuration file from the AWS S3 bucket previously configured under Advanced Settings.

5. Result

After the instance is launched, check the FortiGate’s System Information widget and verify that the settings and the license information are correct.

For more information on how to bootstrap the FortiGate firewall with configuration and license files within the S3 bucket, please email aws@fortinet.com.

Bootstrapping a FortiGate-AWS

Bootstrapping a FortiGate-AWS

If you are installing and configuring your applications on Amazon Elastic Compute Cloud (EC2) dynamically at instance launch time, you will typically need to pull and install packages, deploy files, and ensure services are started. This bootstrapping instruction helps simplify, automate, and centralize FortiGate next-generation firewall deployment directly from the configuration scripts stored in AWS Simple Storage Services (S3).

1. Storing configuration and license information

On the AWS console, create an Amazon S3 bucket at the root level for the bootstrap files. If the folder is nested, bootstraping will fail because you cannot specify a path to the files.

2. Setting up IAM roles

IAM roles need S3 bucket read access. In this example, you are applying the existing policy AmazonS3ReadOnlyAccess to the role by adding the following code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

If you need further instructions, please refer to the AWS documentation on IAM Roles for Amazon EC2.

3. Creating S3 buckets with license and firewall configurations

Upload the license file and configuration file(s) to the S3 bucket. In this example, one license file and two configuration files are uploaded.

Amazon S3 creates bucket in a region you specify. You can choose any AWS Region that is geographically close to you to optimize latency, minimize costs, or address regulatory requirements. To choose a region, use the following code:

{
    "bucket" : "confftnt",
    "region" : "us-west-2",
    "license" : "/FGVM080000066848.lic",
    "config" : "/configfirewall.conf",
}

Although the S3 bucket and the firewall can be in different regions, it is highly recommended that they are in the same region in order to speed up the bootstrapping process.

4. Launching the instance using roles and user data

Follow the normal procedure to launch the instance from the AWS marketplace.

When selecting the VPC subnet, the instance needs to be with the role that was created and must specify the information about the license file and configuration file from the AWS S3 bucket previously configured under Advanced Settings.

5. Result

After the instance is launched, check the FortiGate’s System Information widget and verify that the settings and the license information are correct.

For more information on how to bootstrap the FortiGate firewall with configuration and license files within the S3 bucket, please email aws@fortinet.com.