Fortinet Document Library

Version: 6.0.0

Parameters when deploying into an existing VPC

Network configuration

| Parameter label (name) | Default | Description |
|---|---|---|
| VPC ID (VpcId) | Requires input | The existing VPC ID where you deploy the Auto Scaling group and related resources. The VPC must have the DNS hostnames option enabled. |
| VPC CIDR (VPCCIDR) | Requires input | The CIDR block of the selected VPC. |
| FortiGate subnet 1 (PublicSubnet1) | Requires input | Public (DMZ) subnet 1, located in AZ 1. |
| FortiGate subnet 2 (PublicSubnet2) | Requires input | Public (DMZ) subnet 2, located in AZ 2. |
| Protected subnet 1 (PrivateSubnet1) | Requires input | Private subnet, located in AZ 1. |
| Protected subnet 2 (PrivateSubnet2) | Requires input | Private subnet, located in AZ 2. |
| Route table 1 ID (PrivateSubnet1RouteTable) | Requires input | ID of the route table associated with private subnet 1. |
| Route table 2 ID (PrivateSubnet2RouteTable) | Requires input | ID of the route table associated with private subnet 2. |

FortiGate-VM configuration

| Parameter label (name) | Default | Description |
|---|---|---|
| Resource name prefix (CustomIdentifier) | fgtASG | A custom identifier used as a resource name prefix. Must contain uppercase letters, lowercase letters, and numbers. Maximum length is 10. |
| Instance type (FortiGateInstanceType) | c5.large | Instance type to launch as FortiGate On-Demand (PAYG) instances. t2.small and compute-optimized instances such as c4 and c5 are available with different vCPU sizes and bandwidths. For more information about instance types, see Instance Types. |
| FortiGate PSK secret (FortiGatePskSecret) | Requires input | A secret key the FortiGate-VM instances use to communicate securely with each other. Must contain numbers and letters. Maximum length is 128. Note: changes to the PSK secret after FortiGate Autoscale for AWS has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable must be updated manually. |
| Admin port (FortiGateAdminPort) | 8443 | Port number for FortiGate-VM administration. Minimum is 1. Maximum is 65535. Do not use the FortiGate reserved ports 443, 541, 514, or 703. |
| Admin CIDR block (FortiGateAdminCidr) | Requires input | CIDR block for external admin management access. Warning: 0.0.0.0/0 accepts connections from any IP address. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses. |
| Key pair name (KeyPairName) | Requires input | Amazon EC2 key pair for admin access. |

FortiGate-VM Auto Scaling group configuration

| Parameter label (name) | Default | Description |
|---|---|---|
| Instance lifecycle expiry (ExpireLifecycleEntry) | 400 | FortiGate-VM instance lifecycle expiry entry (in seconds). This is the time between the FortiGate-VM instance launching and when it sends its first request to the callback endpoint. Minimum is 60. Maximum is 3600. |
| Desired capacity (FortiGateAsgDesiredCapacity) | 2 | The number of FortiGate-VM instances the Auto Scaling group should have at any time. For High Availability, ensure at least 2 FortiGates are in the group. Minimum is 2. |
| Minimum group size (FortiGateAsgMinSize) | 2 | Minimum number of FortiGate-VM instances in the Auto Scaling group. Minimum is 2. |
| Maximum group size (FortiGateAsgMaxSize) | 4 | Maximum number of FortiGate-VM instances in the Auto Scaling group. Minimum is 2. |
| Health check grace period (FortiGateAsgHealthCheckGracePeriod) | 300 | The length of time (in seconds) that Auto Scaling waits before checking an instance's health status. Minimum is 60. |
| Scaling cool down period (FortiGateAsgCooldown) | 300 | The Auto Scaling group waits for the cool down period (in seconds) to complete before resuming scaling activities. Minimum is 60. Maximum is 3600. |
| Scale-out threshold (FortiGateAsgScaleOutThreshold) | 80 | The threshold (in percent) at which the FortiGate-VM Auto Scaling group scales out (adds) 1 instance. Minimum is 1. Maximum is 100. |
| Scale-in threshold (FortiGateAsgScaleInThreshold) | 25 | The threshold (in percent) at which the FortiGate-VM Auto Scaling group scales in (removes) 1 instance. Minimum is 1. Maximum is 100. |
| Healthy threshold (FortiGateElbTgHealthyThreshold) | 3 | The number of consecutive health check failures required before a FortiGate-VM instance is considered unhealthy. Minimum is 3. |

Failover configuration

| Parameter label (name) | Default | Description |
|---|---|---|
| Heart beat loss count (HeartBeatLossCount) | 3 | Number of consecutively lost heartbeats. When the heartbeat loss count has been reached, the FortiGate-VM is deemed unhealthy and failover activities commence. |

Load balancing configuration

| Parameter label (name) | Default | Description |
|---|---|---|
| Internal ELB options (InternalLoadBalancingOptions) | add a new internal load balancer | (Optional) Add a predefined load balancer to route traffic to the web service in the private subnets. |
| Internal ELB DNS name (InternalLoadBalancerDnsName) | Conditionally requires input | Required when Internal ELB options is set to "use an existing load balancer". The DNS name of the Elastic Load Balancer to be used in the private subnets. |
| Web service traffic port (BalanceWebTrafficOverPort) | 443 | If an internal ELB is selected, the port over which web service traffic is balanced. Minimum is 1. Maximum is 65535. |

AWS Quick Start configuration

| Parameter label (name) | Default | Description |
|---|---|---|
| Quick Start S3 bucket name (QSS3BucketName) | Requires input | S3 bucket name for the Quick Start assets. Can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). |
| Quick Start S3 key prefix (QSS3KeyPrefix) | Requires input | S3 key prefix for the Quick Start assets. Can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). It must end with a trailing slash (/). |

Note

The "Quick Start S3 bucket name" (QSS3BucketName) refers to the S3 bucket you created (fortigate-autoscale in the example above), and the "Quick Start S3 key prefix" (QSS3KeyPrefix) refers to the subfolder you created in that bucket (deployment-package in the example above).
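The tables above state each parameter's constraints (length caps, port and percentage ranges, reserved ports, S3 naming rules, group sizing) and warn against an admin CIDR of 0.0.0.0/0, but nothing enforces them until the stack is submitted. The script below is an added example, not Fortinet's code or part of the Quick Start: it checks a parameter set against those stated rules before `aws cloudformation create-stack` is run, and renders it in the ParameterKey/ParameterValue list form that `--parameters file://params.json` accepts. The parameter names are the template's own; the sample values are constructed (not real VPC, subnet or key pair IDs). Two rules go beyond the page and are marked as such in the code: the general Auto Scaling requirement that MinSize <= DesiredCapacity <= MaxSize, and a sanity check that the scale-in threshold sits below the scale-out threshold.

```python
"""Pre-deployment check for the FortiGate Autoscale for AWS parameters listed above.

Added example, not Fortinet's code: it encodes the constraints the parameter tables
state, flags the 0.0.0.0/0 admin CIDR the Warning discourages, and renders the set
in the form `aws cloudformation create-stack --parameters file://params.json` takes.
"""
import ipaddress
import json
import re

RESERVED_PORTS = {443, 541, 514, 703}  # FortiGate reserved ports from the Admin port row

# Constructed sample values (not real AWS resource IDs, key pairs or secrets).
SAMPLE_PARAMS = {
    "VpcId": "vpc-0123456789abcdef0", "VPCCIDR": "10.0.0.0/16",
    "PublicSubnet1": "subnet-0aaa", "PublicSubnet2": "subnet-0bbb",
    "PrivateSubnet1": "subnet-0ccc", "PrivateSubnet2": "subnet-0ddd",
    "PrivateSubnet1RouteTable": "rtb-0eee", "PrivateSubnet2RouteTable": "rtb-0fff",
    "CustomIdentifier": "fgtASG", "FortiGateInstanceType": "c5.large",
    "FortiGatePskSecret": "Example123Psk456", "FortiGateAdminPort": 8443,
    "FortiGateAdminCidr": "203.0.113.0/24", "KeyPairName": "ops-keypair",
    "ExpireLifecycleEntry": 400, "FortiGateAsgDesiredCapacity": 2,
    "FortiGateAsgMinSize": 2, "FortiGateAsgMaxSize": 4,
    "FortiGateAsgHealthCheckGracePeriod": 300, "FortiGateAsgCooldown": 300,
    "FortiGateAsgScaleOutThreshold": 80, "FortiGateAsgScaleInThreshold": 25,
    "FortiGateElbTgHealthyThreshold": 3, "HeartBeatLossCount": 3,
    "InternalLoadBalancingOptions": "add a new internal load balancer",
    "InternalLoadBalancerDnsName": "", "BalanceWebTrafficOverPort": 443,
    "QSS3BucketName": "fortigate-autoscale", "QSS3KeyPrefix": "deployment-package/",
}


def _check_int(p, key, lo, hi, problems):
    """Record a problem unless p[key] is an int in [lo, hi] (hi=None means no upper bound)."""
    v = p.get(key)
    if not isinstance(v, int) or v < lo or (hi is not None and v > hi):
        bound = f">= {lo}" if hi is None else f"in [{lo}, {hi}]"
        problems.append(f"{key} must be an integer {bound}, got {v!r}")


def validate(p):
    """Return the list of constraint violations; an empty list means the set is acceptable."""
    problems = []

    # Resource name prefix and PSK: letters and digits only, with the stated length caps.
    if not re.fullmatch(r"[A-Za-z0-9]{1,10}", p.get("CustomIdentifier", "")):
        problems.append("CustomIdentifier must be 1-10 letters/digits")
    if not re.fullmatch(r"[A-Za-z0-9]{1,128}", p.get("FortiGatePskSecret", "")):
        problems.append("FortiGatePskSecret must be 1-128 letters/digits")

    # Admin port: a valid port that FortiGate does not reserve.
    _check_int(p, "FortiGateAdminPort", 1, 65535, problems)
    if p.get("FortiGateAdminPort") in RESERVED_PORTS:
        problems.append("FortiGateAdminPort collides with a FortiGate reserved port")

    # Admin CIDR: must parse; a /0 exposes the management port to every address.
    try:
        net = ipaddress.ip_network(p.get("FortiGateAdminCidr", ""), strict=False)
        if net.prefixlen == 0:
            problems.append("FortiGateAdminCidr 0.0.0.0/0 allows admin access from any address")
    except ValueError:
        problems.append("FortiGateAdminCidr is not a valid CIDR block")

    # Timers and sizing from the Auto Scaling group table.
    _check_int(p, "ExpireLifecycleEntry", 60, 3600, problems)
    _check_int(p, "FortiGateAsgHealthCheckGracePeriod", 60, None, problems)
    _check_int(p, "FortiGateAsgCooldown", 60, 3600, problems)
    for key in ("FortiGateAsgDesiredCapacity", "FortiGateAsgMinSize", "FortiGateAsgMaxSize"):
        _check_int(p, key, 2, None, problems)
    lo, want, hi = (p.get(k, 0) for k in
                    ("FortiGateAsgMinSize", "FortiGateAsgDesiredCapacity", "FortiGateAsgMaxSize"))
    if not lo <= want <= hi:  # general Auto Scaling group rule, not stated on the page
        problems.append("FortiGateAsgMinSize <= FortiGateAsgDesiredCapacity <= FortiGateAsgMaxSize required")
    _check_int(p, "FortiGateAsgScaleOutThreshold", 1, 100, problems)
    _check_int(p, "FortiGateAsgScaleInThreshold", 1, 100, problems)
    if p.get("FortiGateAsgScaleInThreshold", 0) >= p.get("FortiGateAsgScaleOutThreshold", 0):
        # Added sanity rule (not from the page): overlapping thresholds would flap.
        problems.append("FortiGateAsgScaleInThreshold should be below FortiGateAsgScaleOutThreshold")
    _check_int(p, "FortiGateElbTgHealthyThreshold", 3, None, problems)

    # Load balancing: the DNS name is only mandatory when reusing an existing ELB.
    if (p.get("InternalLoadBalancingOptions") == "use an existing load balancer"
            and not p.get("InternalLoadBalancerDnsName")):
        problems.append("InternalLoadBalancerDnsName is required for an existing load balancer")
    _check_int(p, "BalanceWebTrafficOverPort", 1, 65535, problems)

    # Quick Start asset location: naming rules as stated in the table.
    if not re.fullmatch(r"[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?", p.get("QSS3BucketName", "")):
        problems.append("QSS3BucketName: letters, digits and hyphens only, no hyphen at either end")
    if not re.fullmatch(r"[0-9A-Za-z/-]*/", p.get("QSS3KeyPrefix", "")):
        problems.append("QSS3KeyPrefix: letters, digits, hyphens and slashes only, must end with '/'")
    return problems


def to_cli_parameters(p):
    """Render the set as the list `aws cloudformation create-stack --parameters` consumes."""
    return [{"ParameterKey": k, "ParameterValue": str(v)} for k, v in p.items()]


if __name__ == "__main__":
    issues = validate(SAMPLE_PARAMS)
    if issues:
        raise SystemExit("\n".join(issues))
    print(json.dumps(to_cli_parameters(SAMPLE_PARAMS), indent=2))
```

Run it with the real values substituted into SAMPLE_PARAMS; a non-empty problem list exits non-zero so a CI step can gate the `create-stack` call on it, and the JSON it prints on success can be written to params.json for the CLI.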
