Fortinet Document Library

Version: 6.0.0
CFT parameters

In Step 2 Specify stack details, you enter the stack name and CFT parameters.

CFT parameters

The following sections provide descriptions of the available parameters. After entering all required parameters, click Next.

Resource tagging configuration

Parameter label (name)

Default

Description

Resource tag prefix (ResourceTagPrefix)

Requires input

The ResourceGroup tag key applied to all resources, also used as the name prefix of all resources that accept one. Can only contain numbers, lowercase letters, uppercase letters, at signs (@), hyphens (-), periods (.), and hashes (#).

Maximum length is 50.

Resource name prefix (CustomIdentifier)

fgtASG

An alternative name prefix to be used on a resource that the Resource tag prefix cannot apply to. Can only contain uppercase letters, lowercase letters, and numbers.

Maximum length is 10.

Network configuration (New VPC)

Parameter label (name)

Default

Description

Availability Zones (AvailabilityZones)

Requires input

The list of AZs to use for the subnets in the VPC. The FortiGate Autoscale solution uses two AZs from your list and preserves the logical order you specify.

VPC CIDR (VpcCidr)

192.168.0.0/16

The CIDR block for the FortiGate Autoscale VPC.

Autoscale subnet 1 CIDR (PublicSubnet1CIDR)

192.168.0.0/24

The CIDR block for the public subnet in AZ 1 in which the FortiGate Autoscale instances are deployed.

Autoscale subnet 2 CIDR (PublicSubnet2CIDR)

192.168.1.0/24

The CIDR block for the public subnet in AZ 2 in which the FortiGate Autoscale instances are deployed.

Protected subnet 1 CIDR (PrivateSubnet1CIDR)

192.168.2.0/24

The CIDR block for the private subnet in AZ 1, which is protected by the FortiGates in the public subnet of the same AZ.

Protected subnet 2 CIDR (PrivateSubnet2CIDR)

192.168.3.0/24

The CIDR block for the private subnet in AZ 2, which is protected by the FortiGates in the public subnet of the same AZ.
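As an added worked example (not part of the Fortinet template or this documentation), the following Python pre-flight check encodes the layout the New VPC table describes: two distinct AZs, one FortiGate subnet and one protected subnet per AZ, every subnet inside the VPC CIDR and no two subnets overlapping. The dictionary keys are the CFT parameter names from the table; the /16 to /28 size limit is an AWS constraint rather than something stated on this page, and the AZ names and the faulty plan are constructed for the example.

```python
"""Pre-flight check for the New VPC network parameters of the FortiGate
Autoscale CFT (added example, not Fortinet code). Running it before
'Create stack' catches CIDR mistakes that CloudFormation reports late or
that produce a VPC in which a protected subnet is not actually behind
the FortiGate subnet of the same AZ."""
import ipaddress
from itertools import combinations

# Defaults copied from the parameter table; the AZ names are constructed.
DEFAULT_PLAN = {
    "AvailabilityZones": ["us-west-2a", "us-west-2b"],
    "VpcCidr": "192.168.0.0/16",
    "PublicSubnet1CIDR": "192.168.0.0/24",
    "PublicSubnet2CIDR": "192.168.1.0/24",
    "PrivateSubnet1CIDR": "192.168.2.0/24",
    "PrivateSubnet2CIDR": "192.168.3.0/24",
}
SUBNET_KEYS = ("PublicSubnet1CIDR", "PublicSubnet2CIDR",
               "PrivateSubnet1CIDR", "PrivateSubnet2CIDR")
# AWS accepts VPC and subnet blocks between /16 and /28 (AWS limit, not from the table).
MIN_PREFIX, MAX_PREFIX = 16, 28


def _parse(label, cidr, problems):
    """Parse a CIDR strictly (host bits must be zero) and check the AWS size limits."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label}: {exc}")
        return None
    if net.version != 4:
        problems.append(f"{label}: {net} is not an IPv4 block")
        return None
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"{label}: {net} is outside the /{MIN_PREFIX}-/{MAX_PREFIX} range AWS accepts")
    return net


def validate_new_vpc_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    azs = plan.get("AvailabilityZones", [])
    if len(azs) < 2:
        problems.append("AvailabilityZones: the solution needs two AZs")
    if len(set(azs)) != len(azs):
        problems.append("AvailabilityZones: duplicate AZ; subnet 1 and subnet 2 must be in different AZs")
    vpc = _parse("VpcCidr", plan.get("VpcCidr", ""), problems)
    subnets = {}
    for key in SUBNET_KEYS:
        net = _parse(key, plan.get(key, ""), problems)
        if net is None:
            continue
        if vpc is not None and not net.subnet_of(vpc):
            problems.append(f"{key}: {net} is not inside VpcCidr {vpc}")
        subnets[key] = net
    # Any overlap between the four subnets makes the VPC unbuildable or mis-routed.
    for (k1, n1), (k2, n2) in combinations(subnets.items(), 2):
        if n1.overlaps(n2):
            problems.append(f"{k1} {n1} overlaps {k2} {n2}")
    return problems


if __name__ == "__main__":
    faulty = {**DEFAULT_PLAN, "PrivateSubnet1CIDR": "192.168.0.0/23",
              "PrivateSubnet2CIDR": "10.0.3.0/24"}
    for name, plan in (("defaults", DEFAULT_PLAN), ("faulty", faulty)):
        print(name, validate_new_vpc_plan(plan) or "OK")
```

Run it against the parameter values you intend to type into the stack form; the faulty plan shows the two failure modes worth catching early, a protected subnet that swallows both FortiGate subnets and a subnet outside the VPC block.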

Network configuration (Existing VPC)

Parameter label (name)

Default

Description

VPC ID (VpcId)

Requires input

The ID of the existing VPC in which FortiGate Autoscale will be deployed. The VPC must have the DNS hostnames option enabled, and each of the two AZs used must contain at least one public subnet and at least one private subnet.

VPC CIDR (VPCCIDR)

Requires input

The CIDR block of the selected existing VPC. It is shown in parentheses next to each entry in the VPC ID parameter selection list.

FortiGate subnet 1 (PublicSubnet1)

Requires input

The ID of the public subnet 1 located in AZ 1 of the selected existing VPC.

FortiGate subnet 2 (PublicSubnet2)

Requires input

The ID of the public subnet 2 located in AZ 2 of the selected existing VPC.

Protected subnet 1 (PrivateSubnet1)

Requires input

The ID of the private subnet 1 located in AZ 1 of the selected existing VPC. This subnet will be protected by the FortiGates in the public subnet of the same AZ.

Protected subnet 2 (PrivateSubnet2)

Requires input

The ID of the private subnet 2 located in AZ 2 of the selected existing VPC. This subnet will be protected by the FortiGates in the public subnet of the same AZ.

Route table ID (PrivateSubnetRouteTable)

Requires input

The ID of the route table associated with the two private subnets.

FortiGate-VM configuration

Parameter label (name)

Default

Description

Instance type (FortiGateInstanceType)

c5.large

Instance type for the FortiGates in the Auto Scaling group. t2.small and compute-optimized instances such as c4 and c5 are available, with different vCPU counts and network bandwidths. For more information about instance types, see Instance Types.

FortiOS version (FortiOSVersion)

6.2.1

FortiOS version supported by FortiGate Autoscale for AWS.

FortiGate PSK secret (FortiGatePskSecret)

Requires input

A secret key for the FortiGate-VM instances to securely communicate with each other. Must contain numbers and letters and may contain special characters.

Maximum length is 128.

Note

Changes made to the PSK secret after FortiGate Autoscale for AWS has been deployed are not reflected in this parameter. New instances are spawned with the PSK held in the Autoscale handler's environment variable, so for them to use the changed PSK secret you must update that environment variable manually.

Admin port (FortiGateAdminPort)

8443

A port number for FortiGate-VM administration.

Do not use the FortiGate reserved ports 443, 541, 514, or 703.

Minimum is 1. Maximum is 65535.

Admin CIDR block (FortiGateAdminCidr)

Requires input

CIDR block for external admin management access.

Warning

0.0.0.0/0 accepts connections from any IP address. Use a constrained CIDR range, such as the egress addresses of your administrators, to reduce the exposure of the admin port to inbound attacks from unknown IP addresses.

Key pair name (KeyPairName)

Requires input

Amazon EC2 Key Pair for admin access.

FortiGate-VM Auto Scaling group configuration

Parameter label (name)

Default

Description

Desired capacity (BYOL) (FgtAsgDesiredCapacityByol)

2

The number of FortiGate-VM instances the BYOL Auto Scaling group should have at any time.

For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGate-VMs are in the group.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Minimum group size (BYOL) (FgtAsgMinSizeByol)

2

Minimum number of FortiGate-VM instances in the BYOL Auto Scaling group.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.

Note

For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If it is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost, because no other instance in the group holds a copy to restore it from.

Maximum group size (BYOL) (FgtAsgMaxSizeByol)

2

Maximum number of FortiGate-VM instances in the BYOL Auto Scaling group.

For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Minimum group size (BYOL).

Desired capacity (PAYG) (FgtAsgDesiredCapacityPayg)

0

The number of FortiGate-VM instances the PAYG Auto Scaling group should have at any time.

For High Availability in a PAYG-only use case, ensure at least 2 FortiGate-VMs are in the group.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Minimum group size (PAYG) (FgtAsgMinSizePayg)

0

Minimum number of FortiGate-VM instances in the PAYG Auto Scaling group.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Note

For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost, because no other instance in the group holds a copy to restore it from.

Maximum group size (PAYG) (FgtAsgMaxSizePayg)

0

Maximum number of FortiGate-VM instances in the PAYG Auto Scaling group.

For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Minimum group size (PAYG).

Scale-out threshold (FgtAsgScaleOutThreshold)

80

The threshold (in percentage) for the FortiGate-VM Auto Scaling group to scale out (add) 1 instance.

Minimum is 1. Maximum is 100.

Scale-in threshold (FgtAsgScaleInThreshold)

25

The threshold (in percentage) for the FortiGate-VM Auto Scaling group to scale in (remove) 1 instance.

Minimum is 1. Maximum is 100.

Master election timeout (MasterElectionTimeout)

300

The maximum time (in seconds) to wait for a master election to complete.

Minimum is 30. Maximum is 3600.

Get license grace period (GetLicenseGracePeriod)

600

The minimum time (in seconds) that must pass before a license distributed to a non-responsive FortiGate can be revoked and redistributed to another instance.

Minimum is 300.

Health check grace period (FgtAsgHealthCheckGracePeriod)

300

The length of time (in seconds) that Auto Scaling waits before checking an instance's health status.

Minimum is 60.

Scaling cool down period (FgtAsgCooldown)

300

The Auto Scaling group waits for the cool down period (in seconds) to complete before resuming scaling activities.

Minimum is 60. Maximum is 3600.

Instance lifecycle timeout (LifecycleHookTimeout)

480

The amount of time (in seconds) that can elapse before the FortiGate Autoscale lifecycle hook times out.

Minimum is 60. Maximum is 3600.
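The FortiGate-VM configuration table and the Auto Scaling group table above state rules that the stack form does not enforce together: the reserved admin ports, the risk of an admin CIDR of 0.0.0.0/0, the PSK secret composition, and the group sizes each licensing model needs (0 for the group that is not used, at least 2 for the group that carries the configuration). The following Python pre-flight check is an added example, not Fortinet code, that applies all of them to one set of parameter values. The `licensing` selector ("byol", "payg" or "hybrid"), the /24 limit on the admin CIDR and the scale-in-below-scale-out rule are this example's own assumptions; the admin CIDR and PSK values are constructed.

```python
"""Pre-flight check of FortiGate-VM and Auto Scaling group parameters for the
FortiGate Autoscale CFT (added example, not Fortinet code)."""
import ipaddress
import re

RESERVED_ADMIN_PORTS = {443, 541, 514, 703}   # from the Admin port description
ADMIN_CIDR_MAX_PREFIX = 24   # assumed house rule: admin ranges wider than /24 are flagged


def check_fortigate_vm(p):
    """Admin port, admin CIDR and PSK rules from the FortiGate-VM configuration table."""
    problems = []
    port = p["FortiGateAdminPort"]
    if not 1 <= port <= 65535:
        problems.append(f"FortiGateAdminPort {port}: must be 1-65535")
    elif port in RESERVED_ADMIN_PORTS:
        problems.append(f"FortiGateAdminPort {port}: reserved by FortiGate")
    try:
        net = ipaddress.ip_network(p["FortiGateAdminCidr"], strict=True)
    except ValueError as exc:
        problems.append(f"FortiGateAdminCidr: {exc}")
    else:
        if net.prefixlen == 0:
            problems.append("FortiGateAdminCidr 0.0.0.0/0: admin port reachable from any address")
        elif net.prefixlen < ADMIN_CIDR_MAX_PREFIX:
            problems.append(f"FortiGateAdminCidr {net}: wider than the assumed /{ADMIN_CIDR_MAX_PREFIX} limit")
    psk = p["FortiGatePskSecret"]
    if len(psk) > 128:
        problems.append("FortiGatePskSecret: longer than 128 characters")
    if not (re.search(r"[0-9]", psk) and re.search(r"[A-Za-z]", psk)):
        problems.append("FortiGatePskSecret: must contain both letters and numbers")
    return problems


def check_asg_sizes(p, licensing):
    """Group-size rules from the Auto Scaling group table for BYOL-only, PAYG-only or hybrid licensing."""
    problems = []
    groups = {
        "Byol": (p["FgtAsgMinSizeByol"], p["FgtAsgDesiredCapacityByol"], p["FgtAsgMaxSizeByol"]),
        "Payg": (p["FgtAsgMinSizePayg"], p["FgtAsgDesiredCapacityPayg"], p["FgtAsgMaxSizePayg"]),
    }
    # 0: the group must be empty; 2: the group must hold at least 2; None: any size >= 0 (PAYG in hybrid).
    required = {"byol": {"Byol": 2, "Payg": 0},
                "payg": {"Byol": 0, "Payg": 2},
                "hybrid": {"Byol": 2, "Payg": None}}[licensing]
    for name, (lo, desired, hi) in groups.items():
        if not lo <= desired <= hi:
            problems.append(f"{name}: need Min <= Desired <= Max, got {lo} <= {desired} <= {hi}")
        need = required[name]
        if need == 0 and (lo, desired, hi) != (0, 0, 0):
            problems.append(f"{name}: set Min, Desired and Max to 0 for {licensing} licensing")
        elif need == 2 and (lo < 2 or desired < 2):
            problems.append(f"{name}: Min and Desired must be >= 2 for {licensing} licensing")
        if lo == 1:
            problems.append(f"{name}: a minimum of 1 loses the configuration if that instance fails")
    # Assumption, not stated in the table: scale-in at or above scale-out makes the group flap.
    if p["FgtAsgScaleInThreshold"] >= p["FgtAsgScaleOutThreshold"]:
        problems.append("FgtAsgScaleInThreshold must be below FgtAsgScaleOutThreshold")
    return problems


# Table defaults, plus constructed values for the parameters that require input.
DEFAULTS = {
    "FortiGateAdminPort": 8443, "FortiGateAdminCidr": "203.0.113.0/24",
    "FortiGatePskSecret": "Example-psk-2019",
    "FgtAsgDesiredCapacityByol": 2, "FgtAsgMinSizeByol": 2, "FgtAsgMaxSizeByol": 2,
    "FgtAsgDesiredCapacityPayg": 0, "FgtAsgMinSizePayg": 0, "FgtAsgMaxSizePayg": 0,
    "FgtAsgScaleOutThreshold": 80, "FgtAsgScaleInThreshold": 25,
}


def preflight(p, licensing="byol"):
    """All findings for one parameter set; an empty list means nothing to fix."""
    return check_fortigate_vm(p) + check_asg_sizes(p, licensing)


if __name__ == "__main__":
    print(preflight(DEFAULTS) or "OK")
    risky = {**DEFAULTS, "FortiGateAdminPort": 443,
             "FortiGateAdminCidr": "0.0.0.0/0", "FgtAsgMinSizeByol": 1}
    for problem in preflight(risky):
        print("-", problem)
```

The `risky` set reproduces the three mistakes the tables warn about in one stack: a reserved admin port, an admin CIDR open to the whole Internet, and a BYOL minimum of 1 that would lose the configuration on a single instance failure.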

Load balancing configuration

Parameter label (name)

Default

Description

Traffic protocol (LoadBalancingTrafficProtocol)

HTTPS

The protocol used to load balance traffic.

Traffic port (LoadBalancingTrafficPort)

443

The port on which web service traffic is balanced, if the internal web-service load balancer is enabled.

Minimum is 1. Maximum is 65535.

Health check threshold (LoadBalancingHealthCheckThreshold)

3

The number of consecutive health check failures required before considering a FortiGate instance unhealthy.

Minimum is 3.

Internal ELB options (InternalLoadBalancingOptions)

add a new internal load balancer

Adds an optional predefined internal load balancer that routes traffic to the web service in the private subnets. You can instead use an existing load balancer of your own, or choose not to use one at all.

Health check path (InternalTargetGroupHealthCheckPath)

/

Optional. The destination path for health checks. This path must begin with a '/' character, and can be at most 1024 characters in length.

Internal ELB DNS name (InternalLoadBalancerDnsName)

Requires input

Optional. The DNS name of an existing internal load balancer that routes traffic from a FortiGate to the targets in a specified target group. Leave it blank if you do not use an existing load balancer.

Failover management configuration

Parameter label (name)

Default

Description

Heart beat interval (HeartBeatInterval)

30

The length of time (in seconds) that a FortiGate-VM waits between sending heartbeat requests to the Autoscale handler.

Minimum is 30. Maximum is 90.

Heart beat loss count (HeartBeatLossCount)

3

The number of consecutively lost heartbeats after which a FortiGate-VM is deemed unhealthy and failover activities commence.

Heart beat delay allowance (HeartBeatDelayAllowance)

2

The maximum network latency (in seconds) tolerated for a FortiGate-VM heartbeat arriving at the Autoscale handler. A heartbeat that arrives within this allowance after it was due is still counted as received.

Minimum is 0.
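To see how the three failover parameters interact, the Python model below (an added example, not the Autoscale handler's code, whose bookkeeping is not published on this page) replays heartbeat arrival times: a heartbeat is due every HeartBeatInterval seconds, counts as lost if nothing arrives within HeartBeatDelayAllowance seconds after it was due, and HeartBeatLossCount consecutive losses mark the FortiGate-VM unhealthy. The fixed acceptance windows and the start of the clock at registration (t=0) are this example's assumptions, and the arrival times are constructed.

```python
"""Model of the failover management parameters of the FortiGate Autoscale CFT
(added example; the handler's real bookkeeping is an assumption here)."""


def window_has_heartbeat(arrivals, k, interval, delay_allowance):
    """True if some heartbeat lands in the k-th acceptance window: after the
    previous window closed and no later than k*interval + delay_allowance."""
    low = (k - 1) * interval + delay_allowance
    high = k * interval + delay_allowance
    return any(low < t <= high for t in arrivals)


def time_to_unhealthy(arrivals, interval=30, loss_count=3, delay_allowance=2, horizon=900):
    """Return the second at which loss_count consecutive heartbeats have been
    missed, or None if that never happens before `horizon`. The instance is
    assumed to register at t=0, so its first heartbeat is due at t=interval.
    Defaults are the table values: 30 s interval, 3 losses, 2 s allowance."""
    lost = 0
    k = 1
    while k * interval + delay_allowance <= horizon:
        if window_has_heartbeat(arrivals, k, interval, delay_allowance):
            lost = 0                     # an on-time heartbeat resets the consecutive count
        else:
            lost += 1
            if lost == loss_count:
                return k * interval + delay_allowance
        k += 1
    return None


# Constructed arrival times, in seconds since registration.
HEALTHY = list(range(30, 901, 30))                       # every heartbeat on time
JITTERY = [t + (7 if t == 90 else 0) for t in HEALTHY]   # one heartbeat 7 s late
SILENT_AFTER_90 = [30, 60, 90]                           # instance stops sending after 90 s

if __name__ == "__main__":
    for name, arrivals in (("healthy", HEALTHY), ("jittery", JITTERY), ("silent", SILENT_AFTER_90)):
        print(f"{name:8} -> unhealthy at {time_to_unhealthy(arrivals)}")
```

With the defaults, a FortiGate-VM that falls silent after its third heartbeat is declared unhealthy at t=182, about 90 seconds after its last heartbeat, while a single heartbeat arriving 7 seconds late costs one loss and is forgiven by the next on-time one. Setting the loss count to 1 turns that same jitter into a failover at t=92, which is why the loss count and the delay allowance should be tuned together.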

Deployment resources configuration

Parameter label (name)

Default

Description

S3 bucket name (S3BucketName)

Requires input

Name of the S3 bucket (created in step 4 of Obtaining the deployment package) that contains the FortiGate Autoscale deployment package. Can only contain numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).

S3 resource folder (S3KeyPrefix)

Requires input

Name of the S3 folder (created in step 5 of Obtaining the deployment package) that stores the FortiGate Autoscale deployment resources. Can only contain numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If provided, it must end with a forward slash (/).
