CFT parameters
On the Specify stack details page, enter the stack name and CFT parameters.
The following sections provide descriptions of the available parameters. Some parameters are specific to certain templates, and are only displayed when that template is selected.
Resource tagging configuration
Parameter label (name) |
Default |
Description |
---|---|---|
Resource tag prefix (ResourceTagPrefix) |
Requires input |
The ResourceGroup Tag Key used on all resources and as the name prefix of all applicable resources. Can only contain uppercase letters, lowercase letters, and numbers, ampersat(@), hyphens (-), period (.), and hash (#). Maximum length is 50. |
Resource name prefix (CustomIdentifier) |
fgtASG |
An alternative name prefix to be used on a resource that the Resource tag prefix cannot apply to. Can only contain uppercase letters, lowercase letters, and numbers. Maximum length is 10. |
Network configuration (New VPC, no Transit Gateway)
Parameter label (name) |
Default |
Description |
---|---|---|
Availability Zones (AvailabilityZones) |
Requires input |
The list of Availability Zones to use for the subnets in the VPC. The FortiGate Autoscale solution uses two Availability Zones from your list and preserves the logical order you specify. |
VPC CIDR (VPCCIDR) |
192.168.0.0/16 |
The Classless Inter-Domain Routing (CIDR) block for the FortiGate Autoscale VPC. |
Autoscale subnet 1 CIDR (PublicSubnet1CIDR) |
192.168.0.0/24 |
The CIDR block for the subnet located in Availability Zone 1 where FortiGate Autoscale instances will be deployed to. |
Autoscale subnet 2 CIDR (PublicSubnet2CIDR) |
192.168.1.0/24 |
The CIDR block for the subnet located in Availability Zone 2 where FortiGate Autoscale instances will be deployed to. |
Protected subnet 1 CIDR (PrivateSubnet1CIDR) |
192.168.2.0/24 |
The CIDR block for the private subnet located in Availability Zone 1 where it is protected by the FortiGates in the public subnet of the same Availability Zone. |
Protected subnet 2 CIDR (PrivateSubnet2CIDR) |
192.168.3.0/24 |
The CIDR block for the private subnet located in Availability Zone 2 where it is protected by the FortiGates in the public subnet of the same Availability Zone. |
Network configuration (Existing VPC, no Transit Gateway)
Parameter label (name) |
Default |
Description |
---|---|---|
VPC ID (VPCID) |
Requires input |
The ID of the existing VPC where FortiGate Autoscale will be deployed. The VPC must have the option DNS hostnames enabled and each of the two Availability Zones in the VPC must have at least 1 public subnet and at least 1 private subnet. |
VPC CIDR (VPCCIDR) |
Requires input |
The CIDR block of the selected existing VPC. This can be found in parentheses in the VPC ID parameter selection. |
Autoscale subnet 1 ID (PublicSubnet1) |
Requires input |
The ID of the public subnet 1 located in Availability Zone 1 of the selected existing VPC. |
Autoscale subnet 2 ID (PublicSubnet2) |
Requires input |
The ID of the public subnet 2 located in Availability Zone 2 of the selected existing VPC. |
Private subnet 1 (PrivateSubnet1) |
Requires input |
The ID of the private subnet 1 located in Availability Zone 1 of the selected existing VPC. This subnet will be protected by the FortiGates in the public subnet of the same Availability Zone. |
Private subnet 2 (PrivateSubnet2) |
Requires input |
The ID of the private subnet 2 located in Availability Zone 2 of the selected existing VPC. This subnet will be protected by the FortiGates in the public subnet of the same Availability Zone. |
Private subnet route table (PrivateSubnetRouteTable) |
Requires input |
Route table ID associated with the two private subnets. |
Network configuration (Transit Gateway integration)
Parameter label (name) |
Default |
Description |
---|---|---|
Availability Zones (AvailabilityZones) |
Requires input |
The list of Availability Zones to use for the subnets in the VPC. The FortiGate Autoscale solution uses two Availability Zones from your list and preserves the logical order you specify. |
VPC CIDR (VPCCIDR) |
192.168.0.0/16 |
The Classless Inter-Domain Routing (CIDR) block for the FortiGate Autoscale VPC. |
Autoscale subnet 1 CIDR (PublicSubnet1CIDR) |
192.168.0.0/24 |
The CIDR block for the subnet located in Availability Zone 1 where FortiGate Autoscale instances will be deployed to. |
Autoscale subnet 2 CIDR (PublicSubnet2CIDR) |
192.168.1.0/24 |
The CIDR block for the subnet located in Availability Zone 2 where FortiGate Autoscale instances will be deployed to. |
FortiGate configuration
Parameter label (name) |
Default |
Description |
||
---|---|---|---|---|
Instance type (FortiGateInstanceType) |
c5.large |
Instance type for the FortiGates in the Auto Scaling group. There are t2.small and compute-optimized instances such as c4 and c5 available with different vCPU sizes and bandwidths. For more information about instance types, see Instance Types. |
||
FortiOS version (FortiOSVersion) |
6.2.3 |
FortiOS version supported by FortiGate Autoscale for AWS. |
||
FortiGate PSK secret (FortiGatePskSecret) |
Requires input |
A secret key for the FortiGate instances to securely communicate with each other. Must contain numbers and letters and may contain special characters. Maximum length is 128.
|
||
Admin port (FortiGateAdminPort) |
8443 |
A port number for FortiGate administration. Minimum is 1. Maximum is 65535. Do not use the FortiGate reserved ports 443, 541, 514, or 703. |
||
Admin CIDR block (FortiGateAdminCidr) |
Requires input |
CIDR block for external admin management access.
|
||
Key pair name (KeyPairName) |
Requires input |
Amazon EC2 Key Pair for admin access. |
||
BGP ASN (BgpAsn) |
65000 |
The Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the Customer Gateway of each FortiGate instance in the Auto Scaling group. This value ranges from 64512 to 65534.
|
FortiGate Auto Scaling group configuration
Parameter label (name) |
Default |
Description |
||
---|---|---|---|---|
Desired capacity (BYOL) (FgtAsgDesiredCapacityByol) |
2 |
The number of FortiGate instances the BYOL Auto Scaling group should have at any time. For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for On-Demand-only, and >= 2 for BYOL-only or hybrid licensing. |
||
Minimum group size (BYOL) (FgtAsgMinSizeByol) |
2 |
Minimum number of FortiGate instances in the BYOL Auto Scaling group. For specific use cases, set to 0 for On-Demand-only, and >= 2 for BYOL-only or hybrid licensing.
|
||
Maximum group size (BYOL) (FgtAsgMaxSizeByol) |
2 |
Maximum number of FortiGate instances in the BYOL Auto Scaling group. For specific use cases, set to 0 for On-Demand-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Minimum group size (BYOL). |
||
Desired capacity (On-Demand instances) (FgtAsgDesiredCapacityPayg) |
0 |
The number of FortiGate instances the On-Demand-only Auto Scaling group should have at any time. For High Availability in an On-Demand-only use case, ensure at least 2 FortiGates are in the group. For specific use cases, set to 0 for BYOL-only, >= 2 for On-Demand-only, and >= 0 for hybrid licensing. |
||
Minimum group size (On-Demand instances) (FgtAsgMinSizePayg) |
0 |
Minimum number of FortiGate instances in the On-Demand-only Auto Scaling group. For specific use cases, set to 0 for BYOL-only, >= 2 for On-Demand-only, and >= 0 for hybrid licensing.
|
||
Maximum group size (On-Demand instances) (FgtAsgMaxSizePayg) |
0 |
Maximum number of FortiGate instances in the On-Demand-only Auto Scaling group. For specific use cases, set to 0 for BYOL-only, >= 2 for On-Demand-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Minimum group size (On-Demand-only instances). |
||
Scale-out threshold (FgtAsgScaleOutThreshold) |
80 |
The threshold (in percentage) for the FortiGate Auto Scaling group to scale out (add) 1 instance. Minimum is 1. Maximum is 100. |
||
Scale-in threshold (FgtAsgScaleInThreshold) |
25 |
The threshold (in percentage) for the FortiGate Auto Scaling group to scale in (remove) 1 instance. Minimum is 1. Maximum is 100. |
||
Primary election timeout (PrimaryElectionTimeout) |
300 |
The maximum time (in seconds) to wait for the election of the primary instance to complete. Minimum is 30. Maximum is 3600. |
||
Get license grace period (GetLicenseGracePeriod) |
600 |
The minimum time (in seconds) permitted before a distributed license can be revoked from a non-responsive FortiGate and re-distributed. Minimum is 300. |
||
Health check grace period (FgtAsgHealthCheckGracePeriod) |
300 |
The length of time (in seconds) that Auto Scaling waits before checking an instance's health status. Minimum is 60. |
||
Scaling cooldown period (FgtAsgCooldown) |
300 |
The Auto Scaling group waits for the cooldown period (in seconds) to complete before resuming scaling activities. Minimum is 60. Maximum is 3600. |
||
Instance lifecycle timeout (LifecycleHookTimeout) |
480 |
The amount of time (in seconds) that can elapse before the FortiGate Autoscale lifecycle hook times out. Minimum is 60. Maximum is 3600. |
Transit Gateway configuration (Transit Gateway integration)
Parameter label (name) |
Default |
Description |
---|---|---|
Transit Gateway support (TransitGatewaySupportOptions) |
create one |
Create a Transit Gateway for the FortiGate Autoscale VPC to attach to, or specify to use an existing one. |
Transit Gateway ID (TransitGatewayId) |
Conditionally requires input |
Required when Transit Gateway support is set to "use an existing one". It is the ID of the Transit Gateway that the FortiGate Autoscale VPC will be attached to. |
Load balancing configuration (no Transit Gateway integration)
Parameter label (name) |
Default |
Description |
---|---|---|
Traffic protocol (LoadBalancingTrafficProtocol) |
HTTPS |
The protocol used to load balance traffic. |
Traffic port (LoadBalancingTrafficPort) |
443 |
The port number used to balance web service traffic if the internal web service load balancer is enabled. Minimum is 1. Maximum is 65535. |
Health check threshold (LoadBalancingHealthCheckThreshold) |
3 |
The number of consecutive health check failures required before considering a FortiGate instance unhealthy. Minimum 3. |
Internal ELB options (InternalLoadBalancingOptions) |
add a new internal load balancer |
(Optional) Add a predefined Elastic Load Balancer (ELB) to route traffic to web service in the private subnets. You can optionally use your own one or decide to not need one. |
Health check path (InternalTargetGroupHealthCheckPath) |
/ |
(Optional) The destination path for health checks. This path must begin with a '/' character, and can be at most 1024 characters in length. |
Internal ELB DNS name (InternalLoadBalancerDnsName) |
Requires input |
(Optional) Specify the DNS Name of an existing internal load balancer used to route traffic from a FortiGate to targets in a specified target group. Leave it blank if you don't use an existing load balancer. |
Failover management configuration
Parameter label (name) |
Default |
Description |
---|---|---|
Heart beat interval (HeartBeatInterval) |
30 |
The length of time (in seconds) that a FortiGate instance waits between sending heartbeat requests to the Autoscale handler. Minimum is 30. Maximum is 90. |
Heart beat loss count (HeartBeatLossCount) |
3 |
Number of consecutively lost heartbeats. When the Heartbeat loss count has been reached, the FortiGate is deemed unhealthy and failover activities will commence. |
Heart beat delay allowance (HeartBeatDelayAllowance) |
2 |
The maximum amount of time (in seconds) allowed for network latency of the FortiGate heartbeat arriving at the Autoscale handler. Minimum is 0. |
Custom asset location configuration
Parameter label (name) |
Default |
Description |
---|---|---|
Use custom asset location (UseCustomAssetLocation) |
no |
Set to yes to use a custom S3 location for custom assets such as licenses and customized configsets. |
Custom asset S3 bucket (CustomAssetContainer) |
Requires input |
Name of the S3 bucket that contains your custom assets. Required if 'Use custom asset location' is set to 'yes'. Can only contain numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." |
Custom asset folder (CustomAssetDirectory) |
Requires input |
The sub path within the 'custom asset container' that serves as the top level directory of all your custom assets. If 'Use custom asset location' is set to 'yes', and this value is left empty, the 'custom asset container' will serve as the top level directory. Can only contain numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If provided, it must end with a forward slash (/). |
Deployment resources configuration
Parameter label (name) |
Default |
Description |
---|---|---|
S3 bucket name (S3BucketName) |
Requires input |
Name of the S3 bucket (created in step 4 of Obtaining the deployment package) that contains the FortiGate Autoscale deployment package. Can only contain numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). |
S3 resource folder (S3KeyPrefix) |
Requires input |
Name of the S3 folder (created in step 5 of Obtaining the deployment package) that stores the FortiGate Autoscale deployment resources. Can only contain numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If provided, it must end with a forward slash (/). |
After entering all required parameters, click Next.