Fortinet Document Library

Version: 6.0.0
FortiGate Autoscale for AWS features

Major components

  • The Auto Scaling group. The Auto Scaling group contains two or more FortiGate virtual machines (PAYG licensing model). The group scales out or scales in dynamically based on the scaling metrics specified by the parameters Scale-out threshold and Scale-in threshold. By design, there is a minimum of two instances in this group.
  • The “assets” folder in the S3 bucket. Its configset folder contains the files that are loaded as the initial configuration of a new FortiGate instance.
    • baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
  • Tables in DynamoDB. These tables store the information the handler relies on, such as health check monitoring, master election and state transitions. These records should not be modified unless required for troubleshooting.

Configset placeholders

When the FortiGate requests the configuration from the Auto Scaling Handler function, the placeholders in the table below will be replaced with actual values about the Auto Scaling group.

Placeholder        Type    Description
{SYNC_INTERFACE}   Text    The interface the FortiGates use to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase.
{CALLBACK_URL}     URL     The endpoint URL used to interact with the Auto Scaling Handler script. Generated automatically during CloudFormation deployment.
{PSK_SECRET}       Text    The pre-shared key used in FortiOS. Specified during CloudFormation deployment.
{ADMIN_PORT}       Number  The port number used for admin login. A positive integer such as 443. Specified during CloudFormation deployment.

Auto Scaling Handler environment variables

Variable name                 Description
AUTO_SCALING_GROUP_NAME       The Auto Scaling group name.
API_GATEWAY_NAME              The API Gateway name generated during the deployment.
API_GATEWAY_STAGE_NAME        The API Gateway stage. Always set to prod.
API_GATEWAY_RESOURCE_NAME     The API Gateway resource. Always set to complete.
UNIQUE_ID                     The random string generated automatically during the deployment.
EXPIRE_LIFECYCLE_ENTRY        The value of the CFT parameter Instance lifecycle expiry, described in the section “FortiGate Auto Scaling group configuration”.
CUSTOM_ID                     The value of the CFT parameter Resource name prefix, described in the section “FortiGate configuration”.
FORTIGATE_PSKSECRET           The value of the CFT parameter FortiGate PSK secret, described in the section “FortiGate configuration”.
FORTIGATE_ADMIN_PORT          The value of the CFT parameter Admin port, described in the section “FortiGate configuration”.
FORTIGATE_INTERNAL_ELB_DNS    The value of the CFT parameter Internal ELB options, described in the section “Load Balancing configuration”.
FORTIGATE_TRAFFIC_PORT        The value of the CFT parameter Web service traffic port, described in the section “Load Balancing configuration”.
HEART_BEAT_LOSS_COUNT         The value of the CFT parameter Heart beat loss count, described in the section “Failover Configuration”.
STACK_ASSETS_S3_BUCKET_NAME   The value of the CFT parameter Quick Start S3 bucket name, described in the section “AWS Quick Start configuration”.
STACK_ASSETS_S3_KEY_PREFIX    The value of the CFT parameter Quick Start S3 key prefix, described in the section “AWS Quick Start configuration”.
VPC_ID                        The value of the CFT parameter VPC ID, described in the section “Network configuration”.
REQUIRED_CONFIG_SET           A comma-delimited string of additional configsets to load. (Reserved for future use.)
FORTIGATE_SYNC_INTERFACE      The FortiGate sync interface. Should always be set to port1.
SCALING_GROUP_NAME_PAYG       Should always be the same as AUTO_SCALING_GROUP_NAME.
SCALING_GROUP_NAME_BYOL       Should always be the same as AUTO_SCALING_GROUP_NAME.
MASTER_SCALING_GROUP_NAME     Should always be the same as AUTO_SCALING_GROUP_NAME.
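The following Python is an added example, not code from the Fortinet Autoscale handler. It shows what the two tables above amount to in practice: the handler takes its FORTIGATE_* environment variables, checks the invariants listed for them (stage prod, resource complete, the three scaling group names equal to AUTO_SCALING_GROUP_NAME, sync interface port1), and substitutes the placeholders in baseconfig before returning the configset to a booting FortiGate. Because the rendered configset carries the PSK in clear, the example also produces a redacted copy for logging and refuses to return a configset with an unresolved placeholder. The sample baseconfig, the sample environment, all function names, and the assumption that CALLBACK_URL arrives as a plain environment variable are constructed here; the FortiOS CLI keywords in the sample are illustrative and should be checked against your FortiOS version.

```python
"""Render a FortiGate Autoscale configset from Auto Scaling Handler environment
variables and check the invariants listed in the environment-variable table.

Added example; not the handler code shipped by Fortinet. The sample baseconfig,
the sample environment and all function names are constructed for illustration.
"""
import re

PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")

# Constructed sample baseconfig using the four placeholders from the table.
# The CLI keywords are illustrative; check them against your FortiOS version.
SAMPLE_BASECONFIG = """\
config system global
    set admin-sport {ADMIN_PORT}
end
config system auto-scale
    set status enable
    set sync-interface {SYNC_INTERFACE}
    set psksecret {PSK_SECRET}
    set callback-url {CALLBACK_URL}
end
"""

# Constructed handler environment. CALLBACK_URL is assumed to be passed in
# directly here; the real deployment generates it from the API Gateway.
SAMPLE_ENV = {
    "AUTO_SCALING_GROUP_NAME": "fgt-asg",
    "SCALING_GROUP_NAME_PAYG": "fgt-asg",
    "SCALING_GROUP_NAME_BYOL": "fgt-asg",
    "MASTER_SCALING_GROUP_NAME": "fgt-asg",
    "API_GATEWAY_STAGE_NAME": "prod",
    "API_GATEWAY_RESOURCE_NAME": "complete",
    "FORTIGATE_SYNC_INTERFACE": "port1",
    "FORTIGATE_ADMIN_PORT": "8443",
    "FORTIGATE_PSKSECRET": "example-psk-do-not-reuse",
    "CALLBACK_URL": "https://example.invalid/prod/complete",
}


def check_handler_env(env):
    """Return the table invariants the environment violates (empty list = OK)."""
    problems = []
    asg = env.get("AUTO_SCALING_GROUP_NAME")
    for name in ("SCALING_GROUP_NAME_PAYG", "SCALING_GROUP_NAME_BYOL",
                 "MASTER_SCALING_GROUP_NAME"):
        if env.get(name) != asg:
            problems.append(f"{name} must equal AUTO_SCALING_GROUP_NAME")
    if env.get("API_GATEWAY_STAGE_NAME") != "prod":
        problems.append("API_GATEWAY_STAGE_NAME must be 'prod'")
    if env.get("API_GATEWAY_RESOURCE_NAME") != "complete":
        problems.append("API_GATEWAY_RESOURCE_NAME must be 'complete'")
    if env.get("FORTIGATE_SYNC_INTERFACE") != "port1":
        problems.append("FORTIGATE_SYNC_INTERFACE must be 'port1'")
    return problems


def placeholder_values(env):
    """Map environment variables to placeholder values, enforcing the
    constraints stated in the placeholder table (lowercase portN, positive
    port number, non-empty PSK, https callback)."""
    sync = env["FORTIGATE_SYNC_INTERFACE"]
    if not re.fullmatch(r"port[1-9][0-9]*", sync):
        raise ValueError(f"SYNC_INTERFACE must be lowercase portN, got {sync!r}")
    port = int(env["FORTIGATE_ADMIN_PORT"])
    if not 1 <= port <= 65535:
        raise ValueError(f"ADMIN_PORT out of range: {port}")
    psk = env["FORTIGATE_PSKSECRET"]
    if not psk:
        raise ValueError("PSK_SECRET must not be empty")
    url = env["CALLBACK_URL"]
    if not url.startswith("https://"):
        raise ValueError("CALLBACK_URL must use https")
    return {"SYNC_INTERFACE": sync, "ADMIN_PORT": port,
            "PSK_SECRET": psk, "CALLBACK_URL": url}


def render_configset(template, values):
    """Substitute placeholders. Fail closed on any placeholder without a value
    so a FortiGate never boots with a literal '{PSK_SECRET}' in its config."""
    missing = set(PLACEHOLDER_RE.findall(template)) - set(values)
    if missing:
        raise KeyError(f"unresolved placeholders: {sorted(missing)}")
    return PLACEHOLDER_RE.sub(lambda m: str(values[m.group(1)]), template)


def redacted(rendered, values):
    """Copy of the rendered configset that is safe to write to handler logs."""
    return rendered.replace(values["PSK_SECRET"], "<redacted>")


if __name__ == "__main__":
    assert not check_handler_env(SAMPLE_ENV)
    values = placeholder_values(SAMPLE_ENV)
    config = render_configset(SAMPLE_BASECONFIG, values)
    print(redacted(config, values))
```

Failing closed on an unresolved placeholder matters more than it looks: a configset with a literal {PSK_SECRET} would still load on the FortiGate, and the instance would then try to join the group with the wrong key instead of being terminated and replaced.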
