Fortinet Document Library

Version: 6.0.0

FortiGate Autoscale for AWS features

Major components

  • The BYOL Auto Scaling group. This Auto Scaling group contains zero or more FortiGate-VMs under the BYOL licensing model and dynamically scales out or in based on the scaling metrics set by the Scale-out threshold and Scale-in threshold parameters. For each instance you must provide a valid license purchased from FortiCare.
    Note

    For BYOL-only and hybrid licensing deployments, the Minimum group size (FgtAsgMinSizeByol) must be at least 2. These FortiGate-VMs are the main instances: they are fixed and run 24x7. If the minimum is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost.

  • The PAYG Auto Scaling group. This Auto Scaling group contains zero or more FortiGate-VMs under the PAYG licensing model and dynamically scales out or in based on the scaling metrics set by the Scale-out threshold and Scale-in threshold parameters.
    Note

    For PAYG-only deployments, the Minimum group size (FgtAsgMinSizePayg) must be at least 2. These FortiGate-VMs are the main instances: they are fixed and run 24x7. If the minimum is set to 1 and that single instance fails, the current FortiGate-VM configuration is lost.

  • The “assets” folder in the S3 bucket.
    • The configset folder contains the files that are loaded as the initial configuration of a new FortiGate-VM instance.
      • baseconfig is the base configuration. Modify this file as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
    • The fgt-asg-license container holds the BYOL license files.

  • Tables in DynamoDB. These tables store information such as health check monitoring, master election and state transitions. Do not modify these records unless required for troubleshooting.
  • Networking components. These are the network load balancers, the target group, and the VPC and subnets. You are expected to create the client and server instances that you want the FortiGate-VM to protect.

Configset placeholders

When the FortiGate-VM requests its configuration from the Auto Scaling Handler function, the placeholders in the table below are replaced with the actual values for the Auto Scaling group.

| Placeholder | Type | Description |
| --- | --- | --- |
| {SYNC_INTERFACE} | Text | The interface the FortiGate-VMs use to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase. |
| {CALLBACK_URL} | URL | The endpoint URL used to interact with the Auto Scaling Handler script. Generated automatically during CloudFormation deployment. |
| {PSK_SECRET} | Text | The pre-shared key used in FortiOS. Specified during CloudFormation deployment. |
| {ADMIN_PORT} | Number | The port number used for admin login. A positive integer such as 443. Specified during CloudFormation deployment. |
| {HEART_BEAT_INTERVAL} | Number | The interval (in seconds) the FortiGate-VM waits between heartbeat requests to the Auto Scaling Handler function. |
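As an added example (not Fortinet's Auto Scaling Handler code), the substitution the handler performs when it serves baseconfig, with a validation step per placeholder type from the table above. The baseconfig fragment and its FortiOS CLI keys are constructed for illustration, and the HTTPS-only rule for {CALLBACK_URL} is an added hardening assumption rather than something the page states.

```python
import re

# Constructed baseconfig fragment using the page's five placeholders; the FortiOS
# CLI keys are illustrative and not copied from Fortinet's shipped baseconfig file.
BASECONFIG_TEMPLATE = """config system auto-scale
    set sync-interface {SYNC_INTERFACE}
    set callback-url {CALLBACK_URL}
    set psksecret {PSK_SECRET}
    set hb-interval {HEART_BEAT_INTERVAL}
end
config system global
    set admin-sport {ADMIN_PORT}
end
"""
PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")

def _positive_int(value, upper):
    # "Number" placeholders: a real int (not bool, not the string "443") in range.
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= upper:
        raise ValueError(f"expected integer in 1..{upper}, got {value!r}")
    return str(value)

def _text(pattern, what):
    # Text/URL placeholders must match the page's rule exactly (e.g. lowercase portN).
    def check(value):
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            raise ValueError(f"bad {what}: {value!r}")
        return value
    return check

VALIDATORS = {
    "SYNC_INTERFACE": _text(r"port[1-9][0-9]*", "sync interface"),
    # Added hardening assumption: the callback endpoint must be https with a host.
    "CALLBACK_URL": _text(r"https://[^\s/]+(/\S*)?", "callback URL"),
    # No whitespace or quotes: the PSK is emitted on a single CLI line.
    "PSK_SECRET": _text(r"[^\s\"']+", "PSK secret"),
    "ADMIN_PORT": lambda v: _positive_int(v, 65535),
    "HEART_BEAT_INTERVAL": lambda v: _positive_int(v, 86400),
}

def render_baseconfig(template, values):
    # Replace each placeholder with its validated value; an unknown or missing
    # placeholder raises instead of leaving "{NAME}" in the pushed configuration.
    def sub(match):
        name = match.group(1)
        if name not in VALIDATORS or name not in values:
            raise ValueError(f"no validated value for {{{name}}}")
        return VALIDATORS[name](values[name])
    return PLACEHOLDER_RE.sub(sub, template)
```

Failing closed matters here: a configuration pushed with a literal {PSK_SECRET} or a mixed-case interface name would leave the new instance unable to join the cluster, which looks like a silent health-check failure rather than a deployment error.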

Auto Scaling Handler environment variables

| Variable name | Description |
| --- | --- |
| UNIQUE_ID | Reserved; empty string. |
| CUSTOM_ID | Reserved; empty string. |
| RESOURCE_TAG_PREFIX | The value of the CFT parameter Resource tag prefix, described in the section Resource tagging configuration. |
