Fortinet Document Library

Version: 6.0.0
Cloud-init

In Auto Scaling, FortiGate-VM instances use cloud-init to configure themselves when they first boot. Deploying the template creates an internal API Gateway endpoint for this purpose.

After initialization, each FortiGate-VM sends a request to that endpoint, identifying itself with its EC2 instance ID in the Fos-instance-id header, and retrieves the configuration script it needs over HTTPS. The script sets the instance's auto-scale role (master or slave), the sync interface, the callback URL and the pre-shared secret, and then applies the rest of the baseline configuration. The following examples are taken from the master and slave FortiGate-VMs; apart from the role, the two scripts are identical.

Master FortiGate-VM cloudinit output

FGVM4VTM19000025 # diagnose debug cloudinit show
>> Checking metadata source aws
>> AWS curl header: Fos-instance-id: <the_masked_instance_id>
>> AWS trying to get config script from https://<the_masked_api_id>.amazonaws.com/prod/fgt-asg-handler
>> AWS download config script successfully
>> Run config script
>> Finish running script
>> FGVM4VTM19000025 $ config sys interface
>> FGVM4VTM19000025 (interface) $ edit "port2"
>> FGVM4VTM19000025 (port2) $ set mode dhcp
>> FGVM4VTM19000025 (port2) $ set defaultgw disable
>> FGVM4VTM19000025 (port2) $ set allowaccess ping https ssh http fgfm
>> FGVM4VTM19000025 (port2) $ # work around for FortiOS 6.0.4 #0543036 mtu values from DNS interfere with HA checksum.
>> FGVM4VTM19000025 (port2) $ set mtu-override enable
>> FGVM4VTM19000025 (port2) $ set mtu 9001
>> FGVM4VTM19000025 (port2) $ next
>> FGVM4VTM19000025 (interface) $ end
>> FGVM4VTM19000025 $ config system dns
>> FGVM4VTM19000025 (dns) $ unset primary
>> FGVM4VTM19000025 (dns) $ unset secondary
>> FGVM4VTM19000025 (dns) $ end
>> FGVM4VTM19000025 $ config system global
>> FGVM4VTM19000025 (global) $ set admin-sport 8443
>> FGVM4VTM19000025 (global) $ end
>> FGVM4VTM19000025 $ config system auto-scale
>> FGVM4VTM19000025 (auto-scale) $ set status enable
>> FGVM4VTM19000025 (auto-scale) $ set sync-interface "port1"
>> FGVM4VTM19000025 (auto-scale) $ set hb-interval 30
>> FGVM4VTM19000025 (auto-scale) $ set role master
>> FGVM4VTM19000025 (auto-scale) $ set callback-url https://<the_masked_api_id>.amazonaws.com/prod/fgt-asg-handler
>> FGVM4VTM19000025 (auto-scale) $ set psksecret <the_masked_psksecret>
>> FGVM4VTM19000025 (auto-scale) $ end
>> FGVM4VTM19000025 $
>> FGVM4VTM19000025 $ config firewall address
>> FGVM4VTM19000025 (address) $ edit internal-elb-web
>> FGVM4VTM19000025 (internal-elb-web) $ set type fqdn
>> FGVM4VTM19000025 (internal-elb-web) $ set fqdn "<the_masked_elb_dns>"
>> FGVM4VTM19000025 (internal-elb-web) $ set associated-interface "port1"
>> FGVM4VTM19000025 (internal-elb-web) $ next
>> FGVM4VTM19000025 (address) $ end
>> FGVM4VTM19000025 $
>> FGVM4VTM19000025 $ config firewall vip
>> FGVM4VTM19000025 (vip) $ edit internal-web
>> FGVM4VTM19000025 (internal-web) $ set type fqdn
>> FGVM4VTM19000025 (internal-web) $ set mapped-addr internal-elb-web
>> FGVM4VTM19000025 (internal-web) $ set portforward enable
>> FGVM4VTM19000025 (internal-web) $ set extintf port1
>> FGVM4VTM19000025 (internal-web) $ set extport 443
>> FGVM4VTM19000025 (internal-web) $ set mappedport 443
>> FGVM4VTM19000025 (internal-web) $ next
>> FGVM4VTM19000025 (vip) $ end
>> FGVM4VTM19000025 $
>> FGVM4VTM19000025 $ config firewall policy
>> FGVM4VTM19000025 (policy) $ edit 2
>> FGVM4VTM19000025 (2) $ set name "internal-web-https"
>> FGVM4VTM19000025 (2) $ set srcintf "port1"
>> FGVM4VTM19000025 (2) $ set dstintf "port2"
>> FGVM4VTM19000025 (2) $ set srcaddr "all"
>> FGVM4VTM19000025 (2) $ set dstaddr "internal-web"
>> FGVM4VTM19000025 (2) $ set action accept
>> FGVM4VTM19000025 (2) $ set schedule "always"
>> FGVM4VTM19000025 (2) $ set service "HTTPS"
>> FGVM4VTM19000025 (2) $ set fsso disable
>> FGVM4VTM19000025 (2) $ set nat enable
>> FGVM4VTM19000025 (2) $ next
>> FGVM4VTM19000025 (policy) $ end

Slave FortiGate-VM cloudinit output

FortiGate-VM64-AWSON~AND # diagnose debug cloudinit show
>> Checking metadata source aws
>> AWS curl header: Fos-instance-id: <the_masked_instance_id>
>> AWS trying to get config script from https://<the_masked_api_id>.amazonaws.com/prod/fgt-asg-handler
>> AWS download config script successfully
>> Run config script
>> Finish running script
>> FGVM4VTM19000027 $ config sys interface
>> FGVM4VTM19000027 (interface) $ edit "port2"
>> FGVM4VTM19000027 (port2) $ set mode dhcp
>> FGVM4VTM19000027 (port2) $ set defaultgw disable
>> FGVM4VTM19000027 (port2) $ set allowaccess ping https ssh http fgfm
>> FGVM4VTM19000027 (port2) $ # work around for FortiOS 6.0.4 #0543036 mtu values from DNS interfere with HA checksum.
>> FGVM4VTM19000027 (port2) $ set mtu-override enable
>> FGVM4VTM19000027 (port2) $ set mtu 9001
>> FGVM4VTM19000027 (port2) $ next
>> FGVM4VTM19000027 (interface) $ end
>> FGVM4VTM19000027 $ config system dns
>> FGVM4VTM19000027 (dns) $ unset primary
>> FGVM4VTM19000027 (dns) $ unset secondary
>> FGVM4VTM19000027 (dns) $ end
>> FGVM4VTM19000027 $ config system global
>> FGVM4VTM19000027 (global) $ set admin-sport 8443
>> FGVM4VTM19000027 (global) $ end
>> FGVM4VTM19000027 $ config system auto-scale
>> FGVM4VTM19000027 (auto-scale) $ set status enable
>> FGVM4VTM19000027 (auto-scale) $ set sync-interface "port1"
>> FGVM4VTM19000027 (auto-scale) $ set hb-interval 30
>> FGVM4VTM19000027 (auto-scale) $ set role slave
>> FGVM4VTM19000027 (auto-scale) $ set callback-url https://<the_masked_api_id>.amazonaws.com/prod/fgt-asg-handler
>> FGVM4VTM19000027 (auto-scale) $ set psksecret <the_masked_psksecret>
>> FGVM4VTM19000027 (auto-scale) $ end
>> FGVM4VTM19000027 $
>> FGVM4VTM19000027 $ config firewall address
>> FGVM4VTM19000027 (address) $ edit internal-elb-web
>> FGVM4VTM19000027 (internal-elb-web) $ set type fqdn
>> FGVM4VTM19000027 (internal-elb-web) $ set fqdn "<the_masked_elb_dns>"
>> FGVM4VTM19000027 (internal-elb-web) $ set associated-interface "port1"
>> FGVM4VTM19000027 (internal-elb-web) $ next
>> FGVM4VTM19000027 (address) $ end
>> FGVM4VTM19000027 $
>> FGVM4VTM19000027 $ config firewall vip
>> FGVM4VTM19000027 (vip) $ edit internal-web
>> FGVM4VTM19000027 (internal-web) $ set type fqdn
>> FGVM4VTM19000027 (internal-web) $ set mapped-addr internal-elb-web
>> FGVM4VTM19000027 (internal-web) $ set portforward enable
>> FGVM4VTM19000027 (internal-web) $ set extintf port1
>> FGVM4VTM19000027 (internal-web) $ set extport 443
>> FGVM4VTM19000027 (internal-web) $ set mappedport 443
>> FGVM4VTM19000027 (internal-web) $ next
>> FGVM4VTM19000027 (vip) $ end
>> FGVM4VTM19000027 $
>> FGVM4VTM19000027 $ config firewall policy
>> FGVM4VTM19000027 (policy) $ edit 2
>> FGVM4VTM19000027 (2) $ set name "internal-web-https"
>> FGVM4VTM19000027 (2) $ set srcintf "port1"
>> FGVM4VTM19000027 (2) $ set dstintf "port2"
>> FGVM4VTM19000027 (2) $ set srcaddr "all"
>> FGVM4VTM19000027 (2) $ set dstaddr "internal-web"
>> FGVM4VTM19000027 (2) $ set action accept
>> FGVM4VTM19000027 (2) $ set schedule "always"
>> FGVM4VTM19000027 (2) $ set service "HTTPS"
>> FGVM4VTM19000027 (2) $ set fsso disable
>> FGVM4VTM19000027 (2) $ set nat enable
>> FGVM4VTM19000027 (2) $ next
>> FGVM4VTM19000027 (policy) $ end
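The transcripts above are what a reviewer has to read to confirm that an instance came up with the intended role, sync settings and management exposure. The following Python script is an added example and not Fortinet's code or part of this page: it parses the echoed CLI lines of diagnose debug cloudinit show into a nested dictionary and runs a few checks on the result (script fetched over HTTPS and downloaded, auto-scale enabled with a known role, psksecret and callback-url present, and whether allowaccess on any interface includes cleartext http, as the script above does on port2). SAMPLE is a constructed, shortened copy of the master transcript with the same masked placeholders; the check list, finding strings and the ALIASES table are my own.

```python
"""Audit a FortiGate 'diagnose debug cloudinit show' transcript.

Added example, not Fortinet code. Parses the echoed CLI lines
('>> <host> (<scope>) $ <command>') into a nested dict and runs the
checks a reviewer would want on an auto-scaled instance. SAMPLE is a
constructed, shortened copy of the master output with masked placeholders.
"""
import re

SAMPLE = """\
>> Checking metadata source aws
>> AWS curl header: Fos-instance-id: <the_masked_instance_id>
>> AWS trying to get config script from https://<the_masked_api_id>.amazonaws.com/prod/fgt-asg-handler
>> AWS download config script successfully
>> FGVM4VTM19000025 $ config sys interface
>> FGVM4VTM19000025 (interface) $ edit "port2"
>> FGVM4VTM19000025 (port2) $ set allowaccess ping https ssh http fgfm
>> FGVM4VTM19000025 (port2) $ # work around for FortiOS 6.0.4 #0543036 mtu values from DNS interfere with HA checksum.
>> FGVM4VTM19000025 (port2) $ set mtu-override enable
>> FGVM4VTM19000025 (port2) $ set mtu 9001
>> FGVM4VTM19000025 (port2) $ next
>> FGVM4VTM19000025 (interface) $ end
>> FGVM4VTM19000025 $ config system global
>> FGVM4VTM19000025 (global) $ set admin-sport 8443
>> FGVM4VTM19000025 (global) $ end
>> FGVM4VTM19000025 $ config system auto-scale
>> FGVM4VTM19000025 (auto-scale) $ set status enable
>> FGVM4VTM19000025 (auto-scale) $ set sync-interface "port1"
>> FGVM4VTM19000025 (auto-scale) $ set role master
>> FGVM4VTM19000025 (auto-scale) $ set callback-url https://<the_masked_api_id>.amazonaws.com/prod/fgt-asg-handler
>> FGVM4VTM19000025 (auto-scale) $ set psksecret <the_masked_psksecret>
>> FGVM4VTM19000025 (auto-scale) $ end
>> FGVM4VTM19000025 $
>> FGVM4VTM19000025 $ config firewall policy
>> FGVM4VTM19000025 (policy) $ edit 2
>> FGVM4VTM19000025 (2) $ set srcintf "port1"
>> FGVM4VTM19000025 (2) $ set dstaddr "internal-web"
>> FGVM4VTM19000025 (2) $ set service "HTTPS"
>> FGVM4VTM19000025 (2) $ next
>> FGVM4VTM19000025 (policy) $ end
"""

CMD_RE = re.compile(r'^>> (\S+)(?: \(([^)]*)\))? \$ ?(.*)$')   # host, scope, command
META_RE = {
    "instance_id": re.compile(r'^>> AWS curl header: Fos-instance-id: (\S+)'),
    "script_url": re.compile(r'^>> AWS trying to get config script from (\S+)'),
}
ALIASES = {"sys": "system"}   # FortiOS accepts abbreviated keywords; normalise them


def parse_transcript(text):
    """Return (meta, config); config maps 'table name' -> settings or entries."""
    meta, config, stack = {"download_ok": False}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        for key, rx in META_RE.items():
            m = rx.match(line)
            if m:
                meta[key] = m.group(1)
        if line == ">> AWS download config script successfully":
            meta["download_ok"] = True
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd = m.group(3).strip()
        if not cmd or cmd.startswith("#"):
            continue                                  # bare prompt or CLI comment
        verb, args = cmd.split()[0], cmd.split()[1:]
        if verb == "config":                          # enter a table
            stack.append(config.setdefault(" ".join(ALIASES.get(a, a) for a in args), {}))
        elif verb == "edit":                          # enter (or create) a table entry
            stack.append(stack[-1].setdefault(" ".join(args).strip('"'), {}))
        elif verb == "set":
            stack[-1][args[0]] = [a.strip('"') for a in args[1:]]
        elif verb == "unset":
            stack[-1][args[0]] = None
        elif verb in ("next", "end"):                 # leave entry / table
            stack.pop()
    return meta, config


def first(node, key):
    vals = node.get(key)
    return vals[0] if vals else None


def audit(text):
    """Run reviewer checks; returns (meta, config, findings)."""
    meta, config = parse_transcript(text)
    findings = []
    if not meta.get("script_url", "").startswith("https://"):
        findings.append("config script URL is not HTTPS")
    if not meta["download_ok"]:
        findings.append("config script download did not complete")
    asg = config.get("system auto-scale", {})
    if first(asg, "status") != "enable":
        findings.append("system auto-scale is not enabled")
    if first(asg, "role") not in ("master", "slave"):
        findings.append("auto-scale role missing or unknown")
    if not first(asg, "psksecret"):
        findings.append("auto-scale psksecret is not set")
    if not (first(asg, "callback-url") or "").startswith("https://"):
        findings.append("auto-scale callback-url is not HTTPS")
    for name, iface in config.get("system interface", {}).items():
        # The page's own script allows http alongside https: cleartext management.
        if "http" in (iface.get("allowaccess") or []):
            findings.append("%s: cleartext http admin access is enabled" % name)
    return meta, config, findings
```

Paste a real transcript in place of SAMPLE. On the example configuration the only finding is port2 allowing http next to https; whether that is acceptable on the internal interface is a deliberate decision to make, not one to inherit from the template.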

Allow some time for Auto Scaling to bring the instances up and synchronize the configuration between them.

VPN output

Configuration sync between the instances runs over an IPsec tunnel authenticated with the psksecret set above (the tunnel is named __autoscale_m_p1 in the listing). Once it is up, the VPN tunnel diagnostics (diagnose vpn tunnel list) show an entry like the following:

name=__autoscale_m_p1_0 ver=1 serial=3 10.0.0.177:0->10.0.2.235:0
bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dial_inst/3 encap=none/128 options[0080]=rgwy-chg
parent=__autoscale_m_p1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=30 olast=30 ad=/0
stat: rxp=47 txp=39 rxb=5896 txb=2892
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=__autoscale_m_p2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.0.2.235-10.0.2.235:0
  SA: ref=3 options=226 type=00 soft=0 mtu=8942 expire=42771/0B replaywin=2048
       seqno=28 esn=0 replaywin_lastseq=00000030 itn=0
  life: type=01 bytes=0/0 timeout=43186/43200
  dec: spi=28b967de esp=aes key=16 <masked_key>
       ah=sha1 key=20 <masked_key>
  enc: spi=97a7fc49 esp=aes key=16 <masked_key>
       ah=sha1 key=20 <masked_key>
  dec:pkts/bytes=47/2828, enc:pkts/bytes=39/5448
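The tunnel listing carries the negotiated SA parameters and, in unmasked form, the live ESP and authentication keys (the values following key=16 and key=20, masked on this page), so it must be redacted before it is pasted into a ticket or shared with support. The Python below is an added example, not Fortinet code: summarise() pulls out the peers, DPD mode, cipher strength (esp=aes key=16 is a 16-byte, that is AES-128, key), integrity algorithm and lifetime, and redact() strips the key material while keeping the key length so the summary still works afterwards. SAMPLE_TUNNEL is a constructed copy of the listing above with made-up hex strings in place of the masked keys.

```python
"""Summarise and redact a FortiGate 'diagnose vpn tunnel list' entry.

Added example, not Fortinet code. SAMPLE_TUNNEL is a constructed copy of the
auto-scale tunnel output with made-up hex keys in place of the masked ones,
so that the redaction step has something to strip.
"""
import re

SAMPLE_TUNNEL = """\
name=__autoscale_m_p1_0 ver=1 serial=3 10.0.0.177:0->10.0.2.235:0
bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dial_inst/3 encap=none/128 options[0080]=rgwy-chg
parent=__autoscale_m_p1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=30 olast=30 ad=/0
stat: rxp=47 txp=39 rxb=5896 txb=2892
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=__autoscale_m_p2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.0.2.235-10.0.2.235:0
  SA: ref=3 options=226 type=00 soft=0 mtu=8942 expire=42771/0B replaywin=2048
       seqno=28 esn=0 replaywin_lastseq=00000030 itn=0
  life: type=01 bytes=0/0 timeout=43186/43200
  dec: spi=28b967de esp=aes key=16 00112233445566778899aabbccddeeff
       ah=sha1 key=20 0123456789abcdef0123456789abcdef01234567
  enc: spi=97a7fc49 esp=aes key=16 ffeeddccbbaa99887766554433221100
       ah=sha1 key=20 76543210fedcba9876543210fedcba9876543210
  dec:pkts/bytes=47/2828, enc:pkts/bytes=39/5448
"""

KV_RE = re.compile(r'(\w[\w\[\]]*)=(\S+)')                          # key=value tokens
HDR_RE = re.compile(r'^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+$')
KEY_RE = re.compile(r'(key=\d+) ([0-9a-fA-F]+)')                    # SA key length + hex key


def summarise(text):
    """Extract the fields a reviewer checks: peers, DPD, cipher/integrity, lifetime."""
    info = {}
    for line in text.splitlines():
        s = line.strip()
        m = HDR_RE.match(s)
        if m:
            info["name"], info["local"], info["remote"] = m.groups()
        elif s.startswith("dpd:"):
            info["dpd"] = dict(KV_RE.findall(s))
        elif s.startswith("life:"):
            cur, tot = dict(KV_RE.findall(s))["timeout"].split("/")
            info["life_remaining"], info["life_total"] = int(cur), int(tot)
        elif s.startswith(("dec:", "enc:")) and "spi=" in s:
            kv = dict(KV_RE.findall(s))
            # esp=<cipher> key=<bytes>: 16 bytes is AES-128, 32 bytes is AES-256
            info.setdefault("esp", {})[s[:3]] = "%s-%d" % (kv["esp"], int(kv["key"]) * 8)
        elif s.startswith("ah="):
            info.setdefault("ah", set()).add(dict(KV_RE.findall(s))["ah"])
    return info


def redact(text):
    """Replace SA key material with a placeholder, keeping the key length."""
    return KEY_RE.sub(lambda m: "%s <redacted>" % m.group(1), text)
```

Run redact() over the raw diagnostic output first and keep only the redacted copy; summarise() gives the same cipher, integrity and lifetime figures from either version.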
