Fortinet Document Library

FortiGate for AWS 6.0.0

FortiGate Auto Scaling HA topology

Cloud-init

In Auto Scaling, FortiGate uses the cloud-init feature to pre-configure instances when they first come up. During template deployment, an internal API Gateway endpoint is created.

After initialization, each FortiGate sends a request to that endpoint, identifying itself with the Fos-instance-id header, and receives a configuration script that it then runs. The script carries the instance's auto-scale role, the callback URL and the auto-scale psksecret, so the endpoint should stay reachable only from the instances it serves. Note also that the scripts below allow HTTP alongside HTTPS management on port2 (set allowaccess ... http); tighten this for production. The following are examples from the Master and Slave FortiGates.

Master FortiGate cloudinit output

FGTAWS00084FEF38 # diag debug cloudinit show
>> Checking metadata source aws
>> AWS curl header: Fos-instance-id: <the_masked_instance_id>
>> AWS trying to get config script from https://<the_masked_api_id>.execute-api.us-west-1.amazonaws.com/prod/get-config
>> AWS download config script successfully
>> Run config script
>> Finish running script
>> FGTAWS00084FEF38 $ config sys interface
>> FGTAWS00084FEF38 (interface) $ edit "port2"
>> FGTAWS00084FEF38 (port2) $ set mode dhcp
>> FGTAWS00084FEF38 (port2) $ set defaultgw disable
>> FGTAWS00084FEF38 (port2) $ set allowaccess ping https ssh http fgfm
>> FGTAWS00084FEF38 (port2) $ # the following two lines of configuration relate to HA checksum is not calculated properly
>> FGTAWS00084FEF38 (port2) $ # after interface mtu value is changed. Do not remove until this bug is fixed.
>> FGTAWS00084FEF38 (port2) $ set mtu-override enable
>> FGTAWS00084FEF38 (port2) $ set mtu 9001
>> FGTAWS00084FEF38 (port2) $ next
>> FGTAWS00084FEF38 (interface) $ end
>> FGTAWS00084FEF38 $ config system dns
>> FGTAWS00084FEF38 (dns) $ unset primary
>> FGTAWS00084FEF38 (dns) $ unset secondary
>> FGTAWS00084FEF38 (dns) $ end
>> FGTAWS00084FEF38 $ config system global
>> FGTAWS00084FEF38 (global) $ set admin-sport 8443
>> FGTAWS00084FEF38 (global) $ end
>> FGTAWS00084FEF38 $ config system auto-scale
>> FGTAWS00084FEF38 (auto-scale) $ set status enable
>> FGTAWS00084FEF38 (auto-scale) $ set sync-interface "port1"
>> FGTAWS00084FEF38 (auto-scale) $ set role master
>> FGTAWS00084FEF38 (auto-scale) $ set callback-url https://<the_masked_api_id>.execute-api.us-west-1.amazonaws.com/prod/complete
>> FGTAWS00084FEF38 (auto-scale) $ set psksecret <the_masked_psksecret>
>> FGTAWS00084FEF38 (auto-scale) $ end
>> FGTAWS00084FEF38 $
>> FGTAWS00084FEF38 $ config firewall address
>> FGTAWS00084FEF38 (address) $ edit internal-elb-web
>> FGTAWS00084FEF38 (internal-elb-web) $ set type fqdn
>> FGTAWS00084FEF38 (internal-elb-web) $ set fqdn "<the_masked_elb_id>.elb.us-west-1.amazonaws.com"
>> FGTAWS00084FEF38 (internal-elb-web) $ set associated-interface "port1"
>> FGTAWS00084FEF38 (internal-elb-web) $ next
>> FGTAWS00084FEF38 (address) $ end
>> FGTAWS00084FEF38 $
>> FGTAWS00084FEF38 $ config firewall vip
>> FGTAWS00084FEF38 (vip) $ edit internal-web
>> FGTAWS00084FEF38 (internal-web) $ set type fqdn
>> FGTAWS00084FEF38 (internal-web) $ set mapped-addr internal-elb-web
>> FGTAWS00084FEF38 (internal-web) $ set portforward enable
>> FGTAWS00084FEF38 (internal-web) $ set extintf port1
>> FGTAWS00084FEF38 (internal-web) $ set extport 443
>> FGTAWS00084FEF38 (internal-web) $ set mappedport 443
>> FGTAWS00084FEF38 (internal-web) $ next
>> FGTAWS00084FEF38 (vip) $ end
>> FGTAWS00084FEF38 $
>> FGTAWS00084FEF38 $ config firewall policy
>> FGTAWS00084FEF38 (policy) $ edit 2
>> FGTAWS00084FEF38 (2) $ set name "internal-web-https"
>> FGTAWS00084FEF38 (2) $ set srcintf "port1"
>> FGTAWS00084FEF38 (2) $ set dstintf "port2"
>> FGTAWS00084FEF38 (2) $ set srcaddr "all"
>> FGTAWS00084FEF38 (2) $ set dstaddr "internal-web"
>> FGTAWS00084FEF38 (2) $ set action accept
>> FGTAWS00084FEF38 (2) $ set schedule "always"
>> FGTAWS00084FEF38 (2) $ set service "HTTPS"
>> FGTAWS00084FEF38 (2) $ set fsso disable
>> FGTAWS00084FEF38 (2) $ set nat enable
>> FGTAWS00084FEF38 (2) $ next
>> FGTAWS00084FEF38 (policy) $ end

Slave FortiGate cloudinit output

FGTAWS00091BFEAB # diag debug cloudinit show
>> Checking metadata source aws
>> AWS curl header: Fos-instance-id: <the_masked_instance_id>
>> AWS trying to get config script from https://<the_masked_api_id>.execute-api.us-west-1.amazonaws.com/prod/get-config
>> AWS download config script successfully
>> Run config script
>> Finish running script
>> FGTAWS00091BFEAB $ config sys interface
>> FGTAWS00091BFEAB (interface) $ edit "port2"
>> FGTAWS00091BFEAB (port2) $ set mode dhcp
>> FGTAWS00091BFEAB (port2) $ set defaultgw disable
>> FGTAWS00091BFEAB (port2) $ set allowaccess ping https ssh http fgfm
>> FGTAWS00091BFEAB (port2) $ # the following two lines of configuration relate to HA checksum is not calculated properly
>> FGTAWS00091BFEAB (port2) $ # after interface mtu value is changed. Do not remove until this bug is fixed.
>> FGTAWS00091BFEAB (port2) $ set mtu-override enable
>> FGTAWS00091BFEAB (port2) $ set mtu 9001
>> FGTAWS00091BFEAB (port2) $ next
>> FGTAWS00091BFEAB (interface) $ end
>> FGTAWS00091BFEAB $ config system dns
>> FGTAWS00091BFEAB (dns) $ unset primary
>> FGTAWS00091BFEAB (dns) $ unset secondary
>> FGTAWS00091BFEAB (dns) $ end
>> FGTAWS00091BFEAB $ config system global
>> FGTAWS00091BFEAB (global) $ set admin-sport 8443
>> FGTAWS00091BFEAB (global) $ end
>> FGTAWS00091BFEAB $ config system auto-scale
>> FGTAWS00091BFEAB (auto-scale) $ set status enable
>> FGTAWS00091BFEAB (auto-scale) $ set sync-interface "port1"
>> FGTAWS00091BFEAB (auto-scale) $ set role slave
>> FGTAWS00091BFEAB (auto-scale) $ set master-ip 10.0.0.177
>> FGTAWS00091BFEAB (auto-scale) $ set callback-url https://<the_masked_api_id>.execute-api.us-west-1.amazonaws.com/prod/complete
>> FGTAWS00091BFEAB (auto-scale) $ set psksecret <the_masked_psksecret>
>> FGTAWS00091BFEAB (auto-scale) $ end
>> FGTAWS00091BFEAB $
>> FGTAWS00091BFEAB $ config firewall address
>> FGTAWS00091BFEAB (address) $ edit internal-elb-web
>> FGTAWS00091BFEAB (internal-elb-web) $ set type fqdn
>> FGTAWS00091BFEAB (internal-elb-web) $ set fqdn "<the_masked_elb_id>.elb.us-west-1.amazonaws.com"
>> FGTAWS00091BFEAB (internal-elb-web) $ set associated-interface "port1"
>> FGTAWS00091BFEAB (internal-elb-web) $ next
>> FGTAWS00091BFEAB (address) $ end
>> FGTAWS00091BFEAB $
>> FGTAWS00091BFEAB $ config firewall vip
>> FGTAWS00091BFEAB (vip) $ edit internal-web
>> FGTAWS00091BFEAB (internal-web) $ set type fqdn
>> FGTAWS00091BFEAB (internal-web) $ set mapped-addr internal-elb-web
>> FGTAWS00091BFEAB (internal-web) $ set portforward enable
>> FGTAWS00091BFEAB (internal-web) $ set extintf port1
>> FGTAWS00091BFEAB (internal-web) $ set extport 443
>> FGTAWS00091BFEAB (internal-web) $ set mappedport 443
>> FGTAWS00091BFEAB (internal-web) $ next
>> FGTAWS00091BFEAB (vip) $ end
>> FGTAWS00091BFEAB $
>> FGTAWS00091BFEAB $ config firewall policy
>> FGTAWS00091BFEAB (policy) $ edit 2
>> FGTAWS00091BFEAB (2) $ set name "internal-web-https"
>> FGTAWS00091BFEAB (2) $ set srcintf "port1"
>> FGTAWS00091BFEAB (2) $ set dstintf "port2"
>> FGTAWS00091BFEAB (2) $ set srcaddr "all"
>> FGTAWS00091BFEAB (2) $ set dstaddr "internal-web"
>> FGTAWS00091BFEAB (2) $ set action accept
>> FGTAWS00091BFEAB (2) $ set schedule "always"
>> FGTAWS00091BFEAB (2) $ set service "HTTPS"
>> FGTAWS00091BFEAB (2) $ set fsso disable
>> FGTAWS00091BFEAB (2) $ set nat enable
>> FGTAWS00091BFEAB (2) $ next
>> FGTAWS00091BFEAB (policy) $ end
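The two transcripts above hand every new instance its auto-scale role, the master-ip, the callback URL and the psksecret, so the bootstrap output is worth auditing before the group goes live. The following Python is an added example, not part of this page or of Fortinet's Auto Scaling templates: it parses the `>> host (context) $ command` lines printed by diag debug cloudinit show into per-context settings and flags what a reviewer would check, including the cleartext http management access that these scripts enable. The sample transcript is a constructed excerpt of the Slave output with the page's masked placeholders kept in place of real identifiers.

```python
"""Audit the FortiGate bootstrap transcript printed by `diag debug cloudinit show`.

Added example, not part of the Fortinet page or its Auto Scaling templates. It
parses the `>> host (context) $ command` lines into per-context settings and
flags what a reviewer would check before trusting the bootstrapped instance.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the Slave transcript from the page, with the
# page's masked placeholders kept in place of real identifiers.
SAMPLE = """\
>> Checking metadata source aws
>> AWS curl header: Fos-instance-id: <the_masked_instance_id>
>> AWS trying to get config script from https://<the_masked_api_id>.execute-api.us-west-1.amazonaws.com/prod/get-config
>> AWS download config script successfully
>> Run config script
>> Finish running script
>> FGTAWS00091BFEAB $ config sys interface
>> FGTAWS00091BFEAB (interface) $ edit "port2"
>> FGTAWS00091BFEAB (port2) $ set mode dhcp
>> FGTAWS00091BFEAB (port2) $ set allowaccess ping https ssh http fgfm
>> FGTAWS00091BFEAB (port2) $ next
>> FGTAWS00091BFEAB (interface) $ end
>> FGTAWS00091BFEAB $ config system global
>> FGTAWS00091BFEAB (global) $ set admin-sport 8443
>> FGTAWS00091BFEAB (global) $ end
>> FGTAWS00091BFEAB $ config system auto-scale
>> FGTAWS00091BFEAB (auto-scale) $ set status enable
>> FGTAWS00091BFEAB (auto-scale) $ set sync-interface "port1"
>> FGTAWS00091BFEAB (auto-scale) $ set role slave
>> FGTAWS00091BFEAB (auto-scale) $ set master-ip 10.0.0.177
>> FGTAWS00091BFEAB (auto-scale) $ set callback-url https://<the_masked_api_id>.execute-api.us-west-1.amazonaws.com/prod/complete
>> FGTAWS00091BFEAB (auto-scale) $ set psksecret <the_masked_psksecret>
>> FGTAWS00091BFEAB (auto-scale) $ end
"""

# `>> <hostname> [(<context>)] $ <command>`; lines without the `$` prompt are
# cloud-init status messages, not CLI commands.
CMD_RE = re.compile(r"^>> (\S+) (?:\((\S+)\) )?\$ (.*)$")
SOURCE_RE = re.compile(r"trying to get config script from (\S+)")


def config_source(text: str) -> Optional[str]:
    """URL the instance fetched its configuration script from, if logged."""
    m = SOURCE_RE.search(text)
    return m.group(1) if m else None


def parse_transcript(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {context: {setting: values}} for every `set`/`unset` line.

    The context is the prompt shown in parentheses ("port2", "auto-scale");
    `unset` records an empty value list. `config`, `edit`, `next` and `end`
    lines carry no setting and are skipped.
    """
    tree: Dict[str, Dict[str, List[str]]] = {}
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        _host, ctx, cmd = m.groups()
        parts = cmd.split()
        if ctx is None or len(parts) < 2 or parts[0] not in ("set", "unset"):
            continue
        values = [v.strip('"') for v in parts[2:]] if parts[0] == "set" else []
        tree.setdefault(ctx, {})[parts[1]] = values
    return tree


def audit(text: str) -> List[str]:
    """Findings a reviewer would want before the group goes live."""
    findings: List[str] = []
    src = config_source(text)
    if src is None or not src.startswith("https://"):
        findings.append("config script was not fetched over https")
    if "Finish running script" not in text:
        findings.append("config script did not finish; instance may be half-configured")
    tree = parse_transcript(text)
    for ctx, settings in tree.items():
        if "http" in settings.get("allowaccess", []):
            findings.append(f"{ctx}: allowaccess permits cleartext http management")
    asc = tree.get("auto-scale", {})
    if asc.get("status") == ["enable"]:
        if "psksecret" not in asc:
            findings.append("auto-scale: no psksecret; peers cannot authenticate")
        if asc.get("role") == ["slave"] and "master-ip" not in asc:
            findings.append("auto-scale: role slave without master-ip")
        if not asc.get("callback-url", [""])[0].startswith("https://"):
            findings.append("auto-scale: callback-url is not https")
    return findings
```

Run audit() over the transcript captured from each instance; for the sample it returns a single finding, the http entry in allowaccess on port2, which is exactly what the page's scripts configure.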

Wait a few minutes for Auto Scaling to bring up the instances and synchronize the configuration between them. The synchronization runs over an IPsec tunnel from the master (master-ip 10.0.0.177 above) to each slave. The output below is that tunnel as listed on the master with diagnose vpn tunnel list; it includes the live ESP and AH keys of the security association, so treat any copy of it as sensitive.

VPN output

name=__autoscale_m_p1_0 ver=1 serial=3 10.0.0.177:0->10.0.2.235:0
bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dial_inst/3 encap=none/128 options[0080]=rgwy-chg
parent=__autoscale_m_p1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=30 olast=30 ad=/0
stat: rxp=47 txp=39 rxb=5896 txb=2892
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=__autoscale_m_p2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.0.2.235-10.0.2.235:0
SA: ref=3 options=226 type=00 soft=0 mtu=8942 expire=42771/0B replaywin=2048
seqno=28 esn=0 replaywin_lastseq=00000030 itn=0
life: type=01 bytes=0/0 timeout=43186/43200
dec: spi=28b967de esp=aes key=16 69589204c4a396bad0e48f5d9d3b0a76
ah=sha1 key=20 79d940c0fdef3cb12983b126c37a2c4be9084239
enc: spi=97a7fc49 esp=aes key=16 cd793dc5c688f3565988f2a9539c0980
ah=sha1 key=20 529dcc4b5e61d4f9d36d3da873140abf58b682a7
dec:pkts/bytes=47/2828, enc:pkts/bytes=39/5448
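Because the tunnel listing above prints the negotiated ESP and AH keys, anyone collecting it for troubleshooting should redact them before the listing is stored or shared. The following Python is an added example, not part of this page or of Fortinet's tooling: it parses this key=value output into the fields worth monitoring (peer addresses, SA count, DPD mode, replay window, lifetime, SPIs and algorithms), redacts the key material while keeping the key lengths, and reports what a health check on the auto-scale sync tunnel would flag. The sample is the listing from the page, embedded as constructed input.

```python
"""Parse a FortiGate IPsec tunnel listing and redact its SA key material.

Added example, not part of the Fortinet page or of Fortinet's tooling. The
field names follow the key=value output shown above; the checks are the ones
a practitioner would run on the auto-scale sync tunnel.
"""
import re
from typing import Dict, List

# Constructed sample: the tunnel listing from the page, copied as printed.
SAMPLE = """\
name=__autoscale_m_p1_0 ver=1 serial=3 10.0.0.177:0->10.0.2.235:0
bound_if=3 lgwy=static/1 tun=tunnel/1 mode=dial_inst/3 encap=none/128 options[0080]=rgwy-chg
parent=__autoscale_m_p1 index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=30 olast=30 ad=/0
stat: rxp=47 txp=39 rxb=5896 txb=2892
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=__autoscale_m_p2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.0.2.235-10.0.2.235:0
SA: ref=3 options=226 type=00 soft=0 mtu=8942 expire=42771/0B replaywin=2048
seqno=28 esn=0 replaywin_lastseq=00000030 itn=0
life: type=01 bytes=0/0 timeout=43186/43200
dec: spi=28b967de esp=aes key=16 69589204c4a396bad0e48f5d9d3b0a76
ah=sha1 key=20 79d940c0fdef3cb12983b126c37a2c4be9084239
enc: spi=97a7fc49 esp=aes key=16 cd793dc5c688f3565988f2a9539c0980
ah=sha1 key=20 529dcc4b5e61d4f9d36d3da873140abf58b682a7
dec:pkts/bytes=47/2828, enc:pkts/bytes=39/5448
"""

# `key=<len> <hex>`: the raw ESP or AH key printed after its byte length.
KEY_RE = re.compile(r"(key=\d+) [0-9a-f]+")
HEADER_RE = re.compile(r"^name=(\S+) .* (\S+):\d+->(\S+):\d+$")
SA_RE = re.compile(r"^(dec|enc): spi=([0-9a-f]+) esp=(\w+) key=(\d+) [0-9a-f]+$")
AH_RE = re.compile(r"^ah=(\w+) key=(\d+) [0-9a-f]+$")


def redact_keys(text: str) -> str:
    """Replace every printed key with a placeholder, keeping the key length."""
    return KEY_RE.sub(r"\1 <redacted>", text)


def parse_tunnel(text: str) -> Dict[str, object]:
    """Extract the fields a monitor cares about from one tunnel block."""
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("first line is not a tunnel header")
    info: Dict[str, object] = {"name": m.group(1), "local": m.group(2),
                               "remote": m.group(3), "sa": []}
    current = None  # the dec/enc SA whose `ah=` line comes next
    for line in lines[1:]:
        if line.startswith("dpd:"):
            info["dpd_mode"] = re.search(r"mode=(\S+)", line).group(1)
        elif line.startswith("proxyid="):
            info["sa_count"] = int(re.search(r"\bsa=(\d+)", line).group(1))
        elif line.startswith("SA:"):
            info["replaywin"] = int(re.search(r"replaywin=(\d+)", line).group(1))
        elif line.startswith("life:"):
            left, total = re.search(r"timeout=(\d+)/(\d+)", line).groups()
            info["life_left"], info["life_total"] = int(left), int(total)
        elif SA_RE.match(line):
            d, spi, esp, klen = SA_RE.match(line).groups()
            current = {"dir": d, "spi": spi, "esp": esp, "esp_key_len": int(klen)}
            info["sa"].append(current)
        elif AH_RE.match(line) and current is not None:
            alg, klen = AH_RE.match(line).groups()
            current["ah"], current["ah_key_len"] = alg, int(klen)
    return info


def check_tunnel(info: Dict[str, object], raw: str) -> List[str]:
    """Health and hygiene findings for one parsed tunnel."""
    findings: List[str] = []
    if info.get("sa_count", 0) == 0 or not info["sa"]:
        findings.append("no ESP SA established; configuration sync is down")
    if info.get("dpd_mode", "off") == "off":
        findings.append("DPD is off; a dead peer will not be detected")
    if info.get("life_left", 1) <= 0:
        findings.append("SA lifetime exhausted; rekey did not happen")
    if KEY_RE.search(raw):
        findings.append("listing contains live SA keys; redact before storing or sharing")
    return findings
```

Parse the raw listing first and keep only redact_keys(raw) in tickets or log storage: the SA lines are recognized by their hex key, so a redacted copy no longer parses into SA entries, which is the intended property of the stored form.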
