Fortinet Document Library

FortiSandbox VM on AWS

3.1.0
Optional: HA-Cluster support

FortiSandbox for AWS supports HA-Clustering, allowing multiple FortiSandbox instances to be used together in a load-balancing high availability (HA) cluster. Please refer to the FortiSandbox Administration Guide for more information on HA-Cluster usage.

Configuring and launching an HA-Cluster

To launch the FortiSandbox instances on AWS:
  1. Follow the instructions in the Setting up an AWS Account for FortiSandbox section of this guide to configure a VPC and get an AWS API key. The 10.0.1.0/24 Subnet is for HA communication only, so configuring options for a NAT Gateway and DHCP are not required.
  2. On the AWS Launch Instances page, search for FortiSandbox on-demand in the marketplace and select it.
  3. On the Configure Instance Details page of the setup wizard, assign port1 to 10.0.0.210, and port2 to 10.0.1.210.
  4. For the instance that is to become the Master, assign the HA external communication IP as a second private IP address to its port1.
  5. Complete the setup wizard and launch the instance.
  6. Return to the AWS Launch Instances page and set up the remaining FSA instances that are to be included in the HA-Cluster, giving each one its own port1 and port2 IP addresses.
To configure the FortiSandbox instances:
  1. After all instances are created, assign an Elastic IP (EIP) to eth0 of each instance so that it can be accessed.
  2. Download the most recent FSA AWS firmware by logging in to the FSA WebGUI using the EIPs. Perform a firmware upgrade for each FSA instance and wait for it to be completed.
    Note

    In order to support the HA feature on AWS, the firmware version is required to be at least 3.0.

  3. In the FSA GUI, update the WindowsCloudVM clone number. HA mode currently only supports using WindowsCloudVMs.
  4. On the AWS Config page, fill in the AWS API key information. This must be done prior to performing the HA config in the CLI.
  5. On AWS Console Instances, for each FSA instance, click the eth1 link at the bottom of the Instance Details section, which displays the details for the interface. Click the interface-id, and on the next page click its Security Groups link.
  6. On the Inbound settings tab of the security group, add:
    • TCP 2015 0.0.0.0/0
    • TCP 2018 0.0.0.0/0
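
The following check is an added example, not part of the Fortinet guide: it audits a security group, in the JSON shape returned by `aws ec2 describe-security-groups`, and reports which sources outside the HA subnet can reach the two HA ports. It assumes that TCP 2015 and 2018 on eth1 carry only cluster traffic from 10.0.1.0/24; the group IDs and rule sets are constructed samples.

```python
import ipaddress

HA_PORTS = {2015, 2018}                          # ports opened on eth1 in step 6
HA_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # HA-only subnet from this guide

def audit_ha_rules(group, ha_subnet=HA_SUBNET):
    """Return (findings, missing): findings lists (port, source) pairs where an
    HA port is reachable from outside ha_subnet; missing lists unopened HA ports."""
    findings, covered = [], set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means every protocol and port; such rules carry no FromPort/ToPort.
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        ports = [p for p in HA_PORTS if lo <= p <= hi]
        if not ports:
            continue
        covered.update(ports)
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not src.subnet_of(ha_subnet):
                findings.extend((p, str(src)) for p in ports)
        # The HA subnet is IPv4, so any IPv6 source is outside it.
        for rng in perm.get("Ipv6Ranges", []):
            findings.extend((p, rng["CidrIpv6"]) for p in ports)
    return sorted(findings), sorted(HA_PORTS - covered)

def sample_group(group_id, cidr, ports=(2015, 2018)):
    """Build a constructed security group with one TCP rule per port."""
    return {"GroupId": group_id, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": cidr}]} for p in ports]}

# Constructed samples: the rules exactly as listed in step 6, and a variant
# whose source is limited to the HA subnet (an assumption, not a documented step).
AS_DOCUMENTED = sample_group("sg-EXAMPLE-open", "0.0.0.0/0")
SCOPED = sample_group("sg-EXAMPLE-scoped", "10.0.1.0/24")

if __name__ == "__main__":
    for grp in (AS_DOCUMENTED, SCOPED):
        findings, missing = audit_ha_rules(grp)
        print(grp["GroupId"], "exposed:", findings, "missing:", missing)
```

To run it against a live group, load the output of `aws ec2 describe-security-groups --group-ids <id>` with `json.load` and pass each entry of its `SecurityGroups` list to `audit_ha_rules`.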
To set up the HA-Cluster in the FortiSandbox CLI:
  1. Enter the CLI and perform the following HA config, where -n sets the alias and -c sets the cluster name; both can be customized to your preferred naming convention. In the instructions below, 10.0.0.211 is an example of an HA external communication IP.
    • For the Master Node:
      • hc-settings -sc -tM -nMyHAMaster -cClusterName -p123 -iport2
      • hc-settings -si -iport1 -a10.0.0.211/24
    • For the Primary Slave:
      • hc-settings -sc -tP -nMyPSlave -cClusterName -p123 -iport2
      • hc-slave -a -sMASTER_Port2_IP -p123
    • For the first Regular Slave:
      • hc-settings -sc -tR -nMyRSlave1 -cClusterName -p123 -iport2
      • hc-slave -a -sMASTER_Port2_IP -p123
    • For consecutive Regular Slaves:
      • hc-settings -sc -tR -nMyRSlave2 -cClusterName -p123 -iport2
      • hc-slave -a -sMASTER_Port2_IP -p123
  2. Confirm the status of your HA-Cluster by entering the CLI command hc-status -l on the Master Node. The status for all units within the cluster will be displayed. If the Clone number for any instance is 0 or not displayed, the instance has not been set up with WindowsCloudVM correctly.

Using an HA-Cluster with an Amazon Elastic IP

To use an HA-Cluster with an EIP:
  1. On the AWS EC2 console, navigate to Elastic IPs.
  2. Right-click an available EIP, then click Associate Address. If Associate Address is not present, click Allocate New Address instead.
  3. Select the resource type: Instance.
  4. Select the instance of your HA Master and enter your HA external communication IP as Private IP.
  5. Click Associate. You will now have access to your HA Master from the Elastic IP.
    Note

    When the Master fails over to a Primary Slave, the Elastic IP follows the private IP binding, so it is automatically switched to the Primary Slave.
