FortiSandbox VM on AWS

3.1.0
Optional: Using HA-Cluster

You can set up multiple FortiSandbox instances in a load-balancing HA (high availability) cluster.

For information on using HA clusters, see the FortiSandbox Administration Guide.

Configuring and launching an HA-Cluster

To launch the FortiSandbox instances on AWS:
  1. Configure a VPC and get an AWS API key using the instructions in Setting up an AWS account for FortiSandbox.

    The 10.0.1.0/24 subnet is for HA communication only so the configuration options for a NAT gateway and DHCP are not required.

  2. On the AWS Launch Instances page, search for FortiSandbox on-demand in the marketplace and select it.
  3. On the Configure Instance Details page of the setup wizard, assign port1 to 10.0.0.x, and port2 to 10.0.1.x.
  4. For the primary (formerly master) instance, assign the HA external communication IP as a second private IP address to its port1.
  5. Complete the setup wizard and launch the instance.
  6. Return to the AWS Launch Instances page and set up the remaining FortiSandbox instances for the HA-Cluster, giving each one different port1 and port2 IP addresses.
To configure FortiSandbox instances:
  1. After all instances are created, assign an Elastic IP (EIP) to FortiSandbox AWS port1 so that they can be accessed.
  2. Log into FortiSandbox using the EIP and download the most recent FortiSandbox AWS firmware (version 3.0 or later).
  3. Perform a firmware upgrade for each FSA instance.
  4. In the FortiSandbox GUI, update the WindowsCloudVM clone number.

    Currently, HA mode only supports WindowsCloudVMs. If the clone number for any instance is 0 or not displayed, the instance is not set up with WindowsCloudVM correctly.

  5. On the AWS Config page, fill in the AWS API key information.

    You must do this before setting up HA-Cluster in the CLI.

  6. On AWS Console Instances, for each FSA instance, click the FSA AWS port2 link at the bottom of the Instance Details section, which opens the details for that interface. Click the interface-id, and on the next page, click its Security Groups link.
  7. On the Inbound settings tab of the security group, add:
    • TCP 2015 0.0.0.0/0
    • TCP 2018 0.0.0.0/0
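The following Python check is an added example (the editor's code, not Fortinet's) for verifying the security group from step 7 before moving on to the CLI setup. It reads a group in the shape EC2 DescribeSecurityGroups returns (what boto3's `ec2.describe_security_groups` gives you) and reports, for TCP 2015 and TCP 2018, whether an inbound rule covers the port and from which sources; the sample group is constructed inline so the check runs offline. Narrowing the source from 0.0.0.0/0 to the HA subnet 10.0.1.0/24, which the procedure reserves for HA communication, is a hardening choice the check only reports on, not a step in the procedure.

```python
"""Offline check of a FortiSandbox HA security group (added example, not Fortinet's code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Inbound TCP ports the procedure adds to the port2 security group.
HA_PORTS = (2015, 2018)
# The HA communication subnet from the procedure (port2 addresses are 10.0.1.x).
HA_SUBNET = ipaddress.ip_network("10.0.1.0/24")


def _tcp_port_range(perm: dict) -> Optional[Tuple[int, int]]:
    """Port span covered by one IpPermissions entry, or None if it is not TCP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "All traffic" rule: every protocol and port
        return 0, 65535
    if proto != "tcp":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return None
    return lo, hi


def _wider_than_ha_subnet(cidr: str) -> bool:
    """True if the source CIDR admits any address outside HA_SUBNET."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != HA_SUBNET.version:
        return True               # an IPv6 source cannot lie inside 10.0.1.0/24
    return not net.subnet_of(HA_SUBNET)


def ha_rule_report(security_group: dict) -> Dict[int, dict]:
    """Summarise, per HA port, whether it is open and from which sources.

    security_group is one element of DescribeSecurityGroups' SecurityGroups list
    (the shape boto3's ec2.describe_security_groups returns).
    """
    report = {p: {"allowed": False, "sources": [], "wider_than_ha_subnet": False}
              for p in HA_PORTS}
    for perm in security_group.get("IpPermissions", []):
        span = _tcp_port_range(perm)
        if span is None:
            continue
        lo, hi = span
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # Security-group sources are listed but not range-checked.
        groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for port in HA_PORTS:
            if not (lo <= port <= hi):
                continue
            entry = report[port]
            entry["allowed"] = True
            entry["sources"].extend(cidrs + groups)
            if any(_wider_than_ha_subnet(c) for c in cidrs):
                entry["wider_than_ha_subnet"] = True
    return report


def missing_ha_ports(security_group: dict) -> List[int]:
    """HA ports with no inbound rule at all; an empty list means the group is usable."""
    report = ha_rule_report(security_group)
    return [p for p in HA_PORTS if not report[p]["allowed"]]


# Constructed sample in DescribeSecurityGroups shape: 2015 open to the world as the
# procedure states, 2018 already narrowed to the HA subnet, plus an unrelated 443 rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2015, "ToPort": 2015,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 2018, "ToPort": 2018,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for port, entry in ha_rule_report(SAMPLE_SG).items():
        state = "open" if entry["allowed"] else "MISSING"
        scope = " (wider than the HA subnet)" if entry["wider_than_ha_subnet"] else ""
        print(f"TCP {port}: {state} from {entry['sources'] or '-'}{scope}")
    print("missing:", missing_ha_ports(SAMPLE_SG))
```

Run it against the real group by replacing SAMPLE_SG with the element of `SecurityGroups` that `describe_security_groups(GroupIds=[...])` returns for the port2 interface; an "All traffic" (-1) rule or a port range that spans 2015 and 2018 counts as covering the port, and a security-group source is listed but not evaluated against the subnet.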
To set up HA-Cluster in the FortiSandbox CLI:
  1. Use CLI commands to configure the HA cluster.

    In this example, -n sets the node alias and -c the cluster name. You can customize both to your naming convention. In the commands below, 10.0.0.211 is an example of an HA external communication IP, and Primary_Port2_IP stands for the port2 address of the primary node.

    • For the primary (formerly master) node:
      • hc-settings -sc -tM -nMyHAPrimary -cClusterName -p123 -iport2
      • hc-settings -si -iport1 -a10.0.0.211/24
    • For the secondary (formerly primary slave):
      • hc-settings -sc -tP -nMyPWorker -cClusterName -p123 -iport2
      • hc-slave -a -sPrimary_Port2_IP -p123
    • For the first worker (formerly slave or regular slave):
      • hc-settings -sc -tR -nMyRWorker1 -cClusterName -p123 -iport2
      • hc-slave -a -sPrimary_Port2_IP -p123
    • For consecutive workers (formerly slaves or regular slaves):
      • hc-settings -sc -tR -nMyRWorker2 -cClusterName -p123 -iport2
      • hc-slave -a -sPrimary_Port2_IP -p123
  2. Confirm the status of your HA-Cluster using the CLI command hc-status -l on the primary node.

    The status of all units in the cluster displays. If the clone number of any instance is 0 or not displayed, the instance is not set up with WindowsCloudVM correctly.

Using an HA-Cluster with Amazon Elastic IP

To use an HA-Cluster with an EIP:
  1. On the AWS EC2 console, go to Elastic IPs.
  2. Right-click your available EIPs and select Associate Address.

    If there is no Associate Address, click Allocate New Address.

  3. For resource type, select Network Interface.
  4. Select the Network Interface of your HA primary and choose your HA external communication IP as Private IP.
  5. Click Associate.

    You now have access to your HA primary from the Elastic IP.

    Note

    When a primary failover occurs to a secondary (formerly primary slave), the Elastic IP follows the private IP binding so that it automatically switches to the secondary node.