Customize the CFT template


This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

Before invoking the CFT template to create FortiGate instances, you must download the original template provided by Fortinet and customize it according to your environment. This recipe covers the following customizations:

  • Customization 1: Naming an S3 bucket where FortiGate license and configuration files are placed
  • Customization 2: Pointing to the FortiGate AMI located at the desired region

The CFT template is JSON. After editing it, validate the syntax before you invoke it, either with a JSON editor or validator (several are available online for free) or with `aws cloudformation validate-template --template-body file://template.json`; CloudFormation rejects a template that does not parse. Typical mistakes are missing or unbalanced characters (commas, colons, brackets, and the backslashes that escape quotes inside JSON strings) and single quotation marks where JSON requires double ones.

Customization 1

  1. If you purchased Bring Your Own License (BYOL) licenses, register the serial numbers at https://support.fortinet.com, download the two FortiGate license files and upload them to the S3 bucket.

    The license file names must appear in the CFT template. Keep the bucket private: it holds your license files and the initial configuration, and only the AWS account invoking the CFT template needs to read it. In the two UserData blocks below (around lines 466 and 506 of the original template; the numbers may differ in your copy) set bucket and region for your S3 bucket, license to that unit's license file and config to its configuration file. One block belongs to the primary unit (master.txt), the other to the secondary unit (slave.txt):

    "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
         "{\n",
         "\"bucket\": \"yourbucketname\",\n",
         "\"region\": \"us-east-2\",\n",
         "\"license\": \"\/FGVM329999199999.lic\",\n",
         "\"config\": \"master.txt\"\n",
         "}\n"
    ]]}}

    "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
         "{\n",
         "\"bucket\": \"yourbucketname\",\n",
         "\"region\": \"us-east-2\",\n",
         "\"license\": \"\/FGVM32999999998.lic\",\n",
         "\"config\": \"slave.txt\"\n",
         "}\n"
    ]]}}

  2. The primary and secondary FortiGate each read a plain-text configuration file from the bucket; you choose the file names (master.txt and slave.txt in the template). The files contain FortiGate CLI commands and are executed once, when the instance boots for the first time. Download the original text files and modify them where necessary; the defaults work without modification. The settings you may want to change are:
    1. Hostname
    2. Subnets and IP addresses. The AWS deployment screen proposes default values, which you can change when you invoke the CFT template. Whatever subnets and addresses you enter there must match the ones written in the configuration files.
    3. HA group name
    4. Port assignment (port1 to port4). It is recommended to keep the default role of each port:
      1. port1 (eth0): public-facing subnet
      2. port2 (eth1): internal protected subnet
      3. port3 (eth2): HA heartbeat
      4. port4 (eth3): management (GUI or SSH access to the FortiGate)

    Below is an example configuration file for the primary FortiGate (FortiGate A). The values you normally change are the hostname, the interface addresses, the gateways, the HA group name and the heartbeat peer IP; the peer IP (unicast-hb-peerip) is FortiGate B's port3 address. AWS reserves the first usable address of each subnet for the VPC router, so the gateway on port1 and port4 is normally x.x.x.1. Note that the example enables HTTPS and SSH administration on every interface, including the public-facing port1; in production, limit allowaccess on port1 and manage the units through port4 and its security group:

    # FortiGate A (primary). Lines starting with # are ignored by the FortiGate CLI.
    config system global
        set hostname FGT001A-master
    end
    config system interface
        edit port1
            set mode static
            set ip 192.168.1.13 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias external
        next
        edit port2
            set mode static
            set ip 192.168.2.13 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias internal
        next
        edit port3
            set mode static
            set ip 192.168.3.11 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias hasync
        next
        edit port4
            set mode static
            set ip 192.168.4.11 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias hamgmt
        next
    end
    # Default route out of the public-facing port; x.x.x.1 is the VPC router.
    config router static
        edit 1
            set device port1
            set gateway 192.168.1.1
        next
    end
    config system dns
        set primary 8.8.8.8
    end
    # Outbound policy from the protected subnet to the internet, source NAT enabled.
    config firewall policy
        edit 0
            set name "outgoing"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic disable
            set nat enable
        next
    end
    # Active-passive HA: port3 carries the unicast heartbeat, port4 is the
    # dedicated management interface. priority 255 makes this unit the preferred primary.
    config system ha
        set group-name "test001"
        set mode a-p
        set hbdev "port3" 50
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interface
            edit 1
                set interface port4
                set gateway 192.168.4.1
            next
        end
        set override disable
        set priority 255
        set unicast-hb enable
        set unicast-hb-peerip 192.168.3.12
    end

    Below is the matching configuration file for the secondary FortiGate (FortiGate B). The port roles, netmasks, first firewall policy, HA group name, HA mode and heartbeat interface must be identical to the primary's; the hostname, the interface addresses and the HA priority differ. Change the heartbeat peer IP to FortiGate A's port3 address. As above, the gateway on port1 and port4 is normally x.x.x.1 in the subnet:

    # FortiGate B (secondary). Same structure as A; only the values marked differ.
    config system global
        set hostname FGT001B-slave
    end
    config system interface
        edit port1
            set mode static
            set ip 192.168.1.12 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias external
        next
        edit port2
            set mode static
            set ip 192.168.2.12 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias internal
        next
        edit port3
            set mode static
            set ip 192.168.3.12 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias hasync
        next
        edit port4
            set mode static
            set ip 192.168.4.12 255.255.255.0
            set allowaccess https ping ssh fgfm
            set alias hamgmt
        next
    end
    config router static
        edit 1
            set device port1
            set gateway 192.168.1.1
        next
    end
    config system dns
        set primary 8.8.8.8
    end
    config firewall policy
        edit 0
            set name "outgoing"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic disable
            set nat enable
        next
    end
    # Lower priority than A, and the peer IP is A's port3 address.
    config system ha
        set group-name "test001"
        set mode a-p
        set hbdev "port3" 50
        set session-pickup enable
        set ha-mgmt-status enable
        config ha-mgmt-interface
            edit 1
                set interface port4
                set gateway 192.168.4.1
            next
        end
        set override disable
        set priority 1
        set unicast-hb enable
        set unicast-hb-peerip 192.168.3.11
    end
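    Because the two files must agree on everything except hostnames, addresses, priority and the swapped peer IP, it is worth checking the pair mechanically before uploading it. The script below is an added example, not part of the Fortinet recipe: it parses the config / edit / set / next / end grammar the files use, compares the HA settings, verifies that each unit's unicast-hb-peerip is the other unit's heartbeat address, and warns when administrative protocols are enabled on port1. The sample configs are constructed from the recipe's values and trimmed to the sections the checks read; nothing else about the real files is assumed.

```python
"""Cross-check a FortiGate A / FortiGate B bootstrap config pair (added example)."""
import ipaddress
import shlex


def parse_fortios(text):
    """Flatten FortiOS CLI text into {(context, key): [values]}, where context is the
    tuple of enclosing 'config ...' / 'edit ...' names, e.g. ('system interface', 'port3')."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            cmd, *args = shlex.split(line)   # rejects an unterminated "quote
        except ValueError as e:
            raise ValueError(f"bad quoting in line {line!r}: {e}") from e
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "edit":
            stack.append(args[0])
        elif cmd in ("next", "end"):
            if stack:
                stack.pop()
        elif cmd == "set":
            settings[(tuple(stack), args[0])] = args[1:]
    return settings


def _first(settings, context, key):
    vals = settings.get((context, key))
    return vals[0] if vals else None


def _iface(settings, port):
    vals = settings.get((("system interface", port), "ip"))
    return ipaddress.ip_interface(f"{vals[0]}/{vals[1]}") if vals else None


def check_pair(text_a, text_b):
    """Return (errors, warnings). Errors break HA formation or addressing;
    warnings are hardening points that do not stop the cluster from working."""
    a, b = parse_fortios(text_a), parse_fortios(text_b)
    errors, warnings = [], []
    ha = ("system ha",)
    for key in ("group-name", "mode", "hbdev", "unicast-hb"):   # must be identical
        if a.get((ha, key)) != b.get((ha, key)):
            errors.append(f"system ha {key} differs: {a.get((ha, key))} vs {b.get((ha, key))}")
    if _first(a, ha, "priority") == _first(b, ha, "priority"):
        errors.append("both units have the same HA priority")
    # Every addressed port: distinct address on each unit, same subnet.
    ports = {ctx[1] for (ctx, key) in a.keys() | b.keys()
             if len(ctx) == 2 and ctx[0] == "system interface" and key == "ip"}
    for port in sorted(ports):
        ia, ib = _iface(a, port), _iface(b, port)
        if ia is None or ib is None:
            errors.append(f"{port}: static IP set on only one unit")
        elif ia.ip == ib.ip:
            errors.append(f"{port}: both units use {ia.ip}")
        elif ia.network != ib.network:
            errors.append(f"{port}: {ia.network} vs {ib.network}, units are in different subnets")
    # Each unit's heartbeat peer must be the other unit's hbdev address.
    hbdev = _first(a, ha, "hbdev")
    hb_a, hb_b = _iface(a, hbdev), _iface(b, hbdev)
    if hbdev and hb_a and hb_b:
        if _first(a, ha, "unicast-hb-peerip") != str(hb_b.ip):
            errors.append(f"A's unicast-hb-peerip should be B's {hbdev} address {hb_b.ip}")
        if _first(b, ha, "unicast-hb-peerip") != str(hb_a.ip):
            errors.append(f"B's unicast-hb-peerip should be A's {hbdev} address {hb_a.ip}")
    # Hardening: administrative protocols on the public-facing port1.
    for label, s in (("A", a), ("B", b)):
        allow = set(s.get((("system interface", "port1"), "allowaccess"), []))
        if allow & {"https", "http", "ssh", "telnet"}:
            warnings.append(f"{label}: admin access {sorted(allow)} enabled on public-facing "
                            "port1; restrict it to port4 or lock it down with the security group")
    return errors, warnings


def sample_config(hostname, host_octet, priority, peer_ip, group_name='"test001"'):
    """Constructed from the recipe's A/B files, reduced to what the checks read."""
    return f"""config system global
set hostname {hostname}
end
config system interface
edit port1
set mode static
set ip 192.168.1.{host_octet} 255.255.255.0
set allowaccess https ping ssh fgfm
next
edit port3
set mode static
set ip 192.168.3.{host_octet} 255.255.255.0
set allowaccess ping
next
end
config system ha
set group-name {group_name}
set mode a-p
set hbdev "port3" 50
set priority {priority}
set unicast-hb enable
set unicast-hb-peerip {peer_ip}
end
"""


CONFIG_A = sample_config("FGT001A-master", 11, 255, "192.168.3.12")
CONFIG_B = sample_config("FGT001B-slave", 12, 1, "192.168.3.11")

if __name__ == "__main__":
    errs, warns = check_pair(CONFIG_A, CONFIG_B)
    print("errors:", errs)
    print("warnings:", warns)
```

    Run it against your real master.txt and slave.txt by passing their contents to check_pair; an unterminated quote such as `set group-name "test001` is reported by the parser before any comparison is made.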

Customization 2

The CFT template must point to the FortiGate AMI published in the region you deploy to. The FortiGate AMI is public, but AMI IDs are region-specific and change with each FortiOS release, so you need both the region name and the matching AMI ID.

  1. Find your region name at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions.
  2. Find the FortiGate AMI ID published in that region in the AMI list file linked from this recipe. Before using it, confirm the AMI's owner in the EC2 console; anyone can share a public AMI under a look-alike name.
  3. In the RegionMap mapping, replace the region (us-east-x) and the AMI ID (ami-xxxx) with the values from steps 1 and 2. In the original template this is line 131, but it may differ in your copy:

    129 "Mappings" : {
    130     "RegionMap" : {
    131          "us-east-2"      : { "fgtami" : "ami-1c260d79"}
    132          }},
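Both customizations are mechanical edits to a JSON document, which makes them a good candidate for a script that also performs the syntax check recommended at the top of this recipe. The script below is an added example, not part of the Fortinet recipe or the CFT template: it parses the template, rewrites the two FortiGate UserData bootstrap blocks (Customization 1) in the template's own Fn::Join shape, replaces the RegionMap entry (Customization 2), and reports the line and column of any JSON error. It assumes the template is plain JSON and tells the primary and secondary instance apart by the config file name already in their bootstrap block (master.txt / slave.txt); the embedded template is a constructed stand-in containing only the parts this recipe edits, and its logical IDs FgtA and FgtB are invented.

```python
"""Apply Customizations 1 and 2 to the FortiGate HA CFT template (added example)."""
import copy
import json

# Constructed stand-in for the real template: only the parts this recipe edits.
SAMPLE_TEMPLATE = r'''{
  "Mappings": { "RegionMap": { "us-east-2": { "fgtami": "ami-1c260d79" } } },
  "Resources": {
    "FgtA": { "Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": { "Fn::FindInMap": ["RegionMap", { "Ref": "AWS::Region" }, "fgtami"] },
      "UserData": { "Fn::Base64": { "Fn::Join": ["", [
        "{\n",
        "\"bucket\": \"yourbucketname\",\n",
        "\"region\": \"us-east-2\",\n",
        "\"license\": \"\/FGVM329999199999.lic\",\n",
        "\"config\": \"master.txt\"\n",
        "}\n"
      ]]}}}},
    "FgtB": { "Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": { "Fn::FindInMap": ["RegionMap", { "Ref": "AWS::Region" }, "fgtami"] },
      "UserData": { "Fn::Base64": { "Fn::Join": ["", [
        "{\n",
        "\"bucket\": \"yourbucketname\",\n",
        "\"region\": \"us-east-2\",\n",
        "\"license\": \"\/FGVM32999999998.lic\",\n",
        "\"config\": \"slave.txt\"\n",
        "}\n"
      ]]}}}}
  }
}'''


def check_json(text):
    """Parse template text. Returns (object, None) or (None, 'line L col C: reason')."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as e:
        return None, f"line {e.lineno} col {e.colno}: {e.msg}"


def user_data_text(user_data):
    """Join a UserData Fn::Join back into plain text; '' if it is not in that shape
    (for example a flat list because the inner [ ... ] is missing)."""
    try:
        sep, parts = user_data["Fn::Base64"]["Fn::Join"]
        return sep.join(parts)
    except (KeyError, TypeError, ValueError):
        return ""


def bootstrap_params(user_data):
    """The joined bootstrap block is itself JSON; return it as a dict or None."""
    try:
        params = json.loads(user_data_text(user_data))
    except json.JSONDecodeError:
        return None
    return params if isinstance(params, dict) and "bucket" in params else None


def build_user_data(bucket, region, license_file, config_file):
    """Rebuild the block in the template's own Fn::Join shape (Customization 1)."""
    lic = license_file.lstrip("/")
    parts = [
        "{\n",
        f'"bucket": "{bucket}",\n',
        f'"region": "{region}",\n',
        f'"license": "/{lic}",\n',
        f'"config": "{config_file}"\n',
        "}\n",
    ]
    return {"Fn::Base64": {"Fn::Join": ["", parts]}}


def customize(template, bucket, region, ami_id, license_by_config):
    """Return a customized deep copy. license_by_config maps the config file name
    already in each instance's bootstrap block to the license file for that unit."""
    t = copy.deepcopy(template)
    done = set()
    for name, res in t.get("Resources", {}).items():
        props = res.get("Properties", {})
        params = bootstrap_params(props.get("UserData"))
        if params is None:
            continue                      # not a FortiGate bootstrap block
        cfg = params.get("config")
        if cfg not in license_by_config:
            raise ValueError(f"{name}: unexpected config file {cfg!r}")
        props["UserData"] = build_user_data(bucket, region, license_by_config[cfg], cfg)
        done.add(cfg)
    missing = set(license_by_config) - done
    if missing:
        raise ValueError(f"no instance bootstraps with {sorted(missing)}")
    # Customization 2: the mapping must carry the AMI for the region you deploy into.
    t.setdefault("Mappings", {})["RegionMap"] = {region: {"fgtami": ami_id}}
    return t


def demo():
    template, err = check_json(SAMPLE_TEMPLATE)
    if err:
        raise SystemExit(f"template does not parse: {err}")
    return customize(template, "my-fgt-bootstrap", "eu-west-1", "ami-0123456789abcdef0",
                     {"master.txt": "FGVM0000000000A.lic", "slave.txt": "FGVM0000000000B.lic"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # The kind of mistake the recipe warns about: single quotes are not JSON.
    print("bad snippet ->", check_json("{\"bucket\": 'yourbucketname'}")[1])
```

For the real template, read the downloaded file into check_json instead of SAMPLE_TEMPLATE, pass your own bucket, region, AMI ID and license file names to customize, and write the result back with json.dumps. The bucket name, region and AMI ID used in demo are placeholders.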

By In Hye Lee