Deploying FortiGate-VM virtual appliance in Amazon Web Services


The FortiGate Enterprise Firewall for Amazon Web Services (AWS) is deployed as a virtual appliance in AWS (IaaS). This recipe shows you how to install and configure a single-instance FortiGate-VM virtual appliance in AWS to provide a full NGFW/UTM security solution that protects your workloads in the AWS IaaS.

Networking is a core component of using AWS services, and using virtual private clouds (VPCs), subnets, and virtual gateways helps you secure your resources at the network level.

This recipe covers the deployment of simple web servers, but this type of deployment can be used for any type of public resource protection, with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.

In this recipe, two subnets are created: Subnet1, which connects the FortiGate-VM to the AWS Internet gateway on the public-facing side, and Subnet2, which connects the FortiGate-VM and the Windows server on the private side. The FortiGate's first network interface (eth0, port1 in FortiOS) sits in Subnet1 and its second (eth1, port2) in Subnet2, so every packet between the private subnet and the Internet passes through, and is inspected by, the FortiGate.

1. Determining your licensing model

FortiGate-VM for AWS supports both on-demand (PAYG) and bring-your-own-license (BYOL) licensing models.

On-demand users don’t need to register from the FortiGate GUI console. If you’re using an on-demand licensing model, once you create the FortiGate-VM instance in AWS, contact Fortinet Customer Support (http://www.fortinet.com/support/contact_support.html) with the following information:

If you’re deploying a FortiGate-VM in the AWS Marketplace with BYOL, you must obtain a license to activate it.

2. Registering and downloading your license (BYOL)

Licenses for the BYOL licensing model can be obtained through any Fortinet partner. If you don’t have a partner, contact aws@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code.

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account.

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Enter your details in the other fields.

At the end of the registration process, download the license (.lic) file to your computer. You will upload this license later (in section 6) to activate the FortiGate-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiGate-VM, if you get an error that the license is invalid, wait 30 minutes and try again.

3. Creating an AWS VPC

This section shows you how to create an AWS VPC and create two subnets in it. For many of the steps, you will have a choice to make that can be specific to your own environment.

Log in to the AWS Management Console.

In the Networking & Content Delivery section, select VPC.

In the Virtual Private Cloud menu, select Your VPCs, then select Create VPC.

In the Name tag field, set a name for your VPC.

In the CIDR block field, specify an IPv4 address range for your VPC (for example, 10.0.0.0/16). Both subnets you create next must be carved out of this range.

In the Tenancy field, select Default.

Select Yes, Create.

In the Virtual Private Cloud menu, select Subnets, then select Create Subnet. Create a public subnet (in this example, Subnet1) and a private subnet (Subnet2), as shown in this example. Each subnet needs its own non-overlapping CIDR block inside the VPC's range (for example, 10.0.0.0/24 and 10.0.1.0/24).

Both subnets belong to the VPC that you created.

4. Connect the new VPC to the Internet gateway

This section shows you how to connect the new VPC to the Internet gateway. Note that if you’re using the default VPC, the Internet gateway should already exist.

In the Virtual Private Cloud menu, select Internet Gateways, then select Create Internet Gateway.

In the Name tag field, set a name for the Internet gateway, then select Yes, Create.

Select the Internet gateway, then select Attach to VPC.

Select the VPC that you created and select Yes, Attach.

The state of the Internet gateway will change from detached to attached.

5. Subscribing to the FortiGate-VM

This section shows you how to subscribe to and configure the FortiGate-VM. 

Go to the AWS Marketplace's page for Fortinet FortiGate-VM (BYOL) or FortiGate-VM (PAYG). Select Continue.

Select Manual Launch.

Select Launch with EC2 Console beside the Region you want to launch in.

Select an Instance Type, then select Next: Configure Instance Details.

In the Network field, select the VPC that you created.

In the Subnet field, select the public subnet.

In the Network interfaces section, you will see the entry for eth0 that was created for the public subnet. Select Add Device to add another network interface (in this example, eth1), and select the private subnet. It is recommended that you assign static IP addresses, because the route table and the virtual IP configured later refer to these addresses. FortiOS names these interfaces port1 (eth0) and port2 (eth1).

When an instance is launched with two network interfaces, AWS doesn't assign a public IP address automatically. You must manually associate an Elastic IP address with the public interface later.

Select Review and Launch, then select Launch.

Select an existing key pair or create a new key pair. Select the acknowledgement check box. Select Launch Instances.

To easily identify the instance, set a name for it in the Name field.

In the Network & Security menu, select Elastic IPs, then select an Elastic IP address that is available for you to use. Select Actions > Associate Address.

If you don't have an Elastic IP address available to use, allocate a new one.

In the Resource type section, select Network Interface

In the Network interface field, select the Interface ID of the network interface that you created for the public subnet (in this example, eth0). In the Private IP field, select the IP address that belongs to the public subnet. To find these values, go to the EC2 Management Console, select Instances, and select the interface in the Network interfaces section in the lower pane of the page (Interface ID and Private IP Address fields). Select Associate.

A message is displayed indicating the address association was successful. Note that if the Internet gateway isn't attached to the VPC, the Elastic IP association will fail.

Next, configure the routing tables. Since the FortiGate has two interfaces, one for the public subnet and one for the private subnet, you must configure two routing tables.

To configure the routing table for the public subnet, select VPC in the Networking & Content Delivery section of the AWS Management Console. In the VPC Dashboard, select Your VPCs, and select the VPC you created. In the Summary tab in the lower pane, select the route table ID located in the Route table field; this is the VPC's main route table, which this example uses for the public subnet. To easily identify the route table, set a name for it in the Name field.

In the Routes tab, select Edit, then select Add another route. In the Destination field, type 0.0.0.0/0. In the Target field, type igw and select the Internet Gateway from the auto-complete suggestions. Select Save.

The default route on the public interface in this VPC is now the Internet Gateway.

In the Subnet Associations tab, select Edit, and select the public subnet to associate it with this routing table. Select Save.

To configure the routing table for the private subnet, select Create Route Table. To easily identify the route table, set a name for it in the Name field. Select the VPC you created. Select Yes, Create.

In the Routes tab, select Edit, then select Add another route. In the Destination field, type 0.0.0.0/0. In the Target field, enter the interface ID of the private network interface. To find the interface ID, go to the EC2 Management Console, select Instances, and select the interface in the Network interfaces section in the lower pane of the page (Interface ID field). Select Save.

The default route on the private subnet in this VPC is now the private network interface of the FortiGate.

In the Subnet Associations tab, select Edit, select the private subnet to associate it with this routing table. Select Save.

Two routing tables, one for the public segment and one for the private segment, have now been created with default routes.

In the EC2 Management Console, select Instances, and select the network interface that you created for the private subnet (in this example, eth1) in the Network interfaces section in the lower pane. Select the interface ID.

Select the network interface, select the Actions drop-down menu, select Change Source/Dest. Check. Select Disabled. Select Save.

This step is required because the FortiGate forwards packets whose source and destination addresses are not its own. With the check enabled, AWS drops any packet an interface sends or receives that isn't addressed to or from that interface's own IP address, so traffic from the private subnet would never reach the Internet.
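The console steps in sections 3 to 5 as a single AWS CLI script, added here as an example; it is not part of the Fortinet recipe and not Fortinet's code. The CIDR blocks, addresses, tag names, AMI ID, key pair, instance type and admin CIDR are assumptions, so replace them with your own (the AMI ID comes from the Marketplace listing for your region and licensing model). The script first validates the address plan offline (`check`: subnets inside the VPC range, no overlap, FortiGate addresses not among the ones AWS reserves in every subnet), then builds the VPC, subnets, Internet gateway, security group, the two interfaces with source/destination checking disabled on the private one, the instance, the Elastic IP and both route tables (`deploy`). It needs the AWS CLI configured with credentials allowed to create EC2 and VPC resources.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: sections 3 to 5 as an AWS CLI script.
# Every CIDR, address, name, the AMI, key pair, instance type and ADMIN_CIDR is an assumption.
set -eu

VPC_CIDR="10.0.0.0/16"
PUB_CIDR="10.0.0.0/24"     # Subnet1: FortiGate eth0 (port1 in FortiOS), toward the Internet gateway
PRIV_CIDR="10.0.1.0/24"    # Subnet2: FortiGate eth1 (port2) and the Windows server
FGT_PUB_IP="10.0.0.10"     # static address of eth0; the Elastic IP is mapped to it by AWS
FGT_PRIV_IP="10.0.1.10"    # static address of eth1; default gateway of Subnet2
FGT_AMI="${FGT_AMI:-ami-REPLACE-ME}"          # FortiGate-VM AMI from the Marketplace listing (placeholder)
INSTANCE_TYPE="${INSTANCE_TYPE:-c5.large}"    # assumed; use a type the Marketplace listing supports
KEY_NAME="${KEY_NAME:-fgt-keypair}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.5/32}"    # only source allowed to reach HTTPS admin and the RDP VIP (placeholder)

# ip4_to_int 10.0.1.10 -> 167772426 (dotted quad packed into one integer)
ip4_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# cidr_contains 10.0.0.0/16 10.0.1.10 -> exit 0 when the address lies inside the block
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# check_plan: subnets and FortiGate addresses inside the VPC range, subnets not overlapping,
# and neither address among the ones AWS reserves (first four and last of each subnet).
check_plan() {
    cidr_contains "$VPC_CIDR"  "${PUB_CIDR%/*}"  || return 1
    cidr_contains "$VPC_CIDR"  "${PRIV_CIDR%/*}" || return 1
    cidr_contains "$PUB_CIDR"  "$FGT_PUB_IP"     || return 1
    cidr_contains "$PRIV_CIDR" "$FGT_PRIV_IP"    || return 1
    if cidr_contains "$PUB_CIDR" "${PRIV_CIDR%/*}" || cidr_contains "$PRIV_CIDR" "${PUB_CIDR%/*}"; then
        return 1
    fi
    for pair in "$PUB_CIDR $FGT_PUB_IP" "$PRIV_CIDR $FGT_PRIV_IP"; do
        set -- $pair
        off=$(( $(ip4_to_int "$2") - $(ip4_to_int "${1%/*}") ))
        last=$(( (1 << (32 - ${1#*/})) - 1 ))
        [ "$off" -ge 4 ] && [ "$off" -lt "$last" ] || return 1
    done
}

deploy() {
    check_plan || { echo "address plan is inconsistent, nothing created" >&2; return 1; }
    # 3. VPC with DNS hostnames (needed for the public DNS name used in section 6) and two subnets
    VPC=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
    aws ec2 create-tags --resources "$VPC" --tags Key=Name,Value=fgt-vpc
    aws ec2 modify-vpc-attribute --vpc-id "$VPC" --enable-dns-hostnames '{"Value":true}'
    PUB=$(aws ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PUB_CIDR" --query Subnet.SubnetId --output text)
    PRIV=$(aws ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PRIV_CIDR" --query Subnet.SubnetId --output text)
    # 4. Internet gateway attached to the VPC (the Elastic IP association below fails without it)
    IGW=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
    aws ec2 attach-internet-gateway --internet-gateway-id "$IGW" --vpc-id "$VPC"
    # 5. Security group: admin HTTPS and the RDP VIP from ADMIN_CIDR only; anything from Subnet2 to eth1
    SG=$(aws ec2 create-security-group --group-name fgt-sg --description "FortiGate-VM" \
        --vpc-id "$VPC" --query GroupId --output text)
    aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol tcp --port 443 --cidr "$ADMIN_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol tcp --port 3389 --cidr "$ADMIN_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol all --cidr "$PRIV_CIDR"
    # Two interfaces with static addresses; eth1 forwards traffic that is not addressed to it,
    # so its source/destination check must be off or AWS drops every forwarded packet
    ENI0=$(aws ec2 create-network-interface --subnet-id "$PUB" --private-ip-address "$FGT_PUB_IP" \
        --groups "$SG" --query NetworkInterface.NetworkInterfaceId --output text)
    ENI1=$(aws ec2 create-network-interface --subnet-id "$PRIV" --private-ip-address "$FGT_PRIV_IP" \
        --groups "$SG" --query NetworkInterface.NetworkInterfaceId --output text)
    aws ec2 modify-network-interface-attribute --network-interface-id "$ENI1" --no-source-dest-check
    INSTANCE=$(aws ec2 run-instances --image-id "$FGT_AMI" --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
        --network-interfaces "DeviceIndex=0,NetworkInterfaceId=$ENI0" "DeviceIndex=1,NetworkInterfaceId=$ENI1" \
        --query 'Instances[0].InstanceId' --output text)
    aws ec2 create-tags --resources "$INSTANCE" --tags Key=Name,Value=fortigate-vm
    # With two interfaces no public address is assigned automatically: put an Elastic IP on eth0
    EIP=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
    aws ec2 associate-address --allocation-id "$EIP" --network-interface-id "$ENI0" --private-ip-address "$FGT_PUB_IP"
    # Route tables: public subnet (the VPC's main table) -> IGW; private subnet -> FortiGate eth1
    MAIN_RT=$(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$VPC" Name=association.main,Values=true \
        --query 'RouteTables[0].RouteTableId' --output text)
    aws ec2 create-route --route-table-id "$MAIN_RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW"
    aws ec2 associate-route-table --route-table-id "$MAIN_RT" --subnet-id "$PUB"
    PRIV_RT=$(aws ec2 create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId --output text)
    aws ec2 create-route --route-table-id "$PRIV_RT" --destination-cidr-block 0.0.0.0/0 --network-interface-id "$ENI1"
    aws ec2 associate-route-table --route-table-id "$PRIV_RT" --subnet-id "$PRIV"
    echo "FortiGate $INSTANCE launched; the initial admin password is the instance ID, change it at first login"
}

case "${1:-}" in
    check)  check_plan && echo "address plan OK" ;;
    deploy) deploy ;;
    *)      echo "usage: $0 check|deploy" >&2 ;;
esac
```

Run `sh deploy-fgt.sh check` first; `deploy` refuses to call AWS at all if the plan is inconsistent. The security group deliberately lets only ADMIN_CIDR reach the FortiGate's HTTPS admin port and the RDP port that the section 8 virtual IP will expose; widen it only if you must. The script does not roll back on a failed call, so delete partially created resources by hand if one fails.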

6. Connecting to the FortiGate-VM  

To connect to the FortiGate-VM, you need your login credentials and its public DNS address.

The default username is admin and the default password is the instance ID. Change the password at first login: the instance ID is not a secret, and anyone who can list instances in the AWS account can read it.

You can find the public DNS address in the EC2 Management Console. Select Instances and look at the Public DNS (IPv4) field in the lower pane. If you don't see the DNS address, you may need to enable DNS hostnames on your VPC. In this case, go back to the VPC Management Console, select Your VPCs, and select your VPC. Select the Action drop-down menu, and select Edit DNS Hostnames. Select Yes. Select Save.

Open an HTTPS session using the public DNS address of the FortiGate-VM in your browser (https://<public DNS>). You will see a certificate error message from your browser, which is normal because the default FortiGate certificate is self-signed and isn’t recognized by browsers. Proceed past this error. At a later time, you can upload a publicly-signed certificate to avoid this error.

Log in to the FortiGate-VM with your username and password (the login credentials mentioned above).

If you’re using a BYOL license, upload your license (.lic) file to activate the FortiGate-VM. 

The FortiGate-VM will automatically restart. After it restarts, log in again.

You will now see the FortiGate-VM dashboard.

Depending on your license type, the information in the license widget on the dashboard may vary.

Select Network > Interfaces, and edit the interfaces, if required. If the IP address or subnet mask is missing for port1 or port2, configure these values. They must match the private IP addresses AWS assigned to eth0 and eth1.

7. Setting up the Windows server

In the AWS Management Console, select EC2. Select Launch Instance, then select the Microsoft Windows Server 2012 R2 that applies to your environment.

You will use this to test connectivity with Remote Desktop access.

In the Configure Instance Details step, in the Network field, select the VPC of the FortiGate. In the Subnet field, select the private subnet.

In the Configure Security Group step, configure a security group for the Windows server. Its inbound rules only need to allow the traffic you will send to the server through the FortiGate; in this example, that is Remote Desktop (TCP port 3389), and other ports are optional. Outbound traffic is allowed by the default rule, and it reaches the Internet through the FortiGate because the private subnet's default route points at the FortiGate's private interface. Select Review and Launch.

Select a key pair, select the acknowledgement check box, and select Launch Instances.

8. Configuring FortiGate firewall policies

In the FortiGate-VM console, select Policy & Objects > IPv4 Policy and create two new policies, as shown in this example. 

Create one policy for outgoing traffic from the private subnet (port2), through the public subnet (port1), to the Internet, with NAT enabled so that the traffic leaves with the FortiGate's public-side address. Create another policy for incoming traffic from the Internet (port1), through the public subnet, to the private subnet (port2).

Select Virtual IPs and create a new virtual IP, as shown in the example. This is a static NAT configuration: the external IP address is the private address of port1 (AWS translates the Elastic IP to it before the packet reaches the FortiGate), and the mapped IP address is the Windows server's address in the private subnet.

Edit the second policy. In the Destination field, select the virtual IP that you created.

In the EC2 Management Console, add an inbound rule to allow RDP (in this example, TCP port 3389) to the FortiGate's security group. If you don't do this, you won't be able to connect to the Windows server through the FortiGate with RDP. Restrict the rule's source to the addresses you administer from rather than 0.0.0.0/0.

In your Windows Remote Desktop client, specify the public DNS hostname of the FortiGate and log in. This logs you in to the Windows server through the FortiGate.
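The virtual IP and the two policies from this section expressed as FortiOS CLI and pushed over SSH, added here as an example; it is not part of the recipe and not Fortinet's code. FGT_HOST, the addresses, and the object and policy names are assumptions; port1 and port2 are the FortiOS names of eth0 and eth1, and the antivirus and SSL inspection profile names are the FortiOS defaults. It goes slightly beyond the recipe in one respect: the inbound RDP policy's source is a single admin address object rather than all, so the FortiGate policy enforces the same restriction as the security group rule.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: section 8 as FortiOS CLI pushed over SSH.
# FGT_HOST, the addresses and the object/policy names are assumptions; port1/port2 are the
# FortiOS names of eth0/eth1, and the profile names are the FortiOS defaults.
set -eu

FGT_HOST="${FGT_HOST:-ec2-203-0-113-10.compute-1.amazonaws.com}"  # FortiGate public DNS name (placeholder)
FGT_PUB_IP="${FGT_PUB_IP:-10.0.0.10}"     # port1 private address; AWS maps the Elastic IP onto it
WIN_PRIV_IP="${WIN_PRIV_IP:-10.0.1.20}"   # Windows server in the private subnet (assumed)
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"       # the one host allowed to RDP in (placeholder, TEST-NET-3)

# fgt_config: the static-NAT VIP and the two policies. Policy 1 is the outbound policy with
# NAT and AV; policy 2 is the inbound RDP policy whose destination is the VIP, so the
# FortiGate DNATs port1's address to the Windows server. Its source is narrowed to ADMIN_IP
# instead of "all": the security group already limits 3389, and the policy should too.
fgt_config() {
    cat <<EOF
config firewall address
    edit "admin-host"
        set subnet $ADMIN_IP 255.255.255.255
    next
end
config firewall vip
    edit "vip-windows-rdp"
        set extintf "port1"
        set extip $FGT_PUB_IP
        set mappedip "$WIN_PRIV_IP"
    next
end
config firewall policy
    edit 1
        set name "private-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "internet-to-windows-rdp"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "admin-host"
        set dstaddr "vip-windows-rdp"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
EOF
}

# fgt_config_lint: refuse to push a script whose config/end or edit/next pairs are unbalanced;
# an unbalanced script leaves the CLI in the wrong context, so later lines land in the wrong
# object or fail, and part of the policy never gets applied.
fgt_config_lint() {
    fgt_config | awk '$1 == "config" { c++ } $1 == "end" { c-- }
                      $1 == "edit" { e++ }   $1 == "next" { e-- }
                      END { exit (c != 0 || e != 0) }'
}

# fgt_apply: stream the script into the FortiGate CLI over SSH. Run it from a host inside the
# security group's admin CIDR; the FortiGate reads CLI commands from stdin of the session.
fgt_apply() {
    fgt_config_lint || { echo "config script is unbalanced, not pushing" >&2; return 1; }
    fgt_config | ssh "admin@$FGT_HOST"
}

case "${1:-}" in
    show)  fgt_config ;;
    lint)  fgt_config_lint && echo "config script OK" ;;
    apply) fgt_apply ;;
    *)     echo "usage: $0 show|lint|apply" >&2 ;;
esac
```

`show` prints the script so you can paste it into the console CLI widget instead; `apply` pushes it over SSH. The VIP's external address is port1's private IP, not the Elastic IP: the FortiGate never sees the Elastic IP, because AWS translates it on the way in.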

9. Results

Open a web browser and try to access the following site: metal.fortiguard.com/tests

Scroll down the page and select one of the test virus files that are listed as infected.

You should see a blocked page alert because your Internet access is now protected by FortiGate.

Karyn Jacobs

Technical Writer at Fortinet
Karyn Jacobs is a technical writer on the FortiOS Technical Documentation team. She has a B.A.H. in English and a B.Ed. from Queen’s University, and has worked as a technical writer for the past 20 years at various high tech companies.