FortiGate AutoScaling for New VPC with Mixed BYOL and On-Demand Deployment


In this recipe, you will deploy FortiGate Autoscaling into a new VPC with mixed BYOL and On-Demand Deployment for Amazon Web Services (AWS).

If you are not using an existing VPC for your deployment and have not purchased BYOL licenses from Fortinet, you need to launch a new CloudFormation template. These templates can be found on GitHub.

In most cases, the defaults provided in the template should be sufficient. See AWS Documentation for the parameter types if you need to change from defaults.

You must make your BYOL licenses available to the autoscale script by uploading the license file(s) to a predetermined S3 bucket. The template wizard will prompt you for the name of the S3 bucket. This can be done in advance of deploying the template or after the template is deployed. If the licenses are made available after the stack is deployed, the autoscale script will “sleep” until the licenses are available in the S3 bucket assigned by the template wizard.

1. Uploading BYOL licenses

In the AWS Services Menu, select S3 to create an S3 bucket to store licenses.

Select Create Bucket to add an S3 bucket to store licenses. Set a unique Bucket name and select your Region.  
Select the link for the new S3 bucket, then upload the FortiGate licenses. You can use either the AWS GUI or CLI to upload the licenses. The license file must have a “.lic” suffix.


2. Uploading the template

In the AWS Management Console, go to CloudFormation Service and select Create New Stack.

Under Choose a template, enable Select a sample template, then browse to the template’s location on local storage.


3. Configuring Autoscaling

In Specify Details, set the Stack Name to a name that is unique within the Region. Set ASQueue to an SQS Queue Name that is unique within the scope of your queues.

Set AZForFirewall1 and AZForFirewall2 to the Availability Zones within the region in which you wish to place FortiGate 1 and FortiGate 2 respectively.

In VPC Configuration, select a CIDR block (if different from the defaults provided) that will hold the Public1, Private1, Public2, and Private2 subnets. Provide a unique subnet range for each of the public and private subnets.

In FortiGate Instance Configuration, select an Instance Type for initial FortiGates. Set CIDRForFortiGateAccess to define the Security Group for FortiGate Access and FortiGateKeyPair to allow SSH access to the FortiGate instances.

Provide the name of the S3LicenseBucket. If the S3 bucket does not currently exist, provide a valid S3 bucket name and create the bucket and upload the licenses after this template is deployed. The autoscale script will “sleep” waiting for the creation of the S3 bucket and the licenses to be uploaded.

In ELB Configuration, if you need to change the default values, refer to AWS Documentation.  
In Worker Node Instance Configuration, set ASKeypair to allow SSH access to the FortiGate instances and CIDRForASAccess to define the Security Group for FortiGate Access.  
In Options, you can add additional Tags, Permissions, or Advanced Notification Options as desired. For more information, refer to AWS Documentation.  
Review your parameters and acknowledge the IAM resources notification. Select Create.  
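Before running the wizard it helps to check the values from steps 1 and 3 locally: that every license file carries the .lic suffix the autoscale script expects, that the bucket name is valid, that the four subnet ranges are unique and inside the VPC CIDR, and that the two access CIDRs (which become security-group sources for FortiGate and worker-node SSH/management access) are not left open to the whole internet. The script below is an example added to this recipe, not Fortinet's template or autoscale script. It uses the parameter names the recipe gives (ASQueue, AZForFirewall1, AZForFirewall2, CIDRForFortiGateAccess, FortiGateKeyPair, S3LicenseBucket, ASKeypair, CIDRForASAccess); the key name VPCCIDR, the use of Public1/Private1/Public2/Private2 as parameter keys, and all sample values are assumptions and must be checked against the template you downloaded.

```python
"""Pre-flight checks for the FortiGate autoscale CloudFormation parameters.

Example code added to this recipe; not Fortinet's template or autoscale script.
Keys marked ASSUMED are guesses at the template's parameter names.
"""
import ipaddress
import json
import re

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# beginning and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Subnet parameters the recipe names (ASSUMED to be the template's key names).
SUBNET_KEYS = ("Public1", "Private1", "Public2", "Private2")

# Constructed sample input; replace every value with your own.
SAMPLE = {
    "ASQueue": "fgt-autoscale-queue",
    "AZForFirewall1": "us-west-2a",
    "AZForFirewall2": "us-west-2b",
    "VPCCIDR": "10.0.0.0/16",              # ASSUMED key name for the VPC CIDR block
    "Public1": "10.0.0.0/24",
    "Private1": "10.0.1.0/24",
    "Public2": "10.0.2.0/24",
    "Private2": "10.0.3.0/24",
    "CIDRForFortiGateAccess": "203.0.113.0/24",   # your management range
    "FortiGateKeyPair": "fgt-admin-key",
    "S3LicenseBucket": "example-fgt-licenses",
    "ASKeypair": "fgt-worker-key",
    "CIDRForASAccess": "203.0.113.0/24",
}


def ignored_license_files(filenames):
    """Return the uploads the autoscale script will not pick up: no .lic suffix."""
    return [f for f in filenames if not f.endswith(".lic")]


def check_bucket_name(name):
    """Return a list of errors (empty when the S3 bucket name is well formed)."""
    if BUCKET_RE.match(name):
        return []
    return [f"S3LicenseBucket '{name}' is not a valid S3 bucket name"]


def check_subnets(vpc_cidr, subnets):
    """Each subnet must sit inside the VPC CIDR and must not overlap another one."""
    vpc = ipaddress.ip_network(vpc_cidr)
    seen, errors = {}, []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            errors.append(f"{name} {cidr} is outside the VPC CIDR {vpc_cidr}")
        for other_name, other in seen.items():
            if net.overlaps(other):
                errors.append(f"{name} {cidr} overlaps {other_name} {other}")
        seen[name] = net
    return errors


def check_access_cidr(key, cidr):
    """The access CIDRs become security-group sources; 0.0.0.0/0 would expose
    SSH and management to every address on the internet."""
    if ipaddress.ip_network(cidr).prefixlen == 0:
        return [f"{key} {cidr} allows access from anywhere; restrict it to your management range"]
    return []


def build_parameters(cfg, license_filenames):
    """Validate cfg and return the list CloudFormation accepts for --parameters."""
    errors = check_bucket_name(cfg["S3LicenseBucket"])
    errors += check_subnets(cfg["VPCCIDR"], {k: cfg[k] for k in SUBNET_KEYS})
    for key in ("CIDRForFortiGateAccess", "CIDRForASAccess"):
        errors += check_access_cidr(key, cfg[key])
    errors += [f"{f} lacks the .lic suffix and will be ignored"
               for f in ignored_license_files(license_filenames)]
    if errors:
        raise ValueError("; ".join(errors))
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in cfg.items()]


if __name__ == "__main__":
    # Writes a parameter file usable with: aws cloudformation create-stack --parameters file://params.json
    with open("params.json", "w") as fh:
        json.dump(build_parameters(SAMPLE, ["fgt1.lic", "fgt2.lic"]), fh, indent=2)
```

The checks are deliberately strict about the access CIDRs: the wizard accepts 0.0.0.0/0 without complaint, but that leaves SSH and the FortiGate management interface reachable from any source, so the script refuses to emit a parameter file until the range is narrowed.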

4. Results

Verify that the stack’s Status is shown as CREATE_IN_PROGRESS.  
You can also monitor Stack Creation Events.  
Note: an Availability Zone may not support the instance size chosen for the FortiGate instance. If you get a warning that a specific instance size is not supported, choose a different size or choose a different zone.