Bootstrapping a FortiGate-AWS

1. Storing configuration and license information

On the AWS console, create an Amazon S3 bucket at the root level for the bootstrap files.

2. Setting up IAM roles

IAM roles need S3 bucket read access. In this example, you are applying the existing policy AmazonS3ReadOnlyAccess to the role by adding the following code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

If you need further instructions, please refer to the AWS documentation on IAM Roles for Amazon EC2.

3. Creating S3 buckets with license and firewall configurations

Upload the license file and configuration file(s) to the S3 bucket. In this example, one license file and two configuration files are uploaded.

Amazon S3 creates bucket in a region you specify. You can choose any AWS Region that is geographically close to you to optimize latency, minimize costs, or address regulatory requirements. To choose a region, use the following code:

{
  "bucket" : "confftnt",
  "region" : "us-west-2",
  "license" : "/FGVM080000066848.lic",
  "config" : "/configfirewall.conf",
}

Although the S3 bucket and the firewall can be in different regions, it is highly recommended that they are in the same region in order to speed up the bootstrapping process.

4. Launching the instance using roles and user data

Follow the normal procedure to launch the instance from the AWS marketplace.

When selecting the VPC subnet, the instance needs to be with the role that was created and must specify the information about the license file and configuration file from the AWS S3 bucket previously configured under Advanced Settings.

5. Result

After the instance is launched, check the FortiGate’s System Information widget and verify that the settings and the license information are correct.