Channel: Fortinet Cookbook

Deploying FortiAnalyzer VM in AWS (BYOL)


Bring Your Own License (BYOL) is annual perpetual licensing as opposed to On-Demand, which is an hourly subscription. The BYOL license is available from resellers or your distributors.

In this recipe, you will deploy FortiAnalyzer VM in Amazon Web Services (AWS) in one of two ways: 1-Click Launch or Manual Launch.

Note: 1-Click Launch creates the minimum size of EBS storage for quick setup and viewing. For production purposes, you will need more storage later. To have more storage initially, use Manual Launch. You can also manually add storage after the launch as described further below.

FortiAnalyzer VMs can be deployed on the AWS Elastic Compute Cloud (EC2). Prior to deploying the VM, an Amazon EC2 account is required. You can deploy the FortiAnalyzer VM using the AWS Marketplace launch or directly from the EC2 console.

1a. Deploying FortiAnalyzer VM using 1-Click Launch

Go to the AWS Marketplace’s page for FortiAnalyzer VM. Select Continue.

Select the desired region and instance type. Ensure the instance type fits the size of your deployment and potential future growth.

Select a VPC and subnet as required. Under Security Group, ensure Create new based on seller settings is selected from the dropdown list. The only open port required for the VM’s initial configuration is port 443, which allows for an HTTPS connection to the GUI. The remaining ports can also be opened to allow for all potential FortiAnalyzer communication.

Provide the Key Pair, then click Accept Terms & Launch with 1-Click to deploy the instance. The next page displays a thank you message, and you also receive an email from AWS Marketplace about the subscription. Close the page and go to the EC2 console.

The public DNS address is used to connect to and configure the FortiAnalyzer VM via the GUI.

To connect to the FortiAnalyzer VM management GUI, open a web browser and use the public DNS IPv4 address as the URL: https://<public DNS IPv4 address>. Log in with the default username admin and the instance ID as the password to configure your FortiAnalyzer VM. 

1b. Deploying FortiAnalyzer VM using Manual Launch

Go to the AWS Marketplace’s page for FortiAnalyzer VM. Select Continue, then select Manual Launch.

Click the Launch with EC2 Console button beside your desired region.

Select an instance type. Ensure the instance type fits the size of your deployment and potential future growth. Click Next: Configure Instance Details.

Configure the various attributes:

  • Network (be sure to select a VPC connected to an Internet Gateway; by default, VPCs are connected to an Internet Gateway)
  • Subnet
  • Enable Auto-assign Public IP
  • Others as needed depending on your IT infrastructure requirements

Continue to add storage. Configure the volume type as EBS, the device as /dev/sdb, and the size based on your requirements.

The FortiAnalyzer system reserves a certain portion of disk space for system use and unexpected quota overflow. The remaining space is available for allocation to devices. Reports are stored in the reserved space. The following describes the reserved disk quota relative to the total available disk size (other than the root device):

  • Small disk (less than or equal to 500 GB): system reserves 20% or 50 GB of disk space, whichever is smaller.
  • Medium disk (less than or equal to 1 TB): system reserves 15% or 100 GB of disk space, whichever is smaller.
  • Medium to large disk (less than or equal to 5 TB): system reserves 10% or 200 GB of disk space, whichever is smaller.
  • Large disk (greater than 5 TB): system reserves 5% or 300 GB of disk space, whichever is smaller.

To add additional storage at this point, follow the instructions in step 2.

Click Next: Tag Instance. A tag consists of a key-value pair. It is useful to create tags to quickly identify instances in the EC2 console.

Click Next: Configure Security Group. The default provided security group is based on recommended settings for the FortiAnalyzer VM.

Click Review and Launch. If there is no change needed, click Launch.

You are prompted to choose a key pair. Click the checkbox, then click Launch Instances.

The public DNS IPv4 address is used to connect to and configure the FortiAnalyzer VM via the GUI. You can find the public DNS IPv4 address by locating the FortiAnalyzer VM instance in the EC2 console.

To connect to the FortiAnalyzer VM management GUI, open a web browser and use the public DNS IPv4 address as the URL: https://<public DNS IPv4 address>. Log in with the default username admin and the instance ID as the password to configure your FortiAnalyzer VM.
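Both launch paths create a security group in which port 443 is the only port needed for initial GUI access, and the GUI is then reached with the default admin login. The following added example (not part of the original recipe) checks a security group for GUI exposure beyond a set of trusted networks and for other ports open to any address; the sample data, the admin_cidrs parameter and the finding names are assumptions of the example.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# the group ID, ports other than 443, and CIDRs are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 514, "ToPort": 514,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
]}]}
""")

GUI_PORT = 443  # the only port the recipe requires for initial configuration


def audit_group(group, admin_cidrs):
    """Return (finding, cidr, from_port, to_port) tuples for one security group.

    admin_cidrs is an assumption of this example: the networks that are
    allowed to reach the management GUI.
    """
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" means all protocols and ports, so it covers 443 too.
        covers_gui = proto == "-1" or (proto == "tcp" and lo <= GUI_PORT <= hi)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            trusted = any(net.version == a.version and net.subnet_of(a)
                          for a in allowed)
            if covers_gui and not trusted:
                findings.append(("gui-exposed", cidr, lo, hi))
            elif not covers_gui and net.prefixlen == 0:
                findings.append(("open-to-world", cidr, lo, hi))
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE["SecurityGroups"][0], ["203.0.113.0/24"]):
        print(finding)
```

To audit a real group, feed the function the JSON printed by aws ec2 describe-security-groups for the FortiAnalyzer instance's group.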

2. Adding additional storage (optional)

You can add storage to FortiAnalyzer after launch. Create an EBS volume and attach it to the FortiAnalyzer instance in the EC2 console, then access FortiAnalyzer via SSH and run the command exec lvm extend to add the storage.

For details, refer to http://kb.fortinet.com/kb/viewContent.do?externalId=FD34953.

Log into the FortiAnalyzer GUI and add the volume.
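When sizing the EBS volume to create or add, the reserved disk quota rules listed under Manual Launch determine how much space is left for device logs. The following added example (not part of the original recipe) applies those tiers and finds the smallest volume that leaves a target amount of usable space; it assumes 1 TB = 1024 GB and treats the last tier as disks larger than 5 TB, and the function names are made up for illustration.

```python
TB = 1024  # GB per TB; assumption, the recipe does not say which unit it uses

# (tier upper bound in GB, reserved fraction, reserved cap in GB),
# taken from the recipe's reserved disk quota list.
TIERS = [
    (500, 0.20, 50),            # small disk
    (1 * TB, 0.15, 100),        # medium disk
    (5 * TB, 0.10, 200),        # medium to large disk
    (float("inf"), 0.05, 300),  # large disk (assumed to mean larger than 5 TB)
]


def reserved_gb(disk_gb):
    """Space the system reserves: the tier's percentage or cap, whichever is smaller."""
    for upper, fraction, cap in TIERS:
        if disk_gb <= upper:
            return min(disk_gb * fraction, cap)


def usable_gb(disk_gb):
    """Space left for allocation to devices."""
    return disk_gb - reserved_gb(disk_gb)


def min_disk_for(target_usable_gb):
    """Smallest whole-GB disk whose usable space meets the target.

    Usable space is not monotonic across tier boundaries, so this scans
    upward instead of inverting a single formula.
    """
    size = int(target_usable_gb)
    while usable_gb(size) < target_usable_gb:
        size += 1
    return size


if __name__ == "__main__":
    for size in (200, 500, 501, 2048, 10240):
        print(size, "GB disk ->", round(usable_gb(size), 2), "GB usable")
    print("need 460 GB usable ->", min_disk_for(460), "GB disk")
```

Under these rules a 501 GB disk yields less usable space than a 500 GB disk, because it moves into the next tier with a larger reserved cap.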

3. Installing a valid license

By default, the license expires 14 days after deployment. Go to System Settings.

In the License Information widget on the Dashboard, click the Upload License button.

In the Upload Device License window, click Browse, locate the license file (.lic) on your computer, then click OK to upload the license file. A reboot message is shown, then the FortiAnalyzer VM system reboots and loads the license file. The license file is available once you register on the Fortinet Support Portal.

Refresh the browser and log back into the FortiAnalyzer VM with the username admin. The registration status appears differently than before, reflecting the license in the License Information widget once the license has been validated.

As part of the license validation process, the FortiAnalyzer VM compares its IP address with the IP information in the license file. If a new license file has been imported or the FortiAnalyzer’s IP address has been changed, the FortiAnalyzer VM must be rebooted for the system to validate the change and operate with a valid license.

If the IP address in the license file and the IP configured in the FortiAnalyzer VM do not match, you receive an error message when you log back into the VM.

If this occurs, you must change the IP address in the Fortinet Customer Service & Support portal to match the management IP and re-download the license file.

After an invalid license file has been loaded onto the FortiAnalyzer VM, the GUI is locked until a valid license file is uploaded. You can upload a new license file via the CLI.

4. Configuring your FortiAnalyzer VM

Click the top-right menu icon to access FortiAnalyzer Online Help and the Basic Setup Video. Refer to these and the FortiAnalyzer Administration Guide for more detailed configuration: http://docs.fortinet.com/d/fortianalyzer-5.6.0-administration-guide.


The post Deploying FortiAnalyzer VM in AWS (BYOL) appeared first on Fortinet Cookbook.

