This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:
- Customize the CFT template
- Check the prerequisites
- Review the network failover diagram
- Invoke the CFT template
- Connect to the FortiGates
- [Connectivity test] Configure FortiGate firewall policy
- [Failover test] Shut down FortiGate A
Before invoking the CFT template to create FortiGate instances, you must download the original template provided by Fortinet and customize it according to your environment. This recipe covers the following customizations:
- Customization 1: Naming an S3 bucket where FortiGate license and configuration files are placed
- Customization 2: Pointing to the FortiGate AMI located at the desired region
The CFT template is written in JSON. If you modify anything, it is recommended that you check the syntax with a JSON editor, some of which are available online for free, and fix any errors before invoking the template. Typical errors are missing characters (comma, colon, brackets, backslash, and so on) or incorrect ones (single instead of double quotation marks).
Customization 1
- If you purchased Bring Your Own License (BYOL) licenses, register the serial numbers on https://support.fortinet.com and place the two FortiGate license files under the S3 bucket.
The FortiGate license file names must be included in the CFT template. Ensure the bucket is accessible to the AWS account invoking the CFT template. Modify the following lines as shown below (around lines 466-473 and 506-513 of the original template; the numbers may differ in your copy). The modified values are the bucket name, region, license file name, and configuration file name; they are bolded in the original. The first block is the primary FortiGate (master.txt), the second the secondary FortiGate (slave.txt):

"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"{\n",
"\"bucket\": \"yourbucketname\",\n",
"\"region\": \"us-east-2\",\n",
"\"license\": \"\/FGVM329999199999.lic\",\n",
"\"config\": \"master.txt\"\n",
"}\n"
]]}}

"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"{\n",
"\"bucket\": \"yourbucketname\",\n",
"\"region\": \"us-east-2\",\n",
"\"license\": \"\/FGVM32999999998.lic\",\n",
"\"config\": \"slave.txt\"\n",
"}\n"
]]}}
- The primary and secondary FortiGate each have a plain text configuration file. You can specify the file name. These files contain FortiGate CLI commands and are executed once, the first time the FortiGate instances boot. Download the original text files and modify them where necessary. The default configuration can function without any modification. You can modify the following:
- Hostname
- Subnets and IP addresses. These appear on the AWS screen by default. You can enter these values when proceeding with the deployment on AWS. The subnets and IP addresses specified when invoking the CFT template and those written in the configuration files must match.
- HA group name
- Port number (port1, port2, port3, port4), although it is recommended to keep the default purpose of each port.
The below is an example of the configuration file for the primary FortiGate (FortiGate A), with modifications bolded in the original. The peer IP (unicast-hb-peerip) is FortiGate B's port3 IP address. For the gateway on port1 and port4 in this example, you can usually specify x.x.x.1 in the subnet:
config sys glo
set hostname FGT001A-master
end
config system interface
edit port1
set mode static
set ip 192.168.1.13 255.255.255.0
set allowaccess https ping ssh fgfm
set alias external
next
edit port2
set mode static
set ip 192.168.2.13 255.255.255.0
set allowaccess https ping ssh fgfm
set alias internal
next
edit port3
set mode static
set ip 192.168.3.11 255.255.255.0
set allowaccess https ping ssh fgfm
set alias hasync
next
edit port4
set mode static
set ip 192.168.4.11 255.255.255.0
set allowaccess https ping ssh fgfm
set alias hamgmt
next
end
config router static
edit 1
set device port1
set gateway 192.168.1.1
next
end
config system dns
set primary 8.8.8.8
end
config firewall policy
edit 0
set name "outgoing"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set nat enable
next
end
config system ha
set group-name "test001"
set mode a-p
set hbdev "port3" 50
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interface
edit 1
set interface port4
set gateway 192.168.4.1
next
end
set override disable
set priority 255
set unicast-hb enable
set unicast-hb-peerip 192.168.3.12
end
The below is an example of the configuration file for the secondary FortiGate (FortiGate B), with modifications shown bolded. The hostname, ports, IP addresses, netmasks, first firewall policy name, HA group name, and so on should all be identical to the primary FortiGate’s. Change the peer IP address of the heartbeat. This is FortiGate A’s port3 IP address. For the gateway on ports 1 and 4 in this example, you can usually specify x.x.x.1 in the subnet:
config sys glo
set hostname FGT001B-slave
end
config system interface
edit port1
set mode static
set ip 192.168.1.12 255.255.255.0
set allowaccess https ping ssh fgfm
set alias external
next
edit port2
set mode static
set ip 192.168.2.12 255.255.255.0
set allowaccess https ping ssh fgfm
set alias internal
next
edit port3
set mode static
set ip 192.168.3.12 255.255.255.0
set allowaccess https ping ssh fgfm
set alias hasync
next
edit port4
set mode static
set ip 192.168.4.12 255.255.255.0
set allowaccess https ping ssh fgfm
set alias hamgmt
next
end
config router static
edit 1
set device port1
set gateway 192.168.1.1
next
end
config system dns
set primary 8.8.8.8
end
config firewall policy
edit 0
set name "outgoing"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set nat enable
next
end
config system ha
set group-name "test001"
set mode a-p
set hbdev "port3" 50
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interface
edit 1
set interface port4
set gateway 192.168.4.1
next
end
set override disable
set priority 1
set unicast-hb enable
set unicast-hb-peerip 192.168.3.11
end
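As an added consistency check (not part of the original recipe), the following Python parses abbreviated stand-ins for master.txt and slave.txt and verifies the HA settings the text says must match or must cross-reference: group name, mode and heartbeat device identical on both units, each unit's unicast-hb-peerip equal to the other unit's port3 address, and different priorities. The sample configuration text is constructed for the example and the function names are its own.

```python
# Constructed, abbreviated stand-ins for master.txt / slave.txt (only the stanzas read here).
MASTER_TXT = """config system interface
edit port3
set ip 192.168.3.11 255.255.255.0
next
end
config system ha
set group-name "test001"
set mode a-p
set hbdev "port3" 50
set priority 255
set unicast-hb enable
set unicast-hb-peerip 192.168.3.12
end
"""
# FortiGate B differs only in its own port3 IP, its priority and the peer IP it points at.
SLAVE_TXT = (MASTER_TXT.replace("ip 192.168.3.11 255", "ip 192.168.3.12 255")
             .replace("priority 255", "priority 1")
             .replace("peerip 192.168.3.12", "peerip 192.168.3.11"))

def parse_fgt(text):
    """Flatten FortiGate CLI into {'section/edit/key': value}, following config/edit nesting."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            path.append(line.split(None, 1)[1])
        elif line in ("end", "next"):
            path.pop()
        elif line.startswith("set "):
            _, key, val = line.split(None, 2)
            out["/".join(path + [key])] = val
    return out

def check_ha_pair(a_text, b_text):
    """Return mismatches between the two bootstrap files; an empty list means they are consistent."""
    a, b = parse_fgt(a_text), parse_fgt(b_text)
    problems = []
    for key in ("system ha/group-name", "system ha/mode", "system ha/hbdev"):
        if a.get(key) != b.get(key):  # these must be identical on both units
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    for me, peer, name in ((a, b, "A"), (b, a, "B")):
        peer_ip = peer.get("system interface/port3/ip", "").split(" ")[0]
        if me.get("system ha/unicast-hb-peerip") != peer_ip:  # heartbeat peer = other unit's port3
            problems.append(f"{name}: unicast-hb-peerip should be the peer's port3 IP {peer_ip}")
    if a.get("system ha/priority") == b.get("system ha/priority"):  # the primary must win election
        problems.append("system ha/priority must differ between the units")
    return problems
```

Run it against the real files before uploading them to the bucket; the same parser walks the full configuration shown above, including the nested ha-mgmt-interface block.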
Customization 2
You must modify the CFT template to point to the FortiGate AMI located at the same region. The FortiGate AMI image is publicly available. You must obtain the region name and the AMI ID.
- Find your region name at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions.
- Find the FortiGate AMI ID made public in the selected region. You can find this ID in the list file linked here.
- Modify the line that shows the region (us-east-x) and the AMI ID (ami-xxxx) with the ones found in the two steps above. In the example, this is line 131, but it may differ in your case. Modifications are bolded in the original:
129 "Mappings" : {
130 "RegionMap" : {
131 "us-east-2" : { "fgtami" : "ami-1c260d79"}
132 }},
The post Customize the CFT template appeared first on Fortinet Cookbook.