Chapter 10- Cloud Technologies

10-5 Deploy FortiGate in AWS

Learning Objectives

  • Create a VPC, public and private subnet, Internet Gateway, route tables
  • Create a FortiGate firewall in AWS through Market Place
  • Identify FortiGate subnets in AWS
Scenario: In this lab, we’ll learn how to deploy FortiGate in AWS.

AWS Configuration

1- Create a VPC

Step1 - Create a VPC
Figure 10-107: Step1 – Create a VPC
Create a VPC named "AWS-VPC"
Figure 10-108: Step 2 – Create a VPC named “AWS-VPC”

2- Create a subnet

Step1 - Create a subnet
Figure 10-109: Step1 – Create a subnet
Create a public subnet under AWS-VPC
Figure 10-110: Step2 – Create a public subnet under AWS-VPC
Figure 10-111: Step3 – Create a private subnet under AWS-VPC

3- Create an Internet Gateway

Step1 - Create an Internet Gateway
Figure 10-112: Step1 – Create an Internet Gateway
Create an Internet Gateway
Figure 10-113: Step2 – Create an Internet Gateway
Attach an Internet Gateway to VPC
Figure 10-114: Step3 – Attach an Internet Gateway to VPC
Step4 - Attach an Internet Gateway to VPC
Figure 10-115: Step4 – Attach an Internet Gateway to VPC

4- Create a new Public Route

By default, the VPC's built-in route table has the name "-". Rename it to "Private Route".

Step1 - Change this route to Private Route
Figure 10-116: Step1 – Edit Private Route

Go to Route Tables > Create route table


Step2 - Create a Public Route
Figure 10-117: Step 2 – Create a Public Route
Edit routes on Public Route
Figure 10-118: Step 3 – Edit routes on Public Route
Figure 10-119: Step 4 – Create a new default route to the Internet Gateway
Step5 – Associate Public Subnet to Public Route
Figure 10-120: Step 5 – Associate Public Subnet to Public Route
Step6 – Associate Public Subnet to Public Route
Figure 10-121: Step 6 – Associate Public Subnet to Public Route

5- Create Key Pair

Go to EC2 > Key Pairs > Create key pair

Create a key pair
Figure 10-122: Create a key pair

6- Create Instances

Go to EC2 > Instances > Launch instances

Launch a FortiGate instance
Figure 10-123: Step1 – Launch a FortiGate instance
Select Fortinet FortiGate Next-Generation Firewall
Figure 10-124: Step2 – Select Fortinet FortiGate Next-Generation Firewall
Accept FortiGate license
Figure 10-125: Step3 – Accept FortiGate license
Select FortiGate instance type
Figure 10-126: Step4 – Select FortiGate instance type
Select “Enable” on Auto-Assign Public IP
Figure 10-127: Step5 – Select Network is “AWS-VPC”, Subnet is “Public Subnet” and Auto-assign Public IP is “Enable”
Leave the Add storage as the default
Figure 10-128: Step6 – Leave the Add storage as the default
Assign a tag with Key "Name" and Value "FG"
Figure 10-129: Step7 – Assign Tag with Key is Name and Value is FG
Change to the FortiGate Security Group and add RDP and ICMP rules to the security group
Figure 10-130: Step8 – Change to FortiGate Security Group and add RDP and ICMP to the Security Group
Accept key pair and launch instances
Figure 10-131: Step9 – Accept key pair and launch instances
FG instance has been launched successfully
Figure 10-132: Step10 – FG instance has been launched successfully


Figure 10-133: Step11 – Change default interface name to FG Public Subnet

7- Add a new private subnet interface


Step1 - Create FG Private Subnet
Figure 10-134: Step1 – Create FG Private Subnet
Step2 - Create FG Private Subnet
Figure 10-135: Step2 – Create FG Private Subnet
Attach the FG Private Subnet to FG.
Figure 10-136: Step3 – Change to FG Private Subnet
Attach the FG Private Subnet to FG.
Figure 10-137: Step4 – Attach the FG Private Subnet to FG.
Figure 10-138: Step5 – Attach the FG Private Subnet to FG.

8- Disable Source and Destination check on both FG Private and Public Subnet

AWS drops packets an interface sends or receives whose source or destination IP is not the interface's own unless this check is disabled. The FortiGate forwards traffic on behalf of hosts in the private subnet, so the check must be turned off on both of its interfaces.

Figure 10-139: Step1– Disable source/destination check on FG Private Subnet.
Figure 10-140: Step2 – Disable Source/destination check on FG Private Subnet.
Figure 10-141: Step3 – Disable source/destination check on FG Public Subnet.


Figure 10-142: Step4 – Disable source/destination check on FG Public Subnet.

9- Edit private route table

Figure 10-143: Step1 – Edit Private Route
Figure 10-144: Step2 – Add a default route- Select Network Interface
Figure 10-145: Step3 – Add a default route to target FG Private Subnet

10- Verify Public and Private IP address of FG


Figure 10-146: Verify Public and Private IP address of FG
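The AWS side of this lab (steps 1 through 9) expressed as a Terraform configuration, added here as an example; it is not from the original page or from Fortinet. CIDRs and resource names are assumed, and the FortiGate instance itself (Marketplace AMI, security group, key pair) is left out, so the two ENIs are created unattached. The private subnet is deliberately not associated with any table, so it uses the VPC's built-in main route table exactly as the lab does.

```hcl
# Added example, not from the lab page: its VPC layout as Terraform. CIDRs are assumed.
resource "aws_vpc" "aws_vpc" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "AWS-VPC" }
}
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.aws_vpc.id
  cidr_block = "10.0.1.0/24"
  tags       = { Name = "Public Subnet" }
}
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.aws_vpc.id
  cidr_block = "10.0.2.0/24"
  tags       = { Name = "Private Subnet" }
}
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.aws_vpc.id }
# Public Route (step 4): new table with a default route to the Internet Gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.aws_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = { Name = "Public Route" }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# FortiGate ENIs (steps 6-8): source_dest_check = false, or AWS drops forwarded packets.
resource "aws_network_interface" "fg_public" {
  subnet_id         = aws_subnet.public.id
  source_dest_check = false
  tags              = { Name = "FG Public Subnet" }
}
resource "aws_network_interface" "fg_private" {
  subnet_id         = aws_subnet.private.id
  source_dest_check = false
  tags              = { Name = "FG Private Subnet" }
}
# Private Route (steps 4, 9): the built-in main table, renamed; LAN egress goes via the FG ENI.
resource "aws_default_route_table" "private" {
  default_route_table_id = aws_vpc.aws_vpc.default_route_table_id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.fg_private.id
  }
  tags = { Name = "Private Route" }
}
```

After `terraform apply`, the FortiGate instance is launched with `fg_public` as its primary interface and `fg_private` attached as the second, matching step 7 of the lab.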

11- Accessing FortiGate on AWS

Type the FortiGate's public IP address in the browser. You should see the FortiGate login page. Enter your username and password to log in to the firewall.

Figure 10-147: Step1 – Access FortiGate
Figure 10-148: Step2 – Access FortiGate
Figure 10-149: Step3 – The username is admin and the password is the FortiGate instance ID
Figure 10-150: Step4 – Change password
Figure 10-151: FortiGate dashboard

Set port1 and port2 as DHCP clients so that each receives an IP address from its subnet. Port1 belongs to the External subnet (the Internet side) and port2 belongs to the LAN.

Table 10-5: Port1 and Port2 description

Subnet   Description
Port1    External subnet used to connect the FortiGate-VM to the Internet.
Port2    LAN subnet used to deploy services.

Figure 10-152: Change port2 to DHCP Client
Figure 10-153: FortiGate interfaces
