fortianalyzer-aws-ha-singleaz-cloudformation

Version:
Last updated: Mon, Jul 7, 2025 14:21:27 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.


Introduction

Welcome

The purpose of this site is to provide a quick start guide for using Infrastructure as Code (IaC) templates located in the repo fortianalyzer-aws-ha-singleaz-cloudformation.

Reference the prerequisites and deployment sections on this site to get started.

For other documentation needs such as FortiOS administration and additional use cases, please reference docs.fortinet.com.

Prerequisites

Before attempting to create a stack with the template, a few prerequisites should be checked to ensure a successful deployment:

  1. An AMI subscription must be active for the FortiAnalyzer license type being used in the template.

  2. The solution requires 3 EIPs to be created, so ensure the AWS region being used has available capacity. Reference AWS Documentation for more information on EC2 resource limits and how to request increases.

  3. If BYOL licensing is to be used, ensure these licenses have been registered on the support site.

  4. Create a new S3 bucket in the same region where the template will be deployed. If the bucket is in a different region than the template deployment, bootstrapping will fail.

  5. If BYOL licensing is to be used, upload these licenses to the root directory of the same S3 bucket from the step above.

  6. Ensure that the PublicSubnet’s AWS route table has a default route to an AWS Internet Gateway, otherwise bootstrapping and licensing will fail. Reference AWS Documentation for further information.

  7. If using the existing VPC template and you are deploying into private subnets, ensure an S3 endpoint is deployed in that subnet and that a VPC route allows reachability to FortiCloud for license validation and PAYG registration.

  8. If PAYG licensing is to be used, you will need to configure HA peers as the serial numbers are generated on first boot. First, log in via SSH or the serial console and get the serial number with ‘get system status’, then register it in FortiCloud. Next, reboot the instances with ‘exec reboot’. In the GUI, navigate to System Settings > HA and add the primary interface IP and serial number of the HA peer on both instances.
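Prerequisites 4 and 6 can be verified before the stack is created. The following is an added example, not code from the Fortinet repo: it evaluates the JSON printed by the two AWS CLI commands named in its comments, and the bucket location, route table, subnet and gateway IDs in it are constructed sample values.

```python
# Constructed sample output of:
#   aws s3api get-bucket-location --bucket <bucket>
#   aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>
BUCKET_LOCATION = {"LocationConstraint": None}  # how S3 reports us-east-1
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"}]},
    {"RouteTableId": "rtb-0public",
     "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
                 "State": "active"}]}]}

def bucket_region(location):
    """S3 returns null for us-east-1 and the legacy value "EU" for eu-west-1."""
    value = location.get("LocationConstraint")
    return {None: "us-east-1", "EU": "eu-west-1"}.get(value, value)

def effective_route_table(tables, subnet_id):
    """Explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for table in tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main

def has_igw_default_route(table):
    """True if the table has an active 0.0.0.0/0 route to an internet gateway."""
    return table is not None and any(
        route.get("DestinationCidrBlock") == "0.0.0.0/0"
        and route.get("GatewayId", "").startswith("igw-")
        and route.get("State") == "active"
        for route in table.get("Routes", []))

def check_prerequisites(deploy_region, location, tables, subnet_id):
    """Return a list of problems for prerequisites 4 and 6; empty means pass."""
    problems = []
    region = bucket_region(location)
    if region != deploy_region:
        problems.append(f"S3 bucket is in {region}, not {deploy_region}")
    if not has_igw_default_route(effective_route_table(tables, subnet_id)):
        problems.append(f"{subnet_id}: no active default route to an internet gateway")
    return problems
```

A subnet without an explicit route table association (subnet-0bbb in the sample data) inherits the VPC main route table, which is why the check falls back to it.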

Deployment

Once the prerequisites have been satisfied, proceed with the deployment steps below.

  1. To download the template, you can either clone the repo with the git command below, or download the repo as a ZIP archive. The template is in the /cloudformation folder.

     git clone https://github.com/FortinetCloudCSE/fortianalyzer-aws-ha-singleaz-cloudformation.git

  2. Log in to your AWS account. In the AWS services page under All Services > Management Tools, select CloudFormation.

  3. Select Create Stack, then select with new resources.

  4. On the Select Template page, under the Choose a Template section, select Upload a template to Amazon S3 and browse to your local copy of the chosen deployment template.

  5. On the Specify Details page, you will be prompted for a stack name and parameters for the deployment. We are using the ‘FortiAnalyzer_HA_singleaz_NewVPC.template.json’ template, which deploys FAZ into a new VPC’s public subnets and gives options for configuring the instance settings.

  6. In the FortiAnalyzer Instance Configuration parameters section, we have selected an Instance Type and Key Pair to use, and chose to encrypt both OS and Log disks, as well as Flex licensing. Notice we are prompted for the licensing type; we are going with BYOL. In our case we do not need to fill out the InitS3Bucket parameter.

  7. In the Interface IP Configuration for the FortiAnalyzer parameters section, we are going with the defaults in this example as the subnet addressing matches. This IP will be the primary IP assigned to the FortiAnalyzer ENI.

  8. On the Options page, scroll down to the capabilities section. As the template will create IAM resources, you need to acknowledge this by checking the box next to ‘I acknowledge that AWS CloudFormation might create IAM resources’ and then click Next.

  9. On the Review page, you can scroll to the bottom and select Submit.

  10. On the main AWS CloudFormation console, you will now see your stack being created. You can monitor the progress by selecting your stack and then selecting the Events tab.

  11. Once the stack creation has completed successfully, select the Outputs tab to get the login information for the FortiAnalyzer instances.

  12. This concludes the template deployment example.
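Before checking the IAM acknowledgement box on the Options page, it is worth knowing which IAM resources a template declares and whether their policies use wildcards. The following is an added example, not code from the Fortinet repo; SAMPLE_TEMPLATE and every name in it are constructed for illustration and do not reproduce the contents of the Fortinet template.

```python
import json

# Constructed sample for illustration; NOT the contents of the Fortinet template.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "ExampleRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "example", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:AssociateAddress"],
       "Resource": "*"},
      {"Effect": "Allow", "Action": "s3:GetObject",
       "Resource": {"Fn::Sub": "arn:aws:s3:::${ExampleBucket}/*"}}]}}]}},
  "ExampleProfile": {"Type": "AWS::IAM::InstanceProfile",
                     "Properties": {"Roles": [{"Ref": "ExampleRole"}]}},
  "ExampleInstance": {"Type": "AWS::EC2::Instance", "Properties": {}}}}
""")

def _as_list(value):
    """IAM allows a single value or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def iam_resources(template):
    """Logical IDs and types of every AWS::IAM::* resource the stack creates."""
    return {name: res["Type"]
            for name, res in template.get("Resources", {}).items()
            if res.get("Type", "").startswith("AWS::IAM::")}

def wildcard_statements(template):
    """Allow statements whose Action or Resource contains a literal wildcard."""
    findings = []
    for name in iam_resources(template):
        props = template["Resources"][name].get("Properties", {})
        # Inline policies on roles, plus the single document of AWS::IAM::Policy.
        docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        docs.append(props.get("PolicyDocument", {}))
        for doc in docs:
            for stmt in _as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = [a for a in _as_list(stmt.get("Action"))
                           if isinstance(a, str) and "*" in a]
                any_resource = "*" in _as_list(stmt.get("Resource"))
                if actions or any_resource:
                    findings.append((name, actions, any_resource))
    return findings
```

To review the downloaded template, pass the result of json.load() on the file from the /cloudformation folder to both functions. Intrinsic functions such as Fn::Sub are not resolved, so only literal wildcards are reported.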