fortigate-aws-gwlb-cloudformation

Version:
Last updated: Thu, May 22, 2025 22:22:06 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Subsections of fortigate-aws-gwlb-cloudformation

Introduction

Example Diagram Example Diagram

Example Diagram Example Diagram

Welcome

The purpose of this site is to provide a quick start guide for using Infrastructure as Code (IaC) templates located in the repo fortigate-aws-gwlb-cloudformation.

Reference the prerequisites and deployment sections on this site to get started.

For detailed documentation on FortiGates with GWLB in AWS, walk through of a post deployment failover, and additional use cases, please reference CSE Team GWLB in AWS.

For other documentation needs such as FortiOS administration, please reference docs.fortinet.com.

Prerequisites

Before attempting to create a stack with the templates, a few prerequisites should be checked to ensure a successful deployment:

  1. An AMI subscription must be active for the FortiGate license type being used in the template.

  2. The solution requires 1 EIP per FGT to be created so ensure the AWS region being used has available capacity. Reference AWS Documentation for more information on EC2 service quotas and how to request increases.

  3. If BYOL licensing is to be used, ensure these licenses have been registered on the support site.

  4. If BYOL licensing is to be used, create a new S3 bucket in the same region where the template will be deployed. If the bucket is in a different region than the template deployment, bootstrapping will fail and the FGTs will be inaccessible.

  5. If BYOL licensing is to be used, upload these licenses to the root directory of the same S3 bucket from the step above.

Deployment

Once the prerequisites have been satisfied proceed with the deployment steps below.

  1. To download the templates, you can either clone the repo with the git command below or download the repo as a ZIP archive. The templates themselves are located in the /cloudformation folder

    git clone https://github.com/FortinetCloudCSE/fortigate-aws-gwlb-cloudformation.git

  2. Login to your AWS account. In the AWS services page under All Services > Management Tools, select CloudFormation.

  3. Select Create Stack then select with new resources.

  4. On the Select Template page, under the Specify Template section select Upload a template file to Amazon S3 and browse to your local copy of the chosen deployment template.

  5. On the Specify Details page, you will be prompted for a stack name and parameters for the deployment. We are using the ‘SecurityVPC_FGT_GWLB_MultiAZ.template.json’ template which deploys a new VPC, gives options for TGW integration, and deploys multiple FGTs as well.

    Tip

    We are choosing to deploy TGW so we have set both ‘TgwAttach’ and ‘TgwCreation’ to ‘Yes’ and setting the tgw route to 0.0.0.0/0 for centralized egress and east/west. Note you can also attach to an existing TGW by changing ‘TgwCreation’ to ‘No’ and providing the appropriate values for the ‘TgwExisting…’ parameters.

  6. In the FortiGate Instance Configuration parameters section, we have selected the number of FGTs per AZ to 2 and Key Pair to use for the FGTs as well as Flex licensing. Since we are using FLEX licensing, we can leave the InitS3Bucket empty but need to specify the Flex tokens to use. Then select Next.

    Tip

    Since we are deploying 2 FGTs per AZ, we are specifying the first set of Flex tokens for FGT1a and FGT2a in FortiFlexTokensFor1stFgtPerAZ and then the second set for FGT1b and FGT2b in FortiFlexTokensFor2ndFgtPerAZ.

  7. On the Options page, you can scroll to the bottom and select Next. On the Review page, scroll down to the capabilities section. As the template will create IAM resources, you need to acknowledge this by checking the box next to ‘I acknowledge that AWS CloudFormation might create IAM resources’ and then click Submit.

  8. On the main AWS CloudFormation console, you will now see your stack being created. You can monitor the progress by selecting your stack and then select the Events tab.

  9. Once the stack creation has completed successfully, select the Outputs tab to get the login information for the FGT instances. If you chose to deploy a new TGW as part of the deployment you will see the IDs of your Transit Gateway and TGW Route Tables. These will be used as inputs for the ‘SpokeVPC_TGW_MultiAZ.template.json’ template.

  10. Select the Outputs tab of the security stack to get the login information for the FGT instances.

  11. This concludes the template deployment example.