fortigate-aws-ha-dualaz-terraform

Example Diagram

Last updated: Thu, May 22, 2025 22:03:26 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.


Introduction


Welcome

The purpose of this site is to provide a quick start guide for using Infrastructure as Code (IaC) templates located in the repo fortigate-aws-ha-dualaz-terraform.

Reference the prerequisites and deployment sections on this site to get started.

For detailed documentation on FGCP in AWS, a walkthrough of a post-deployment failover, and additional use cases, please reference CSE Team FGCP in AWS.

For other documentation needs such as FortiOS administration, please reference docs.fortinet.com.

Prerequisites

Before attempting to create a stack with the templates, a few prerequisites should be checked to ensure a successful deployment:

  1. An AMI subscription must be active for the FortiGate license type being used in the template.

  2. The solution requires 3 EIPs to be created so ensure the AWS region being used has available capacity. Reference AWS Documentation for more information on EC2 resource limits and how to request increases.

  3. If BYOL licensing is to be used, ensure these licenses have been registered on the support site and license files downloaded locally.

  4. Ensure that the AWS route tables of all of the PublicSubnets and HAmgmtSubnets have a default route to an AWS Internet Gateway. Reference AWS Documentation for further information. Otherwise you must set the variable only_private_ec2_api to `true`.
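An added check for prerequisite 4 (example code, not part of the repo): it reads the JSON from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`, resolves each subnet to its route table (falling back to the VPC's main table when a subnet has no explicit association, which is the case that is easy to miss), and reports whether the guide's rule forces only_private_ec2_api to `true`. All resource ids in the embedded sample are constructed placeholders.

```python
"""Prerequisite 4 check: does each public / HA-mgmt subnet route 0.0.0.0/0 to an IGW?
Input is the JSON printed by `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`.
"""
import json

def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table a subnet uses: explicit association wins, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_igw_default_route(route_table):
    """True if the table has an active 0.0.0.0/0 route whose target is an Internet Gateway."""
    if route_table is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active"
               and r.get("GatewayId", "").startswith("igw-") for r in route_table.get("Routes", []))

def check_subnets(describe_output, subnet_ids):
    """Map each subnet id to whether prerequisite 4 holds for it."""
    route_tables = json.loads(describe_output)["RouteTables"]
    return {s: has_igw_default_route(route_table_for_subnet(route_tables, s)) for s in subnet_ids}

def only_private_ec2_api_required(describe_output, subnet_ids):
    """The guide's rule: any subnet without the IGW default route means only_private_ec2_api = true."""
    return not all(check_subnets(describe_output, subnet_ids).values())

# Constructed sample in the shape of describe-route-tables output; all ids are placeholders.
SAMPLE = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-main0000", "VpcId": "vpc-0000",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public00", "VpcId": "vpc-0000",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub1", "RouteTableId": "rtb-public00"},
                      {"Main": False, "SubnetId": "subnet-pub2", "RouteTableId": "rtb-public00"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000", "State": "active"}]}]})

if __name__ == "__main__":
    subnets = ["subnet-pub1", "subnet-pub2", "subnet-hamgmt1"]  # hamgmt1: no explicit association
    print(check_subnets(SAMPLE, subnets))
    print("set only_private_ec2_api = true:", only_private_ec2_api_required(SAMPLE, subnets))
```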

Deployment

Once the prerequisites have been satisfied proceed with the deployment steps below.

  1. Clone this repo with the command below.

     git clone https://github.com/FortinetCloudCSE/fortigate-aws-ha-dualaz-terraform.git

  2. Change directories and modify the terraform.tfvars file with your credentials and deployment information.

     Note: In the terraform.tfvars file, the comments explain what inputs are expected for the variables. For further details on a given variable or to see all possible variables, reference the variables.tf file.

     cd fortigate-aws-ha-dualaz-terraform/terraform
     nano terraform.tfvars

  3. When ready to deploy, use the commands below to run through the deployment.

     terraform init
     terraform validate
     terraform apply --auto-approve

  4. When the deployment is complete, you will see login information for the FortiGates like so.

     Apply complete! Resources: 33 added, 0 changed, 0 destroyed.

     Outputs:

     fgt_login_info = <<EOT

       # fgt username: admin
       # fgt initial password: i-0eb689028cc992e41
       # cluster login url: https://13.56.40.46

       # fgt1 login url: https://52.8.158.219
       # fgt2 login url: https://54.241.49.19

       # tgw_creation: no

     EOT