How to deploy FortiGate in AWS

FortiGate devices can be deployed in Amazon Web Services (AWS) to protect your cloud infrastructure. By combining the scalability of AWS with FortiGate's security features, you can secure your workloads, apply advanced threat protection, and build site-to-site VPNs for hybrid deployments.

This guide carries on from our previous post on setting up an IPsec VPN tunnel from an on-prem FortiGate to AWS. I would recommend reading that post before continuing, as we will be building on the VPC, subnets and route table created there. You can find the post linked below.

Setting up an IPsec VPN Tunnel from On-Prem FortiGate to AWS
Setting up an IPsec VPN tunnel between an on-premises FortiGate device and AWS enables secure communication between your local network and resources hosted in the AWS cloud. This configuration is commonly used to extend an enterprise network to the cloud, allowing seamless and encrypted data exchange for hybrid environments.

Objectives:

  • Add a private route table and associate the subnets with the correct route tables.
  • Deploy a FortiGate firewall in AWS via the Marketplace.
  • Attach network interfaces in the public and private subnets to the FortiGate and configure them.

AWS Configuration

  1. Log into the AWS Management Console.

At the moment we have two subnets from the previous post: a Public subnet and a Private subnet.

  2. We need a route table for the Private subnet. Go to Virtual private cloud > Route tables.
  3. Create a new route table called Private Route.
  4. Rename the existing route table (the one from the previous post) to Public Route.
  5. Click Edit subnet associations on Public Route and add the Public subnet. The Public subnet and Public Route are now associated. A subnet with no explicit association uses the VPC's main route table, so make sure the Private subnet ends up associated with Private Route; otherwise the default route we add to Private Route later will not apply to hosts in that subnet.
  6. Set up a Key Pair for the VM. Type EC2 in the search bar, then go to Network & Security > Key Pairs > Create Key Pair. Name it AWS-Lab and choose the .pem format.
  7. Go to the EC2 dashboard and click Launch instance.
  8. Click Browse more AMIs.
  9. Search for Fortinet and select Fortinet FortiGate Next-Generation Firewall.
  10. Press Subscribe now.
  11. Make sure the image has been selected in the options; the AMI catalog should show FortiGate-VM64.
  12. Choose the t2.small instance type, which the Marketplace listing offers with a free trial that lasts 30 days. Note that a Marketplace trial covers the FortiGate software charge only; the EC2 instance itself is still billed. Set the key pair to AWS-Lab.
  13. In the network settings section, configure the instance to use what we created beforehand:
  • VPC: VPC AWS Subnet
  • Subnet: Public Subnet
  • Auto-assign public IP: Enable
  • Create security group: Name: FortiGate Security Group, Description: FortiGate Security Group
  14. The listing's default security group rules all use source type Custom with source 0.0.0.0/0. That means any IPv4 address on the internet, not just our internet gateway. It is acceptable for a lab, but for anything longer-lived restrict the management rules (SSH and HTTPS) to the public IP of your on-prem FortiGate or admin network.
  15. Add two new security group rules, one for RDP and one for All ICMP - IPv4, also with source 0.0.0.0/0.
  16. Storage should show two volumes, 2 GiB and 30 GiB, by default; leave them as they are.
  17. Launch the instance.
  18. Rename the instance to FortiGate.
  19. Go to Network & Security > Network Interfaces.
  20. Rename the interface that was created with the instance to FortiGate Public Subnet.
  21. Create a new network interface. Name it FortiGate Private Subnet, place it in the Private subnet and add the FortiGate Security Group to it. Both the FortiGate Public Subnet and FortiGate Private Subnet interfaces should now be listed.
  22. Select FortiGate Private Subnet, click Attach and choose the FortiGate instance.
  23. With FortiGate Private Subnet still selected, click Change Source/Dest Check, disable the source/destination check and save.
  24. Do the same for FortiGate Public Subnet. By default an EC2 network interface drops packets whose source or destination address is not one of its own; a firewall forwards traffic on behalf of other hosts, so the check has to be off on both interfaces.
  25. Go back to the VPC, open Route tables, select Private Route and click Edit routes.
  26. Add a route for destination 0.0.0.0/0, set the target type to Network Interface and select the FortiGate Private Subnet interface. Click Save changes. All traffic leaving the Private subnet is now sent to the FortiGate.
  27. Back on the FortiGate instance we can see the public IP address and the private IP address of the device. Right-click the public IP address (or paste it into the address bar prefixed with https://) to bring up the FortiGate GUI in the browser. The FortiGate ships with a factory certificate your browser will not trust, so expect a certificate warning on the first connection.
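
The AWS side can be sanity-checked before touching the FortiGate. The following Python script is an added example, not part of the original post, that runs the three checks a practitioner would want on the layout built above: whether every subnet is explicitly associated with a route table (step 5), whether the FortiGate interfaces have the source/destination check disabled and the default route points at one of them (steps 23 to 26), and whether the security group opens management ports to the whole internet (steps 14 and 15). It works on a constructed snapshot of the objects the console shows; the interface and gateway IDs, the VPC CIDR 10.0.0.0/16 and the trusted on-prem prefix 203.0.113.0/24 are invented for illustration, and the data is typed in rather than pulled from the API.

```python
"""Pre-flight checks for the FortiGate-in-AWS layout (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Management ports worth guarding: SSH, HTTPS GUI, FortiManager (541) and the RDP rule added above.
MGMT_PORTS = {22, 443, 541, 3389}


@dataclass
class Eni:
    eni_id: str
    name: str
    source_dest_check: bool


@dataclass
class RouteTable:
    name: str
    subnets: list   # subnets explicitly associated with this table
    routes: dict    # destination CIDR -> target ("local", igw-..., eni-...)


@dataclass
class SgRule:
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    source: str     # source CIDR


def unassociated_subnets(subnets, route_tables):
    """Subnets with no explicit association silently use the VPC main route table,
    so a default route placed in 'Private Route' would never apply to them."""
    associated = {s for rt in route_tables for s in rt.subnets}
    return [s for s in subnets if s not in associated]


def eni_findings(route_tables, enis, firewall_enis):
    """Firewall interfaces need source/dest check off, and a default route that targets
    an ENI must target one of the firewall's own interfaces."""
    by_id = {e.eni_id: e for e in enis}
    out = []
    for eni_id in sorted(firewall_enis):
        if by_id[eni_id].source_dest_check:
            out.append(f"{by_id[eni_id].name}: source/dest check still enabled, forwarded traffic will be dropped")
    for rt in route_tables:
        target = rt.routes.get("0.0.0.0/0")
        if target and target.startswith("eni-") and target not in firewall_enis:
            out.append(f"{rt.name}: default route targets {target}, which is not a firewall interface")
    return out


def exposed_mgmt_rules(sg_rules, trusted):
    """TCP rules that open a management port to a source wider than the trusted prefixes."""
    trusted_nets = [ip_network(t) for t in trusted]
    out = []
    for r in sg_rules:
        if r.protocol != "tcp":
            continue
        ports = sorted(p for p in MGMT_PORTS if r.from_port <= p <= r.to_port)
        if not ports:
            continue
        src = ip_network(r.source)
        if not any(src.version == t.version and src.subnet_of(t) for t in trusted_nets):
            out.append(f"tcp {ports} open to {r.source}")
    return out


def run_checks(subnets, route_tables, enis, firewall_enis, sg_rules, trusted):
    findings = [f"{s}: no explicit route table association, falls back to the main route table"
                for s in unassociated_subnets(subnets, route_tables)]
    return findings + eni_findings(route_tables, enis, firewall_enis) + exposed_mgmt_rules(sg_rules, trusted)


# Constructed snapshot of the lab after the steps above. IDs, the VPC CIDR and the
# on-prem prefix are invented; the Private subnet is deliberately left unassociated.
SUBNETS = ["Public Subnet", "Private Subnet"]
ENIS = [
    Eni("eni-0aaa", "FortiGate Public Subnet", source_dest_check=False),
    Eni("eni-0bbb", "FortiGate Private Subnet", source_dest_check=False),
]
FIREWALL_ENIS = {"eni-0aaa", "eni-0bbb"}
ROUTE_TABLES = [
    RouteTable("Public Route", ["Public Subnet"], {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0ccc"}),
    RouteTable("Private Route", [], {"10.0.0.0/16": "local", "0.0.0.0/0": "eni-0bbb"}),
]
SG_RULES = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, "0.0.0.0/0"),
    SgRule("tcp", 3389, 3389, "0.0.0.0/0"),
    SgRule("icmp", -1, -1, "0.0.0.0/0"),
]
TRUSTED = ["203.0.113.0/24"]   # public prefix of the on-prem site (assumed)

if __name__ == "__main__":
    for finding in run_checks(SUBNETS, ROUTE_TABLES, ENIS, FIREWALL_ENIS, SG_RULES, TRUSTED):
        print("FINDING:", finding)
```

Run as-is it reports the Private subnet as unassociated and the three management rules open to 0.0.0.0/0; associating the subnet with Private Route and narrowing the rule sources to the prefixes in TRUSTED clears every finding. The same functions can be fed from the output of describe-route-tables, describe-network-interfaces and describe-security-groups if you want to run the check against a real account.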

FortiGate Configuration

  1. Log in with the username admin; the initial password is the EC2 instance ID.
  2. You will be prompted to change the password. Do this straight away, since the instance ID is visible to anyone with read access to the AWS account.
  3. Once logged in, the FortiGate main dashboard is shown.
  4. We will now configure port2 on the FortiGate as our LAN port. port1 is already in use for the public subnet and carries the default route out to the internet.
  5. Go to Network > Interfaces and click port2.
  6. Change the addressing mode of port2 from Manual to DHCP.
  7. port2 is now connected to the Private subnet and set to DHCP; in our lab it was allocated 10.0.1.182/24. On AWS the DHCP lease hands out the primary private IP bound to the FortiGate Private Subnet interface, so the address does not change between leases.

Bear in mind that this only brings the interface up. The 0.0.0.0/0 route added to Private Route now sends all traffic from the Private subnet to port2, and the FortiGate will only forward it once a firewall policy from port2 to port1 exists, with NAT enabled so that return traffic arrives at port1's address.

Conclusion

In this guide, we demonstrated how to deploy a FortiGate firewall in AWS, configure its networking, and prepare it for integration with your on-premises network. From creating the route tables to attaching network interfaces and configuring routing, each step is needed to establish a working environment for secure connectivity.

Hope you enjoyed this guide and happy Networking!
