Skip to main content
avinash_v
Staff
avinash_v
Staff
July 25, 2025

Technical Tip: Bootstrapping FortiGate VM using FortiFlex license in AWS using cloudinit

  • July 25, 2025
  • 0 replies
  • 568 views
Description This article describes launching FortiGate VM with a FortiFlex license in AWS using cloudinit.
Scope FortiGate VM.
Solution

Set up IAM roles as this needs S3 bucket read access.

 

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"s3:Get*",

"s3:List*"

],

"Resource": "*"

}

]

}

 

To install a FortiFlex license during bootstrap, the following script can be used, also upload the FortiFlex token and pre-config and post-config files. Pre-config file is important so that the FortiGate VM can connect to the FortiFlex and download the license file.

 

{

 "bucket": "mybucket",        <--- S3 bucket name.

 "region": "us-east-1",

 "license-token":"<FortiFlex Token>",

 "config": "/FGT-Config.txt"  <--- FortiGate config file.

}

 

When using pre-config, JSON format is not supported in user data, hence it is recommended to use MIME multipart as below.

 

Content-Type: multipart/mixed; boundary="==AWS=="
MIME-Version: 1.0

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: attachment; filename="preconfig"

config system global
set hostname AWS-Single
end

--==AWS==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

LICENSE-TOKEN: XXXXXXX

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: attachment; filename="post"

config system interface
    edit port1
        set alias untrust
    next
end

--==AWS==--

 

Below is the output, post successful execution.


AWS-Single # diagnose debug cloudinit show
>> Checking metadata source aws
>> MIME parsed preconfig script
>> MIME parsed VM token
>> MIME parsed config script
>> Run preconfig script
>> FortiGate-VM64-AWS config system global
>> FortiGate-VM64-AWS (global) set hostname AWS-Single
>> FortiGate-VM64-AWS (global) end
>> Finish running preconfig script
>> Trying to install vmlicense ...
>> License-token: XXXXXXXXXXXXXXXX
>> VM license install succeeded. Rebooting firewall.
>> Run config script
>> AWS-Single config system interface
>> AWS-Single (interface) edit port1
>> AWS-Single (port1) set alias untrust
>> AWS-Single (port1) next
>> AWS-Single (interface) end
>> Finish running config script

 

Related document:

Bootstrapping the FortiGate-VM at initial bootup using user data 
    Terms & ConditionsAccessibility statement