Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

plokesh
Staff
Staff

Login to the AWS FortiGate Firewall.

Please see the note from AWS below. The instance-id length is changing from 10 to 19. The FortiGate-VM in AWS use the instance id as the password for initial login to the device. 

As of March 7, 2016, newly created AWS accounts will use longer EC2 instance and reservation IDs by default in the following regions: US East (Northern Virginia), US West (Oregon), US West (Northern California), EU (Ireland), and EU (Frankfurt).  In other regions, new accounts will use longer EC2 instance and reservation IDs by default starting in mid-April 2016.

If you create a new AWS account on or after March 7, 2016, your new account will receive longer EC2 instance and reservation IDs by default in the regions noted above. We recommend testing longer IDs before transitioning; however, if you have not yet tested your systems for compatibility with the longer format, you still have the option to opt out and receive shorter IDs until early December 2016.  Longer EBS volume and snapshot IDs will be available in April.

For more details, and for instructions on how to adjust your ID format settings, visit theAWS Blog, the EC2 FAQ, and the EC2 User Guide. If you have questions, contact the AWS support team.

Sincerely,
The Amazon Web Services Team

Based on this, there needs some changes to the way we can login to the FortiGate-VM in AWS.

Short instance-id(10 digits):

Use the instance-id to login to the AWS FortiGate-VM instances as always.

Long instance-id(19 digits):

For the long instance id, launch the instance with a AWS keypair. There are two ways to login to the the instance in this scenario.

1) Please use the first 11 characters of the instance id.

2) You can use the private key to login to the firewall through ssh. From there you can change the admin password to login through http/https through the GUI.

Example to login using private key of the firewall:

From a Linux console.

#ssh -i privatekey.pem admin@[ip of the firewall]

 

5 REPLIES 5
40james_FTNT
Staff
Staff

Great info, thank you! 

I did find, however, that Option#2 does not seem to work. When the Fortigate first comes up it does not have all the CLI commands enabled (aka - "config system admin" missing). 

FortiGate-VM64-AWS # config system ?
central-management    Configure central management.
dns                   Configure DNS.
interface             Configure interfaces.
settings              Configure VDOM settings.
FortiGate-VM64-AWS #

Maybe if you register via cli (if possible) or via the central management options?

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
plokesh

James,

    Can you specify what region that you tried launching this in? Also let me know if this is BYOL or OnDemand. 

40james_FTNT

Hi Praveen,

This was in Region "US East (N. Virginia)", us-east-1 I think, and the image was BYOL. I attached the image that was launched. 

Thanks!

J

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
plokesh


James,

  They ssh keypair method should work for FortiGate. Can you verify? 

40james_FTNT



In Reply to Praveen Lokesh:


James,

  They ssh keypair method should work for FortiGate. Can you verify? 

I can login but it is the same problem I mentioned above. There is not a way, that I can see, for me to change the admin password via SSH. I can get in but then I can only config the bare minumum. I suspect once I have a license loaded it opens up more. 

ssh -i ~/.ssh/awskey.pem admin@ec2-54-174-198-63.compute-1.amazonaws.com

FortiGate-VM64-AWS # config  system ?
autoupdate            Configure automatic updates.
central-management    Configure central management.
dns                   Configure DNS.
interface             Configure interfaces.
settings              Configure VDOM settings.

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.