avinash_v
Staff
Article Id 403541
Description: This article describes how to launch a FortiGate VM with a FortiFlex license in AWS using cloud-init.
Scope: FortiGate VM.
Solution:

Set up an IAM role that grants S3 bucket read access, as the FortiGate VM fetches the FortiFlex token and the configuration files from the bucket during bootstrap. The policy below grants read and list on every bucket in the account; for least privilege, restrict "Resource" to the ARN of the bucket that holds the bootstrap files.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

To install a FortiFlex license during bootstrap, use the following user data, and upload the FortiFlex token, the pre-config file and the post-config file to the S3 bucket. The pre-config file is important so that the FortiGate VM can connect to FortiFlex and download the license file.

{
  "bucket": "mybucket",
  "region": "us-east-1",
  "license-token": "<FortiFlex Token>",
  "config": "/FGT-Config.txt"
}

Here "bucket" is the S3 bucket name and "config" is the path of the FortiGate config file inside that bucket.

When a pre-config is needed, the JSON format above cannot carry it in user data, so use a MIME multipart user data instead, as shown below.

Content-Type: multipart/mixed; boundary="==AWS=="
MIME-Version: 1.0

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: attachment; filename="preconfig"

config system global
set hostname AWS-Single
end

--==AWS==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

LICENSE-TOKEN: XXXXXXX

--==AWS==
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: attachment; filename="post"

config system interface
    edit port1
        set alias untrust
    next
end

--==AWS==--
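
As an added example, not part of the original article or of Fortinet's own tooling, the following Python script builds the same three-part MIME multipart user data shown above (same "==AWS==" boundary, same attachment filenames), parses it back, and checks that the preconfig, license and post parts are all present and that the license part carries a real token rather than the "XXXXXXX" placeholder. The token and configuration text passed in are assumed sample values.

```python
"""Build and verify FortiGate cloud-init MIME multipart user data (added example)."""
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import Parser

BOUNDARY = "==AWS=="  # the boundary used in the article's user data


def build_user_data(preconfig: str, license_token: str, postconfig: str) -> str:
    """Return multipart/mixed user data with the three attachments cloud-init expects."""
    msg = MIMEMultipart("mixed", boundary=BOUNDARY)
    parts = [
        ("preconfig", "x-shellscript", preconfig),               # runs before licensing
        ("license", "plain", f"LICENSE-TOKEN: {license_token}\n"),  # FortiFlex token
        ("post", "x-shellscript", postconfig),                   # runs after the reboot
    ]
    for filename, subtype, body in parts:
        part = MIMEText(body, subtype, "us-ascii")
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)
    return msg.as_string()


def parse_user_data(user_data: str) -> dict:
    """Parse user data back into {attachment filename: payload text}."""
    msg = Parser().parsestr(user_data)
    out = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        out[part.get_filename()] = part.get_payload(decode=True).decode("us-ascii")
    return out


def check_user_data(user_data: str) -> list:
    """Return a list of problems; an empty list means the user data is complete."""
    problems = []
    parts = parse_user_data(user_data)
    for name in ("preconfig", "license", "post"):
        if name not in parts:
            problems.append(f"missing part: {name}")
    token = parts.get("license", "")
    if "LICENSE-TOKEN:" not in token or "XXXX" in token:
        problems.append("license part lacks a real LICENSE-TOKEN value")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs mirroring the article's pre- and post-config.
    pre = "config system global\nset hostname AWS-Single\nend\n"
    post = "config system interface\n    edit port1\n        set alias untrust\n    next\nend\n"
    data = build_user_data(pre, "SAMPLE-TOKEN-NOT-REAL", post)
    print(data)
    print("problems:", check_user_data(data))
```

Feed the returned string to the instance as user data; the check runs before launch, so a missing part or a leftover placeholder token is caught without a failed boot.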

The following output is shown after successful execution:


AWS-Single # diagnose debug cloudinit show
>> Checking metadata source aws
>> MIME parsed preconfig script
>> MIME parsed VM token
>> MIME parsed config script
>> Run preconfig script
>> FortiGate-VM64-AWS config system global
>> FortiGate-VM64-AWS (global) set hostname AWS-Single
>> FortiGate-VM64-AWS (global) end
>> Finish running preconfig script
>> Trying to install vmlicense ...
>> License-token: XXXXXXXXXXXXXXXX
>> VM license install succeeded. Rebooting firewall.
>> Run config script
>> AWS-Single config system interface
>> AWS-Single (interface) edit port1
>> AWS-Single (port1) set alias untrust
>> AWS-Single (port1) next
>> AWS-Single (interface) end
>> Finish running config script


Related document:

Bootstrapping the FortiGate-VM at initial bootup using user data