steveshaw
New Contributor

AWS Autoscale Deployment

Hello Fortinet Community

 

I am currently evaluating FortiGate VM for AWS. Our project will be completely hosted in cloud.

We will go in-production from next month. Prior to finalizing the design, I have few questions on the Fortinet offering for AWS.

 

1. Which templates are officially supported by Fortinet TAC? https://github.com/fortinetsolutions/AWS-CloudFormationTemplates

2. Can FortiManager manage multiple autoscaled solutions across the AWS regions? I couldn’t find any documentation on how to add a new FortiGate-VM (created by autoscaling) to FortiManager.

3. Are there any documents showcasing Fortinet VMs with the new AWS LBs, ALB and NLB?

4. Any performance numbers (FW throughput, IPsec VPN throughput) of FortiGate-VMs specific to AWS? This will help us choose the appropriate EC2 instance.

5. When will version 5.6 be available on AWS?

6. Can Chef/Ansible be leveraged for automating policy configuration?

7. I saw on GitHub there are Terraform templates, but there are no details on how to use them.

8. I read FortiCloud can manage the configuration of virtual appliances, but it's not listed in the marketplace, so for an AWS setup is my only option FortiManager?

 

I would appreciate it if someone could point me to resources for the above queries.

 

Thanks,

Steve Shaw

Security Architect

Internet Security Solutions

dmcquade
New Contributor III

Hi Steve,

 

I currently run VMs in AWS running the 5.4 platform (I believe the BYOL can run the 5.6 platform). We manage these VMs via FortiManager just like any other firewall. I don't believe you can autoscale across regions. Here is a good reference from Fortinet specific to AWS:

https://www.fortinet.com/products/aws-azure-security/fortigate-aws.html

 

Like any other Internet-based service, performance is hard to predict because it is dependent on your connection to the Internet. We have high-speed links and our performance meets our needs. For each region, we build our VMs and assign them to the same policy within FortiManager. We also utilize the "per device mapping" feature to dynamically assign values based on the firewall the policy is deployed to, which helps a lot.

 

Sorry I am not able to provide feedback to all of your questions but I hope this helps.

 

Regards,

d

steveshaw

Hello Dmcquade

 

Appreciate your reply. Thank you.

In your setup, do you use autoscaling? I believe each FortiGate-VM needs to be manually assigned to FortiManager?

 

Thanks

Steve

dmcquade
New Contributor III

No on the auto scaling. Most of the implementations I have done involve site-to-site IPsec VPN tunnels to an on-prem site. Typically we'll create 2 FortiGate VMs in a Transit VPC. Each VM will have a tunnel to the on-prem (preferably 2 distinct locations for DR / load balancing). For this reason we did not do auto scaling.

 

Sorry

d
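The dual-tunnel design described above (one FortiGate VM in the transit VPC with a tunnel to each of two on-prem locations, the second used for DR), written out as an added FortiOS CLI example. This is not dmcquade's configuration or a Fortinet template; interface names, subnets, peer addresses and tunnel names are assumed placeholders, and the pre-shared keys must be replaced.

```fortios
# Assumed: port1 = AWS public-facing interface, port2 = VPC-internal interface.
# Peer addresses and subnets below are documentation placeholders, not real sites.
config vpn ipsec phase1-interface
    edit "onprem-dc1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_STRONG_PSK_DC1
    next
    edit "onprem-dc2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 198.51.100.20
        set psksecret REPLACE_WITH_STRONG_PSK_DC2
    next
end
config vpn ipsec phase2-interface
    edit "onprem-dc1"
        set phase1name "onprem-dc1"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
    next
    edit "onprem-dc2"
        set phase1name "onprem-dc2"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
    next
end
# Two routes to the same on-prem prefix: same distance keeps both in the
# routing table, lower priority value prefers DC1; DPD tears down a dead
# tunnel so traffic fails over to DC2.
config router static
    edit 1
        set dst 192.168.0.0 255.255.0.0
        set device "onprem-dc1"
        set priority 1
    next
    edit 2
        set dst 192.168.0.0 255.255.0.0
        set device "onprem-dc2"
        set priority 10
    next
end
```

A firewall policy from port2 to both tunnel interfaces (and the reverse) is still required for traffic to pass, and mirroring the two tunnels on the second transit VM gives the per-VM redundancy the post describes.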

 

steveshaw

Thank you

imverylame

Building out a transit VPC as well, looking at FortiGates. Did you build out two separate (non-HA, non-config-sync) instances in the same AZ, different AZs, different VPCs?

 

I want the availability of cross-AZ subnets, but it looks like I can't get HA or sync capabilities if they're in different subnets... I can handle the management of different IPsec configs, but don't want to deal with the separate management of the FW policy side...
