Bootstrap Configuration Example for FortiGate Firewall in AWS

Using the bootstrap option significantly simplifies Fortinet FortiGate initial configuration setup.

In this document, we provide a bootstrap example to set up an "Allow All" and Egress NAT policy for the FortiGate to validate that traffic is indeed sent to the FortiGate for VPC-to-VPC traffic inspection.

For a manual setup, follow the manual setup example.

After you enable bootstrap configuration for your AWS FortiGate firewall, you can select either AWS S3 Bucket or User Data. If you select AWS S3 Bucket, you must have already completed the following sections in your AWS Console (steps provided below):

If you select User Data, click here to complete the bootstrap configuration.

Creating an IAM Role and Policy

  1. Log in to the AWS console and create an IAM role, for example "bootstrap-FortiGate-S3-role".

  2. Attach an IAM policy to the role, for example "bootstrap-FortiGate-S3-policy". The policy has the following statements.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
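
The statements above grant s3:ListBucket and s3:GetObject on every bucket in the account ("arn:aws:s3:::*"). The following bucket-scoped variant is an added example, not part of the original Aviatrix document. It assumes the role is used only to read the bootstrap files and that the bucket has the example name "bootstrap-fortigate-bucket" from the bucket-structure section below; the Sid values are illustrative.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBootstrapBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bootstrap-fortigate-bucket"
            ]
        },
        {
            "Sid": "ReadBootstrapObjects",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bootstrap-fortigate-bucket/*"
            ]
        }
    ]
}
```

s3:ListBucket is a bucket-level action and takes the bucket ARN, while s3:GetObject is an object-level action and takes the object ARN (the bucket ARN followed by "/*").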

Creating Bootstrap Bucket Structure

In AWS S3, at the top level create a bucket for bootstrap with a unique name, for example "bootstrap-fortigate-bucket", with the following structure:

bootstrap-fortigate-bucket/
    init.conf
    license.lic

Upload Config Files

  1. The example init.conf file contains the "Allow All" setup. To download the file, click init.conf.

  2. For the example license.lic file, click license.lic. For Metered AMI, this file is not required.

You must specify the password in the example init.conf file. For initial FortiGate login information, go to Credentials for FortiGate Initial Login. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign up at https://support.aviatrix.com.

  3. Upload these two files to your config folder in the bootstrap-fortigate-bucket.

  4. Navigate to Security > FireNet > Firewall to launch and deploy your FortiGate firewall using the bootstrap configuration (selecting the AWS S3 Bucket option).

Configuring Static Routes

Follow the instructions here to configure the static routes.

Ready to Go

Now your firewall instance is ready to receive packets.

The next step is to specify which Network Domain needs packet inspection by defining a connection policy that connects to the firewall domain. This is done by this step in the Firewall Network workflow.