By Manny Fernandez
April 22, 2020
Deploying FortiAnalyzer in AWS
I have been playing with AWS a lot since the pandemic. I wrote another article about adding some VIPs using Elastic IPs. Here I will walk through deploying FAZ in my AWS lab environment.
Here is my AWS environment. Note: I am not an AWS master yet so don’t flame me so bad because of my design 😀
AWS Console
Let's connect to your AWS console. Once there, you will need to make sure you are in the correct region. Go to your EC2 instances.
Here you can see my VPCs. I will be deploying this FAZ in VPC-A.
Under my EC2 tab, I can see a FortiGate and an Ubuntu Desktop I use as a jump box.
Choose the Launch Instance button on the top.
In the search box, type Fortinet and hit Enter.
You will see the following screen
Choose the AWS Marketplace option.
Search for the BYOL option (if you are in fact bringing your license).
You will get the typical Instance Type and their associated costs.
Choose your instance type from the list.
As you can see, I chose the VPC-A from the Network drop down list. I also chose the subnet I want to use. In my case, I named them as priv and pub and referenced the Availability Zone.
I like to add the IP Address myself and NOT use the DHCP option by AWS. In my case, 10.100.2.30.
Next, choose Review and Launch.
Here you can review your info and hit Launch.
You will need to either assign an existing key pair or create a new one. In my case, I reused one. Now hit Launch Instances.
Once finished, you can choose the instance and on the bottom half of the screen, you will see the IP address you assigned to the instance.
If you follow my VIP article, it will show you how to provision an Elastic IP. In my case, the External subnet is 10.100.1.0/24 and the VIP is associated to an IP in that subnet. I will then map that external IP address to my internal FAZ IP address.
Ensure you have a policy that permits HTTPS. Also ensure that your Security Group is also permitting that traffic. I normally have a permit of SSH from my home IP only and then open everything else up to the FortiGate.
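The Security Group guidance above (SSH from one address only, HTTPS permitted) can be checked against the rule set itself. The following is an added example, not part of the original article: it audits a constructed rule list shaped like the IpPermissions field returned by aws ec2 describe-security-groups, and 203.0.113.10 is an assumed stand-in for the home IP.

```python
import ipaddress

# Constructed sample shaped like the "IpPermissions" list returned by
# `aws ec2 describe-security-groups`; every address here is made up.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
ADMIN_IP = ipaddress.ip_network("203.0.113.10/32")  # assumed home address


def covers_tcp_port(rule, port):
    """True if the rule admits the TCP port, including ranges and all-traffic."""
    if rule["IpProtocol"] == "-1":       # all protocols; AWS omits the ports
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def sources(rule):
    """Yield every IPv4 and IPv6 source CIDR attached to the rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit(rules, admin=ADMIN_IP):
    """Return (ssh_violations, https_allowed) for a list of ingress rules."""
    ssh_violations, https_allowed = [], False
    for rule in rules:
        for cidr in sources(rule):
            if covers_tcp_port(rule, 443):
                https_allowed = True
            net = ipaddress.ip_network(cidr, strict=False)
            # SSH must be reachable from the single admin address only.
            if covers_tcp_port(rule, 22) and net != admin:
                ssh_violations.append(cidr)
    return ssh_violations, https_allowed


if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Rules that reference another security group instead of a CIDR (UserIdGroupPairs) are not evaluated by this check.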
A couple of things you will need to do. First, register the license you received, usually as a PDF, from Fortinet or your partner. And the second thing is to copy the instance ID.
Once you have registered the key, you will need to enter the IP address.
At this point, you should be able to download the lic file by choosing the link.
Choose the license file and choose Upload
If after a few minutes, the page does not refresh automatically, just manually refresh.
Note: Here, you will need the instance-id from your EC2 section.
This is a screenshot from my EC2 section. Copy the Instance ID
After logging in with USERNAME admin and PASSWORD %the_instance_id% you will receive the Change Password screen. Set your new password and click OK.
Hope this helps