aws-cloudformation-templates's Introduction

AWS - CloudFormation Templates

This project includes a set of CloudFormation templates to get you started in AWS with Fortinet.

https://www.fortinet.com/aws/

Support

Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.

For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact [email protected].

License

© Fortinet Technologies. All rights reserved.

aws-cloudformation-templates's People

Contributors

anilmeena99, fortijeremy, guardhao104, hgaberra, jamie-pate, jaydenliang, jthompson-ftnt, mobilesuitzero, mohammadjomaa


aws-cloudformation-templates's Issues

AMI issues

I am attempting to deploy 6.0 HA via the stack and am getting the following errors:

2021-01-27 14:22:56 UTC-0700 Fgt1 CREATE_FAILED API: ec2:RunInstances Not authorized for images: [ami-0545ab5cfcb04ae1f]
2021-01-27 14:22:56 UTC-0700 Fgt2 CREATE_FAILED API: ec2:RunInstances Not authorized for images: [ami-0545ab5cfcb04ae1f]

Is there anything that can be done to correct this?

upgrade cfn stack from 1.3.4 to 1.3.5 fails

Upgrade cloudformation stack from Release 1.3.4 to 1.3.5 fails with this error:

  • Requested update requires the creation of a new physical resource; hence creating one.

  • Interface: [eni-0d8e33be47b7c09f8, eni-0fbca93efff6f9b59, eni-0967d23928c013fe2, eni-082daabcfd8230cd5] in use. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidNetworkInterface.InUse; Request ID: f6852944-9fc9-48ef-988d-59ef95f8d069)

Basically, the CloudFormation change set wants to create new EC2 instances and fails, as the ENIs are in use by the previous (active) instances.
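The failure above only surfaces once the update is already executing. A change set reports the same replacement ahead of time: every modified resource carries a Replacement value ("True", "False" or "Conditional") and, per changed property, a RequiresRecreation value. The following added example (not code from the Fortinet templates) inspects a DescribeChangeSet-shaped response and refuses to proceed when an AWS::EC2::Instance would be recreated. The change set content is constructed; which property actually differs between releases 1.3.4 and 1.3.5 is not known here, so the sample uses ImageId, a property that is immutable on AWS::EC2::Instance and therefore always forces replacement.

```python
"""Pre-flight a CloudFormation change set before executing it.

Added example, not part of the Fortinet aws-cloudformation-templates code.
It reads a response shaped like `aws cloudformation describe-change-set`
and reports resources that would be recreated, so the Fgt1/Fgt2
replacement is visible before InvalidNetworkInterface.InUse happens mid-update.
"""
from typing import Any, Dict, List

REPLACING = {"True", "Conditional"}          # ResourceChange.Replacement values
RECREATING = {"Always", "Conditionally"}     # Target.RequiresRecreation values


def replacement_risks(change_set: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One record per resource the change set would replace, with the
    properties whose modification forces the recreation."""
    risks = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        if rc.get("Action") != "Modify" or rc.get("Replacement") not in REPLACING:
            continue
        props = sorted({
            d["Target"]["Name"]
            for d in rc.get("Details", [])
            if d.get("Target", {}).get("Attribute") == "Properties"
            and d["Target"].get("RequiresRecreation") in RECREATING
        })
        risks.append({
            "LogicalResourceId": rc["LogicalResourceId"],
            "PhysicalResourceId": rc.get("PhysicalResourceId"),
            "ResourceType": rc["ResourceType"],
            "Replacement": rc["Replacement"],
            "Properties": props,
        })
    return risks


def blocking_resources(change_set: Dict[str, Any],
                       types=("AWS::EC2::Instance",)) -> List[str]:
    """Logical IDs of replaced resources whose type must never be recreated
    by an in-place update (an instance keeps its ENIs attached until it is
    deleted, so the replacement instance cannot claim them)."""
    return [r["LogicalResourceId"] for r in replacement_risks(change_set)
            if r["ResourceType"] in types]


def _instance_change(logical_id: str, instance_id: str) -> Dict[str, Any]:
    return {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": logical_id,
        "PhysicalResourceId": instance_id,
        "ResourceType": "AWS::EC2::Instance", "Replacement": "True",
        "Details": [{"Target": {"Attribute": "Properties", "Name": "ImageId",
                                "RequiresRecreation": "Always"},
                     "Evaluation": "Static", "ChangeSource": "DirectModification"}]}}


# Constructed change set (hypothetical IDs): both FortiGate instances get a
# new ImageId and are replaced; one ENI only has its tags modified.
SAMPLE_CHANGE_SET: Dict[str, Any] = {
    "ChangeSetName": "upgrade-1-3-5",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        _instance_change("Fgt1", "i-00000000000000aa1"),
        _instance_change("Fgt2", "i-00000000000000aa2"),
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "Fgt1Eni0",
            "PhysicalResourceId": "eni-00000000000000e01",
            "ResourceType": "AWS::EC2::NetworkInterface", "Replacement": "False",
            "Details": [{"Target": {"Attribute": "Tags", "RequiresRecreation": "Never"},
                         "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
    ],
}

if __name__ == "__main__":
    for risk in replacement_risks(SAMPLE_CHANGE_SET):
        print(risk)
    blocked = blocking_resources(SAMPLE_CHANGE_SET)
    print("do not execute, replaced instances:", blocked) if blocked else print("safe to execute")
```

Running the check against the output of `describe-change-set` for the real stack tells you, before anything is torn down, which resources an "upgrade" will actually recreate; if the instances are on that list, the update has to be planned as a redeploy rather than an in-place change.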

Using Ingress Routing (Edge Associations) breaks DualAZ config

Using Ingress Routing (Edge Associations) breaks this config due to the HAMgmt interface no longer being able to reach AWS.

I'm working on getting this set up using the DualAZ config. Everything worked well, until we wanted to expose a back-end server to the Internet. I then configured an ingress route table, with an Edge Association (as detailed here https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/).

This works extremely well, except for the fact that it breaks access to the Standby Cluster Member, and it breaks failover.
The issue lies with the fact that the automatic update (SDN Connector?) is changing a route that must remain static.

In this route table:

  • The two /20s are the private subnets, those should both be pointing to the same interface (ending in 793) - the Public (interface 1) of the currently active FW.
  • 10.19.226.0/24 is FGT1's HAMgmt subnet - target of FGT2's HAMgmt Interface <- This is the issue
  • 10.19.242.0/24 is FGT2's HAMgmt subnet - target of FGT2's HAMgmt Interface (ending in 3df)
awsd checking ha status for vdom root
awsd checking elastic ip for port1
awsd checking elastic ip for port2
awsd update route table rtb-03XXXXXXXXXXba1, replace route of dst 10.19.226.0/24 to eni-0b2XXXXXXXX3df
awsd update route successfully
awsd reap child pid: 17044
XXXX-AWS-FW2 # diag deb app awsd 0

TLDR

The /24 routes need to remain static, pointing to their individual gateway. But due to the automatic update, they are both pointing to the currently active member. On failover the newly active member cannot access AWS on the HAMgmt interface and the Elastic IP is never moved to the newly active FGT.


Is there maybe a way to exempt a specific route? Or something in AWS itself that I'm missing?
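The invariant described in the post is easy to state: the private-subnet (and default) routes follow the currently active member's port1 ENI, while each HAmgmt subnet route stays pinned to that member's own HAmgmt ENI. The following added example (not code from the templates or from FortiOS) encodes exactly that expectation and diffs a route-table snapshot against it, so a drift like the one in the awsd debug output above is caught on either side of a failover. The ENI IDs and the two /20 private subnets are constructed, since the post redacts them.

```python
"""Check an ingress route table against the HA cluster's expected targets.

Added example, not part of the Fortinet templates. The invariant it checks
is the one described in the post above: private subnets -> active member's
port1 ENI; each HAmgmt subnet -> that member's own HAmgmt ENI.
"""
import ipaddress
from typing import Any, Dict, List

# Constructed cluster description (ENI IDs are made up; the post redacts them).
CLUSTER: Dict[str, Any] = {
    "active": "FGT2",
    "members": {
        "FGT1": {"port1_eni": "eni-0aaa000000000111a",
                 "hamgmt_eni": "eni-0aaa000000000222a",
                 "hamgmt_subnet": "10.19.226.0/24"},
        "FGT2": {"port1_eni": "eni-0bbb000000000793b",
                 "hamgmt_eni": "eni-0bbb0000000003dfb",
                 "hamgmt_subnet": "10.19.242.0/24"},
    },
    # The post mentions two /20 private subnets without giving them; made up here.
    "private_subnets": ["10.19.0.0/20", "10.19.16.0/20"],
}

# Constructed snapshot of the route table after awsd rewrote the FGT1 HAmgmt route.
ROUTES: List[Dict[str, str]] = [
    {"DestinationCidrBlock": "10.19.0.0/20", "NetworkInterfaceId": "eni-0bbb000000000793b"},
    {"DestinationCidrBlock": "10.19.16.0/20", "NetworkInterfaceId": "eni-0bbb000000000793b"},
    # FGT1's HAmgmt subnet now points at FGT2's HAmgmt ENI: the drift from the post
    {"DestinationCidrBlock": "10.19.226.0/24", "NetworkInterfaceId": "eni-0bbb0000000003dfb"},
    {"DestinationCidrBlock": "10.19.242.0/24", "NetworkInterfaceId": "eni-0bbb0000000003dfb"},
]


def expected_targets(cluster: Dict[str, Any]) -> Dict[ipaddress.IPv4Network, str]:
    """Destination network -> the ENI that must be its target."""
    active = cluster["members"][cluster["active"]]
    expected = {ipaddress.ip_network(c): active["port1_eni"]
                for c in cluster["private_subnets"]}
    for member in cluster["members"].values():
        expected[ipaddress.ip_network(member["hamgmt_subnet"])] = member["hamgmt_eni"]
    return expected


def check_routes(routes: List[Dict[str, str]], cluster: Dict[str, Any]) -> List[str]:
    """Sorted list of violations; an empty list means the table is consistent."""
    expected = expected_targets(cluster)
    problems, seen = [], set()
    for route in routes:
        dst = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dst not in expected:
            continue  # e.g. the VPC local route; not owned by this check
        seen.add(dst)
        want, got = expected[dst], route.get("NetworkInterfaceId")
        if got != want:
            problems.append(f"{dst}: target {got}, expected {want}")
    for dst in expected.keys() - seen:
        problems.append(f"{dst}: no route present")
    return sorted(problems)


if __name__ == "__main__":
    for line in check_routes(ROUTES, CLUSTER) or ["route table consistent"]:
        print(line)
```

Feed it the `Routes` array from `aws ec2 describe-route-tables` for the ingress table, once with the member that is currently active and once more after a forced failover; a route that is flagged in both runs is the one the automatic update is rewriting.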

ImageFunction returning wrong AMI

When using BYOL licensing, the ImageFunction is returning an AMI ID for the "Fortinet Federal FortiGate (BYOL) Next-Generation Firewall" (https://aws.amazon.com/marketplace/pp/prodview-y7diw5udavvhy). Since customers are subscribed to the Fortinet BYOL listing, this produces an error when launching the template. Further, the Federal offering does not support c5.size instances, so if you go ahead and subscribe to the Fortinet Federal listing, half the instance choices do not work with it.

I haven't looked into region availability of the Fortinet Federal listing, I just confirmed that the ImageFunction is mapping to the Federal listing in us-west-1 specifically. Other regions may be affected. Confirmed this behavior for 7.4.x, both dualAZ and singleAZ.

Desired outcome: HA cloudformation templates should launch AMI's associated with the Fortinet FortiGate BYOL listing.

Dual AZ solution: second instance will not boot

After allowing outbound traffic on FortigateSecGrp, the first instance will start (PAYG). However, the second (passive) instance will not, because it's unable to download a license file. The second instance only has an EIP on port4/eni3 (ClusterEIP is assigned to the active instance).

How does the second instance get its license so that it can join the cluster?

Dual AZ solution does not configure the Fabric Connector (sdn-connector)

I'm confused - the FortiOS Cookbook indicates that the Fabric Connector must be set up before HA can work. However, the UserData config file that is applied to the instance does not have an sdn-connector section. How is this supposed to work? I can see that the IAM role is applied to the instance, but the active node (the only one I can get to start) does not have an AWS fabric connector configured.

RunImageFunction ERROR [FGCP/7.0/DualAZ]

Getting this error when running CF, 7.0:

RunImageFunction ERROR

{
"Status": "FAILED",
"Reason": "See the details in CloudWatch Log Stream: 2022/03/16/[$LATEST]786ee947e4d84923935a99224406f956",
"PhysicalResourceId": "2022/03/16/[$LATEST]786ee947e4d84923935a99224406f956",
"StackId": "arn:aws:cloudformation:eu-central-1:729267244622:stack/FGStack/73419f90-a550-11ec-87d7-0275f7a88d18",
"RequestId": "d002c7c1-86f5-41c3-91e9-67d47c15f483",
"LogicalResourceId": "RunImageFunction",
"NoEcho": false,
"Data": {
"msg": "error"
}
}

PLEASE CHECK QUICKLY, THX

Small typo in FGCP_DualAZ_ExistingVPC.template.json

For the FortiGate2 parameters, the description references the wrong subnets.
Line 177, 184, 191, 198 all should read "...Subnet2" instead of "...Subnet1"

Non-impacting as long as the correct subnets are referenced, but confusing for users.

Receiving an error for DUAL-AZ Template

During stack creation, receiving the following error:
The following resource(s) failed to create: [RunInitFunction]. I believe this is related to the HA portion.

Please help!

Secondary EIP Failover in Multi AZ

New to github, not sure if this is the correct way to ask a question?

According to the documentation at the end of the Multi AZ 6.4 template it states that secondary EIPs should failover as well. Does this actually apply to a MultiAZ deployment?

Does FGCP support having multiple Cluster EIPs and secondary IPs on ENI0\port1?

Yes. FGCP will move over any secondary IPs associated to ENI0\port1 and EIPs associated to those secondary IPs to the new master FortiGate instance. You will need to configure secondary IPs on the ENI via the AWS EC2 Console and in FortiOS for port1. The private IPs configured on the ENI and FortiOS must match.

What is being asked for with FortiGate1*IP and FortiGate2*IP

In FGCP_DualAZ_ExistingVPC.template, what am I supposed to put in for FortiGate1PublicIP, FortiGate1PrivateIP, FortiGate1HAsyncIP, FortiGate1HAmgmtIP and the FortiGate2 versions? I have tried the same subnet CIDR as the subnets used for each type of IP. I have also tried a single IP with a /32 that is in the same CIDR range. Each and every time I get the following error:
"Address does not fall within the subnet's address range (Service: Ec2, Status Code: 400, Request ID: 2e533981-aa8b-4bbb-acdc-a02b44c13307)".

Thanks
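The EC2 error quoted above is raised for any address that is not a usable host inside the subnet, and a subnet's own CIDR fails that test because its first address is the network address, which AWS reserves (together with the next three and the broadcast address). The following added example (not part of the templates) validates the four FortiGateN*IP parameters locally before a stack launch. It assumes each parameter is a single host address, either bare or in the host/prefix form shown in the "Minor modification required" post further down (10.0.1.10/24), and that the prefix, when given, must be the subnet's own; the parameter values and subnet CIDRs below are constructed.

```python
"""Validate FortiGateN{Public,Private,HAsync,HAmgmt}IP parameters offline.

Added example, not part of the Fortinet templates. Assumes a parameter is a
host address, optionally written as host/prefix with the subnet's prefix
length (e.g. 10.0.1.10/24); the subnet-to-parameter mapping is supplied.
"""
import ipaddress
from typing import Dict


def validate_interface_ip(value: str, subnet_cidr: str) -> str:
    """Return the bare host address if `value` is usable inside `subnet_cidr`.

    Rejects: a prefix length other than the subnet's, an address outside the
    subnet, and the five addresses AWS reserves in every subnet (the network
    address, the next three, and the broadcast address)."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    host_str, _, prefix = value.partition("/")
    host = ipaddress.ip_address(host_str)      # ValueError on malformed input
    if prefix and int(prefix) != subnet.prefixlen:
        raise ValueError(f"prefix /{prefix} does not match subnet {subnet}")
    if host not in subnet:
        raise ValueError(f"{host} does not fall within {subnet}")
    reserved = {subnet.network_address + i for i in range(4)} | {subnet.broadcast_address}
    if host in reserved:
        raise ValueError(f"{host} is reserved by AWS in {subnet}")
    return str(host)


def check_parameters(params: Dict[str, str], subnets: Dict[str, str]) -> Dict[str, str]:
    """Map each parameter name to 'ok' or the reason EC2 would reject it.
    `subnets` maps the parameter name to the CIDR of the subnet it must be in."""
    results = {}
    for name, value in params.items():
        try:
            validate_interface_ip(value, subnets[name])
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


# Constructed FortiGate1 parameters in a hypothetical 10.0.0.0/16 VPC.
SUBNETS = {
    "FortiGate1PublicIP": "10.0.1.0/24",
    "FortiGate1PrivateIP": "10.0.2.0/24",
    "FortiGate1HAsyncIP": "10.0.3.0/24",
    "FortiGate1HAmgmtIP": "10.0.4.0/24",
}
PARAMS = {
    "FortiGate1PublicIP": "10.0.1.10/24",   # usable host in the public subnet
    "FortiGate1PrivateIP": "10.0.2.0/24",   # the subnet CIDR itself: network address is reserved
    "FortiGate1HAsyncIP": "10.0.3.10/32",   # host is fine, but the prefix is not the subnet's
    "FortiGate1HAmgmtIP": "10.0.5.10/24",   # address belongs to a different subnet
}

if __name__ == "__main__":
    for name, verdict in check_parameters(PARAMS, SUBNETS).items():
        print(f"{name}: {verdict}")
```

Run it with your own parameter values and the CIDRs of the subnets you pass to the template; any entry other than "ok" is one EC2 will refuse at instance or ENI creation time.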

Minor modification required

Due to requirements I need this IaC to be slightly modified.
I need two EIPs to be assigned - appreciate if someone more knowledgeable can help! thx.

Existing:

fgt1eni0: ClusterEIP - associated with PublicIP of Active FG

Interface IP Configuration for FortiGate 1:
FortiGate1PublicIP - 10.0.1.10/24

Interface IP Configuration for FortiGate 2:
FortiGate2PublicIP - 10.0.10.10/24

Expected:

Interface IP Configuration for FortiGate 1:
FortiGate1PublicIP - 10.0.1.10/24
FortiGate1PublicIP - 10.0.1.11/24 - secondary address

Interface IP Configuration for FortiGate 2:
FortiGate2PublicIP - 10.0.10.10/24
FortiGate2PublicIP - 10.0.10.11/24 - secondary address

fgt1eni0: ClusterEIP - associated with PublicIP of Active FG
fgt1eni0: ClusterEIP2 - associated with second PublicIP of Active FG

Routing issue in DualAZ

I have used the dualAZ template; however, traffic from my instances is not reaching the Fortinet firewall cluster. I am not seeing any logs in the forward traffic console. I have verified the VPC routing and it seems fine: the default route is pointing towards the active member. Do I need to add some routes in the "Static Routes" section inside the firewalls as well?

RouteFailover not happening.

Template

LambdaAA-RouteFailover/6.0/FGT_LambdaAA-RouteFailover_ExistingVPC_BYOL.template.json
Lambda function - Python 3.8
FGT v6.2.3 build8404

Successful deployment with modified "fgtami" values in template file, API keys also proper.

When FGT1 is stopped from EC2, FGT1-private route table goes to "blackhole", instead of automatically updating to FGT2-private-eni as per the template.

On FGT -> Automation -> Create Automation Stitch -> Name: "health-check" -> Trigger FortiOS Event Log -> Event: Link Monitor Status -> Action AWS Lambda -> 1st Action Name: "healthcheck-action" -> API Gateway, API Key, ID, Region, etc... are correct.

Does this CFT template works for AWS China

Hi All,

We are facing issues while deploying this CFT template in the AWS China region. Please suggest.

2 Errors:

[ERROR] 2022-06-28T12:32:26.256Z 74510861-6c86-41a1-8a82-cc4b037ce51b <--!! Exception: An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws-cn:sts::xxxxxxxxx:assumed-role/ec2cnbfortigate-LambdaRole-SU3TB0KACIDM/ec2cnbfortigate-InitFunction-k0ups0YllBeU is not authorized to perform: kms:GenerateDataKey on resource: arn:aws-cn:kms:cn-north-1:xxxxxxxx:key/acbcd-c6cb-4a90-8798-asdasdasf123 because no identity-based policy allows the kms:GenerateDataKey action

[ERROR] 2022-06-28T12:32:01.679Z c2a620ae-d73f-45bf-ba08-06e8ef98b6ec !!--> Unable to find AMI in response! {'Images': [], 'ResponseMetadata': {'RequestId': 'ab5f7568-dd5d-460e-98a5-9d643d3c46a8', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'ab5f7568-dd5d-460e-98a5-9d643d3c46a8', 'cache-control': 'no-cache, no-store', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'content-type': 'text/xml;charset=UTF-8', 'content-length': '219', 'date': 'Tue, 28 Jun 2022 12:32:01 GMT', 'server': 'AmazonEC2'}, 'RetryAttempts': 0}}
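Two posts on this page come down to how the image lookup behaves: the "ImageFunction returning wrong AMI" report, where a name-based lookup resolves to the Federal listing, and the "Unable to find AMI in response" error above, where the lookup gets an empty Images list in the cn-north-1 partition and proceeds anyway. The following added example (not the templates' ImageFunction) selects an AMI by Marketplace product code, which is specific to one listing, pins the FortiOS version from the image name, and fails loudly on an empty result instead of returning something else. The product codes, image names and AMI IDs are constructed; the real codes can be read from the ProductCodes field of an AMI you already know is the right one.

```python
"""Select a FortiGate AMI by Marketplace product code rather than by name alone.

Added example, not the Fortinet templates' ImageFunction. Product codes,
image names and IDs below are constructed.
"""
from typing import Any, Dict


class AmiLookupError(Exception):
    """Raised when nothing matches, instead of falling back to another listing."""


def select_ami(describe_images: Dict[str, Any], product_code: str, version: str) -> str:
    """Newest AMI carrying `product_code` whose name holds FortiOS `version`.

    `version` is matched as a prefix inside the parenthesised version, so
    "7.4" accepts "(7.4.1)" and "(7.4.2)" while "7.4.1" accepts only "(7.4.1)".
    """
    def matches(img: Dict[str, Any]) -> bool:
        codes = {pc.get("ProductCodeId") for pc in img.get("ProductCodes", [])
                 if pc.get("ProductCodeType") == "marketplace"}
        return product_code in codes and f"({version}" in img.get("Name", "")

    candidates = [img for img in describe_images.get("Images", []) if matches(img)]
    if not candidates:
        raise AmiLookupError(
            f"no AMI with product code {product_code} for FortiOS {version}; "
            "check that the listing is subscribed and offered in this region/partition")
    # CreationDate is fixed-width ISO 8601 (2024-05-20T09:00:00.000Z), so the
    # lexically greatest string is also the most recent image.
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


# Constructed product codes: the real BYOL and Federal listings have their own.
BYOL_CODE = "byolprodcode000000000000a"
FEDERAL_CODE = "fedprodcode0000000000000a"


def _image(image_id: str, created: str, name: str, code: str) -> Dict[str, Any]:
    return {"ImageId": image_id, "CreationDate": created, "Name": name,
            "ProductCodes": [{"ProductCodeId": code, "ProductCodeType": "marketplace"}]}


# Constructed describe-images response: a Federal image, two BYOL 7.4.x
# images and a newer BYOL 7.0.x image that must lose to the version filter.
SAMPLE_RESPONSE = {"Images": [
    _image("ami-0000000000000fed1", "2024-05-01T09:00:00.000Z",
           "FortiGate-VM64-AWS Federal build0000 (7.4.1) GA", FEDERAL_CODE),
    _image("ami-0000000000000b741", "2024-01-15T09:00:00.000Z",
           "FortiGate-VM64-AWS build0000 (7.4.1) GA", BYOL_CODE),
    _image("ami-0000000000000b742", "2024-05-20T09:00:00.000Z",
           "FortiGate-VM64-AWS build0000 (7.4.2) GA", BYOL_CODE),
    _image("ami-0000000000000b700", "2024-06-01T09:00:00.000Z",
           "FortiGate-VM64-AWS build0000 (7.0.14) GA", BYOL_CODE),
]}

if __name__ == "__main__":
    print("BYOL 7.4 ->", select_ami(SAMPLE_RESPONSE, BYOL_CODE, "7.4"))
    try:
        select_ami({"Images": []}, BYOL_CODE, "7.4")   # the cn-north-1 case
    except AmiLookupError as exc:
        print("lookup failed as intended:", exc)
```

Pinning the product code also answers the subscription problem: an account that is not subscribed to the listing behind that code gets the "Not authorized for images" failure from ec2:RunInstances, which is a clearer signal than launching a different listing's image by accident.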

Egress rule needed on FortigateSecGrp?

For the Dual AZ solution, surely the security group FortigateSecGrp needs an "any" egress rule? Without this the PAYG instances have the following System Log:

System is starting...

Serial number is FGVM00UNLICENSED

FortiGate-VM64-AWSONDEMAND login: AWS instance id: i-XXXXXXXXXXXXXXXXX

curl forticare failed, 7
curl forticare failed, 7
curl forticare failed, 7

cloudinit failed to request forticare license 7

The system is going down NOW !!

The system is halted.
Power down.
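Both this post and the earlier "second instance will not boot" report describe the same symptom: a PAYG FortiGate that cannot reach FortiCare at boot (curl exit code 7 is "failed to connect to host") shuts itself down unlicensed. The following added example (not part of the templates) evaluates a security group's IpPermissionsEgress the way EC2 does, so the gap can be confirmed from a `describe-security-groups` dump before the instance is launched. It assumes the licence request is HTTPS to a public endpoint, which is why it checks TCP/443 rather than "any"; the security groups and the stand-in destination address are constructed.

```python
"""Check a security group for the outbound rule a PAYG FortiGate needs.

Added example, not part of the Fortinet templates. Evaluates CIDR-based
egress rules only; prefix-list and security-group destinations are not
resolved here. Security groups below are constructed.
"""
import ipaddress
from typing import Any, Dict, List, Tuple

Requirement = Tuple[str, int, str]   # (IpProtocol, port, destination address)


def rule_allows(rule: Dict[str, Any], proto: str, port: int, dest: str) -> bool:
    """Does one IpPermissionsEgress entry cover proto/port towards dest?"""
    if rule.get("IpProtocol") != "-1":                  # "-1" means all traffic
        if rule.get("IpProtocol") != proto:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    dest_ip = ipaddress.ip_address(dest)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # An IPv4 address is never "in" an IPv6 network, so mixed families are safe.
    return any(dest_ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def missing_egress(sg: Dict[str, Any], required: List[Requirement]) -> List[Requirement]:
    """Requirements that no egress rule of `sg` satisfies; [] means the group is fine."""
    rules = sg.get("IpPermissionsEgress", [])
    return [req for req in required if not any(rule_allows(rule, *req) for rule in rules)]


# FortiCare's real addresses are not known here; a documentation-range IP stands in.
LICENSE_FETCH: List[Requirement] = [("tcp", 443, "203.0.113.10")]


def _sg(group_id: str, egress: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"GroupId": group_id, "GroupName": "FortigateSecGrp",
            "IpPermissionsEgress": egress}


SG_NO_EGRESS = _sg("sg-0000000000000000a", [])
SG_HTTPS_ONLY = _sg("sg-0000000000000000b", [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
SG_ALLOW_ALL = _sg("sg-0000000000000000c", [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
SG_INTERNAL_ONLY = _sg("sg-0000000000000000d", [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}])

if __name__ == "__main__":
    for sg in (SG_NO_EGRESS, SG_HTTPS_ONLY, SG_ALLOW_ALL, SG_INTERNAL_ONLY):
        gaps = missing_egress(sg, LICENSE_FETCH)
        print(sg["GroupId"], "missing:", gaps if gaps else "nothing")
```

SG_HTTPS_ONLY and SG_ALLOW_ALL both pass the check; the former is the least-privilege fix, since the licence fetch is the only outbound flow the post establishes a need for. One caveat when editing the template itself: an AWS::EC2::SecurityGroup with no SecurityGroupEgress property gets CloudFormation's default allow-all egress rule, and listing any SecurityGroupEgress entry removes that default, so adding a narrow rule where none existed before can tighten more than intended.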
