Introduction
FortiGate CloudFormation resources let you manage FortiGate configuration objects through the FortiGate REST API from AWS CloudFormation.
Requirements
- AWS CLI
- The FortiGate must have a public IP address that is reachable from the Internet, because the CloudFormation resource handler calls the FortiGate REST API from AWS's address space.
Set up
- Install the CloudFormation CLI, which provides the `cfn` command (`pip install cloudformation-cli`).
- Download the ZIP file for the required resource from S3. The following resources are currently available:
  - Create an Admin user
  - Create a VLAN interface
  - Update DNS
- Locate the downloaded package and upload it to AWS CloudFormation using the command:
cfn submit -v --region <region>
- Use the token output to monitor the registration process:
aws cloudformation describe-type-registration --registration-token <token>
- Once the registration status is reported as COMPLETE, the resource type is visible in the CloudFormation registry for that region.
- Example CloudFormation Templates are available in the Templates folder. These will provide a starting point for the resource used in CloudFormation.
The API key
In order to use the custom FortiGate CloudFormation resources you will need to set up an API key on the FortiGate.
Create an Administrator profile
- Log in to your FortiGate.
- Select System > Admin Profiles > Create new.
- Populate the fields as shown in the image.
- Click OK.
Create the REST API Admin
- Select System > Administrators > Create new > REST API Admin.
- Use the Administrator Profile you created.
- Add these Trusted Hosts:
  - 63.0.0.0/3
  - 64.0.0.0/2
  - 128.0.0.0/1
Note: The 0.0.0.0/0 range is not supported, and a call may come from many different AWS IP addresses, which is why the entries above are so broad. Together they admit 32.0.0.0 through 255.255.255.255 (63.0.0.0/3 is not an aligned prefix; the /3 block that contains it is 32.0.0.0/3), so sources in 0.0.0.0 through 31.255.255.255 are still rejected while any other host that obtains the key can use it. Where possible, narrow the trusted hosts to the AWS ranges for your region. A full list of AWS ranges is published at https://ip-ranges.amazonaws.com/ip-ranges.json.
- Click OK.
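The trusted-host entries above admit almost the whole public IPv4 space, and 63.0.0.0/3 is not an aligned prefix (the /3 block containing it is 32.0.0.0/3, so 0.0.0.0 to 31.255.255.255 remains unreachable). The following Python is an added example, not code from this project: it checks prefix alignment, tests which addresses the page's entries cover, filters a constructed ip-ranges.json excerpt down to one region, and renders the matching FortiOS `config system api-user` block. The CLI syntax (`config trusthost` / `set ipv4-trusthost <address> <mask>`) is assumed from FortiOS documentation and should be checked against your FortiOS version, the sample prefixes are made up, and which AWS ranges actually originate the resource handler's calls is not documented on this page.

```python
import ipaddress
import json

# The three trusted-host entries given in the set-up steps above.
PAGE_TRUSTED_HOSTS = ["63.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1"]

# Constructed excerpt in the shape of ip-ranges.json; the values are made up
# for this example and are NOT real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "52.94.72.0/22", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "52.94.72.0/22", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    ]
})


def aligned(cidr):
    """Return (aligned_prefix, was_valid). A trusted host is an address plus a
    mask, so a prefix with host bits set (63.0.0.0/3) really denotes the
    enclosing aligned block (32.0.0.0/3)."""
    try:
        return str(ipaddress.ip_network(cidr, strict=True)), True
    except ValueError:
        return str(ipaddress.ip_network(cidr, strict=False)), False


def covers(cidrs, address):
    """True if any of the (aligned) trusted-host prefixes contains address."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(aligned(c)[0]) for c in cidrs)


def aws_prefixes(ip_ranges_json, region, service="AMAZON"):
    """Select the IPv4 prefixes for one region/service, de-duplicate them and
    collapse adjacent blocks so the trusted-host list stays short."""
    data = json.loads(ip_ranges_json)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] == service
    }
    return sorted(ipaddress.collapse_addresses(nets))


def fortios_api_user_config(name, accprofile, networks):
    """Render a FortiOS CLI block creating the REST API admin with one
    trusthost entry per network (assumed syntax: set ipv4-trusthost <addr> <mask>)."""
    lines = [
        "config system api-user",
        f'    edit "{name}"',
        f'        set accprofile "{accprofile}"',
        "        config trusthost",
    ]
    for i, net in enumerate(networks, start=1):
        lines += [
            f"            edit {i}",
            "                set type ipv4-trusthost",
            f"                set ipv4-trusthost {net.network_address} {net.netmask}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for c in PAGE_TRUSTED_HOSTS:
        print(c, "->", aligned(c))
    print("3.5.140.7 admitted by the page's entries:", covers(PAGE_TRUSTED_HOSTS, "3.5.140.7"))
    nets = aws_prefixes(SAMPLE_IP_RANGES, "us-west-2")
    print(fortios_api_user_config("cfn-api", "cfn-profile", nets))
```

Against the real ip-ranges.json the AMAZON service for a single region still yields dozens of prefixes; if the FortiGate's trusted-host limit is too low for that, fall back to the page's broad entries and rely on the key plus the admin profile's minimal permissions.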
Usage
To use a resource in AWS CloudFormation you will need to supply its required parameters. The resource schema can be viewed in the CloudFormation registry (or with `aws cloudformation describe-type`).
Each FortiGate resource requires an API key and a FortiGate IP address or hostname. Dynamic references (for example to Secrets Manager or SSM Parameter Store) are not currently supported for these values, so the API key is passed as a plain template parameter. Declare that parameter with `NoEcho: true` so it is masked in the console and in DescribeStacks output, and supply the value at stack creation time rather than hardcoding it in a version-controlled template.
- In the AWS console, click Services > Management & Governance > CloudFormation.
- Click Create Stack.
- Upload your CloudFormation template. Examples are in the Templates folder of this repository.
- Specify the required parameters as shown in the image.
Troubleshooting
A CloudWatch log group is created automatically when the resource is submitted. To locate it, look in CloudWatch Logs for the log group named after the resource type.
Following are potential errors that may be returned by the FortiGate:
- 400 : Bad Request: Request cannot be processed by the API
- 401 : Not Authorized: Request without successful login session
- 403 : Forbidden: Request is missing CSRF token or administrator is missing access profile permissions.
- 404 : Resource Not Found: Unable to find the specified resource.
- 405 : Method Not Allowed: Specified HTTP method is not allowed for this resource.
- 424 : Failed Dependency: typically a duplicate resource, a missing required parameter or attribute, or an invalid attribute value.
Further troubleshooting can be done by logging in to the FortiGate via SSH and entering the following commands:
diagnose debug enable
diagnose debug application httpsd -1
This prints debugging information for every API request while it is enabled. Level -1 is verbose, so turn it off again with `diagnose debug disable` once you have captured the failing request.
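To tell a bad key (401) from a trusted-host or profile problem (403) before resorting to httpsd debugging, the following Python, an added example that is not part of this project, sends one authenticated request to the FortiGate and maps the response code to the list above. It assumes the FortiOS monitor endpoint `/api/v2/monitor/system/status` and bearer-token authentication (`Authorization: Bearer <api-key>`, accepted by recent FortiOS releases); the hostname `fgt.example.com` and key value are placeholders, and the network call is injectable so the function can be exercised without a FortiGate. Run it from a host inside AWS, otherwise a 403 only tells you your own IP is not a trusted host.

```python
import ssl
import urllib.error
import urllib.request

# Response codes from the troubleshooting list above, with the usual cause
# when the caller is the CloudFormation resource handler.
STATUS_HINTS = {
    200: "OK: key accepted and caller IP is a trusted host",
    400: "Bad Request: the request could not be processed by the API",
    401: "Not Authorized: the API key is wrong, expired or revoked",
    403: "Forbidden: caller IP is not a trusted host, or the admin profile lacks the permission",
    404: "Resource Not Found: wrong endpoint path or object name",
    405: "Method Not Allowed: wrong HTTP method for this endpoint",
    424: "Failed Dependency: duplicate object, missing required parameter/attribute, or invalid value",
}


def build_status_request(host, api_key):
    """Build a GET for the (assumed) FortiOS monitor endpoint, authenticated
    with the REST API admin's key as a bearer token."""
    return urllib.request.Request(
        f"https://{host}/api/v2/monitor/system/status",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
        method="GET",
    )


def urllib_status(req, verify_tls=True):
    """Send req and return the HTTP status code, whether or not it is an error."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for a FortiGate still serving its factory self-signed certificate;
        # install a trusted certificate instead of leaving this off in production.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_api(host, api_key, verify_tls=True, send=None):
    """Return (status, hint). `send` maps a Request to a status code and
    defaults to urllib_status; pass a stub to test without a FortiGate."""
    send = send or (lambda req: urllib_status(req, verify_tls))
    status = send(build_status_request(host, api_key))
    return status, STATUS_HINTS.get(status, f"Unexpected HTTP status {status}")


if __name__ == "__main__":
    import sys
    # usage: python check_api.py fgt.example.com <api-key> [--insecure]
    host, key = sys.argv[1], sys.argv[2]
    status, hint = check_api(host, key, verify_tls="--insecure" not in sys.argv)
    print(status, hint)
```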
Support
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact github@fortinet.com.
License
License © Fortinet Technologies. All rights reserved.