fortinet / aws-cloudformation-templates

Cloud Formation Templates for getting you started in AWS with Fortinet.
MIT License
34 stars 67 forks source link

Egress rule needed on FortigateSecGrp? #2

Closed pmcevoy closed 5 years ago

pmcevoy commented 5 years ago

For the Dual AZ solution, surely the security group FortigateSecGrp needs an "any" egress rule? Without this the PAYG instances have the following System Log:

System is starting...

Serial number is FGVM00UNLICENSED

FortiGate-VM64-AWSONDEMAND login: AWS instance id: i-XXXXXXXXXXXXXXXXX

curl forticare failed, 7
curl forticare failed, 7
curl forticare failed, 7

cloudinit failed to request forticare license 7

The system is going down NOW !!

The system is halted.
Power down.
hgaberra commented 5 years ago

The FortiGateSecGrp utilizes the default rule to allow all protocols to 0.0.0.0/0. Reference the 'Remove Default Rule' section of the AWS documentation referenced below.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

For the issue you are seeing, this is actually due to a new FortiCare license download and validation process that was added in FortiOS 6.2.2 for PAYG instances.

This is a known issue (Mantis #590555) that is being addressed in FortiOS code, however in the mean time we will be setting the CF templates to use 6.2.1 GA code until a newer GA patch of code with the relevant fix will be available. The push for the new templates should be completed by the end of the week.

In the mean time, for your existing deployments, you can simply assign an EIP to the primary IP of eni0 on the slave\FGT2 for it to complete the FortiCare license download and validation process. Once this process is completed, you can disassociate and release that EIP from the slave\FGT2 eni0 and begin failover testing after the cluster in sync status.

pmcevoy commented 5 years ago

Thanks. I actually figured out that solution in the end using 6.2.2

BTW, I'm using Terraform to setup which is a lot easier to follow than CloudFormation. If you like, I can submit