Cybersecurity Forum


plokesh
Staff

Login to the AWS FortiGate Firewall.

Please see the note from AWS below. The instance-id length is changing from 10 to 19. The FortiGate-VM in AWS uses the instance id as the password for initial login to the device.

As of March 7, 2016, newly created AWS accounts will use longer EC2 instance and reservation IDs by default in the following regions: US East (Northern Virginia), US West (Oregon), US West (Northern California), EU (Ireland), and EU (Frankfurt).  In other regions, new accounts will use longer EC2 instance and reservation IDs by default starting in mid-April 2016.

If you create a new AWS account on or after March 7, 2016, your new account will receive longer EC2 instance and reservation IDs by default in the regions noted above. We recommend testing longer IDs before transitioning; however, if you have not yet tested your systems for compatibility with the longer format, you still have the option to opt out and receive shorter IDs until early December 2016.  Longer EBS volume and snapshot IDs will be available in April.

For more details, and for instructions on how to adjust your ID format settings, visit the AWS Blog, the EC2 FAQ, and the EC2 User Guide. If you have questions, contact the AWS support team.

Sincerely,
The Amazon Web Services Team

Based on this, some changes are needed to the way we log in to the FortiGate-VM in AWS.

Short instance-id (10 digits):

Use the instance-id to log in to the AWS FortiGate-VM instances as always.

Long instance-id (19 digits):

For the long instance id, launch the instance with an AWS keypair. There are two ways to log in to the instance in this scenario.

1) Please use the first 11 characters of the instance id.

2) You can use the private key to log in to the firewall through ssh. From there you can change the admin password to log in through http/https via the GUI.

Example of logging in using the firewall's private key:

From a Linux console:

# ssh -i privatekey.pem admin@[ip of the firewall]
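As an added example that is not part of the original post, a POSIX shell function that applies the login rule above (a short ID is used whole, a long ID is cut to its first 11 characters) to an EC2 instance ID and rejects anything that is not in either format. The function name and the sample IDs are made up; the derived password is predictable from the instance ID, so it is only meant to get you to the first login where it is changed.

```shell
#!/bin/sh
# Added example, not from the original post. Function name and sample IDs are
# constructed for illustration.

# Print the initial FortiGate-VM admin password for one EC2 instance ID:
#   10 characters ("i-" + 8 hex)  -> the whole ID is the password
#   19 characters ("i-" + 17 hex) -> the first 11 characters are the password
# Any other shape is rejected with a message on stderr and a non-zero status.
fgt_initial_password() {
    id="$1"
    body="${id#i-}"          # ID with the "i-" prefix stripped

    # Must start with "i-" and the remainder must be lowercase hex only.
    case "$id" in
        i-*) ;;
        *) echo "not an EC2 instance ID: $id" >&2; return 1 ;;
    esac
    case "$body" in
        ''|*[!0-9a-f]*) echo "not an EC2 instance ID: $id" >&2; return 1 ;;
    esac

    case "${#id}" in
        10) printf '%s\n' "$id" ;;        # short format: used as-is
        19) printf '%.11s\n' "$id" ;;     # long format: first 11 characters
        *)  echo "unexpected instance ID length ${#id}: $id" >&2; return 1 ;;
    esac
}

# Usage on constructed sample IDs (one short, one long):
#   fgt_initial_password i-1a2b3c4d            -> i-1a2b3c4d
#   fgt_initial_password i-0123456789abcdef0   -> i-012345678
```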

40james_FTNT
Staff

Great info, thank you! 

I did find, however, that Option #2 does not seem to work. When the FortiGate first comes up it does not have all the CLI commands enabled (aka "config system admin" is missing).

FortiGate-VM64-AWS # config system ?
central-management    Configure central management.
dns                   Configure DNS.
interface             Configure interfaces.
settings              Configure VDOM settings.
FortiGate-VM64-AWS #

Maybe if you register via cli (if possible) or via the central management options?

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
plokesh

James,

Can you specify what region you tried launching this in? Also let me know if this is BYOL or OnDemand.

40james_FTNT

Hi Praveen,

This was in Region "US East (N. Virginia)", us-east-1 I think, and the image was BYOL. I attached the image that was launched. 

Thanks!

J

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
plokesh


James,

The ssh keypair method should work for FortiGate. Can you verify?

40james_FTNT

In Reply to Praveen Lokesh:

James,

The ssh keypair method should work for FortiGate. Can you verify?

I can log in but it is the same problem I mentioned above. There is not a way, that I can see, for me to change the admin password via SSH. I can get in but then I can only config the bare minimum. I suspect once I have a license loaded it opens up more.

ssh -i ~/.ssh/awskey.pem admin@ec2-54-174-198-63.compute-1.amazonaws.com

FortiGate-VM64-AWS # config  system ?
autoupdate            Configure automatic updates.
central-management    Configure central management.
dns                   Configure DNS.
interface             Configure interfaces.
settings              Configure VDOM settings.

James (Jim) Hilving
Consulting Systems Engineer - CSE Team