
fortigate-terraform-deploy's Introduction

Terraform Deployment Scripts

Introduction

This project includes a set of Terraform scripts for getting started with Fortinet products on different cloud providers.

Support

Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact [email protected].

License

© Fortinet Technologies. All rights reserved.

fortigate-terraform-deploy's People

Contributors

ajoga, hrafnkellbrimar, jamie-pate, joel-cripps, klc178, mobilesuitzero, movinalot, robinmordasiewicz, troy-f


fortigate-terraform-deploy's Issues

Error 412: Constraint constraints/compute.requireShieldedVm

Hello,

Trying with the GCP template 6.2.5, I got this error when it comes to VM deployment:

google_compute_instance.default: Creating...

Error: Error creating instance: googleapi: Error 412: Constraint constraints/compute.requireShieldedVm violated for project projects/myproject. The boot disk's 'initialize_params.source_image' field specifies a non-Shielded
image: projects/fortigcp-project-001/global/images/fortinet-fgt-625-20200831-001-w-license. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information.
More details:
Reason: conditionNotMet, Message: Constraint constraints/compute.requireShieldedVm violated for project projects/myproject. The boot disk's 'initialize_params.source_image' field specifies a non-Shielded image: projects/fortigcp-project-001/global/images/fortinet-fgt-625-20200831-001-w-license. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information.
Reason: conditionNotMet, Message: Constraint constraints/compute.vmExternalIpAccess violated for project 346696193484. Add instance projects/myproject/zones/asia-southeast1-a/instances/myforti to the constraint to use external IP with it.

Can you advise please?

AMI's out of date

6.4.5 is not available in marketplace anymore. None of the templates still using 6.4.5 are valid for new subscribers.

Attempted to change size from "Standard_F4s" to "Standard_F4s_v2"

When attempting to change the VM size, the Standard F4 size failed to update to Standard F4 v2 due to the number of NICs allowed.

Error as follows:

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="NetworkInterfaceCountExceeded" Message="The number of network interfaces for virtual machine fgt-b-vm-fgt exceeds the maximum allowed for the virtual machine size Standard_F4s_v2. The number of network interfaces is 4 and the maximum allowed is 2. " Details=[]
with azurerm_virtual_machine.fgt_b_vm
on 03-fortigate.tf line 470, in resource "azurerm_virtual_machine" "fgt_b_vm":
resource "azurerm_virtual_machine" "fgt_b_vm" {
Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="NetworkInterfaceCountExceeded" Message="The number of network interfaces for virtual machine vm-fgt-a exceeds the maximum allowed for the virtual machine size Standard_F4s_v2. The number of network interfaces is 4 and the maximum allowed is 2. " Details=[]
with azurerm_virtual_machine.fgt_a_vm
on 03-fortigate.tf line 281, in resource "azurerm_virtual_machine" "fgt_a_vm":
resource "azurerm_virtual_machine" "fgt_a_vm" {

AWS BYOL?

Good morning,

Are the AWS templates only for PAYG setups? If so, what should I do to add BYOL functionality? The CloudFormation templates have an S3 bucket with the .lic files and endpoint and pass this information on as UserData to the FortiGate.

I assume an S3 bucket is not required with Terraform, but how do I insert the license (file)?

Cheers,

David

Question on GCP NIC requirements

We strongly desire to deploy an HA config with a single CPU per instance for cost reasons, which limits us to 2 vNICs per instance, and all the examples use 3 or 4 vNICs. We don't want to expose the management interface to the internet and have a shared VPC as our internal (protected) network. I assume that we can manage the appliance via the internal interface. I am however unsure if there is a hard requirement in the appliance to have a dedicated vNIC for the HA/sync traffic. Can the HA/sync use the internal or external vNIC instead of a dedicated vNIC?

FGT AWS 6.4 - Image version 6.4.3 not available in AWS

Hello,

FortiOS 6.4.3 image is not available in AWS (Frankfurt eu-central-1), but it is needed according to your Terraform template:

[image]

We tried running 6.4.4 and 6.4.5 instead, but we are unable to access the firewalls in any way (SSH, browser, Telnet etc.). We are getting timeouts; we checked security policies etc. It seems to be a FortiGate configuration issue.

Is the AWS/6.4/ha template up to date and working, and what is the correct image that has to be used for the pay-as-you-go license?

Thank you

balance virtual ip

Hello, I deployed it, but when I power off Firewall-A the external IP didn't change to Firewall-B.

Fortigate user-data script unable to complete the configuration

I have deployed the FortiGate HA solution multiple times, and it seems that there is some timing issue where secondary NICs are attached to the FortiGate VM after a delay ranging from 40 to 50 seconds, and by that time the cloud-init (user-data) script is already triggered during the FortiGate VM's first reboot. During this reboot, since some of the secondary NICs are not available (still being created), not all interfaces in the FortiGate VM are configured and as a result the HA configuration also fails. It works sometimes but sometimes does not work, probably due to OCI cloud API response timing/delays or quick VM reboot time etc. I tried to add a delay in the cloud-init script by adding "fnsysctl sleep 120"; however, this is not recognized by the FortiGate CLI/shell and I get the following error:
FortiGate-A # fnsysctl sleep 120
can not find command sleep

Did anyone else encounter this issue and find a workaround?

Following is the timing for one of the runs:

2023-03-09T03:47:41.0033865Z oci_core_instance.vm-a[0]: Creation complete after 37s
2023-03-09T03:47:41.0075511Z oci_core_vnic_attachment.vnic_attach_untrust_a[0]: Creating...
2023-03-09T03:47:55.9809283Z oci_core_vnic_attachment.vnic_attach_untrust_a[0]: Creation complete after 15s
2023-03-09T03:47:55.9901000Z oci_core_vnic_attachment.vnic_attach_trust_a[0]: Creating...
2023-03-09T03:48:10.8680863Z oci_core_vnic_attachment.vnic_attach_trust_a[0]: Creation complete after 15s
2023-03-09T03:48:10.8729656Z oci_core_vnic_attachment.vnic_attach_hb_a[0]: Creating...
2023-03-09T03:48:25.9414560Z oci_core_vnic_attachment.vnic_attach_hb_a[0]: Creation complete after 15s

Thanks

Should not require service account key json

The terraform google provider does not require a service account key, and it is security worst practice to use or distribute downloaded service account key material or rely on it in any way.
Could we please refactor this TF to either:
a) run as the current user
b) run with service account impersonation or ADC
c) use temporary OAUTH
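An added example of option (b), written here for illustration and not taken from the fortigate-terraform-deploy repo: the google provider configured with Application Default Credentials plus service-account impersonation, so no key file is ever downloaded. The project id, region and service-account e-mail are placeholders.

```hcl
# Constructed example (not the repo's own provider.tf): authenticate the
# google provider without a downloaded service-account key.
#
# Step 1, outside Terraform, obtain short-lived Application Default
# Credentials as the human operator:
#     gcloud auth application-default login
#
# Step 2, let the provider impersonate the deployment service account.
# Terraform then requests short-lived access tokens for that account at
# run time; the operator only needs roles/iam.serviceAccountTokenCreator
# on the target service account, and no key material exists to leak.

variable "project" {
  type    = string
  default = "my-gcp-project" # placeholder
}

variable "deploy_sa" {
  type    = string
  # placeholder service account that holds the deployment permissions
  default = "fgt-deployer@my-gcp-project.iam.gserviceaccount.com"
}

provider "google" {
  project = var.project
  region  = "us-central1" # placeholder

  # Weak form that the issue asks to remove (kept here commented out):
  # credentials = file("sa-key.json")

  # Corrected form: identity comes from ADC, privileges from impersonation.
  impersonate_service_account = var.deploy_sa
}
```

Option (a), running purely as the current user, is the same block without the `impersonate_service_account` line, provided that user's ADC identity already carries the compute permissions.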

Deployment of Azurevwan fails: IPSEC P1 Interface

Hello all,

By deploying this
https://github.com/fortinet/fortigate-terraform-deploy/tree/main/azure/7.4/azurevwan

I get this error:

fortios_vpnipsec_phase1interface.vwan1phase1: Creating...
fortios_vpnipsec_phase1interface.vwan2phase1: Creating...

│ Error: Error creating VpnIpsecPhase1Interface resource: Internal Server Error - Internal error when processing the request (500)

│ with fortios_vpnipsec_phase1interface.vwan1phase1,
│ on fortigate.tf line 1, in resource "fortios_vpnipsec_phase1interface" "vwan1phase1":
│ 1: resource "fortios_vpnipsec_phase1interface" "vwan1phase1" {



│ Error: Error creating VpnIpsecPhase1Interface resource: Internal Server Error - Internal error when processing the request (500)

│ with fortios_vpnipsec_phase1interface.vwan2phase1,
│ on fortigate.tf line 33, in resource "fortios_vpnipsec_phase1interface" "vwan2phase1":
│ 33: resource "fortios_vpnipsec_phase1interface" "vwan2phase1" {

I do note something case-sensitivity related (can't tell if this is the issue), but can anyone assist with what the problem is here?

The mentioned lines in fortigate.tf remained untouched.
Thank you!

Error: error creating gateway Load Balancer: DuplicateLoadBalancerName

Hi,


Running into an issue when executing the Fortigate Terraform AWS gwlb solution. Please check the error below. I don't have any prior LB or TG created in the region.

Any thoughts?

aws_lb.gateway_lb: Creating...
aws_lb_target_group.fgt_target: Creating...

Error: error creating gateway Load Balancer: DuplicateLoadBalancerName: A load balancer with the same name 'gatewaylb' exists, but with different settings
status code: 400, request id: 45ffa03a-738e-40f6-8bfd-a3b7be89bd5a

on network.tf line 208, in resource "aws_lb" "gateway_lb":
208: resource "aws_lb" "gateway_lb" {

Error: error creating LB Target Group: DuplicateTargetGroupName: A target group with the same name 'fgttarget' exists, but with different settings
status code: 400, request id: d9916dab-014b-4004-9f07-6c3058b0ce79

on network.tf line 217, in resource "aws_lb_target_group" "fgt_target":
217: resource "aws_lb_target_group" "fgt_target" {

Terraform private_ips does not guarantee order of IP addresses in network interfaces

Hi all,

We've used https://github.com/fortinet/fortigate-terraform-deploy/tree/main/aws/7.2/ha-single-az-existing to provision a pair of Fortigate devices. No problems, the instances were provisioned and config deployed in them.

But when we tried to actually reach the ip addresses generated and use them, we couldn't.

After a few hours of troubleshooting, we realised that the IP addresses in "active-port1" and "active-port2" were the other way around.

Our variables.tf values look like this:


variable "activeport1" {
  default = "10.10.1.21"
}

variable "activeport1float" {
  default = "10.10.1.20"
}

variable "activeport2" {
  default = "10.10.4.21"
}

variable "activeport2float" {
  default = "10.10.4.20"
}

For active-port1 we expected a network interface with private ipv4 address = 10.10.1.21 and secondary private ipv4 address = 10.10.1.20. Unfortunately, the actual network interface created by terraform has private ipv4 address = 10.10.1.20 and secondary private ipv4 address = 10.10.1.21.

Same for active-port2, instead of private ipv4 address = 10.10.4.21 and secondary private ipv4 address = 10.10.4.20 the actual network interface created by terraform has private ipv4 address = 10.10.4.20 and secondary private ipv4 address = 10.10.4.21.

It all comes down to Terraform not guaranteeing the order of IP addresses when using "private_ips" in the aws_network_interface resource.

Quoting from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface#example-of-managing-multiple-ips-on-a-network-interface (emphasis is mine):

By default, private IPs are managed through the private_ips and private_ips_count arguments which manage IPs as a set of IPs that are configured without regard to order. For a new network interface, the same primary IP address is consistently selected from a given set of addresses, regardless of the order provided. However, modifications of the set of addresses of an existing interface will not alter the current primary IP address unless it has been removed from the set.

In order to manage the private IPs as a sequentially ordered list, configure private_ip_list_enabled to true and use private_ip_list to manage the IPs. This will disable the private_ips and private_ips_count settings, which must be removed from the config file but are still exported. Note that changing the first address of private_ip_list, which is the primary, always requires a new interface.

So please, for the sake of other people who will hit the same problem, consider switching to private_ip_list instead of private_ips in the code.
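The switch the issue asks for, as an added example rather than the repo's own network.tf: the "active-port1" ENI written with an ordered `private_ip_list`, beside the set-based form that produced the swapped addresses. The subnet id is a placeholder; the two addresses are the ones from the issue.

```hcl
# Constructed example (not the repo's code): an AWS ENI for "active-port1"
# where the primary/secondary order of the two private IPs must be kept.

variable "activeport1" {
  default = "10.10.1.21" # intended primary address (from the issue)
}

variable "activeport1float" {
  default = "10.10.1.20" # intended secondary/floating address (from the issue)
}

variable "privatesubnetaz1" {
  default = "subnet-0123456789abcdef0" # placeholder subnet id
}

# Weak form: private_ips is a SET, so the provider chooses the primary
# address from the set's contents, not from the order written here.
# resource "aws_network_interface" "eth0" {
#   subnet_id   = var.privatesubnetaz1
#   private_ips = [var.activeport1, var.activeport1float]
# }

# Corrected form: private_ip_list is an ordered list; element 0 is the
# primary. private_ips / private_ips_count must not be set in this mode.
resource "aws_network_interface" "eth0" {
  subnet_id               = var.privatesubnetaz1
  private_ip_list_enabled = true
  private_ip_list         = [var.activeport1, var.activeport1float]
  source_dest_check       = false # firewall interface forwards for others
  tags = {
    Name = "active-port1"
  }
}

# Surfaces a mismatch after apply: true only if the primary is the address
# the FortiGate bootstrap config expects on port1.
output "active_port1_primary_ok" {
  value = aws_network_interface.eth0.private_ip == var.activeport1
}
```

Note that changing the first element of `private_ip_list` on an existing interface forces replacement of the ENI, as the quoted provider docs state.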

name changed in 7.x from master --> primary

Because of the name change in 7.x from master to primary, the config templates are wrong.
They should be:
AWS-FGTA # show system auto-scale
config system auto-scale
set status enable
set role primary
set sync-interface "port1"

AWS-FGTB # show system auto-scale
config system auto-scale
set status enable
set sync-interface "port1"
set primary-ip 10.1.0.10

fortigate-terraform-deploy/aws/7.0/transitgwy/ needs resource aws_key_pair defined

For fortigate-terraform-deploy/aws/7.0/transitgwy/

I found that I had to add the aws_key_pair as a TF resource before it would work. Simply calling the key name via the variable did not work for me.

Not working despite setting the below to either the key name or key ID:

variable "keypair" {
  description = "Provide a keypair for accessing the FortiGate instances"
  default     = ""
}

What worked for me: change all references to keypair to the resource below.

resource "aws_key_pair" "FortiAWSKey" {
  key_name   = "name of key"
  public_key = "xxxxxxx"
}

AliCloud 7.0 - Single VM issue. PAYG not matched with InstanceType

Hi,

Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:480: Resource alicloud_instance RunInstances Failed!!!
[SDK alibaba-cloud-sdk-go ERROR]:
│ SDK.ServerError
│ ErrorCode: InvalidParameter.NotMatch
│ Recommend: https://next.api.aliyun.com/troubleshoot?q=InvalidParameter.NotMatch&product=Ecs
│ RequestId: BD7FF8F3-1B58-3EC4-B0EE-5AF627947926
│ Message: the provided 'InstanceType -> cpu: 2' and 'Image -> cpu: [8 8]' are not matched.

│ with alicloud_instance.Fortigate,
│ on main.tf line 107, in resource "alicloud_instance" "Fortigate":
│ 107: resource "alicloud_instance" "Fortigate" {

Error creating Image: googleapi: Error 403: Required 'compute.images.create'

Hi everyone,

I'm trying to deploy the single example, but I'm getting the error "Error creating Image: googleapi: Error 403: Required 'compute.images.create' permission for 'projects/fortigcp-project-001/global/images/fgtvmgvnic-image', forbidden"

My doubt is about this permission for the fortigcp-project: it is a public project from which I can get the image? How should I have permission there to create the image, or am I missing something?

Provided terraform for aws/6.4/ha loses half of the private traffic

Summary

An internal route is missing on port2; it makes half of the private addressing unreachable at any time.

Steps to reproduce

With commit 59ee5c1

  • $ terraform deploy
  • Log in to the Fortigate, add a firewall rule to allow private->public traffic with NAT. For testing, just allow 0.0.0.0/0 from internal to external on all ports. Enable all logging of matching traffic.
  • Spin up two EC2 instances with the latest Ubuntu version and an SSM role; one in az1, one in az2.
  • The EC2 instance in az1 can access the internet and thus be accessible via SSM Session Manager, whereas the other cannot. This can be confirmed by looking at the traffic logs (on the active Fortinet, "Log & Report" > "Forward Traffic". You'll see only traffic coming from the az1 EC2 going to the internet, with the subnet being 20.1.1.0/24).
  • Trigger an HA failover (restart of the primary gw, for instance); now the test EC2 in az1 cannot reach the internet and is unreachable; the EC2 in az2 now reaches the internet and is now reachable via SSM Session Manager. This can be confirmed by looking at the traffic logs (on the active Fortinet, "Log & Report" > "Forward Traffic". You'll see only traffic coming from the az2 EC2 going to the internet, with the subnet being 20.1.11.0/24).

Suggested fix

On each Fortigate, add a route on the internal port (port2) to the VPC subnet with that subnet's gateway as pointed by step 2c in this cookbook.

Web UI not accessible in 6.4 (Azure)

Hello,

Is there anything in 6.4.3 that would prevent me from accessing the Web UI of the firewall after deployment (virtual FGT in Azure)? SSH to the FGT is working fine.

6.2 deployment is also working fine (SSH + GUI).

I created a policy that allows everything, I can see that my traffic is reaching the firewall and the firewall responds with psh packet back.. but my browser is timing out..

Maybe there’s something new in 6.4 ?

Thanks 😉

Oracle OCI cloud => Terraform with parameters fingerprint & private_key_path? How to find them?

Hi, Terraform Guru

https://github.com/fortinet/fortigate-terraform-deploy/blob/main/oci/7.2/ha/terraform.tfvars.example

Is there any good way to retrieve the fingerprint & private_key_path in the OCI console? I tried to access it via
Identity => Federation => Identity Provider Details => Users => User Details; under Resources it should have the API key, but I am not able to get it in the OCI console. Any good command to retrieve fingerprint & private_key_path?? Thanks.

// Change to your own variables
tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55ck3a"
compartment_ocid = "ocid1.compartment.oc1..aaaaaaaadftsplqvrt2e63vvfgu4zalufpu4e5b2lfsfnr4p7nv72sz6umqq"
user_ocid = "8f57478b49da4f91b40944f698e24d92"
fingerprint = ""
private_key_path = ""
region = "ap-singapore-1"

aws fail deploy 6.4 ha with TGW

Error: Error launching source instance: InvalidKeyPair.NotFound: The key pair 'taskcat' does not exist
status code: 400, request id: c59a3ab1-1f54-4fa9-937d-c58e8b55017a

Error: Error launching source instance: InvalidKeyPair.NotFound: The key pair 'taskcat' does not exist
status code: 400, request id: 5189029b-f7fe-4d9e-ad7e-245ffd2a03b7

Error: Error launching source instance: InvalidKeyPair.NotFound: The key pair 'taskcat' does not exist
status code: 400, request id: 35e76ce6-e6c0-4606-9759-918e8bf89375

Error: Error launching source instance: OptInRequired: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit https://aws.amazon.com/marketplace/pp?sku=2wqkpek696qhdeo7lbbjncqli
status code: 401, request id: 6abef3ab-acc3-4155-9085-77085c1aae20

Error: Error launching source instance: OptInRequired: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit https://aws.amazon.com/marketplace/pp?sku=2wqkpek696qhdeo7lbbjncqli
status code: 401, request id: fef34c55-6f02-4cbf-b726-a6bb82d3346b

Availability of GCP image 7.2.4

The latest image for GCP is 7.2.4, but the repo is using 7.2.3. Is image 7.2.4 available at
projects/fortigcp-project-001/global/images/ ?
If so, can you please either provide the link or allow compute.images.list on this project?

Possible Typo in Architecture Diagram

Is it possible there's a minor typo in the architecture diagram? Or am I misunderstanding something after much head scratching? In the Ingress RTB I see:

[image]

however in the private subnets that the code indicates are the targets of the ingress RTB I see:

[image]

So, the code (network.tf) says:

[image]

Could the private subnets and their RTB CIDRs be mislabeled?

Issue with DNS on GCP using FortiGate HA example

Using the Terraform HA example, I'm facing one issue with the instances I've attached to my private subnet. When I try to ping a domain such as gmail.com or google.com from one of the instances that are being routed through FortiGate, the public IP of the destination is different from the test instances and from the FortiGate instances (from FortiGate, the ping is ok). It seems to be a DNS issue, but I'd like to understand what the best practice is with FortiGate on GCP, since they use the internal metadata server (169.254.169.254) for DNS, and how to configure this on FortiGate.

One important detail: I've also deployed FortiGate from the GCP marketplace, and one thing that is different, and probably the fix for the issue, is that I can see under Network/DNS the "Dynamically Obtained DNS Servers" with the interface "Port1" and the DNS server "169.254.169.254"; in the Terraform HA example I don't have this value. Maybe it is a problem with the SDN connector or a permission, but I've tried to find it in the Fortinet documentation and didn't find anything related.

Question on google_compute_forwarding_rule in /7.2/ha-cross-zone-3-ports/main.tf

The docs say the forwarding rule will fail over to the passive instance if the active instance is unavailable, but unless I'm missing something it looks like it just forwards all traffic to the first instance (google_compute_instance.default.id)
Am I missing something, or is this a bug? I'm also curious as to why this setup has the forwarding rule and all the other HA examples don't have this. Is this superfluous?

interface, route, and vip config in aws/6.2/multi-az is incorrect

The config-active.conf is missing the vdom-exception cli statements that restrict the synchronization of interface, static route, and vip config.

https://github.com/fortinet/fortigate-terraform-deploy/blob/main/aws/6.2/ha/config-active.conf and https://github.com/fortinet/fortigate-terraform-deploy/blob/main/aws/6.2/ha/config-passive.conf

config system vdom-exception
edit 1
set object system.interface
next
edit 2
set object router.static
next
edit 3
set object firewall.vip
next
end

fortigate-terraform-deploy to AWS fails with error.

Hi,

Tried terraform script for 7.0 HA.

https://github.com/fortinet/fortigate-terraform-deploy/tree/main/aws/7.0/ha

Provided values in terraform.tfvars and variables.tf

Variables.tf


//AWS Configuration
variable access_key {}
variable secret_key {}

variable "region" {
  default = "ap-southeast-2"
}

// Availability zone 1 for the region
variable "az1" {
  default = "ap-southeast-2a"
}

// Availability zone 2 for the region
variable "az2" {
  default = "ap-southeast-2c"
}

// IAM role that has proper permission for HA
// Refer to https://docs.fortinet.com/vm/aws/fortigate/6.2/aws-cookbook/6.2.0/229470/deploying-fortigate-vm-active-passive-ha-aws-between-multiple-zones
variable "iam" {
  default = "Fortinet_HA_Role"
}

variable "vpccidr" {
  default = "20.1.0.0/16"
}

variable "publiccidraz1" {
  default = "20.1.0.0/24"
}

variable "privatecidraz1" {
  default = "20.1.1.0/24"
}

variable "hasynccidraz1" {
  default = "20.1.2.0/24"
}

variable "hamgmtcidraz1" {
  default = "20.1.3.0/24"
}

variable "publiccidraz2" {
  default = "20.1.10.0/24"
}

variable "privatecidraz2" {
  default = "20.1.11.0/24"
}

variable "hasynccidraz2" {
  default = "20.1.12.0/24"
}

variable "hamgmtcidraz2" {
  default = "20.1.13.0/24"
}

// License Type to create FortiGate-VM
// Provide the license type for FortiGate-VM Instances, either byol or payg.
variable "license_type" {
  default = "payg"
}

// AMIs are for FGTVM-AWS(PAYG) - 7.0.1
variable "fgtvmami" {
  type = map
  default = {
    us-west-2      = "ami-0450a759578d5f9e8"
    us-west-1      = "ami-0bed74e557899b316"
    us-east-1      = "ami-0b9c648555f605b8a"
    us-east-2      = "ami-048fa209a6f531c8e"
    ap-east-1      = "ami-0ba7332b78dedfdf0"
    ap-south-1     = "ami-0f8da603aeae144f0"
    ap-northeast-2 = "ami-0d90068740a70e960"
    ap-southeast-1 = "ami-0aa8b7bcf2a04ad1f"
    ap-southeast-2 = "ami-0793fa38bb58f353e"
    ap-northeast-1 = "ami-0e45541bf4f626eb8"
    ca-central-1   = "ami-0e92233e968a00d5a"
    eu-central-1   = "ami-0c48bc0e23f9042fc"
    eu-west-1      = "ami-066f47e167e4090e0"
    eu-west-2      = "ami-073e93d6afc52ee0e"
    eu-west-3      = "ami-07a5212e5d2fee5ed"
    eu-north-1     = "ami-0f21240140d3d2866"
    me-south-1     = "ami-0694965772c0df593"
    sa-east-1      = "ami-0c80c01c54651d66e"
  }
}


// AMIs are for FGTVM AWS(BYOL) - 7.0.1
variable "fgtvmbyolami" {
  type = map
  default = {
    us-west-2      = "ami-0070ab4edc735c379"
    us-west-1      = "ami-09e5387cc293153c1"
    us-east-1      = "ami-02678839ab63d47a1"
    us-east-2      = "ami-01fc50db5a27388fa"
    ap-east-1      = "ami-069022a0b0042e2b8"
    ap-south-1     = "ami-00609a13c17b3cf5d"
    ap-northeast-2 = "ami-0a0e4c41637e6936f"
    ap-southeast-1 = "ami-0d9a129903b7ba964"
    ap-southeast-2 = "ami-0b9ef7623fc628069"
    ap-northeast-1 = "ami-0bfb0a297a846758d"
    ca-central-1   = "ami-0f5966c7ff86c1cb6"
    eu-central-1   = "ami-09ca8648996694d40"
    eu-west-1      = "ami-01118ca5692326739"
    eu-west-2      = "ami-073e5153688b42f25"
    eu-west-3      = "ami-00e8ba0a04789ad0e"
    eu-north-1     = "ami-0907f64a7bbfb94ff"
    me-south-1     = "ami-098b025df177bd3d4"
    sa-east-1      = "ami-01abe8a3a6cd165e7"
  }
}

variable "size" {
  default = "c5n.xlarge"
}

//  Existing SSH Key on the AWS 
variable "keyname" {
  default = "vishawskey"
}

// HTTPS access port
variable "adminsport" {
  default = "8443"
}

variable "activeport1" {
  default = "20.1.0.10"
}

variable "activeport1mask" {
  default = "255.255.255.0"
}

variable "activeport2" {
  default = "20.1.1.10"
}

variable "activeport2mask" {
  default = "255.255.255.0"
}

variable "activeport3" {
  default = "20.1.2.10"
}

variable "activeport3mask" {
  default = "255.255.255.0"
}

variable "activeport4" {
  default = "20.1.3.10"
}

variable "activeport4mask" {
  default = "255.255.255.0"
}

variable "passiveport1" {
  default = "20.1.10.10"
}

variable "passiveport1mask" {
  default = "255.255.255.0"
}

variable "passiveport2" {
  default = "20.1.11.10"
}

variable "passiveport2mask" {
  default = "255.255.255.0"
}

variable "passiveport3" {
  default = "20.1.12.10"
}

variable "passiveport3mask" {
  default = "255.255.255.0"
}

variable "passiveport4" {
  default = "20.1.13.10"
}

variable "passiveport4mask" {
  default = "255.255.255.0"
}

variable "activeport1gateway" {
  default = "20.1.0.1"
}

variable "activeport2gateway" {
  default = "20.1.1.1"
}

variable "activeport4gateway" {
  default = "20.1.3.1"
}

variable "passiveport1gateway" {
  default = "20.1.10.1"
}

variable "passiveport2gateway" {
  default = "20.1.11.1"
}

variable "passiveport4gateway" {
  default = "20.1.13.1"
}


variable "bootstrap-active" {
  // Change to your own path
  type    = string
  default = "config-active.conf"
}

variable "bootstrap-passive" {
  // Change to your own path
  type    = string
  default = "config-passive.conf"
}

// license file for the active fgt
variable "license" {
  // Change to your own byol license file, license.lic
  type    = string
  default = "license.lic"
}

// license file for the passive fgt
variable "license2" {
  // Change to your own byol license file, license2.lic
  type    = string
  default = "license2.lic"
}


Executed terraform apply. Got the below error.


│ Error: Error in function call
│
│   on output.tf line 7, in output "FGTClusterPublicFQDN":
│    7:   value = "${join("", list("https://", "${aws_eip.ClusterPublicIP.public_dns}", ":", "${var.adminsport}"))}"
│     ├────────────────
│     │ aws_eip.ClusterPublicIP.public_dns will be known only after apply
│     │ var.adminsport will be known only after apply
│
│ Call to function "list" failed: the "list" function was deprecated in Terraform v0.12 and is no longer available; use
│ tolist([ ... ]) syntax to write a literal list.

VPN Settings with External Load Balancer (GCP)

I've deployed FortiGate using the ha-dualloadbalancer template, but I'm facing issues when configuring the VPN. Enabling the debug on FortiGate, I cannot see the traffic reaching the instances, and even if I configure a different port (such as 10443) and enable this port on the GCP firewall rule that will be applied to the FortiGate instances in the untrust VPC, I can't reach it.
I'm wondering if there is something different that needs to be done to use VPN with the ha-dualloadbalancer template, since when deploying the HA template I can configure it without any problems. Here is a screenshot of how I'm configuring the VPN settings and the firewall policy (this config works in the HA template but not in the internal/external one):

[image: SSL_VPN_Settings]
[image: policy_VPN-Private-All-Subnets]

Azure HA deployment: Platform image not available.

Hello,

When deploying via Terraform we get the following error:

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=404 -- Original Error: Code="PlatformImageNotFound" Message="The platform image 'fortinet:fortinet_fortigate-vm_v5:fortinet_fg-vm_payg_20190624:6.2.3' is not available. Verify that all fields in the storage profile are correct. For more details about storage profile information, please refer to https://aka.ms/storageprofile" Target="imageReference"

on active.tf line 66, in resource "azurerm_virtual_machine" "activefgtvm":
66: resource "azurerm_virtual_machine" "activefgtvm" {

Do we need to manually add the .vhd image to a storage account? We are unsure what the issue might be.

Previously we had the following error:

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ResourcePurchaseValidationFailed" Message="User failed validation to purchase resources. Error message: 'You have not accepted the legal terms on this subscription: 'fec6bc-a270-4638-8b10-8c4b32c4' for this plan. Before the subscription can be used, you need to accept the legal terms of the image. To read and accept legal terms, use the Azure CLI commands described at https://go.microsoft.com/fwlink/?linkid=2110637 or the PowerShell commands available at https://go.microsoft.com/fwlink/?linkid=862451. Alternatively, deploying via the Azure portal provides a UI experience for reading and accepting the legal terms. Offer details: publisher='fortinet' offer = 'fortinet_fortigate-vm_v5', sku = 'fortinet_fg-vm_payg_20190624', Correlation Id: '55105-fbca-4864-a65a-0c8125b7b'.'"

We resolved it by running:
az vm image terms accept --publisher fortinet --offer fortinet_fortigate-vm_v5 --plan fortinet_fg-vm_payg_20190624

Could that have somehow affected the finding of the FortiGate images?

Thank you :)

Why isn't there a gwlb-crossaztransit example?

Am I missing something? Shouldn't there be an example with transit and cross-AZ? I believe the gwlb-transit example does not create the routing tables correctly for multi-AZ.

It's possible I am mistaken; if so, please let me know.

Thank you,

AWS Fortigates not accessible after deployment

I deployed the gwlb-transit options for 6.4 and 7.0. In either case, following successful deployment, I cannot connect in any way with the FortiGate instances. I opened up the SGs to allow pings and that does not work either. Does the FortiGate need a route to be defined on the public interface for the subnet gateway? I am at a loss of what to do at this point.

Issue Deploying on GCP using HA example (Unable to access internet from private subnet)

Using the Terraform example I'm able to see the HA configured correctly, but I'm facing some issues:
If I create any instance in the private VPC and try to reach the internet, its not possible (all packages are lost). I've already tried to create a new Firewall policy to grant access to everything on the internet, I can see the logs coming in the Fortigate firewall granting the access using my policy, but from the instance test perspective, I only receive a package loss.

I'm wondering if you can try to deploy using this example, create a test instance on the private VPC and try to reach the internet with a simple ping?

Thank you

How to add a new private subnet and create a dynamic route (GCP)

Hello folks,

In the current HA example, there is one private subnet in which each FortiGate instance has one nic, and one GCP route that FortiGate will change automatically to route to the second instance if the primary fails. I'm wondering: if I need to create a second private VPC (also private) and attach each FortiGate instance with a nic in this new subnet, I'll have to create another route to do the same (change from primary to secondary). What is the necessary configuration that I need to do on FortiGate to change this new route automatically? Is it possible to do that?

Thank you.

Unable to Destroy Terraform-managed infrastructure

On 2/16/21 I launched this in AWS successfully; however, now when I try to initiate "terraform destroy" I get the following error:
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: RequestError: send request failed
caused by: Post "https://sts.amazonaws.com/": dial tcp: lookup sts.amazonaws.com on [::1]:53: read udp [::1]:57965->[::1]:53: read: connection refused

I get the same error when trying to issue "terraform plan"

Fail deploy ha 6.2

Hello, when I deploy the solution with terraform, all the VPCs, subnets, etc. were deployed, but I had this failure:

"Error: Error launching source instance: InvalidParameterValue: Value (arn:aws:iam::084053122642:role/rol_ha_fortinet) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
status code: 400, request id: e178084c-fb0d-4663-ace6-14f43790e3da"

Reviewing the doc, I had to create a role with this permission:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:Describe*",
            "ec2:AssociateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:ReplaceRoute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

I did it: I created that role with an associated policy with that permission (I also tried with full permissions).

Can you help me?

Regards
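As an added example (not code from the fortigate-terraform-deploy repository), the following wires the policy quoted in the post above into an IAM role and an instance profile; the `aws_instance` argument `iam_instance_profile` takes the profile name, so the profile is what a FortiGate instance resource references. The names "fgt-ha-role", "fgt-ha-policy" and "fgt-ha-profile" are constructed placeholders.

```hcl
# Trust policy: only EC2 may assume the role the FortiGate instances use.
data "aws_iam_policy_document" "fgt_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Same permissions as in the post, kept to what the HA failover needs:
# moving the EIP, moving secondary private IPs and rewriting the route.
data "aws_iam_policy_document" "fgt_ha" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:Describe*",
      "ec2:AssociateAddress",
      "ec2:AssignPrivateIpAddresses",
      "ec2:UnassignPrivateIpAddresses",
      "ec2:ReplaceRoute",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role" "fgt_ha" {
  name               = "fgt-ha-role"   # placeholder name
  assume_role_policy = data.aws_iam_policy_document.fgt_assume.json
}

resource "aws_iam_role_policy" "fgt_ha" {
  name   = "fgt-ha-policy"             # placeholder name
  role   = aws_iam_role.fgt_ha.id
  policy = data.aws_iam_policy_document.fgt_ha.json
}

# The instance profile is the object EC2 attaches; it wraps the role.
resource "aws_iam_instance_profile" "fgt_ha" {
  name = "fgt-ha-profile"              # placeholder name
  role = aws_iam_role.fgt_ha.name
}

# In each FortiGate aws_instance resource, reference the profile by name:
#   iam_instance_profile = aws_iam_instance_profile.fgt_ha.name
```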

AliCloud "RAMRoleName" does not exist ???

Hi,


│ Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:480: Resource alicloud_instance RunInstances Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
│ SDK.ServerError
│ ErrorCode: InvalidRamRole.NotFound
│ Recommend: https://next.api.aliyun.com/troubleshoot?q=InvalidRamRole.NotFound&product=Ecs
│ RequestId: BD5C6764-0244-3D6C-9CD8-7F92FD5D684B
│ Message: The specified parameter "RAMRoleName" does not exist.

│ with alicloud_instance.Fortigate2,
│ on main.tf line 220, in resource "alicloud_instance" "Fortigate2":
│ 220: resource "alicloud_instance" "Fortigate2" {

AWS Loadbalancer Config

The documentation that links to the loadbalancer code is labeled as an active-active configuration, but the code implies active-passive. Is this a miscommunication?

Configuration files master and slave

Hello ,

I have a question about the master and slave configuration files: how can we download the configuration with terraform? In the terraform file I don't see a call to the configuration files.

thank you

EU-WEST-1 AMI is not recognised anymore

EU-WEST-1 AMI is not recognised anymore.

When using the EU-WEST-1 AMI you get the following error:

│ Error: error collecting instance settings: empty result

│ with aws_instance.fgtactive,
│ on instance-active.tf line 58, in resource "aws_instance" "fgtactive":
│ 58: resource "aws_instance" "fgtactive" {

If you switch to a modern 7.0 AMI, it passes if you remove the instance profile from the terraform resource.

GCP 7.4 single template

Few issues I'm facing with 7.4 deployments on GCP:

  1. Variable "vpc_cidr" is not used anywhere, and should be removed from the template

  2. Template is missing the default route in private VPC to point to fortigate instance, you need something like this or similar:

       resource "google_compute_route" "defaultrouteprivate" {
         name                   = "defaultrouteprivate"
         dest_range             = "0.0.0.0/0"
         network                = google_compute_network.vpc_network2.name
         next_hop_instance      = google_compute_instance.default.name
         next_hop_instance_zone = var.zone
         priority               = 0
       }


  3. It's better to define vpc names as public and private instead of using the random string, which could be confusing to new users

Insecure password for admin in GCP modules (and GCP image in general)

As far as I can tell all the GCP modules output the instance ID as the admin password. I assume this is something that is baked into the image, but it seems like a terrible idea from a security standpoint since anyone with minimal permissions on the project can get the admin password and it's very hard to fix afterwards. It would be a lot better if the terraform generated a random password and configured this as the admin password at deployment time.
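As an added example (not code from the fortigate-terraform-deploy GCP modules), this generates the admin password with the `random` provider and sets it in the FortiGate bootstrap config (CLI syntax) delivered through the instance's `user-data` metadata, which is assumed to be applied at first boot. The resource name `google_compute_instance.default` and `var.zone` come from the post above; `var.image`, `google_compute_subnetwork.public_subnet` and the instance name are assumptions.

```hcl
resource "random_password" "fgt_admin" {
  length           = 24
  special          = true
  # Exclude " and \ so the value drops straight into a double-quoted CLI string
  override_special = "!@#%^*-_=+:,.?"
}

locals {
  # FortiGate bootstrap in CLI syntax; the module's generated config follows it
  fgt_admin_bootstrap = <<-EOT
    config system admin
      edit "admin"
        set password "${random_password.fgt_admin.result}"
      next
    end
  EOT
}

resource "google_compute_instance" "default" {
  name         = "fgt-single"            # assumed instance name
  machine_type = "n1-standard-4"
  zone         = var.zone

  boot_disk {
    initialize_params {
      image = var.image                  # FortiGate image (assumed variable name)
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.public_subnet.name  # assumed resource name
  }

  metadata = {
    user-data = local.fgt_admin_bootstrap
  }
}

# sensitive = true redacts the value from plan/apply output; it is still stored
# in the state file, so the state backend needs access control and encryption.
output "fgt_admin_password" {
  value     = random_password.fgt_admin.result
  sensitive = true
}
```

The bootstrap text is readable by anyone who can call `compute.instances.get` on the project, so this narrows the exposure rather than removing it: restrict that permission and rotate the password after the first login.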
