New VPC Deployment Guidelines · 2017-12-16

FortiGate UTM Auto Scaling

New VPC Deployment Guidelines

April 2016


Problem Statement

o How do you protect dynamically scaling AWS compute resources with advanced UTM security postures without purchasing multiple firewalls that sit idle in non-peak sessions? How can you leverage AWS elasticity for true pay-as-you-go cloud networking protected with advanced network security?

Problem Resolution - Fortinet’s FortiGate UTM Auto Scaling in AWS

o Security has become an essential enabler of application and service delivery in cloud environments. For organizations contemplating the migration of essential activities to the cloud, the ability to match security to workloads is a key business consideration. The effective application of AWS cloud security requires an ability to scale up and down in concert with the workload. The most operationally advantageous way to support this dynamic need is with automation. As organizations migrate their production infrastructure to the cloud, many leverage AWS’s Auto Scaling capabilities to automatically scale their cloud compute resources according to conditions they define. This provides an excellent means of optimizing cloud costs, detecting faulty instances, identifying unhealthy applications and automating replacement. As cloud workloads are scaled-out, the concerns of secured data protection persist and require a security-scaling automation capability aligned to flexing compute resources. To address this situation, Fortinet has developed an Auto Scaling CloudFormation template which adds enterprise firewall instances automatically based on user defined criteria while using AWS integrated scripts and templates to maintain a familiar UI and initiate security elasticity for optimal network utilization.

Solution Highlights

o Provides timely protection as workloads scale horizontally
o Delivers automatic scaling for best-in-class advanced security in AWS
o Pre-tunes “minimum” and “maximum” security parameters to provide refined security policies
o Minimizes Cloud instance over-subscription and OPEX spending
o Eliminates error-prone manual intervention in security configurations
o Fortinet maps your security postures to scale up & down with your EC2 in an AWS CloudFormation template
o You define the min / max quantity to scale + type of instance and the security flexes to your parameters
o Flex criteria: CPU Utilization, Memory Utilization, Concurrent Sessions or Session Setup Rate
o Template available for new VPC deployments in AWS


Design Criteria

o The Auto Scaling solution requires that a Route53 domain be set up prior to creating the CloudFormation Stack
o 3 Elastic IPs are needed for the initial launch
o Auto Scaling works with instances with 2 interfaces. 1-instance is used for Public / 1-instance is used for routing internal subnets
o The initial instance can be different than the Auto Scaling instances. For example, start with a c3.2xlarge (Hourly or Annual) and set the Auto Scaling Group to incorporate c3.large (all Scaling instances being On Demand Hourly).
o The CloudFormation template and Worker Node scripts are integrated closely; therefore, it is important to maintain the set parameter/resource naming conventions
o Inbound traffic is distributed equally based on the Route53 load balancing policy / Outbound traffic goes through 2-instances (the number of instances in the Auto Scaling group does not change this)
o Source NAT is used at the FortiOS level for inbound traffic
o At this time the FortiGate Auto Scaling CloudFormation template:
    Only supports On Demand instances (does not support BYOL)
    Only supports deployment into a new VPC (does not support installing into an existing VPC)

Functionality

o To ensure availability and optimization of Fortinet’s advanced threat protection over the entire Auto Scaling group, Fortinet maps your AWS security postures to scale up and down with your EC2 in an AWS CloudFormation template. This template can be held in a repository, making it reproducible and easily deployable as new instances require secure elasticity.


o The FortiGate UTM Auto Scaling solution utilizes AWS native tools, templates and infrastructure including:
    o CloudFormation: Enables you to use a template file to create and provision a collection of resources together as a single unit (a stack) predictably and repeatedly.
    o CloudWatch: Monitors your AWS resources and the applications you run on AWS in real-time.
    o IAM: Identity and Access Management (IAM) is an AWS service that enables managing users and user permissions in AWS.
    o Route53: A highly available and scalable Domain Name System (DNS) web service.
    o SQS: A messaging queue service that handles messages or workflows between components in a system.
    o EC2: Elastic Compute Cloud (EC2) is a service that provides resizable computing capacity—literally, servers in Amazon's data centers—that you use to build and host your software systems.
    o AZs: The AWS infrastructure is built around Regions and Availability Zones (“AZs”). A Region is a physical location with multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities. These Availability Zones offer you the ability to operate production applications and databases which are more highly available, fault tolerant and scalable than would be possible from a single data center.
    o VPC: Virtual Private Cloud (VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

How it All Works Together in the FortiGate UTM Auto Scaling Solution

o From AWS Marketplace Clusters & Resources/Security and Networking Infrastructure https://aws.amazon.com/mp/clusters/ - select the FortiGate UTM Auto Scaling CloudFormation template.

o The FortiGate Auto Scaling CloudFormation template performs the following actions in the set-up:
    (2) FortiGates are launched in (2) Availability Zones (AZs) in a High Availability (HA) architecture
    An EC2 worker node instance is launched (t2micro)
    The Launch Configuration is created for the AutoScaling Group
    A LifeCycle Hook is created to post to the SQS Queue when a scaling event occurs
    AutoScaling Group Scaling policies are created
    CloudWatch Alarms are created for ScaleUp and ScaleDown triggering
    An SQS queue is created with Auto Scaling instance launch permission events
    Dynamic IAM roles are created for both EC2 launch and also to write to the SQS queue for the AutoScaling LifeCycle Hook
    Route53 record sets for each firewall in the Hosted Zone are created

o The (2) FortiGate Worker Node scripts perform the following actions in the set-up (Worker Node utilizes an AWS t2micro EC2 instance):

ec2.py script clears the SQS queue and adds the instances created via the CloudFormation template to the AutoScaling Group. It then starts monitoring the instances & parameters while writing to the correct CloudWatch metric using the parameters selected in the CloudFormation template. For outbound connectivity, the script monitors the health of the primary instance. In the event of that instance being down, the Route Table associations (associated with that instance) are automatically transferred to an available instance in the Autoscaling Group.

autoscaling.py script monitors the SQS queue for any messages, receives messages, parses out the instance id and deletes the messages. It then completes the AutoScaling action for that instance, completes the processing necessary to put the instance into service, starts a new thread to monitor the parameter selected in the CloudFormation template and posts it to the correct CloudWatch metric.

o Your FortiGate Auto Scaling policy is now set up in this 20-30 minute process, no further input needed. The CloudWatch set threshold for ScaleOut will raise an alarm and trigger the ScaleOut policy. The CloudWatch set threshold for ScaleIn will raise an alarm and trigger the ScaleIn policy.
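The worker-node flow just described (drain the queue, consume LifeCycle Hook messages, complete the Auto Scaling action, and move outbound route tables off a failed primary), as an added Python example. This is not Fortinet's ec2.py or autoscaling.py; it is illustrative code written for this page. A small FakeAwsClient stands in for the boto3 autoscaling/ec2/sqs clients so it runs offline, and its method names and keyword arguments mirror boto3's `complete_lifecycle_action`, `delete_message` and `replace_route`. The notification field names (EC2InstanceId, LifecycleHookName, LifecycleActionToken, LifecycleTransition, and the `autoscaling:TEST_NOTIFICATION` event AWS sends when a hook is first attached) are the ones AWS uses; every value, queue name and instance id below is a constructed sample. The ABANDON path for a failed provisioning step is an addition of this example, not behaviour the guide describes.

```python
import json
from dataclasses import dataclass, field

# Lifecycle transitions carried in the hook notification (AWS-defined strings).
LAUNCHING = "autoscaling:EC2_INSTANCE_LAUNCHING"
TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"


@dataclass
class FakeAwsClient:
    """Offline stand-in for the boto3 clients; records what a real worker would call."""
    completed: list = field(default_factory=list)    # (instance_id, hook, token, result)
    deleted: list = field(default_factory=list)      # receipt handles removed from the queue
    route_tables: dict = field(default_factory=dict) # route_table_id -> instance carrying 0.0.0.0/0
    healthy: set = field(default_factory=set)        # instance ids that currently pass health checks

    def complete_lifecycle_action(self, **kw):       # same keyword names as boto3
        self.completed.append((kw["InstanceId"], kw["LifecycleHookName"],
                               kw["LifecycleActionToken"], kw["LifecycleActionResult"]))

    def delete_message(self, receipt_handle):
        self.deleted.append(receipt_handle)

    def replace_route(self, route_table_id, instance_id):
        self.route_tables[route_table_id] = instance_id


def sample_messages():
    """Constructed queue contents: the test notification posted when the hook is
    created, followed by a launch notification for one scaled-out FortiGate."""
    test = {"Event": "autoscaling:TEST_NOTIFICATION", "AutoScalingGroupName": "FortiGateASG"}
    launch = {"LifecycleHookName": "FortiGateLaunchHook", "AutoScalingGroupName": "FortiGateASG",
              "LifecycleTransition": LAUNCHING, "EC2InstanceId": "i-0000000000000001",
              "LifecycleActionToken": "token-example"}
    return [("rh-1", json.dumps(test)), ("rh-2", json.dumps(launch))]


def parse_lifecycle_message(body):
    """Return (instance_id, hook, token, asg, transition) or None for anything that
    is not an actionable hook message (malformed JSON, the test notification, missing
    fields). Dropping these is the 'clear the SQS queue' step the guide mentions."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    if msg.get("Event") == "autoscaling:TEST_NOTIFICATION":
        return None
    required = ("EC2InstanceId", "LifecycleHookName", "LifecycleActionToken",
                "AutoScalingGroupName", "LifecycleTransition")
    if not all(k in msg for k in required):
        return None
    return tuple(msg[k] for k in required)


def process_queue(messages, client, put_in_service):
    """autoscaling.py-style loop: parse each message, complete the hook, delete it.
    put_in_service(instance_id) is the caller's provisioning step; if it raises, the
    hook is completed with ABANDON so Auto Scaling terminates the half-configured
    instance instead of leaving an unconfigured firewall in the group."""
    handled = []
    for receipt_handle, body in messages:
        parsed = parse_lifecycle_message(body)
        if parsed is None:
            client.delete_message(receipt_handle)   # non-actionable: just drain it
            continue
        instance_id, hook, token, asg, transition = parsed
        result = "CONTINUE"
        if transition == LAUNCHING:
            try:
                put_in_service(instance_id)
            except Exception:
                result = "ABANDON"
        client.complete_lifecycle_action(LifecycleHookName=hook, AutoScalingGroupName=asg,
                                         LifecycleActionToken=token, LifecycleActionResult=result,
                                         InstanceId=instance_id)
        client.delete_message(receipt_handle)       # only after the action is recorded
        handled.append((instance_id, result))
    return handled


def failover_routes(client, primary, members):
    """ec2.py-style outbound failover: if the primary is unhealthy, repoint every
    route table that targets it at a healthy member of the group. Returns the
    instance now carrying outbound traffic."""
    if primary in client.healthy:
        return primary
    candidates = [m for m in members if m != primary and m in client.healthy]
    if not candidates:
        raise RuntimeError("no healthy FortiGate available to take over outbound routing")
    new_primary = candidates[0]
    for rtb, inst in list(client.route_tables.items()):
        if inst == primary:
            client.replace_route(rtb, new_primary)
    return new_primary


if __name__ == "__main__":
    c = FakeAwsClient(healthy={"i-0000000000000002"},
                      route_tables={"rtb-private-a": "i-0000000000000001"})
    print(process_queue(sample_messages(), c, lambda i: None))
    print(failover_routes(c, "i-0000000000000001", ["i-0000000000000001", "i-0000000000000002"]))
```

Two design points worth keeping in a real worker: the message is deleted only after the lifecycle action has been completed, so a crash between the two leaves the message to be retried rather than an instance stuck in Pending:Wait until the hook's heartbeat timeout; and the route failover is driven by the worker's own health view, so the IAM role that runs it needs only `ec2:ReplaceRoute` on the private route tables, not broad EC2 write access.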


o Summary: AutoScaling components are created via the CloudFormation Template with specific automation steps completed via Python scripts in the t2micro ‘Worker Node’ (see diagram)

FortiGate UTM Auto Scaling SET-UP

Step 1: Launch the CloudFormation Template.

o From the AWS Management Console, navigate to the CloudFormation service, create a new stack and launch the CloudFormation template.

o Template available at: AWS Marketplace, http://aws.amazon.com/mp/clusters/

o Select Template


o Specify Details

o Input CloudFormation Template user-defined parameters to create the resources:
    Stack Name
    Scaling Parameter
    ScaleUp Threshold
    ScaleDown Threshold
    FortiGate Instance Type and Size
    AutoScaling Group information
    The region in which the instances will launch
    Network information including the VPC CIDR, public and private subnets
    Size of the instance to be used in the scaling process
    Keypair used for scaling purposes
    Route53 Domain Hosted Zone information
    DNS prefix that is being used in the setup.


o Scaling Guidelines (FortiGate On Demand c3 / c4 / m3 Instances)
o Suggested Scale Up / Scale Down Criteria Parameters

Template: CPU Utilization

                        Medium Instance   Large Instance   Xlarge Instance   2Xlarge Instance
                        FG-VM01-AWS       FG-VM02-AWS      FG-VM04-AWS       FG-VM08-AWS
  Scale Up Threshold    80                80               80                80
  Scale Down Threshold  70                70               70                70

Template: Memory Utilization

                        Medium Instance   Large Instance   Xlarge Instance   2Xlarge Instance
                        FG-VM01-AWS       FG-VM02-AWS      FG-VM04-AWS       FG-VM08-AWS
  Scale Up Threshold    80                80               80                80
  Scale Down Threshold  70                70               70                70

Template: Concurrent Sessions

                        Medium Instance   Large Instance   Xlarge Instance   2Xlarge Instance
                        FG-VM01-AWS       FG-VM02-AWS      FG-VM04-AWS       FG-VM08-AWS
  Scale Up Threshold    1500              8000             30,000            120,000
  Scale Down Threshold  1200              6000             24,000            100,000

Template: Session Set-Up Rate

                        Medium Instance   Large Instance   Xlarge Instance   2Xlarge Instance
                        FG-VM01-AWS       FG-VM02-AWS      FG-VM04-AWS       FG-VM08-AWS
  Scale Up Threshold    320,000           450,000          1,000,000         3,000,000
  Scale Down Threshold  270,000           400,000          8,000,000         2,400,000
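An added Python example, not part of the guide, that treats the suggested thresholds above as data: it checks that every Scale Down value sits strictly below its Scale Up value (the two CloudWatch alarms otherwise overlap and can fire against each other; the Xlarge Session Set-Up Rate row as printed above fails this check), and it simulates the ScaleUp/ScaleDown alarm pair against a metric series to show the hysteresis band the 80/70 pairing creates. The "three consecutive evaluation periods" rule is an assumption of this example; the guide does not state the alarm period.

```python
# Suggested thresholds transcribed from the guide's four tables.
# template -> instance size -> (scale_up_threshold, scale_down_threshold)
SUGGESTED = {
    "CPU Utilization": {
        "medium": (80, 70), "large": (80, 70), "xlarge": (80, 70), "2xlarge": (80, 70)},
    "Memory Utilization": {
        "medium": (80, 70), "large": (80, 70), "xlarge": (80, 70), "2xlarge": (80, 70)},
    "Concurrent Sessions": {
        "medium": (1500, 1200), "large": (8000, 6000),
        "xlarge": (30000, 24000), "2xlarge": (120000, 100000)},
    "Session Set-Up Rate": {
        "medium": (320000, 270000), "large": (450000, 400000),
        "xlarge": (1000000, 8000000), "2xlarge": (3000000, 2400000)},
}


def validate_thresholds(table):
    """Return the (template, size) rows whose scale-down threshold is not strictly
    below the scale-up threshold. Such a row leaves no band in which neither alarm
    is in ALARM state, so the group can oscillate or never scale in."""
    bad = []
    for template, rows in table.items():
        for size, (up, down) in rows.items():
            if not (0 < down < up):
                bad.append((template, size))
    return bad


def evaluate(samples, up, down, periods=3):
    """Simulate the two alarms over a metric series (one sample per period).
    ScaleOut fires when `periods` consecutive samples are >= up; ScaleIn fires
    when `periods` consecutive samples are <= down. A sample inside the band
    (down, up) resets both counters, which is what gives the pairing hysteresis.
    Each alarm fires once per excursion, like a simple scaling policy that only
    acts on the alarm's state transition. Returns [(sample_index, action), ...]."""
    actions = []
    high = low = 0
    for i, value in enumerate(samples):
        if value >= up:
            high, low = high + 1, 0
        elif value <= down:
            low, high = low + 1, 0
        else:
            high = low = 0
        if high == periods:
            actions.append((i, "ScaleOut"))
        if low == periods:
            actions.append((i, "ScaleIn"))
    return actions


if __name__ == "__main__":
    print("rows to review:", validate_thresholds(SUGGESTED))
    # Constructed CPU series: a spike that sustains above 80, then a quiet spell under 70.
    cpu = [50, 85, 85, 85, 85, 60, 60, 60, 75]
    up, down = SUGGESTED["CPU Utilization"]["large"]
    print(evaluate(cpu, up, down))
```

Reading the simulation: the 75% sample at the end sits between the two thresholds and triggers nothing, which is the point of keeping a gap between Scale Up and Scale Down; a single threshold used for both directions would flip the group on every sample that crosses it.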

o The CloudFormation template creates the stack and outputs seen in the screen shot:


Step 2: Connect to the EC2 Worker Node

o Connect to the EC2 Worker Node - for AWS detail on connecting to EC2, see AWS documentation at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html
o The EC2 and AutoScaling python scripts are located in the worker node at: /home/ec2-user/autoscaling

Step 3: Run the EC2 Script Second

o Run the ec2.py script with a runtime argument of the CloudFormation Stack name.
o The results of the ec2.py script look like:


Step 4: Run the AutoScaling Script Third

o Run the autoscaling.py script with the runtime argument of the CloudFormation Stack name.
o The results of the autoscaling.py script look like:

Congratulations - AutoScaling Set-up is Now Complete!

Reminders: AutoScaling Products / Supported Regions / Contact Resources

o FortiGate UTM Auto Scaling is Based on AWS On Demand
    Bring Your Own License (BYOL), the Fortinet-AWS-VM perpetual license, is not yet supported in this Auto Scaling Solution. On Demand is a subscription based transaction via the AWS Marketplace (Annual / Hourly). The “Scaling” instances, that scale in and out per selected criteria, are also On Demand.

o FortiGate On Demand in AWS Marketplace
    Instance Size: m3. medium, large, xlarge, 2xlarge | m4/c3/c4.large, xlarge, 2xlarge
    Instances can be purchased through AWS Marketplace as either Hourly or Annual subscriptions. In Marketplace, https://aws.amazon.com/marketplace/, search ‘Fortinet’ for listings. Select your region(s) and subscription preference. Fortinet can provide guidance on instance sizing based on subscriber count, bandwidth requirements and concurrent sessions.

o FortiGate BYOL-VM in AWS
    FortiGate SKUs: FG-VM01-AWS, FG-VM02-AWS, FG-VM04-AWS, FG-VM08-AWS
    See www.Fortinet.com/AWS for more detail
    AWS BYOL-VMs can be purchased through certified Fortinet resale partners; contact Fortinet Sales at [email protected] or call our worldwide offices for more information


o Fortinet Global Sales Offices

Americas
    US: +1-866-868-3678
    US Federal Government: +1-703-915-3817
    Canada: +1-866-868-3678 press 1, then press 5

Latin America
    Latin American HQ (FL): 1-954-368-9990
    Mexico: +52-(55) 5524-8428

APAC
    Australia: +61 2 8007 6000
    China: 8610-6296 0376
    Hong Kong: +852 3708 3500
    India: 080 41321689/ 99
    Indonesia: (62) 21 2358 4548
    Japan: +81-3-6434-8531
    Korea: +82-2-559-9500
    Malaysia: +603-2723 0300
    Philippines: +632-808-8798
    Singapore: +65-6395-2788
    Taiwan: +886-2-27961666
    Thailand: +66 2 658 658 12

EMEA
    Austria: +43 1 22787 120
    Belgium/Luxembourg: +32 (0)2 716 49 27
    Czech Republic: +420 773 788 788
    Finland: +358 40 744 9531
    France: +33-1-8003-1655
    Germany: +49 69 310 192 0
    Ireland: +353 1 6087703
    Israel: +972 77-6935670
    Italy (Rome): +39 06-51573-330
    Italy (Milano): +39 039 687211
    Poland: +48 22 449 00 29
    Russia: +7 499 9552499
    Saudi Arabia: +966 1 261 1402
    Spain: +34 915 024 874
    Sweden: +46 70 237 9090
    Switzerland: +41 44 833 68 48
    The Netherlands: +31 (0)33 454 67 50
    Turkey: +90 (216) 250 3259 / 60
    United Arab Emirates: +971 4 423 9601
    United Kingdom: +44 (0) 203 752 6880

o AWS Global Region Support


UTM Auto Scaling Product Description

Next Generation UTM Firewall:

o FortiGate: Comprehensive Firewall protection with enterprise-grade security technologies including, VPN (IPsec and SSL), intrusion prevention and detection (IPS/IDS), data loss prevention (DLP) and antivirus/anti-spyware/anti-spam technologies

Additional Fortinet-AWS Certified Security Products

Web Application Firewall (WAF):

o FortiWeb: Web Application Firewall – Identifies vulnerabilities instantly in web applications without false positives, many options for reverse proxy security for applications, SQL injection and zero-day middleware and database protection, X509 certificate authentication for Single-Sign On options

Security Management:

o FortiManager: Seamless hybrid deployment and security posture management with a single console for both premise and AWS based FortiGate deployments. Offers centralized configuration, policy-based provisioning, update management, VPN policy/configuration, end-to-end network monitoring and distribution for software and policy updates

Security Analytics:

o FortiAnalyzer: Aggregates log data from Fortinet devices and other syslog-compatible devices. Using a comprehensive suite of easily-customized reports, users can filter and review records, including traffic, event, virus, attack, Web content, and email data, mining the data to determine your security stance and assure regulatory compliance.

Security Email Gateway:

o FortiMail: Provides a single solution to protect against inbound attacks - including advanced malware, as well as outbound threats and data loss with a wide range of top-rated security capabilities including: antispam, antiphishing, anti-malware, sandboxing, data leakage prevention (DLP), identity based encryption (IBE), and message archiving. FortiMail's inbound filtering engines block spam and malware before they can clog your network or compromise your systems. Its outbound inspection technology reduces the loss of sensitive information, maintains compliance and prevents your organization and users from being blacklisted.