fortinet/aws-cloudformation-templates

Egress rule needed on FortigateSecGrp?

pmcevoy opened this issue · 2 comments

For the Dual AZ solution, surely the security group FortigateSecGrp needs an "any" egress rule? Without this the PAYG instances have the following System Log:

System is starting...

Serial number is FGVM00UNLICENSED

FortiGate-VM64-AWSONDEMAND login: AWS instance id: i-XXXXXXXXXXXXXXXXX

curl forticare failed, 7
curl forticare failed, 7
curl forticare failed, 7

cloudinit failed to request forticare license 7

The system is going down NOW !!

The system is halted.
Power down.

The FortiGateSecGrp utilizes the default rule to allow all protocols to 0.0.0.0/0. Reference the 'Remove Default Rule' section of the AWS documentation referenced below.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

For the issue you are seeing, this is actually due to a new FortiCare license download and validation process that was added in FortiOS 6.2.2 for PAYG instances.

This is a known issue (Mantis #590555) that is being addressed in FortiOS code, however in the meantime we will be setting the CF templates to use 6.2.1 GA code until a newer GA patch of code with the relevant fix will be available. The push for the new templates should be completed by the end of the week.

In the meantime, for your existing deployments, you can simply assign an EIP to the primary IP of eni0 on the slave/FGT2 for it to complete the FortiCare license download and validation process. Once this process is completed, you can disassociate and release that EIP from the slave/FGT2 eni0 and begin failover testing after the cluster is in sync status.
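The point in the reply above is easy to miss when reading a template: an `AWS::EC2::SecurityGroup` with no `SecurityGroupEgress` key keeps the default allow-all outbound rule, while adding any explicit egress entry removes that default, so a "hardened" group can silently cut off the outbound HTTPS that the PAYG FortiCare license fetch needs. The following lint is an added example (not code from this repository or from Fortinet) that classifies each security group in a CloudFormation template by egress posture and flags groups whose explicit egress would not allow outbound TCP/443 to the Internet. The template it runs over is a constructed JSON-style sample; the resource names other than `FortigateSecGrp` are hypothetical, and treating an empty `SecurityGroupEgress` list as "restricted" is a conservative assumption of this lint, not documented AWS behaviour.

```python
"""Classify egress posture of AWS::EC2::SecurityGroup resources in a CloudFormation template.

Run stand-alone to print a report for the constructed sample template below.
"""
import json

# Destinations that reach the whole Internet (IPv4 and IPv6).
ALLOW_ALL_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample template (JSON form of a CloudFormation template).
# Only "FortigateSecGrp" is named after the group in this issue; the other
# resources are hypothetical and exist to exercise each posture.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "FortigateSecGrp": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "No SecurityGroupEgress key: default allow-all egress stays",
        "VpcId": "vpc-00000000",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"}
        ]
      }
    },
    "ExplicitAnySecGrp": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Explicit any/any egress (same effect as the default rule)",
        "VpcId": "vpc-00000000",
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]
      }
    },
    "HttpsOnlySecGrp": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Explicit egress: only outbound HTTPS to the Internet",
        "VpcId": "vpc-00000000",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "InternalOnlySecGrp": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Explicit egress: internal SSH only, no path to the Internet",
        "VpcId": "vpc-00000000",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/16"}
        ]
      }
    }
  }
}
""")


def security_groups(template):
    """Return {logical_name: Properties} for every AWS::EC2::SecurityGroup resource."""
    return {
        name: res.get("Properties", {})
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::EC2::SecurityGroup"
    }


def rule_destination(rule):
    return rule.get("CidrIp") or rule.get("CidrIpv6")


def rule_is_allow_all(rule):
    """True for an any-protocol rule whose destination is the whole Internet."""
    return str(rule.get("IpProtocol")) == "-1" and rule_destination(rule) in ALLOW_ALL_CIDRS


def rule_permits_tcp_to_internet(rule, port):
    """True if this egress rule lets TCP traffic to `port` leave towards 0.0.0.0/0 or ::/0."""
    proto = str(rule.get("IpProtocol"))
    if proto not in ("-1", "tcp", "6"):
        return False
    if rule_destination(rule) not in ALLOW_ALL_CIDRS:
        return False
    if proto == "-1":  # all protocols, all ports
        return True
    return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))


def egress_posture(template):
    """Map each security group to 'implicit-allow-all', 'explicit-allow-all' or 'restricted'."""
    result = {}
    for name, props in security_groups(template).items():
        egress = props.get("SecurityGroupEgress")
        if egress is None:
            # Key absent: CloudFormation leaves the default allow-all egress rule in place.
            result[name] = "implicit-allow-all"
        elif any(rule_is_allow_all(r) for r in egress):
            result[name] = "explicit-allow-all"
        else:
            # Any explicit entry (or, by this lint's assumption, an empty list) drops the default.
            result[name] = "restricted"
    return result


def groups_blocking_outbound(template, port=443):
    """Names of groups whose explicit egress does not allow outbound TCP/`port` to the Internet."""
    blocked = []
    for name, props in security_groups(template).items():
        egress = props.get("SecurityGroupEgress")
        if egress is None:
            continue  # default rule applies, nothing is blocked
        if not any(rule_permits_tcp_to_internet(r, port) for r in egress):
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for group, posture in egress_posture(SAMPLE_TEMPLATE).items():
        print(f"{group}: {posture}")
    print("would block the outbound TCP/443 license fetch:", groups_blocking_outbound(SAMPLE_TEMPLATE))
```

Running the lint against a real template before deployment shows at a glance whether a group relies on the implicit default (as `FortigateSecGrp` does here) or has explicit egress that still leaves outbound HTTPS open; a group listed by `groups_blocking_outbound` is one where the license download in the issue's system log would fail before the cluster ever forms.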

Thanks. I actually figured out that solution in the end using 6.2.2

BTW, I'm using Terraform to set up, which is a lot easier to follow than CloudFormation. If you like, I can submit