Version: 1.0.0 Last Updated on 2018-09-28
There are two configurable environment variables in this deployment template.
| Variable Name | Type | Description |
|---|---|---|
| ApiGatewayResource | Text | API Gateway resource name. It's an additional section added to the API Gateway url. See the {resource} part of the example. Example: https://{api}.execute-api.{region}.amazonaws.com/{stage}/{resource}/. Default to log |
| ApiGatewayStage | Text | API Gateway stage name. It's an additional section added to the API Gateway url. See the {stage} part of the example. Example: https://{api}.execute-api.{region}.amazonaws.com/{stage}/{resource}/. Default to dev |
Either of the following two methods can be used to prepare the deployment package:
- Download the latest version of the complete deployment package file: aws-lambda-logstorage.zip from the project release page
- Build it yourself by cloning this project from GitHub and building the deployment package with a simple bash command.
To build the deployment package yourself, clone this project into the fortigate-autoscale folder in your current local directory, enter the project directory, and execute the following bash commands:
git clone https://github.com/fortinet/aws-lambda-logstorage.git aws-lambda-logstorage
cd aws-lambda-logstorage
npm run buildYou can find the deployment package (aws-lambda-logstorage.zip) from the dist directory.
The file structure is:
You need to create an S3 bucket in an AWS Region where you want to deploy this project to. This S3 bucket is created for deployment use and can be deleted once the deployment is completed.
In order to setup the deployment environment, you need to install the AWS CLI, set your AWS working region, and set the BUCKET and STACK environment variables for the current Bash CLI session.
Please see install the AWS Command Line Interface and Configuring the AWS CLI - Quick Configuration for instructions.
Set the AWS working region and the FortiGate Autoscale will be deployed to this region. For information about AWS Regions, please see AWS Regions and Endpoints. The bash shell command to use is (Note: square brackets must be omitted.):
aws configure set region [REPLACE_WITH_YOUR_PREFERRED_REGION]Set the deployment stack name and the S3 bucket name by running these commands (Note: square brackets must be omitted.):
export STACK=[REPLACE_WITH_YOUR_PREFERRED_STACK_NAME]
export BUCKET=[REPLACE_WITH_YOUR_PREFERRED_BUCKET_NAME]If you want to define your ApiGatewayResource and ApiGatewayStage parameters for the deployment, create a file named logstorage_params.txt and place it along with the deploy_logstorage.sh file. Without the logstorage_params.txt, deployment will start with the parameters having their default value. A sample file sample.logstorage_params.txt is provided in the templates directory for your reference.
Note:
-
No spaces should be next to “=” on either sides. If spaces exists in any ParameterValue, the entire ParameterValue should be wrapped within double-quotation marks. For example: ParameterKey=”This is just an example”
-
Template parameter overriding only happens when the logstorage_params.txt file is found on the same directory as deploy_logstorage.sh. If dollar sign (
$) appears on any parameters, it must be escaped as $ . This is critical to the deployment process.
Start the deployment by executing this command:
./deploy_logstorage.shTo verify the deployment result and see the details, you can find the stack from AWS CloudFormation console by the stack name you specified. Click into it to check the details.
Expand the Stack Resource section and find the resource of type AWS::ApiGateway::RestApi. Click the link on its Physical ID section to navigate to the APIGateway and move on to the next step.
Find the invoke URL:
Find the API Key, click on show to see it.
- Choose DynamoDB from AWS services.
- Create table.
- Choose a recognizable table name. In this case, it could be
FosLog. Take a note of this table name, we will use it later in Lambda function code. - Note that primary partition key and primary sort key need to match the code in Lambda function. In order to get the Primary sort key, need to check the Add sort key checkbox. In this case, we will use:
- Primary partition key:
logId(must use a data type of: String) - Primary sort key:
timestamp(must use a data type of: Number)
- Primary partition key:
- Check use default settings if the default quota works for you.
- Choose a recognizable table name. In this case, it could be
- Choose Lambda from AWS services.
- Create function.
- Choose Author from scratch
- Name your Lambda function reasonably, like
fLogStorage. Take a note of this function name, we will use it later in API Gateway configuration. - Use Node.js 6.10 as runtime.
- Select create new role from template(s). You can select Choose an existing role or Create a custom role if that works for you. For Create a custom role:
- Name the role according to its functionality, like
fLogStorageRole. - Select
Simple Microservice permissionsin Policy templates.
- Name the role according to its functionality, like
- Click on Create Function button to create an empty function.
- A default index.js file was created. Replace its content with the content of index.js in this repository.
- In Environment variables, input a key-value pair: TABLE_NAME as key and
FosLogas value (or your own table name). - Click on the Save button on the top right to complete.
- Choose API Gateway from AWS services.
- Create API.
- Select New API. Input an API name like
FortiOS Log Storageand save. For Endpoint type choice, please refer to this post. - From the actions dropdown menu, choose 'create resource', like
log. - select the created resource, then from the actions dropdown menu, choose 'create method' to create a POST method on the newly created resource. Select Lambda Function as the Integration type. Then type in the name of the Lambda function and select it from the autocomplete dropdown menu. Save it afterward.
- In Method Request, set API Key Required to
true. - From the actions dropdown menu, choose 'Deploy API'.
- from the Deploy API popup window, on Deployment stage, choose [new stage], name the stage like: prod (for a production stage), dev (for a development stage), or test (for a testing stage). Click on 'Deploy' button. (see the screenshot below)
- from the Deploy API popup window, on Deployment stage, choose [new stage], name the stage like: prod (for a production stage), dev (for a development stage), or test (for a testing stage). Click on 'Deploy' button. (see the screenshot below)
- From the APIs > Stages section, you can find the stage you just deployed. Expand it and click on the POST method under the resource
log(or whatever resource name you gave it.). See the screenshot below.
- Take a note of the invoke URL. It should look like: <aws-api-id>.execute-api.<aws-region>.amazonaws.com/<aws-api-stage>/<aws-api-resource>
- Select New API. Input an API name like
- Create a new API Key from APIs > API Keys.
- Choose Auto Generate.
- Take a note of the API Key.
- Create a new Usage Plan from APIs > Usage plan. Then click next. The settings for Throttling and Quota are recommended as below:
- Throttling:
- Rate: 100 request per second
- Burst: 200 requests
- Quota: 10000 requests Monthly
- Associate the created API Stage. Choose the created api and corresponding stage. Click next.
- Add the created API Key to the Usage Plan. Click done.
- See the screenshots below
- Throttling:
- In Security Fabric -> Settings, enable FortiGate Telemetry.
- In Security Fabric -> Automation, click Create New.
- Choose a trigger.
- Select AWS Lambda for Action.
- Select URL for API Gateway and input the invoke URL.
- Input the API Key.
- Click OK to save the configuration.
Note Fortinet-provided scripts (in this GitHub project and others) are not supported within regular Fortinet technical support scope. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to the Lambda scripts, contact github@fortinet.com.
License © Fortinet Technologies. All rights reserved.