Enterprise-grade Infrastructure as Code (IaC) templates for automated FortiProxy Web Application Firewall deployment across AWS and Azure cloud platforms
Deploy Fortinet FortiProxy - the industry-leading Web Application Firewall (WAF) and SSL VPN solution - instantly across cloud environments using Terraform Infrastructure as Code. This repository provides production-ready, enterprise-tested deployment templates for both single-instance and high-availability configurations.
- Multi-Cloud Support: Deploy on Azure and AWS with identical configurations
- Version Flexibility: Support for FortiProxy 7.2, 7.4, and 7.6
- Deployment Options: Single-instance and HA active-passive clusters
- Production-Ready: Enterprise-tested templates with security best practices
- Infrastructure as Code: Version-controlled, repeatable deployments
- Zero-Downtime HA: Cross-zone high availability configurations
- Easy Customization: Modular design with comprehensive variable support
- Authentication Testing: Complete AD integration with Ubuntu client for Kerberos/LDAP testing
| Deployment Type | Description | Use Case | Availability Zones |
|---|---|---|---|
| Single Instance | Standalone FortiProxy deployment | Development, Testing, POC | Single Zone |
| HA Active-Passive | High-availability cluster | Production, Critical workloads | Cross-Zone |
| HA with Management | HA cluster with dedicated mgmt | Enterprise, Compliance | Cross-Zone |
| AD + Client Environment | Windows AD + Ubuntu client | Authentication Testing, LDAP/Kerberos | Cross-Zone |
- Regions: All Azure regions with availability zone support
- VM Sizes: Standard_F4, Standard_B4ms, and larger
- Networking: VNet with multiple subnets, NSGs, Load Balancers
- Storage: Managed disks with diagnostics
- Regions: All AWS regions with Multi-AZ support
- Instance Types: M5, C5, and T3 families
- Networking: VPC with public/private subnets, Security Groups
- Storage: EBS volumes with CloudWatch integration
- Terraform ≥ 1.0 installed
- Cloud CLI configured:
- FortiProxy BYOL License (for production deployments)
```
fortiproxy-terraform/
├── azure/
│   ├── 7.2/
│   │   ├── single/                      # Single instance deployment
│   │   └── ha-ap-port1-mgmt-crosszone/  # HA cluster deployment
│   ├── 7.4/
│   │   ├── single/                      # Single instance deployment
│   │   └── ha-ap-port1-mgmt-crosszone/  # HA cluster deployment
│   ├── 7.6/
│   │   ├── single/                      # Single instance deployment
│   │   └── ha-ap-port1-mgmt-crosszone/  # HA cluster deployment
│   └── win2019-ad/                      # Windows Server 2019 AD + Ubuntu client for authentication testing
├── aws/
│   └── 7.0/
│       └── ha-active-passive/           # AWS HA deployment
└── CLAUDE.md                            # AI-assisted development guide
```
```bash
# 1. Clone the repository
git clone https://github.com/fortinet/fortiproxy-terraform.git
cd fortiproxy-terraform/azure/7.6/single

# 2. Configure your deployment
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your Azure credentials and preferences

# 3. Deploy with Terraform
terraform init
terraform plan
terraform apply

# 4. Access your FortiProxy
# URL, username, and password will be displayed after deployment
```

```bash
# Navigate to HA deployment
cd fortiproxy-terraform/azure/7.6/ha-ap-port1-mgmt-crosszone

# Configure and deploy
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your configuration
terraform init
terraform plan
terraform apply
```

| Variable | Description | Example | Required |
|---|---|---|---|
| subscription_id | Azure Subscription ID | 12345678-1234-... | ✅ |
| client_id | Azure Service Principal ID | 87654321-4321-... | ✅ |
| location | Azure region | eastus2, westeurope | ✅ |
| fpxversion | FortiProxy version | 7.6.0, 7.4.4 | ✅ |
| license | License file path | ./license.lic | ✅ |
| size | VM size | Standard_F4s_v2 | |
```hcl
# terraform.tfvars example
# This file holds the service principal secret: keep it out of version control.
subscription_id = "your-subscription-id"
client_id       = "your-client-id"
client_secret   = "your-client-secret"
tenant_id       = "your-tenant-id"

# Deployment customization
location   = "eastus2"
size       = "Standard_F4s_v2"
fpxversion = "7.6.0"

# Network configuration
vnetcidr    = "172.16.0.0/16"
publiccidr  = "172.16.0.0/24"
privatecidr = "172.16.1.0/24"

# License files
license  = "./license-active.lic"
license2 = "./license-passive.lic"
```

Scenario: High-traffic web application protection
Recommended: Azure 7.6 HA Active-Passive
```bash
cd azure/7.6/ha-ap-port1-mgmt-crosszone
# Configure for Standard_F8s_v2 or larger
# Enable all security features
```

Scenario: Application development and testing
Recommended: Azure 7.6 Single Instance

```bash
cd azure/7.6/single
# Configure for Standard_B4ms (cost-effective)
# Simplified configuration
```

Scenario: Regulated industries, PCI-DSS compliance
Recommended: Azure 7.6 HA with Active Directory

```bash
cd azure/7.6/ha-ap-port1-mgmt-crosszone
cd ../../win2019-ad  # Deploy AD for authentication (the folder sits directly under azure/)
# Configure LDAP/RADIUS integration
```

Scenario: Testing FortiProxy LDAP/Kerberos authentication
Recommended: Azure AD + Ubuntu Client Environment

```bash
cd azure/win2019-ad
# Complete testing environment with:
# - Windows Server 2019 Active Directory
# - Ubuntu 20.04 client with Kerberos/LDAP tools
# - Pre-configured test users and scripts
# - Comprehensive authentication testing suite
```

- Default Deny: All NSGs/Security Groups use explicit allow rules
- Segmentation: Separate management and data plane networks
- Encryption: All traffic encrypted in transit and at rest
- Monitoring: Built-in logging and diagnostics
- Secrets Management: Use Azure Key Vault or AWS Secrets Manager
- Access Control: Implement RBAC with least privilege
- Monitoring: Enable Azure Monitor or CloudWatch integration
- Backup: Automated configuration backups
Error: SkuNotAvailable: Standard_F4 not available in westus2
Solution: Use a different VM size or region:

```hcl
size     = "Standard_B4ms"
location = "eastus2"
```

Error: no file exists at "license.txt"
Solution: Create a placeholder or provide a valid license:

```bash
echo "# Placeholder license" > license.txt
```

Error: NicReservedForAnotherVm
Solution: Wait 3 minutes and retry terraform destroy
- Documentation: Check individual README files in deployment folders
- Community: FortiProxy Documentation
- Issues: GitHub Issues
- Commercial Support: Contact Fortinet Support
```bash
# Validate Terraform configuration
terraform validate

# Check security compliance
tfsec .

# Test deployment (dry-run)
terraform plan -out=plan.tfplan
```

- Web GUI accessible via HTTPS
- SSH access to management interface
- HA synchronization (for cluster deployments)
- Log forwarding to SIEM systems
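
The "Default Deny" item and the `terraform plan -out=plan.tfplan` dry-run can be tied together by reviewing the planned NSG rules before applying. The following is an added example, not code from this repository: it lists inbound Allow rules with an unrestricted source in a plan's JSON form, using the azurerm provider's NSG attribute names; the resource names in the sample are constructed.

```python
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "Internet"}  # NSG sources meaning "anyone"

def _rules(rc):
    """Yield (label, rule) for standalone NSG rules and inline security_rule blocks."""
    after = (rc.get("change") or {}).get("after")
    if not after:  # resource is being destroyed: nothing will exist after apply
        return
    if rc.get("type") == "azurerm_network_security_rule":
        yield rc["address"], after
    elif rc.get("type") == "azurerm_network_security_group":
        for rule in after.get("security_rule") or []:
            yield f'{rc["address"]}:{rule.get("name")}', rule

def open_inbound_rules(plan):
    """Return (label, ports) for inbound Allow rules whose source is unrestricted."""
    findings = []
    for rc in plan.get("resource_changes", []):
        for label, rule in _rules(rc):
            if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
                continue
            sources = set(rule.get("source_address_prefixes") or [])
            sources.add(rule.get("source_address_prefix"))
            ports = list(rule.get("destination_port_ranges") or [])
            if rule.get("destination_port_range"):
                ports.append(rule["destination_port_range"])
            if sources & ANY_SOURCE:
                findings.append((label, sorted(ports)))
    return findings

def _rc(address, action, after):  # builds one constructed resource_changes entry
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": [action], "after": after}}

# Constructed sample shaped like `terraform show -json plan.tfplan`; names are made up.
SAMPLE_PLAN = {"resource_changes": [
    _rc("azurerm_network_security_rule.mgmt_ssh", "create", {"access": "Allow",
        "direction": "Inbound", "source_address_prefix": "*", "destination_port_range": "22"}),
    _rc("azurerm_network_security_rule.mgmt_gui", "create", {"access": "Allow", "direction": "Inbound",
        "source_address_prefix": "203.0.113.0/24", "destination_port_range": "443"}),
    _rc("azurerm_network_security_group.public", "update", {"security_rule": [
        {"name": "https-in", "access": "Allow", "direction": "Inbound",
         "source_address_prefix": "Internet", "destination_port_range": "443"},
        {"name": "all-out", "access": "Allow", "direction": "Outbound",
         "source_address_prefix": "*", "destination_port_range": "*"}]}),
    _rc("azurerm_network_security_rule.old", "delete", None),
]}

if __name__ == "__main__":
    for label, ports in open_inbound_rules(SAMPLE_PLAN):
        print(f"review: {label} allows inbound from any source on ports {ports}")
```

To check a real plan, export it with `terraform show -json plan.tfplan > plan.json` and pass the parsed JSON to `open_inbound_rules`. A public listener open to any source may be intended on the data-plane subnet; the same finding on the management interface is the one to restrict to known admin ranges.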
We welcome contributions! Here's how you can help:
- Report Bugs: Use GitHub Issues for bug reports
- Feature Requests: Suggest new deployment scenarios
- Documentation: Improve README files and examples
- Code: Submit pull requests for enhancements
```bash
# Fork and clone the repository
git clone https://github.com/yourusername/fortiproxy-terraform.git

# Create feature branch
git checkout -b feature/new-deployment-type

# Make changes and test
terraform validate
terraform plan

# Submit pull request
git push origin feature/new-deployment-type
```

- FortiProxy 7.8 support
- Google Cloud Platform deployments
- Kubernetes integration
- Ansible automation playbooks
- CI/CD pipeline templates
- v3.0 (Current): FortiProxy 7.6 support, single deployments
- v2.0: FortiProxy 7.4 support, enhanced HA
- v1.0: Initial release with FortiProxy 7.2
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.
- Community Support: GitHub Issues
- Documentation: Fortinet Documentation Library
- Commercial Support: FortiCare Support
Made with ❤️ by the Fortinet Community