Deploy Fortigate Firewall with Trial/Evaluation License to Azure Free Tier VM - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Saturday, January 8, 2022

Deploy Fortigate Firewall with Trial/Evaluation License to Azure Free Tier VM

There are lots of limitation for you to deploy Azure marketplace's Fortigate VM , such as VM size requirement, license requirement, also only for Pay As You Go subscription. For my lab, not for test drive, I might need to deploy a Fortigate firewall into 1vCPU, 1GB Ram B1S size VM, and I will need to use my azure credit or student subscription to play with it. 

That won't be able to happen if you are using Marketplace's product.

This post is going to show you how to download a proper Fortigate VM file and how to load it into Azure to create your own customized VM with minimum VM size and cost.


Azure Market - Free Fortigate License for One Month


You will find different types of Fortinet FortiGate Next-Generation Firewall from Azure Marketplace.

The one on the left provides options to deploy the four architectures shown below. Each of the options provides choices to use BYOL or PAYG, create a connection to FortiManager, chose VM instance type, chose Availability Set or Zone where applicable, and more.

Additionally when the FortiGate(s) are deployed a baseline configuration is applied to support the selected architecture.

You can view the ARM templates that support these architectures here,

This tile is the recommended way to deploy a FortiGate Solution.

- Single FortiGate
- Active/Passive HA FortiGate pair that uses the Azure API to manage failover using the FortiGate Azure SDN Connector
- Active/Passive HA FortiGate pair that uses Azure Load Balancers to direct traffic to the Active FortiGate
- Active/ Active FortiGate pair that uses Azure Load Balancers for traffic distribution

The one right with (VM) is used for FortiGate PAYG Software reservations. IT IS NOT an Azure Managed Application. Can you deploy a single or multiple FortiGate VMs from it? Yes, should you? If you are well versed in FortiGate on Azure and you are looking to deploy PAYG, then go ahead.

FortiGate on Azure docs are here,

It does not have Reservation discount on PAGY VM. 

Create a virtual machine using Fortinet FortiGate Next-Generation Firewall (VM), just like the process to create a normal vm in azure.

Create a virtual machine using Fortinet FortiGate Next-Generation Firewall 

The wizard is to deploy an application with a template which has pre-configured settings. 

Download Fortigate VM

FortiGate-VM VHD image files are available from Fortinet Customer Service & Support.

  • Go to Download > VM Image, then select FortiGate as the Product and Azure for the Platform.
  • The file name for ARM64 CPUs is FGT_ARM64_AZURE-v7-build, where XXXX is the build number.
  • The file name for the x86 CPUs is, where XXXX is the build number. Once the download is complete, unzip the file and locate the fortios.vhd file. To upload the fortios.vhd you need to have access to Azure CLI logged on to your Azure Subscription from the system that has the fortios.vhd downloaded.

After logged into FortiCloud, you can find out VM Images download link from Support menu.

From VM Images page, you can filter download link based on your corresponding product, platform and version :

Based on my testing, you can choose either Azure platform or Hyper-V platform to download. The difference will be, for Azure platform, it does not have trial license and you will be prompted to add your own license. 

For Hyper-V platform vm image (version 6.4.8, not 7.0.3), it already has a 15 days trial license in it. As long as you started vm, 15 days trial license will be activated.

By default, the FortiGate-VM virtual appliance includes a limited 15-day evaluation license that supports:

  • 1 CPU maximum
  • 1024 MB memory maximum
  • Low encryption only (no HTTPS administrative access)
  • All features except FortiGuard updates

Covert Dynamic Disk to Fixed Size Disk

Since the downloaded VM image only has dynamic disks inside it, we will need to convert it to fixed size disk. That can be done by Hyper-V manager.

Select the file name : fortios.vhd, which is about 110MB file size. 

VHD format only supports disk to 2GB in size. 

You will get a 2GB VHD file which can be uploaded to Azure blob storage.

Upload 2GB VHD File to Blob Container

Create Image Based on 2GB VHD

Search Images service and create an image based on the VHD file uploaded to Blob.

Create VM using new image

Access Fortigate VM

Once VM deployed using the image, you will get a public ip to access your vm. 

If you are using Azure Fortigate VM, you will  have following wo ways to access it, either using browser to open url https://<public ip> or using SSH client to ssh to it.

If you want to view Fortigate DHCP address (from CLI)

The syntax required is;

config system interface
edit ?

The username and password is the one you put in during creating VM.

From browser, after you logged in, you will get a license invalid error and it will not allow you continue until you uploaded a valid license. 

I will suggest to use Hyper-VM VHD file (version 6.4.8) to create image , then create VM. In that case, you will have default username and passoword : admin/null

SSH into VM first, then you will need to open HTTP port to access URL.

For system interface port1, add http to be allowaccess. 

config system interface
edit port1
append allowaccess http

After that, you will be able to access http web gui from your browser. 

But you will automatically load with a trial license for 15 days.

Obtain the permanent VM trial license from FortiCare:

execute vm-license-options account-id [email protected]
execute vm-license-options account-password xxxxxxx
execute vm-license
This VM is using the evaluation license. This license does not expire.
Limitations of the Evaluation VM license include:
  1.Support for low encryption operation only
  2.Maximum of 1 CPU and 2GiB of memory
  3.Maximum of three interfaces, firewall policies, and routes each
  4.No FortiCare Support
This operation will reboot the system !
Do you want to continue? (y/n)y

You can check the Eval License from your FortiCloud Asset management portal to find out if it has been used. You can decommission it if it has been allocated to previous vm. After decommissioned the eval license vm, you will be able to add new vm to use this permanent eval license. 

You also can use Web Gui to add permanent evaluation license.

Adding Second NIC on VM

A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network. NICs connected to subnets (same or different) within a virtual network can communicate with each other without any extra configuration. By default all Azure subnet traffic will go to Azure default gateway for that subnet, which is .1 ip address. 

Create a new subnet for your LAN network, which will be used for your new NIC card.

To add a new network card for Fortigate VM, you will need to stop the VM. 

Create a new routing table for LAN network

Add a new route:

This new route will route all traffic in associated subnet(s) to Fortigate's LAN NIC IP.

Associate the LAN subnet with this new route.

Note: There aren't security boundaries by default between subnets. Virtual machines in each of these subnets can communicate. If your deployment requires security boundaries, use Network Security Groups (NSGs), which control the traffic flow to and from subnets and to and from VMs.

Enable IP Forwarding on Firewall interface

With all above configuration, you have to enable NAT on the firewall rule to allow traffic to pass through Firewall and access lan as show below. That is because ip forwarding was not enabled on the LAN interface.

To fix this NAT issue, you will need to Enable IP Forwarding on LAN interface of FGT:

Some Online Discussion About Fortigate Azure VM


  • License (BYOL): you could go for the vm-v license but maybe the subscription based (vm-s) license is a better choice. This license can be upgraded from a VM01s to VM02s for example if needed. Let's say the VM01 is too slow, you can then order a VM02 at any point and they will deduct the rest value of the VM01. Once the license is upgraded, you can shutdown the VM and resize it like you would with a PAYG (marketplace license) machine.

  • Software version: if you leave the template/wizard on latest, you will get 7.0 but 6.4.5 is also available but it depends on how up to date the template is, if 6.4.5 is in the selection list or not. You could modify the template and set it to 6.4.5 yourself.

  • Accelerated networking: Everything is essentially an ARM template made by Fortinet, even the marketplace entries. These templates have accelerated networking enabled by default, if possible. If you make/modify your own template, you need to enable it yourself in the template. FYI, you can deploy both BYOL and PAYG from the marketplace, it's an option in the wizard. You can find these templates on their GitHub.

  • VM01 and Accelerated networking: No, it doesn't support it but that's because it's an Azure limitation. Accelerated networking is an Azure feature. Here you can see that you a VM size with at least two CPU cores. Use this link to check which sizes support it and which don't. This might be a reason to go for a VM02, because the price difference between VM01 - VM02 is very small but the performance difference is 2x-3x times due the accelerated networking.


Download and Deploy Fortigate Firewall into VMWare Workstation Lab

Step by Step Guide to Deploy Fortigate VM with Trial License in Azure

Deploy Fortigate Firewall VM Using Azure Marketplace and From A VHD File with VM Size (1vCPU,1G RAM)

Fortinet Fortigate Next-Generation Firewall VM Test Drive in Azure


No comments:

Post a Comment