There are lots of limitation for you to deploy Azure marketplace's Fortigate VM , such as VM size requirement, license requirement, also only for Pay As You Go subscription. For my lab, not for test drive, I might need to deploy a Fortigate firewall into 1vCPU, 1GB Ram B1S size VM, and I will need to use my azure credit or student subscription to play with it.Â
That won't be able to happen if you are using Marketplace's product.Topology
Azure Market - Free Fortigate License for One Month
From:Â https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=fortinet&page=1
You will find different types of Fortinet FortiGate Next-Generation Firewall from Azure Marketplace.
The one on the left provides options to deploy the four architectures shown below. Each of the options provides choices to use BYOL or PAYG, create a connection to FortiManager, chose VM instance type, chose Availability Set or Zone where applicable, and more.
Additionally when the FortiGate(s) are deployed a baseline configuration is applied to support the selected architecture.
You can view the ARM templates that support these architectures here, https://github.com/fortinet/azure-templates/tree/main/FortiGate
This tile is the recommended way to deploy a FortiGate Solution.
- Single FortiGate
- Active/Passive HA FortiGate pair that uses the Azure API to manage failover using the FortiGate Azure SDN Connector
- Active/Passive HA FortiGate pair that uses Azure Load Balancers to direct traffic to the Active FortiGate
- Active/ Active FortiGate pair that uses Azure Load Balancers for traffic distribution
The one right with (VM) is used for FortiGate PAYG Software reservations. IT IS NOT an Azure Managed Application. Can you deploy a single or multiple FortiGate VMs from it? Yes, should you? If you are well versed in FortiGate on Azure and you are looking to deploy PAYG, then go ahead.
FortiGate on Azure docs are here, https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/562841/instance-type-support
It does not have Reservation discount on PAGY VM.Â
Create a virtual machine using Fortinet FortiGate Next-Generation Firewall (VM), just like the process to create a normal vm in azure.
Create a virtual machine using Fortinet FortiGate Next-Generation FirewallÂ
The wizard is to deploy an application with a template which has pre-configured settings.Â
Download Fortigate VM
FortiGate-VM VHD image files are available from Fortinet Customer Service & Support.
- Go to Download > VM Image, then select FortiGate as the Product and Azure for the Platform.
- The file name for ARM64 CPUs is FGT_ARM64_AZURE-v7-build XXXX-FORTINET.out.hyperv.zip, where XXXX is the build number.
- The file name for the x86 CPUs is FGT_VM64_AZURE-v7-buildXXXX-FORTINET.out.hyperv.zip, where XXXX is the build number. Once the download is complete, unzip the file and locate the fortios.vhd file. To upload the fortios.vhd you need to have access to Azure CLI logged on to your Azure Subscription from the system that has the fortios.vhd downloaded.
By default, the FortiGate-VM virtual appliance includes a limited 15-day evaluation license that supports:
- 1 CPU maximum
- 1024 MB memory maximum
- Low encryption only (no HTTPS administrative access)
- All features except FortiGuard updates
Covert Dynamic Disk to Fixed Size Disk
Since the downloaded VM image only has dynamic disks inside it, we will need to convert it to fixed size disk. That can be done by Hyper-V manager.
Upload 2GB VHD File to Blob Container
Create Image Based on 2GB VHD
Search Images service and create an image based on the VHD file uploaded to Blob.
Create VM using new image
Access Fortigate VM
Once VM deployed using the image, you will get a public ip to access your vm.Â
If you are using Azure Fortigate VM, you will have following wo ways to access it, either using browser to open url https://<public ip> or using SSH client to ssh to it.
If you want to view Fortigate DHCP address (from CLI)
The syntax required is;
config system interface edit ?
The username and password is the one you put in during creating VM.
From browser, after you logged in, you will get a license invalid error and it will not allow you continue until you uploaded a valid license.Â
I will suggest to use Hyper-VM VHD file (version 6.4.8) to create image , then create VM. In that case, you will have default username and passoword : admin/null
SSH into VM first, then you will need to open HTTP port to access URL.
For system interface port1, add http to be allowaccess.Â
config system interface
edit port1
append allowaccess http
end
After that, you will be able to access http web gui from your browser.Â
But you will automatically load with a trial license for 15 days.Â
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/441460
Obtain the permanent VM trial license from FortiCare:
execute vm-license-options account-id [email protected]
execute vm-license-options account-password xxxxxxx
execute vm-license This VM is using the evaluation license. This license does not expire. Limitations of the Evaluation VM license include: 1.Support for low encryption operation only 2.Maximum of 1 CPU and 2GiB of memory 3.Maximum of three interfaces, firewall policies, and routes each 4.No FortiCare Support This operation will reboot the system ! Do you want to continue? (y/n)y
You can check the Eval License from your FortiCloud Asset management portal to find out if it has been used. You can decommission it if it has been allocated to previous vm. After decommissioned the eval license vm, you will be able to add new vm to use this permanent eval license.Â
You also can use Web Gui to add permanent evaluation license.
Adding Second NIC on VM
A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network. NICs connected to subnets (same or different) within a virtual network can communicate with each other without any extra configuration. By default all Azure subnet traffic will go to Azure default gateway for that subnet, which is .1 ip address.Â
Create a new subnet for your LAN network, which will be used for your new NIC card.
To add a new network card for Fortigate VM, you will need to stop the VM.Â
Create a new routing table for LAN network
Add a new route:
This new route will route all traffic in associated subnet(s) to Fortigate's LAN NIC IP.
Associate the LAN subnet with this new route.
Enable IP Forwarding on Firewall interface
With all above configuration, you have to enable NAT on the firewall rule to allow traffic to pass through Firewall and access lan as show below. That is because ip forwarding was not enabled on the LAN interface.
To fix this NAT issue, you will need to Enable IP Forwarding on LAN interface of FGT:
Some Online Discussion About Fortigate Azure VM
License (BYOL): you could go for the vm-v license but maybe the subscription based (vm-s) license is a better choice. This license can be upgraded from a VM01s to VM02s for example if needed. Let's say the VM01 is too slow, you can then order a VM02 at any point and they will deduct the rest value of the VM01. Once the license is upgraded, you can shutdown the VM and resize it like you would with a PAYG (marketplace license) machine.
Software version: if you leave the template/wizard on latest, you will get 7.0 but 6.4.5 is also available but it depends on how up to date the template is, if 6.4.5 is in the selection list or not. You could modify the template and set it to 6.4.5 yourself.
Accelerated networking: Everything is essentially an ARM template made by Fortinet, even the marketplace entries. These templates have accelerated networking enabled by default, if possible. If you make/modify your own template, you need to enable it yourself in the template. FYI, you can deploy both BYOL and PAYG from the marketplace, it's an option in the wizard. You can find these templates on their GitHub. https://github.com/fortinet/azure-templates/tree/main/FortiGate/
VM01 and Accelerated networking: No, it doesn't support it but that's because it's an Azure limitation. Accelerated networking is an Azure feature. https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli#supported-vm-instances Here you can see that you a VM size with at least two CPU cores. Use this link to check which sizes support it and which don't. https://docs.microsoft.com/en-us/azure/virtual-machines/sizes This might be a reason to go for a VM02, because the price difference between VM01 - VM02 is very small but the performance difference is 2x-3x times due the accelerated networking.
Videos
References
- Azure Fortigate VM Test Drive
- Download and Launch Fortigate Virtual Machine in VMWare WorkStation
- Fortigate 60D High Availability Configuration Steps
- GitHub FortiGate Azure templates.
- FortiGate Azure datasheet.
- Tehnical Tip: Installing and configuring FortiGate Autoscale for Azure.
- Technical Tip: Resizing an Azure FortiGate VM instance
- Upload VHD
- Deployment Guide
- Datasheet - FortiGate Next Generation Firewall for Azure
- FortiOS Handbook
- ARM and Terraform template on GitHub
- Register your license
![[5 Mins Docker] Deploy FreshRSS Using Docker Run Command and Deploy To Fly.io](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uI2ygv-KHwjSMN3sG3Nw2ThCRaSlzJtBtwF7Ie2X1Uq1irIzLZLIc0YBqXRMH_xf4Ob9C4tlp6n5Ric4h8-pZGAXbWxrmN10ewVmw1TqrR9Q)
No comments:
Post a Comment