Deploy Fortigate Firewall with Trial License to Azure Free Tier VM

There are lots of limitation for you to deploy Azure marketplace's Fortigate VM , such as VM size requirement, license requirement, also only for Pay As You Go subscription. For my lab, not for test drive, I might need to deploy a Fortigate firewall into 1vCPU, 1GB Ram B1S size VM, and I will need to use my azure credit or student subscription to play with it. 

That won't be able to happen if you are using Marketplace's product.

This post is going to show you how to download a proper Fortigate VM file and how to load it into Azure to create your own customized VM with minimum VM size and cost.

Topology

Azure Market

From: https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=fortinet&page=1

You will find different types of Fortinet FortiGate Next-Generation Firewall from Azure Marketplace.

The one on the left provides options to deploy the four architectures shown below. Each of the options provides choices to use BYOL or PAYG, create a connection to FortiManager, chose VM instance type, chose Availability Set or Zone where applicable, and more.

Additionally when the FortiGate(s) are deployed a baseline configuration is applied to support the selected architecture.

You can view the ARM templates that support these architectures here, https://github.com/fortinet/azure-templates/tree/main/FortiGate

This tile is the recommended way to deploy a FortiGate Solution.

- Single FortiGate
- Active/Passive HA FortiGate pair that uses the Azure API to manage failover using the FortiGate Azure SDN Connector
- Active/Passive HA FortiGate pair that uses Azure Load Balancers to direct traffic to the Active FortiGate
- Active/ Active FortiGate pair that uses Azure Load Balancers for traffic distribution

The one right is used for FortiGate PAYG Software reservations. IT IS NOT an Azure Managed Application. Can you deploy a single or multiple FortiGate VMs from it? Yes, should you? If you are well versed in FortiGate on Azure and you are looking to deploy PAYG, then go ahead.

FortiGate on Azure docs are here, https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/562841/instance-type-support

Download Fortigate VM

FortiGate-VM VHD image files are available from Fortinet Customer Service & Support.

• Go to Download > VM Image, then select FortiGate as the Product and Azure for the Platform.
• The file name for ARM64 CPUs is FGT_ARM64_AZURE-v7-build XXXX-FORTINET.out.hyperv.zip, where XXXX is the build number.
• The file name for the x86 CPUs is FGT_VM64_AZURE-v7-buildXXXX-FORTINET.out.hyperv.zip, where XXXX is the build number. Once the download is complete, unzip the file and locate the fortios.vhd file. To upload the fortios.vhd you need to have access to Azure CLI logged on to your Azure Subscription from the system that has the fortios.vhd downloaded.

After logged into FortiCloud, you can find out VM Images download link from Support menu.

From VM Images page, you can filter download link based on your corresponding product, platform and version :

Based on my testing, you can choose either Azure platform or Hyper-V platform to download. The difference will be, for Azure platform, it does not have trial license and you will be prompted to add your own license. 

For Hyper-V platform vm image (version 6.4.8, not 7.0.3), it already has a 15 days trial license in it. As long as you started vm, 15 days trial license will be activated.

Covert Dynamic Disk to Fixed Size Disk

Since the downloaded VM image only has dynamic disks inside it, we will need to convert it to fixed size disk. That can be done by Hyper-V manager.

You will get a 2GB VHD file which can be uploaded to Azure blob storage.

Upload 2GB VHD File to Blob Container

Create Image Based on 2GB VHD

Search Images service and create an image based on the VHD file uploaded to Blob.

Create VM using new image

Access Fortigate VM

Once VM deployed using the image, you will get a public ip to access your vm. 

If you are using Azure Fortigate VM, you will  have following wo ways to access it, either using browser to open url https://<public ip> or using SSH client to ssh to it.

If you want to view Fortigate DHCP address (from CLI)

The syntax required is;

config system interface
edit ?

The username and password is the one you put in during creating VM.

From browser, after you logged in, you will get a license invalid error and it will not allow you continue until you uploaded a valid license. 

I will suggest to use Hyper-VM VHD file (version 6.4.8) to create image , then create VM. In that case, you will have default username and passoword : admin/null

SSH into VM first, then you will need to open HTTP port to access URL.

For system interface port1, add http to be allowaccess. 

config system interface
edit port1
append allowaccess http
end

After that, you will be able to access http web gui from your browser. 

But you will automatically load with a trial license for 15 days. 

Adding Second NIC on VM

A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network. NICs connected to subnets (same or different) within a virtual network can communicate with each other without any extra configuration. By default all Azure subnet traffic will go to Azure default gateway for that subnet, which is .1 ip address. 

Create a new subnet for your LAN network, which will be used for your new NIC card.

To add a new network card for Fortigate VM, you will need to stop the VM. 

Create a new routing table for LAN network

Add a new route:

This new route will route all traffic in associated subnet(s) to Fortigate's LAN NIC IP.

Associate the LAN subnet with this new route.

Note: There aren't security boundaries by default between subnets. Virtual machines in each of these subnets can communicate. If your deployment requires security boundaries, use Network Security Groups (NSGs), which control the traffic flow to and from subnets and to and from VMs.

Some Online Discussion About Fortigate Azure VM

From: https://www.reddit.com/r/fortinet/comments/ndzgcd/fortigate_vm_azure_deployment_sizing/

• License (BYOL): you could go for the vm-v license but maybe the subscription based (vm-s) license is a better choice. This license can be upgraded from a VM01s to VM02s for example if needed. Let's say the VM01 is too slow, you can then order a VM02 at any point and they will deduct the rest value of the VM01. Once the license is upgraded, you can shutdown the VM and resize it like you would with a PAYG (marketplace license) machine.

• Software version: if you leave the template/wizard on latest, you will get 7.0 but 6.4.5 is also available but it depends on how up to date the template is, if 6.4.5 is in the selection list or not. You could modify the template and set it to 6.4.5 yourself.

• Accelerated networking: Everything is essentially an ARM template made by Fortinet, even the marketplace entries. These templates have accelerated networking enabled by default, if possible. If you make/modify your own template, you need to enable it yourself in the template. FYI, you can deploy both BYOL and PAYG from the marketplace, it's an option in the wizard. You can find these templates on their GitHub. https://github.com/fortinet/azure-templates/tree/main/FortiGate/

• VM01 and Accelerated networking: No, it doesn't support it but that's because it's an Azure limitation. Accelerated networking is an Azure feature. https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli#supported-vm-instances Here you can see that you a VM size with at least two CPU cores. Use this link to check which sizes support it and which don't. https://docs.microsoft.com/en-us/azure/virtual-machines/sizes This might be a reason to go for a VM02, because the price difference between VM01 - VM02 is very small but the performance difference is 2x-3x times due the accelerated networking.

Videos

Download and Deploy Fortigate Firewall into VMWare Workstation Lab

Step by Step Guide to Deploy Fortigate VM with Trial License in Azure

Deploy Fortigate Firewall VM Using Azure Marketplace and From A VHD File with VM Size (1vCPU,1G RAM)

Fortinet Fortigate Next-Generation Firewall VM Test Drive in Azure

References

• Azure Fortigate VM Test Drive
• Download and Launch Fortigate Virtual Machine in VMWare WorkStation
• Fortigate 60D High Availability Configuration Steps
• GitHub FortiGate Azure templates.
• FortiGate Azure datasheet.
• Tehnical Tip: Installing and configuring FortiGate Autoscale for Azure.
• Technical Tip: Resizing an Azure FortiGate VM instance
• Upload VHD
• Deployment Guide
• Datasheet - FortiGate Next Generation Firewall for Azure
• FortiOS Handbook
• ARM and Terraform template on GitHub
• Register your license