Deploy Fortigate Firewall VM into Azure Step By Step - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Monday, May 6, 2024

Deploy Fortigate Firewall VM into Azure Step By Step

Fortinet FortiGate firewall technology delivers complete content and network protection by combining stateful inspection with a comprehensive suite of powerful security features. Application control, antivirus, IPS, Web filtering and VPN along with advanced features such as an extreme threat database, vulnerability management and flow-based inspection work in concert to identify and mitigate the latest complex security threats. The security-hardened FortiOS operating system is purpose-built for inspection and identification of malware.



FortiGate delivers:

  • End-to-end security across the full attack cycle
  • Top-rated security validated by third-party testing
  • Tight integration and multitenancy with Azure
  • Centralized management across physical, virtual, and cloud deployments
  • Automation templates for rapid deployment

FortiGate virtual appliances offer protection from a broad array of threats, with support for all of the security and networking services offered by the FortiOS operating system.

IPS technology protects against current and emerging network-level threats. In addition to signature-based threat detection, IPS performs anomaly-based detection which alerts users to any traffic that matches attack behavior profiles.



BYOL License:

On-demand licensing is a highly flexible option for both initial deployments and growing them 
as needed. With a wide selection of supported instance types, there is a solution for every use 
case. This license offers FortiOS with a UTP bundle.

Fortinet FortiGuard Unified Threat Protection (UTP) bundle license
  • FortiCare Premium Support
  • FortiGuard App Control Service
  • FortiGuard IPS Service
  • FortiGuard Advanced Malware Protection
  • FortiGuard Web Filtering Service
  • FortiGuard Antispam Service


VM Cost in Azure:
  • DS1_v2 - 1vCPU, 3.5GiB RAM, 2 vNIC - $41.61/Month
  • DS2_v2 - 2vCPU, 7GiB RAM, 2 vNIC - $83.22/Month
  • DS3_v2 - 4vCPU, 14GiB RAM, 4 vNIC - $167.17/Month

FortiGate Subscription Cost

  • 1 vCPU - $0.36/hr - $260 / Month
  • 2 vCPU - $0.88/hr - $634 / Month
  • 4 vCPU - $1.02/hr - $735 / Month


Not this one Fortinet FortiGate Next-Generation Firewall(VM)

It is this one:Fortinet FortiGate Next-Generation Firewall


Create Single VM

Change VM size to save some cost if it is for Dev / Test environment.
Standard B1S is not allowed for this type of VM because of network card limitation. 
The cheapest one is DS1_v2 with 1vCPU and 3.5 GB RAM.

Configuring networks

Create your new Public IP for your FortiGate Firewall, which will be 1:1 NAT to your External Interface IP on FortiGate

Connect to FortiManager:

Following 6 resources will be created into your Resource Group:

Deployment details
Note: NSG has allowed any ip and any service port in and out. 

Login to Web GUI 

Interfaces: https://<VM's Public IP>

Firewall Policy:

SSL-VPN Settings:

Note: Further SSL VPN configuration can be found in this post: 

Change admin password

From the GUI, you can change the admin account from super admin to prof admin, change the password without knowing the original, then change it back to super admin.

Register Product to FortiCloud

Even with a PAYG license, you will need to register your product into FortiCloud and you will be able to get free license and support / product portal for it. Here are all steps you will need to do:

1. From FortiGate Portal to create an account

2. Directly create a FortiCare / FortiCloud account
Here is how to register your VM product to FortiCloud:

To register your new deployed FortiGate VM product, you will need Serial Number and VM ID.
Serial number can be get from following command or Web Gui dashboard:
# diagnose debug cloudinit show
# diagnose debug vm-print-license 
# execute vm-license 
PAYG license exists.
  1. Obtain the VM ID:
    • In FortiOS, run diagnose test application azd 6 and search for the VM Instance ID.
    • In Azure, run az vm show -g Resource-Group-Name -n PAYG-VM-Name --query vmId -o tsv.
    • It may take up to an hour for the registration status to synchronize and update in the FortiOS GUI.

You also can get your VM ID / Instance ID from System Firmware & Registration page:

  1. Go Dashboard > Status and in the Licenses widget verify the FortiCare Support status.

  2. Once the registration is complete, you can log in to a FortiGate Cloud account and download the two free tokens that come standard with FortiGates (see FortiTokens).
After you activated your FortiGate Cloud from Dashboard, you will see Activated in status. 

then you can see details in FortiGuard license information page. Currently we are using a free license:

From FortiCloud:

Get system status 

NETSEC-FGT # get sys status
Version: FortiGate-VM64-AZURE v7.4.3,build2573,240201 (GA.F)
First GA patch build date: 230509
Security Level: 1
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 24.00040(2024-04-22 17:59)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.00524(2023-11-27 18:30)
Serial-Number: FGTAZabcdefghi
License Status: Valid
VM Resources: 1 CPU, 3443 MB RAM
Log hard disk: Available
Hostname: KS-FGT
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2573
Release Version Information: GA
FortiOS x86-64: Yes
System time: Thu May  2 21:16:54 2024
Last reboot reason: warm reboot

Monitoring and Alarming

We can configure an automated stitch to send an e-mail every time a threshold is reached on a FortiGate.

For CPU it could be:

1. First configure a threshold for CPU use:

config system global

    set cpu-use-threshold <percent> <- 80% in this case.


2. On the FortiGate

Security Fabric -> Automation -> Stitch -> Create New -> Add Trigger -> High CPU.

Add Action -> Email Notification.

For memory usage:

1. Security Fabric -> Automation -> Stitch -> Create New -> Add Trigger -> Conserve Mode.

 Add Action -> Email Notification.

For the moment Automation Stitch does not count for event log for session count.


No comments:

Post a Comment