Deploying a FortiGate Firewall VM: A Step-by-Step Guide

This guide provides a clear and comprehensive walkthrough for deploying a FortiGate firewall as a virtual machine (VM). Deploying a FortiGate VM allows you to use Fortinet’s powerful security features within your virtualized data center or cloud environment, offering flexibility and scalability.

We will cover the general steps applicable to various virtualization platforms and cloud providers. While specific steps might vary slightly depending on your chosen environment, this guide aims to provide a solid foundation. Always refer to the official Fortinet documentation for the most up-to-date and platform-specific instructions.

Prerequisites

Before you start the deployment, make sure you have the following:

  • FortiGate VM License:
    • You need the correct license file (.lic) or activation code for your FortiGate VM. This license determines the features, performance (like how much traffic it can handle), and support you get.
    • Licenses are typically BYOL (Bring Your Own License), meaning you buy the license separately, or PAYG (Pay-As-You-Go), which is often found in cloud marketplaces where the software cost is part of the hourly/monthly fee.
  • Virtualization Platform or Cloud Account:
    • You need access to a supported virtualization platform (like VMware vSphere, Microsoft Hyper-V, KVM) or a public cloud account (like AWS, Azure, GCP).
    • Ensure you have administrative access to create VMs, set up networks, and manage storage.
  • FortiGate VM Image:
    • Download the correct FortiGate VM image file for your platform from the Fortinet Support portal.
    • Common image formats include:
      • VMware: .ova (a single file for easy deployment) or .ovf/.vmdk.
      • Microsoft Hyper-V: .vhd or .vhdx.
      • KVM: .qcow2.
      • Public Clouds: Images are usually available directly in their marketplaces.
    • Important: After downloading, it’s good practice to verify the file’s integrity using a checksum (MD5 or SHA256). Compare the checksum you calculate with the one provided on the Fortinet Support portal.
  • System Resources:
    • Ensure your virtualization environment or cloud account has enough CPU, RAM, storage, and network interfaces for the VM. Refer to the FortiGate VM datasheet for minimum and recommended specifications.
    • CPU: At least 1 virtual CPU, but 2 or more are recommended for better performance.
    • RAM: At least 2GB, but 4GB or more is often recommended, especially if you plan to use many security features.
    • Storage: A system disk is included with the image. You might need additional virtual disks for logging.
    • Network Interfaces: FortiGate VMs need multiple virtual network interfaces (vNICs) to connect to different parts of your network (e.g., management, internal network, external internet connection).
  • Network Configuration Plan:
    • Before you start, plan your network setup carefully.
    • Decide on IP addresses, subnet masks, default gateways, and DNS servers for each FortiGate interface (e.g., management, internal, external).
    • Consider if you’ll use VLANs (Virtual Local Area Networks) or advanced features like Link Aggregation (LAG) for network redundancy or increased speed.
    • Plan your security zones (e.g., internal, external, DMZ) which will help organize your firewall rules.

Deployment Steps

The deployment process generally involves importing the VM image into your virtualization environment or launching it in the cloud, followed by initial setup.

Step 1: Download and Verify the FortiGate VM Image

  1. Log in to the Fortinet Support portal.
  2. Go to ‘Download’ > ‘Firmware Images’.
  3. Select ‘FortiGate’ as the product.
  4. Choose the FortiOS version and the correct image for your platform (e.g., FGT_VM64 for VMware, FGT_VM64_HV for Hyper-V, FGT_VM64_KVM for KVM, or the relevant cloud image).
  5. Download the VM image file.
  6. Verify the Download: To ensure the file isn’t corrupted, calculate its checksum.

    # Example for Linux/macOS
    md5sum /path/to/your/fortigate_vm.ova
    sha256sum /path/to/your/fortigate_vm.ova

    Compare the result with the checksum listed on the Fortinet Support portal. If they don’t match, download the file again.
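The comparison in step 6 is easy to get wrong by eye on a 64-character hex string, so here is a small POSIX shell script that does it mechanically. This is an added example, not code from the guide or from Fortinet; the image path and the expected digest are whatever you pass in, and the script assumes either sha256sum (Linux) or shasum (macOS) is installed.

```shell
#!/bin/sh
# Added example, not from the guide or from Fortinet: verify a downloaded FortiGate VM
# image against the SHA256 value published on the Fortinet Support portal before
# deploying it. The file path and hash you pass in are yours; nothing is hard-coded.

# sha256_of FILE -> prints the hex digest, using sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image FILE EXPECTED_SHA256
# Returns 0 when the computed digest equals the expected one (case-insensitive),
# 1 when the file is missing or the digests differ. A mismatch means the download
# is corrupt or is not the file the portal lists: discard it and download again.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_image: $file: no such file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Script usage: sh verify_image.sh /path/to/fortigate_vm.ova <SHA256 from the Support portal>
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

Take the expected value from the Support portal page itself (served over HTTPS), not from a text file that came down the same path as the image; a checksum only proves the file you have is the file the vendor lists when the reference value comes from a source you trust separately. Prefer the SHA256 value over MD5 where both are offered.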

Step 2: Deploy the VM Image on Your Platform

The way you deploy the image changes depending on your virtualization or cloud platform.

For VMware vSphere (using OVA)

An OVA file is a bundled package that makes deployment easy.

  1. In the vSphere Client, right-click your Datacenter or Cluster and select ‘Deploy OVF Template…’.
  2. Choose ‘Local file’ and browse to your downloaded .ova file. Click ‘Next’.
  3. Give your virtual machine a name and choose where to store it. Click ‘Next’.
  4. Select the host or cluster where the VM will run. Click ‘Next’.
  5. Review the template details. Click ‘Next’.
  6. Configuration: If the OVA offers different VM sizes (e.g., different CPU/RAM), choose the one that matches your license and resource plan. Click ‘Next’.
  7. Storage: Select the datastore for the VM files.
    • Disk Provisioning: ‘Thin Provision’ is recommended to save disk space, as the disk grows only as data is written.
    • Click ‘Next’.
  8. Network Mapping: This is crucial. Map the networks in the OVA template (like Network 1, Network 2) to your actual network port groups in vSphere (e.g., VM Network, Internal_VLAN10). Ensure that Network 1 from the OVA maps to the network you want to use for the FortiGate’s port1 (the default management interface). Click ‘Next’.
  9. Review all settings and click ‘Finish’ to start the deployment.

For Microsoft Hyper-V (using VHD/VHDX)

You’ll create a new VM and attach the downloaded virtual hard disk.

  1. Open Hyper-V Manager.
  2. In the Actions pane, select ‘New’ > ‘Virtual Machine…’. Click ‘Next’.
  3. Give the VM a name. Click ‘Next’.
  4. Specify Generation: FortiGate VMs typically support ‘Generation 1’. Check Fortinet’s documentation for your specific VM version if you’re unsure. Click ‘Next’.
  5. Assign Memory: Set the amount of RAM for the VM. Click ‘Next’.
  6. Configure Networking: Connect the first network adapter (which will be FortiGate’s port1) to a virtual switch that allows access to your management network. You can add more network adapters later. Click ‘Next’.
  7. Connect Virtual Hard Disk: Select ‘Use an existing virtual hard disk’ and browse to your downloaded .vhd or .vhdx file. Click ‘Next’.
  8. Review the summary and click ‘Finish’.

After the VM is created, you might need to go into its settings in Hyper-V Manager to add more network adapters and connect them to your internal or external virtual switches. The order in which you add these adapters will typically determine which FortiGate port they map to (e.g., the second adapter added maps to port2).

For KVM (using QCOW2)

KVM deployment often involves using command-line tools like virt-install.

  1. Make sure you have KVM packages installed (qemu-kvm, libvirt-daemon, libvirt-clients, virt-install).
  2. Copy the downloaded .qcow2 image file to a suitable location on your KVM host (e.g., /var/lib/libvirt/images/).
  3. Use the virt-install command to create the VM. Adjust the values as needed:

    sudo virt-install \
      --name FortiGateVM \
      --memory 4096 \
      --vcpus 2 \
      --disk path=/var/lib/libvirt/images/fortigate.qcow2,format=qcow2,bus=virtio \
      --network bridge=br0,model=virtio \
      --network bridge=br1,model=virtio \
      --import \
      --os-type linux \
      --os-variant rhel7 \
      --graphics none \
      --console pty,target_type=serial

    • --name: Name of your VM.
    • --memory: RAM in MB.
    • --vcpus: Number of virtual CPUs.
    • --disk: Path to the QCOW2 image. bus=virtio improves disk performance.
    • --network: Configures network interfaces. bridge=br0 connects to your host’s network bridge. model=virtio improves network performance. Add more --network lines for additional interfaces. The order of these lines matters for FortiGate port mapping (first is port1, second is port2, etc.).
    • --import: Tells it to use an existing disk image.
    • --graphics none: Disables graphical console.
    • --console pty,target_type=serial: Sets up a serial console, which is how you’ll initially access the FortiGate CLI on KVM.

Make sure your KVM host has the necessary network bridges (br0, br1, etc.) configured and connected to your physical networks or VLANs.
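Because the order of the --network options decides which bridge becomes port1 (the management interface), it is worth printing the mapping before the VM exists. The script below is an added example, not part of the guide or of Fortinet's tooling: it builds the same virt-install command shown above from an ordered list of bridges, checks that each bridge exists on the host, and prints the port mapping and the command for review rather than executing anything. The VM name, image path and bridge names are placeholders.

```shell
#!/bin/sh
# Added example, not from the guide or from Fortinet: plan the virt-install command for a
# FortiGate VM from an ordered list of host bridges and print the bridge-to-port mapping
# before anything is created. virt-install attaches vNICs in the order the --network
# options appear, and FortiOS numbers them port1, port2, ... in that same order, so the
# first bridge listed becomes the management interface. All names and paths are placeholders.

# kvm_port_map BRIDGE... -> one "portN=bridge" line per bridge, in argument order.
kvm_port_map() {
    n=1
    for br in "$@"; do
        printf 'port%s=%s\n' "$n" "$br"
        n=$((n + 1))
    done
}

# check_bridges BRIDGE... -> 0 if at least one bridge is given and each exists on this host.
# A missing bridge would leave the corresponding FortiGate port disconnected.
check_bridges() {
    if [ "$#" -lt 1 ]; then
        echo "at least one bridge is required (it becomes port1, the management interface)" >&2
        return 1
    fi
    for br in "$@"; do
        if ! ip link show "$br" >/dev/null 2>&1; then
            echo "bridge $br not found on this host" >&2
            return 1
        fi
    done
}

# build_virt_install NAME MEM_MB VCPUS DISK BRIDGE... -> prints the command line
# (same options as the guide's example; nothing is executed here).
build_virt_install() {
    name=$1; mem=$2; vcpus=$3; disk=$4
    shift 4
    cmd="virt-install --name $name --memory $mem --vcpus $vcpus"
    cmd="$cmd --disk path=$disk,format=qcow2,bus=virtio"
    for br in "$@"; do
        cmd="$cmd --network bridge=$br,model=virtio"
    done
    cmd="$cmd --import --os-type linux --os-variant rhel7 --graphics none --console pty,target_type=serial"
    printf '%s\n' "$cmd"
}

# Script usage: sh plan_fortigate_kvm.sh NAME MEM_MB VCPUS /path/to/image.qcow2 br0 br1 ...
# Review the printed mapping, then run the printed command with sudo.
if [ "$#" -ge 5 ]; then
    name=$1; mem=$2; vcpus=$3; disk=$4
    shift 4
    check_bridges "$@" || exit 1
    echo "Planned FortiGate port mapping (port1 = management):"
    kvm_port_map "$@"
    echo "Command to run:"
    build_virt_install "$name" "$mem" "$vcpus" "$disk" "$@"
fi
```

Keeping the planning step separate from execution is deliberate: if the management bridge is listed second by mistake, port1 lands on the wrong network segment, and the mistake is far cheaper to catch on a printed mapping than after the VM boots with its management interface facing the wrong side.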

For Public Clouds (AWS, Azure, GCP)

Deployment in the cloud involves launching an instance from the marketplace and configuring its networking and security.

  1. Log in to your cloud provider’s management console (AWS, Azure, or Google Cloud).
  2. Go to the service for launching virtual machines (e.g., EC2 in AWS, Virtual Machines in Azure, Compute Engine in GCP).
  3. Start the process to launch a new instance/VM.
  4. Choose Image: Search the Marketplace for “FortiGate” and select the appropriate image (BYOL or PAYG).
  5. Choose Instance Type: Select a VM size (instance type) that meets the CPU and RAM requirements for your FortiGate VM and expected traffic.
  6. Network Configuration:
    • Select the Virtual Private Cloud (VPC) or Virtual Network (VNet) where the FortiGate will be.
    • Choose the Subnet for the primary network interface (this will typically be FortiGate’s port1 for management).
    • Add more Network Interfaces and assign them to subnets for your internal, external, or DMZ networks. Pay close attention to the order you add interfaces, as this maps to FortiGate’s port numbering (e.g., eth0 in the cloud VM maps to port1 on FortiGate, eth1 maps to port2, etc.).
    • Configure Security Groups (AWS), Network Security Groups (NSGs) (Azure), or Firewall Rules (GCP) to allow necessary access to the FortiGate’s management interface (HTTPS, SSH, Ping) from your administrative network. Limit access as much as possible.
    • Configure Route Tables in your VPC/VNet to direct network traffic through the FortiGate. This is essential for the FortiGate to act as a firewall/gateway.
  7. Storage: Configure the size and type of the main disk.
  8. Review and launch the instance.

Cloud deployments often require more careful planning for networking and security rules compared to on-premises setups.

Step 3: Power On the VM and Initial Configuration

After the VM is deployed, power it on and access its console for the first-time setup.

  1. Power On: Start the virtual machine from your virtualization platform’s or cloud provider’s console.
  2. Access Console:
    • VMware: Open the VM console tab.
    • Hyper-V: Right-click the VM and select ‘Connect’.
    • KVM: Use virsh console <VM_Name> from your KVM host’s command line.
    • Public Clouds: Use the cloud provider’s serial console feature (e.g., EC2 Serial Console, Azure Serial Console, GCP Serial Port).
  3. Initial Login: The FortiGate VM will boot up. When you see the login prompt:

    FortiGate-VM login:

    Type admin and press Enter.

    FortiGate-VM login: admin
    Password:

    Press Enter again (there’s no default password).
  4. Set New Password: You will be immediately asked to set a new password for the admin user. This is required.

    You are required to change your password immediately.
    New password:

    Enter a strong password and press Enter. Confirm it when prompted.
  5. Initial Network Configuration (CLI): It’s best to configure the management interface (port1) using the command-line interface (CLI) first.

    config system interface
        edit port1
            set mode static
            set ip 192.168.1.99/24                       # Replace with your desired IP and subnet
            set allowaccess ping http https ssh fgfm     # Enable access for web, SSH, etc.
            set description "Management Interface"
        next
    end
    config router static
        edit 1
            set gateway 192.168.1.1                      # Replace with your network's default gateway
            set device port1
        next
    end
    config system dns
        set primary 8.8.8.8                              # Replace with your primary DNS server
        set secondary 8.8.4.4                            # Replace with your secondary DNS server
    end                                                  # Each 'end' commits and saves that block

    • set allowaccess: Allows protocols like HTTP/HTTPS (for the web interface), SSH (for CLI), and Ping.
    • config router static: Sets up a default route so the FortiGate can reach other networks, including the internet for licensing.
    • config system dns: Configures DNS servers for name resolution.
  6. Access Web-based Manager: Once port1 has an IP address and a default route, you can access the FortiGate’s web interface from a web browser:

    https://<FortiGate_Management_IP>

    You will likely see a certificate warning because the FortiGate presents its factory self-signed certificate; accept it for this initial setup. Log in with admin and the password you just set.

Step 4: Upload the License File

Applying the license activates all features and enables FortiGuard updates (for threat intelligence) and support.

  1. Access the FortiGate web-based manager via HTTPS.
  2. Go to System > Dashboard > Status. You’ll see the license status (e.g., “Unlicensed”).
  3. Click the ‘Upload License’ button or link.
  4. Browse to the .lic license file you downloaded from the Fortinet Support portal.
  5. Upload the file. The FortiGate will verify it.
  6. The FortiGate will usually need to reboot after the license is applied. Confirm the reboot.
  7. After rebooting, log back into the web interface. The Dashboard should now show your license details.

If you have an activation code (common in some cloud or subscription licenses), you might activate it via the GUI or CLI:

# Example CLI command to register with FortiCare (requires internet access)
execute license update <activation_code>

Step 5: Basic Network and Security Configuration

With the license active, you can now configure the FortiGate to protect your network.

  1. Interface Configuration:
    • Go to Network > Interfaces.
    • Configure the other interfaces (port2, port3, etc.) that connect to your internal networks, the internet, and any DMZs.
    • Set their IP addresses, subnet masks, and allowed access protocols.
    • If you’re using VLANs, configure VLAN sub-interfaces.
    • Consider assigning interfaces to Zones (Network > Zones) to simplify your firewall policies.

    config system interface
        edit port2
            set mode static
            set ip 10.10.10.1/24
            set allowaccess ping https ssh
            set description "Internal LAN"
        next
        edit port3
            set mode static
            set ip 203.0.113.2/29              # Example public IP
            set allowaccess ping               # Keep HTTPS/SSH management off the external interface; manage via port1
            set description "External WAN"
        next
        # Example: configure a VLAN sub-interface if needed
        edit port2.10
            set vdom root                      # VDOM that owns the sub-interface (root unless you use multiple VDOMs)
            set interface port2                # Parent physical interface (required for a VLAN sub-interface)
            set vlanid 10
            set mode static
            set ip 10.10.20.1/24
            set allowaccess ping https
            set description "Internal VLAN 10"
        next
    end

  2. Firewall Policies:
    • Go to Policy & Objects > Firewall Policy.
    • Create rules (policies) to control which traffic is allowed or denied between your interfaces/zones. Policies are processed from top to bottom, and the first matching policy decides.
    • For each policy, define:
      • Source Interface/Zone and Destination Interface/Zone
      • Source Address(es) and Destination Address(es)
      • Service(s) (ports/protocols)
      • Action (Accept or Deny)
    • Apply Security Profiles (like Antivirus, Web Filter, Intrusion Prevention System) to policies to enable advanced threat protection.

    config firewall policy
        edit 0                                  # 0 assigns the next free policy ID; new policies are appended at the bottom of the list
            set name "LAN_to_WAN_Outbound"
            set srcintf "port2"                 # Interface name or zone name (Network > Zones), not the description text
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"               # A schedule is required on every policy
            set service "ALL"                   # Be more specific in a production environment
            set action accept
            set nat enable                      # Enable Network Address Translation for outbound internet access
            set utm-status enable               # Required before security profiles can be attached
            set profile-protocol-options "default"
            set av-profile "default"            # Apply Antivirus scanning
            set webfilter-profile "default"     # Apply Web Filtering
            set ips-sensor "default"            # Apply Intrusion Prevention
            set application-list "default"      # Apply Application Control
            set ssl-ssh-profile "certificate-inspection"   # Basic SSL inspection
            set logtraffic all                  # Log all traffic matching this policy
        next
        # Example: a general deny policy (placed at the bottom of the list so that it only
        # catches traffic no earlier policy accepted, and logs what the implicit deny would drop)
        edit 0
            set name "Deny_All_Implicit"
            set srcintf "any"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set action deny
            set logtraffic all
        next
    end

  3. Routing:
    • Go to Network > Static Routes.
    • Verify the default route you configured. Add any other static routes needed to reach specific networks not directly connected to the FortiGate.
    • If you need dynamic routing (like OSPF or BGP), configure it under Router.
  4. System Settings:
    • Configure System > Settings (e.g., hostname, time zone, operation mode).
    • Set up System > FortiGuard for security updates.
    • Configure System > NTP for accurate time synchronization.
    • Set up Log & Report > Log Settings to send logs to a FortiAnalyzer, FortiManager, or syslog server for monitoring.
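The top-to-bottom rule from the Firewall Policies step is the one most often broken by a policy placed in the wrong position, so here is a small simulator for it. This is an added example, not FortiOS code and not from the guide: the policy tables are constructed samples (name, source interface, destination interface, destination port, action) in the order they would appear in the FortiGate policy list, `evaluate` returns the first matching row exactly as the firewall would, and `shadowed_rules` flags policies that an any/any/ALL catch-all above them makes unreachable.

```shell
#!/bin/sh
# Added example, not FortiOS code: a first-match simulator for the "policies are processed
# from top to bottom" rule, plus a check for policies that a catch-all above them shadows.
# The policy tables are constructed samples in the order they would appear in the
# FortiGate policy list; fields are name|srcintf|dstintf|dstport|action, where "any"
# (interfaces) and "ALL" (service) are wildcards, as in the guide's CLI example.

# Ordered correctly: specific accepts first, explicit deny-all last.
POLICIES='LAN_to_WAN_Web|port2|port3|443|accept
LAN_to_WAN_DNS|port2|port3|53|accept
Deny_All_Implicit|any|any|ALL|deny'

# Same rules with the deny-all moved to the top: it now matches everything first.
POLICIES_DENY_FIRST='Deny_All_Implicit|any|any|ALL|deny
LAN_to_WAN_Web|port2|port3|443|accept
LAN_to_WAN_DNS|port2|port3|53|accept'

# field_matches RULE_VALUE FLOW_VALUE WILDCARD -> 0 if the rule field is the wildcard or equals the flow value
field_matches() {
    [ "$1" = "$3" ] || [ "$1" = "$2" ]
}

# evaluate TABLE SRCINTF DSTINTF DSTPORT -> prints "<policy name>:<action>" for the first
# matching row, or "implicit:deny" when no row matches (FortiGate drops unmatched traffic
# with its built-in implicit deny, which does not log unless you enable that).
evaluate() {
    src=$2; dst=$3; port=$4
    result=$(printf '%s\n' "$1" | while IFS='|' read -r name rsrc rdst rport action; do
        if field_matches "$rsrc" "$src" any && field_matches "$rdst" "$dst" any \
           && field_matches "$rport" "$port" ALL; then
            printf '%s:%s\n' "$name" "$action"
            break   # first match wins; later rows are never consulted
        fi
    done)
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
    else
        printf 'implicit:deny\n'
    fi
}

# shadowed_rules TABLE -> names of rows that can never match because an any/any/ALL
# catch-all sits above them; a non-empty result means the ordering needs fixing.
shadowed_rules() {
    printf '%s\n' "$1" | {
        catchall=""
        while IFS='|' read -r name rsrc rdst rport action; do
            if [ -n "$catchall" ]; then
                printf '%s\n' "$name"
            elif [ "$rsrc" = any ] && [ "$rdst" = any ] && [ "$rport" = ALL ]; then
                catchall=$name
            fi
        done
    }
}

# Demo on the constructed tables.
echo "HTTPS port2->port3, correct order:   $(evaluate "$POLICIES" port2 port3 443)"
echo "SSH port2->port3, correct order:     $(evaluate "$POLICIES" port2 port3 22)"
echo "HTTPS port2->port3, deny-all on top: $(evaluate "$POLICIES_DENY_FIRST" port2 port3 443)"
echo "Shadowed by the misplaced deny-all:  $(shadowed_rules "$POLICIES_DENY_FIRST" | tr '\n' ' ')"
```

The simulator only models interface, destination port and action, which is enough to show the two behaviours that matter when you order the real policy table: a flow that matches nothing falls through to the implicit deny, and an explicit deny-all placed above specific accepts silently disables them. On the FortiGate, the same situation shows up as the specific policies never accumulating hit counts while the deny-all logs everything.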

Conclusion

You have successfully deployed and performed the initial configuration of your FortiGate Firewall VM. This includes getting the image, setting up its resources, configuring basic network access through the command line, licensing the device, and setting up essential network interfaces and firewall rules using the web interface.

This is just the beginning. The true power of the FortiGate comes from its wide range of security features. Your next steps should involve further detailed configuration to customize security policies, VPNs, user authentication, and logging to meet your specific network and security needs.

Key Next Steps:

  • Configure more detailed security profiles (Antivirus, IPS, Web Filter, Application Control).
  • Implement SSL/SSH Inspection for encrypted traffic.
  • Set up VPNs (IPsec or SSL) for secure remote access or site-to-site connections.
  • Configure user authentication (e.g., Local users, RADIUS, LDAP).
  • Set up centralized logging and monitoring (e.g., with FortiAnalyzer).
  • Consider configuring High Availability (HA) if you need redundancy (requires two FortiGate VMs).
  • Regularly update FortiOS firmware and FortiGuard definitions to stay protected against new threats.

Always refer to the official FortiGate documentation and the Fortinet Knowledge Base for detailed information on advanced configurations, troubleshooting, and best practices for your specific FortiOS version and deployment environment.