Skip to content
Fortinet

Deploying a FortiGate Firewall VM: An In-Depth Technical Guide

Deploying a FortiGate firewall VM takes five steps: download and verify the image, import or launch it, run first-time CLI setup, apply your license, then configure interfaces and policies. Covers VMware, Hyper-V, KVM, and public cloud on FortiOS 7.4/7.6.

Maxim Kazachek Maxim Kazachek · · · 14 min read

How do you deploy a FortiGate firewall VM?

Deploying a FortiGate firewall VM comes down to five steps: download and verify the correct FortiGate-VM image for your platform, import or launch it, run the first-time console setup to bring up the management interface, apply your license, then build out your interfaces and firewall policies. The exact clicks vary by hypervisor or cloud, but the sequence is the same everywhere. This guide walks through each step for VMware vSphere, Microsoft Hyper-V, KVM, and the major public clouds, using current FortiOS releases.

FortiGate-VM

FortiGate-VM is the virtual-machine edition of Fortinet’s FortiGate next-generation firewall. It runs the same FortiOS as the hardware appliances, so you get firewall policies, IPS, antivirus, web filtering, and VPN inside a virtualized data center or public cloud instead of on a physical box. Licensing is decoupled from the image: you deploy the image, then activate features and performance tiers with a license.

The image is free to download but does nothing useful until licensed. Decide your license model (BYOL, PAYG, or FortiFlex) and your FortiOS branch before you deploy, because on public cloud the license type is fixed for the life of the instance. As a Fortinet Advanced Partner since 2003, we deploy and manage FortiGate firewalls for mid-market clients across the GTA every week; the notes below reflect what actually trips people up.

Which FortiOS version should you deploy in 2026?

For production, deploy on FortiOS 7.4 or 7.6. These are the mature, widely deployed branches; 7.6.7 is the newest 7.6 patch, and many teams standardize on a slightly earlier, well-soaked release such as 7.6.6. FortiOS 8.0 was announced at Accelerate 2026 as the newest feature release, but it is not yet a production recommendation, so keep it in the lab for now.

If you are still on FortiOS 7.2.x, plan your upgrade now: 7.2 reaches end-of-support in September 2026, after which it stops receiving fixes and vulnerability patches. Choosing the right branch at deploy time avoids a forced migration a few months later.

Sept 2026

FortiOS 7.2.x reaches end-of-support; move new and existing FortiGate-VMs to 7.4 or 7.6 before then (Fortinet EOS notice).

Warning:

Fortinet is removing SSL VPN tunnel mode from FortiOS on the 7.6+ and 8.0 branches. Do not build a new remote-access design around SSL VPN. Use IPsec VPN for tunnel-based remote access and site-to-site connections, and ZTNA for per-application access. If you are migrating an older FortiGate, budget time to convert existing SSL VPN users to IPsec.

What do you need before deploying a FortiGate VM?

Before you start the deployment, make sure you have the following:

  • FortiGate VM License:
    • You need the correct license file (.lic), activation code, or FortiFlex token for your FortiGate VM. This determines the features, performance (how much traffic it can handle), and support you get.
    • Licenses are typically BYOL (Bring Your Own License), meaning you buy the license separately, or PAYG / on-demand (Pay-As-You-Go), found in cloud marketplaces where the software cost is part of the hourly or monthly fee. FortiFlex is a points-based usage model for organizations running many VMs. See the comparison below.
  • Virtualization Platform or Cloud Account:
    • You need access to a supported virtualization platform (like VMware vSphere, Microsoft Hyper-V, KVM) or a public cloud account (like AWS, Azure, GCP).
    • Ensure you have administrative access to create VMs, set up networks, and manage storage.
  • FortiGate VM Image:
    • Download the correct FortiGate VM image file for your platform from the Fortinet Support portal.
    • Common image formats include:
      • VMware: .ova (a single file for easy deployment) or .ovf/.vmdk.
      • Microsoft Hyper-V: .vhd or .vhdx.
      • KVM: .qcow2.
      • Public Clouds: Images are usually available directly in their marketplaces.
    • Important: After downloading, verify the file’s integrity using a checksum (SHA256 is preferred; MD5 is also published). Compare the checksum you calculate with the one provided on the Fortinet Support portal.
  • System Resources:
    • Ensure your virtualization environment or cloud account has enough CPU, RAM, storage, and network interfaces for the VM. Refer to the FortiGate VM datasheet for minimum and recommended specifications.
    • CPU: At least 1 virtual CPU, but 2 or more are recommended for better performance.
    • RAM: At least 2GB, but 4GB or more is often recommended, especially if you plan to use many security features.
    • Storage: A system disk is included with the image. You might need additional virtual disks for logging.
    • Network Interfaces: FortiGate VMs need multiple virtual network interfaces (vNICs) to connect to different parts of your network (e.g., management, internal network, external internet connection).
  • Network Configuration Plan:
    • Before you start, plan your network setup carefully.
    • Decide on IP addresses, subnet masks, default gateways, and DNS servers for each FortiGate interface (e.g., management, internal, external).
    • Consider if you’ll use VLANs (Virtual Local Area Networks) or advanced features like Link Aggregation (LAG) for network redundancy or increased speed.
    • Plan your security zones (e.g., internal, external, DMZ) which will help organize your firewall rules.

BYOL vs PAYG vs FortiFlex: which license do you pick?

On public cloud the license type is fixed for the life of the instance, so choose deliberately. BYOL suits predictable, long-running deployments and unlocks the full feature set and virtual domains; PAYG is fastest to stand up and best for short-lived or bursty workloads; FortiFlex fits organizations juggling many VMs that want pooled, usage-based consumption.

License modelHow you payBest forNotes
BYOLBuy the license up front, apply the .lic file or tokenPredictable, long-running VMs on any platformFull feature set and VDOM support; portable across environments
PAYG / on-demandHourly or monthly via the cloud marketplaceShort-lived, test, or bursty cloud workloadsPackaged as unified threat management; no VDOMs; type is fixed for the instance’s life
FortiFlexPoints-based, consumption metered dailyEnterprises and MSSPs running many VMsApply a FortiFlex token; supports vCPU hot-add up to the entitlement

How do you deploy the FortiGate VM image, step by step?

The deployment process generally involves importing the VM image into your virtualization environment or launching it in the cloud, followed by initial setup. The five steps below take you from download to a licensed, policy-enforcing firewall.

Step 1: Download and Verify the FortiGate VM Image

  1. Log in to the Fortinet Support portal.
  2. Go to ‘Download’ > ‘Firmware Images’.
  3. Select ‘FortiGate’ as the product.
  4. Choose a supported FortiOS version (7.4 or 7.6) and the correct image for your platform (e.g., FGT_VM64 for VMware, FGT_VM64_HV for Hyper-V, FGT_VM64_KVM for KVM, or the relevant cloud image).
  5. Download the VM image file.
  6. Verify the Download: To ensure the file isn’t corrupted, calculate its checksum.# Example for Linux/macOS md5sum /path/to/your/fortigate_vm.ova sha256sum /path/to/your/fortigate_vm.ova
    Compare the result with the checksum listed on the Fortinet Support portal. If they don’t match, download the file again.

Step 2: Deploy the VM Image on Your Platform

The way you deploy the image changes depending on your virtualization or cloud platform.

For VMware vSphere (using OVA)

An OVA file is a bundled package that makes deployment easy.

  1. In the vSphere Client, right-click your Datacenter or Cluster and select ‘Deploy OVF Template…’.
  2. Choose ‘Local file’ and browse to your downloaded .ova file. Click ‘Next’.
  3. Give your virtual machine a name and choose where to store it. Click ‘Next’.
  4. Select the host or cluster where the VM will run. Click ‘Next’.
  5. Review the template details. Click ‘Next’.
  6. Configuration: If the OVA offers different VM sizes (e.g., different CPU/RAM), choose the one that matches your license and resource plan. Click ‘Next’.
  7. Storage: Select the datastore for the VM files.
    • Disk Provisioning: ‘Thin Provision’ is recommended to save disk space, as the disk grows only as data is written.
    • Click ‘Next’.
  8. Network Mapping: This is crucial. Map the networks in the OVA template (like Network 1, Network 2) to your actual network port groups in vSphere (e.g., VM Network, Internal_VLAN10). Ensure that Network 1 from the OVA maps to the network you want to use for the FortiGate’s port1 (the default management interface). Click ‘Next’.
  9. Review all settings and click ‘Finish’ to start the deployment.

Interface order equals port order. Whatever hypervisor or cloud you use, the first vNIC becomes port1, the second becomes port2, and so on. Map your management network to the first interface, and add the rest in the order you want them numbered. Getting this wrong is the most common reason a fresh FortiGate-VM is unreachable after boot.

For Microsoft Hyper-V (using VHD/VHDX)

You’ll create a new VM and attach the downloaded virtual hard disk.

  1. Open Hyper-V Manager.
  2. In the Actions pane, select ‘New’ > ‘Virtual Machine…’. Click ‘Next’.
  3. Give the VM a name. Click ‘Next’.
  4. Specify Generation: FortiGate VMs typically support ‘Generation 1’. Check Fortinet’s documentation for your specific VM version if you’re unsure. Click ‘Next’.
  5. Assign Memory: Set the amount of RAM for the VM. Click ‘Next’.
  6. Configure Networking: Connect the first network adapter (which will be FortiGate’s port1) to a virtual switch that allows access to your management network. You can add more network adapters later. Click ‘Next’.
  7. Connect Virtual Hard Disk: Select ‘Use an existing virtual hard disk’ and browse to your downloaded .vhd or .vhdx file. Click ‘Next’.
  8. Review the summary and click ‘Finish’.

After the VM is created, you might need to go into its settings in Hyper-V Manager to add more network adapters and connect them to your internal or external virtual switches. The order in which you add these adapters will typically determine which FortiGate port they map to (e.g., the second adapter added maps to port2).

For KVM (using QCOW2)

KVM deployment often involves using command-line tools like virt-install.

  1. Make sure you have KVM packages installed (qemu-kvm, libvirt-daemon, libvirt-clients, virt-install).
  2. Copy the downloaded .qcow2 image file to a suitable location on your KVM host (e.g., /var/lib/libvirt/images/).
  3. Use the virt-install command to create the VM. Adjust the values as needed:sudo virt-install --name FortiGateVM --memory 4096 --vcpus 2 --disk path=/var/lib/libvirt/images/fortigate.qcow2,format=qcow2,bus=virtio --network bridge=br0,model=virtio --network bridge=br1,model=virtio --import --os-variant generic --graphics none --console pty,target_type=serial
    • --name: Name of your VM.
    • --memory: RAM in MB.
    • --vcpus: Number of virtual CPUs.
    • --disk: Path to the QCOW2 image. bus=virtio improves disk performance.
    • --network: Configures network interfaces. bridge=br0 connects to your host’s network bridge. model=virtio improves network performance. Add more --network lines for additional interfaces. The order of these lines matters for FortiGate port mapping (first is port1, second is port2, etc.).
    • --import: Tells it to use an existing disk image.
    • --os-variant generic: A safe, portable value; run osinfo-query os if you want to pick a closer match for your host.
    • --graphics none: Disables graphical console.
    • --console pty,target_type=serial: Sets up a serial console, which is how you’ll initially access the FortiGate CLI on KVM.

Make sure your KVM host has the necessary network bridges (br0, br1, etc.) configured and connected to your physical networks or VLANs.

For Public Clouds (AWS, Azure, GCP)

Deployment in the cloud involves launching an instance from the marketplace and configuring its networking and security.

  1. Log in to your cloud provider’s management console (AWS, Azure, or Google Cloud).
  2. Go to the service for launching virtual machines (e.g., EC2 in AWS, Virtual Machines in Azure, Compute Engine in GCP).
  3. Start the process to launch a new instance/VM.
  4. Choose Image: Search the Marketplace for “FortiGate” and select the appropriate image (BYOL or PAYG). Remember the license type is fixed once the instance is running.
  5. Choose Instance Type: Select a VM size (instance type) that meets the CPU and RAM requirements for your FortiGate VM and expected traffic.
  6. Network Configuration:
    • Select the Virtual Private Cloud (VPC) or Virtual Network (VNet) where the FortiGate will be.
    • Choose the Subnet for the primary network interface (this will typically be FortiGate’s port1 for management).
    • Add more Network Interfaces and assign them to subnets for your internal, external, or DMZ networks. Pay close attention to the order you add interfaces, as this maps to FortiGate’s port numbering (e.g., eth0 in the cloud VM maps to port1 on FortiGate, eth1 maps to port2, etc.).
    • Configure Security Groups (AWS), Network Security Groups (NSGs) (Azure), or Firewall Rules (GCP) to allow necessary access to the FortiGate’s management interface (HTTPS, SSH, Ping) from your administrative network. Limit access as much as possible.
    • Configure Route Tables in your VPC/VNet to direct network traffic through the FortiGate. This is essential for the FortiGate to act as a firewall/gateway.
  7. Storage: Configure the size and type of the main disk.
  8. Review and launch the instance.

Cloud deployments often require more careful planning for networking and security rules compared to on-premises setups.

Step 3: Power On the VM and Initial Configuration

After the VM is deployed, power it on and access its console for the first-time setup.

  1. Power On: Start the virtual machine from your virtualization platform’s or cloud provider’s console.
  2. Access Console:
    • VMware: Open the VM console tab.
    • Hyper-V: Right-click the VM and select ‘Connect’.
    • KVM: Use virsh console <VM_Name> from your KVM host’s command line.
    • Public Clouds: Use the cloud provider’s serial console feature (e.g., EC2 Serial Console, Azure Serial Console, GCP Serial Port).
  3. Initial Login: The FortiGate VM will boot up. When you see the login prompt:FortiGate-VM login:
    Type admin and press Enter.FortiGate-VM login: admin Password:
    Press Enter again (there’s no default password).
  4. Set New Password: You will be immediately asked to set a new password for the admin user. This is required.You are required to change your password immediately. New password:
    Enter a strong password and press Enter. Confirm it when prompted.
  5. Initial Network Configuration (CLI): It’s best to configure the management interface (port1) using the command-line interface (CLI) first.config system interface edit port1 set mode static set ip 192.168.1.99/24 # Replace with your desired IP and subnet set allowaccess ping http https ssh fgfm # Enable access for web, SSH, etc. set description "Management Interface" next end config router static edit 1 set gateway 192.168.1.1 # Replace with your network's default gateway set device port1 next end config system dns set primary 8.8.8.8 # Replace with your primary DNS server set secondary 8.8.4.4 # Replace with your secondary DNS server end # Save the configuration end
    • set allowaccess: Allows protocols like HTTP/HTTPS (for the web interface), SSH (for CLI), and Ping.
    • config router static: Sets up a default route so the FortiGate can reach other networks, including the internet for licensing.
    • config system dns: Configures DNS servers for name resolution.
  6. Access Web-based Manager: Once port1 has an IP address and a default route, you can access the FortiGate’s web interface from a web browser.https://<FortiGate_Management_IP>
    You might see a certificate warning, which you can safely bypass for now. Log in with admin and the password you just set.

Step 4: Upload the License File

Applying the license activates all features and enables FortiGuard updates (for threat intelligence) and support.

  1. Access the FortiGate web-based manager via HTTPS.
  2. Go to System > Dashboard > Status. You’ll see the license status (e.g., “Unlicensed”).
  3. Click the ‘Upload License’ button or link. For FortiFlex, enter your token instead of a file.
  4. Browse to the .lic license file you downloaded from the Fortinet Support portal.
  5. Upload the file. The FortiGate will verify it.
  6. The FortiGate will usually need to reboot after the license is applied. Confirm the reboot.
  7. After rebooting, log back into the web interface. The Dashboard should now show your license details.

If you have an activation code (common in some cloud or subscription licenses), you might activate it via the GUI or CLI:

# Example CLI command to register with FortiCare (requires internet access)
execute license update <activation_code>

Step 5: Basic Network and Security Configuration

With the license active, you can now configure the FortiGate to protect your network.

  1. Interface Configuration:
    • Go to Network > Interfaces.Configure the other interfaces (port2, port3, etc.) that connect to your internal networks, the internet, and any DMZs.Set their IP addresses, subnet masks, and allowed access protocols.If you’re using VLANs, configure VLAN sub-interfaces.Consider assigning interfaces to Zones (Network > Zones) to simplify your firewall policies.


    config system interface edit port2 set mode static set ip 10.10.10.1/24 set allowaccess ping https ssh set description "Internal LAN" next edit port3 set mode static set ip 203.0.113.2/29 # Example Public IP set allowaccess ping https ssh # Less access typically on external interfaces set description "External WAN" next # Example: Configure VLAN sub-interface if needed edit port2.10 set vlanid 10 set mode static set ip 10.10.20.1/24 set allowaccess ping https set description "Internal VLAN 10" next end

  2. Firewall Policies:
    • Go to Policy & Objects > Firewall Policy.Create rules (policies) to control which traffic is allowed or denied between your interfaces/zones. Policies are processed from top to bottom.For each policy, define:
      • Source Interface/Zone and Destination Interface/ZoneSource Address(es) and Destination Address(es)Service(s) (ports/protocols)Action (Accept or Deny)
      Apply Security Profiles (like Antivirus, Web Filter, Intrusion Prevention System) to policies to enable advanced threat protection.

    config firewall policy edit 0 # 0 means create a new policy at the top set name "LAN_to_WAN_Outbound" set srcintf "Internal LAN" # Or the specific port, e.g., port2 set dstintf "External WAN" # Or the specific port, e.g., port3 set srcaddr "all" set dstaddr "all" set service "ALL" # Be more specific in a production environment set action accept set nat enable # Enable Network Address Translation for outbound internet access set profile-protocol-options "default" set av-profile "default" # Apply Antivirus scanning set webfilter-profile "default" # Apply Web Filtering set ips-sensor "default" # Apply Intrusion Prevention set application-list "default" # Apply Application Control set ssl-ssh-profile "certificate-inspection" # Basic SSL inspection set logtraffic all # Log all traffic matching this policy next # Example: A general deny policy (often placed at the bottom of the list) edit 0 set name "Deny_All_Implicit" set srcintf "any" set dstintf "any" set srcaddr "all" set dstaddr "all" set service "ALL" set action deny set logtraffic all next end

  3. Routing:
    • Go to Network > Static Routes.
    • Verify the default route you configured. Add any other static routes needed to reach specific networks not directly connected to the FortiGate.
    • If you need dynamic routing (like OSPF or BGP), configure it under Router.
  4. System Settings:
    • Configure System > Settings (e.g., hostname, time zone, operation mode).
    • Set up System > FortiGuard for security updates.
    • Configure System > NTP for accurate time synchronization.
    • Set up Log & Report > Log Settings to send logs to a FortiAnalyzer, FortiManager, or syslog server for monitoring.

What should you configure after the FortiGate VM is running?

You have deployed and performed the initial configuration of your FortiGate Firewall VM: you got the image, set up its resources, configured basic network access through the CLI, licensed the device, and set up essential interfaces and firewall rules. The real value of the FortiGate comes from the security features you build on top of this base.

Recommended next steps:

  • Configure more detailed security profiles (Antivirus, IPS, Web Filter, Application Control).
  • Implement SSL/SSH Inspection for encrypted traffic.
  • Set up VPNs for secure connectivity. Use IPsec VPN for remote access and site-to-site tunnels, and ZTNA for per-application access. Do not build on SSL VPN tunnel mode, which Fortinet is removing from FortiOS 7.6+ and 8.0.
  • Configure user authentication (e.g., Local users, RADIUS, LDAP).
  • Set up centralized logging and monitoring (e.g., with FortiAnalyzer).
  • Consider configuring High Availability (HA) if you need redundancy (requires two FortiGate VMs).
  • Keep FortiOS and FortiGuard definitions current, and stay on a supported branch (7.4 or 7.6) so you continue receiving patches.

If you would rather have this designed, deployed, and monitored for you, our managed firewall services and Fortinet solutions cover the full lifecycle, from sizing and licensing to policy tuning and 24/7 monitoring. Always refer to the official FortiGate documentation for your specific FortiOS version and deployment environment.

Sources

Written by Maxim Kazachek

Sr. Systems Engineer

Maxim is a core member of the technical team at BALANCED+, responsible for architecting, deploying, and maintaining the systems infrastructure that clients depend on every day. From on-premises server environments to hybrid cloud deployments, he ensures that every system is configured for performance, security, and resilience. His deep technical knowledge spans Windows and Linux server […]

Frequently Asked Questions

Need IT Expertise?

Our team is ready to help. Book a free consultation and see how we can support your business.