Chapter 28 – VM Installation

Chapter 28 – VM Installation

This document describes how to deploy a FortiGate virtual appliance in several virtualization server environments. This includes how to configure the virtual hardware settings of the virtual appliance.

 

This document assumes:

  •  you have already successfully installed the virtualization server on the physical machine,
  • lyou have installed appropriate VM management software on either the physical server or a computer to be used for VM management.

This document does not cover configuration and operation of the virtual appliance after it has been successfully installed and started. For these issues, see the FortiGate 5.2 Handbook.

 

This document includes the following sections:

  • FortiGate VM Overview
  • Deployment example – VMware
  • Deployment example – MS Hyper-V
  • Deployment example – KVM
  • Deployment example – OpenXen
  • Deployment example – Citrix XenServer

 

What’s new in FortiOS 5.4

 

FortiGate VM Overview

  • The following topics are included in this section: FortiGate VM models and licensing
  • Registering FortiGate VM with Customer Service & Support Downloading the FortiGate VM deployment package Deployment package contents
  • Deploying the FortiGate VM appliance

 

FortiGate VM models and licensing

Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When configuring your FortiGate VM, be sure to configure hardware settings within the ranges outlined below. Contact your Fortinet Authorized Reseller for more information.

 

FortiGate VM model information

Technical Specification                               FG-VM00   FG-VM01   FG-VM02   FG-VM04   FG-VM08

Virtual CPUs

(min / max)

1 / 1             1 / 1             1 / 2             1 / 4             1 / 8

 

Virtual Network

Interfaces (min / max)

2 / 10

 

Virtual Memory

(min / max)

1GB /1GB

1GB /2GB

1GB /4GB

1GB /6GB

1GB/12GB

 

Virtual Storage

(min / max)

 

Managed Wireless APs

(tunnel mode / global)

30GB / 2TB

 

 

32 / 32         32 / 64       256 / 512     256 / 512        1024 /

4096

 

Virtual Domains

(default / max)

1 / 1           10 / 10         10 / 25         10 / 50        10 / 250

 

After placing an order for FortiGate VM, a license registration code is sent to the email address used on the order form. Use the registration number provided to register the FortiGate VM with Customer Service & Support and then download the license file. Once the license file is uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.

 

FortiGate VM evaluation license

FortiGate VM includes a limited embedded 15-day trial license that supports:

  • 1 CPU maximum
  • 1024 MB memory maximum
  • low encryption only (no HTTPS administrative access)
  • all features except FortiGuard updates

You cannot upgrade the firmware, doing so will lock the Web-based Manager until a license is uploaded. Technical support is not included. The trial period begins the first time you start FortiGate VM. After the trial license expires, functionality is disabled until you upload a license file.

 

Registering FortiGate VM with Customer Service & Support

To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer Service & Support.

 

To register your FortiGate VM:

1. Log in to the Customer Service & Support portal using an existing support account or select Sign Up to create a new account.

2. In the main page, under Asset, select Register/Renew.

 

The Registration page opens.

3. Enter the registration code that was emailed to you and select Register. A registration form will display.

4. After completing the form, a registration acknowledgement page will appear.

5. Select the License File Download link.

6. You will be prompted to save the license file (.lic) to your local computer. See “Upload the license file” for instructions on uploading the license file to your FortiGate VM via the Web-based Manager.

 

 

Downloading the FortiGate VM deployment package

FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. First, see the following table to determine the appropriate VM deployment package for your VM platform.

 

Selecting the correct FortiGate VM deployment package for your VM platform

VM Platform                                                              FortiGate VM Deployment File

Citrix XenServer v5.6sp2, 6.0 and later                          FGT_VM64-v500-buildnnnn-FORTINET. out.CitrixXen.zip

OpenXen v3.4.3, 4.1                                                      FGT_VM64-v500-buildnnnn-FORTINET. out.OpenXen.zip

Microsoft Hyper-V Server 2008R2 and 2012                   FGT_VM64-v500-buildnnnn-FORTINET. out.hyperv.zip

KVM (qemu 0.12.1)                                                        FGT_VM64-v500-buildnnnn-FORTINET. out.kvm.zip

 

VM Platform                                                              FortiGate VM Deployment File

VMware ESX 4.0, 4.1

ESXi 4.0/4.1/5.0/5.1/5.5

FGT_VM32-v500-buildnnnn-FORTINET. out.ovf.zip (32-bit)

FGT_VM64-v500-buildnnnn-FORTINET. out.ovf.zip

 

For more information see the FortiGate product datasheet available on the Fortinet web site, http://www.fortinet.com/products/fortigate/virtualappliances.html.

The firmware images FTP directory is organized by firmware version, major release, and patch release. The firmware images in the directories follow a specific naming convention and each firmware image is specific to the device model. For example, the FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2 directory is specific to the FortiGate VM 32-bit environment.

You can also download the FortiOS Release Notes, FORTINET-FORTIGATE MIB file, FSSO images, and SSL VPN client in this directory. The Fortinet Core MIB file is loc- ated in the main FortiGate v5.00 directory.

 

To download the FortiGate VM deployment package:

1. In the main page of the Customer Service & Support site, select Download > Firmware Images.

 

The Firmware Images page opens.

2. In the Firmware Images page, select FortiGate.

3. Browse to the appropriate directory on the FTP site for the version that you would like to download.

4. Download the appropriate .zip file for your VM server platform.

 

You can also download the FortiGate Release Notes.

5. Extract the contents of the deployment package to a new file folder.

 

Deployment package contents

 

Citrix XenServer

The FORTINET.out.CitrixXen.zip file contains:

  • fortios.vhd: the FortiGate VM system hard disk in VHD format
  • fortios.xva: binary file containing virtual hardware configuration settings
  • in the ovf folder:
  • FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual hardware settings for Xen
  • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
  • datadrive.vmdk: the FortiGate VM log disk in VMDK format

The ovf folder and its contents is an alternative method of installation to the .xva and VHD disk image.

 

OpenXEN

The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 30GB log disk
  • specify the virtual hardware settings

 

Microsoft Hyper-V

The FORTINET.out.hyperv.zip file contains:

  • in the Virtual Hard Disks folder:
  • fortios.vhd: the FortiGate VM system hard disk in VHD format
  • DATADRIVE.vhd: the FortiGate VM log disk in VHD format
  • In the Virtual Machines folder:
  • fortios.xml: XML file containing virtual hardware configuration settings for Hyper-V. This is compatible with Windows Server 2012.
  • Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here

 

KVM

The FORTINET.out.kvm.zip contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 30GB log disk
  • specify the virtual hardware settings

 

VMware ESX/ESXi

The FORTINET.out.ovf.zip file contains:

  • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
  • datadrive.vmdk: the FortiGate VM log disk in VMDK format
  • Open Virtualization Format (OVF) template files:
  • FortiGate-VM64.ovf: OVF template based on Intel e1000 NIC driver
  • FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server
  • FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for VMware vmxnet2 driver
  • FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for VMware vmxnet3 driver

 

Use the VMXNET3 interface (FortiGate-VMxx.hw07_vmxnet3.ovf template) if the virtual appliance will distribute workload to multiple processor cores.

 

Deploying the FortiGate VM appliance

Prior to deploying the FortiGate VM appliance, the VM platform must be installed and configured so that it is ready to create virtual machines. The installation instructions for FortiGate VM assume that

  • You are familiar with the management software and terminology of your VM platform.
  • An Internet connection is available for FortiGate VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate VM license. See “Validate the FortiGate VM license with FortiManager”.

For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that corresponds to your VMware environment. You might also need to refer to the documentation provided with your VM server. The deployment chapters are presented as examples because for any particular VM server there are multiple ways to create a virtual machine. There are command line tools, APIs, and even alternative graphical user interface tools.

Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual disk sizes and networking settings. The first time you start FortiGate VM, you will have access only through the console window of your VM server environment. After you configure one FortiGate network interface with an IP address and administrative access, you can access the FortiGate VM web-based manager.

After deployment and license validation, you can upgrade your FortiGate VM appliance’s firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or FGT_VM64-v500-buildnnnn- FORTINET.out (64-bit) firmware. Firmware upgrading on a VM is very similar to upgrading firmware on a hardware FortiGate unit.

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.