Monthly Archives: January 2017

Using Device Definitions To Make FortiGate Policy More Granular

One of the things that I see a lot of people doing is leaving their policies super vague. This is all fun and games in a home environment where you don’t have any critical data, but if you are running your business in this manner you may have issues coming up soon. Make your policies as granular as possible so you can sleep better at night!

Deployment example – Citrix XenServer

Once you have downloaded the FORTINET.out.CitrixXen.zip file and extracted the files, you can create the virtual machine in your Citrix Xen environment.

The following topics are included in this section:

  • Create the FortiGate VM virtual machine (XenCenter)
  • Configure virtual hardware

 

Create the FortiGate VM virtual machine (XenCenter)

 

To create the FortiGate VM virtual machine from the OVF file

1. Launch XenCenter on your management computer.

The management computer can be any computer that can run Citrix XenCenter, a Windows application.

2. If you have not already done so, select ADD a server. Enter your Citrix XenServer IP address and the root logon credentials required to manage that server.

Your Citrix XenServer is added to the list in the left pane. The Virtual Machine Manager home page opens.

3. Go to File > Import. An import dialog will appear.

4. Click the Browse button, find the FortiGate-VM64-Xen.ovf template file, then click Open.

5. Select Next.

6. Accept the FortiGate Virtual Appliance EULA, then select Next.

7. Choose the pool or standalone server that will host the VM, then select Next.

8. Select the storage location for FortiGate VM disk drives or accept the default. Select Next.

9. Configure how each vNIC (virtual network adapter) in FortiGate VM will be mapped to each vNetwork on the Citrix XenServer, then click Next.

10. Click Next to skip OS fixup.

11. Select Next to use the default network settings for transferring the VM to the host.

12. Select Finish.

 

The Citrix XenServer imports the FortiGate VM files and configures the VM as specified in the OVF template. Depending on your computer’s hardware speed and resource load, and also on the file size and speed of the network connection, this might take several minutes to complete.

When VM import is complete, the XenCenter left pane includes the FortiGate VM in the list of deployed VMs for your Citrix XenServer.

 

Configure virtual hardware

Before you start your FortiGate-VM for the first time, you need to adjust your virtual machine’s virtual hardware settings to meet your network requirements.

 

Configuring number of CPUs and memory size

Your FortiGate-VM license limits the number of CPUs and the amount of memory that you can use. The amounts you allocate must not exceed your license limits.

 

To access virtual machine settings

1. Open XenCenter.

2. Select your FortiGate VM in the left pane.

The tabs in the right pane provide access to the virtual hardware configuration. The Console tab provides access to the FortiGate console.

To set the number of CPUs

1. In the XenCenter left pane, right-click the FortiGate VM and select Properties.

The Properties window opens.

2. In the left pane, select CPU.

3. Adjust Number of CPUs and then select OK.

XenCenter will warn if you select more CPUs than the Xen host computer contains. Such a configuration might reduce performance.

 

To set memory size

1. In the XenCenter left pane, select the FortiGate VM.

2. In the right pane, select the Memory tab.

3. Select Edit, modify the value in the Set a fixed memory of field and select OK.

 

Configuring disk storage

By default the FortiGate VM data disk is 30GB. You will probably want to increase this. Disk resizing must be done before you start the VM for the first time.

 

To resize the FortiGate data disk

1. In the XenCenter left pane, select the FortiGate VM.

2. Select the Storage tab. Select Hard disk 2 (the 30GB drive), then select Properties.

The Hard disk 2 Properties window opens.

3. Select Size and Location. Adjust Size and select OK.

Deployment example – OpenXen

Once you have downloaded the FORTINET.out.OpenXen.zip file and extracted virtual hard drive image file fortios.qcow2, you can create the virtual machine in your OpenXen environment.

The following topics are included in this section:

  • Create the FortiGate VM virtual machine (VMM)

 

Create the FortiGate VM virtual machine (VMM)

 

To create the FortiGate VM virtual machine:

1. Launch Virtual Machine Manager (virt-manager) on your OpenXen host server.

 

The Virtual Machine Manager home page opens.

2. In the toolbar, select Create a new virtual machine.

3. Enter a Name for the VM, FGT-VM for example.

4. Ensure that Connection is localhost. (This is the default.)

5. Select Import existing disk image.

6. Select Forward.

7. In OS Type select Linux.

8. In Version, select Generic 2.4.x.kernel.

9. Select Browse.

 

The Locate or create storage volume window opens.

10. Select Browse Local, find the fortios.qcow2 disk image file.

11. Select fortios.qcow2 and select Choose Volume.

12. Select Forward.

13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The amounts must not exceed your license limits.

14. Select Forward.

15. Select Customize configuration before install. This enables you to make some hardware configuration changes before VM creation is started.

16. Expand Advanced options. A new virtual machine includes one network adapter by default. Select Specify shared device name and enter the name of the bridge interface on the OpenXen host. Optionally, set a specific MAC address for the virtual network interface. Virt Type and Architecture are set by default and should be correct.

17. Select Finish.

 

The virtual machine hardware configuration window opens.

You can use this window to add hardware such as network interfaces and disk drives.

18. Select Add Hardware. In the Add Hardware window select Storage.

19. Select Create a disk image on the computer’s hard drive and set the size to 30GB.

If you know your environment will expand in the future, it is recommended to increase the hard disk size beyond 30GB. The VM license limit is 2TB.

20. Enter:

Device type       Virtio disk
Cache mode        Default
Storage format    raw

21. Select Network to add more network interfaces. The Device type must be Virtio.

A new virtual machine includes one network adapter by default. You can add more through the Add Hardware window. FortiGate VM requires four network adapters. You can configure network adapters to connect to a virtual switch or to network adapters on the host computer.

22. Select Finish.

23. Select Begin Installation. After the installation completes successfully, the VM starts and the console window opens.

Deployment example – KVM

Once you have downloaded the FORTINET.out.kvm.zip file and extracted virtual hard drive image file fortios.qcow2, you can create the virtual machine in your KVM environment.

The following topics are included in this section:

  • Create the FortiGate VM virtual machine
  • Configure FortiGate VM hardware settings
  • Start the FortiGate VM

 

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:

1. Launch Virtual Machine Manager (virt-manager) on your KVM host server.

The Virtual Machine Manager home page opens.

2. In the toolbar, select Create a new virtual machine.

3. Enter a Name for the VM, FGT-VM for example.

4. Ensure that Connection is localhost. (This is the default.)

5. Select Import existing disk image.

6. Select Forward.

7. In OS Type select Linux.

8. In Version, select a Generic version with virtio.

9. Select Browse.

10. If you copied the fortios.qcow2 file to /var/lib/libvirt/images, it will be visible on the right. If you saved it somewhere else on your server, select Browse Local and find it.

11. Choose Choose Volume.

12. Select Forward.

13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The amounts must not exceed your license limits. See FortiGate VM Overview on page 2677.

14. Select Forward.

15. Expand Advanced options. A new virtual machine includes one network adapter by default. Select a network adapter on the host computer. Optionally, set a specific MAC address for the virtual network interface. Set Virt Type to virtio and Architecture to qcow2.

16. Select Finish.
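The KVM procedure above (and the near-identical OpenXen one before it) is clicked through in virt-manager; as an added example that is not Fortinet's code, the following Python builds the equivalent libvirt domain definition (the fortios.qcow2 system disk, a raw Virtio log disk of 30GB, one virtio adapter per host bridge, a text console) and first checks the requested vCPUs, memory, adapters and disk size against the limits in the FortiGate VM model table. VM name, bridge names and image paths are assumptions; the log disk itself, which the package does not ship, is created separately with the qemu-img command the block returns.

```python
import xml.etree.ElementTree as ET

# vCPU max and memory max (MB) per model, taken from the FortiGate VM model table.
LICENSE_LIMITS = {
    "FG-VM00": (1, 1024), "FG-VM01": (1, 2048), "FG-VM02": (2, 4096),
    "FG-VM04": (4, 6144), "FG-VM08": (8, 12288),
}
MIN_NICS, MAX_NICS = 2, 10             # virtual network interfaces (min / max)
MIN_DISK_GB, MAX_DISK_GB = 30, 2048    # virtual storage (min / max); 2TB = 2048GB

def check_license(model, vcpus, memory_mb, nics, log_disk_gb):
    """Return the list of licensed-limit violations for a proposed VM (empty if none)."""
    if model not in LICENSE_LIMITS:
        return [f"unknown model {model}"]
    max_cpu, max_mem = LICENSE_LIMITS[model]
    errors = []
    if not 1 <= vcpus <= max_cpu:
        errors.append(f"{model} allows 1-{max_cpu} vCPUs, requested {vcpus}")
    if not 1024 <= memory_mb <= max_mem:
        errors.append(f"{model} allows 1024-{max_mem} MB memory, requested {memory_mb}")
    if not MIN_NICS <= nics <= MAX_NICS:
        errors.append(f"{MIN_NICS}-{MAX_NICS} network interfaces allowed, requested {nics}")
    if not MIN_DISK_GB <= log_disk_gb <= MAX_DISK_GB:
        errors.append(f"log disk must be {MIN_DISK_GB}-{MAX_DISK_GB} GB, requested {log_disk_gb}")
    return errors

def log_disk_command(path, size_gb):
    """qemu-img command that creates the raw log disk the deployment package omits."""
    return f"qemu-img create -f raw {path} {size_gb}G"

def build_domain_xml(name, model, vcpus, memory_mb, bridges, system_image, log_image,
                     log_disk_gb=30):
    """libvirt domain XML mirroring the virt-manager steps: import the qcow2 system disk,
    attach a raw Virtio log disk, one virtio NIC per host bridge, and a text console."""
    errors = check_license(model, vcpus, memory_mb, len(bridges), log_disk_gb)
    if errors:
        raise ValueError("; ".join(errors))
    dom = ET.Element("domain", type="kvm")
    ET.SubElement(dom, "name").text = name
    ET.SubElement(dom, "memory", unit="MiB").text = str(memory_mb)
    ET.SubElement(dom, "vcpu").text = str(vcpus)
    os_el = ET.SubElement(dom, "os")
    ET.SubElement(os_el, "type", arch="x86_64").text = "hvm"
    devices = ET.SubElement(dom, "devices")
    for dev, fmt, path in (("vda", "qcow2", system_image), ("vdb", "raw", log_image)):
        disk = ET.SubElement(devices, "disk", type="file", device="disk")
        ET.SubElement(disk, "driver", name="qemu", type=fmt)   # "Storage format"
        ET.SubElement(disk, "source", file=path)
        ET.SubElement(disk, "target", dev=dev, bus="virtio")   # "Device type: Virtio disk"
    for bridge in bridges:
        nic = ET.SubElement(devices, "interface", type="bridge")
        ET.SubElement(nic, "source", bridge=bridge)            # "Specify shared device name"
        ET.SubElement(nic, "model", type="virtio")             # "Device type must be Virtio"
    ET.SubElement(devices, "console", type="pty")              # first boot is console-only
    return ET.tostring(dom, encoding="unicode")

def summarize_domain(xml_text):
    """Read back the parts of a domain definition that the license and the guide care about."""
    root = ET.fromstring(xml_text)
    return {
        "vcpus": int(root.findtext("vcpu")),
        "memory_mb": int(root.findtext("memory")),
        "disk_formats": [d.find("driver").get("type") for d in root.findall("./devices/disk")],
        "nic_models": [n.find("model").get("type") for n in root.findall("./devices/interface")],
    }

if __name__ == "__main__":
    # Constructed values: VM name, bridge names and image paths are assumptions.
    log_path = "/var/lib/libvirt/images/fgt-log.img"
    xml_text = build_domain_xml("FGT-VM", "FG-VM02", 2, 4096, ["br0", "br1", "br2", "br3"],
                                "/var/lib/libvirt/images/fortios.qcow2", log_path)
    print(log_disk_command(log_path, 30))
    print(summarize_domain(xml_text))
```

The resulting XML can be handed to `virsh define` once the images are in place; a request over the model's limits raises before any definition is produced.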

Deployment example – MS Hyper-V

Once you have downloaded the FGT_VMxx_HV-v5-build0xxx-FORTINET.out.hyperv.zip file and extracted the package contents to a folder on your Microsoft server, you can deploy the VHD package to your Microsoft Hyper-V environment.

The following topics are included in this section:

  • Create the FortiGate VM virtual machine
  • Configure FortiGate VM hardware settings
  • High Availability Hyper-V configuration
  • Start the FortiGate VM

 

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:

1. Launch the Hyper-V Manager in your Microsoft server.

The Hyper-V Manager home page opens.

2. Select the server in the right-tree menu. The server details page is displayed.

3. Right-click the server, select New, and select Virtual Machine from the menu. Alternatively, in the Action menu, select New and then select Virtual Machine.

The New Virtual Machine Wizard opens.

4. Select Next to create a virtual machine with a custom configuration.

The Specify Name and Location page is displayed.

5. Enter a name for this virtual machine. The name is displayed in the Hyper-V Manager.

Select Next to continue. The Assign Memory page is displayed.

6. Specify the amount of memory to allocate to this virtual machine. The default memory for FortiGate VM is 1GB (1024MB).

Select Next to continue. The Configure Networking page is displayed.

7. Each new virtual machine includes a network adapter. You can configure the network adapter to use a virtual switch, or it can remain disconnected. FortiGate VM requires four network adapters. You must configure network adapters in the Settings page.

Select Next to continue. The Connect Virtual Hard Disk page is displayed.

8. Select to use an existing virtual hard disk and browse for the vhd file that you downloaded from the Fortinet Customer Service & Support portal.

Select Next to continue. The Summary page is displayed.

9. To create the virtual machine and close the wizard, select Finish.

Deployment example – VMware

Once you have downloaded the FGT_VMxx-v5-build0xxx-FORTINET.out.ovf.zip file from http://support.fortinet.com and extracted the package contents to a folder on your local computer, you can use the vSphere client to create the virtual machine from the deployment package OVF template.

The following topics are included in this section:

  • Open the FortiGate VM OVF file with the vSphere client
  • Configure FortiGate VM hardware settings
  • Transparent mode VMware configuration
  • High Availability VMware configuration
  • Power on your FortiGate VM

Open the FortiGate VM OVF file with the vSphere client

 

To deploy the FortiGate VM OVF template:

1. Launch the VMware vSphere client, enter the IP address or host name of your server, enter your user name and password and select Login.

The vSphere client home page opens.

2. Select File > Deploy OVF Template to launch the OVF Template wizard.

The OVF Template Source page opens.

3. Select the source location of the OVF file. Select Browse and locate the OVF file on your computer. Select Next to continue.

 

The OVF Template Details page opens.

4. Verify the OVF template details. This page details the product name, download size, size on disk, and description.

Select Next to continue.

 

The OVF Template End User License Agreement page opens.

5. Read the end user license agreement for FortiGate VM. Select Accept and then select Next to continue.

 

The OVF Template Name and Location page opens.

6. Enter a name for this OVF template. The name can contain up to 80 characters and it must be unique within the inventory folder. Select Next to continue.

 

The OVF Template Disk Format page opens.

7. Select one of the following:

  • Thick Provision Lazy Zeroed: Allocates the disk space statically (no other volumes can take the space), but does not write zeros to the blocks until the first write takes place to that block during runtime (which includes a full disk format).
  • Thick Provision Eager Zeroed: Allocates the disk space statically (no other volumes can take the space), and writes zeros to all the blocks.
  • Thin Provision: Allocates the disk space only when a write occurs to a block, but the total volume size is reported by VMFS to the OS. Other volumes can take the remaining space. This allows you to float space between your servers and expand your storage when your size monitoring indicates there is a problem. Note that once a Thin Provisioned block is allocated, it remains on the volume regardless of whether you have since deleted the data.

8. Select Next to continue.

 

The OVF Template Network Mapping page opens.

9. Map the networks used in this OVF template to networks in your inventory. Network 1 maps to port1 of the FortiGate VM. You must set the destination network for this entry to access the device console. Select Next to continue.

 

The OVF Template Ready to Complete page opens.

10. Review the template configuration. Make sure that Power on after deployment is not enabled. You might need to configure the FortiGate VM hardware settings prior to powering on the FortiGate VM.

11. Select Finish to deploy the OVF template. You will receive a Deployment Completed Successfully dialog box once the FortiGate VM OVF template wizard has finished.

 

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and virtual disk configuration to match your FortiGate VM license.

 

Transparent mode VMware configuration

If you want to use your FortiGate-VM in transparent mode, your VMware server’s virtual switches must operate in promiscuous mode. This permits these interfaces to receive traffic that will pass through the FortiGate unit but was not addressed to the FortiGate unit.

 

In VMware, promiscuous mode must be explicitly enabled:

1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.

2. In Hardware, select Networking.

3. Select Properties of vSwitch0.

4. In the Properties window left pane, select vSwitch and then select Edit.

5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.

6. Select Close.

7. Repeat steps 3 through 6 for other vSwitches that your transparent mode FortiGate-VM uses.

 

High Availability VMware configuration

If you want to combine two or more FortiGate-VM instances into a FortiGate Clustering Protocol (FGCP) High Availability (HA) cluster, the VMware server’s virtual switches used to connect the heartbeat interfaces must operate in promiscuous mode. This permits HA heartbeat communication between the heartbeat interfaces. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The FGCP uses link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

 

To enable promiscuous mode in VMware:

1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.

2. In Hardware, select Networking.

3. Select Properties of a virtual switch used to connect heartbeat interfaces.

4. In the Properties window left pane, select vSwitch and then select Edit.

5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.

6. Select Close.

 

You must also set the virtual switches connected to other FortiGate interfaces to allow MAC address changes and to accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate interfaces and the same interfaces on the different VM instances in the cluster will have the same virtual MAC addresses.

To make the required changes in VMware:

1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.

2. In Hardware, select Networking.

3. Select Properties of a virtual switch used to connect FortiGate VM interfaces.

4. Set MAC Address Changes to Accept.

5. Set Forged Transmits to Accept.
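To reason about why each of the three Security-tab settings in this section matters, here is an added Python model (not Fortinet's or VMware's code) that parses constructed Ethernet frames, tags FGCP heartbeats by Ethertype, and replays FGCP traffic through a simplified vSwitch policy that encodes only the rules the text states. MAC addresses and the heartbeat destination are constructed; Ethertypes 0x8890 and 0x8891 come from the text above, and 0x8893 is the third heartbeat Ethertype in Fortinet's HA documentation.

```python
import struct
from dataclasses import dataclass

# FGCP heartbeat Ethertypes: 0x8890 and 0x8891 from the text above; 0x8893 is the
# third heartbeat Ethertype in Fortinet's HA documentation.
FGCP_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
DOT1Q = 0x8100
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    ethertype: int

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload=b""):
    """Assemble an Ethernet II frame from MAC strings (used only for constructed input)."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_bytes(dst) + to_bytes(src) + struct.pack("!H", ethertype) + payload

def parse_frame(raw):
    """Parse an Ethernet II header, skipping a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype == DOT1Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", raw[16:18])[0]
    return Frame(_mac(dst), _mac(src), etype)

def is_fgcp_heartbeat(frame):
    return frame.ethertype in FGCP_HEARTBEAT_ETHERTYPES

@dataclass(frozen=True)
class VSwitchPolicy:
    """The three vSwitch Security-tab settings; False = Reject (default), True = Accept."""
    promiscuous: bool = False
    mac_changes: bool = False
    forged_transmits: bool = False

def delivers_inbound(policy, frame, assigned_mac, claimed_macs=()):
    """Receive path, simplified to the rules in the text: assigned_mac is the MAC the
    hypervisor gave the vNIC, claimed_macs are FGCP virtual MACs the guest answers to."""
    if policy.promiscuous or frame.dst in (BROADCAST, assigned_mac):
        return True
    if frame.dst in claimed_macs:
        return policy.mac_changes      # a guest-chosen MAC needs MAC Address Changes = Accept
    return False                       # not for this port and not promiscuous: dropped

def forwards_outbound(policy, frame, assigned_mac):
    """Transmit path: a source MAC other than the assigned one is a forged transmit."""
    return frame.src == assigned_mac or policy.forged_transmits

def ha_switch_problems(heartbeat_policy, data_policy):
    """Replay constructed FGCP frames through the heartbeat vSwitch and a data vSwitch
    and name each setting that would stop the cluster from working."""
    assigned = "00:50:56:aa:bb:01"   # constructed: MAC the hypervisor assigned to the vNIC
    virtual = "00:09:0f:09:00:01"    # constructed: FGCP virtual MAC shared by both members
    peer = "00:50:56:aa:bb:02"       # constructed: the peer member's heartbeat vNIC
    client = "00:50:56:cc:dd:ee"     # constructed: a host on the data network
    hb_dst = "00:09:0f:09:ff:01"     # constructed: heartbeat destination, not this vNIC's MAC
    problems = []
    hb = parse_frame(build_frame(hb_dst, peer, 0x8890))
    if is_fgcp_heartbeat(hb) and not delivers_inbound(heartbeat_policy, hb, assigned):
        problems.append("heartbeat vSwitch: set Promiscuous Mode to Accept")
    to_cluster = parse_frame(build_frame(virtual, client, 0x0800))
    if not delivers_inbound(data_policy, to_cluster, assigned, claimed_macs=(virtual,)):
        problems.append("data vSwitch: set MAC Address Changes to Accept")
    from_cluster = parse_frame(build_frame(client, virtual, 0x0800))
    if not forwards_outbound(data_policy, from_cluster, assigned):
        problems.append("data vSwitch: set Forged Transmits to Accept")
    return problems

if __name__ == "__main__":
    # With every setting left at its Reject default, all three problems are reported.
    for line in ha_switch_problems(VSwitchPolicy(), VSwitchPolicy()):
        print(line)
```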

 

Power on your FortiGate VM

You can now proceed to power on your FortiGate VM. There are several ways to do this:

  • Select the name of the FortiGate VM you deployed in the inventory list and select Power on the virtual machine in the Getting Started tab.
  • In the inventory list, right-click the name of the FortiGate VM you deployed, and select Power > Power On.
  • Select the name of the FortiGate VM you deployed in the inventory list. Click the Power On button on the toolbar.

Select the Console tab to view the console. To enter text, you must click in the console pane. The mouse is then captured and cannot leave the console screen. As the FortiGate console is text-only, no mouse pointer is visible. To release the mouse, press Ctrl-Alt.

Chapter 28 – VM Installation

This document describes how to deploy a FortiGate virtual appliance in several virtualization server environments. This includes how to configure the virtual hardware settings of the virtual appliance.

 

This document assumes:

  • you have already successfully installed the virtualization server on the physical machine,
  • you have installed appropriate VM management software on either the physical server or a computer to be used for VM management.

This document does not cover configuration and operation of the virtual appliance after it has been successfully installed and started. For these issues, see the FortiGate 5.2 Handbook.

 

This document includes the following sections:

  • FortiGate VM Overview
  • Deployment example – VMware
  • Deployment example – MS Hyper-V
  • Deployment example – KVM
  • Deployment example – OpenXen
  • Deployment example – Citrix XenServer

 

What’s new in FortiOS 5.4

 

FortiGate VM Overview

The following topics are included in this section:

  • FortiGate VM models and licensing
  • Registering FortiGate VM with Customer Service & Support
  • Downloading the FortiGate VM deployment package
  • Deployment package contents
  • Deploying the FortiGate VM appliance

 

FortiGate VM models and licensing

Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When configuring your FortiGate VM, be sure to configure hardware settings within the ranges outlined below. Contact your Fortinet Authorized Reseller for more information.

 

FortiGate VM model information

Technical Specification                       FG-VM00      FG-VM01      FG-VM02      FG-VM04      FG-VM08
Virtual CPUs (min / max)                      1 / 1        1 / 1        1 / 2        1 / 4        1 / 8
Virtual Network Interfaces (min / max)        2 / 10 (all models)
Virtual Memory (min / max)                    1GB / 1GB    1GB / 2GB    1GB / 4GB    1GB / 6GB    1GB / 12GB
Virtual Storage (min / max)                   30GB / 2TB (all models)
Managed Wireless APs (tunnel mode / global)   32 / 32      32 / 64      256 / 512    256 / 512    1024 / 4096
Virtual Domains (default / max)               1 / 1        10 / 10      10 / 25      10 / 50      10 / 250

 

After placing an order for FortiGate VM, a license registration code is sent to the email address used on the order form. Use the registration number provided to register the FortiGate VM with Customer Service & Support and then download the license file. Once the license file is uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.

 

FortiGate VM evaluation license

FortiGate VM includes a limited embedded 15-day trial license that supports:

  • 1 CPU maximum
  • 1024 MB memory maximum
  • low encryption only (no HTTPS administrative access)
  • all features except FortiGuard updates

You cannot upgrade the firmware; doing so will lock the Web-based Manager until a license is uploaded. Technical support is not included. The trial period begins the first time you start FortiGate VM. After the trial license expires, functionality is disabled until you upload a license file.

 

Registering FortiGate VM with Customer Service & Support

To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer Service & Support.

 

To register your FortiGate VM:

1. Log in to the Customer Service & Support portal using an existing support account or select Sign Up to create a new account.

2. In the main page, under Asset, select Register/Renew.

 

The Registration page opens.

3. Enter the registration code that was emailed to you and select Register. A registration form will display.

4. After completing the form, a registration acknowledgement page will appear.

5. Select the License File Download link.

6. You will be prompted to save the license file (.lic) to your local computer. See “Upload the license file” for instructions on uploading the license file to your FortiGate VM via the Web-based Manager.

 

 

Downloading the FortiGate VM deployment package

FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. First, see the following table to determine the appropriate VM deployment package for your VM platform.

 

Selecting the correct FortiGate VM deployment package for your VM platform

VM Platform                                        FortiGate VM Deployment File
Citrix XenServer v5.6sp2, 6.0 and later            FGT_VM64-v500-buildnnnn-FORTINET.out.CitrixXen.zip
OpenXen v3.4.3, 4.1                                FGT_VM64-v500-buildnnnn-FORTINET.out.OpenXen.zip
Microsoft Hyper-V Server 2008R2 and 2012           FGT_VM64-v500-buildnnnn-FORTINET.out.hyperv.zip
KVM (qemu 0.12.1)                                  FGT_VM64-v500-buildnnnn-FORTINET.out.kvm.zip
VMware ESX 4.0, 4.1; ESXi 4.0/4.1/5.0/5.1/5.5      FGT_VM32-v500-buildnnnn-FORTINET.out.ovf.zip (32-bit)
                                                   FGT_VM64-v500-buildnnnn-FORTINET.out.ovf.zip

 

For more information see the FortiGate product datasheet available on the Fortinet web site, http://www.fortinet.com/products/fortigate/virtualappliances.html.

The firmware images FTP directory is organized by firmware version, major release, and patch release. The firmware images in the directories follow a specific naming convention and each firmware image is specific to the device model. For example, the FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2 directory is specific to the FortiGate VM 32-bit environment.

You can also download the FortiOS Release Notes, FORTINET-FORTIGATE MIB file, FSSO images, and SSL VPN client in this directory. The Fortinet Core MIB file is located in the main FortiGate v5.00 directory.

 

To download the FortiGate VM deployment package:

1. In the main page of the Customer Service & Support site, select Download > Firmware Images.

 

The Firmware Images page opens.

2. In the Firmware Images page, select FortiGate.

3. Browse to the appropriate directory on the FTP site for the version that you would like to download.

4. Download the appropriate .zip file for your VM server platform.

 

You can also download the FortiGate Release Notes.

5. Extract the contents of the deployment package to a new file folder.

 

Deployment package contents

 

Citrix XenServer

The FORTINET.out.CitrixXen.zip file contains:

  • fortios.vhd: the FortiGate VM system hard disk in VHD format
  • fortios.xva: binary file containing virtual hardware configuration settings
  • in the ovf folder:
      • FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual hardware settings for Xen
      • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
      • datadrive.vmdk: the FortiGate VM log disk in VMDK format

The ovf folder and its contents are an alternative method of installation to the .xva and VHD disk image.

 

OpenXEN

The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 30GB log disk
  • specify the virtual hardware settings

 

Microsoft Hyper-V

The FORTINET.out.hyperv.zip file contains:

  • in the Virtual Hard Disks folder:
      • fortios.vhd: the FortiGate VM system hard disk in VHD format
      • DATADRIVE.vhd: the FortiGate VM log disk in VHD format
  • in the Virtual Machines folder:
      • fortios.xml: XML file containing virtual hardware configuration settings for Hyper-V. This is compatible with Windows Server 2012.
  • Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here

 

KVM

The FORTINET.out.kvm.zip contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 30GB log disk
  • specify the virtual hardware settings

 

VMware ESX/ESXi

The FORTINET.out.ovf.zip file contains:

  • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
  • datadrive.vmdk: the FortiGate VM log disk in VMDK format
  • Open Virtualization Format (OVF) template files:
      • FortiGate-VM64.ovf: OVF template based on Intel e1000 NIC driver
      • FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server
      • FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for VMware vmxnet2 driver
      • FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for VMware vmxnet3 driver

 

Use the VMXNET3 interface (FortiGate-VMxx.hw07_vmxnet3.ovf template) if the virtual appliance will distribute workload to multiple processor cores.

 

Deploying the FortiGate VM appliance

Prior to deploying the FortiGate VM appliance, the VM platform must be installed and configured so that it is ready to create virtual machines. The installation instructions for FortiGate VM assume that

  • You are familiar with the management software and terminology of your VM platform.
  • An Internet connection is available for FortiGate VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate VM license. See “Validate the FortiGate VM license with FortiManager”.

For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that corresponds to your VMware environment. You might also need to refer to the documentation provided with your VM server. The deployment chapters are presented as examples because for any particular VM server there are multiple ways to create a virtual machine. There are command line tools, APIs, and even alternative graphical user interface tools.

Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual disk sizes and networking settings. The first time you start FortiGate VM, you will have access only through the console window of your VM server environment. After you configure one FortiGate network interface with an IP address and administrative access, you can access the FortiGate VM web-based manager.

After deployment and license validation, you can upgrade your FortiGate VM appliance’s firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or FGT_VM64-v500-buildnnnn-FORTINET.out (64-bit) firmware. Firmware upgrading on a VM is very similar to upgrading firmware on a hardware FortiGate unit.