
FortiWIFI & FortiAP What’s new in FortiOS 5.6


The following section describes new WiFi features added to FortiOS 5.6.0.

Captive Portal Authentication with FortiAP in Bridge Mode (408915)

The FortiGate can operate as a web captive portal server to serve the captive portal local bridge mode.

A new CLI command has been added under config wireless-controller vap to set the captive portal type to CMCC, a wireless cipher.

CLI syntax

config wireless-controller vap
    edit <name>
        set portal-type {… | cmcc}
    next
end

802.11kv(r) support (405498, 395037)

New CLI commands have been added under config wireless-controller vap to set the 802.11kvr settings, that is, Voice Enterprise (802.11kv) and Fast Basic Service Set (BSS) Transition (802.11r), to provide faster and more intelligent roaming for the client.

CLI syntax

config wireless-controller vap
    edit <name>
        set voice-enterprise {enable | disable}
        set fast-bss-transition {enable | disable}
        set ft-mobility-domain
        set ft-r0-key-lifetime [1-65535]
        set ft-over-ds {enable | disable}
    next
end

External Captive Portal authentication with FortiAP in Bridge Mode (403115, 384872)

New CLI commands have been added under config wireless-controller vap to set various options for an external captive portal with FortiAP in Bridge Mode. The commands set the standalone captive portal server category, the server’s domain name or IP address, the secret key used to access the RADIUS server, and the standalone captive portal Access Controller (AC) name.

Note that these commands are only available when local-standalone is set to enable and security is set to captive-portal.

CLI syntax

config wireless-controller vap
    edit <name>
        set captive-portal-category {FortiCloud | CMCC}   Default is FortiCloud.
        set captive-portal-radius-server <server>
        set captive-portal-radius-secret <password>
        set captive-portal-ac-name <name>
    next
end

Japan DFS support for FAP-421E/423E/S421E/S423E (402287, 401434)

Korea and Japan Dynamic Frequency Selection (DFS) certification has been added for FAP-421E/423E/S421E/S423E. DFS is a mechanism that allows WLANs to select a frequency that does not interfere with certain radar systems while operating in the 5 GHz band.

802.3az support on WAVE2 WiFi APs (400558)

A new CLI command has been added under config wireless-controller wtp-profile to enable or disable use of Energy-Efficient Ethernet (EEE) on WTP, allowing for less power consumption during periods of low data activity.

CLI syntax

config wireless-controller wtp-profile
    edit <profile-name>
        set energy-efficient-ethernet {enable|disable}
end

CLI command update made in wids-profile (400263)

The CLI command rogue-scan under config wireless-controller wids-profile has been changed to sensor-mode and allows easier configuration of radio sensor mode. Note that while foreign enables radio sensor mode on foreign channels only, both enables the feature on foreign and home channels.

CLI syntax

config wireless-controller wids-profile
    edit <example>
        set sensor-mode {disable|foreign|both}
end

Channel utilization, FortiPresence support on AP mode, QoS enhancement for voice (399134, 377562)

A new CLI command has been added, config wireless-controller qos-profile, to configure quality of service (QoS) profiles where you can add WiFi multi-media (WMM) control and Differentiated Services Code Point (DSCP) mapping.

Note that:

  • call-capacity and bandwidth-admission-control are only available when call-admission-control is set to enable.
  • bandwidth-capacity is only available when bandwidth-admission-control is set to enable.
  • All DSCP mapping options are only available when dscp-wmm-mapping is set to enable.
  • wmm is already set to enable by default. If wmm is set to disable, the following entries are not available: wmm-uapsd, call-admission-control, and dscp-wmm-mapping.

CLI syntax

config wireless-controller qos-profile
    edit <example>
        set comment <comment>
        set uplink [0-2097152]                   Default is 0 Kbps.
        set downlink [0-2097152]                 Default is 0 Kbps.
        set uplink-sta [0-2097152]               Default is 0 Kbps.
        set downlink-sta [0-2097152]             Default is 0 Kbps.
        set burst {enable|disable}               Default is disable.
        set wmm {enable|disable}                 Default is enable.
        set wmm-uapsd {enable|disable}           Default is enable.
        set call-admission-control {enable|disable}        Default is disable.
        set call-capacity [0-60]                 Default is 10 phones.
        set bandwidth-admission-control {enable|disable}   Default is disable.
        set bandwidth-capacity [1-600000]        Default is 2000 Kbps.
        set dscp-wmm-mapping {enable|disable}    Default is disable.
        set dscp-wmm-vo [0-63]                   Default is 48 56.
        set dscp-wmm-vi [0-63]                   Default is 32 40.
        set dscp-wmm-be [0-63]                   Default is 0 24.
        set dscp-wmm-bk [0-63]                   Default is 8 16.

QoS profiles can be assigned under the config wireless-controller vap command using qos-profile.

FortiCloud managed APs can now have a bandwidth restriction or rate limit applied per SSID. For instance, if guest and employee SSIDs are available, you can rate limit guest access to a certain rate so that capacity remains for employees. Because the APs are application aware, this feature can also apply a rate limit based on the application in use.

FAP-U421E and FAP-U423E support (397900)

Two Universal FortiAP models support FortiOS 5.6. Their default profiles are added under config wireless-controller wtp-profile, as shown below:

CLI syntax

config wireless-controller wtp-profile
    edit "FAPU421E-default"
        config platform
            set type U421E
        end
        set ap-country US
        config radio-1
            set band 802.11n
        end
        config radio-2
            set band 802.11ac
        end
    next
end

config wireless-controller wtp-profile
    edit "FAPU423E-default"
        config platform
            set type U423E
        end
        set ap-country US
        config radio-1
            set band 802.11n
        end
        config radio-2
            set band 802.11ac
        end
    next
end

Minor reorganization of WiFi GUI entries (396497)

WiFi & Switch Controller GUI entries Managed FortiAPs, SSID, FortiAP Profiles, and WIDS Profiles have been reorganized.

Multiple PSK support for WPA personal (393320, 264744)

New CLI commands have been added, under config wireless-controller vap, to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs). This is more secure than a single PSK because all devices no longer have to share the same key.

Note that, for the following multiple PSK related commands to become available, vdom, ssid, and passphrase all have to be set first.

CLI syntax

config wireless-controller vap
    edit <example>
        set mpsk {enable|disable}
        set mpsk-concurrent-clients [0-65535]   Default is 0.
        config mpsk-key
            edit <key-name>
                set passphrase <wpa-psk>
                set concurrent-clients [0-65535]   Default is empty.
                set comment <comments>
            next
        end
    end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

Table size of qos-profile has VDOM limit (388070)

The command config wireless-controller qos-profile now has a VDOM table limit; there is no longer an unlimited number of entries within each VDOM.

Add “dhcp-lease-time” setting to local-standalone-nat VAP (384229)

When a Virtual Access Point (VAP) has been configured for a FortiAP, a DHCP server is automatically configured on the FortiAP side with a hard-coded lease time. A new CLI command under config wireless-controller vap has been added to customize the DHCP lease time for NAT IP addresses. This solves the issue where the DHCP IP pool was exhausted when the number of clients grew too large for the lease time span.

Note that the new command, dhcp-lease-time, is only available when local-standalone is set to enable and local-standalone-nat is then also set to enable.

CLI syntax

config wireless-controller vap
    edit <example>
        set local-standalone {enable|disable}
        set local-standalone-nat {enable|disable}
        set dhcp-lease-time [300-8640000]   Default is 2400 seconds.
end

New CLI command to configure LDPC for FortiAP (383864)

Previously, the LDPC value on a FortiAP could only be changed on the FortiAP local CLI. Syntax has been added to the FortiOS CLI under the ‘wireless-controller.vap’ entry to configure the LDPC value on the FortiAP.

CLI Syntax

config wireless-controller vap
    edit 1
        set ldpc [enable|rx|tx|disable]
end

New region code/SKU for Indonesia (382926)

A new country region code, F, has been added to meet Indonesia’s WiFi channel requirements. Indonesia previously belonged to region code W.

FortiAP RMA support added (381936)

The new CLI command fortiap has been added under execute replace-device to replace an old FortiAP’s serial number with a new one.

CLI Syntax

execute replace-device fortiap <old-fortiap-id> <new-fortiap-id>

Support fixed-length 64-hex digit for WPA-Personal passphrase (381030)

WPA-Personal passphrase now supports a fixed-length of 64 hexadecimal digits.
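The two passphrase forms this entry and the multiple-PSK feature above rely on, shown as an added example that is not part of the original guide: the code derives the WPA-Personal PMK from either an 8 to 63 character ASCII passphrase (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, as IEEE 802.11 specifies) or a 64-hex-digit raw PSK, and audits a set of mpsk-key entries for passphrases that collapse to the same PMK, which makes per-key client accounting meaningless. The SSID, key names and key values are constructed for the example.

```python
import hashlib
import re

# Constructed sample data standing in for a VAP's SSID and its mpsk-key
# entries; the names and values are assumptions made for this example.
SSID = "IEEE"
MPSK_KEYS = {
    "staff-key": "password",    # ordinary 8-63 character ASCII passphrase
    "legacy-key": "password",   # same passphrase under another name: a mistake to catch
    "printer-key": "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",  # raw PSK, 64 hex digits
}

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11 for WPA-Personal
PSK_LEN = 32              # 256-bit PSK


def passphrase_form(passphrase: str) -> str:
    """Classify a passphrase as 'hex' (64 hex digits) or 'ascii' (8-63 chars).

    A 64-character string can never be an ASCII passphrase (those stop at 63
    characters), so the two forms cannot be confused with each other.
    """
    return "hex" if HEX64.match(passphrase) else "ascii"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK that a client and AP both compute for this SSID.

    - 64 hex digits: the PSK itself, used verbatim, no key stretching.
    - 8-63 printable ASCII characters: PBKDF2-HMAC-SHA1(passphrase, ssid).
    Anything else is rejected rather than silently truncated or padded.
    """
    if passphrase_form(passphrase) == "hex":
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 ASCII characters or exactly 64 hex digits")
    if not all(" " <= c <= "~" for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN
    )


def audit_mpsk_keys(keys: dict, ssid: str) -> dict:
    """Derive the PMK of every mpsk-key entry and report entries sharing one.

    Returns {"pmks": {name: hex_pmk}, "duplicates": [[name, ...], ...],
             "rejected": {name: reason}}. Two entries with the same PMK are
    indistinguishable to the AP during the 4-way handshake, so any
    concurrent-clients limit set on either of them cannot be enforced per key.
    """
    pmks, rejected, by_pmk = {}, {}, {}
    for name, passphrase in keys.items():
        try:
            pmk = pmk_from_passphrase(passphrase, ssid).hex()
        except ValueError as exc:
            rejected[name] = str(exc)
            continue
        pmks[name] = pmk
        by_pmk.setdefault(pmk, []).append(name)
    duplicates = [names for names in by_pmk.values() if len(names) > 1]
    return {"pmks": pmks, "duplicates": duplicates, "rejected": rejected}


if __name__ == "__main__":
    report = audit_mpsk_keys(MPSK_KEYS, SSID)
    for name, pmk in report["pmks"].items():
        print(f"{name:12s} {passphrase_form(MPSK_KEYS[name]):5s} PMK={pmk}")
    print("duplicate PMK groups:", report["duplicates"])
    print("rejected entries:", report["rejected"])
```

Because the SSID is the PBKDF2 salt, the same ASCII passphrase yields a different PMK on every SSID, whereas a 64-hex-digit PSK is the same value wherever it is configured.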

Allow FortiGates to manage cloud-based FortiAPs (380150)

FortiGates can now manage cloud-based FortiAPs using the new fapc-compatibility command under wireless-controller setting.

If enabled, default FAP-C wtp-profiles will be added. If disabled, FAP-C related CMDB configurations will be removed: wtp-group in vap’s vlan-pool, wtp-group, ws, wtp, wtp-profile.

CLI syntax

config wireless-controller setting
    set country CN
    set fapc-compatibility [enable|disable]
end

You will receive an error message when trying to change the country while fapc-compatibility is enabled. You need to disable fapc-compatibility before changing to a country that FAP-C does not support.

Use IPsec instead of DTLS to protect CAPWAP tunnels (379502)

This feature utilizes FortiAP hardware to improve the throughput of tunneled data traffic by using IPsec instead of DTLS when data security is enabled.

“AES-256-CBC & SHA256” algorithm and “dh_group 15” are used for both CAPWAP IPsec phase1 and phase 2.

FAP320B will not support this feature due to its limited capacity of free flash.

New option added to support only one IP per one endpoint association (378207)

When users change the configuration, radiusd resets all configurations and refreshes all logons in the kernel. All of these actions are done in one loop. A CLI option has been added to enable or disable replacement of an old IP address with a new IP address for the same endpoint on RADIUS accounting start.

CLI Syntax

config user radius
    edit radius-root
        set rsso-ep-one-ip-only [enable|disable]
    next
end

FAP-222C-K DFS support (377795)

Dynamic Frequency Selection (DFS) bands can now be configured for FortiAP 222C-K.

Note that this FortiAP model has the Korean region code (K), but ap-country under config wireless-controller wtp-profile still needs to be set to KR.

CLI syntax

config wireless-controller wtp-profile
    edit <K-FAP222C>
        config platform
            set type <222C>
        end
        set ap-country KR
        config radio-2
            set band <802.11ac>
            set vap-all <disable>
            set vaps "vap-vd-07"
            set channel "52" "56" "60" "64" "100" "104" "108" "112" "116" "120" "124" "128" "132" "136" "140"
        end
    next
end

Dynamic VLAN support in standalone mode (377298)

Dynamic VLAN is now supported in standalone mode. Previously, dynamic VLAN only worked in local bridge mode.

CLI-only features added to GUI (376891)

Previously CLI-only features have been added to the GUI under FortiAP Profiles, Managed FortiAPs, and SSID. An issue has also been fixed so that the correct value is displayed when viewing the WIDS Profile notification icon under FortiAP Profiles.

Managed AP GUI update (375376)

Upgraded Managed FortiAPs dialog page to a newer style, including icons for SSID and LAN port.

Bonjour gateway support (373659)

Bonjour gateway is now supported for WiFi networks.

Syntax

config wireless-controller bonjour-profile
    edit 0
        set comment "comment"
        config policy-list
            edit 1
                set description "description"
                set from-vlan [0-4094]     Default is 0.
                set to-vlan [0-4094|all]   Default is all.
                set services [all|airplay|afp|bittorrent|ftp|ichat|itunes|printers|samba|scanners|ssh|chromecast]
            next
        end
    next
end

FAP421E/423E wave2 support (371374)

Previously removed wave2 FAP421E and FAP423E models have been reinstated and are now supported again. The models are available again through the CLI and GUI. These models are listed under the Platform dropdown menu when creating a new FortiAP Profile under WiFi & Switch Controller > FortiAP Profiles.

CLI syntax

config wireless-controller wtp-profile
    edit <example>
        config platform
            set type <…|421E|423E>
        end
end

WiFi Health Monitor GUI changes (308317)

The Wifi Health Monitor page has been improved, including the following changes:

  • Flowchart used for diagrams
  • Chart used for interference and AP clients
  • Removed spectrum analysis
  • Added functionality to upgrade FortiAP firmware
  • Added option to view both 2.4GHz and 5GHz data simultaneously

AP Profile GUI page updates (298266)

The AP Profile GUI page has been upgraded to a new style including AngularJS code.

1+1 Wireless Controller HA (294656)

Failover between FortiAP units previously took too long and led to extended periods during which WiFi users were without a network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for failover to complete as fast as possible.

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided by load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

Syntax

config wireless-controller inter-controller
    set inter-controller-mode {disable | l2-roaming | 1+1}   Default is disable.
    set inter-controller-key <password>
    set inter-controller-pri {primary | secondary}   Default is primary.
    set fast-failover-max [3-64]       Default is 10.
    set fast-failover-wait [10-86400]  Default is 10.
    config inter-controller-peer
        edit <name>
            set peer-ip <ip-address>
            set peer-port [1024-49150]   Default is 5246.
            set peer-priority {primary | secondary}   Default is primary.
        next
    end
end

Support for duplicate SSID names on tunnel and bridge mode interfaces (278955)

When duplicate-ssid is enabled in the CLI, VAPs can use the same SSID name in the same VDOM. When it is disabled, all SSIDs on the WLAN interface are checked, and an error message is displayed if duplicate SSIDs exist. When duplicate-ssid is enabled in the CLI, the duplicate SSID check is also removed from the “Edit SSID” GUI page.

Syntax

config wireless-controller setting
    set duplicate-ssid [enable|disable]
end

Controlled failover between wireless controllers (249515)

Failover between FortiAP units previously took too long and led to extended periods during which WiFi users were without a network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for failover to complete as fast as possible.

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided by load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWIFI and FortiAP Configuration Guide

Introduction

Welcome and thank you for selecting Fortinet products for your network protection. This document describes how to configure wireless networks with FortiWiFi, FortiGate, and FortiAP units.

This chapter contains the following topics:

  • Before you begin
  • How this guide is organized

Before you begin

Before you begin using this guide, please ensure that:

  • You have administrative access to the web-based manager and/or CLI.
  • The FortiGate unit is integrated into your network.
  • The operation mode has been configured.
  • The system time, DNS settings, administrator password, and network interfaces have been configured.
  • Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
  • FortiGuard Analysis & Management Service is properly configured.

While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Introduction to wireless networking explains the basic concepts of wireless networking and how to plan your wireless network.

Configuring a WiFi LAN explains how to set up a basic wireless network, prior to deploying access point hardware.

Access point deployment explains how to deploy access point hardware and add it to your wireless network configuration.

Wireless Mesh explains how to configure a Wi-Fi network where access points are connected to the Wi-Fi controller wirelessly instead of by Ethernet.

Combining WiFi and wired networks with a software switch shows how to use the FortiAP Wi-Fi-Ethernet bridge feature.

Protecting the WiFi Network explains the Wireless Intrusion Detection System (WIDS).

Wireless network monitoring explains how to monitor your wireless clients and how to monitor other wireless access points, potentially rogues, in your coverage area.


Configuring wireless network clients explains how to configure typical wireless clients to work with a WPA-Enterprise protected network.

Wireless network examples provides two examples. The first is a simple Wi-Fi network using automatic configuration. The second is a more complex example of a business with two Wi-Fi networks, one for employees and another for guests or customers.

Using a FortiWiFi unit as a client explains how to use a FortiWiFi unit as a wireless client to connect to other Wi-Fi networks. This connection can take the place of an Ethernet connection where wired access to a network or to the Internet is not available.

Support for location-based services explains how Fortinet supports location-based services that collect information about devices near FortiGate-managed access points, even if the devices don’t associate with the network.

Reference provides information about Wi-Fi radio channels.



FortiGate VM Initial Configuration


Before you can connect to the FortiGate VM web-based manager you must configure a network interface in the FortiGate VM console. Once an interface with administrative access is configured, you can connect to the FortiGate VM Web-based Manager and upload the FortiGate VM license file that you downloaded from the Customer Service & Support website.

The following topics are included in this section:

Set FortiGate VM port1 IP address

Connect to the FortiGate VM Web-based Manager

Upload the FortiGate VM license file

Validate the FortiGate VM license with FortiManager

Configure your FortiGate VM

Set FortiGate VM port1 IP address

Hypervisor management environments include a guest console window. On the FortiGate VM, this provides access to the FortiGate console, equivalent to the console port on a hardware FortiGate unit. Before you can access the Web-based manager, you must configure FortiGate VM port1 with an IP address and administrative access.

To configure the port1 IP address:

  1. In your hypervisor manager, start the FortiGate VM and access the console window. You might need to press Return to see a login prompt.

Example of FortiGate VM console access:


  2. At the FortiGate VM login prompt enter the username admin. By default there is no password. Just press Return.
  3. Using CLI commands, configure the port1 IP address and netmask. Also, HTTP access must be enabled because until it is licensed the FortiGate VM supports only low-strength encryption. HTTPS access will not work.

For example:

config system interface
    edit port1
        set ip 192.168.0.100 255.255.255.0
        append allowaccess http
end

You can also use the append allowaccess CLI command to enable other access protocols, such as auto-ipsec, http, probe-response, radius-acct, snmp, and telnet. The ping, https, ssh, and fgfm protocols are enabled on the port1 interface by default.

  4. To configure the default gateway, enter the following CLI commands:

config router static
    edit 1
        set device port1
        set gateway <class_ip>
end


You must configure the default gateway with an IPv4 address. FortiGate VM needs to access the Internet to contact the FortiGuard Distribution Network (FDN) to validate its license.

  5. To configure your DNS servers, enter the following CLI commands:

config system dns
    set primary <Primary DNS server>
    set secondary <Secondary DNS server>
end

  6. To upload the FortiGate VM license from an FTP or TFTP server, use the following CLI command:

execute restore vmlicense {ftp | tftp} <VM license file name> <Server IP or FQDN> [:server port]

Web-based Manager and Evaluation License dialog box

Connect to the FortiGate VM Web-based Manager


When you have configured the port1 IP address and netmask, launch a web browser and enter the IP address that you configured for port1. At the login page, enter the username admin, leave the password field empty (there is no default password), and select Login. The Web-based Manager will appear with an Evaluation License dialog box.

Upload the FortiGate VM license file

Every Fortinet VM includes a 15-day trial license. During this time the FortiGate VM operates in evaluation mode. Before using the FortiGate VM you must enter the license file that you downloaded from the Customer Service & Support website upon registration.

To upload the FortiGate VM license file:

  1. In the Evaluation License dialog box, select Enter License.

License upload page:

  2. Select Browse and locate the license file (.lic) on your computer. Select OK to upload the license file.
  3. Refresh the browser to login.

  4. Enter admin in the Name field and select Login. The VM registration status appears as valid in the License Information widget once the license has been validated by the FortiGuard Distribution Network (FDN) or, for closed networks, by FortiManager.

Validate the FortiGate VM license with FortiManager

You can validate your FortiGate VM license with some models of FortiManager. To determine whether your FortiManager unit has the VM Activation feature, see the Features section of the FortiManager Product Data sheet.

To validate your FortiGate VM with your FortiManager:

  1. To configure your FortiManager as a closed network, enter the following CLI command on your FortiManager:

config fmupdate publicnetwork
    set status disable
end

  2. To configure FortiGate VM to use FortiManager as its override server, enter the following CLI commands on your FortiGate VM:

config system central-management
    set mode normal
    set type fortimanager
    set fmg <IPv4 address of the FortiManager device>
    set fmg-source-ip <Source IPv4 address when connecting to the FortiManager device>
    set include-default-servers disable
    set vdom <Enter the name of the VDOM to use when communicating with the FortiManager device>
end

  1. Load the FortiGate VM license file in the Web-based Manager. Go to System > Dashboard > Status. In the License Information widget, in the Registration Status field, select Update. Browse for the .lic license file and select OK.
  2. To activate the FortiGate VM license, enter the following CLI command on your FortiGate VM: execute update-now
  3. To check the FortiGate VM license status, enter the following CLI commands on your FortiGate VM:

get system status

The following output is displayed:

Version: Fortigate-VM v5.0,build0099,120910 (Interim)

Virus-DB: 15.00361(2011-08-24 17:17)

Extended DB: 15.00000(2011-08-24 17:09)

Extreme DB: 14.00000(2011-08-24 17:10)

IPS-DB: 3.00224(2011-10-28 16:39)

FortiClient application signature package: 1.456(2012-01-17 18:27)

Serial-Number: FGVM02Q105060000

License Status: Valid

BIOS version: 04000002

Log hard disk: Available

Hostname: Fortigate-VM

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 10


Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Distribution: International

Branch point: 511

Release Version Information: MR3 Patch 4

System time: Wed Jan 18 11:24:34 2012

diagnose hardware sysinfo vm full

The following output is displayed:

UUID: 564db33a29519f6b1025bf8539a41e92

valid: 1

status: 1

code: 200 (If the license is a duplicate, code 401 will be displayed)

warn: 0

copy: 0

received: 45438

warning: 0

recv: 201201201918

dup:

Configure your FortiGate VM

Once the FortiGate VM license has been validated you can begin to configure your device. You can use the Wizard located in the top toolbar for basic configuration including enabling central management, setting the admin password, setting the time zone, and port configuration.

For more information on configuring your FortiGate VM see the FortiOS Handbook at http://docs.fortinet.com.



FortiGate VM Deployment example – Citrix XenServer


Once you have downloaded the FORTINET.out.CitrixXen.zip file and extracted the files, you can create the virtual machine in your Citrix Xen environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine (XenCenter)

Configure virtual hardware

Create the FortiGate VM virtual machine (XenCenter)

To create the FortiGate VM virtual machine from the OVF file:

  1. Launch XenCenter on your management computer.

The management computer can be any computer that can run Citrix XenCenter, a Windows application.

  2. If you have not already done so, select ADD a server. Enter your Citrix XenServer IP address and the root logon credentials required to manage that server.

Your Citrix XenServer is added to the list in the left pane.

The Virtual Machine Manager home page opens.

  3. Go to File > Import. An import dialog will appear.

 


  4. Click the Browse button, find the FortiGate-VM64-Xen.ovf template file, then click Open.
  5. Select Next.


  6. Accept the FortiGate Virtual Appliance EULA, then select Next.
  7. Choose the pool or standalone server that will host the VM, then select Next.
  8. Select the storage location for FortiGate VM disk drives or accept the default. Select Next.


  9. Configure how each vNIC (virtual network adapter) in FortiGate VM will be mapped to each vNetwork on the Citrix XenServer, then click Next.
  10. Click Next to skip OS fixup.
  11. Select Next to use the default network settings for transferring the VM to the host.
  12. Select Finish.

The Citrix XenServer imports the FortiGate VM files and configures the VM as specified in the OVF template. Depending on your computer’s hardware speed and resource load, and also on the file size and speed of the network connection, this might take several minutes to complete.

When VM import is complete, the XenCenter left pane includes the FortiGate VM in the list of deployed VMs for your Citrix XenServer.

 


Configure virtual hardware

Before you start your FortiGate-VM for the first time, you need to adjust your virtual machine’s virtual hardware settings to meet your network requirements.

Configuring number of CPUs and memory size

Your FortiGate-VM license limits the number of CPUs and the amount of memory that you can use. The amounts you allocate must not exceed your license limits.

To access virtual machine settings

  1. Open XenCenter.
  2. Select your FortiGate VM in the left pane.

The tabs in the right pane provide access to the virtual hardware configuration. The Console tab provides access to the FortiGate console.

To set the number of CPUs

  1. In the XenCenter left pane, right-click the FortiGate VM and select Properties. The Properties window opens.
  2. In the left pane, select CPU.
  3. Adjust Number of CPUs and then select OK.


XenCenter will warn if you select more CPUs than the Xen host computer contains. Such a configuration might reduce performance.

To set memory size

  1. In the XenCenter left pane, select the FortiGate VM.
  2. In the right pane, select the Memory tab.
  3. Select Edit, modify the value in the Set a fixed memory of field, and select OK.

Configuring disk storage

By default the FortiGate VM data disk is 30GB. You will probably want to increase this. Disk resizing must be done before you start the VM for the first time.

To resize the FortiGate data disk

  1. In the XenCenter left pane, select the FortiGate VM.
  2. Select the Storage tab. Select Hard disk 2 (the 30GB drive), then select Properties.

The ‘Hard disk 2’ Properties window opens.


  3. Select Size and Location. Adjust Size and select OK.

 




FortiGate VM Deployment example – OpenXen


Once you have downloaded the FORTINET.out.OpenXen.zip file and extracted the virtual hard drive image file fortios.qcow2, you can create the virtual machine in your OpenXen environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine (VMM)

Create the FortiGate VM virtual machine (VMM)

To create the FortiGate VM virtual machine:

  1. Launch Virtual Machine Manager (virt-manager) on your OpenXen host server.

The Virtual Machine Manager home page opens.

  2. In the toolbar, select Create a new virtual machine.
  3. Enter a Name for the VM, FGT-VM for example.
  4. Ensure that Connection is localhost. (This is the default.)
  5. Select Import existing disk image.


  6. In OS Type select Linux.
  7. In Version, select Generic 2.4.x kernel.
  8. Select Browse.

The Locate or create storage volume window opens.

  9. Select Browse Local and find the fortios.qcow2 disk image file.
  10. Select fortios.qcow2 and select Choose Volume.


  11. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The amounts must not exceed your license limits.


  12. Select Customize configuration before install. This enables you to make some hardware configuration changes before VM creation is started.
  13. Expand Advanced options. A new virtual machine includes one network adapter by default. Select Specify shared device name and enter the name of the bridge interface on the OpenXen host. Optionally, set a specific MAC address for the virtual network interface. Virt Type and Architecture are set by default and should be correct.
  14. Select Finish.

The virtual machine hardware configuration window opens.

 

You can use this window to add hardware such as network interfaces and disk drives.

  1. Select Add Hardware. In the Add Hardware window select Storage.
  2. Select Create a disk image on the computer’s harddrive and set the size to 30GB.
  3. Enter:
Device type Virtio disk
Cache mode Default
Storage format raw
  1. Select Network to configure add more the network interfaces. The Device type must be Virtio.

A new virtual machine includes one network adapter by default. You can add more through the Add Hardware window. FortiGate VM requires four network adapters. You can configure network adapters to connect to a virtual switch or to network adapters on the host computer.

  1. Select Finish.
  2. Select Begin Installation. After the installation completes successfully, the VM starts and the console window opens.

(XenCenter)



FortiGate VM Deployment example – KVM

Deployment example – KVM

Once you have downloaded the FORTINET.out.kvm.zip file and extracted the virtual hard drive image file fortios.qcow2, you can create the virtual machine in your KVM environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine

Configure FortiGate VM hardware settings

Start the FortiGate VM

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:

  1. Launch Virtual Machine Manager (virt-manager) on your KVM host server.

The Virtual Machine Manager home page opens.

  2. In the toolbar, select Create a new virtual machine.
  3. Enter a Name for the VM, FGT-VM for example.
  4. Ensure that Connection is localhost. (This is the default.)
  5. Select Import existing disk image.
  6. Select Forward.
  7. In OS Type select Linux.
  8. In Version, select a Generic version with virtio.
  9. Select Browse.
  10. If you copied the fortios.qcow2 file to /var/lib/libvirt/images, it will be visible on the right. If you saved it somewhere else on your server, select Browse Local and find it.
  11. Select Choose Volume.
  12. Select Forward.
  13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The amounts must not exceed your license limits. See FortiGate VM Overview.
  14. Select Forward.
  15. Expand Advanced options. A new virtual machine includes one network adapter by default. Select a network adapter on the host computer. Optionally, set a specific MAC address for the virtual network interface. Set Virt Type to virtio and Architecture to qcow2.
  16. Select Finish.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must add the log disk and configure the virtual hardware of your FortiGate VM.

To configure settings for FortiGate VM on the server:

  1. In the Virtual Machine Manager, locate the name of the virtual machine and then select Open from the toolbar.
  2. Select Add Hardware. In the Add Hardware window select Storage.
  3. Select Create a disk image on the computer’s hard drive and set the size to 30GB.
  4. Enter:
     Device type: Virtio disk
     Cache mode: Default
     Storage format: raw
  5. Select Network to add and configure more network interfaces. The Device type must be Virtio.

A new virtual machine includes one network adapter by default. You can add more through the Add Hardware window. FortiGate VM requires four network adapters. You can configure network adapters to connect to a virtual switch or to network adapters on the host computer.

  6. Select Finish.

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in the list of virtual machines. In the toolbar, select Console and then select Start.

 



FortiGate VM High Availability Hyper-V configuration

High Availability Hyper-V configuration

Promiscuous mode and support for MAC address spoofing are required for FortiGate-VM for Hyper-V to support FortiGate Clustering Protocol (FGCP) high availability (HA). By default the FortiGate-VM for Hyper-V has promiscuous mode enabled in the XML configuration file in the FortiGate-VM Hyper-V image. If you have problems with HA mode, confirm that this is still enabled.

In addition, because the FGCP applies virtual MAC addresses to FortiGate data interfaces, matching interfaces of different FortiGate-VM instances will have the same virtual MAC addresses, so you have to configure Hyper-V to allow MAC spoofing. Enable MAC spoofing only for FortiGate-VM data interfaces; do not enable it for FortiGate HA heartbeat interfaces.

With promiscuous mode enabled and the correct MAC spoofing settings you should be able to configure HA between two or more FortiGate-VM for Hyper-V instances.
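The MAC spoofing rule above, applied with the Hyper-V PowerShell module, as an added example that is not part of the Fortinet guide. It assumes two cluster members named FGT-VM-A and FGT-VM-B whose adapters have already been renamed port1 through port4, with port4 serving as the dedicated HA heartbeat interface; change those names to match your deployment.

```powershell
# Added example (not from the Fortinet guide). Assumed names: the two cluster
# members and the adapter used for the HA heartbeat.
$ClusterMembers    = @('FGT-VM-A', 'FGT-VM-B')
$HeartbeatAdapters = @('port4')

foreach ($vmName in $ClusterMembers) {
    foreach ($nic in Get-VMNetworkAdapter -VMName $vmName) {
        if ($HeartbeatAdapters -contains $nic.Name) {
            # Heartbeat interface: the FGCP does not apply a virtual MAC here,
            # so the virtual switch keeps enforcing the adapter's own MAC.
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -MacAddressSpoofing Off
        } else {
            # Data interface: the FGCP virtual MAC (identical on both members)
            # must be allowed through the virtual switch.
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -MacAddressSpoofing On
        }
    }
}

# Audit the result for every member so the two sides can be compared at a glance.
Get-VMNetworkAdapter -VMName $ClusterMembers |
    Select-Object VMName, Name, SwitchName, MacAddressSpoofing |
    Format-Table -AutoSize

# Flag any heartbeat adapter that still permits spoofing.
$violations = Get-VMNetworkAdapter -VMName $ClusterMembers |
    Where-Object { $HeartbeatAdapters -contains $_.Name -and $_.MacAddressSpoofing -eq 'On' }
if ($violations) {
    $violations | ForEach-Object {
        Write-Warning "MAC spoofing is enabled on heartbeat adapter $($_.Name) of $($_.VMName)"
    }
}
```

Run the script on the Hyper-V host (or through a remote session to it) after the FortiGate-VM instances have been created and before HA is configured on them; the audit table at the end is also a quick check to repeat when the text's HA troubleshooting advice applies.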

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in the list of virtual machines, right-click, and select Start in the menu. Optionally, you can select the name of the FortiGate VM in the list of virtual machines and select Start in the Actions menu.




FortiGate VM Deployment example – MS Hyper-V

Deployment example – MS Hyper-V

Once you have downloaded the FGT_VMxx_HV-v5-build0xxx-FORTINET.out.hyperv.zip file and extracted the package contents to a folder on your Microsoft server, you can deploy the VHD package to your Microsoft Hyper-V environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine

Configure FortiGate VM hardware settings

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:

  1. Launch the Hyper-V Manager in your Microsoft server.

The Hyper-V Manager home page opens.

  2. Select the server in the right-tree menu. The server details page is displayed.
  3. Right-click the server, select New, and select Virtual Machine from the menu. Optionally, in the Actions menu, select New and then select Virtual Machine.

The New Virtual Machine Wizard opens.

  4. Select Next to create a virtual machine with a custom configuration.

The Specify Name and Location page is displayed.

  5. Enter a name for this virtual machine. The name is displayed in the Hyper-V Manager.

Select Next to continue. The Assign Memory page is displayed.

  6. Specify the amount of memory to allocate to this virtual machine. The default memory for FortiGate VM is 1GB (1024MB).

Select Next to continue. The Configure Networking page is displayed.

  7. Each new virtual machine includes a network adapter. You can configure the network adapter to use a virtual switch, or it can remain disconnected. FortiGate VM requires four network adapters. You must configure network adapters in the Settings page.

Select Next to continue. The Connect Virtual Hard Disk page is displayed.

  8. Select to use an existing virtual hard disk and browse for the vhd file that you downloaded from the Fortinet Customer Service & Support portal.

Select Next to continue. The Summary page is displayed.

  9. To create the virtual machine and close the wizard, select Finish.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and virtual disk configuration to match your FortiGate VM license.

To configure settings for FortiGate VM on the server:

  1. In the Hyper-V Manager, locate the name of the virtual machine, right-click the entry, and select Settings from the menu. Optionally, you can select the virtual machine and select Settings in the Actions menu.

The Settings page is displayed.

  2. Configure virtual processors, network adapters, and virtual hard drive settings.
  3. Select Apply to save the settings and then select OK to close the settings page.

FortiGate VM virtual processors

You must configure FortiGate VM virtual processors in the server settings page. The number of processors is dependent on your server environment.

Configure FortiGate VM virtual processors:

  1. In the Settings page, select Processor from the Hardware menu.

The Processor page is displayed.

  2. Configure the number of virtual processors for the FortiGate VM virtual machine. Optionally, you can use resource controls to balance resources among virtual machines.
  3. Select Apply to save the settings.

FortiGate VM network adapters

You must configure FortiGate VM network adapters in the server settings page. FortiGate VM supports four network adapters.

Configure FortiGate VM network adapters:

  1. In the Settings page, select Add Hardware from the Hardware menu, select Network Adapter in the device list, and select the Add button.

The Network Adapter page is displayed.

  2. You must manually configure four network adapters for FortiGate VM in the settings page. For each network adapter, select the virtual switch from the drop-down list.
  3. Select Apply to save the settings.

FortiGate VM virtual hard disk

You must configure the FortiGate VM virtual hard disk in the server settings page.

If you know your environment will expand in the future, it is recommended to increase the hard disk size beyond 30GB. The VM license limit is 2TB.

Configure a FortiGate VM virtual hard drive:

  1. In the Settings page, select IDE Controller 0 > Hard Drive from the Hardware menu.

The Hard Drive page is displayed.

  2. Select New to create a new virtual hard disk.

The New Virtual Hard Disk Wizard opens.

  3. This wizard helps you to create a new virtual hard disk.

Select Next to continue. The Choose Disk Format page opens.

  4. Select to use VHDX format virtual hard disks. This format supports virtual disks up to 64TB and is resilient to consistency issues that might occur from power failures. This format is not supported in operating systems earlier than Windows Server 2012. Note that FortiGate-VM does not support hard disks larger than 2TB.

Select Next to continue. The Choose Disk Type page opens.

  5. Select the type of virtual disk you want to use. Select one of the following disk types:
    • Fixed size: This type of disk provides better performance and is recommended for servers running applications with high levels of disk activity. The virtual hard disk file that is created initially uses the size of the virtual hard disk and does not change when data is deleted or added.
    • Dynamic expanding: This type of disk provides better use of physical storage space and is recommended for servers running applications that are not disk intensive. The virtual disk file that is created is small initially and changes as data is added.
    • Differencing: This type of disk is associated in a parent-child relationship with another disk that you want to leave intact. You can make changes to the data or operating system without affecting the parent disk, so that you can revert the changes easily. All children must have the same virtual hard disk format as the parent (VHD or VHDX).

Select Next to continue. The Specify Name and Location page opens.

  6. Specify the name and location of the virtual hard disk file. Use the Browse button to select a specific file folder on your server.

Select Next to continue. The Configure Disk page opens.

  7. Select Create a new blank virtual hard disk and enter the size of the disk in GB. The maximum size is dependent on your server environment.

Select Next to continue. The Summary page opens.

  8. The summary page provides details of the virtual hard disk. Select Finish to create the virtual hard disk.
  9. Select Apply to save the settings and select OK to exit the settings page.
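The Hyper-V Manager wizard steps of this section (create the VM from the downloaded vhd, set memory and processors, add the four network adapters, and attach a new VHDX log disk) as one script using the Hyper-V PowerShell module. This is an added example, not code from the Fortinet guide; the VM name, the folder the package was extracted to, the vhd file name, the virtual switch name and the log disk size are assumptions to adjust for your server.

```powershell
# Added example (not from the Fortinet guide). All paths and names below are assumed.
$Name        = 'FGT-VM'
$Location    = 'C:\Hyper-V\FGT-VM'                 # folder the package was extracted to
$BootVhd     = 'C:\Hyper-V\FGT-VM\fortios.vhd'     # assumed name of the downloaded vhd
$SwitchName  = 'vSwitch-Internal'                  # assumed virtual switch
$LogDisk     = Join-Path $Location 'fgt-log.vhdx'
$LogDiskSize = 30GB      # increase if you expect the environment to expand
$Vcpu        = 1         # must stay within the FortiGate VM license limits
$Memory      = 1GB       # FortiGate VM default memory (1024MB)

# The guide's own limits: FortiGate-VM does not support disks larger than 2TB.
if ($LogDiskSize -gt 2TB) { throw 'FortiGate-VM does not support hard disks larger than 2TB' }
if (-not (Test-Path $BootVhd)) { throw "Boot disk not found: $BootVhd" }

# Generation 1 VM booting from the existing vhd, which lands on IDE Controller 0.
$vm = New-VM -Name $Name -Generation 1 -Path $Location `
             -MemoryStartupBytes $Memory -VHDPath $BootVhd -SwitchName $SwitchName
Set-VMMemory    -VM $vm -DynamicMemoryEnabled $false -StartupBytes $Memory
Set-VMProcessor -VM $vm -Count $Vcpu

# The wizard creates a single adapter; FortiGate VM needs four. Name them port1..port4.
Rename-VMNetworkAdapter -VM $vm -Name 'Network Adapter' -NewName 'port1'
2..4 | ForEach-Object { Add-VMNetworkAdapter -VM $vm -Name "port$_" -SwitchName $SwitchName }

# Fixed-size VHDX log disk (the wizard's "Fixed size" type), attached as the
# second device on IDE Controller 0 next to the boot disk.
New-VHD -Path $LogDisk -SizeBytes $LogDiskSize -Fixed | Out-Null
Add-VMHardDiskDrive -VM $vm -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1 -Path $LogDisk

# Review the hardware configuration before powering on.
Get-VMNetworkAdapter -VM $vm | Select-Object Name, SwitchName, MacAddressSpoofing | Format-Table -AutoSize
Get-VMHardDiskDrive  -VM $vm | Select-Object ControllerType, ControllerNumber, ControllerLocation, Path | Format-Table -AutoSize
```

The script stops before starting the VM so the adapter and disk layout can be checked against the license; `Start-VM -Name $Name` is the equivalent of the Start action described in the text.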

 


