Category Archives: FortiGate

FortiGate Authentication 5.6

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

This chapter contains the following topics:

  - Before you begin
  - How this guide is organized

Before you begin

Before you begin using this guide, please ensure that:

  - You have administrative access to the web-based manager and/or CLI.
  - The FortiGate unit is integrated into your network.
  - The operation mode has been configured.
  - The system time, DNS settings, administrator password, and network interfaces have been configured.
  - Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
  - Any third-party software or servers have been configured using their documentation.

While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

How this guide is organized

This Handbook chapter contains the following sections:

Introduction to authentication describes some basic elements and concepts of authentication.

Authentication servers describes external authentication servers, where a FortiGate unit fits into the topology, and how to configure a FortiGate unit to work with that type of authentication server.

Users and user groups describes the different types of user accounts and user groups. Authenticated access to resources is based on user identities and user group membership. Two-factor authentication methods, including FortiToken, provide additional security.

Managing Guest Access explains how to manage temporary accounts for visitors to your premises.

Configuring authenticated access provides detailed procedures for setting up authenticated access in security policies and authenticated access to VPNs.

Captive portals describes how to authenticate users through a web page that the FortiGate unit presents in response to any HTTP request until valid credentials are entered. This can be used for wired or WiFi network interfaces.

Certificate-based authentication describes authentication by means of X.509 certificates.

Single Sign-On using a FortiAuthenticator unit describes how to use a FortiAuthenticator unit as an SSO agent that can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit. Users can also log on through a FortiAuthenticator-based web portal or the FortiClient SSO Mobility Agent.

Single Sign-On to Windows AD describes how to set up Single Sign-On in a Windows AD network by configuring the FortiGate unit to poll domain controllers for information about user logons and user privileges.

Agent-based FSSO describes how to set up Single Sign-On in Windows AD, Citrix, or Novell networks by installing Fortinet Single Sign On (FSSO) agents on domain controllers. The FortiGate unit receives information about user logons and allows access to network resources based on user group memberships.

SSO using RADIUS accounting records describes how to set up Single Sign-On in a network that uses RADIUS authentication. In this configuration, the RADIUS server sends RADIUS accounting records to the FortiGate unit when users log on or off the network. The record includes a user group name that can be used in FortiGate security policies to determine which resources each user can access.

Monitoring authenticated users describes FortiOS authenticated user monitor screens.

Examples and Troubleshooting provides configuration examples and troubleshooting suggestions.



WIFI Dynamic user VLAN assignment

Dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS user attributes used for the VLAN ID assignment are:

IETF 64 (Tunnel Type)—Set this to VLAN.

IETF 65 (Tunnel Medium Type)—Set this to 802

IETF 81 (Tunnel Private Group ID)—Set this to the VLAN ID.

To configure dynamic VLAN assignment, you need to:

  1. Configure access to the RADIUS server.
  2. Create the SSID and enable dynamic VLAN assignment.
  3. Create a FortiAP Profile and add the local bridge mode SSID to it.
  4. Create the VLAN interfaces and their DHCP servers.
  5. Create security policies to allow communication from the VLAN interfaces to the Internet.
  6. Authorize the FortiAP unit and assign the FortiAP Profile to it.
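The three RADIUS attributes listed above, shown as they are encoded in an Access-Accept (RFC 2868 and RFC 3580 layout). This is an added example, not code from the Fortinet guide; the function names and the rule that an incomplete or malformed set of attributes falls back to the SSID default VLAN are assumptions of this sketch.

```python
TUNNEL_TYPE = 64               # IETF 64
TUNNEL_MEDIUM_TYPE = 65        # IETF 65
TUNNEL_PRIVATE_GROUP_ID = 81   # IETF 81
TUNNEL_TYPE_VLAN = 13          # value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # value "802" (RFC 2868)


def encode_attr(attr_type, value):
    """Type (1 octet), Length (1 octet, includes the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_tunnel_number(attr_type, number, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: 1-octet tag followed by a 3-octet value."""
    return encode_attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def encode_group_id(vlan_id, tag=None):
    """Tunnel-Private-Group-ID: optional tag octet, then the VLAN ID as text."""
    text = str(vlan_id).encode("ascii")
    return encode_attr(TUNNEL_PRIVATE_GROUP_ID,
                       text if tag is None else bytes([tag]) + text)


def parse_attributes(data):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def assigned_vlan(attributes, default_vlan):
    """Return the VLAN from a complete VLAN/802/ID set, else the SSID default."""
    tunnels = {}  # tag -> {attribute type: decoded value}
    for attr_type, value in parse_attributes(attributes):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # malformed, ignore
            tag, number = value[0], int.from_bytes(value[1:], "big")
            tunnels.setdefault(tag, {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet <= 0x1F is a tag; otherwise it belongs to the string.
            if value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})[attr_type] = text
    for tag in sorted(tunnels):
        found = tunnels[tag]
        group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.isdigit()
                and 1 <= int(group.decode("ascii")) <= 4094):
            return int(group.decode("ascii"))
    return default_vlan


def sample_accept(vlan_id, tag=0):
    """Constructed sample: the attribute bytes a RADIUS server would return."""
    return (encode_tunnel_number(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tunnel_number(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_group_id(vlan_id, tag if tag else None))


if __name__ == "__main__":
    accept = sample_accept(100)
    print(accept.hex(" "))
    print("user with VLAN attributes ->", assigned_vlan(accept, default_vlan=10))
    print("user without attributes   ->", assigned_vlan(b"", default_vlan=10))
```

The default of 10 in the demo matches the `set vlanid 10` value used for the SSID later in this procedure.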

To configure access to the RADIUS server

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name, the name or IP address in Primary Server IP/Name, and the server secret in Primary Server Secret.
  3. Select OK.

To create the dynamic VLAN SSID

  1. Go to WiFi & Switch Controller > SSID, select Create New > SSID and enter:
     - Name: An identifier, such as dynamic_vlan_ssid.
     - Traffic Mode: Local bridge or Tunnel, as needed.
     - SSID: An identifier, such as DYNSSID.
     - Security Mode: WPA2 Enterprise
     - Authentication: RADIUS Server. Select the RADIUS server that you configured.
  2. Select OK.
  3. Enable dynamic VLAN in the CLI. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment.

    config wireless-controller vap
        edit dynamic_vlan_ssid
            set dynamic-vlan enable
            set vlanid 10
    end

To create the FortiAP profile for the dynamic VLAN SSID

  1. Go to WiFi & Switch Controller > FortiAP Profiles, select Create New and enter:
     - Name: A name for the profile, such as dyn_vlan_profile.
     - Platform: The FortiAP model you are using. If you use more than one model of FortiAP, you will need a FortiAP Profile for each model.
     - Radio 1 and Radio 2:
       - SSID: Select the SSID you created (example dynamic_vlan_ssid). Do not add other SSIDs.
  2. Adjust other radio settings as needed.
  3. Select OK.

To create the VLAN interfaces

  1. Go to Network > Interfaces and select Create New > Interface.
  2. Enter:
     - Name: A name for the VLAN interface, such as VLAN100.
     - Interface: The physical interface associated with the VLAN interface.
     - VLAN ID: The numeric VLAN ID, for example 100.
     - Addressing mode: Select Manual and enter the IP address / Network Mask for the virtual interface.
     - DHCP Server: Enable and then select Create New to create an address range.
  3. Select OK.
  4. Repeat the preceding steps to create other VLANs as needed.

Security policies determine which VLANs can communicate with which other interfaces. These are simple firewall address policies without authentication. Users are assigned to the appropriate VLAN when they authenticate.

To connect and authorize the FortiAP unit

  1. Connect the FortiAP unit to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.
  3. When the FortiAP unit is listed, double-click the entry to edit it.
  4. In FortiAP Profile, select the FortiAP Profile that you created.
  5. Select Authorize.
  6. Select OK.

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

  - assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
  - assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group.

    config wireless-controller vap
        edit wlan
            set vlan-pooling wtp-group
            config vlan-pool
                edit 101
                    set wtp-group wtpgrp1
                next
                edit 102
                    set wtp-group wtpgrp2
                next
                edit 103
                    set wtp-group wtpgrp3
                next
            end
        next
    end

Load balancing

There are two VLAN pooling methods used for load balancing. The choice of VLAN can be based on either of the following criteria:

  - round-robin – from the VLAN pool, choose the VLAN with the smallest number of clients
  - hash – choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling round-robin
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                next
            end
        next
    end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling hash
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                next
            end
        next
    end



Defining SSID Groups

Defining SSID Groups

Optionally, you can define SSID Groups. An SSID Group has SSIDs as members and can be specified just like an SSID in a FortiAP Profile.

To create an SSID Group – GUI

Go to WiFi & Switch Controller > SSID and select Create New > SSID Group. Give the group a Name and choose Members (SSIDs, but not SSID Groups).

To create an SSID Group – CLI:

    config wireless-controller vap-group
        edit vap-group-name
            set vaps "ssid1" "ssid2"
    end



FortiGate VM Initial Configuration

FortiGate VM Initial Configuration

Before you can connect to the FortiGate VM web-based manager you must configure a network interface in the FortiGate VM console. Once an interface with administrative access is configured, you can connect to the FortiGate VM web-based Manager and upload the FortiGate VM license file that you downloaded from the Customer Service & Support website.

The following topics are included in this section:

Set FortiGate VM port1 IP address

Connect to the FortiGate VM Web-based Manager

Upload the FortiGate VM license file

Validate the FortiGate VM license with FortiManager

Configure your FortiGate VM

Set FortiGate VM port1 IP address

Hypervisor management environments include a guest console window. On the FortiGate VM, this provides access to the FortiGate console, equivalent to the console port on a hardware FortiGate unit. Before you can access the Web-based manager, you must configure FortiGate VM port1 with an IP address and administrative access.

To configure the port1 IP address:

  1. In your hypervisor manager, start the FortiGate VM and access the console window. You might need to press Return to see a login prompt.

Example of FortiGate VM console access:

  2. At the FortiGate VM login prompt enter the username admin. By default there is no password. Just press Return.
  3. Using CLI commands, configure the port1 IP address and netmask. HTTP access must also be enabled: until it is licensed, the FortiGate VM supports only low-strength encryption, so HTTPS access will not work.

For example:

    config system interface
        edit port1
            set ip 192.168.0.100 255.255.255.0
            append allowaccess http
    end

You can also use the append allowaccess CLI command to enable other access protocols, such as auto-ipsec, http, probe-response, radius-acct, snmp, and telnet. The ping, https, ssh, and fgfm protocols are enabled on the port1 interface by default.

  4. To configure the default gateway, enter the following CLI commands:

    config router static
        edit 1
            set device port1
            set gateway <class_ip>
    end

You must configure the default gateway with an IPv4 address. FortiGate VM needs to access the Internet to contact the FortiGuard Distribution Network (FDN) to validate its license.

  5. To configure your DNS servers, enter the following CLI commands:

    config system dns
        set primary <Primary DNS server>
        set secondary <Secondary DNS server>
    end

  6. To upload the FortiGate VM license from an FTP or TFTP server, use the following CLI command:

    execute restore vmlicense {ftp | tftp} <VM license file name> <Server IP or FQDN> [:server port]

Web-based Manager and Evaluation License dialog box

Connect to the FortiGate VM Web-based Manager

When you have configured the port1 IP address and netmask, launch a web browser and enter the IP address that you configured for port1. At the login page, enter the username admin, leave the password field empty (by default there is no password), and select Login. The Web-based Manager will appear with an Evaluation License dialog box.

Upload the FortiGate VM license file

Every Fortinet VM includes a 15-day trial license. During this time the FortiGate VM operates in evaluation mode. Before using the FortiGate VM you must enter the license file that you downloaded from the Customer Service & Support website upon registration.

To upload the FortiGate VM license file:

  1. In the Evaluation License dialog box, select Enter License.

License upload page:

  2. Select Browse and locate the license file (.lic) on your computer. Select OK to upload the license file.
  3. Refresh the browser to log in.
  4. Enter admin in the Name field and select Login. The VM registration status appears as valid in the License Information widget once the license has been validated by the FortiGuard Distribution Network (FDN) or FortiManager for closed networks.

Validate the FortiGate VM license with FortiManager

You can validate your FortiGate VM license with some models of FortiManager. To determine whether your FortiManager unit has the VM Activation feature, see the Features section of the FortiManager Product Data sheet.

To validate your FortiGate VM with your FortiManager:

  1. To configure your FortiManager as a closed network, enter the following CLI command on your FortiManager:

    config fmupdate publicnetwork
        set status disable
    end

  2. To configure FortiGate VM to use FortiManager as its override server, enter the following CLI commands on your FortiGate VM:

    config system central-management
        set mode normal
        set type fortimanager
        set fmg <IPv4 address of the FortiManager device>
        set fmg-source-ip <Source IPv4 address when connecting to the FortiManager device>
        set include-default-servers disable
        set vdom <Enter the name of the VDOM to use when communicating with the FortiManager device>
    end

  3. Load the FortiGate VM license file in the Web-based Manager. Go to System > Dashboard > Status. In the License Information widget, in the Registration Status field, select Update. Browse for the .lic license file and select OK.
  4. To activate the FortiGate VM license, enter the following CLI command on your FortiGate VM:

    execute update-now

  5. To check the FortiGate VM license status, enter the following CLI commands on your FortiGate VM:

    get system status

The following output is displayed:

    Version: Fortigate-VM v5.0,build0099,120910 (Interim)
    Virus-DB: 15.00361(2011-08-24 17:17)
    Extended DB: 15.00000(2011-08-24 17:09)
    Extreme DB: 14.00000(2011-08-24 17:10)
    IPS-DB: 3.00224(2011-10-28 16:39)
    FortiClient application signature package: 1.456(2012-01-17 18:27)
    Serial-Number: FGVM02Q105060000
    License Status: Valid
    BIOS version: 04000002
    Log hard disk: Available
    Hostname: Fortigate-VM
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Distribution: International
    Branch point: 511
    Release Version Information: MR3 Patch 4
    System time: Wed Jan 18 11:24:34 2012

    diagnose hardware sysinfo vm full

The following output is displayed:

    UUID: 564db33a29519f6b1025bf8539a41e92
    valid: 1
    status: 1
    code: 200 (If the license is a duplicate, code 401 will be displayed)
    warn: 0
    copy: 0
    received: 45438
    warning: 0
    recv: 201201201918
    dup:
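The license check above can be scripted against captured CLI output. This is an added example, not part of the Fortinet guide: the function names are hypothetical, the sample text is abridged from the output shown on this page, and treating any code other than 200 or 401 as "unexpected" is an assumption.

```python
import re

OK_CODE = 200         # code shown on this page for a validated license
DUPLICATE_CODE = 401  # code the page says is displayed for a duplicate license

# Abridged from the example output on this page.
SAMPLE_STATUS = """\
Version: Fortigate-VM v5.0,build0099,120910 (Interim)
Serial-Number: FGVM02Q105060000
License Status: Valid
Hostname: Fortigate-VM
"""
SAMPLE_SYSINFO = """\
UUID: 564db33a29519f6b1025bf8539a41e92
valid: 1 status: 1
code: 200 (If the license is a duplicate, code 401 will be displayed) warn: 0 copy: 0
"""


def parse_system_status(text):
    """Return {field: value} from 'get system status' output (split at first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_validation_code(text):
    """Return the integer after 'code:' in 'diagnose hardware sysinfo vm full' output."""
    match = re.search(r"\bcode\s*:\s*(\d+)", text)
    return int(match.group(1)) if match else None


def license_findings(status_text, sysinfo_text):
    """Return a list of problems; an empty list means both checks passed."""
    findings = []
    state = parse_system_status(status_text).get("License Status")
    if state is None:
        findings.append("License Status line missing from 'get system status'")
    elif state != "Valid":
        findings.append(f"License Status is {state!r}, expected 'Valid'")

    code = parse_validation_code(sysinfo_text)
    if code is None:
        findings.append("no validation code in 'diagnose hardware sysinfo vm full'")
    elif code == DUPLICATE_CODE:
        findings.append("validation code 401: license is a duplicate")
    elif code != OK_CODE:
        findings.append(f"unexpected validation code {code}")
    return findings


if __name__ == "__main__":
    problems = license_findings(SAMPLE_STATUS, SAMPLE_SYSINFO)
    print("license OK" if not problems else "\n".join(problems))
```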

Configure your FortiGate VM

Once the FortiGate VM license has been validated you can begin to configure your device. You can use the Wizard located in the top toolbar for basic configuration including enabling central management, setting the admin password, setting the time zone, and port configuration.

For more information on configuring your FortiGate VM see the FortiOS Handbook at http://docs.fortinet.com.



FortiGate VM Deployment example – Citrix XenServer

Deployment example – Citrix XenServer

Once you have downloaded the FORTINET.out.CitrixXen.zip file and extracted the files, you can create the virtual machine in your Citrix Xen environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine (XenCenter)

Configure virtual hardware

Create the FortiGate VM virtual machine (XenCenter)

To create the FortiGate VM virtual machine from the OVF file

  1. Launch XenCenter on your management computer.

The management computer can be any computer that can run Citrix XenCenter, a Windows application.

  2. If you have not already done so, select ADD a server. Enter your Citrix XenServer IP address and the root logon credentials required to manage that server.

Your Citrix XenServer is added to the list in the left pane.

The Virtual Machine Manager home page opens.

  3. Go to File > Import. An import dialog will appear.
  4. Click the Browse button, find the FortiGate-VM64-Xen.ovf template file, then click Open.
  5. Select Next.
  6. Accept the FortiGate Virtual Appliance EULA, then select Next.
  7. Choose the pool or standalone server that will host the VM, then select Next.
  8. Select the storage location for FortiGate VM disk drives or accept the default. Select Next.
  9. Configure how each vNIC (virtual network adapter) in FortiGate VM will be mapped to each vNetwork on the Citrix XenServer, then click Next.
  10. Click Next to skip OS fixup.
  11. Select Next to use the default network settings for transferring the VM to the host.
  12. Select Finish.

The Citrix XenServer imports the FortiGate VM files and configures the VM as specified in the OVF template. Depending on your computer’s hardware speed and resource load, and also on the file size and speed of the network connection, this might take several minutes to complete.

When VM import is complete, the XenCenter left pane includes the FortiGate VM in the list of deployed VMs for your Citrix XenServer.

Configure virtual hardware

Before you start your FortiGate-VM for the first time, you need to adjust your virtual machine’s virtual hardware settings to meet your network requirements.

Configuring number of CPUs and memory size

Your FortiGate-VM license limits the number of CPUs and amount of memory that you can use. The amounts you allocate must not exceed your license limits.

To access virtual machine settings

  1. Open XenCenter.
  2. Select your FortiGate VM in the left pane.

The tabs in the right pane provide access to the virtual hardware configuration. The Console tab provides access to the FortiGate console.

To set the number of CPUs

  1. In the XenCenter left pane, right-click the FortiGate VM and select Properties. The Properties window opens.
  2. In the left pane, select CPU.
  3. Adjust Number of CPUs and then select OK.

XenCenter will warn if you select more CPUs than the Xen host computer contains. Such a configuration might reduce performance.

To set memory size

  1. In the XenCenter left pane, select the FortiGate VM.
  2. In the right pane, select the Memory tab.
  3. Select Edit, modify the value in the Set a fixed memory of field and select OK.

Configuring disk storage

By default the FortiGate VM data disk is 30GB. You will probably want to increase this. Disk resizing must be done before you start the VM for the first time.

To resize the FortiGate data disk

  1. In the XenCenter left pane, select the FortiGate VM.
  2. Select the Storage tab. Select Hard disk 2 (the 30GB drive), then select Properties.

The ‘Hard disk 2’ Properties window opens.

  3. Select Size and Location. Adjust Size and select OK.

FortiGate VM Deployment example – OpenXen

Deployment example – OpenXen

Once you have downloaded the FORTINET.out.OpenXen.zip file and extracted virtual hard drive image file fortios.qcow2, you can create the virtual machine in your OpenXen environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine (VMM)

Create the FortiGate VM virtual machine (VMM)

To create the FortiGate VM virtual machine:

  1. Launch Virtual Machine Manager (virt-manager) on your OpenXen host server.

The Virtual Machine Manager home page opens.

  2. In the toolbar, select Create a new virtual machine.
  3. Enter a Name for the VM, FGT-VM for example.
  4. Ensure that Connection is localhost. (This is the default.)
  5. Select Import existing disk image.
  6.
  7. In OS Type select Linux.
  8. In Version, select Generic 2.4.x kernel.
  9. Select Browse.

The Locate or create storage volume window opens.

  10. Select Browse Local, find the fortios.qcow2 disk image file.
  11. Select fortios.qcow2 and select Choose Volume.
  12.
  13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The amounts must not exceed your license limits.
  14.
  15. Select Customize configuration before install. This enables you to make some hardware configuration changes before VM creation is started.
  16. Expand Advanced options. A new virtual machine includes one network adapter by default. Select Specify shared device name and enter the name of the bridge interface on the OpenXen host. Optionally, set a specific MAC address for the virtual network interface. Virt Type and Architecture are set by default and should be correct.
  17. Select Finish.

The virtual machine hardware configuration window opens.

You can use this window to add hardware such as network interfaces and disk drives.

  18. Select Add Hardware. In the Add Hardware window select Storage.
  19. Select Create a disk image on the computer’s hard drive and set the size to 30GB.
  20. Enter:
     - Device type: Virtio disk
     - Cache mode: Default
     - Storage format: raw
  21. Select Network to configure or add more network interfaces. The Device type must be Virtio.

A new virtual machine includes one network adapter by default. You can add more through the Add Hardware window. FortiGate VM requires four network adapters. You can configure network adapters to connect to a virtual switch or to network adapters on the host computer.

  22. Select Finish.
  23. Select Begin Installation. After the installation completes successfully, the VM starts and the console window opens.


FortiGate VM Deployment example – KVM

Deployment example – KVM

Once you have downloaded the FORTINET.out.kvm.zip file and extracted virtual hard drive image file fortios.qcow2, you can create the virtual machine in your KVM environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine

Configure FortiGate VM hardware settings

Start the FortiGate VM

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:

  1. Launch Virtual Machine Manager (virt-manager) on your KVM host server.

The Virtual Machine Manager home page opens.

  2. In the toolbar, select Create a new virtual machine.
  3. Enter a Name for the VM, FGT-VM for example.
  4. Ensure that Connection is localhost. (This is the default.)
  5. Select Import existing disk image.
  6. Select Forward.
  7. In OS Type select Linux.
  8. In Version, select a Generic version with virtio.
  9. Select Browse.
  10. If you copied the fortios.qcow2 file to /var/lib/libvirt/images, it will be visible on the right. If you saved it somewhere else on your server, select Browse Local and find it.
  11. Select Choose Volume.
  12. Select Forward.
  13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The amounts must not exceed your license limits. See FortiGate VM Overview.
  14. Select Forward.
  15. Expand Advanced options. A new virtual machine includes one network adapter by default. Select a network adapter on the host computer. Optionally, set a specific MAC address for the virtual network interface. Set Virt Type to virtio and Architecture to qcow2.
  16. Select Finish.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must add the log disk and configure the virtual hardware of your FortiGate VM.

To configure settings for FortiGate VM on the server:

  1. In the Virtual Machine Manager, locate the name of the virtual machine and then select Open from the toolbar.
  2. Select Add Hardware. In the Add Hardware window select Storage.
  3. Create a disk image on the computer’s hard drive and set the size to 30GB.
  4. Enter:
     - Device type: Virtio disk
     - Cache mode: Default
     - Storage format: raw
  5. Select Network to configure or add more network interfaces. The Device type must be Virtio.

A new virtual machine includes one network adapter by default. You can add more through the Add Hardware window. FortiGate VM requires four network adapters. You can configure network adapters to connect to a virtual switch or to network adapters on the host computer.

  6. Select Finish.

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in the list of virtual machines. In the toolbar, select Console and then select Start.

FortiGate VM High Availability Hyper-V configuration

High Availability Hyper-V configuration

Promiscuous mode and support for MAC address spoofing are required for FortiGate-VM for Hyper-V to support FortiGate Clustering Protocol (FGCP) high availability (HA). By default the FortiGate-VM for Hyper-V has promiscuous mode enabled in the XML configuration file in the FortiGate-VM Hyper-V image. If you have problems with HA mode, confirm that this is still enabled.

In addition, the FGCP applies virtual MAC addresses to FortiGate data interfaces, which means that matching interfaces of different FortiGate-VM instances have the same virtual MAC addresses, so you have to configure Hyper-V to allow MAC spoofing. Enable MAC spoofing only for FortiGate-VM data interfaces; do not enable it for FortiGate HA heartbeat interfaces.

With promiscuous mode enabled and the correct MAC spoofing settings you should be able to configure HA between two or more FortiGate-VM for Hyper-V instances.

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in the list of virtual machines, right-click, and select Start in the menu. Optionally, you can select the name of the FortiGate VM in the list of virtual machines and select Start in the Actions menu.
