Technical Tip: Deploying FortiAuthenticator-VM on Google Cloud Platform
Description
This article describes how to deploy a FortiAuthenticator-VM on Google Cloud Platform (GCP) using a KVM disk image, including image conversion, upload, Compute Engine image creation, and initial route verification.
Scope
FortiAuthenticator-VM, Google Cloud Platform.
Prerequisites:
qemu-tools.
gcloud CLI and a GCP account.
GNU tar (the macOS built-in tar is not suitable).
Solution
Set the following environment variables before proceeding:
export PROJECT="NAME_OF_GOOGLE_PROJECT"
export STORAGE="NAME_OF_GOOGLE_STORAGE_ACCOUNT"
export REGION="NAME_OF_GOOGLE_REGION_TO_USE"
Step 1: Download the KVM image.
Obtain the KVM image from the Fortinet support portal. For example:
FAC_VM_KVM-v8-build0033-FORTINET.out.kvm.zip
Step 2: Unpack, convert, repack, and upload the image.
Convert the qcow2 disk image to raw format, create a GNU tar archive, and upload it to the GCS bucket.
unzip FAC_VM_KVM-v8-build0033-FORTINET.out.kvm.zip
cd FAC_VM_KVM-v8-build0033-FORTINET.out.kvm
qemu-img convert -f qcow2 -O raw fackvm.qcow2 disk.raw
tar --format=oldgnu -Sczf fac-v8-build0033.tar.gz disk.raw
gsutil cp fac-v8-build0033.tar.gz gs://$STORAGE
Step 3: Create a Google Compute image.
Import the uploaded archive as a custom Compute Engine disk image.
gcloud compute images create fac-v8-build0033 --source-uri=https://storage.googleapis.com/$STORAGE/fac-v8-build0033.tar.gz --storage-location=$REGION
Step 4: Create a VM from the custom image.
In the Google Cloud Console or via gcloud, create a new VM instance based on the custom image created in Step 3. Attach a secondary empty disk to the instance.
Step 5: Log in via serial console.
Access the VM using the GCP serial console. This is required for initial configuration since network access may not yet be available.
Step 6: Verify static route configuration.
Run the following command to check that the static route is present in the FortiAuthenticator configuration:
show router static
The route should appear in the configuration output.
Step 7: Verify the route is not yet active in the routing table.
Run the following command to confirm the route is inactive in the kernel routing table at this stage:
diagnose netlink route list
The route should not appear as active. This is expected behavior at this point in the deployment.
Note: The difference between Steps 6 and 7 confirms that the static route exists in the FortiAuthenticator configuration but has not yet been installed into the active routing table. This is normal during initial deployment.
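Added example (not part of the original article and not Fortinet tooling): a check to run on the Step 1 and Step 2 artifacts before the upload. It compares the downloaded zip against a SHA-256 value obtained from the vendor and confirms that the archive holds exactly one regular file named disk.raw, which is the layout Compute Engine expects when importing a raw disk. The function names and the EXPECTED_SHA256 placeholder are assumptions, as is the availability of sha256sum from GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for the artifacts produced in Steps 1 and 2.
# Function names are hypothetical; sha256sum (GNU coreutils) is assumed.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
}

# verify_gce_archive ARCHIVE
# Returns 0 only if the gzip stream is intact and the archive contains
# exactly one member: a regular file named disk.raw at the top level.
verify_gce_archive() {
    local archive="$1" listing
    gzip -t "$archive" 2>/dev/null || { echo "not a valid gzip stream: $archive" >&2; return 1; }
    listing=$(tar -tvzf "$archive") || return 1
    if [ "$(printf '%s\n' "$listing" | wc -l)" -ne 1 ]; then
        echo "expected exactly one archive member, found:" >&2
        printf '%s\n' "$listing" >&2
        return 1
    fi
    # A verbose listing line starts with '-' for a regular file and ends with
    # the member name; sub/disk.raw, ./disk.raw and symlinks are all rejected.
    case "$listing" in
        -*' disk.raw') return 0 ;;
        *) echo "member must be a regular file named disk.raw" >&2; return 1 ;;
    esac
}

# Usage with the file names from this article (EXPECTED_SHA256 is a
# placeholder for the value shown on the vendor download page):
#   verify_sha256 FAC_VM_KVM-v8-build0033-FORTINET.out.kvm.zip "$EXPECTED_SHA256" &&
#   verify_gce_archive fac-v8-build0033.tar.gz &&
#   gsutil cp fac-v8-build0033.tar.gz "gs://$STORAGE"
```

Running the checksum check before unzip and the archive check before gsutil cp stops a tampered download or a malformed archive from becoming the base image of the authentication server.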
