Azure FAQ

Which products are currently supported in Azure?

1. FortiGate (version 5.2, BYOL)
2. FortiWeb (version 5.7, BYOL)
3. FortiMail (version 5.3, BYOL)
4. FortiAnalyzer (version 5.4, BYOL)
5. FortiManager (version 5.4, BYOL)

Will there be an on-demand/pay as you go option in Azure?

Yes. FortiGate will be the first PAYG offer in Azure, and we have plans to support FortiWeb PAYG as well.

When will Azure support FortiGate version 5.4 or 5.6?

We are working on an Azure special build of 5.4, which should be published in Q2 of CY 2017.  5.6.1 for Azure is expected to be released some time this summer.

Is there an HA option in Azure for FortiGate?

Yes, but the configuration is unique to public cloud. See (https://fusecommunity.fortinet.com/p/fo/st/thread=8346&post=23125&posted=1#p23125) for details.

The Azure marketplace offerings don't fit my architecture, can I upload an Hyper-V image and do a custom deployment?

Technically, this should work, but it would not be a supported deployment.  The marketplace image is certified by both Microsoft and Fortinet for Azure deployments.  It also contains a custom, hardened Azure agent. 

You can, however, use the Azure marketplace image with a custom deployment.  Here are some customized template sets:
https://github.com/fortinetclouddev/FortigateAzureTemplate/tree/8NICSingleVM
https://github.com/fortinetclouddev/FortigateAzureTemplate/tree/5.3.5wAvailSetOption
https://github.com/fortinetclouddev/FortigateAzureTemplate/tree/USGovCloudSingleVM

I want more network interfaces.  How do I add interfaces to a virtual appliance in Azure?

Azure doesn't support adding an interface after the fact.  There are some instructions on third party sites for doing this, however results vary.

This recently changed.  Azure now supports adding secondary vNICs after initial deployment.  For more information, see the sub-heading "Add NIC to existing VM" in the following support document: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/multiple-nics

How many network interfaces can I have?

Azure supports different numbers of network interfaces depending on instance size selected.  For D2 or D2v2, Azure supports up to 2 NICs; For D3 or D3v2, Azure supports up to 4 NICs; For D4 or D4v2, Azure supports up to 8 NICs.

If I redeploy, will my license still work?

Yes, the same license file will work provided you only have one virtual appliance running with that license at a time.

You can re-download the license from support.fortinet.com if you no longer have it.

I want to add a FortiGate to an existing availability set.  How can I do this?

Because Azure no longer allows template sets in the marketplace to deploy to existing resource groups, this requires a custom template deployment.  Here's a sample template set for this purpose:
https://github.com/fortinetclouddev/FortigateAzureTemplate/tree/5.3.5wAvailSetOption

How do I use a custom template?

1. Access the Azure portal and sign in with an Azure account that has administrative privileges.
2. In the left navigation pane, select (+) New
3. In the "search the marketplace" field, enter "template"
4. Select "Template deployment"
5. In the "Results" section returned, select "Template deployment"
6. Select "Create"

You will now be in the "Deploy from a custom template" section :

1. Select "Edit"
2. In the template set samples linked above, there is a maintemplate.json. The other templates are used when the template branches.  For example, if you are deploying to a new virtual network, the vnet-new file gets called. To deploy one of these go to the raw version of the maintemplate (example: https://raw.githubusercontent.com/fortinetclouddev/FortigateAzureTemplate/5.3.5wAvailSetOption/mainT...).
3. Copy the contents of this JSON file (ALL 300+ lines of code)
4. Paste this content into the "Edit template" section, replacing the contents that is already there (6 lines of code)
5. Select "Save"
6. Now complete the parameters (which are environment specific variables)

Once you have entered and completed the information required :

1. Select "I agree to the terms and conditions stated above"
2. Select "Purchase"

Why does my license show up as invalid?

When you acquire a license (either eval or purchased), you will receive a pdf file with an activation code and instructions for registering.  This is not a license file, and if you try to use it, you will get an error.  To register the license, and download the .lic file, go to support.fortinet.com.

Once a license is registered, it can take up to 30 minutes for it to become active on the FortiGuard servers.  If you deploy the license file within the 30 minute window, you will get an error.  Should that happen, you don't need to take any action - after the 30 minutes the license will begin to function and you should be able to login.

Another possible reason for license error is if you have purchased the wrong license for the Azure instance type.  Fortinet licenses are based on the number of CPUs, so a VM02 license will only work on a D2 or D2v2 instance. VM04 will work on D2, D2v2, D3, or D3v2.  VM08, will work on any D2/D2v2 through D4/D4v2 instance type.

Is it possible to support more security zones without adding network interfaces?

Yes.  The Azure virtual switch, which is the core network component of all IaaS deployments, can route packets from any subnet to the FortiGate.  So, a subnet which is not directly attached can still have a FortiGate IP as a next hop, configured in a user defined route table.  You can create a separate route table for each subnet.  As such you could send packets from subnet 3 to subnet 4 through port2 of the FortiGate, and you could send packets from subnet 4 to subnet 3 through the same port (port2) of the FortiGate.  On the FortiGate, you would need to configure a route to subnets 3 and 4 out port2 (the gateway would be the first IP of port2's subnet), and you would need to configure a policy allowing and/or inspecting traffic inbound on port2 from subnet 3 and outbound on port2 to subnet4.  This can be difficult to understand, but does work well.