Cybersecurity Forum


MartTwom
Staff

FortiGate Azure VM Deployment Step by Step

See the attached pdf for screenshots.

Step 1: Log in to Azure Preview Portal (https://portal.azure.com)

Step 2: Click “New”

Step 3: Select “MarketPlace”

Step 4: Search for FortiGate

Step 5: Click Create

Step 6: Fill in Basics

Step 7: Configure Network and Storage Settings

Virtual Network: Here, you can either create a new Virtual Network or select an existing one. If you select an existing virtual network, it will need to have at least two subnets in order for the FortiGate to route between them. In a typical deployment, the “outside” subnet just connects the FortiGate outside interface to the Azure Public Load Balancer. Thus, it does not need to be very large.

Machine Size: The prices listed for machine sizes are for the instance usage only. The FortiGate license must be purchased through a Fortinet partner. The machine size is limited to those options which support multiple NICs. As MS adds more interfaces to smaller instance types, we will enable them. If more than two NICs are required, you will need to deploy a custom template at this point. Please contact the Azure team (azuretech@fortinet.com) for assistance.

Storage Account: You can create a new storage account or select an existing one. All resources should be in the same location (in this example: East US).

Step 8: Configure IP Settings

Public IP Address: Typically, this will be associated with a load balancer and will be used to access your FortiGate from the internet (as well as resources behind it). If you are using an ExpressRoute or Azure VPN to access your virtual network, you may prefer to select “none”.

Public IP Address Type: A ‘Static’ public IP address will be reserved across reboots and shutdown states. A ‘Dynamic’ address will be reassigned.

Outside and Inside Addresses: These fields are prepopulated with the first useable address in the subnet (Azure uses the first three addresses in each subnet). However, if deploying to an existing subnet, this address may be in use already. You must verify that the IP addresses are available and in the correct subnet as this level of verification is not yet available within the Marketplace deployment logic.

Step 9: View Summary

Step 10: Click “Create”

Note: Purchase just means that you are going to be paying Azure for the virtual machine use time. You still must obtain a license separately from Fortinet (See Step 15).

Step 11: Wait

This typically takes around 10 minutes, but may vary depending on location and number of resources requested.

Step 12: Once deployed, you should be redirected to a screen which shows all the resources instantiated by the template.

Step 13: Select the public IP resource to get your DNS name or public IP address

Step 14: Connect to your Azure FortiGate virtual appliance via HTTPS or SSH

Note: The template also redirects ports 500, 4500, and 1701 to the FortiGate in order to support VPN connections. Additional ports can be added in the load balancer NAT rules post deployment.

Step 15: License your Azure FortiGate virtual appliance

Currently our Azure Marketplace deployment only supports BYOL licenses. This means you will need to purchase Azure-specific licenses for the virtual appliance. The licenses are FG-VM02-AZ, FG-VM04-AZ and FG-VM08-AZ.

Note: If you have a mismatch between the VM size and the license (i.e. more CPUs assigned to the VM than are licensed), you will receive an error message, and the FortiGate configuration will not be accessible.

For information on adding NAT Rules to the load balancer see the attached PDF (AzureNATRules.pdf).
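Step 8 above leaves it to the operator to confirm that the outside and inside addresses are free and in the right subnet. The following is an added example, not part of the original post or of Fortinet's template: a pre-deployment check for IPv4 subnets, in which the function names, sample subnets and the `in_use` list (taken from your own inventory of assigned addresses) are all constructed assumptions.

```python
import ipaddress

# Azure keeps the network address, the next three addresses and the
# broadcast address of every subnet, so the first usable host is network + 4.
AZURE_RESERVED_AFTER_NETWORK = 3

def first_usable(subnet_cidr):
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.network_address + 1 + AZURE_RESERVED_AFTER_NETWORK

def check_address(candidate, subnet_cidr, in_use=()):
    """Return a list of problems for one address; an empty list means it is usable."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        return [f"{addr} is outside {net}"]
    problems = []
    offset = int(addr) - int(net.network_address)
    if offset <= AZURE_RESERVED_AFTER_NETWORK or addr == net.broadcast_address:
        problems.append(f"{addr} is reserved by Azure in {net}")
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        problems.append(f"{addr} is already assigned")
    return problems

def check_plan(plan, subnets, in_use=()):
    """Check the outside/inside pair entered in the Marketplace form."""
    report = {role: check_address(plan[role], subnets[role], in_use)
              for role in ("outside", "inside")}
    outside = ipaddress.ip_network(subnets["outside"])
    inside = ipaddress.ip_network(subnets["inside"])
    # The FortiGate routes between two subnets, so they must be distinct.
    report["subnets"] = (["outside and inside subnets overlap"]
                         if outside.overlaps(inside) else [])
    return report

if __name__ == "__main__":
    # Constructed sample values for an existing virtual network.
    subnets = {"outside": "10.0.0.0/28", "inside": "10.0.1.0/24"}
    in_use = ["10.0.1.4"]  # e.g. another NIC already holds the first usable address
    plan = {"outside": str(first_usable(subnets["outside"])),
            "inside": str(first_usable(subnets["inside"]))}
    for item, problems in check_plan(plan, subnets, in_use).items():
        print(item, "OK" if not problems else "; ".join(problems))
```
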

1 REPLY
Tyrovan
New Contributor

Can you automate this process?

Tyrone

 


In Reply to Martin Twombly:
