Description
This article describes how to deploy a FortiGate-VM in Hyper-V on Windows 10 to test a FortiGate in a simple setup.
A few documents and blogs exist about FortiGate-VM deployment on Hyper-V.
Scope
FortiGate VM, Windows 10, Hyper-V.
Note that using an evaluation license of FortiGate-VM has some limitations:
It is still possible to use a fully licensed FortiGate-VM if what needs to be tested is not available in the evaluation license, or to have a more permanent 'lab setup' in Hyper-V.
Solution
Enable Hyper-V on the Windows 10 computer: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
Download the FortiGate-VM from Fortinet:
Go to Support -> Downloads -> VM Images. Select Product -> FortiGate. Select Platform -> Hyper-V.
Select the version needed. Download the one zipped with hyperv in the name.
Unzip the downloaded file in the Hyper-V directory.
Note the default path used by Hyper-V should be: C:\Users\Public\Documents\Hyper-V\
In this scenario, a C:\Hyper-V\ directory has been created. The pros and cons of using the C:\Users\Documents\ tree versus the C:\ drive are out of scope; in this case, a directory that is not backed up has been used, because it will eventually hold a few VMs with different Fortinet products and OSes.
- Open Hyper-V Manager, edit Virtual Switch: Go to Action -> Virtual Switch Manager.
There is a Default Switch configured as Internal Network in Hyper-V; it gives the VM access to the computer's network using NAT. A network is created and DHCP is available to assign an IP to the VM.
A new virtual network switch of the type External network will be configured to bind one port of the FortiGate-VM, with its own dedicated IP, to the LAN in the same network as the Windows 10 computer. Using 'External' in the name of this virtual switch makes sense. In this scenario, a Wi-Fi adapter has been used; adapt this to the computer NIC used in the setup.
Go to Name -> External Virtual Switch Wi-Fi, select 'External networks' and then select the appropriate network adapter. Do not deselect Allow management operating system to share the network adapter.
Configure another virtual switch of type Private network if needed. This type is internal only to Hyper-V (no communication can exit the computer).
- Create the FortiGate-VM: Go to Actions -> New -> Virtual Machine.
Next >
Names -> FGT-VM1. Next >
Generation 1. Next >
Startup memory -> 2048 MB (default of 1024 may work with older versions). Next >
Connections -> External Virtual Switch. Next >
Select Use an existing virtual hard disk. Select the fortios.vhd file (where it is unzipped). Next >
Finish.
- Start the FortiGate-VM. FGT-VM1 -> Start.
- Connect with the console.
- Log in and configure a password. The default username/password is admin/[empty]; input a new password as requested.
This network uses DHCP, the VM got an IP directly on the LAN (External virtual switch):
Even Google DNS is 'pingable', good (may vary in your setup if you don't have direct Internet access).
In a CMD prompt, ipconfig /all will identify the 2 virtual switches.
Note the Default Switch uses a network configured automatically. This network is now attached internally to Hyper-V, so a collision may happen if a real network with the same IP range is used in the topology.
Port2 of the FortiGate-VM has not yet been attached to an internal switch, so just the External Virtual Switch is used.
Back in the VM console, note the output of the show command, which displays the configuration under # config system interface. The DHCP mode allowed the interface to obtain an IP address, and HTTP and HTTPS are enabled as access methods.
Let's try from the GUI.
With newer versions, it will be necessary to provide the FortiCloud credentials to activate the evaluation license.
There is now a one-armed FortiGate-VM. This is probably not the topology wanted. Stop the VM in Hyper-V Manager, edit its settings, and add a Network Adapter via Add Hardware if needed.
Do not forget to configure DHCP under Port2 if the added Network Adapter uses the Default Switch (type internal). As a recap, the internal type uses NAT to exit the computer.
Modify routing in the FortiGate-VM: a default route is configured with the default gateway provided by DHCP on the External Virtual Switch (i.e. LAN).
- How it looks with Port2 configured in Default switch:
Note that the IP used by the NAT of the Default Switch and the IP used by the computer are the same. By using an External Virtual switch, it is possible to use DHCP from the Wi-Fi router or configure a static IP from the LAN.
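The Hyper-V Manager steps above (external switch, Generation 1 VM on the existing disk, second adapter on the Default Switch) can also be scripted with the Hyper-V PowerShell module. This is an added example, not part of the original article; the adapter name 'Wi-Fi', the disk location C:\Hyper-V\fortios.vhd, and the mapping of the second adapter to Port2 are assumptions to adjust for the host.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps. Values marked
# "assumption" are not from the article and must match the local host.
$ErrorActionPreference = 'Stop'

$AdapterName    = 'Wi-Fi'                          # assumption: physical NIC name, see Get-NetAdapter
$ExternalSwitch = 'External Virtual Switch Wi-Fi'  # switch name used in the article
$VmName         = 'FGT-VM1'                        # VM name used in the article
$VhdPath        = 'C:\Hyper-V\fortios.vhd'         # assumption: where the zip was extracted

# Fail early if the FortiGate disk is not where we expect it.
if (-not (Test-Path -LiteralPath $VhdPath)) {
    throw "Virtual disk not found: $VhdPath"
}

# External switch bound to the physical adapter. AllowManagementOS stays
# enabled so the Windows host keeps its own connectivity on that NIC.
if (-not (Get-VMSwitch -Name $ExternalSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $ExternalSwitch -NetAdapterName $AdapterName `
                 -AllowManagementOS $true | Out-Null
}

# Generation 1 VM, 2048 MB startup memory, existing VHD, first adapter
# connected to the external switch (receives a LAN address via DHCP).
if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 2048MB `
           -VHDPath $VhdPath -SwitchName $ExternalSwitch | Out-Null
}

# The second adapter is added while the VM is off, as in the article.
# Refuse to continue rather than power off a running FortiGate-VM.
if ((Get-VM -Name $VmName).State -ne 'Off') {
    throw "$VmName is running; stop it in Hyper-V Manager first."
}

# Second adapter on the built-in Default Switch (internal, NAT).
# Assumption: FortiOS presents it as Port2.
if (@(Get-VMNetworkAdapter -VMName $VmName).Count -lt 2) {
    Add-VMNetworkAdapter -VMName $VmName -SwitchName 'Default Switch'
}

Start-VM -Name $VmName

# Show which virtual switch each adapter is attached to.
Get-VMNetworkAdapter -VMName $VmName |
    Format-Table Name, SwitchName, MacAddress, Status
```

The script is safe to re-run: existing switches, VMs and adapters are detected and left unchanged.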
Copyright 2023 Fortinet, Inc. All Rights Reserved.