Description
This article describes how to deploy a FortiGate-VM in Hyper-V on Windows 10 to test a FortiGate in a simple setup.
A few documents and blogs exist about FortiGate-VM deployment on Hyper-V.
Scope
FortiGate VM, Windows 10, Hyper-V.
Note that using an evaluation license of FortiGate-VM has some limitations:
It is still possible to use a fully licensed FortiGate-VM if the feature or scaling being tested is not available in the evaluation license, or to have a more permanent 'lab setup' in Hyper-V.
Solution
To enable Hyper-V on the Windows 10 computer, see the Microsoft Learn article.
Download the FortiGate-VM from the Fortinet support page:
Go to Support -> Downloads -> VM Images. Select Product -> FortiGate. Select Platform -> Hyper-V.
Select the version needed. Download the .zip file with hyperv in the name.
Unzip the downloaded file in the Hyper-V directory.
Note the default path used by Hyper-V should be as follows:
C:\Users\Public\Documents\Hyper-V\
In this scenario, a C:\Hyper-V\ directory has been created. The pros and cons of using the C:\Users\Documents\ tree versus the C:\ drive are beyond the scope of this article. For example, a directory for which there are no backups has been used here because it will eventually hold multiple VMs with different Fortinet products and OSes.
Open the Hyper-V Manager and edit Virtual Switch: Go to Action -> Virtual Switch Manager.
There is a Default Switch configured as Internal Network in Hyper-V, which gives the VM access to the computer's network using NAT. A network is created and DHCP is available to provide an IP address to the VM.
A new virtual network switch with the External network type will be configured to bind one port of the FortiGate-VM with its own dedicated IP on the LAN in the same network as the Windows 10 computer. Using 'External' in the name of this virtual switch is recommended. In this scenario, a Wi-Fi adapter is the computer NIC used in the setup.
Go to Name -> External Virtual Switch Wi-Fi, select External networks and then select the appropriate network adapter. Do not deselect 'Allow management operating system to share the network adapter'.
Configure another virtual switch with the Private network type if needed. This type is internal only to Hyper-V (no communication can exit the computer).
Create the FortiGate-VM:
Go to Actions -> New -> Virtual Machine.
Select Next.
Under Names, enter 'FGT-VM1' (in this example).
Select Next.
Select Generation 1.
Select Next.
Under Startup memory, specify 2048 MB (a default value of 1024 MB may be enough for older versions).
Select Next.
Under Connection, select External Virtual Switch.
Select Next.
Select Use an existing virtual hard disk.
Select the fortios.vhd file (in the directory where it was unzipped).
Select Next.
Select Finish.
Start the FortiGate-VM by navigating to FGT-VM1 -> Start in the Hyper-V Manager.
Connect with the console.
Log in and configure a password. The default username/password combination is admin/[empty] (submit an empty password when prompted). Input a new password as requested.
This network uses DHCP. The VM received an IP directly on the LAN (external virtual switch):
Test to ensure Google DNS is 'pingable'. This step's results will differ in a setup that does not have direct Internet access.
In a CMD prompt, use ipconfig /all to identify the 2 virtual switches.
Note that the Default Switch uses a network configured automatically. This network is now attached internally to Hyper-V, so a collision may occur if a real network with the same IP is used in the topology.
Port2 of the FortiGate-VM has not yet been attached to an internal switch, so only the External Virtual Switch is used.
Next, return to the VM console. Note the output of the show command, which displays the configuration under config system interface. The interface is configured to obtain an IP address through DHCP, and the http and https access methods are allowed.
Next, try this from the GUI.
With newer versions, it will be necessary to provide the FortiCloud credentials to activate the evaluation license.
There is now a one-armed FortiGate-VM. This is probably not the topology desired. Stop the VM in Hyper-V Manager. Edit its settings and add a network adapter through Add Hardware if needed.
Do not forget to configure DHCP under Port2 if the Network Adapter added is using the Default Switch (with the internal type). The internal type uses NAT to exit the computer.
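The virtual switch, VM creation and second-adapter steps above can also be scripted with the Hyper-V PowerShell module. This is an added example, not part of the original article; the physical adapter name 'Wi-Fi', the disk location C:\Hyper-V\fortios.vhd and the adapter label 'port2' are assumptions to adjust to the local setup.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Names follow the article's scenario. Paths and adapter names are assumptions.
$VmName     = 'FGT-VM1'
$VhdPath    = 'C:\Hyper-V\fortios.vhd'        # assumed location of the unzipped disk
$ExtSwitch  = 'External Virtual Switch Wi-Fi'
$NetAdapter = 'Wi-Fi'                         # assumed name; list candidates with Get-NetAdapter

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $VhdPath)) {
    throw "Virtual disk not found: $VhdPath"
}

# External switch bound to the physical adapter and still shared with the host
# (the 'Allow management operating system to share the network adapter' box).
if (-not (Get-VMSwitch -Name $ExtSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $ExtSwitch -NetAdapterName $NetAdapter -AllowManagementOS $true | Out-Null
}

# Generation 1 VM, 2048 MB startup memory, existing disk,
# first network adapter attached to the external switch.
if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 2048MB `
           -VHDPath $VhdPath -SwitchName $ExtSwitch | Out-Null
}

# The article stops the VM before adding hardware; do the same here.
if ((Get-VM -Name $VmName).State -ne 'Off') { Stop-VM -Name $VmName }

# Second network adapter on the built-in Default Switch (internal type, NAT).
# 'port2' is only a Hyper-V label chosen to match the FortiGate interface.
$nics = @(Get-VMNetworkAdapter -VMName $VmName)
if ($nics.SwitchName -notcontains 'Default Switch') {
    Add-VMNetworkAdapter -VMName $VmName -SwitchName 'Default Switch' -Name 'port2'
}

Start-VM -Name $VmName

# Which switch each VM adapter is attached to, and the host-side addresses on
# the virtual switches (the same information 'ipconfig /all' shows).
Get-VMNetworkAdapter -VMName $VmName | Format-Table Name, SwitchName, MacAddress
Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'vEthernet*' |
    Format-Table InterfaceAlias, IPAddress, PrefixLength
```

The script is safe to re-run: the switch, the VM and the second adapter are created only when they do not already exist.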
Modify routing in the FortiGate-VM. A default route is configured with the default gateway provided by DHCP on the External Virtual switch (LAN).
The topology will look like this with Port2 configured in the default switch:
Note that the IP used by the NAT of the Default Switch and the IP used by the computer are the same. By using an External Virtual switch, it is possible to use DHCP from the Wi-Fi router or configure a static IP from the LAN.
Related document: Fortinet's Private FortiGate Cloud Microsoft Hyper-V administration guide.