Francesko
Staff
Article Id 365907
Description This article describes how to add and configure additional interfaces for 'Single VM' deployments of FortiGate in Azure.
Scope FortiGate, Single-VM FortiGate Azure.
Solution

By default, FortiGate deployments in Azure have only 2 NICs associated with them.

To add a NIC, the following requirements should be met:

  1. The virtual machine size should support more than 2 NICs. Refer to the 'Sizes for virtual machines in Azure' documentation to determine the maximum number of NICs supported for each VM series.
  2. A new interface should be created in the same resource group and region as the FortiGate VM.
  3. If a public IP is associated with the new NIC, it should have the same SKU as other public IPs attached to the FortiGate VM.
  4. To attach the interface to the FortiGate, the VM must be in a stopped state. This causes downtime, so a maintenance window is recommended to implement the changes.

The following steps must be followed to add an interface to the FortiGate VM:

Step 1: Create a new dedicated subnet in the FortiGate VNET. The size of the subnet may differ for each case, depending on the initial deployment.


Step 2: Create a new network interface by searching for 'Network interfaces' in the Azure search bar.

  • Virtual Network: Select FortiGate VNET.
  • Subnet: Select the new subnet created in step 1.
  • Private IPv4 address: The first three (3) IP addresses of the new subnet are reserved and cannot be used here.

Step 3: In the newly created interface, enable IP forwarding and, optionally, associate a public IP address with it.

Step 4: On the same interface, under the Network Security Group settings, select the NSG (Network Security Group) that the other FortiGate interfaces belong to.

Step 5: Stop the VM and attach the new interface to FortiGate by going to FortiGate VM -> Networking -> Network Settings -> Attach Network Interface.


Step 6: Turn on the VM and configure the network interface on the FortiGate side, with the IP and subnet used in Step 2.


Step 7: Adjust the static routes to match the newly created subnet and create a new default route to prevent asymmetric routing if a public IP is associated with the new interface.


Note:

The gateway IP for the new subnet is the first usable IP address.
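
Portal steps 1 to 5 above expressed with the Azure CLI, as an added example that is not part of the original article. The resource names and the 10.0.3.0/24 range are placeholders, the script assumes Azure's addressing convention in which the fifth address of a subnet is the first one a NIC can take, and the optional public IP from step 3 is left out.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of portal steps 1-5.
# Every name and the address range are placeholders (assumptions); edit them.
RG=fgt-rg VM=fgt-vm VNET=fgt-vnet NSG=fgt-nsg
SUBNET=port3-subnet NIC=fgt-port3 PREFIX=10.0.3.0/24

# DRY_RUN=1 prints each command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# nth_ip CIDR N: the address N places after the network address.
# Expects CIDR to start at the subnet's network address.
nth_ip() (
  IFS=. read -r a b c d <<EOF
${1%/*}
EOF
  v=$(( (a << 24) + (b << 16) + (c << 8) + d + $2 ))
  echo "$(( (v >> 24) & 255 )).$(( (v >> 16) & 255 )).$(( (v >> 8) & 255 )).$(( v & 255 ))"
)

# Azure keeps offsets 0-3 of every subnet (offset 1 is the gateway),
# so offset 4 is the first address a NIC can be given.
gateway_ip() { nth_ip "$PREFIX" 1; }
nic_ip()     { nth_ip "$PREFIX" 4; }

create_nic() {
  # Step 1: dedicated subnet in the FortiGate VNET.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n "$SUBNET" --address-prefixes "$PREFIX" || return 1
  # Steps 2-4: static private IP, IP forwarding on, same NSG as the other NICs.
  run az network nic create -g "$RG" -n "$NIC" --vnet-name "$VNET" \
    --subnet "$SUBNET" --private-ip-address "$(nic_ip)" \
    --ip-forwarding true --network-security-group "$NSG" || return 1
}

attach_nic() {
  # Step 5: downtime starts here; deallocate puts the VM in the stopped state.
  run az vm deallocate -g "$RG" -n "$VM" || return 1
  run az vm nic add -g "$RG" --vm-name "$VM" --nics "$NIC" || return 1
  run az vm start -g "$RG" -n "$VM" || return 1
}

# Run as "sh add-nic.sh apply"; without the argument nothing is changed.
if [ "${1:-}" = apply ]; then
  create_nic && attach_nic
  echo "Steps 6-7 on the FortiGate: interface IP $(nic_ip), gateway $(gateway_ip)"
fi
```

Setting DRY_RUN=1 before the apply run prints the five commands for review ahead of the maintenance window.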


If everything is configured correctly, both interfaces should be reachable from the internet.



'sriovslv1' in the packet sniffer means that the 'Accelerated Networking' feature is enabled for the NIC on Azure.