Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nivedha
Staff
Staff

Created on ‎06-03-2025 11:05 PM

Article Id 392982

Technical Tip: Azure Role Requirements for FortiGate-VM

Description

This article describes how to reduce the Azure role permissions for a FortiGate-VM deployed in Microsoft Azure.

It outlines the minimum required permissions to support basic FortiGate functionality, along with guidance for deployments that include high availability or SDN connectors.
Scope FortiGate-VM in Microsoft Azure environments/
Solution

By default, FortiGate-VM may be assigned the Contributor role during deployment, which grants broad permissions across the resource group or subscription. This level of access can be excessive for a firewall appliance and may not align with the principle of least privilege.

 

The following example shows how to define a custom role in Azure with minimal required permissions for basic FortiGate-VM operation.

 

Minimal Required Permissions (Custom Role).


The JSON definition below includes only the permissions necessary for FortiGate-VM to operate in a basic configuration:

 

{ "Name": "FortiGateMinimalRole", "IsCustom": true, "Description": "Minimal permissions for FortiGate firewall in Azure.", "Actions": [ "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/publicIPAddresses/*", "Microsoft.Network/routeTables/*", "Microsoft.Network/networkSecurityGroups/*", "Microsoft.Network/virtualNetworks/*", "Microsoft.Compute/virtualMachines/read", "Microsoft.Resources/subscriptions/resourceGroups/read" ], "NotActions": [], "AssignableScopes": ["/subscriptions/{your-subscription-id}"]

 

Replace/subscriptions/{your-subscription-id} with the appropriate subscription ID.

 

Additional Permissions (If Required).

Additional permissions may be required depending on specific deployment features:

  • High Availability: Microsoft.Compute/availabilitySets/* Microsoft.Network/loadBalancers/*
  • Diagnostics or SDN Connector: Microsoft.Insights/* Microsoft.Authorization/roleAssignments/read

 

Related documents:
Deploying FortiGate-VM on Azure

SDN connector integration with Azure

HA for FortiGate-VM on Azure
272
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.