FortiManager
fgallardo1 (Staff)
Article Id 345362

Description: This article describes how to deploy and troubleshoot FortiManager on Oracle Cloud Infrastructure (OCI).
Scope: FortiManager v7.0.6.
Solution

The following steps describe how to deploy a new FortiManager instance on Oracle Cloud Infrastructure (OCI).

1. Sign in to the Oracle Cloud (OCI) console at https://www.oracle.com/mx/cloud/sign-in.html.

2. In the OCI console, go to Networking -> Virtual Cloud Networks.

Create a Compartment if needed.

3. To create a new compartment, go to Identity & Security -> Identity -> Compartments in the OCI console and select 'Create compartment'.
4. Fill in the Name and Description fields and confirm the compartment creation.
5. Go back to Networking -> Virtual Cloud Networks and select 'Start VCN Wizard'.

6. Fill in the fields as described below and select Next:

Basic information -> VCN name: internal_lab.

Compartment: ETAC-LATAM.

Configure VCN -> VCN IPv4 CIDR block: 10.0.0.0/16.

DNS resolution -> Check the 'Use DNS hostnames in this VCN' option.

Configure public subnet -> IPv4 CIDR block: 10.0.0.0/24.

Configure private subnet -> IPv4 CIDR block: 10.0.1.0/24.

7. Review the configuration and select 'Create'. When the wizard is used, the instance receives a dynamic IP address from the public subnet.
8. From Networking -> Virtual Cloud Networks, select the internal_lab VCN.
9. Go to the Resources menu -> Security Lists -> Default Security List for internal_lab -> Ingress Rules, select 'Add Ingress Rules', and fill in the fields as shown below:

Source Type: CIDR.

Source CIDR: 0.0.0.0/0 (all possible source IPs).

IP Protocol: TCP.

Source Port Range: All.

Destination Port Range: 443.

10. Select 'Add Ingress Rule'.
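
The rule above opens TCP/443 to every source address. As an added example (not code from the article, Fortinet or Oracle), the following Python script audits a list of ingress rules, written as dictionaries that mirror the fields of the OCI 'Add Ingress Rules' form, and flags any rule that lets sources outside a trusted administrator prefix reach a management port. The admin prefix 203.0.113.0/24 and the rule records are constructed placeholders, not values from the article or from any OCI API.

```python
"""Audit OCI security-list ingress rules for over-broad management exposure.

Added example; not code from the original article, Fortinet or Oracle.
The rule records are constructed by hand to mirror the fields typed into
the OCI 'Add Ingress Rules' form (source type, source CIDR, IP protocol,
source/destination port range); they are not the JSON an OCI API returns.
"""
import ipaddress

# Management-plane ports to treat as sensitive: 443 is the FortiManager
# GUI port the article opens; 22 is SSH.
MANAGEMENT_PORTS = {22, 443}


def port_range_covers(port_range, port):
    """True if an OCI port-range string ('All', '443' or '440-450') covers port."""
    text = port_range.strip()
    if text.lower() == "all":
        return True
    lo, _, hi = text.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def is_overly_permissive(rule, trusted_sources):
    """Flag a rule that lets sources outside trusted_sources reach a management port.

    Only CIDR-type TCP (or ALL-protocol) rules are considered; ICMP and UDP
    rules do not expose the GUI and are passed through.
    """
    if rule["source_type"] != "CIDR":
        return False
    if rule["protocol"].upper() not in ("TCP", "ALL"):
        return False
    if not any(port_range_covers(rule["dest_port_range"], p) for p in MANAGEMENT_PORTS):
        return False
    source = ipaddress.ip_network(rule["source_cidr"], strict=False)
    trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_sources]
    # Acceptable only when the rule's source prefix sits inside a trusted prefix.
    return not any(source.version == t.version and source.subnet_of(t) for t in trusted)


def audit(rules, trusted_sources):
    """Return the rules that should be narrowed before the instance goes live."""
    return [r for r in rules if is_overly_permissive(r, trusted_sources)]


# Constructed sample: the article's rule (any source to TCP/443), the same
# rule narrowed to an admin prefix, and an ICMP rule for comparison.
TRUSTED_ADMIN_PREFIXES = ["203.0.113.0/24"]  # placeholder admin network
SAMPLE_RULES = [
    {"source_type": "CIDR", "source_cidr": "0.0.0.0/0", "protocol": "TCP",
     "source_port_range": "All", "dest_port_range": "443"},
    {"source_type": "CIDR", "source_cidr": "203.0.113.0/24", "protocol": "TCP",
     "source_port_range": "All", "dest_port_range": "443"},
    {"source_type": "CIDR", "source_cidr": "0.0.0.0/0", "protocol": "ICMP",
     "source_port_range": "All", "dest_port_range": "All"},
]

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES, TRUSTED_ADMIN_PREFIXES):
        print(f"narrow this rule: {rule['source_cidr']} -> "
              f"{rule['protocol']}/{rule['dest_port_range']}")
```

Only the first rule is reported: narrowing its Source CIDR from 0.0.0.0/0 to the administrator network is the change the audit prompts, while the ICMP rule passes because it exposes no management port.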

11. Go to the Fortinet support site at https://support.fortinet.com/ and select Support -> Firmware Download -> FortiManager -> Download -> 7.0.0 -> 7.0 -> 7.0.6.
12. Download the file FMG_VM64_OPC-v7.0.6-build0372-FORTINET.out.OpenXen.zip.
13. Unzip the file to obtain the image fmg.qcow2.
14. In OCI, go to Storage -> Object Storage & Archive Storage and select 'Create Bucket'.

Fill in the fields as follows:

Bucket name: bucket-fmg.

Default Storage Tier: Standard.

Encryption: Encrypt using the Oracle Managed Keys.

Select Create Bucket.

15. Select the bucket 'bucket-fmg' and then Upload.

16. Select the downloaded image fmg.qcow2 and then Upload.

17. Select the object FMGIMAGEfmgqcow2, open its menu options, and select View Object Details:

18. Copy the URL Path (URI): https://objectstorage.us-ashburn-1.oraclecloud.com/n/fortinetoraclecloud1/b/bucket-fmg/o/FMGIMAGEfmg...
19. From OCI, go to Compute -> Custom Images, select 'Import image', and fill in the fields as follows:

Create in Compartment: ETAC-LATAM.

Name: imported-image-20230606-2004-FortiManager.

Operating system: Generic Linux.

Import from an Object Storage URL: https://objectstorage.us-ashburn-1.oraclecloud.com/n/fortinetoraclecloud1/b/bucket-fmg/o/FMGIMAGEfmg...

Image Type: QCOW2.

Launch mode: Emulated.

20. Select 'Import Image'.

21. Select 'Create Instance' and fill in the following information:

Name: instance-20230606-2022-FortiManager.

Create in Compartment: ETAC-LATAM.

Placement:

Availability Domain: AD1.

Leave 'Show advanced options' at the default.

Leave Security at the default.

Under Image and shape, confirm that the image is imported-image-20230606-2004-FortiManager. Select Change shape -> Browse all shapes -> Instance Type: Virtual Machine.

Shape series: select 'Specialty and previous generation'.

Select the shape: VM.Standard2.2 (VM.Standard2.2 is only an example; choose the shape that matches the sizing needs).

Networking:

Virtual cloud network: internal_lab. Subnet: public subnet-internal_lab. Public IPv4 address: enable 'Assign a public IPv4 address'.

Show advanced options: it is possible to assign an IP address to the instance beforehand by selecting Show advanced options.

For this example, OCI assigns the IP address dynamically, so leave 'Show advanced options' at the default.

This address does not change during the instance's lifetime and cannot be removed from the instance. The private IP object is terminated when the instance is terminated.

22. Save the SSH keys.

23. Select Create and wait until the instance is initialized. Once it is in the Running state, the public and private IP addresses are shown.
24. Access the FortiManager GUI at https://<public IPv4 address>.

Use admin as the user and the OCID as the password:

25. Change the default password to a new one.
26. From the FortiManager GUI, go to System Settings -> Dashboard -> Upload license file.

Make sure that the license file matches the IP address assigned to the instance. To edit the IP address for the license file, go to the support site -> Asset Management -> View Products -> FortiManager serial number -> Edit Product Information -> IP address:

27. Add a disk to FortiManager. From the OCI menu, go to Storage -> Block Storage -> Block Volumes -> Create Block Volume:

Fill in the fields as follows:

Name: LogDiskFMG.

Create in Compartment: ETAC-LATAM.

Availability domain: www:l:US-ASHBURN-AD-1.

Volume size and performance: Custom.

Volume size: 200 GB.

Leave the rest of the fields at the default.

28. Confirm with Create Block Volume.
29. Go back to the FortiManager instance: from Compute -> Instances, select instance-20230608-2040-FortiManager -> Resources -> Attached block volumes.
30. Select Attach block volume, choose the following options, and select Attach:

Volume: Select the volume.

Attachment Type: Emulated.

Access: Read/write.

31. Reboot FortiManager and open the CLI widget in the GUI. Confirm that the 200 GB disk is shown as used; if it is shown as unused, execute the following command, after which the system will reboot: exec lvm start

32. Upgrade the system if needed. From the FortiManager GUI, go to System Settings -> Dashboard -> System Information.

Under Firmware version, select v7.0.7 and OK.

Monitor the upgrade process over the Cloud Shell console connection.

Troubleshooting

Developer Tools:

Test GUI access: from the Chrome browser -> Settings -> Developer Tools -> Console.

Try to access the FortiManager GUI over port 443 and look at the status code.

Security Lists:

Validate whether the security list ingress/egress rules allow the traffic through OCI.

Below is the response when there is no access rule allowing the traffic on port 443.

Oracle Cloud Shell:

From OCI, go to Compute -> Instances -> Instance details -> Resources -> Console connection.

Select Launch Cloud Shell connection.

Log in to FortiManager with the admin user and the password defined in the previous steps.

Egress connectivity:

1. Get the gateway IP by executing the following command:

FMG-VM64-OPC # diag sys route list
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 port1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 port1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 svr_fgfm
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 svr_fgfm
169.254.169.254 169.254.169.254 255.255.255.255 UGH   0      0        0 port1

2. Ping the gateway by executing the following command:

FMG-VM64-OPC # exec ping 169.254.169.254
PING 169.254.169.254 (169.254.169.254): 56 data bytes
64 bytes from 169.254.169.254: seq=0 ttl=64 time=0.426 ms
^C
--- 169.254.169.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.426/0.426/0.426 ms

3. Traceroute to a public IP address, such as a public DNS server:

FMG-VM64-OPC # exec traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 32 hops max, 84 byte packets
 1  140.204.193.178  0 ms  1 ms  0 ms
 2  4.16.72.246  11 ms  15 ms  46 ms
 3  4.16.72.245  0 ms  1 ms  1 ms
 4  4.69.140.117  1 ms  1 ms  0 ms
 5  4.2.2.2  0 ms  0 ms  0 ms

Ingress connectivity:

Run the sniffer while trying to access the FortiManager GUI, capture the traffic, and check whether the TCP connection is established.

FMG-VM64-OPC # diag sniffer packet any ' port 443 ' 3
interfaces=[any]
filters=[ port 443 ]
20.422874 200.94.81.XX.62672 -> 10.0.0.XX.443: syn 2437467793
0x0000   0000 0000 0001 0000 1749 ec62 0800 4500        .........I.b..E.
0x0010   0034 e9c0 4000 6d06 0023 c85e 5155 0a00        .4..@.m..#.^QU..
0x0020   002d f4d0 01bb 9148 ce91 0000 0000 8002        .-.....H........
0x0030   faf0 f9d8 0000 0204 05b4 0103 0308 0101        ................
0x0040   0402                                           ..

20.422932 10.0.0.XX.443 -> 200.94.81.XX.62672: syn 419992761 ack 2437467794
0x0000   0000 0000 0000 0200 1715 5ad4 0800 4500        ..........Z...E.
0x0010   0034 0000 4000 4006 16e4 0a00 002d c85e        .4..@.@......-.^
0x0020   5155 01bb f4d0 1908 94b9 9148 ce92 8012        QU.........H....
0x0030   6900 2407 0000 0204 2300 0101 0402 0103        i.$.....#.......
0x0040   030a                                           ..

20.490948 200.94.81.XX.62672 -> 10.0.0.XX.443: ack 419992762
0x0000   0000 0000 0001 0000 1749 ec62 0800 4500        .........I.b..E.
0x0010   0028 e9c1 4000 6d06 002e c85e 5155 0a00        .(..@.m....^QU..
0x0020   002d f4d0 01bb 9148 ce92 1908 94ba 5010        .-.....H......P.
0x0030   0402 83c8 0000 0000 0000 0000                  ............
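
The egress and ingress checks above can be verified programmatically. The following Python script, an added example that is not part of the article or of any Fortinet tooling, parses the 'diag sys route list' output to find the default gateway (10.0.0.1 on port1 in the capture above) and parses the 'diag sniffer packet' summary lines to confirm that the SYN, SYN-ACK and ACK of the TCP handshake to port 443 appear in order with matching sequence numbers. The ROUTE_OUTPUT and SNIFFER_OUTPUT samples are taken from the article's captures (abridged, with the masked octets kept as XX); SYN_ONLY_OUTPUT is constructed to show a connection that never completes, which is what the capture looks like when no reply comes back.

```python
"""Parse FortiManager CLI troubleshooting output: default gateway from
'diag sys route list' and TCP handshake state from 'diag sniffer packet'.

Added example; not code from the original article or from Fortinet.
"""
import re

# Abridged from the article's capture.
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 port1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 port1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 svr_fgfm
169.254.169.254 169.254.169.254 255.255.255.255 UGH   0      0        0 port1
"""

# Summary lines from the article's capture (hex dumps shortened to one line each).
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[ port 443 ]
20.422874 200.94.81.XX.62672 -> 10.0.0.XX.443: syn 2437467793
0x0000   0000 0000 0001 0000 1749 ec62 0800 4500        .........I.b..E.
20.422932 10.0.0.XX.443 -> 200.94.81.XX.62672: syn 419992761 ack 2437467794
0x0000   0000 0000 0000 0200 1715 5ad4 0800 4500        ..........Z...E.
20.490948 200.94.81.XX.62672 -> 10.0.0.XX.443: ack 419992762
0x0000   0000 0000 0001 0000 1749 ec62 0800 4500        .........I.b..E.
"""

# Constructed: the client retransmits its SYN and never sees a SYN-ACK.
SYN_ONLY_OUTPUT = """\
interfaces=[any]
filters=[ port 443 ]
5.001234 200.94.81.XX.50000 -> 10.0.0.XX.443: syn 100
6.002345 200.94.81.XX.50000 -> 10.0.0.XX.443: syn 100
"""

PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def default_gateway(route_output):
    """Return (gateway, interface) of the 0.0.0.0/0 route, or None if absent."""
    for line in route_output.splitlines():
        f = line.split()
        # columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        if len(f) == 8 and f[0] == "0.0.0.0" and f[2] == "0.0.0.0" and "G" in f[3]:
            return f[1], f[7]
    return None


def parse_sniffer(output):
    """One record per packet summary line; header and hex-dump lines are skipped."""
    packets = []
    for line in output.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        flags = {t for t in tokens if t.isalpha()}
        # 'syn N' carries the sequence number, 'ack N' the acknowledgement.
        numbers = {t: int(tokens[i + 1]) for i, t in enumerate(tokens[:-1])
                   if t.isalpha() and tokens[i + 1].isdigit()}
        packets.append({
            "src": (m.group("src"), int(m.group("sport"))),
            "dst": (m.group("dst"), int(m.group("dport"))),
            "flags": flags,
            "seq": numbers.get("syn"),
            "ack": numbers.get("ack"),
        })
    return packets


def handshake_complete(packets, server_port=443):
    """True if SYN, SYN-ACK and the final ACK appear in order with matching numbers."""
    for i, syn in enumerate(packets):
        if syn["dst"][1] != server_port or syn["flags"] != {"syn"} or syn["seq"] is None:
            continue
        client, server = syn["src"], syn["dst"]
        for j in range(i + 1, len(packets)):
            sa = packets[j]
            if not (sa["src"] == server and sa["dst"] == client
                    and "syn" in sa["flags"] and sa["seq"] is not None
                    and sa["ack"] == syn["seq"] + 1):
                continue
            for a in packets[j + 1:]:
                if (a["src"] == client and a["dst"] == server
                        and "syn" not in a["flags"] and a["ack"] == sa["seq"] + 1):
                    return True
    return False


if __name__ == "__main__":
    print("default gateway:", default_gateway(ROUTE_OUTPUT))
    print("handshake on 443:", handshake_complete(parse_sniffer(SNIFFER_OUTPUT)))
    print("syn-only capture:", handshake_complete(parse_sniffer(SYN_ONLY_OUTPUT)))
```

A capture where only client SYNs appear points at the OCI security list or at nothing listening on the instance; a SYN-ACK with no final ACK points at the return path, which is why the script checks each of the three segments by its acknowledgement number rather than just counting packets.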