This article describes the basic steps to deploy a new FortiManager or FortiAnalyzer VM under KVM.
Applies to FortiManager and FortiAnalyzer.
Kernel-based Virtual Machine (KVM) is a virtualization module of the Linux kernel; together with QEMU it provides the virtual environment.
KVM – provides the virtualization infrastructure.
QEMU – controls the virtualization and emulates the devices.
libvirt – a management layer that allows virtual machines to be managed independently of the underlying virtualization system.
The deployment takes a few steps:
Download the installation file from the support portal (VM Images).
For a new installation, use the file that ends with '.kvm.zip'.
Requirements:
This example is made under the Debian GNU/Linux host OS.
The following command installs the packages and services needed to run the VM.
root@DebTestFr:/srv/VMs# apt install qemu-utils qemu-system libguestfs-tools libnss-libvirt libvirt-clients libvirt-daemon-system virtinst virt-viewer virt-manager
The users who will be working with the VMs should be added to the 'libvirt' group.
root@DebTestFr # usermod -aG libvirt root
The libvirt-qemu user, which the libvirtd service uses to run the VM, must have r-x rights on the directory where the VM files are stored. The following command grants them.
root@DebTestFr# setfacl -R --modify "u:libvirt-qemu:rx" /srv/VMs
After downloading the file from the support portal, unzip it in the directory where the VM will be created.
root@DebTestFr:/srv/VMs# ls
FMG_VM64_KVM-v7.2.3-build1405-FORTINET.out.kvm.zip
root@DebTestFr:/srv/VMs# unzip FMG_VM64_KVM-v7.2.3-build1405-FORTINET.out.kvm.zip
Archive: FMG_VM64_KVM-v7.2.3-build1405-FORTINET.out.kvm.zip
inflating: fmg.qcow2
A new '.qcow2' file needs to be created to hold the VM's storage.
For FortiManager the initial drive should be at least 80 GB. For FortiAnalyzer, review the following article for more information: Technical Tip: How to estimate disk space needed for Archive and Analytics Logs.
root@DebTestFr:/srv/VMs# qemu-img create -f qcow2 "fortimanager.qcow2" 80G
Formatting 'fortimanager.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=85899345920 lazy_refcounts=off refcount_bits=16
| Argument | Description |
| --- | --- |
| qemu-img | The program used to create the image. |
| create | The action. |
| -f qcow2 | Specifies the output disk image format as 'qcow2'. |
| fortimanager.qcow2 | The name and path of the file to create. |
| 80G | Defines the size of the image (80 GB in this example). The suffixes K, M, G, and T can be used. |
Proceed with the creation of the VM.
See the linked minimum requirements for FortiManager/FortiAnalyzer before choosing the memory and vCPU values.
root@DebTestFr:/srv/VMs# virt-install --noautoconsole --name FMGinternal --memory 16384 --vcpus 8 --virt-type kvm --import --disk fmg.qcow2 --disk fortimanager.qcow2,size=1 --network bridge=virbr0 --osinfo detect=on,require=off
WARNING Using --osinfo generic, VM performance may suffer. Specify an accurate OS for optimal results.
Starting install...
Creating domain... | 0 B 00:00:00
Domain creation completed.
| Option | Description |
| --- | --- |
| --name | Defines a name for the virtual machine. |
| --memory | Allocates a specific amount of RAM (in MiB) to the VM. |
| --vcpus | The number of vCPUs present in the VM. |
| --disk | An image file that represents a VM hard disk; the option is given once per disk. |
| --network | Specifies how the virtual network card attaches to the host's network. The default behavior (given explicitly in the example as bridge=virbr0) is to attach it to the existing libvirt bridge. The virtual machine reaches the physical network only through NAT, so it gets an address in the private subnet 192.168.122.0/24. |
root@DebTestFr:/srv/VMs# virsh list
Id Name State
-----------------------------
1 FMGinternal running
root@Kamaran23:/home/vm/FMG# virsh domiflist FMGinternal
Interface Type Source Model MAC
----------------------------------------------------------
vnet0 bridge virbr0 e1000 52:54:00:21:ed:26
Connecting to the newly installed FortiManager:
root@DebTestFr:/srv/VMs# virsh console FMGinternal
Connected to domain 'FMGinternal'
Escape character is ^] (Ctrl + ])
FMG-VM64-KVM login: admin
Password:
You are forced to change your password!
New Password:********
Re-enter New Password:********
FortiManager and FortiAnalyzer use static IP addresses, static routes, and DNS settings.
The default settings are:
Port1 has an IP address 192.168.1.99/24.
User: admin; password: (no password).
On the host OS, traffic can be redirected to the VM's internal interface using SNAT and DNAT.
This link will provide the full list of the default ports and service-related FQDNs.
To allow forwarding network packets between interfaces, modify some kernel parameters:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
Configuring 'Port1' under FortiManager:
config system interface
edit port1
set status enable
set ip 192.168.122.99/24
set allowaccess ping https snmp ssh soc-fabric
end
And the static route:
config system route
edit 1
set device "port1"
set gateway 192.168.122.1
next
end
Direct traffic from the external interface to the internal one and back (1-to-1 NAT) with 'iptables':
iptables -t nat -A PREROUTING -d 192.168.0.11 -j DNAT --to-destination 192.168.122.99
iptables -t nat -A POSTROUTING -s 192.168.122.99 -j SNAT --to-source 192.168.0.11
The IP addresses are only examples: 192.168.0.11 can be any IP address bound to a network interface of the host OS, and 192.168.122.99 is the address set on port1 above.
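An added example (not part of the original article) that wraps the two iptables rules above into a checked, re-runnable script. Instead of forwarding every protocol to the VM, it limits the DNAT to the services listed as proto:port (for example tcp:443 for the HTTPS access enabled on port1, udp:161 for SNMP), refuses a VM address outside the libvirt NAT subnet, and uses 'iptables -C' so that running it twice does not duplicate rules. The host IP, VM IP and port list are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example: build and apply DNAT/SNAT rules for a FortiManager/FortiAnalyzer
# VM behind the libvirt NAT bridge (virbr0, 192.168.122.0/24).
# Assumptions: HOST_IP is bound to a host interface, VM_IP is port1 of the VM.

# Print the iptables commands for one host IP / VM IP pair and a list of
# proto:port entries (e.g. tcp:443 udp:161). Nothing is applied here.
gen_nat_rules() {
    host_ip=$1; vm_ip=$2; shift 2
    case "$vm_ip" in
        192.168.122.*) ;;
        *) echo "vm ip $vm_ip is not on the default libvirt NAT subnet" >&2; return 1 ;;
    esac
    for svc in "$@"; do
        proto=${svc%%:*}; port=${svc##*:}
        case "$proto" in tcp|udp) ;; *) echo "bad proto in $svc" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port in $svc" >&2; return 1 ;; esac
        # One DNAT rule per exposed service, instead of all protocols/ports.
        echo "iptables -t nat -A PREROUTING -d $host_ip -p $proto --dport $port -j DNAT --to-destination $vm_ip:$port"
    done
    # A single SNAT rule so VM-originated traffic leaves with the host IP.
    echo "iptables -t nat -A POSTROUTING -s $vm_ip -j SNAT --to-source $host_ip"
}

# Apply the generated rules idempotently: test with -C before appending with -A.
apply_nat_rules() {
    gen_nat_rules "$@" | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if $check 2>/dev/null; then
            echo "exists: $cmd"
        else
            $cmd && echo "added: $cmd"
        fi
    done
}

# Usage (as root): ./fmg_nat.sh apply 192.168.0.11 192.168.122.99 tcp:443 udp:161
if [ "${1:-}" = "apply" ]; then
    shift
    # Same forwarding setting the article enables via sysctl.conf.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    apply_nat_rules "$@"
fi
```

Without the 'apply' argument the script only defines the functions, so 'gen_nat_rules' can be sourced and used to review the rules before anything is changed.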
How to stop and remove the VM instance:
root@DebTestFr:/srv/VMs# virsh shutdown FMGinternal
root@DebTestFr:/srv/VMs# virsh undefine FMGinternal
root@DebTestFr:/srv/VMs# rm fortimanager.qcow2
Copyright 2024 Fortinet, Inc. All Rights Reserved.