
Fortigate VM Install 50


FortiOS Handbook

VM Installation for FortiOS 5.0


January 24, 2014
01-506-203906-20140124
Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.

Technical Documentation       docs.fortinet.com
Knowledge Base                kb.fortinet.com
Customer Service & Support    support.fortinet.com
Training Services             training.fortinet.com
FortiGuard                    fortiguard.com
Document Feedback             techdocs@fortinet.com

Table of Contents

Change Log
Introduction
  Document scope
FortiGate VM Overview
  FortiGate VM models and licensing
    FortiGate VM evaluation license
  Registering FortiGate VM with Customer Service & Support
  Downloading the FortiGate VM deployment package
  Deployment package contents
    Citrix XenServer
    OpenXEN
    Hyper-V
    KVM
    VMware ESX Server
  Deploying the FortiGate VM appliance
Deployment example: VMware ESXi
  Open the FortiGate VM OVF file with the vSphere client
  Configure FortiGate VM hardware settings
    Transparent mode configuration
  Power on your FortiGate VM
Deployment example: MS Hyper-V
  Create the FortiGate VM virtual machine
  Configure FortiGate VM hardware settings
    FortiGate VM virtual processors
    FortiGate VM network adapters
    FortiGate VM virtual hard disk
  Start the FortiGate VM
Deployment example: KVM
  Create the FortiGate VM virtual machine
  Configure FortiGate VM hardware settings
  Start the FortiGate VM
Deployment example: OpenXen
  Create the FortiGate VM virtual machine (VMM)
Deployment example: Citrix Xen
  Create the FortiGate VM virtual machine (XenCenter)
  Configure virtual hardware
    Configuring number of CPUs and memory size
    Configuring disk storage
FortiGate VM Initial Configuration
  Set FortiGate VM port1 IP address
  Connect to the FortiGate VM Web-based Manager
  Upload the FortiGate VM license file
  Validate the FortiGate VM license with FortiManager
  Configure your FortiGate VM

Table of Contents Page 4 FortiOS Handbook (VMware) VM Installation for FortiOS 5.0
Change Log

Date          Change Description
2013-05-01    Initial release.
2013-05-29    Minor document update.
2013-11-07    Conversion to FortiOS Handbook chapter which will include additional VM platforms.
2014-01-24    Published.

Introduction

FortiGate virtual appliances allow you to mitigate blind spots by implementing critical security
controls within your virtual infrastructure. They also allow you to rapidly provision security
infrastructure whenever and wherever it is needed. FortiGate virtual appliances feature all of the
security and networking services common to traditional hardware-based FortiGate appliances.
With the addition of virtual appliances from Fortinet, you can deploy a mix of hardware and
virtual appliances, operating together and managed from a common centralized management
platform.

Document scope

This document describes how to deploy a FortiGate virtual appliance in several virtualization
server environments. This includes how to configure the virtual hardware settings of the virtual
appliance.
This document assumes:
• you have already successfully installed the virtualization server on the physical machine,
• you have installed appropriate VM management software on either the physical server or a
  computer to be used for VM management.
This document does not cover configuration and operation of the virtual appliance after it has
been successfully installed and started. For these issues, see the FortiGate 5.0 Handbook.
This document includes the following sections:
• FortiGate VM Overview
• Deployment example: VMware ESXi
• Deployment example: MS Hyper-V
• Deployment example: KVM
• Deployment example: OpenXen
• Deployment example: Citrix Xen



FortiGate VM Overview

The following topics are included in this section:
• FortiGate VM models and licensing
• Registering FortiGate VM with Customer Service & Support
• Downloading the FortiGate VM deployment package
• Deployment package contents
• Deploying the FortiGate VM appliance

FortiGate VM models and licensing

Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When
configuring your FortiGate VM, be sure to configure hardware settings within the ranges
outlined in Table 1. Contact your Fortinet Authorized Reseller for more information.
Table 1: FortiGate VM model information

Technical Specification                                 FG-VM00       FG-VM01       FG-VM02       FG-VM04       FG-VM08
Virtual CPUs (min/max)                                  1/1           1/1           1/2           1/4           1/8
Virtual Network Interfaces (min/max)                    2 / 10 (all models)
Virtual Memory (min/max)                                1 GB / 1 GB   1 GB / 2 GB   1 GB / 4 GB   1 GB / 6 GB   1 GB / 12 GB
Virtual Storage (min/max)                               30 GB / 2 TB (all models)
Managed Wireless Access Points (tunnel mode / global)   32 / 32       32 / 64       256 / 512     256 / 512     1024 / 4096
Virtual Domains (default / max)                         1/1           10 / 10       10 / 25       10 / 50       10 / 250

After placing an order for FortiGate VM, a license registration code is sent to the email address
used on the order form. Use the registration number provided to register the FortiGate VM with
Customer Service & Support and then download the license file. Once the license file is
uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.

FortiGate VM evaluation license


FortiGate VM includes a limited embedded 15-day trial license that supports:
• 1 CPU maximum
• 1024 MB memory maximum
• low encryption only (no HTTPS administrative access)
• all features except FortiGuard updates
You cannot upgrade the firmware; doing so will lock the Web-based Manager until a license is
uploaded. Technical support is not included. The trial period begins the first time you start
FortiGate VM. After the trial license expires, functionality is disabled until you upload a license
file.

Registering FortiGate VM with Customer Service & Support

To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer
Service & Support.

To register your FortiGate VM:


1. Log in to the Customer Service & Support portal using an existing support account or select
Sign Up to create a new account.
2. In the main page, in the Asset Management quadrant, select Register/Renew.
The Registration page opens.

Figure 1: Registration page

3. Enter the registration number that was emailed to you and select Register. A registration
form will appear.
4. After completing the form, a registration acknowledgement page will appear.
5. Select the License File Download link.

Figure 2: VM license download link

6. You will be prompted to save the license file (.lic) to your local computer. See Upload the
FortiGate VM license file on page 49 for instructions on uploading the license file to your
FortiGate VM via the Web-based Manager.



Downloading the FortiGate VM deployment package

FortiGate VM deployment packages are included with FortiGate firmware images on the
Customer Service & Support site. First, see Table 2 to determine the appropriate VM
deployment package for your VM platform.
Table 2: Selecting the correct FortiGate VM deployment package for your VM platform

VM Platform                            FortiGate VM Deployment File
Citrix Xen                             FGT_VM64-v500-buildnnnn-FORTINET.out.CitrixXen.zip
OpenXen                                FGT_VM64-v500-buildnnnn-FORTINET.out.OpenXen.zip
Hyper-V                                FGT_VM64-v500-buildnnnn-FORTINET.out.hyperv.zip
KVM                                    FGT_VM64-v500-buildnnnn-FORTINET.out.kvm.zip
VMware ESX/ESXi 4.0/4.1/5.0/5.1/5.5    FGT_VM32-v500-buildnnnn-FORTINET.out.ovf.zip (32-bit)
                                       FGT_VM64-v500-buildnnnn-FORTINET.out.ovf.zip

For more information see the FortiGate product datasheet available on the Fortinet web site,
http://www.fortinet.com/products/fortigate/virtualappliances.html.
The firmware images FTP directory is organized by firmware version, major release, and patch
release. The firmware images in the directories follow a specific naming convention and each
firmware image is specific to the device model. For example, the
FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2
directory is specific to the FortiGate VM 32-bit environment.

You can also download the FortiGate Release Notes, FORTINET-FORTIGATE MIB file, FSSO
images, and SSL VPN client in this directory. The Fortinet Core MIB file is located in the main
FortiGate v5.00 directory.

To download the FortiGate VM deployment package:


1. In the main page of the Customer Service & Support site, select Download > Firmware
Images.
The Firmware Images page opens.



Figure 3: Firmware image page

2. In the Firmware Images page, select FortiGate.


3. Browse to the appropriate directory on the FTP site for the version that you would like to
download.
4. Download the appropriate .zip file for your VM server platform.
You can also download the FortiGate Release Notes.
5. Extract the contents of the deployment package to a new file folder.

Deployment package contents

Citrix XenServer
The FORTINET.out.CitrixXen.zip file contains:
• fortios.vhd: the FortiGate VM system hard disk in VHD format
• fortios.xva: binary file containing virtual hardware configuration settings
• in the ovf folder:
  • FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual
    hardware settings for Xen
  • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
  • datadrive.vmdk: the FortiGate VM log disk in VMDK format
The ovf folder and its contents are an alternative method of installation to the .xva and VHD disk
image.

OpenXEN
The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard
disk in qcow2 format. You will need to manually:
• create a 30GB log disk
• specify the virtual hardware settings



Hyper-V
The FORTINET.out.hyperv.zip file contains:
• in the Virtual Hard Disks folder:
  • fortios.vhd: the FortiGate VM system hard disk in VHD format
  • DATADRIVE.vhd: the FortiGate VM log disk in VHD format
• in the Virtual Machines folder:
  • fortios.xml: XML file containing virtual hardware configuration settings for Hyper-V. This is
    compatible with Windows Server 2012.
• Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here

KVM
The FORTINET.out.kvm.zip contains only fortios.qcow2, the FortiGate VM system hard disk in
qcow2 format. You will need to manually:
• create a 30GB log disk
• specify the virtual hardware settings

VMware ESX Server


The FORTINET.out.ovf.zip file contains:
• fortios.vmdk: the FortiGate VM system hard disk in VMDK format
• datadrive.vmdk: the FortiGate VM log disk in VMDK format
• Open Virtualization Format (OVF) template files:
  • FortiGate-VM64.ovf: OVF template based on Intel e1000 NIC driver
  • FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server
  • FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for VMware vmxnet2 driver
  • FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for VMware vmxnet3 driver

Deploying the FortiGate VM appliance

Prior to deploying the FortiGate VM appliance, the VM platform must be installed and
configured so that it is ready to create virtual machines. The installation instructions for
FortiGate VM assume that:
• You are familiar with the management software and terminology of your VM platform.
• An Internet connection is available for FortiGate VM to contact FortiGuard to validate its
  license or, for closed environments, a FortiManager can be contacted to validate the
  FortiGate VM license. See Validate the FortiGate VM license with FortiManager on
  page 50.
For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that
corresponds to your VMware environment. You might also need to refer to the documentation
provided with your VM server. The deployment chapters are presented as examples because for
any particular VM server there are multiple ways to create a virtual machine. There are
command line tools, APIs, and even alternative graphical user interface tools.
Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual
disk sizes and networking settings. The first time you start FortiGate VM, you will have access
only through the console window of your VM server environment. After you configure one
FortiGate network interface with an IP address and administrative access, you can access the
FortiGate VM web-based manager.
After deployment and license validation, you can upgrade your FortiGate VM appliance's
firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or
FGT_VM64-v500-buildnnnn-FORTINET.out (64-bit) firmware. Firmware upgrading on a VM is
very similar to upgrading firmware on a hardware FortiGate unit.



Deployment example: VMware ESXi

Once you have downloaded the FGT_VMxx-v500-build0xxx-FORTINET.out.ovf.zip file and
extracted the package contents to a folder on your local computer, you can use the vSphere
client to create the virtual machine from the deployment package OVF template.
The following topics are included in this section:
• Open the FortiGate VM OVF file with the vSphere client
• Configure FortiGate VM hardware settings
• Power on your FortiGate VM

Open the FortiGate VM OVF file with the vSphere client

To deploy the FortiGate VM OVF template:


1. Launch the VMware vSphere client, enter the IP address or host name of your server, enter
your user name and password and select Login.
The vSphere client home page opens.

Figure 4: vSphere client home page

2. Select File > Deploy OVF Template to launch the OVF Template wizard.



The OVF Template Source page opens.
3. Select the source location of the OVF file. Select Browse and locate the OVF file on your
computer. Select Next to continue.
The OVF Template Details page opens.

Figure 5: Details page

4. Verify the OVF template details. This page details the product name, download size, size on
disk, and description. Select Next to continue.
The OVF Template End User License Agreement page opens.

Figure 6: End user license agreement page

5. Read the end user license agreement for FortiGate VM. Select Accept and then select Next
to continue.
The OVF Template Name and Location page opens.

Figure 7: Name and location page

6. Enter a name for this OVF template. The name can contain up to 80 characters and it must
be unique within the inventory folder. Select Next to continue.
The OVF Template Disk Format page opens.

Figure 8: Disk format page

7. Select one of the following:
• Thick Provision Lazy Zeroed: Allocates the disk space statically (no other volumes can
  take the space), but does not write zeros to the blocks until the first write takes place to
  that block during runtime (which includes a full disk format).
• Thick Provision Eager Zeroed: Allocates the disk space statically (no other volumes can
  take the space), and writes zeros to all the blocks.
• Thin Provision: Allocates the disk space only when a write occurs to a block, but the total
  volume size is reported by VMFS to the OS. Other volumes can take the remaining space.
  This allows you to float space between your servers, and expand your storage when your
  size monitoring indicates there is a problem. Note that once a Thin Provisioned block is
  allocated, it remains on the volume regardless of whether you have deleted data, etc.
8. Select Next to continue.
The OVF Template Network Mapping page opens.

Figure 9: Network mapping page

9. Map the networks used in this OVF template to networks in your inventory. Network 1 maps
to port1 of the FortiGate VM. You must set the destination network for this entry to access
the device console. Select Next to continue.
The OVF Template Ready to Complete page opens.
10. Review the template configuration. Make sure that Power on after deployment is not
enabled. You might need to configure the FortiGate VM hardware settings prior to powering
on the FortiGate VM.
11. Select Finish to deploy the OVF template. You will receive a Deployment Completed
Successfully dialog box once the FortiGate VM OVF template wizard has finished.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and
virtual disk configuration to match your FortiGate VM license. See Table 1 on page 7 for
FortiGate VM model information.

Transparent mode configuration


If you want to use your FortiGate-VM in transparent mode, your VMware server's virtual
switches must operate in promiscuous mode. This permits these interfaces to receive traffic
that will pass through the FortiGate unit but was not addressed to the FortiGate unit.
In VMware, promiscuous mode must be explicitly enabled:
1. In the vSphere client, select your VMware server in the left pane and then select the
Configuration tab in the right pane.
2. In Hardware, select Networking.
3. Select Properties of vSwitch0.
4. In the Properties window left pane, select vSwitch and then select Edit.
5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
6. Select Close.
7. Repeat steps 3 through 6 for other vSwitches that your transparent mode FortiGate-VM
uses.
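
A command-line check for the setting changed in the steps above, as an added example that is not part of the handbook: it parses the output of `esxcli network vswitch standard policy security get` and flags any vSwitch that accepts promiscuous mode without being one the transparent-mode FortiGate-VM uses. The sample output, the `==` marker lines and the vSwitch names are constructed, and `collect_policy` assumes vSwitch names without spaces.

```shell
#!/bin/sh
# Added example: promiscuous mode should be accepted only on the vSwitches that
# the transparent-mode FortiGate-VM uses, and rejected everywhere else.

# Run on the ESXi host: dump the security policy of every standard vSwitch,
# each preceded by a "== <name>" marker line (the marker is added by this script).
collect_policy() {
    esxcli network vswitch standard list | awk '$1 == "Name:" { print $2 }' |
    while read -r sw; do
        echo "== $sw"
        esxcli network vswitch standard policy security get --vswitch-name="$sw"
    done
}

# Constructed sample of collect_policy output (three vSwitches).
sample_policy() {
    cat <<'EOF'
== vSwitch0
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
== vSwitch1
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
== vSwitch2
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
EOF
}

# promisc_report VSWITCH...   (arguments = vSwitches the FortiGate-VM uses)
# Reads collect_policy output on stdin; exit status 1 if any vSwitch deviates.
promisc_report() {
    awk -v allow=" $* " '
        /^== /               { sw = $2; next }
        /Allow Promiscuous:/ { state[sw] = $NF; order[++n] = sw }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                sw = order[i]
                listed = (index(allow, " " sw " ") > 0)
                on = (state[sw] == "true")
                # Accepted where it is not needed: wider sniffing exposure.
                if (on && !listed)      { print "UNEXPECTED " sw; bad = 1 }
                # Rejected where transparent mode needs it: traffic will not pass.
                else if (!on && listed) { print "MISSING    " sw; bad = 1 }
                else                    { print "OK         " sw }
            }
            # Planned vSwitches that do not exist on this host.
            m = split(allow, want, " ")
            for (j = 1; j <= m; j++)
                if (!(want[j] in state)) { print "ABSENT     " want[j]; bad = 1 }
            exit bad
        }'
}

# Demo on the constructed sample: only vSwitch1 is used by the FortiGate-VM.
sample_policy | promisc_report vSwitch1 || echo "policy deviates from plan"
```

On a host, run `collect_policy | promisc_report vSwitch1`. Port groups can override the vSwitch security policy, so a complete audit also checks the port group settings.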

Power on your FortiGate VM

You can now proceed to power on your FortiGate VM. There are several ways to do this:
• Select the name of the FortiGate VM you deployed in the inventory list and select Power on
  the virtual machine in the Getting Started tab.
• In the inventory list, right-click the name of the FortiGate VM you deployed, and select
  Power > Power On.
• Select the name of the FortiGate VM you deployed in the inventory list. Click the Power On
  button on the toolbar.
Select the Console tab to view the console. To enter text, you must click in the console pane.
The mouse is then captured and cannot leave the console screen. As the FortiGate console is
text-only, no mouse pointer is visible. To release the mouse, press Ctrl-Alt.

Deployment example: MS Hyper-V

Once you have downloaded the .hyperv.zip file and extracted the package contents to a
folder on your Microsoft server, you can deploy the VHD package to your Microsoft Hyper-V
environment.
The following topics are included in this section:
• Create the FortiGate VM virtual machine
• Configure FortiGate VM hardware settings
• Start the FortiGate VM

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:


1. Launch the Hyper-V Manager in your Microsoft server.
The Hyper-V Manager home page opens.

Figure 12: Hyper-V Manager home page

2. Select the server in the right-tree menu. The server details page is displayed.



Figure 13: Server page

3. Right-click the server and select New and select Virtual Machine from the menu. Optionally,
in the Actions menu, select New and select Virtual Machine from the menu.
The New Virtual Machine Wizard opens.

Figure 14: New Virtual Machine Wizard

4. Select Next to create a virtual machine with a custom configuration.


The Specify Name and Location page is displayed.

Figure 15: Specify Name and Location page

5. Enter a name for this virtual machine. The name is displayed in the Hyper-V Manager.
Select Next to continue. The Assign Memory page is displayed.

Figure 16: Assign Memory page

6. Specify the amount of memory to allocate to this virtual machine. The default memory for
FortiGate VM is 2GB (2048MB).
Select Next to continue. The Configure Networking page is displayed.

Figure 17: Configure Networking page

7. Each new virtual machine includes a network adapter. You can configure the network
adapter to use a virtual switch, or it can remain disconnected. FortiGate VM requires four
network adapters. You must configure network adapters in the Settings page.
Select Next to continue. The Connect Virtual Hard Disk page is displayed.

Figure 18: Connect Virtual Hard Disk page

8. Select to use an existing virtual hard disk and browse for the fmg.vhd file that you
downloaded from the Fortinet Customer Service & Support portal.
Select Next to continue. The Summary page is displayed.

Figure 19: Summary page

9. To create the virtual machine and close the wizard, select Finish.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and
virtual disk configuration to match your FortiGate VM license. See Table 1 on page 7 for
FortiGate VM model information.

To configure settings for FortiGate VM on the server:


1. In the Hyper-V Manager, locate the name of the virtual machine, right-click the entry, and
select Settings from the menu. Optionally, you can select the virtual machine and select
Settings in the Actions menu.

Figure 20: Hyper-V Manager

The Settings page is displayed.

Figure 21: Settings page

2. Configure virtual processors, network adapters, and virtual hard drive settings.
3. Select Apply to save the settings and then select OK to close the settings page.

FortiGate VM virtual processors
You must configure FortiGate VM virtual processors in the server settings page. The number of
processors is dependent on your server environment.

Configure FortiGate VM virtual processors:


1. In the Settings page, select Processor from the Hardware menu.
The Processor page is displayed.

Figure 22: Processor page

2. Configure the number of virtual processors for the FortiGate VM virtual machine. Optionally,
you can use resource controls to balance resources among virtual machines.
3. Select Apply to save the settings.

FortiGate VM network adapters


You must configure FortiGate VM network adapters in the server settings page. FortiGate VM
supports four network adapters.

Configure FortiGate VM network adapters:


1. In the Settings page, select Add Hardware from the Hardware menu, select Network Adapter
in the device list, and select the Add button.
The Network Adapter page is displayed.

Figure 23: Network Adapter page

2. You must manually configure four network adapters for FortiGate VM in the settings page.
For each network adapter, select the virtual switch from the drop-down list.
3. Select Apply to save the settings.

FortiGate VM virtual hard disk


If you know your environment will expand in the future, it is recommended to add hard disks
larger than the 30GB FortiGate VM base license requirement. This will allow your environment to
be expanded as required while not taking up more space in the SAN than is needed.
You must configure the FortiGate VM virtual hard disk in the server settings page.


Configure a FortiGate VM virtual hard drive:


1. In the Settings page, select IDE Controller 0 > Hard Drive from the Hardware menu.
The Hard Drive page is displayed.

Figure 24: Hard Drive page

2. Select New to create a new virtual hard disk.


The New Virtual Hard Disk Wizard opens.

Figure 25: New Virtual Hard Disk Wizard

3. This wizard helps you to create a new virtual hard disk.


Select Next to continue. The Choose Disk Format page opens.

Figure 26: Choose Disk Format page

4. Select to use VHDX format virtual hard disks. This format supports virtual disks up to 64TB
and is resilient to consistency issues that might occur from power failures. This format is not
supported in operating systems earlier than Windows Server 2012.
Select Next to continue. The Choose Disk Type page opens.

Figure 27: Choose Disk Type page

5. Select the type of virtual disk you want to use. Select one of the following disk types:
• Fixed size: This type of disk provides better performance and is recommended for
  servers running applications with high levels of disk activity. The virtual hard disk file
  that is created initially uses the size of the virtual hard disk and does not change when
  data is deleted or added.
• Dynamic expanding: This type of disk provides better use of physical storage space
  and is recommended for servers running applications that are not disk intensive. The
  virtual disk file that is created is small initially and changes as data is added.
• Differencing: This type of disk is associated in a parent-child relationship with another
  disk that you want to leave intact. You can make changes to the data or operating
  system without affecting the parent disk, so that you can revert the changes easily. All
  children must have the same virtual hard disk format as the parent (VHD or VHDX).
Select Next to continue. The Specify Name and Location page opens.

Figure 28: Specify Name and Location

6. Specify the name and location of the virtual hard disk file. Use the Browse button to select a
specific file folder on your server.
Select Next to continue. The Configure Disk page opens.

Figure 29: Configure Disk page

7. Select to create a new blank virtual hard disk and enter the size of the disk in GB. The
maximum size is dependent on your server environment.
Select Next to continue. The Summary page opens.

Figure 30: Summary page

8. The summary page provides details of the virtual hard disk. Select Finish to create the virtual
hard disk.
9. Select Apply to save the settings and select OK to exit the settings page.

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in
the list of virtual machines, right-click, and select Start in the menu. Optionally, you can select
the name of the FortiGate VM in the list of virtual machines and select Start in the Actions menu.

Figure 31: Start the FortiGate VM virtual machine

Deployment example: KVM

Once you have downloaded the FORTINET.out.kvm.zip file and extracted the virtual hard drive
image file fortios.qcow2, you can create the virtual machine in your KVM environment.
The following topics are included in this section:
Create the FortiGate VM virtual machine
Configure FortiGate VM hardware settings
Start the FortiGate VM

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:


1. Launch Virtual Machine Manager (virt-manager) on your KVM host server.
The Virtual Machine Manager home page opens.
2. In the toolbar, select Create a new virtual machine.

3. Enter a Name for the VM, FGT-VM for example.


4. Ensure that Connection is localhost. (This is the default.)
5. Select Import existing disk image.

6. Select Forward.

7. In OS Type select Linux.


8. In Version, select Generic 2.4.x kernel.
9. Select Browse.

10. If you copied the fortios.qcow2 file to /var/lib/libvirt/images, it will be visible on the
right. If you saved it somewhere else on your server, select Browse Local and find it.
11. Select Choose Volume.
12. Select Forward.
13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The
amounts must not exceed your license limits. See FortiGate VM models and licensing on
page 7.
14. Select Forward.
15. Expand Advanced options. A new virtual machine includes one network adapter by default.
Select a network adapter on the host computer. Optionally, set a specific MAC address for
the virtual network interface. Set Virt Type to ??? and Architecture to ???.
16. Select Finish.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must add the log disk and configure the virtual
hardware of your FortiGate VM.

To configure settings for FortiGate VM on the server:


1. In the Virtual Machine Manager, locate the name of the virtual machine and then select Open
from the toolbar.
2. Select Add Hardware. In the Add Hardware window select Storage.
3. Select Create a disk image on the computer's hard drive and set the size to 30GB.

If you know your environment will expand in the future, it is recommended to add hard disks
larger than the 200GB FortiGate VM base license requirement. This will allow your environment
to be expanded as required while not taking up more space in the SAN than is needed.

4. Enter:

Device type      Virtio disk
Cache mode       Default
Storage format   raw

FortiGate VM allows for eight log disks to be added to a deployed instance. After adding
additional hard disks to your FortiGate VM, you must use the following FortiGate CLI commands
to extend the LVM logical volume:
execute lvm start
execute lvm extend <arg ..>

5. Select Network to configure or add more network interfaces. The Device type must be
Virtio.
A new virtual machine includes one network adapter by default. You can add more through
the Add Hardware window. FortiGate VM requires four network adapters. You can configure
network adapters to connect to a virtual switch or to network adapters on the host
computer.
6. Select Finish.

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in
the list of virtual machines. In the toolbar, select Console and then select Start.

Figure 32: Start the FortiGate VM virtual machine

Deployment example: OpenXen

This chapter is preliminary.


Once you have downloaded the FORTINET.out.OpenXen.zip file and extracted the virtual hard drive
image file fortios.qcow2, you can create the virtual machine in your OpenXen environment.
The following topics are included in this section:
Create the FortiGate VM virtual machine (VMM)

Create the FortiGate VM virtual machine (VMM)

To create the FortiGate VM virtual machine:


1. Launch Virtual Machine Manager (virt-manager) on your OpenXen host server.
The Virtual Machine Manager home page opens.
2. In the toolbar, select Create a new virtual machine.

3. Enter a Name for the VM, FGT-VM for example.


4. Ensure that Connection is localhost. (This is the default.)
5. Select Import existing disk image.

6. Select Forward.

7. In OS Type select Linux.


8. In Version, select Generic 2.4.x kernel.
9. Select Browse.
The Locate or create storage volume window opens.
10. Select Browse Local and find the fortios.qcow2 disk image file.
11. Select fortios.qcow2 and select Choose Volume.
12. Select Forward.

13. Specify the amount of memory and number of CPUs to allocate to this virtual machine. The
amounts must not exceed your license limits. See FortiGate VM models and licensing on
page 7.
14. Select Forward.

15. Select Customize configuration before install. This enables you to make some hardware
configuration changes before VM creation is started.
16. Expand Advanced options. A new virtual machine includes one network adapter by default.
Select Specify shared device name and enter the name of the bridge interface on the
OpenXen host. Optionally, set a specific MAC address for the virtual network interface.
Virt Type and Architecture are set by default and should be correct.
17. Select Finish.
The virtual machine hardware configuration window opens.

You can use this window to add hardware such as network interfaces and disk drives.
18. Select Add Hardware. In the Add Hardware window select Storage.
19. Select Create a disk image on the computer's hard drive and set the size to 30GB.

If you know your environment will expand in the future, it is recommended to add hard disks
larger than the 200GB FortiGate VM base license requirement. This will allow your environment
to be expanded as required while not taking up more space in the SAN than is needed.

20. Enter:

Device type      Virtio disk
Cache mode       Default
Storage format   raw

FortiGate VM allows for eight log disks to be added to a deployed instance. After adding
additional hard disks to your FortiGate VM, you must use the following FortiGate CLI commands
to extend the LVM logical volume:
execute lvm start
execute lvm extend <arg ..>

21. Select Network to configure or add more network interfaces. The Device type must be
Virtio.
A new virtual machine includes one network adapter by default. You can add more through
the Add Hardware window. FortiGate VM requires four network adapters. You can configure
network adapters to connect to a virtual switch or to network adapters on the host
computer.
22. Select Finish.
23. Select Begin Installation. After the installation completes successfully, the VM starts and the
console window opens.

Deployment example: Citrix Xen

This chapter is preliminary.


Once you have downloaded the FORTINET.out.CitrixXen.zip file and extracted the files, you can
create the virtual machine in your Citrix Xen environment.
The following topics are included in this section:
Create the FortiGate VM virtual machine (XenCenter)

Create the FortiGate VM virtual machine (XenCenter)

To create the FortiGate VM virtual machine from the OVF file


1. Launch XenCenter on your management computer.
The management computer can be any computer that can run Citrix XenCenter, a Windows
application.
2. If you have not already done so, select ADD a server. Enter your XenServer IP address and
the root logon credentials required to manage that server.
Your XenServer is added to the list in the left pane.
The Virtual Machine Manager home page opens.
3. Go to File > Import. An import dialog will appear.
4. Click the Browse button, find the FortiGate-VM64-Xen.ovf template file, then click Open.

5. Select Next.

6. Accept the FortiGate Virtual Appliance EULA, then select Next.

7. Choose the pool or standalone server that will host the VM, then select Next.
8. Select the storage location for FortiGate VM disk drives or accept the default. Select Next.
9. Configure how each vNIC (virtual network adapter) in FortiGate VM will be mapped to each
vNetwork on the XenServer, then click Next.

10. Click Next to skip OS fixup.

11. Select Next to use the default network settings for transferring the VM to the host.
12. Select Finish.
The XenServer imports the FortiGate VM files and configures the VM as specified in the OVF
template. Depending on your computer's hardware speed and resource load, and also on the
file size and speed of the network connection, this might take several minutes to complete.

When VM import is complete, the XenCenter left pane includes the FortiGate VM in the list of
deployed VMs for your XenServer.

Configure virtual hardware

Before you start your FortiGate-VM for the first time, you need to adjust your virtual machine's
virtual hardware settings to meet your network requirements.

Configuring number of CPUs and memory size


Your FortiGate-VM license limits the number of CPUs and amount of memory that you can use.
The amounts you allocate must not exceed your license limits. See FortiGate VM models and
licensing on page 7.

To access virtual machine settings


1. Open XenCenter.
2. Select your FortiGate VM in the left pane.
The tabs in the right pane provide access to the virtual hardware configuration. The Console
tab provides access to the FortiGate console.

To set the number of CPUs


1. In the XenCenter left pane, right-click the FortiGate VM and select Properties.
The Properties window opens.

2. In the left pane, select CPU.

3. Adjust Number of CPUs and then select OK.


XenCenter will warn if you select more CPUs than the Xen host computer contains. Such a
configuration might reduce performance.

To set memory size


1. In the XenCenter left pane, select the FortiGate VM.
2. In the right pane, select the Memory tab.
3. Select Edit, modify the value in the Set a fixed memory of field and select OK.

Configuring disk storage
By default the FortiGate VM data disk is 30GB. You will probably want to increase this. Disk
resizing must be done before you start the VM for the first time.

To resize the FortiGate data disk


1. In the XenCenter left pane, select the FortiGate VM.
2. Select the Storage tab. Select Hard disk 2 (the 30GB drive), then select Properties.
The Hard disk 2 Properties window opens.
3. Select Size and Location. Adjust Size and select OK.

FortiGate VM Initial Configuration

Before you can connect to the FortiGate VM web-based manager you must configure a network
interface in the FortiGate VM console. Once an interface with administrative access is
configured, you can connect to the FortiGate VM web-based Manager and upload the FortiGate
VM license file that you downloaded from the Customer Service & Support website.
The following topics are included in this section:
Set FortiGate VM port1 IP address
Connect to the FortiGate VM Web-based Manager
Upload the FortiGate VM license file
Configure your FortiGate VM

Set FortiGate VM port1 IP address

Hypervisor management environments include a guest console window. On the FortiGate VM,
this provides access to the FortiGate console, equivalent to the console port on a hardware
FortiGate unit. Before you can access the Web-based manager, you must configure FortiGate
VM port1 with an IP address and administrative access.

To configure the port1 IP address:


1. In your hypervisor manager, start the FortiGate VM and access the console window.
You might need to press Return to see a login prompt.

Figure 33: Example of FortiGate VM console access

2. At the FortiGate VM login prompt enter the username admin. By default there is no
password. Just press Return.
3. Using CLI commands, configure the port1 IP address and netmask. Also, HTTP access must
be enabled because until it is licensed the FortiGate VM supports only low-strength
encryption. HTTPS access will not work.
For example:
config system interface
edit port1
set ip 192.168.0.100 255.255.255.0
append allowaccess http
end

You can also use the append allowaccess CLI command to enable other access protocols,
such as auto-ipsec, http, probe-response, radius-acct, snmp, and telnet. The
ping, https, ssh, and fgfm protocols are enabled on the port1 interface by default.

4. To configure the default gateway, enter the following CLI commands:


config router static
edit 1
set device port1
set gateway <class_ip>
end

You must configure the default gateway with an IPv4 address. FortiGate VM needs to access
the Internet to contact the FortiGuard Distribution Network (FDN) to validate its license.

5. To configure your DNS servers, enter the following CLI commands:


config system dns
set primary <Primary DNS server>
set secondary <Secondary DNS server>
end

The default DNS servers are 208.91.112.53 and 208.91.112.52.

6. To upload the FortiGate VM license from an FTP or TFTP server, use the following CLI
command:
execute restore vmlicense {ftp | tftp} <VM license file name> <Server IP or FQDN>[:server port]

You can also upload the license in the FortiGate VM Web-based Manager. See Upload the
FortiGate VM license file on page 49.
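
Step 3 above adds HTTP to port1 because HTTPS does not work until the VM is licensed. The following added example (not part of the handbook or of Fortinet's tooling) is one way to check a saved interface configuration afterwards for interfaces that still allow the cleartext protocols http or telnet. The sample configuration is constructed in the style of FortiOS "show system interface" output, and the function names are hypothetical.

```python
import shlex

# Cleartext management protocols among those the handbook lists for allowaccess.
CLEARTEXT = {"http", "telnet"}

# Constructed sample in the style of FortiOS "show system interface" output.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.0.100 255.255.255.0
        set allowaccess ping https ssh http fgfm
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "port3"
        set allowaccess ping telnet snmp
    next
end
"""

def tokenize(line):
    """Split a CLI line, honouring quotes; fall back on unbalanced quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()

def cleartext_access(config_text):
    """Return {interface: [cleartext protocols]} from 'config system interface'."""
    findings = {}
    stack = []    # names of the open 'config' blocks, outermost first
    iface = None  # interface whose 'edit' block is currently open
    for line in config_text.splitlines():
        tokens = tokenize(line)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "end":
            if stack:
                stack.pop()
            if not stack:
                iface = None
        elif stack == ["system interface"]:  # skip nested blocks such as ipv6
            if cmd == "edit" and args:
                iface = args[0]
            elif cmd == "next":
                iface = None
            elif cmd in ("set", "append") and args[:1] == ["allowaccess"] and iface:
                risky = CLEARTEXT.intersection(args[1:])
                if risky:
                    findings.setdefault(iface, set()).update(risky)
    return {name: sorted(protos) for name, protos in findings.items()}

if __name__ == "__main__":
    print(cleartext_access(SAMPLE_CONFIG))
```

The parser also accepts the handbook's own `append allowaccess http` form, so it can be run over a pasted provisioning script as well as over a saved configuration.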

Connect to the FortiGate VM Web-based Manager

When you have configured the port1 IP address and netmask, launch a web browser and enter
the IP address that you configured for port1. At the login page, enter the username admin, leave
the password field empty (by default there is no password), and select Login. The Web-based
Manager will appear with an Evaluation License dialog box, see Figure 34.

Figure 34: Web-based Manager and Evaluation License dialog box

Upload the FortiGate VM license file

Every Fortinet VM includes a 15-day trial license. During this time the FortiGate VM operates in
evaluation mode. Before using the FortiGate VM you must enter the license file that you
downloaded from the Customer Service & Support website upon registration.

To upload the FortiGate VM license file:


1. In the Evaluation License dialog box, select Enter License.

You can also upload the license file via the CLI using the following CLI command:
execute restore vmlicense [ftp | tftp] <filename string> <ftp server>[:ftp port]

The license upload page opens.

Figure 35: License upload page

2. Select Browse and locate the license file (.lic) on your computer. Select OK to upload the
license file.
3. Refresh the browser to log in.
4. Enter admin in the Name field and select Login. The VM registration status appears as valid
in the License Information widget once the license has been validated by the FortiGuard
Distribution Network (FDN) or FortiManager for closed networks.

Validate the FortiGate VM license with FortiManager

You can validate your FortiGate VM license with some models of FortiManager. To determine
whether your FortiManager unit has the VM Activation feature, see the Features section of the
FortiManager Product Data sheet.

To validate your FortiGate VM with your FortiManager:


1. To configure your FortiManager as a closed network, enter the following CLI command on
your FortiManager:
config fmupdate publicnetwork
set status disable
end
2. To configure FortiGate VM to use FortiManager as its override server, enter the following CLI
commands on your FortiGate VM:
config system central-management
set mode normal
set type fortimanager
set fmg <IPv4 address of the FortiManager device>
set fmg-source-ip <Source IPv4 address when connecting to the FortiManager device>
set fortimanager-fds-override enable
set vdom <Enter the name of the VDOM to use when communicating with the FortiManager device>
end
3. Load the FortiGate VM license file in the Web-based Manager. Go to System > Dashboard >
Status. In the License Information widget, in the Registration Status field, select Update.
Browse for the .lic license file and select OK.
4. To activate the FortiGate VM license, enter the following CLI command on your FortiGate
VM:
execute update-now
5. To check the FortiGate VM license status, enter the following CLI commands on your
FortiGate VM:
get system status
The following output is displayed:
Version: Fortigate-VM v5.0,build0099,120910 (Interim)
Virus-DB: 15.00361(2011-08-24 17:17)
Extended DB: 15.00000(2011-08-24 17:09)
Extreme DB: 14.00000(2011-08-24 17:10)
IPS-DB: 3.00224(2011-10-28 16:39)
FortiClient application signature package: 1.456(2012-01-17 18:27)
Serial-Number: FGVM02Q105060000
License Status: Valid
BIOS version: 04000002
Log hard disk: Available
Hostname: Fortigate-VM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 511
Release Version Information: MR3 Patch 4
System time: Wed Jan 18 11:24:34 2012

diagnose hardware sysinfo vm full

The following output is displayed:
UUID: 564db33a29519f6b1025bf8539a41e92
valid: 1
status: 1
code: 200 (If the license is a duplicate, code 401 will be displayed)
warn: 0
copy: 0
received: 45438
warning: 0
recv: 201201201918
dup:
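
Because the handbook states that an unlicensed FortiGate VM supports only low-strength encryption, it is worth checking the two outputs above automatically when several VMs are deployed. The following added example (not part of the handbook) parses captured output of both commands and reports the conditions the handbook names: a License Status other than Valid, and a validation code other than 200, with 401 meaning a duplicate license. The sample text is constructed by trimming the handbook's output, and the function names are hypothetical.

```python
import re

# Constructed samples: field layout copied from the handbook's output, trimmed.
SYSTEM_STATUS = """\
Version: Fortigate-VM v5.0,build0099,120910 (Interim)
Serial-Number: FGVM02Q105060000
License Status: Valid
System time: Wed Jan 18 11:24:34 2012
"""
VM_SYSINFO = """\
UUID: 564db33a29519f6b1025bf8539a41e92
valid: 1
status: 1
code: 200
warn: 0
"""

def parse_fields(output):
    """Map 'Key: value' lines to a dict with lower-cased keys."""
    fields = {}
    for line in output.splitlines():
        # Split on the first colon only, so values such as timestamps stay whole.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def license_problems(status_output, sysinfo_output):
    """Return a list of findings; an empty list means no problem was found."""
    status = parse_fields(status_output)
    vm = parse_fields(sysinfo_output)
    problems = []
    state = status.get("license status")
    if state is None:
        problems.append("no 'License Status' line in get system status output")
    elif state.lower() != "valid":
        problems.append(f"License Status is {state!r}, expected 'Valid'")
    # Take the leading digits only, so an annotated line such as
    # "code: 200 (If the license is a duplicate, ...)" still parses.
    match = re.match(r"\d+", vm.get("code", ""))
    if match is None:
        problems.append("no numeric 'code' line in sysinfo output")
    elif match.group() == "401":
        problems.append("code 401: duplicate license")
    elif match.group() != "200":
        problems.append(f"code {match.group()}: not the 200 shown for a valid license")
    return problems

if __name__ == "__main__":
    print(license_problems(SYSTEM_STATUS, VM_SYSINFO) or "license looks valid")
```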

Configure your FortiGate VM

Once the FortiGate VM license has been validated you can begin to configure your device. You
can use the Wizard located in the top toolbar for basic configuration including enabling central
management, setting the admin password, setting the time zone, and port configuration.
For more information on configuring your FortiGate VM see the FortiOS Handbook at
http://docs.fortinet.com.
