
FortiGate-VM

System Guide

FG 4.0 MR2

01-420-129664-20101011
Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Overview of FortiGate-VM
    Prerequisites
    Architecture of the FortiGate-VM
    Licensing
    Registering your Fortinet product
    Customer service & technical support
    Training
    Documentation
        Comments on Fortinet technical documentation

Installing FortiGate-VM
    Installation Overview
    Installing FortiGate-VM
        Getting the FortiGate-VM software
        Deploying the FortiGate-VM software
    Logging in
    Configuring Virtual Networks
        Configuring Network Adapters
    Configuring the number of CPUs
    Powering on FortiGate-VM
    Uploading the License

FortiGate-VM System Guide 4.0 MR2


01-420-129664-20101011
http://docs.fortinet.com/ Feedback

Overview of FortiGate-VM
Fortinet is the leading provider of ASIC-accelerated unified threat management (UTM)
solutions that provide a comprehensive suite of security services at the highest levels of
network protection and performance.
This chapter provides an overview of the FortiGate-VM and the prerequisites to installing
the FortiGate-VM.

Prerequisites
This guide assumes that the reader has a thorough understanding of VMware concepts,
procedures, and terminology. VMware vSphere Hypervisor (ESX/ESXi) software MUST
be installed prior to installing FortiGate-VM.
See Table 1 for requirements.
Table 1: FortiGate-VM requirements.

Requirement                  Value
VMware vSphere Hypervisor    VMware ESXi/ESX 3.5/4.0/4.1
Memory                       A minimum 512 MB of RAM, maximum of 3 GB
CPU                          2 virtual CPUs, maximum of 8 virtual CPUs
10/100/1000 Interfaces       A minimum of 2 virtual NICs, a maximum of 10 virtual NICs
10 GbE Interface             Supported
Storage                      A minimum of 30 GB

Valid internet connection to connect to FortiGuard Services:
    DNS lookup; RBL lookup: UDP 53
    FortiGuard Licensing: TCP 443

Other useful FortiGuard ports:
    FortiGuard Antispam or Web Filtering rating lookup: UDP 53 or UDP 8888
    FDN server list: UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
    Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service: TCP 22
    SMTP alert email; encrypted virus sample auto-submit: TCP 25
    LDAP or PKI authentication: TCP 389 or TCP 636
    FortiGuard Antivirus or IPS update: TCP 443
    FortiGuard Analysis and Management Service: TCP 443
    FortiGuard Analysis and Management Service log transmission (OFTP): TCP 514
    SSL management tunnel to FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later): TCP 541
    FortiGuard Analysis and Management Service contract validation: TCP 10151

Caution: VMware Player, VMware Fusion and VMware Workstation may be used for
evaluation purposes; however, they are not supported by Fortinet.

Architecture of the FortiGate-VM


FortiGate-VM works in conjunction with VMware vSphere to leverage the power of
virtualization to protect your business against network, content, and application-level
threats without degrading network availability and uptime.
The FortiGate-VM runs on the VMware ESX/ESXi server and is managed using the Web
Config GUI running on the management computer. See Figure 1.
Figure 1: FortiGate-VM architecture.
[Diagram labels: VMware ESXi Server; FortiGate-VM; Virtual switch; VM1, VM2, VM3; VLAN1, VLAN2, VLAN3; Physical NIC; Internet; FortiGuard Services; Management Computer.]

Licensing
When you place an order for FortiGate-VM, a registration number is sent to the email
address used on the order form. Use the registration number to register with FortiCare
(www.support.fortinet.com) and to obtain a license file, which is used to activate the
FortiGate-VM.
For new installations, the CLI and Web Config are locked until you enter a license. Once
a license is entered and validated by FortiGuard services, the CLI and Web Config are
unlocked and fully functional.
If FortiGuard discovers that the license is expired, pirated, or cloned, FortiGuard returns
an invalid status to the FortiGate-VM and the device remains in a locked state.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.

Customer service & technical support


Fortinet Technical Support provides services designed to make sure that you can install
your Fortinet products quickly, configure them easily, and operate them reliably in your
network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article Fortinet Technical
Support Requirements.

Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email them at
training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit
the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this technical document to
techdoc@fortinet.com.

Installing FortiGate-VM
FortiGate-VM software must be installed on the VMware vSphere Hypervisor
(ESX/ESXi) server that is used to host the FortiGate-VM device. The installation
instructions for FortiGate-VM assume you are familiar with VMware ESXi server and
terminology. Refer to http://www.vmware.com/products/vsphere-hypervisor/index.html for
information.
This chapter provides the details of installing the FortiGate-VM.

Installation Overview
Figure 2 outlines the basic steps of installing the FortiGate-VM.
Figure 2: Overview of Installing FortiGate-VM
[Flowchart, in order:]
1 Set up VMware vSphere Hypervisor (ESXi) server
2 Download and install vSphere client on Management Computer
3 Deploy Fortigate-VM.ovf file in VMware vSphere client
4 Get FortiGate-VM license from Fortinet
5 Login to Web Config in a web browser and upload license file
6 License is validated through FortiGuard (decision: No / Yes)
7 Yes: FortiGate-VM unlocked and fully functional

Installing FortiGate-VM
Ensure the following prerequisites are met before installing FortiGate-VM:

• The VMware vSphere Hypervisor software must be installed on a server prior to
installing the FortiGate-VM. This documentation does not cover how to install the
VMware server. Go to http://www.vmware.com/products/vsphere-hypervisor/index.html
for installation details.
• The VMware vSphere Client is installed on the Management Computer. This could
be a desktop or a laptop that will be used to manage the devices.
• A valid internet connection between the FortiGuard and the FortiGate is necessary in
order to validate the FortiGate-VM license. If you do not have a valid license, your
device will not be functional.

Getting the FortiGate-VM software


The FortiGate-VM software is provided by Fortinet.
1 From the link provided by Fortinet, save the FGT_VM-v400-buildxxxxFORTINET.out.ovf.zip file to the management computer.
2 Extract the zipped files to a folder. The following table describes the files in the folder:
Table 2:

Filename                 Description
datadrive.vmdk           Virtual disk.
FortiGate-VM.hw04.ovf    This is an *.ovf file using hardware version 4 and is deployed for VMware ESX/ESXi 3.5.
FortiGate-VM.ovf         This is a *.ovf file using hardware version 7.0 and is deployed for ESX/ESXi 3.5/4.0/4.1.
fgt.vmdk                 Virtual disk.

Deploying the FortiGate-VM software


In order to install the Fortigate-VM.ovf file, it needs to be deployed using the VMware
vSphere Client.
To deploy the software
Open the vSphere Client on your computer, and deploy the *.ovf template:
1 Login to the VMware vSphere Client. Enter the IP address, user name, and password
of the ESXi server.

Figure 3: Logging into VMware vSphere Client.

2 Go to File > Deploy OVF Template.


3 In the Browse to OVF Template window, locate the Fortigate-VM.ovf file, and click
Next.
Figure 4: Deploying *.OVF file

4 Review the OVF template details and click Next.


5 Read the End User License Agreement and click Accept at the bottom. Then click
Next.
6 Enter the name for the FortiGate-VM virtual device and click Next.

7 Select the format in which you want to store the virtual disks and click Next.
• Thin provisioned format: The storage is allocated on demand as data is written to
the virtual disks. This is supported only on VMFS3 and newer datastores. Other
types of datastores might create thick disks.
• Thick provisioned format: All storage is allocated immediately. Uses
approximately 30GB.
For more information, click Help.


Figure 5: Select the virtual disk format.

8 Map the networks used in the FortiGate-VM to the networks in your inventory. For each
Source Network, select a Destination Network from the drop-down list.
Figure 6: Map networks.

9 Click Finish after verifying the settings.


10 After the deployment is complete, click Close.
Figure 7: Complete the deployment.

Logging in
After installing the FortiGate-VM, log in and configure the FortiGate-VM.
To log in to the FortiGate-VM:
1 Open the Client.
2 Enter the IP address, user name, and password and click Login.

Figure 8: Entering login information

3 When you login, the first screen shows the Getting Started tab. From here you can do
the following:
• In the left pane, click the + (plus) sign and you will see the FortiGate-VM you added
during deployment.
• Click Edit virtual machine settings to edit details of the CPUs, interfaces, video
cards and other hardware information.
• Do not power on the FortiGate-VM if you want to configure the ports on the ESXi
server.

Configuring Virtual Networks


How the virtual machine's network adapters map to the physical ports depends on your
existing virtual environment. When you deploy the FortiGate-VM OVF file, one Virtual
Network Interface Card (vNIC) is automatically mapped to a port on the ESXi/ESX server.
You can change the mapping, or map the other vNICs if required. The following diagram
provides an example of how vNICs may be mapped to the ports on the VMware ESXi server.
Table 3 is an example of the network mapping.
Table 3: Network mapping example

ESX Server-OS Physical Adapter    Network Mapping: ESXi Server vNetwork VM Port Group    FortiGate-VM Settings Network Adapter    FortiGate-VM OS Port
eth0                              VM Network 1                                           Network Adapter 1                        Port 1
eth1                              VM Network 2                                           Network Adapter 2                        Port 2

For more information, see the VMware vSphere documentation at
http://www.vmware.com/products/vsphere-hypervisor/index.html

Configuring Network Adapters


The virtual ports can be mapped to the virtual network ports on the ESXi server. To map
virtual ports or change the existing virtual ports, use the Edit virtual machine settings
link in the Getting Started tab.

To map the network adaptors
1 Login to the VMware vSphere Client, select the FortiGate-VM, and click Edit
Settings in the General tab.
2 Do not power on the FortiGate-VM.
3 Network Adapters in VMNetworks are mapped to the FortiGate-VM ports.
4 Click the Network Adaptor to see its details.
5 Select the Network Adaptor and map it to the appropriate VM Network. This depends
on your configuration. For example, in the illustration below, Management network 1 is
mapped to VM Network 1.
Figure 9: Mapping network adapters.

6 Click OK when done.

Configuring the number of CPUs


You may have 2, 4, or 8 CPUs depending on the type of license you purchased. You can
change the number of CPUs that the virtual machine is using by changing the number of
virtual processors.
For more information, see the VMware vSphere documentation at
http://www.vmware.com/products/vsphere-hypervisor/index.html
To change the number of CPUs
1 In the Virtual Machine Properties window > Hardware tab, select CPUs.
2 Select the number of virtual processors for the virtual machine.
3 Click OK.

Powering on FortiGate-VM
Once FortiGate-VM has been deployed, you can power on the virtual machine and log in
using the Console.
In the Console, the commands you can enter are extremely limited until a valid license
is entered through the Web Config. You can configure the internal interface,
system DNS, and the static route.
To power on FortiGate-VM
1 Open the vSphere Client and enter the IP address, user name, and password. Click
Login.
2 Select the FortiGate-VM from the tree.
3 In the Getting Started tab, click Power on the virtual machine.
4 Select the Console tab. It may take a few minutes for the FortiGate-VM software to
format.
5 At the FortiGate-VM login prompt, type admin. There is no password.
6 Configure the FortiGate internal interface. Type:
    config system interface
        edit port1
            set ip <intf_ip>/<netmask_ip>
    end
7 Configure the primary and secondary DNS server IP addresses. Type:
    config system dns
        set primary <dns-server_ip>
        set secondary <dns-server_ip>
    end
8 Configure the default gateway. Type:
    config router static
        edit 1
            set device port1
            set gateway <gateway_ip>
    end
Note: To access Web Config in the web browser, only https is allowed; http is not allowed.
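
Console steps 6 to 8 above, as an added example that is not part of the Fortinet guide: a Python helper that checks the addressing before rendering the same three CLI blocks, because a gateway that is not on port1's subnet leaves the unit unable to reach FortiGuard to validate its license. The function name render_bootstrap is hypothetical, and every sample address other than 192.168.1.99 (the guide's own example) is constructed.

```python
import ipaddress

def render_bootstrap(intf_cidr, gateway, dns_primary, dns_secondary, port="port1"):
    """Validate console bootstrap values and return (cli_text, web_config_url).

    Raises ValueError when the values cannot give the unit a working path
    to FortiGuard, which it needs before the license can be validated.
    """
    intf = ipaddress.ip_interface(intf_cidr)  # accepts a.b.c.d/24 or a.b.c.d/m.m.m.m
    net = intf.network
    gw = ipaddress.ip_address(gateway)
    dns1 = ipaddress.ip_address(dns_primary)
    dns2 = ipaddress.ip_address(dns_secondary)

    # Network and broadcast addresses are not usable host addresses
    # (the distinction only exists for prefixes shorter than /31).
    reserved = set()
    if net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}
    if intf.ip in reserved:
        raise ValueError(f"{intf.ip} is not a usable host address in {net}")
    # The static route leaves through the same port, so the gateway must be on-link.
    if gw not in net or gw in reserved:
        raise ValueError(f"gateway {gw} is not a usable host address in {net}")
    if gw == intf.ip:
        raise ValueError("gateway must differ from the interface address")
    if dns1 == dns2:
        raise ValueError("secondary DNS server duplicates the primary")

    cli = "\n".join([
        "config system interface",
        f"edit {port}",
        f"set ip {intf.ip}/{intf.netmask}",  # same <intf_ip>/<netmask_ip> form as step 6
        "end",
        "config system dns",
        f"set primary {dns1}",
        f"set secondary {dns2}",
        "end",
        "config router static",
        "edit 1",
        f"set device {port}",
        f"set gateway {gw}",
        "end",
    ])
    # Web Config is reachable over https only.
    return cli, f"https://{intf.ip}"

if __name__ == "__main__":
    # Constructed sample values; 192.168.1.99 is the example address used in this guide.
    text, url = render_bootstrap("192.168.1.99/24", "192.168.1.1",
                                 "192.0.2.53", "198.51.100.53")
    print(text)
    print("Web Config:", url)
```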

Uploading the License


Once the system interface has been configured in the Console, you can enter the license
through a web browser in the Web Config. A license cannot be entered in the CLI.
You cannot perform any actions in the Web Config until a license has been uploaded. After
a valid license has been uploaded and verified by FortiGuard services, the Web Config
and the CLI are unlocked and fully functional. For more information about licenses and
FortiGuard, see Licensing. You must have a valid connection to the internet in
order to activate the license.

To upload the license


1 Open a web browser and type the IP address you configured in the console. For
example, https://192.168.1.99.
2 Type admin in the Name field and click Login. The Install FortiGate-VM License File tab
opens.
Figure 10: Install FortiGate-VM License File.

3 Browse for the license file and click OK.
The system will restart. This will take a few minutes.
4 You will get the message, "License has already been uploaded, please wait for
authentication with registration servers." Click OK.
Figure 11: License uploaded message.

5 Refresh the web browser to login.


6 Type admin in the Name field and click Login. The FortiGate-VM Web Config opens.
The VM License Registration Status and number of CPUs detected are shown in the
FortiGate-VM dashboard.
Figure 12: FortiGate-VM in Web Config.

CAUTION: You will need to set up firewall policies in FortiGate-VM. There are no firewall
policies by default; therefore no traffic will flow until firewall policies are created.

For more information on how to set up and use the FortiGate-VM features, see the
FortiGate Administration Guide or visit http://docs.fortinet.com/fgt.html for all FortiOS
documentation.
