
FortiGate-VM v4.0 MR3 patch 1
Install Guide

25 August 2011 01-431-0147862-20110713 Copyright 2011 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Trademarks ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Visit these links for more information and documentation for your Fortinet product:
Technical Documentation - http://docs.fortinet.com
Fortinet Knowledge Center - http://kb.fortinet.com
Technical Support - http://support.fortinet.com
Training Services - http://training.fortinet.com

Table of Contents

Overview of FortiGate-VM
    Architecture of FortiGate-VM
    Licensing
    Registering your Fortinet product
    Customer service and technical support
    Training
    Documentation
        Fortinet Knowledge Base
        Comments on Fortinet technical documentation

Installing FortiGate-VM
    Overview of the Installation
    Downloading FortiGate-VM
    Deploying the FortiGate-VM software
    Logging in
    Before powering on FortiGate-VM Virtual Appliance
        Resize disk (VMDK)
        Configure the number of vCPUs
        Setting the virtual RAM
        Configuring Virtual Networks
        Configure the virtual network adaptor(s)
    Powering on FortiGate-VM
    Uploading the License

FortiGate version 4.3.1 System Guide 01-431-0147862-20110713 http://docs.fortinet.com/ Feedback

Table of Figures

FortiGate-VM architecture
Overview of Installing FortiGate-VM
Entering login information
Deploying *.OVF file
Browsing to a *.OVF file
Entering the OVF template details
Accepting the End User Agreement
Entering the name of the FortiGate-VM
Selecting the datastore
Formatting virtual disks
Mapping networks
Verifying the details.
Completing the deployment.
Logging in to the ESX/ESXi host
Selecting the FortiGate-VM instance
Editing settings
Changing drive sizing
Editing CPU settings
Editing memory settings
Mapping network adapters
Powering on the FortiGate-VM
Opening the console
Browsing the license file
License validated


1. Overview of FortiGate-VM

FortiGate-VM works in conjunction with VMware vSphere to leverage the power of virtualization to protect your business against network, content and application-level threats without degrading network availability and uptime. FortiGate-VM runs on the VMware ESX/ESXi Server (hypervisor) and is managed using FortiManager or the web-based manager running on the management computer.

Architecture of FortiGate-VM
Figure 1 shows the architecture of the FortiGate-VM.
Figure 1: FortiGate-VM architecture

Table 1: FortiGate-VM model information

Technical Specifications                      FortiGate-VM00    FortiGate-VM01    FortiGate-VM02    FortiGate-VM04    FortiGate-VM08
Hypervisor Support                            VMware ESX/ESXi 3.5/4.0/4.1 (all models)
Max vCPU Support                              1                 1                 2                 4                 8
Network Interface Support (Minimum/Maximum)   2 / 10            2 / 10            2 / 10            2 / 10            2 / 10
VM Memory Support (Minimum/Maximum)           512 MB / 512 MB   512 MB / 1 GB     512 MB / 3 GB     512 MB / 4 GB     512 MB / 4 GB
VM Storage Required (Minimum)                 30 GB             30 GB             30 GB             30 GB             30 GB

FortiGuard Services & Port Information (all models):
- DNS lookup; RBL lookup - UDP 53
- FortiGuard Licensing - TCP 443
- FortiGuard Antispam or Web Filtering rating lookup - UDP 53 or UDP 8888
- FDN server list - UDP 53 (default) or UDP 8888, UDP 1027 or UDP 1031
- Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service - TCP 22
- SMTP alert email; encrypted virus sample auto-submit - TCP 25
- LDAP or PKI authentication - TCP 389 or TCP 636
- FortiGuard Antivirus or IPS update - TCP 443
- FortiGuard Analysis and Management Service - TCP 443
- FortiGuard Analysis and Management Service log transmission (OFTP) - TCP 514
- SSL management tunnel to FortiGuard Analysis and Management Service - TCP 541
- FortiGuard Analysis and Management Service contract validation - TCP 10151
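The port list in Table 1 can serve as the baseline for auditing the appliance's own outbound traffic. The following Python code is an added example, not part of the Fortinet guide: it checks flow records sourced from the FortiGate-VM against the protocol/port pairs listed above and separates documented flows from flows that need review. The flow-record format, the function names and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# One parsed record of the constructed format "timestamp src dst proto dport".
Flow = namedtuple("Flow", "timestamp src dst proto dport")

FAMS = "FortiGuard Analysis and Management Service"
# (protocol, destination port) -> services Table 1 documents for that pair.
DOCUMENTED_EGRESS = {
    ("udp", 53): ["DNS lookup; RBL lookup",
                  "FortiGuard Antispam or Web Filtering rating lookup",
                  "FDN server list (default)"],
    ("udp", 8888): ["FortiGuard Antispam or Web Filtering rating lookup",
                    "FDN server list"],
    ("udp", 1027): ["FDN server list"],
    ("udp", 1031): ["FDN server list"],
    ("tcp", 22): ["Configuration backup to FortiManager unit or " + FAMS],
    ("tcp", 25): ["SMTP alert email; encrypted virus sample auto-submit"],
    ("tcp", 389): ["LDAP or PKI authentication"],
    ("tcp", 636): ["LDAP or PKI authentication"],
    ("tcp", 443): ["FortiGuard Licensing",
                   "FortiGuard Antivirus or IPS update", FAMS],
    ("tcp", 514): [FAMS + " log transmission (OFTP)"],
    ("tcp", 541): ["SSL management tunnel to " + FAMS],
    ("tcp", 10151): [FAMS + " contract validation"],
}

# Constructed sample records. 192.168.1.99 is the guide's example appliance
# address; destinations are documentation-range placeholders.
SAMPLE_FLOWS = """\
2011-08-25T10:00:01 192.168.1.99 198.51.100.10 udp 53
2011-08-25T10:00:02 192.168.1.99 203.0.113.5 tcp 443
2011-08-25T10:00:03 192.168.1.99 203.0.113.5 tcp 541
2011-08-25T10:00:04 192.168.1.99 198.51.100.77 tcp 6667
2011-08-25T10:00:05 192.168.1.50 198.51.100.10 tcp 80
2011-08-25T10:00:06 192.168.1.99 203.0.113.9 udp 123
2011-08-25T10:00:07 192.168.1.99 not-an-ip tcp 443
"""


def parse_flow(line):
    """Parse one record; raise ValueError if any field is malformed."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields")
    timestamp, src, dst, proto, dport = fields
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("unsupported protocol")
    port = int(dport)  # ValueError on non-numeric input
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return Flow(timestamp, ipaddress.ip_address(src),
                ipaddress.ip_address(dst), proto, port)


def audit(lines, appliance_ip):
    """Classify flows sourced from the appliance against Table 1."""
    appliance = ipaddress.ip_address(appliance_ip)
    report = {"documented": [], "undocumented": [], "malformed": [], "ignored": 0}
    for line in lines:
        if not line.strip():
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            report["malformed"].append(line.strip())
            continue
        if flow.src != appliance:
            report["ignored"] += 1  # not the appliance's own traffic
            continue
        services = DOCUMENTED_EGRESS.get((flow.proto, flow.dport))
        if services:
            report["documented"].append((flow, services))
        else:
            report["undocumented"].append(flow)  # not in Table 1: review
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS.splitlines(), "192.168.1.99")
    for flow in result["undocumented"]:
        print("REVIEW", flow.timestamp, flow.dst, flow.proto, flow.dport)
```

A flow reported as undocumented is only absent from Table 1; it still needs a decision on whether the deployment requires it before an upstream egress rule allows it.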


Licensing
After placing an order for FortiGate-VM, a registration number is sent to the email address used on the order form. Use the registration number provided to register the FortiGate-VM with FortiCare (https://support.fortinet.com). You will need the license file to activate your FortiGate-VM instance.

For new installations, the CLI and web-based manager are locked until you load the license file. Once the license is loaded and validated by FortiManager or FortiGuard services, the CLI and web-based manager are unlocked and fully functional. If FortiManager or FortiGuard discovers that the license has expired or was pirated or cloned, an invalid status is returned to the FortiGate-VM and the device remains in a locked state.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com. Many Fortinet customer services such as firmware updates, technical support, FortiGuard Antivirus and other FortiGuard services require product registration.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network.


To learn about the technical support services Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Fortinet Technical Support Requirements.

Training

Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this technical document to techdoc@fortinet.com.


2. Installing FortiGate-VM

Prior to deploying the FortiGate-VM virtual appliance, VMware vSphere Hypervisor (ESX/ESXi) must be installed and configured. The installation instructions for FortiGate-VM assume you are familiar with VMware ESX/ESXi server and terminology.

Ensure the following prerequisites are met before installing FortiGate-VM:
- The VMware vSphere ESX/ESXi Hypervisor software must be installed and configured. For more details, refer to http://www.vmware.com/products/esxi.
- The VMware vSphere Client is installed on the management computer.
- An Internet connection is available for FortiGate-VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate-VM license (please see the FortiManager Install and Configure guide for these prerequisites).

Overview of the Installation
Install the FortiGate-VM after installing the VMware ESX/ESXi server. The following flowchart outlines the basic steps of installing the FortiGate-VM.
Figure 2: Overview of Installing FortiGate-VM
Flowchart steps: Start > Install VMware ESX/ESXi server software > Install VMware vSphere Client > All prerequisites met? (Y) > Install FortiGate-VM > Configure FortiGate-VM > Install License > Connect to FortiGate-VM > End


Downloading FortiGate-VM
When you purchase FortiGate-VM, you are provided a link to download the FortiGate-VM software/image. From the link provided, save the FGT_VM-v400-build0458FORTINET.out.ovf.zip file to the management computer and extract the files to a folder.

Table 2: Extracted files.

Filename                        Description
datadrive.vmdk                  Virtual disk
FortiGate-VM.hw04.ovf           OVF file formatted to VMware VM version 4 (ESX/ESXi 3.5/4.0/4.1)
FortiGate-VM.ovf                OVF file formatted to VMware VM version 7 (ESX/ESXi 4.0/4.1)
FortiGate-VM.hw07.vmxnet2.ovf   OVF file formatted to VMware VM version 7 utilizing VMXNET2 NICs (ESX/ESXi 4.0/4.1)
fortios.vmdk                    Virtual disk

Deploying the FortiGate-VM software


The VMware vSphere Client is used to deploy the FortiGate-VM.ovf file.

To deploy the software
1 Open the VMware vSphere Client installed on the management computer.
2 Enter the IP address, user name and password of the ESX/ESXi server.
Figure 3: Entering login information
3 Click Login.
4 Go to File > Deploy OVF Template.
Figure 4: Deploying *.OVF file
5 Select Browse and locate the applicable FortiGate-VM.ovf file and select Next.
Figure 5: Browsing to a *.OVF file
6 Verify the OVF template details and click Next.
Figure 6: Entering the OVF template details
7 Read the End User License Agreement and click Accept at the bottom, then click Next.
Figure 7: Accepting the End User Agreement
8 Enter a name for the deployed template and click Next.
Figure 8: Entering the name of the FortiGate-VM
9 Choose the proper datastore to locate the FortiGate-VM.
Figure 9: Selecting the datastore
10 Choose your disk format option.
Figure 10: Formatting virtual disks
11 Map the networks then click Next. By default, one source network is automatically mapped to the destination source network. For each source network, select a destination network from the drop down list.
Figure 11: Mapping networks
12 After verifying the settings, click Finish. If you want to change the settings, click the Back button to return to a previous screen and change them.
Figure 12: Verifying the details.
13 After the Deployment Completed Successfully message is shown, click Close.
Figure 13: Completing the deployment.

Logging in
After installing the FortiGate-VM, log in to the VMware vSphere Hypervisor (ESX/ESXi) and configure the FortiGate-VM settings.

To log in to the ESX/ESXi host
1 Open the VMware vSphere Client and enter the IP address, user name and password.
2 Click Login.
Figure 14: Logging in to the ESX/ESXi host
3 Highlight the FortiGate-VM in the left pane.
Figure 15: Selecting the FortiGate-VM instance
4 Click Edit Settings to edit details regarding CPUs, RAM, Interfaces, video cards and other virtual hardware information.
Figure 16: Editing settings
5 Do NOT power on the FortiGate-VM if you want/need to change its default configuration.

Before powering on FortiGate-VM Virtual Appliance


- If necessary, resize the disk (VMDK); see Resize disk (VMDK).
- Configure the number of CPUs; see Configure the number of vCPUs.
- Set the RAM on the virtual appliance; see Setting the virtual RAM.
- Configure the virtual network adaptor(s); see Configure the virtual network adaptor(s).

Resize disk (VMDK)
For your convenience, the FortiGate-VM deploys with pre-sized VMDKs (Virtual Machine Disk Format). After you deploy the FortiGate-VM (see Deploying the FortiGate-VM software), you can change the size of the files before the initial startup and configuration. This may be necessary if you are planning to do a large amount of local logging.

Before doing so, you need to understand the size limitations of your VMFS VM datastore (not relevant to NFS datastores). During the creation of a VM datastore, you have the following formatting options:
- 1 MB block size - 256 GB maximum file size
- 2 MB block size - 512 GB maximum file size
- 4 MB block size - 1024 GB maximum file size
- 8 MB block size - 2048 GB maximum file size

For example, if you select an 800 GB datastore which has been formatted with 1 MB block size, you won't be able to size a single virtual disk (VMDK) greater than 256 GB on your FortiGate-VM. For more information on VMFS block sizing and recommendations, please see http://communities.vmware.com/docs/DOC-11920.

To resize the disk
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Click on Hard disk 2 and edit the Provisioned Size as necessary up to VMware's limit.
Figure 17: Changing drive sizing
6 Click Ok.

Configure the number of vCPUs
Depending on the FortiGate-VM model you deploy, you may configure any vCPU value up to your licensed maximum. As an example, if you purchase a FortiGate-VM08, you may configure this to be any value from 1 vCPU to 8 vCPUs dependent on your VMware license level. For more information, see the VMware vSphere documentation at http://www.vmware.com/products/vsphere-hypervisor/index.html.

To change the number of vCPUs
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Click on CPUs and edit the number of virtual processors.
Figure 18: Editing CPU settings
6 Click Ok.

Setting the virtual RAM
The FortiGate-VM comes pre-configured with 512 MB of RAM. You may change this value to be anywhere from 512 MB to the maximum allowed by the FortiGate-VM model you deployed. As an example, if you are deploying a FortiGate-VM04, you may change this setting to be any value between 512 MB and 4 GB.

To change the amount of vRAM
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Click on Memory and edit the Memory Size.
Figure 19: Editing memory settings
6 Click Ok.

Configuring Virtual Networks
Mapping FortiGate-VM ports to physical ports depends on your existing virtual environment. When you deploy the FortiGate-VM OVF file, one Virtual Network Interface Card (vNIC) is automatically mapped to a port group on a virtual switch within the ESX/ESXi server. You can change the mapping, or map the other vNICs as required. Table 3 provides an example of how vNICs may be mapped to the ports on the VMware ESX/ESXi server.

Table 3: Network mapping example

ESX/ESXi Server      Network Mapping: ESX/ESXi Server   FortiGate-VM VM Network   FortiGate-VM
Physical Adapters    to vSwitch VM Port Groups          Adapter Settings          OS port
eth0                 VM Network 1                       Network Adapter 1         Port 1
eth1                 VM Network 2                       Network Adapter 2         Port 2

Configure the virtual network adaptor(s)
Virtual Machine ports can be mapped to port groups on virtual switches and subsequently mapped to ports on the ESX/ESXi server. To map virtual ports or change the existing virtual port configurations, edit the FortiGate-VM settings.

To map the network adaptors
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Network adapters are mapped to a virtual port on virtual networks (VM Network).
6 Highlight a specific Network adapter to see its current settings.
7 Select the Network adapter and map it to an appropriate VM Network. This will depend on your configuration. For example, in the figure below, Network adapter 1 is mapped to VM Network.
Figure 20: Mapping network adapters
8 Click Ok when done.

Powering on FortiGate-VM
Once deployed, power on the FortiGate-VM virtual appliance and log in using the Console. In the Console, you have limited CLI commands available for the initial configuration until a valid license is entered through the Web-based manager. You can configure the internal interfaces, system DNS and the static router.

To power on the FortiGate-VM
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane.
5 Click Power On.
Figure 21: Powering on the FortiGate-VM
6 Select the Console tab. It may take a few minutes for the FortiGate-VM to format.
Figure 22: Opening the console
7 At the FortiGate-VM login prompt, type admin. There is no password.
8 Configure the FortiGate-VM internal interface. Type:
    config system interface
        edit port1
            set ip <int_ip>/<netmask_ip>
    end
9 Configure the primary and secondary DNS server IP addresses. Type:
    config system dns
        set primary <dns-server_ip>
        set secondary <dns-server_ip>
    end
10 Configure the default gateway. Type:
    config router static
        edit 1
            set device port1
            set gateway <gateway_ip>
    end

Uploading the License


Once the system interface has been configured in the Console, you enter the license using the web-based manager. Configuration through the web-based manager can only be performed after a valid license has been uploaded and verified by FortiGuard Services or FortiManager. Once verified, the web-based manager and the CLI are unlocked and fully functional.

To upload the license
1 Open a web browser and type the FortiGate-VM IP address initially configured in the console. For example, https://192.168.1.99.
2 Type admin in the Name field and select Login. The Install FortiGate-VM License File tab opens.
Figure 23: Browsing the license file
3 Select Browse, locate the license file and click Ok. The system will restart. This will take a few minutes. You will get the message "License has already been uploaded, please wait for authentication with registration servers."
4 Select Ok.
5 Refresh the web browser to log in.
6 Type admin in the Name field and select Login. The VM License Registration Status and number of CPUs detected are shown in the FortiGate-VM dashboard.
Figure 24: License validated

Caution: You will need to set up firewall policies in FortiGate-VM. There are no policies by default; therefore no traffic will flow until firewall policies are created.

For more information on how to set up and use the FortiGate-VM features, see the FortiGate Administration Guide or visit http://docs.fortinet.com/fgt.html for all FortiOS documentation.
