FortiGate-VM™ Install and Setup Guide for FortiOS 4.0 MR2

Upload: edgard-huaman

Post on 08-Nov-2015


FortiGate-VM: Install and Setup Guide for FortiOS 4.0 MR2
v2, 10 November 2010
01-420-129664-20101110

Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

• Introduction
  • Document conventions
    • IP addresses
    • Example Network configuration
    • Cautions, Notes and Tips
    • Typographical conventions
    • CLI command syntax conventions
  • Entering FortiOS configuration data
    • Entering text strings (names)
    • Entering numeric values
    • Selecting options from a list
    • Enabling or disabling options
  • Registering your Fortinet product
  • Fortinet products End User License Agreement
  • Training
  • Documentation
    • Fortinet Tools and Documentation CD
    • Fortinet Knowledge Base
    • Comments on Fortinet technical documentation
  • Customer service and technical support
• FortiGate-VM
  • Installing
  • Licensing
  • Installing FortiGate-VM
    • Downloading FortiGate-VM
    • Deploying the FortiGate-VM software
  • Logging in
  • Configuring Virtual Networks
    • Configuring Network Adapters
  • Configuring the number of CPUs
  • Powering on FortiGate-VM
  • Uploading the License

Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

Firewall policies are the key component of FortiOS that allows, or disallows, traffic to and from your network. It is through firewall policies that you define who, what and when traffic goes between networks and the Internet.

This guide describes the basics of installing FortiGate-VM on a virtual server and the steps to configure the basics.

This chapter contains the following topics:

• Document conventions
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Training
• Documentation
• Customer service and technical support

Document conventions

Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Most of the examples in this document use the following IP addressing:

• IP addresses are made up of A.B.C.D
• A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
  • Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
  • Device or virtual device - allows multiple FortiGate units in this address space (VDOMs). Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet.
  • 001 - 099 - physical address ports, and non-virtual interfaces
  • 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
• D - usage based addresses, this part is determined by what the device is doing. The following gives 16 reserved, 140 users, and 100 servers in the subnet.
  • 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
  • 010 - 099 - DHCP range - users
  • 100 - 109 - FortiGate devices - typically only use 100
  • 110 - 199 - servers in general (see later for details)
  • 200 - 249 - static range - users
  • 250 - 255 - reserved (255 is broadcast, 000 not used)

The D segment servers can be further broken down into:

• 110 - 119 - Email servers
• 120 - 129 - Web servers
• 130 - 139 - Syslog servers
• 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)
• 150 - 159 - VoIP / SIP servers / managers
• 160 - 169 - FortiAnalyzers
• 170 - 179 - FortiManagers
• 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
• 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)

Fortinet products, non-FortiGate, are found from 160 - 189.

The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case there is only one interface being used.

Table 1: Examples of the IP numbering

| Location and device | Internal | Dmz | External |
|---|---|---|---|
| Head Office, one FortiGate | 10.011.101.100 | 10.011.201.100 | 172.20.120.191 |
| Head Office, second FortiGate | 10.012.101.100 | 10.012.201.100 | 172.20.120.192 |
| Branch Office, one FortiGate | 10.021.101.100 | 10.021.201.100 | 172.20.120.193 |
| Office 7, one FortiGate with 9 VDOMs | 10.079.101.100 | 10.079.101.100 | 172.20.120.194 |
| Office 3, one FortiGate, web server | n/a | 10.031.201.110 | n/a |
| Bob in accounting on the corporate user network (dhcp) at Head Office, one FortiGate | 10.0.11.101.200 | n/a | n/a |
| Router outside the FortiGate | n/a | n/a | 172.20.120.195 |

Example Network configuration

The network configuration shown in Figure 1 or variations on it is used for many of the examples in this document. In this example, the 172.20.120.0 network is equivalent to the Internet. The network consists of a head office and two branch offices.

Figure 1: Example network configuration (head office and two branch offices)

Cautions, Notes and Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions

Fortinet documentation uses the following typographical conventions:

Table 2: Typographical conventions in Fortinet technical documentation

Convention: Example

• Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
• CLI input:

    config system dns
    set primary
    end

• CLI output:

    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat

• Emphasis: HTTP connections are not secure and can be intercepted by a third party.
• File content:

    Firewall Authentication
    You must authenticate to use this service.

• Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
• Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.
• Navigation: Go to VPN > IPSEC > Auto Key (IKE).
• Publication: For details, see the FortiOS Handbook.

CLI command syntax conventions

This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI).

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as , indicate which data types or string patterns are acceptable value input.

Table 3: Command syntax notation

Convention: Description

• Square brackets [ ]: A non-required word or series of words. For example:

    [verbose {1 | 2 | 3}]

  indicates that you may either omit or type both the verbose word and its accompanying option, such as:

    verbose 3

• Angle brackets < >: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:

  indicates that you should enter a number of retries, such as 5.

  Data types include:

  • : A name referring to another part of the configuration, such as policy_A.
  • : An index number referring to another part of the configuration, such as 0 for the first static route.
  • : A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
  • : A fully qualified domain name (FQDN), such as mail.example.com.
  • : An email address, such as [email protected].
  • : A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet./com/.
  • : An IPv4 address, such as 192.168.1.99.
  • : A dotted decimal IPv4 netmask, such as 255.255.255.0.
  • : A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
  • : A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
  • : A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  • : An IPv6 netmask, such as /96.
  • : An IPv6 address and netmask separated by a space.
  • : A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
  • : An integer number that is not another data type, such as 15 for the number of minutes.

Table 3: Command syntax notation (Continued)

Convention: Description

• Curly braces { }: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
• Options delimited by vertical bars |: Mutually exclusive options. For example:

    {enable | disable}

  indicates that you must enter either enable or disable, but must not enter both.

• Options delimited by spaces: Non-mutually exclusive options. For example:

    {http https ping snmp ssh telnet}

  indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:

    ping https ssh

  Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:

    ping https snmp ssh

  If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

Entering FortiOS configuration data

The configuration of a FortiGate unit is stored as a series of configuration settings in the FortiOS configuration database. To change the configuration you can use the web-based manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a firewall address, administrative user, and so on. You can enter any character in a FortiGate configuration text string, with one exception: to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in FortiGate configuration names cannot include the following characters:

" (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)

You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the web-based manager or CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the web-based manager you are limited to entering 64 characters in the firewall address name field. From the CLI you can do the following to confirm that the firewall address name field allows 64 characters.

    config firewall address
    tree
    -- [address] --*name (64)
    |- subnet
    |- type
    |- start-ip
    |- end-ip
    |- fqdn (256)
    |- cache-ttl (0,86400)
    |- wildcard
    |- comment (64 xss)
    |- associated-interface (16)
    +- color (0,32)

Note that the tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully-qualified domain name (fqdn) field can contain up to 256 characters.
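The limits printed by tree and the characters rejected in names can be checked before a value is typed into the CLI or pushed by a script. The Python below is an added example, not part of the Fortinet guide: parse_tree and check_value are hypothetical helper names, the tree text is the guide's output laid out one node per line, lengths are counted in characters as an assumption, and the xss marker is only recorded because the guide does not explain it.

```python
import re

# Characters the guide lists as not allowed in configuration names (XSS prevention).
FORBIDDEN_IN_NAMES = '"&\'<>'

# Constructed sample input: the guide's tree output for "config firewall address",
# one node per line.
TREE_OUTPUT = """\
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)
"""

# A node is introduced by "--*", "|-" or "+-", then a field name, then an
# optional parenthesised limit such as "(64)", "(64 xss)" or "(0,86400)".
NODE = re.compile(r"(?:--\*|\|-|\+-)\s*(?P<field>[\w-]+)(?:\s*\((?P<limit>[^)]*)\))?")


def parse_tree(text):
    """Return {field: {"max_len": int|None, "range": (lo, hi)|None, "flags": [str]}}."""
    limits = {}
    for line in text.splitlines():
        match = NODE.search(line)
        if not match:
            continue
        entry = {"max_len": None, "range": None, "flags": []}
        limit = match.group("limit")
        if limit:
            if "," in limit:                 # "(0,86400)": numeric range
                low, high = (int(part) for part in limit.split(","))
                entry["range"] = (low, high)
            else:                            # "(64)" or "(64 xss)": length, optional flags
                size, *flags = limit.split()
                entry["max_len"] = int(size)
                entry["flags"] = flags
        limits[match.group("field")] = entry
    return limits


def check_value(field, value, limits):
    """Return a list of problems with value for field; an empty list means acceptable."""
    if field not in limits:
        return [f"unknown field {field!r}"]
    rule = limits[field]
    problems = []
    if rule["range"] is not None:
        low, high = rule["range"]
        try:
            number = int(value)
        except ValueError:
            return [f"{field}: {value!r} is not a number"]
        if not low <= number <= high:
            problems.append(f"{field}: {number} is outside {low}..{high}")
        return problems
    if rule["max_len"] is not None and len(value) > rule["max_len"]:
        problems.append(f"{field}: {len(value)} characters, limit is {rule['max_len']}")
    if field == "name":                      # the guide states the rule for names
        bad = sorted(set(value) & set(FORBIDDEN_IN_NAMES))
        if bad:
            problems.append(f"{field}: forbidden character(s) {' '.join(bad)}")
    return problems


if __name__ == "__main__":
    limits = parse_tree(TREE_OUTPUT)
    for field, value in [("name", "Web_Server_1"), ("name", 'HQ & "DMZ" <web>'),
                         ("name", "x" * 65), ("cache-ttl", "90000")]:
        print(field, repr(value), check_value(field, value, limits) or "ok")
```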

Entering numeric values

Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1. Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example, the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal numbers.

Most web-based manager numeric value configuration fields limit the number of numeric digits that you can add or contain extra information to make it easier to add the acceptable number of digits and to add numbers in the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.

Selecting options from a list

If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.

Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Fortinet products End User License Agreement

See the Fortinet products End User License Agreement.

Training

Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide.

To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email [email protected].

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Fortinet Tools and Documentation CD

Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.

FortiGate-VM

FortiGate-VM works in conjunction with VMware vSphere to leverage the power of virtualization to protect your business against network, content, and application-level threats, without degrading network availability and uptime. FortiGate-VM runs on the VMware ESX/ESXi server and is managed using the Web Config GUI running on the management computer.

Figure 2: FortiGate-VM architecture.

Installing

Before using FortiGate-VM, you need to install the VMware vSphere Hypervisor (ESX/ESXi) server to host the FortiGate-VM device. The installation instructions for FortiGate-VM assume you are familiar with VMware ESXi server and terminology.

VMware vSphere Hypervisor (ESX/ESXi) software must be installed prior to installing FortiGate-VM.

Licensing

When you place an order for FortiGate-VM, a registration number is sent to the email address used on the order form. Use the registration number provided when you purchased FortiGate-VM to register at www.support.fortinet.com to obtain a license file. You will need this file to activate FortiGate-VM.

For new installations, the CLI and web-based manager are locked until you load the license file. Once loaded and validated by FortiGuard services, the CLI and web-based manager are unlocked and fully functional.

If FortiGuard discovers that the license is expired, pirated, or cloned, FortiGuard returns an invalid status back to the FortiGate-VM and the device remains in a locked state.

Table 4: FortiGate-VM requirements.

| Requirement | Value |
|---|---|
| VMware vSphere Hypervisor | VMware ESXi/ESX 3.5/4.0/4.1 |
| Memory | A minimum 512 MB of RAM, maximum of 3GB |
| CPU | 2 virtual CPUs, maximum of 8 virtual CPUs |
| 10/100/1000 Interfaces | A minimum of 2 virtual NICs, a maximum of 10 virtual NICs |
| 10 GbE Interface | Supported |
| Storage | A minimum of 30GB |
| Valid internet connection to connect to FortiGuard Services | DNS lookup; RBL lookup: UDP 53 |
| | FortiGuard Licensing: TCP/443 |
| Other useful FortiGuard ports | FortiGuard Antispam or Web Filtering rating lookup: UDP 53 or UDP 8888 |
| | FDN server list: UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031 |
| | Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service: TCP 22 |
| | SMTP alert email; encrypted virus sample auto-submit: TCP 25 |
| | LDAP or PKI authentication: TCP 389 or TCP 636 |
| | FortiGuard Antivirus or IPS update: TCP 443 |
| | FortiGuard Analysis and Management Service: TCP 443 |
| | FortiGuard Analysis and Management Service log transmission (OFTP): TCP 514 |
| | SSL management tunnel to FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later): TCP 541 |
| | FortiGuard Analysis and Management Service contract validation: TCP 10151 |

Caution: VMware Player, VMware Fusion and VMware Workstation may be used for evaluation purposes, however they are not supported by Fortinet.

Installing FortiGate-VM

Ensure the following prerequisites are met before installing FortiGate-VM:

• The VMware vSphere Hypervisor software must be installed on a server prior to installing the FortiGate-VM.
• The VMware vSphere Client is installed on the Management Computer.
• A valid internet connection is available for FortiGate-VM to contact FortiGuard to validate the FortiGate-VM license.

Downloading FortiGate-VM

When you purchase FortiGate-VM, you will be provided a link to download the VM software. From the link provided by Fortinet, save the FGT_VM-v400-buildxxxx-FORTINET.out.ovf.zip file to the management computer and extract the files to a folder.

1. Extract the zipped files to a folder.

The following table describes the files in the folder:

| Filename | Description |
|---|---|
| datadrive.vmdk | Virtual disk. |
| FortiGate-VM.hw04.ovf | This is an using hardware version 4 and is deployed for VMware ESX/ESXi 3.5. |
| FortiGate-VM.ovf | This is a using hardware version 7.0 and is deployed for ESX/ESXi 3.5/4.0/4.1. |
| fgt.vmdk | Virtual disk. |

Deploying the FortiGate-VM software

To install the Fortigate-VM.ovf file, it needs to be deployed using the VMware vSphere Client.

To deploy the software:

1. Open the vSphere Client on the management computer.
2. Log in to the VMware vSphere Client and log into the ESXi server.
3. Go to File > Deploy OVF Template.
4. Select Browse and locate the Fortigate-VM.ovf file.
5. Complete the installation following the instructions provided by the VMware installation.

Logging in

After installing the FortiGate-VM, log in and configure the FortiGate-VM.

To log in to the FortiGate-VM:

1. Open the vSphere client.
2. Enter the IP address, user name, and password and click Login.
3. When you log in, the first screen shows the Getting Started tab. From here you can:
   • Select the + (plus) sign to see the FortiGate-VM you added during deployment.
   • Select Edit virtual machine settings to edit details of the CPUs, interfaces, video cards and other hardware information.

Configuring Virtual Networks

Mapping the virtual network machine to the physical ports depends on your existing virtual environment. When you deploy the FortiGate-VM, one Virtual Network Interface Card (vNIC) is automatically mapped to a port on the ESXi/ESX server. You can change the mapping, or map the other vNICs if required. The following table provides an example of how vNICs may be mapped to the ports on the VMware ESXi server.

For more information on network and port mapping, see the VMware server documentation.

Note: If you want to configure the ports on the ESXi server, do not power on the FortiGate-VM.

Table 5: Network mapping example

| ESX Server-OS Physical Adapter | Network Mapping: ESXi Server - vNetwork VM Port Group | FortiGate-VM Settings Network Adapter | FortiGate-VM OS Port |
|---|---|---|---|
| eth0 | VM Network 1 | Network Adapter 1 | Port 1 |
| eth1 | VM Network 2 | Network Adapter 2 | Port 2 |

Configuring Network Adapters

The virtual ports can be mapped to the virtual network ports on the ESXi server.

To map the network adaptors:

1. Log in to the VMware vSphere Client.
2. Select the FortiGate-VM.
3. In the General tab, select Edit Settings.
4. Click the Network Adaptor to see its details.
5. Select the Network Adaptor and map it to the appropriate VM Network.
6. Select OK.

Configuring the number of CPUs

You may have 2, 4, or 8 CPUs depending on the type of license purchased. You can change the number of CPUs that the virtual machine is using by changing the number of virtual processors.

For more information, see the VMware vSphere documentation.

To change the number of CPUs:

1. In the Virtual Machine Properties window, select the Hardware tab, select CPUs.
2. Select the number of virtual processors for the virtual machine.
3. Select OK.

Powering on FortiGate-VM

Once FortiGate-VM has been deployed, you can power on the virtual machine and log in using the Console. In the Console, the CLI commands available for setup are limited until a valid license is entered through the web-based manager. You can configure the internal interface, system DNS, and the static route.

To power on FortiGate-VM:

1. Open the vSphere Client and enter the IP address, user name, and password and select Login.
2. Select the FortiGate-VM.
3. In the Getting Started tab, select Power on the virtual machine.
4. Select the Console tab.
   It may take a few minutes for the FortiGate-VM software to format.
5. At the FortiGate-VM login prompt, enter admin. There is no password.
6. Configure the FortiGate internal interface. Type:

        config system interface
        edit port1
        set ip
        end

7. Configure the primary and secondary DNS server IP addresses. Type:

        config system dns
        set primary
        set secondary
        end

8. Configure the default gateway. Type:

        config router static
        edit 1
        set device port1
        set gateway
        end
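Steps 6 to 8 with values filled in, as an added example that is not part of the Fortinet guide: the Python below validates the addressing and then renders the three stanzas in the order the guide gives them. The function names are hypothetical, 192.168.1.99 and 255.255.255.0 are the guide's own sample values, and the gateway and DNS addresses are constructed.

```python
import ipaddress


def addressing_problems(ip, netmask, gateway, port="port1"):
    """Return a list of reasons the interface/gateway pair cannot work (empty = fine)."""
    # IPv4Interface accepts "address/dotted-netmask" and raises ValueError
    # for a malformed address or a non-contiguous netmask.
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)

    problems = []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not on the {port} subnet {net}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is the interface's own address")
    return problems


def render_console_setup(ip, netmask, gateway, dns_primary, dns_secondary, port="port1"):
    """Return the interface, DNS and static-route stanzas as console input text."""
    problems = addressing_problems(ip, netmask, gateway, port)
    if problems:
        raise ValueError("; ".join(problems))

    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    # Parsing the DNS and gateway values normalises them and rejects typos.
    primary = ipaddress.IPv4Address(dns_primary)
    secondary = ipaddress.IPv4Address(dns_secondary)
    gw = ipaddress.IPv4Address(gateway)

    return "\n".join([
        "config system interface",
        f"edit {port}",
        f"set ip {iface.ip} {iface.netmask}",   # address and netmask separated by a space
        "end",
        "config system dns",
        f"set primary {primary}",
        f"set secondary {secondary}",
        "end",
        "config router static",
        "edit 1",
        f"set device {port}",
        f"set gateway {gw}",
        "end",
    ])


if __name__ == "__main__":
    # Constructed values: gateway .1 and DNS servers .190/.191 on the same subnet.
    print(render_console_setup("192.168.1.99", "255.255.255.0", "192.168.1.1",
                               "192.168.1.190", "192.168.1.191"))
    # A gateway on another subnet is reported before anything is typed.
    print(addressing_problems("192.168.1.99", "255.255.255.0", "192.168.2.1"))
```

A gateway outside the port1 subnet leaves the VM without a route to FortiGuard, so the license uploaded in the next section cannot be validated and the unit stays locked. The admin account has no password at this stage, so keep port1 on a management-only network until one is set.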

Uploading the License

Once the system interface has been configured in the Console, you can enter the license using the web-based manager.

Configuration through the web-based manager can only be performed after a valid license has been uploaded and verified by FortiGuard services. Once verified, the web-based manager and the CLI are unlocked and fully functional. You must have a valid connection to the internet in order to activate the license.

To upload the license:

1. Open a web browser and type the IP address you configured in the console. For example, https://192.168.1.99.
2. Enter admin in the Name field and select Login.

   Note: To access the web-based manager, enter the IP address using HTTPS. For example, https://192.168.1.99.

3. The Install FortiGate-VM License File tab opens.
4. Select Browse and locate the license file and select OK.
   The system will restart. This will take a few minutes.
   You will get the message, License has already been uploaded, please wait for authentication with registration servers.
5. Select OK.
6. Refresh the web browser to log in.
7. Type admin in the Name field and select Login.
   The FortiGate-VM web-based manager opens. The VM License Registration Status and number of CPUs detected are shown in the FortiGate-VM dashboard.

For more information on how to set up and use the FortiGate-VM features, see the FortiOS Handbook or visit http://docs.fortinet.com/fgt.html for all FortiOS documentation.

CAUTION: You will need to set up firewall policies in FortiGate-VM. There are no firewall policies by default; therefore no traffic will flow until firewall policies are created.
