Fortigate VM Install Guide 40 Mr2

FortiGate-VM
Install and Setup Guide

for FortiOS 4.0 MR2
FortiGate-VM: Install and Setup Guide

v2
10 November 2010
01-420-129664-20101110
for FortiOS 4.0 MR2
Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
IP addresses . . . . . . . . . . .
Example Network configuration .
Cautions, Notes and Tips . . . .
Typographical conventions . . . .
CLI command syntax conventions
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Entering FortiOS configuration data . . . . . . . . . . . . . . . . . . . . . . . . . .

Entering text strings (names).
Entering numeric values . . .
Selecting options from a list .
Enabling or disabling options.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
5
6
8
8
8
10
.
.
.
.
10
11
11
11
Registering your Fortinet product. . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . .
12
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12
Fortinet Tools and Documentation CD . . . . . . . . . . . . . . . . . . . . . . .

Fortinet Knowledge Base. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Comments on Fortinet technical documentation . . . . . . . . . . . . . . . . .
12
12
12
Customer service and technical support . . . . . . . . . . . . . . . . . . . . . . . .
12
FortiGate-VM
15
Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
Installing FortiGate-VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
Downloading FortiGate-VM . . . . . . . . . . . . . . . . . . . . . . . . . .
Deploying the FortiGate-VM software . . . . . . . . . . . . . . . . . . . . . . .
17
17
Logging in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
Configuring Virtual Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18
Configuring Network Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . .
18
Configuring the number of CPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18
Powering on FortiGate-VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
Uploading the License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
FortiGate-VM v2: Install and Setup Guide

01-420-129664-20101110
http://docs.fortinet.com/ Feedback
.
.
.
.
.
.
.
.
.
Contents
Install and Setup Guide for FortiOS 4.0 MR2

01-420-129664-20101110
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
The firewall policies are the key component of FortiOS that allows, or disallows, traffic to
and from your network. It is through the firewall policies you define who, what and when
traffic goes between networks and the Internet.
This guide describes the basics of installing FortiGate-VM on a virual server and steps to
configure the basics.
This chapter contains the following topics:
Document conventions
Registering your Fortinet product
Fortinet products End User License Agreement
Training
Documentation
Customer service and technical support

01-420-129664-20101110
Introduction

01-420-129664-20101110
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
IP addresses are made up of A.B.C.D
A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
B - 168, or the branch / device / virtual device number.
Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
Device or virtual device - allows multiple FortiGate units in this address space
(VDOMs).
Devices can be from x01 to x99.
C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
on the same subnet
001 - 099- physical address ports, and non -virtual interfaces
100-255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
D - usage based addresses, this part is determined by what device is doing
The following gives 16 reserved, 140 users, and 100 servers in the subnet.
001 - 009 - reserved for networking hardware, like routers, gateways, etc.
010 - 099 - DHCP range - users
100 - 109 - FortiGate devices - typically only use 100
110 - 199 - servers in general (see later for details)
200 - 249 - static range - users
250 - 255 - reserved (255 is broadcast, 000 not used)
The D segment servers can be farther broken down into:
110 - 119 - Email servers
120 - 129 - Web servers
130 - 139 - Syslog servers
140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)
150 - 159 - VoIP / SIP servers / managers
160 - 169 - FortiAnalyzers
170 - 179 - FortiManagers
180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
Fortinet products, non-FortiGate, are found from 160 - 189.

01-420-129664-20101110
The following table shows some examples of how to choose an IP number for a device
based on the information given. For internal and dmz, it is assumed in this case there is
only one interface being used.
Table 1: Examples of the IP numbering
Location and device
Internal
Dmz
External
Head Office, one FortiGate
10.011.101.100
10.011.201.100
172.20.120.191
Head Office, second FortiGate
10.012.101.100
10.012.201.100
172.20.120.192
Branch Office, one FortiGate
10.021.101.100
10.021.201.100
172.20.120.193
Office 7, one FortiGate with 9

VDOMs
10.079.101.100
10.079.101.100
172.20.120.194
Office 3, one FortiGate, web

server
n/a
10.031.201.110
n/a
Bob in accounting on the

corporate user network (dhcp)
at Head Office, one FortiGate
10.0.11.101.200
n/a
n/a
Router outside the FortiGate
n/a
n/a
172.20.120.195
Example Network configuration

The network configuration shown in Figure 1 or variations on it is used for many of the
examples in this document. In this example, the 172.20.120.0 network is equivalent to the
Internet. The network consists of a head office and two branch offices.

01-420-129664-20101110
Figure 1: Example network configuration

WLAN: 10.12.101.100
SSID: example.com
Password: supermarine
DHCP range: 10.12.101.200-249
Linux PC
10.11.101.20
T 1.1
IN .1
10
01
.1
FortiWiFi-80CM
01
Windows PC
10.11.101.10
Internal network
10
10
1.
t2
or 2
P 10
1.
.1
od
rm
ff e 4 1
ni .1
(s 20
t 1 .1
or 0
P 2.2
17
10
1
t 2 10
or .
P .11
10
1.
.1
Switch
FortiGate-82C
30
e)
t2
or 0
P .10
1
10
.1
FortiAnalyzer-100B
10
1
P
o
(m rt
irr 8
or
of
14
po
0.
rts
an
17
3)
2
t 1 .1
or 0
P 2.2
t1
or 0
P .11
1
10
1.
.1
t2
or 3
P nd
a
FortiGate-620B
HA cluster
or
t1
FortiMail-100C
Switch
H
ea
d
of
fic
e
t 1 10
or .
P .21
10
1.
10
FortiGate-3810A
17
Linux PC
10.21.101.10
2.
.1
20
al 1.
rn 0
te .1
In .31
10
fic
of
fic
of
nc
ra
nc
ra
1
N
A 2
W .12
20
10
FortiGate-51B
P
10 ort
.2 1
1.
10
1
.1
60
0
Windows PC
10.31.101.10
10
.2
2.
10 Po
1. rt
10 4
0
FortiManager-3000B
Cluster
Port 1: 10.21.101.102
FortiGate-5005FA2
Port 1: 10.21.101.102
FortiGate-5005FA2
Port 1: 10.21.101.103
FortiSwitch-5003A
Port 1: 10.21.101.161
FortiGate-5050-SM
Port 1: 10.21.101.104
Engineering network
10.22.101.0

01-420-129664-20101110
Cautions, Notes and Tips

Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Note: Presents useful information, but usually focused on an alternative, optional method,
such as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation
Convention
Example
Button, menu, text box, From Minimum log level, select Notification.
field, or check box label
CLI input
config system dns

set primary <address_ipv4>
end
CLI output
FGT-602803030703 # get system settings

comments
: (null)
opmode
: nat
Emphasis
HTTP connections are not secure and can be intercepted by a third

party.
File content
<HTML><HEAD><TITLE>Firewall
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
Hyperlink
Visit the Fortinet Technical Support web site,

https://support.fortinet.com.
Keyboard entry
Type a name for the remote VPN peer or client, such as

Central_Office_1.
Navigation
Go to VPN > IPSEC > Auto Key (IKE).
Publication
For details, see the FortiOS Handbook.
CLI command syntax conventions

This guide uses the following conventions to describe the syntax to use when entering
commands in the Command Line Interface (CLI).
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.

01-420-129664-20101110
Table 3: Command syntax notation

Convention
Description
Square brackets [ ]
A non-required word or series of words. For example:

[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and
its accompanying option, such as:
verbose 3
Angle brackets < >
A word constrained by data type.

To define acceptable input, the angled brackets contain a descriptive
name followed by an underscore ( _ ) and suffix that indicates the
valid data type. For example:
<retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
<xxx_name>: A name referring to another part of the
configuration, such as policy_A.
<xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
<xxx_pattern>: A regular expression or word with wild cards
that matches possible variations, such as *@example.com to
match all email addresses ending in @example.com.
<xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
<xxx_email>: An email address, such as
admin@mail.example.com.
<xxx_url>: A uniform resource locator (URL) and its associated
protocol and host name prefix, which together form a uniform
resource identifier (URI), such as
http://www.fortinet./com/.
<xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
<xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
<xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as
192.168.1.99 255.255.255.0.
<xxx_ipv4/mask>: A dotted decimal IPv4 address and
CIDR-notation netmask separated by a slash, such as such as
192.168.1.99/24.
<xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address,
such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
<xxx_v6mask>: An IPv6 netmask, such as /96.
<xxx_ipv6mask>: An IPv6 address and netmask separated by a
space.
<xxx_str>: A string of characters that is not another data type,
such as P@ssw0rd. Strings containing spaces or special
characters must be surrounded in quotes or use escape
sequences.
<xxx_int>: An integer number that is not another data type,
such as 15 for the number of minutes.

01-420-129664-20101110
Entering FortiOS configuration data
Table 3: Command syntax notation (Continued)

Convention
Description
Curly braces { }
A word or series of words that is constrained to a set of options

delimited by either vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].
Options
delimited by
vertical bars |
Mutually exclusive options. For example:

{enable | disable}
indicates that you must enter either enable or disable, but must
not enter both.
Options
delimited by
spaces
Non-mutually exclusive options. For example:

{http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any
order, in a space-delimited list, such as:
ping https ssh
Note: To change the options, you must re-type the entire list. For
example, to add snmp to the previous example, you would type:
ping https snmp ssh
If the option adds to or subtracts from the existing list of options,
instead of replacing it, or if the list is comma-delimited, the exception
will be noted.
Entering FortiOS configuration data

The configuration of a FortiGate unit is stored as a series of configuration settings in the
FortiOS configuration database. To change the configuration you can use the web-based
manager or CLI to add, delete or change configuration settings. These configuration
changes are stored in the configuration database as they are made.
Individual settings in the configuration database can be text strings, numeric values,
selections from a list of allowed options, or on/off (enable/disable).
Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a
firewall address, administrative user, and so on. You can enter any character in a
FortiGate configuration text string except, to prevent Cross-Site Scripting (XSS)
vulnerabilities, text strings in FortiGate configuration names cannot include the following
characters:
" (double quote), & (ampersand), ' (single quote), < (less than) and < (greater than)
You can determine the limit to the number of characters that are allowed in a text string by
determining how many characters the web-based manager or CLI allows for a given name
field. From the CLI, you can also use the tree command to view the number of
characters that are allowed. For example, firewall address names can contain up to 64
characters. When you add a firewall address to the web-based manager you are limited to
entering 64 characters in the firewall address name field. From the CLI you can do the
following to confirm that the firewall address name field allows 64 characters.
10

01-420-129664-20101110
config firewall address

tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)
Note that the tree command output also shows the number of characters allowed for other
firewall address name settings. For example, the fully-qualified domain name (fqdn) field
can contain up to 256 characters.
Entering numeric values

Numeric values are used to configure various sizes, rates, numeric addresses, or other
numeric values. For example, a static routing priority of 10, a port number of 8080, or an
IP address of 10.10.10.1. Numeric values can be entered as a series of digits without
spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the
IP address 10.10.10.1) or as in the case of MAC or IPv6 addresses separated by colons
(for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard
base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal
numbers.
Most web-based manager numeric value configuration fields limit the number of numeric
digits that you can add or contain extra information to make it easier to add the acceptable
number of digits and to add numbers in the allowed range. CLI help includes information
about allowed numeric value ranges. Both the web-based manager and the CLI prevent
you from entering invalid numbers.
Selecting options from a list

If a configuration field can only contain one of a number of selected options, the
web-based manager and CLI present you a list of acceptable options and you can select
one from the list. No other input is allowed. From the CLI you must spell the selection
name correctly.
Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled) the web-based manager
presents a check box or other control that can only be enabled or disabled. From the CLI
you can set the option to enable or disable.

Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.
01-420-129664-20101110
11

See the Fortinet products End User License Agreement.
Training
Fortinet Training Services provides courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Fortinet Tools and Documentation CD

Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and
more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.

Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article FortiGate
Troubleshooting Guide - Technical Support Requirements.
12

01-420-129664-20101110
13

01-420-129664-20101110
14

01-420-129664-20101110
FortiGate-VM
FortiGate-VM works in conjunction with VMware vSphere to leverage the power of
virtualization to protect your business against network, content, and application-level
threats, without degrading network availability and uptime.
FortiGate-VM runs on the VMware ESX/ESXi server and is managed using the Web
Config GUI running on the management computer.
Figure 2: FortiGate-VM architecture.
iG
ua
rvi
ce
re
ES
erv
er
-VM
ate
rtiG
Fo
Vir
tua
l sw
i tc
h
VL
M
2
AN
t
pu
om
t C IC
en al N
em sic
ag hy
an P
VL
AN
rt
Fo
e
dS
a
Mw
S
Xi
AN
er
VL
FortiGate-VM Install and Setup Guide

01-420-129664-20101110
15
Installing
FortiGate-VM
Installing
Before using FortiGate-VM, you need to install the VMware vSphere Hypervisor
(ESX/ESXi) server to host the FortiGate-VM device. The installation instructions for
FortiGate-VM assume you are familiar with VMware ESXi server and terminology.
VMware vSphere Hypervisor (ESX/ESXi) software must be installed prior to installing
FortiGate-VM.
Table 4: FortiGate-VM requirements.
Requirement
Value
VMware vSphere Hypervisor
VMware ESXi/ESX 3.5/4.0/4.1
Memory
A minimum 512 MB of RAM, maximum of 3GB
CPU
2 virtual CPUs, maximum of 8 virtual CPUs
10/100/1000 Interfaces
A minimum of 2 virtual NICS, a maximum of 10 virtual NICs
10 GB E Interface
Supported
Storage
A minimum of 30GB
Valid internet connection to

connect to FortiGuard Services
DNS lookup; RBL lookup UDP 53

FortiGuard Licensing TCP/443
Other useful FortiGuard ports
FortiGuard Antispam or Web Filtering rating lookup

UDP 53 or UDP 8888
FDN server list UDP 53 (default) or UDP 8888, and
UDP 1027 or UDP 1031
Configuration backup to FortiManager unit or FortiGuard
Analysis and Management Service TCP 22
SMTP alert email; encrypted virus sample auto-submit
TCP 25
LDAP or PKI authentication TCP 389 or TCP 636
FortiGuard Antivirus or IPS update TCP 443
FortiGuard Analysis and Management Service TCP 443
FortiGuard Analysis and Management Service log
transmission (OFTP) TCP 514
SSL management tunnel to FortiGuard Analysis and
Management Service (FortiOS v3.0 MR6 or later) TCP
541
FortiGuard Analysis and Management Service contract
validation TCP 10151
Caution: VMware Player, VMware Fusion and VMware Workstation maybe used for
evaluation purposes, however they are not supported by Fortinet.
Licensing
When you placed an order for FortiGate-VM, a registration number is sent to the email
address used on the order form. Use the registration number provided when you
purchased FortiGate-VM to register at www.support.fortinet.com to obtain a license file.
You will need this file to activate FortiGate-VM.
For a new installations, the CLI and web-based manager are locked until you load the
license file. Once loaded and validated by FortiGuard services, the CLI and web-based
manager are unlocked and fully functional.
If FortiGuard discovers that the license has expired, pirated, or cloned, FortiGuard returns
an invalid status back to the FortiGate-VM and the device remains in locked state.
16

01-420-129664-20101110
FortiGate-VM
Installing FortiGate-VM
Installing FortiGate-VM
Ensure the following prerequisites are met before installing FortiGate-VM:
The VMware vSphere Hypervisor software must be installed on a server prior to

installing the FortiGate-VM.
The VMware vSphere Client is installed on the Management Computer.
A valid internet connection is available for FortiGate-VM to contact FortiGuard to

validate the FortiGate-VM license.
Downloading FortiGate-VM
When you purchase FortiGate-VM, you will be provided a link to download the VM
software. From the link provided by Fortinet, save the FGT_VM-v400-buildxxxxFORTINET.out.ovf.zip file to the management computer and extract the files to a folder.
The files in the folder include:
1 Extract the zipped files to a folder. The following table describes the files in the folder:
Filename
Description
datadrive.vmdk
Virtual disk.
FortiGate-VM.hw04.ovf
This is an using hardware version 4 and is deployed for VMware

ESX/ESXi 3.5.
FortiGate-VM.ovf
This is a using hardware version 7.0 and is deployed for

ESX/ESXi3.5/4.0/4.1.
fgt.vmdk
Virtual disk.
Deploying the FortiGate-VM software

To install the Fortigate-VM.ovf file, it needs to be deployed using the VMware vSphere
Client.
To deploy the software:
1 Open the vSphere Client on the management computer.
2 Login to the VMware vSphere Client and log into the ESXi server.
3 Go to File > Deploy OVF Template.
4 Select Browse and locate the Fortigate-VM.ovf file.
5 Complete the installation following the instructions provided by VMWare installation.
Logging in
After installing the FortiGate-VM, log in and configure the FortiGate-VM.
To log in to the FortiGate-VM:
1 Open the vSphere client.
2 Enter the IP address, user name, and password and click Login.
3 When you login, the first screen shows the Getting Started tab. From here you can:
Select the + (plus) sign to see the FortiGate-VM you added during deployment.
Select Edit virtual machine settings to edit details of the CPUs, interfaces, video
cards and other hardware information.

01-420-129664-20101110
17
Configuring Virtual Networks
FortiGate-VM
Note: If you want to configure the ports on the ESXi server, Do not power on the
FortiGate-VM.
Configuring Virtual Networks

Mapping the virtual network machine to the physical ports depends on your existing virtual
environment. When you deploy the FortiGate-VM, one Virtual Network Interface Card
(vNIC) is automatically mapped to a port on the ESXi/ESX server. You can change the
mapping, or map the other vNICs if required. The following tables provides an example of
how vNICs may be mapped to the ports on the VMware ESXi server.
For more information on network and port mapping, see the VMWare server
documentation.
Table 5: Network mapping example
ESX Server-OS
Physical Adapter
Network Mapping: ESXi FortiGate-VM

Server - vNetwork VM
Settings Network
Port Group
Adapter
FortiGate-VM OS Port
eth0
VM Network 1
Network Adapter 1
Port 1
eth1
VM Network 2
Network Adapter 2
Port 2
Configuring Network Adapters

The virtual ports can be mapped to the virtual network ports on the ESXi server.
To map the network adaptors:
1 Login to the VMware vSphere Client.
2 Select the FortiGate-VM.
3 In the General tab, select Edit Settings.
4 Click the Network Adaptor to see its details.
5 Select the Network Adaptor and map it to the appropriate VM Network.
6 Select OK.
Configuring the number of CPUs

You may have 2, 4, or 8 CPUs depending on the type of license purchased. You can
change the number of CPUs that the virtual machine is using by changing the number of
virtual processors.
For more information, see the VMware vSphere documentation.
To change the number of CPUs:
1 In the Virtual Machine Properties window, select the Hardware tab, select CPUs.
2 Select the number of virtual processors for the virtual machine.
3 Select OK.
18

01-420-129664-20101110
FortiGate-VM
Powering on FortiGate-VM
Powering on FortiGate-VM
Once FortiGate-VM has been deployed, you can power on the virtual machine and log in
using the Console. In the Console, you are limited to depth of CLI commands available for
set up until a valid license is entered through the Web-based manager. You can configure
the internal interface, system DNS, and the static router.
To power on FortiGate-VM:
1 Open the vSphere Client and enter the IP address, user name, and password and
select Login.
2 Select the FortiGate-VM.
3 In the Getting Started tab, select Power on the virtual machine.
4 Select the Console tab.
It may take a few minutes for the FortiGate-VM software to format.
5 At the FortiGate-VM login prompt, enter admin. There is no password.
6 Configure the FortiGate internal interface. Type:
config system interface
edit port1
set ip <intf_ip><netmask_ip>
end
7 Configure the primary and secondary DNS server IP addresses. Type:
config system dns
set primary <dns-server_ip>
set secondary <dns-server_ip>
end
8 Configure the default gateway. Type:
config router static
edit 1
set device port1
set gateway <gateway_ip>
end
Note: To access the web-based manager enter the IP address using HTTPS. For example,
https://192.168.1.99.
Uploading the License

Once the system interface has been configured in the Console, you can enter the license
using the web-based manager.
Configuration through the web-based manager can only be performed after a valid license
has been uploaded and verified by FortiGuard services. Once verified, the web-based
manager and the CLI are unlocked and fully functional. You must have a valid connection
to the internet in order to activate the license.
To upload the license
1 Open a web browser and type the IP address you configured in the console. For
example, https://192.168.1.99.
2 Enter admin in the Name field and select Login.
01-420-129664-20101110
19
Uploading the License
FortiGate-VM
3 The Install FortiGate-VM License File tab opens.

4 Select Browse and locate the license file and select OK.
The system will restart. This will take a few minutes.
You will get the message, License has already been uploaded, please wait for
authentication with registration servers.
5 Select OK.
6 Refresh the web browser to login.
7 Type admin in the Name field and select Login.
The FortiGate-VM web-based manager opens. The VM License Registration Status
and number of CPUs detected are shown in the FortiGate-VM dashboard.
CAUTION: You will need to set up firewall policies in FortiGate-VM. There are no firewall
policies by default; therefore no traffic will flow until firewall policies are created.
For more information on how to set up and use the FortiGate-VM features, see the
FortiOS Handbook or visit http://docs.fortinet.com/fgt.html for all FortiOS documentation.
20

01-420-129664-20101110

Fortigate VM Install Guide 40 Mr2

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Fortigate VM Install Guide 40 Mr2

Diunggah oleh

Hak Cipta:

Format Tersedia

FortiGate-VM

Install and Setup Guide

FortiGate-VM: Install and Setup Guide

Entering FortiOS configuration data . . . . . . . . . . . . . . . . . . . . . . . . . .

Registering your Fortinet product. . . . . . . . . . . . . . . . . . . . . . . . . . . .

Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . .

Fortinet Tools and Documentation CD . . . . . . . . . . . . . . . . . . . . . . .

Customer service and technical support . . . . . . . . . . . . . . . . . . . . . . . .

Configuring Virtual Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Configuring Network Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . .

Configuring the number of CPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Uploading the License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

FortiGate-VM v2: Install and Setup Guide

Install and Setup Guide for FortiOS 4.0 MR2

Registering your Fortinet product

Fortinet products End User License Agreement

Customer service and technical support

FortiGate-VM v2: Install and Setup Guide

Install and Setup Guide for FortiOS 4.0 MR2

IP addresses are made up of A.B.C.D

B - 168, or the branch / device / virtual device number.

Devices can be from x01 to x99.

001 - 099- physical address ports, and non -virtual interfaces

100-255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.

D - usage based addresses, this part is determined by what device is doing

010 - 099 - DHCP range - users

100 - 109 - FortiGate devices - typically only use 100

110 - 199 - servers in general (see later for details)

200 - 249 - static range - users

250 - 255 - reserved (255 is broadcast, 000 not used)

The D segment servers can be farther broken down into:

110 - 119 - Email servers

120 - 129 - Web servers

130 - 139 - Syslog servers

140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)

150 - 159 - VoIP / SIP servers / managers

160 - 169 - FortiAnalyzers

170 - 179 - FortiManagers

180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)

Fortinet products, non-FortiGate, are found from 160 - 189.

FortiGate-VM v2: Install and Setup Guide

Head Office, one FortiGate

Head Office, second FortiGate

Branch Office, one FortiGate

Office 7, one FortiGate with 9

Office 3, one FortiGate, web

Bob in accounting on the

Router outside the FortiGate

Example Network configuration

Install and Setup Guide for FortiOS 4.0 MR2

Figure 1: Example network configuration

FortiGate-VM v2: Install and Setup Guide

Cautions, Notes and Tips

config system dns

FGT-602803030703 # get system settings

HTTP connections are not secure and can be intercepted by a third

Visit the Fortinet Technical Support web site,

Type a name for the remote VPN peer or client, such as

Go to VPN > IPSEC > Auto Key (IKE).

For details, see the FortiOS Handbook.

CLI command syntax conventions

Install and Setup Guide for FortiOS 4.0 MR2

Table 3: Command syntax notation