The FortiGate Next-Generation Firewall for Microsoft Azure is deployed as a virtual appliance in Microsoft’s Azure cloud (IaaS). This recipe shows you how to install and configure a single instance FortiGate-VM virtual appliance in Microsoft Azure to provide a full NGFW/UTM security solution in front of Microsoft Azure IaaS resources.
This recipe covers the deployment of simple web servers, but this type of deployment can be used for any type of public resource protection, with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.
In this recipe, two subnets are created: Subnet1, which is used to connect the FortiGate-VM to the Microsoft Azure Virtual Gateway, and Subnet2, which is used to connect the FortiGate-VM and the web server.
1. Registering and downloading your license |
|
|
FortiGate-VM for Microsoft Azure supports both bring-your-own-license (BYOL) and on-demand (PAYG) licensing models. If you’re deploying a FortiGate-VM in the Microsoft Azure marketplace with BYOL, you must obtain a license to activate it. Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license. After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. |
|
| Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. | |
|
Go to Asset > Register/Renew to start the registration process. In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information. |
 |
|
At the end of the registration process, download the license (.lic) file for your FortiGate-VM. After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiGate-VM (in step 5), if you get an error that the license is invalid, wait 30 minutes and try again. |
|
2. Creating a Microsoft Azure VNet |
|
|
This section shows you how to create a Microsoft Azure VNet and create two subnets in it. For many of the steps, you will have a choice to make that can be specific to your own environment. |
|
|
Log in to the Microsoft Azure Portal and select + New. |
 |
|
Search for and select Virtual network from the search results. |
|
|
Under Select a deployment model, ensure that Resource Manager is selected. Select Create. |
 |
|
Set a Name for your VNet. Select an Address space for your VNet. This is the range of IP addresses available within your VNet. It’s possible to extend this later. Set Subnet name to Subnet1. Set the Subnet address range. This must be a subset of your VNet address range and you must leave room for a second subnet. Choose a Subscription. Either create a new Resource group or select an existing one. Set a Location. This is the region of the world where your VNet will reside. In the next steps, when we deploy virtual machines, they must exist within the same location. Select Create. |
 |
| Wait for the virtual network to be deployed. You will receive a “Deployment Succeeded” message. | |
|
Browse to your new virtual network and select it. There are a number of ways to do this. The simplest is to select Virtual networks on the left bar. If you don’t see text there, select the three horizontal lines near the top left of the Microsoft Azure portal to expand the left tool bar. |
 |
|
Under SETTINGS, select Subnets. Select + Subnet. Set Subnet name to Subnet2. Select an address space for the subnet from the available range or ranges in your VNet. Leave Network security group and Route table set to None. Select OK. |
|
3. Installing the FortiGate-VM in the VNet |
|
| This section shows how to install a FortiGate NGFW in the VNet that was created in the previous section. | |
|
In the Microsoft Azure Dashboard, select + New and search for FortiGate. Select the option FortiGate NGFW Single VM and select Create. |
 |
|
In the Basics section, set a FortiGate-VM Name. Select the PAYG/BYOL License option that corresponds to the license type that you purchased. Set a FortiGate administrative username. This name can’t be admin or root. An account named admin will also be created that has a randomly generated password. After the installation, you should change the password of the admin account. Choose a FortiGate Password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password. Select the appropriate Subscription from the drop-down list. You may have only one option here. Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set. Set the same Location as you did when you created the VNet in the previous section. Select OK. |
 |
|
In the Network Settings and Instance section, select Virtual network, then select the VNet that you created in the previous step. |
|
|
Select Configure subnets. Set Outside Subnet to Subnet1. This will be the subnet on which the WAN port resides. Set Internal Subnet to Subnet2. This will be the subnet on which the protected port resides. Select OK. |
 |
|
Select the Virtual machine size of the FortiGate from the Recommended choices, or select View all to get additional options. Select OK. |
 |
|
In the FortiGate IP Address Assignments section, set a resource name for the new public IP address. Choose between a Dynamic or Static public IP. A static IP may have associated costs, while a dynamic public IP may be replaced if your FortiGate reboots. Select OK. |
 |
|
Wait for Validation to pass, then select OK. |
 |
|
Select Purchase to buy the FortiGate-VM instance from Microsoft Azure. Once the FortiGate-VM is deployed, you will see a “Deployment succeeded” message. |
 |
4. Associating the route tables with the subnetsYou must associate both Subnet1 and Subnet2 to their corresponding Route tables (in this example, FortiGate-Subnet1-routes and FortiGate-Subnet2-routes). |
|
| In the Microsoft Azure Dashboard, select Resource groups. Select the resource group that you created when you created the FortiGate-VM in step 3 (in this example, FortiGateRG1). | |
| In the Overview screen, you will see two Route tables listed. Select the route table for internal routes (in this example, FortiGate-Subnet2-routes). |  |
|
You must associate the route table to a subnet. Under Settings, select Subnets. Select + Associate. |
|
| In the Associate subnet section, select Virtual network, then select the VNet that you created when you created the FortiGate-VM in step 2 (in this example, FortiGateProtectedVNet1). |  |
|
Select your second subnet (in this example, Subnet2). Select OK. Wait about 30 seconds for the route table to be associated with the subnet. |
 |
| Repeat the steps in this section to associate Subnet1 with its corresponding Route table (in this example, FortiGate-Subnet1-routes). | |
5. Connecting to the FortiGate-VM |
|
|
To connect to the FortiGate-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and then select the FortiGate-VM you created. Under Essentials, you will see the FortiGate-VM’s public IP address in the Public IP address field. |
 |
|
Connect to the FortiGate using your browser and the FortiGate-VM’s IP address. You will see a certificate error message from your browser, which is normal because the default FortiGate certificate is self-signed and isn’t recognized by browsers. Proceed past this error. At a later time, you can upload a publicly-signed certificate to avoid this error. Log in to the FortiGate-VM with the FortiGate Administrative Username and FortiGate Password that you configured above. |
 |
|
If you’re using a BYOL license, upload your license (.lic) file to activate the FortiGate-VM. Restart the FortiGate-VM and log in again. After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes. Select Return. |
|
| You will now see the FortiGate-VM dashboard. |  |
The post Deploying FortiGate-VM virtual appliance in Microsoft Azure appeared first on Fortinet Cookbook.