
Deployment Guide of the FortiWeb-VM Virtual Appliance on MCP Cloud

Table of Contents


Overview of the Fortinet FortiWeb Virtual Appliance Deployment on MCP Cloud 1
Introduction 1
Document scope 2
FortiWeb-VM Virtual Appliance on MCP 2.0 Overview 2
FortiWeb-VM Virtual Appliance Overview 3
FortiWeb-VM Models and Licensing 3
FortiWeb-VM Virtual Appliance Evaluation License 3
FortiWeb-VM Initial Configuration 5
Set the FortiWeb-VM port1 IP Address 6
Connect to the FortiWeb-VM Web-based Manager 8
Upload the FortiWeb-VM License File 10
Integration with FortiSandbox (Optional) 14
Integration with FortiGate (Optional) 16
Configure your FortiWeb-VM 16

Overview of the Fortinet FortiWeb Virtual Appliance Deployment on MCP Cloud

Introduction

FortiWeb is designed specifically to protect web servers. FortiWeb web application firewalls (WAF) provide
specialized application-layer threat detection and protection for many HTTP or HTTPS services. FortiWeb’s
integrated web vulnerability scanner can drastically reduce the challenges associated with protecting regulated and
confidential data by detecting your exposure to the latest threats, especially the OWASP Top 10.

In addition, FortiWeb’s XML firewall and denial-of-service (DoS) attack prevention protect your Internet-facing
web-based applications from attack and data theft. Using advanced techniques to provide bidirectional protection
against sophisticated threats like SQL injection and cross-site scripting (XSS), FortiWeb helps you prevent identity
theft, financial fraud, and corporate espionage. FortiWeb delivers the technology you need to monitor and enforce
government regulations, industry best practices, and internal security policies, including the firewalling and
patching requirements of PCI DSS.

Document scope

This document outlines and describes how to deploy the FortiWeb-VM virtual appliance on several virtualization
server environments of the Managed Cloud Platform. This includes how to configure the virtual hardware
settings of the virtual appliance.
This document does not cover configuration and operational aspects of the FortiWeb-VM virtual appliance after it
has been successfully installed and is running. For those topics, see the FortiWeb 5.6 Administration Guide in the
Fortinet Document Library.
This document includes the following sections:
• Fortinet on Managed Compute Platform (MCP)
• FortiWeb-VM Virtual Appliance Overview
• FortiWeb-VM Virtual Appliance Initial Configuration

FortiWeb-VM Virtual Appliance on MCP 2.0 Overview

By using the Managed Compute Platform (MCP 2.0) together with the Fortinet FortiWeb Web Application Firewall
Virtual Appliance, we are able to offer customers a fully managed, secure foundation on which to establish and grow
their cloud platform. Below is an example of using the FortiWeb virtual appliance to secure a customer’s cloud
environment.

FortiWeb-VM Virtual Appliance Overview

The following topics are included in this section:
• FortiWeb-VM models and licensing
• Registering FortiWeb-VM with Customer Service & Support
• Deploying the FortiWeb-VM

FortiWeb-VM Models and Licensing

Table 1 shows the resources available with each license.

Table 1: FortiWeb-VM resource limitations

License/model            VM01    VM02    VM04    VM08
Virtual CPUs (vCPUs)     1       2       4       8

Maximum IP sessions and policies vary by license, but also by available vRAM, just as they do for hardware
models. For details, see the maximum configuration values in the FortiWeb Administration Guide.
When you place an order for FortiWeb-VM, Fortinet emails a registration number to the recipient address you
supplied on the order form. To register your appliance with Technical Support and to obtain a license file, enter that
registration number on the Fortinet Technical Support web site at the following location:

https://support.fortinet.com/

The license file is required to permanently activate FortiWeb-VM.

FortiWeb-VM needs to periodically re-validate its license by contacting either Fortinet’s FortiGuard Distribution
Network (FDN) via an Internet connection or a FortiManager.

If FortiWeb-VM cannot contact FDN or FortiManager for 24 hours, it locks access to the web UI and CLI. In some
cases, the web UI displays a message such as:
License has been uploaded. Please wait for authentication with registration servers.


FortiWeb-VM Virtual Appliance Evaluation License

The FortiWeb-VM includes a 15-day trial (VM00). The trial version provides all FortiWeb-VM functions except
antispam and antivirus signature updates and the FortiGuard Antispam query. Because the trial version only
provides low encryption, you may not be able to access the FortiWeb-VM web UI through HTTPS, unless you have
enabled a weak cipher in your browser. The trial period begins the first time you start the FortiWeb-VM. If you do not
install a valid license after the trial period expires, you will not be able to make configuration changes to the
FortiWeb-VM.

Requirements for FortiWeb-VM on Dimension Data Cloud

To provision the FortiWeb appliance on MCP, you must have at least 2 Networks (VLANs) created prior to
deployment. As a best practice, 2 networks allow the segregation of Management and Data traffic. Consider
applying firewall rules to control the access and routing between the 2 networks as part of your overall architecture.

Assign each NIC to one Network as shown in the diagram below.

After deployment of the appliance, configure the appliance NICs in the same order as the NIC listing on MCP:
the 1st NIC on MCP is the 1st NIC on the appliance.

For more information on deploying and configuring Networks (VLANs), refer to the following Cloud Control
articles:

• How to Deploy a VLAN on a Network Domain in an MCP 2.0 Data Center
• How to View, Edit, or Delete a VLAN in a MCP 2.0 Data Center location


FortiWeb-VM Initial Configuration


The installation instructions for FortiWeb-VM assume that:
• An Internet connection is available for the FortiWeb-VM to contact FortiGuard to validate its license.
The FortiGuard™ Subscription Services provide comprehensive Unified Threat Management (UTM) security
solutions to organizations, including Antivirus, Intrusion Prevention, Web Filtering and Antispam capabilities, to
enable protection against content-level and network-level threats.

For assistance in deploying the FortiWeb-VM, refer to the deployment chapter in this guide that
corresponds to your environment. You might also need to refer to the documentation provided with your
virtualization server platform. The deployment chapters are presented as examples, because for any particular
virtualization server platform there are multiple ways to create a virtual machine: there are also command-line
tools, APIs, and even alternative graphical user interface tools.
Before you start your FortiWeb-VM for the first time, you may need to adjust the virtual disk sizes and networking
settings. The first time you start the FortiWeb-VM, you will have access only through the console window of your
virtualization server environment. After you configure the FortiWeb-VM virtual appliance network interface with an
IP address and administrative access, you can access the FortiWeb-VM virtual appliance Web-based Manager.
Before you can connect to the FortiWeb-VM Web-based Manager, you must complete the FortiWeb-VM basic
configuration via the CLI console. Once configured, you can connect to the FortiWeb-VM Web-based Manager and
upload the FortiWeb-VM license file that you downloaded from the Customer Service & Support portal.

Set the FortiWeb-VM port1 IP Address

Hypervisor management environments include a guest console window. On the FortiWeb VM, this provides access
to the FortiWeb console, equivalent to the console port on a hardware FortiWeb unit. Before you can access the
Web-based manager, you must configure the FortiWeb-VM port1 with an IP address and administrative access.

To access the console:

1. Start the FortiWeb-VM. Under Servers, click the settings button of the server (for example FortiWeb1) and
select Console.



To configure the port1 IP address:

2. In your Console Manager, press Return to see a login prompt.

3. At the FortiWeb-VM login prompt, enter the username admin. By default, there is no password, so just
press Return.

NOTE: Be sure to set a strong password for the admin administrator account, and change the password
regularly. Failure to maintain the password of the admin administrator account could compromise the
security of your FortiWeb VM. As such, it can constitute a violation of PCI DSS compliance and thus is
not considered a best practice. For improved security, the password should be at least eight characters
long, be sufficiently complex, and be changed regularly. To check the strength of your password, you
can use a utility such as Microsoft’s password strength meter.

4. Using CLI commands, configure the port1 IP address and netmask. HTTP access must also be enabled,
because until it is licensed the FortiWeb-VM supports only low-strength encryption, so HTTPS access will not
work.
For example:

config system interface
    edit port1
        set ip 192.168.0.100 255.255.255.0
        append allowaccess http
    end

To configure the default gateway, enter the following CLI commands:

config router static
    edit 1
        set device port1
        set gateway <class_ip>
    end

You must configure the default gateway with an IPv4 address. FortiWeb-VM needs to access the
Internet to contact the FortiGuard Distribution Network (FDN) to validate its license.

5. Use CLI commands to configure a static route to act as the default gateway. This is needed for license updates.
Enter the following CLI commands in the MCP console:

config router static
    edit 1
        set device port1
        set gateway <gateway_ipv4>
    end

where <gateway_ipv4> is the IP address of the gateway router.

6. Configure the primary and secondary DNS server IP addresses. Type:

config system dns
    set primary <dns_ip>
    set secondary <dns_ip>
end

where <dns_ip> is the IPv4 or IPv6 address of a DNS server.

7. Configure a static route with the default gateway. Type:

config router static
    edit 0
        set gateway <router_ip>
        set device port1
    end

where <router_ip> is the IP address of the gateway router.
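The CLI in steps 4 to 7 is easy to get subtly wrong on a fresh appliance: a gateway outside the port1 subnet, or an IPv6 gateway, leaves the FortiWeb-VM unable to reach FDN and the web UI locks after 24 hours. The following Python script is an added example, not part of this guide and not Fortinet tooling. It sanity-checks the planned port1 address, netmask, gateway and DNS servers and then emits the same command blocks shown above (with HTTP, not HTTPS, opened, as step 4 requires). The function names, the rule that the gateway must sit inside the port1 subnet, and the sample addresses are assumptions constructed for the example.

```python
"""Validate and generate the FortiWeb-VM port1 bootstrap CLI (added example).

The emitted command blocks follow steps 4, 6 and 7 of the guide; the
validation rules beyond "the default gateway must be IPv4" are assumptions.
"""
import ipaddress


def check_port1_plan(ip, netmask, gateway, dns_servers):
    """Return a list of problems with the planned port1 settings (empty list = OK)."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"port1 address/netmask invalid: {exc}"]
    if iface.version != 4:
        return ["port1 address must be IPv4 for this procedure"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        problems.append(f"gateway invalid: {exc}")
    else:
        # The guide requires an IPv4 default gateway so FortiWeb can reach FDN.
        if gw.version != 4:
            problems.append("default gateway must be an IPv4 address")
        elif gw not in net:  # assumption: gateway must be directly reachable on port1
            problems.append(f"gateway {gw} is outside the port1 subnet {net}")
        elif gw == iface.ip:
            problems.append("gateway must not equal the port1 address")

    if not dns_servers:
        problems.append("at least one DNS server is required")
    for dns in dns_servers:
        try:
            ipaddress.ip_address(dns)  # IPv4 or IPv6 is accepted, as the guide says
        except ValueError:
            problems.append(f"DNS server {dns!r} is not a valid IP address")
    return problems


def build_port1_bootstrap(ip, netmask, gateway, dns_servers, route_id=1):
    """Emit the CLI for steps 4, 6 and 7; raise ValueError if the plan is inconsistent."""
    problems = check_port1_plan(ip, netmask, gateway, dns_servers)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    lines = [
        "config system interface",
        "    edit port1",
        f"        set ip {iface.ip} {iface.netmask}",
        # Only HTTP is opened: the unlicensed appliance cannot serve strong TLS.
        "        append allowaccess http",
        "    end",
        "config system dns",
        f"    set primary {dns_servers[0]}",
    ]
    if len(dns_servers) > 1:
        lines.append(f"    set secondary {dns_servers[1]}")
    lines += [
        "end",
        "config router static",
        f"    edit {route_id}",
        "        set device port1",
        f"        set gateway {gateway}",
        "    end",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values for a management VLAN; not taken from the guide.
    print(build_port1_bootstrap("192.168.0.100", "255.255.255.0", "192.168.0.1",
                                ["192.168.0.53", "192.168.0.54"]))
```

Run the script and paste its output into the console; if `check_port1_plan` reports anything, fix the plan first rather than the appliance, since a wrong gateway is only noticed when license validation fails.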

Connect to the FortiWeb-VM Web-based Manager

You should now be able to connect via the network from your management computer to port1 of FortiWeb-VM
using:
• a web browser for the web UI (e.g. if port1 has the IP address 192.168.1.1, go to https://192.168.1.1/)
• an SSH client for the CLI (e.g. if port1 has the IP address 192.168.1.1, connect to 192.168.1.1 on port 22)

At the FortiWeb-VM login prompt, enter the username admin. By default, there is no password, so just
press Return.


To change the admin password, log in as the admin administrator account.
Alternatively, if you know the current password for the account whose password you want to change, you may
log in with any administrator account whose access profile permits Read and Write access to items in the
Admin Users category.

Go to System > Admin > Administrators.
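The NOTE in the console procedure asks for an admin password that is at least eight characters long, sufficiently complex, and changed regularly, but leaves "complex" and "regularly" undefined. The following Python snippet is an added example, not part of this guide and not a Fortinet utility: it turns that policy into a check you can run on a candidate password before setting it under System > Admin > Administrators. The concrete complexity rule (at least three of four character classes), the small common-password list, the rejection of passwords containing the account or product name, and the 90-day rotation interval are assumptions made for the example.

```python
"""Check an admin password against the policy in the NOTE above (added example).

The NOTE asks for at least eight characters, sufficient complexity and regular
changes; the 3-of-4 character-class rule, the blocklist and the 90-day
rotation interval are assumptions made for this example.
"""
import string
from datetime import date, timedelta

# Constructed: a tiny sample of passwords too common to accept; not a Fortinet list.
COMMON_PASSWORDS = {"password", "password1", "admin", "fortiweb", "12345678", "qwerty123"}


def password_problems(password, min_length=8):
    """Return the policy violations for a candidate admin password (empty list = OK)."""
    problems = []
    if password == "":
        # The factory default: the admin account ships with no password at all.
        return ["empty password (the factory default for admin)"]
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:  # assumption: at least three of the four classes
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    if "admin" in lowered or "fortiweb" in lowered:
        problems.append("contains the account or product name")
    return problems


def is_acceptable(password):
    """True when the candidate password passes every check above."""
    return not password_problems(password)


def rotation_overdue(last_changed_iso, max_age_days=90, today_iso=None):
    """True when the password is older than the assumed rotation interval.

    Dates are ISO strings (YYYY-MM-DD); today defaults to the current date.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ["", "admin123", "Vlan7-Mgmt!Key"]:  # constructed samples
        print(repr(candidate), password_problems(candidate) or "OK")
    print("rotation overdue:", rotation_overdue("2024-01-01", today_iso="2024-06-01"))
```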


Upload the FortiWeb-VM License File


To install the license:

In the License Information widget on the FortiWeb-VM web-based manager, click Update.

Figure 2: Web-based Manager and Evaluation License dialog box

Figure 3: FortiWeb-VM license prompt

1. Click Choose File and locate the license file (.lic) you downloaded earlier from Fortinet.
2. Click Upload on the license prompt dialog.
A message box appears stating that your license is being authenticated. This may take a few minutes.
If you uploaded a valid license, a second message box appears informing you that your license
authenticated successfully.
3. Click OK on the message box.
The system reloads and logs you out.
4. Log in again if prompted, using admin as the user name.
Congratulations! You have successfully installed FortiWeb-VM and can now configure your
virtual appliance.

Changing the hardware configuration

Change the hardware configuration of the FortiWeb-VM so that the number of vCPUs matches the license type
(see Table 1).

Shutting down the FortiWeb-VM

The FortiWeb-VM can be shut down, restarted or cloned.

Integration with FortiSandbox (Optional)

The FortiSandbox-VM and FortiSandbox cloud service are used for automated sample tracking, or sandboxing.

You can send suspicious email attachments to FortiSandbox for inspection when you configure antivirus profiles. If
the file exhibits risky behaviour, or is found to contain a virus, the result will be sent back to FortiWeb and a new
virus signature is created and added to the FortiGuard antivirus signature database as well.

Integration with FortiGate (Optional)

FortiGate appliances can maintain a list of source IPs that they prevent from interacting with the network and
protected systems. You can configure FortiWeb to receive this list of IP addresses at intervals you specify. Then,
you configure an inline protection profile to detect the IP addresses in the list and take an appropriate action.

This feature is available only if the operating mode is reverse proxy or true transparent proxy.

Configure your FortiWeb-VM

Once the FortiWeb-VM license has been validated, you can begin to configure your device. You can use the Wizard
located in the top toolbar for basic configuration, including enabling central management, setting the admin
password, setting the time zone, port configuration, and so on.
For more information on configuring your FortiWeb-VM, see the FortiOS Handbook located at:
http://docs.fortinet.com/fortiweb/admin-guides
