0 MR3 patch 1
Install Guide
25 August 2011 01-431-0147862-20110713 Copyright 2011 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Trademarks ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiMail, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Visit these links for more information and documentation for your Fortinet product:
- Technical Documentation - http://docs.fortinet.com
- Fortinet Knowledge Center - http://kb.fortinet.com
- Technical Support - http://support.fortinet.com
- Training Services - http://training.fortinet.com
Table of Contents
Installing FortiGate-VM
    Overview of the Installation
    Downloading FortiGate-VM
    Deploying the FortiGate-VM software
    Logging in
    Before powering on FortiGate-VM Virtual Appliance
        Resize disk (VMDK)
        Configure the number of vCPUs
        Setting the virtual RAM
        Configuring Virtual Networks
        Configure the virtual network adaptor(s)
    Powering on FortiGate-VM
    Uploading the License
Table of Figures
FortiGate-VM architecture
Overview of Installing FortiGate-VM
Entering login information
Deploying *.OVF file
Browsing to a *.OVF file
Entering the OVF template details
Accepting the End User Agreement
Entering the name of the FortiGate-VM
Selecting the datastore
Formatting virtual disks
Mapping networks
Verifying the details
Completing the deployment
Logging in to the ESX/ESXi host
Selecting the FortiGate-VM instance
Editing settings
Changing drive sizing
Editing CPU settings
Editing memory settings
Mapping network adapters
Powering on the FortiGate-VM
Opening the console
Browsing the license file
License validated
1. Overview of FortiGate-VM
FortiGate-VM works in conjunction with VMware vSphere to leverage the power of virtualization to protect your business against network, content and application-level threats without degrading network availability and uptime. FortiGate-VM runs on the VMware ESX/ESXi Server (hypervisor) and is managed using FortiManager or the web-based manager running on the management computer.
Chapter 1
Architecture of FortiGate-VM
Figure 1 shows the architecture of the FortiGate-VM.
Figure 1: FortiGate-VM architecture
Table 1: FortiGate-VM model information Technical Specifications Hypervisor Support Max vCPU Support Network Interface Support (Minimum/Maximum) VM Memory Support (Minimum/Maximum) 1 2 / 10 512 MB / 512 MB 1 2 / 10 512 MB / 1 GB FortiGate-VM00 FortiGate-VM01 FortiGate-VM02 FortiGate-VM04 FortiGate-VM08
Table 1: FortiGate-VM model information (Continued)
VM Storage Required (Minimum): 30 GB, 30 GB, 30 GB, 30 GB, 30 GB
FortiGuard Services & Port Information:
- DNS lookup; RBL lookup - UDP 53
- FortiGuard Licensing - TCP 443
- FortiGuard Antispam or Web Filtering rating lookup - UDP 53 or UDP 8888
- FDN server list - UDP 53 (default) or UDP 8888, UDP 1027 or UDP 1031
- Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service - TCP 22
- SMTP alert email; encrypted virus sample auto-submit - TCP 25
- LDAP or PKI authentication - TCP 389 or TCP 636
- FortiGuard Antivirus or IPS update - TCP 443
- FortiGuard Analysis and Management Service - TCP 443
- FortiGuard Analysis and Management Service log transmission (OFTP) - TCP 514
- SSL management tunnel to FortiGuard Analysis and Management Service - TCP 541
- FortiGuard Analysis and Management Service contract validation - TCP 10151
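The port list above is what an upstream perimeter firewall has to let out for the FortiGate-VM to validate its license and reach its services. The following Python check is an added example, not part of the Fortinet guide: it compares an egress allow-list against those ports and reports which services would be cut off. The rule syntax, the sample allow-list and the function names are constructed for illustration, and it assumes that where the table says "or", one reachable port is enough.

```python
# Added example, not Fortinet code. Ports are taken from Table 1; the rule
# syntax ("tcp/443", "tcp/500-600") and SAMPLE_EGRESS are constructed.
# FAMS = FortiGuard Analysis and Management Service.
# Assumption: where the table says "or", one reachable port is sufficient.
REQUIRED = {
    "DNS lookup; RBL lookup": [("udp", 53)],
    "FortiGuard Licensing": [("tcp", 443)],
    "FortiGuard Antispam or Web Filtering rating lookup":
        [("udp", 53), ("udp", 8888)],
    "FDN server list":
        [("udp", 53), ("udp", 8888), ("udp", 1027), ("udp", 1031)],
    "Configuration backup to FortiManager or FAMS": [("tcp", 22)],
    "SMTP alert email; encrypted virus sample auto-submit": [("tcp", 25)],
    "LDAP or PKI authentication": [("tcp", 389), ("tcp", 636)],
    "FortiGuard Antivirus or IPS update": [("tcp", 443)],
    "FAMS": [("tcp", 443)],
    "FAMS log transmission (OFTP)": [("tcp", 514)],
    "SSL management tunnel to FAMS": [("tcp", 541)],
    "FAMS contract validation": [("tcp", 10151)],
}


def parse_rule(rule):
    """Parse an allow-list entry such as 'tcp/443' or 'tcp/500-600'."""
    proto, _, ports = rule.strip().lower().partition("/")
    if proto not in ("tcp", "udp") or not ports:
        raise ValueError(f"bad rule: {rule!r}")
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {rule!r}")
    return proto, lo, hi


def usable(rules):
    """Map each service to the listed ports that the allow-list lets out."""
    parsed = [parse_rule(r) for r in rules]
    return {
        svc: [(p, n) for p, n in alts
              if any(p == rp and lo <= n <= hi for rp, lo, hi in parsed)]
        for svc, alts in REQUIRED.items()
    }


def blocked_services(rules):
    """Services for which no listed port is permitted, sorted by name."""
    return sorted(svc for svc, ok in usable(rules).items() if not ok)


# Constructed sample: outbound rules on a restrictive perimeter firewall.
SAMPLE_EGRESS = ["udp/53", "tcp/443", "tcp/22", "tcp/500-600"]

if __name__ == "__main__":
    for svc, ok in usable(SAMPLE_EGRESS).items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {svc}: {ok}")
```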
Licensing
After placing an order for FortiGate-VM, a registration number is sent to the email address used on the order form. Use the registration number provided to register the FortiGate-VM with FortiCare (https://support.fortinet.com). You will need the license file to activate your FortiGate-VM instance. For new installations, the CLI and web-based manager are locked until you load the license file. Once the license is loaded and validated by FortiManager or FortiGuard services, the CLI and web-based manager are unlocked and fully functional. If FortiManager or FortiGuard discovers that the license has expired, or was pirated or cloned, an invalid status is returned to the FortiGate-VM and the device remains in a locked state.
To learn about the technical support services Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Fortinet Technical Support Requirements.
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.
Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any error or omissions in this technical document to techdoc@fortinet.com.
2. Installing FortiGate-VM
Prior to deploying the FortiGate-VM virtual appliance, VMware vSphere Hypervisor (ESX/ESXi) must be installed and configured. The installation instructions for FortiGate-VM assume you are familiar with VMware ESX/ESXi server and terminology. Ensure the following prerequisites are met before installing FortiGate-VM:
- The VMware vSphere ESX/ESXi Hypervisor software must be installed and configured. For more details, refer to http://www.vmware.com/products/esxi.
- The VMware vSphere Client is installed on the management computer.
- An Internet connection is available for FortiGate-VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate-VM license (please see FortiManager Install and Configure guide for these prerequisites).
Chapter 2
Overview of the Installation
Install the FortiGate-VM after installing the VMware ESX/ESXi server. The following flowchart outlines the basic steps of installing the FortiGate-VM.
Figure 2: Overview of Installing FortiGate-VM (flowchart: Start, Install FortiGate-VM, Configure FortiGate-VM, Install License, Connect to FortiGate-VM, End)
Downloading FortiGate-VM
When you purchase FortiGate-VM, you are provided a link to download the FortiGate-VM software/image. From the link provided, save the FGT_VM-v400-build0458FORTINET.out.ovf.zip file to the management computer and extract the files to a folder.
Table 2: Extracted files. Filename datadrive.vmdk FortiGate-VM.hw04.ovf
Description Virtual disk OVF file formatted to VMware VM version 4 (ESX/ESXi 3.5/4.0/4.1) OVF file formatted to VMware VM version 7 (ESX/ESXi 4.0/4.1) OVF file formatted to VMware VM version 7 utilizing VMXNET2 NICs (ESX/ESXi 4.0/4.1) Virtual disk
3 Click Login.
FortiGate version 4.3.1 System Guide 01-431-0147862-20110713 http://docs.fortinet.com/
5 Select Browse and locate the applicable FortiGate-VM.ovf file and select Next.
Figure 5: Browsing to a *.OVF file
7 Read the End User License Agreement and click Accept at the bottom, then click Next.
Figure 7: Accepting the End User Agreement
11 Map the networks then click Next. By default, one source network is automatically mapped to the destination source network. For each source network, select a destination network from the drop down list.
12 After verifying the settings, click Finish. If you want to change the settings, click the Back button to return to a previous screen and change them.
Figure 12: Verifying the details.
Logging in
After installing the FortiGate-VM, log in to the VMware vSphere Hypervisor (ESX/ESXi) and configure the FortiGate-VM settings.
To log in to the ESX/ESXi host
1 Open the VMware vSphere Client and enter the IP address, user name and password.
2 Click Login.
Figure 14: Logging in to the ESX/ESXi host
4 Click Edit Settings to edit details regarding CPUs, RAM, Interfaces, video cards and other virtual hardware information.
Figure 16: Editing settings
5 Do NOT power on the FortiGate-VM if you want/need to change its default configuration.
- Configure the number of CPUs; see Configure the number of vCPUs.
- Set the RAM on virtual appliance; see Setting the virtual RAM.
- Configure the virtual network adaptor(s); see Configure the virtual network adaptor(s).
Resize disk (VMDK)
For your convenience, the FortiGate-VM deploys with pre-sized VMDKs (Virtual Machine Disk Format). After you deploy the FortiGate-VM (see Deploying the FortiGate-VM software), you can change the size of the files before the initial startup and configuration. This may be necessary if you are planning to do a large amount of local logging. Before doing so, you need to understand the size limitations of your VMFS VM datastore (not relevant to NFS datastores). During the creation of a VM datastore, you have the following formatting options:
- 1 MB block size: 256 GB maximum file size
- 2 MB block size: 512 GB maximum file size
- 4 MB block size: 1024 GB maximum file size
- 8 MB block size: 2048 GB maximum file size
For example, if you select an 800 GB datastore which has been formatted with 1 MB block size, you won't be able to size a single virtual disk (VMDK) greater than 256 GB on your FortiGate-VM. For more information on VMFS block sizing and recommendations, please see http://communities.vmware.com/docs/DOC-11920.
To resize the disk
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Click on Hard disk 2 and edit the Provisioned Size as necessary up to VMware's limit.
6 Click Ok.
Configure the number of vCPUs
Depending on the FortiGate-VM model you deploy, you may configure any vCPU value up to your licensed maximum. As an example, if you purchase a FortiGate-VM08, you may configure this to be any value from 1 vCPU to 8 vCPUs dependent on your VMware license level. For more information, see the VMware vSphere documentation at http://www.vmware.com/products/vsphere-hypervisor/index.html.
To change the number of vCPUs
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Click on CPUs and edit the number of virtual processors.
6 Click Ok.
Setting the virtual RAM
The FortiGate-VM comes pre-configured with 512 MB of RAM. You may change this value to be anywhere from 512 MB to the maximum allowed by the FortiGate-VM model you deployed. As an example, if you are deploying a FortiGate-VM04, you may change this setting to be any value between 512 MB and 4 GB.
To change the amount of vRAM
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Click on Memory and edit the Memory Size.
6 Click Ok.
Configuring Virtual Networks
Mapping FortiGate-VM ports to physical ports depends on your existing virtual environment. When you deploy the FortiGate-VM OVF file, one Virtual Network Interface Card (vNIC) is automatically mapped to a port group on a virtual switch within the ESX/ESXi server. You can change the mapping, or map the other vNICs as required. Table 3 provides an example of how vNICs may be mapped to the ports on the VMware ESX/ESXi server.
Table 3: Network mapping example
ESX/ESXi Server Physical Adapters | Network Mapping: ESX/ESXi Server to vSwitch VM Port Groups | FortiGate-VM VM Network Adapter Settings | FortiGate-VM OS port
eth0 | VM Network 1 | Network Adapter 1 | Port 1
eth1 | VM Network 2 | Network Adapter 2 | Port 2
Configure the virtual network adaptor(s)
Virtual Machine ports can be mapped to port groups on virtual switches and subsequently mapped to ports on the ESX/ESXi server. To map virtual ports or change the existing virtual port configurations, edit the FortiGate-VM settings.
To map the network adaptors
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane and click Edit Settings.
5 Network adapters are mapped to a virtual port on virtual networks (VM Network).
6 Highlight a specific Network adapter to see its current settings.
7 Select the Network adapter and map it to an appropriate VM Network. This will depend on your configuration. For example, in the figure below, Network adapter 1 is mapped to VM Network.
Powering on FortiGate-VM
Once deployed, power on the FortiGate-VM virtual appliance and log in using the Console. In the Console, only a limited set of CLI commands is available for the initial configuration until a valid license is entered through the web-based manager. You can configure the internal interfaces, system DNS and the static route.
To power on the FortiGate-VM
1 Log in to the ESX/ESXi host.
2 Open the VMware vSphere Client and enter the IP address, user name and password.
3 Click Login.
4 Highlight the FortiGate-VM in the left pane.
5 Click Power On.
Figure 21: Powering on the FortiGate-VM
6 Select the Console tab. It may take a few minutes for the FortiGate-VM to format.
Figure 22: Opening the console
7 At the FortiGate-VM login prompt, type admin. There is no password.
8 Configure the FortiGate-VM internal interface. Type:
    config system interface
    edit port1
    set ip <int_ip>/<netmask_ip>
    end
9 Configure the primary and secondary DNS server IP addresses. Type:
    config system dns
    set primary <dns-server_ip>
    set secondary <dns-server_ip>
    end
10 Configure the default gateway. Type:
    config router static
    edit 1
    set device port1
    set gateway <gateway_ip>
    end
3 Select Browse, locate the license file and click Ok. The system will restart. This will take a few minutes. You will get the message "License has already been uploaded, please wait for authentication with registration servers."
4 Select Ok.
5 Refresh the web browser to log in.
6 Type admin in the Name field and select Login. The VM License Registration Status and number of CPUs detected are shown in the FortiGate-VM dashboard.
Figure 24: License validated
Caution: You will need to set up firewall policies in FortiGate-VM. There are no policies by default; therefore no traffic will flow until firewall policies are created.
For more information on how to set up and use the FortiGate-VM features, see the FortiGate Administration Guide or visit http://docs.fortinet.com/fgt.html for all FortiOS documentation.