Fortinet Document Library


Initial setup

The following section provides information about setting up the virtual machine (VM) version of FortiAuthenticator.

FortiAuthenticator VM setup

Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.

System requirements

FortiAuthenticator-VM is compatible with Hyper-V Windows Server 2012 and 2016. For information on the FortiAuthenticator-VM system requirements, please see the FortiAuthenticator datasheet.

FortiAuthenticator-VM has kernel support for more than 4GB of RAM in VM images. However, this support also depends on the VM player version. For more information, see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014006

The default Hardware Version is 4, in order to support the widest base of VM players. However, you can modify the VM Hardware Version by editing the following line in the FortiAuthenticator-VM.vmx file:
virtualHW.version = "4"

Note: FortiAuthenticator 5.3+ includes a KVM image for loading onto KVM servers, such as Linux running Virtual Machine Manager, and on FortiHypervisor.

FortiAuthenticator-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

To set up the FortiAuthenticator VM image:
  1. Download the VM image zip file to the local computer where VMware is installed.
  2. Extract the files from the zip file into a folder.
  3. In your VMware software, go to File > Open.
  4. Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file, and select Open.
  5. VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to complete.

  6. At the FortiAuthenticator login prompt, enter admin and press Enter. By default, there is no password.
  7. At the CLI prompt, enter the following commands:

    config system interface
    edit port1
    set ip <ip-address>/<netmask>
    set allowaccess https ssh
    next
    end

    config router static
    edit 0
    set device port1
    set dst 0.0.0.0/0
    set gateway <ip-gateway>
    next
    end

    Substitute your own desired FortiAuthenticator IP address and default gateway.

You can now connect to the GUI at the IP address you set for port 1.
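
An added example, not part of Fortinet's documentation: a small Python check that parses the commands from step 7 and reports cleartext administrative protocols on the set allowaccess line and a default gateway that is not on the interface's subnet. The sample addresses are constructed, and the http and telnet token names are assumed.

```python
import ipaddress

# Constructed sample: the setup commands with invented addresses filled in.
SAMPLE = """\
config system interface
edit port1
set ip 10.20.30.5/255.255.255.0
set allowaccess https ssh telnet
next
end
config router static
edit 0
set device port1
set dst 0.0.0.0/0
set gateway 10.20.31.1
next
end
"""
CLEARTEXT = {"http", "telnet"}  # assumed allowaccess token names

def parse(text):
    """Return {section: {entry: {key: [values]}}} from config/edit/set lines."""
    tree, section, entry = {}, None, None
    for words in (ln.split() for ln in text.splitlines() if ln.strip()):
        if words[0] == "config":
            section = tree.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit" and section is not None:
            entry = section.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            entry = None
            section = None if words[0] == "end" else section
    return tree

def audit(text):
    """Report cleartext admin access and gateways outside the interface subnet."""
    tree, findings, nets = parse(text), [], {}
    for name, cfg in tree.get("system interface", {}).items():
        if cfg.get("ip"):
            nets[name] = ipaddress.ip_interface(cfg["ip"][0]).network
        for proto in sorted(CLEARTEXT & set(cfg.get("allowaccess", []))):
            findings.append(f"{name}: cleartext admin access '{proto}' enabled")
    for rid, cfg in tree.get("router static", {}).items():
        dev, gw = (cfg.get("device") or [None])[0], (cfg.get("gateway") or [None])[0]
        if dev in nets and gw and ipaddress.ip_address(gw) not in nets[dev]:
            findings.append(f"route {rid}: gateway {gw} not on {dev} subnet {nets[dev]}")
    return findings
```

Calling audit(SAMPLE) returns two findings for the constructed input; the same commands with only https ssh and a gateway inside the port1 subnet return an empty list.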

Caution: Suspending the FortiAuthenticator-VM can have unintended consequences. Fortinet recommends that you do not use the suspend feature of VMware. Instead, shut down the virtual FortiAuthenticator system using the GUI or CLI, and then shut down the virtual machine using the VMware console.

Administrative access

Administrative access is enabled by default on port 1. Using the GUI, you can enable administrative access on other ports if necessary.

To add administrative access to an interface:
  1. Go to System > Network > Interfaces and select the interface you need to add administrative access to. See Interfaces for more information.
  2. Under Access Rights, for Admin access, select the types of access to allow.
  3. Select OK.

GUI access

To use the GUI, point your browser to the IP address of port 1 (192.168.1.99 by default). For example, enter the following in the URL box:

https://192.168.1.99

Enter admin as the User Name and leave the Password field blank.

HTTP access is not enabled by default. To enable access, use the set ha-mgmt-access command in the CLI (see CLI commands), or enable HTTP access on the interface in the GUI (see Interfaces).

For security reasons, the host or domain names that the GUI responds to are restricted. The list of trusted hosts is automatically generated from the following:

  • Configured hostname.
  • Configured DNS domain name.
  • Network interface IP addresses that have HTTP or HTTPS enabled.
  • HA management IP addresses.

Additional IP addresses and host or domain names that the GUI responds to can be defined in the GUI Access settings. See System access for more information.

Telnet

CLI access is available using telnet to the port1 interface IP address (192.168.1.99 by default). Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:

$ telnet -K 192.168.1.99

At the FortiAuthenticator login prompt, enter admin. By default there is no password. When you are finished, use the exit command to end the telnet session.

CLI access using Telnet is not enabled by default. To enable access, use the set ha-mgmt-access command in the CLI (see CLI commands), or enable Telnet access on the interface in the GUI (see Interfaces).

SSH

SSH provides secure access to the CLI. Connect to the port1 interface IP address (192.168.1.99 by default). Specify the user name admin or SSH will attempt to log on with your user name. For example:

$ ssh admin@192.168.1.99

By default there is no password. When you are finished, use the exit command to end the session.

Note that, after three failed login attempts, the interface/connection will reset, and that SSH timeout is set to 60 seconds following an incomplete login or broken session.
