Azure Administration Guide

Deploying the FortiGate-VM

The FortiGate-VM supports several deployment methods, corresponding to the deployment methods that the Azure platform supports. This guide focuses on the Azure portal, which offers a convenient, guided deployment. For more automated deployment, ARM templates or Terraform are available on the Fortinet GitHub. See Deploying FortiGate with a custom ARM template.

To deploy the FortiGate-VM:
  1. In the Azure dashboard, select Create a resource and search for FortiGate.
  2. Locate the Fortinet FortiGate Next-Generation Firewall listing and select it.
  3. From the Select a plan dropdown list, select Single VM. Click Create.
  4. Configure the options on the Basics tab according to your requirements:
    1. For Resource Group, create a new resource group or select an existing one. Deploying the solution to a new or empty resource group is recommended. You can deploy the solution to an existing resource group that already contains resources, but this may overwrite existing resources.
    2. From the Region dropdown list, select the desired region. FortiGate-VM is available in all public regions of Azure and the China and Gov regions. Availability depends on the access rights of the Azure subscription used for deployment.
    3. In the FortiGate administrative username field, enter the username that you will use to manage the FortiGate. The username cannot be a common username such as root, admin, or administrator. After deployment, you can reset the username and password from the Azure portal interface, resulting in a system reboot.
    4. In the FortiGate password field, enter the password used to manage the FortiGate via the GUI or CLI. The password must be at least twelve characters and contain one or more of the following tokens: uppercase letters, lowercase letters, digits, and special characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/.
    5. In the Fortigate Name Prefix field, enter the desired prefix. All resources contain the prefix in their name.
    6. From the Fortigate Image SKU dropdown list, select the license type. Pay as you go is billed through Azure as an additional charge to compute usage.
    7. From the Fortigate Image Version dropdown list, select the desired FortiGate version. The default option installs the latest FortiGate version.

  5. For Instance Type, select the instance type according to the purchased bring your own license (BYOL) or the anticipated cost per hour. Licensing is based on the number of utilized vCPUs. You can resize the VM later if needed. See Instance type support.
  6. On the Networking tab, configure the following:
    1. Configure the networks. You can deploy the FortiGate in an existing VNet or create a new VNet. If deploying to an existing VNet, you must already have three subnets to use for the FortiGate-VM. The FortiGate-VM requires a public and private interface for Internet edge protection. Ensuring that the external and internal subnets of the FortiGate are empty or do not contain other networking devices that require routing is recommended.
    2. Enable Accelerated Networking if desired. This option gives the VM a direct path to the Azure infrastructure NIC and allows for better performance. It is only available for specific instance types. See Enabling accelerated networking on the FortiGate-VM.

  7. On the Public IP tab, create a new public IP address or select an existing unattached public IP address. The public IP address can be a basic or standard SKU public IP address. A highly available setup requires a standard SKU public IP address. Upgrading from a basic to a standard SKU public IP address is supported. See Upgrade public IP addresses.
  8. On the Advanced tab, configure the following:
    1. In the FortiManager section, provide FortiManager details if desired. During deployment, the FortiGate can reach out and register itself to a FortiManager using the provided details.
    2. In the Custom Data field, add additional configuration if desired. This provides a configuration to the FortiGate during deployment. For example, you can enter FortiOS CLI commands.
    3. If using a BYOL license, upload the license so that it can be provided during deployment to the FortiGate.
  9. Launch the FortiGate deployment:
    1. You are finished configuring the options. Once validation passes, click OK.
      Note: If you want to download the template, click Download template and parameters.

    2. Click Create. After deploying the template, you should see the deployment progress and the parameters and template that Azure is processing. Once deployed, the new resources show in the resource group.
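
A pre-flight check for the credential rules in step 4 and for a parameters file obtained through Download template and parameters, as an added example that is not Fortinet's own code. The parameter names `adminUsername` and `adminPassword`, the case-insensitive username match, and the rejection of characters outside the listed set are assumptions.

```python
import json
import string

# Rules stated in step 4 of the procedure above.
COMMON_USERNAMES = {"root", "admin", "administrator"}
MIN_PASSWORD_LENGTH = 12
SPECIALS = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"
LISTED_CHARS = set(string.ascii_letters + string.digits + SPECIALS)


def check_username(username):
    # Assumption: compare case-insensitively, the conservative reading.
    if username.strip().lower() in COMMON_USERNAMES:
        return ["username is a common name"]
    return []


def check_password(password):
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password is shorter than 12 characters")
    # Assumption: characters outside the listed set are rejected.
    if set(password) - LISTED_CHARS:
        problems.append("password uses characters outside the listed set")
    return problems


def check_parameters(text, user_key="adminUsername", pass_key="adminPassword"):
    """Check an ARM parameters document; the key names are assumptions."""
    params = json.loads(text).get("parameters", {})
    problems = check_username(params.get(user_key, {}).get("value") or "")
    secret = params.get(pass_key, {})
    if "reference" in secret:
        # Key Vault reference: the secret is not in the file to inspect.
        return problems
    password = secret.get("value") or ""
    problems += check_password(password)
    if password:
        problems.append("password is stored in clear text in the file")
    return problems


# Constructed sample input, not taken from a real deployment.
SAMPLE = json.dumps({"parameters": {
    "adminUsername": {"value": "Admin"},
    "adminPassword": {"value": "Short1!"},
}})

if __name__ == "__main__":
    for problem in check_parameters(SAMPLE):
        print("FAIL:", problem)
```

Run it against a parameters file before committing the file to source control or passing it to an automated deployment.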
