Initially deploying the FortiGate-VM
GCP has added support for Terraform packages via marketplace deployments. This document outlines the steps to deploy FortiGate-VM bring your own license (BYOL) and pay as you go (PAYG) from the GCP marketplace using Terraform packages.
Deleting the FortiGate-VM instance after deployment does not delete the log disk. However, deleting the entire deployment from the Solution Deployment section deletes all resources that the deployment created, including the log disk. This is a limitation in the Terraform GCP provider.
Preparing a service account
For information about creating a service account, see Create service accounts.
Deploying a FortiGate-VM requires the following permissions and roles:
- roles/config.agent
- roles/compute.networkAdmin
- roles/compute.admin
- roles/iam.serviceAccountUser
- roles/storage.objectViewer
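A pre-deployment check for the roles listed above, as an added example that is not part of the Fortinet documentation. It assumes the policy JSON comes from `gcloud projects get-iam-policy PROJECT_ID --format=json`; the service account name, the sample policy and the `check_roles` helper are constructed for illustration.

```python
import json

# Roles the page lists as required for the deployment service account.
REQUIRED_ROLES = (
    "roles/config.agent",
    "roles/compute.networkAdmin",
    "roles/compute.admin",
    "roles/iam.serviceAccountUser",
    "roles/storage.objectViewer",
)
SA = "fgt-deploy@example-project.iam.gserviceaccount.com"  # constructed name


def check_roles(policy, sa_email):
    """Return (missing, conditional_only) required roles for sa_email.

    Only bindings set on the project itself are in this policy; roles inherited
    from a folder or organization are not visible and show up as missing.
    """
    member = "serviceAccount:" + sa_email
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        # Exact match: a "deleted:serviceAccount:...?uid=" entry does not count.
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only while its condition holds.
        (conditional if binding.get("condition") else granted).add(binding["role"])
    missing = [r for r in REQUIRED_ROLES if r not in (granted | conditional)]
    cond_only = [r for r in REQUIRED_ROLES if r in conditional - granted]
    return missing, cond_only


# Constructed sample policy; project, members and condition are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.admin", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/compute.networkAdmin",
   "members": ["user:admin@example.com", "serviceAccount:%(sa)s"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["serviceAccount:%(sa)s"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/storage.objectViewer",
   "members": ["deleted:serviceAccount:%(sa)s?uid=123456789"]}
]}
""" % {"sa": SA})

if __name__ == "__main__":
    missing, cond_only = check_roles(SAMPLE_POLICY, SA)
    print("missing:", missing)
    print("granted only under a condition:", cond_only)
```

A role reported as conditional-only can stop working when its condition no longer holds, so review it before relying on the account for deployment.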
To perform initial deployment of the FortiGate-VM:
- In the Google Cloud marketplace Cloud Launcher, find FortiGate Next-Generation Firewall. Select BYOL or PAYG according to your needs.
- Click LAUNCH.
- Configure the variables as required. See Deployment variables for descriptions of the deployment variables.
- Add more networks and network interfaces if desired:
  - Under Network interfaces, click ADD NETWORK INTERFACE.
  - Select the desired network and subnetwork, then click DONE.

  This example adds the HA-Sync and HA-Mgmt networks to NIC 3 and NIC 4 respectively to illustrate multiple network support. If you are not configuring high availability, you can select other networks for any NIC on the FortiGate deployment.

  Google Cloud instances support a maximum of eight interfaces, based on the selected VM type.
- Click Deploy. When deployment is done, select DETAILS to review the temporary password and public IP address to access the FortiGate-VM.
Deployment variables
| Variable | Description |
|---|---|
| Deployment name | Enter the FortiGate-VM name to appear in the Compute Engine portal. |
| Deployment Service Account | Select Existing account. |
| Select a Service Account | Autopopulated with service accounts that have the needed roles and permissions assigned. |
| Image Version | Select the FortiGate version. The latest version is the default. |
| Zone | Choose the zone to deploy the FortiGate to. |
| Machine type | Choose the series and instance type required. |
| Boot disk size in GB | Leave as-is at 10 GB. |
| Boot disk type | Choose the desired boot disk type. |
| Enable Log Disk | Enable log disk. |
| Log disk size in GB | Select the desired log disk size or leave as-is at 30 GB. |
| Log disk type | Select the desired log disk type. |
| Network | Select the network located in the selected zone. |
| Subnetwork | Select the subnetwork where the FortiGate resides. |
| Enable IP Forward | Enable the VM to forward packets. |
| Firewall | Leave all selected as shown, or, if your network requires the strictest security for the first setup, allow at least HTTPS. Change firewall settings as needed later on. These are the ports that Google Cloud opens for incoming access to the FortiGate instance over the Internet; they are not part of the FortiGate firewall features. |
| External IP | Select Ephemeral. You must access the FortiOS GUI via this public IP address. |