GCP Administration Guide

Initially deploying the FortiGate-VM

GCP has added support for Terraform packages in marketplace deployments. This document outlines the steps to deploy the FortiGate-VM bring your own license (BYOL) and pay as you go (PAYG) offerings from the GCP marketplace using Terraform packages.

Note

Deleting the FortiGate-VM instance after deployment does not delete the log disk.

However, deleting the entire deployment from the Solution Deployment section deletes all resources that the deployment created, including the log disk. This is a limitation in the Terraform GCP provider.

Preparing a service account

For information about creating a service account, see Create service accounts.

Deploying a FortiGate-VM requires the following permissions and roles:

  • roles/config.agent
  • roles/compute.networkAdmin
  • roles/compute.admin
  • roles/iam.serviceAccountUser
  • roles/storage.objectViewer
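As an added example (not part of the Fortinet guide or of Google's marketplace package), the following script creates a dedicated deployment service account, binds exactly the five roles listed above, and then compares the account's actual bindings against that list so that the deployer holds nothing more than it needs. The project ID, account name and the `GCLOUD` dry-run switch are assumptions for illustration; set `GCLOUD="echo gcloud"` to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the Fortinet guide or Google's marketplace package.
# Creates a dedicated deployment service account and binds exactly the five
# roles the guide lists, then checks the resulting bindings against that list.
# PROJECT_ID and SA_NAME are placeholders; override them for your environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # placeholder project ID
SA_NAME="${SA_NAME:-fortigate-deployer}"      # placeholder account name
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Exactly the roles the guide requires; anything beyond this is over-privilege.
REQUIRED_ROLES="roles/config.agent roles/compute.networkAdmin roles/compute.admin roles/iam.serviceAccountUser roles/storage.objectViewer"

# Set GCLOUD="echo gcloud" to print the commands instead of executing them.
GCLOUD="${GCLOUD:-gcloud}"

# Create the account and bind the required roles, one binding per role.
create_deployer_sa() {
  $GCLOUD iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" \
    --display-name="FortiGate-VM marketplace deployer"
  for role in $REQUIRED_ROLES; do
    $GCLOUD projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="$role" \
      --condition=None
  done
}

# Print the project-level roles currently bound to the account, one per line.
granted_roles() {
  $GCLOUD projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
    --format="value(bindings.role)"
}

# missing_roles REQUIRED GRANTED: print required roles absent from GRANTED.
missing_roles() {
  for role in $1; do
    case " $2 " in
      *" $role "*) ;;
      *) printf '%s\n' "$role" ;;
    esac
  done
}

# extra_roles REQUIRED GRANTED: print granted roles the guide does not call for.
extra_roles() {
  for role in $2; do
    case " $1 " in
      *" $role "*) ;;
      *) printf '%s\n' "$role" ;;
    esac
  done
}

# Fail if a required role is missing; warn if the account holds extra roles.
verify_deployer_sa() {
  granted="$(granted_roles | tr '\n' ' ')"
  missing="$(missing_roles "$REQUIRED_ROLES" "$granted")"
  extra="$(extra_roles "$REQUIRED_ROLES" "$granted")"
  if [ -n "$missing" ]; then
    printf 'missing required roles:\n%s\n' "$missing" >&2
    return 1
  fi
  if [ -n "$extra" ]; then
    printf 'warning: roles beyond the required list:\n%s\n' "$extra" >&2
  fi
  echo "service account ${SA_EMAIL} holds all required roles"
}

# Usage: ./deployer-sa.sh create   |   ./deployer-sa.sh verify
case "${1:-}" in
  create) create_deployer_sa ;;
  verify) verify_deployer_sa ;;
esac
```

The verify step is worth running after every change to the project's IAM policy: a deployment account that has quietly accumulated `roles/owner` or similar is a common way for a narrowly scoped automation identity to become a high-value target.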

To perform initial deployment of the FortiGate-VM:
  1. In the Google Cloud marketplace Cloud Launcher, find FortiGate Next-Generation Firewall. Select BYOL or PAYG according to your needs.
  2. Click LAUNCH.
  3. Configure the variables as required. See Deployment variables for a description of each variable.

  4. Add more networks and network interfaces if desired:
    1. Under Network interfaces, click ADD NETWORK INTERFACE.
    2. Select the desired network and subnetwork, then click DONE.

    Note

    This example adds the HA-Sync and HA-Mgmt networks to NIC 3 and NIC 4 respectively to illustrate multiple network support. If you are not configuring high availability, you can select other networks for any NIC on the FortiGate deployment.

    Note

    Google Cloud instances support a maximum of eight network interfaces; the actual limit depends on the selected VM type.

  5. Click Deploy. When deployment is done, select DETAILS to review the temporary password and public IP address to access the FortiGate-VM.

Deployment variables

Deployment name

Enter the FortiGate-VM name to appear in the Compute Engine portal.

Deployment Service Account

Select Existing account.

Select a Service Account

Autopopulated with service accounts that have the needed roles and permissions assigned.

Image Version

Select the FortiGate version. The latest version is the default.

Zone

Choose the zone in which to deploy the FortiGate-VM.

Machine type

Choose the series and instance type required.

Boot disk size in GB

Leave at the default of 10 GB.

Boot disk type

Choose the desired boot disk type.

Enable Log Disk

Enable the log disk.

Log disk size in GB

Select the desired log disk size, or leave at the default of 30 GB.

Log disk type

Select the desired log disk type.

Network

Select the network located in the selected zone.

Subnetwork

Select the subnetwork where the FortiGate resides.

Enable IP Forward

Enable IP forwarding so that the VM can forward packets not addressed to itself, which the FortiGate requires in order to route traffic.

Firewall

Leave all the ports selected as shown, or, if your network requires the strictest security for the initial setup, allow at least HTTPS. Change the firewall settings as needed later on.

These are the ports that Google Cloud's own firewall rules open for incoming access to the FortiGate instance over the Internet; they are not part of the FortiGate firewall features.
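As an added example (not part of the Fortinet guide or of Google's marketplace package), the following script shows one way to tighten these Google Cloud firewall rules after the initial setup: it creates a rule that admits only HTTPS (tcp:443) from a known administrator range to the tagged FortiGate-VM, refuses source ranges that are malformed or broad enough to expose management to the whole Internet, and lists any remaining ingress rules on the network that still accept traffic from 0.0.0.0/0. The project ID, VPC name, target tag, rule name and the `/8` breadth threshold are assumptions for illustration; set `GCLOUD="echo gcloud"` for a dry run.

```shell
#!/usr/bin/env bash
# Added example, not from the Fortinet guide or Google's marketplace package.
# After the initial setup, narrow the Google Cloud firewall rule in front of
# the FortiGate-VM so that only HTTPS management traffic from a known
# administrator range reaches it. PROJECT_ID, NETWORK, TARGET_TAG and
# RULE_NAME are placeholders; MIN_PREFIX is an assumed local policy choice.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"            # placeholder project ID
NETWORK="${NETWORK:-fortigate-vpc}"                    # placeholder VPC name
TARGET_TAG="${TARGET_TAG:-fortigate-mgmt}"             # placeholder tag on the FortiGate-VM
RULE_NAME="${RULE_NAME:-fortigate-allow-https-admin}"  # placeholder rule name
MIN_PREFIX="${MIN_PREFIX:-8}"   # assumed policy: reject source ranges broader than /8
GCLOUD="${GCLOUD:-gcloud}"      # GCLOUD="echo gcloud" prints commands instead of running them

# is_ipv4_cidr CIDR: succeed only for a well-formed IPv4 prefix such as 203.0.113.0/24.
is_ipv4_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"
  prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # Split the address on dots without letting the shell glob-expand it.
  oldifs="$IFS"; set -f; IFS=.; set -- $ip; IFS="$oldifs"; set +f
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# admin_range_ok CIDR: reject malformed ranges and ranges broad enough to
# expose management to the whole Internet (0.0.0.0/0 included).
admin_range_ok() {
  if ! is_ipv4_cidr "$1"; then
    echo "invalid IPv4 CIDR: $1" >&2
    return 1
  fi
  if [ "${1#*/}" -lt "$MIN_PREFIX" ]; then
    echo "source range $1 is broader than /$MIN_PREFIX; refusing" >&2
    return 1
  fi
}

# create_https_admin_rule CIDR: allow only tcp:443 from CIDR to the tagged instance.
create_https_admin_rule() {
  admin_range_ok "$1" || return 1
  $GCLOUD compute firewall-rules create "$RULE_NAME" \
    --project="$PROJECT_ID" \
    --network="$NETWORK" \
    --direction=INGRESS \
    --action=ALLOW \
    --rules=tcp:443 \
    --source-ranges="$1" \
    --target-tags="$TARGET_TAG" \
    --description="HTTPS management access to the FortiGate-VM from the admin range"
}

# list_world_open_rules: show ingress rules on the network that still accept
# traffic from 0.0.0.0/0, so they can be reviewed once the narrowed rule exists.
list_world_open_rules() {
  $GCLOUD compute firewall-rules list \
    --project="$PROJECT_ID" \
    --filter="network:${NETWORK} AND direction=INGRESS AND sourceRanges:0.0.0.0/0" \
    --format="table(name,sourceRanges.list(),allowed[].map().firewall_rule().list())"
}

# Usage: ./fgt-fw.sh create 203.0.113.0/24   |   ./fgt-fw.sh audit
case "${1:-}" in
  create) create_https_admin_rule "${2:?usage: $0 create ADMIN_CIDR}" ;;
  audit)  list_world_open_rules ;;
esac
```

The validation step matters because the Google Cloud rule is the only control between the Internet and the FortiGate management plane until FortiOS itself is configured; the `audit` mode gives a quick view of whatever broad rules the initial deployment left behind so they can be narrowed or removed deliberately.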

External IP

Select Ephemeral. You must access the FortiOS GUI via this public IP address.
