Fortinet black logo

Cloud Deployment Guide (Azure)

Home FortiProxy Public Cloud 7.0.0 Cloud Deployment Guide (Azure)
7.0.0
7.4.0
7.2.0
7.0.0

Deploying FortiProxy-VM from the Azure marketplace

Deploying FortiProxy-VM from the Azure marketplace

You can deploy FortiProxy-VM as a virtual appliance in the Azure cloud (infrastructure as a service (IaaS)) from the Azure marketplace. This section shows you how to install and configure a single instance FortiProxy-VM in Azure to provide a secure web gateway solution in front of Azure IaaS resources.

Note

You can only deploy certain versions of the FortiProxy 7.0 VM from the Azure marketplace. To install other versions or a custom image, see Deploying FortiProxy-VM from a VHD image file.

This section covers the deployment of simple web servers, but you can use this deployment type for any type of public resource protection with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.

The example in this document creates three subnets:

Subnet

Description

Subnet1

External subnet used to connect the FortiProxy-VM to the Internet.

Subnet2

Internal subnet used as a transit network to one or multiple protected networks containing backend services, such as the web server.

Subnet3

Protected subnet used to deploy services. You can deploy multiples of these subnets. The traffic is sent to the FortiProxy for inspection using UDR.

To deploy the FortiProxy-VM from the Azure marketplace:
  1. In the Azure dashboard, select Create a resource.
  2. Search for FortiProxy to locate the Fortinet FortiProxy Secure Web Gateway (SWG) listing.
  3. Open the listing and click Get It Now.
  4. Click Continue, select FortiProxy Single VM, and click Create.
  5. Configure the options on the Basics tab according to your requirements:
    1. For Resource Group, create a new resource group or select an existing one. Deploying the solution to a new or empty resource group is recommended. You can deploy the solution to an existing resource group that already contains resources, but this may overwrite existing resources.
    2. From the Region dropdown list, select the desired region. FortiProxy-VM is available in all public regions of Azure and the China and Gov regions. Availability depends on the access rights of the Azure subscription used for deployment.
    3. In the FortiProxy administrative username and password fields, enter the username and password for the FortiProxy administrative profile.
    4. In the FortiProxy Name Prefix field, assign a naming prefix for your FortiProxy resources.
    5. From the FortiProxy Image SKU dropdown list, select Bring Your Own License.
    6. From the FortiProxy Image Version dropdown list, select the FortiProxy version to deploy. To install versions that are not available in the list or to install a custom image, see Deploying FortiProxy-VM from a VHD image file.
    7. Click Next.
  6. On the Instance tab, select an availability option, upload your FortiProxy license (see Licensing), specify the name of the FortiProxy VM, and click Next.
  7. On the Networking tab, configure the networks:
    1. Create a new virtual network to deploy the FortiProxy.
    2. Create three subnets as the FortiProxy-VM requires a public and private interface for Internet edge protection.
    3. Enable or disable Accelerated Networking, which refers to SR-IOV support. This depends on the instance type that you selected.
    4. Click Next.
  8. On the Public IP tab, create a new public IP address or create a new one. Click Next.
  9. On the Advanced tab, configure the parameters according to your requirements:
    1. To allow FortiManager to manage this FortiProxy, enable Connect to FortiManager and provide the FortiManager IP address and serial number in the FortiManager IP address and FortiManager Serial Number fields.
    2. In the Custom Data field, add initial configuration for the FortiProxy deployment if desired. For example, you can enter FortiProxy CLI commands which will then be executed during the initial bootup of the FortiProxy.
    3. Enable or disable serial console as needed using the Enable Serial Console field.
    4. Leave the Custom VHD field empty. This field is used only if you are deploying the FortiProxy VM from a custom VHD file. See Deploying FortiProxy-VM from a VHD image file.
    5. Click Review + create.
  10. When validation passes, click OK.

    If you want to download the template, click Download template and parameters.

  11. Click Create. You should see the deployment progress and the parameters and template that Azure is processing. Once deployed, the new resources show in the resource group.

  12. Connect to the FortiProxy-VM by following the steps below:

    1. Open the FortiProxy Public IP resource and copy the IP address that Azure assigned.
    2. In a web browser, connect to the IP address using HTTPS on port 443. You can also use an SSH client on port 22.
    3. The system displays a warning that the certificate is untrusted. This is expected since the FortiProxy-VM is using a self-signed certificate. If desired, replace the certificate with a signed certificate.
    4. Sign in with the credentials specified in the Azure template parameters.
    5. If you did not upload a license during the deployment, upload the license now and reboot the FortiProxy-VM before continuing. See Licensing.
Previous
Next

Deploying FortiProxy-VM from the Azure marketplace

You can deploy FortiProxy-VM as a virtual appliance in the Azure cloud (infrastructure as a service (IaaS)) from the Azure marketplace. This section shows you how to install and configure a single instance FortiProxy-VM in Azure to provide a secure web gateway solution in front of Azure IaaS resources.

Note

You can only deploy certain versions of the FortiProxy 7.0 VM from the Azure marketplace. To install other versions or a custom image, see Deploying FortiProxy-VM from a VHD image file.

This section covers the deployment of simple web servers, but you can use this deployment type for any type of public resource protection with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.

The example in this document creates three subnets:

Subnet

Description

Subnet1

External subnet used to connect the FortiProxy-VM to the Internet.

Subnet2

Internal subnet used as a transit network to one or multiple protected networks containing backend services, such as the web server.

Subnet3

Protected subnet used to deploy services. You can deploy multiples of these subnets. The traffic is sent to the FortiProxy for inspection using UDR.

To deploy the FortiProxy-VM from the Azure marketplace:
  1. In the Azure dashboard, select Create a resource.
  2. Search for FortiProxy to locate the Fortinet FortiProxy Secure Web Gateway (SWG) listing.
  3. Open the listing and click Get It Now.
  4. Click Continue, select FortiProxy Single VM, and click Create.
  5. Configure the options on the Basics tab according to your requirements:
    1. For Resource Group, create a new resource group or select an existing one. Deploying the solution to a new or empty resource group is recommended. You can deploy the solution to an existing resource group that already contains resources, but this may overwrite existing resources.
    2. From the Region dropdown list, select the desired region. FortiProxy-VM is available in all public regions of Azure and the China and Gov regions. Availability depends on the access rights of the Azure subscription used for deployment.
    3. In the FortiProxy administrative username and password fields, enter the username and password for the FortiProxy administrative profile.
    4. In the FortiProxy Name Prefix field, assign a naming prefix for your FortiProxy resources.
    5. From the FortiProxy Image SKU dropdown list, select Bring Your Own License.
    6. From the FortiProxy Image Version dropdown list, select the FortiProxy version to deploy. To install versions that are not available in the list or to install a custom image, see Deploying FortiProxy-VM from a VHD image file.
    7. Click Next.
  6. On the Instance tab, select an availability option, upload your FortiProxy license (see Licensing), specify the name of the FortiProxy VM, and click Next.
  7. On the Networking tab, configure the networks:
    1. Create a new virtual network to deploy the FortiProxy.
    2. Create three subnets as the FortiProxy-VM requires a public and private interface for Internet edge protection.
    3. Enable or disable Accelerated Networking, which refers to SR-IOV support. This depends on the instance type that you selected.
    4. Click Next.
  8. On the Public IP tab, create a new public IP address or create a new one. Click Next.
  9. On the Advanced tab, configure the parameters according to your requirements:
    1. To allow FortiManager to manage this FortiProxy, enable Connect to FortiManager and provide the FortiManager IP address and serial number in the FortiManager IP address and FortiManager Serial Number fields.
    2. In the Custom Data field, add initial configuration for the FortiProxy deployment if desired. For example, you can enter FortiProxy CLI commands which will then be executed during the initial bootup of the FortiProxy.
    3. Enable or disable serial console as needed using the Enable Serial Console field.
    4. Leave the Custom VHD field empty. This field is used only if you are deploying the FortiProxy VM from a custom VHD file. See Deploying FortiProxy-VM from a VHD image file.
    5. Click Review + create.
  10. When validation passes, click OK.

    If you want to download the template, click Download template and parameters.

  11. Click Create. You should see the deployment progress and the parameters and template that Azure is processing. Once deployed, the new resources show in the resource group.

  12. Connect to the FortiProxy-VM by following the steps below:

    1. Open the FortiProxy Public IP resource and copy the IP address that Azure assigned.
    2. In a web browser, connect to the IP address using HTTPS on port 443. You can also use an SSH client on port 22.
    3. The system displays a warning that the certificate is untrusted. This is expected since the FortiProxy-VM is using a self-signed certificate. If desired, replace the certificate with a signed certificate.
    4. Sign in with the credentials specified in the Azure template parameters.
    5. If you did not upload a license during the deployment, upload the license now and reboot the FortiProxy-VM before continuing. See Licensing.
Previous
Next