Fortinet black logo

Cloud Deployment Guide (Azure)

Home FortiProxy Public Cloud 7.0.0 Cloud Deployment Guide (Azure)
7.0.0
7.4.0
7.2.0
7.0.0

Deploying FortiProxy-VM from a VHD image file

Deploying FortiProxy-VM from a VHD image file

You can deploy a FortiProxy-VM (BYOL) using a VHD file of any desired version or build that is outside the marketplace product listing in the Azure portal.

Obtain the FortiProxy VHD image file

  1. Go to https://support.fortinet.com.
  2. Click Login and log in to the Fortinet Support website.
  3. From the Support > Downloads menu, select Firmware Download.
  4. In the Select Product dropdown menu, select FortiProxy.
  5. On the Download tab, navigate to the FortiProxy Azure firmware file in the Image Folders/Files section. For example: FPX_AZURE-v100-buildXXXX-FORTINET.out.hyperv.zip, Where XXXX is the build number.
  6. Click HTTPS to download the firmware.

  7. Unzip it and locate the fortios.vhd file.

  8. Upload the fortios.vhd file to the blob/storage location.

Create an Azure image definition

You can create an image definition via the Azure portal or CLI. See Store and share images in an Azure Compute Gallery and Create a gallery for storing and sharing resources. The following summarizes recommended parameter values to set for the image definition:

Parameter

Recommended value

subscription ID

Enter the subscription ID if the tenant has multiple subscriptions.

publisher

Fortinet

os-type

linux

architecture

Arm64

hyper-v-generation

V2

os-state

Generalized

You can configure other parameters as fits your requirements. See az sig image-definition create. Under the newly created VM definition, you can create a new image version.

To create an image version:
  1. In the Azure portal, go to the VM image definition.
  2. Click Add Version.
  3. Enter the subscription and resource group information.
  4. Under Version details, configure the following:
    1. For Version Number, enter the image version number.
    2. For Source, select Storage blobs (VHDs).
    3. For Os Disk, browse to the VHD that you uploaded to the storage account earlier.

After Azure creates the image version, you can deploy a new FortiProxy-VM from the image.

Deploy the FortiProxy-VM from the Azure VHD image

  1. In the Azure dashboard, select Create a resource.
  2. Search for FortiProxy to locate the Fortinet FortiProxy Secure Web Gateway (SWG) listing.
  3. Open the listing and click Get It Now.
  4. Click Continue, select FortiProxy Single VM, and click Create.
  5. Configure the options on the Basics tab according to your requirements:
    1. For Resource Group, create a new resource group or select an existing one. Deploying the solution to a new or empty resource group is recommended. You can deploy the solution to an existing resource group that already contains resources, but this may overwrite existing resources.
    2. From the Region dropdown list, select the desired region. FortiProxy-VM is available in all public regions of Azure and the China and Gov regions. Availability depends on the access rights of the Azure subscription used for deployment.
    3. In the FortiProxy administrative username and password fields, enter the username and password for the FortiProxy administrative profile.
    4. In the FortiProxy Name Prefix field, assign a naming prefix for your FortiProxy resources.
    5. From the FortiProxy Image SKU dropdown list, select Bring Your Own License.
    6. Leave the FortiProxy Image Version option as it is. To install versions that are available in the list, see Deploying FortiProxy-VM from the Azure marketplace.
    7. Click Next.
  6. On the Instance tab, select an availability option, upload your FortiProxy license (see Licensing), specify the name of the FortiProxy VM, and click Next.
  7. On the Networking tab, configure the networks:
    1. Create a new virtual network to deploy the FortiProxy.
    2. Create three subnets as the FortiProxy-VM requires a public and private interface for Internet edge protection.
    3. Enable or disable Accelerated Networking, which refers to SR-IOV support. This depends on the instance type that you selected.
    4. Click Next.
  8. On the Public IP tab, create a new public IP address or create a new one. Click Next.
  9. On the Advanced tab, configure the parameters according to your requirements:
    1. To allow FortiManager to manage this FortiProxy, enable Connect to FortiManager and provide the FortiManager IP address and serial number in the FortiManager IP address and FortiManager Serial Number fields.
    2. In the Custom Data field, add initial configuration for the FortiProxy deployment if desired. For example, you can enter FortiProxy CLI commands which will then be executed during the initial bootup of the FortiProxy.
    3. Enable or disable serial console as needed using the Enable Serial Console field.
    4. In the Custom VHD field, upload the custom FortiProxy image that you created earlier by entering the resource ID of the image.
    5. Click Review + create.
  10. When validation passes, click OK.

    If you want to download the template, click Download template and parameters.

  11. Click Create. You should see the deployment progress and the parameters and template that Azure is processing. Once deployed, the new resources show in the resource group.

  12. Connect to the FortiProxy-VM by following the steps below:

    1. Open the FortiProxy Public IP resource and copy the IP address that Azure assigned.
    2. In a web browser, connect to the IP address using HTTPS on port 443. You can also use an SSH client on port 22.
    3. The system displays a warning that the certificate is untrusted. This is expected since the FortiProxy-VM is using a self-signed certificate. If desired, replace the certificate with a signed certificate.
    4. Sign in with the credentials specified in the Azure template parameters.
    5. If you did not upload a license during the deployment, upload the license now and reboot the FortiProxy-VM before continuing. See Licensing.
Previous
Next

Deploying FortiProxy-VM from a VHD image file

You can deploy a FortiProxy-VM (BYOL) using a VHD file of any desired version or build that is outside the marketplace product listing in the Azure portal.

Obtain the FortiProxy VHD image file

  1. Go to https://support.fortinet.com.
  2. Click Login and log in to the Fortinet Support website.
  3. From the Support > Downloads menu, select Firmware Download.
  4. In the Select Product dropdown menu, select FortiProxy.
  5. On the Download tab, navigate to the FortiProxy Azure firmware file in the Image Folders/Files section. For example: FPX_AZURE-v100-buildXXXX-FORTINET.out.hyperv.zip, Where XXXX is the build number.
  6. Click HTTPS to download the firmware.

  7. Unzip it and locate the fortios.vhd file.

  8. Upload the fortios.vhd file to the blob/storage location.

Create an Azure image definition

You can create an image definition via the Azure portal or CLI. See Store and share images in an Azure Compute Gallery and Create a gallery for storing and sharing resources. The following summarizes recommended parameter values to set for the image definition:

Parameter

Recommended value

subscription ID

Enter the subscription ID if the tenant has multiple subscriptions.

publisher

Fortinet

os-type

linux

architecture

Arm64

hyper-v-generation

V2

os-state

Generalized

You can configure other parameters as fits your requirements. See az sig image-definition create. Under the newly created VM definition, you can create a new image version.

To create an image version:
  1. In the Azure portal, go to the VM image definition.
  2. Click Add Version.
  3. Enter the subscription and resource group information.
  4. Under Version details, configure the following:
    1. For Version Number, enter the image version number.
    2. For Source, select Storage blobs (VHDs).
    3. For Os Disk, browse to the VHD that you uploaded to the storage account earlier.

After Azure creates the image version, you can deploy a new FortiProxy-VM from the image.

Deploy the FortiProxy-VM from the Azure VHD image

  1. In the Azure dashboard, select Create a resource.
  2. Search for FortiProxy to locate the Fortinet FortiProxy Secure Web Gateway (SWG) listing.
  3. Open the listing and click Get It Now.
  4. Click Continue, select FortiProxy Single VM, and click Create.
  5. Configure the options on the Basics tab according to your requirements:
    1. For Resource Group, create a new resource group or select an existing one. Deploying the solution to a new or empty resource group is recommended. You can deploy the solution to an existing resource group that already contains resources, but this may overwrite existing resources.
    2. From the Region dropdown list, select the desired region. FortiProxy-VM is available in all public regions of Azure and the China and Gov regions. Availability depends on the access rights of the Azure subscription used for deployment.
    3. In the FortiProxy administrative username and password fields, enter the username and password for the FortiProxy administrative profile.
    4. In the FortiProxy Name Prefix field, assign a naming prefix for your FortiProxy resources.
    5. From the FortiProxy Image SKU dropdown list, select Bring Your Own License.
    6. Leave the FortiProxy Image Version option as it is. To install versions that are available in the list, see Deploying FortiProxy-VM from the Azure marketplace.
    7. Click Next.
  6. On the Instance tab, select an availability option, upload your FortiProxy license (see Licensing), specify the name of the FortiProxy VM, and click Next.
  7. On the Networking tab, configure the networks:
    1. Create a new virtual network to deploy the FortiProxy.
    2. Create three subnets as the FortiProxy-VM requires a public and private interface for Internet edge protection.
    3. Enable or disable Accelerated Networking, which refers to SR-IOV support. This depends on the instance type that you selected.
    4. Click Next.
  8. On the Public IP tab, create a new public IP address or create a new one. Click Next.
  9. On the Advanced tab, configure the parameters according to your requirements:
    1. To allow FortiManager to manage this FortiProxy, enable Connect to FortiManager and provide the FortiManager IP address and serial number in the FortiManager IP address and FortiManager Serial Number fields.
    2. In the Custom Data field, add initial configuration for the FortiProxy deployment if desired. For example, you can enter FortiProxy CLI commands which will then be executed during the initial bootup of the FortiProxy.
    3. Enable or disable serial console as needed using the Enable Serial Console field.
    4. In the Custom VHD field, upload the custom FortiProxy image that you created earlier by entering the resource ID of the image.
    5. Click Review + create.
  10. When validation passes, click OK.

    If you want to download the template, click Download template and parameters.

  11. Click Create. You should see the deployment progress and the parameters and template that Azure is processing. Once deployed, the new resources show in the resource group.

  12. Connect to the FortiProxy-VM by following the steps below:

    1. Open the FortiProxy Public IP resource and copy the IP address that Azure assigned.
    2. In a web browser, connect to the IP address using HTTPS on port 443. You can also use an SSH client on port 22.
    3. The system displays a warning that the certificate is untrusted. This is expected since the FortiProxy-VM is using a self-signed certificate. If desired, replace the certificate with a signed certificate.
    4. Sign in with the credentials specified in the Azure template parameters.
    5. If you did not upload a license during the deployment, upload the license now and reboot the FortiProxy-VM before continuing. See Licensing.
Previous
Next