Fortinet Document Library

Azure Cookbook

6.2.0

Configurable variables

Following is a list of variables used during deployment and referenced throughout this guide. Each entry gives the parameter name, its default value (or whether input is required), and a description.

Resource Name Prefix
Default value: Requires input
The prefix for all applicable resource names. Can only contain uppercase letters, lowercase letters, and numbers. Maximum length is 10.

VNet Deployment Method
Default value: create a new VNet in the Autoscale resource group
Options for Virtual Network (VNet) deployment:
  • create a new VNet in the Autoscale resource group
  • create a new VNet in the specified VNet resource group
  • use an existing VNet in the specified VNet resource group
Note: The VNet resource group (specified in the VNet Resource Group Name parameter) must be in the same region as the Autoscale resource group (specified in the Resource group parameter). If using an existing VNet, refer to the section Requirements when using an existing VNet.

VNet Resource Group Name
Default value: Conditionally requires input
Name of the resource group that contains the VNet and related network components.
Note: Required if the VNet and related network components will be deployed to a different resource group than the Autoscale resource group (specified in the Resource group parameter). For details refer to the description of the VNet Deployment Method parameter. Both resource groups must be in the same region.

VNet Name
Default value: Conditionally requires input
Name of the Azure VNet to associate with FortiGate Autoscale. Required when using an existing VNet. When creating a new VNet, this parameter may be left empty and a name will be generated.

VNet Address Space
Default value: 10.0.0.0/16
IP address space of the VNet in CIDR (Classless Inter-Domain Routing) notation, e.g. 10.0.0.0/16. Required when using an existing VNet; the value should match the address space of the target VNet.

Subnet 1 Name, Subnet 2 Name, Subnet 3 Name, Subnet 4 Name
Default value: Conditionally requires input
The Subnet # Name parameters specify the name of each subnet.
  • Subnet 1 is the subnet in which to deploy the FortiGate VMSS.
  • Subnets 2-4 are the subnets to be protected by the FortiGate.
Note: Required only when using an existing VNet. The values should match the subnets of the target VNet. When creating a new VNet, any input value will be ignored.

Subnet 1 Address Range, Subnet 2 Address Range, Subnet 3 Address Range, Subnet 4 Address Range
Default values: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24 respectively
The Subnet # Address Range parameters define the address range of each subnet in CIDR notation. The address range must be contained in the address space of the virtual network as defined in VNet Address Space. After deployment, the address range of a subnet that is in use cannot be edited.
Note: Required when using an existing VNet. The values should match the address ranges of the subnets in the target VNet. When creating a new VNet, any input value will be ignored.

Network Security Group Name
Default value: Conditionally requires input
Name of the Network Security Group associated with the subnets in the VNet. Required when using an existing VNet; the value should match the name of the existing Network Security Group associated with the subnets in the VNet. When creating a new VNet, you may specify a name for the Network Security Group. If left empty, a name will be generated.

Frontend IP Deployment Method
Default value: create new public IP address
Deployment method for the Frontend Public IP address of the external load balancer. There are limitations when using an existing IP address; refer to the optional requirement in the section Requirements when using an existing VNet. When creating a new IP address, it will be deployed to the resource group where the VNet is located.

Frontend IP Name
Default value: Requires input
Name of the Frontend Public IP address. When creating a new IP address, this parameter can be left empty and a name will be generated.

Load Balancer IP
Default value: 10
The last octet of the Frontend Private IP address to be used by the Load Balancer. For example, if set to 10, the Private IP address for the Load Balancer in the subnet with prefix 10.0.1.0/24 would be 10.0.1.10.

Instance Type
Default value: Standard_F4
Size of the VMs in the VMSS. For assistance in choosing the size, refer to the Microsoft article Compute optimized virtual machine sizes.

FOS Version
Default value: 6.2.3
FortiOS version supported by FortiGate Autoscale for Azure.

FortiGate PSK Secret
Default value: Requires input
A secret key used by FortiGate-VM instances to securely communicate with each other. Must contain numbers and letters; may contain special characters. Maximum length is 128.
Note: Changes to the PSK secret after FortiGate Autoscale for Azure has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable will need to be manually updated.

Admin Username
Default value: azureadmin
FortiGate-VM administrator username on all VMs.

Admin Password
Default value: Requires input
FortiGate-VM administrator password on all VMs. Must be between 11 and 26 characters and must include at least one uppercase letter, one lowercase letter, one digit, and one special character such as ! @ # $ %.

Storage Account Type
Default value: Standard_LRS
Storage account type.

Rest App ID
Default value: Requires input
Application ID for the Registered app. This is found under Azure Active Directory > App registrations > {your app}. Make note of this when creating a service principal in the section Prerequisites.

Rest App Secret
Default value: Requires input
Password (Authentication key) for the Registered app. Make note of this when creating a service principal in the section Prerequisites.

BYOL Instance Count
Default value: 2
The number of FortiGate-VM instances the BYOL VMSS should have at any time. For High Availability in BYOL-only and Hybrid use cases, ensure at least 2 FortiGate-VMs are in the group. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.
Note: Users can set the size to less than or equal to the number of valid licenses they own, and the number should not exceed the Max BYOL Instance Count. Licenses can be purchased from FortiCare.

Min BYOL Instance Count
Default value: 2
Minimum number of FortiGate-VM instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing.
Note: For BYOL-only and hybrid licensing deployments, this parameter must be at least 2. If set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost.

Max BYOL Instance Count
Default value: 2
Maximum number of FortiGate-VM instances in the BYOL VMSS. For specific use cases, set to 0 for PAYG-only, and >= 2 for BYOL-only or hybrid licensing. This number must be greater than or equal to the Min BYOL Instance Count.
Note: Users can set the size to match the number of valid licenses they own. Licenses can be purchased from FortiCare.

PAYG Instance Count
Default value: 0
The number of FortiGate-VM instances the PAYG VMSS should have at any time. For High Availability in a PAYG-only use case, ensure at least 2 FortiGate-VMs are in the group. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.

Min PAYG Instance Count
Default value: 0
Minimum number of FortiGate-VM instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing.
Note: For PAYG-only deployments, this parameter must be at least 2. If it is set to 1 and the instance fails to work, the current FortiGate-VM configuration will be lost.

Max PAYG Instance Count
Default value: 6
Maximum number of FortiGate-VM instances in the PAYG VMSS. For specific use cases, set to 0 for BYOL-only, >= 2 for PAYG-only, and >= 0 for hybrid licensing. This number must be greater than or equal to the Min PAYG Instance Count.

Scale Out Threshold
Default value: 80
Percentage of CPU utilization at which scale-out should occur.

Scale In Threshold
Default value: 20
Percentage of CPU utilization at which scale-in should occur.

Master Election Timeout
Default value: 90
The maximum time (in seconds) to wait for a master election to complete.

Get License Grace Period
Default value: 600
The minimum time (in seconds) permitted before a distributed license can be revoked from a non-responsive FortiGate-VM and re-distributed. Minimum is 300.

Heart Beat Interval
Default value: 60
The length of time (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. Minimum is 30. Maximum is 120.

Heart Beat Loss Count
Default value: 3
Number of consecutively lost heartbeats after which the VM is deemed unhealthy and failover activities commence.

Heart Beat Delay Allowance
Default value: 30
The maximum amount of time (in seconds) allowed for network latency of the FortiGate-VM heartbeat arriving at the Autoscale handler function. Minimum is 30.

Script Timeout
Default value: 230
Timeout value (in seconds) for the Azure function script. Minimum is 30. Maximum is 230.

Package Res URL
Default value: Requires input
The public URL of the deployment package zip file that contains the resource used to deploy the Function App. The file is named fortigate-autoscale-azure-funcapp.zip and can be found inside fortigate-autoscale-azure-template-deployment.zip.
Note: This URL must be accessible by Azure.
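As an added pre-deployment check (not part of the Fortinet template or this guide), the following Python validates a parameter set against the constraints listed above: the resource name prefix, subnet ranges inside the VNet address space, the load balancer private IP derivation, the PSK and admin password rules, the instance-count relationships and the timer bounds. The parameter keys and the sample values are constructed assumptions, not values from any real deployment.

```python
import ipaddress
import re

# Constructed sample parameter set (hypothetical values, not from any real deployment).
SAMPLE_PARAMS = {
    "ResourceNamePrefix": "fgtasg01", "VNetAddressSpace": "10.0.0.0/16", "LoadBalancerIP": 10,
    "SubnetAddressRanges": ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    "FortiGatePSKSecret": "Example1PskSecretValue", "AdminPassword": "Example!Pass9word",
    "BYOLInstanceCount": 2, "MinBYOLInstanceCount": 2, "MaxBYOLInstanceCount": 2,
    "PAYGInstanceCount": 0, "MinPAYGInstanceCount": 0, "MaxPAYGInstanceCount": 6,
    "HeartBeatInterval": 60, "HeartBeatDelayAllowance": 30,
    "GetLicenseGracePeriod": 600, "ScriptTimeout": 230,
}
# Documented (minimum, maximum) for the timer parameters; None means no documented maximum.
TIMER_BOUNDS = {"HeartBeatInterval": (30, 120), "HeartBeatDelayAllowance": (30, None),
                "GetLicenseGracePeriod": (300, None), "ScriptTimeout": (30, 230)}

def load_balancer_private_ip(subnet_cidr, last_octet):
    """Frontend private IP of the load balancer: the subnet prefix with its last octet replaced."""
    net = ipaddress.ip_network(subnet_cidr)
    addr = ipaddress.ip_address(net.network_address.packed[:3] + bytes([last_octet]))
    if addr not in net:
        raise ValueError(f"{addr} is outside subnet {net}")
    return str(addr)

def validate_params(p):
    """Return the list of documented parameter constraints that the parameter set p violates."""
    errors = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,10}", p["ResourceNamePrefix"]):
        errors.append("Resource Name Prefix: letters and digits only, maximum length 10")
    vnet = ipaddress.ip_network(p["VNetAddressSpace"])
    for i, cidr in enumerate(p["SubnetAddressRanges"], 1):
        if not ipaddress.ip_network(cidr).subnet_of(vnet):
            errors.append(f"Subnet {i} Address Range {cidr} is not contained in VNet Address Space {vnet}")
    psk, pw = p["FortiGatePSKSecret"], p["AdminPassword"]
    if not (re.search(r"\d", psk) and re.search(r"[A-Za-z]", psk) and len(psk) <= 128):
        errors.append("FortiGate PSK Secret: must contain letters and digits, maximum length 128")
    if not (11 <= len(pw) <= 26 and all(re.search(c, pw) for c in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))):
        errors.append("Admin Password: 11-26 characters with upper, lower, digit and special character")
    for lic in ("BYOL", "PAYG"):
        cnt, lo, hi = p[f"{lic}InstanceCount"], p[f"Min{lic}InstanceCount"], p[f"Max{lic}InstanceCount"]
        if not lo <= cnt <= hi:
            errors.append(f"{lic} Instance Count {cnt} is outside [Min {lo}, Max {hi}]")
    byol, payg = p["BYOLInstanceCount"], p["PAYGInstanceCount"]
    if byol == 1:  # a single instance loses the running FortiGate configuration if it fails
        errors.append("BYOL Instance Count must be 0 (PAYG-only) or at least 2")
    if byol >= 2 and p["MinBYOLInstanceCount"] < 2:
        errors.append("Min BYOL Instance Count must be at least 2 for BYOL-only or hybrid licensing")
    if byol == 0 and (payg < 2 or p["MinPAYGInstanceCount"] < 2):
        errors.append("PAYG-only licensing needs PAYG Instance Count and Min PAYG Instance Count >= 2")
    for name, (lo, hi) in TIMER_BOUNDS.items():
        if p[name] < lo or (hi is not None and p[name] > hi):
            errors.append(f"{name}={p[name]} is outside the documented range [{lo}, {hi}]")
    return errors
```

Run `validate_params` against your own parameter file before submitting the deployment; an empty list means every documented constraint above is satisfied.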
