Azure Cookbook

6.2.0

Cloud-init

In Autoscaling, FortiGate-VM uses the cloud-init feature to pre-configure the instances when they first come up. During template deployment, an internal API Gateway endpoint is created.

FortiGate sends requests to the endpoint to retrieve the necessary configuration after initialization. The following are examples of output from BYOL and PAYG FortiGate-VM instances.

BYOL FortiGate-VM cloudinit output

# fgtasg-byol300000W # diag debug cloudinit show

>> Run config script

>> Finish running script

>> fgtasg-byol300000W $ config sys interface

>> fgtasg-byol300000W (interface) $ edit "port2"

>> fgtasg-byol300000W (port2) $ set mode dhcp

>> fgtasg-byol300000W (port2) $ set defaultgw disable

>> fgtasg-byol300000W (port2) $ set allowaccess ping https ssh http fgfm

>> fgtasg-byol300000W (port2) $ # work around for FortiOS 6.0.4 #0543036 mtu values from DNS interfere with HA checksum.

>> fgtasg-byol300000W (port2) $ set mtu-override enable

>> fgtasg-byol300000W (port2) $ set mtu 9001

>> fgtasg-byol300000W (port2) $ next

>> fgtasg-byol300000W (interface) $ end

>> fgtasg-byol300000W $ config system dns

>> fgtasg-byol300000W (dns) $ unset primary

>> fgtasg-byol300000W (dns) $ unset secondary

>> fgtasg-byol300000W (dns) $ end

>> fgtasg-byol300000W $ config system global

>> fgtasg-byol300000W (global) $ set admin-sport 8443

>> fgtasg-byol300000W (global) $ end

>> fgtasg-byol300000W $ config system auto-scale

>> fgtasg-byol300000W (auto-scale) $ set status enable

>> fgtasg-byol300000W (auto-scale) $ set sync-interface "port1"

>> fgtasg-byol300000W (auto-scale) $ set hb-interval 30

>> fgtasg-byol300000W (auto-scale) $ set role master

>> fgtasg-byol300000W (auto-scale) $ set callback-url https://xxxxxxxxxxfuncapp.azurewebsites.net/api/fgt-asg-handler

>> fgtasg-byol300000W (auto-scale) $ set psksecret Fortinet123#

>> fgtasg-byol300000W (auto-scale) $ end

>> fgtasg-byol300000W $

>> fgtasg-byol300000W $

>> fgtasg-byol300000W $ config sys interface

>> fgtasg-byol300000W (interface) $ edit "port3"

>> fgtasg-byol300000W (port3) $ set mode dhcp

>> fgtasg-byol300000W (port3) $ set defaultgw disable

>> fgtasg-byol300000W (port3) $ set allowaccess ping https ssh fgfm

>> fgtasg-byol300000W (port3) $ next

>> fgtasg-byol300000W (interface) $ edit "port4"

>> fgtasg-byol300000W (port4) $ set mode dhcp

>> fgtasg-byol300000W (port4) $ set defaultgw disable

>> fgtasg-byol300000W (port4) $ set allowaccess ping https ssh fgfm

>> fgtasg-byol300000W (port4) $ next

>> fgtasg-byol300000W (interface) $ end

>> fgtasg-byol300000W $

>> fgtasg-byol300000W $ config router static

>> fgtasg-byol300000W (static) $ edit 1

>> fgtasg-byol300000W (1) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-byol300000W (1) $ set gateway 10.0.1.1

>> fgtasg-byol300000W (1) $ set priority 5

>> fgtasg-byol300000W (1) $ set device "port2"

>> fgtasg-byol300000W (1) $ next

>> fgtasg-byol300000W (static) $ edit 2

>> fgtasg-byol300000W (2) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-byol300000W (2) $ set gateway 10.0.2.1

>> fgtasg-byol300000W (2) $ set priority 5

>> fgtasg-byol300000W (2) $ set device "port3"

>> fgtasg-byol300000W (2) $ next

>> fgtasg-byol300000W (static) $ edit 3

>> fgtasg-byol300000W (3) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-byol300000W (3) $ set gateway 10.0.3.1

>> fgtasg-byol300000W (3) $ set priority 5

>> fgtasg-byol300000W (3) $ set device "port4"

>> fgtasg-byol300000W (3) $ next

>> fgtasg-byol300000W (static) $ edit 4

>> fgtasg-byol300000W (4) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-byol300000W (4) $ set gateway 10.0.0.1

>> fgtasg-byol300000W (4) $ set device "port1"

>> fgtasg-byol300000W (4) $ next

>> fgtasg-byol300000W (static) $ end

PAYG FortiGate-VM cloudinit output

fgtasg-payg300000W # diag debug cloudinit show

>> Checking metadata source azure

>> Azure waiting for customdata file

>> Azure waiting for customdata file

>> Azure waiting for customdata file

>> Azure customdata file found

>> Azure cloudinit decrypt successfully

>> Fos-instance-id: aced11b0-5f15-4eb5-93ee-83614522c274

>> Cloudinit trying to get config script from https://xxxxxxxxxxfuncapp.azurewebsites.net/api/fgt-asg-handler

>> Cloudinit download config script successfully

>> Azure customdata processed successfully

>> Run config script

>> Finish running script

>> fgtasg-payg300000W $ config sys interface

>> fgtasg-payg300000W (interface) $ edit "port2"

>> fgtasg-payg300000W (port2) $ set mode dhcp

>> fgtasg-payg300000W (port2) $ set defaultgw disable

>> fgtasg-payg300000W (port2) $ set allowaccess ping https ssh http fgfm

>> fgtasg-payg300000W (port2) $ # work around for FortiOS 6.0.4 #0543036 mtu values from DNS interfere with HA checksum.

>> fgtasg-payg300000W (port2) $ set mtu-override enable

>> fgtasg-payg300000W (port2) $ set mtu 9001

>> fgtasg-payg300000W (port2) $ next

>> fgtasg-payg300000W (interface) $ end

>> fgtasg-payg300000W $ config system dns

>> fgtasg-payg300000W (dns) $ unset primary

>> fgtasg-payg300000W (dns) $ unset secondary

>> fgtasg-payg300000W (dns) $ end

>> fgtasg-payg300000W $ config system global

>> fgtasg-payg300000W (global) $ set admin-sport 8443

>> fgtasg-payg300000W (global) $ end

>> fgtasg-payg300000W $ config system auto-scale

>> fgtasg-payg300000W (auto-scale) $ set status enable

>> fgtasg-payg300000W (auto-scale) $ set sync-interface "port1"

>> fgtasg-payg300000W (auto-scale) $ set hb-interval 30

>> fgtasg-payg300000W (auto-scale) $ set role slave

>> fgtasg-payg300000W (auto-scale) $ set master-ip 10.0.0.5

>> fgtasg-payg300000W (auto-scale) $ set callback-url https://xxxxxxxxxxfuncapp.azurewebsites.net/api/fgt-asg-handler

>> fgtasg-payg300000W (auto-scale) $ set psksecret Fortinet123#

>> fgtasg-payg300000W (auto-scale) $ end

>> fgtasg-payg300000W $

>> fgtasg-payg300000W $

>> fgtasg-payg300000W $ config sys interface

>> fgtasg-payg300000W (interface) $ edit "port3"

>> fgtasg-payg300000W (port3) $ set mode dhcp

>> fgtasg-payg300000W (port3) $ set defaultgw disable

>> fgtasg-payg300000W (port3) $ set allowaccess ping https ssh fgfm

>> fgtasg-payg300000W (port3) $ next

>> fgtasg-payg300000W (interface) $ edit "port4"

>> fgtasg-payg300000W (port4) $ set mode dhcp

>> fgtasg-payg300000W (port4) $ set defaultgw disable

>> fgtasg-payg300000W (port4) $ set allowaccess ping https ssh fgfm

>> fgtasg-payg300000W (port4) $ next

>> fgtasg-payg300000W (interface) $ end

>> fgtasg-payg300000W $

>> fgtasg-payg300000W $ config router static

>> fgtasg-payg300000W (static) $ edit 1

>> fgtasg-payg300000W (1) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-payg300000W (1) $ set gateway 10.0.1.1

>> fgtasg-payg300000W (1) $ set priority 5

>> fgtasg-payg300000W (1) $ set device "port2"

>> fgtasg-payg300000W (1) $ next

>> fgtasg-payg300000W (static) $ edit 2

>> fgtasg-payg300000W (2) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-payg300000W (2) $ set gateway 10.0.2.1

>> fgtasg-payg300000W (2) $ set priority 5

>> fgtasg-payg300000W (2) $ set device "port3"

>> fgtasg-payg300000W (2) $ next

>> fgtasg-payg300000W (static) $ edit 3

>> fgtasg-payg300000W (3) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-payg300000W (3) $ set gateway 10.0.3.1

>> fgtasg-payg300000W (3) $ set priority 5

>> fgtasg-payg300000W (3) $ set device "port4"

>> fgtasg-payg300000W (3) $ next

>> fgtasg-payg300000W (static) $ edit 4

>> fgtasg-payg300000W (4) $ set dst 168.63.129.16 255.255.255.255

>> fgtasg-payg300000W (4) $ set gateway 10.0.0.1

>> fgtasg-payg300000W (4) $ set device "port1"

>> fgtasg-payg300000W (4) $ next

>> fgtasg-payg300000W (static) $ end
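
Both captures above print the auto-scale `psksecret` in clear text and show the `allowaccess` list applied to each port. The following is an added example, not Fortinet code: it parses `diag debug cloudinit show` output, redacts secret values before the capture is stored or shared, and reports interfaces where a cleartext management protocol was enabled. The function name `audit`, the `<redacted>` marker, and the inclusion of `password` as a secret key are assumptions made for this illustration.

```python
import re

# Constructed sample in the format of the captures above (abridged).
SAMPLE = """\
>> Run config script
>> fgtasg-byol300000W $ config sys interface
>> fgtasg-byol300000W (interface) $ edit "port2"
>> fgtasg-byol300000W (port2) $ set allowaccess ping https ssh http fgfm
>> fgtasg-byol300000W (port2) $ next
>> fgtasg-byol300000W (interface) $ edit "port3"
>> fgtasg-byol300000W (port3) $ set allowaccess ping https ssh fgfm
>> fgtasg-byol300000W (port3) $ next
>> fgtasg-byol300000W (interface) $ end
>> fgtasg-byol300000W $ config system auto-scale
>> fgtasg-byol300000W (auto-scale) $ set role master
>> fgtasg-byol300000W (auto-scale) $ set psksecret Fortinet123#
>> fgtasg-byol300000W (auto-scale) $ end
"""

# Echoed CLI line: ">> <hostname> [(context)] $ <command>"
LINE = re.compile(r"^>>\s+(\S+)\s+(?:\(([^)]*)\)\s+)?\$\s*(.*)$")
CLEARTEXT = {"http", "telnet"}           # management access without transport encryption
SECRET_KEYS = {"psksecret", "password"}  # psksecret is on the page; password is an assumption

def audit(text):
    """Return (redacted_text, findings) for cloudinit debug output."""
    out, findings, section, entry = [], [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        cmd = m.group(3).split() if m else []
        if cmd[:1] == ["config"]:
            section, entry = " ".join(cmd[1:]), None
        elif cmd[:1] == ["edit"] and len(cmd) > 1:
            entry = cmd[1].strip('"')
        elif cmd[:1] == ["next"]:
            entry = None
        elif cmd[:1] == ["end"]:
            section = entry = None
        elif cmd[:1] == ["set"] and len(cmd) > 2:
            key, values = cmd[1], cmd[2:]
            if key in SECRET_KEYS:
                findings.append((section, entry, key, "secret in output"))
                raw = raw[:m.start(3)] + f"set {key} <redacted>"
            elif key == "allowaccess":
                for proto in sorted(CLEARTEXT & set(values)):
                    findings.append((section, entry, key, f"{proto} enabled"))
        out.append(raw)
    return "\n".join(out), findings
```
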
