tags: - fortigate - VM categories: - informational comments: true

date: 2021-12-26 00:00:00

DESCRIPTION

select product - fortigate select platform - KVM

latest version - 6.4.3 (2020-12-10)

New deployment of FortiGate for KVM

FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip (66.86 MB)

Evaliation - 15 days per install.

Install KVM - kernel virtual machine - software on Ubuntu

https://help.ubuntu.com/community/KVM/Installation

COMMANDS

cp FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip /tmp
cd /tmp
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
sudo mv fortios.qcow2 /var/lib/libvirt/images/

sudo virt-manager

File -> New Virtual Machine -> Install existing disk image (last option)

Select - /var/lib/libvirt/images/fortios.qcow2

Forward Forward (Memory/CPUs) - use defaults (see below)

Name - FGT_VM64_KVM-v6-build1778-FORTINET

Finish

Click the VM display and you should see a console.

Default login:

admin NOPASSWORD - enter

Set a password

Failure: setting up a management IP

config system interface
edit port1
set mode static
set ip 192.168.0.100 255.255.255.0
next
end

ERRORS

on ‘next’

Attribute 'vdom' MUST be set.
Command fail. Return code 1

Steps to avoid this error and get a management IP

Pitfalls: Undocumented

‘set vdom “root”’ - to avoid

Attribute 'vdom' MUST be set.
Command fail. Return code 1

‘set type aggregate’ to avoid

"Attribute 'interface' MUST be set.
Command fail. Return code 1"

config system interface
edit "port1"
    set vdom "root"
    set mode static
    set ip 192.168.0.100 255.255.255.0
    set allowaccess ping ssh http
    set type aggregate
next
end

Ensure the DNS servers are set to bogus values - the VM will attempt to reach fortinet and update

config system dns
set primary 192.168.0.66
set secondary 192.168.0.67
end

config router static
edit 1
    set gateway 192.168.0.1
    set device "port1"
next
end

Important notes:

Will fail if these settings are not correct
License is for 1 cpu and that memory limit when initializing the VM
No https management GUI (http only)

Documented

Memory 1024MB Single CPU

Undocumented

Ensure the libvirt-manager has the network interface set to ‘virtio’ for the VM

VDOM creation: Limited to split VDOM due to evaluation license

config system global
set vdom-mode multi-vdom
end

FortiGate-VM64-KVM # config system global

FortiGate-VM64-KVM (global) # set vdom-mode multi-vdom
multi-vdom mode cannot be enabled with the current vdom license.
node_check_object fail! for vdom-mode multi-vdom

value parse error before 'multi-vdom'
Command fail. Return code -651

Option to use in evaluation copy: Use split task VDOM

config system global
set vdom-mode split-vdom
end

Mesaage: ~~~ Some settings (e.g., firewall policy/object, security profile, wifi/switch controller, user, device, dashboard) in vdom “root” will be deleted, a split-task vdom “FG-traffic” will be created, and you will be logged out for the operation to take effect. Do you want to continue? (y/n) ~~~

This will cause you to log into the new split non-root VDOM and the ‘config system’ command set command set will not be available. (https://forum.fortinet.com/tm.aspx?m=180832)

ssh admin@192.168.1.1

config system global
8258: Unknown action 3
Command fail. Return code -1

VERIFICATION

References

https://docs.fortinet.com/document/fortigate/6.4.0/fortigate-virtualization -> virtualization https://docs.fortinet.com/vm -> External link to PDF https://docs.fortinet.com/vm/kvm/fortigate/6.4/kvm-cookbook/6.4.0/388201/deployment

Then initial settings and configuring Port1 https://docs.fortinet.com/vm/kvm/fortigate/6.4/kvm-cookbook/6.4.0/615472/configuring-port-1

https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/498634/using-the-cli

https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/575766/multi-vdom-configuration-examples https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/758820/split-task-vdom-mode