Initial Setup of FortiVM with CLI
Tutorial on how to perform the initial setup of FortiVM with the CLI on a VMware ESXi 6.7 host
- Download the FortiVM 6.4 OVA (FGT_VM64-v6-build1579-FORTINET.out.ovf.zip) from the FortiGate Support Portal
A 15-day evaluation license is included with the FortiVM; it uses low-strength encryption, so HTTPS administrative access is not available. Refer to this link for more information
- Select the highlighted files when importing the OVA into the ESXi 6.7 host
- Power on the FortiVM and log in as admin with a BLANK PASSWORD.
Initial Setup of FortiVM with CLI
Hostname & Time zone
Configure the hostname FortiVM and the time zone 57 (Malaysia)
config system global
set admin-ssh-grace-time 600
set alias "FortiVM"
set hostname "FortiVM"
set timezone 57
end
DNS and NTP Server
Configure DNS servers (required so the NTP server name can be resolved)
config system dns
set primary 1.1.1.1
set secondary 8.8.8.8
end
Change the NTP server if you do not want to use FortiGuard (the default NTP server), and disable the FortiVM from acting as an NTP server itself
config system ntp
set type custom
config ntpserver
edit 1
set server "time.windows.com"
next
end
set server-mode disable
end
WAN Interface
Configure port1 as the WAN interface and allow management access
config system interface
edit "port1"
set mode static #Static IP
set ip 192.168.1.240 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "WAN"
set role wan
end
LAN Interface
Configure port2 as the LAN interface and allow management access
config system interface
edit "port2"
set mode static #Static IP
set ip 10.10.8.1 255.255.255.0
set allowaccess ping https ssh http fgfm
set alias "LAN"
set role lan
end
Default Gateway
Configure the default gateway (192.168.1.1) for Internet access
config router static
edit 1
set gateway 192.168.1.1
set device port1
end
Firewall Rule for Internet Access
Create an address object for the LAN segment (10.10.8.0/24)
config firewall address
edit Obj_LAN
set subnet 10.10.8.0/24
end
Create a firewall rule that allows LAN to WAN for full Internet access
- set nat enable – enable SNAT so that LAN traffic leaves with the WAN interface address
- set logtraffic all – log all traffic
config firewall policy
edit 1
set name LAN_to_WAN
set srcintf port2
set dstintf port1
set srcaddr Obj_LAN
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
set logtraffic all
end
Hosts in Obj_LAN (10.10.8.0/24) should now be able to reach the Internet through the FortiVM
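A LAN-to-WAN policy is easy to mistype: the source and destination interfaces get swapped, or srcaddr names an address object that was never created, and the CLI accepts both without complaint. The following Python script is an added example, not part of this tutorial or of FortiOS; it parses the config / edit / set / next / end grammar of the snippets above (the parser and the sample configuration text are constructed here, modelled on the tutorial's interface, address and policy sections) and checks that the policy really runs from the interface with role lan to the interface with role wan, references only defined address objects, and has NAT enabled.

```python
"""Parse a FortiOS-style CLI configuration fragment and sanity-check a
LAN-to-WAN firewall policy.  Added example, not code from the tutorial."""
import shlex

# Constructed configuration text modelled on the tutorial's snippets.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.240 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "WAN"
        set role wan
    next
    edit "port2"
        set mode static
        set ip 10.10.8.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "LAN"
        set role lan
    next
end
config firewall address
    edit Obj_LAN
        set subnet 10.10.8.0/24
    next
end
config firewall policy
    edit 1
        set name LAN_to_WAN
        set srcintf port2
        set dstintf port1
        set srcaddr Obj_LAN
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set logtraffic all
    next
end
"""

# The same text with the policy mistyped: interfaces swapped and a source
# address object that was never created (constructed to exercise the check).
MISTYPED_CONFIG = (SAMPLE_CONFIG
                   .replace("set srcintf port2", "set srcintf port1")
                   .replace("set dstintf port1", "set dstintf port2")
                   .replace("set srcaddr Obj_LAN", "set srcaddr PROD_LAN"))


def parse_fortios(text):
    """Return {table_path: {entry_id: {attr: [values]}}} for a config fragment.

    Handles only the subset used in the tutorial: 'config <path>',
    'edit <id>', 'set <attr> <values...>', 'next' and 'end'.  A table nested
    inside another (e.g. 'config ntpserver' under 'config system ntp') is
    stored under 'system ntp/ntpserver'; settings made directly in a table
    without 'edit' are stored under the entry key None.
    """
    tables = {}
    stack = []  # each element is a mutable [table_path, current_entry_id]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops blank lines and # comments
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = " ".join(args)
            if stack:
                path = stack[-1][0] + "/" + path
            tables.setdefault(path, {})
            stack.append([path, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":  # 'end' inside an entry saves it and leaves the table
            stack.pop()
    return tables


def check_lan_to_wan_policy(tables, policy_id):
    """Return a list of problems for one policy; an empty list means it looks right."""
    problems = []
    interfaces = tables.get("system interface", {})
    addresses = set(tables.get("firewall address", {})) | {"all"}  # 'all' is built in
    policy = tables["firewall policy"][policy_id]

    def role(iface):
        return interfaces.get(iface, {}).get("role", ["undefined"])[0]

    src = policy.get("srcintf", [""])[0]
    dst = policy.get("dstintf", [""])[0]
    if role(src) != "lan" or role(dst) != "wan":
        problems.append(f"srcintf {src} has role {role(src)} and dstintf {dst} "
                        f"has role {role(dst)}; expected lan -> wan")
    for attr in ("srcaddr", "dstaddr"):
        for name in policy.get(attr, []):
            if name not in addresses:
                problems.append(f"{attr} references undefined address object {name!r}")
    if policy.get("nat", ["disable"])[0] != "enable":
        problems.append("nat is not enabled; LAN hosts would leave with private source addresses")
    return problems


if __name__ == "__main__":
    for label, cfg in (("tutorial policy", SAMPLE_CONFIG), ("mistyped policy", MISTYPED_CONFIG)):
        print(label, "->", check_lan_to_wan_policy(parse_fortios(cfg), "1") or "OK")
```

Run the script directly to see the correct policy pass and the mistyped one reported with two findings. The parser is deliberately small; paste any further config sections from the tutorial into SAMPLE_CONFIG and they will be available under their table path for additional checks.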
Log File
Show all logs with execute log display
FortiVM # execute log display
342 logs found.
10 logs returned.
1: date=2020-05-13 time=03:20:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1589311241100063499 tz="+0800" srcip=10.10.8.10 srcport=51622 srcintf="port2" srcintfrole="lan" dstip=1.1.1.1 dstport=53 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Australia" sessionid=4194 proto=17 action="accept" policyid=1 policytype="policy" poluuid="4c733fc8-947b-51ea-2c07-7473e32dcc3a" policyname="LAN_To_WAN" service="DNS" trandisp="snat" transip=192.168.1.240 transport=51622 duration=180 sentbyte=76 rcvdbyte=227 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:5c:e6:22" srcmac="00:0c:29:5c:e6:22" srcserver=0
Filter the log to show only traffic between source IP 10.10.8.10 and destination IP 1.9.63.69
FortiVM # execute log filter free-style "(srcip 10.10.8.10) and (dstip 1.9.63.69)"
FortiVM # execute log display
7 logs found.
7 logs returned.
1: date=2020-05-13 time=02:14:57 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1589307298180025719 tz="+0800" srcip=10.10.8.10 srcport=60006 srcintf="port2" srcintfrole="lan" dstip=1.9.63.69 dstport=443 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Malaysia" sessionid=1850 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="4c733fc8-947b-51ea-2c07-7473e32dcc3a" policyname="LAN_To_WAN" service="HTTPS" trandisp="snat" transip=192.168.1.240 transport=60006 duration=121 sentbyte=846 rcvdbyte=441 sentpkt=6 rcvdpkt=6 appcat="unscanned" srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:5c:e6:22" srcmac="00:0c:29:5c:e6:22" srcserver=0
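Once traffic logs leave the FortiVM for a syslog collector, the same filtering has to be done off-box. The Python script below is an added example, not part of the tutorial or of FortiOS: it parses the key=value record format shown above into dictionaries, applies the equivalent of the CLI's free-style srcip/dstip filter, converts the nanosecond eventtime field to local time using the tz field, and totals bytes per session so that a server-rst or deny stands out from the accepted sessions. The two sample records are the ones printed by execute log display above, with the leading index number stripped; the function names and the summary layout are assumptions of this example.

```python
"""Parse FortiOS traffic log records and filter them off-box.
Added example, not code from the tutorial."""
import re
from datetime import datetime, timedelta, timezone

# Sample records taken from the tutorial's 'execute log display' output
# (the "1: " index the CLI prints has been removed).
SAMPLE_LOGS = [
    'date=2020-05-13 time=03:20:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1589311241100063499 tz="+0800" srcip=10.10.8.10 srcport=51622 srcintf="port2" srcintfrole="lan" dstip=1.1.1.1 dstport=53 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Australia" sessionid=4194 proto=17 action="accept" policyid=1 policytype="policy" poluuid="4c733fc8-947b-51ea-2c07-7473e32dcc3a" policyname="LAN_To_WAN" service="DNS" trandisp="snat" transip=192.168.1.240 transport=51622 duration=180 sentbyte=76 rcvdbyte=227 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:5c:e6:22" srcmac="00:0c:29:5c:e6:22" srcserver=0',
    'date=2020-05-13 time=02:14:57 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1589307298180025719 tz="+0800" srcip=10.10.8.10 srcport=60006 srcintf="port2" srcintfrole="lan" dstip=1.9.63.69 dstport=443 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Malaysia" sessionid=1850 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="4c733fc8-947b-51ea-2c07-7473e32dcc3a" policyname="LAN_To_WAN" service="HTTPS" trandisp="snat" transip=192.168.1.240 transport=60006 duration=121 sentbyte=846 rcvdbyte=441 sentpkt=6 rcvdpkt=6 appcat="unscanned" srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:5c:e6:22" srcmac="00:0c:29:5c:e6:22" srcserver=0',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one FortiOS key=value log record into a dict of strings."""
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def filter_logs(records, **criteria):
    """Keep records whose fields equal every given criterion.

    filter_logs(recs, srcip="10.10.8.10", dstip="1.9.63.69") mirrors the CLI's
    free-style filter "(srcip 10.10.8.10) and (dstip 1.9.63.69)".
    """
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def event_datetime(record):
    """Convert the nanosecond 'eventtime' field to an aware datetime in the
    offset given by 'tz' (e.g. "+0800")."""
    seconds = int(record["eventtime"]) // 1_000_000_000
    tz = record["tz"]
    sign = -1 if tz.startswith("-") else 1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])) * sign
    return datetime.fromtimestamp(seconds, tz=timezone(offset))


def session_summary(records):
    """Totals of bytes sent/received and the set of actions seen, keyed by
    (srcip, dstip, dstport), so resets or denies stand out from accepts."""
    summary = {}
    for r in records:
        key = (r["srcip"], r["dstip"], r["dstport"])
        s = summary.setdefault(key, {"sentbyte": 0, "rcvdbyte": 0, "actions": set()})
        s["sentbyte"] += int(r["sentbyte"])
        s["rcvdbyte"] += int(r["rcvdbyte"])
        s["actions"].add(r["action"])
    return summary


RECORDS = [parse_log_line(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    for r in filter_logs(RECORDS, srcip="10.10.8.10", dstip="1.9.63.69"):
        print(event_datetime(r).isoformat(), r["service"], r["action"])
    for key, s in session_summary(RECORDS).items():
        print(key, s["sentbyte"], "sent,", s["rcvdbyte"], "rcvd,", sorted(s["actions"]))
```

Note that eventtime is an epoch value in nanoseconds and, converted with the record's own tz offset, lands within a second of the date and time fields; comparing the two is a cheap sanity check when logs from several devices with different clock settings are merged.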