Have a Question?
< All Topics
Print

Initial Setup of FortiVM with CLI

Posted
Updated
ByYongKW

Tutorial on how to perform initial setup of FortiVM with CLI on VMware ESXi 6.7 Host

  1. Download FortiVM 6.4 OVA (FGT_VM64-v6-build1579-FORTINET.out.ovf.zip) from FortiGate Support Portal

15-days Evaluation license is included in the FortiVM with Low encryption – No HTTPS Administrative Access. Refer to this link for more information

  1. Select files highlighted when importing OVA to ESXi 6.7 Host

Initial Setup of FortiVM with CLI

  1. Power on the FortiVM and login with admin with BLANK PASSWORD.

Initial Setup of FortiVM with CLI

Initial Setup of FortiVM with CLI

Hostname & Time zone

Configure Hostname called FortiVM and Time zone = 57 (Malaysia)

config system global
    set admin-ssh-grace-time 600
    set alias "FortiVM"
    set hostname "FortiVM"
    set timezone 57
end

DNS and NTP Server

Configure DNS for NTP Server

config system dns
    set primary 1.1.1.1
    set secondary 8.8.8.8
end

Change the NTP Server if you do not want to use FortiGuard as the default NTP Server and disable FortiVM as NTP Server

config system ntp
   set type custom
   config ntpserver
        edit 1
            set server "time.windows.com"
        next
        end 
   set server-mode disable
   end

Initial Setup of FortiVM with CLI

WAN Interface

Configure Port1 as WAN Interface and allow management access

config system interface
    edit "port1"
        set mode static #Static IP
        set ip 192.168.1.240 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "WAN"
        set role wan
      end

LAN Interface

Configure Port2 as LAN Interface and allow management access

config system interface
    edit "port2"
        set mode static #Static IP
        set ip 10.10.8.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "LAN"
        set role lan
    end

Default Gateway

Configure default gateway (192.168.1.1) for Internet Access

config router static
    edit 1
        set gateway 192.168.1.1
        set device port1
    end

Firewall Rule for Internet Access

Create an object for LAN Segment (10.10.8.0/24)

config firewall address 
    edit Obj_LAN
        set subnet 10.10.8.0/24
    end

Create a Firewall Rule to allow LAN to WAN for full Internet Access

  • set nat enable – Enable SNAT to use WAN Interface for Interface Access
  • set logtraffic all – Log all traffics
config firewall policy
    edit 1
        set name LAN_to_WAN
        set srcintf port1
        set dstintf port2
        set srcaddr PROD_LAN
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set logtraffic all 
    end

Initial Setup of FortiVM with CLI

Users in Obj_LAN (10.10.8.0/24) should be able to access Internet via FortiVM now

Log File

show all logs with execute log display

FortiVM # execute log display
342 logs found.
10 logs returned.

1: date=2020-05-13 time=03:20:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1589311241100063499 tz="+0800" srcip=10.10.8.10 srcport=51622 srcintf="port2" srcintfrole="lan" dstip=1.1.1.1 dstport=53 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Australia" sessionid=4194 proto=17 action="accept" policyid=1 policytype="policy" poluuid="4c733fc8-947b-51ea-2c07-7473e32dcc3a" policyname="LAN_To_WAN" service="DNS" trandisp="snat" transip=192.168.1.240 transport=51622 duration=180 sentbyte=76 rcvdbyte=227 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:5c:e6:22" srcmac="00:0c:29:5c:e6:22" srcserver=0

Filter the log to show only traffics between Source IP = 10.10.8.10 and Destination IP = 1.9.63.69

FortiVM # execute log filter free-style "(srcip 10.10.8.10) and (dstip 1.9.63.69)"
FortiVM # execute log display
7 logs found.
7 logs returned.

1: date=2020-05-13 time=02:14:57 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1589307298180025719 tz="+0800" srcip=10.10.8.10 srcport=60006 srcintf="port2" srcintfrole="lan" dstip=1.9.63.69 dstport=443 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Malaysia" sessionid=1850 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="4c733fc8-947b-51ea-2c07-7473e32dcc3a" policyname="LAN_To_WAN" service="HTTPS" trandisp="snat" transip=192.168.1.240 transport=60006 duration=121 sentbyte=846 rcvdbyte=441 sentpkt=6 rcvdpkt=6 appcat="unscanned" srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:5c:e6:22" srcmac="00:0c:29:5c:e6:22" srcserver=0

Table of Contents
Scroll to Top