Initial setup of FortiVM with CLI

Steps to perform initial setup of FortiVM with CLI

  1. Download the FortiVM 6.0 OVA and import it into an ESXi 6.7 host

The FortiVM evaluation is valid for 14 days and does NOT support HTTPS and 3DES (for VPN).

  2. Power on the FortiVM and log in with the default username = admin (NO password)

  3. Configuration of hostname and timezone

config system global
    set alias "FortiGate-VM64"
    set hostname "FortiGate-VM64"
    set timezone 57 #Malaysia
    set admin-ssh-grace-time 600 #Max 600 s (10 min) between SSH connection and authentication (idle timeout is admintimeout)
end

  4. Set password for admin

config system admin
    edit admin  
        set password P@ssw0rd
    end

  5. Configure Port1 as LAN interface

config system interface
    edit "port1"
        set mode static #Static IP
        set ip 30.30.8.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "LAN"
        set role lan
    end

  6. Configure Port2 as WAN interface

config system interface
    edit "port2"
        set mode static #Static IP
        set ip 30.30.30.254 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set alias "WAN"
        set role wan
    end

  7. Configure Static Route

config router static
    edit 1
        set gateway 30.30.30.1
        set device port2
    end

  8. Set DNS Server

config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

  9. Create an object for Internal LAN

config firewall address 
    edit PROD_LAN
        set subnet 30.30.8.0 255.255.255.0
    end

  10. Set a Firewall Rule to allow LAN to WAN with full access

config firewall policy
    edit 1
        set name LAN_to_WAN
        set srcintf port1
        set dstintf port2
        set srcaddr PROD_LAN
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable 
    end 


Users in the LAN should now be able to access the Internet via the FortiVM.

Appendix

  1. Some useful commands to verify that the FortiVM is configured properly

#Useful commands
get system status #Check serial no, license, firmware installed
exec time #verify time is correct
exec date #verify date is correct
exec ping 30.30.30.1 #to verify can ping to gateway

  2. If SSH to the FortiVM fails with the following error message

ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits 

You have to enable SSHv1 for Admin Access

config sys global
  set admin-ssh-v1 enable
end

Log in using SSHv1 with DES

ssh -1 -c des admin@192.168.10.254
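
The interface steps above leave HTTP and SSH administration enabled on the WAN-role port, and the appendix turns on SSHv1; an offline check of a saved configuration catches both before the VM leaves the lab. This is an added example, not part of the original post or Fortinet tooling: the parse and audit helpers and the sample text are constructed here, and the parser assumes the flat config/edit/set layout shown on this page.

```python
import shlex

SAMPLE = '''
config system global
    set admin-ssh-v1 enable
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm
        set role lan
    next
    edit "port2"
        set allowaccess ping https ssh http fgfm #WAN side
        set role wan
    end
'''  # constructed sample built from the settings on this page

def parse(text):
    """Flat parser: {(section, entry): {key: [values]}}; nested config blocks not handled."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # unquotes names, drops inline '#' notes
        if not tok:
            continue
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] in ("next", "end"):  # 'end' inside an edit also closes the section
            section, entry = (None if tok[0] == "end" else section), None
        elif tok[0] == "set" and section:
            cfg.setdefault((section, entry), {})[tok[1]] = tok[2:]
    return cfg

def audit(cfg):  # flags management-plane exposure only
    findings = []
    if cfg.get(("system global", None), {}).get("admin-ssh-v1") == ["enable"]:
        findings.append("global: SSHv1 admin access enabled")
    for (section, name), s in cfg.items():
        if section != "system interface":
            continue
        access = set(s.get("allowaccess", []))
        if access & {"http", "telnet"}:
            findings.append(f"{name}: cleartext admin protocol in allowaccess")
        if s.get("role") == ["wan"] and access & {"http", "https", "ssh", "telnet"}:
            findings.append(f"{name}: admin access reachable on WAN-role interface")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```

Reducing port2 to "set allowaccess ping" and leaving admin-ssh-v1 disabled clears every finding except HTTP on the LAN port.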
