Submit Search

FortiGate VM

This chapter describes new FortiGate VM features added to FortiOS 5.4.

FortiGate VM cloud-init integration (300398)

Cloud-init is a set of pythons scripts and utilities commonly used for multi-distribution of VMs into cloud environments.

With cloud-init integration, when users launch a new instance of Fortigate VM, they can:

Upload a license to a FGT-VM
Provide initial management configuration, e.g. IP, default gateway, DNS
Set port configuration mode (DHCP or static)
Provision initial firewall policies

Cloud-init documentation can be found at https://cloudinit.readthedocs.io/en/latest/

Allow VM tools (VMWare platform) to set network settings for FortiGate VMS (292248)

Changes have been made to the firmware to mitigate the following issues:

FGVM does not allow IP configuration during deployment.
The use of multiple OVF files for different network adapter types is redundant.
The sequence of interfaces is not kept in consistent with network adapters in VM settings.

These issues are corrected by the following changes:

During deployment, the user will be prompted for an IP allocation policy (when using the new vApp OVF file). Static/DHCP can be selected for each port. Gateway can be configured for port1. Hostname, as well as primary/secondary DNS address, can be configured.
During deployment, the user will be able to select either E1000 virtual network adapter or VMXNET3 ones (when using the new vApp OVF file).
The new process keeps FGTVM's interface in the same sequence as the order shown in VM settings.
There is an added CLI command "diag vmware show-ovfenv" to print out the whole OVF environment.

All additional features during deployment are only available when FGTVM is deployed through vCenter as a vApp.

FGTVM interface sequence is determined with the following logic (and priority):
If OVF environment is available, the sequence present in the OVF environment will be used. (This is the preferred case. As the sequence can kept consistent with VM settings, regardless of whether adapters are removed/added, or mixed types of adapters are used.)
If the first network adapter is VMXNET3, FGTVM will use a dynamic mapping of interface, according to the total number of network adapters present. (This assumes all the network adapters are VMXNET3.)
If the above conditions do not qualify, FGTVM will use a static mapping of interface, which assumes every network adapter is E1000
Even when a fixed IP allocation policy is selected during deployment, DHCP might be enabled on port1. This happens when the interface IP is set to 0.0.0.0 on port1. Unfortunately, OVF environment is unable to provide which IP allocation policy has been selected. Rather, it is only able to give a set of IP/netmask on each of the interfaces.
Configuration is applied AFTER IP allocation policy. This means, IP allocation policy works as default settings of interface, and is ignored when any existing configuration presents on a certain interface.

FortiKVM removed from most FortiGates (366859)

The FortiKVM feature that allowed a virtual instance of FortiGate on a FortiGate device is no longer part of FortiOS for most models. With few exceptions, this feature is being moved to FortiHypervisor, a specialised appliance with resources optimized for the purpose.

FortiKVM support added to select models (282335)

FortiKVM functionality is now available on the following models:

FGT1500D
FGT3700D
FGT3700DX
FGT3810D

Interface assignment CLI:

config system vm

edit 0

set name vm1

config interface

edit 1

set name vnic1

set device [physical | vlan | softswitch]

mode [bridge | passthrough]

end

[device]: can assign physical, VLAN, or softwitch type host interface to this attribute.

[mode]: this attribute is available only when device is assigned physical type interface, bridge mode means several vNIC can share this interface, when packet arrives, host will lookup vNIC by dst mac address, in passthrough mode, host will send all packets to the vNIC, only one vNIC can use the physical interface in passthrough mode.

FGT-VM VMX (v2) (306438)

FortiGate-VM VMX version 2 allows for automated deployment of virtual FortiGate instances running FortiOS 5.4.1 in a specific VMWare SDN environment. For more details read the Release Notes and Admin Guides for FortiGate-VM VMX.

FortiOS On-Demand (308130)

New VM platform to support a consumption based FOS VM pricing model.FortiOS On-Demand supports VMWare hypervisor, and Openstack KVM hypervisor platforms.

These platforms have three interfaces only: mgmt, port1, and port2.
port1 and port2 are used for metering, and is reported to a FortiManager via the updated process.
The FortiManager is configured externally via Vapp for VMware or user-data in KVM.
FortiGuard updates and webfiltering servers will initially point to the FortiManager.
The FortiManager will authorize the FOSVM instance. If not authorized the vdom is disabled.

Changes to FG-VM00 Min/Max Values (246780,372030)

The maximum memory virtual memory has changed from 1 to 1.5 GB.
The maximum number of VDOMs has changed from 1 to 2.

Integrate VMtools Into FortiGate-VM for VMware (248842)

The following VMtools sub set of features has been integrated into the FortiGate-VM for VMWare images:

Start
Stop
Reboot
IP state in vCenter

VM License Check Time Extension (262494)

VM license check time has been extended to 30 days, with daily warning notifications and a counter.

FortiGate VM Single Root I/O Virtualization (SR-IOV) support (275432)

SR-IOV is a specification that allows a PCIe device to be treated as multiple separate PCIe devices.This feature will enable better performance with Intel based servers across multiple VM platforms, including Citrix and AWS. In fact, AWS has optimized some instance types to take advantage of this feature.

You can reset FortiGate VMs to factory defaults without deleting the VM license (280471)

New command , execute factoryreset keepvmlicense, resets FortiGate VMs to factory defaults without deleting the VM license.