
OpenStack Administration Guide

Creating a user_data file to pre-configure FortiGate-VM instances

Creating a user_data file to pre-configure FortiGate-VM instances

The following example user_data file sets up a FortiGate-VM instance with a basic default configuration that you customize for your environment and requirements. This example configures interfaces, adds a DNS server, and adds two firewall policies that allow any traffic to pass in either direction between the port2 and port3 interfaces. These policies are intended to make HA failover easier to test.

In addition, the MTU of the port4 interface is set to be compatible with the OpenStack 10 environment, which, by default, has an MTU of 1446. (In the user_data file, the MTU of port4 is set to 1400.) Using an MTU setting that is compatible with the OpenStack 10 environment enables the HA heartbeat interfaces to communicate effectively over the ha-sync network.

See these pages for more information on Red Hat OpenStack networks and MTU values:

The following example user_data file could be used for fgt-vm-1. The user_data file for fgt-vm-2 would be the same except for the hostname.

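#FGT VM Config File
# Bootstrap configuration for fgt-vm-1. The file for fgt-vm-2 differs only in the hostname.
config sys global
    set hostname fgt-vm-1
end
# port1-port3 take their addresses from DHCP; only port1 keeps the DHCP-supplied default gateway.
# NOTE(review): allowaccess enables the plain-HTTP admin interface next to HTTPS. HTTP carries
# admin logins in cleartext, so once the instance is reachable over HTTPS consider removing
# "http" from allowaccess on every interface.
config system interface
    edit port1
        set mode dhcp
        set allowaccess http https ssh ping
    next
    edit port2
        set mode dhcp
        set defaultgw disable
        set allowaccess http https ssh ping
    next
    edit port3
        set mode dhcp
        set defaultgw disable
        set allowaccess http https ssh ping
    next
    # port4 carries the HA heartbeat over the ha-sync network; its MTU is forced to 1400 so it
    # stays within the OpenStack 10 default of 1446 and the heartbeat interfaces can communicate.
    edit port4
        set mtu-override enable
        set mtu 1400
    next
end
config system dns
    set primary 208.91.112.53
end
# Two deliberately permissive test policies, one per direction, used to exercise HA failover.
# Each accepts every service from any source to any destination with NAT enabled; replace them
# with policies scoped to the expected traffic before putting the instance into service.
# The names state the real direction (srcintf -> dstintf); the original file had them swapped.
config firewall policy
    edit 1
        set name "Allow port3 to port2"
        set dstintf "port2"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "Allow port2 to port3"
        set dstintf "port3"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Register with a FortiManager and point update/rating lookups at it instead of the default
# Fortinet servers. 10.210.8.25 is an address from this example environment; replace it with
# your own FortiManager before deploying.
config system central-management
    set include-default-servers disable
    set type fortimanager
    set fmg 10.210.8.25
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.210.8.25
        next
    end
end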

Creating a user_data file to pre-configure FortiGate-VM instances

Creating a user_data file to pre-configure FortiGate-VM instances

The following example user_data file sets up a FortiGate-VM instance with a basic default configuration that you customize for your environment and requirements. This example configures interfaces, adds a DNS server, and adds two firewall policies that allow any traffic to pass in either direction between the port2 and port3 interfaces. These policies are intended to make HA failover easier to test.

In addition, the MTU of the port4 interface is set to be compatible with the OpenStack 10 environment, which, by default, has an MTU of 1446. (In the user_data file, the MTU of port4 is set to 1400.) Using an MTU setting that is compatible with the OpenStack 10 environment enables the HA heartbeat interfaces to communicate effectively over the ha-sync network.

See these pages for more information on Red Hat OpenStack networks and MTU values:

The following example user_data file could be used for fgt-vm-1. The user_data file for fgt-vm-2 would be the same except for the hostname.

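#FGT VM Config File
# Bootstrap configuration for fgt-vm-1. The file for fgt-vm-2 differs only in the hostname.
config sys global
    set hostname fgt-vm-1
end
# port1-port3 take their addresses from DHCP; only port1 keeps the DHCP-supplied default gateway.
# NOTE(review): allowaccess enables the plain-HTTP admin interface next to HTTPS. HTTP carries
# admin logins in cleartext, so once the instance is reachable over HTTPS consider removing
# "http" from allowaccess on every interface.
config system interface
    edit port1
        set mode dhcp
        set allowaccess http https ssh ping
    next
    edit port2
        set mode dhcp
        set defaultgw disable
        set allowaccess http https ssh ping
    next
    edit port3
        set mode dhcp
        set defaultgw disable
        set allowaccess http https ssh ping
    next
    # port4 carries the HA heartbeat over the ha-sync network; its MTU is forced to 1400 so it
    # stays within the OpenStack 10 default of 1446 and the heartbeat interfaces can communicate.
    edit port4
        set mtu-override enable
        set mtu 1400
    next
end
config system dns
    set primary 208.91.112.53
end
# Two deliberately permissive test policies, one per direction, used to exercise HA failover.
# Each accepts every service from any source to any destination with NAT enabled; replace them
# with policies scoped to the expected traffic before putting the instance into service.
# The names state the real direction (srcintf -> dstintf); the original file had them swapped.
config firewall policy
    edit 1
        set name "Allow port3 to port2"
        set dstintf "port2"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "Allow port2 to port3"
        set dstintf "port3"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Register with a FortiManager and point update/rating lookups at it instead of the default
# Fortinet servers. 10.210.8.25 is an address from this example environment; replace it with
# your own FortiManager before deploying.
config system central-management
    set include-default-servers disable
    set type fortimanager
    set fmg 10.210.8.25
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.210.8.25
        next
    end
end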