FortiGate VM on KVM running ARM processors 7.0.1
FortiGate VMs can be deployed on KVM hypervisors running ARM64 processors.
To deploy the FortiGate VM:
- Upload the qcow2 file to the hypervisor host.
- Open the Virtual Machine Manager and create a new virtual machine.
- Select Import existing disk image.
- Set the following in the Architecture options:
  - Virt Type: KVM
  - Architecture: aarch64
  - Machine Type: virt
- Click Forward.
- Enter the storage path, pointing to the uploaded qcow2 file.
- Set the OS type to Linux and Version to Ubuntu 18.04 LTS.
- Click Forward.
- Set the amount of memory and number of CPUs.
- Click Forward.
- Enter a name for the VM, select Customize configuration before install, and select a network.
- Click Finish.
- Click Add Hardware and add another NIC to connect to an internal, private network.
- Click Add Hardware again and add a bootstrap CDROM device with a VM license.
- Click Begin Installation to install the VM.
- Confirm the CPU and memory allocation, and the platform:
    # get system status
    Version: FortiGate-ARM64-KVM v7.0.0,build2292,201201 (interim)
    ...
    License Status: Valid
    License Expiration Date: 2021-11-07
    VM Resources: 2 CPU/32 allowed, 1997 MB RAM
    Log hard disk: Available
    Hostname: cloud-init-test
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Branch point: 2292
    Release Version Information: interim
    System time: Fri Dec 4 09:59:38 2020
- Confirm that the FortiCloud debug shows the correct platform flag:
    # diagnose test application forticldd 1
    System=FGT Platform=ARM64-KVM
    Management vdom: root, id=0, ha=primary.
    acct_id= acct_st=Logged Out
    FortiGuard interface selection: method=auto specify=
    FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
    Centra Management: type=NONE, flags=000000bf.
    active-tasks=0
    rpdb_ver=00000001 rpdb6_ver=00000001
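As an added example (not Fortinet's code), the following Python script parses the two outputs above and reports whether the build, platform flag, license state and resource allocation are what an ARM64/KVM deployment should show. The sample outputs are constructed from the values on this page, and the CPU and RAM thresholds are assumed.

```python
"""Post-deployment checks for a FortiGate-VM on KVM/ARM64 (added example).
Parses `get system status` and `diagnose test application forticldd 1`
output and confirms platform, license state and VM resources."""
import re

# Constructed sample of `get system status`, abridged from the values on this page
SYSTEM_STATUS = """\
Version: FortiGate-ARM64-KVM v7.0.0,build2292,201201 (interim)
License Status: Valid
License Expiration Date: 2021-11-07
VM Resources: 2 CPU/32 allowed, 1997 MB RAM
Hostname: cloud-init-test
"""

# Constructed sample of `diagnose test application forticldd 1`, abridged
FORTICLDD_STATUS = """\
System=FGT Platform=ARM64-KVM
Management vdom: root, id=0, ha=primary.
acct_id= acct_st=Logged Out
"""

def parse_colon_fields(text):
    """Turn 'Key: value' lines into a dict; the first colon splits key and value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_vm_resources(value):
    """Parse 'N CPU/M allowed, X MB RAM' into (cpus, allowed_cpus, ram_mb)."""
    m = re.match(r"(\d+) CPU/(\d+) allowed, (\d+) MB RAM", value)
    if not m:
        raise ValueError("unexpected VM Resources format: %r" % value)
    return tuple(int(x) for x in m.groups())

def check_deployment(status_text, forticldd_text, min_cpus=2, min_ram_mb=1024):
    """Return {check: bool}; the min_cpus/min_ram_mb thresholds are assumptions."""
    status = parse_colon_fields(status_text)
    cpus, allowed, ram_mb = parse_vm_resources(status.get("VM Resources", ""))
    platform = re.search(r"Platform=(\S+)", forticldd_text)
    return {
        "arm64_kvm_build": status.get("Version", "").startswith("FortiGate-ARM64-KVM"),
        "license_valid": status.get("License Status") == "Valid",
        "cpu_within_license": min_cpus <= cpus <= allowed,
        "ram_sufficient": ram_mb >= min_ram_mb,
        "platform_flag": platform is not None and platform.group(1) == "ARM64-KVM",
    }
```

Feed it the real output captured over SSH or the console; any False entry points at the deployment step that needs revisiting.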
To configure the VM:
- Configure the port1 and port2 interfaces:
    config system interface
        edit "port1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping https ssh fgfm
            set type physical
            set snmp-index 1
        next
        edit "port2"
            set vdom "root"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm radius-acct fabric ftm
            set type physical
            set snmp-index 2
        next
    end
  Port1 uses DHCP because it is connected to the internet-facing network, which provides a DHCP gateway. Port2 is configured with a static IP.
- Configure a basic firewall policy with an antivirus profile and certificate inspection:
    config firewall policy
        edit 1
            set name "main"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set logtraffic all
            set nat enable
        next
    end
To test the FortiGate antivirus:
- Set the default route gateway on the client to the internal interface of the FortiGate:
    qa@ubuntu-arm64:~$ sudo ip link set dev enp2s0 up
    qa@ubuntu-arm64:~$ sudo ifconfig enp2s0 10.1.100.5 netmask 255.255.255.0
    qa@ubuntu-arm64:~$ ifconfig
    enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.1.100.5  netmask 255.255.255.0  broadcast 10.1.100.255
            inet6 fe80::5054:ff:febb:153b  prefixlen 64  scopeid 0x20<link>
            ether 52:54:00:bb:15:3b  txqueuelen 1000  (Ethernet)
            RX packets 1008  bytes 54119 (54.1 KB)
            RX errors 0  dropped 982  overruns 0  frame 0
            TX packets 32  bytes 4351 (4.3 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 3471721  bytes 246592197 (246.5 MB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3471721  bytes 246592197 (246.5 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    qa@ubuntu-arm64:~$ sudo ip route add default via 10.1.100.1
    qa@ubuntu-arm64:~$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=97 time=9.02 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 9.022/9.022/9.022/0.000 ms
- Attempt to download the EICAR test file to confirm that it is blocked:
    qa@ubuntu-arm64:~$ curl http://www.eicar.org/download/eicar.com
    <!DOCTYPE html>
    ... omitted ...
    <p>You are not permitted to download the file "eicar.com" because it is infected with the virus "EICAR_TEST_FILE".</p>