FortiGate VM on KVM running ARM processors 7.0.1

FortiGate VMs can be deployed on KVM hypervisors running ARM64 processors.

To deploy the FortiGate VM:
  1. Upload the qcow2 file to the hypervisor host.

  2. Open the Virtual Machine Manager and create a new virtual machine.

  3. Select Import existing disk image.

  4. Set the following in the Architecture options:

    • Virt Type: KVM

    • Architecture: aarch64

    • Machine Type: virt

  5. Click Forward.

  6. Enter the storage path, pointing to the uploaded qcow2 file.

  7. Set the OS type to Linux and Version to Ubuntu 18.04 LTS.

  8. Click Forward.

  9. Set the amount of memory and number of CPUs.

  10. Click Forward.

  11. Enter a name for the VM, select Customize configuration before install, and select a network.

  12. Click Finish.

  13. Click Add Hardware and add another NIC to connect to an internal, private network.

  14. Click Add Hardware again and add a bootstrap CDROM device with a VM license.

  15. Click Begin Installation to install the VM.

  16. Confirm the CPU and memory allocation, and the platform:

    # get system status
    Version: FortiGate-ARM64-KVM v7.0.0,build2292,201201 (interim)
    ...
    License Status: Valid
    License Expiration Date: 2021-11-07
    VM Resources: 2 CPU/32 allowed, 1997 MB RAM
    Log hard disk: Available
    Hostname: cloud-init-test
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Branch point: 2292
    Release Version Information: interim
    System time: Fri Dec  4 09:59:38 2020
  17. Confirm that the FortiCloud debug shows the correct platform flag:

    # diagnose test application forticldd 1
    System=FGT Platform=ARM64-KVM
    Management vdom: root, id=0,  ha=primary.
    acct_id=
    acct_st=Logged Out
    
    FortiGuard interface selection: method=auto specify=FortiGuard log: status=disabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
    
    Centra Management: type=NONE, flags=000000bf.
    
    active-tasks=0
    
    rpdb_ver=00000001 rpdb6_ver=00000001

To configure the VM:
  1. Configure the port1 and port2 interfaces:

    config system interface
        edit "port1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping https ssh fgfm
            set type physical
            set snmp-index 1
        next
        edit "port2"
            set vdom "root"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm radius-acct fabric ftm
            set type physical
            set snmp-index 2
        next
    end

    Port1 uses DHCP, as it is connected to the internet and has a DHCP gateway. Port2 is configured with a static IP.

  2. Configure a basic firewall policy with an antivirus profile and certificate inspection:

    config firewall policy
        edit 1
            set name "main"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set logtraffic all
            set nat enable
        next
    end

To test the FortiGate antivirus:
  1. Set the default route gateway on the client to the internal interface of the FortiGate:

    qa@ubuntu-arm64:~$ sudo ip link set dev enp2s0 up
    
    qa@ubuntu-arm64:~$ sudo ifconfig enp2s0 10.1.100.5 netmask 255.255.255.0
    qa@ubuntu-arm64:~$ ifconfig
    enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.1.100.5  netmask 255.255.255.0  broadcast 10.1.100.255
            inet6 fe80::5054:ff:febb:153b  prefixlen 64  scopeid 0x20<link>
            ether 52:54:00:bb:15:3b  txqueuelen 1000  (Ethernet)
            RX packets 1008  bytes 54119 (54.1 KB)
            RX errors 0  dropped 982  overruns 0  frame 0
            TX packets 32  bytes 4351 (4.3 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 3471721  bytes 246592197 (246.5 MB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3471721  bytes 246592197 (246.5 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    qa@ubuntu-arm64:~$ sudo ip route add default via 10.1.100.1
    qa@ubuntu-arm64:~$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=97 time=9.02 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 9.022/9.022/9.022/0.000 ms
  2. Attempt to download the EICAR test file to confirm that it is blocked:

    qa@ubuntu-arm64:~$ curl http://www.eicar.org/download/eicar.com
    <!DOCTYPE html>
    ... omitted ...
        <p>You are not permitted to download the file "eicar.com" because it is infected with the virus "EICAR_TEST_FILE".</p>
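The three confirmation steps above (the `get system status` build and license lines, the `forticldd` platform flag, and the EICAR block page) are easy to script so that a rebuilt or re-licensed VM can be re-validated in one pass. The following POSIX shell script is an added example, not part of Fortinet's documentation or FortiOS: the sample inputs are constructed from the outputs shown on this page, and the function names (`check_system_status`, `check_platform_flag`, `vcpu_count`, `eicar_blocked`, `run_checks`) are the example's own. In a lab you would replace the samples with output captured over SSH from the FortiGate and with the body returned by `curl` on the client.

```shell
#!/bin/sh
# Added example (not Fortinet's code): post-deployment checks for the
# ARM64 KVM FortiGate VM. Inputs below are constructed samples taken from
# the outputs shown on the page; capture live output with
#   get system status                      (FortiGate CLI)
#   diagnose test application forticldd 1  (FortiGate CLI)
#   curl -s http://www.eicar.org/download/eicar.com   (client)

# Constructed sample of `get system status` output.
STATUS_SAMPLE='Version: FortiGate-ARM64-KVM v7.0.0,build2292,201201 (interim)
License Status: Valid
License Expiration Date: 2021-11-07
VM Resources: 2 CPU/32 allowed, 1997 MB RAM'

# Constructed sample of `diagnose test application forticldd 1` output.
FORTICLDD_SAMPLE='System=FGT Platform=ARM64-KVM
Management vdom: root, id=0,  ha=primary.'

# Constructed sample of the block page the FortiGate returns for the EICAR file.
EICAR_SAMPLE='<!DOCTYPE html>
<p>You are not permitted to download the file "eicar.com" because it is infected with the virus "EICAR_TEST_FILE".</p>'

# Return 0 if the status output reports the ARM64-KVM build and a valid license.
check_system_status() {
    printf '%s\n' "$1" | grep -q '^Version: FortiGate-ARM64-KVM ' || return 1
    printf '%s\n' "$1" | grep -q '^License Status: Valid$'
}

# Return 0 if the FortiCloud daemon reports the ARM64-KVM platform flag.
check_platform_flag() {
    printf '%s\n' "$1" | grep -q 'Platform=ARM64-KVM'
}

# Print the number of vCPUs from the "VM Resources" line; prints nothing if absent.
vcpu_count() {
    printf '%s\n' "$1" | sed -n 's/^VM Resources: \([0-9]*\) CPU.*/\1/p'
}

# Return 0 if the response body is the antivirus block page for EICAR,
# i.e. the FortiGate replaced the download instead of delivering the file.
eicar_blocked() {
    printf '%s\n' "$1" | grep -q 'not permitted to download' || return 1
    printf '%s\n' "$1" | grep -q 'EICAR_TEST_FILE'
}

# Run every check; the first failure is reported and the function returns 1.
run_checks() {
    check_system_status "$STATUS_SAMPLE" || { echo "FAIL: build or license"; return 1; }
    check_platform_flag "$FORTICLDD_SAMPLE" || { echo "FAIL: platform flag"; return 1; }
    eicar_blocked "$EICAR_SAMPLE" || { echo "FAIL: EICAR download was not blocked"; return 1; }
    echo "OK: ARM64-KVM build, valid license, $(vcpu_count "$STATUS_SAMPLE") vCPU, AV block confirmed"
}

run_checks
```

Two points about the test itself: `eicar_blocked` checks for the block page rather than for a non-zero `curl` exit, because the FortiGate answers the request with an HTML replacement page and HTTP itself succeeds. And the page fetches the file over plain HTTP; the policy uses the `certificate-inspection` SSL/SSH profile, which does not decrypt the session, so an `https://` fetch of the same file would not exercise the antivirus profile and should not be used as the blocking test.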