Administration Guide

Cloud-init

You can use cloud-init to preconfigure a FortiGate-VM instance before bootup using a text file. For example, you can include a license or configuration information in the cloud-init file, so that the license and configuration are already present on the FortiGate-VM after initialization. All FortiGate-VM public and private cloud platforms support cloud-init. You can provide the cloud-init file when initializing the FortiGate-VM through the GUI of your desired cloud platform.

When providing FortiOS configuration in the cloud-init text file, you can include a full backed-up FortiOS configuration or a partial configuration. For a partial configuration, provide the configuration in the form of CLI commands. The example in this topic includes a partial configuration that consists of the following CLI commands:

config system global
set hostname mimecheck
set admintimeout 480
end
config system admin
edit admin
set password 12345678
end

The following shows the content of an example cloud-init MIME file that includes the FortiGate-VM license and some configuration. The example omits most of the license file content for security purposes:

Content-Type: multipart/mixed; boundary="===============0740947994048919689=="
MIME-Version: 1.0

--===============0740947994048919689==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="config"

config system global
set hostname mimecheck
set admintimeout 480
end
config system admin
edit admin
set password 12345678
end

--===============0740947994048919689==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

-----BEGIN FGT VM LICENSE-----
QAAAAM9mmdw0/C5oquSAhgYYurEyOAeTChjuEt8NlvQZszsj6FMpzv9FFLl8DuV8
C7JSP1JqFSjTEeSLa/crtO84Df7gGQAAgZ3RwxjOeKPEgl4i4cQKpcECVcXM4hcb
...
uqoVJ7Nca1B4mZUE3v4BuO07fZZJCdO2
-----END FGT VM LICENSE-----

--===============0740947994048919689==--
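The MIME file above has the layout that Python's standard email package produces: a multipart/mixed container with one text/plain, 7bit attachment per part, named "config" and "license". The following added example (not Fortinet's code) builds such a file from the partial configuration shown in this topic and a constructed placeholder licence, parses it back by attachment name, and lists the config lines that carry a password literal, since a cloud-init file containing an admin password has to be protected like any other secret.

```python
"""Build and parse a FortiGate-VM cloud-init MIME file (added example).

The licence body is a constructed placeholder, not a real FortiGate licence.
"""
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample inputs: the partial configuration from this topic and
# a placeholder licence body in the same BEGIN/END framing.
CONFIG = """config system global
set hostname mimecheck
set admintimeout 480
end
config system admin
edit admin
set password 12345678
end
"""
LICENSE = """-----BEGIN FGT VM LICENSE-----
PLACEHOLDER-LICENSE-BODY
-----END FGT VM LICENSE-----
"""


def build_cloud_init(config: str, license_text: str) -> str:
    """Return the multipart/mixed text with a "config" and a "license" attachment."""
    outer = MIMEMultipart("mixed")
    for name, body in (("config", config), ("license", license_text)):
        part = MIMEText(body, "plain", "us-ascii")  # 7bit transfer encoding
        part.add_header("Content-Disposition", "attachment", filename=name)
        outer.attach(part)
    return outer.as_string()


def parse_cloud_init(mime_text: str) -> dict:
    """Map each attachment's filename to its decoded body text."""
    msg = message_from_string(mime_text)
    parts = {}
    for part in msg.walk():  # the outer container has no filename and is skipped
        if part.get_filename():
            parts[part.get_filename()] = part.get_payload(decode=True).decode("us-ascii")
    return parts


def plaintext_credentials(config: str) -> list:
    """Return the config lines that set a password literal in the clear."""
    return [ln.strip() for ln in config.splitlines() if re.match(r"\s*set password\s+\S+", ln)]


if __name__ == "__main__":
    text = build_cloud_init(CONFIG, LICENSE)
    print(text)
    print(plaintext_credentials(parse_cloud_init(text)["config"]))
```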

To debug the cloud-init configuration, use the diagnose debug cloud-init show command. The following shows example output for this command:

>> Checking metadata source config drive
>> Found config drive /dev/sr0
>> Successfully mount config drive
>> MIME parsed preconfig script
>> Found metadata source: config drive
>> Trying to install vmlicense ...
>> Run config script
>> FGVMULTM12345678 $
>> FGVMULTM12345678 $ config system global
>> FGVMULTM12345678 (global) $ set hostname vFGTvm00
>> FGVMULTM12345678 (global) $ end
>> vFGTvm00 $ config system admin
>> vFGTvm00 (admin) $ edit admin
>> vFGTvm00 (admin) $ set password 12345678
>> vFGTvm00 (admin) $ end
>> vFGTvm00 $
>> vFGTvm00 $ config system interface
>> vFGTvm00 (interface) $ edit port1
>> vFGTvm00 (port1) $ set mode static
>> vFGTvm00 (port1) $ set ip 10.6.30.169/24
>> vFGTvm00 (port1) $ set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response ftm
>> vFGTvm00 (port1) $ next
>> vFGTvm00 (interface) $ edit port2
>> vFGTvm00 (port2) $ set mode static
>> vFGTvm00 (port2) $ set ip 10.1.100.169/24
>> vFGTvm00 (port2) $ set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response ftm
>> vFGTvm00 (port2) $ next
>> vFGTvm00 (interface) $ edit port3
>> vFGTvm00 (port3) $ set mode static
>> vFGTvm00 (port3) $ set ip 172.16.200.169/24
>> vFGTvm00 (port3) $ set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response ftm
>> vFGTvm00 (port3) $ next
>> vFGTvm00 (interface) $ end
>> vFGTvm00 $
>> vFGTvm00 $ config firewall policy
>> vFGTvm00 (policy) $ edit 0
>> vFGTvm00 (0) $ set srcintf "port2"
>> vFGTvm00 (0) $ set dstintf "port3"
>> vFGTvm00 (0) $ set srcaddr "all"
>> vFGTvm00 (0) $ set dstaddr "all"
>> vFGTvm00 (0) $ set action accept
>> vFGTvm00 (0) $ set schedule "always"
>> vFGTvm00 (0) $ set service "ALL"
>> vFGTvm00 (0) $ set nat enable
>> vFGTvm00 (0) $ next
>> vFGTvm00 (policy) $ end
>> vFGTvm00 $
>> vFGTvm00 $ config router static
>> vFGTvm00 (static) $ edit 1
>> vFGTvm00 (1) $ set gateway 172.16.200.254
>> vFGTvm00 (1) $ set device "port3"
>> vFGTvm00 (1) $ next
>> The destination is set to 0.0.0.0/0 which means all IP addresses.
>> vFGTvm00 (static) $ end
>> vFGTvm00 $
>> Finish running config script