Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiPAM 1.4.1 Administration Guide
    1.4.1
    1.4.1
    1.4.0
    1.3.0
    1.2.0
    1.1.2
    1.1.1
    1.1.0
    1.0.3
    1.0.2
    1.0.1
    1.0.0

    Appendix K: Installation on GCP

    Appendix K: Installation on GCP

    FortiPAM installation on GCP and initial setup:

    1. Creating a cloud storage bucket on GCP
    2. Adding the FortiPAM image file to the storage bucket
    3. Creating a FortiPAM image on GCP
    4. Creating VM instance from the image
    5. Licensing
    6. Static interface IP address
    7. Setting up HA
    8. Enabling vTPM

    Creating a cloud storage bucket on GCP

    To create a cloud storage bucket on GCP:
    1. From the navigation pane, go to Cloud Storage > Bucket.

      The Buckets window opens.

    2. Select +CREATE/CREATE BUCKET to create a new storage bucket.

    3. In Name, enter a name for the storage bucket, and click CONTINUE.
    4. In Choose where to store your data, select Multi-region, from the dropdown select a location, and click CONTINUE.
    5. In Choose a storage class for your data, keep the default settings, and click CONTINUE.
    6. In Choose how to control access to objects, keep the default settings, and click CONTINUE.
    7. In Choose how to protect object data, keep the default settings, and click CONTINUE.
    8. Select Create.

      The storage bucket is created.

    Adding the FortiPAM image file to the storage bucket

    To add the FortiPAM image file to the storage bucket:
    1. From the navigation pane, go to Cloud Storage > Bucket.
    2. In the Buckets window, click the name of the storage bucket created in Creating a cloud storage bucket on GCP to open it.

    3. Select UPLOAD FILES, locate the FortiPAM image file from your management computer, and click Open.

      The FortiPAM image file is successfully uploaded to the storage bucket.

    Creating a FortiPAM image on GCP

    If you want to use vTPM, see Enabling vTPM to create an image.
    To create a FortiPAM image on GCP:
    1. From the navigation pane, go to Compute Engine > Storage > Images.

      The Images window opens.

    2. In the Images window, select Create Image, and click CONTINUE.

      The Create an image window opens.

    3. In Name, enter a name for the image.
    4. In the Source dropdown, select Cloud Storage file.
    5. Select BROWSE, from the Select object pane that opens, go to the FortiPAM image file, and click SELECT.

      The image source must have .tar.gz as its extension and the file in it must be named disk.raw.

    6. Ensure that the Location is set to Multi-regional.
    7. Leave the rest of the settings in the default state.

    8. Click CREATE.

      The new FortiPAM image is now listed at the top in the Images window.

    Creating VM instance from the image

    To create VM instance from the image:
    1. From the navigation pane, go to Compute Engine > VM instances.

      The VM instances window opens.

    2. Select CREATE INSTANCE.

      The Create an instance window opens.

    3. In Name, enter a name for the VM instance.
    4. From the Region dropdown, select a region where the resource is located.
    5. From the Zone dropdown, select a zone within the region where the resource is located.
    6. In Machine configuration, select a machine type for deployment.
    7. In Boot disk, select CHANGE:
      1. Switch to the CUSTOM IMAGES tab.
      2. From the Image dropdown, select the image created in Creating a FortiPAM image on GCP.
      3. Click SELECT.

    8. Leave the following settings in the default state:

      • ADVANCED CONFIGURATIONS

      • Display device

      • Confidential VM service

      • Container

      • Identity and API access

      • Firewall

      • Observability - Ops Agent

    9. Expand Advanced options > Networking:
      1. In Network interfaces, ensure that a network interface with a subnetwork is selected.

      2. In Network interfaces, add another network if the FortiPAM will be used in an HA cluster.

    10. Expand Advanced options > Disks:

      We create two disks; one for storing logs and the other for storing videos.

      1. Select +ADD NEW DISK.

        The Add new disk pane opens.

      2. In Name, enter a name for the disk.
      3. In Size, enter 10 (in GB) to add a new volume for the log.
      4. Leave the remaining settings in the default state.
      5. Click Save.
      6. Repeat steps a to e to add a new volume for storing videos.

    11. Click CREATE.
    12. From the VM instance list, click the name of the VM instance you created.

      The instance page opens.

    13. Select EDIT and in Remote access, select Enable connecting to serial ports.

    14. Click SAVE.
    15. In the instance page, select CONNECT TO SERIAL CONSOLE.

      The SSH serial console opens.

    16. Use admin as the username and the Instance Id to log in for the first time.

    Licensing

    To successfully license FortiPAM:
    1. Download the license file (.lic), see Registering and downloading your license.
    2. Upload the license file from the public IP address using SCP, see Uploading the license file using SCP.
    3. FortiPAM reboots. After a few minutes, the license status changes to valid.

      You can check the license status using the following CLI command:

       get system status

    Static interface IP address

    You must use a static IP address if you intend to form an HA cluster.

    To find out the static IP addresses that GCP has assigned to the interfaces:
    1. From the navigation pane, go to Compute Engine > VM instances.
    2. From the VM instances list, click the name of the VM instance you created.
    3. In the Network interfaces pane, you see the static IP addresses assigned to the interfaces used in Creating VM instance from the image.

      Note down the IP addresses.

    To configure port1, change mode from DHCP to static and set the IP address:

    You can skip this step if FortiPAM is in standalone mode.

    1. In the FortiPAM CLI console, enter the following commands: 
       config system interface 
  edit port1
   set mode static #by default set as dhcp		
   set ip 10.110.0.3/32 #set to the IP address assigned by GCP 
  next
 end

      When upgrading a FortiPAM instance, use the following CLI command to enable synchronizing the virtual IP address to the IP address of the external interface:

      Example

       config firewall vip
  set intf-ip-sync enable
  set extintf "port1" #The interface connected to the source network that receives the packets forwarded to the destination network.
 end

      When installing a new FortiPAM instance, the synchronization happens automatically.

    To configure a static route if the interface is configured as static mode:
    1. In the FortiPAM CLI console, enter the following commands: 
       config router static
  edit 1
   set device port1
   set gateway 10.110.0.1
  next
 end
    To verify access to the public network:
    1. Optionally, in the FortiPAM CLI console, enter the following command:
       execute ping update.fortiguard.net

      You should receive an echo reply packet similar to the following:

      2. Optionally, to encrypt disk to protect logs and videos, see Configuring log and video disk encryption.
    Optional- To customize VIP if default VIP is not preferred:
    1. In the FortiPAM CLI console, enter the following commands: 
       config firewall vip 
  edit "fortipam_vip"
   set extip 10.110.0.3 #external visible virtual IP address
  next
 end

    You can now use your FortiPAM-VM deployed on GCP.

    On a web browser, go to https://<Public IP> to access the FortiPAM-VM GUI. This is the same IP address set up above.

    Setting up HA

    Prerequisites

    To deploy and configure FortiPAM as an Active-Passive HA solution, you need the following:

    • Availability to accommodate the required GCP resources:

      • Four network/subnets

        • Ensure that the two FortiPAM devices have connectivity to each other on each network.

        • Appropriate ingress/egress firewall rules for relevant networks (same as a single FortiPAM-VM deployment).

      • Three public (external) IP addresses:

        • One for traffic to/through the active (primary) FortiPAM. At the event of failover, this IP address will move from the primary FortiPAM to the secondary. This must be a static external IP address. It should be reserved/created before creating FortiPAM instances, or promote an ephemeral IP to a static one after deployment. See Reserving a Static External IP Address.

        • Two for management access to each FortiPAM. They can be ephemeral IP address, but static ones are highly recommended. See IP Addresses.

      • All internal IP addresses must be static, not DHCP. You should change ephemeral IP addresses to static ones after deployment. See Reserving a Static Internal IP Address.

      • Two FortiPAM-VM instances:

        • The two nodes must be deployed in the same region/zone.

        • Each FortiPAM-VM must have at least four network interfaces.

        • Each FortiPAM-VM should have a log disk attached. Log disks should be created before deploying FortiPAM instances. This is the same requirement as when deploying a single FortiPAM-VM.

        • Machine types that support at least four network interfaces. Creating Instances with Multiple Network Interfaces.

        • Two valid FortiPAM-VM BYOL licenses. See Licensing.

      • You must configure an SDN connector with GCP on the primary FortiPAM:

         config system sdn-connector
  edit "gcp_conn"
  set type gcp
  set ha-status enable
  config external-ip
   edit "reserve-fpamhapublic"
   next
  end
  config route
   edit "route-internal"
   next
  end
  next
 end
    To set up a FortiPAM HA cluster:
    1. To form an HA cluster, deploy two FortiPAM-VMs separately by following 1 - 6 in FortiPAM installation on GCP and initial setup.
    2. As shown in Static interface IP address, note down the external IP addresses assigned to nic0 for each FortiPAM. These are then used in step 3.
    3. Connect to the primary FortiPAM external IP address using SSH, then enter the following CLI commands: 
       config system ha
  set group-name <choose a group name for the cluster>
  set mode active-passive
  set password <your-ha-password>
  set hbdev "port3" 100
  set ha-mgmt-status enable
  config ha-mgmt-interfaces
   edit 1
    set interface "port4"
    set gateway <ip address of MGMT network intrinsic router>
   next
  end
  set override enable
  set priority 255
  set unicast-status enable
  set unicast-gateway 10.4.100.254
  config unicast-peers
   edit 1
    set peer-ip 10.4.100.12
   next
  end
end
config system sdn-connector
 edit "gcp_conn"
 set type gcp
 set ha-status enable
 config external-ip
  edit "reserve-fpamhapublic"
  next
 end
 config route
  edit "route-internal"
  next
 end
 next
end
    4. On the primary FortiPAM, enter the following CLI commands so that the interface IP address or the firewall VIP is not synchronized: 
       config system vdom-exception  
  edit 1
   set object system.interface
  next
  edit 2
   set object firewall.vip
  next
 end

      This configuration is automatically synchronized once the secondary has been configured.

    Enabling vTPM

    To enable vTPM:
    1. Add the FortiPAM image file to the storage bucket. See Adding the FortiPAM image file to the storage bucket.
    2. From the top-right, select Activate Cloud Shell.

      The CLOUD SHELL Terminal opens.

    3. In the terminal, use the following commands to create a FortiPAM image:
       gcloud compute --project={project-name} images create gcp-fpa-{buildnum}-shielded --source-uri=https://storage.googleapis.com/{Bucket-name}/image.out.gcp.tar.gz --guest-os-features=UEFI_COMPATIBLE,GVNIC

      For example:

       gcloud compute --project=fpam-gcp-documentation images create fpam-gcp-120-ga-shielded --source-uri=https://storage.googleapis.com/fortipam-bucket/FPA_KVM_GCP-v100-build0697-FORTINET.out.gcp.tar.gz --guest-os-features=UEFI_COMPATIBLE,GVNIC

      A new image is created in Compute Engine > Storage > Images.

    4. Create the FortiPAM VM using the image created in step 3. See Creating VM instance from the image.

      When creating the VM, in Advanced options > Security, ensure that Turn on vTPM and Turn on Integrity Monitoring is enabled.

    5. Once the VM is ready, in the SSH serial console, enter the following commands to verify that vTPM is enabled:
       diagnose tpm selftest

      The following message appears if vTPM was successfully set up:

      Successfully tested. Works as expected.

    Previous
    Next

    Appendix K: Installation on GCP

    Appendix K: Installation on GCP

    FortiPAM installation on GCP and initial setup:

    1. Creating a cloud storage bucket on GCP
    2. Adding the FortiPAM image file to the storage bucket
    3. Creating a FortiPAM image on GCP
    4. Creating VM instance from the image
    5. Licensing
    6. Static interface IP address
    7. Setting up HA
    8. Enabling vTPM

    Creating a cloud storage bucket on GCP

    To create a cloud storage bucket on GCP:
    1. From the navigation pane, go to Cloud Storage > Bucket.

      The Buckets window opens.

    2. Select +CREATE/CREATE BUCKET to create a new storage bucket.

    3. In Name, enter a name for the storage bucket, and click CONTINUE.
    4. In Choose where to store your data, select Multi-region, from the dropdown select a location, and click CONTINUE.
    5. In Choose a storage class for your data, keep the default settings, and click CONTINUE.
    6. In Choose how to control access to objects, keep the default settings, and click CONTINUE.
    7. In Choose how to protect object data, keep the default settings, and click CONTINUE.
    8. Select Create.

      The storage bucket is created.

    Adding the FortiPAM image file to the storage bucket

    To add the FortiPAM image file to the storage bucket:
    1. From the navigation pane, go to Cloud Storage > Bucket.
    2. In the Buckets window, click the name of the storage bucket created in Creating a cloud storage bucket on GCP to open it.

    3. Select UPLOAD FILES, locate the FortiPAM image file from your management computer, and click Open.

      The FortiPAM image file is successfully uploaded to the storage bucket.

    Creating a FortiPAM image on GCP

    If you want to use vTPM, see Enabling vTPM to create an image.
    To create a FortiPAM image on GCP:
    1. From the navigation pane, go to Compute Engine > Storage > Images.

      The Images window opens.

    2. In the Images window, select Create Image, and click CONTINUE.

      The Create an image window opens.

    3. In Name, enter a name for the image.
    4. In the Source dropdown, select Cloud Storage file.
    5. Select BROWSE, from the Select object pane that opens, go to the FortiPAM image file, and click SELECT.

      The image source must have .tar.gz as its extension and the file in it must be named disk.raw.

    6. Ensure that the Location is set to Multi-regional.
    7. Leave the rest of the settings in the default state.

    8. Click CREATE.

      The new FortiPAM image is now listed at the top in the Images window.

    Creating VM instance from the image

    To create VM instance from the image:
    1. From the navigation pane, go to Compute Engine > VM instances.

      The VM instances window opens.

    2. Select CREATE INSTANCE.

      The Create an instance window opens.

    3. In Name, enter a name for the VM instance.
    4. From the Region dropdown, select a region where the resource is located.
    5. From the Zone dropdown, select a zone within the region where the resource is located.
    6. In Machine configuration, select a machine type for deployment.
    7. In Boot disk, select CHANGE:
      1. Switch to the CUSTOM IMAGES tab.
      2. From the Image dropdown, select the image created in Creating a FortiPAM image on GCP.
      3. Click SELECT.

    8. Leave the following settings in the default state:

      • ADVANCED CONFIGURATIONS

      • Display device

      • Confidential VM service

      • Container

      • Identity and API access

      • Firewall

      • Observability - Ops Agent

    9. Expand Advanced options > Networking:
      1. In Network interfaces, ensure that a network interface with a subnetwork is selected.

      2. In Network interfaces, add another network if the FortiPAM will be used in an HA cluster.

    10. Expand Advanced options > Disks:

      We create two disks; one for storing logs and the other for storing videos.

      1. Select +ADD NEW DISK.

        The Add new disk pane opens.

      2. In Name, enter a name for the disk.
      3. In Size, enter 10 (in GB) to add a new volume for the log.
      4. Leave the remaining settings in the default state.
      5. Click Save.
      6. Repeat steps a to e to add a new volume for storing videos.

    11. Click CREATE.
    12. From the VM instance list, click the name of the VM instance you created.

      The instance page opens.

    13. Select EDIT and in Remote access, select Enable connecting to serial ports.

    14. Click SAVE.
    15. In the instance page, select CONNECT TO SERIAL CONSOLE.

      The SSH serial console opens.

    16. Use admin as the username and the Instance Id to log in for the first time.

    Licensing

    To successfully license FortiPAM:
    1. Download the license file (.lic), see Registering and downloading your license.
    2. Upload the license file from the public IP address using SCP, see Uploading the license file using SCP.
    3. FortiPAM reboots. After a few minutes, the license status changes to valid.

      You can check the license status using the following CLI command:

       get system status

    Static interface IP address

    You must use a static IP address if you intend to form an HA cluster.

    To find out the static IP addresses that GCP has assigned to the interfaces:
    1. From the navigation pane, go to Compute Engine > VM instances.
    2. From the VM instances list, click the name of the VM instance you created.
    3. In the Network interfaces pane, you see the static IP addresses assigned to the interfaces used in Creating VM instance from the image.

      Note down the IP addresses.

    To configure port1, change mode from DHCP to static and set the IP address:

    You can skip this step if FortiPAM is in standalone mode.

    1. In the FortiPAM CLI console, enter the following commands: 
       config system interface 
  edit port1
   set mode static #by default set as dhcp		
   set ip 10.110.0.3/32 #set to the IP address assigned by GCP 
  next
 end

      When upgrading a FortiPAM instance, use the following CLI command to enable synchronizing the virtual IP address to the IP address of the external interface:

      Example

       config firewall vip
  set intf-ip-sync enable
  set extintf "port1" #The interface connected to the source network that receives the packets forwarded to the destination network.
 end

      When installing a new FortiPAM instance, the synchronization happens automatically.

    To configure a static route if the interface is configured as static mode:
    1. In the FortiPAM CLI console, enter the following commands: 
       config router static
  edit 1
   set device port1
   set gateway 10.110.0.1
  next
 end
    To verify access to the public network:
    1. Optionally, in the FortiPAM CLI console, enter the following command:
       execute ping update.fortiguard.net

      You should receive an echo reply packet similar to the following:

      2. Optionally, to encrypt disk to protect logs and videos, see Configuring log and video disk encryption.
    Optional- To customize VIP if default VIP is not preferred:
    1. In the FortiPAM CLI console, enter the following commands: 
       config firewall vip 
  edit "fortipam_vip"
   set extip 10.110.0.3 #external visible virtual IP address
  next
 end

    You can now use your FortiPAM-VM deployed on GCP.

    On a web browser, go to https://<Public IP> to access the FortiPAM-VM GUI. This is the same IP address set up above.

    Setting up HA

    Prerequisites

    To deploy and configure FortiPAM as an Active-Passive HA solution, you need the following:

    • Availability to accommodate the required GCP resources:

      • Four network/subnets

        • Ensure that the two FortiPAM devices have connectivity to each other on each network.

        • Appropriate ingress/egress firewall rules for relevant networks (same as a single FortiPAM-VM deployment).

      • Three public (external) IP addresses:

        • One for traffic to/through the active (primary) FortiPAM. At the event of failover, this IP address will move from the primary FortiPAM to the secondary. This must be a static external IP address. It should be reserved/created before creating FortiPAM instances, or promote an ephemeral IP to a static one after deployment. See Reserving a Static External IP Address.

        • Two for management access to each FortiPAM. They can be ephemeral IP address, but static ones are highly recommended. See IP Addresses.

      • All internal IP addresses must be static, not DHCP. You should change ephemeral IP addresses to static ones after deployment. See Reserving a Static Internal IP Address.

      • Two FortiPAM-VM instances:

        • The two nodes must be deployed in the same region/zone.

        • Each FortiPAM-VM must have at least four network interfaces.

        • Each FortiPAM-VM should have a log disk attached. Log disks should be created before deploying FortiPAM instances. This is the same requirement as when deploying a single FortiPAM-VM.

        • Machine types that support at least four network interfaces. Creating Instances with Multiple Network Interfaces.

        • Two valid FortiPAM-VM BYOL licenses. See Licensing.

      • You must configure an SDN connector with GCP on the primary FortiPAM:

         config system sdn-connector
  edit "gcp_conn"
  set type gcp
  set ha-status enable
  config external-ip
   edit "reserve-fpamhapublic"
   next
  end
  config route
   edit "route-internal"
   next
  end
  next
 end
    To set up a FortiPAM HA cluster:
    1. To form an HA cluster, deploy two FortiPAM-VMs separately by following 1 - 6 in FortiPAM installation on GCP and initial setup.
    2. As shown in Static interface IP address, note down the external IP addresses assigned to nic0 for each FortiPAM. These are then used in step 3.
    3. Connect to the primary FortiPAM external IP address using SSH, then enter the following CLI commands: 
       config system ha
  set group-name <choose a group name for the cluster>
  set mode active-passive
  set password <your-ha-password>
  set hbdev "port3" 100
  set ha-mgmt-status enable
  config ha-mgmt-interfaces
   edit 1
    set interface "port4"
    set gateway <ip address of MGMT network intrinsic router>
   next
  end
  set override enable
  set priority 255
  set unicast-status enable
  set unicast-gateway 10.4.100.254
  config unicast-peers
   edit 1
    set peer-ip 10.4.100.12
   next
  end
end
config system sdn-connector
 edit "gcp_conn"
 set type gcp
 set ha-status enable
 config external-ip
  edit "reserve-fpamhapublic"
  next
 end
 config route
  edit "route-internal"
  next
 end
 next
end
    4. On the primary FortiPAM, enter the following CLI commands so that the interface IP address or the firewall VIP is not synchronized: 
       config system vdom-exception  
  edit 1
   set object system.interface
  next
  edit 2
   set object firewall.vip
  next
 end

      This configuration is automatically synchronized once the secondary has been configured.

    Enabling vTPM

    To enable vTPM:
    1. Add the FortiPAM image file to the storage bucket. See Adding the FortiPAM image file to the storage bucket.
    2. From the top-right, select Activate Cloud Shell.

      The CLOUD SHELL Terminal opens.

    3. In the terminal, use the following commands to create a FortiPAM image:
       gcloud compute --project={project-name} images create gcp-fpa-{buildnum}-shielded --source-uri=https://storage.googleapis.com/{Bucket-name}/image.out.gcp.tar.gz --guest-os-features=UEFI_COMPATIBLE,GVNIC

      For example:

       gcloud compute --project=fpam-gcp-documentation images create fpam-gcp-120-ga-shielded --source-uri=https://storage.googleapis.com/fortipam-bucket/FPA_KVM_GCP-v100-build0697-FORTINET.out.gcp.tar.gz --guest-os-features=UEFI_COMPATIBLE,GVNIC

      A new image is created in Compute Engine > Storage > Images.

    4. Create the FortiPAM VM using the image created in step 3. See Creating VM instance from the image.

      When creating the VM, in Advanced options > Security, ensure that Turn on vTPM and Turn on Integrity Monitoring is enabled.

    5. Once the VM is ready, in the SSH serial console, enter the following commands to verify that vTPM is enabled:
       diagnose tpm selftest

      The following message appears if vTPM was successfully set up:

      Successfully tested. Works as expected.

    Previous
    Next