Best practices

Checklist for deploying FortiSandbox on Azure:

Task: Creating a resource group

An Azure resource group is a container that holds related resources for an Azure solution.

Go to Azure Portal > Resource groups > Access control (IAM) > Role assignments. Verify the administrator has at minimum these Role assignments for this resource group:

  • Owner, scope = this resource

If you need to launch local custom VM clones, Access control should also grant the administrator these Role assignments:

  • Virtual Machine Contributor, scope = this resource
  • API Management Service Contributor, scope = this resource

Task: Creating network security groups

Go to Azure Portal > Network security groups.

  • Verify a security group is available for FortiSandbox firmware (Port1).
  • Verify the Resource group and the Region are the ones you created.
  • Optional: verify a security group is available for Port2 if local custom VM clones are used.

Task: Creating virtual networks and one default subnet

  • Go to Azure Portal > Virtual networks. Ensure the Resource group and the Region are the ones you created.
  • Go to Azure Portal > Virtual networks. Select the Virtual network you created. Under Subnets, ensure the default first subnet is for FortiSandbox firmware (Port1) and is associated with the security group for FortiSandbox Port1.

Task (optional): Creating multiple subnets in the virtual network

  • Verify the second subnet is available for the FortiSandbox custom VM (Port2) and the third subnet is available for FortiSandbox HA-Cluster mode (Port3).
  • Go to Azure Portal > Virtual networks. Select the Virtual network you created. Under Subnets, ensure the different subnets are associated with different network security groups if needed.

Task: Creating two storage accounts

Go to Azure Portal > Storage accounts.

  • The first storage account is for storing FortiSandbox images. The second storage account is for debugging.
  • Ensure the Resource group and the Region are the ones you created and the Redundancy is Geo-Redundant Storage (GRS).

Task (optional): Creating multiple FSA network interfaces

Go to Azure Portal > Network interfaces.

  • Ensure the different network interfaces for FortiSandbox are deployed in different subnets and associated with different security groups if needed.

Task (optional): Setting up App registrations for the client ID option of Azure Config on the FortiSandbox GUI

  • Go to Azure Portal > App registrations > App roles. Ensure the App roles allowed member types are Both (Users/Groups + Applications).
  • Go to Azure Portal > App registrations > Certificates & secrets > Client secret. Ensure the Expires date is still valid.
  • Go to Azure Portal > App registrations > API permissions. Ensure the minimum API permissions are as follows:
    • Azure Service Management: Delegated, Granted for FortiSandbox
    • Azure Storage: Delegated, Granted for FortiSandbox
    • Microsoft Graph: Files.ReadWrite, User.Read
    • App roles: the App roles you created, Granted for FortiSandbox
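As an added pre-flight check (not Fortinet's code or tooling), the Python below encodes the checklist above and reports which items fail before you deploy. The input dict shape, the 30-day secret-expiry warning window and the sample environment are assumptions; in practice the values would be pulled from the Azure portal or CLI and normalised into this shape.

```python
from datetime import datetime, timedelta, timezone
# Checklist items from the page, encoded as constants (added checker, not Fortinet code).
CUSTOM_VM_ROLES = {"Virtual Machine Contributor", "API Management Service Contributor"}
DELEGATED_APIS = {"Azure Service Management", "Azure Storage"}
GRAPH_PERMISSIONS = {"Files.ReadWrite", "User.Read"}

def check_deployment(env, custom_vm_clones=False, now=None):
    """Return the failed checklist items for `env` (assumed shape: see SAMPLE_ENV)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Role assignments on the resource group: Owner always, two more for custom VM clones.
    if "Owner" not in env["roles"]:
        findings.append("administrator lacks Owner on the resource group")
    if custom_vm_clones:
        for role in sorted(CUSTOM_VM_ROLES - env["roles"]):
            findings.append(f"custom VM clones need role: {role}")
    # Two storage accounts (images + debugging), in the chosen region, Geo-Redundant.
    if len(env["storage_accounts"]) < 2:
        findings.append("need two storage accounts (images and debugging)")
    for acct in env["storage_accounts"]:
        if acct["region"] != env["region"]:
            findings.append(f"storage account {acct['name']} is not in {env['region']}")
        if acct["redundancy"] != "GRS":
            findings.append(f"storage account {acct['name']} is not GRS")
    # Client secret must still be valid; also flag one lapsing within 30 days (assumed window).
    expires = datetime.fromisoformat(env["client_secret_expires"])
    if expires <= now:
        findings.append("client secret has expired")
    elif expires - now < timedelta(days=30):
        findings.append("client secret expires within 30 days")
    # Minimum API permissions: delegated with admin consent granted, plus the two Graph scopes.
    perms = {p["api"]: p for p in env["api_permissions"]}
    for api in sorted(DELEGATED_APIS):
        p = perms.get(api)
        if p is None or p["type"] != "Delegated" or not p["granted"]:
            findings.append(f"{api}: delegated permission missing or not granted")
    graph = perms.get("Microsoft Graph", {"permissions": []})
    for scope in sorted(GRAPH_PERMISSIONS - set(graph["permissions"])):
        findings.append(f"Microsoft Graph: missing {scope}")
    return findings

# Constructed sample: nearly ready, but the debug account is LRS and one clone role is missing.
SAMPLE_ENV = {
    "region": "eastus", "roles": {"Owner", "Virtual Machine Contributor"},
    "storage_accounts": [{"name": "fsaimages", "region": "eastus", "redundancy": "GRS"},
                         {"name": "fsadebug", "region": "eastus", "redundancy": "LRS"}],
    "client_secret_expires": "2030-01-01T00:00:00+00:00",
    "api_permissions": [{"api": a, "type": "Delegated", "granted": True, "permissions": p}
                        for a, p in [("Azure Service Management", []), ("Azure Storage", []),
                                     ("Microsoft Graph", ["Files.ReadWrite", "User.Read"])]],
}
```

Run `check_deployment(SAMPLE_ENV, custom_vm_clones=True)` to see the two findings the sample is built to trigger; an empty list means every item on the checklist passed.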
