Fortinet white logo
Fortinet white logo
4.4.0

Set up a local custom Windows VM

Set up a local custom Windows VM

Create a custom VM for GCP

To create a custom Windows VM for GCP, follow the steps in Custom VM Guide which can be found in the Fortinet Developer Network or is available from Customer Support upon request.

Upload the custom VM disk file to a GCP bucket

To upload the VM disk file:
  1. Go to Cloud Storage > Buckets.
  2. Select an existing bucket or create a new one, and upload the VM virtual disk file.

Note

GCP supports VMDK and VHD image formats.

Create a custom VM image using the virtual disk file

To create a custom image:
  1. Go to Compute Engine > Storage > Images and click CREATE IMAGE.

  2. Configure the image then click CREATE.

    Name Enter a name for the image.
    SourceSelect the source from the dropdown.

    Virtual disk file

    Click Browse to upload the disk file.

    OS licenseSelect the license key type.

  3. When the operation is successful, refresh the Compute Engine > Storage > Images page. The new GCP custom image file should be listed.

    This process may take more than 20 minutes.

Set up a Sole-tenant node group for running the Custom VM

To set up a sole-tenant node group:
  1. Go to Compute Engine > Sole-tenant nodes and click CREATE NODE GROUP.

  2. Complete the required steps in the wizard as is in the example below.

  3. Validate the CUSTOM VM IMAGE and NODE GROUP by setting up an instance using the Custom VM Image and Sole-tenant node Group

    To check the validity of the CUSTOM VM IMAGE and NODE GROUP, you can try to set up an instance using the Custom VM Image and Sole-tenant node Group.

    Boot Disk: Select the Custom VM Image

    Sole-tenancy > Node affinity labels: Select the node group that just created

    Example: compute.googleapis.com/node-group-name:IN:custom-vm-group

Configure the Network Interface of Port2

The FortiSandbox instance uses port2 to communicate with local Windows or Linux clones. If you need to use a local Custom VM on FortiSandbox, you need to ensure that there are at least two NICs when creating the FortiSandbox instance, which belongs to two different VPC subnets. The subnet where Port2 is located can be a private network. If it needs to connect to the Internet when performing scanning jobs, you will also need to configure the corresponding Cloud NAT Gateway and Cloud Router for it.

After the FortiSandbox instance is created, start the instance and go to System > Interfaces to verify the network interface is attached and the IP address is set as desired.

Import GCP settings into FortiSandbox

To import the GCP settings into FortiSandbox:
  1. Go to System > GCP Config page, click Configure, and enter the required information.

    Key

    Copy and paste the JSON access key you created for FortiSandbox. For information, see Generate GCP access key for FortiSandbox.

    Node Affinities

    Sole-tenant node Group Node affinity label.

    Formatcompute.googleapis.com/node-group-name:IN:<Node Group Name>

    Examplecompute.googleapis.com/node-group-name:IN:custom-vm-group

    Instance Type

    Any instance type consistent with the selected node group, refer to GCP documentation.

    Example: n2-standard-2

    Allow Hot-Standby VM

    Disable/Enable the toggle.

    Specify whether the Custom VM clone stays up in the no-scan task state. See Reduce scan time in custom Windows VM

  2. Click Test Connection to verify the configuration is valid and GCP is accessible with current key.

  3. Click Submit to save the current configuration.

Install the custom VM using the CLI

After the custom VM image is created, it should be installed on FortiSandbox with the CLI. For details of using FortiSandbox CLI, see Access FortiSandbox CLI.

Note

Do not use the set admin-port command to set port2 as the administrative port.

To install and enable a custom VM on GCP:
  1. Go to the FortiSandbox firmware CLI.
  2. Import the GCP Custom VM image using the CLI command vm-customized.

    For more information about the vm-customized command, see the FortiSandbox CLI Reference Guide in the Fortinet Document Library.

    CLI Command Usage: vm-customized -cn -vo<OS type> -vn< VM name > -i<GCP Custom VM Image Name>

    Example

    vm-customized -cn -voWindows10_64 -vngcpwin10v2 -iwin10gcp-image-v2

  3. In the FortiSandbox GUI, go to Scan Policy and Object > VM Settings and change Clone # to 1 or higher, the click Apply.

  4. VM initialization.

    Once the initialization process is done, you should be able to see the clone instance listed in the GCP VM instances list. The Custom VM is activated and loaded on FortiSandbox GUI.

    Note

    This process may take up to ten minutes to complete.

  5. In the FortiSandbox GUI, go to the Dashboard to verify there is a green check mark beside the Windows VM.

  6. To associate file extensions to the custom VM, go to Scan Policy and Object > Scan Profile to the VM Association tab.

Set up a local custom Windows VM

Set up a local custom Windows VM

Create a custom VM for GCP

To create a custom Windows VM for GCP, follow the steps in Custom VM Guide which can be found in the Fortinet Developer Network or is available from Customer Support upon request.

Upload the custom VM disk file to a GCP bucket

To upload the VM disk file:
  1. Go to Cloud Storage > Buckets.
  2. Select an existing bucket or create a new one, and upload the VM virtual disk file.

Note

GCP supports VMDK and VHD image formats.

Create a custom VM image using the virtual disk file

To create a custom image:
  1. Go to Compute Engine > Storage > Images and click CREATE IMAGE.

  2. Configure the image then click CREATE.

    Name Enter a name for the image.
    SourceSelect the source from the dropdown.

    Virtual disk file

    Click Browse to upload the disk file.

    OS licenseSelect the license key type.

  3. When the operation is successful, refresh the Compute Engine > Storage > Images page. The new GCP custom image file should be listed.

    This process may take more than 20 minutes.

Set up a Sole-tenant node group for running the Custom VM

To set up a sole-tenant node group:
  1. Go to Compute Engine > Sole-tenant nodes and click CREATE NODE GROUP.

  2. Complete the required steps in the wizard as is in the example below.

  3. Validate the CUSTOM VM IMAGE and NODE GROUP by setting up an instance using the Custom VM Image and Sole-tenant node Group

    To check the validity of the CUSTOM VM IMAGE and NODE GROUP, you can try to set up an instance using the Custom VM Image and Sole-tenant node Group.

    Boot Disk: Select the Custom VM Image

    Sole-tenancy > Node affinity labels: Select the node group that just created

    Example: compute.googleapis.com/node-group-name:IN:custom-vm-group

Configure the Network Interface of Port2

The FortiSandbox instance uses port2 to communicate with local Windows or Linux clones. If you need to use a local Custom VM on FortiSandbox, you need to ensure that there are at least two NICs when creating the FortiSandbox instance, which belongs to two different VPC subnets. The subnet where Port2 is located can be a private network. If it needs to connect to the Internet when performing scanning jobs, you will also need to configure the corresponding Cloud NAT Gateway and Cloud Router for it.

After the FortiSandbox instance is created, start the instance and go to System > Interfaces to verify the network interface is attached and the IP address is set as desired.

Import GCP settings into FortiSandbox

To import the GCP settings into FortiSandbox:
  1. Go to System > GCP Config page, click Configure, and enter the required information.

    Key

    Copy and paste the JSON access key you created for FortiSandbox. For information, see Generate GCP access key for FortiSandbox.

    Node Affinities

    Sole-tenant node Group Node affinity label.

    Formatcompute.googleapis.com/node-group-name:IN:<Node Group Name>

    Examplecompute.googleapis.com/node-group-name:IN:custom-vm-group

    Instance Type

    Any instance type consistent with the selected node group, refer to GCP documentation.

    Example: n2-standard-2

    Allow Hot-Standby VM

    Disable/Enable the toggle.

    Specify whether the Custom VM clone stays up in the no-scan task state. See Reduce scan time in custom Windows VM

  2. Click Test Connection to verify the configuration is valid and GCP is accessible with current key.

  3. Click Submit to save the current configuration.

Install the custom VM using the CLI

After the custom VM image is created, it should be installed on FortiSandbox with the CLI. For details of using FortiSandbox CLI, see Access FortiSandbox CLI.

Note

Do not use the set admin-port command to set port2 as the administrative port.

To install and enable a custom VM on GCP:
  1. Go to the FortiSandbox firmware CLI.
  2. Import the GCP Custom VM image using the CLI command vm-customized.

    For more information about the vm-customized command, see the FortiSandbox CLI Reference Guide in the Fortinet Document Library.

    CLI Command Usage: vm-customized -cn -vo<OS type> -vn< VM name > -i<GCP Custom VM Image Name>

    Example

    vm-customized -cn -voWindows10_64 -vngcpwin10v2 -iwin10gcp-image-v2

  3. In the FortiSandbox GUI, go to Scan Policy and Object > VM Settings and change Clone # to 1 or higher, the click Apply.

  4. VM initialization.

    Once the initialization process is done, you should be able to see the clone instance listed in the GCP VM instances list. The Custom VM is activated and loaded on FortiSandbox GUI.

    Note

    This process may take up to ten minutes to complete.

  5. In the FortiSandbox GUI, go to the Dashboard to verify there is a green check mark beside the Windows VM.

  6. To associate file extensions to the custom VM, go to Scan Policy and Object > Scan Profile to the VM Association tab.