
Configure Azure Config Settings

Starting in FortiSandbox Version 5.0.0, FortiSandbox only supports importing Azure settings using the Service Principal method. The Azure settings are the credentials issued by Microsoft that FortiSandbox uses to log into the Azure portal, control the Virtual Machines, and enable communication between network interfaces.

In FortiSandbox Azure, some features require operations on the Azure portal. These include:

  • HA failover with cluster IP transferred to new Primary.

  • Import/install/activate/delete/startup/shutdown/communicate Customized VMs for Non-Nested mode

Configure Guest VM Running mode

The Guest VM Running mode can be switched between Nested and Non-Nested mode.

To switch between Nested and Non-Nested mode:

  1. Go to System > Azure Config.

  2. The switch button shows the current status:

     [Screenshot: Guest VM Running mode switch button, showing the Nested or Non-Nested state]

     The green button indicates the current mode.

  3. Before switching, make sure your FortiSandbox meets the requirements.

  4. Switching requirements:

     Non-Nested > Nested:

       • Port3 Interface: must exist

       • Local VM: there is no local VM

       • Unit Type: Standalone

     Nested > Non-Nested:

       • Local VM: the clone number of the local VM must be 0

       • Unit Type: Standalone

  5. Click the white button to trigger the switching of the Guest VM Running mode.

  6. If all conditions are met, answer OK to the confirmation question. The mode is switched and the system reboots.

  7. After switching, the local VMs are deleted.
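The switching requirements above are easy to get wrong on a unit that is part of a cluster or still carries clones, and the switch is destructive (reboot, local VMs deleted). The following is an added example, not FortiSandbox code: a small Python pre-flight check that encodes the requirements for each direction and summarises the consequences before an operator confirms. The UnitState structure and its field names are assumptions for the illustration; FortiSandbox exposes no such object.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    NESTED = "Nested"
    NON_NESTED = "Non-Nested"


@dataclass
class UnitState:
    """Snapshot of the unit before the switch (hypothetical structure, not a FortiSandbox API)."""
    mode: Mode
    port3_exists: bool          # whether a port3 interface is attached
    local_vm_count: int         # number of local (custom) VMs installed
    local_vm_clone_count: int   # number of clones of the local VM
    unit_type: str              # "Standalone" or a cluster role such as "Primary"


def switch_blockers(state: UnitState, target: Mode) -> list[str]:
    """Return the unmet requirements for switching to `target`; an empty list means OK."""
    if state.mode == target:
        return [f"unit is already in {target.value} mode"]
    problems = []
    # Both directions require a standalone unit.
    if state.unit_type != "Standalone":
        problems.append(f"unit type must be Standalone, got {state.unit_type}")
    if target is Mode.NESTED:
        # Non-Nested > Nested: port3 must exist and there must be no local VM.
        if not state.port3_exists:
            problems.append("port3 interface must exist")
        if state.local_vm_count != 0:
            problems.append(f"no local VM may exist, found {state.local_vm_count}")
    else:
        # Nested > Non-Nested: the clone number of the local VM must be 0.
        if state.local_vm_clone_count != 0:
            problems.append(f"local VM clone count must be 0, found {state.local_vm_clone_count}")
    return problems


def plan_switch(state: UnitState, target: Mode) -> dict:
    """Summarise what the switch will do so an operator can review it before answering OK."""
    blockers = switch_blockers(state, target)
    return {
        "allowed": not blockers,
        "blockers": blockers,
        # Consequences stated in the procedure: the system reboots and local VMs are deleted.
        "reboots": not blockers,
        "local_vms_deleted": not blockers,
    }


if __name__ == "__main__":
    # Constructed sample: a standalone Non-Nested unit with port3 and no local VM.
    ready = UnitState(Mode.NON_NESTED, True, 0, 0, "Standalone")
    print(plan_switch(ready, Mode.NESTED))
    # Constructed sample: a Nested cluster primary that still has clones.
    busy = UnitState(Mode.NESTED, True, 1, 2, "Primary")
    print(plan_switch(busy, Mode.NON_NESTED))
```

Running it reports the first sample as allowed (with the reboot and VM deletion flagged) and the second as blocked twice: the unit is not standalone and the clone count is not 0.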

Create an App registration in Azure Portal

This task is only required when the FortiSandbox instance is using the Service Principal method to communicate with the Azure platform.

To create an App registration:

  1. Log in to the Azure portal.

  2. Go to Azure Active Directory > App registrations and click New registration.

  3. Register a new application:

     Name: Enter the application display name.

     Supported account types: Select Accounts in this organizational directory only (Default Directory only – Single tenant).

     Redirect URI: This section is optional.

  4. Go to Manage > App Roles.

  5. Click Create app role and configure the following settings:

     Display name: Enter the display name for the app role.

     Allowed member types: Select Both (Users/Groups + Applications).

  6. Go to Manage > Certificates & secrets and click New client secret.

  7. Go to API permissions. As a minimum requirement, grant the following API permissions.

     For the Azure Service Management and Azure Storage items:

     Azure Service Management: used for managing deployments, hosted services, and storage accounts.

     Azure Storage: used for programmatic access to the Blob, Queue, Table, and File services in Azure, or in the development environment via the storage emulator.

       1. Click Add a permission.
       2. Click the item name.
       3. Click the Delegated permissions tab.
       4. Select user_impersonation.
       5. Click Add permissions.

     For Microsoft Graph:

     Files.ReadWrite: allows FortiSandbox to read, create, update, and delete the signed-in user's files.

     User.Read: allows FortiSandbox to read the signed-in user's information.

       1. Click Add a permission.
       2. Click the item name.
       3. Click the Delegated permissions tab.
       4. Select the permissions.
       5. Click Add permissions.

Configure Service Principal Settings

If your guest VM mode is Non-Nested, or you want your instance to work as a node in a cluster, you need to configure the Service Principal values on the Azure Config page. To find the Service Principal settings, get the client and tenant IDs from the Azure portal and then enter them into FortiSandbox using the GUI.

Requirements:

To get client and tenant IDs in the Azure portal:

  1. In the Azure portal, go to Azure Active Directory > App registrations and locate the service principal information in the application you created.

     For information, see Create an App registration in Azure Portal.

  2. Go to Manage > Certificates & Secrets. The service principal information is located in the Application (client) ID and Directory (tenant) ID fields.

To configure the Azure service principal in FortiSandbox:

  1. In FortiSandbox, go to System > Azure Config.

  2. Enter the following Azure configuration settings and then click Submit.

Client id

Enter the Application (client) ID from the Azure portal.

Client Secret

Enter the client secret.

Tenant id

Enter the Directory (tenant) ID from the Azure portal.

Subscription ID

Your subscription ID.

Resource group

Name of the resource group.

The Client ID, Client Secret, Location, Subscription ID and Resource group will be used to log into the Azure portal.

Storage account

Storage account name.

This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

Storage account access key

Storage account access key. To find your access key, go to the Azure portal and select Resource group > Storage account > Access keys.

This key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

Monitor storage account

Monitor account name.

This account will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

Monitor account access key

Monitor account access key. To find your access key, go to the Azure portal and select Resource group > Storage account > Access keys.

This key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

Network security group

The security group you created for FortiSandbox port2.

This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The network security group will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

Virtual network

Name of the virtual network you created.

Virtual Network name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

Subnet

Use the subnet created for the local Windows or Linux VM communication (port2) if one exists. Otherwise, select the management subnet.

This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. Subnet name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

VM Type

The VM type of custom VM clone(s).

  • Minimum: Standard_B2ms

  • Recommended: Standard_B2ms

Cloud Environment URLs

Custom Azure environment setting.

Agent Endpoint

Custom Azure environment setting.

Allow Hot-Standby VM

After Allow Hot-Standby VM is enabled, FortiSandbox performs VM initialization again to apply changes to existing custom VM clones or to prepare new clone(s). This option is hidden in Nested mode. See Appendix B - Reduce scan time in custom Windows VM.

Disk Type

The disk storage type of the newly installed custom VM. This option is hidden in Nested mode.

Disk Types:

  • Standard_LRS

  • Premium_LRS

  • StandardSSD_LRS

After the custom VM is created, go to the Azure portal and check Disks > Storage type for the VM.

Deallocate custom VM instance when Idle

FortiSandbox deallocates the custom VM instance after it has been idle (no scan jobs) for the idle timeout value in minutes. When you click Enabled, an idle time must be entered; a value of 0 means disabled.

Idle time before deallocate custom VM instance in minutes

FortiSandbox deallocates the custom VM instance after it has been idle (no scan jobs) for the idle timeout value in minutes. When you click Enabled, an idle time must be entered; a value of 0 means disabled. This option is hidden in Nested mode.

Note

If the Idle time is enabled, the Allow Hot-Standby VM must be disabled.
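The settings above carry several constraints that the GUI only partly enforces: the three IDs are GUIDs, the disk type is one of three values, idle deallocation needs a non-zero timeout, and idle deallocation and Hot-Standby are mutually exclusive. The Client ID, Client Secret and Tenant ID are also what the service principal presents to Azure's token endpoint, and the Cloud Environment URLs field is what changes for sovereign clouds. The following is an added example, not Fortinet code: a Python pre-submit validator for these settings, plus a function that builds the OAuth2 client-credentials request the service principal would send, and a redacted view of the settings that is safe to log. The settings dictionary keys, the SAMPLE values (placeholder GUIDs and secrets) and the CLOUDS table of public Azure endpoints are assumptions made for the illustration; only the field meanings come from the page.

```python
import re
from urllib.parse import urlencode

# Azure naming rules used as sanity checks (public Azure rules, not FortiSandbox-specific).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
STORAGE_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")   # storage account names: 3-24 lowercase letters/digits
DISK_TYPES = {"Standard_LRS", "Premium_LRS", "StandardSSD_LRS"}

# Login and management endpoints per Azure cloud; the GUI's Cloud Environment URLs field selects the equivalent.
CLOUDS = {
    "AzureCloud": ("https://login.microsoftonline.com", "https://management.azure.com"),
    "AzureUSGovernment": ("https://login.microsoftonline.us", "https://management.usgovcloudapi.net"),
    "AzureChinaCloud": ("https://login.chinacloudapi.cn", "https://management.chinacloudapi.cn"),
}

# Keys whose values are credentials and must never appear in logs or bug reports.
SECRET_KEYS = {"client_secret", "storage_account_access_key", "monitor_account_access_key"}


def validate_settings(cfg: dict) -> list[str]:
    """Return a list of problems with an Azure Config settings dict; an empty list means OK."""
    errors = []
    for key in ("client_id", "tenant_id", "subscription_id"):
        if not GUID_RE.match(str(cfg.get(key, ""))):
            errors.append(f"{key}: must be a GUID")
    for key in sorted(SECRET_KEYS):
        if not cfg.get(key):
            errors.append(f"{key}: required")
    for key in ("storage_account", "monitor_storage_account"):
        if not STORAGE_NAME_RE.match(str(cfg.get(key, ""))):
            errors.append(f"{key}: 3-24 lowercase letters or digits")
    for key in ("resource_group", "network_security_group", "virtual_network", "subnet"):
        if not cfg.get(key):
            errors.append(f"{key}: required")
    if cfg.get("disk_type") not in DISK_TYPES:
        errors.append(f"disk_type: must be one of {sorted(DISK_TYPES)}")
    idle = int(cfg.get("idle_minutes", 0))
    if cfg.get("deallocate_when_idle"):
        # Enabled requires a non-zero idle time, and Hot-Standby must be off (Note above).
        if idle <= 0:
            errors.append("idle_minutes: must be greater than 0 when deallocation is enabled")
        if cfg.get("allow_hot_standby"):
            errors.append("allow_hot_standby: must be disabled when idle deallocation is enabled")
    return errors


def build_token_request(cfg: dict, cloud: str = "AzureCloud") -> tuple[str, str]:
    """Build the OAuth2 client-credentials request (URL, form body) the service principal sends
    to obtain an Azure Resource Manager token; this shows what the IDs and secret are used for."""
    login, management = CLOUDS[cloud]
    url = f"{login}/{cfg['tenant_id']}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": f"{management}/.default",
    })
    return url, body


def redacted(cfg: dict) -> dict:
    """Copy of the settings that is safe to log: secrets and access keys are masked."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in cfg.items()}


# Constructed sample settings; every value is a placeholder, not a real credential or resource.
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "placeholder-secret",
    "tenant_id": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "subscription_id": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
    "resource_group": "fsa-rg",
    "storage_account": "fsastorage01",
    "storage_account_access_key": "placeholder-key",
    "monitor_storage_account": "fsamonitor01",
    "monitor_account_access_key": "placeholder-key",
    "network_security_group": "fsa-port2-nsg",
    "virtual_network": "fsa-vnet",
    "subnet": "fsa-port2-subnet",
    "vm_type": "Standard_B2ms",
    "disk_type": "StandardSSD_LRS",
    "allow_hot_standby": False,
    "deallocate_when_idle": True,
    "idle_minutes": 30,
}

if __name__ == "__main__":
    print(validate_settings(SAMPLE))                 # [] for the sample
    print(build_token_request(SAMPLE)[0])            # token endpoint for the public cloud
    print(redacted(SAMPLE))                          # secrets shown as ***
```

The token request is only built, not sent, so the block runs offline; sending it with the real values is what FortiSandbox does on your behalf once you click Submit. The redacted() helper exists because the settings page holds three long-lived secrets (client secret and two storage access keys), and pasting the raw settings into a ticket is the most common way they leak.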
