Set up the Azure environment for FortiSandbox

Before deploying a FortiSandbox instance, some basic steps are required to set up and run the Azure environment.

To start, log into the Azure management portal with a user account that has enough privileges to create a new resource group.

To set up the Azure environment for deployment:

  1. Create a resource group
  2. Create network security groups
  3. Create virtual networks
  4. Create storage accounts
  5. Create network interfaces
  6. Create a data disk

Create a resource group

To create resource groups in Azure:
  1. In the Azure portal, click Resource groups in the left pane.
  2. Click Add to create a new empty resource group.

  3. Enter the following information:

    Subscription

    Select a subscription.

    Resource group

    Name of the resource group.

    Region

    Select a resource group location.

Create network security groups

Create two network security groups:

  • The first security group must have inbound rules allowing for HTTPS, SSH traffic, OFTP, FortiGuard, FTP and RDP.
  • The second security group must have inbound rules allowing for FTP and RDP.
To create network security groups in Azure:
  1. In the Azure portal, click Network security groups in the left pane.
  2. Click Add to create a new network security group for FortiSandbox port1 subnet (the management subnet).

  3. Enter the following information:

    Subscription

    Select a subscription type.

    Resource group

    Select the resource group you created. See Create a resource group.

    Name

    Name of the network security group.

    Region

    Select the location you used when you set up the resource group.

  4. Repeat these steps to create a second network security group for the FortiSandbox port2 and port3 subnets (FortiSandbox reserves port2 for the firmware instance to communicate with local Windows or Linux clones in Non-Nested mode, and port3 for Nested mode).
  5. Go to the security groups and configure the inbound rules:
    • Network security group one: HTTPS (TCP 443), SSH traffic (TCP 22), OFTP traffic (TCP 514).

      Optional: ICAP traffic (TCP 1344), ICAP over SSL (TCP 11344), RDP to VM interaction (FortiSandbox reserved 9833).

    • Network security group two: FTP (TCP 21) and RDP (TCP 9833).

      Tooltip

      If you choose to use Windows cloud clones located in Fortinet Data Center, the network security group for port2 subnet is not required.

  6. Configure the outbound rules: Allow traffic to go out.
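The inbound rules from step 5 can be checked after deployment. The following is an added example, not Fortinet code: it audits an exported rule list against the TCP ports this page gives for each group and also flags SSH or HTTPS allowed from any source. The labels nsg-one and nsg-two and the sample rules are constructed; the field names are assumed to match the JSON printed by `az network nsg rule list`, and FortiGuard is left out because the page gives no port number for it.

```python
import json

# Inbound TCP ports this page lists for each group (labels are hypothetical).
ALLOWED = {
    "nsg-one": {443, 22, 514, 1344, 11344, 9833},  # port1 (management) subnet
    "nsg-two": {21, 9833},                         # port2/port3 subnet
}
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}

# Constructed sample input, shaped like `az network nsg rule list` output.
SAMPLE = json.loads("""[
 {"name": "allow-https", "direction": "Inbound", "access": "Allow", "destinationPortRange": "443", "sourceAddressPrefix": "203.0.113.0/24"},
 {"name": "allow-ssh", "direction": "Inbound", "access": "Allow", "destinationPortRange": "22", "sourceAddressPrefix": "*"},
 {"name": "allow-range", "direction": "Inbound", "access": "Allow", "destinationPortRange": "20-23", "sourceAddressPrefix": "203.0.113.0/24"}
]""")

def expand_ports(rule):
    """Return the set of destination ports a rule covers, or None for '*'."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    ports = set()
    for spec in specs:
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(group, rules):
    """List (rule name, finding) pairs for inbound allow rules in one group."""
    findings = []
    for r in rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        ports = expand_ports(r)
        if ports is None:
            findings.append((r["name"], "allows every destination port"))
            continue
        extra = sorted(ports - ALLOWED[group])
        if extra:
            findings.append((r["name"], f"ports not in the documented list: {extra}"))
        sources = set(r.get("sourceAddressPrefixes") or []) | {r.get("sourceAddressPrefix")}
        if sources & ANY_SOURCE and ports & {22, 443}:
            findings.append((r["name"], "management port open to any source"))
    return findings

if __name__ == "__main__":
    print(audit("nsg-one", SAMPLE))
```
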

Create virtual networks

To create virtual networks in Azure:
  1. In the Azure portal, select Virtual networks in the left pane.

  2. Select Add to create a new virtual network.

  3. Enter the following information:

    Name

    Name of the virtual network.

    Address space

    Use an Azure suggested unused class B network (xxx.xxx.0.0/16) or enter your preferred unused class B network. The address space should cover all the IP ranges this resource group will use.

    Subscription

    Select your subscription type.

    Resource group

    Select the resource group you created. See Create a resource group.

    Location

    Select the location you used when you set up the resource group.

    Subnet Name

    Name of port1 (the management port) subnet.

    Subnet Address range

    Enter a class C address range (xxx.xxx.xxx.0/24) within the virtual network.

    DDoS protection

    Basic.

    Service endpoints

    Disabled.

  4. Click Create.

  5. Create one additional subnet in the virtual network:

    • Enter the subnet name for FSA port2 (the local VM clones communication port), and assign another class C address range (xxx.xxx.xxx.0/24).

    • Repeat this step to create a subnet for port3 if Nested mode or an HA cluster is planned.

  6. Associate each network security group with its subnet:

    1. Associate the network security group for the FortiSandbox port1 subnet with the port1 subnet.

    2. Associate the network security group for the FortiSandbox port2 subnet with the port2 subnet.

    3. Associate the network security group for the FortiSandbox port3 subnet with the port3 subnet.

Create storage accounts

Create two storage accounts:

  • The first storage account is for storing the FortiSandbox firmware image (Storage Account).
  • The second storage account is for storing diagnostic information (Monitor Account), such as FortiSandbox diagnostic screenshots, the console of the FortiSandbox VM, and VM clone diagnostic screenshots during job scans.
To create storage accounts in Azure:
  1. In the Azure portal, click Storage accounts in the left pane.
  2. Click Add to create a new storage account.

  3. Enter the following information for each account:

    Subscription

    Select your subscription type.

    Resource group

    Select the resource group you created. See Create a resource group.

    Storage account name

    Name of the storage account.

    Location

    Select the location you used when you set up the resource group.

    Performance

    Standard.

    Replication

    Geo-Redundant Storage (GRS).

  4. Select Review + Create.

  5. Repeat these steps to create a second storage account.

Create network interfaces

Create the following network interfaces:

  • The first network interface is for FortiSandbox port1.
  • The second network interface is for FortiSandbox port2.
  • If needed, you can create more network interfaces, such as for Nested mode, for client devices to submit files, or inter-communications between HA Cluster nodes. To do that, more network security groups and virtual networks might be needed.
To create a network interface in Azure:
  1. In the Azure portal, click Network interfaces in the left pane.

  2. Click Add to create a new network interface.

  3. Enter the following information:

    Name

    VM name.

    Virtual network

    Select your Virtual Network.

    Subnet

    One subnet under your Virtual Network. Each interface you create must be on a different subnet.

    Private IP address assignment

    Static.

    Private IP address

    Self-defined static IP address.

    Network security group

    Select the security group you created.

    Private IP address (IPv6)

    Unchecked.

    Subscription

    Subscription type.

    Resource group

    Select the resource group you created. See Create a resource group.

    Location

    Select the same location used while setting up the resource group.

  4. Repeat these steps to create the network interfaces you need (for Nested Mode, port3 is needed).

Tooltip

If you have created multiple network security groups:

  • The group associated with the FSA port1 interface must be the one that includes HTTPS (TCP 443), SSH traffic (TCP 22), and OFTP traffic (TCP 514).

  • The group associated with the FSA port2 interface must be the one that includes FTP (TCP 21).

Associate the network interface used for the FSA management port (port1) with the Public IP address in the IP configuration section.

Create a data disk

To create a data disk:
  1. In the Azure portal, click Disks in the left pane.

  2. Click Add to create a data disk of at least 200GB.

Tooltip

Monitor the usage of the data disk and expand its size when needed. For more information, see the FortiSandbox Best Practices and Troubleshooting Guide.
