Install Guest VMs

FortiSandbox supports Local VMs, include Default VM, Optional VM, Custom VM, and Cloud VM. The table below display the difference:

	Default VM	Optional VM	Custom VM	Cloud VM
Nested Mode	Supported	Supported	Supported vdi style	Supported
Non-Nested Mode			Supported vhd style	Supported

To create a custom Windows VM for Azure, follow steps in Custom VM Guide which can be found in the Fortinet Developer Network or is available on request from Customer Support.

Install Guest VMs as Nested Mode

To support the VMs, you will need to set up two more interfaces: port2 and port3.

To setup network interfaces for guest VM for Nested mode:

Guest VMs use port3 to access internet on Nested mode. If you have not created port3 in previous steps, please set up for it here. Otherwise, please skip.
Shutdown the FortiSandbox VM instance from the Azure Portal.
Create interfaces for port2 and port3 to install the VMs. For information, see Create a network interface, in Set up the Azure environment for FortiSandbox.

Nested

Two interfaces are required:

Interface 2: port2
Interface 3: port3

Attach this network interface to FortiSandbox VM instance as FSA Port2 and Port3.

Start the FortiSandbox VM instance from Azure Portal.
On the FortiSandbox GUI, go to System > Interfaces to verify that the network interface is attached.

To install the Guest VM:

Please follow the instructions in, VM Settings in the FortiSandbox Administration Guide. There are default VMs, optional VMs and Customized VM via GUI or CLI. The cloud VMs can be enabled via GUI,
Please make sure the status of port3 is connected on VM External Network Access of page System >Settings

If port1’s connection to Fortinet’s image server is not available, the image should be installed with the CLI command: fw-upgrade, for example:

fw-upgrade -v -thttps –s<your https server> -f/images/WIN10O21V1_1.pkg

Install Guest VMs as Non-Nested Mode

To set up network interface for custom VM for Non-Nested mode:

Guest VMs use port2 to access internet on Non-Nested mode. If you have not created port2 in previous steps, please set up for it. Otherwise, please skip.
Shutdown the FortiSandbox VM instance from the Azure Portal.
Create interfaces for port2 to install the VMs. For information, see Create network interfaces in Set up the Azure environment for FortiSandbox
Attach this network interface to FortiSandbox VM instance as FSA Port2.

Start the FortiSandbox VM instance from Azure Portal
On the FortiSandbox GUI, go to System > Interfaces to verify that the network interface is attached.

To upload image to blob container for installing the custom VM:

Check your Azure Config for the FortiSandbox firmware image storage account.
Go to Resource group > Storage account > Data storage->Containers.
Create a storage blob for the custom VM image.
1. Create a blob container (with anonymous read access) in this storage account.
2. Upload the activated prebuilt custom VM image VHD to this blob container.

To install a custom VM using CLI on Non-Nested Mode:

Go to the FortiSandbox firmware CLI.
Import the VHD image with the CLI: vm-customized

From v3.2.0, FortiSandbox Azure supports installing custom VMs from Azure snapshot and Azure disks.
Use a meaningful custom VM name and keep the same name as VM_image_name.
Do not use:
- Special characters in the name.
- Reserved FortiSandbox VM names starting with WIN7, WIN8, or WIN10.
- The set admin-port command to set port2 or port3 as the administrative port.

To install custom VM from a blob for the Azure Non-Nested mode:

Install the Azure custom VM with the CLI command: vm-customized
Install the VM from a blob as the default type.

vm-customized –cn -tblob -f[blob container name] -b[VM_image_name.vhd] -vo[OS type] -vn[VM name]

To install custom VM from snapshot for the Azure Non-Nested mode:

Install the Azure custom VM with the CLI command: vm-customized
Verify that your snapshot is under the same resource group as FortiSandbox and related resources.
Install the VM from disk with the -t option.

vm-customized -cn -tsnapshot -b[VM_image_disk_name] -vo[OS type] -vn[VM name]

To install custom VM from disk for the Azure Non-Nested mode:

Install the Azure custom VM with the CLI command: vm-customized
Verify that your disk is under the same resource group as FortiSandbox and related resources.
Install the VM from disk with the -t option.

vm-customized -cn -tdisk -b[VM_image_disk_name] -vo[OS type] -vn[VM name]

How to switch between nested and non-nested mode

FortiSandbox support the switching between the two Guest VM running modes when the settings match the requirements.

Non-Nested to Nested: Ensure there is a port 3 and all customized VMs deleted.
Nested to Non-Nested: The clone number of local VMs must be 0. FortiSandbox will delete all local VMs after switching.
Switching is only allowed on standalone unit type.

To switch between Non-Nested and Nested mode, go to the System > Azure config page, refer to Setup Guest VM Running mode Switching modes will reboot the system and delete all the local VMs.

For CLI config-reset and factory-reset, the Guest VM Running Mode setting will be kept.

When backup/restore, the Guest VM Running Mode will also be retained and not restored according to the backup file.

To install the Guest VM in air-gapped mode:

The VM cannot be activated online If FortiSandbox is in air-gapped mode. To activate the VM, do the following:

Go to Log & Report > Events > VM Event.
Search for the failure of activation with an installation ID log.
Call the Microsoft Activation Center to get the confirmation ID.
Use the CLI to add the confirmation ID:

confirm-id -a –k<windows/office key> –c<confirmation ID> –n<VM name>

The re-initialization of the VM will start automatically. Please refer to Hyper-V Admin Guide for other operations.

Non-Nested mode: The custom VMs uses vhd file.
Nested mode: The custom VMs uses vdi file. They are in a different format.

Install Guest VMs

FortiSandbox supports Local VMs, include Default VM, Optional VM, Custom VM, and Cloud VM. The table below display the difference:

	Default VM	Optional VM	Custom VM	Cloud VM
Nested Mode	Supported	Supported	Supported vdi style	Supported
Non-Nested Mode			Supported vhd style	Supported

To create a custom Windows VM for Azure, follow steps in Custom VM Guide which can be found in the Fortinet Developer Network or is available on request from Customer Support.

Install Guest VMs as Nested Mode

To support the VMs, you will need to set up two more interfaces: port2 and port3.

To setup network interfaces for guest VM for Nested mode:

Guest VMs use port3 to access internet on Nested mode. If you have not created port3 in previous steps, please set up for it here. Otherwise, please skip.
Shutdown the FortiSandbox VM instance from the Azure Portal.
Create interfaces for port2 and port3 to install the VMs. For information, see Create a network interface, in Set up the Azure environment for FortiSandbox.

Nested

Two interfaces are required:

Interface 2: port2
Interface 3: port3

Attach this network interface to FortiSandbox VM instance as FSA Port2 and Port3.

Start the FortiSandbox VM instance from Azure Portal.
On the FortiSandbox GUI, go to System > Interfaces to verify that the network interface is attached.

To install the Guest VM:

Please follow the instructions in, VM Settings in the FortiSandbox Administration Guide. There are default VMs, optional VMs and Customized VM via GUI or CLI. The cloud VMs can be enabled via GUI,
Please make sure the status of port3 is connected on VM External Network Access of page System >Settings

If port1’s connection to Fortinet’s image server is not available, the image should be installed with the CLI command: fw-upgrade, for example:

fw-upgrade -v -thttps –s<your https server> -f/images/WIN10O21V1_1.pkg

Install Guest VMs as Non-Nested Mode

To set up network interface for custom VM for Non-Nested mode:

Guest VMs use port2 to access internet on Non-Nested mode. If you have not created port2 in previous steps, please set up for it. Otherwise, please skip.
Shutdown the FortiSandbox VM instance from the Azure Portal.
Create interfaces for port2 to install the VMs. For information, see Create network interfaces in Set up the Azure environment for FortiSandbox
Attach this network interface to FortiSandbox VM instance as FSA Port2.

Start the FortiSandbox VM instance from Azure Portal
On the FortiSandbox GUI, go to System > Interfaces to verify that the network interface is attached.

To upload image to blob container for installing the custom VM:

Check your Azure Config for the FortiSandbox firmware image storage account.
Go to Resource group > Storage account > Data storage->Containers.
Create a storage blob for the custom VM image.
1. Create a blob container (with anonymous read access) in this storage account.
2. Upload the activated prebuilt custom VM image VHD to this blob container.

To install a custom VM using CLI on Non-Nested Mode:

Go to the FortiSandbox firmware CLI.
Import the VHD image with the CLI: vm-customized

From v3.2.0, FortiSandbox Azure supports installing custom VMs from Azure snapshot and Azure disks.
Use a meaningful custom VM name and keep the same name as VM_image_name.
Do not use:
- Special characters in the name.
- Reserved FortiSandbox VM names starting with WIN7, WIN8, or WIN10.
- The set admin-port command to set port2 or port3 as the administrative port.

To install custom VM from a blob for the Azure Non-Nested mode:

Install the Azure custom VM with the CLI command: vm-customized
Install the VM from a blob as the default type.

vm-customized –cn -tblob -f[blob container name] -b[VM_image_name.vhd] -vo[OS type] -vn[VM name]

To install custom VM from snapshot for the Azure Non-Nested mode:

Install the Azure custom VM with the CLI command: vm-customized
Verify that your snapshot is under the same resource group as FortiSandbox and related resources.
Install the VM from disk with the -t option.

vm-customized -cn -tsnapshot -b[VM_image_disk_name] -vo[OS type] -vn[VM name]

To install custom VM from disk for the Azure Non-Nested mode:

Install the Azure custom VM with the CLI command: vm-customized
Verify that your disk is under the same resource group as FortiSandbox and related resources.
Install the VM from disk with the -t option.

vm-customized -cn -tdisk -b[VM_image_disk_name] -vo[OS type] -vn[VM name]

How to switch between nested and non-nested mode

FortiSandbox support the switching between the two Guest VM running modes when the settings match the requirements.

Non-Nested to Nested: Ensure there is a port 3 and all customized VMs deleted.
Nested to Non-Nested: The clone number of local VMs must be 0. FortiSandbox will delete all local VMs after switching.
Switching is only allowed on standalone unit type.

To switch between Non-Nested and Nested mode, go to the System > Azure config page, refer to Setup Guest VM Running mode Switching modes will reboot the system and delete all the local VMs.

For CLI config-reset and factory-reset, the Guest VM Running Mode setting will be kept.

When backup/restore, the Guest VM Running Mode will also be retained and not restored according to the backup file.

To install the Guest VM in air-gapped mode:

The VM cannot be activated online If FortiSandbox is in air-gapped mode. To activate the VM, do the following:

Go to Log & Report > Events > VM Event.
Search for the failure of activation with an installation ID log.
Call the Microsoft Activation Center to get the confirmation ID.
Use the CLI to add the confirmation ID:

confirm-id -a –k<windows/office key> –c<confirmation ID> –n<VM name>

The re-initialization of the VM will start automatically. Please refer to Hyper-V Admin Guide for other operations.

Non-Nested mode: The custom VMs uses vhd file.
Nested mode: The custom VMs uses vdi file. They are in a different format.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

FortiSandbox VM on Azure

Install Guest VMs

Install Guest VMs

Install Guest VMs as Nested Mode

To setup network interfaces for guest VM for Nested mode:

To install the Guest VM:

Install Guest VMs as Non-Nested Mode

To set up network interface for custom VM for Non-Nested mode:

To upload image to blob container for installing the custom VM:

To install a custom VM using CLI on Non-Nested Mode:

To install custom VM from a blob for the Azure Non-Nested mode:

To install custom VM from snapshot for the Azure Non-Nested mode:

To install custom VM from disk for the Azure Non-Nested mode:

How to switch between nested and non-nested mode