Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWeb-VM on VMware ESXi

    Home FortiWeb Private Cloud FortiWeb-VM on VMware ESXi

    Mapping the virtual NICs (vNICs) to physical NICs

    Mapping the virtual NICs (vNICs) to physical NICs

    Appropriate mappings of the FortiWeb-VM network adapter ports to the host computer’s physical ports depends on your existing virtual environment.

    Often, the default bridging vNICs work, and don’t need to be changed.

    If you are unsure of your network mappings, try bridging first before non-default vNIC modes such as NAT or host-only networks. The default bridging vNIC mappings are appropriate where each of the host’s guest virtual machines should have their own IP addresses on your network.

    The most common exceptions to this rule are for VLANs and the transparent modes. See Configuring the vNetwork for the transparent modes

    When you deploy the FortiWeb-VM package, 10 bridging vNICs are created and automatically mapped to a port group on 1 virtual switch (vSwitch) within the hypervisor. Each vNIC is mapped to one of 10 FortiWeb-VM network interfaces. (Alternatively, you can configure some or all of the network interfaces to use the same vNIC.) vSwitches are themselves mapped to physical ports on the server.

    In some cases, FortiWeb-VM deployed on ESXi cannot update the mapping between vNICs and FortiWeb-VM network interfaces after you remove and add adaptors. See Changing the default network adaptors for EXSi deployments.

    You can change the mapping, or map other vNICs, if either your VM environment requires it or FortiWeb-VM will be operating in either true transparent proxy or Transparent Inspection mode. (For information on how to choose the operation mode, see the setup instructions in the FortiWeb Administration Guide.)

    The following table provides an example of how vNICs could be mapped to the physical network ports on a server.

    Example: Network mapping for Reverse Proxy mode
    VMware vSphere FortiWeb-VM
    Physical Network Adapter Network Mapping (vSwitch Port Group) Virtual Network Adapter for FortiWeb-VM Network Interface Name in Web UI/CLI
    eth0 VM Network 0 Management port1
    eth1 VM Network 1 External port2
    VM Network 2 Internal port3
    VM Network 1 External port4
    To map network adapters
    1. On your management computer, start VMware vSphere Client.
    2. Enter the IP address, user name, and password of the VMware vSphere server.
    3. Click Login.
    4. In the pane on the left side, right-click the name of the virtual appliance, such as FortiWeb-VM, then select Edit Settings.

      5. The virtual appliance’s properties dialog appears.

    5. In the list of virtual hardware on the left side of the dialog, click the name of a virtual network adapter to see its current settings.
    6. From the Network Connection drop-down menu, select the virtual network mapping for the virtual network adapter.

      7. The correct mapping varies by your virtual environment’s network configuration. In the example illustration below, the vNIC Network adapter 1 is mapped to the virtual network (vNetwork) named VLAN 593.


    7. Click OK.
    8. Continue with Powering on and shutting down the virtual appliance.

    Changing the default network adaptors for EXSi deployments

    By default, FortiWeb-VM deploys on ESXi using VMXNET network adaptors.

    However, you can delete the VMXNET adaptors and add E1000 network adaptors that replace them, if required. E1000 adaptors do not have the same limitations as VMXNET adaptors. However, for best performance, use VMXNET adaptors because they are optimized for performance in a virtual machine.

    To avoid problems with the mapping of vNICs to FortiWeb-VM network interfaces, do the following:

    • Ensure the network adaptors are all of the same type: VMXNET or E1000.
    • If you are using VMXNET adaptors, do not remove and add adaptors. FortiWeb-VM cannot update the initial mappings to work with the new adaptors.

      However, you can add VMXNET adaptors if you are upgrading from a previous version of FortiWeb-VM that provides only 4 adaptors. (Because the additional adaptors are new, there is no existing mapping to create a conflict.) Ensure that the total number of adaptors after the upgrade is 8 or 10.

    Configuring the vNetwork for the transparent modes

    The default vNetwork configuration does not function with FortiWeb bridges (V-zones). You use bridges when you deploy your FortiWeb-VM in either true transparent proxy or Transparent Inspection operation mode.

    Use the following general configuration steps to support the transparent modes:

    • To create the bridge, use one of the following to create two FortiWeb ports: one for the web server side and one for the client side:
      • 2 vSwitches or distributed vSwitches (dvSwitch)
      • 1 vSwitch that has 2 port groups with different VLAN IDs
    • Set each vSwitch that you add to promiscuous mode and map each port group to a network adapter (vNIC)

    Similar to a deployment that does not use virtual machines, connections between clients and servers are piped through two port groups (on two vSwitches or a single vSwitch) that comprise the bridge, with FortiWeb-VM in between them.

    To create a vSwitch
    1. On your management computer, start VMware vSphere Client.
    2. In IP address / Name, type the IP address or FQDN of the VMware vSphere server.
    3. In User name, type the name of your account on that server.
    4. In Password, type the password for your account on that server.
    5. Click Login.
    6. In the pane on the left side, click the name of the virtual appliance, such as FortiWeb-VM.
    7. On the Configuration tab, click Networking.

      8. A window appears where you can configure vSwitches or distributed vSwitches.

    8. In the View set of buttons, click Virtual Switch. (If you are configuring a distributed vSwitch, click vNetwork Distributed Switch instead. Your steps will vary slightly, but will be similar.)
    9. Click Add Networking.
    10. Accept the default connection type, Virtual Machines, and click Next.
    11. Select Create a virtual switch.
    12. Click Next.
    13. Under Port Group Properties, enter a network label such as Client-Side-vSwitch1 that identifies the port group.
    14. In VLAN ID, if your network uses VLANs, enter a number between 1 and 4,094 to specify the VLAN tag that the vSwitch uses.

      15. If your configuration uses only one vSwitch, add a second port group with a different VLAN tag.

    15. Click Next.
    16. Click Finish.
    17. If your configuration uses 2 vSwitches, repeat this procedure to create the other vSwitch.

    18. If you are creating vSwitches to support True Transparent Proxy, ensure that the vSwitch is configured to use only one VMNIC.
    19. Continue with To configure promiscuous mode for the new vSwitch.
    To configure promiscuous mode for the new vSwitch
    1. On the Configuration tab, click Networking.
    2. Select Properties.

    3. Click Edit.
    4. Select the Security tab.
    5. From the drop-down list for Promiscuous Mode, select Accept.
    6. If your configuration uses 2 vSwitches, repeat this procedure with the other vSwitch for the bridge.
    7. Continue with To map a network adapter to the new vSwitch port groups.
    To map a network adapter to the new vSwitch port groups
    1. In the pane on the left side, click the name of the virtual appliance, such as FortiWeb-VM.
    2. On the Getting Started tab, select Edit Virtual Machine Settings.


      3. A properties window appears.

    3. On the Hardware tab, select a network adapter from the hardware list.
    4. Select the port group of the new vSwitch from the Network label drop-down list.
    5. Click OK.
    6. Do one of the following:
    • If your configuration uses 2 vSwitches, repeat this procedure with the port group on the second vSwitch.
    • If your configuration users 1 vSwitch, repeat this procedure with the second port group on the vSwitch.
  • Later, when you configure FortiWeb-VM, add the FortiWeb ports that correspond to the mapped vSwitch port groups to the bridge (V-zone).
    • Previous
    Next

    Mapping the virtual NICs (vNICs) to physical NICs

    Mapping the virtual NICs (vNICs) to physical NICs

    Appropriate mappings of the FortiWeb-VM network adapter ports to the host computer’s physical ports depends on your existing virtual environment.

    Often, the default bridging vNICs work, and don’t need to be changed.

    If you are unsure of your network mappings, try bridging first before non-default vNIC modes such as NAT or host-only networks. The default bridging vNIC mappings are appropriate where each of the host’s guest virtual machines should have their own IP addresses on your network.

    The most common exceptions to this rule are for VLANs and the transparent modes. See Configuring the vNetwork for the transparent modes

    When you deploy the FortiWeb-VM package, 10 bridging vNICs are created and automatically mapped to a port group on 1 virtual switch (vSwitch) within the hypervisor. Each vNIC is mapped to one of 10 FortiWeb-VM network interfaces. (Alternatively, you can configure some or all of the network interfaces to use the same vNIC.) vSwitches are themselves mapped to physical ports on the server.

    In some cases, FortiWeb-VM deployed on ESXi cannot update the mapping between vNICs and FortiWeb-VM network interfaces after you remove and add adaptors. See Changing the default network adaptors for EXSi deployments.

    You can change the mapping, or map other vNICs, if either your VM environment requires it or FortiWeb-VM will be operating in either true transparent proxy or Transparent Inspection mode. (For information on how to choose the operation mode, see the setup instructions in the FortiWeb Administration Guide.)

    The following table provides an example of how vNICs could be mapped to the physical network ports on a server.

    Example: Network mapping for Reverse Proxy mode
    VMware vSphere FortiWeb-VM
    Physical Network Adapter Network Mapping (vSwitch Port Group) Virtual Network Adapter for FortiWeb-VM Network Interface Name in Web UI/CLI
    eth0 VM Network 0 Management port1
    eth1 VM Network 1 External port2
    VM Network 2 Internal port3
    VM Network 1 External port4
    To map network adapters
    1. On your management computer, start VMware vSphere Client.
    2. Enter the IP address, user name, and password of the VMware vSphere server.
    3. Click Login.
    4. In the pane on the left side, right-click the name of the virtual appliance, such as FortiWeb-VM, then select Edit Settings.

      5. The virtual appliance’s properties dialog appears.

    5. In the list of virtual hardware on the left side of the dialog, click the name of a virtual network adapter to see its current settings.
    6. From the Network Connection drop-down menu, select the virtual network mapping for the virtual network adapter.

      7. The correct mapping varies by your virtual environment’s network configuration. In the example illustration below, the vNIC Network adapter 1 is mapped to the virtual network (vNetwork) named VLAN 593.


    7. Click OK.
    8. Continue with Powering on and shutting down the virtual appliance.

    Changing the default network adaptors for EXSi deployments

    By default, FortiWeb-VM deploys on ESXi using VMXNET network adaptors.

    However, you can delete the VMXNET adaptors and add E1000 network adaptors that replace them, if required. E1000 adaptors do not have the same limitations as VMXNET adaptors. However, for best performance, use VMXNET adaptors because they are optimized for performance in a virtual machine.

    To avoid problems with the mapping of vNICs to FortiWeb-VM network interfaces, do the following:

    • Ensure the network adaptors are all of the same type: VMXNET or E1000.
    • If you are using VMXNET adaptors, do not remove and add adaptors. FortiWeb-VM cannot update the initial mappings to work with the new adaptors.

      However, you can add VMXNET adaptors if you are upgrading from a previous version of FortiWeb-VM that provides only 4 adaptors. (Because the additional adaptors are new, there is no existing mapping to create a conflict.) Ensure that the total number of adaptors after the upgrade is 8 or 10.

    Configuring the vNetwork for the transparent modes

    The default vNetwork configuration does not function with FortiWeb bridges (V-zones). You use bridges when you deploy your FortiWeb-VM in either true transparent proxy or Transparent Inspection operation mode.

    Use the following general configuration steps to support the transparent modes:

    • To create the bridge, use one of the following to create two FortiWeb ports: one for the web server side and one for the client side:
      • 2 vSwitches or distributed vSwitches (dvSwitch)
      • 1 vSwitch that has 2 port groups with different VLAN IDs
    • Set each vSwitch that you add to promiscuous mode and map each port group to a network adapter (vNIC)

    Similar to a deployment that does not use virtual machines, connections between clients and servers are piped through two port groups (on two vSwitches or a single vSwitch) that comprise the bridge, with FortiWeb-VM in between them.

    To create a vSwitch
    1. On your management computer, start VMware vSphere Client.
    2. In IP address / Name, type the IP address or FQDN of the VMware vSphere server.
    3. In User name, type the name of your account on that server.
    4. In Password, type the password for your account on that server.
    5. Click Login.
    6. In the pane on the left side, click the name of the virtual appliance, such as FortiWeb-VM.
    7. On the Configuration tab, click Networking.

      8. A window appears where you can configure vSwitches or distributed vSwitches.

    8. In the View set of buttons, click Virtual Switch. (If you are configuring a distributed vSwitch, click vNetwork Distributed Switch instead. Your steps will vary slightly, but will be similar.)
    9. Click Add Networking.
    10. Accept the default connection type, Virtual Machines, and click Next.
    11. Select Create a virtual switch.
    12. Click Next.
    13. Under Port Group Properties, enter a network label such as Client-Side-vSwitch1 that identifies the port group.
    14. In VLAN ID, if your network uses VLANs, enter a number between 1 and 4,094 to specify the VLAN tag that the vSwitch uses.

      15. If your configuration uses only one vSwitch, add a second port group with a different VLAN tag.

    15. Click Next.
    16. Click Finish.
    17. If your configuration uses 2 vSwitches, repeat this procedure to create the other vSwitch.

    18. If you are creating vSwitches to support True Transparent Proxy, ensure that the vSwitch is configured to use only one VMNIC.
    19. Continue with To configure promiscuous mode for the new vSwitch.
    To configure promiscuous mode for the new vSwitch
    1. On the Configuration tab, click Networking.
    2. Select Properties.

    3. Click Edit.
    4. Select the Security tab.
    5. From the drop-down list for Promiscuous Mode, select Accept.
    6. If your configuration uses 2 vSwitches, repeat this procedure with the other vSwitch for the bridge.
    7. Continue with To map a network adapter to the new vSwitch port groups.
    To map a network adapter to the new vSwitch port groups
    1. In the pane on the left side, click the name of the virtual appliance, such as FortiWeb-VM.
    2. On the Getting Started tab, select Edit Virtual Machine Settings.


      3. A properties window appears.

    3. On the Hardware tab, select a network adapter from the hardware list.
    4. Select the port group of the new vSwitch from the Network label drop-down list.
    5. Click OK.
    6. Do one of the following:
    • If your configuration uses 2 vSwitches, repeat this procedure with the port group on the second vSwitch.
    • If your configuration users 1 vSwitch, repeat this procedure with the second port group on the vSwitch.
  • Later, when you configure FortiWeb-VM, add the FortiWeb ports that correspond to the mapped vSwitch port groups to the bridge (V-zone).
    • Previous
    Next