Version: 6.0.0

Deploying the FortiGate

Note: This deployment method is only applicable for BYOL. The PAYG deployment file will be ready at a later time.

  1. Prepare your GCP environment by meeting the prerequisites. Ensure that you have at least four networks.
  2. Run the following Google Cloud commands:
    1. Create a disk for each FortiGate as described in step 3 here. Replace the disk names, zones, and sizes as required.

    2. Create a static external IP address.
    3. Create the two FortiGate-VM instances by running the Google Cloud command twice, once per instance. In this example, internal static IP addresses are not assigned at the time of deployment; you must assign a static internal IP address to each network interface on each internal network after deployment.

      For details about Google Cloud commands to deploy a FortiGate instance, see Using the Google Cloud SDK to Deploy FortiGate-VM.

      To deploy the primary FortiGate, run the following command:

      gcloud compute instances create fortigate1 \
        --network-interface network=default,subnet=default,address=your-public-IP-name \
        --network-interface network=vpc2,subnet=internal,no-address \
        --network-interface network=vpc3,subnet=subnet3,no-address \
        --network-interface network=vpc4,subnet=subnet4 \
        --project "your-project" --image your-fortigate-image --can-ip-forward \
        --machine-type n1-standard-8 --zone "us-central1-a" \
        --metadata-from-file "license=licenseA.txt,user-data=primary.txt" \
        --disk=name=your-logdisk1,device-name=your-device1,mode=rw,boot=no

      To deploy the secondary FortiGate, run the following command:

      gcloud compute instances create fortigate2 \
        --network-interface network=default,subnet=default \
        --network-interface network=vpc2,subnet=internal,no-address \
        --network-interface network=vpc3,subnet=subnet3,no-address \
        --network-interface network=vpc4,subnet=subnet4 \
        --project "your-project" --image your-fortigate-image --can-ip-forward \
        --machine-type n1-standard-8 --zone "us-central1-a" \
        --metadata-from-file "license=licenseB.txt,user-data=secondary.txt" \
        --disk=name=your-logdisk2,device-name=your-device2,mode=rw,boot=no

      Replace the VM host names, network names, external (public) IP address name, project name, machine type, zone name, license file names (licenseA.txt, licenseB.txt), FortiGate config file names (primary.txt, secondary.txt), disk names, and device names with your own.

      You can upload a BYOL license on the management GUI later if you do not have licenses at the time of deployment.

      In this example, four networks are used for the following purposes:

      Default network (subnet default): external, Internet-facing network. This uses port1 on the FortiGate.
      VPC2 (subnet internal): internal network where the protected VMs are located. This uses port2 on the FortiGate.
      VPC3 (subnet3): a subnet dedicated to the heartbeat between the two FortiGates. This uses port3 on the FortiGate.
      VPC4 (subnet4): a subnet dedicated to management access to the two FortiGates. This uses port4 on the FortiGate.

  3. After deploying the two FortiGates, connect to each FortiGate management console. Do the following:
    1. Configure the network interfaces port2, port3, and port4 by entering their IP addresses and subnets. By default, only port1 is configured. For port4, configure administrative access; you may want to allow HTTPS and SSH.
    2. Shut down the FortiGate-VMs and allow access to the Google Cloud API. See Checking Metadata API Access.
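As an added example (not Fortinet's own tooling and not part of the original page), the bash script below assembles each node's create command from its interface list and refuses to emit it when the list is malformed in the ways the long commands above are easy to get wrong: a dropped --network-interface flag, or a public address on the internal or heartbeat interface. Project, image, zone and file names are the placeholders from the text; the address rules, and the choice to give port4 no-address (assuming management stays inside VPC4, where the commands above leave it to the default), are this example's own.

```shell
#!/bin/bash
# Added example, not Fortinet's own tooling: builds the four-interface
# gcloud command for one FortiGate-VM of the HA pair and refuses to emit
# it when the interface list is malformed. Address rules are this
# example's own; names are the placeholders used in the text.

# has KEY SPEC: true when comma-separated SPEC contains a field starting with KEY.
has() { case ",$2," in *,"$1"*) return 0 ;; esac; return 1; }
# check_ifaces SPEC... : exactly four specs, each with network= and subnet=;
# port1 carries the reserved external address, port2/port3 are no-address,
# port4 must say address= or no-address instead of taking the ephemeral default.
check_ifaces() {
  [ "$#" -eq 4 ] || { echo "expected 4 interfaces, got $#" >&2; return 1; }
  local i=1 spec ok
  for spec in "$@"; do
    has network= "$spec" && has subnet= "$spec" ||
      { echo "port$i: missing network= or subnet=" >&2; return 1; }
    case "$i" in
      1) has address= "$spec"; ok=$? ;;
      2|3) has no-address, "$spec"; ok=$? ;;
      4) has address= "$spec" || has no-address, "$spec"; ok=$? ;;
    esac
    [ "$ok" -eq 0 ] || { echo "port$i: address rule violated ($spec)" >&2; return 1; }
    i=$((i + 1))
  done
}
# build_create_cmd NAME LICENSE USERDATA DISK DEVICE SPEC... : prints the command or fails.
build_create_cmd() {
  local name=$1 license=$2 userdata=$3 disk=$4 device=$5 cmd spec; shift 5
  check_ifaces "$@" || return 1
  cmd="gcloud compute instances create $name"
  for spec in "$@"; do cmd="$cmd --network-interface $spec"; done
  cmd="$cmd --project your-project --image your-fortigate-image --can-ip-forward"
  cmd="$cmd --machine-type n1-standard-8 --zone us-central1-a"
  cmd="$cmd --metadata-from-file license=$license,user-data=$userdata"
  cmd="$cmd --disk=name=$disk,device-name=$device,mode=rw,boot=no"
  printf '%s\n' "$cmd"
}

# Interface list in port order, from the text's example; port4 is made
# no-address here on the assumption that management stays inside VPC4.
fgt_example_cmd() {
  build_create_cmd "$1" "$2" "$3" "$4" "$5" \
    "network=default,subnet=default,address=your-public-IP-name" \
    "network=vpc2,subnet=internal,no-address" \
    "network=vpc3,subnet=subnet3,no-address" \
    "network=vpc4,subnet=subnet4,no-address"
}
# Primary node; repeat with fortigate2, licenseB.txt and secondary.txt for the peer.
fgt_example_cmd fortigate1 licenseA.txt primary.txt your-logdisk1 your-device1
```

Pipe the printed command into a shell only after reviewing it, or replace the final printf with an exec once the interface list has been reviewed.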
