
Creating userdata.txt files to pre-configure FortiGate-VM instances

The following example userdata.txt file sets up a FortiGate-VM instance with a basic default configuration customized for your environment and requirements. This example configures interfaces, and adds a DNS server and two firewall policies that allow any traffic to pass between the port2 and port3 interfaces. These policies make it easier to test HA failover.

In addition, the MTU of the port4 interface is set to be compatible with the OpenStack 10 environment, which by default has an MTU of 1446. (In the userdata.txt file, the MTU of port4 is set to 1400.) Using an MTU setting compatible with the OpenStack 10 environment enables the HA heartbeat interfaces to communicate effectively over the ha-sync network.

See these pages for more information on RedHat OpenStack networks and MTU values:

Example userdata.txt file for fgt-vm-1

The following example userdata.txt file could be used for fgt-vm-1. The userdata.txt file for fgt-vm-2 would be the same except for the hostname.

#FGT VM Config File
# Example userdata.txt for fgt-vm-1. Per the page text, fgt-vm-2 uses the same
# file with only the hostname changed. The addresses below (DNS resolver,
# FortiManager) are the example's values; substitute your own.

config sys global
set hostname fgt-vm-1
end
config system interface
# port1: DHCP-addressed interface with administrative access enabled.
# NOTE(review): allowaccess includes "http", which admits cleartext admin
# sessions; outside a lab, keep https/ssh (plus ping if needed) and drop http.
edit port1
set mode dhcp
set allowaccess http https ssh ping
next
# port2/port3: the two data interfaces joined by the test policies below.
# "defaultgw disable" keeps a DHCP-supplied default gateway from being
# installed via these interfaces.
edit port2
set mode dhcp
set defaultgw disable
set allowaccess http https ssh ping
next
edit port3
set mode dhcp
set defaultgw disable
set allowaccess http https ssh ping
next
# port4: per the page text, the HA heartbeat interface on the ha-sync network.
# MTU is forced to 1400 so it fits within the OpenStack 10 default of 1446.
edit port4
set mtu-override enable
set mtu 1400
next
end
# Single primary resolver; no secondary resolver is configured.
config system dns
set primary 208.91.112.53
end
# Test policies: any source/destination address, all services, NAT enabled,
# one policy per direction between port2 and port3. Intended for HA failover
# testing only; tighten srcaddr/dstaddr/service before reusing this in a
# non-lab build.
# NOTE(review): the policy names do not match their interface settings.
# Policy 1 is named "Allow port2 to port3" but sets srcintf port3 / dstintf
# port2 (it permits port3 -> port2); policy 2 is the mirror image. Either the
# names or the srcintf/dstintf pairs should be swapped so the labels are
# accurate when reading logs.
config firewall policy
edit 1
set name "Allow port2 to port3"
set dstintf "port2"
set srcintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "Allow port3 to port2"
set dstintf "port3" 
set srcintf "port2" 
set srcaddr "all" 
set dstaddr "all" 
set action accept 
set schedule "always" 
set service "ALL" 
set nat enable
end
# Central management by FortiManager at 10.210.8.25 (example address).
# With include-default-servers disabled, the server-list entry points
# FortiGuard update and rating lookups at the same host rather than the
# default FortiGuard servers — presumably the intended lab setup; confirm it
# matches your environment before deploying.
config system central-management
set include-default-servers disable
set type fortimanager
set fmg 10.210.8.25
config server-list
edit 1
set server-type update rating
set server-address 10.210.8.25
end
end


Creating userdata.txt files to pre-configure FortiGate-VM instances

The following example userdata.txt file sets up a FortiGate-VM instance with a basic default configuration customized for your environment and requirements. This example configures interfaces, and adds a DNS server and two firewall policies that allow any traffic to pass between the port2 and port3 interfaces. These policies make it easier to test HA failover.

In addition, the MTU of the port4 interface is set to be compatible with the OpenStack 10 environment, which by default has an MTU of 1446. (In the userdata.txt file, the MTU of port4 is set to 1400.) Using an MTU setting compatible with the OpenStack 10 environment enables the HA heartbeat interfaces to communicate effectively over the ha-sync network.

See these pages for more information on RedHat OpenStack networks and MTU values:

Example userdata.txt file for fgt-vm-1

The following example userdata.txt file could be used for fgt-vm-1. The userdata.txt file for fgt-vm-2 would be the same except for the hostname.

#FGT VM Config File
# Example userdata.txt for fgt-vm-1. Per the page text, fgt-vm-2 uses the same
# file with only the hostname changed. The addresses below (DNS resolver,
# FortiManager) are the example's values; substitute your own.

config sys global
set hostname fgt-vm-1
end
config system interface
# port1: DHCP-addressed interface with administrative access enabled.
# NOTE(review): allowaccess includes "http", which admits cleartext admin
# sessions; outside a lab, keep https/ssh (plus ping if needed) and drop http.
edit port1
set mode dhcp
set allowaccess http https ssh ping
next
# port2/port3: the two data interfaces joined by the test policies below.
# "defaultgw disable" keeps a DHCP-supplied default gateway from being
# installed via these interfaces.
edit port2
set mode dhcp
set defaultgw disable
set allowaccess http https ssh ping
next
edit port3
set mode dhcp
set defaultgw disable
set allowaccess http https ssh ping
next
# port4: per the page text, the HA heartbeat interface on the ha-sync network.
# MTU is forced to 1400 so it fits within the OpenStack 10 default of 1446.
edit port4
set mtu-override enable
set mtu 1400
next
end
# Single primary resolver; no secondary resolver is configured.
config system dns
set primary 208.91.112.53
end
# Test policies: any source/destination address, all services, NAT enabled,
# one policy per direction between port2 and port3. Intended for HA failover
# testing only; tighten srcaddr/dstaddr/service before reusing this in a
# non-lab build.
# NOTE(review): the policy names do not match their interface settings.
# Policy 1 is named "Allow port2 to port3" but sets srcintf port3 / dstintf
# port2 (it permits port3 -> port2); policy 2 is the mirror image. Either the
# names or the srcintf/dstintf pairs should be swapped so the labels are
# accurate when reading logs.
config firewall policy
edit 1
set name "Allow port2 to port3"
set dstintf "port2"
set srcintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "Allow port3 to port2"
set dstintf "port3" 
set srcintf "port2" 
set srcaddr "all" 
set dstaddr "all" 
set action accept 
set schedule "always" 
set service "ALL" 
set nat enable
end
# Central management by FortiManager at 10.210.8.25 (example address).
# With include-default-servers disabled, the server-list entry points
# FortiGuard update and rating lookups at the same host rather than the
# default FortiGuard servers — presumably the intended lab setup; confirm it
# matches your environment before deploying.
config system central-management
set include-default-servers disable
set type fortimanager
set fmg 10.210.8.25
config server-list
edit 1
set server-type update rating
set server-address 10.210.8.25
end
end