Preparing for deployment
The deployment of FortiGate-VMX requires a properly licensed VMware vSphere of a supported version, as well as knowledge of how to configure and maintain the environment. Other VMware platforms such as Workstation, Fusion, Player or Server are not supported.
You can manually alter the specs before deployment.
- FortiGate-VMX SVM requires 1 GB of RAM by default, preconfigured in OVF.
- FortiGate-VMX security nodes require 2 GB of RAM by default, preconfigured in OVF.
- vCenter Server Standard
- vSphere Enterprise Plus license level
- NSX Manager
Verify that you are using supported versions of VMware products. To determine which VMware releases are supported, go to: https://www.vmware.com/resources/compatibility/search.php
Use the following search parameters:
|Search parameter|Value|
|---|---|
|What are you looking for:|Networking and Security Services for NSX-V|
|Partner Name:|Fortinet, Inc.|
|Solution Category:|Firewall (Host/Network)|
Click the Update and View Results button, then click the FortiGate VMX link under Product Name next to the appropriate version number. The resulting page lists the supported platforms and releases.
FortiGate-VMX v6.0.1 is supported in vSphere v5.5 & v6.5 and NSX 6.3 environments.
The web server hosts the deployment file used to install the VMX security nodes. No particular type or version of web server is required. It can be IIS, Apache, Nginx, etc. It can be hardware-based or VM-based.
The web server must be:
- able to serve up files designated by a URL
- accessible by the NSX Manager
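A pre-deployment check for the two web server requirements above, as an added example that is not part of the original documentation. The URL and the file name `node.ovf` are placeholders, and the result only reflects what NSX Manager will see if the script is run from a host on the same network as NSX Manager.

```python
import sys
import urllib.error
import urllib.request

# Ignore local proxy settings so the result reflects a direct fetch.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_deployment_url(url, timeout=10):
    """Return (ok, detail) for the URL that will be registered with NSX Manager."""
    if not url.lower().startswith(("http://", "https://")):
        return False, "not an http(s) URL"
    # Ask for the first byte only so a large image is not downloaded;
    # servers that ignore Range reply 200 and we still read a single byte.
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            status = resp.status
            content_type = resp.headers.get_content_type()
            first_byte = resp.read(1)
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} {exc.reason}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"unreachable: {exc}"
    if status not in (200, 206):
        return False, f"unexpected status {status}"
    if not first_byte:
        return False, "file is empty"
    if content_type == "text/html":
        # Heuristic: an HTML body is usually a login or error page.
        return False, "server returned an HTML page, not the file"
    return True, f"HTTP {status}, file is readable"


if __name__ == "__main__":
    # Placeholder URL (constructed); pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://webserver.example/node.ovf"
    ok, detail = check_deployment_url(target)
    print(("OK   " if ok else "FAIL ") + f"{target}: {detail}")
    sys.exit(0 if ok else 1)
```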
- ESXi host cluster enabled with DRS
- DRS Cluster(s) - These clusters will contain the hosts. The clusters containing the hosts must be DRS enabled for the solution to work.
- Distributed Switch (management traffic can traverse legacy vSwitch)
- vSphere Web Client required for NSX Manager add-on
- vDistributed switches (standard vSwitches aren't supported – this is a VMware requirement). Only traffic going through the vDistributed switches can be secured by the FortiGate-VMX security solution.
Agent VM settings must be set on each ESXi host in the cluster. For larger environments, they can also be set during service deployment.
Certain ports are required for communication between the FortiGate-VMX SVM and FortiGate-VMX security nodes through the sync interface: 700, 703, and 720. These are for the cluster protocol, configuration synchronization, and traffic, such as license registration and log traffic.
The SVM must be connected to the Internet for license validation with FortiGuard.
mgmt: management network for communication between the FortiGate-VMX Service Manager and VMware components as well as the FortiGuard Distribution Network (FDN).
sync: sync network for communication between the FortiGate-VMX Service Manager and all deployed FortiGate-VMX Security Nodes.