Import Azure settings into FortiSandbox
In FortiSandbox v3.2.0 and higher, you can import Azure settings using the Account Authentication method or the Service Principal method. The Azure settings from Microsoft are required to log into the Azure portal and to control the Virtual Machines and the communication between network interfaces.
In FortiSandbox Azure, some features require operations on the Azure portal. These include:
- HA failover with cluster IP transferred to new Primary.
- Import/install/activate/delete/startup/shutdown/communicate Customized VMs
Import using Account Authentication
To import Azure account authentication:
- Go to the FortiSandbox GUI.
- Click System > Azure Config.
The Azure email account should be the Owner of the resource group of FortiSandbox.
Account Type
Select Microsoft Azure account email, which means account authentication is used for the import.
Microsoft Azure account email
Your user ID.
Microsoft Azure account password
Your user password.
Location
Select the location you used to set up the resource group.
Subscription ID
Your subscription ID.
Resource group
The resource group.
The User ID, password, location, Subscription ID and Resource group will be used to log into the Azure portal.
Storage account
Storage account name.
This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Storage account access key
Storage account access key.
This access key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Monitor storage account
Monitor account name.
This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Monitor account access key
Monitor account access key.
This access key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Network security group
The security group you created for FortiSandbox port2.
This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox.
The network security group will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.
Virtual Network
Name of the virtual network you created.
The Virtual Network name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.
Subnet
The subnet you created for the FortiSandbox port2 interface.
This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The subnet name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.
VM type
The VM type of custom VM clone(s).
Minimum: Standard_B2ms
Recommended: Standard_B2ms
Allow Hot-Standby VM
After Allow Hot-Standby VM is enabled, FortiSandbox will perform VM initialization again to apply changes to existing custom VM clones or prepare new clone(s). See Appendix B - Reduce scan time in custom Windows VM.
Disk Type
The disk storage type of the new installed custom VM.
Disk Types:
- Standard_LRS
- Premium_LRS
- StandardSSD_LRS
After the custom VM is created, go to the Azure portal and check Disks > Storage type for the VM.
Idle time before deallocate custom VM instance in minutes
FortiSandbox will deallocate the custom VM instance after it has remained idle, with no scan jobs, for the idle timeout value (minutes). If you click Enabled, you must enter an idle time; otherwise, 0 means disabled.
If Idle time is enabled, Allow Hot-Standby VM must be disabled.
- Click Test Connection to verify the connection is accessible and authentication is valid.
- Click Submit.
Import using Service Principal
To import the Azure settings using Service Principal, get the client and tenant IDs from the Azure portal and then enter them into FortiSandbox using the GUI.
Requirements:
To get client and tenant IDs in the Azure portal:
- In the Azure portal, go to Azure Active Directory > App registrations and locate the service principal information in the application you created.
For information, see (Optional) Create an App registration.
- Go to Manage > Certificates & Secrets. The service principal information is located in the Application (client) ID and Directory (tenant) ID fields.
To import Azure service principal in FortiSandbox:
- In FortiSandbox, go to System > Azure Config.
- In FortiSandbox, enter the following Azure configuration settings and then click Submit.
Account Type
Select Client ID, which means the service principal is used for the import.
Client id
Enter the Application (client) ID from the Azure portal.
Client Secret
Enter the client secret.
Location
The location you used to set up the resource group.
Tenant id
Enter the Directory (tenant) ID from the Azure portal.
Subscription ID
Your subscription ID.
Resource group
Resource group.
The Client ID, Client Secret, Location, Subscription ID and Resource group will be used to log into the Azure portal.
Storage account
Storage account name.
This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Storage account access key
Storage account access key.
This key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Monitor storage account
Monitor account name.
This account will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Monitor account access key
Monitor account access key.
This key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.
Network security group
The security group you created for FortiSandbox port2.
This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The network security group will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.
Virtual network
Name of the virtual network you created.
The Virtual Network name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.
Subnet
Use the subnet created for the local Windows or Linux VM communication (port2) if one exists. Otherwise, select the management subnet.
This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The subnet name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.
VM Type
The VM type of custom VM clone(s).
Minimum: Standard_B2ms
Recommended: Standard_B2ms
Allow Hot-Standby VM
After Allow Hot-Standby VM is enabled, FortiSandbox will perform VM initialization again to apply changes to existing custom VM clones or prepare new clone(s). See Appendix B - Reduce scan time in custom Windows VM.
Disk Type
The disk storage type of the new installed custom VM.
Disk Types:
- Standard_LRS
- Premium_LRS
- StandardSSD_LRS
After the custom VM is created, go to the Azure portal and check Disks > Storage type for the VM.
Idle time before deallocate custom VM instance in minutes
FortiSandbox will deallocate the custom VM instance after it has remained idle, with no scan jobs, for the idle timeout value (minutes). If you click Enabled, you must enter an idle time; otherwise, 0 means disabled.
If Idle time is enabled, Allow Hot-Standby VM must be disabled.
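A pre-flight check for the values in either form above, written as an added example and not taken from Fortinet: it reports missing fields for the chosen account type, IDs that are not GUIDs, a disk type outside the listed three, and the Idle time / Allow Hot-Standby VM conflict. The dictionary key names are hypothetical labels for the form fields, not a FortiSandbox API, and the script contacts neither Azure nor FortiSandbox.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DISK_TYPES = {"Standard_LRS", "Premium_LRS", "StandardSSD_LRS"}  # listed on this page
# Hypothetical key names for the form fields; not a FortiSandbox API.
COMMON = ["location", "subscription_id", "resource_group", "storage_account",
          "storage_account_key", "monitor_storage_account", "monitor_account_key",
          "network_security_group", "virtual_network", "subnet", "vm_type", "disk_type"]
PER_TYPE = {"account": ["account_email", "account_password"],
            "service_principal": ["client_id", "client_secret", "tenant_id"]}
GUID_FIELDS = ["subscription_id", "client_id", "tenant_id"]  # Azure shows these as GUIDs


def check_azure_config(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    kind = cfg.get("account_type")
    if kind not in PER_TYPE:
        return [f"account_type must be one of {sorted(PER_TYPE)}"]
    problems = [f"missing: {f}" for f in COMMON + PER_TYPE[kind]
                if not str(cfg.get(f) or "").strip()]
    problems += [f"not a GUID: {f}" for f in GUID_FIELDS
                 if cfg.get(f) and not GUID.match(cfg[f])]
    if cfg.get("disk_type") and cfg["disk_type"] not in DISK_TYPES:
        problems.append("disk_type is not one of the listed disk types")
    idle = cfg.get("idle_minutes", 0)  # 0 means the idle timeout is disabled
    if not isinstance(idle, int) or idle < 0:
        problems.append("idle_minutes must be a non-negative integer")
    elif idle > 0 and cfg.get("allow_hot_standby"):
        problems.append("idle time enabled: Allow Hot-Standby VM must be disabled")
    return problems


# Constructed sample values; none of these identifiers are real.
SAMPLE = {
    "account_type": "service_principal",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "constructed-secret",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "subscription_id": "00000000-0000-0000-0000-000000000000",
    "location": "eastus", "resource_group": "fsa-rg",
    "storage_account": "fsastorage", "storage_account_key": "constructed-key",
    "monitor_storage_account": "fsamonitor", "monitor_account_key": "constructed-key",
    "network_security_group": "fsa-port2-nsg", "virtual_network": "fsa-vnet",
    "subnet": "fsa-port2-subnet", "vm_type": "Standard_B2ms",
    "disk_type": "StandardSSD_LRS", "allow_hot_standby": True, "idle_minutes": 0,
}

if __name__ == "__main__":
    print(check_azure_config(dict(SAMPLE, idle_minutes=30)))
```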