Import Azure settings into FortiSandbox

In FortiSandbox v3.2.0 and higher, you can import Azure settings using the Account Authentication method or the Service Principal method. These settings come from Microsoft Azure and are required to log into the Azure portal and to control the Virtual Machines and the communication between network interfaces.

In FortiSandbox Azure, some features require operations on the Azure portal. These include:

  • HA failover with cluster IP transferred to new Primary.
  • Import/install/activate/delete/startup/shutdown/communicate Customized VMs

Import using Account Authentication

To import Azure account authentication:

  1. Go to the FortiSandbox GUI.
  2. Click System > Azure Config.
    Note

    The Azure email account should be the Owner of the resource group of FortiSandbox.

    Account Type

    Select Microsoft Azure account email to import using account authentication.

    Microsoft Azure account email

    Your user ID.

    Microsoft Azure account password

    Your user password.

    Location

    Select the location you used to set up the resource group.

    Subscription ID

    Your subscription ID.

    Resource group

    The resource group.

    The User ID, password, location, Subscription ID and Resource group will be used to log into the Azure portal.

    Storage account

    Storage account name.

    This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Storage account access key

    Storage account access key.

    This access key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Monitor storage account

    Monitor account name.

    This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Monitor account access key

    Monitor account access key.

    This access key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Network security group

    The security group you created for FortiSandbox port2.

    This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox.

    The network security group will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

    Virtual Network

    Name of the virtual network you created.

    The Virtual Network name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

    Subnet

    The subnet you created for the FortiSandbox port2 interface.

    This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The subnet name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

    VM type

    The VM type of custom VM clone(s).

    • Minimum: Standard_B2ms

    • Recommended: Standard_B2ms

    Allow Hot-Standby VM

    After Allow Hot-Standby VM is enabled, FortiSandbox will perform VM initialization again to apply changes to existing custom VM clones or prepare new clone(s). See Appendix B - Reduce scan time in custom Windows VM.

    Disk Type

    The disk storage type of the newly installed custom VM.

    Disk Types:

    • Standard_LRS
    • Premium_LRS
    • StandardSSD_LRS

    After the custom VM is created, go to the Azure portal to check the Disks > Storage type of the VM.

    Idle time before deallocate custom VM instance in minutes

    FortiSandbox deallocates the custom VM instance once it has been idle, with no scan jobs, for the idle timeout value (in minutes). If you click Enabled, you must enter an idle time; a value of 0 means disabled.

    Note

    If the Idle time is enabled, the Allow Hot-Standby VM must be disabled.

  3. Click Test Connection to verify the connection is accessible and authentication is valid.
  4. Click Submit.

Import using Service Principal

To import the Azure settings using Service Principal, get the client and tenant IDs from the Azure portal and then enter them into FortiSandbox using the GUI.

Requirements:
To get client and tenant IDs in the Azure portal:
  1. In the Azure portal, go to Azure Active Directory > App registrations and locate the service principal information in the application you created.

    For information, see (Optional) Create an App registration.

  2. Go to Manage > Certificates & Secrets. The service principal information is located in the Application (client) ID and Directory (tenant) ID fields.

To import Azure service principal in FortiSandbox:

  1. In FortiSandbox, go to System > Azure Config.
  2. In FortiSandbox, enter the following Azure configuration settings and then click Submit.

    Account Type

    Select Client ID to import using the Service Principal.

    Client id

    Enter the Application (client) ID from the Azure portal.

    Client Secret

    Enter the client secret.

    Location

    The location you used to set up the resource group.

    Tenant id

    Enter the Directory (tenant) ID from the Azure portal.

    Subscription ID

    Your subscription ID.

    Resource group

    Resource group.

    The Client ID, Client Secret, Location, Subscription ID and Resource group will be used to log into the Azure portal.

    Storage account

    Storage account name.

    This name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Storage account access key

    Storage account access key.

    This key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Monitor storage account

    Monitor account name.

    This account will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Monitor account access key

    Monitor account access key.

    This key will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs.

    Network security group

    The security group you created for FortiSandbox port2.

    This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The network security group will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

    Virtual network

    Name of the virtual network you created.

    The Virtual Network name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

    Subnet

    Use the subnet created for the local Windows or Linux VM communication (port2) if one exists. Otherwise, select the management subnet.

    This port2 in FortiSandbox Azure is used to communicate with Virtual Machines in FortiSandbox. The subnet name will be used to import/install/activate/delete/startup/shutdown/communicate Customized VMs, and HA Cluster failover.

    VM Type

    The VM type of custom VM clone(s).

    • Minimum: Standard_B2ms

    • Recommended: Standard_B2ms

    Allow Hot-Standby VM

    After Allow Hot-Standby VM is enabled, FortiSandbox will perform VM initialization again to apply changes to existing custom VM clones or prepare new clone(s). See Appendix B - Reduce scan time in custom Windows VM.

    Disk Type

    The disk storage type of the newly installed custom VM.

    Disk Types:

    • Standard_LRS
    • Premium_LRS
    • StandardSSD_LRS

    After the custom VM is created, go to the Azure portal to check the Disks > Storage type of the VM.

    Idle time before deallocate custom VM instance in minutes

    FortiSandbox deallocates the custom VM instance once it has been idle, with no scan jobs, for the idle timeout value (in minutes). If you click Enabled, you must enter an idle time; a value of 0 means disabled.

    Note

    If the Idle time is enabled, the Allow Hot-Standby VM must be disabled.
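
The following pre-flight check is an added example, not Fortinet code: it validates a set of Service Principal values against the constraints in the field list above before they are entered in the GUI. The dictionary keys are hypothetical names for the GUI fields, and the GUID and storage account name formats are Azure's own rules rather than something this page states.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
STORAGE_NAME = re.compile(r"^[a-z0-9]{3,24}$")  # Azure storage account naming rule
DISK_TYPES = {"Standard_LRS", "Premium_LRS", "StandardSSD_LRS"}  # listed on the page
REQUIRED = ("location", "resource_group", "network_security_group",
            "virtual_network", "subnet", "vm_type", "storage_key", "monitor_key")


def check_settings(cfg):
    """Return a list of problems in a Service Principal settings dict.

    The dict keys are hypothetical names for the GUI fields.
    """
    problems = []
    for key in ("client_id", "tenant_id", "subscription_id"):
        if not GUID.match(cfg.get(key, "")):
            problems.append(f"{key}: not a GUID")
    secret = cfg.get("client_secret", "")
    if not secret:
        problems.append("client_secret: empty")
    elif GUID.match(secret):
        # The portal lists a GUID "Secret ID" next to the secret's Value.
        problems.append("client_secret: looks like a Secret ID, not the Value")
    for key in ("storage_account", "monitor_storage_account"):
        if not STORAGE_NAME.match(cfg.get(key, "")):
            problems.append(f"{key}: not a valid storage account name")
    for key in REQUIRED:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{key}: empty")
    if cfg.get("disk_type") not in DISK_TYPES:
        problems.append("disk_type: not one of the listed disk types")
    idle = cfg.get("idle_minutes", 0)  # 0 means the idle timeout is disabled
    if not isinstance(idle, int) or idle < 0:
        problems.append("idle_minutes: must be a non-negative integer")
    elif idle > 0 and cfg.get("hot_standby", False):
        problems.append("idle_minutes: cannot be enabled with Allow Hot-Standby VM")
    return problems


# Constructed sample values; every identifier and key below is a placeholder.
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "66666666-7777-8888-9999-000000000000",
    "subscription_id": "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb",
    "client_secret": "constructed-secret-value", "location": "eastus",
    "resource_group": "fsa-rg", "storage_account": "fsastorage01",
    "storage_key": "constructed-key", "monitor_storage_account": "fsamonitor01",
    "monitor_key": "constructed-key", "network_security_group": "fsa-port2-nsg",
    "virtual_network": "fsa-vnet", "subnet": "fsa-port2-subnet",
    "vm_type": "Standard_B2ms", "disk_type": "Standard_LRS",
    "hot_standby": False, "idle_minutes": 30,
}
```
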
