4.4.0

Prepare the GCP environment

Before deploying a FortiSandbox instance, some basic steps are required to set up the GCP environment.

Start by logging into the GCP console with a user account that has sufficient IAM permissions to create VPC networks, subnets, firewall rules, Cloud Routers, Cloud NAT gateways, and Compute Engine instances.

Set up the basic GCP environment for FortiSandbox

Create Virtual Private Cloud (VPC)

To create the VPC:
  1. Go to VPC network > VPC networks.

  2. Click CREATE VPC NETWORK.

  3. Enter the VPC Name, and click New Subnet to create a subnet for FortiSandbox port1.

  4. Click Done and continue to configure the Firewall rules.
  5. Select any of the firewall rules below that you would like to apply to this VPC network. Once the VPC network is created, you can manage all firewall rules on the Firewall rules page.

  6. Set Maximum transmission unit (MTU) to 1500 and click CREATE.
  7. Once the VPC is created, click Done.
  8. Go back to the VPC networks page and select the new VPC item. Click the Firewalls tab, then modify the firewall policy as required.

  9. FortiSandbox requires the following inbound rules:

    Type: Custom TCP

    Protocol: TCP

    Port range: allow the following ports to be accessible:

    • 443 (HTTPS, web GUI)

    • 22 (if SSH access is needed)

    • 514 (if Fortinet Fabric devices such as FortiGate and FortiMail need to submit jobs)

    • 9833 (for on-demand interactive scans)

    • 21 (FortiSandbox uses this hardcoded port on port2 to communicate with custom VM clones via FTP)

    Scope the source IP ranges of each rule as narrowly as possible. Restrict 443 and 22 to your administrative networks rather than 0.0.0.0/0, and apply the port 21 rule only to the port2 VPC with the port2 subnet as its source range, since only the custom VM clones on that subnet need to reach it. A custom VPC has no implied allow-ingress rule, so any port you do not list here stays closed.

    More rules can be added. For example, you can add a rule to allow access to FortiSandbox's MTA adapter. For more port information, see Port and access control information in the FortiSandbox Administration Guide.

  10. Repeat Steps 1-9 to create the VPC for port2 and any other required VPCs and subnets.

    Note

    FortiSandbox VM for GCP requires a minimum of two VPCs and two Subnets: one for port1 and another for port2 connection. If you plan to configure a Cluster, you will need at least three VPCs.

    • Port1 is used to access and manage FortiSandbox.

    • Port2 is used for local CUSTOM VM communication.

    • Port3 is used for HA-Cluster communication.

    Example:

    VPC: vpc-port1 > Subnet: vpc-port1-subnet (10.0.1.0/24)

    VPC: vpc-port2 > Subnet: vpc-port2-subnet (10.0.2.0/24)

    VPC: vpc-port3 > Subnet: vpc-port3-subnet (10.0.3.0/24)

Create a Cloud NAT Gateway and Cloud Router

If an instance in a VPC subnet has no external IP address but still needs to reach the Internet, create a Cloud NAT gateway and a Cloud Router for that VPC. Cloud NAT provides outbound-only connectivity: the instance can initiate connections to the Internet, but it is not reachable from the Internet, which is the safer arrangement for the port2 network where detonation clones run.

To create a Cloud NAT gateway:
  1. Go to Network Services > Cloud NAT, and click CREATE CLOUD NAT GATEWAY.
    1. In the Name field, enter a descriptive name for the gateway, for example vpc-port2-gw.
    2. Under Select Cloud Router, select the correct Network (for example, vpc-port2) and Region.

  2. Select an existing Cloud Router or create a new one to attach to the gateway.

  3. Click CREATE to create the Cloud NAT gateway.

    Note

    If the local CUSTOM VM clones require Internet connectivity when performing scanning jobs, you will need to set up a Cloud NAT gateway and Cloud Router for the VPC and subnet where port2 is located.
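The console steps above (three VPCs with subnets at MTU 1500, scoped ingress rules for port1 and port2, and a Cloud Router plus Cloud NAT for the port2 VPC) can be reproduced with the gcloud CLI. The script below is an added example, not Fortinet's code or part of this guide. The project ID, region, and the ADMIN_CIDR and FABRIC_CIDR source ranges are assumed placeholders (documentation TEST-NET ranges); the 10.0.x.0/24 subnets are the page's own example. By default it only prints the gcloud commands so the plan can be reviewed; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not Fortinet's code): builds the FortiSandbox GCP network layout
# with gcloud. PROJECT, REGION, ADMIN_CIDR and FABRIC_CIDR are assumed placeholders.
# APPLY=0 prints the commands (review the plan); APPLY=1 executes them.

PROJECT="${PROJECT:-example-fsa-project}"        # assumed project ID
REGION="${REGION:-us-central1}"                   # assumed region
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"       # constructed: admin workstations (TEST-NET-3)
FABRIC_CIDR="${FABRIC_CIDR:-198.51.100.0/24}"    # constructed: FortiGate/FortiMail submitters (TEST-NET-2)
PORT2_CIDR="10.0.2.0/24"                          # port2 subnet from the page's example
APPLY="${APPLY:-0}"

# run: print the command (APPLY=0) or execute it (APPLY=1)
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# make_vpc NAME CIDR: custom-mode VPC at MTU 1500 with one regional subnet NAME-subnet
make_vpc() {
  run gcloud compute networks create "$1" --project="$PROJECT" \
      --subnet-mode=custom --mtu=1500
  run gcloud compute networks subnets create "${1}-subnet" --project="$PROJECT" \
      --network="$1" --region="$REGION" --range="$2"
}

# allow_tcp VPC RULE PORTS SOURCES: ingress allow for the listed TCP ports, only from SOURCES.
# A custom-mode VPC has no implied allow-ingress rule, so unlisted ports stay closed.
allow_tcp() {
  run gcloud compute firewall-rules create "$2" --project="$PROJECT" --network="$1" \
      --direction=INGRESS --action=ALLOW --rules="$3" --source-ranges="$4"
}

# make_nat VPC: Cloud Router plus Cloud NAT so instances without external IPs
# can initiate outbound connections while remaining unreachable from the Internet
make_nat() {
  run gcloud compute routers create "${1}-router" --project="$PROJECT" \
      --network="$1" --region="$REGION"
  run gcloud compute routers nats create "${1}-gw" --project="$PROJECT" \
      --router="${1}-router" --region="$REGION" \
      --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips
}

# plan_all: the full layout from the guide; port3 is only needed for an HA cluster
plan_all() {
  make_vpc vpc-port1 10.0.1.0/24
  make_vpc vpc-port2 "$PORT2_CIDR"
  make_vpc vpc-port3 10.0.3.0/24
  # port1: GUI/SSH/interactive scans from admin networks, syslog job submission from Fabric devices
  allow_tcp vpc-port1 vpc-port1-allow-admin  tcp:443,tcp:22,tcp:9833 "$ADMIN_CIDR"
  allow_tcp vpc-port1 vpc-port1-allow-fabric tcp:514                 "$FABRIC_CIDR"
  # port2: FTP only from the custom VM clones, which live in the port2 subnet
  allow_tcp vpc-port2 vpc-port2-allow-ftp    tcp:21                  "$PORT2_CIDR"
  # port2 NAT so clones can reach the Internet during scans without external addresses
  make_nat vpc-port2
}

plan_all
```

Review the printed plan before running with APPLY=1; in particular confirm that no rule carries a 0.0.0.0/0 source range and that the port 21 rule is attached to vpc-port2, not vpc-port1.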
