KB ID 0001714
Problem
The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.
So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed, read on.
Solution
Getting the VM is pretty easy: Fortinet allows you to create a free login account and download the trial version. REMEMBER, you want the KVM version of the appliance!
If you didn’t know, EVE-NG (and the QEMU software that runs inside it) needs to have its images in specifically named folders. So log into your EVE-NG appliance and create a new folder:
[box]
mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
[/box]
Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂
Now copy your downloaded image into this folder. I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.
Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the images to have certain names). Then you can delete the original Zip file, and make sure the permissions are set correctly.
[box]
cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
[/box]
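A quick way to confirm the folder and disk image ended up as described above before booting the node. This is an added example, not part of the original article; the function name `check_fgt_image` is hypothetical.

```bash
#!/bin/sh
# Added example (not from the original article): sanity-check an EVE-NG
# FortiGate image folder before dropping the node into a lab.

# check_fgt_image DIR
# Returns 0 when DIR follows the layout described above; otherwise prints
# the reason to stderr and returns 1.
check_fgt_image() {
    fgt_dir="${1%/}"
    fgt_name="$(basename "$fgt_dir")"
    fgt_img="$fgt_dir/virtioa.qcow2"

    # Folder name must follow the fortinet-xxxxxxxxxx convention.
    case "$fgt_name" in
        fortinet-?*) ;;
        *) echo "folder '$fgt_name' does not start with 'fortinet-'" >&2
           return 1 ;;
    esac

    # The disk must have been renamed from fortios.qcow2 to virtioa.qcow2.
    if [ ! -f "$fgt_img" ]; then
        echo "missing $fgt_img (was fortios.qcow2 renamed?)" >&2
        return 1
    fi

    # Every qcow2 file starts with the bytes 51 46 49 fb ("QFI" + 0xfb).
    # A truncated or empty file, or a zip that was renamed instead of
    # extracted, fails this check.
    fgt_magic="$(head -c 4 "$fgt_img" | od -An -tx1 | tr -d ' \n')"
    if [ "$fgt_magic" != "514649fb" ]; then
        echo "$fgt_img is not a qcow2 image (first bytes: $fgt_magic)" >&2
        return 1
    fi
    return 0
}

# Run against a folder given on the command line, e.g. the one created above.
if [ "$#" -gt 0 ]; then
    check_fgt_image "$1" && echo "OK: $1"
fi
```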
That’s the hard part done. Log into EVE-NG, create a new lab, and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher, as only 2GB is permitted with the trial licence).
Allow Web Management Of Fortigate VM
I’ve included this bit because most articles don’t, and if I’m unfamiliar with Fortigate, then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. (Note: First you will be asked to change the Admin password). HTTP management traffic, including the admin login, is sent unencrypted, so keep port1 on an isolated lab segment.
[box]
config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http
end
[/box]
Then, from a management VM (on the same network segment), connect to the appliance and log in.
If you just see a blank screen with no logon options, see this article.