EVE-NG Deploying Fortigate v6 Firewalls

KB ID 0001714

Problem

The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.

So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed, read on.

Solution

Getting the VM is pretty easy, Fortinet allows you to create a free login account, and download the trial version. REMEMBER you want the KVM version of the appliance!

If you didn’t know EVE-NG (and the Qemu software that runs inside it) needs to have its images in certain named folders. So log into your EVE-NG  appliance and create a new folder;

[box]

mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2

[/box]

Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂

Now copy your downloaded image into this folder, I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.

Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the images to have certain names). Then you can delete the original Zip file, and make sure the permissions are set correctly.

[box]

cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

[/box]

That’s the hard part done. Log into EVE-NG create a new lab and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher though, as only 2GB is permitted with the trial licence).

Allow Web Management Of Fortigate VM

I’ve included this bit because most articles don’t, and if I’m unfamiliar with Fortigate, then some of you will be also. Essentially you setup the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. (Note: First you will be asked to change the Admin password).

[box]

config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http 
end

[/box]

Then from a management VM, (on the same network segment) connect to the appliance and log in.

If you just see a blank screen with no logon options see this article.

Related Articles, References, Credits, or External Links

NA

vSphere – Adding a Serial Port to a VM

KB ID 0001039 

Problem

I wanted to perform command line access to a virtual firewall on my home ESXi server, (a Juniper Firefly vSRX) via a console session. To do that I needed to add a serial port to that VM.

Solution

1. From Within the VI client > Select the ESXi Host > Configuration > Security Profile > Firewall Section > Properties.

2. Locate and enable ‘VM serial port connected over network’ > OK.

3. From the actual VM‘s properties, (right click > Edit settings) > Add > Serial Port > Next.

4. Connect via Network > Next.

5. Select ‘Server (VM listens for connection)’ > In Port URI enter telnet://{IP-of the ESX-Server}:2001 > Next.

Note: That’s the IP of the ESX server NOT the VM, here I’m using port 2001, but you can use 23 (standard telnet), or a random port above 1024.

6. Review the settings > Finish.

7. Now on a machine that has network connectivity to the ESX server > launch a telnet session to the VM (remember to use port 2001 as telnet defaults to 23!).

Here I’m using PuTTY but you can run ‘telnet {ip-address} {port}’ from a Windows client, (providing you have telnet enabled).

8. I’m in and working.

 

Related Articles, References, Credits, or External Links

NA