EVE-NG Deploying Fortigate v6 Firewalls

KB ID 0001714

Problem

The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.

So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed, read on.

Solution

Getting the VM is pretty easy: Fortinet allows you to create a free login account and download the trial version. REMEMBER you want the KVM version of the appliance!

If you didn’t know, EVE-NG (and the QEMU software that runs inside it) needs to have its images in specifically named folders. So log into your EVE-NG appliance and create a new folder:

mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2

Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂

Now copy your downloaded image into this folder. I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.

Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the images to have certain names). Then you can delete the original Zip file, and make sure the permissions are set correctly.

cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
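
As an added check (not part of the original article), the function below verifies on the EVE-NG host that the folder follows the fortinet- naming convention, that the disk was renamed to virtioa.qcow2, and that the file really is a qcow2 image. The helper name check_fortinet_image and the script name check.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. check_fortinet_image is a
# hypothetical helper name; the folder and file names follow the steps above.

check_fortinet_image() {
    dir=${1%/}
    img="$dir/virtioa.qcow2"
    rc=0

    # The image folder must follow the fortinet-<anything> naming convention.
    case "$(basename "$dir")" in
        fortinet-?*) ;;
        *) echo "FAIL: folder name must start with 'fortinet-'" >&2; rc=1 ;;
    esac

    # The extracted disk must have been renamed to virtioa.qcow2.
    if [ ! -f "$img" ]; then
        echo "FAIL: $img missing (was fortios.qcow2 renamed?)" >&2
        return 1
    fi

    # A qcow2 header starts with the magic bytes 'Q' 'F' 'I' 0xfb, followed
    # by a 32-bit big-endian version number that is 2 or 3.
    hdr=$(od -An -tx1 -N8 "$img" | tr -d ' \n')
    case "$hdr" in
        514649fb00000002|514649fb00000003) ;;
        *) echo "FAIL: not a qcow2 image (header=$hdr)" >&2; rc=1 ;;
    esac

    # Leftover files mean a step of the procedure was skipped.
    for f in "$dir"/*.zip "$dir"/fortios.qcow2; do
        if [ -e "$f" ]; then echo "WARN: leftover file $f" >&2; fi
    done

    if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
    return "$rc"
}

# Usage (check.sh is a hypothetical file name):
#   sh check.sh /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
if [ "$#" -gt 0 ]; then check_fortinet_image "$1"; fi
```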

That’s the hard part done. Log into EVE-NG, create a new lab, and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher, as only 2GB is permitted with the trial licence.)

Allow Web Management Of Fortigate VM

I’ve included this bit because most articles don’t, and if I’m unfamiliar with Fortigate, then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. HTTP management traffic is unencrypted, so keep this to an isolated lab segment. (Note: First you will be asked to change the Admin password.)

config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http
end

Then, from a management VM (on the same network segment), connect to the appliance and log in.

If you just see a blank screen with no logon options, see this article.


Author: PeteLong


2 Comments

  1. Hello Pete,

    I hope that I am not being too bold to ask, but I am in the process of performing a very similar task and would appreciate it very much if you would share your findings regarding the FortiGate appliance as opposed to the Cisco ASA and what your opinion is of both?

    Furthermore, would you consider pursuing a certification in FortiNet?

    Looking forward to your response.

    Regards,
    Grant

    • I think my opinions on Fortigate/Cisco are all over the site 🙂 Look at the replacing Cisco with FortiGate article, Grant.

