Virtualizing Fortigate firewall on Proxmox

Captions
For this video we'll go through the steps in virtualizing a FortiGate firewall on Proxmox. We'll set up a small topology here and take a look at how to configure FortiGate. Let us begin by going to this URL, support.fortinet.com, and click Register. This registration is a requirement so that we can download the firmware directly from the Fortinet site and use the credentials as well in activating a license. I'm entering my Gmail account in here; enter the captcha code and click Get email verification code. Here is the verification code sent to my Gmail account; copy and paste the code. Next is to create a password. We'll fill out this form to complete the registration. I'll just skip the video here after filling out the form and submitting it. The next screen is to accept the terms and conditions. We have successfully created a FortiCloud account; click Complete to finish.

Now let us log into FortiCloud, go to Support and under Downloads click VM Images. Select FortiGate for the product and select KVM for the platform. The latest firmware version is selected automatically. Look for "New deployment of FortiGate for KVM" firmware and click Download. The downloaded file has a ZIP file extension. Here is the file saved on my local Windows 11 machine; when extracted it contains one file only, with a qcow2 file extension.

Before we set up the VM, I will be activating this permanent trial just to try this out and see how it goes. Just be aware of the limitations below. One of the limitations is that we can have a maximum of 1 CPU and 2 GB of memory, so when provisioning the VM, ensure to follow this requirement. Another limitation is that we can have a maximum of three interfaces, firewall policies and routes. This seems like we are restricted, but again it's a permanent evaluation license without expiration. We can either activate the permanent evaluation license using the CLI and just go through the steps here, or activate it via the web GUI. I'll go for the GUI method for ease of doing it.

We go ahead then and create this FortiGate VM. I'll name this VM fortigate FW. Select Do not use any media, since we will not use an ISO installation file. Leave the guest OS type and version as they are. Under System, leave everything here as default. Under Disks, this will be used for the log disk; this can be as large or small as you want, and I'll leave it as 32 GB. For CPU cores, we can allocate only one core on this one, as mentioned in the limitation. I'll set the type here to host, for matching the hardware CPU. For memory, 2 GB is the limitation. For Network, this is fine for now, and we'll add network adapters later. Click Finish to confirm.

Here is a diagram of how my setup looks. I have a mini PC here running Proxmox with management IP 192.168.18.250. This mini PC comes only with one physical Ethernet port, auto-named enp1s0 in Proxmox. From this physical port it is cabled, or physically connected, to a router with gateway 192.168.18.1. I have a physical PC sitting on the same 192.168.18.x network managing the Proxmox box. Now, this enp1s0 is virtually connected to this vmbr0, which you can think of as a virtual switch. By default vmbr0 is associated, or linked, to the physical port enp1s0. Where can we find these, vmbr0 and enp1s0, in the Proxmox web admin? Click the node; under System, click Network. Here is the physical port enp1s0 that is auto-named or auto-created, which is a Network Device type. Below enp1s0 is vmbr0, which is also auto-created and is a Linux Bridge type; again, think of this as a virtual switch, and it is associated to enp1s0 by default. The two vmbrs here, vmbr1 and vmbr2, are manually created; both are Linux Bridge type. I created these virtual switches in my previous video when setting up a pfSense firewall; check that out, the link is posted in the description. Both vmbr1 and vmbr2 are not associated to the physical port enp1s0.

Back in the diagram, we know that enp1s0 is linked to vmbr0. When we provisioned this FortiGate VM earlier, net0 was the first network device added to the VM, and this will serve as our internet-facing interface, or WAN interface; therefore we need to link net0 to the virtual switch vmbr0 for this to have access to the outside network. This part of the network here is the WAN zone, and note that this is just a simulated WAN, as this network address 192.168.18.0/24 is still behind the router's LAN. This net0 will obtain an IP address via DHCP in the 192.168.18.x range provided by the router.

We'll jump to the FortiGate VM's Hardware section. The first network adapter, net0, is already linked to vmbr0, which will be for WAN, so we need to add another network adapter. Right from this FortiGate VM we'll add a second network adapter, net1, and this will act as our LAN. net1 will be linked to the virtual switch vmbr1. We'll set up a Windows 11 VM which will serve as our LAN PC and connect its network adapter net0 to vmbr1. We'll designate a network address of 192.168.1.0/24 for this LAN zone. We'll add another adapter, net2, and this will act as the DMZ network. net2 is connected to vmbr2. I'll have a Server 2022 VM on this DMZ and ensure its net0 is connected to vmbr2. The DMZ network address here will be 10.1.1.0/24. When this FortiGate VM is up and running, I'll be managing it from the same physical machine where I'm also managing Proxmox, via its DHCP-assigned IP on this net0 WAN interface.

Let us add now the two network adapters into this FortiGate VM. The second adapter will be linked to vmbr1; the third adapter will be linked to vmbr2. We have now three network adapters for this FortiGate VM: first, net0 linked to vmbr0 for WAN; second, net1 linked to vmbr1 for LAN; third, net2 linked to vmbr2 for DMZ. Here is the diagram again: net0 is connected to vmbr0 for WAN, net1 is connected to vmbr1 for LAN, and net2 is connected to vmbr2 for DMZ.

The next step is now to import the FortiGate image qcow2 file to the VM, but I need to transfer the file first from my local Windows 11 machine to Proxmox. Here in the shell we'll issue the df -kh command to show the mounted directories. This /dev/sda1 is my USB flash disk mounted as /mnt/pve/iso_files; you can watch my first video on how I mounted this one. All of my ISO files are uploaded into this directory, and I wanted also to store the FortiGate qcow2 file on this USB flash disk. We'll go to this directory with the cd command: cd /mnt/pve/iso_files. We'll issue the ls command to list the contents. I created this qcow directory in my video when installing the Sophos firewall. We'll go into this directory by typing cd qcow. Issue the ls command again; we have two qcow2 files in here already that I used for the Sophos firewall installation. I'll transfer the FortiGate qcow2 file from my local Windows 11 machine into the same directory. I'll use the WinSCP program for transferring the file; this is a free program that you can download and install. Select SCP for the file protocol, enter the Proxmox IP address 192.168.18.250 under Host name, leave the port number at 22, enter the Proxmox username root and the password, then click Login. We are in the root directory. Click this folder with an arrow icon, which will go to the main directory. Select mnt, select pve, select iso_files, select qcow. We have these two qcow2 files, just like what we saw in the Proxmox shell. This left section here is my local machine directory; let me go to the directory where the qcow2 file is at. I'll select the fortios.qcow2 file and drag it to the right-side section to transfer the file. Back in the Proxmox shell, issue the ls command, and now we have the fortios.qcow2 file in here.

We'll issue now qm importdisk, the VM ID 107, followed by the file name fortios.qcow2, then local-lvm for the local storage. The file has been successfully imported. We'll go now to the FortiGate VM's Hardware section; we have this Unused Disk 0. Double-click on this, select Write back for cache, check Discard and click Add. This is the hard disk scsi1 that we just added, which I will select as the primary disk when booting this up. Change the boot order by going to Options, double-click Boot Order, uncheck scsi0, uncheck ide2 and uncheck net0, check scsi1 and click OK. We are ready to start this VM.

The system is up and we are required to log in. Type admin, which is the default user; the password is blank by default, so just press Enter. In here we are forced to create a password for the admin user, so let us create one. I must have pressed the Enter key a couple of times here. By default, the FortiGate VM's first network interface will be in DHCP mode and management is enabled on it as well, so we need to know what IP address the first network interface has obtained so that we can manage this FortiGate from that assigned IP. Issue this command: get system interface physical. The first network interface, port1, as expected, is set to DHCP mode. This port1 interface obtained the IP address 192.168.18.113. To verify that management is enabled on port1, we'll enter the command show system interface. We already know it's in DHCP mode; for allowaccess we have ping, https, ssh, http and fgfm for management access enabled on this interface. Let's see if we can access the FortiGate web management. I'll open a new tab here on my local machine's browser and type 192.168.18.113. Surely we can get to the login screen; enter the user admin and the password.

We got a banner here saying this VM is not licensed or the license is invalid. As I have mentioned before, I'll activate the permanent trial license on this VM. Select Evaluation License; this is the same limitation we have seen in the document. To activate the permanent trial, enter the FortiCloud credentials that we signed up with earlier. I'm not a government user, then click OK. Updating the license will cause the system to reboot; we'll click OK to continue. After the reboot we'll log back in. We'll click Begin to complete the setup. I'll just click Later here for Migrate config with FortiConverter. Disable automatic patch upgrade for now, save and continue. Click the box to acknowledge that we have disabled automatic patch upgrade and that we can change the setting when we want to. For the dashboard setup I'll go for Optimal, but again this can be changed. It shows you a video here for what's new in FortiOS 7.4; we'll just click OK. At last we are in the main dashboard. We can find System Information in here; under System Information we can find the hostname, serial number, firmware version, mode, system time, uptime and WAN IP. We can see the license, allocated CPU and allocated RAM. We can see the running CPU usage; on the right side we can also see the memory usage. This dashboard can be customized to your liking.

We'll go ahead and check the interfaces by going to Network and Interfaces. So port1 is the first network interface and it has obtained the DHCP IP 192.168.18.113. Under administrative access, ping, https, ssh, http and FMG-Access are enabled. port2 and port3 are not configured yet. Let us edit port1 by double-clicking on it. I'll add an alias name here, WAN, since this is the internet-facing interface, and set the role to WAN. I leave it as DHCP. For administrative access, leave it as it is as well, and click OK. There, the alias name WAN is added for port1. Now we'll go ahead and edit port2. The alias name for this one is LAN, the role will be set to LAN, and the addressing mode will be manual. I'll assign the IP 192.168.1.1 255.255.255.0. In the drawing here I'll update this net1 interface for the LAN with an IP of 192.168.1.1. For administrative access I'll check https, ssh and ping. I will enable the DHCP server on this LAN; the address range will start at 192.168.1.100 and end at 192.168.1.200. I leave the default gateway the same as the interface IP we assigned, 192.168.1.1. For the DNS server I leave this as Same as System DNS. Ensure that the status is enabled and click OK. port2 for LAN is now configured with a static IP and DHCP enabled.

Let us go to the Windows 11 VM, but before we start this VM let us examine the network adapter in the Hardware section. It looks like it is associated to vmbr0; in our drawing here, the Windows 11 VM's net0 should be linked to vmbr1. Edit net0 by double-clicking and change it from vmbr0 to vmbr1. We can start this VM then. It appears from the network icon below that this Windows 11 VM has no internet access. When examining the Ethernet details, it has obtained an IP address via DHCP of 192.168.1.100. Let us ping google.com from the command prompt, and it's not resolving to an IP address; it must be a DNS issue. Opening the Edge browser and going to google.com, it can't reach the page, saying google.com's server IP address could not be found. Is the issue related to a firewall rule? Let us go and check the FortiGate firewall rules then. Let's go to Policy & Objects and click Firewall Policy. I'll choose Use New Layout. There's only one firewall rule in here, the implicit deny. This rule means any source to any destination and any service will be denied. This is the reason why we can't ping google.com nor access it from the Edge browser.

Let us create a new firewall rule. I'll name this firewall rule LAN to WAN. The incoming interface is LAN (port2); the outgoing interface will be WAN (port1). For the source I'll create an object and name it LAN; for the type, leave it as subnet and put the LAN subnet address 192.168.1.0 255.255.255.0. For the destination I'll select all, which means anything on the internet. Schedule is always, which means this rule will be active all the time. For service I'll choose ALL, which means any ports or protocols, including HTTP, HTTPS, DNS, ICMP, etc. Action is accept. By default we leave this NAT enabled. There's an option to add security profiles in here for antivirus, web filter, DNS filter, application control, IPS, file filter and SSL inspection; I'll leave these off for now. Logging is enabled; this policy is also enabled. Let's click OK then. There is a message here saying entries have changed since last load; we'll click Reload Now. Here is the first firewall rule we have added, for the LAN to WAN traffic direction. We can see the name LAN to WAN, source coming from the LAN subnet 192.168.1.0/24, destination is all, schedule is always, service is ALL, action is accept, NAT enabled, security profiles none. In here let us check the Windows 11 VM, whether it can access google.com or not with this newly added firewall rule in place. Pinging google.com works this time, and google.com in the Edge browser is reachable too. We have verified that Windows 11 VM traffic in the LAN subnet 192.168.1.0/24 is allowed to pass through the FortiGate firewall to reach the internet.

I'll do the same for the Server 2022 in the DMZ subnet, allowing traffic from Server 2022 to pass through the firewall and access the internet. We need to configure port3, assign an IP and set this to DMZ. Go to Interfaces and double-click port3 to edit it. I'll add the alias name DMZ, set the role to DMZ and assign the IP address 10.1.1.1 255.255.255.0. In the diagram, let us update this net2 interface IP to 10.1.1.1. For administrative access I'll enable only ping. As you can see, there is no DHCP anywhere in here. Does this mean that when setting the interface role to DMZ, DHCP is not an option? Let me change the role from DMZ to LAN to verify. Indeed, the DHCP server is an option for the LAN role and not for the DMZ role. We just need to assign a static IP at the Server 2022 VM then. port3 for DMZ is now configured with the static IP 10.1.1.1; it has ping for administrative access and no DHCP. Let's add a firewall rule for the DMZ to WAN traffic direction. I'll name it DMZ to WAN; incoming interface DMZ (port3), outgoing interface WAN (port1). For the source I'll create an object for the subnet 10.1.1.0/24; the destination will be all, schedule is always, service is ALL, action is accept, NAT is on, no security profiles for now. Click OK. The firewall rule for the DMZ to WAN traffic direction is now configured: traffic coming from the source DMZ subnet going to all destinations, active all the time, service is ALL, action is accept, NAT is enabled. This is exactly the same as the LAN to WAN firewall rule except for the source.

In the Server 2022 VM's Hardware section, change net0 from vmbr0 to vmbr2 and start this VM. Then it says no internet. What do you think is happening here? Does this machine obtain an IP address or not? Remember that there is no DHCP option for the DMZ role. The Ethernet is configured by default as DHCP, but since there is no DHCP on DMZ port3 at the FortiGate firewall, this machine will auto-assign a 169 IP address. So what we need here is to assign a static IP on the Server 2022 machine. Edit the network properties and select Use the following IP address. I'll set an IP address of 10.1.1.100, the subnet mask is 255.255.255.0, the default gateway is 10.1.1.1 and the DNS server IP is 8.8.8.8. In the command prompt now we are able to ping google.com, and in the Edge browser google.com is also accessible. Back in the diagram, this Server 2022 VM on this DMZ network 10.1.1.0/24 is allowed to pass traffic through the firewall going out to the internet.

I'm going to check whether the Windows 11 VM can ping the Server 2022 VM. Is this allowed? It should not be, since there is no firewall rule, right? In the command prompt, let's try to ping 10.1.1.100; as expected, it is timing out. Let us create a new firewall rule for LAN to DMZ traffic. I'll name this rule LAN to DMZ; the incoming interface is LAN (port2), the outgoing interface is DMZ (port3), the source is the LAN subnet 192.168.1.0/24, the destination is the DMZ network 10.1.1.0/24, service is ALL, action is accept. For NAT I'll switch it off; we don't need NAT when communicating internally, the IP should be retained as it is. We now have a third firewall rule, for traffic from LAN to DMZ. Going back to Windows 11 and pinging the Server 2022 IP, it is now reachable. In the firewall rule we can see the traffic usage in here.

Is traffic from Server 2022 allowed to ping Windows 11? This is not possible, again, since there is no allowing firewall rule. In the command prompt of the Windows Server 2022 VM, pinging the Windows 11 VM IP 192.168.1.100 is timing out. Let us create another firewall rule; however, the Create New button is grayed out. There is a message saying the maximum number of firewall policy entries has been reached, delete existing ones to proceed. Looks like we reached the limitation on this permanent evaluation license, that we can only have a maximum of three firewall policies. Just to proceed, for my purpose of showing that the traffic from DMZ to LAN is not allowed unless a firewall rule is created, we'll just delete this DMZ to WAN firewall rule. Now we can create a new firewall rule; this will be for DMZ to LAN traffic: incoming interface DMZ (port3), outgoing to LAN (port2), source DMZ network, destination is the LAN network, schedule is always, service is any, action is accept, disable NAT, click OK. Server 2022 still can't ping the Windows 11 IP 192.168.1.100. From Windows 11 the ping is still fine going to 10.1.1.100, the Server 2022. It must be the Windows firewall blocking ICMP. Let us turn off the Windows Defender Firewall on this Windows 11 VM. Ping is working now, and we can see traffic usage for this DMZ to LAN firewall rule. Just be aware of this limitation in this permanent evaluation license.

That is all I wanted to share here. If this helps you in any way, I'd appreciate the like, and you may consider subscribing to the channel. In the next video I'll set up the GNS3 VM. Until then, take care and see you in the next video.
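The Proxmox side of the procedure above (create the VM within the trial limits, import the qcow2, attach it as scsi1, boot from it, add the LAN and DMZ adapters) as a reproducible script. This is an added example by the editor, not code from the video, Proxmox or Fortinet; it builds the `qm` command lines instead of clicking through the wizard and refuses values that exceed the evaluation-license limits the video quotes. Assumptions, also marked in the code: the imported volume is named `vm-<vmid>-disk-1` (the wizard's log disk is disk-0), the SCSI controller is VirtIO SCSI, and VMID 107, the image path and the bridge names are the ones used in the video.

```python
"""Proxmox `qm` command sequence for a FortiGate-VM guest (editor's example, not Proxmox/Fortinet code)."""
import shlex
import subprocess
from typing import List

# Limits of the FortiGate-VM permanent evaluation license, as quoted in the video.
TRIAL_MAX_CORES = 1
TRIAL_MAX_MEMORY_MB = 2048
TRIAL_MAX_INTERFACES = 3


def provision_commands(vmid: int, name: str, image: str, storage: str, bridges: List[str],
                       log_disk_gb: int = 32, cores: int = 1, memory_mb: int = 2048) -> List[List[str]]:
    """Return the qm invocations, in order, as argv lists; nothing is executed here."""
    if cores > TRIAL_MAX_CORES:
        raise ValueError(f"trial license allows at most {TRIAL_MAX_CORES} CPU core")
    if memory_mb > TRIAL_MAX_MEMORY_MB:
        raise ValueError(f"trial license allows at most {TRIAL_MAX_MEMORY_MB} MB of memory")
    if not 1 <= len(bridges) <= TRIAL_MAX_INTERFACES:
        raise ValueError(f"trial license allows 1..{TRIAL_MAX_INTERFACES} interfaces")
    if not image.endswith(".qcow2"):
        raise ValueError("expected the fortios .qcow2 extracted from the download ZIP")

    v = str(vmid)
    cmds = [
        # 1. Create the VM as the wizard does: no ISO, host CPU type, 1 core, 2 GB,
        #    a 32 GB log disk on scsi0 and net0 on the WAN bridge (vmbr0 in the video).
        ["qm", "create", v, "--name", name, "--ostype", "l26", "--cores", str(cores), "--cpu", "host",
         "--memory", str(memory_mb), "--scsihw", "virtio-scsi-pci",
         "--scsi0", f"{storage}:{log_disk_gb},cache=writeback,discard=on",
         "--net0", f"virtio,bridge={bridges[0]}"],
        # 2. Import the FortiOS system image; Proxmox registers it as an unused disk.
        ["qm", "importdisk", v, image, storage],
        # 3. Attach it as scsi1 with write-back cache and discard, as in the GUI. Volume naming is
        #    an assumption: the wizard's log disk is vm-<vmid>-disk-0, so the import becomes disk-1.
        ["qm", "set", v, "--scsi1", f"{storage}:vm-{v}-disk-1,cache=writeback,discard=on"],
        # 4. Boot only from the FortiOS disk (the GUI step that unchecks scsi0, ide2 and net0).
        ["qm", "set", v, "--boot", "order=scsi1"],
    ]
    # 5. One adapter per remaining bridge: net1 for LAN, net2 for DMZ.
    for idx, bridge in enumerate(bridges[1:], start=1):
        cmds.append(["qm", "set", v, f"--net{idx}", f"virtio,bridge={bridge}"])
    return cmds


def render(cmds: List[List[str]]) -> str:
    """Shell-quoted script text, one command per line, for review before running."""
    return "\n".join(shlex.join(c) for c in cmds)


def run(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Print each command; execute it too when dry_run is False (run as root on the Proxmox node)."""
    for c in cmds:
        print(shlex.join(c))
        if not dry_run:
            subprocess.run(c, check=True)


if __name__ == "__main__":
    # Values from the video: VMID 107, image on the USB-backed ISO directory, local-lvm storage.
    run(provision_commands(107, "fortigate-FW", "/mnt/pve/iso_files/qcow/fortios.qcow2",
                           "local-lvm", ["vmbr0", "vmbr1", "vmbr2"]))
```

Run it with `dry_run=True` first and read the output; `qm importdisk` prints the volume ID it actually created, so confirm that it matches the `disk-1` assumption before the `--scsi1` step. The checks at the top are the point: a VM provisioned with two cores or 4 GB boots, but the trial license will refuse to activate on it.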
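The ruleset the video arrives at (LAN to WAN and DMZ to WAN with NAT, LAN to DMZ without NAT, everything else falling to the implicit deny) as a small model together with the FortiOS CLI equivalent of the GUI steps. This is an added example by the editor, not Fortinet's code and not from the video. It reproduces first-match policy lookup on ingress interface, routed egress interface and address objects, raises on a fourth policy just as the trial-licensed GUI greys out Create New, and prints the CLI the video says could be used instead of the GUI (CLI syntax written from memory of FortiOS 7.x; verify it against your build). Address-object names and policy IDs are my own. Note that port1 keeps ping, https, ssh, http and fgfm administrative access exactly as the video leaves it; on anything but a lab WAN behind a home router you would trim that list to what you actually need.

```python
"""Three-zone FortiGate ruleset model (editor's example, not Fortinet code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRIAL_MAX_POLICIES = 3  # firewall-policy ceiling quoted in the video for the permanent trial


@dataclass
class Interface:
    name: str                               # FortiGate port name (port1..port3)
    alias: str                              # WAN / LAN / DMZ
    role: str                               # wan / lan / dmz
    cidr: Optional[str] = None              # None = DHCP client, as port1 in the video
    allowaccess: Tuple[str, ...] = ()       # management services on this interface
    dhcp: Optional[Tuple[str, str]] = None  # DHCP server scope (only the LAN role offers it)


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str                            # address object name or "all"
    dstaddr: str
    nat: bool = True                        # on for outbound policies, off for LAN -> DMZ


class FortiGateModel:
    def __init__(self, interfaces: List[Interface], addresses: Dict[str, str], policies: List[Policy]):
        if len(policies) > TRIAL_MAX_POLICIES:  # same condition that greys out Create New in the GUI
            raise ValueError("The maximum number of firewall policy entries has been reached")
        self.interfaces, self.addresses, self.policies = interfaces, addresses, policies
        self.wan = next(i.name for i in interfaces if i.role == "wan")

    def _in(self, obj: str, ip: ipaddress.IPv4Address) -> bool:
        return obj == "all" or ip in ipaddress.ip_network(self.addresses[obj], strict=False)

    def egress(self, ip: ipaddress.IPv4Address) -> str:
        """Interface that routes to ip: a connected subnet, else the WAN default route."""
        for i in self.interfaces:
            if i.cidr and ip in ipaddress.ip_network(i.cidr, strict=False):
                return i.name
        return self.wan

    def evaluate(self, src: str, dst: str) -> Tuple[str, bool]:
        """First matching policy (top-down) and whether it NATs; otherwise the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sif, dif = self.egress(s), self.egress(d)  # ingress is the interface owning the source subnet
        for p in self.policies:
            if (p.srcintf, p.dstintf) == (sif, dif) and self._in(p.srcaddr, s) and self._in(p.dstaddr, d):
                return p.name, p.nat
        return "implicit deny", False

    def to_cli(self) -> str:
        """FortiOS CLI equivalent of the GUI steps (syntax from memory; verify on your build)."""
        o = ["config system interface"]
        for i in self.interfaces:
            o += [f'    edit "{i.name}"', f'        set alias "{i.alias}"', f"        set role {i.role}"]
            if i.cidr:
                a = ipaddress.ip_interface(i.cidr)
                o += ["        set mode static", f"        set ip {a.ip} {a.netmask}"]
            else:
                o.append("        set mode dhcp")
            o += ["        set allowaccess " + " ".join(i.allowaccess), "    next"]
        o += ["end", "config system dhcp server"]
        for n, i in enumerate([i for i in self.interfaces if i.dhcp], start=1):
            a = ipaddress.ip_interface(i.cidr)
            o += [f"    edit {n}", f'        set interface "{i.name}"', f"        set default-gateway {a.ip}",
                  f"        set netmask {a.netmask}", "        config ip-range", "            edit 1",
                  f"                set start-ip {i.dhcp[0]}", f"                set end-ip {i.dhcp[1]}",
                  "            next", "        end", "    next"]
        o += ["end", "config firewall address"]
        for name, cidr in self.addresses.items():
            net = ipaddress.ip_network(cidr, strict=False)
            o += [f'    edit "{name}"', f"        set subnet {net.network_address} {net.netmask}", "    next"]
        o += ["end", "config firewall policy"]
        for n, p in enumerate(self.policies, start=1):
            o += [f"    edit {n}", f'        set name "{p.name}"', f'        set srcintf "{p.srcintf}"',
                  f'        set dstintf "{p.dstintf}"', f'        set srcaddr "{p.srcaddr}"',
                  f'        set dstaddr "{p.dstaddr}"', "        set action accept", '        set schedule "always"',
                  '        set service "ALL"', f"        set nat {'enable' if p.nat else 'disable'}",
                  "        set logtraffic all", "    next"]
        return "\n".join(o + ["end"])


# Topology and addressing as stated in the video; object names and policy order are my choice.
INTERFACES = [
    Interface("port1", "WAN", "wan", None, ("ping", "https", "ssh", "http", "fgfm")),
    Interface("port2", "LAN", "lan", "192.168.1.1/24", ("ping", "https", "ssh"), ("192.168.1.100", "192.168.1.200")),
    Interface("port3", "DMZ", "dmz", "10.1.1.1/24", ("ping",)),
]
ADDRESSES = {"LAN": "192.168.1.0/24", "DMZ": "10.1.1.0/24"}
POLICIES = [
    Policy("LAN to WAN", "port2", "port1", "LAN", "all", nat=True),
    Policy("DMZ to WAN", "port3", "port1", "DMZ", "all", nat=True),
    Policy("LAN to DMZ", "port2", "port3", "LAN", "DMZ", nat=False),
]
FW = FortiGateModel(INTERFACES, ADDRESSES, POLICIES)

if __name__ == "__main__":
    for src, dst in [("192.168.1.100", "8.8.8.8"), ("192.168.1.100", "10.1.1.100"), ("10.1.1.100", "192.168.1.100")]:
        print(f"{src} -> {dst}: {FW.evaluate(src, dst)}")
    print(FW.to_cli())
```

`evaluate` answers the questions the video tests by hand: the Windows 11 VM reaches 8.8.8.8 only once the LAN to WAN policy exists, LAN to DMZ matches with NAT off so the DMZ server sees the real 192.168.1.100, and DMZ to LAN is the implicit deny until a policy is added; adding that fourth policy raises the same error the GUI shows, which is why the video deletes DMZ to WAN first. When the Windows ping still fails after the DMZ to LAN policy, the cleaner fix than disabling Windows Defender Firewall is an inbound ICMPv4 allow rule on the Windows 11 VM.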
Info
Channel: Practical Kri
Views: 1,005
Keywords: virtualizing fortigate, how to virtualize fortigate as virtual machine, virtualize fortigate on proxmox, install and configure fortigate as virtual machine on proxmox, fortigate virtual machine on proxmox, setup fortigate as virtual machine
Id: nY7CVtsTLro
Length: 44min 33sec (2673 seconds)
Published: Mon Apr 22 2024