Bootstrap Configuration Example for FortiGate Firewall in Azure

Using the bootstrap option significantly simplifies Fortinet FortiGate initial configuration setup.

In this document, we provide a bootstrap example to set up an "Allow All" firewall policy, firewall health check policy and static routes for the FortiGate to validate that traffic is indeed sent to the FortiGate for VNet-to-VNet traffic inspection.

For a manual setup, follow the manual setup example.

There are two ways to configure Fortinet FortiGate via bootstrap configuration.

If you plan to select Azure Storage when you create your Azure-based FortiGate firewall using a bootstrap configuration, you must follow the below sections.

If you plan to select User Data when you create your Azure-based FortiGate firewall using a bootstrap configuration, click here to complete the bootstrap configuration.

FortiGate Using Azure Blob

Creating Storage Account and Private Container

Log in to Azure's console and create a storage account and a private container in Azure Blob for the bootstrap files, with a unique name (for example "bootstrap-fortigate"), using steps 2 and 3 in this guide and the following structure:

Storage Account
    Container
        fortigatebootstrap/
            init.txt
            license.txt

Uploading Config Files

  1. The example init.conf file contains the "Allow All" setup. To download the file, click init.txt.

  2. For the example license.lic file (optional), click license.txt.

  3. Upload these two files in the blob. Please follow Step 4 in this guide.
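Because the downloadable init.txt is not reproduced on this page, the following is an illustrative bootstrap configuration of the kind described above: an added example, not Aviatrix's or Fortinet's file. The interface roles (port1 public, port2 LAN facing the Aviatrix gateway) and the subnet gateway addresses 10.10.1.1 and 10.10.2.1 are assumptions to replace with your deployment's values.

```fortios
# Illustrative FortiGate bootstrap (init.txt) for the validation setup on this
# page. NOT the page's downloadable file. Assumed layout (replace as needed):
#   port1 = Azure public/management subnet, gateway 10.10.1.1
#   port2 = Azure LAN subnet towards the Aviatrix gateway, gateway 10.10.2.1
# Health checks from the Aviatrix gateway arrive as ICMP on the LAN interface.
config system interface
    edit "port2"
        set allowaccess ping
    next
end
# RFC 1918 space is routed back towards the Aviatrix gateway on port2;
# everything else (Internet) leaves via port1. These are the routes to verify
# after the 15-minute boot described below.
config router static
    edit 1
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.10.2.1
        set device "port2"
    next
    edit 2
        set dst 172.16.0.0 255.240.0.0
        set gateway 10.10.2.1
        set device "port2"
    next
    edit 3
        set dst 192.168.0.0 255.255.0.0
        set gateway 10.10.2.1
        set device "port2"
    next
    edit 4
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.10.1.1
        set device "port1"
    next
end
# "Allow All" is for the validation step only: it proves that VNet-to-VNet
# traffic is hairpinned through the FortiGate. Logging every session makes
# each test ping visible in the traffic log.
config firewall policy
    edit 1
        set name "allow-all-validation"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Replace the allow-all policy with your real rule set once the validation ping in the last section succeeds.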

Launching the FortiGate Instance

  1. Follow Step 5 in the Fortinet Azure Administration Guide to obtain the SAS URL for Configuration and License.

  2. Follow these steps to launch the firewall instance.

  3. Fill in the required fields for Azure Storage.

    Advanced Field     Example Value
    Storage            Azure Storage Name (e.g. transitbootstrapstorage)
    Container          Private Container Name (e.g. fortigatebootstrap)
    SAS URL Config     SAS Config URL (as per step 1 above)
    SAS URL License    SAS License URL (as per step 1 above)

  4. Click Deploy.

  5. Wait 15 minutes for the firewall to boot and initialize. You should then verify that the RFC 1918 and Internet static routes are present in the FortiGate firewall.

Log in to the HTTPS interface of the public IP with username "admin" and the password specified in the example FortiGate Bootstrap Configuration. For initial FortiGate login information, go to ZENDESK_TITLE. You must be registered to access the Aviatrix Customer Support website. If you are not already registered, you can sign up at https://support.aviatrix.com.

Validating Configurations and Policies

Now your firewall instance is ready to receive packets.

The next step is to validate your configurations and policies using FlightPath and Diagnostic Tools (ping, traceroute, etc.).

Launch one instance in the PROD Spoke VNet and one in the DEV Spoke VNet. Start pinging from the instance in the DEV Spoke VNet to the private IP of the instance in the PROD Spoke VNet. The ICMP traffic should go through the firewall and be inspected there.