Fortinet
Set up a Fortinet Firewall on CoreWeave Cloud
Currently, the only supported Fortinet Firewall product on CoreWeave Cloud is FGT_VM64_KVM
.
Note
CoreWeave is not currently not able to supply Fortinet licenses. Licenses will need to be purchased separately from Fortinet.
Setup
Before getting started on this guide, bear the following prerequisites in mind:
You must have a Fortinet account in order to have access to FortiGate images.
Your L2VPC must be created before the firewall is deployed.
Acquiring the FortiGate image
The FortiGate image must be imported into your CoreWeave namespace by downloading the image file from the Fortinet website, then imported using a Kubernetes manifest.
Tip
If you'd prefer some assistance in this process, reach out to your CoreWeave Support Specialist.
In the future, a selection of images will be available right from the Cloud, removing the need for a manual import.
First, navigate to the Fortinet Firmware Images and Software Releases catalog. From the drop-down menu, select the FortiGate product.
From the Download tab, select the FortiGate version you would like to download. In the example shown here, version 7.2.1
is selected.
Scroll down until the image file is accessible. In this example, the file is named FGT_VM64_KVM-v7.2.1.F-build1254-FORTINET.out.kvm.zip
. Click on the filename to download the file.
Once the download is complete, extract the image file, then upload it to a publicly accessible URL, such as a CoreWeave Object Storage public bucket.
Importing the FortiGate image
The FortiGate image will be imported into a new block storage volume, which is created using a Kubernetes manifest such as the one described below.
The fields that comprise this manifest are:
Option name | Description |
---|---|
| The name to assign to the block storage that will contain the FortiGate image |
| Your namespace |
| The source URL for the unpacked QCOW2 image |
| A storage device ( |
| The access modes for the block storage to be created; see Storage for more information |
| Specifies the type of storage volume this will be; for importing purposes, |
| The name to give the storage class |
| The size of the volume to be created |
Additional Resources
Read our documentation on importing external images for more information.
Example manifest
Applying the manifest
To apply the manifest and initialize the image import, use kubectl apply
:
Verifying the import
The kubectl --watch
command can be used to track the progress of your import:
The import will go through four phases:
Pending
ImportScheduled
ImportInProgress
Succeeded
Once the import has reached the Succeeded
status, you are ready to proceed.
Note
If the import does not start, refer to the importing external images documentation or reach out to your CoreWeave Support Specialist.
Deploying FortiGate
Now that the image is accessible within your CoreWeave namespace, we'll use a Kubernetes manifest to deploy the FortiGate instance.
The fields that comprise this manifest are:
Option Name | Instructions |
---|---|
| The name to assign to the FortiGate Firewall |
| The name of your VPC(s)
Note: Multiple VPCs can be specified by adding additional |
| Specifies whether or not the CoreWeave networking IP should be publicly accessible; for most instances, this will be |
| Correlates to the license you have purchased; refer to Fortinet's FortiGate-VM virtual licenses and resources guide for more information |
| The name of the data volume created earlier (for this example, |
| Your namespace |
Example manifest
A complete manifest for deploying the FortiGate instance looks similar to the following example.
Once this manifest is composed, use kubectl apply
to apply the manifest and begin provisioning the instance:
To verify the deployment's status, use the --watch
option:
This command will also display the EXTERNAL IP
attached to your FortiGate instance.
Once the STATUS
changes to VirtualServerReady
, you will be able to reach your FortiGate instance via HTTP or console.
Note
It could take up to one minute for the FortiGate instance to be fully loaded and accessible.
Accessing FortiGate
There are two ways to access your newly deployed FortiGate instance. The first is by using your browser to navigate to the provisioned address of the instance, and the second is by using the virtctl
console to access the instance's address.
Using HTTP
Note
HTTPS connections to your FortiGate instance will require a license. Only HTTP or the CLI console may be used to access the instance before a license is acquired.
As shown earlier, the external IP address provisioned for the FortiGate instance can be obtained by running:
To access the instance from your browser, navigate to http://<EXTERNAL IP ADDRESS>
. The default username is admin
. Leave the password field empty, then click the Login button.
Important
Please change your default password immediately, especially if your FortiGate is exposed to the Internet via an external IP address.
The next screen will prompt you to change your password. It is highly recommended to create a strong, unique password.
Using the virtctl
console
virtctl
consoleThe virtctl
console can be used to access the FortiGate instance by invoking:
This will launch the console log-in prompts:
The default username is admin.
The password field should be left blank, then hit the return key.
Security
It is strongly advised to set up access to your FortiGate either via your VPC interface or via an IPSec tunnel. Then, from the Interfaces -> Administrative Access panel, disable all administrative access except for PING
on the public-facing interface (port1
).
Important
Ensure that your connection is through a VPC interface or an IPSec tunnel before disabling administrative access on the WAN interface. Should you lose access, the console may be used to restore any needed permissions.
Additional Resources
For additional information on Fortinet, consult the Fortinet Documents Library.
Last updated