Fortinet
Set up a Fortinet Firewall on CoreWeave Cloud
Currently, the only supported Fortinet Firewall product on CoreWeave Cloud is `FGT_VM64_KVM`.
Note
CoreWeave is not currently able to supply Fortinet licenses. Licenses must be purchased separately from Fortinet.
Before getting started on this guide, bear the following prerequisites in mind:
The FortiGate image must be imported into your CoreWeave namespace by downloading the image file from the Fortinet website, then importing it using a Kubernetes manifest.
Tip
In the future, a selection of images will be available right from the Cloud, removing the need for a manual import.
First, navigate to the Fortinet Firmware Images and Software Releases catalog. From the drop-down menu, select the FortiGate product.
From the Download tab, select the FortiGate version you would like to download. In the example shown here, version `7.2.1` is selected.
The Fortinet Firmware Images and Software Releases catalog with listed downloads
Scroll down until the image file is accessible. In this example, the file is named `FGT_VM64_KVM-v7.2.1.F-build1254-FORTINET.out.kvm.zip`. Click on the filename to download the file.
Once the download is complete, extract the image file, then upload it to a publicly accessible URL, such as a CoreWeave Object Storage public bucket.
The FortiGate image will be imported into a new block storage volume, which is created using a Kubernetes manifest such as the one described below.
The fields that comprise this manifest are:
Option name | Description |
---|---|
metadata.name | The name to assign to the block storage that will contain the FortiGate image |
metadata.namespace | Your namespace |
spec.source.http.url | The source URL for the unpacked QCOW2 image |
pvc | A storage device (`PersistentVolumeClaim`) will be created to import the image; this stanza configures that device |
pvc.accessModes | |
pvc.volumeMode | Specifies the type of storage volume this will be; for importing purposes, Block is appropriate |
storageClassName | The name to give the storage class |
resources.requests.storage | The size of the volume to be created |
```yaml
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: fgt721
  namespace: tenant-example
spec:
  source:
    http:
      url: "http://example.com/fgt721.qcow2"
  pvc:
    accessModes:
      - ReadWriteOnce
    volumeMode: Block
    storageClassName: block-nvme-lga1
    resources:
      requests:
        storage: 2Gi
```
To apply the manifest and initialize the image import, use `kubectl apply`:
```
$ kubectl apply -f fgt721-dv.yaml
datavolume.cdi.kubevirt.io/fgt721 created
```
The `kubectl get --watch` command can be used to track the progress of your import:
```
$ kubectl get --watch datavolume fgt721
NAME     PHASE              PROGRESS   RESTARTS   AGE
fgt721   Pending            N/A                   3s
fgt721   ImportScheduled    N/A                   25s
fgt721   ImportInProgress   N/A                   39s
fgt721   ImportInProgress   0.00%                 51s
fgt721   ImportInProgress   10.57%                58s
fgt721   ImportInProgress   49.75%                78s
...
fgt721   Succeeded          100.0%                97s
```
The import will go through four phases:
1. `Pending`
2. `ImportScheduled`
3. `ImportInProgress`
4. `Succeeded`
Once the import has reached the `Succeeded` status, you are ready to proceed.
Note
If the import does not start, refer to the importing external images documentation or reach out to your CoreWeave Support Specialist.
Now that the image is accessible within your CoreWeave namespace, we'll use a Kubernetes manifest to deploy the FortiGate instance.
The fields that comprise this manifest are:
Option Name | Instructions |
---|---|
metadata.name | The name to assign to the FortiGate Firewall |
spec.network.vpcs.name | The name of your VPC(s). Note: Multiple VPCs can be specified by adding additional `- name: vpc` items to the `vpcs.name` list |
spec.public | Specifies whether or not the CoreWeave networking IP should be publicly accessible; for most instances, this will be true |
resources | Correlates to the license you have purchased; refer to Fortinet's FortiGate-VM virtual licenses and resources guide for more information |
storage.root.source.pvc.name | |
storage.root.source.pvc.namespace | Your namespace |
Example manifest
A complete manifest for deploying the FortiGate instance looks similar to the following example.
```yaml
apiVersion: virtualservers.coreweave.com/v1alpha1
kind: VirtualServer
metadata:
  name: fgt-prod1
spec:
  initializeRunning: true
  network:
    vpcs:
      - name: vpc-lga1
    public: true
    directAttachLoadBalancerIP: true
  os:
    definition: a
    type: linux
  region: LGA1
  resources:
    cpu:
      count: 1
      type: amd-epyc-milan
    definition: a
    memory: 2Gi
  storage:
    root:
      accessMode: ReadWriteOnce
      size: 2Gi
      source:
        pvc:
          name: fgt721
          namespace: tenant-example
      storageClassName: block-nvme-lga1
      volumeMode: Block
```
Once this manifest is composed, use `kubectl apply` to apply the manifest and begin provisioning the instance:
```
$ kubectl apply -f fgt-prod1.yaml
virtualserver.virtualservers.coreweave.com/fgt-prod1 created
```
To verify the deployment's status, use the `--watch` option:
```
$ kubectl get --watch virtualserver fgt-prod1
NAME STATUS REASON STARTED INTERNAL IP EXTERNAL IP
fgt-prod1 Pending Waiting for DataVolume to be ready - CSICloneInProgress False 216.153.61.23
fgt-prod1 Pending Waiting for VirtualMachineInstance to be ready False 216.153.61.23
fgt-prod1 Pending Waiting for VirtualMachine to be ready False 216.153.61.23
fgt-prod1 Pending virt-launcher pod has not yet been scheduled False 216.153.61.23
fgt-prod1 Pending Guest VM is not reported as running False 216.153.61.23
fgt-prod1 VirtualServerReady VirtualServerReady True 216.153.61.23 216.153.61.23
```
This command will also display the `EXTERNAL IP` attached to your FortiGate instance.
Once the `STATUS` changes to `VirtualServerReady`, you will be able to reach your FortiGate instance via HTTP or console.
Note
It could take up to one minute for the FortiGate instance to be fully loaded and accessible.
There are two ways to access your newly deployed FortiGate instance. The first is by using your browser to navigate to the provisioned address of the instance, and the second is by using the `virtctl` console to access the instance's address.
Note
HTTPS connections to your FortiGate instance will require a license. Only HTTP or the CLI console may be used to access the instance before a license is acquired.
As shown earlier, the external IP address provisioned for the FortiGate instance can be obtained by running:
$ kubectl get --watch virtualserver <name-of-fortigate-pod>
To access the instance from your browser, navigate to `http://<EXTERNAL IP ADDRESS>`. The default username is `admin`. Leave the password field empty, then click the Login button.
Important
Please change your default password immediately, especially if your FortiGate is exposed to the Internet via an external IP address.

The FortiGate login screen
The next screen will prompt you to change your password. It is highly recommended to create a strong, unique password.

The FortiGate change password prompt
$ virtctl console fgt-prod1
This will launch the console log-in prompts:
Successfully connected to fgt-prod1 console. The escape sequence is ^]
FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!
FortiGate-VM64-KVM #
The default username is `admin`. Leave the password field blank and press the return key.
It is strongly advised to set up access to your FortiGate either via your VPC interface or via an IPSec tunnel. Then, from the Interfaces -> Administrative Access panel, disable all administrative access except for `PING` on the public-facing interface (`port1`).
Important
Ensure that your connection is through a VPC interface or an IPSec tunnel before disabling administrative access on the WAN interface. Should you lose access, the console may be used to restore any needed permissions.

The administrative access panel on the Fortinet Web portal
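As an added example (not part of the original guide), the shell function below checks a FortiOS interface configuration, such as the output of `show system interface` captured over the console, and reports any administrative access other than ping on a given interface. The sample configuration is constructed for illustration, and `audit_allowaccess` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of FortiOS `show system interface` output
# (illustrative only, not taken from a real device).
SAMPLE_CONFIG='config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http
        set type physical
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping https ssh
        set type physical
    next
end'

# audit_allowaccess IFACE  (hypothetical helper)
# Reads FortiOS interface configuration on stdin and prints every
# administrative-access protocol other than ping enabled on IFACE.
# Returns 0 when only ping (or nothing) is allowed, 1 otherwise.
audit_allowaccess() {
    extra=$(awk -v want="$1" '
        $1 == "edit" { gsub(/"/, "", $2); cur = $2 }   # entering an interface block
        $1 == "next" { cur = "" }                      # leaving it
        cur == want && $1 == "set" && $2 == "allowaccess" {
            for (i = 3; i <= NF; i++) if ($i != "ping") printf "%s ", $i
        }')
    extra=${extra% }            # drop the trailing separator
    [ -z "$extra" ] && return 0
    echo "$extra"
    return 1
}

# CLI equivalent of the panel change described above, entered on the
# FortiGate console once VPC or IPSec access is confirmed:
#   config system interface
#       edit port1
#           set allowaccess ping
#       next
#   end

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | audit_allowaccess port1 >/dev/null ||
    echo "port1: administrative access beyond ping is enabled"
```

Run the function against the internal interface as well to confirm that management access is still enabled there before restricting `port1`.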