Set up a Fortinet Firewall on CoreWeave Cloud
Currently, the only supported Fortinet Firewall product on CoreWeave Cloud is
Before getting started on this guide, bear the following prerequisites in mind:
In the future, a selection of images will be available right from the Cloud, removing the need for a manual import.
From the Download tab, select the FortiGate version you would like to download. In the example shown here, version
The Fortinet Firmware Images and Software Releases catalog with listed downloads
Scroll down until the image file is accessible. In this example, the file is named
FGT_VM64_KVM-v7.2.1.F-build1254-FORTINET.out.kvm.zip. Click on the filename to download the file.
The fields that comprise this manifest are:
To apply the manifest and initialize the image import, use
$ kubectl apply -f fgt721-dv.yaml
The kubectl --watch command can be used to track the progress of your import:
$ kubectl get --watch datavolume fgt721
NAME PHASE PROGRESS RESTARTS AGE
fgt721 Pending N/A 3s
fgt721 ImportScheduled N/A 25s
fgt721 ImportInProgress N/A 39s
fgt721 ImportInProgress 0.00% 51s
fgt721 ImportInProgress 10.57% 58s
fgt721 ImportInProgress 49.75% 78s
fgt721 Succeeded 100.0% 97s
The import will go through four phases:
Once the import has reached the Succeeded status, you are ready to proceed.
Now that the image is accessible within your CoreWeave namespace, we'll use a Kubernetes manifest to deploy the FortiGate instance.
The fields that comprise this manifest are:
A complete manifest for deploying the FortiGate instance looks similar to the following example.
- name: vpc-lga1
Once this manifest is composed, use kubectl apply to apply the manifest and begin provisioning the instance:
$ kubectl apply -f fgt-prod1.yaml
To verify the deployment's status, use the
$ kubectl get --watch virtualserver fgt-prod1
NAME STATUS REASON STARTED INTERNAL IP EXTERNAL IP
fgt-prod1 Pending Waiting for DataVolume to be ready - CSICloneInProgress False 18.104.22.168
fgt-prod1 Pending Waiting for VirtualMachineInstance to be ready False 22.214.171.124
fgt-prod1 Pending Waiting for VirtualMachine to be ready False 126.96.36.199
fgt-prod1 Pending virt-launcher pod has not yet been scheduled False 188.8.131.52
fgt-prod1 Pending Guest VM is not reported as running False 184.108.40.206
fgt-prod1 VirtualServerReady VirtualServerReady True 220.127.116.11 18.104.22.168
This command will also display the EXTERNAL IP attached to your FortiGate instance.
VirtualServerReady, you will be able to reach your FortiGate instance via HTTP or console.
It could take up to one minute for the FortiGate instance to be fully loaded and accessible.
There are two ways to access your newly deployed FortiGate instance. The first is by using your browser to navigate to the provisioned address of the instance, and the second is by using the virtctl console to access the instance's address.
HTTPS connections to your FortiGate instance will require a license. Only HTTP or the CLI console may be used to access the instance before a license is acquired.
$ kubectl get --watch virtualserver <name-of-fortigate-pod>
To access the instance from your browser, navigate to http://<EXTERNAL IP ADDRESS>. The default username is admin. Leave the password field empty, then click the Login button.
Please change your default password immediately, especially if your FortiGate is exposed to the Internet via an external IP address.
The FortiGate login screen
The next screen will prompt you to change your password. It is highly recommended to create a strong, unique password.
The FortiGate change password prompt
$ virtctl console fgt-prod1
This will launch the console log-in prompts:
Successfully connected to fgt-prod1 console. The escape sequence is ^]
FortiGate-VM64-KVM login: admin
You are forced to change your password. Please input a new password.
The default username is admin. Leave the password field blank, then press the return key.
It is strongly advised to set up access to your FortiGate either via your VPC interface or via an IPSec tunnel. Then, from the Interfaces -> Administrative Access panel, disable all administrative access except for PING on the public-facing interface (
Ensure that your connection is through a VPC interface or an IPSec tunnel before disabling administrative access on the WAN interface. Should you lose access, the console may be used to restore any needed permissions.
The administrative access panel on the Fortinet Web portal
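
One way to verify the lockdown described above, as an added example that is not part of the original guide or of Fortinet's or CoreWeave's tooling: this Python code parses the output of the FortiOS CLI command show system interface and reports any administrative protocol other than PING that is still enabled on the interfaces you name as public-facing. The interface names (port1 to port3) and the sample configuration are constructed assumptions.

```python
# Constructed FortiOS "show system interface" excerpt; the interface names and
# settings are assumptions for this example, not values from the guide.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "port3"
        set mode dhcp
    next
end
"""

def parse_allowaccess(config_text):
    """Map each interface to the set of protocols on its 'set allowaccess' line."""
    access, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            depth += 1
        elif words[0] == "end":
            depth -= 1
        elif depth != 1:
            continue  # skip nested tables such as "config ipv6"
        elif words[0] == "edit" and len(words) > 1:
            current = words[1].strip('"')
            access[current] = set()  # no allowaccess line: nothing enabled
        elif words[0] == "next":
            current = None
        elif current and words[:2] == ["set", "allowaccess"]:
            access[current] = set(words[2:])
    return access

def audit_public(config_text, public_ifaces, permitted=frozenset({"ping"})):
    """Return {interface: sorted protocols to disable} for public interfaces."""
    access = parse_allowaccess(config_text)
    # access[name] raises KeyError when a named interface is absent from the config
    extras = {name: sorted(access[name] - permitted) for name in public_ifaces}
    return {name: extra for name, extra in extras.items() if extra}
```

An empty result from audit_public means the named interfaces allow nothing beyond PING; run it against a saved copy of the configuration only after confirming management access through the VPC interface or IPSec tunnel.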