Skip to main content

Set up a Fortinet Firewall on CoreWeave Cloud


Currently, the only supported Fortinet Firewall product on CoreWeave Cloud is FGT_VM64_KVM.


CoreWeave is not currently not able to supply Fortinet licenses. Licenses will need to be purchased separately from Fortinet.


Before getting started on this guide, bear the following prerequisites in mind:

Acquiring the FortiGate image

The FortiGate image must be imported into your CoreWeave namespace by downloading the image file from the Fortinet website, then imported using a Kubernetes manifest.


If you'd prefer some assistance in this process, reach out to your CoreWeave Support Specialist.

In the future, a selection of images will be available right from the Cloud, removing the need for a manual import.

First, navigate to the Fortinet Firmware Images and Software Releases catalog. From the drop-down menu, select the FortiGate product.

From the Download tab, select the FortiGate version you would like to download. In the example shown here, version 7.2.1 is selected.

The Fortinet Firmware Images and Software Releases catalog with listed downloads

Scroll down until the image file is accessible. In this example, the file is named Click on the filename to download the file.

Once the download is complete, extract the image file, then upload it to a publicly accessible URL, such as a CoreWeave Object Storage public bucket.

Importing the FortiGate image

The FortiGate image will be imported into a new block storage volume, which is created using a Kubernetes manifest such as the one described below.

The fields that comprise this manifest are:

Option nameDescription
metadata.nameThe name to assign to the block storage that will contain the FortiGate image
metadata.namespaceYour namespace
spec.source.http.urlThe source URL for the unpacked QCOW2 image
pvcA storage device (PersistentVolumeClaim) will be created to import the image; this stanza configures that device
pvc.accessModesThe access modes for the block storage to be created; see Storage for more information
pvc.volumeModeSpecifies the type of storage volume this will be; for importing purposes, Block is appropriate
storageClassNameThe name to give the storage class
resources.requests.storageThe size of the volume to be created
Additional Resources

Read our documentation on importing external images for more information.

Example manifest

kind: DataVolume
name: fgt721
namespace: tenant-example
url: ""
- ReadWriteOnce
volumeMode: Block
storageClassName: block-nvme-lga1
storage: 2Gi

Applying the manifest

To apply the manifest and initialize the image import, use kubectl apply:

$ kubectl apply -f fgt721-dv.yaml created

Verifying the import

The kubectl --watch command can be used to track the progress of your import:

$ kubectl get --watch datavolume fgt721

fgt721 Pending N/A 3s
fgt721 ImportScheduled N/A 25s
fgt721 ImportInProgress N/A 39s
fgt721 ImportInProgress 0.00% 51s
fgt721 ImportInProgress 10.57% 58s
fgt721 ImportInProgress 49.75% 78s
fgt721 Succeeded 100.0% 97s

The import will go through four phases:

  1. Pending
  2. ImportScheduled
  3. ImportInProgress
  4. Succeeded

Once the import has reached the Succeeded status, you are ready to proceed.


If the import does not start, refer to the importing external images documentation or reach out to your CoreWeave Support Specialist.

Deploying FortiGate

Now that the image is accessible within your CoreWeave namespace, we'll use a Kubernetes manifest to deploy the FortiGate instance.

The fields that comprise this manifest are:

Option NameInstructions
metadata.nameThe name to assign to the FortiGate Firewall name of your VPC(s). Note: Multiple VPCs can be specified by adding additional - name: vpc items to the list
spec.publicSpecifies whether or not the CoreWeave networking IP should be publicly accessible; for most instances, this will be true
resourcesCorrelates to the license you have purchased; refer to Fortinet's FortiGate-VM virtual licenses and resources guide for more information
storage.root.source.pvc.nameThe name of the data volume created earlier (for this example, fgt721)
storage.root.source.pvc.namespaceYour namespace

Example manifest

A complete manifest for deploying the FortiGate instance looks similar to the following example.

kind: VirtualServer
name: fgt-prod1
initializeRunning: true
- name: vpc-lga1
public: true
directAttachLoadBalancerIP: true
definition: a
type: linux
region: LGA1
count: 1
type: amd-epyc-milan
definition: a
memory: 2Gi
accessMode: ReadWriteOnce
size: 2Gi
name: fgt721
namespace: tenant-example
storageClassName: block-nvme-lga1
volumeMode: Block

Once this manifest is composed, use kubectl apply to apply the manifest and begin provisioning the instance:

$ kubectl apply -f fgt-prod1.yaml created

To verify the deployment's status, use the --watch option:

$ kubectl get --watch virtualserver fgt-prod1

fgt-prod1 Pending Waiting for DataVolume to be ready - CSICloneInProgress False
fgt-prod1 Pending Waiting for VirtualMachineInstance to be ready False
fgt-prod1 Pending Waiting for VirtualMachine to be ready False
fgt-prod1 Pending virt-launcher pod has not yet been scheduled False
fgt-prod1 Pending Guest VM is not reported as running False
fgt-prod1 VirtualServerReady VirtualServerReady True

This command will also display the EXTERNAL IP attached to your FortiGate instance.

Once the STATUS changes to VirtualServerReady, you will be able to reach your FortiGate instance via HTTP or console.


It could take up to one minute for the FortiGate instance to be fully loaded and accessible.

Accessing FortiGate

There are two ways to access your newly deployed FortiGate instance. The first is by using your browser to navigate to the provisioned address of the instance, and the second is by using the virtctl console to access the instance's address.

Using HTTP


HTTPS connections to your FortiGate instance will require a license. Only HTTP or the CLI console may be used to access the instance before a license is acquired.

As shown earlier, the external IP address provisioned for the FortiGate instance can be obtained by running:

$ kubectl get --watch virtualserver <name-of-fortigate-pod>

To access the instance from your browser, navigate to http://<EXTERNAL IP ADDRESS>. The default username is admin. Leave the password field empty, then click the Login button.


Please change your default password immediately, especially if your FortiGate is exposed to the Internet via an external IP address.

The FortiGate login screen

The next screen will prompt you to change your password. It is highly recommended to create a strong, unique password.

The FortiGate change password prompt

Using the virtctl console

The virtctl console can be used to access the FortiGate instance by invoking:

$ virtctl console fgt-prod1

This will launch the console log-in prompts:

Successfully connected to fgt-prod1 console. The escape sequence is ^]

FortiGate-VM64-KVM login: admin
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:

FortiGate-VM64-KVM #

The default username is admin. The password field should be left blank, then hit the return key.


It is strongly advised to set up access to your FortiGate either via your VPC interface or via an IPSec tunnel. Then, from the Interfaces -> Administrative Access panel, disable all administrative access except for PING on the public-facing interface (port1).


Ensure that your connection is through a VPC interface or an IPSec tunnel before disabling administrative access on the WAN interface. Should you lose access, the console may be used to restore any needed permissions.

The administrative access panel on the Fortinet Web portal
Additional Resources

For additional information on Fortinet, consult the Fortinet Documents Library.