
Copyright IBM Corporation 2017 Page 1 of 10

FortiGate-VM on IBM Cloud
Solution Architecture
Date: 2017-12-22


Table of Contents

1 Introduction ........................................ 4
1.1 About FortiGate-VM ................................ 4
1.2 Background ........................................ 4
1.3 Key Benefits ...................................... 5
2 Design .............................................. 6
2.1 Overview .......................................... 6
2.2 FortiGate-VM Deployment ........................... 6
    Virtual machine configuration ..................... 7
    Network configuration ............................. 8
    VMware DRS and reservations ....................... 8
    Caveats ........................................... 8
Appendix A—License Requirements ....................... 9
Appendix B—Reference .................................. 10

List of Figures

Figure 1 VMware Cloud Foundation on IBM Cloud ......................... 4
Figure 2 FortiGate-VM on IBM Cloud High Level Components .............. 6
Figure 3 Overview of a FortiGate-VM networking configuration .......... 7

List of Tables

Table 1 FortiGate-VM virtual machine summary .......................... 7


Summary of Changes

This section records the history of significant changes to this document. Only the most significant changes are described here.

Version   Date         Author                Description of Change
1.0       2017-12-22   Jack Benney           Initial Release
                       Frank Chodacki
                       Daniel De Araujo
                       Bob Kellenberger
                       Simon Kofkin-Hansen
                       Scott Moonen
                       Jim Robbins


1 Introduction

1.1 About FortiGate-VM

The purpose of this document is to define and describe the FortiGate-VM architecture for the vCenter Server and VMware Cloud Foundation offerings deployed in the IBM Cloud. Specifically, it details the components of the solution and the high-level configuration of each component in the design. This solution is considered an additional component and extension of both the vCenter Server solution offering and the VMware Cloud Foundation solution offering on IBM Cloud. As a result, this document does not cover the existing configuration of the foundation solutions on IBM Cloud. It is therefore highly recommended to review and understand the VMware on IBM Cloud solution architecture located on the IBM Architecture Center before reading this document.

Figure 1 VMware Cloud Foundation on IBM Cloud

1.2 Background

IBM Cloud for VMware Solutions offers a variety of solutions to meet your network security requirements. The base offering includes VMware NSX for integrated virtual networking and security. Additional network security features are available with the FortiGate-VM offering, which provides Fortinet's next-generation firewall (NGFW) capabilities in the form of a highly available pair of virtual FortiGate appliances.

IBM Cloud also offers a FortiGate Security Appliance offering, which is focused on providing perimeter firewall, NAT and VPN services in the form of a physical appliance. Visit the IBM Architecture Center to see the FortiGate Security Appliance solution architecture.


1.3 Key Benefits

Several licensing options are available for FortiGate-VM on IBM Cloud. The Standard FW licensing tier offers the following capabilities:

• Ingress / egress firewall rules including stateful packet inspection
• VLAN protection and advanced logging
• SSL / IPsec VPN

The Standard FW + UTM tier adds the following capabilities:

• Next-generation firewall (NGFW) intrusion prevention system (IPS) and web filtering
• Anti-virus and anti-spam
• IP and domain reputation

The Standard FW + Enterprise tier adds the following additional capabilities:

• FortiSandbox advanced detection
• Mobile security service


2 Design

2.1 Overview

The FortiGate-VM solution complements the IBM Cloud for VMware Solutions offerings by providing next-generation firewall (NGFW) capabilities for networks within your VMware on IBM Cloud cluster. These services are provided by one or more pairs of FortiGate virtual appliances deployed to your vSphere cluster.

Figure 2 FortiGate-VM on IBM Cloud High Level Components

2.2 FortiGate-VM Deployment

FortiGate-VM does not replace NSX but rather complements and enhances the existing NSX architecture. FortiGate-VM can be installed into either VMware Cloud Foundation (VCF) or vCenter Server (VCS) instances on IBM Cloud. In both scenarios, FortiGate-VM is deployed as a pair of virtual appliances with one network interface (port1) configured for management access and nine available network interfaces in the client's data plane. With appropriate configuration of networks and routes, you can use FortiGate-VM to provide network security between all tiers of your network topology. Figure 3 shows an overview of one possible instantiation of this architecture, where FortiGate is protecting ingress into a web server as well as communications between various tiers of a web application.


Figure 3 Overview of a FortiGate-VM networking configuration

The FortiGate-VM solution can be combined with other networking components for additional functionality. For example, VMware NSX offers basic load balancing capabilities, and F5 BIG-IP offers advanced load balancing capabilities for your applications and services. Refer to the IBM Architecture Center for information on these complementary solutions.

Virtual machine configuration

The FortiGate-VM offering is deployed as a pair of virtual machines within your primary vSphere cluster to enable a high availability configuration. The configuration of the appliances follows a small, medium or large template. Depending on the deployment size that you select at the time of deployment, the appliances are deployed with the configuration shown in Table 1:

Attribute           Small Deployment   Medium Deployment   Large Deployment
CPU                 2 vCPU             4 vCPU              8 vCPU
RAM                 4 GB               6 GB                12 GB
High availability   Two appliances deployed to enable high availability (all sizes)
Disk usage          Two disks (2 GB and 30 GB) totaling 32 GB on the cluster's management datastore (all sizes)
Disk backing        Management datastore: vSAN or IBM Cloud Endurance, as applicable (all sizes)

Table 1 FortiGate-VM virtual machine summary

Although two virtual machines are deployed, FortiGate HA is not preconfigured by the IBM Cloud automation. This is because you have a variety of choices for network, routing, and HA configuration, including VRRP and FortiGate Cluster Protocol (FGCP). After the FortiGate virtual appliances have been deployed, you must log in to them and implement your desired configuration; until you do, the second appliance provides no failover.
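Because the pair is not clustered by the automation, the following FortiOS 5.2 CLI fragment is an added example (not from this document or the IBM Cloud automation) of an active-passive FGCP cluster that keeps port1 as a reserved management interface, so the IBM-assigned management address on each unit is excluded from configuration synchronisation and port1 itself is never reassigned. It assumes port2 has been moved to a dedicated heartbeat port group and port3/port4 carry monitored data-plane traffic; the group name, password placeholder, priorities and management gateway are assumptions.

```fortios
# Run on each appliance; give the peer a lower priority (e.g. 100).
# Assumed names: heartbeat on port2, monitored data-plane links on port3/port4.
# FGCP uses virtual MAC addresses, so the port groups carrying these
# interfaces need promiscuous mode enabled, as the Network configuration
# section notes.
config system ha
    set group-name "FGT-IBMCLOUD"            # assumed; must match on both units
    set mode a-p                             # active-passive FGCP
    set password "CHANGE-ME-HA-SECRET"       # placeholder; use a strong shared secret
    set hbdev "port2" 50                     # heartbeat interface and priority (assumed port2)
    set priority 200                         # higher value is preferred primary; 100 on the peer
    set override disable                     # no forced failback when the old primary returns
    set session-pickup enable                # synchronise sessions so failover keeps flows alive
    set monitor "port3" "port4"              # fail over if a monitored data-plane link goes down
    set ha-mgmt-status enable                # reserve a management interface outside config sync
    set ha-mgmt-interface "port1"            # port1 keeps its IBM-assigned address on each unit
    set ha-mgmt-interface-gateway 10.0.0.1   # placeholder gateway for the management VLAN
end
```

The trailing comments are for the reader and are not FortiOS syntax; strip them before pasting.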


Network configuration

Management interface

The FortiGate virtual appliances are deployed with ten network interfaces. All interfaces are attached to the management VLAN using the SDDC-DPortGroup-Mgmt port group. A management IP address is assigned by the IBM Cloud automation only to the first interface, port1. You should not re-assign or re-configure this management interface.

A firewall rule and source NAT rule are created on the management NSX Edge Services Gateway (ESG) to allow the device to connect to the public network using http and https only. This is to allow license management, and it is not recommended to change these rules as it could lead to the license being deactivated.

Firewall interfaces

The remaining interfaces are attached to the management VLAN using the SDDC-DPortGroup-Mgmt port group, but are left inactive with no IP address assigned; you may reassign them to different networks as needed for firewall purposes. If you plan to use either the IBM Cloud public VLAN or private VLAN for either interface, you must order your own subnets from the IBM Cloud portal for use with the FortiGate virtual appliances.

Note: In certain modes of operation, FortiGate requires its interfaces to operate in promiscuous mode. Remember to enable promiscuous mode when needed.
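As an added example (not from this document), the Figure 3 pattern of inspecting traffic between application tiers can be expressed in FortiOS 5.2 CLI once two of the spare interfaces have been reassigned to tier port groups: a default-deny posture with a single explicit, logged policy. The interface roles, subnets and address object names are assumptions, and the IPS sensor lines assume the Standard FW + UTM tier.

```fortios
# Assumed: port2 reassigned to the web-tier port group, port3 to the app-tier port group.
config system interface
    edit "port2"
        set vdom "root"
        set alias "web-tier"
        set ip 10.10.10.1 255.255.255.0     # assumed gateway address for the web tier
        set allowaccess ping                # no admin access (https/ssh) on data-plane ports
    next
    edit "port3"
        set vdom "root"
        set alias "app-tier"
        set ip 10.10.20.1 255.255.255.0     # assumed gateway address for the app tier
        set allowaccess ping
    next
end
config firewall address
    edit "web-servers"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "app-servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end
# FortiOS drops any traffic not matched by a policy, so only this flow is permitted
# between the tiers; everything else (including app -> web) hits the implicit deny.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "web-servers"
        set dstaddr "app-servers"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all                  # log every session for detection and forensics
        set utm-status enable               # requires the Standard FW + UTM tier
        set ips-sensor "protect_http_server"
    next
end
```

The trailing comments are for the reader and are not FortiOS syntax; strip them before pasting.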

VMware DRS and reservations

Because it provides time-sensitive networking services, FortiGate-VM should be configured to ensure that it has adequate resources. The IBM Cloud automation configures a reservation to ensure that the virtual appliances receive their full allotment of CPU and memory.

In order to assure high availability, the IBM Cloud automation also creates a DRS anti-affinity rule to restrict the two FortiGate-VM virtual appliances from running on the same host.

Caveats

It is not possible to change the licensing tier or licensed throughput of your FortiGate-VM deployment once it has been deployed. In order to achieve this, you must deploy a new instance of FortiGate-VM, migrate your configuration to the new instance, and delete the original instance.


Appendix A—License Requirements

This architecture requires FortiGate-VM licensing from Fortinet. IBM Cloud automation provisions the FortiGate-VM license based on your chosen license tier and deployment size. Your IBM Cloud monthly bill will reflect your order and ongoing usage of FortiGate-VM.

The FortiGate virtual appliances require outbound connectivity to Fortinet licensing servers to activate and maintain their license. This connectivity is preconfigured as described in section 2.2.2.1 and should not be re-configured.


Appendix B—Reference

Additional information about IBM Cloud and FortiGate-VM on IBM Cloud can be found at the following sites:

• IBM Cloud Architecture Center for Virtualization:
  https://www.ibm.com/cloud/garage/content/architecture/virtualizationArchitecture/

• FortiOS 5.2 online documentation:
  http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortiOS-HTML5-v2/OnlineHelpPage.htm

• FortiGate high availability configuration:
  http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-high-availability-52/HA_intro.htm