Adding FortiAuthenticator VM into Proxmox
I have previously written a blog article about Adding FortiGate VM into Proxmox, which is a relatively straightforward process. Unfortunately, there are a few caveats that have to be taken into account when doing the same procedure with the FortiAuthenticator. This article will serve as a comprehensive guide to adding the FortiAuthenticator into Proxmox.
- FortiAuthenticator (5.5.x)
- Proxmox (5.3.x)
Examining Contents of FortiAuthenticator Files
The files associated with the FortiAuthenticator image are unique in that they include a “fackvm.xml.tmpl”. This file is important because it explains the exact virtual machine definitions that are required for this FortiAuthenticator to work. Deviating from these recommendations will cause the FortiAuthenticator VM not to boot.
Reviewing an abbreviated version of this file, we see the following settings:
<devices>
  <emulator>/usr/bin/qemu-kvm</emulator>
  <disk type='file' device='disk'>
    <driver name='qemu' type='qcow2'/>
    <source file='@@IMAGE_DRIVE@@'/>
    <target dev='vda' bus='virtio'/>
    <alias name='virtio-disk0'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
  </disk>
  <disk type='file' device='disk'>
    <driver name='qemu' type='qcow2'/>
    <source file='@@DATA_DRIVE@@'/>
    <target dev='vdb' bus='virtio'/>
    <alias name='virtio-disk1'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
  </disk>
  <interface type='bridge'>
    <mac address='@@MAC1@@'/>
    <source bridge='@@PORT1_BR@@'/>
    <target dev='vnet0'/>
    <model type='virtio'/>
    <alias name='net0'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
  </interface>
</devices>
According to the above snippet, we see that the FortiAuthenticator is specified to work with the following resources:
Please note: This partially differs from the default settings required by the FortiGate VM.
Uploading the FortiAuthenticator Image to Proxmox
Now that the FortiAuthenticator virtual machine settings are known, we can proceed with uploading the image for this VM to the Proxmox server. To do so, perform the following steps:
1. Transfer the file to Proxmox via WinSCP
Prepare the FortiAuthenticator Image File (ZFS Only)
Once the file has been uploaded to the Proxmox server, you will need to make sure that it is compatible with the VM datastore you intend to store it to. If you are using a non-ZFS datastore, you can potentially skip this step. However, since I am using ZFS as my primary datastore, it is imperative that the steps in the related article are followed so that the image will run.
Create the FortiAuthenticator VM
A Virtual Machine must be created in Proxmox before you can copy the FortiAuthenticator image file. To create a VM, follow the steps below:
1. Log into Proxmox GUI | Click “Create VM”
2. On the “Create: Virtual Machine | General” tab, set the “Name” (i.e. fortiauth-vm) | Click “Next”
3. On the “Create: Virtual Machine | OS” tab, set “Do not use any media”; “Guest OS – Type: Linux”; “Guest OS – Version: 4.X/3.X/2.6 Kernel” | Click “Next”
4. On the “Create Virtual Machine: Hard Disk” tab, set “Bus/Device: VirtIO Block”; “Storage: <vm datastore>” (non-ZFS); “Disk size (GiB): 2”; “Format: Raw disk image (raw)” | Click “Next”
Please Note: Bus/Device is set to “VirtIO Block” as instructed by the template file accompanying the image files.
5. On the “Create Virtual Machine: CPU” tab, leave the defaults | Click “Next”
6. On the “Create Virtual Machine: Memory” tab, set “Memory (MiB): 1024” | Click “Next”
7. On the “Create: Virtual Machine | Network” tab, set the “Bridge: <VM Bridge>”; “Model: VirtIO (Paravirtualized)” | Click “Next”
8. On the “Create: Virtual Machine | Confirm” tab, confirm the settings | Click “Finish”
Adding an Extra Hard Drive for Logs
Once the VM has been created, it is recommended to add an extra hard drive that the FortiAuthenticator can use for logging purposes. To do this, follow the steps below:
1. In Proxmox, Select the VM | Click “Hardware” | Click “Add | Hard Drive”
2. On the “Add: Hard Disk” dialog, set “Bus/Device: VirtIO Block”; “Storage: <VM datastore>” (ZFS); “Disk size (GiB): 16” | Click “Add”
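With both disks and the network interface defined, the VM's hardware can be checked against the device section of the template before the image is copied over. The script below is an added example, not part of the original article or the Fortinet files: it reads the disk buses and NIC model from the template and compares them with a VM config in the "key: value" form that `qm config <vmid>` prints. The sample config and the mapping from a libvirt bus name to a Proxmox disk key are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Device section of fackvm.xml.tmpl, trimmed to the elements this check reads.
TEMPLATE = """<devices>
  <disk type='file' device='disk'>
    <source file='@@IMAGE_DRIVE@@'/>
    <target dev='vda' bus='virtio'/>
  </disk>
  <disk type='file' device='disk'>
    <source file='@@DATA_DRIVE@@'/>
    <target dev='vdb' bus='virtio'/>
  </disk>
  <interface type='bridge'>
    <model type='virtio'/>
  </interface>
</devices>"""

# Constructed VM config in Proxmox's qemu-server .conf format (sample values).
SAMPLE_CONF = """name: fortiauth-vm
net0: e1000=DE:AD:BE:EF:00:01,bridge=vmbr0
scsi0: local:100/vm-100-disk-1.raw,size=2G
virtio1: local-zfs:vm-100-disk-2,size=16G
"""

def required_devices(template_xml):
    """Return (disk buses, NIC models) that the libvirt template expects."""
    root = ET.fromstring(template_xml)
    disks = [d.find("target").get("bus") for d in root.iter("disk")]
    nics = [i.find("model").get("type") for i in root.iter("interface")]
    return disks, nics

def check_conf(conf_text, template_xml=TEMPLATE):
    """List mismatches between a Proxmox VM config and the template's devices."""
    disks, nics = required_devices(template_xml)
    keys = dict(l.split(": ", 1) for l in conf_text.splitlines() if ": " in l)
    problems = []
    for n, bus in enumerate(disks):   # assumed mapping: libvirt bus X -> key X<n>
        if f"{bus}{n}" not in keys:
            problems.append(f"disk {n}: expected {bus}{n}")
    for n, model in enumerate(nics):  # Proxmox form: net<n>: <model>=<MAC>,...
        got = re.match(r"[^=,]+", keys.get(f"net{n}", ""))
        if not got or got.group(0) != model:
            problems.append(f"net{n}: expected model {model}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_conf(SAMPLE_CONF)) or "config matches template")
```

The sample config is deliberately wrong (first disk on SCSI, NIC set to e1000), so the script reports both deviations. The disk image format is not compared, since this guide uses raw disks rather than the qcow2 type named in the template.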
Overwrite VM Disk with FortiAuthenticator Image
Now that the resources for the FortiAuthenticator VM are provisioned, the image can be copied over in preparation for powering on the FortiAuthenticator. To do this, follow the steps below:
1. In the CLI of Proxmox, copy the FortiAuthenticator image over the existing hard disk for the VM by using the following command:
cp -v fackvm.raw /var/lib/vz/images/<vm id>/vm-<vm id>-disk-1.raw
Please note: To see the file update reflected in the Proxmox GUI, you can use the command below:
qm rescan --vmid <id of VM>
Move FortiAuthenticator VM Disk to ZFS (Only if you use ZFS)
The last step before powering on the FortiAuthenticator is to move the VM image to the ZFS partition which supports running virtual machine images. To do this, follow the steps below:
1. In Proxmox, click the FortiAuthenticator VM | “Hardware” | “Hard Disk (virtio0)” | “Move disk”
2. In the “Move disk” dialog box, set “Target Storage:” to your ZFS storage (i.e. local-zfs) | Set “Delete source:” to enabled | Click “Move Disk”
If the copy was successful, you will see “Task OK” at the bottom of the “Task viewer: VM <ID> – Move Disk” dialog box as shown in the screenshot below:
If you get an error when attempting this due to “volume block size”, make sure to check out the article on how to fix this common error.
Powering on FortiAuthenticator VM
Once the VM file is in the correct location, the FortiAuthenticator can be powered on for initial configuration. To do so, follow the steps below:
1. In Proxmox, Click the FortiAuthenticator VM | Click “Start”
2. Click the FortiAuthenticator VM | Click “Console”
3. Once the FortiAuthenticator login prompt is shown, log in with the default credentials:
At this point, you are ready to configure the FortiAuthenticator.