Automatically Provision FortiGate VM with Cloud-Init in Proxmox
Have you ever wanted to deploy a FortiGate virtual machine in your favorite hypervisor (Proxmox, of course) but dreaded the mundane tasks of installing the license, applying the configuration, and the whole host of post-setup tasks required for a successful VM deployment? Well, stay tuned, because in this article I am going to cover leveraging the built-in support for Cloud-Init to simplify common tasks associated with deploying a FortiGate VM into Proxmox.
What is Cloud-Init
Before I go into the details of the procedure, it is worth providing a bit of background on this mechanism. Cloud-init is defined by the following statement:
Cloud-init is the defacto multi-distribution package that handles early initialization of a cloud instance.
In a nutshell, this functionality can be leveraged to set up many of the tasks commonly associated with a VM. Examples of these tasks are:
- Setting up a hostname
- Configuring networking
- Adding SSH keys for login
Cloud-Init in FortiOS
With the explanation above, one can see the potential capabilities that Cloud-Init would enable for the provisioning of a FortiGate VM. As an MSSP or an administrator that manages their own private/public cloud, this functionality allows simplification of mass deployment of FortiGate VMs.
The ability to bootstrap a FortiGate with network information as part of the VM deployment is very valuable. However, the supported feature set goes beyond this. Cloud-Init support in FortiOS allows the administrator to accomplish the following:
- Apply a FortiGate VM license
- Apply a custom configuration defined by FortiOS CLI
This can be used for anything from bootstrapping a FortiGate for easy access after initial VM deployment to fully setting up a FortiGate VM for production-ready use with a validated configuration. To accomplish this using Proxmox, follow the sections below.
Preparing the Cloud-Init Image
In its simplest form, Cloud-Init requires the image to be mounted to the FortiGate VM as an ISO image presented on a virtual CD-ROM drive. The files have to be laid out in a particular directory structure, as shown below:
cloud-init/                  – directory
└── openstack                – directory
    ├── content              – directory
    │   └── 0000             – License file
    └── latest               – directory
        └── user_data        – Configuration file
Please note that you must adhere to this directory structure in order for the cloud-init process to work with FortiOS.
The file “0000” is a copy of the FortiGate VM License. The “user_data” file is the FortiOS CLI configuration file. Here is an example of the FortiGate configuration to be applied to the FortiGate VM upon boot:
config system interface
    edit port1
        set mode dhcp
        set allowaccess http https ssh ping telnet
    next
end
config system dns
    set primary 220.127.116.11
    unset secondary
end
config system global
    set hostname cloud-init-fortigate
end
Once you have built the directory structure above, you can create an ISO in Linux using a utility such as mkisofs with the following command:
sudo mkisofs -R -r -o fgt-bootstrap.iso cloud-init/
In Windows, you can use a utility called CDBurnerXP to create the ISO from a directory. Using this application is beyond the scope of this article.
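The Linux steps above can be scripted. The following is an added example, not part of the original article or of any Fortinet tooling: it stages the license and configuration into the required layout, refuses to build the ISO if either file is missing or empty, and lists the cleartext management protocols (http, telnet) that a user_data file enables through "set allowaccess", as the sample configuration above does on port1. The function names and the placeholder license text are assumptions made for the example.

```shell
#!/bin/sh
# Added example: stage and check the FortiOS cloud-init tree before building the ISO.

# stage_tree LICENSE USER_DATA OUTDIR: copy both files into the layout FortiOS expects.
stage_tree() {
    mkdir -p "$3/openstack/content" "$3/openstack/latest" || return 1
    cp "$1" "$3/openstack/content/0000" &&
    cp "$2" "$3/openstack/latest/user_data"
}

# check_tree DIR: succeed only if both required files exist and are non-empty.
check_tree() {
    for f in openstack/content/0000 openstack/latest/user_data; do
        [ -s "$1/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
}

# cleartext_access USER_DATA: print the cleartext management protocols
# (http, telnet) enabled on any "set allowaccess" line, one per line.
cleartext_access() {
    grep -E '^[[:space:]]*set[[:space:]]+allowaccess[[:space:]]' "$1" |
        tr -s '[:space:]' '\n' | grep -E '^(http|telnet)$' | sort -u
}

# build_iso DIR ISO: same mkisofs invocation as in the article, run only
# after the tree has passed check_tree.
build_iso() {
    check_tree "$1" && mkisofs -R -r -o "$2" "$1/"
}

# Demo on constructed input (placeholder text, not a real license).
demo() {
    work=$(mktemp -d) || return 1
    echo "constructed placeholder license" > "$work/lic"
    printf '%s\n' 'config system interface' '    edit port1' \
        '        set mode dhcp' \
        '        set allowaccess http https ssh ping telnet' \
        '    next' 'end' > "$work/user_data"
    stage_tree "$work/lic" "$work/user_data" "$work/cloud-init" &&
        check_tree "$work/cloud-init" &&
        cleartext_access "$work/cloud-init/openstack/latest/user_data"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo
```

For a real build, call stage_tree with your license and configuration files, review anything cleartext_access prints, then call build_iso on the staged directory.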
Uploading the Cloud-Init Image to Proxmox server
Once you have generated the ISO file, transfer it to the Proxmox server via the GUI as shown in the process below:
1. In Proxmox, under the node, click the storage path | Content | Upload
2. In the “Upload” dialog box, click “Select File”
3. Select the file | Click “Upload”
4. Once the file has been uploaded, confirm that it is listed in the available ISO images
Applying the Cloud-Init Image to the FortiGate VM in Proxmox
Once you have the cloud-init ISO image created, the next step is to apply it to the FortiGate VM. To do so, you first need to create a FortiGate VM in Proxmox as detailed in the following article. Before launching the FortiGate for the first time, you must add a CD-ROM referencing the cloud-init ISO image as detailed in the following process:
1. In Proxmox, click on the FortiGate
2. Click “Hardware” | “Add” | “CD/DVD Drive”
3. Select the cloud-init ISO image | Click “Create”
4. Confirm that the cloud-init image has been added under the hardware listing of the FortiGate VM
Observing the Cloud-Init process
Once all of these items have been configured, the remaining task is to power up the FortiGate and observe Cloud-Init provision the FortiGate:
Upon boot of the FortiGate, it goes through the normal boot process and detects that there is a FortiGate VM license to install.
The FortiGate continues its provisioning process and detects that there is an additional hard disk and automatically formats that drive for use. After formatting this drive, the FortiGate performs a reboot.
Upon completion of the reboot, the FortiGate starts up and shows that the FortiGate serial number has changed based on that of the applied FortiGate VM license.
Upon logging into the FortiGate, the administrator is forced to change the password; once this is done, the prompt is shown with the hostname that was defined in the user_data configuration file.
After login, the FortiGate is available with the configuration defined in “user_data”. As I referenced previously, this could have been used just to bootstrap the FortiGate or to fully provision the FortiGate for deployment in the new lab environment.
As always, I hope this was a helpful article. Please leave a comment below and let me know if this is useful and applicable to your environment.