Automatically Provision FortiGate VM with Cloud-Init in Proxmox

Have you ever cared to deploy a FortiGate virtual machine in your favorite hypervisor (Proxmox, of course) but dreaded the need of completing the mundane tasks of installing the licensing, applying the configuration and the whole host of post setup tasks required for a successful VM deployment? Well stay tuned, because in this article, I am going to cover leveraging the built-in support for Cloud-Init to simplify common deployment tasks associated with deploying a FortiGate VM into Proxmox.

What is Cloud-Init

Before I go into the details about the procedure to follow, it would be worth it to provide a bit of background about this mechanism. In a nutshell, Cloud-init is defined by the following statement:

Cloud-init is the defacto multi-distribution package that handles early initialization of a cloud instance.

In a nutshell, this functionality can be leveraged to set up a lot of tasks that is commonly associated with a VM. An example list of these tasks are:

  • Setting up a hostname
  • Configuring networking
  • Added SSH keys for login

Cloud-Init in FortiOS

With the explanation above, one can see the potential capabilities that Cloud-Init would enable for the provisioning of a FortiGate VM. As an MSSP or an administrator that manages their own private/public cloud, this functionality allows simplification of mass deployment of FortiGate VMs.

The ability to bootstrap a FortiGate with network information as part of the VM deployment is very valuable. However, the supported feature set goes beyond this. Cloud-Init support in FortiOS allows the administrator to accomplish the following:

  • Apply a FortiGate VM license
  • Apply a custom configuration defined by FortiOS CLI

This can be used to bootstrap a FortiGate for easy access after initial VM deployment to fully setting up a FortiGate VM for production-ready use with a validated configuration. To accomplish this task using Proxmox, follow the sections listed below.

Preparing the Cloud-Init Imaging

In its simplest form, Cloud-Init requires the image to be mounted to the FortiGate VM as an ISO image presented on a virtual CD-ROM drive. The files have to be presented in a particular order. Specifically as shown below:

cloud-init/ – directory
└── openstack – directory
├── content – directory
│   └── 0000 – License file
└── latest – directory
└── user_data – Configuration file

Please note that you must adhere to this directory structure in order for the cloud-init process to work with FortiOS.

The file “0000” is a copy of the FortiGate VM License. The “user_data” is the FortiOS CLI configuration file. Here is an example of the FortiGate configuration to be applied upon boot to the FortiGate VM:

config system interface
    edit port1
    set mode dhcp
    set allowaccess http https ssh ping telnet
config system dns
    set primary
    unset secondary
config system global
    set hostname cloud-init-fortigate

Once you have the file directory structure above built, you can create an iso in Linux using a utility such as mkisofs with the following command:

sudo mkisofs -R -r -o fgt-bootstrap.iso cloud-init/
Figure. – Screenshot of the terminal console running mkisofs.

In Windows, you can use a utility called CDBurnerXP to create the iso from a directory. Using this application is beyond the scope of this article.

Uploading the Cloud-Init Image to Proxmox server

Once you have generated the ISO file, transfer it to the Proxmox server via the GUI as shown in the process below:

1. In proxmox, under the node, Click the storage path | Content | Upload

Figure. – Screenshot of location to upload ISO in Proxmox

2. In the “Upload” dialog box, click “Select File”

Figure. – Screenshot of the ISO upload dialog box in Proxmox

3. Select the file | Click “Upload”

Figure. – Screenshot of ISO upload dialog box with file selected in Proxmox

4. Once the file has been uploaded, confirm that it is listed in the available ISO images as shown below:

Figure. – Screenshot of ISO image upladed to Proxmox

Applying the Cloud-Init Image to the FortiGate VM in Proxmox

Once you have the cloud-init ISO image created, the next step is to apply it to the FortiGate VM. In order to apply it to the FortiGate, you need to first create a FortiGate VM in proxmox as detailed in the following article. Before launching the FortiGate for the first time, you must add a CD-ROM referencing the cloud-init ISO image as detailed in the following process:

1. In Proxmox, click on the FortiGate

Figure. – Screenshot of the Proxmox navigation bar

2. Click “Hardware” | “Add” | “CD/DVD Drive”

Figure. – Screenshot of adding CD/DVD Drive in Proxmox

3. Select the cloud-init ISO image | Click “Create”

Figure. – Screenshot of select cloud-init ISO image in Proxmox

4. Confirm that the cloud-init image has been added under the hardware listing of the FortiGate VM

Figure. – Screenshot of hardware listing referencing cloud-init in Proxmox

Observing the Cloud-Init process

Once all of these items have been configured, the remaining task is to power up the FortiGate and observe Cloud-Init provision the FortiGate:

Upon boot of the FortiGate, it goes through the normal boot process and detects that there is a FortiGate VM license to install.

Figure. – Screenshot of FortiGate VM console

The FortiGate continues its provisioning process and detects that there is an additional hard disk and automatically formats that drive for use. After formatting this drive, the FortiGate performs a reboot.

Figure. – Screenshot of the FortiGate console in the cloud-init process

Upon completion of the reboot, the FortiGate starts up and shows that the FortiGate serial number has changed based on that of the applied FortiGate VM license.

Figure. – Screenshot of the FortiGate VM console with the serial number of VM license

Upon logging into the FortiGate, the administrator is forced to change the password, but after completion of this, the prompt is shown with the hostname as which was defined under the user_data configuration file.

Figure. – Screenshot of the command prompt with the updated host name

Upon logging into the FortiGate, it is now available configured with the configuration as defined in “user_data”. As I referenced previously, this could have been used just to bootstrap the FortiGate or fully provision the FortiGate for deployment in the new lab environment.

As always, I hope this was a helpful article. Please leave a comment below and let me know if this is useful and applicable to your environment.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments