Hello and welcome to the FortiGate section. In this first post we will cover how to add a FortiGate into GNS3. I believe it is vital for anyone looking to learn about network security and firewalls to do so in a hands-on environment, and there is no better way to do so than within network simulation software. If you have not yet been through the other blog posts, we have an entire section dedicated to GNS3 and how to install and run it here.
Importing the FortiGate appliance
First, open GNS3 and create a new project. You can name it anything you want, although it may be practical to call it something like FortiGate_Lab1. Once the project is created, navigate to the Security Devices node and try to drag the FortiGate appliance into the topology canvas.
Once you begin the process to import or add an appliance, simply continue until you reach the window where you need to specify the files that will be used to install the software image.
Now that we are at the required files part of the importing process, you will first have to decide which version of the firewall you would like to import. Being able to choose helps with things such as testing compatibility between different versions, and it also lets you import the same version of FortiOS that you are using in the office to simulate your own network. For this article, though, we will be downloading version 6.0.0. Clicking on the dropdown arrow will show which files are missing or found. If files are missing, simply select the missing file and click on the download button. This will redirect you either to the vendor's website, where you can download the software image, or to some sort of file depository from which you can download the file directly.
When we try to download the FGT_VM64_GVM-v6-build0076-FORTINET.out.kfvm.cqow2 file it will redirect us to the Fortinet website. If you are registered, simply log in here; if you aren't registered, you will need to sign up.
Once you're logged into the Fortinet support site, simply click on the Download button as seen on the image below.
As we know we are going to be running an image that's in version 6.0.0, we will navigate to that directory and select it.
We now need to select the version of the OS we are looking to download. We know this is for version 6.0 and not 6.2, so we will select 6.0.
Again we will have the different sub-versions within the 6.0 tree that we can select. Let us select 6.0.0 where we will be placed in the final directory where all the software images are stored.
In the images directory we will need to find the exact software image or file that GNS3 was looking for. Press "ctrl + F" and type in the name "FGT_VM64_GVM-v6-build0076-FORTINET". You should find a zip file with that name in it, which you can download by clicking on the "HTTPS" hyperlink. Once the file is downloaded, extract it inside your downloads directory.
Now navigate into GNS3 again and download the empty30G.qcow2 file. When you click on Download you will be redirected to a SourceForge link which will automatically download the file. Once that is done, we are ready to proceed with installing the virtual appliance. If GNS3 still reports missing files, click on Refresh or review the steps, as you might still be missing a file or might not have extracted the zip file.
In the next few boxes we do not need to make any changes. Simply press Next until you reach the step where the import finishes and you only need to name your device. You can keep the name as FortiGate 6.0.0 if you so choose.
You have now successfully imported a virtual FortiGate appliance. Navigate back to the Security Devices node and you will see the template which you just imported. Drag and drop your template into the project canvas and start it by pressing the play button.
Congratulations, you have now successfully imported your own virtual FortiGate appliance into GNS3! If you double click on the device in the canvas it will open up the console window and you will see the firewall boot up as any normal FortiGate firewall would. To log into the firewall, simply use the default username, which is admin, and leave the password blank.
BONUS: Connecting your real Computer to the FortiGate
If you have not yet read our article on how to import your real machine into GNS3, I suggest you visit that first before continuing. Some people enjoy configuring a FortiGate on the CLI, however there are certain quality of life features on the GUI that make managing policies and such a bit easier and faster, so let's connect our real machine to the virtual appliance.
First, log into the FortiGate's CLI and assign a static IP address in the 192.168.99.0/24 range to one of the interfaces. I prefer to give all individual devices .1 where the computer receives .2, so I will be giving port10 the IP address of 192.168.99.1/24.
Go into the interface configuration by typing "config system interface", then go into the interface we want to change, which is port10, by typing "edit port10". Now we just need to give the interface an IP address by typing "set ip 192.168.99.1/24" and set the allow access, which opens the management ports on the interface. We will open most of them by typing "set allowaccess ping http https telnet ssh" so that we can access the firewall on all of those ports. To save the changes, simply type "next" followed by "end".
Now that you have a management IP address assigned to one of the interfaces, drag in a cloud device from the End Devices node. If you've followed the steps in the article on how to import your real device into GNS3, you should just have to configure the cloud device and select the VMnet interface where you have configured the 192.168.99.2/24 address. Mine was VMnet2.
All that remains is to run a cable from our VMnet adapter on the cloud to port10 on our FortiGate device. Select the connector tool and connect these ports.
Go into command prompt on your local computer and try to ping the 192.168.99.1 address. You will notice that you are getting a response, as you have set ping in the allowaccess configuration on port10.
If we can ping the device, we should now be able to access it through the GUI as well. Go into your preferred browser and type in "192.168.99.1" or whatever IP you are using for management. You will notice that the browser is now loading the login page for the FortiGate. Simply log in with admin and a blank password.
Once logged in you will be put in the dashboard where everything will work as any normal FortiGate firewall. You will now be able to access the device from your actual machine over the virtual network and configure it on the GUI, how amazing is that!?
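The CLI session from the steps above, written out in full and followed by a tighter variant for a lab that may be reachable from more than the host PC. This is an added example, not part of the original post; `<choose-a-password>` is a placeholder, and 192.168.99.2 is the host PC address used earlier in this post.

```fortios
# --- As described in the post: static IP plus broad management access ---
config system interface
    edit port10
        set ip 192.168.99.1/24
        set allowaccess ping http https telnet ssh
    next
end

# --- Tighter variant: drop the clear-text protocols (telnet, http) ---
config system interface
    edit port10
        set ip 192.168.99.1/24
        set allowaccess ping https ssh
    next
end

# Replace the blank default admin password and limit admin logins
# to the host PC. <choose-a-password> is a placeholder.
config system admin
    edit admin
        set password <choose-a-password>
        set trusthost1 192.168.99.2 255.255.255.255
    next
end

# Confirm what is now configured on the management interface
show system interface port10
```

With `http` removed, browse to `https://192.168.99.1` instead of the bare address. If the trial image's HTTPS page will not load in your browser, re-adding `http` on this host-only link restores GUI access.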
NB: Just a reminder that the OS will be working on a trial license and you will only have a month on this instance of the appliance. You can always add a new template into the canvas by just dragging and dropping it, but it is something to take note of, as you will need to bring in new appliances for labbing purposes.
That's a Wrap
You have now learned how to add a FortiGate into GNS3, how to log into the FortiGate via the console window and how to assign an IP address to an interface on the FortiGate. You have also brought your own computer into the GNS3 topology and connected it to the FortiGate in order to manage the unit via the GUI. That's some really amazing work and will allow you to run many various labs on FortiGate devices! If you enjoyed the material, please feel free to share this with your colleagues, as it helps get the knowledge out there! I'd like to thank you for reading this and I hope that you have learned something new!