Fortinet has a growing list of technology alliances and a prolific ecosystem of resellers, technology partners and customers. This ecosystem needs complete, fully featured Fortinet FortiGate environments for demos, PoCs and testing. Public clouds such as AWS or Google are ideal for these transient workloads, but they don't support Layer 2 networking - multicast/broadcast, VMACs, gratuitous ARP and VLANs don't work - which makes it difficult to build representative environments using the FortiGate AMI (Amazon Machine Image). Ravello's nested virtualization and overlay networking solves this problem by running the FortiGate KVM or VMware appliance with Layer 2 networking on AWS/Google.
Advanced capabilities such as unified threat management, NG Firewall, IPS, NAT make FortiGate a popular security appliance. It is used by enterprises across the globe to secure branch offices, headquarters and data centers.
However, before deploying, enterprises typically like to see a demo and run PoCs, which requires a fully featured FortiGate environment. FortiGate VM, the virtualized version of FortiGate, is a great way to let customers 'test-drive' the FortiGate without shipping hardware. Fortinet sales engineers, resellers and technology partners can use FortiGate VM to demo the power of the platform and run PoCs with ease, and Fortinet trainers can use it to spin up training environments.
Companies have explored provisioning their own data centers to run these transient workloads for demo, PoC, training, upgrade and development test environments, and have experienced sticker shock - it is expensive! Further, it takes weeks to months to procure and provision the hardware and get the environment running, and there are opportunity costs whenever the environment is not being used.
Public clouds such as AWS and Google provide the flexibility to move to a usage-based pricing model and avoid these opportunity costs. However, the FortiGate AMI (Amazon Machine Image) that runs natively on Amazon is held back by public cloud limitations: it cannot support IPv6 or Layer 2 networking (broadcast, multicast, VLANs, VMACs and gratuitous ARP won't work!), which prevents creating representative copies of production data center environments.
A nested virtualization platform with a software-defined networking overlay, such as Ravello, brings together the financial benefits of moving to the cloud while avoiding these technological limitations. It allows organizations to recreate an exact replica of their complex data center environment on Google Cloud and AWS, running the same version and configuration of the Fortinet FortiGate VMware or KVM virtual appliance as they do in their data center. The platform can snapshot or 'blueprint' a multi-VM application, including the FortiGate VM complete with its complex networking, and spin up as many copies as needed at the click of a button or through a REST API call.
Here is a comparison of the benefits of running FortiGate VM in a data center, natively on public cloud, and on public cloud using Ravello:

| | Running FortiGate VM on AWS / Google using Ravello | Running FortiGate VM in DC | Running FortiGate AMI natively on AWS/Google |
|---|---|---|---|
| Usage-based costs | ✓ | ✕ | ✓ |
| Layer 2 networking support | ✓ | ✓ | ✕ |
| High-fidelity copy of DC environment | ✓ | ✓ | ✕ |
| Day-zero deployment (no migration) | ✓ | ✓ | ✕ |
| One-click creation of replica environments from snapshots or blueprints | ✓ | ✕ | ✕ |
| Automation through REST APIs | ✓ | ✕ | ✓ |
| Version control of application infrastructure | ✓ | ✕ | ✕ |
| Share blueprints with others | ✓ | ✕ | ✕ |
| Better end-user experience through global deployment | ✓ | ✕ | ✓ |
| No exposure to transient infrastructure issues | ✓ | ✕ | ✕ |
Data Center Setup
Eager to reap these benefits, I decided to move my data center FortiGate VM deployment to Ravello. The following sections chronicle the steps I had to take.
My data center Fortinet FortiGate has two interfaces, one connected to the external network and one to the internal network. The external interface is connected to the internet. Three hosts sit behind the firewall on the internal network: two Ubuntu Linux machines and a Windows Server 2012 machine (see below). UTM, firewall, NAT and web filtering are all enabled.
Re-creating this environment in Ravello was a simple 3-step process.

Step 1: Upload the VMs

I used the Ravello VM uploader to upload my multi-VM environment.

1. The Ravello VM uploader gave me multiple options, ranging from directly uploading my multi-VM environment from VMware vSphere™ / VMware vCenter™ to uploading OVFs, VMDKs, QCOW images or ISOs individually. Siding with their recommendation, I chose to upload directly from vSphere.
2. After entering my vSphere credentials on the next screen, the upload process began. I was able to track the VM upload progress from Ravello's user interface.

Step 2: Verify and configure each VM

1. Verification started by asking for a VM name for the Fortinet FortiGate.
2. Clicking 'Next', I was able to choose the resources (vCPUs and memory) that I wanted my FortiGate to run on. Since my VM00 runs on 1 vCPU and 1 GB RAM, I set it as such.
3. Clicking 'Next', I was taken to the Disk tab. Since FortiGate KVM requires 30 GB of disk space and uses a VirtIO controller, I selected those on this screen.
4. Next I entered the static IPs and netmasks for each of the FortiGate interfaces (internal and external), mirroring what I had in my data center. Here I also assigned a public IP to the external interface so that I could reach the management UI over the internet.
5. Clicking 'Next', I was taken to the Services tab. Since access to the FortiGate UI is over HTTP/HTTPS, I enabled these "Services" to open those ports for external access. For anything longer-lived than a demo, keep management on HTTPS only and restrict it to trusted source addresses rather than exposing HTTP to the whole internet.
6. I went through steps 1-5 for my other VMs (the Linux and Windows hosts), ending up with a total of 4 VMs on my application canvas.

Step 3: Publish the application

1. With my application canvas complete, I clicked 'Publish' to run it in cost-optimized mode. Had I chosen performance-optimized, I would have been presented with a choice of AWS or Google Cloud and the corresponding regions to publish to. My environment took roughly 5 minutes to come alive.
2. Clicking on the Networking tab, one can see that this closely mirrors my data center setup.
3. Once the FortiGate was up, I pointed my web browser at the public IP of the FortiGate and was presented with FortiGate's management UI.
To verify that the FortiGate was working as expected, just for kicks I created a web-filtering rule that blocks web browsing to news.google.com.
As you can see from the screenshot below, when my Windows LAN host (192.168.0.4) tries to access news.google.com, the request is blocked by the FortiGate VM, confirming that the FortiGate VM is working as expected.
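A screenshot of the block page shows one request; the FortiGate's web filter log shows every request the rule acted on. The following Python snippet, added here as an example and not part of the original post or of any Fortinet or Ravello tooling, parses FortiGate-style key=value log lines and reports which LAN hosts were blocked from which hostnames. The log lines are constructed for this example (field names follow the FortiOS web filter log format but may differ between versions), and the function and parameter names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in FortiGate's key=value format (not captured
# from the environment described above). Values containing spaces are quoted.
SAMPLE_LOG = r'''
date=2015-08-10 time=10:12:33 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" policyid=1 srcip=192.168.0.4 srcport=50233 srcintf="internal" dstip=216.58.192.14 dstport=80 dstintf="external" service="HTTP" hostname="news.google.com" profile="demo-webfilter" action=blocked reqtype=direct url="/" msg="URL was blocked because it is in the URL filter list"
date=2015-08-10 time=10:12:40 type=utm subtype=webfilter eventtype=urlfilter level=notice vd="root" policyid=1 srcip=192.168.0.4 srcport=50240 srcintf="internal" dstip=93.184.216.34 dstport=80 dstintf="external" service="HTTP" hostname="example.com" profile="demo-webfilter" action=passthrough reqtype=direct url="/" msg="URL was allowed because it is in the URL filter list"
date=2015-08-10 time=10:13:02 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" policyid=1 srcip=192.168.0.5 srcport=41022 srcintf="internal" dstip=216.58.192.14 dstport=443 dstintf="external" service="HTTPS" hostname="news.google.com" profile="demo-webfilter" action=blocked reqtype=direct url="/" msg="URL was blocked because it is in the URL filter list"
date=2015-08-10 time=10:13:15 type=traffic subtype=forward level=notice vd="root" srcip=192.168.0.4 dstip=8.8.8.8 dstport=53 action=accept
'''

# key=value, where the value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiGate key=value log line into a dict of strings."""
    # findall yields (key, quoted_value, unquoted_value); exactly one of the
    # two value groups is non-empty for a quoted or unquoted value respectively.
    return {key: (unquoted if unquoted else quoted)
            for key, quoted, unquoted in KV_RE.findall(line)}


def webfilter_blocks(log_text, lan_subnet="192.168.0.0/24"):
    """Count URL-filter blocks per (source IP, hostname) for LAN hosts.

    Only web filter events with action=blocked whose srcip falls inside
    lan_subnet are counted; traffic logs and passthrough events are ignored.
    """
    net = ipaddress.ip_network(lan_subnet)
    counts = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_log_line(line)
        if rec.get("subtype") != "webfilter" or rec.get("action") != "blocked":
            continue
        try:
            src = ipaddress.ip_address(rec.get("srcip", ""))
        except ValueError:
            continue  # malformed or missing srcip; skip rather than crash
        if src not in net:
            continue
        counts[(str(src), rec.get("hostname", ""))] += 1
    return counts


def host_blocked(log_text, srcip, hostname, lan_subnet="192.168.0.0/24"):
    """True if at least one block of `hostname` from `srcip` was logged."""
    return webfilter_blocks(log_text, lan_subnet).get((srcip, hostname), 0) > 0


if __name__ == "__main__":
    for (src, host), n in sorted(webfilter_blocks(SAMPLE_LOG).items()):
        print(f"{src} -> {host}: blocked {n} time(s)")
```

Run it against a log export from the FortiGate log viewer instead of `SAMPLE_LOG` to confirm the rule from the whole LAN, not just the one host in the screenshot. One caveat the third sample line illustrates: a block of an HTTPS request (service="HTTPS") is only logged when the firewall policy applies an SSL inspection profile, since without at least certificate inspection the FortiGate cannot see the requested hostname; if you test with https://news.google.com and see no block, check the policy's SSL/SSH inspection setting before concluding the web filter is broken.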
Ravello's nested virtualization and overlay networking provide a straightforward way to run Fortinet FortiGate VMware or KVM appliance demos, PoCs, training and testing on AWS and Google Cloud. Just sign up for a free Ravello trial and drop us a line; we can share our FortiGate config and help you get your Fortinet FortiGate VM appliance running 'as-is' in Ravello in no time.