Virtual firewalls with FortiGate VM: Implementation tips and tricks

In the era of cloud and virtualization, traditional physical firewall appliances, while still indispensable in many scenarios, are not always the optimal solution. We need flexibility, scalability and the ability to quickly deploy advanced security features where our applications and data run – that is, increasingly in virtual and cloud environments. Virtual firewalls are the answer to this need, and FortiGate VM from Fortinet is the leading solution in this category, bringing the full range of next-generation firewall(NGFW) capabilities to the virtualization world. However, just getting a virtual machine up and running is only the beginning. Successful deployment and optimal configuration of the FortiGate VM require knowledge and the application of best practices. At nFlo, with extensive experience in implementing virtual security solutions, we share key tips and tricks to help you realize the full potential of FortiGate VM.

What differentiates FortiGate VM virtual firewalls from traditional solutions?

FortiGate VM is essentially FortiOS software, the same operating system that powers physical FortiGate appliances, but packaged as a virtual machine (VM). This allows Fortinet’s full-fledged next-generation firewall to run on standard virtualization platforms (like VMware ESXi, Microsoft Hyper-V, KVM) and public clouds (AWS, Azure, GCP, Oracle Cloud).

The main difference, and also an advantage over traditional physical firewalls, is the great flexibility and scalability. FortiGate VM can be deployed in minutes, without the need to purchase and install dedicated hardware. Resources (CPU, memory, bandwidth) can be dynamically scaled up or down as needed. Virtualization also makes it easy to create redundant configurations (HA) and fast disaster recovery. Most importantly, FortiGate VM offers the same rich set of security features as its physical counterpart, including firewall, VPN, IPS, antivirus, web filtering, application control, sandboxing and more, providing consistent protection regardless of the form of deployment.

How to prepare the infrastructure for FortiGate VM deployment in a cloud environment?

Successful deployment of FortiGate VM in a public cloud (e.g. AWS, Azure, GCP) requires careful preparation of the environment. It is crucial to understand the network architecture of a given cloud platform – how virtual networks (VPC/VNet), subnets, security groups (Security Groups/Network Security Groups), routing tables and Internet gateways work.

You need to design a suitable network topology that takes into account the placement of the FortiGate VM. It is often deployed as a security gateway at the edge of the virtual network, filtering traffic entering and leaving the Internet, or as a segmentation firewall controlling traffic between different subnets (e.g., between a production zone and a development zone). It is necessary to allocate appropriate computing resources for VM instances (VM type, number of vCPUs, amount of RAM) according to bandwidth requirements and number of active sessions – Fortinet provides detailed guidelines in this regard. It is also necessary to configure appropriate security/NSG groups to allow the necessary traffic to and from FortiGate VM interfaces (management traffic, data traffic, VPN traffic, etc.). Finally, it is worthwhile to plan for high availability (HA) mechanisms, taking advantage of the cloud’s native features (e.g. Availability Zones/Sets) and the HA mechanisms of FortiGate VM itself.

How to configure network interfaces and static routes in FortiGate VM?

The foundation of any firewall is the proper configuration of network interfaces and routing. In the case of FortiGate VM, the process is similar to configuring a physical device, but with the specifics of a virtual or cloud environment. Once the VM instance is up and running, FortiGate virtual network interfaces (vNICs) should be assigned to the appropriate virtual networks (port groups in VMware, vNICs in Azure/AWS/GCP). Each interface should be configured with the appropriate IP address, subnet mask and possibly the default gateway address for that network.

Next, the key is to configure routing so that FortiGate VM knows how to direct traffic between different networks. In simpler scenarios, static routes will suffice, defining through which interface and to which gateway traffic should be routed to specific subnets (e.g. route to internal network, default route to Internet). In more complex environments, especially in the cloud, you may need to use dynamic routing mechanisms (e.g. BGP) or native cloud routing mechanisms (e.g. User Defined Routes in Azure, VPC Route Tables in AWS), which need to be properly configured to route traffic through the FortiGate VM instance. Proper configuration of interfaces and routing is the foundation for proper operation of all security functions.

How do I integrate FortiGate VM with Azure or AWS platforms?

FortiGate VM is natively supported on major public cloud platforms such as Microsoft Azure and Amazon Web Services (AWS), and Fortinet provides pre-built VM images (AMI on AWS, VHD on Azure) available in their marketplaces. The integration process typically involves several steps.

First, you need to start the FortiGate VM instance from the appropriate image in the selected region and availability zone, assigning it the appropriate resources (instance type, disks). Then, it is necessary to configure the virtual network interfaces (vNICs) of the instance and assign them to the appropriate virtual networks (VNet/Subnet in Azure, VPC/Subnet in AWS). It is crucial to configure security groups (Network Security Groups in Azure, Security Groups in AWS) to allow the necessary traffic to the FortiGate interfaces (e.g. HTTPS for management, ports for VPN, traffic to be filtered).

The most important part of the integration is to configure routing in the cloud so that network traffic (e.g. from application subnets to the Internet or between subnets) is routed through the FortiGate VM instance. In Azure, this is accomplished using User Defined Routes (UDR), and in AWS by modifying VPC Route Tables. Fortinet provides detailed guides and templates (e.g. CloudFormation, ARM templates) to facilitate and automate this integration process.

How to secure administrative access to a FortiGate virtual firewall?

The FortiGate VM management interface is the gateway to configuring all network protection, so securing it properly is absolutely critical. Several layers of protection should be applied. First, access to the management interface (usually via HTTPS, SSH) should be strictly limited to only trusted IP addresses or subnets (e.g., management networks, administrator IP addresses). This can be implemented using firewall rules on the FortiGate itself (Local-in Policy) and additionally using security groups in the cloud or ACL rules in a virtual environment.

Second, change the default administrator password to a strong, unique password and change it regularly. It is strongly recommended to enable Multi-Factor Authentication (MFA) for all administrative accounts, using, for example, FortiToken or other compatible solutions. It’s also a good idea to configure administrator profiles with Least Privilege, giving individual administrators only the privileges they need to perform their tasks. Finally, monitor administrative access logs regularly to detect any unauthorized login attempts.

How to properly configure SSL certificates for secure VPN access?

FortiGate VM often acts as a VPN gateway, allowing secure remote access to the corporate network (SSL VPN, IPsec VPN). Proper configuration of SSL certificates is crucial to ensure the security and trustworthiness of these connections. Instead of using FortiGate’s default self-signed certificate (which generates warnings in browsers and VPN clients), it is strongly recommended to use an SSL certificate issued by a trusted public Certificate Authority (CA) or by an internal, company-owned CA.

You need to generate a certificate signing request (CSR) on the FortiGate VM with correct information (domain name, organization details). The CSR should then be sent to the selected CA for signing. Once the signed server certificate and any intermediate CA certificates are received, they should be imported into FortiGate VM. The imported certificate should then be assigned to the appropriate services, such as the SSL VPN portal and VPN connection listening interfaces. Regularly monitoring the validity of certificates and renewing them before they expire is also key. Using trusted certificates eliminates security warnings for users and ensures the integrity and confidentiality of VPN communications.

How to implement High Availability (HA) mode for business continuity?

In production environments, where firewall continuity is critical, it is essential to implement High Availability (HA) mechanisms. FortiGate VM supports an Active-Passive or Active-Active HA cluster configuration, just like physical devices. In the most common Active-Passive model, two FortiGate VM instances operate as a pair. One instance is active and processes all traffic, while the other is passive (standby), but constantly synchronizes configuration and session state with the active instance.

The two instances monitor each other’s status via a dedicated heartbeat connection. If the active instance fails, the passive instance automatically takes over its role and IP addresses within seconds, ensuring uninterrupted service. Implementing HA in a virtual or cloud environment requires additional configuration steps related to platform-specific failover mechanisms. For example, in a public cloud, mechanisms such as UDR/Route Tables updates or Elastic IP/Public IP switching are often used with scripts or native cloud services (e.g., AWS Transit Gateway, Azure Route Server) to redirect traffic to a newly active FortiGate VM instance. Properly configuring HA is key to ensuring resiliency and meeting SLA requirements.

Summary: FortiGate VM key implementation tips.

Infrastructure planning: Understand the network architecture of the virtualization/cloud platform and design the topology and resources for FortiGate VM accordingly.
Secure administrative access: restrict access to the management interface, use strong passwords and MFA, configure RBAC.
Correct routing: Carefully configure network interfaces and routes (static or dynamic/cloud) to ensure correct traffic flow.
High Availability (HA): Implementation of an HA cluster (Active-Passive or Active-Active) using platform-specific failover mechanisms.
Configure security profiles: Enable and tune key features like antivirus, IPS, web/DNS filtering, application control.
SSL Inspection: Implement inspection of encrypted traffic for full security effectiveness.
Monitoring and logging: Continuous performance monitoring and log analysis for problem detection and optimization.
Regular updates: Maintain FortiOS software and threat signatures in the latest version.

How to use Virtual Domains (VDOMs) to separate network functions?

Virtual Domains (VDOMs) is a powerful FortiOS feature, also available in FortiGate VM, that allows a single FortiGate appliance to be logically divided into multiple independent virtual firewalls. Each VDOM acts as a separate firewall, with its own interface configuration, routing table, security policies, administrator profiles and VPN settings.

The use of VDOMs brings a number of benefits, especially in complex environments:

Segmentation and separation: Enables logical separation of different network segments, company departments, customers (in a multi-tenant model) or functions (e.g., separate VDOM for Internet traffic, separate for VPN) on a single physical or virtual device. This enhances security and simplifies management.
Configuration flexibility: Each VDOM can have a completely independent configuration, tailored to the specific needs of a segment or service.
Delegating administration: You can assign different administrators to manage individual VDOMs, limiting their privileges only to their “virtual firewall.”
Resource Consolidation: Allows multiple physical firewalls to be replaced with fewer VDOM-enabled FortiGate units, reducing infrastructure costs and complexity.

When planning an architecture with FortiGate VM, consider using VDOMs to logically organize and separate network and security functions.

How to configure security profiles: antivirus, IPS and DNS filtering?

The basis of NGFW protection in FortiGate VM is security profiles, which define what inspections and actions are to be applied to traffic passing through the firewall. The key profiles are:

Antivirus (AV): Scans traffic (including Internet downloads, email attachments) for known malware based on FortiGuard signatures. Enable scanning for relevant protocols (HTTP, FTP, SMTP, POP3, IMAP) and define an action (e.g. block). Consider enabling cloud scanning (FortiSandbox Cloud) for better detection.
Intrusion Prevention System (IPS): Analyzes network traffic for patterns corresponding to known exploits and attacks at the network and application level. Select the appropriate IPS signature profile (e.g., default, high_security) and apply it to the appropriate firewall policies in protection mode. Regular updates to IPS signatures are key.
DNS Filtering: Controls DNS queries sent by users, blocking access to domains known to host malware, phishing or other malicious content, and allowing access to undesirable site categories (e.g., gambling, adult content) to be blocked at the DNS level. Select the appropriate DNS filtering profile from FortiGuard and apply it to firewall policies.

These security profiles should be applied to the corresponding firewall policies that define the flow of traffic (e.g., from the internal network to the Internet). Proper configuration and regular updating of these profiles are the foundation of effective preventive protection.

Why is SSL inspection critical to the effectiveness of FortiGate VM security?

On today’s Internet, a huge portion of traffic (often more than 80-90%) is encrypted using SSL/TLS (HTTPS) protocols. While encryption is essential for privacy and data integrity, it also poses a serious challenge to security systems. Attackers are increasingly using encrypted connections to hide malware, communicate with Command and Control (C&C) servers or launch phishing attacks.

If an NGFW firewall such as FortiGate VM does not inspect SSL/TLS traffic, it becomes virtually “blind” to threats transmitted inside encrypted tunnels. Mechanisms such as antivirus, IPS, web filtering, application control or DLP will not be able to analyze the content of encrypted traffic and detect hidden threats in it.

That’s why implementing SSL Inspection (SSL Inspection), the process of decrypting traffic on the FortiGate VM for analysis by security engines and then re-encrypting it before sending it to its destination, is absolutely critical to ensuring that NGFW security is fully effective. While there are some challenges to configuring SSL inspection (certificate management, performance impact, privacy issues), it is essential to realize the full protective potential of FortiGate VM in today’s encrypted Internet.

How to optimize FortiGate VM performance in hybrid environments?

Ensuring optimal FortiGate VM performance, especially in complex hybrid environments combining on-premise and cloud resources, requires a conscious approach to configuration and resource management. First, proper sizing of VM instances is key. Bandwidth requirements, the number of concurrent sessions and the load associated with enabled security features (especially SSL inspection) should be carefully evaluated, and the right type of virtual/cloud instance with sufficient vCPU and RAM should be selected.

Second, it is worth optimizing the use of the virtualization/cloud platform’s hardware resources. Make sure that the FortiGate VM has access to the right number of CPU cores and that it is not competing for resources with other resource-intensive VMs. Using faster network interfaces and optimizing virtual switch configurations can also make a difference.

Third, security features should be consciously managed. Enabling all possible inspections for all traffic can significantly overload the FortiGate VM. It’s worth applying granular policies, using more intensive inspections (such as deep SSL inspection or full AV scanning) only where absolutely necessary, and using lighter profiles for less critical traffic. Using offload mechanisms such as hardware acceleration (if available in the virtualization platform) or optimizing IPS configurations can also help. Finally, regular monitoring of key performance indicators (CPU usage, memory usage, session counts, latency) allows for early detection of potential bottlenecks and proactive optimization.

How to monitor and analyze network traffic through a virtual firewall?

Effective monitoring and analysis of traffic passing through the FortiGate VM is key to both ensuring security and addressing performance issues. FortiOS offers built-in real-time monitoring tools that can be accessed via the web interface (GUI) and command line interface (CLI). They allow you to view current sessions, bandwidth usage on individual interfaces and policies, system resource load (CPU, memory) and event logs generated by various security modules (firewall, IPS, AV, Web Filter, etc.).

However, for deeper historical analysis, event correlation and advanced reporting, integration with a central logging and analysis platform such as FortiAnalyzer (also available as a virtual appliance) is essential. FortiGate VM sends detailed logs to FortiAnalyzer, which aggregates them, indexes them and provides powerful search, filtering, visualization and report generation tools. FortiAnalyzer allows you to analyze traffic trends, identify anomalies, investigate security incidents and monitor policy compliance. Alternatively, logs from FortiGate VM can be sent to external SIEM (Security Information and Event Management) systems using standard protocols such as Syslog.

How to upgrade FortiGate VM software without downtime?

Keeping the FortiOS software on the FortiGate VM up-to-date is crucial for security (access to the latest patches) and functionality (access to new capabilities). However, the upgrade process often involves a reboot, which can cause a brief interruption of services. To minimize or completely eliminate downtime during updates, use high availability (HA) mechanisms.

In the HA Active-Passive cluster configuration, the upgrade process goes as follows:

The passive (standby) device is updated first. After the update and reboot, the standby device is ready to take over traffic with the new software version.
A manual failover is then initiated so that the standby device becomes the new active device. This switchover is usually very fast and causes minimal or no disruption to traffic.
Finally, the previously active device, which is now in standby mode, is updated.

With this procedure, updating the entire HA pair is done without interrupting service continuity. For Active-Active clusters, the procedure is similar, updating individual nodes one at a time and ensuring that the remaining nodes are able to take over their load during a reboot.

How to solve common routing and resource access problems?

Routing and resource access problems are common challenges when configuring a firewall. FortiOS offers a number of built-in diagnostic tools to help resolve them:

Policy Lookup: A tool in the GUI that allows you to see which firewall policy will be applied to a specific traffic flow (based on source, destination, port, protocol). This helps verify whether traffic is allowed or blocked as expected.
Packet Sniffer (diagnose packet sniffer): A powerful CLI tool that allows you to capture and display packets passing through specific FortiGate interfaces. This enables detailed analysis of packet-level traffic and identification of communication problems.
Debug Flow (diagnose debug flow): An advanced CLI tool that tracks the processing of a single packet through all FortiOS modules (firewall engine, IPS, AV, etc.), showing step-by-step what decisions are made and why traffic may be blocked or modified.
Routing Table Lookup (get router info routing-table details): A CLI command to check the contents of the routing table and verify that there are valid routes to the target networks.
Ping / Traceroute: Standard tools available in the GUI and CLI to test basic network connectivity from within FortiGate.
Forward Traffic Logs: Analyzing the logs of traffic passed through and blocked by the firewall provides information about which policies are applied and why traffic may be rejected.

Skillful use of these tools makes it possible to systematically diagnose and solve most common routing and access problems.

How do I set up temporary access for technical support without risk?

Sometimes it is necessary to give temporary access to FortiGate VM management to an external technical support or consultant. This should be done in a controlled and secure manner, minimizing risk. Instead of providing a master administrator account, create a dedicated user account specifically for the support purpose.

This account should be assigned an administrator profile with limited privileges, granting access only to those functions and configuration areas that are absolutely necessary to perform the task (principle of least privilege). Access to the management interface (HTTPS, SSH) for this account should be limited only to the specific IP address of the source support provider and only for a specific, limited period of time. It is also strongly recommended to enforce multi-factor authentication (MFA) for this account.

Once the work is completed by technical support, the account should be immediately disabled or deleted. The entire access session should be accurately logged and monitored. This approach provides the necessary access for support while minimizing potential security risks.

Summary: FortiGate VM – Flexibility and Security.

Full NGFW functionality: All of Fortinet’s advanced security features available in virtual form.
Deployment flexibility: Ability to run on popular virtualization platforms and in all major public clouds.
Scalability: Easily adapt resources (CPU, RAM, bandwidth) to changing needs.
High availability: support for HA clusters to ensure business continuity.
VDOM segmentation: the ability to logically divide into multiple independent virtual firewalls.
Centralized management: manageability through FortiManager and integration with FortiAnalyzer.
Consistency with Security Fabric: Native integration with other Fortinet products for coordinated protection.

How to implement advanced application control and cloud access policies?

In addition to traditional firewall rules based on IP addresses and ports, FortiGate VM offers advanced application-level (Layer 7) control capabilities. Application Control allows you to identify and control thousands of business and consumer applications (e.g. Facebook, Dropbox, Salesforce, Office 365) regardless of the port or protocol used. Policies can be created that allow, block, monitor or limit bandwidth (traffic shaping) for individual applications or their categories.

In addition, FortiGate VM integrates with Cloud Access Security Broker (CASB) features, allowing granular control of access to authorized cloud applications (SaaS). For example, it is possible to allow employees to log in to a company’s Office 365 account, but block access to private Gmail or Dropbox accounts. It is also possible to monitor and control operations performed inside cloud applications (such as file sharing). This application-level control is crucial to ensure security and compliance in modern work environments.

How to use sandboxing features to detect advanced threats?

As mentioned, FortiGate VM integrates with Fortinet’s sandboxing technology (FortiSandbox), which is crucial for detecting advanced, previously unknown threats (zero-day) that antivirus or IPS signatures won’t catch. When FortiGate VM encounters a suspicious file (e.g., in web, email or file transfer traffic) that it can’t uniquely classify with local mechanisms, it can automatically send it for analysis in FortiSandbox.

FortiSandbox can be deployed as a physical appliance, virtual appliance or as a cloud service (FortiSandbox Cloud). In an isolated sandbox environment, a file is run and subjected to deep behavioral analysis. All its interactions with the operating system, registry, network and other processes are monitored. If the file shows any malicious behavior, FortiSandbox generates a risk assessment and a detailed report. This information is immediately passed back to FortiGate VM, which can block the file and update its protection mechanisms. The use of sandboxing significantly increases the ability to detect and neutralize the most sophisticated attacks.

How to manage access policies in multi-domain environments?

In organizations using Virtual Domains (VDOMs) to logically separate networks or functions, managing access policies requires an appropriate approach. Each VDOM acts as an independent firewall and has its own set of firewall policies, security profiles and routing settings. This allows the creation of highly granular and customized rules for specific network segments or user groups.

Administrators can manage policies for individual VDOMs individually. However, when consistent global policies are needed (e.g., basic security rules, access to shared resources), FortiOS offers mechanisms for sharing objects (addresses, services, security profiles) between VDOMs and configuring policies at the global level that are applied to all VDOMs. Central management via FortiManager further facilitates consistent policy management in environments with multiple FortiGates and VDOMs, enabling the creation of templates and central deployment of changes.

How to secure communication between virtual firewalls in a cluster?

In configuring a High Availability (HA) cluster, it is crucial to ensure secure and reliable communication between the FortiGate VMs that make up the cluster. This communication, known as heartbeat, is used to monitor partner status and synchronize configuration and session information.

The heartbeat connection should be through a dedicated network interface and a dedicated network (or VLAN), isolated from production traffic. Heartbeat traffic is encrypted by default, but it is recommended to configure additional authentication (password) for HA communications to prevent potential man-in-the-middle attacks or impersonation of a cluster member. You should also provide redundancy for the heartbeat connection by configuring at least two dedicated interfaces and network paths between devices in the cluster. Properly securing heartbeat communications is fundamental to the stability and security of the entire HA cluster.

How to measure the effectiveness of FortiGate VM deployment through log analysis?

Analyzing the logs generated by FortiGate VM is a key way to measure the effectiveness of deployed security and identify areas for improvement. By integrating FortiGate VM with FortiAnalyzer or a SIEM system, valuable metrics can be obtained:

Number and types of blocked threats: Monitoring logs from AV, IPS, Web Filter, Application Control and FortiSandbox modules shows how many and what types of attacks were successfully neutralized.
Number of rejected connections by firewall policies: Indicates whether access policies are properly configured and enforced.
Detected anomalies and incidents: Analysis of correlated incidents can reveal more complex attack attempts that were detected at different stages.
VPN traffic statistics: Monitor the number of active tunnels, bandwidth and possible errors of VPN connections.
Resource utilization and performance: Analyze system logs and performance metrics to assess whether FortiGate VM is properly sized and performing optimally.
Compliance events: Logs can provide evidence of compliance with specific regulatory requirements.

Regular analysis of this data, supported by predefined and custom reports in FortiAnalyzer/SIEM, allows you to quantitatively assess the effectiveness of your FortiGate VM deployment and make informed decisions on further optimizing your configuration and security policies.

In summary, FortiGate VM brings Fortinet’s powerful next-generation firewall capabilities to the flexible world of virtualization and the cloud. However, successful deployment and configuration of this solution requires understanding the specifics of the virtual/cloud environment and applying best practices in infrastructure preparation, network configuration, access security, HA implementation, performance optimization and continuous monitoring. By following the guidance provided, organizations can take full advantage of the potential of FortiGate VM to build a secure, efficient and scalable virtual and cloud infrastructure.

Need support implementing or optimizing FortiGate VM in your environment? Contact the experts at nFlo. We have deep knowledge and experience to help you get the maximum benefit from this technology.