Supported Fortinet Devices

Product | Install License | Backup Configuration | Restore Configuration | ZTP | Flex-VM Default | Remarks | FortiPoC License Type | ITF License | .lic File
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
FAC | NO | NO | NO | | | see FAC before 5.5 | | |
FAC >= 5.5 | tftp | tftp | tftp | | | | FAC_VM_KVM | FAC-VM-BASE | FAC-VM
FAD | tftp | tftp | tftp | | FortiADC | see FAD 5.0 | FAD_KVM | FAD-VMxx | FADV
FAD-CM | cli | tftp | tftp | | | Experimental | FADManager-KVM | FAD-CM-BASE |
FAI | tftp | tftp | tftp | | | see FNDR (previously FAI) | FAI_VMKV | FC?-10-AIVMS | FAIVMS
FAZ | cli/ssh | ftp | ftp | | FortiAnalyzer | see FAZ 7.4.2 | FAZ_VM64_KVM | FAZ-VM-BASE | FAZ-VM
FCH | tftp | tftp | tftp | | | | FCHKVM | FCH-VMxx | FCHV
FDC | ftp | NO | NO | | | Experimental, see Deep nested VMs | | |
FEDR | NO | NO | NO | | | Experimental, see FEDR | | |
FEXT | NO | NO | NO | | | Experimental | | |
FGT | tftp | tftp | tftp | see ZTP | FortiGate | see FGT | FGT_VM64_KVM | FG-VMxx | FGVM
FHV | ftp | ftp | ftp | | | Experimental | | |
FIN | NO | tftp | tftp | | | see FIN | | |
FIS | tftp | NO | tftp | | | Incomplete | | |
FMG | cli/ssh | ftp | ftp | | FortiManager | see FMG 7.4.2 | FMG_VM64_KVM | FMG-VM-BASE | FMG-VM
FML 5.3 | cloudinit | tftp | cloudinit | | | see FML 5.3 | FML_VMKV | FML-VMxx | FEVM
FML >= 5.4 | tftp | tftp | tftp | | | | FML_VMKV | FML-VMxx | FEVM
FNAC | NO | NO | NO | | | Experimental, tested with 8.7.1 | | |
FNAC-F | tftp | tftp | tftp | | | Experimental | | |
FNDR | tftp | tftp | tftp | | | see FNDR (previously FAI) | FNDR_VMKV | FC?-10-AIVMS | FAIVMS
FOS | N/A | tftp | tftp | | | | | |
FOS-LXC | NO | http | NO | | | Experimental | | |
FPA | tftp | tftp | tftp | | | see FPA | FPA_KVM | | FPA
FPC | rest | ftp | ftp | | FortiPortal | see FPC | FPC_VM64 | FPC-VM-BASE | FPC-VM
FPL | NO | NO | NO | | | see sd_fpl | | |
FPX | tftp | tftp | tftp | | | | FPXKVM | |
FRC | tftp | tftp | tftp | | | | FRC_VMKV | FRC-VM-BASE | FK-SVM
FSA | ftp | tftp | tftp | | | Experimental, see FSA | | |
FSM | NO | NO | NO | | | Experimental | | |
FSW | tftp | tftp | tftp | | | Internal use, see FSW | | |
FSWM | tftp | tftp | tftp | | | Based on FGT | FSWM_VM64_KVM | | FSWMVM
FTS | http | http | http | | | see FTS | FTS_VM_KVM | FTS-VM04 | FTSV
FVE | tftp | tftp | tftp | | | see FVE | FVE_VMKV | FVE-VM-BASE | FO-SVM
FWB | tftp | tftp | tftp | | FortiWeb | | FWB_KVM | FWB-VMxx | FVVM
FWC | NO | NO | NO | | | Experimental | | |
FWM | NO | NO | NO | | | Experimental | | |
FWN | tftp | tftp | tftp | | | see FWN | FWAN_VM | FWN-VMxx | FWN
SOAR | NO | NO | NO | | | Experimental | | |
WLM | NO | NO | NO | | | see WLM | | |

Base configuration process

  • serial: configure ports, gateway and DNS, then send the configuration

  • tftp/ftp/http:

    1. configure the mgmt port using the serial console

    2. apply the license by TFTP, FTP or CLI if it is installed first (default)

    3. configuration:

      • if a full configuration is provided (detection is device dependent; a simple check is whether the configuration file starts with a #), apply it with the restore configuration method

      • if there is no configuration or a snippet configuration (and this is supported):

        1. back up the current device configuration with the backup configuration method

        2. append the FortiPoC configuration (ports, gateway and DNS) to the end of the backup

        3. append the snippet configuration to the end of the backup

        4. apply the updated configuration with the restore configuration method

    4. apply the license by TFTP, FTP or CLI if it is installed last

  • cloudinit: see the product-specific cloudinit documentation; snippets are generally not supported
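The tftp/ftp/http decision tree above, as an added Python example (not FortiPoC's own code): it classifies the configuration file with the simple “starts with #” check and assembles the text to push with the restore method. The FortiOS-style rendering of the FortiPoC part (port address, gateway, DNS) and the PocNetwork fields are assumptions, since the page does not show the snippet FortiPoC actually generates.

```python
from dataclasses import dataclass
from typing import List

# Added example, not FortiPoC code. The FortiOS-style rendering of the
# FortiPoC part (port, gateway, DNS) is an assumption: the real snippet is
# product specific and not shown on this page.

@dataclass
class PocNetwork:
    port: str          # management port name, e.g. "port1"
    ip: str
    mask: str
    gateway: str
    dns: List[str]     # at most two servers are rendered (primary, secondary)

def classify_config(text: str) -> str:
    """Return 'none', 'full' or 'snippet'.

    'full' uses the simple check from the procedure: the first non-blank
    line starts with '#' (FortiOS backups begin with a '#config-version=' line).
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return "none"
    return "full" if lines[0].lstrip().startswith("#") else "snippet"

def render_poc_config(net: PocNetwork) -> str:
    """FortiOS-style CLI for the FortiPoC-managed settings (assumed format)."""
    dns = "\n".join(f"    set {name} {ip}"
                    for name, ip in zip(("primary", "secondary"), net.dns))
    return (
        "config system interface\n"
        f'    edit "{net.port}"\n        set ip {net.ip} {net.mask}\n    next\nend\n'
        "config router static\n"
        f'    edit 1\n        set gateway {net.gateway}\n        set device "{net.port}"\n    next\nend\n'
        f"config system dns\n{dns}\nend\n"
    )

def build_restore_config(backup: str, net: PocNetwork, config: str) -> str:
    """Text to push with the restore method, following the tftp/ftp/http flow."""
    kind = classify_config(config)
    if kind == "full":
        return config                       # a full configuration is restored as-is
    # no/snippet configuration: current backup + FortiPoC part (+ snippet)
    parts = [backup.rstrip("\n"), render_poc_config(net).rstrip("\n")]
    if kind == "snippet":
        parts.append(config.strip("\n"))
    return "\n".join(parts) + "\n"
```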

Licenses

The FortiPoC License Type matches the VM archive name from info and is used as the Type field when a license is added in FortiPoC.

Limitations

At the time of this release, product images are tied to the following limitations. They may evolve with new releases of the product images. Support for new product releases may require a new FortiPoC release.

FAC before 5.5

The FAC CLI doesn’t provide any command to back up or restore the configuration by TFTP, nor does it provide a CLI command to install a license through TFTP.

The configuration done by FortiPoC is strictly limited to the port addresses and the default static route.

FAD 5.0

If you use a license, you must untick “Install license before configuration”, because FAD must validate the license before it allows execute restore full-config.

FAZ 7.4.2

Important

Applies to v7 build 2380 and above.

The encryption password is now mandatory when doing a configuration backup.

FortiPoC can’t decrypt such a backup; as a consequence, it is not able to add its snippet to complete the default configuration.

The only way around this limitation is to restore a configuration file; otherwise you MUST complete the configuration manually.

FortiPoC uses "fortinet" as the password during the backup and the restore (this seems to have no impact on a configuration without a password).

FEDR

FortiPoC can only configure the root password. The configuration process uses a textual GUI that is not compatible with FortiPoC. There is no known command to back up the configuration of the different FortiEDR VMs.

FGT

ZTP

Warning

ZTP must be performed on port1 (as on the hardware); FortiPoC does not allow another port.

FortiPoC and the FMG managing the FGT must use the same IP address for the management port so that you can still reach the FGT through the FortiPoC SSH and HTTP(S) port-forwarding accesses.

  1. FortiPoC sets the VM’s port1 internal link state to down, so no DHCP request can reach a DHCP server. You can check the port state with the CLI command expert virsh domif-getlink <VM_NAME> <PORT1_PEERNAME> [--config].

  2. FortiPoC configures the management port with the static address (even if it has been defined as DHCP in the PoC definition).

  3. If the management port is port1, FortiPoC switches the running VM’s port1 internal link state to up.

  4. FortiPoC uploads the FGT license.

  5. FortiPoC runs execute factoryreset keepvmlicense.

  6. FortiPoC switches port1 internal link state to up and makes this setting persistent, so it survives a shutdown/power-on cycle.

  7. The FGT can now perform a normal ZTP configuration using the serial number of the license.

FortiCarrier

FortiPoC can install a FortiCarrier license. As a FortiCarrier license is attached to an FGT license, the FortiCarrier license must be added at the end of the FGT license file as follows:

-----BEGIN FGT VM LICENSE-----
QAAAANxKDC9+Ys6KjNEVCeaTdzfVN18AmWbGYwmznvdPxyGMaPfErG2RVBSoaDjX
....
ZRgC05RQtkpyzMXQIPeXqha6ERvLVGKx
-----END FGT VM LICENSE-----
forticarrier-license 1234-5678-9ABC-DEF0-1234

The FGT ignores extra lines in the license file (tested with v6-build1778).
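An added Python example (not FortiPoC code) that builds and checks the combined file shown above: it validates the FGT VM LICENSE block, appends a single forticarrier-license line and reads both parts back. The marker strings come from the example above; the license body is a constructed sample, not a real key.

```python
import base64
import binascii
import re
import textwrap
from typing import Optional, Tuple

# Added example, not FortiPoC code.
BEGIN = "-----BEGIN FGT VM LICENSE-----"
END = "-----END FGT VM LICENSE-----"
CARRIER_RE = re.compile(r"^forticarrier-license\s+(\S+)\s*$", re.MULTILINE)

# Constructed sample: base64 of a dummy string wrapped at 64 columns like the real file.
_body = base64.b64encode(b"constructed sample license body, not a real FGT VM license " * 2).decode()
SAMPLE_FGT_LICENSE = "\n".join([BEGIN, *textwrap.wrap(_body, 64), END]) + "\n"

def split_license(text: str) -> Tuple[str, Optional[str]]:
    """Return (fgt_block, carrier_key or None); raise ValueError on a malformed block."""
    lines = [l.strip() for l in text.replace("\r\n", "\n").split("\n")]
    try:
        start, end = lines.index(BEGIN), lines.index(END)
    except ValueError:
        raise ValueError("missing FGT VM LICENSE markers") from None
    if end < start or end == start + 1:
        raise ValueError("empty or inverted license block")
    try:
        # The body must be well-formed base64 once the line wrapping is removed.
        base64.b64decode("".join(lines[start + 1:end]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"license body is not base64: {exc}") from None
    # Extra lines after END are ignored by the FGT; we only look for the carrier line there.
    m = CARRIER_RE.search("\n".join(lines[end + 1:]))
    return "\n".join(lines[start:end + 1]), (m.group(1) if m else None)

def append_forticarrier_license(fgt_license: str, carrier_key: str) -> str:
    """Combined file: the validated FGT block, then exactly one forticarrier-license line."""
    if not carrier_key or any(c.isspace() for c in carrier_key):
        raise ValueError("carrier key must be a single token")
    block, _ = split_license(fgt_license)   # drops any previously appended carrier line
    return f"{block}\nforticarrier-license {carrier_key}\n"
```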

Warning

As the FortiCarrier license must be validated and attached to the FGT license on FortiCare, the management network MUST have the “IP Forwarding” and “NAT” native functions enabled. FortiPoC configures the default route through the network’s native-functions IP address before applying the license.

HA mode

We assume that when in cluster mode, the interface used by FortiPoC for management is isolated from the HA logic.

You must configure the HA as follows:

config system ha
  ...
  set ha-mgmt-status enable
  config ha-mgmt-interfaces
    edit 1
      set interface port1
    next
  end
end

Where port1 is the management interface.

Warning

You must not have any static route configured on the port1 interface for this to work.

FIN

FortiInsight takes at least 260 seconds (in a PoC with FortiInsight alone) before the first login prompt; it is strongly suggested to set the console timeout to at least 300 seconds.

FortiInsight requires the default password to be changed. However, even when FortiInsight presents the login prompt, the server may not be ready. FortiPoC detects the Server not ready message, sleeps for 30 seconds and retries until it succeeds or the maximum number of retries (100) is reached.

FMG 7.4.2

Important

Applies to v7 build 2380 and above.

The encryption password is now mandatory when doing a configuration backup.

FortiPoC can’t decrypt such a backup; as a consequence, it is not able to add its snippet to complete the default configuration.

The only way around this limitation is to restore a configuration file; otherwise you MUST complete the configuration manually.

FortiPoC uses "fortinet" as the password during the backup and the restore (this seems to have no impact on a configuration without a password).

FML 5.3

To allow TFTP configuration when a license is installed, the FML must validate the license first (which implies that DNS and a default route must exist), so the cloudinit mechanism is used. But cloudinit does not seem to fully support full configuration restore … it may not work as expected.

Restoring the configuration through the serial console is not recommended, as it may fail due to the CLI’s interactive behaviour (e.g. showing help on “?” characters) and system message output (e.g. CPU usage warnings). To limit errors, use a small configuration snippet.

FPA

FortiPoC starts to officially support FortiPAM with 1.0.0 GA (build 0016).

FPC

FPC >= 7.0

  • License installation and basic configuration should work

  • No backup or restore of configuration

FPC < 7.0

Common

As the FortiPortal first boot is (very) long, you should increase the PoC’s global timeout parameter to at least 4 minutes; the default timeout value can be too short.

License

The CLI command doesn’t work (see https://mantis.fortinet.com/bug_view_page.php?bug_id=0736121).

Since FPC v6.0.6 interim build 285, FortiPoC can install the license using the REST API. Prerequisites are:

  1. in the expert parameters you must choose to install the license after configuration (untick “Install license before configuration”)

  2. the database must be up, configured and running before the FPC. For an LXC, a postinst script can be:

    #!/bin/sh

    main()
    {

        export DEBIAN_FRONTEND="noninteractive"
        # Raise this if the database must wait for other VMs to boot first
        WAIT_SECONDS=1
        echo "$(date -u)" "WAITING FOR OTHER VM TO BOOT - Sleep ${WAIT_SECONDS}"
        sleep "${WAIT_SECONDS}"
        echo "$(date -u)" "LAUNCHING BOOT SCRIPT"
        echo "$(date -u)" "Update Package"
        # route add|change default gw <OOB_MGMT_GW>
        apt-get update -y
        echo "$(date -u)" "INSTALLING USEFUL TOOLS"
        apt-get install -y apt-utils iputils-ping wget ftp vim iperf3 mariadb-server

        # Listen on all interfaces instead of 127.0.0.1 and set the sql_mode FortiPortal expects
        sed -i 's/127.0.0.1/0.0.0.0\nsql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION/g' /etc/mysql/mariadb.conf.d/50-server.cnf
        # Move the data directory under /fortipoc
        sed -i 's/\/var\/lib\/mysql\//\/fortipoc\/mysql\//g' /etc/mysql/mariadb.conf.d/50-server.cnf

        systemctl restart mysql

        # Create the account FortiPortal uses (matches the "config system sql" block below)
        mysql -u root -e "create user 'fortiportal'@'%' identified by 'fortinet';"
        mysql -u root -e "GRANT ALL PRIVILEGES ON *.* TO 'fortiportal'@'%' IDENTIFIED BY 'fortinet';"
        mysql -u root -e "flush privileges;"

        echo "$(date -u)" "BOOT SCRIPT ENDED"
    }

    main | tee /fortipoc/boot.log
    
  3. the FPC must already be configured to access the DB, for example:

    config system sql
        set status remote
        set database-name fortiportal
        set database-type mysql
        set password fortinet
        set server LXC_DB_ADDRESS
        set username fortiportal
    end
    

FortiPoC uses the default spuser user to install the license. It tries the default test123 password first and, if that fails, the password configured at PoC level.

As the web services may take time to start on the FortiPortal, FortiPoC uses a retry loop to access the REST API once the management IP replies to ping. By default it is 5 tries of 5 seconds. To change these settings, add a “timeout” entry in the “Expert settings”; for example, for 6 tries of 10 seconds:

{
  "timeout": {
    "retries": 6,
    "retry_delay": 10
  }
}

Old versions

FortiPoC can start a VM with the mysql.qcow2 image from info.fortinet.com. The image provided with the FPC v4.0.4 GA Release is an Ubuntu VM statically configured (10.1.1.1/8 with default route via 10.1.1.1). It provides no serial console and does not support cloudinit; as a consequence, FortiPoC can’t configure it.

FTS

Before v300 build 119

The FTS configuration backup mechanism only backs up the test cases and results. It doesn’t save the mgmt port configuration, the gateway, the name servers nor the work mode. FortiPoC does this task by itself and includes a fortipoc.json file in the configuration ZIP archive to be able to restore these parameters.

The FTS needs to validate the license before the work mode can be changed, so the FTS must be able to contact FortiGuard.

As a consequence, FortiPoC FTS configuration process is:

  1. set mgmt (CLI)

  2. set gateway (the PoC or configuration backup value) (HTTP)

  3. set dns (the PoC or configuration backup value) (HTTP)

  4. restore test and results (HTTP)

  5. apply license and wait for license validation (HTTP)

  6. restore the work mode if a license is installed (HTTP)

Since v300 build 119

By default, HTTP connections to the FTS are redirected to HTTPS. This redirect is not compatible with port forwarding, as the port is left unchanged in the URL, leading to an ERR_SSL_PROTOCOL_ERROR error in the browser.

The FTS configuration backup now includes the system configuration. But to restore a configuration you must have a valid FTS license, and the FTS MUST be able to access the FDS server.

So FortiPoC now always configures the mgmt address, DNS and gateway first to allow proper license validation.

Warning

You must ensure internet connectivity is available to the FTS when PoC is launched.

If a configuration must be restored, FortiPoC always installs the license first (if provided) ignoring the install license first/last state in the device’s advanced parameters.

FortiPoC doesn’t restore the work mode or other extra parameters; they are now supposed to be backed up/restored by the standard backup/restore REST API calls.

FVE

When using a license on an FVE, the license must be validated before the execute restore command becomes available. You can tell FortiPoC to install the license after the configuration: edit the device’s Advanced Parameters and untick the “Install license before configuration” checkbox.

WLM

The first port must be connected to a network with a DHCP server. In the PoC definition, it is strongly advised to configure the port as DHCP in order to use the FortiPoC DHCP native function.

WLM doesn’t provide a serial-console CLI, so FortiPoC is unable to:

  • configure the WLM

  • backup/restore the WLM configuration

  • install license

Warning

WLM needs an extra disk that can be 500GB or 1TB depending on the version used.

WLC

Warning

The WLC base disk is a 16GB raw image and the VM’s disk bus is IDE; depending on the version it may need up to 64GB of memory and 48 vCPUs.

FWN

Warning

KVM licenses were not yet available during development; they should work once available if they follow the VMware license format.

FSW

Important

This firmware is only available to Fortinet employees.

By default, FortiPoC assumes the FSW is configured through FortiLink and skips the whole configuration phase, except when a license has to be installed.

When the FortiSwitch is managed by a FortiGate using FortiLink and requires a FortiSwitch license, send a license request to pm_fsw@fortinet.com (a license is not required in standalone mode).

To switch to standalone mode add in the device’s Advanced Parameters Expert settings:

{"special": {"fortilink": false}}

With FSW_108D_VM-v7 firmware, configuration backup/restore and license installation should work (tested with FSW_108D_VM-v7-build5339).

With FSW_108D_VM-v6 firmware, configuration backup/restore should work (tested with FSW_108D_VM-v6-build5835); there is no license support.

With older firmware in standalone mode, FortiPoC may fail to configure the FSW because kernel messages may flood the serial console output and prevent FortiPoC from detecting the login and configuration prompts. Configuration backup/restore and license installation are not supported.

FSA

Important

License installation support is deprecated for versions before v3 build 102.

From v3 build 102, FortiPoC can perform configuration backup and restore.

FSA support remains experimental because of the Deep nested VMs constraints. You should configure it to use the cloud.

Warning

(2019-07-05) When using a license, if you restart a PoC, the FSA license is locked to the “dead” FSA for 1 hour; during this period the FSA may complain that the license is invalid.

FNDR (previously FAI)

The license IP must be set on the port1 (mgmt).

Minimal supported version is v1.4-build0081.

FPL

FortiPoC supports basic configuration of the elements required by the CLI: the static management address, the DNS server and the default gateway.

If any of these is missing, nothing is done at all.

The following non-configurable parameters are also set automatically:

  • the hostname is set to fortipolicy

  • the NTP servers are set to 162.159.200.1 and 37.187.5.167 (addresses from debian.pool.ntp.org), as FortiPolicy refuses FQDNs

Important

Beware when you define the new password for devices: FortiPolicy (tested with v7.2.2) has strict rules:

  • the new password must not be similar to the default password “fortinet”

  • it must contain upper-case and lower-case letters

  • it must contain a digit

  • it must contain a non-alphanumeric character

Please also note that you can’t change the password again for 1 day.

Deep nested VMs

Both FSA and FDC need to run VMs, which end up as level 3 VMs:

L0: Hypervisor (VMWare, GCP, ...)
L1: FortiPoC
L2: FSA, FDC
L3: VMs

Warning

Such VM nesting depth is experimental and may not work (hardware virtualization) or may perform poorly (software virtualization).