FortiGate
spathak
Staff
Article Id 198353
Description
This article describes how to install and configure FortiGate Autoscale for Azure.

It requires knowledge of the following:
- Configuring a FortiGate using the CLI.
- Azure deployment templates.
- Azure Functions.

It is expected that FortiGate Autoscale for Azure will be deployed by DevOps engineers or advanced system administrators who are familiar with the above.

Solution
Before starting the deployment, the following steps have to be carried out:

1) Log into the Azure account at https://azure.microsoft.com/en-ca/. If there is no account yet, create one by following the on-screen instructions.

2) Create a service principal that Autoscale will use to interact with the Azure services it manages. The service principal may be created from a different Azure account than the one used for the deployment. For details on the permissions required by the service principal, and by the user creating it, refer to the note below. Make note of the following items, as they are required to deploy the Function App:
- Application ID (used for the parameter Rest App ID). This is found under Azure Active Directory -> App registrations -> {your-app}.
- Application secret (used for the parameter Rest App Secret). The application secret is displayed only once, when it is created, and cannot be retrieved afterwards. Store it in a secret store at that point: it is the credential with which the Function App acts as the service principal.

Note: The service principal requires read and write permissions on the resources that Autoscale manages, which can be granted by adding the Contributor role to the service principal. Assign the role at the scope of the resource group used for the deployment rather than at subscription scope wherever possible, so that a leaked secret cannot be used to modify unrelated resources.

In order to grant the service principal such permissions, the Azure account used to create the service principal and assign it the role requires the following permissions:
- Microsoft.Authorization/roleAssignments/write (to add role assignments).
- Microsoft.Authorization/roleAssignments/delete (to remove role assignments).

These permissions are included in the built-in roles User Access Administrator and Owner. For details, refer to the Microsoft article Add or remove role assignments using Azure RBAC and the Azure portal.

3) Confirm that there is a valid subscription to the PAYG and/or BYOL marketplace listings for FortiGate, as required for the deployment. For a template-driven deployment this also means the marketplace terms of the listing must already have been accepted in the subscription (for example with az vm image terms accept). Without valid subscriptions, the deployment fails with errors.

Requirements when using an existing VNet

When using an existing VNet, the following must be in place before the template is deployed:
- The VNet must contain exactly 4 subnets.
- The FortiGate VMSS will be deployed in one of the subnets. This subnet must:
  - be a clean subnet (i.e. one not used by any other resource);
  - have two service endpoints manually enabled: one for Microsoft.AzureCosmosDB and one for Microsoft.Web;
  - have its name specified in the Subnet 1 Name parameter.
- The 3 other subnets will be protected by the FortiGate VMSS.
- Route tables must already exist to route traffic between the FortiGate VMSS subnet and the other subnets.
- One network security group must be associated with all 4 subnets in the VNet.
- (Optional) One available public IP address (i.e. not associated with any resource) to be used for the external load balancer that is created during template deployment.
  - This IP address must be of the Standard SKU in order to match the VMSS.
  - This requirement is optional because a new IP address can be created during template deployment, as selected by the Frontend IP Deployment Method parameter.
- All of the components above must reside in the same resource group.
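The prerequisites above (step 2's Contributor assignment for the service principal and the existing-VNet requirements in this section) are easy to get subtly wrong and only surface as template deployment errors. The following pre-flight check is an added example, not part of this article or of Fortinet's Autoscale code. It consumes the JSON that the Azure CLI emits for `az role assignment list --assignee <app-id> --all -o json`, `az network vnet show -g <rg> -n <vnet> -o json` and `az network public-ip show -g <rg> -n <pip> -o json`, and returns the list of unmet requirements. The subscription ID, resource group, subnet and resource names in the sample data are constructed placeholders, not real Azure output.

```python
"""Pre-flight check for the FortiGate Autoscale for Azure prerequisites.
Added example, not Fortinet's code. Input: Azure CLI JSON (see lead-in).
Returns a list of unmet requirements; an empty list means ready to deploy.
The sample data at the bottom is constructed, not real Azure output."""
import json
import sys

REQUIRED_ENDPOINTS = {"Microsoft.AzureCosmosDB", "Microsoft.Web"}
ACCEPTED_ROLES = {"Contributor", "Owner"}  # roles giving read/write on the resource group


def rg_scope(subscription_id, resource_group):
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def check_service_principal(assignments, scope):
    """Accept a Contributor/Owner assignment whose scope is the target resource
    group itself or a parent of it (subscription or management group)."""
    target = scope.lower()
    for a in assignments:
        s = a.get("scope", "").rstrip("/").lower()
        if a.get("roleDefinitionName") in ACCEPTED_ROLES and (target == s or target.startswith(s + "/")):
            return []
    return [f"service principal has no Contributor/Owner assignment covering {scope}"]


def check_vnet(vnet, fortigate_subnet, resource_group):
    problems = []
    if vnet.get("resourceGroup", "").lower() != resource_group.lower():
        problems.append("VNet is not in the deployment resource group")
    subnets = vnet.get("subnets") or []
    if len(subnets) != 4:
        problems.append(f"VNet has {len(subnets)} subnets, expected 4")
    by_name = {s["name"]: s for s in subnets}
    fg = by_name.get(fortigate_subnet)
    if fg is None:
        problems.append(f"subnet {fortigate_subnet!r} (Subnet 1 Name) not found in VNet")
    else:
        # "clean" subnet: no NIC or load balancer IP configuration may already be attached
        if fg.get("ipConfigurations"):
            problems.append(f"subnet {fortigate_subnet!r} is not clean: "
                            f"{len(fg['ipConfigurations'])} IP configuration(s) attached")
        enabled = {e["service"] for e in fg.get("serviceEndpoints") or []
                   if e.get("provisioningState", "Succeeded") == "Succeeded"}
        missing = REQUIRED_ENDPOINTS - enabled
        if missing:
            problems.append(f"subnet {fortigate_subnet!r} is missing service endpoints: {sorted(missing)}")
    # the three protected subnets are steered through the FortiGates by route tables
    for name, s in by_name.items():
        if name != fortigate_subnet and not s.get("routeTable"):
            problems.append(f"protected subnet {name!r} has no route table")
    # exactly one NSG, shared by all four subnets
    nsg_ids = {((s.get("networkSecurityGroup") or {}).get("id") or "").lower() for s in subnets}
    if len(nsg_ids) != 1 or "" in nsg_ids:
        problems.append("all 4 subnets must be associated with one and the same network security group")
    return problems


def check_public_ip(pip, resource_group):
    problems = []
    if (pip.get("sku") or {}).get("name") != "Standard":
        problems.append("public IP must be Standard SKU to match the VMSS")
    if pip.get("ipConfiguration"):  # populated when the IP is already attached to something
        problems.append("public IP is already associated with a resource")
    if pip.get("resourceGroup", "").lower() != resource_group.lower():
        problems.append("public IP is not in the deployment resource group")
    return problems


def preflight(assignments, vnet, subscription_id, resource_group, fortigate_subnet, public_ip=None):
    problems = check_service_principal(assignments, rg_scope(subscription_id, resource_group))
    problems += check_vnet(vnet, fortigate_subnet, resource_group)
    if public_ip is not None:  # only when an existing frontend IP is reused
        problems += check_public_ip(public_ip, resource_group)
    return problems


# --- constructed sample data (placeholders, not real Azure output) -----------
SUB = "00000000-0000-0000-0000-000000000000"
RG = "fgt-autoscale-rg"
NSG_ID = f"{rg_scope(SUB, RG)}/providers/Microsoft.Network/networkSecurityGroups/fgt-nsg"
RT_ID = f"{rg_scope(SUB, RG)}/providers/Microsoft.Network/routeTables/fgt-rt"


def _subnet(name, endpoints=(), nics=0, route_table=RT_ID, nsg=NSG_ID):
    return {"name": name,
            "serviceEndpoints": [{"service": e, "provisioningState": "Succeeded"} for e in endpoints],
            "ipConfigurations": [{"id": f"nic-{i}"} for i in range(nics)] or None,
            "routeTable": {"id": route_table} if route_table else None,
            "networkSecurityGroup": {"id": nsg} if nsg else None}


SAMPLE_ASSIGNMENTS = [{"roleDefinitionName": "Contributor", "scope": rg_scope(SUB, RG)}]
GOOD_VNET = {"resourceGroup": RG, "subnets": [
    _subnet("subnet1", ("Microsoft.AzureCosmosDB", "Microsoft.Web"), route_table=None),
    _subnet("subnet2"), _subnet("subnet3"), _subnet("subnet4")]}
GOOD_PIP = {"sku": {"name": "Standard"}, "ipConfiguration": None, "resourceGroup": RG}
BAD_VNET = {"resourceGroup": RG, "subnets": [
    _subnet("subnet1", ("Microsoft.AzureCosmosDB",), nics=1, route_table=None),  # not clean, no Microsoft.Web
    _subnet("subnet2", nsg=None), _subnet("subnet3"), _subnet("subnet4")]}       # NSG not shared

if __name__ == "__main__":
    if len(sys.argv) >= 6:  # python preflight.py <sub-id> <rg> <subnet1-name> assignments.json vnet.json [pip.json]
        sub, rg, sn, *files = sys.argv[1:]
        docs = [json.load(open(f)) for f in files]
        problems = preflight(docs[0], docs[1], sub, rg, sn, docs[2] if len(docs) > 2 else None)
    else:  # no arguments: evaluate the constructed bad sample
        problems = preflight(SAMPLE_ASSIGNMENTS, BAD_VNET, SUB, RG, "subnet1", GOOD_PIP)
    for p in problems:
        print("FAIL:", p)
```

Run it with the three JSON files exported from the Azure CLI before starting the template deployment; anything it prints corresponds to one of the requirements above and must be fixed first. The route-table check is deliberately applied only to the three protected subnets, since the article requires routing between them and the FortiGate subnet but does not require a route table on the FortiGate subnet itself.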
