With FortiOS version 5.4.1 and above, Fortinet added support for initial configuration of a FortiGate virtual machine by attaching a cloud-init config drive. When the FortiGate VM powers up for the first time, it will automatically read the data from the config drive and apply both license and configuration to the FortiGate. This is an excellent way to automate deployments of FortiGate virtual machines in production or lab environments. You can read more about the config drive support and how to use one at http://cookbook.fortinet.com/config-drive-esx-vcenter-vmware-5-4/. In this blog post, I will try to capture some of the missing pieces and also provide pointers on how to troubleshoot.

Configuration format

The user_data file in the config drive ISO holds the configuration in standard FortiOS CLI syntax. You don't have to supply a complete configuration: a partial one is fine, and everything you leave out stays at its factory default. Because it is plain CLI text, any credentials in it (IPsec pre-shared keys, XAuth passwords, admin passwords) sit in the clear on the ISO, so store and distribute the config drive with the same care as a configuration backup. For example, to put port1 on DHCP and allow ping and SSH on it, the block below is all you need.

config system interface
    edit port1
        set mode dhcp
        set allowaccess ping ssh
    next
end

Order of configuration is important

Put the commands in the same order you would enter them on a FortiGate, because the config drive is applied in the order written. For example, with an interface-based VPN the tunnel interface is created by the IPsec phase1-interface, so configure the phase1-interface (and phase2-interface) before any config system interface block that edits the tunnel interface:

Correct

config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "port1"
        set mode aggressive
        set peertype any
        set localid LOCALID
        set dhgrp 2
        set xauthtype client
        set authusr USER
        set authpasswd PASSWORD
        set remote-gw vpn.gw.ip.addr
        set psksecret SECRET
    next
end
config system interface
    edit "ipsec-tunnel"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.255
        set allowaccess ping https ssh snmp telnet fgfm
        set type tunnel
        set remote-ip 192.168.254.254
        set interface "port1"
    next
end

Wrong

config system interface
    edit "ipsec-tunnel"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.255
        set allowaccess ping https ssh snmp telnet fgfm
        set type tunnel
        set remote-ip 192.168.254.254
        set interface "port1"
    next
end
config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "port1"
        set mode aggressive
        set peertype any
        set localid LOCALID
        set dhgrp 2
        set xauthtype client
        set authusr USER
        set authpasswd PASSWORD
        set remote-gw vpn.gw.ip.addr
        set psksecret SECRET
    next
end
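
Before burning the ISO, it is worth linting user_data for exactly these two problems: a tunnel interface edited before the phase1-interface that creates it, and the credentials the drive will carry in the clear. The script below is an added example written for this post, not code from the original post or from Fortinet. It parses only the config / edit / set / next / end subset of the FortiOS CLI, treats an 'end' inside an 'edit' as closing both (as the FortiOS CLI does), and uses a key-name heuristic of my own (psksecret and anything ending in passwd or password) to spot credentials; the sample fragments are trimmed from the Correct and Wrong examples above.

```python
"""Lint a FortiGate config-drive user_data file before burning the ISO.

Added example, not code from the post or from Fortinet.  It parses the
config/edit/set/next/end subset of FortiOS CLI in order, then checks (1) that
a 'type tunnel' system interface is edited only after the phase1-interface
that creates it and (2) which credentials the ISO carries in the clear.  The
samples are trimmed from the post; the credential key-name heuristic is my own.
"""
from dataclasses import dataclass, field

@dataclass
class Entry:
    path: tuple                                   # e.g. ("system", "interface")
    name: str                                     # the 'edit' key; "" for settings directly under config
    settings: dict = field(default_factory=dict)  # 'set key value' pairs, in the order seen

def parse_user_data(text):
    """Flatten FortiOS CLI text into Entry objects in the order they would be applied."""
    entries, stack = [], []   # frames: {"kind": "config", "seg", "entry"} or {"kind": "edit", "entry"}

    def path():
        return tuple(seg for f in stack if f["kind"] == "config" for seg in f["seg"])

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *rest = line.split()
        if kw == "config":
            stack.append({"kind": "config", "seg": tuple(rest), "entry": None})
        elif kw == "edit":
            if not stack or stack[-1]["kind"] != "config":
                raise ValueError(f"line {lineno}: 'edit' outside a config block")
            entry = Entry(path=path(), name=" ".join(rest).strip('"'))
            entries.append(entry)
            stack.append({"kind": "edit", "entry": entry})
        elif kw == "set":
            if not stack or not rest:
                raise ValueError(f"line {lineno}: malformed or misplaced 'set'")
            frame = stack[-1]
            if frame["kind"] == "config" and frame["entry"] is None:
                frame["entry"] = Entry(path=path(), name="")   # e.g. config system global
                entries.append(frame["entry"])
            frame["entry"].settings[rest[0]] = " ".join(rest[1:]).strip('"')
        elif kw == "next":
            if not stack or stack[-1]["kind"] != "edit":
                raise ValueError(f"line {lineno}: 'next' without an open 'edit'")
            stack.pop()
        elif kw == "end":
            while stack and stack[-1]["kind"] == "edit":   # FortiOS lets 'end' close an open edit too
                stack.pop()
            if not stack:
                raise ValueError(f"line {lineno}: 'end' without an open 'config'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unsupported keyword {kw!r}")
    if stack:
        raise ValueError("unterminated config/edit block at end of file")
    return entries

def check_tunnel_order(entries):
    """One message per tunnel interface edited before its phase1-interface has created it."""
    findings, phase1_seen = [], set()
    for e in entries:
        if e.path == ("vpn", "ipsec", "phase1-interface"):
            phase1_seen.add(e.name)
        elif (e.path == ("system", "interface") and e.settings.get("type") == "tunnel"
              and e.name not in phase1_seen):
            findings.append(f"tunnel interface {e.name!r} is edited before "
                            "'config vpn ipsec phase1-interface' creates it")
    return findings

def find_cleartext_secrets(entries):
    """(config path, entry name, key) for every credential-bearing setting in the file."""
    return [(" ".join(e.path), e.name, key) for e in entries for key in e.settings
            if key == "psksecret" or key.endswith(("passwd", "password"))]

PHASE1_BLOCK = """\
config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "port1"
        set authusr USER
        set authpasswd PASSWORD
        set psksecret SECRET
    next
end
"""
TUNNEL_IF_BLOCK = """\
config system interface
    edit "ipsec-tunnel"
        set type tunnel
        set interface "port1"
    next
end
"""
CORRECT_USER_DATA = PHASE1_BLOCK + TUNNEL_IF_BLOCK   # phase1 first, as in the post's "Correct" example
WRONG_USER_DATA = TUNNEL_IF_BLOCK + PHASE1_BLOCK     # the post's "Wrong" ordering

if __name__ == "__main__":
    for entries in map(parse_user_data, (CORRECT_USER_DATA, WRONG_USER_DATA)):
        print(check_tunnel_order(entries) or "order OK", find_cleartext_secrets(entries))
```

Run it as a script to see the Wrong ordering flagged and the Correct one pass, then feed your own user_data to parse_user_data() the same way. A ValueError from the parser (an unterminated block, a 'next' with no open 'edit') is itself a useful check, since a malformed block is otherwise something you only discover in the diagnose output after the first boot.
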

Debugging

To verify that the configuration from the user_data file was applied as intended, run the command below on the FortiGate CLI and read through the output.

diagnose debug cloudinit show

The diagnose command shows the exact order in which the commands were applied on the FortiGate and helps to troubleshoot any issues. I couldn't find this command in Fortinet's documentation, but I don't think it's a hidden command; I found out about it using the 'tree' command within FortiOS.

I hope this post helps.
