
Binary Nature

FortiGate Vagrant box for VMware Fusion

Continuing my journey to Vagrantize more virtual network appliances...

Ingredients used in this guide:

macOS Mojave (10.14)
VMware Fusion 11 Pro
Vagrant 2.2.2
VMware provider for Vagrant
FortiGate VM

NOTE: The FortiGate VM includes a limited embedded 15-day trial license that supports:
1 CPU maximum
1 GB RAM maximum
Low encryption only (no HTTPS administrative access)
All features except FortiGuard updates

01. Download and unzip the FortiGate VM deployment package for VMware.
FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. I will be using FortiGate VM v6.0.2 for my example.
Save the FGT_VM64-v6-build0163-FORTINET.out.ovf.zip file to the Downloads folder.
Double-click the FGT_VM64-v6-build0163-FORTINET.out.ovf.zip file to unzip it.
Rename the FGT_VM64-v6-build0163-FORTINET.out.ovf folder to FGT_VM64-v6.

02. Create the FortiGate VM template.
Open the VMware Fusion application.
Click File | Import... from the VMware Fusion menu bar.
Click the Choose File... button.
Navigate to and select the FortiGate-VM64.ovf file in the FGT_VM64-v6 folder.
Click the Open button.
Click the Continue button.
Click the Accept button for the EULA.
Keep the default name, FortiGate-VM64.
Click the Save button.
Click the Customize Settings button to modify the virtual appliance settings.
Set Network Adapter to Share with my Mac.
Upgrade the VM hardware version to 16 (Compatibility | Upgrade).
Close the Settings window.
Close the VMware Fusion application.

03. Remove additional network interfaces from the virtual appliance configuration file.
From a macOS terminal, remove Network Adapter 2 to Network Adapter 10.

$ sed -i '' '/^ethernet[^0]/d' $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

NOTE: The default virtual machine folder (directory) for VMware Fusion 11 is $HOME/Virtual\ Machines.localized. Upgrades and earlier versions use $HOME/Documents/Virtual\ Machines.localized as the default.

Verify only Network Adapter remains.

$ grep '^ethernet' $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.connectionType = "nat"
ethernet0.addressType = "generated"
ethernet0.wakeonpcktrcv = "true"
ethernet0.allowguestconnectioncontrol = "true"

04. Add a custom serial port (for management via console connection).
From a macOS terminal, append a serial port device to the virtual appliance configuration file.

$ printf 'serial0.present = "TRUE"\nserial0.yieldOnMsrRead = "TRUE"\nserial0.fileType = "network"\nserial0.fileName = "telnet://127.0.0.1:52099"\n' >> $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

Verify the component has been added.

$ tail -4 $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx
serial0.present = "TRUE"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileType = "network"
serial0.fileName = "telnet://127.0.0.1:52099"

05. Start the virtual appliance.
From a macOS terminal, start the virtual appliance with the vmrun command.

$ /Applications/VMware\ Fusion.app/Contents/Library/vmrun start $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

NOTE: An automatic reboot will be performed after initialization.

06. Log in to the FortiGate device.
Log in via the VMware console with admin and no password.

FortiGate-VM64 login: admin
Password:

07. Get the management network interface (port1) IPv4 address.

FortiGate-VM64 # get system interface physical
== [onboard]
        ==[port1]
                mode: dhcp
                ip: 192.168.200.132 255.255.255.0
                ipv6: ::/0
                status: up
                speed: 1000Mbps (Duplex: full)

FortiGate-VM64 # exit

08. Connect via SSH.
From a macOS terminal, log in via SSH to the FortiGate device.

$ ssh admin@192.168.200.132

09. Establish a baseline configuration for the Vagrant box.
Create the vagrant user. For complete access to all commands, you must create an administrator account that has the super_admin access profile. The public key set below is Vagrant's default insecure key pair (the private half ships with Vagrant), which is what lets vagrant ssh authenticate later without further configuration.

FortiGate-VM64 # config system admin
FortiGate-VM64 (admin) # edit vagrant
FortiGate-VM64 (vagrant) # set accprofile super_admin
FortiGate-VM64 (vagrant) # set password vagrant
FortiGate-VM64 (vagrant) # set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
FortiGate-VM64 (vagrant) # end

Verify the vagrant user configuration.

FortiGate-VM64 # show system admin vagrant
config system admin
    edit "vagrant"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
        set password ENC SH28ytlJGDAGlEQ6Oo7Z0BNTLVuqBIf7yLQWuuaBln/BsRSTbJTvAYZrXgq1OY=
    next
end

Set idle timeout to one hour.

FortiGate-VM64 # config system global
FortiGate-VM64 (global) # set admintimeout 60
FortiGate-VM64 (global) # set admin-ssh-grace-time 3600
FortiGate-VM64 (global) # end

Verify the idle timeout configuration.

FortiGate-VM64 # show system global | grep -f admin
config system global
    set admin-ssh-grace-time 3600    <---
    set admintimeout 60    <---
    set alias "FortiGate-VM64"
    set hostname "FortiGate-VM64"
    set timezone 04
end

We should also verify the management network interface (port1) allows web UI access. It should be enabled by default.

FortiGate-VM64 # show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
end

Exit the SSH session with the FortiGate device.

FortiGate-VM64 # exit

10. Stop the virtual appliance and quit the VMware Fusion application.
From a macOS terminal, stop the virtual appliance with the vmrun command.

$ /Applications/VMware\ Fusion.app/Contents/Library/vmrun stop $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

11. Create the Vagrant box.
From a macOS terminal, change the current directory.

$ cd $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm

Remove generated MAC addresses from the FortiGate-VM64 configuration file.

$ sed -i '' '/generatedAddress/d' FortiGate-VM64.vmx

Remove UUID properties from the FortiGate-VM64 configuration file.

$ sed -i '' '/uuid/d' FortiGate-VM64.vmx

Create the metadata.json file for the VMware provider.

$ printf '{"provider": "vmware_desktop"}' > metadata.json

List the directory contents to verify the essential files are present.

$ du -csh *
102M FortiGate-VM64-disk1.vmdk
53M FortiGate-VM64-disk2.vmdk
4.0K FortiGate-VM64.plist
0B FortiGate-VM64.vmsd
4.0K FortiGate-VM64.vmx
4.0K FortiGate-VM64.vmxf
4.0K metadata.json
12K nvram
4.0K startMenu.plist
340K vmware.log
155M total

Package the Vagrant box file with tar.

$ tar cvzf fortigate-602.box ./*
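As an added example (not code from the original post), this shell script carries out the step 11 packaging on a constructed copy of the VM folder and verifies the box it produces. The sample .vmx lines, the empty placeholder disk files, the scratch directory and the helper names are my own; the sed patterns, the metadata.json contents and the fortigate-602.box name come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanitize a stopped VM's .vmx for
# packaging, write metadata.json, build the .box and verify the archive.
# The folder contents are constructed stand-ins; the disk images are empty here.
set -eu

# Constructed VM folder: a .vmx carrying host-generated MAC and UUID values,
# plus placeholder disks and nvram.
make_sample_vm_dir() {
  mkdir -p "$1"
  cat > "$1/FortiGate-VM64.vmx" <<'EOF'
.encoding = "UTF-8"
displayName = "FortiGate-VM64"
ethernet0.present = "TRUE"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:12:34:56"
ethernet0.generatedAddressOffset = "0"
uuid.bios = "56 4d 00 11 22 33 44 55-66 77 88 99 aa bb cc dd"
uuid.location = "56 4d 00 11 22 33 44 55-66 77 88 99 aa bb cc dd"
scsi0:0.fileName = "FortiGate-VM64-disk1.vmdk"
EOF
  : > "$1/FortiGate-VM64-disk1.vmdk"
  : > "$1/FortiGate-VM64-disk2.vmdk"
  : > "$1/nvram"
}

# Drop the generated MAC and UUID lines (the post's two sed commands) so every
# clone made by 'vagrant up' gets fresh ones. addressType = "generated" stays,
# which is what makes Fusion regenerate a MAC on first boot.
sanitize_vmx() {
  sed -e '/generatedAddress/d' -e '/uuid/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Tell Vagrant which provider the box targets (the post's metadata.json).
write_metadata() {
  printf '{"provider": "vmware_desktop"}\n' > "$1/metadata.json"
}

# Package from inside the folder so entries are relative, as the post does.
# $2 must be an absolute path outside $1; otherwise tar is asked to add the
# archive to itself.
build_box() {
  (cd "$1" && tar czf "$2" ./*)
}

# Check 1: the archive carries the files Vagrant and Fusion need.
box_has_required_files() {
  listing=$(tar tzf "$1")
  for f in metadata.json FortiGate-VM64.vmx FortiGate-VM64-disk1.vmdk nvram; do
    printf '%s\n' "$listing" | grep -q "^\./$f\$" || return 1
  done
}

# Check 2: the .vmx inside the finished archive no longer carries host identity.
box_vmx_is_clean() {
  if tar -xzOf "$1" ./FortiGate-VM64.vmx | grep -Eq 'generatedAddress|uuid'; then
    return 1
  fi
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_sample_vm_dir "$work/FortiGate-VM64.vmwarevm"
sanitize_vmx "$work/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx"
write_metadata "$work/FortiGate-VM64.vmwarevm"
build_box "$work/FortiGate-VM64.vmwarevm" "$work/fortigate-602.box"
box_has_required_files "$work/fortigate-602.box"
box_vmx_is_clean "$work/fortigate-602.box"
echo "box ok: $(tar tzf "$work/fortigate-602.box" | wc -l | tr -d ' ') entries"
rm -rf "$work"
```

Removing the generatedAddress and uuid lines is what makes the box clonable: each vagrant up then gets a MAC address and UUID of its own instead of inheriting the build machine's. The two checks read the .vmx back out of the finished archive rather than the working copy, so they also catch a box that was tarred before it was sanitized.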

12. Add the Vagrant box.
From a macOS terminal, add the Vagrant box to our local inventory.

$ vagrant box add --provider vmware_desktop --name fortigate-602 fortigate-602.box
==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'fortigate-602' (v0) for provider: vmware_desktop
    box: Unpacking necessary files from: file:///Users/marc/Virtual%20Machines.localized/FortiGate-VM64.vmwarevm/fortigate-602.box
==> box: Successfully added box 'fortigate-602' (v0) for 'vmware_desktop'!

Verify the box is now listed.

$ vagrant box list
bento/centos-7.5          (vmware_desktop, 201808.24.0)
bento/ubuntu-18.04        (vmware_desktop, 201808.24.0)
cisco-asav-9-10-1         (vmware_desktop, 0)
cisco-asav-9-9-2          (vmware_desktop, 0)
cisco-iosv-l2-152-201703  (vmware_desktop, 0)
cisco-iosv-l3-156-2       (vmware_desktop, 0)
fortigate-602             (vmware_desktop, 0)

13. Test it.
From a macOS terminal, create a directory for a test project and change to it.

$ mkdir $HOME/Documents/test-fortigate && cd $_

Download an example Vagrantfile.

$ curl -Lo Vagrantfile https://raw.githubusercontent.com/mweisel/vagrant-vmware-examples/master/fortigate-single-mgmt-int

Validate the Vagrantfile.

$ vagrant validate

Show the current status of the vagrant machine.

$ vagrant status
Current machine states:

default                   not created (vmware_desktop)

The VMware machine has not yet been created. Run `vagrant up`
to create the machine. If a machine is not created, only the
default provider will be shown. Therefore, if a provider is not listed,
then the machine is not created for that provider.

14. Vagrant Up!

$ vagrant up
Bringing machine 'default' up with 'vmware_desktop' provider...
==> default: Cloning VMware VM: 'fortigate-602'. This can take some time...
==> default: Verifying vmnet devices are healthy...
==> default: Preparing network adapters...
==> default: Starting the VMware VM...
==> default: Waiting for the VM to receive an address...
==> default: Forwarding ports...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 192.168.200.132:22
    default: SSH username: vagrant
    default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Configuring network adapters within the VM...

The status of the vagrant machine is now in the running state.

$ vagrant status
Current machine states:

default                   running (vmware_desktop)

The VM is running. To stop this VM, you can run `vagrant halt` to
shut it down, or you can run `vagrant suspend` to simply suspend
the virtual machine. In either case, to restart it again, run
`vagrant up`.

We can connect to the vagrant machine with SSH:

$ vagrant ssh

or a console connection (out-of-band management) via netcat:

$ nc -c 127.0.0.1 52001

or the web UI via HTTP:

15. More Vagrant commands:
From a macOS terminal, stop the vagrant machine with the force option.

$ vagrant halt -f

Destroy (Delete) the vagrant machine with the force option.

$ vagrant destroy -f

16. Next Steps

Posted 27th December 2018 by Marc Weisel

Labels: Ansible, Fortinet, macOS, Security, Vagrant, VMware
