Create NGFW Fortigate (Single VM)



OK, so you have some VMs already running in Azure and are adding VMs day by day: you should consider adding an NGFW! Also, if you have ever run Azure Advisor, you should already have been notified to add an NGFW.

In Azure you can choose from different Firewall vendors:

  • Fortinet
  • Cisco
  • Barracuda
  • Checkpoint
  • etc.

Because I’m familiar with Fortinet firewalls, I have created a FortiGate! The Fortigate NGFW is available as Pay-As-You-Go or Bring-Your-Own-License (BYOL).

  • FG-VM02-AZ
    • FortiGate-VM ‘virtual appliance’ designed for [Platform]. 2x vCPU cores and (up to) 4 GB RAM.
    • SKU: FG-VM02(-Xen/HV/KVM/AWS/AZ)
  • FG-VM04-AZ
    • FortiGate-VM ‘virtual appliance’ designed for [Platform]. 4x vCPU cores and (up to) 6 GB RAM. No VDOM support.
    • SKU: FG-VM04(-Xen/HV/KVM/AWS)
      Note: Looks like there is a mistake in the Fortinet Datasheet (check link below) because this SKU suggests that there is no Azure Support and VDOM support!?
  • FG-VM08-AZ
    • FortiGate-VM ‘virtual appliance’ designed for [Platform]. 8x vCPU cores and (up to) 12 GB RAM.
    • SKU: FG-VM08(-Xen/HV/KVM/AWS/AZ)

Check the visio-drawing on a ‘standard’ Fortigate (Single VM) deployment within Azure.


Resources created by the deployment:

  • 1x VM
  • 1x Availability Set
  • 1x Storage Account (No Managed disks!)
  • 1x VNET
    • 1x Address Space
    • 2x Subnet (LAN and WAN)
  • 2x Custom IP Routes
  • 2x Network Interfaces (LAN and WAN)
  • 1x Public IP Address

The deployment is quite simple:

  1. Create a VNET with two Subnets.
  2. Create a VM with two network interfaces and connect one network interface to the ‘LAN’ Subnet and one to the ‘WAN’ subnet.
  3. From there create a custom IP Route and assign it to the ‘LAN’ Subnet so traffic will be routed to the Fortigate LAN interface.
  4. Also create a custom IP Route on the ‘WAN’ subnet so traffic to the ‘Public IP’ will be routed to the Fortigate WAN interface.
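A check for step 3, as an added example that is not part of the original post: it reads a route table in the shape `az network route-table show -o json` returns and reports routes that would let LAN traffic skip the Fortigate. The sample table, its names and the 10.0.1.4 LAN address are constructed assumptions, and only user-defined routes with CIDR prefixes are modelled.

```python
import ipaddress

# Constructed sample shaped like `az network route-table show -o json` output.
# Table name, route names and addresses are assumptions, not taken from the post.
LAN_TABLE = {
    "name": "rt-lan",
    "routes": [
        {"name": "default-via-fgt", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
        {"name": "backup-direct", "addressPrefix": "52.0.0.0/8",
         "nextHopType": "Internet", "nextHopIpAddress": None},
    ],
    "subnets": [{"id": "/subscriptions/SUB/resourceGroups/RG/providers/"
                       "Microsoft.Network/virtualNetworks/FortigateProtectedVNet"
                       "/subnets/FortigateInternalSubnet"}],
}


def effective_route(dest, routes):
    """Longest-prefix match over user-defined routes (CIDR prefixes only).
    None means no UDR matches and Azure's system routes decide."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in ipaddress.ip_network(r["addressPrefix"])]
    return max(hits, default=None,
               key=lambda r: ipaddress.ip_network(r["addressPrefix"]).prefixlen)


def audit(table, lan_subnet, fgt_lan_ip):
    """Return findings for routes that let LAN traffic skip the FortiGate."""
    findings = []
    subnets = table.get("subnets") or []
    if not any(s["id"].endswith("/subnets/" + lan_subnet) for s in subnets):
        findings.append(f"{table['name']}: not associated with {lan_subnet}")
    if not any(r["addressPrefix"] == "0.0.0.0/0" for r in table["routes"]):
        findings.append(f"{table['name']}: no 0.0.0.0/0 route to the firewall")
    for r in table["routes"]:
        if r["nextHopType"] != "VirtualAppliance":
            findings.append(f"{r['name']}: {r['addressPrefix']} goes to "
                            f"{r['nextHopType']}, not the FortiGate")
        elif r["nextHopIpAddress"] != fgt_lan_ip:
            findings.append(f"{r['name']}: next hop {r['nextHopIpAddress']} "
                            f"is not the FortiGate LAN IP {fgt_lan_ip}")
    return findings


if __name__ == "__main__":
    for line in audit(LAN_TABLE, "FortigateInternalSubnet", "10.0.1.4"):
        print("FINDING", line)
    print(effective_route("52.1.2.3", LAN_TABLE["routes"])["name"])
```

The more specific `52.0.0.0/8` route wins over the default route for matching destinations, which is why a single stray entry is enough to take traffic around the firewall.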

Let’s just create a Fortigate NGFW! Check the Azure Marketplace and search for ‘Fortigate’:


Fill in the details such as the Fortigate VM name, username, password, etc.


For this example I have chosen to create a new VNET. I have left the pre-populated name unchanged (‘FortigateProtectedVNet’):
Note: Keep in mind when choosing an Address Space that you need two Subnets (one for LAN and one for WAN).


On the Subnets tab, fill in the details.
Notice the two subnets! (where ‘PublicFacingSubnet’ = WAN and ‘FortigateInternalSubnet’ = LAN)


Select a VM size as you normally would for a VM. You could also choose a smaller one. Just for testing I selected a ‘Standard D2’ (2 cores, 7 GB).


Create a Storage Account, which will store the OS disk and data disk.


Create a Public IP:



Assign a Domain name label to the Public IP. With this DNS name you can manage the Fortigate.
Note 1: Your Fortigate will be available via: HTTPS://<Your domain label>.<location>
Note 2: If you have created a Fortigate HA cluster, the second node will be available via: HTTPS://<Your domain label>.<location>


OK, done! Now let’s check the Resource Group and its resources:


As explained above you will find all the resources outlined in the visio drawing.

So you have yourself a Fortigate NGFW in Azure! Yeah! Now you will be able to log in to the Fortigate management interface, upload a license (BYOL) and manage the Fortigate as you normally would.




Azure Marketplace – Test-Drive

It is also possible to Test-Drive the Fortigate on Azure via the Marketplace. You can Test-Drive the Fortigate for 1 hour. This works great but you won’t be able to see the resources created and how things are connected to each other.



Marketplace: FortiGate Next Generation Firewall – Single VM

DataSheet – FortiGate® Virtual Appliances

2 thoughts on “Create NGFW Fortigate (Single VM)”

  • Ryan Brinch

    Hi There

    Thanks so much for this. I am, however, struggling to understand how I would create a VM behind the NGFW. We want to host a DC in Azure; what is the best way to achieve this? Do I just create the DC VM in the same Resource Group and assign the NGFW InternalSubnet to the NIC of the DC VM?

    Or do you create a second Resource Group and route between them? I am rather lost at how you are expected to use the Firewall and VMs behind it.

    Any guidance would be greatly appreciated.

  • Pieterbas Nagengast Post author


    A Resource Group gives you the ability to logically group Azure resources (it holds related resources for an Azure solution). As an example, you can create different Resource Groups for each ‘Function’ or ‘type’… it’s up to you. You could:

    – Create Resource Group(s) for your VMs
    – Create a Resource Group for your VNET
    – Create a Resource Group for your Firewall
    – etc..

    A resource in a Resource Group can Span (or is accessible) to all resources. So you don’t have to create a VM in the same resource group as your VNET or Firewall. Keep in mind that you can only connect resources (like VM’s and Firewalls) to a VNET in the same Azure region.

    Check this link for a better/detailed explanation of resource groups:


    ps. sorry for the late response… had some issues with the comments on this WordPress site… 😉
