If you have been following along with the posts so far, you will know that we are using Vagrant to help automate the provision of VNFs within VirtualBox.
Vagrant uses “Box” files as a template to spin up multiple copies of a Virtual Machine (VM). To re-use this Fortinet FortiGate-VM, we need to convert it into a re-usable Box image.
A VM packaged as a Box has to meet a few requirements so that Vagrant can drive it. These are:
- The first interface (management) gets its address from DHCP.
- There is a user called “vagrant” with the password “vagrant”.
- Vagrant must be able to SSH to the VM as that user.
- The Vagrant default (insecure) public key is installed for the “vagrant” user, so Vagrant can log in without a password.
So, let’s configure these settings on our newly created FortiGate-VM. Fortunately for us, DHCP is already set on the management interface, so let’s go straight to configuring the “vagrant” user.
FortiGate-VM64-KVM # config system admin
FortiGate-VM64-KVM (admin) # edit vagrant
new entry 'vagrant' added
FortiGate-VM64-KVM (vagrant) # set accprofile "super_admin"
FortiGate-VM64-KVM (vagrant) # set vdom "root"
FortiGate-VM64-KVM (vagrant) # set password vagrant
FortiGate-VM64-KVM (vagrant) # end
Open up a WSL2 terminal (either in Windows Terminal, VSCode or by searching “Ubuntu” in the Start menu) and try SSHing to the FortiGate-VM with the new user (if asked to trust the host, type “yes”):
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ ssh vagrant@192.168.56.108
The authenticity of host '192.168.56.108 (192.168.56.108)' can't be established.
ED25519 key fingerprint is SHA256:juxdi8VA9TcmBSz4I+CCweYAr6U4idXN1xax0xT6UQU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.108' (ED25519) to the list of known hosts.
vagrant@192.168.56.108's password:
FortiGate-VM64-KVM #
Now that we are logged in as the “vagrant” user, the factory “admin” user is no longer needed, so we can delete it. Only do this after the SSH login above has succeeded: “vagrant” is now the only super_admin account, and a mistake in its setup would lock you out of the VM.
FortiGate-VM64-KVM # config system admin
FortiGate-VM64-KVM (admin) # delete admin
FortiGate-VM64-KVM (admin) # end
FortiGate-VM64-KVM #
Finally, add the Vagrant default SSH public key to the “vagrant” user so that Vagrant can log in without a password. The key can be found at https://github.com/hashicorp/vagrant/blob/master/keys/vagrant.pub.
Note: the matching private key is published in the same repository, so anyone who can reach the VM's SSH port can log in as super_admin. This is very insecure and is only acceptable for throwaway lab VMs; never use it in a production environment or expose the VM beyond your own machine.
FortiGate-VM64-KVM # config system admin
FortiGate-VM64-KVM (admin) # edit vagrant
FortiGate-VM64-KVM (vagrant) # set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
SSH key is good.
FortiGate-VM64-KVM (vagrant) # end
Great, that should be it. Let’s test it out with the matching private key, which Vagrant keeps at ~/.vagrant.d/insecure_private_key.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ ssh -i ~/.vagrant.d/insecure_private_key vagrant@192.168.56.108
FortiGate-VM64-KVM #
Awesome, we logged into the FortiGate without a password using the Vagrant insecure private key.
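Before packaging, it is worth checking the template VM against the Box requirements in one pass instead of trusting that every manual step stuck. The script below is an added example and is not part of the original post, of Vagrant or of Fortinet: it sends show system admin and show system interface port1 to the FortiGate over SSH with the insecure key and asserts that the factory admin account is gone, that vagrant is a super_admin with a public key installed, and that port1 is in DHCP mode. The host address and key path are taken from the session above and are assumptions; the parser expects the standard FortiOS show layout (indented edit/set/next stanzas).

```shell
#!/bin/sh
# Added example, not part of the original post: audit the FortiGate template
# VM against the Box requirements before running "vagrant package".
# Assumptions: the VM answers at FG_HOST (the post's host-only address), the
# "vagrant" admin exists, and the Vagrant insecure private key is at FG_KEY.
FG_HOST="${FG_HOST:-192.168.56.108}"
FG_KEY="${FG_KEY:-$HOME/.vagrant.d/insecure_private_key}"

# Run one FortiOS CLI command non-interactively over SSH and print its output.
fg_cmd() {
    ssh -i "$FG_KEY" -o BatchMode=yes -o ConnectTimeout=5 \
        "vagrant@$FG_HOST" "$1"
}

# Read "show system admin" output from stdin. Succeed only if the factory
# "admin" account is gone and "vagrant" is a super_admin with an SSH key.
audit_admins() {
    out=$(cat | tr -d '\r')          # FortiOS may send CRLF line endings
    status=0
    if printf '%s\n' "$out" | grep -q '^ *edit "admin"'; then
        echo "FAIL: factory 'admin' account still exists" >&2
        status=1
    fi
    # Isolate the vagrant stanza: from its "edit" line to the following "next".
    vag=$(printf '%s\n' "$out" | sed -n '/^ *edit "vagrant"/,/^ *next/p')
    if [ -z "$vag" ]; then
        echo "FAIL: no 'vagrant' admin account" >&2
        return 1
    fi
    printf '%s\n' "$vag" | grep -q 'set accprofile "super_admin"' \
        || { echo "FAIL: 'vagrant' is not super_admin" >&2; status=1; }
    printf '%s\n' "$vag" | grep -q 'set ssh-public-key1 "ssh-' \
        || { echo "FAIL: 'vagrant' has no SSH public key" >&2; status=1; }
    return "$status"
}

# Read "show system interface port1" output from stdin. Succeed only if the
# management interface gets its address from DHCP.
audit_mgmt_dhcp() {
    tr -d '\r' | grep -q '^ *set mode dhcp'
}

# Pull both configurations from the live VM and run the audits.
run_live_audit() {
    rc=0
    fg_cmd 'show system admin' | audit_admins || rc=1
    fg_cmd 'show system interface port1' | audit_mgmt_dhcp \
        || { echo "FAIL: port1 is not in DHCP mode" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: template VM meets the Box requirements"
    return "$rc"
}

# Only touch the network when asked (sh audit.sh --live), so the audit
# functions can also be exercised offline on captured output.
if [ "${1:-}" = "--live" ]; then
    run_live_audit
fi
```

Run it with --live against the host-only address before vagrant package; a non-zero exit means one of the requirements is not met and the resulting Box would boot but never be reachable by Vagrant.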
Ok, now it’s time to package everything up into a reusable Box file. Exit out of the FortiGate and run “vagrant package --base <name_of_vm> --output <name_of_output_file>.box”. Vagrant has no way to talk to the guest at this point, so it will report that guest communication failed and force the VM off. FortiOS saves the configuration each time you type “end”, so nothing is lost, but you can run “execute shutdown” on the FortiGate first if you prefer a clean halt:
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ export VAGRANT_HOME="/mnt/c/Users/nfvdev/.vagrant.d"
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant package --base fortigate-7.0.5 --output fortigate-7.0.5.box
==> fortigate-7.0.5: Attempting graceful shutdown of VM...
fortigate-7.0.5: Guest communication could not be established! This is usually because
fortigate-7.0.5: SSH is not running, the authentication information was changed,
fortigate-7.0.5: or some other networking issue. Vagrant will force halt, if
fortigate-7.0.5: capable.
==> fortigate-7.0.5: Forcing shutdown of VM...
==> fortigate-7.0.5: Exporting VM...
==> fortigate-7.0.5: Compressing package to: /mnt/c/Users/nfvdev/Documents/NFVs/fortigate-7.0.5.box
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ export VAGRANT_HOME=~/.vagrant.d
This creates a file called fortigate-7.0.5.box for us to reuse. We can then test the box image by creating a Vagrantfile with the following contents. The entire file is available at: https://github.com/nfvdev/nfvdev-blog/blob/main/07-how-to-create-a-fortinet-fortigate-vm-box-image/single/Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.ssh.insert_key = false # By default, Vagrant replaces the insecure key with a freshly generated one on first boot. That needs a shell in the guest, which FortiOS does not have, so it must be disabled.
config.vm.box = "fortigate-7.0.5.box" # Use the fortigate box image
config.vm.synced_folder '.', '/vagrant', disabled: true # Disable shared folders
config.vm.guest = :linux # Tell Vagrant that it is Linux so it doesn't error
end
And then type “vagrant up” to spin up the VM.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'fortigate-7.0.5.box' could not be found. Attempting to find and install...
default: Box Provider: virtualbox
default: Box Version: >= 0
==> default: Box file was not detected as metadata. Adding it directly...
==> default: Adding box 'fortigate-7.0.5.box' (v0) for provider: virtualbox
default: Unpacking necessary files from: file:///mnt/c/Users/nfvdev/Documents/NFVs/fortigate-7.0.5.box
==> default: Successfully added box 'fortigate-7.0.5.box' (v0) for 'virtualbox'!
==> default: Importing base box 'fortigate-7.0.5.box'...
==> default: Matching MAC address for NAT networking...
==> default: Setting the name of the VM: NFVs_default_1644751811566_50767
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 172.17.240.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
default: No guest additions were detected on the base box for this VM! Guest
default: additions are required for forwarded ports, shared folders, host only
default: networking, and more. If SSH fails on this machine, please install
default: the guest additions and repackage the box to continue.
default:
default: This is not an error message; everything may continue to work properly,
default: in which case you may ignore this message.
Finally, we can check that Vagrant can SSH into the newly created FortiGate-VM:
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant ssh default
FortiGate-VM64-KVM #
We can destroy the VM with “vagrant destroy” and remove our template VM.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant destroy
default: Are you sure you want to destroy the 'default' VM? [y/N] y
==> default: Forcing shutdown of VM...
==> default: Destroying VM and associated drives...
FortiGate-VM Vagrant Mini-Lab
Now that we have our FortiGate-VM Box file, we can use it in a mini-lab. This spins up two FortiGate-VM firewalls connected back to back on port2 (10.100.12.0/24), each with its own internal subnet on port3, runs OSPF between them and pings across. The any/any ALLOW-ALL firewall policy configured below exists only so the routing test is not blocked; it is a lab shortcut, not a policy to copy anywhere else.
- In an empty folder, create a Vagrantfile with the contents from https://github.com/nfvdev/nfvdev-blog/blob/main/07-how-to-create-a-fortinet-fortigate-vm-box-image/minilab/Vagrantfile
- Spin up the VMs with “vagrant up”
- SSH to fortigate1 with “vagrant ssh fortigate1” and configure it with the commands from https://github.com/nfvdev/nfvdev-blog/blob/main/07-how-to-create-a-fortinet-fortigate-vm-box-image/minilab/fortigate1.cfg
- SSH to fortigate2 with “vagrant ssh fortigate2” and configure it with the commands from https://github.com/nfvdev/nfvdev-blog/blob/main/07-how-to-create-a-fortinet-fortigate-vm-box-image/minilab/fortigate2.cfg
- From fortigate2 check connectivity with ping and OSPF commands.
- Destroy the lab with “vagrant destroy -f”
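The post links the mini-lab Vagrantfile rather than showing it. The script below is an added example, not the post's own file and not part of Vagrant or FortiOS: it writes a two-firewall Vagrantfile reconstructed from the topology and the “vagrant up” output above (adapter 1 NAT for management, adapters 2 and 3 as VirtualBox internal networks), and adds a small check that parses the FortiOS OSPF neighbour table so the adjacency can be verified from the host. The internal-network names fg-link, fortigate1-lan and fortigate2-lan are my own choice; the addresses are the ones configured on the CLI below, repeated in the Vagrantfile only for documentation, since Vagrant cannot configure FortiOS interfaces.

```shell
#!/bin/sh
# Added example, not part of the original post: build the mini-lab
# Vagrantfile and check the OSPF adjacency from the host.

# Write the mini-lab Vagrantfile to the path given as $1 (reconstruction;
# the intnet names are assumptions, the IPs match the post's CLI config).
write_minilab_vagrantfile() {
    cat > "$1" <<'EOF'
# -*- mode: ruby -*-
# vi: set ft=ruby :
# port2 of both firewalls shares one VirtualBox internal network (the
# back-to-back link); port3 of each firewall sits on its own internal network.
NODES = {
  "fortigate1" => { link: "10.100.12.1", lan: "10.100.1.1" },
  "fortigate2" => { link: "10.100.12.2", lan: "10.100.2.2" },
}

Vagrant.configure("2") do |config|
  config.ssh.insert_key = false                            # FortiOS has no shell for key replacement
  config.vm.box = "fortigate-7.0.5.box"
  config.vm.synced_folder ".", "/vagrant", disabled: true  # no guest additions, no shared folders
  config.vm.guest = :linux                                 # stop guest detection from failing

  NODES.each do |name, ips|
    config.vm.define name do |fg|
      # Adapter 2 -> port2 (shared link), adapter 3 -> port3 (own LAN).
      # auto_config: false because Vagrant cannot set FortiOS addresses; the
      # IPs are applied on the FortiGate CLI and only documented here.
      fg.vm.network "private_network", ip: ips[:link],
        virtualbox__intnet: "fg-link", auto_config: false
      fg.vm.network "private_network", ip: ips[:lan],
        virtualbox__intnet: "#{name}-lan", auto_config: false
    end
  end
end
EOF
}

# Read "get router info ospf neighbor all" output on stdin and succeed only
# if the neighbour with router-id $1 is in state Full.
ospf_neighbor_full() {
    id=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    tr -d '\r' | grep -Eq "^${id}[[:space:]]+[0-9]+[[:space:]]+Full/"
}

# Ask fortigate2 for its OSPF neighbours through Vagrant and verify that
# fortigate1 (router-id 10.100.12.1) has reached Full.
check_adjacency() {
    vagrant ssh fortigate2 -c 'get router info ospf neighbor all' \
        | ospf_neighbor_full 10.100.12.1
}

# Usage: sh minilab.sh write [dir]   -> writes dir/Vagrantfile (default .)
#        sh minilab.sh check         -> run after "vagrant up" and the CLI config
case "${1:-}" in
    write) write_minilab_vagrantfile "${2:-.}/Vagrantfile" ;;
    check) check_adjacency && echo "OK: fortigate1 is Full on fortigate2" ;;
esac
```

The check only confirms the adjacency; the ping from 10.100.2.2 to 10.100.1.1 shown later is what proves the inter-area routes were actually installed.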
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant up
Bringing machine 'fortigate1' up with 'virtualbox' provider...
Bringing machine 'fortigate2' up with 'virtualbox' provider...
==> fortigate1: Importing base box 'fortigate-7.0.5.box'...
==> fortigate1: Matching MAC address for NAT networking...
==> fortigate1: Setting the name of the VM: NFVs_fortigate1_1644752260564_81340
==> fortigate1: Clearing any previously set network interfaces...
==> fortigate1: Preparing network interfaces based on configuration...
fortigate1: Adapter 1: nat
fortigate1: Adapter 2: intnet
fortigate1: Adapter 3: intnet
==> fortigate1: Forwarding ports...
fortigate1: 22 (guest) => 2222 (host) (adapter 1)
fortigate1: 22 (guest) => 2222 (host) (adapter 1)
==> fortigate1: Booting VM...
==> fortigate1: Waiting for machine to boot. This may take a few minutes...
fortigate1: SSH address: 172.17.240.1:2222
fortigate1: SSH username: vagrant
fortigate1: SSH auth method: private key
==> fortigate1: Machine booted and ready!
==> fortigate1: Checking for guest additions in VM...
fortigate1: No guest additions were detected on the base box for this VM! Guest
fortigate1: additions are required for forwarded ports, shared folders, host only
fortigate1: networking, and more. If SSH fails on this machine, please install
fortigate1: the guest additions and repackage the box to continue.
fortigate1:
fortigate1: This is not an error message; everything may continue to work properly,
fortigate1: in which case you may ignore this message.
==> fortigate2: Importing base box 'fortigate-7.0.5.box'...
==> fortigate2: Matching MAC address for NAT networking...
==> fortigate2: Setting the name of the VM: NFVs_fortigate2_1644752320896_79886
==> fortigate2: Fixed port collision for 22 => 2222. Now on port 2200.
==> fortigate2: Clearing any previously set network interfaces...
==> fortigate2: Preparing network interfaces based on configuration...
fortigate2: Adapter 1: nat
fortigate2: Adapter 2: intnet
fortigate2: Adapter 3: intnet
==> fortigate2: Forwarding ports...
fortigate2: 22 (guest) => 2200 (host) (adapter 1)
fortigate2: 22 (guest) => 2200 (host) (adapter 1)
==> fortigate2: Booting VM...
==> fortigate2: Waiting for machine to boot. This may take a few minutes...
fortigate2: SSH address: 172.17.240.1:2200
fortigate2: SSH username: vagrant
fortigate2: SSH auth method: private key
==> fortigate2: Machine booted and ready!
==> fortigate2: Checking for guest additions in VM...
fortigate2: No guest additions were detected on the base box for this VM! Guest
fortigate2: additions are required for forwarded ports, shared folders, host only
fortigate2: networking, and more. If SSH fails on this machine, please install
fortigate2: the guest additions and repackage the box to continue.
fortigate2:
fortigate2: This is not an error message; everything may continue to work properly,
fortigate2: in which case you may ignore this message.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant ssh fortigate1
FortiGate-VM64-KVM # config system global
FortiGate-VM64-KVM (global) # set hostname fortigate1
FortiGate-VM64-KVM (global) # end
fortigate1 # config system interface
fortigate1 (interface) # edit port2
fortigate1 (port2) # set ip 10.100.12.1/24
fortigate1 (port2) # set allowaccess ping
fortigate1 (port2) # set description External
fortigate1 (port2) # next
fortigate1 (interface) # edit port3
fortigate1 (port3) # set ip 10.100.1.1/24
fortigate1 (port3) # set allowaccess ping
fortigate1 (port3) # set description Internal
fortigate1 (port3) # end
fortigate1 # config router ospf
fortigate1 (ospf) # set router-id 10.100.12.1
fortigate1 (ospf) # config area
fortigate1 (area) # edit 0.0.0.0
new entry '0.0.0.0' added
fortigate1 (0.0.0.0) # next
fortigate1 (area) # edit 1.1.1.1
new entry '1.1.1.1' added
fortigate1 (1.1.1.1) # next
fortigate1 (area) # end
fortigate1 (ospf) # config network
fortigate1 (network) # edit 1
new entry '1' added
fortigate1 (1) # set prefix 10.100.12.0/255.255.255.0
fortigate1 (1) # set area 0.0.0.0
fortigate1 (1) # next
fortigate1 (network) # edit 2
new entry '2' added
fortigate1 (2) # set prefix 10.100.1.0/255.255.255.0
fortigate1 (2) # set area 1.1.1.1
fortigate1 (2) # next
fortigate1 (network) # end
fortigate1 (ospf) # set passive-interface port3
fortigate1 (ospf) # end
fortigate1 # config system zone
fortigate1 (zone) # edit INTERNAL
new entry 'INTERNAL' added
fortigate1 (INTERNAL) # set interface port3
fortigate1 (INTERNAL) # next
fortigate1 (zone) # edit EXTERNAL
new entry 'EXTERNAL' added
fortigate1 (EXTERNAL) # set interface port2
fortigate1 (EXTERNAL) # end
fortigate1 # config firewall policy
fortigate1 (policy) # edit 1
new entry '1' added
fortigate1 (1) # set name ALLOW-ALL
fortigate1 (1) # set srcintf any
fortigate1 (1) # set dstintf any
fortigate1 (1) # set srcaddr all
fortigate1 (1) # set dstaddr all
fortigate1 (1) # set action accept
fortigate1 (1) # set schedule always
fortigate1 (1) # set service ALL
fortigate1 (1) # next
fortigate1 (policy) # end
fortigate1 # exit
Connection to 172.17.240.1 closed.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant ssh fortigate2
FortiGate-VM64-KVM # config system global
FortiGate-VM64-KVM (global) # set hostname fortigate2
FortiGate-VM64-KVM (global) # end
fortigate2 # config system interface
fortigate2 (interface) # edit port2
fortigate2 (port2) # set ip 10.100.12.2/24
fortigate2 (port2) # set allowaccess ping
fortigate2 (port2) # set description External
fortigate2 (port2) # next
fortigate2 (interface) # edit port3
fortigate2 (port3) # set ip 10.100.2.2/24
fortigate2 (port3) # set allowaccess ping
fortigate2 (port3) # set description Internal
fortigate2 (port3) # end
fortigate2 # config router ospf
fortigate2 (ospf) # set router-id 10.100.12.2
fortigate2 (ospf) # config area
fortigate2 (area) # edit 0.0.0.0
new entry '0.0.0.0' added
fortigate2 (0.0.0.0) # next
fortigate2 (area) # edit 2.2.2.2
new entry '2.2.2.2' added
fortigate2 (2.2.2.2) # next
fortigate2 (area) # end
fortigate2 (ospf) # config network
fortigate2 (network) # edit 1
new entry '1' added
fortigate2 (1) # set prefix 10.100.12.0/255.255.255.0
fortigate2 (1) # set area 0.0.0.0
fortigate2 (1) # next
fortigate2 (network) # edit 2
new entry '2' added
fortigate2 (2) # set prefix 10.100.2.0/255.255.255.0
fortigate2 (2) # set area 2.2.2.2
fortigate2 (2) # next
fortigate2 (network) # end
fortigate2 (ospf) # set passive-interface port3
fortigate2 (ospf) # end
fortigate2 # config system zone
fortigate2 (zone) # edit INTERNAL
new entry 'INTERNAL' added
fortigate2 (INTERNAL) # set interface port3
fortigate2 (INTERNAL) # next
fortigate2 (zone) # edit EXTERNAL
new entry 'EXTERNAL' added
fortigate2 (EXTERNAL) # set interface port2
fortigate2 (EXTERNAL) # end
fortigate2 # config firewall policy
fortigate2 (policy) # edit 1
new entry '1' added
fortigate2 (1) # set name ALLOW-ALL
fortigate2 (1) # set srcintf any
fortigate2 (1) # set dstintf any
fortigate2 (1) # set srcaddr all
fortigate2 (1) # set dstaddr all
fortigate2 (1) # set action accept
fortigate2 (1) # set schedule always
fortigate2 (1) # set service ALL
fortigate2 (1) # next
fortigate2 (policy) # end
fortigate2 # get router info ospf neighbor all
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.100.12.1       1   Full/DR         00:00:40    10.100.12.1     port2
fortigate2 # execute ping-options source 10.100.2.2
fortigate2 # execute ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1): 56 data bytes
64 bytes from 10.100.1.1: icmp_seq=0 ttl=255 time=18.9 ms
64 bytes from 10.100.1.1: icmp_seq=1 ttl=255 time=11.5 ms
64 bytes from 10.100.1.1: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 10.100.1.1: icmp_seq=3 ttl=255 time=10.6 ms
64 bytes from 10.100.1.1: icmp_seq=4 ttl=255 time=17.4 ms
--- 10.100.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/11.7/18.9 ms
fortigate2 # exit
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant destroy -f
==> fortigate2: Forcing shutdown of VM...
==> fortigate2: Destroying VM and associated drives...
==> fortigate1: Forcing shutdown of VM...
==> fortigate1: Destroying VM and associated drives...
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$