Fortinet FortiGate-VM Install – How to Tutorial

In this tutorial, the Fortinet FortiGate-VM virtual appliance is deployed in a test lab running on an ESXi host. I will go step by step through both types of management: local (standalone) and remote (centralised) with FortiManager. These steps could also be used for a production environment install.

 

Prerequisites:

Network Diagram:

1. Download the FortiGate for VMware ESXi platform

 

Download the FortiGate-VM Virtual Appliance image for VMware ESXi from fortinet.com, and save it to your local computer:

https://support.fortinet.com/Download/VMImages.aspx

 

Note:

A fortinet.com login is required.

2. Create VMware Virtual Machine

 
The FortiGate-VM is available in five virtual appliance models, determined by license, which impose different limits such as throughput, virtual CPUs, virtual network interfaces and virtual memory.
 
Minimal Hardware Requirements for FortiGate Virtual Appliance (FG-VM00):
CPU: 1
Network Interfaces: 2
Memory: 1 GB RAM
Storage: Thin Provision 32 GB
 
 
For test lab purposes, the minimal configuration will be used. It does not need to be prepared in advance for the VM, because the virtual machine is deployed from an OVF file that includes a deployment template.

2.1 In VMware ESXi Web interface select “Create/Register VM”.

2.2 Select “Deploy a virtual machine from an OVF or OVA file”. Select Next.

2.3 Enter the name for the FortiGate-VM, “FortiGate_1”. Select or drag and drop the fortios.vmdk, datadrive.vmdk and FortiGate-VM64.ovf files. Select Next.

 

Note:

If you are deploying to an older version of ESXi, use the appropriate .ovf file:

 

Template | Compatible with
FortiGate-VM64.ovf | ESXi 7.0 (Hardware Version 17) or later
FortiGate-VM64.hw13.ovf | ESXi 6.5 (Hardware Version 13) or later
FortiGate-VM64.hw15.ovf | ESXi 6.7U2+ (Hardware Version 15) or later
FortiGate-VM64.vapp.ovf | ESXi 7.0 (Hardware Version 17) or later
FortiGate-VM64.nsxt.ovf | ESXi 6.7U2+ (Hardware Version 15) or later

2.4 Choose your Datastore. Select Next.

2.5 Accept license agreement. “I agree”, Select Next.

2.6 Configure your Network interface mappings and disk provisioning

 

“Network 1” – function Management (lab_mgmt1)

“Network 2” – function Outside Interface (lab_wan1)

“Network 3” – function Inside Interface (lab_lan1)

“Network 4-10” – no function – dummy network (vm_net1)

 

Disk Provisioning: Thin

more about VMware ESXi disk provisioning

 

Select Next.

2.7 Review your configuration before finishing the wizard. Select Finish.

3. Complete the FortiGate setup using CLI

3.1 Open the VMware console and log in with the default credentials (user admin, no password). Enter a new admin password and press Enter.

3.2 Configure network

 

By default, port1 is configured out of the box as the management interface, with DHCP enabled and access allowed for the services ping, https, ssh, http and fgfm.

FortiGate-VM64 # show system interface port1
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
end

Configure the management port1 IP address 172.21.1.51/24:

FortiGate-VM64 # config system interface
FortiGate-VM64 (interface) # edit port1
FortiGate-VM64 (port1) # set mode static
FortiGate-VM64 (port1) # set ip 172.21.1.51 255.255.255.0
FortiGate-VM64 (port1) # end
FortiGate-VM64 #

Now it is possible to reach the HTTPS GUI of the FortiGate at IP address 172.21.1.51 and continue with the configuration.

 

I will finish the network configuration for port2, port3 and the default gateway (WAN) in the CLI, according to the network diagram:

port2 (lab_wan1) 172.16.1.51/24

port3 (lab_lan1) 10.0.1.1/24

default gw: 172.16.1.1

FortiGate-VM64 (port1) # next
FortiGate-VM64 (interface) # edit port2
FortiGate-VM64 (port2) # set ip 172.16.1.51 255.255.255.0
FortiGate-VM64 (port2) # next
FortiGate-VM64 (interface) # edit port3
FortiGate-VM64 (port3) # set ip 10.0.1.1 255.255.255.0
FortiGate-VM64 (port3) # end
FortiGate-VM64 #
FortiGate-VM64 # config router static
FortiGate-VM64 (static) # edit 1
FortiGate-VM64 (1) # set gateway 172.16.1.1
FortiGate-VM64 (1) # set device "port2"
FortiGate-VM64 (1) # end
FortiGate-VM64 #

4. Basic FortiGate GUI configuration

4.1 Log in to FortiGate GUI with your account.

4.2 Select Begin and configure hostname

4.3 Select preferred Dashboard

5. Basic Policy configuration

5.1 In the GUI select Policy & Objects > Firewall Policy > Create New

 

Configure the policy according to your needs. (This example uses a test rule with the action “allow all icmp”.)

 

Name: test allow all

Incoming interface: port3 (lan)

Outgoing interface: port2 (wan)

Source: all

Destination: all

Service: ALL_ICMP

 

more about Configuring the Policy and Objects

At this point we have a functional, locally managed Fortinet FortiGate-VM firewall with a basic policy configuration, already processing traffic and ready for advanced configuration. FortiGate-VM comes out of the box with a Plug&Play license for 15 days.

 

more about:

FortiGate-VM evaluation license

6. Remotely managed FortiGate with FortiManager

In this chapter the FortiGate will be connected to an existing FortiManager.

6.1 In FortiManager Select Device Manager and Add Device

6.2 Select Discover Device

6.3 Enter the IP address of the FortiGate System and Login credentials. Select Next

Note:

If you get the error message “Probe failed”:

1. Verify that FMG-Access is enabled on the correct interface on the FortiGate under Network > Interfaces.

2. Adjust the SSL encryption configuration on the FortiManager and try Add Device again:

FortiManager_1 # config system global
(global)# set ssl-low-encryption enable
(global)# set fgfm-ssl-protocol sslv3
(global)# end
FortiManager_1 #

 

6.4 Add Device. Select Next and Finish

6.5 Configure simple Firewall Policy for FortiGate on the FortiManager

 

1. Installation Targets > Edit > Add FortiGate_1

2. Firewall Policy > Create New > allow icmp

3. Install Policy

At this point we have the FortiGate firewall connected to FortiManager and ready for advanced configuration.
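
The following is an added example, not part of the original tutorial and not Fortinet tooling: a small Python audit for `show` output or a config backup that flags the two management-plane settings this page leaves in place, `http` in the port1 `allowaccess` list (step 3.2) and the `ssl-low-encryption` / `sslv3` workaround on the FortiManager (step 6.3, SSLv3 being a deprecated protocol). The sample configs are constructed from the values shown above; the function names and finding strings are this example's own assumptions.

```python
import re

# Constructed samples mirroring the settings shown in steps 3.2 and 6.3.
FORTIGATE_CFG = """config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm
    next
end"""
FORTIMANAGER_CFG = """config system global
    set ssl-low-encryption enable
    set fgfm-ssl-protocol sslv3
end"""

PLAINTEXT_SERVICES = {"http", "telnet"}  # allowaccess values that use unencrypted protocols
WEAK_FGFM_PROTOCOLS = {"sslv3"}          # value from step 6.3; extend for your version

def parse_settings(text):
    """Yield (section, entry, key, values) for each 'set' line, tracking nested config blocks."""
    stack = []  # [section name, current edit entry], innermost block last
    for raw in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', raw)]
        cmd = words[0] if words else ""
        if cmd == "config":
            stack.append([" ".join(words[1:]), None])
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "edit" and stack and len(words) > 1:
            stack[-1][1] = words[1]
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "set" and stack and len(words) > 1:
            yield stack[-1][0], stack[-1][1], words[1], words[2:]

def audit(text):
    """Return findings for the management-plane settings this tutorial touches."""
    findings = []
    for section, entry, key, values in parse_settings(text):
        if section == "system interface" and key == "allowaccess":
            for svc in sorted(PLAINTEXT_SERVICES.intersection(values)):
                findings.append(f"{entry}: allowaccess includes {svc}")
        elif section == "system global" and key == "ssl-low-encryption" and values[:1] == ["enable"]:
            findings.append("global: ssl-low-encryption is enabled")
        elif section == "system global" and key == "fgfm-ssl-protocol":
            findings += [f"global: fgfm-ssl-protocol is {v}" for v in values if v in WEAK_FGFM_PROTOCOLS]
    return findings

if __name__ == "__main__":
    for finding in audit(FORTIGATE_CFG) + audit(FORTIMANAGER_CFG):
        print(finding)
```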