FortiGate Deployment Guide - Microsoft Entra ID - Microsoft Learn
Using this deployment guide, you will learn how to set up and work with the Fortinet
FortiGate next-generation firewall product deployed as an Azure Virtual Machine.
Additionally, you will configure the FortiGate SSL VPN Microsoft Entra Gallery App to
provide VPN authentication through Microsoft Entra ID.
If you have purchased a FortiGate license from Fortinet to use with the BYOL virtual
machine deployment option, redeem it from Fortinet's product activation page –
https://support.fortinet.com. The resulting license file will have a .lic file extension.
Download Firmware
At the time of writing, the Fortinet FortiGate Azure VM does not ship with the firmware
version needed for SAML authentication. The latest version must be obtained from Fortinet.
1. Sign in at https://support.fortinet.com/.
2. Go to Download > Firmware Images.
3. To the right of Release Notes, select Download.
4. Select v6.00 > 6.4 > 6.4.2.
5. Download FGT_VM64_AZURE-v6-build1723-FORTINET.out by selecting the HTTPS
link on the same row.
6. Save the file for later.
2. Create a new resource group, or open the resource group into which you will deploy
the FortiGate virtual machine.
3. Select Add.
https://learn.microsoft.com/en-us/entra/identity/saas-apps/media/fortigate-ssl-vpn-tutorial/fortigate-deployment-guide-converted 2/13
3/20/24, 11:42 PM FortiGate deployment guide - Microsoft Entra ID | Microsoft Learn
7. Set Authentication type to Password, and provide administrative credentials for the
VM.
For a consistent user experience, set the public IP address assigned to the FortiGate VM to
be statically assigned. In addition, map it to a fully qualified domain name (FQDN).
1. Go to the Azure portal, and open the settings for the FortiGate VM.
If you own a publicly routable domain name for the environment into which the FortiGate
VM is being deployed, create a Host (A) record for the VM. This record maps to the
preceding public IP address that is statically assigned.
2. In the menu on the left, select Networking. The network interface is listed, and the
inbound port rules are shown.
5. Select Add.
1. Go to the Azure portal, and open the settings for the FortiGate VM.
2. If the FortiGate VM is not already stopped, select Stop and wait for the VM to shut
down.
6. Configure properties for the new network interface and then select Create.
5. After the reboot, sign in again with the administrator credentials to validate the
license.
Update Firmware
1. Go to https://<address>. Here, <address> is the FQDN or the public IP address
assigned to the FortiGate VM.
5. In Firmware Management, select Browse, and select the firmware file downloaded
earlier.
7. Select Continue.
8. When you're prompted to save the FortiGate configuration (as a .conf file), select
Save.
9. Wait for the firmware to upload and to be applied. Wait for the FortiGate VM to
reboot.
10. After the FortiGate VM reboots, sign in again with the administrator credentials.
5. Under Administration Settings, change the HTTPS port to 8443, and select Apply.
6. After the change applies, the browser attempts to reload the administration page, but
it fails. From now on, the administration page address is https://<address>:8443.
6. Browse to the certificate downloaded from the FortiGate custom app deployment in
the Azure tenant. Select it, and select OK.
6. Browse to the .PFX file that contains the SSL certificate and the private key.
7. Provide the .PFX password, and a meaningful name for the certificate. Then select OK.
9. Under Administration Settings, expand the list next to HTTPS server certificate, and
select the SSL certificate imported earlier.
12. Sign in with the FortiGate administrator credentials. You should now see the correct
SSL certificate in use.
5. Examine port1 (external interface) and port2 (internal interface) to ensure they are
obtaining an IP address from the correct Azure subnet.
a. If either port is not obtaining an IP address from the subnet (via DHCP), right-click
the port and select Edit.
b. Next to Addressing Mode, ensure that DHCP is selected.
c. Select OK.
7. Under Subnet, specify the subnet information where the on-premises corporate
resources reside (for example, 10.1.0.0/255.255.255.0).
8. Next to Gateway Address, specify the gateway on the Azure subnet where port2 is
connected (for example, this usually ends in 1, like 10.6.1.1).
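The Subnet and Gateway Address values in steps 7 and 8 can be checked before they are entered. The following is an added example, not part of the original guide: it derives the gateway from port2's address (Azure reserves the first host address of each subnet for the default gateway), rejects a destination that has host bits set or is already directly connected, and prints the equivalent FortiOS CLI stanza. The port2 address 10.6.1.4/255.255.255.0, the function names and the route sequence number are assumptions.

```python
import ipaddress


def azure_gateway(port_ip, port_mask):
    """Azure reserves the first host address of each subnet for its default gateway."""
    iface = ipaddress.IPv4Interface(f"{port_ip}/{port_mask}")
    return iface.network.network_address + 1


def plan_static_route(dest, port_ip, port_mask, device="port2"):
    """Validate the Subnet and Gateway Address fields before entering them."""
    try:
        # Accepts the FortiGate "network/netmask" notation; rejects host bits.
        dst = ipaddress.IPv4Network(dest, strict=True)
    except ValueError as exc:
        raise ValueError(f"Subnet {dest!r} is not a network address: {exc}") from exc
    connected = ipaddress.IPv4Interface(f"{port_ip}/{port_mask}").network
    if dst.subnet_of(connected):
        # A connected route already covers this destination; no static route is needed.
        raise ValueError(f"{dst} is already directly connected on {device}")
    gateway = azure_gateway(port_ip, port_mask)
    return {
        "dst": f"{dst.network_address} {dst.netmask}",
        "gateway": str(gateway),
        "device": device,
    }


def render_cli(route, seq=1):
    """Equivalent FortiOS CLI stanza; seq is a constructed sequence number."""
    return "\n".join([
        "config router static",
        f"    edit {seq}",
        f"        set dst {route['dst']}",
        f"        set gateway {route['gateway']}",
        '        set device "%s"' % route["device"],
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # Constructed sample: port2 holds 10.6.1.4/255.255.255.0 (assumed, not from the guide).
    route = plan_static_route("10.1.0.0/255.255.255.0", "10.6.1.4", "255.255.255.0")
    print(render_cli(route))
```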