Dark Light

This article described how to protect your Hetzner Cloud workload with a KVM based VPS provider like Hetzner. This is not a sponsored article and hopefully helps people to easily protect their environment.

Step 1: Get your FortiGate KVM image

Since FortiGate images are not available as ISO files to install it on an empty disk, we need to solve it with another method. Go to support.fortinet.com, log in or create a free account. Now go to Support -> VM Images on the top menu.

VM Images on Fortinet Support Portal

Select “FortiGate” as Product and “KVM” as Platform. Download the KVM image for new deployments. Make sure to select the right type like VM64 for x86 based platforms and ARM64 for ARM based setups.

Select FortiGate VM Image (e.x. x86 based platform)

Step 2: Convert your image to a raw .img file

Download qemu to convert the image.

qemu-img.exe convert -f qcow2 -O raw fortios.qcow2 fortios.img

Upload the newly created image to a direct download file hoster or create a direct download link using Azure Blob storage for example or a local, internet accessible webserver.

Step 3: Setup VM instances

Create a network

Network configuration with respective subnet

Create VM

Create a server with any type of Linux. Add a Public IP to it. And also create a volume which you add to the server.

Create a volume

Go to the created server and select “Rescue”. Click on Rescue aktivieren & Reset.

Activate Rescue System

Access the VM through the console using the displayed login credentials.

Login details of the rescue system

While you log in, IP and Disk information will be displayed.

IP and Disk information

Mound the additionally created volume /dev/sdb.

Mount the created volume

Download the previously created image from the webserver to the mounted filesystem.

Write image to boot disk

root@rescue /mount-volume # dd if=fortios.img of=/dev/sda

After completion, reboot the server and it should boot now from boot disk with FortiOS.

Complete image transfer

You can now keep the volume attached, as it will be used as log disk from FortiGate or you can detach and delete it.

Step 4: Network configuration

Enable private network access

Go to the server settings and attach the previously created network.

Attach private network to server

You will see then the assigned IP in this field. Now, on the FortiGate you will see a second Interface, which will be the private network.

Second IP attached with additional Interface

Disable Default GW propagation

Make sure you configure the same IP as /32 or use DHCP assignment for port2. If you’re using DHCP, disable “Retrieve default gateway from server”.

Disable default GW propagation

Create a static route

As described in Hetzner’s Knowledge Base, create a static default route (even it is already retrieved via DHCP) towards

Default route towards Hetzners Default GW

Create a firewall rule

Create a Firewall Policy to enable outbound internet access for LAN devices

Firewall rule creation

Create a route towards the FortiGate

Go to networks -> [Previously created network] -> Routen and create a default route pointing towards the FortiGate

Default route creation

Step 5: Create a protected server

Create a second server and disable public network access. Attach the previously created private network.

Server without public IP.

Log into the server and create a persistent route.

Add persistent route to server

Review the host’s route table and verify the route.

Protected server route table

Verify connectivity via internet.

Ping test towards internet

Verify if traffic is being filtered by FortiGate.

Traffic log view on FortiGate

(optional) Step 6: Publish Service via VIP

Create a Virtual IP

Create a virtual IP

Add external IP from FortiGate and private IP to which traffic should be mapped to. Also specify the port which should be forwarded.

Create Firewall Rule

Create a firewall rule to the newly created VIP and select Security Profiles. As this is an example, this is not accurate. If you intent to protect a webserver, I suggest adding the certificate with private key to the FortiGate and enforce SSL inspection to this traffic.

Create a Firewall Rule
Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Fortinet Important Sites

Fortinet Developer Network fndn.fortinet.net Fortinet Support support.fortinet.com Github (Official) github.com/fortinet Github (EMEA CSE) github.com/40net-cloud Fortinet Docs docs.fortinet.com