Continuing my journey to Vagrantize more virtual network appliances…

Ingredients used in this guide:

The FortiGate VM includes a limited embedded 15-day trial license that supports:

  • 1 CPU maximum
  • 1 GB RAM maximum
  • Low encryption only (no HTTPS administrative access)
  • All features except FortiGuard updates


1. Download and unzip the FortiGate VM deployment package for VMware.

FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. I will be using FortiGate VM v6.0.2 for my example.

  1. Save the FGT_VM64-v6-build0163-FORTINET.out.ovf.zip file to the Downloads folder
  2. Double-click the FGT_VM64-v6-build0163-FORTINET.out.ovf.zip file to unzip it
  3. Rename the FGT_VM64-v6-build0163-FORTINET.out.ovf folder to FGT_VM64-v6

2. Create the FortiGate VM template.

  1. Open the VMware Fusion application
  2. Menu: File → Import…
  3. Click the Choose File… button
  4. Navigate to and select the FortiGate-VM64.ovf file in the FGT_VM64-v6 folder
  5. Click the Open button
  6. Click the Continue button
  7. Click the Accept button for the EULA
  8. Save As: FortiGate-VM64
  9. Click the Save button
  10. Click the Customize Settings button to modify the virtual appliance settings
  11. Set Network Adapter to Share with my Mac
  12. Upgrade the VM hardware version to 16 (Compatibility → Upgrade)
  13. Close the Settings window
  14. Quit the VMware Fusion application

3. Remove additional network interfaces from the virtual appliance configuration file.

From a macOS terminal, remove Network Adapter 2 through Network Adapter 10.

sed -i '' '/^ethernet[^0]/d' $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

The default virtual machine folder (directory) for VMware Fusion 11 is $HOME/Virtual\ Machines.localized. Upgrades and earlier versions use $HOME/Documents/Virtual\ Machines.localized as the default.

Verify only Network Adapter remains.

grep '^ethernet' $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx


ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.connectionType = "nat"
ethernet0.addressType = "generated"
ethernet0.wakeonpcktrcv = "true"
ethernet0.allowguestconnectioncontrol = "true"

4. Add a custom serial port (for management via console connection).

From a macOS terminal, append a serial port device to the virtual appliance configuration file.

printf 'serial0.present = "TRUE"\nserial0.yieldOnMsrRead = "TRUE"\nserial0.fileType = "network"\nserial0.fileName = "telnet://"\n' >> $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

Verify the component has been added.

tail -4 $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx


serial0.present = "TRUE"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileType = "network"
serial0.fileName = "telnet://"

5. Start the virtual appliance.

From a macOS terminal, start the virtual appliance with the vmrun command.

/Applications/VMware\ Fusion.app/Contents/Library/vmrun start $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

An automatic reboot will be performed after initialization.

FGT boot console

6. Log in to the FortiGate device.

Log in via the VMware console as admin with no password.

7. Get the management network interface (port1) IPv4 address.

get system interface physical


== [onboard]
        mode: dhcp
        ipv6: ::/0
        status: up
        speed: 1000Mbps (Duplex: full)

Log out.


8. Connect via SSH.

From a macOS terminal, log in via SSH to the FortiGate device.

ssh admin@<port1-IPv4-address>

9. Set a baseline configuration for the Vagrant box.

Create the vagrant user with the super_admin access profile.

config system admin
edit vagrant
set accprofile super_admin
set password vagrant
set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
end

Verify the configuration for the vagrant user.

show system admin vagrant


config system admin
    edit "vagrant"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
        set password ENC SH28ytlJGDAGlEQ6Oo7Z0BNTLVuqBIf7yLQWuuaBln/BsRSTbJTvAYZrXgq1OY=

Set idle timeout to one hour.

config system global
set admintimeout 60
set admin-ssh-grace-time 3600
end

Verify the idle timeout configuration.

show system global | grep -f admin


config system global
    set admin-ssh-grace-time 3600 <---
    set admintimeout 60 <---
    set alias "FortiGate-VM64"
    set hostname "FortiGate-VM64"
    set timezone 04

We should also verify the management network interface (port1) allows web UI access. It should be enabled by default.

show system interface port1


config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1

Exit the SSH session.


10. Stop the virtual appliance and quit the VMware Fusion application.

From a macOS terminal, stop the virtual appliance with the vmrun command.

/Applications/VMware\ Fusion.app/Contents/Library/vmrun stop $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm/FortiGate-VM64.vmx

Menu: Fusion → Quit

11. Create the Vagrant box.

From a macOS terminal, change the current directory.

cd $HOME/Virtual\ Machines.localized/FortiGate-VM64.vmwarevm

Remove generated MAC addresses from the configuration file.

sed -i '' '/generatedAddress/d' FortiGate-VM64.vmx

Remove UUID properties from the configuration file.

sed -i '' '/uuid/d' FortiGate-VM64.vmx

Create the metadata.json file for the VMware provider.

printf '{"provider": "vmware_desktop"}' > metadata.json

List the directory contents to verify the essential files are present.

du -csh *


102M    FortiGate-VM64-disk1.vmdk
 53M    FortiGate-VM64-disk2.vmdk
4.0K    FortiGate-VM64.plist
  0B    FortiGate-VM64.vmsd
4.0K    FortiGate-VM64.vmx
4.0K    FortiGate-VM64.vmxf
4.0K    metadata.json
 12K    nvram
4.0K    startMenu.plist
340K    vmware.log
155M    total

Package the Vagrant box file with tar.

tar cvzf fortigate-602.box ./*
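
A check that can be run before the tar step, as an added example that is not part of the original guide: it confirms the .vmx is in the state steps 3, 4 and 11 leave it in (a single network adapter, the serial console, no generated MAC addresses or UUIDs from the template) and that metadata.json names the vmware_desktop provider. The function name check_box_dir and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-packaging check for the
# template directory. Prints one FAIL line per problem; returns 0 when clean.
check_box_dir() {
    dir=$1
    vmx="$dir/FortiGate-VM64.vmx"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    [ -f "$vmx" ] || { echo "FAIL: $vmx not found"; return 1; }

    # Step 3: only Network Adapter (ethernet0) may remain.
    grep -q '^ethernet[^0]' "$vmx" && fail "extra network adapters still defined"
    grep -q '^ethernet0\.present = "TRUE"' "$vmx" || fail "ethernet0 is missing"

    # Step 4: the serial console must be present and network-backed.
    grep -q '^serial0\.present = "TRUE"' "$vmx" || fail "serial0 is not present"
    grep -q '^serial0\.fileType = "network"' "$vmx" || fail "serial0 is not a network port"

    # Step 11: the template's MAC address and UUID lines must be gone.
    grep -q 'generatedAddress' "$vmx" && fail "generated MAC address left in .vmx"
    grep -q 'uuid' "$vmx" && fail "UUID properties left in .vmx"

    # Step 11: metadata.json must name the provider passed to 'vagrant box add'.
    grep -q '"provider": *"vmware_desktop"' "$dir/metadata.json" 2>/dev/null ||
        fail "metadata.json missing or wrong provider"

    [ "$problems" -eq 0 ]
}

# Constructed sample: a template that still has a second adapter and a UUID.
demo=$(mktemp -d)
printf '%s\n' 'ethernet0.present = "TRUE"' 'ethernet1.present = "TRUE"' \
    'uuid.bios = "56 4d 00 00"' 'serial0.present = "TRUE"' \
    'serial0.fileType = "network"' > "$demo/FortiGate-VM64.vmx"
printf '{"provider": "vmware_desktop"}' > "$demo/metadata.json"
check_box_dir "$demo" || echo "not ready to package"
rm -rf "$demo"
```

Against the real template, call it with the directory from step 11, for example `check_box_dir "$PWD"`, and package only when it returns 0.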

12. Add the Vagrant box.

From a macOS terminal, add the Vagrant box to our local inventory.

vagrant box add --provider vmware_desktop --name fortigate-602 fortigate-602.box

13. Test it.

From a macOS terminal, create a directory for a test project and change to it.

mkdir $HOME/Documents/test-fortigate && cd $_

Download an example Vagrantfile.

curl -Lo Vagrantfile https://raw.githubusercontent.com/mweisel/vagrant-vmware-examples/master/fortigate-single-mgmt-int

Validate the Vagrantfile.

vagrant validate

Show the current status of the vagrant machine.

vagrant status

14. Vagrant Up!

vagrant up

The vagrant machine should now be in the running state.

vagrant status

We can connect to the vagrant machine with SSH.

vagrant ssh

We can also connect to the vagrant machine with a console connection (out-of-band management) via Netcat.

nc -c 52001

Or the web UI via HTTP.

Web UI login

15. More Vagrant commands

Stop the vagrant machine with the force option.

vagrant halt -f

Destroy (delete) the vagrant machine with the force option.

vagrant destroy -f

16. Happy Labbing!