FortiGate Virtual Appliance on IBM Cloud overview

FortiGate® Virtual Appliance on IBM Cloud® deploys a pair of FortiGate Virtual Appliances to your environment, which can help you reduce risk by implementing critical security controls within your virtual infrastructure. FortiGate Virtual Appliance on IBM Cloud is a non-IBM product that is offered under terms and conditions from Fortinet, not IBM.

  • You can install multiple instances of this service as needed. You can manage this service by using the FortiOS Web Client or the CLI through SSH.
  • For VMware Cloud Foundation for Classic - Automated with NSX-T™ instances, FortiGate Virtual Appliance is supported for NSX-T 3.1 or later and for VMware vSphere® 7.0.
  • For existing NSX-V instances V4.7 and earlier, FortiGate Virtual Appliance is supported for vSphere 6.7.

IBM Cloud® for VMware Solutions offers promotions for some add-on services. Promotional pricing offers a number of months at no cost for a service license, if the service has license charges. For more information, see Promotions for VMware Solutions add-on services.

The FortiGate Virtual Appliance version available for deployment is 7.4.3.

Technical specifications for FortiGate Virtual Appliance

For more information about resource requirements and capacity checking for some services, see Resource requirements for add-on services.

The following components are ordered and included in the FortiGate Virtual Appliance service.

Virtual machines

  • All options include a pair of virtual machines (VMs).
  • 2, 4, 8, 16, or 32 CPUs per VM. The number depends on the deployment size.
  • 4, 6, or 12 GB RAM per VM. The number depends on the deployment size.

High availability

Two VMs are deployed and ready for HA or Virtual Router Redundancy Protocol (VRRP) configuration.

Networking

Access to the FortiGate console is provided through a private management network. When deployed to a management or consolidated cluster, FortiGate Virtual Appliance management addresses are drawn from the instance management private portable subnet. When deployed to a gateway cluster, a new private portable subnet is ordered for these addresses.

License and fees

License fees for each VM are applied to each billing cycle. The fees depend on the selected deployment size and monthly subscription license model.

Licensing notes

  • You cannot change the licensing level after service installation. To change the licensing level, you must delete the existing service and reinstall the service by using a different licensing option.
  • If you receive expiration notifications about the FortiGate Virtual Appliance service license, you can ignore them. The license is automatically renewed annually before it expires.

Uplink speeds, deployment sizes, and CPU models

The following information describes the different considerations for the uplink speed, deployment size, and CPU when you install FortiGate Virtual Appliance.

FortiGate Virtual Appliance on VCF for Classic - Automated

You can install FortiGate Virtual Appliance on the consolidated cluster or the gateway cluster.

On the consolidated cluster, note the following information:

  • You can choose a 10 Gb or 25 Gb uplink speed for the cluster.

    • For 10 Gb, you can select a deployment size from FortiGate-VM02 up to FortiGate-VM32.
    • For 25 Gb, you can select a FortiGate-VM16 or FortiGate-VM32 deployment size.
  • The FortiGate-VM32 deployment size requires Cascade Lake 5218 or higher.

On the gateway cluster, note the following information about the uplink speed:

  • For 10 Gb, select Cascade Lake 4210 and FortiGate-VM16.
  • For 25 Gb, select Cascade Lake 5218 and either FortiGate-VM16 or FortiGate-VM32.

FortiGate Virtual Appliance on Regulated Workloads

For Regulated Workloads, you can install FortiGate Virtual Appliance on the gateway cluster. You can deploy the service on a single-zone (new or existing) or multizone (existing only) instance.

  • You can install FortiGate Virtual Appliance on gateway clusters with a 10 Gb or 25 Gb uplink speed.
  • For 10 Gb, you can install FortiGate-VM16 on Cascade Lake 4210.
  • For 25 Gb, you can install FortiGate-VM16 or FortiGate-VM32. The FortiGate-VM32 deployment size requires Cascade Lake 5218 or higher.

FortiGate Virtual Appliance on vCenter Server 6.7 with NSX-V

On existing NSX-V instances V4.7 and earlier, you can install FortiGate Virtual Appliance on the management cluster.

  • You can select a deployment size from FortiGate-VM02 up to FortiGate-VM16.
  • You can install FortiGate Virtual Appliance on clusters with a 10 Gb or 25 Gb uplink speed.
  • NSX-V clusters with 25 Gb uplink speed support only a deployment size of FortiGate-VM16.

FortiGate Virtual Appliance on the Security and Compliance Readiness Bundle

On the Security and Compliance Readiness Bundle, you can install FortiGate Virtual Appliance on the gateway cluster.

  • You can install FortiGate Virtual Appliance on gateway clusters with a 10 Gb or 25 Gb uplink speed.
  • For 10 Gb, you can select a deployment size from FortiGate-VM02 up to FortiGate-VM32. The FortiGate-VM32 deployment size requires Cascade Lake 5218 or higher.
  • For 25 Gb, you can install FortiGate-VM16 or FortiGate-VM32. The FortiGate-VM32 deployment size requires Cascade Lake 5218 or higher.

FortiGate Virtual Appliance order example

You can order a VCF for Classic - Automated instance with two VMware ESXi™ servers with the following configuration: 16 cores at 2.10 GHz each with 128 GB RAM. For FortiGate Virtual Appliance, you select 8 CPUs / 12 GB RAM for deployment size and any subscription license model.

In this case, a single FortiGate VM requires the following components on each server:

  • 2.1 GHz * 8 CPU = 16.8 GHz of CPU
  • 12 GB RAM

For two FortiGate VMs, the total is 33.6 GHz CPU and 24 GB RAM.

Each ESXi server has a capacity of 16 cores * 2.1 GHz = 33.6 GHz. So the first two requirements are met if both servers are active and there are at least 16.8 GHz of CPU and 12 GB RAM available on each server.

However, by default, vSphere HA reserves 50% of CPU and RAM for failover on Automated instances that were initially deployed with two ESXi servers. So the capacity is shown in the following formula.

50% of 2 * 16 cores * 2.1 GHz = 33.6 GHz available

Because other workloads on the ESXi servers, for example, vCenter Server, VMware NSX® Controller, or VMware NSX Edge, also use these resources, the third requirement is not met. The two FortiGate VMs alone need 33.6 GHz of CPU and 24 GB RAM.

In this case, the FortiGate Virtual Appliance installation might fail, unless at least one ESXi server is added to the environment. Also, the vSphere HA failover reservations must be updated to ensure that enough resources are available for two FortiGate VMs.

If more resources are needed to run the FortiGate Virtual Appliance service, you can add more ESXi servers before you install the service.
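
The order example above, carried through as a capacity check and extended to the three-server case. This is an added example, not IBM or Fortinet code. The per-host load figures, the 1/3 failover reservation, the one-VM-per-host placement, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Host:
    cores: int
    ghz_per_core: float
    ram_gb: float
    used_ghz: float = 0.0     # CPU already used by other workloads (constructed input)
    used_ram_gb: float = 0.0  # RAM already used by other workloads (constructed input)

    @property
    def cpu_ghz(self) -> float:
        return self.cores * self.ghz_per_core

EPS = 1e-9  # tolerance for float comparisons

def check_fortigate_pair(hosts, vcpus, ram_gb, ha_reserved=0.5, vm_count=2):
    """Return a list of capacity problems; an empty list means the pair fits."""
    problems = []
    vm_ghz = min(h.ghz_per_core for h in hosts) * vcpus  # 2.1 GHz * 8 CPU = 16.8 GHz
    # Per-host check (assumes one VM per host): vm_count hosts need room for one VM.
    roomy = [h for h in hosts
             if h.cpu_ghz - h.used_ghz + EPS >= vm_ghz
             and h.ram_gb - h.used_ram_gb + EPS >= ram_gb]
    if len(roomy) < vm_count:
        problems.append(f"only {len(roomy)} host(s) can hold one VM")
    # Cluster check: capacity left after the vSphere HA failover reservation,
    # minus what other workloads already use, must cover all FortiGate VMs.
    free_ghz = ((1 - ha_reserved) * sum(h.cpu_ghz for h in hosts)
                - sum(h.used_ghz for h in hosts))
    free_ram = ((1 - ha_reserved) * sum(h.ram_gb for h in hosts)
                - sum(h.used_ram_gb for h in hosts))
    if free_ghz + EPS < vm_ghz * vm_count:
        problems.append(f"cluster CPU short by {vm_ghz * vm_count - free_ghz:.1f} GHz")
    if free_ram + EPS < ram_gb * vm_count:
        problems.append(f"cluster RAM short by {ram_gb * vm_count - free_ram:.1f} GB")
    return problems

def esxi(used_ghz=0.0, used_ram_gb=0.0):
    """The ESXi server from the order example: 16 cores at 2.10 GHz, 128 GB RAM."""
    return Host(16, 2.1, 128, used_ghz, used_ram_gb)

# Constructed load: 10 GHz and 40 GB per original host for vCenter Server, NSX, and so on.
two_hosts = [esxi(10, 40), esxi(10, 40)]
three_hosts = two_hosts + [esxi()]

if __name__ == "__main__":
    print(check_fortigate_pair(two_hosts, 8, 12))    # CPU short at the 50% default
    print(check_fortigate_pair(three_hosts, 8, 12))  # third host added, still 50%
    print(check_fortigate_pair(three_hosts, 8, 12, ha_reserved=1/3))  # reservation updated
```

With the constructed load, adding a third server alone is not enough while the reservation stays at 50%; the check passes only after the reservation is also lowered.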