Creating an MVE Integrated with Fortinet
This topic describes how to create and configure a Megaport Virtual Edge (MVE) with Fortinet Secure SD-WAN. Before you begin, you need user accounts with ordering permissions that provide access to the Megaport Portal and to Fortinet.
For details on setting up a Megaport account, see Registering an Account.
Fortinet provides documentation for their SD-WAN product, including FortiManager and cloud connections, at Fortinet SD-WAN Documentation Library.
This section provides an overview of the configuration steps in FortiManager and the Megaport Portal. Detailed procedures follow this basic step summary.
The basic steps are:
- Obtain a license from Fortinet.
- Generate an SSH key pair for authentication.
- Create the Fortinet MVE in the Megaport Portal.
- View the MVE public IP address assignment in the Megaport Portal.
- Set an admin password for the FortiGate.
- Allow secure console access to the FortiGate.
- Add the FortiGate to FortiManager Cloud (optional).
Before you create an MVE in the Megaport Portal, you need a valid license from Fortinet. After purchasing a license from Fortinet, you’ll receive a registration code in a PDF. You’ll use this registration code to generate a license file.
To obtain a license file from Fortinet
Log in to your registration account at Fortinet Support.
Choose Register Product and enter the provided registration code.
Follow the registration process.
Fortinet generates the serial number and displays it on the Registration Completion page.
Choose Manage > View Products and click the serial number.
Click the download link and save the license file. You’ll upload the license file later in the Megaport Portal.
Once the product is registered, it appears in the FortiCloud Asset Management product list.
The next step is to generate an SSH key pair for authentication.
Administrative access to MVE
You authenticate to the FortiGate running on the MVE with an SSH key pair. The public key is installed on the FortiGate when the MVE is created; the matching private key lets you SSH in to set the administrative password, enable HTTPS access, and optionally register the FortiGate with your FortiManager Cloud.
Megaport supports the 2048-bit RSA key type.
To generate an SSH key pair (Linux/Mac OSX)
- Run the SSH keygen command:
ssh-keygen -f ~/.ssh/megaport-mve-instance-1-2048 -t rsa -b 2048
The key generator command creates an SSH key pair and adds two files to your ~/.ssh directory:
- megaport-mve-instance-1-2048 - contains the private key. Keep it on your workstation only; it is never uploaded anywhere.
- megaport-mve-instance-1-2048.pub - contains the public key that will be authorized to log in to the FortiGate.
To generate an SSH key pair (Windows, using PuTTYgen)
- Open PuTTYGen.
- In the Key section, choose RSA 2048 bit and click Generate.
- Move your mouse randomly over the blank area of the window to provide randomness for the key pair.
- Enter a key comment, which will identify the key.
This is convenient when you use several SSH keys.
- Enter a Key passphrase, and re-enter to confirm.
The passphrase encrypts the private key on disk, so a copied key file is useless without it. You will be asked for it when you connect via SSH.
- Click Save private key, choose a location, and click Save.
- Click Save public key, choose a location, and click Save.
You’ll copy and paste the contents of the public key file into the Megaport Portal later, which distributes the public key to the FortiGate. Only the private key that matches this public key can open an SSH session to the FortiGate; no other SSH credential is accepted.
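The following shell script is an added example, not Megaport's or Fortinet's own tooling. It generates the key pair as described above and then confirms, before anything is pasted into the Portal, that the public half really is an ssh-rsa key with a 2048-bit modulus (the only type Megaport accepts). The size check parses the OpenSSH public-key wire format itself, so it needs only base64, od and awk. The key path, the key comment, the 12-character minimum and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not Megaport's or Fortinet's code): generate the MVE SSH
# key pair and verify the public key is RSA 2048 before pasting it into
# the Megaport Portal. Key path and comment below are example choices.

# Print the modulus size in bits of an OpenSSH public key line
# ("ssh-rsa AAAA... comment"). Returns 1 if the key type is not ssh-rsa.
rsa_pubkey_bits() {
  # Split the line into key type, base64 blob and (ignored) comment.
  set -- $1
  [ "$1" = "ssh-rsa" ] || return 1
  # The blob is: uint32-length "ssh-rsa", mpint e, mpint n. Decode it to
  # one line of decimal byte values and walk the fields in awk.
  printf '%s' "$2" | base64 -d | od -An -v -tu1 | tr '\n' ' ' | awk '
    function u32(i) { return $(i)*16777216 + $(i+1)*65536 + $(i+2)*256 + $(i+3) }
    {
      i = 1
      n = u32(i); i += 4 + n        # skip the "ssh-rsa" type string
      n = u32(i); i += 4 + n        # skip the public exponent e
      n = u32(i); i += 4            # n = byte length of the modulus mpint
      if ($(i) == 0) { n--; i++ }   # mpint has a leading 0x00 when the top bit is set
      top = $(i); b = 0
      while (top > 0) { top = int(top / 2); b++ }   # bits used by the top byte
      print (n - 1) * 8 + b
    }'
}

# Check a public key file against what the Megaport Portal accepts
# (RSA, 2048 bits) and print the line to paste into the SSH Key field.
check_mve_pubkey() {
  key=$(head -n 1 "$1") || return 1
  bits=$(rsa_pubkey_bits "$key") || { echo "$1: not an ssh-rsa key" >&2; return 1; }
  [ "$bits" -eq 2048 ] || { echo "$1: expected 2048-bit RSA, got $bits bits" >&2; return 1; }
  printf '%s\n' "$key"
}

# Generate the pair (ssh-keygen prompts for a passphrase that encrypts the
# private key on disk), lock down the private key's permissions, and run
# the check on the public half. $1 = private key path.
generate_mve_key() {
  ssh-keygen -f "$1" -t rsa -b 2048 -C "megaport-mve-$(date +%Y%m%d)" &&
    chmod 600 "$1" &&
    check_mve_pubkey "$1.pub"
}
```

Run it as `generate_mve_key ~/.ssh/megaport-mve-instance-1-2048`; the last line of output is the exact text for the Portal's SSH Key field. `check_mve_pubkey` can also be pointed at a key produced by PuTTYgen once it has been exported in OpenSSH format.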
Creating an MVE in the Megaport Portal
Before you create an MVE, you need to determine the best location: one that supports MVE and is in the metro area closest to the sites you will connect. You can connect multiple locations to an individual MVE. For location details, see Planning Your Fortinet Deployment.
You can deploy multiple MVEs within the same metropolitan area for redundancy or capacity reasons.
To create an MVE
- In the Megaport Portal, go to the Services page.
Click Create MVE.
Select the MVE location.
Select a location geographically close to your target branch and/or on-premises locations.
The country you choose must be a market in which you have already registered.
If you haven’t registered a billing market in the location where you will deploy the MVE, follow the procedure in Enabling a Billing Market.
To search for your local market in the list, enter a country in the Country Filter or a metro region detail in the Search filter.
Select Fortinet and the software version.
The MVE will be configured to be compatible with this software version from Fortinet.
Specify the MVE details.
MVE Name – Enter a name for the MVE that is easily identifiable, particularly if you plan on provisioning more than one. This name appears in the Megaport Portal.
Partner managed accounts can associate a Partner Deal to a service with a minimum 12-month subscription. For details, see Associating a Deal With a Service.
Size – Select a size from the drop-down list. The list displays all sizes that match the CPU capacity at the selected location. Each size supports a different number of concurrent connections, and the exact performance figures vary slightly between partner products. For details, see Planning your Fortinet Deployment.
Minimum Term – Select No Minimum Term to pay-as-you-go, or select a term of 12, 24, or 36 months. Longer terms result in a lower monthly rate. By default, a 12-month term is selected.
Partner and partner managed accounts select MVE subscriptions instead of MVE contract terms.
For details on contract terms, see MVE Pricing and Contract Terms.
Service Level Reference (optional) – Specify a unique identifying number for the MVE to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.
The transit VXC associated with the MVE is automatically updated with the MVE service level reference number.
Appliance License (optional) – Click Choose File and select the appliance license file generated earlier from Fortinet.
SSH Key – Copy and paste the contents of your public SSH key here. You can find the public key in the megaport-mve-instance-1-2048.pub file generated earlier.
Click Next to view the Summary screen.
The monthly rate is based on location and size.
Confirm the configuration and pricing and click Add MVE.
Click Create MVE to add more MVEs in other locations.
Review the Order Services agreement, and click Order Now.
- To save the configured MVE without placing the order yet, click Save.
- To apply a promotional code, click Add Promo Code, enter the code, and click Add Code.
Ordering the MVE provisions the instance and assigns IP addresses from the Megaport SDN. Provisioning takes only a few minutes to complete and boots a FortiGate with the license file and public SSH key you supplied.
Viewing the MVE public IP address assignment in the Megaport Portal
After creating the MVE, you can view it in the Megaport Portal.
To view an MVE in the Megaport Portal
- Go to the Services page.
As part of the MVE provisioning, Megaport creates a transit Virtual Cross Connect (VXC) to provide internet connectivity and to allow the MVE to register and communicate with the Fortinet SD-WAN overlay network. The overlay network is created and maintained by Fortinet to provide secure tunnels from the branch locations. The transit VXC is a fixed size, based on the size of the MVE; you cannot modify or delete it. The transit VXC icon differs from a standard VXC icon in the Megaport Portal, as shown in the image.
To view the public IP addresses assigned to the MVE
Click the gear icon next to the transit VXC to Megaport Internet.
Locate the public IP address (IPv4 or IPv6). These are the public IP addresses assigned to the MVE. Make a note of these addresses for use later.
Allow console access to the FortiGate
Web UI access to the FortiGate is delivered through an HTTPS session. When the MVE is first provisioned, the only thing it accepts on its public IP addresses is a key-authenticated SSH session; HTTPS stays blocked until you SSH in with your private key and explicitly allow it.
To set an admin Web UI password and allow HTTPS access
SSH to the Fortinet MVE instance using the private key generated earlier. The username is admin, and the host is the public IP address assigned to the device by Megaport (shown here as the placeholder <mve-public-ip>).
ssh -i ~/.ssh/megaport-mve-instance-1-2048 admin@<mve-public-ip>
Once in the FortiOS CLI, you can view system status and allow access to the device using CLI commands.
The FortiOS CLI differs from a typical network OS CLI or Linux shell: settings are changed inside config ... end blocks, and an object within a table is selected with edit and committed with next.
Configure a password for the user admin account.
FGVM08TM21001375 # config system admin
FGVM08TM21001375 (admin) # edit admin
FGVM08TM21001375 (admin) # set password xxxxxxxx
FGVM08TM21001375 (admin) # next
FGVM08TM21001375 (admin) # end
Allow HTTPS access to the GUI on port1, the interface that carries the public IP address.
FGVM08TM21001375 # config system interface
FGVM08TM21001375 (interface) # edit port1
FGVM08TM21001375 (port1) # append allowaccess https
FGVM08TM21001375 (port1) # next
FGVM08TM21001375 (interface) # end
FGVM08TM21001375 #
Verify that the allowaccess list for port1 now includes https.
FGVM08TM21001375 # show system interface
With HTTPS access allowed, you can log in to the FortiGate Web UI at https://<mve-public-ip> with the admin credentials you just set. Because port1 faces the internet, the login page is now reachable from any source address. Restrict it by setting trusted hosts (trusthost1, trusthost2, and so on) on the admin account under config system admin, so that only your management addresses can reach the GUI and SSH, and use a long, unique admin password.
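The script below is an added example, not Megaport's or Fortinet's own code. It assembles the FortiOS commands from the steps above into one bootstrap script, adds a trusted-host restriction on the admin account so the HTTPS GUI on the public port1 is not reachable from the whole internet, and pushes the script over the key-based SSH session. It assumes that FortiOS executes a command script supplied on SSH standard input and that the admin trusted-host setting takes the form set trusthostN <ip> <netmask>; the 12-character password minimum, the environment variable name and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not Megaport's or Fortinet's code): build and push the
# FortiOS bootstrap for a new MVE with an admin trusted-host restriction.
# Assumes FortiOS runs a command script fed on SSH stdin and the
# "set trusthostN <ip> <netmask>" syntax; the 12-character minimum is
# this example's own choice.

# Emit the FortiOS CLI script on stdout.
#   $1 = trusted management source IP, $2 = its netmask, $3 = new admin password
# Refuses an all-zeros trusted host (0.0.0.0 0.0.0.0 would leave the GUI
# reachable from anywhere, the very thing the restriction is for) and
# passwords shorter than 12 characters.
fortios_bootstrap_cli() {
  ip=$1 mask=$2 pw=$3
  case "$ip $mask" in
    "0.0.0.0 0.0.0.0"|" "*|*" ")
      echo "refusing unrestricted or empty trusted host" >&2; return 1 ;;
  esac
  [ "${#pw}" -ge 12 ] || { echo "admin password shorter than 12 characters" >&2; return 1; }
  cat <<EOF
config system admin
    edit admin
        set password "$pw"
        set trusthost1 $ip $mask
    next
end
config system interface
    edit port1
        append allowaccess https
    next
end
show system interface port1
EOF
}

# Push the script to the MVE over the key-authenticated SSH session.
#   $1 = private key path, $2 = MVE public IP, $3 = trusted IP, $4 = netmask
# The new admin password is read from MVE_ADMIN_PASSWORD rather than typed
# on the command line, so it does not land in shell history.
fortios_bootstrap_apply() {
  fortios_bootstrap_cli "$3" "$4" "${MVE_ADMIN_PASSWORD:?set MVE_ADMIN_PASSWORD}" |
    ssh -i "$1" -o IdentitiesOnly=yes "admin@$2"
}
```

Typical use: `MVE_ADMIN_PASSWORD='...' fortios_bootstrap_apply ~/.ssh/megaport-mve-instance-1-2048 <mve-public-ip> 203.0.113.10 255.255.255.255`, where 203.0.113.10 stands in for your management host. The trailing show command echoes the port1 configuration back so you can confirm https now appears in allowaccess; run `fortios_bootstrap_cli` on its own first to review the script before sending it.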
Add the FortiGate to FortiManager Cloud
The next step is to add the FortiGate to FortiManager Cloud, Fortinet’s SD-WAN centralized management platform.
This step is optional. You can manage a FortiGate as a standalone device without using FortiManager Cloud as its central manager.
To add the FortiGate to FortiManager Cloud
Log in to the FortiGate GUI at the public IP address you noted earlier, for example https://162.43.xx.x
Select Device Manager.
From the device dashboard, choose Security Fabric > Fabric Connectors.
Select FortiManager and click Edit.
Select the following settings:
- Status - Enabled
- Type - FortiManager Cloud
- Mode - Normal
The FortiGate then contacts your FortiManager Cloud instance for approval. No FortiManager IP address is required; the FortiGate is authenticated on the back end through its prior registration and licensing under your FortiCloud account.
Authorize the FortiGate in FortiManager
Before FortiManager adds the FortiGate to its list of managed devices, you need to manually authorize it.
To authorize the FortiGate
Log in to your FortiManager Cloud instance at Fortinet Support.
Choose Services > FortiManager.
You’ll see an unauthorized device awaiting approval.
Click Unauthorized Devices, and then select the device to authorize.
You can optionally change the device name, apply a preconfigured policy package, or apply a preconfigured provisioning template to the device.
Click OK when you are satisfied with the configuration.
A green check mark indicates the FortiGate was authorized by FortiManager.
The device is now managed via FortiManager Cloud and you can view it in the list of managed devices.
The IP address for the FortiGate displayed on the dashboard is an internal, private IP that is specifically used for the SD-WAN overlay.
Now that you’ve deployed an MVE, the next step is to connect a VXC to a CSP, a local port, or a third-party network. You can optionally connect a physical Port to the MVE through a private VXC or connect to a service provider in the Megaport Marketplace.