Creating an MVE Integrated with Fortinet

This topic describes how to create and configure a Megaport Virtual Edge (MVE) with Fortinet Secure SD-WAN. Before you begin, you need user accounts with ordering permissions that provide access to the Megaport Portal and to Fortinet.

For more information on setting up a Megaport account, see Creating an Account.


Fortinet provides documentation for their SD-WAN product, including FortiManager and cloud connections, at Fortinet SD-WAN Documentation Library.

Basic steps

This section provides an overview of the configuration steps in FortiManager and the Megaport Portal. Detailed procedures follow this basic step summary.

The basic steps are:

  • Obtain a license from Fortinet.
  • Generate an SSH key pair for authentication.
  • Create the Fortinet MVE in the Megaport Portal.
  • View the MVE public IP address assignment in the Megaport Portal.
  • Set an admin password for the FortiGate.
  • Allow secure console access to the FortiGate.
  • Add the FortiGate to FortiManager Cloud (optional).


A valid FortiGate VM license file can be applied during the MVE deployment process through the Megaport Portal, or it can be applied post-deployment through the FortiGate WebUI or CLI interfaces.
Alternatively, you can use the FortiFlex points-based licensing model. The FortiFlex token-based license must be applied through the CLI post-deployment.

If you buy a license from Fortinet, you’ll receive a registration code in a PDF. You will use this registration code to generate a license file.
If you use FortiFlex points, you will generate a license token through the FortiFlex portal associated with your Fortinet Support account.

To obtain a license file from Fortinet

  1. Log in to your registration account at Fortinet Support.

  2. Choose Register Product and enter the provided registration code.

  3. Follow the registration process.
    Fortinet generates the serial number and displays it on the Registration Completion page.

  4. Choose Manage > View Products and click the serial number.

  5. Click the download link and save the license file.
    You’ll upload the license file later in the Megaport Portal.

To use FortiFlex points

  1. Deploy the FortiGate VM on MVE without choosing to upload a license file.

  2. Access the FortiGate VM CLI by establishing a using the SSH session.

  3. Copy the license token provided from your FortiFlex portal.

  4. Inject the license token into the VM using the CLI.

  5. Reboot the FortiGate VM when prompted.

Once the product is registered, it appears in the FortiCloud Asset Management product list.

The next step is to generate an SSH key pair for authentication.

Administrative access to MVE

MVE and the FortiGate connect through a public/private SSH key pair to establish secure connections. The public SSH key allows you to SSH into the FortiGate and set the administrative password, enable HTTPS access, and optionally register the FortiGate to your FortiManager Cloud.

Megaport supports the 2048-bit RSA key type.

To generate an SSH key pair (Linux/Mac OSX)

  • Run the SSH keygen command:
     ssh-keygen -f ~/.ssh/megaport-mve-instance-1-2048 -t rsa -b 2048

The key generator command creates an SSH key pair and adds two files to your ~/.ssh directory:

  • megaport-mve-instance-1-2048 - contains the private key.
  • - contains the public key that is authorized to log in to the Fortinet account.

To generate an SSH key pair (Windows, using PuTTYgen)

  1. Open PuTTYGen.
  2. In the Key section, choose RSA 2048 bit and click Generate.
  3. Move your mouse randomly in the small screen to generate the key pairs.
  4. Enter a key comment, which will identify the key.
    This is convenient when you use several SSH keys.
  5. Enter a Key passphrase, and re-enter to confirm.
    The passphrase is used to protect your key. You will be asked for it when you connect via SSH.
  6. Click Save private key, choose a location, and click Save.
  7. Click Save public key, choose a location, and click Save.

You’ll copy and paste the contents of the public key file in the Megaport Portal later to distribute the public key to the FortiGate. Your private key will match the public key to grant access. Only a single private key has access to the FortiGate for SSH access.

Creating an MVE in the Megaport Portal

Before you create an MVE, you need to determine the best location - one that supports MVE and one that is in the most compatible metro area. You can connect multiple locations to an individual MVE. For more information about location details, see Planning Your Deployment.

You can deploy multiple MVEs within the same metropolitan area for redundancy or capacity reasons. As part of the MVE creation process, you will also create a Megaport Internet connection.

To create an MVE

  1. In the Megaport Portal, go to the Services page.
  2. Click Create MVE.
    Create MVE button

  3. Select the MVE location.

    Select a location geographically close to your target branch and/or on-premises locations.

    The country you choose must be a market in which you have already registered.

    If you haven’t registered a billing market in the location where you will deploy the MVE, follow the procedure in Enabling Billing Markets.

    To search for your local market in the list, enter a country in the Country Filter or a metro region detail in the Search filter.

  4. Select a diversity zone.

    You can select either Red or Blue, or select Auto and have Megaport select the zone for you. The selected or allocated diversity zone will be displayed on the location details through the rest of the provisioning, and on the summary page at the end.
    For more information, see MCR and MVE Diversity.

    Select MVE location

  5. Click Next.

  6. Select Fortinet FortiGate-VM.

  7. Specify the MVE details:

    • Version – Select the software version. The MVE will be configured to be compatible with that version of Fortinet.

    • MVE Name – Enter a name for the MVE that is easily identifiable, particularly if you plan on provisioning more than one. This name appears in the Megaport Portal.

    • Size – Select a size from the drop-down list. The list displays all sizes that match the CPU capacity at the selected location. The sizes support varying numbers of concurrent connections, and individual partner product metrics vary slightly. For more information, see Planning Your Deployment.


      If the MVE size you want is not in the list, then there is not enough capacity at the selected location. You can either select another location with enough capacity or contact your Account Manager to discuss requirements.

    • Service Level Reference (optional) – Specify a unique identifying number for the MVE to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.

    • Appliance License – (optional) If you have purchased a license from Fortinet, click Choose File and select the appliance license generated earlier from Fortinet.
      If you are using FortiFlex, skip this step.

    • SSH Key – Copy and paste the contents of your public SSH key here. You can find the public key in the file generated earlier.

    • Virtual Interfaces (vNICs) – Fortinet is configured with one vNIC named Data Plane by default. If required, you can change the name by typing over the Data Plane text.

      You can add a total of five vNICs to the MVE, including the one added by default. For more information, see Types of vNIC Connections.

      To add a vNIC:

      • Click + Add.

        Add vNIC

      • Enter a name for the vNIC.

        Add name for vNIC


      If you want to increase or decrease the number of vNICs on this MVE after it has been deployed, you will have to delete the entire MVE and recreate it. You can’t add or delete vNICs from a deployed MVE.

    • Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default. For more information, see MVE Pricing and Contract Terms.


      Partner and partner-managed accounts select MVE subscriptions instead of MVE contract terms.

  8. Click Next to view the Summary page.
    The monthly rate is based on location and size.

  9. Confirm the configuration and pricing then click Add MVE.
    You are prompted to create a Megaport Internet connection. A Megaport Internet connection provides connectivity and allows MVE to register and communicate with Fortinet SD-WAN.

    Create Megaport Internet connection

To create the Megaport Internet connection

  1. Click Create Megaport Internet to proceed (recommended), or click Not now to provision internet access at a later time.


    MVE requires connectivity to the internet onto the management plane virtual interface. You can either provision a Megaport Internet connection or configure a third-party internet connection using a private VXC. We strongly recommend that you create a Megaport Internet connection for the initial MVE startup and deployment to ensure that the MVE is provisioned and functioning correctly.

  2. Select the target Port (the internet router).
    The B-End of a Megaport Internet connection can be anywhere that Megaport Internet is available.
    You can filter by diversity zone, or select to view all.

  3. Click Next.

  4. Specify the connection details:

    • Connection Name – The name of your Megaport Internet connection to be shown in the Megaport Portal.

    • Service Level Reference (optional) – Specify a unique identifying number for the Megaport Internet connection to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice.


      Use the same Service Level Reference numbers for the Megaport Internet connection and MVE to help identify the matching pair in your invoice.

    • Rate Limit – The speed of your connection in Mbps. The speed is adjustable from 20 Mbps to 10 Gbps in increments of 1 Mbps. You can change the speed as needed after you create the Megaport Internet connection. Monthly billing details appear based on location and rate limit.

    • VXC State – Select Enabled or Shut Down to define the initial state of the connection. For more information, see Shutting Down a VXC for Failover Testing.


      If you select Shut Down, traffic will not flow through this service and it will behave as if it was down on the Megaport network. Billing for this service will remain active and you will still be charged for this connection.

    • A-End vNIC - Specify a vNIC from the drop-down list. The list shows the vNICs that were created with the MVE.

    • Preferred A-End VLAN (optional) – Specify an unused VLAN ID for this connection. This must be a unique VLAN ID on this MVE and can range from 2 to 4093. If you specify a VLAN ID that is already in use, the system displays the next available VLAN number. The VLAN ID must be unique to proceed with the order. If you don’t specify a value, Megaport will assign one.
      Alternatively, you can click Untag. This selection removes the VLAN tagging for this connection and it will be configured without a VLAN ID.

    • Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default.
      Take note of the information on the screen to avoid early termination fees (ETF). For more information, see Megaport Internet Pricing and Contract Terms and VXC, Megaport Internet, and IX Billing.

    Megaport Internet connection details

  5. Click Next to proceed to the connection detail summary.

  6. Click Add VXC to order the connection.

    Configured services

  7. Click Order.

    Order services

  8. If you have a promotional code, click Add Promo Code, enter it, then click Add Code.

  9. Click Order Now.

    Order services

Ordering MVE provisions the appliance and assigns IP addresses from the Megaport SDN. The MVE provisioning takes only a few minutes to complete. The provisioning process spins up a Fortinet FortiGate.

Viewing the MVE in the Megaport Portal

After creating the MVE, you can view it in the Megaport Portal on the Services page. You can also view the public IP addresses assigned.

To view an MVE in the Megaport Portal

  • Go to the Services page.

MVE and Megaport Internet connection in the Megaport Portal

The Megaport Internet icon differs from a standard VXC icon in the Megaport Portal, as shown in the image.

For more information on the Services page, see Understanding the Services Page.

To view the public IP addresses assigned to the MVE

  1. Click the gear icon Gear icon next to the Megaport Internet connection.
    The Connection Configuration screen appears. From here, you can modify any of the Megaport Internet connection details.
    Megaport Internet connection details
  2. Select the Details tab.
    Megaport Internet connection details
  3. Locate the public IP address (IPv4 or IPv6).
    These are the public IP addresses assigned to the MVE.

Allow console access to the FortiGate

Console access to the FortiGate is delivered through a secure HTTPS session. The MVE blocks all access to the public IP addresses assigned to the device until you SSH into it and grant HTTPS access.

To set an admin Web UI password and allow HTTPS access

  1. SSH to the Fortinet MVE instance using the SSH private key generated earlier. The default username is admin, followed by the public IP address assigned to the device by Megaport.

    ssh -i ~/.ssh/megaport-mve-instance-1-2048 admin@162.43.xx.x

    Once in the FortiOS CLI, you can view system status and allow access to the device using CLI commands.


    The FortiOS CLI differs from the standard NOS CLI or Linux shell.

  2. Configure a password for the user admin account.

      FGVM08TM21001375 # config system admin
      FGVM08TM21001375 (admin) # edit admin
      FGVM08TM21001375 (admin) # set password xxxxxxxx
      FGVM08TM21001375 (admin) # next
      FGVM08TM21001375 (admin) # end
  3. Allow HTTPS access to the public interface GUI on port 1.

      FGVM08TM21001375 # config system interface
      FGVM08TM21001375 (interface) # edit port1
      FGVM08TM21001375 (port1) # append allowaccess https
      FGVM08TM21001375 (port1) # next
      FGVM08TM21001375 (interface) # end
      FGVM08TM21001375 #
  4. Verify that HTTPS access is allowed.

      FGVM08TM21001375 # show system interface

With HTTPS access allowed, you can log in to the FortiGate through its Web UI using the user admin credentials.

Supply the FortiFlex license token

If you are using FortiFlex to license your MVE, you must use the CLI to inject the license token from FortiFlex into the VM. Use the following command:

exec vm-license <license_token>

For example,

exec vm-license 58923569A3FFB7F46879

Add the FortiGate to FortiManager Cloud

The next step is to add the FortiGate to FortiManager Cloud, Fortinet’s SD-WAN centralized management platform.


This step is optional. You can manage a FortiGate as a standalone device without using FortiManager Cloud as its central manager.

To add the FortiGate to FortiManager Cloud

  1. Log in to the FortiGate GUI: https://162.43.xx.x

  2. Select Device Manager.

  3. From the Device Dashboard, Choose Security Fabric > Fabric Connectors.

  4. Select FortiManager and click Edit.

    Add FortiGate to FortiManager

  5. Select the following settings:

    • Status - Enabled
    • Type - FortiManager Cloud
    • Mode - Normal
  6. Click OK.

    The FortiCloud contacts your registered FortiManager Cloud for approval. The registration process does not require an IP address but instead uses backend authentication through prior registration and licensing.

Authorize the FortiGate in FortiManager

Before FortiManager adds the FortiGate to its list of managed devices, you need to manually authorize it.

To authorize the FortiGate

  1. Log in to your FortiManager Cloud instance at Fortinet Support.

  2. Choose Services > FortiManager.

    Authorize device

    You’ll see an unauthorized device awaiting approval.

    FortiGate awaiting authorization

  3. Click Unauthorized Devices, and then select the device to authorize.

  4. Click Authorize.

  5. You can optionally change the device name, apply a preconfigured policy package, or apply a preconfigured provisioning template to the device.

  6. Click OK when you are satisfied with the configuration.
    A green check mark indicates the FortiGate was authorized by FortiManager.

    FortiGate successful authorization

  7. Click Close.

The device is now managed via FortiManager Cloud and you can view it in the list of managed devices.

FortiCloud managed through FortiManager


The IP address for the FortiGate displayed on the dashboard is an internal, private IP that is specifically used for the SD-WAN overlay.

Next steps

Once the MVE is provisioned with an Active status, the next step is to connect a VXC to a CSP, a local port, or a third-party network. You can optionally connect a physical Port to the MVE through a private VXC or connect to a service provider in the Megaport Marketplace.

For more information, see Creating a VXC.