Config drive with ESX vCenter VMware

In this recipe, you will learn how to bootstrap a FortiGate-VM in VMware vCenter using config drive. If you deploy VMs on VMware vCenter or standalone ESX and are looking for a way to pre-configure the FortiGate VM so that it boots with a pre-determined configuration and a valid license, you have found the right recipe.

Make sure to verify the config drive functionality available for your FortiGate VM version in the release notes. FortiGate VM 5.4.1 and above support version 2 of the config-drive capabilities. Cloud-Init config drive was initially created for OpenStack and other cloud environments — and it is a capability available on the FortiGate-VM (FGT-VM) even when booting within a VMware vCenter or standalone ESX environment. Config drive also allows the administrator to pass both day zero configuration scripts and FGT-VM licenses to the FortiGate on initial boot.
 
In order to pass a config drive to the FGT-VM, first you need to create a directory structure, and place the license file and configuration script file in the appropriate places. Here is the directory structure you will need:
 
 
For more information on the directory structure, please see this PDF.
 
 

1. FortiGate VM License file

The contents of the FGT-VM license file go into the 0000 file. Generally, one would cat the license file and redirect the output into the config-drive/openstack/content/0000 file.
 
aaberra@ubuntu:/var/tmp$ cat config-drive/openstack/content/0000
-----BEGIN FGT VM LICENSE-----
#-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-#
#-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-#
#-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-REDACTED-#
-----END FGT VM LICENSE-----
aaberra@ubuntu:/var/tmp$

2. FortiGate Configuration Script

The configuration script for a FGT-VM is in standard CLI syntax.

Here is a simple example, where the hostname is Example-Day0 and port1 is configured to use DHCP to get an IP address.

aaberra@ubuntu:/var/tmp$ cat config-drive/openstack/latest/user_data
#Example FGT Day0 Configuration
config system global
    set hostname Example-Day0
end

config system interface
    edit port1
        set mode dhcp
        set allowaccess https ssh ping
end
aaberra@ubuntu:/var/tmp$
 

3. Create the Config Drive ISO

  
To create the config-drive ISO you will need to use a utility such as xorriso. (Other utilities, such as mkisofs, can also be used to create ISOs. In this recipe we will provide examples using xorriso.) Using xorriso, we will refer to the config-drive directory created above with the relevant license file and configuration script. Here is an example of creating a config-drive ISO on an Ubuntu host:
 
aaberra@ubuntu:/var/tmp$ xorriso -as mkisofs -V config-2 -o Day0-CFG-Drive.iso config-drive/
xorriso 1.3.2 : RockRidge filesystem manipulator, libburnia project.
Drive current: -outdev 'stdio:Day0-CFG-Drive.iso'
Media current: stdio file, overwriteable
Media status : is blank
Media summary: 0 sessions, 0 data blocks, 0 data, 14.3g free
xorriso : WARNING : -volid text does not comply to ISO 9660 / ECMA 119 rules
Added to ISO image: directory '/'='/var/tmp/config-drive'
xorriso : UPDATE : 5 files added in 1 seconds
xorriso : UPDATE : 5 files added in 1 seconds
ISO image produced: 185 sectors
Written to medium : 185 sectors at LBA 0
Writing to 'stdio:Day0-CFG-Drive.iso' completed successfully.
aaberra@ubuntu:/var/tmp$

aaberra@ubuntu:/var/tmp$ ls -l Day0-CFG-Drive.iso
-rw-rw-r-- 1 aaberra aaberra 378880 Feb 15 13:32 Day0-CFG-Drive.iso
aaberra@ubuntu:/var/tmp$
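
The steps above as one script, an added example that is not part of the original recipe: it stages the directory tree from the two paths the recipe uses, refuses a license file that lacks the BEGIN/END markers, and builds the ISO with the recipe's xorriso command. The input file names (FGVM.lic, day0.conf) and the marker check are assumptions, and the license body is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original recipe): stage a config drive and build the ISO.
set -eu
umask 077   # the tree and ISO hold a license and device config; keep them private

# stage_config_drive ROOT [LICENSE_FILE] [USER_DATA_FILE]
# Pass "" for either input: the recipe allows a license-only or script-only drive.
stage_config_drive() {
    root=$1; lic=${2:-}; cfg=${3:-}
    [ -n "$lic" ] || [ -n "$cfg" ] || { echo "need a license or a script" >&2; return 1; }
    mkdir -p "$root/openstack/content" "$root/openstack/latest"
    if [ -n "$lic" ]; then
        # Assumption: a valid file carries both markers shown in the recipe's sample.
        { grep -q -- '-----BEGIN FGT VM LICENSE' "$lic" &&
          grep -q -- '-----END FGT VM LICENSE' "$lic"; } ||
            { echo "$lic: missing FGT VM license markers" >&2; return 1; }
        cp "$lic" "$root/openstack/content/0000"
    fi
    if [ -n "$cfg" ]; then
        cp "$cfg" "$root/openstack/latest/user_data"
    fi
}

# build_iso ROOT OUT_ISO: the recipe's xorriso call, plus a checksum so the file
# uploaded to the datastore can be compared with the one built here.
build_iso() {
    xorriso -as mkisofs -V config-2 -o "$2" "$1/"
    sha256sum "$2" > "$2.sha256"
}

# Demo on constructed inputs: placeholder license body, hypothetical file names.
demo() {
    work=$(mktemp -d)
    printf '%s\n' '-----BEGIN FGT VM LICENSE-----' 'PLACEHOLDER' \
        '-----END FGT VM LICENSE-----' > "$work/FGVM.lic"
    printf '%s\n' 'config system global' '    set hostname Example-Day0' 'end' \
        > "$work/day0.conf"
    stage_config_drive "$work/config-drive" "$work/FGVM.lic" "$work/day0.conf"
    if command -v xorriso >/dev/null 2>&1; then
        build_iso "$work/config-drive" "$work/Day0-CFG-Drive.iso"
    fi
    find "$work/config-drive" -type f | sort
}
demo
```

With umask 077 the resulting ISO is readable only by its owner, unlike the -rw-rw-r-- file in the listing above.
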
Now that the configuration drive has been created, the next steps are to place the ISO on our data store so we can use it to instantiate FortiGate VMs.   
Deploy the FortiGate VM using an OVF template.
We won’t get into the details of how to deploy an OVF template. Generally you’ll accept the EULA, define your storage policy along with the virtual disk format, and pick the network configuration. Once you reach the end of the OVF template deployment make sure to deselect Power on after deployment. This is so we can attach our config-drive ISO as a cdrom device before initial boot. 
 
Edit the virtual machine settings 
Add a new device: CD/DVD drive and make sure to select Connect at power on.
Then attach the Day0-CFG-Drive.iso ISO you created earlier. 
Complete your changes then navigate to the VM to boot it. 

4. Results

Upon booting the VM, go to the console to verify that the VM is booting and utilizing the license file and day zero configuration file that was provided. Follow the verification steps below:
Power on the VM. 
Go to the Console. Verify that you see the VM license install succeeded message and the subsequent reboot.
Upon completion of the boot sequence, you should notice that the FGT-VM hostname has changed to Example-Day0. Also notice that the license file has been verified and the license registration status has changed to VALID.
Upon login, running the get system status command shows that the license is valid.

Further, we see that the FortiGate-VM's port1, which was configured in DHCP mode, has received an IP from the DHCP server. We are also able to ping fortiguard.com from our newly booted VM.
Kerrie Newton

Project Management Specialist at Fortinet
You can provide only a license file or only a configuration script if you don't want to provide both.