Getting started with IBM Cloud Virtual FortiGate Security Appliance

IBM Cloud® Virtual FortiGate Security Appliance allows you to selectively route private and public network traffic through a full-featured, enterprise-level firewall that is powered by FortiOS software features and FortiGuard AI-powered Security Services.

These features include:

For a list of known limitations with IBM Cloud® Virtual FortiGate Security Appliance, see Known limitations.

Choosing a vFSA license

There are three license types available for your IBM Cloud® Virtual FortiGate Security Appliance:

  • Advanced Threat Protection (ATP)
  • Unified Threat Management (UTM)
  • Enterprise

Each license includes a different set of features and options, and the following table outlines the differences.

Table 1. vFSA License Entitlements
Each entry gives the license name, followed by the features and security services that the license enables.

Advanced Threat Protection (ATP)

  • Intrusion Prevention System (IPS)
  • Application control
  • Geo IP Updates
  • Device/OS Detection
  • IoT Mac Database
  • Trusted Certificate Database
  • Internet Service (SaaS) Database
  • DDNS (v4/v6)
  • Advanced Malware Protection (AMP)
  • Antivirus
  • Botnet
  • Mobile Malware
  • FortiGate Cloud Sandbox

Unified Threat Management (UTM)

  • All ATP Features/Security Services
  • Web Security
  • Web and Content Filtering
  • Secure DNS Filtering
  • Video Filtering
  • AntiSpam

Enterprise

  • All UTM Features/Security Services
  • IOT Query Service
  • OT Protocol Service
  • Security Fabric Rating and Compliance Monitoring
  • FortiConverter Service

You can specify your license type when you order your vFSA and can also change the license by using the Gateway Appliance Details page.

Ordering a vFSA

To order your IBM Cloud® Virtual FortiGate Security Appliance, follow these steps:

  1. From your browser, open the Gateway Appliances page and log in to your account.

    You can also get to the page by logging in to the IBM Cloud console and selecting Classic Infrastructure > Network > Gateway appliance. Alternatively, from the IBM Cloud catalog, select the Network category, then choose the Gateway Appliance tile.

  2. Choose Fortinet under Vendor.

  3. Choose either 7.4.3 (up to 1 Gbps) or 7.4.3 (up to 10 Gbps) under Version.

  4. Choose your license type from License: UTM License, Enterprise License, or ATP License.

    See the previous section for information on the features offered with each license.

  5. From the Gateway appliance section, enter your Hostname and Domain name information. These fields are already populated with default information, so ensure that the values are correct.

  6. Check the High Availability option if needed, then select a data center Location, and the specific Pod you want from the menu.

  7. From the Configuration section, choose your processor's RAM. You can also define an SSH key, if you want to use it to authenticate access to your new Gateway Ubuntu host.

    The appropriate processor is chosen for you based on the license version you selected in step 2. However, you can choose different RAM configurations.

  8. From the Storage disks section, choose the options that meet your storage requirements.

    RAID configurations are available for customizing storage performance, size, and data protection. RAID1 or RAID10 are recommended for a combination of data protection and performance. RAID0 provides the highest read/write performance with the least data protection. If you choose RAID0, ensure that you have a data backup plan, because a single disk failure requires a complete rebuild of the RAID with new disks and the rebuilding and reloading of the appliance.

    You can have up to four disks per vFSA. "Disk size" with a RAID configuration is the usable disk size, because every type of RAID other than RAID0 changes the amount of storage available.

  9. All settings in the Network interface section should be preselected and are not modifiable. The vFSA supports only redundant public and private interfaces with a port speed that matches the Version that is specified earlier in the order form. "Private only" network interfaces are not supported.

  10. Review your selections, check that you read the Third-Party Service Agreements, then click Create. The order is verified automatically.

After your order is approved, the provisioning of your IBM Cloud® Virtual FortiGate Security Appliance Gateway starts automatically. When the provisioning process is complete, the new vFSA appears in the Gateway Appliances list page. Click the gateway name to open the Gateway Details page. The IP addresses, login username, and password for the device appear.

After you order and configure your gateway from the IBM Cloud catalog, you must also log in to the device itself and configure it for your cloud environment. This includes VLAN interfaces, subnet gateway IP addresses, security policies, and any additional features that you require.
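
The device-side configuration described above could start from a FortiOS CLI fragment like the following. This is an added example, not part of the IBM documentation; the interface names (port1, port2), VLAN ID 1234, the 10.0.0.0/26 subnet, and the policy name are placeholders to replace with the values from your own account.

```fortios
# Added example. All names, IDs and addresses below are placeholders.

# VLAN subinterface that carries one routed VLAN and holds the
# subnet gateway IP address for that VLAN.
config system interface
    edit "vlan1234"
        set vdom "root"
        # Assumption: port2 is the parent interface that trunks the VLAN.
        set interface "port2"
        set vlanid 1234
        # Placeholder subnet gateway address and mask.
        set ip 10.0.0.1 255.255.255.192
        # Allow ping only; no HTTPS/SSH management access on this interface.
        set allowaccess ping
    next
end

# Security policy: permit only named services from the VLAN outbound,
# inspect the traffic with IPS (included in every license tier), and
# log every session.
config firewall policy
    edit 0
        set name "vlan1234-outbound"
        set srcintf "vlan1234"
        # Assumption: port1 is the outbound-facing interface.
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Named services only, rather than "ALL".
        set service "HTTPS" "DNS"
        set utm-status enable
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
```

Traffic that matches no policy is dropped by the implicit deny rule, so each additional flow needs its own explicit policy.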

Next steps

After your order is approved, the provisioning of your vFSA starts automatically. When the provisioning process is complete, the gateway appears in the Gateway Appliances list.

Click the gateway name to open the Gateway Details page. You find the IP addresses, login username, and passwords for the device.