■ Forcing FortiSandbox to start within roughly 4.8GB of free memory.

The FortiSandbox-VM edition does not include an evaluation license. Besides the FortiSandbox-VM evaluation license requested through a reseller, licenses for MS Windows XP or 7 (are they included in the evaluation package?) and Office 2010 or 2013 are also needed.

$ wget http://docs.fortinet.com/uploaded/files/2107/fortisandbox-vm-vmware-install-guide.pdf
$ pdftotext fortisandbox-vm-vmware-install-guide.pdf - | grep -A 2 ^IP.*license
IP information in the license file. If a new license has been imported or the FortiSandbox VM’s IP address has been changed, the FortiSandbox VM must be rebooted in order for the system to validate the change and operate with a valid license.

■ Free physical memory on the host OS is as follows.

$ free | awk '/^Mem/{print $3/1024/1024"GB"}'
4.87477GB

■ Extracting the OVF template zips

$ ls *.zip | awk -F\- '{print "mkdir "$1";cd "$1";unzip ../"$0";cd .."}' | sh
Archive:  ../FGT_VM64-v5-build0670-FORTINET.out.ovf.zip
  inflating: datadrive.vmdk
  inflating: FortiGate-VM64.ovf
  inflating: FortiGate-VM64.hw04.ovf
  inflating: FortiGate-VM64.hw07_vmxnet2.ovf
  inflating: FortiGate-VM64.hw07_vmxnet3.ovf
  inflating: fortios.vmdk
Archive:  ../FSA_VM-v200-build0042-FORTINET.out.ovf.zip
  inflating: datadrive.vmdk
  inflating: FortiSandbox-VM.ovf
  inflating: fsa.vmdk

■ FortiGate-VM memory cannot be reduced. FortiAnalyzer-VM (x86) memory goes from 2GB to 512MB, FortiSandbox-VM (x64) memory from 8GB to 3GB. Expected total memory use is 4.5GB.

$ sed -i -e 's/2048/512/g' FAZ_VM64/FortiAnalyzer-VM64.ovf
$ sed -i 's/8192/3072/g' FSA_VM/FortiSandbox-VM.ovf

■ Fixing mistakes in the OVF template descriptors

$ sed -i -e 's/VirtualSCSI/lsilogic/g' FAZ_VM64/FortiAnalyzer-VM64.ovf
$ sed -i -e 's/vmkernel5Guest/other26xLinuxGuest/g' FSA_VM/FortiSandbox-VM.ovf

■ Converting OVF to VMX

$ echo */ | tr ' ' '\n' | awk -F\/ '{print "test -d "$1"_VMX || mkdir "$1"_VMX;cp "$1"/*.vmdk "$1"_VMX"}' | sh
$ ls */*VM.ovf */*64.ovf | awk -F\. '{print "ovftool --skipManifestGeneration --acceptAllEulas "$0" "$1".vmx"}' | \
  sed -e 's%/[A-z0-9\-]*.vmx%_VMX&%g' | sh
Opening OVF source: FAZ_VM64/FortiAnalyzer-VM64.ovf
Opening VMX target: FAZ_VM64_VMX/FortiAnalyzer-VM64.vmx
Writing VMX file: FAZ_VM64_VMX/FortiAnalyzer-VM64.vmx
Transfer Completed
Warning:
 - No manifest file found.
 - Wrong file size specified in OVF descriptor for 'datadrive.vmdk' (specified: 75264, actual 10551808).
 - No manifest entry found for: 'faz.vmdk'.
 - No manifest entry found for: 'datadrive.vmdk'.
Completed successfully
Opening OVF source: FGT_VM64/FortiGate-VM64.ovf
Opening VMX target: FGT_VM64_VMX/FortiGate-VM64.vmx
Writing VMX file: FGT_VM64_VMX/FortiGate-VM64.vmx
Transfer Completed
Warning:
 - No manifest file found.
 - No manifest entry found for: 'fortios.vmdk'.
 - No manifest entry found for: 'datadrive.vmdk'.
Completed successfully
Opening OVF source: FSA_VM/FortiSandbox-VM.ovf
Opening VMX target: FSA_VM_VMX/FortiSandbox-VM.vmx
Writing VMX file: FSA_VM_VMX/FortiSandbox-VM.vmx
Transfer Completed
Warning:
 - No manifest file found.
 - Wrong file size specified in OVF descriptor for 'fsa.vmdk' (specified: 1073741824, actual 104059392).
 - No manifest entry found for: 'fsa.vmdk'.
 - No manifest entry found for: 'datadrive.vmdk'.
Completed successfully

■ FortiGate gets 3 NICs, FortiAnalyzer 2 NICs and FortiSandbox 4 NICs, 9 NICs in total.

$ sed -i -e 's/ethernet[3-9]/#&/' FGT_VM64_VMX/FortiGate-VM*.vmx
$ sed -i -e 's/ethernet[2-9]/#&/' FAZ_VM64_VMX/FortiAnalyzer-VM64.vmx
$ sed -i -e 's/ethernet[5-9]/#&/g' FSA_VM_VMX/FortiSandbox-VM.vmx

■ The internal network is bridged, the DMZ is vmnet1 and the external network is vmnet8.

$ netstat -i | awk '/^[ev]/{print "ip a list "$1}' | sh | \
  awk '/^[0-9]/ || /inet /{print $2}' | tr -d '\n' | sed -e 's%/[0-9]*%&\n%g'
eth0:172.31.31.90/24
vmnet1:172.16.76.1/24
vmnet8:192.168.152.1/24

■ Starting the VMs with VMware Player

$ ls */*.vmx | awk '{print "vmrun -T player start "$0}' | sh

■ Common settings for FortiGate-VM and FortiAnalyzer-VM

config system global
    set timezone 60
    set language japanese
end

■ FortiGate-VM settings

execute formatlogdisk
config system interface
    edit "port1"
        set ip 172.31.31.11 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
    next
    edit "port2"
        set ip 172.16.76.11 255.255.255.0
    next
    edit "port3"
        set ip 192.168.152.11 255.255.255.0
    next
    edit "port4"
        set status down
    next
    edit "port5"
        set status down
    next
    edit "port6"
        set status down
    next
    edit "port7"
        set status down
    next
    edit "port8"
        set status down
    next
    edit "port9"
        set status down
    next
    edit "port10"
        set status down
    next
end
config router static
    edit 0
        set dst 172.31.31.0 255.255.255.0
        set gateway 172.31.31.254
        set device port1
    next
    edit 0
        set device port3
        set gateway 192.168.152.254
    next
end
config log fortianalyzer setting
    set status enable
    set server 172.31.31.12
    set source-ip 172.31.31.11
    set upload-option realtime
end

■ FortiAnalyzer settings

After applying the following, connect via the GUI and register the unregistered devices.

config system interface
    edit "port1"
        set ip 172.31.31.12 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
    next
    edit "port2"
        set status down
    next
    edit "port3"
        set status down
    next
    edit "port4"
        set status down
    next
end
config system route
    edit 0
        set dst 172.31.31.0 255.255.255.0
        set gateway 172.31.31.254
        set device port1
    next
end

■ FortiSandbox settings

Apply the following and then connect via the GUI; in fact, many items seem to be configurable only from the GUI. Note that in "v2.02,build0042 (GA)" I could not find where to switch the language to Japanese.

> set port1-ip 172.31.31.13/255.255.255.0
> set default-gw 172.31.31.254

■ Minimal settings to connect FortiGate to the Sandbox

config system fortisandbox
    set status enable
    set server 172.31.31.13
end
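The OVF descriptor edits above (memory 8192 to 3072, VirtualSCSI to lsilogic, vmkernel5Guest to other26xLinuxGuest) are blanket sed substitutions, so every occurrence of the number in the file is rewritten. As an added example that is not part of the original post, the following Python makes the same three edits through the OVF XML structure on a constructed stand-in descriptor (not the real FortiSandbox-VM.ovf), and shows that a disk capacity which also happens to read 8192 is left untouched where `s/8192/3072/g` would have changed it.

```python
import xml.etree.ElementTree as ET
# Namespaces used by VMware-generated OVF descriptors (CIM RASD for the hardware items).
NS = {
    "ovf": "http://schemas.dmtf.org/ovf/envelope/1",
    "rasd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData",
    "vmw": "http://www.vmware.com/schema/ovf",
}
for prefix, uri in NS.items():  # keep the original prefixes when serialising
    ET.register_namespace(prefix, uri)

# Constructed stand-in for FortiSandbox-VM.ovf: 8192 MB memory, VirtualSCSI, vmkernel5Guest, and a disk whose capacity also reads 8192.
SAMPLE_OVF = """<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
 xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
 xmlns:vmw="http://www.vmware.com/schema/ovf">
 <DiskSection><Disk ovf:diskId="fsa" ovf:capacity="8192" ovf:capacityAllocationUnits="byte * 2^20"/></DiskSection>
 <VirtualSystem ovf:id="FortiSandbox-VM">
  <OperatingSystemSection ovf:id="101" vmw:osType="vmkernel5Guest"/>
  <VirtualHardwareSection>
   <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:VirtualQuantity>8192</rasd:VirtualQuantity></Item>
   <Item><rasd:ResourceType>6</rasd:ResourceType><rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType></Item>
  </VirtualHardwareSection>
 </VirtualSystem>
</Envelope>"""

def adjust_ovf(xml_text, memory_mb, os_type=None, scsi_subtype=None):
    """Edit only the memory item (CIM ResourceType 4), the SCSI HBA subtype (type 6) and vmw:osType; return (new_xml, {field: (old, new)})."""
    root = ET.fromstring(xml_text)
    changes = {}
    for item in root.iterfind(".//ovf:VirtualHardwareSection/ovf:Item", NS):
        rtype = item.findtext("rasd:ResourceType", namespaces=NS)
        if rtype == "4":
            qty = item.find("rasd:VirtualQuantity", NS)
            changes["memory_mb"] = (qty.text, str(memory_mb))
            qty.text = str(memory_mb)
        elif rtype == "6" and scsi_subtype:
            sub = item.find("rasd:ResourceSubType", NS)
            changes["scsi"] = (sub.text, scsi_subtype)
            sub.text = scsi_subtype
    if os_type:
        os_sec = root.find(".//ovf:OperatingSystemSection", NS)
        key = "{%s}osType" % NS["vmw"]
        changes["os_type"] = (os_sec.get(key), os_type)
        os_sec.set(key, os_type)
    return ET.tostring(root, encoding="unicode"), changes

def disk_capacity(xml_text):
    """Capacity of the first <Disk>: shows what a blind s/8192/3072/g would also have changed."""
    disk = ET.fromstring(xml_text).find(".//ovf:DiskSection/ovf:Disk", NS)
    return disk.get("{%s}capacity" % NS["ovf"])
```

The returned `changes` dictionary lists each old/new pair, so the edit can be reviewed before the descriptor is handed to ovftool.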