FortiDDoS Cloud Monitoring Agent VM Install Guide 5.0.0

FortiDDoS Cloud Monitoring Agent VM Install Guide 5.0.0

FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ FORTIGATE COOKBOOK http://cookbook.fortinet.com FORTINET TRAINING SERVICES http://www.fortinet.com/training FORTIGUARD CENTER http://www.fortiguard.com END USER LICENSE AGREEMENT http://www.fortinet.com/doc/legal/eula.pdf FEEDBACK Email: techdocs@fortinet.com Wednesday, June 08, 2016 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide Revision 1

TABLE OF CONTENTS Overview 4 Network environment 4 Features and benefits 5 FDD Cloud Agent VM configuration workflow 6 About this document 7 Scope 7 Conventions 7 IP addresses 7 Typographical conventions 8 Command syntax conventions 9 System requirements 12 Creating an account 13 Downloading and installing VMware vsphere Client 16 Downloading and extracting FDD Cloud Agent VM 19 Deploying a virtual appliance 21 Configuring VM network settings 28 Testing VM network connection 30 Registering FDD Cloud Agent VM 30 Activating your VM 31

Overview Network environment Overview Welcome, and thank you for selecting Fortinet products for your network! FortiDDoS Cloud Monitoring Agent VM (FDD Cloud Agent VM hereafter) is a virtual appliance, which works in tandem with FortiDDoS Cloud Monitor to provide supplemental health check services. With FDD Cloud Agent VM, we at Fortinet are enabling our customers to scale their cloud monitoring infrastructure based on their business needs, in addition to providing them with state-of-the-art cloud monitoring sites across the globe. This document describes the installation, configuration, testing, and activation of FDD Cloud Agent VM. You must have a FortiDDoS Cloud Monitoring contract and a valid user account to take advantage of FDD Cloud Agent VM.. Network environment FDD Cloud Agent VM must be deployed in a virtual machine environment. This current release supports VMware vsphere only. FDD Cloud Agent VM network topology Once the virtual appliance is deployed, you can configure FortiDDoS Cloud Agent VM via its CLI or web UI from your management computer. Keep in mind that FDD Cloud Agent VM requires live Internet connectivity to operate and does not work in closed lab environments. In order to communicate with FortiDDoS Cloud Monitoring servers and perform Health Checks, the ideal deployment should be in a DMZ or dedicated subnet that has outgoing access, allowing FDD Cloud Agent VM to connect to any port on any host on the Internet. This is because FDD Cloud Agent VM can monitor custom 4 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Features and benefits Overview configurations that use arbitrary ports for monitored protocols. If FDD Cloud Agent VM is positioned behind a firewall, the firewall may need to be custom-configured in a way that it does not interfere with the health check or reporting functions. FDD Cloud Agent VM uses the SSL protocol to communicate with FortiDDoS Cloud Monitoring servers via TCP Port 80/443. It may also use other ports and protocols, depending on your specific network configuration. Features and benefits FortiDDoS Cloud Monitoring consists of three components as defined below: Network Resources A Network Resource is a host/port/protocol entity on the network. It can be a server or any device that responds to a Health Check. Monitoring Points A Monitoring Point is a monitoring site. FortiDDoS Cloud Monitoring offers up to 10 Cloud Monitoring Points for any contract level. Some contract levels also support a certain number of FDD Cloud Agent VMs to deploy as private monitoring points. These private monitoring points can perform local monitoring of datacenter servers, remote branch monitoring of central or cloud services, or remote geography monitoring of datacenter servers to understand your customers' experience from those geographies to your services. Health Check A Health Check is an IP test directed to Network Resources from Monitoring Points based on DNS Queries, Pings, TCP Connections, or HTTP/HTTPS Requests (default). The number of Health Checks you have available for definition and use is dependent on the level of your FortiDDoS Cloud Monitoring contract. The same Health Check can be delivered from any or all allowed Monitoring Points. Based on the Health Checks from the various cloud and private monitoring points, FortiDDoS Cloud Monitoring collects and displays statistics for the Network Resources. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 5

Overview FDD Cloud Agent VM configuration workflow FDD Cloud Agent VM configuration workflow The following diagram highlights the workflow for configuring FDD Cloud Agent VM. 6 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

About this document Scope About this document Scope This document discusses how to deploy the FDD Cloud Agent VM virtual appliance as an OVF template onto a virtualization server, and how to configure the settings of the virtual appliance. It assumes that a virtualization server has already been successfully installed on the physical machine. This document does NOT cover the initial configuration of the virtual appliance itself or its ongoing use and maintenance. Conventions This document uses the conventions described below. IP addresses To avoid IP conflicts that would occur if you used examples in this document with public IP addresses that belong to a real organization, the IP addresses used in this document are fictitious. They belong to the private IP address ranges defined in the following RFCs: RFC 1918: Address Allocation for Private Internets http://ietf.org/rfc/rfc1918.txt?number-1918 RFC 5737: IPv4 Address Blocks Reserved for Documentation http://tools.ietf.org/html/rfc5737 RFC 3849: IPv6 Address Prefix Reserved for Documentation http://tools.ietf.org/html/rfc3849 For example, even though a real network s Internet-facing IP address would be routable on the public Internet, in this document s examples, the IP address would be shown as a non-internet-routable IP such as 10.0.0.1, 192.168.0.1, or 172.16.0.1. Cautions, notes, & tips This document uses the following guidance and styles for notes, tips and cautions. Warns you about procedures or feature behaviors that could have unexpected or undesirable results, including loss of data or damage to equipment. 7 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Typographical conventions About this document Highlights important, possibly unexpected but non-destructive, details about a feature s behavior. Presents best practices, troubleshooting, performance tips, or alternative methods. Typographical conventions Typographical conventions in this document Convention Button, menu, text box, field, or checkbox label CLI input CLI output Emphasis File content Hyperlink Keyboard entry Navigation Publication Example From Minimum log level, select Notification. config system dns set primary <address_ipv4> end FGT-602803030703 # get system settings comments : (null) opmode : nat HTTP connections are not secure and can be intercepted by a third party. <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</h4></body></html> https://support.fortinet.com Type the IP address or domain name of an NTP server or pool, such as pool.ntp.org. Go to System > Status > Status. For details, see the FortiADC Handbook. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 8

About this document Typographical conventions Command syntax conventions The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands. Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input. Command syntax notation Convention Square brackets [ ] Example A non-required (optional) word or words. For example: [verbose {1 2 3}] indicates that you may either omit or type both the verbose word and its accompanying option, such as: verbose 3 Curly braces { } A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ]. Options delimited by vertical bars Options delimited by spaces Mutually exclusive options. For example: {enable disable} indicates that you must enter either enable or disable, but must not enter both. Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type: ping https snmp ssh If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted. 9 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Typographical conventions About this document Convention Angle brackets < > Example A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example: <retries_int> indicates that you should enter a number of retries, such as 5. Data types include: <xxx_name> A name referring to another part of the configuration, such as policy_a. <xxx_index> An index number referring to another part of the configuration, such as 0 for the first static route. <xxx_pattern> A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all e-mail addresses ending in @example.com. <xxx_fqdn> A fully qualified domain name (FQDN), such as mail.example.com. <xxx_email> An email address, such as admin@mail.example.com. <xxx_url> A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/. <xxx_ipv4> An IPv4 address, such as 192.168.1.99. <xxx_v4mask> A dotted decimal IPv4 netmask, such as 255.255.255.0. <xxx_ipv4mask> A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0. <xxx_ipv4/mask> A dotted decimal IPv4 address and CIDRnotation netmask separated by a slash, such as such as 192.168.1.99/24. <xxx_ipv6> A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234. <xxx_v6mask> An IPv6 netmask, such as /96. <xxx_ipv6mask> An IPv6 address and netmask separated by a space. <xxx_str> A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See the FortiADC Handbook. <xxx_int> An integer number that is not another data type, such as 15 for the number of minutes. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 10

About this document Typographical conventions See also Typographical conventions IP addresses 11 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

System requirements System requirements Before you can install FDD Cloud Agent VM, you must first have virtual machine (VM) environment software (a hardware abstraction layer (HAL) that is sometimes called a hypervisor) on your server. FDD Cloud Agent VM is a virtual appliance that runs inside that environment. Supported hypervisor versions include: VMware vsphere ESXi 5.0/5.1 VMware vsphere Hypervisor 5.0/5.1 For best performance, install FDD Cloud Agent VM on a bare metal hypervisor, such as VMware ESXi. Hypervisors that are installed as applications on top of a general purpose operating system (Windows, Mac OS X or Linux) host will have fewer computing resources available due to the host OS s own overhead. For installation instructions, see the documentation for your VM environment, such as: http://www.vmware.com/products/esxi http://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_e_vc41.html Hardware-assisted virtualization (VT) must be enabled in the BIOS. You must also have the VM environment client, such as VMware vsphere Client, installed on a management computer. A management computer is a desktop or a laptop that you will use to deploy and manage your virtual machines. 12 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Creating an account Creating an account All FortiDDoS Cloud Monitor user accounts are handled by FortiDDoS Cloud Monitoring Service. You must have a valid user account on FortiDDoS Cloud Monitoring Service in order to use FDD Cloud Agent VM. The following instructions show how to create your account on FortiDDoS Cloud Monitoring Service. To create a user account 1. From your management computer, open a web browser. 2. Type in the URL https://cm.fortiddos.com/cm, and press Enter on your keyboard. The FortiDDoS Cloud Monitor web page opens. 3. Click Try for FREE. The FortiDDoS Cloud Monitoring sign-up page opens. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 13

Creating an account 4. Be sure to fill out all fields on the page, and click Get Free Access. The FortiDDoS Cloud Monitoring Signup Complete page opens, as illustrated below. 14 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Creating an account 5. Read the instructions and information on the page. 6. Open the email account you've provided to retrieve your FortiDDoS Cloud Monitoring Service User Account Activation notice, which is similar to the message below. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 15

Downloading and installing VMware vsphere Client 7. Click the URL in the body of the email. The Set Password page opens, as illustrated below. 8. Enter and confirm your password, and click Set Password. The FortiDDoS Cloud Monitoring Service Login page opens. 9. Use your email address and new password to log in. Downloading and installing VMware vsphere Client To take advantage of FDD Cloud Agent VM, you must meet the following two requirements: 16 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Downloading and installing VMware vsphere Client Have VMware vcenter Server or host in your network environment Have VMware vsphere Client installed on your management computer The following instructions show how to download and install VMware vsphere Client on your management computer in case you need to. The instructions assume that you already have a VMware ESX/ESXi Server in your environment. A VMware vcenter Server component, vsphere Client is a Windows application for configuring the VMware host and managing its virtual machines (VMs). You can download vsphere Client from any host. In order to download vsphere Client, you must meet the following three prerequisites: The URL of the VMware vcenter Server, which is the server's IP address or host name Administrator privilege on the management computer A live Internet connection To download and install VMware vsphere Client 1. From your management computer, open a web browser. 2. Type in the URL or IP address of the VMware vcenter Server or host, e.g., https://test.qa.com or https://xx.xxx.xx.xxx, and press Enter on your keyboard. The VMware ESXi Welcome page opens, as illustrated below. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 17

Downloading and installing VMware vsphere Client 3. Under Getting Started, click Download vsphere Client. The download starts. 4. Upon completion of the download, click the downloaded VMware-vclient-all-...exe file to start installing vsphere Client. 5. Follow the prompts to complete the installation. 18 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Downloading and extracting FDD Cloud Agent VM Downloading and extracting FDD Cloud Agent VM Once you have set up a valid user account on FortiDDoS Cloud Monitoring Service, the next step is to log into your account on FortiDDoS Cloud Monitor web UI where you can download FDD Cloud Agent VM software and install it on your management computer. To download and install FortiDDoS Cloud Monitor Agent 1. From your management computer, open a web browser. 2. Type https://cm.fortiddos.com/, and click Enter on your keyboard. The FortiDDoS Cloud Monitor web UI opens. 3. From the top of the page, click Log In. The FortiDDoS Cloud Monitor Login page opens. 4. Enter your email address and password, and click Login. The FortiDDoS Cloud Monitor Dashboard page opens, as illustrated below. 5. From the top of the page on the right, click Agents. The Registered Private Agents page opens. 6. From the left-side menu, click Download. The FortiDDoS Cloud Monitoring VM Packages (Private Agent) page opens, showing a list of files. See the illustration below. 19 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Downloading and extracting FDD Cloud Agent VM 7. Click the file named "fddcmagent-5.x.x-ovf.zip". The download starts, as indicated in the lower-left corner of the page. 8. Upon completion of the download, click the downloaded zip file to open it. The zip file opens, showing the file, "image-esx-64", as illustrated below. 9. Select the file and click Extract. The illustration below shows the FDD Cloud Agent VM software that has been downloaded and extracted. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 20

Deploying a virtual appliance Deploying a virtual appliance The FDD Cloud Agent VM software is delivered in Open Virtualization Format (OVF), an open standard for packaging and distributing software to be installed on virtual appliances. Before you can configure a FDD Cloud Agent VM, you must first use VMware vsphere Client to deploy the FDD Cloud Agent VM OVF package onto the VMware vcenter Server. To deploy a virtual appliance 1. On your management computer, start VMware vsphere Client. 2. In IP address / Name, type the IP address or FQDN of the VMware vcenter Server. 21 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Deploying a virtual appliance 3. In User name, type the name of your account on that server. 4. In Password, type the password for your account on that server. 5. Click Login. Once you have logged in, the vsphere Client window appears. 6. In the Inventory pane of the page, click Inventory to expand it. 7. Click File > Deploy OVF Template. The Deploy OVF Template window opens, as illustrated below. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 22

Deploying a virtual appliance 23 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Deploying a virtual appliance 8. Click Browse, and locate the FDD Cloud Agent VM OVF file, as illustrated below. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 24

Deploying a virtual appliance 9. Be sure to select the file FortiDDoS-vm-64-hw7, click Next, and then click another Next. The selected file now appears in the Deploy OVF Template window, as illustrated below. 10. In Name, type a unique descriptive name, e.g., FortiDDoS Cloud Monitoring Agent VM-VM1, for this instance of FDD Cloud Agent VM because it will appear in vsphere Client s inventory. (If you will deploy multiple instances of this file, consider a naming scheme that will make each VM s purpose or IP address easy to remember. This name will not be used as the host name, nor will it appear on the FDD Cloud Agent VM web UI.) Click Next. The Deploy OVF Template window now prompts you to choose a disk format, as illustrated below. 25 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Deploying a virtual appliance 11. Select Thin Provision, and click Next. The Deploy OVF Template window now prompts you to deploy the OVF file, as illustrated below. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 26

Deploying a virtual appliance 12. Check the Power on after deployment check box, and click Finish.The deployment of the VM starts. 13. Upon completion of the VM deployment, click Close. The wizard closes. The client connects to the VM environment and deploys the OVF to it. Time required depends on your computer s hardware speed and resource load, and also on the file size and speed of the network connection, but might take several minutes to complete. The vsphere Client window reappears. The navigation pane s list of virtual machines on the left now should include the newly deployed instance of FDD Cloud Agent VM. The storage repository can be either: Thin provisioned format Allocate more disk space on demand, if the storage repository uses a VMFS3 or newer file system. Thick provisioned format Immediately allocate disk space (specifically 32 GB) for the storage repository Regardless of your choice here, you must later either allocate or make available at least 40 GB of disk space. 30 GB is only the default minimum value, and is not recommended. 27 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Configuring VM network settings Configuring VM network settings Once a VM is deployed, you must log into the FDD Cloud Agent VM command line interface (CLI) via the console and configure its basic network settings. To configure the basic network settings in FDD Cloud Agent VM 1. On your management computer, start VMware vsphere Client. 2. Log into the vcenter Server. The vsphere Client window opens. 3. In the left pane, select the name of the virtual appliance, e.g., FortiDDoS Cloud Monitoring Agent VM-VM1, and click theconsole tab on the right. The VM's console opens. 4. At the login prompt, type: admin, and press the Enter key twice. (For initial login, no password is required.) See the illustration below. 5. Configure the IP address and netmask of the network interface named port1, or whichever network interface maps to the network physically connected to your management computer. Also configure a static route with the default gateway, and DNS settings (optional). Type: config system interface edit port1 set ip {<address_ipv4mask> <address_ipv6mask>} 28 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Configuring VM network settings end config system default-gateway edit 1 set gateway {<router_ipv4> <router_ipv6>} end config system dns set primary {<dns_ipv4> <dns_ipv6>} end where: {<address_ipv4mask> <address_ipv6mask> is either the IPv4 or IPv6 address and netmask assigned to the network interface, such as 192.168.1.99 255.255.255.0, or the correct IP will vary by your configuration of the vnetwork. {<router_ipv4> <router_ipv6>} is either the IPv4 or IPv6 address of the next hop router for port1 (or whichever network adapter packets should egress from by default) {<dns_ipv4> <dns_ipv6>} is either the IPv4 or IPv6 address of a DNS server (DNS configuration may be OPTIONAL, depending on your network environment.) You should now be able to connect via the network from your management computer to port1 of FortiDDoS Cloud Monitoring Agent VM using: a web browser for the web UI (e.g., If port1 has the IP address 192.168.1.1, go to https://192.168.1.1/) an SSH client for the CLI (e.g., If port1 has the IP address 192.168.1.1, connect to 192.168.1.1 on port 22.) If you cannot connect to the web UI via HTTPS, verify that your computer s time zone matches the appliance s configured system time. For more first-time connection troubleshooting or instructions on how to configure the time and time zone, see the FortiDDoS Handbook. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 29

Testing VM network connection Testing VM network connection Once you have completed the configuration of an FDD Cloud Agent VM's network settings, you must run a ping test to make sure that the settings are configured correctly. To test a VM's network configuration 1. Open the VM console. 2. Decide on a URL or IP address of a remote server you want to test again. 3. Run a ping test against the URL or IP address, as illustrated below. Registering FDD Cloud Agent VM After you have configured your FDD Cloud Agent VM's network settings, you must register it with the FortiDDoS Cloud Monitor API. The registration will assign an API key to the VM. To register with the FortiDDoS Cloud Monitor API 1. From your management computer, log into the CLI console. 2. Execute the following commands: config system registration set email {<email used to register with the Dashboard>} set password {<password used to register with the Dashboard>} end Once you have successfully registered your FDD Cloud Agent VM, you can activate it from the FortiDDoS Cloud Monitor Dashboard page. You can then view the API key from the VM's Web UI. 30 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Activating your VM Activating your VM Once your VM has been successfully configured and tested, the VM should appear on the Registered Private Agents page of the ForiDDoS Cloud Monitor Agent's web UI. By default, all newly configured VMs are in Test state. You must change them to Active state to use them. To change a VM from Test state to Active state 1. On your management computer, log onto the FortiDDoS Cloud Monitor web UI (https://cm.fortiddos.com). The FortiDDoS Cloud Monitor Dashboard page opens. 2. Click the Agents tab. The Registered Private Agents page opens, showing the newly configured VM in Test state. See illustration below. 3. Click the corresponding Edit button in the far-right of the row. The Private Agent Details page opens, as illustrated below. FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide 31

Activating your VM 4. Select the Active radio button, and click Save. The Private Agent Details page closes, and the Registered Private Agents page opens showing the VM in Active state. The VM now is ready to use. 32 FortiDDoS Cloud Monitoring Agent VM 5.0.0 Install Guide

Copyright (Undefined variable: FortinetVariables.Year) Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.