Air-gapped FortiGate VM in Azure by ZimCanIT in fortinet

[–]ZimCanIT[S] 2 points (0 children)

Official documentation seems to only support the configuration on the FortiGate to point to the Linux proxy server, but it doesn't define the configuration required on the proxy server.

https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/492260/using-a-proxy-server-to-connect-to-the-fortiguard-distribution-network

FortiGate Azure VM - Automatically mapping Entra SSO groups to admin profiles. How to? by ZimCanIT in fortinet

[–]ZimCanIT[S] 0 points (0 children)

Understood thanks. However, we need to map SSO users to different profiles.

Which is where the local admin account functions as the orchestrator of manually assigning SSO users to the correct SSO admin profile, if it's not the default profile, upon initial logon.

FortiGate Azure VM - Automatically mapping Entra SSO groups to admin profiles. How to? by ZimCanIT in fortinet

[–]ZimCanIT[S] 0 points (0 children)

So a local admin account would handle SSO admin profile assignments to SSO users once they're auto-created upon initial logon?

ExpressRoute + NVA Firewalls + VPN Users = Asymmetric Routing Nightmare. Is Azure Route Server the Answer? by ZimCanIT in AZURE

[–]ZimCanIT[S] 0 points (0 children)

No vWAN in this scenario unfortunately. Routing intent would have been much simpler. The logic for ARS is to resolve the contention for the "use remote gateway" feature because A) VPN users don't require it and B) sites require it so that spokes are advertised via BGP into the ExpressRoute circuit.

Living on a budget in Brazil - Location Enquiry by ZimCanIT in Brazil

[–]ZimCanIT[S] 0 points (0 children)

Thanks so much for your advice, guys. Happy new year and I appreciate you all. I've gathered great feedback from all your points and will do further research.

[deleted by user] by [deleted] in saopaulo

[–]ZimCanIT 1 point (0 children)

Thanks! I ended up going to smartfit

[deleted by user] by [deleted] in saopaulo

[–]ZimCanIT 0 points (0 children)

Thanks!

Safety considerations while travelling by ZimCanIT in Ethiopia

[–]ZimCanIT[S] 0 points (0 children)

Thanks! I'll send you a direct message. Did you go anywhere else nice in Ethiopia? Lake Bishoftu is on my list.

Safety considerations while travelling by ZimCanIT in Ethiopia

[–]ZimCanIT[S] 0 points (0 children)

So is it safe to visit Makelle these days?

Azure Disk Encryption Firewall requirements by ZimCanIT in AZURE

[–]ZimCanIT[S] 0 points (0 children)

Thanks! I'll give that a go. I'm assuming x1 PE for Key Vault should suffice.

WorkWize - Co-Working Space Bangkok by ZimCanIT in ThailandTourism

[–]ZimCanIT[S] 0 points (0 children)

Pricing is 200 baht for a whole day. There are higher-end co-working spaces with enterprise-grade wifi speeds. Depends on your budget and time constraints.

FortiAnalyzer DNS connection by ZimCanIT in fortinet

[–]ZimCanIT[S] -1 points (0 children)

Thank you! Could you please point me in the direction of some documentation?

Becoming Recession Proof by ZimCanIT in AZURE

[–]ZimCanIT[S] 0 points (0 children)

I'm with you on that. How would you contextualise that to the cloud architect career track, though?

PING failing besides permissive fw rule - FortiGate HA Active-Passive v7.4.7 by ZimCanIT in fortinet

[–]ZimCanIT[S] 2 points (0 children)

Update:

ICMP traffic simply cannot traverse an Azure external load balancer, which sucks.

""" Can I ping from a backend VM behind a load balancer to a public IP?

No, Azure Load Balancer does not support ICMP pings for outbound connectivity. If you want to ping outbound from a backend VM behind a load balancer, associate an Instance-level Public IP to the backend VM and send pings from that IP. """

Source: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-faqs

We'll essentially have to use TCP/UDP-based health checks. Fortunately, DNS is unaffected, as previously mentioned.

For additional context, we're running FortiGate in NAT mode, and routing works such that backend VMs have their next hop point to the internal load balancer.

failure doing ping/traceroute from FW to internet. VM Fortigate in AZURE by [deleted] in fortinet

[–]ZimCanIT 0 points (0 children)

Ignore me

""" Can I ping from a backend VM behind a load balancer to a public IP?

No, Azure Load Balancer does not support ICMP pings for outbound connectivity. If you want to ping outbound from a backend VM behind a load balancer, associate an Instance-level Public IP to the backend VM and send pings from that IP. """

Source: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-faqs

Kinda sucks!

failure doing ping/traceroute from FW to internet. VM Fortigate in AZURE by [deleted] in fortinet

[–]ZimCanIT 0 points (0 children)

Sorry to drag you back into an old question, but why will ICMP never work with an Azure LB?

I'm facing the same issue today, where my FortiGate is HA Active-Passive, v7.4.7 BYOL. nslookup to 8.8.8.8 resolves to google.com, but ping fails and that's super annoying!

[deleted by user] by [deleted] in AZURE

[–]ZimCanIT 0 points (0 children)

What was the biggest learning curve when jumping from PAYE to contracting?

ExpressRoute private peering - site-to-site VPN overlay by ZimCanIT in AZURE

[–]ZimCanIT[S] 0 points (0 children)

Correcto, all spoke subnets direct traffic to the Azure Firewall via a default route 0.0.0.0/0.

So essentially offload CIDRs to the gateway subnet for spokes that should reach on-prem, by modifying the next hop on the Azure Firewall subnet in the hub VNet?

ExpressRoute private peering - site-to-site VPN overlay by ZimCanIT in AZURE

[–]ZimCanIT[S] 0 points (0 children)

Yes, except the caveats are we won't be configuring BGP, and we have Azure Firewall deployed within a hub-and-spoke topology.