Learning Modules

All about FortiFlex and FortiCloud Organizations

In the next 2 sections, we’ll cover the key features of FortiFlex and how FortiCloud Organizations enabled multitenancy/MSSP features for FortiFlex licensing

We’ll cover the following topics:

• FortiFlex features
• FortiFlex use cases
• FortiFlex API
• FortiCloud Organizations & IAM features
• MSSP features
• Tools and resources
• Integrations and Automations

Workshop Setup Guide

Prerequisites Checklist

Before starting the hands-on lab, ensure you have completed the following setup steps and have the necessary tools ready:

• Azure Portal Access: Valid Azure subscription credentials
• Fortinet Support Portal Account: Registered account with FortiFlex access
• Postman: Desktop application, Web Version, or Azure VM
• Web Browser: Chrome, Firefox, or Edge (latest version)
• Lab Environment Access: Resource group and permissions provided by instructor

Step 1: Azure Portal & Cloudshell Access

Use these steps to access your Azure Portal environment.

​

Azure Portal & Cloudshell Setup Verify Resource Group Open Cloud Shell Mount Storage Storage Account

Open a browser and access the following URL: https://portal.azure.com

Use the credentials provided in the email you got from fortinetsecdevops@gmail.com.

• Username: “flexxx@fortinetcloud.onmicrosoft.com”

1. Enter Temporary access credentials, and click Sign In

   

2. Click No on the ‘Stay signed in?’ prompt

3. Click Get started on the ‘Welcome to Microsoft Azure’ page.

4. Click Skip on the ‘How do you plan to use Azure’ page.

5. Click Skip on the ‘Now, let show you around Azure’ page.

• After login, you should see the Azure dashboard
• Locate your assigned resource group: flex[XX]

  

1. Click the Cloud Shell icon in the top navigation bar and Select Bash as the shell type

2. Wait for the Cloud Shell to initialize

• Next, you will see a “Getting started” page.

  • Select Mount Storage Account
  • Choose Internal-Training as the Storage account subscription
  • Click Apply

  

• On the Mount storage account screen

  • click Select existing storage account

  • click Next

    

• On the Select storage account screen (values in drop down)

  • choose Internal-Training as description

  • resource group will be [XX]flex-flex105-workshop where [XX] is your unique student number

  • storage account name will be “student number” followed by some random numbers and letters

  • File share will be cloudshellshare

  • Click Select

    

Step 2: Fortinet Support Portal Access

​

Fortinet Support Portal Login Steps FortiFlex Dashboard

Browse to the following URL: https://customersso1.fortinet.com/saml-idp/proxy/demo_sallam_okta/login/

Warning

Important: PLEASE URL EXACTLY AS ABOVE, ENDING WITH /. Do not use general Fortinet Support Portal URL.

Enter the credentials provided in the email you got from fortinetsecdevops@gmail.com

• Username: “flex[XX]@fortinetcloud.onmicrosoft.com”

• Temporary Access Password: “[TemporaryPassword]”

• You can choose No to “stay Signed In”

• You may have to click “Login” at the SAML Login Portal

From the FortiCloud Main Portal, look for “FortiFlex” in the main navigation menu

• Click to enter the FortiFlex dashboard

Step 3: Postman Options

We will be using an existing Postman Collection to interact with the FortiFlex API

1. Postman desktop application will provide the best user experience and is a great tool for working with API’s
2. If you can’t install the Desktop client for some reason, you can use Postman’s web version requiring a login (you can use your personal email)
3. If you’d prefer not creating a Postman login, you can create an Azure VM with Postman pre-installed, and import the

Installing Postman

Option 1: Desktop Application (Recommended) 👈

1. Download from https://www.postman.com/downloads/
2. Install following the standard process for your operating system
3. Create a free Postman account when prompted

Option 2: Web Version

1. Go to https://web.postman.co/
2. Sign in with your Google or create a Postman account

Setup Complete? Let’s address some common questions before diving into the lab.

Frequently Asked Questions

General FortiFlex Questions

Q: What’s the difference between FortiFlex and traditional Fortinet licensing?

A: Traditional licensing requires purchasing fixed-term licenses upfront (typically 1-3 years) for specific capacities. FortiFlex uses a usage-based model where you:

• Pay only for actual consumption (daily billing)
• Scale resources up/down automatically
• Provision instantly without procurement delays
• Get consolidated billing across all Fortinet products

Q: How does FortiFlex pricing work?

A: FortiFlex uses a “points” system:

• Different VM sizes consume different points
• Example: FortiGate Enterprice Service Bundle 2-vCPU = 6.39 points/day, 4-vCPU = 12.91 points/day
• For Enterprise customers, Points are purchased in advance and consumed as resources run
• For MSSP Customers with special agreements, Points are post-paid,
• Detailed differences in the programs can be found here
• Detailed pricing available in the FortiFlex portal under “Pricing Calculator”

Q: Can I use FortiFlex for on-premises deployments?

A: FortiFlex licensing works on VM’s, Hardware Services, Cloud/SaaS

• FortiGate VMs in the cloud or on Prem.
• Hardware Services
• Cloud/SaaS Services

Q: Does FortiFlex Points Consumption Stop if my VM/Service stops?

A: No, there is currently no inherrent link between individual services and Fortinet Entitlements. If the Entitlement is active, it will incure FortiFlex Point deductions, regardless of the VM/service state

• Customers can setup triggers and automated actions using the FortiFlex API, FortiGate Automation Stitches, and automation platforms of their choice to monitor instance state and trigger FortiFlex Entitlement stop/reactivate

Technical Questions

Q: What happens if I run out of FortiFlex points?

A: When points are low:

1. You’ll receive email notifications at 80% and 90% consumption
2. At 100% consumption, new entitlements cannot be created
3. Existing entitlements continue running but accrue overage charges
4. You can purchase additional points anytime through the portal

Q: How quickly can I provision a new FortiGate?

A: With FortiFlex:

• Manual provisioning: 5-10 minutes through WebUI
• API provisioning: 1-3 minutes with automation
• Traditional licensing: 2-4 weeks for procurement + provisioning

Q: Can I change VM sizes after deployment?

A: Yes! This is a key FortiFlex advantage:

• Update the FortiFlex configuration which the entitlement is governed by (this will impact all entitlements for that configuration)
• Modify the VM size in your cloud provider (which will trigger a VM reboot)
• FortiFlex Licensing will automatically update License coverage
• FortiOS should automatically add the CPU’s after the resize reboot, but there are open bugs on this issue. You may need to add the CPUs or reboot the device again to get FortiOS to recognize the new CPU’s.
• Billing automatically adjusts to new point consumption

Q: How does FortiFlex integrate with Infrastructure-as-Code?

A: FortiFlex provides multiple automation options:

• REST API: Direct integration with Terraform, Ansible, etc.
• Terraform Provider: Native Fortinet provider for FortiFlex resources
• Ansible Collection: Playbook to interact FortiFlex
• CI/CD Pipelines: API calls in deployment workflows

Lab-Specific Questions

Q: Can I access my lab environment after the workshop?

A: Lab environments are temporary:

• Available during workshop + 24 hours for practice
• All Scripts used in the workshop are available at the course GitHub Repo

Q: What if my API calls aren’t working in Postman?

A: Common issues and solutions:

1. Authentication Error: Verify API key is correct in environment variables
2. 404 Errors: Check the base URL is set correctly
3. JSON Formatting: Use Postman’s JSON validator for request bodies

Q: How do I get production FortiFlex access for my organization?

A: To enable FortiFlex for production use:

1. Contact your Fortinet sales representative
2. Request FortiFlex access for your organization
3. Complete any required MSP/partner agreements
4. Purchase initial points allocation
5. Set up billing and payment methods

Best Practices Questions

Q: How should I organize FortiFlex configurations?

A: Recommended organization strategies:

• By Environment: dev-config, staging-config, prod-config
• By Customer: customer-a-config, customer-b-config (for MSPs)
• By Region: us-east-config, eu-west-config
• By Function: branch-office-config, datacenter-config

Q: What’s the best way to monitor FortiFlex costs?

A: Cost monitoring best practices:

1. Set up billing alerts at 75% and 90% of monthly budget
2. Regular usage reviews - weekly for active environments
3. Automated reporting - API calls to extract usage data
4. Tag entitlements with cost centers or customer codes
5. Schedule regular optimization reviews to identify unused resources

Q: Should I use separate FortiFlex accounts for different customers?

A: For MSPs, consider:

• Single Account: Easier management, consolidated billing, use tagging for separation
• Multiple Accounts: Complete isolation, individual customer billing, more complex management
• Hybrid Approach: Major customers get separate accounts, smaller customers share an account with tagging

Troubleshooting

Q: My FortiGate VM isn’t getting a license from FortiFlex

A: Check these items:

1. VM has internet connectivity to Fortinet licensing servers
2. Entitlement is in “Active” status in FortiFlex portal
3. Serial number matches between VM and entitlement
4. No firewall rules blocking licensing traffic (TCP 443 to *.fortinet.com)

Q: I’m getting “Insufficient Points” errors

A: Resolution steps:

1. Check current points balance in FortiFlex dashboard
2. Review active entitlements and their point consumption
3. Purchase additional points if needed
4. Consider stopping unused entitlements to free up points

Q: Can I migrate from traditional licenses to FortiFlex?

A: Migration options:

• New Deployments: Use FortiFlex for all new cloud deployments
• Existing VMs: Contact Fortinet support for migration assistance
• Hybrid Approach: Keep existing traditional licenses, use FortiFlex for new/scaled resources
• Contract Renewal: Consider FortiFlex when traditional licenses expire

Questions Answered? Time to get hands-on with FortiFlex!

Next: Hands-On Lab →

FortiFlex WebUI

In this section, you’ll learn how to manage FortiFlex entitlements through the FortiCloud web interface, providing a foundational understanding of FortFlex,

Step 1: Create a Configuration

Every FortiFlex subscription starts with a configuration. A configuration defines the product type, form factor, and service package for your FortiFlex subscription. You can create multiple configurations to manage different products or services.

​

Access FortiFlex Dashboard Create new Configuration Config Wizard Config Details Config Review & Submit Config Success

Start from the FortiCloud Dashboard

• Click on “Services”, then “FortiFlex” in the navigation menu

  

Navigate to Configurations

• In the FortiFlex dashboard, click “Configurations”

• You should see an empty list or existing lab configurations

  

• Click the + New Configuration button

You’ll see the configuration wizard. Enter details as follows:

• Name: XPerts25-FGT-VM (or any name you prefer)
• Select Form Factor: Virtual Machines
• Product Type: FortiGate Virtual Machine - Service Bundle
• Click Next

  

On the next screen, set the following details:

• Number of CPU’s: 2
• Service Package: UTP
• Leave Virtual domains set to 0
• Click Next

  

Review the details of your configuration and click Submit

You’ll see the config successfully created

Step 2: Create an Entitlement

Once you have a configuration, you can create entitlements. An entitlement is a license that allows you to use the product defined in your configuration.

​

Create Entitlement Entitlement Wizard Entitlement Review & Submit Entitlement Success License File Token

Navigate to the Flex Entitlements tab and click + New Entitlement

Fill in the following details in the entitlement wizard:

• Product Type: Select FortiGate Virtual Machine - Service Bundle
• Select the configuration you created above in Step 1 from the dropdown
• Click Next

  

Review the details of your entitlement and click Submit

You’ll see the entitlement successfully created. Serial Number for future reference.

Click on List to go back to the Entitlement Listing and retrieve the Entitlement Token

From the entitlement details page, copy the License File Token. You will need this token to activate your FortiGate VM in the next step.

Step 3: Create a FortiGate VM in Azure & License with Flex Entitlement

Now that you have an entitlement, you can assign it to your FortiGate VM in Azure. Login to the Azure portal and follow these steps:

​

Azure Marketplace Create FGT VM Assign Entitlement Review & Create Deploy in progress

Navigate into your Resource Group and click on the + Create located at the top left of the tool bar. You will be redirected to the Azure Marketplace.

In the Marketplace search bar, type: Fortinet FortiGate and then enter. Navigate to the Fortinet FortiGate Next-Generation Firewall offering from Fortinet and select Create and Single VM.

Tip

Recently the ordering of marketplace listings has changed, and the first one to pop up will likely be the PAYG Listing with a price starting at $0.36/ 1 year. THIS IS NOT WHAT YOU WANT TO SELECT. Make sure you find the listing which allows you to Create a single VM

You will be redirected to the Create Single VM template.

Warning

Make sure you select the BYOL (Bring Your Own License) option. This is important as it allows you to use your FortiFlex entitlement. When you click Create on the listing, you should see options for Active-Active, Active-Passive, and Single VM.

If you see anything referencing PAYG (Pay-As-You-Go), you are viewing the wrong listing.

1. Under the Basics tab, the Subscription and Resource Groups should already be filled in with your assigned info. If not, see the screen shot below for details.

Note

Use the **flexXX** username you've been assigned. Replace **[XX]** with your specific number.

• Under Instance details, select/enter the following:
  • Region: East US
  • FGT VM instance Architecture: ARM64
  • FortiGate administrative username: flex[XX]
  • FortiGate password/Confirm password: FortinetAzure2025!
  • Fortigate Name Prefix: flex[XX]
  • Resource Group: flex[XX]-flex104-workshop
• Select Next.

• In the Instance Details tab, scroll down to the License section, and check the box for Use FortiFlex Entitlement entering the License File Token you copied earlier.
• Then click Review + Create

Review all the settings in the Review + create tab. Ensure that everything is correct, especially the License File Token. Click on Create to deploy the FortiGate VM.

You’ll see the deployment in progress. This may take a few minutes. Once completed, you can navigate to the resource to manage your FortiGate VM.

Step 4: Verify the FortiGate VM Licensing

​

Access FortiGate VM FGT Web UI FGT License

From the Resource Group, click on the FortiGate VM you just created. Note the public IP address assigned to the VM. You can use this IP to access the FortiGate CLI or GUI.

Copy the Public IP address.

• In a new browser tab, enter the public IP address of the FortiGate VM in the address bar in the format: https://a.b.c.d

• Accept the security warnings for the unsigned Cert.

• You will be prompted to log in.

• Use the username and password you set during the VM creation (e.g., flex[XX] and FortinetAzure2025!).

  

  You may need to wade through some of the initial setup steps, but you can safely can skip or delay by choosing Later

You’ll see the FortiGate Status Dashboard where the License will show 2 vCPU. The SN will match the entitlement you created in FortiFlex.

Tip

FortiOS View Above and FortiFlex WebUI view Below.

You can also verify the license via CLI in FortiOS. get system status You will see the matching SN, with Valid License, and the number of vCPU’s allowedreflecting the assigned entitlement.

Step 5: Update the Flex Config & Entitlement to add Additional new vCPU count

Next, we’ll update the FortiFlex configuration to increase the licensed vCPU count.

​

Edit Configuration Change vCPUs Review & Submit

In the FortiFlex dashboard, navigate to the Configurations tab. Select the configuration you created earlier and click on the edit icon.

Click Next to continue past the product selection screen.

Update the number of CPU’s to 4 and click Next until you reach the review screen.

Click Submit to save the changes

You will see a warning message, and you should click to Confirm the changes.

The entitlement linked this configuration will automatically reflect the vCPU change.

Step 6: Double the vCPU on the Azure FortiGate VM

Now, we’ll change the VM size in Azure to double the vCPU from 2 to 4.

​

Resize the VM Verify CPU Count

Go to the VM Overview Page and then on left side click on Availability + scale and then Size. For simplicy and speed, we’re going to select the same Family and Options VM with 4CPU’s which is: D4ps_v6 and click “Resize”.

You’ll see a confirmation message that the resize is in progress. This may take a few minutes.

Proceed when you see the successful message

On the VM Overview Page, you can verify that the VM size has been updated to reflect the new vCPU count.

Step 7: Add the additional CPU’s to FortiGate

Finally, log back into the FortiGate VM WebUI to verify that the license now reflects the updated vCPU count, and add the additional CPU’s to the FortiGate configuration.

​

Access FortiGate VM FGT Web UI Add CPU’s to FGT

From the Resource Group, click on to the FortiGate VM you just created. Note the public IP address assigned to the VM. You can use this IP to access the FortiGate CLI or GUI.

Copy the Public IP address.

• In a new browser tab, enter the public IP address of the FortiGate VM in the address bar
• Accept the security warnings for the unsigned Cert.
• You will be prompted to log in.
  • Use the username and password you set during the VM creation (e.g., flexXX and FortinetAzure2025!).
  • You can skip the inital setup by choosing Later
  • You’ll see the FortiGate Status Dashboard where the License will show 2/4 Allocated vCPU
  • You can also verify the vCPU via CLI.
  • get system status
  • You will see 2/4 vCPU.

    

To add the additional CPU’s to the FortiGate configuration, open the system CLI and run the following commands:

exec cpu add 2

Then verify the CPU count again:

get system status

You should now see 4/4 vCPU allocated.

WebUI Quiz

FortiFlex API

In this section, you’ll learn about the building blocks of automating FortiFlex operations…the FortiFlex REST API

We’ll start by setting up Postman with our FortiFlex Collection, then create an API Key in FortiCloud, and finally use Postman to interact with the FortiFlex API.

Step 1: Import FortiFlex Postman Collection

The following steps should remain relatively consistent regardless of how you’re using Postman, so open Postman and proceed.

​

Import FortiFlex Postman Collection Postman Collection Variables Explore Collection Script

• In Postman, use an existing collection, or create a new one if you’d like
• click on File–>Import in the top left corner, or Import button in the top left of the collection
• On the import dialog, paste the following URL:
  • https://raw.githubusercontent.com/FortinetCloudCSE/fortiflexvm-api/refs/heads/main/api/Postman/v2/FortiCloud.postman_collection.json
• You should see the FortiCloud Collection appear in the left sidebar

• All variables used in the collection are stored at the highest level of the Collection (rather than in a seperate environment file)
• Click on Collection Title in the left sidebar, then click on the Variables tab
• You’ll see variables for the following

API Base URLs	BASE URLs for each of the specific Service Endpoints	pre-set
api_username	Used for Authentication	user-set
api_password	Used for Authentication	user-set
accountId	Specify the FortiCloud Account we’re targetting	user-set
programSerialNumber	Specifies the FortiFlex Program Serial Number	auto-set (overridable)
client_id	for authentication (only used to override the automated client_id in the script)	auto-set (overridable)
access_token	stores Bearer token returned from authentication request for each client_id/request	auto-set
expires_at	stores token expiration checked on each use to see if refresh needed	auto-set

Tip

In most situations, the only variables you’ll need to modify are the api_user, api_password, and accountId. You will notice the access_tokens populate as you launch different API requests

• We’ve set up the FortiCloud Postman collection to automate the authentication process and store the access token for use in subsequent requests
  • You can see the scripting used to fetch Bearer tokens by clicking on the Scripts tab at the top level of the Collection, and viewing the Pre-request Script
  • Pseudocode

    1. Grab the URL of the request, along with the API Username and Password
    2. Set the authentication client_id depending on the path in the URL
    3. If (No bearer token or it's already expired): get a new bearer token with api_username, api_password, and client_id
    4. Set the bearer token in the request header for the given request type

    

Step 2: API Authentication Setup

​

FortiCloud IAM Portal Create FortiFlex API Key API User API Credentials Postman Variables Verify Successful Auth

From the FortiCloud Portal, click on Services–>IAM

Click on Users (left nav menu) –> Add New –> API User

• Enter a description for the API User such as: flex[XX] where [XX] is your flex student number
• Choose the SysAdmin Permission Profile
• Click Next

• When the API User is created, you will see a message to download the credentials.
• Click to download, and enter a password to encrypt the file, such as FortiFlex2025!

• You’ll get a password-protected zip file with the API credentials. Open it using the same password you entered when downloading the file.
• The folder will contain a single text file with the apiId and password
• You’ll enter the apiId and password into a Postman Collection Variables the next step

Tip

Keep these API credentials handy as we’ll use them for the rest of the workshop!

• Back in Postman, enter the newly created apiId and password into the Postman Collection Variables
• Copy the apiId from the credentials text file into the api_user field
• Copy the password from the credentials text file into the api_password field

Tip

Postman recently released a newer version with changes to the way variables are stored. If you happen to have an older version showing Current and Initial values, Important: Make sure to use the Current value field, not the Initial value field. The Current value is what will be used when you send requests. Also if you see this, be sure to save your values

• From the top level FortiCloud Collection, open folder: FortiFlex V2.0–>Programs, and then POST Request: List
• Click the Send button

Tip

• Notice how the POST URL is constructed using the {{flexvm_base_url}} variable. This allows for an easy change to the entire collection if the baseURL ever changes
• After the POST returns, open the Variables in Request button on the top right and click to view All Variables
  • Notice how the programSerialNumber variable is populated with the value returned from our Post call!

• You should see a response with a 200 OK status and 2 different serialNumber in the response body

Congratulations, you’re now authenticated with the FortiFlex API!

Warning

If you get an error at this step, please double-check everything and-or check with the Workshop Instructor before proceeding!

Step 3: Basic List Actions

Let’s take a moment to understand FortiFlex API list actions

​

Configuration List Entitlement List

To view configurations

• In the Collection’s Configurations folder, open the Post/List request
  • Notice how the request URL is built with the Base URL Variable
  • Notice the Request Body requires a programSerialNumber, which is a variable already populated from our last request to list programs!
    • If yours isn’t populated for some reason, For this Workshop, we’re focusing on FortiFlex MSSP(postpaid), and the Program SN is: ELAVMS0000000518
  • Click Send
  • You should see a response with a 200 OK status and a list of configurations and their id in the response body

  

Next, we can retrieve a list of Entitlements by sending a request to the /entitlements/list endpoint.

• In the Collection’s Entitlements folder, open the Post List request
• Enter the configId returned from the previous request into the Body of the Get Entitlements request, and click Send

Step 4: Entitlement Management via API

Let’s look at modifying entitlements via the API

​

Stop Entitlement Reactivate Entitlement

• Open the Stop request from the Entitlements folder in the collection
• Under the Body tab, enter the serialNumber you got from the previous request
• Click Send to disable the entitlement
• You should see a response with a 200 OK status and the entitlement status updated to “STOPPED”
• You can verify this by sending the list request and checking the status, or by checking the WebUI

• Open the reactivate request from the Entitlements folder in the collection
• Under the Body tab, enter the serialNumber you got from the previous request
• Click Send to enable the entitlement
• You should see a response with a 200 OK status and the entitlement status updated to “ACTIVE”
• You can verify this by sending the list request and checking the status, or by checking the WebUI

Key Takeaways from API Basics

• Speed: API operations complete in seconds vs minutes for manual operations.
• Consistency: Automated processes eliminate human error and ensure standardization.
• Integration: APIs enable seamless integration with existing DevOps and FinOps workflows.
• Best Practices Learned:
  • Always validate API responses before proceeding to next steps
  • Use Collection variables for sensitive data like API keys, and to automate future steps

FortiFlex Integrations

Now that we understand the basic FortiFlex API building blocks underpining the service, let’s take a look at how we can automate our Security Operations using the FortiFlex API in different scenarios

In this section, we’ll explore how to automate FortiFlex operations using Terraform, take a peak at what an MSSP implementation for FortiFlex Might look like.

1. Terraform

Let’s take a peek at how we’d take advantage of the Terraform provider for FortiFlex to automate our infrastructure deployments! Under the covers, the Terraform FortiFlex Provider is using an implementation of the FortiFlex API to create, read, update, and delete Configurations and Entitlements!

git clone https://github.com/FortinetCloudCSE/PublicCloud105-FortiFlex.git
cd PublicCloud105-FortiFlex/terraform/azure
export ARM_SUBSCRIPTION_ID=$(az account show --query "id" -otsv)
echo $ARM_SUBSCRIPTION_ID

terraform init
terraform plan 

terraform apply

2. Python Example - Points Reporting

Remember when we said you can only get 90 days of point history at the FortiFlex WebUI? Here, we demonstrate a simple Python script to interact with the FortiFlex API to retrieve points reporting information to go back to the beginning of the FortiFlex service.

We’ll use python from the Azure Cloudshell, so head over to the Azure Portal and launch Cloudshell.

cd ~/PublicCloud105-FortiFlex/scripts/python
pip install -r requirements.txt --user
python fortiflex_points_by_config.py

You’ll be prompted to enter the following information:

1. FortiFlex API Username: <IAM_API_Username_you_created_earlier>
2. FortiFlex API Password: <IAM_API_password_you_created_earlier>
3. Starting Date Range (YYYY-MM-DD): 1900-01-01
4. Ending Date Range (YYYY-MM-DD): 2025-08-26
5. FortiFlex Program Serial Number: ELAVMS0000000518

After entering the initial info, you’ll enter a loop where you can choose different options for point reporting. Try a few and then exit!

3. Advanced Use Cases

We don’t have time to get into every possible integration use case in this workshop but we wanted to at least give you a taste. Here are some additional resources to get you started if you’re interested in exploring further:

• Code: Ansible, Terraform, Python, and Postman
• Terraform Provider: Infrastructure-as-code integration
• Ansible Module: https://galaxy.ansible.com/ui/repo/published/fortinet/fortiflexvm/

4. MSSP Use Case

Now that we know how the FortiFlex Program works, and we know how to automate with it, lets fly!

This task will explore how a Managed Security Service Provider (MSSP) might implement FortiFlex to manage multiple clients’ security infrastructure efficiently and automatically. The MSSP may want to offer a self service portal for their customers to provision, entitle, and deploy their own FortiGate VMs with pre-defined security templates created by the MSSP.

​

Demo site Explore Add Creds Flex Configs Modify Config Create Entitlement Deploy VM Verify FortiGate Flex Licensing

Open the CloudCSE FortiFlex Marketplace Demo and click “Sign In” at the top right.

As long as you’re using the same browser you used for logging into the Azure and FortiCloud Portals, you should be auto logged in with SAML and see your workshop account username next to the login button.

Info

This is an MVP0 demo application created by the Fortinet Cloud CSE team to demonstrate how an MSSP might implement a self-service portal for their customers to provision, entitle, and deploy FortiGate VMs using FortiFlex.

This is not a production ready application, and is not supported by Fortinet. It is provided as-is for educational purposes only.

Disregard the front page…those 5 products are just to test frontend to backend connectivity.

The real magic is on the FortiFlex Configs and Entitlements pages….which are Empty presently, because we haven’t provided any credentials yet!

The Demo hasn’t implemented any kind of secure storage for credentials, because FortiCloud doesn’t offer API creation of IAM accounts yet.

So for now, we’ll just use the IAM API credentials you created earlier in the workshop.

Click on the API Credentials link in the top menu

Enter the following information:

• FortiFlex IAM API Username: <IAM_API_Username_you_created_earlier>
• FortiFlex IAM API Password: <IAM_API_password_you_created_earlier>
• FortiFlex Program Serial Number: ELAVMS0000000518
• FortiCloud Account ID: You can get this from your FortiCloud account info (top right).

then click Submit

• You can get your FortiCloud Account ID from the FortiCloud Portal top right corner
  • click on the down arrow next to your account name, and look for the Member Account ID

  

If you provided all the info correctly, the FortiFlex Configs page, will show the XPerts25-FGT-VM Config you created manually back in the beginning of the hands on section!

You’ll notice the parameters show the config is set for 4 CPUs, and the Create Entitlement is disabled. This is purposeful as we’re trying to conserve resources for this workshop.

From the FortiFlex Configurations Page, Click on Modify Configuration for the XPerts25-FGT-VM Flex Config and set it back to 2 CPU’s.

Confirm the changes and you’ll see the Create Entitlement Button Activate.

Once the Configuration is back at 2 CPU, Click Create Entitlement and confirm

You’ll be redirected to the FortiFlex Entitlements Page to view the newly created Entitlement named CloudCSE MKPL VM. You’ll also notice the entitlement you previously created manually at the WebUI.

Click on Launch VM on the Cloud CSE MKPL VM Entitlement, and confirm the prompts.

Behind the scenes, the MSSP Marketplace is launch a combination of API calls and Terraform to automatically deploy a FortiGate into your Azure account. That FortiFate is already licensed with the FortiFlex Entitlement Token you just created at the MSSP Portal!

It will take approx 5 mins to fully deploy, and then you can go check in your Azure Portal in the resource group for your account.

Imagine the possibilities for MSSP’s to customize the deployment options (single VM’s, A/P, A/A, Azure vWAN, AWS GWLB, AutoScaling, etc)

You will know the VM is ready when you see the Flex Entitlement Card:

• Launch Azure VM Button turn Grey
• RED STOP Button Appear
• Status turn to Active
• Token Status turn to Used

Go to the Azure Portal and check your resource group for a Virtual Machine prefixed with cat-. This is the VM deployed from the Flex Catalog.

Tip

For step-by-step instructions, reference the Azure Portal steps in the FortiFlex WebUI steps here

Click on the VM, and copy the Public IP opening it in a new browser window.

Login using the following (replacing [XX] with your student number):

• Username: “flex[XX]”
• Password: ChangeMe123#@!

You will see the Serial number of the Flex Entitlement you used to provision this VM.

Workshop Cleanup

This section provides instructions on how to clean up resources created during the workshop. Follow these steps to ensure that all resources are properly deleted and your environment is left in a clean state for the next session.

​

Stop all FortiFlex Entitlements Delete Forticloud IAM API Key

We’ll use the Demo FortiFlex MSSP Marketplace to Stop all Entitlements we created as part of this workshop Go to the FortiFlex Enttlements Page and click Stop on any active entitlements. Click to confirm.

Info

Remember, FortiFlex points deduction doesn’t stop even if the resources stop, are terminated, or are decomissioned. So it’s imperative to maintain proper FortiFlex maintenance records or automation on the entitlements

In the FortiCloud Portal, Go to the IAM Portal, Users section, Select the API account you created for this workshop and delete it.

Warning

After deleting your API key, the FortiFlex Marketplace will cease to function!