From 3e9006a071f013fb654730bdc9af9558926ec9a1 Mon Sep 17 00:00:00 2001 From: John McDonough Date: Wed, 9 Oct 2024 15:10:59 -0400 Subject: [PATCH] recommended updates --- FortiGate/A-Single-VM/README.md | 119 ++++++++++-------- FortiGate/A-Single-VM/azuredeploy.json | 18 +-- FortiGate/A-Single-VM/createUiDefinition.json | 8 +- 3 files changed, 77 insertions(+), 68 deletions(-) diff --git a/FortiGate/A-Single-VM/README.md b/FortiGate/A-Single-VM/README.md index 91e2fd66..a894ebf1 100644 --- a/FortiGate/A-Single-VM/README.md +++ b/FortiGate/A-Single-VM/README.md 
@@ -1,28 +1,28 @@ # FortiGate Next-Generation Firewall - A Single VM -[![[FGT] ARM - A-Single-VM](https://github.com/40net-cloud/fortinet-azure-solutions/actions/workflows/fgt-arm-a-single-vm.yml/badge.svg)](https://github.com/40net-cloud/fortinet-azure-solutions/actions/workflows/fgt-arm-a-single-vm.yml) +[![[FGT] ARM - A-Single-VM](https://github.com/40net-cloud/fortinet-azure-solutions/actions/workflows/fgt-arm-a-single-vm.yml/badge.svg)](https://github.com/40net-cloud/fortinet-azure-solutions/actions/workflows/fgt-arm-a-single-vm.yml) :wave: - [Introduction](#introduction) - [Design](#design) - [Deployment](#deployment) - [Requirements](#requirements-and-limitations) - [Configuration](#configuration) - :wave: ## Introduction -More and more enterprises are turning to Microsoft Azure to extend or replace internal data centers and take advantage of the elasticity of the public cloud. While Azure secures the infrastructure, you are responsible for protecting the resources you put in it. As workloads are being moved from local data centers connectivity and security are key elements to take into account. FortiGate-VM offers a consistent security posture and protects connectivity across public and private clouds, while high-speed VPN connections protect data. +More and more enterprises are turning to Microsoft Azure to extend or replace internal data centers and take advantage of the elasticity of the public cloud. While Azure secures the infrastructure, you are responsible for protecting the resources you put in it. As workloads are being moved from local data centers, connectivity and security are key elements to take into account. FortiGate-VM offers a consistent security posture and protects connectivity across public and private clouds, while high-speed VPN connections protect data. This ARM template deploys a single FortiGate Next-Generation Firewall accompanied by the required infrastructure. 
Additionally, Fortinet Fabric Connectors deliver the ability to create dynamic security policies. ## Design -In Microsoft Azure, this single FortiGate-VM setup a basic setup to start exploring the capabilities of the next generation firewall. The central system will receive, using user-defined routing (UDR), all or specific traffic that needs inspection going to/coming from on-prem networks or the public internet. +In Microsoft Azure, this single FortiGate-VM setup a basic setup to start exploring the capabilities of the next generation firewall. The central system will receive, using user-defined routing (UDR), all or specific traffic that needs inspection going to/coming from on-premises networks or the public internet. This Azure ARM template will automatically deploy a full working environment containing the following components. - 1 standalone FortiGate-VM -- 1 VNETs containing a protected subnet -- User Defined Routes (UDR) for the protected subnets +- 1 VNET containing a protected subnet +- 1 User Defined Routes (UDR) for the protected subnet ![FortiGate-VM azure design](images/fgt-single-vm.png) -This Azure ARM template can also be extended or customized based on your requirements. Additional subnets besides the ones mentioned above are not automatically generated. By extending the Azure ARM templates additional subnets can be added. Additional subnets will require their own routing tables. +This Azure ARM template can also be extended or customized based on your requirements. Additional subnets besides the one mentioned above are not automatically generated. By extending the Azure ARM templates additional subnets can be added. Additional subnets can be added to an existing route table or may require their own routing tables. ## Deployment 
@@ -46,28 +46,29 @@ Custom Deployment: To fast track the deployment, use the Azure Cloud Shell. The Azure Cloud Shell is an in-browser CLI that contains Terraform and other tools for deployment into Microsoft Azure. It is accessible via the Azure Portal or directly at [https://shell.azure.com/](https://shell.azure.com). You can copy and paste the below one-liner to get started with your deployment. -``` +``` bash cd ~/clouddrive/ && wget -qO- https://github.com/40net-cloud/fortinet-azure-solutions/archive/main.tar.gz | \ tar zxf - && cd ~/clouddrive/fortinet-azure-solutions-main/FortiGate/A-Single-VM/ && ./deploy.sh ``` ![Azure Cloud Shell](images/azure-cloud-shell.png) -After deployment, you will be shown the IP addresses of all deployed components. This information is also stored in the output directory in the 'summary.out' file. You can access both management GUI's using the public management IP addresses using HTTPS on port 443. +After deployment, you will be shown the IP addresses of all deployed components. This information is also stored in the output directory in the 'summary.out' file. You can access the management GUI using the public management IP address using HTTPS on port 443. ## Requirements and limitations -The ARM template deploys different resources and it is required to have the access rights and quota in your Microsoft Azure subscription to deploy the resources. +The ARM template deploys several resources and it is required to have the access rights and quota in your Microsoft Azure subscription to deploy the resources. -- The template will deploy Standard F2s VMs for this architecture. Other VM instances are supported as well with a minimum of 2 NICs. A list can be found [here](https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/562841/instance-type-support) +- By default the template will deploy Standard F2s VMs for this architecture. 
Other VM instances are supported as well, a minimum of 2 NICs is required. A list of supported Azure instance types can be found [here](https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/562841/instance-type-support) - Licenses for FortiGate-VM - - BYOL: A demo license can be made available via your Fortinet partner or on our website. These can be injected during deployment or added after deployment. Purchased licenses need to be registered on the [Fortinet support site](http://support.fortinet.com). Download the .lic file after registration. Note, these files may not work until 60 minutes after it's initial creation. + - BYOL: A demo license can be made available via your Fortinet partner or on our website. The license can be injected during deployment or added after deployment. Purchased licenses need to be registered on the [Fortinet support site](http://support.fortinet.com). Download the .lic file after registration. Note, these files may not work until 60 minutes after it's initial creation. + - FLEX: A demo FortiFlex evaluation account can be made available via you Fortinet partner. The FortiFlex token can be injected during deployment or added after deployment. - PAYG or OnDemand: These licenses are automatically generated during the deployment of the FortiGate-VM systems. - The password provided during deployment must need password complexity rules from Microsoft Azure: - It must be 12 characters or longer - It needs to contain characters from at least 3 of the following groups: uppercase characters, lowercase characters, numbers, and special characters excluding '\' or '-' - The terms for the FortiGate-VM PAYG or BYOL image in the Azure Marketplace needs to be accepted once before usage. This is done automatically during deployment via the Azure Portal. For the Azure CLI the commands below need to be run before the first deployment in a subscription. 
- - BYOL + - BYOL/FLEX `az vm image terms accept --publisher fortinet --offer fortinet_fortigate-vm_v5 --plan fortinet_fg-vm` - PAYG `az vm image terms accept --publisher fortinet --offer fortinet_fortigate-vm_v5 --plan fortinet_fg-vm_payg_2023` 
@@ -87,21 +88,24 @@ The FortiGate-VMs need a specific configuration to match the deployed environmen ### Fabric Connector -The FortiGate-VM uses [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/) for the SDN Fabric Connector. A SDN Fabric Connector is created automatically during deployment. After deployment, it is required apply the 'Reader' role to the Azure Subscription you want to resolve Azure Resources from. More information can be found on the [Fortinet Documentation Libary](https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/236610/configuring-an-sdn-connector-using-a-managed-identity). +The FortiGate-VM uses [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/) or [Service Principals](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals) for the SDN Fabric Connector. A SDN Fabric Connector is created automatically during deployment. After deployment, it is required to apply the 'Reader' role to the Azure Subscription you want to resolve Azure Resources from. More information can be found in the Fortinet Documentation + +- [Managed Identity](https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/236610/configuring-an-sdn-connector-using-a-managed-identity) +- [Service Principal](https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/948968/azure-sdn-connector-service-principal-configuration-requirements) ### VNET peering -In Microsoft Azure, this central security services hub is commonly implemented using VNET peering. The central security services hub component will receive, using user-defined routing (UDR), all or specific traffic that needs inspection going to/coming from on-prem networks or the public internet. 
This deployment can be used as the hub section of such a [Hub-Spoke network topology](https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke?tabs=cli#communication-through-an-nva) +In Microsoft Azure, this central security services hub is commonly implemented using VNET peering. The central security services hub component will receive, using user-defined routing (UDR), all or specific traffic that needs inspection going to/coming from on-premises networks or the public internet. This deployment can be used as the hub section of such a [Hub-Spoke network topology](https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke?tabs=cli#communication-through-an-nva) ![VNET peering](images/fgt-single-vm-vnet-peering.png) ### East-West connections -#### Introduction +#### Introduction - East-West connections East-West connections are considered the connections between internal subnets within the VNET or peered VNETs. The goal is to direct this traffic via the FortiGate-VM. -To direct traffic to the FortiGate-VM routing needs to be adapted on Microsoft Azure using User Defined Routing (UDR). With UDRs the routing in Azure can be adapted to send traffic destined for a specific network IP range to a specific destination such as Internet, VPN Gateway, Virtual Network (VNET), ... In order for the FortiGate-VM to become the destination there is a specific destination called Virtual Appliance. The private IP of the FortiGate-VM is provided. More information about User Defined Routing can be found [here](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview) +To direct traffic to the FortiGate-VM, routing needs to be adapted on Microsoft Azure using User Defined Routing (UDR). With UDRs the routing in Azure can be adapted to send traffic destined for a specific network IP range to a specific destination such as Internet, VPN Gateway, Virtual Network (VNET), ... 
In order for the FortiGate-VM to become the destination there is a specific destination called Virtual Appliance. The private IP of the FortiGate-VM is provided. More information about User Defined Routing can be found [here](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview) #### East-West Flow @@ -110,11 +114,11 @@ In the diagram the different steps to establish a session are layed out. This fl ![East west flow](images/ew-flow.png) 1. Connection from client to the private IP of server. Azure routes the traffic using UDR to the internal network interface - s: 172.16.137.4 - d: 172.16.138.4 -2. FGT inspects the packet and when allowed sends the packet to the server - s: 172.16.137.4 - d: 172.16.138.4 -3. The server responds to the request, th Azure fabric sends the packet for inspection to the FGT internal network interface using UDR - s: 172.16.137.4 - d: 172.16.138.4 -4. The active FGT accepts the return packet after inspection and sends it to the client - s: 172.16.137.4 - d: 172.16.138.4 +2. FortiGate-VM inspects the packet and when allowed sends the packet to the server - s: 172.16.137.4 - d: 172.16.138.4 +3. The server responds to the request, th Azure fabric sends the packet for inspection to the FortiGate-VM internal network interface using UDR - s: 172.16.137.4 - d: 172.16.138.4 +4. The FortiGate-VM accepts the return packet after inspection and sends it to the client - s: 172.16.137.4 - d: 172.16.138.4 -#### Configuration +#### East-West Configuration To configure the east-west connectivity to a service there are 2 resources that need to be verified/configured: 
@@ -141,11 +145,11 @@ The drawing in the [flow](#east-west-flow) section is used in the configuration On the FortiGate-VM, a firewall policy rule needs to be created to allow traffic from specific IP ranges going in and out of the same internal interface (port2). It is also possible to use dynamic addresses using the SDN Connector to have more dynamic firewall policies. -### Inbound connections +### Inbound Connections -#### Introduction +#### Introduction - Inbound Connections -Inbound connections are considered the connections coming from the internet towards the public IP address to publish services like a webserver or other, hosted in the VNET or peered VNETs. +Inbound connections are considered the connections coming from the internet towards the public IP address to publish services like a webserver or other, hosted in the VNET or peered VNETs. This template will use the Standard SKU public IPs. The standard public IP by default is a static allocation. More information can be found [in the Microsoft documentation](https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-addresses). @@ -158,13 +162,13 @@ In the diagram the different steps to establish a session are layed out. This fl

1. Connection from client to the public IP attached to a private IP on the FortiGate-VM - s: w.x.y.z - d: a.b.c.d -2. The Azure Fabric will translate(DNAT) from the public IP to the private IP attacjed to the FortiGate-VM - s: w.x.y.z - d: 172.16.136.4 -3. FGT VIP linked to the private IP picks up the packet, translates (DNAT) the packet destined for the private IP on the FortiGate-VM. - s: w.x.y.z - d: 172.16.137.4 +2. The Azure Fabric will translate (DNAT) from the public IP to the private IP attached to the FortiGate-VM - s: w.x.y.z - d: 172.16.136.4 +3. FortiGate-VM VIP linked to the private IP picks up the packet, translates (DNAT) the packet destined for the private IP on the FortiGate-VM. - s: w.x.y.z - d: 172.16.137.4 4. Server responds to the request and the Azure Fabric using UDR will route the packet to the internal interface of the FortiGate-VM - s: 172.16.137.4 - d: w.x.y.z 5. FortiGate-VM receives the packet and translates the source to the FortiGate-VM VIP on the external interface - s: 172.16.136.4 - d: w.x.y.z -6. Azure Fabric translates (SNAT) the packet use the public IP to return to the client - s: a.b.c.d - d: w.x.y.z +6. Azure Fabric translates (SNAT) the packet using the public IP to return to the client - s: a.b.c.d - d: w.x.y.z -#### Configuration +#### Inbound Configuration To configure the inbound connectivity to a service via the FortiGate-VM, configuration needs to happen on the Azure and FortiGate-VM level: 
@@ -174,7 +178,7 @@ To configure the inbound connectivity to a service via the FortiGate-VM, configu The drawing in the [flow](#inbound-flow) section is used in the configuration screenshots. -##### Azure user-defined route (UDR) +##### Azure user-defined route (UDR) - Inbound The user-defined route (UDR) is required to route return traffic back from the internal server to the FortiGate-VM. If the UDR is not configured, one needs to SNAT the inbound packet behind the FortiGate-VM internal interface to ensure the return packet send back via the FortiGate-VM. @@ -184,20 +188,22 @@ It is possible to create more specific routes instead of the general 0.0.0.0/0 r fgt udr

-The route needed to route internet traffic back to the FortiGate-VM contains the following values and attached to one or more protected subnets: -``` +The route needed to route internet traffic back to the FortiGate-VM contains the following values and is attached to one or more protected subnets: + +``` text Name: Default Address Prefix: 0.0.0.0/0 Next hop type: Virtual Appliance Next hop IP address: 172.16.136.68 ``` -The additional routes on the screenshot will provide additional functionality. The 'Subnet' route will unsure virtual machines can talk to each other without being send to the FortiGate-VM. The 'VirtualNetwork' route will send traffic for all the subnets in the VNET to the FortiGate-VM for inspection. -It is recomended to deploy servers in different subnets behind the FortiGate-VM or in peered VNETs/subnets, these networks are indicated in documentation as protected subnets. It is not recomended to deploy virtual machines whose traffic needs to pass through the FortiGate-VM to be deployed in the same network as an interface of the FortiGate-VM (external or internal). This will cause routing loops when traffic needs to be routed between a protected subnet virtual machine and a internal subnet virtual machine via the FortiGate-VM. +The additional routes on the screenshot will provide additional functionality. The 'Subnet' route will ensure virtual machines can talk to each other without being send to the FortiGate-VM. The 'VirtualNetwork' route will send traffic for all the subnets in the VNET to the FortiGate-VM for inspection. -##### Azure network security group (NSG) +It is recommended to deploy servers in different subnets behind the FortiGate-VM or in peered VNETs/subnets, these networks are indicated in documentation as protected subnets. It is not recommended to deploy virtual machines whose traffic needs to pass through the FortiGate-VM to be deployed in the same network as an interface of the FortiGate-VM (external or internal). 
This will cause routing loops when traffic needs to be routed between a protected subnet virtual machine and a internal subnet virtual machine via the FortiGate-VM. -The default deployment of the FortiGate-VM deploys a network security group (NSG) on the network interfaces. This NSG ensure that all traffic is allowed and that inbound traffic is allowed when using Standard SKU public IP addresses. +##### Azure network security group (NSG) - Inbound + +The default deployment of the FortiGate-VM deploys a network security group (NSG) on the network interfaces. This NSG ensures that all traffic is allowed and that inbound traffic is allowed when using Standard SKU public IP addresses.

fgt nsg @@ -207,31 +213,33 @@ If any additional NSGs are configured, they need to allow traffic to and from th ##### FortiGate-VM -On the Azure level, the FortiGate-VM needs to have a Standard SKU public IP address connected to a private IP address. Up to 255 additional public IP addresses can be attached to secondary public IP addresses. +On the Azure level, the FortiGate-VM needs to have a Standard SKU public IP address connected to a private IP address. Up to 255 additional public IP addresses can be attached as secondary public IP addresses. +

inbound vm

-On the FortiGate-VM, the first task is to create a virtual IP. Beware that the primary IP is also used for managment of the FortiGate and some ports are reserved. +On the FortiGate-VM, the first task is to create a virtual IP. Be aware that the primary IP is also used for management of the FortiGate and some ports are reserved. +

inbound vip

-Once the virtual IP is configured, a firewall policy needs to be created based on the virtual IP. It is possible to have a different port on the outside the port running on the server internal resulting in port address translation (PAT) +Once the virtual IP is configured, a firewall policy needs to be created based on the virtual IP. It is possible to have a different port on the outside map to the port running on the server internally, resulting in port address translation (PAT)

inbound policy

-### Outbound connections +### Outbound Connections -#### Introduction +#### Introduction Outbound Connections Outbound connections are considered the connections coming from the internal subnets within the VNET or peered VNETs via the FortiGate-VM towards the internet. To direct traffic to the FortiGate-VM routing needs to be adapted on Microsoft Azure using User Defined Routing (UDR). With UDRs the routing in Azure can be adapted to send traffic destined for a specific network IP range to a specific destination such as Internet, VPN Gateway, Virtual Network (VNET), ... In order for the FortiGate-VM to become the destination there is a specific destination called Virtual Appliance. The private IP of the FortiGate-VM is provided. More information about User Defined Routing can be found [here](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview) -Which public IP is used for the outbound connections depends on the configuration and layout of your deployed setup. There are 3 options +Which public IP is used for the outbound connections depends on the configuration and layout of your deployed setup. There are 3 options - Public IP directly connected to a primary or secondary private IP on the NIC of the FortiGate-VM - NAT Gateway attached to the subnet of the external NIC of the FortiGate-VM @@ -245,7 +253,7 @@ NAT Gateway takes precedence over a public IP directly connected to a NIC as sec #### Outbound Flow -In the diagram the different steps to establish a session are layed out. +In the diagram the different steps to establish a session are layed out. ![Outbound flow](images/outbound-flow.png) 
@@ -254,9 +262,9 @@ In the diagram the different steps to establish a session are layed out. 3. The Azure Fabric will translate the source private IP to the linked public IP - s: a.b.c.d - d: w.x.y.z 4. The server responds to the request - s: w.x.y.z - d: a.b.c.d 5. The Azure Fabric translates the destination public IP to the linked private IP - s: w.x.y.z - d: 172.16.136.4 -6. The FortiGate-VM accepts the return packet after inspection. It translates and routes the packet to the client - s: w.x.y.z - d: 172.16.137.4 +6. The FortiGate-VM accepts the return packet after inspection. FortiGate-VM translates and routes the packet to the client - s: w.x.y.z - d: 172.16.137.4 -#### Configuration +#### Outbound Configuration To configure the outbound connectivity via the FortiGate-VM, configuration needs to happen on the Azure and FortiGate-VM level: @@ -266,7 +274,7 @@ To configure the outbound connectivity via the FortiGate-VM, configuration needs The drawing in the [flow](#outbound-flow) section is used in the configuration screenshots. -##### Azure user-defined route (UDR) +##### Azure user-defined route (UDR) - Outbound The user-defined route (UDR) is required to route outbound traffic from the internal client via the FortiGate-VM. The UDR is the same as the one required for the inbound return traffic. @@ -277,14 +285,15 @@ It is possible to create more specific routes instead of the general 0.0.0.0/0 r

The route needed to route internet traffic to the FortiGate-VM contains the following values and attached to one or more protected subnets: -``` + +``` text Name: Default Address Prefix: 0.0.0.0/0 Next hop type: Virtual Appliance Next hop IP address: 172.16.136.68 ``` -##### Azure network security group (NSG) +##### Azure network security group (NSG) - Outbound The default deployment of the FortiGate-VM deploys a network security group (NSG) on the network interfaces. This NSG ensure that all traffic is allowed and that inbound traffic is allowed when using Standard SKU public IP addresses. @@ -304,7 +313,7 @@ On the FortiGate-VM, a firewall policy needs to be created to allow traffic from ### Availability Zone -Each of the architecture options listed in the design section will have the possibility enable Availability Zones. +Each of the architecture options listed in the design section will have the possibility to enable Availability Zones. Microsoft defines an Availability Zone to have the following properties: @@ -322,9 +331,9 @@ Based on information in the presentation ['Inside Azure datacenter architecture After deployment, the below configuration has been automatically injected during the deployment. The bold sections are the default values. If parameters have been changed during deployment these values will be different. -#### FortiGate-VM +#### FortiGate-VM - base configuration -

+```python
 config system sdn-connector
   edit AzureSDN
     set type azure
@@ -332,30 +341,30 @@ config system sdn-connector
 end
 config router static
   edit 1
-    set gateway 172.16.136.1
+    set gateway 172.16.136.1
     set device port1
   next
   edit 2
-    set dst 172.16.136.0/22
+    set dst 172.16.136.0/22
     set device port2
-    set gateway 172.16.136.65
+    set gateway 172.16.136.65
   next
 end
 config system interface
   edit port1
     set mode static
-    set ip 172.16.136.5/26
+    set ip 172.16.136.5/26
     set description external
     set allowaccess ping ssh https
   next
   edit port2
     set mode static
-    set ip 172.16.136.69/24
+    set ip 172.16.136.69/24
     set description internal
     set allowaccess ping ssh https
   next
 end
-
+``` ## Support diff --git a/FortiGate/A-Single-VM/azuredeploy.json b/FortiGate/A-Single-VM/azuredeploy.json index f4c06637..61b5da10 100644 --- a/FortiGate/A-Single-VM/azuredeploy.json +++ b/FortiGate/A-Single-VM/azuredeploy.json @@ -609,7 +609,7 @@ }, "resources": [ { - "apiVersion": "2023-07-01", + "apiVersion": "2024-03-01", "name": "[concat(parameters('fortiGateNamePrefix'), '-fortinetdeployment-', uniquestring(resourceGroup().id))]", "type": "Microsoft.Resources/deployments", "properties": { @@ -625,7 +625,7 @@ "condition": "[and(variables('useAS'),equals(parameters('existingAvailabilitySetName'),''))]", "name": "[variables('availabilitySetName')]", "type": "Microsoft.Compute/availabilitySets", - "apiVersion": "2023-09-01", + "apiVersion": "2023-03-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/availabilitySets'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Compute/availabilitySets']), parameters('fortinetTags')) ]", "properties": { @@ -640,7 +640,7 @@ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", "name": "[variables('vnetName')]", "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2023-06-01", + "apiVersion": "2023-11-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Network/virtualNetworks']), parameters('fortinetTags')) ]", "dependsOn": [ 
@@ -681,7 +681,7 @@ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", "type": "Microsoft.Network/routeTables", "name": "[variables('routeTableProtectedName')]", - "apiVersion": "2023-06-01", + "apiVersion": "2023-11-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Network/routeTables']), parameters('fortinetTags')) ]", "properties": { @@ -715,7 +715,7 @@ { "name": "[variables('nsgName')]", "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2023-06-01", + "apiVersion": "2023-11-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups']), parameters('fortinetTags')) ]", "properties": { @@ -755,7 +755,7 @@ "condition": "[equals(parameters('publicIP1NewOrExisting'), 'new')]", "name": "[variables('publicIP1Name')]", "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2023-06-01", + "apiVersion": "2023-11-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Network/publicIPAddresses']), parameters('fortinetTags')) ]", "sku": { @@ -772,7 +772,7 @@ { "name": "[variables('fgtNic1Name')]", "type": "Microsoft.Network/networkInterfaces", - "apiVersion": "2023-06-01", + "apiVersion": "2023-11-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Network/networkInterfaces'],variables('fastpathtag')), union(parameters('fortinetTags'),variables('fastpathtag'))) ]", "dependsOn": [ 
@@ -805,7 +805,7 @@ { "type": "Microsoft.Network/networkInterfaces", "name": "[variables('fgtNic2Name')]", - "apiVersion": "2023-06-01", + "apiVersion": "2023-11-01", "location": "[parameters('location')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Network/networkInterfaces'],variables('fastpathtag')), union(parameters('fortinetTags'),variables('fastpathtag'))) ]", "dependsOn": [ @@ -837,7 +837,7 @@ { "type": "Microsoft.Compute/virtualMachines", "name": "[variables('fgtVmName')]", - "apiVersion": "2023-09-01", + "apiVersion": "2023-03-01", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), union(parameters('fortinetTags'),parameters('tagsByResource')['Microsoft.Compute/virtualMachines']), parameters('fortinetTags')) ]", "location": "[parameters('location')]", "identity": { diff --git a/FortiGate/A-Single-VM/createUiDefinition.json b/FortiGate/A-Single-VM/createUiDefinition.json index 6c7f0c7e..60260315 100644 --- a/FortiGate/A-Single-VM/createUiDefinition.json +++ b/FortiGate/A-Single-VM/createUiDefinition.json @@ -811,7 +811,7 @@ { "name": "fgtLicenseFortiFlexCheck", "type": "Microsoft.Common.CheckBox", - "label": "My organisation is using the FortiFlex subscription service.", + "label": "My organization is using the FortiFlex subscription service.", "toolTip": "Select this box to enter a FortiFlex token", "visible": "[or(equals(steps('instance').instancetype_x64.fortiGateImageSKU_x64, 'fortinet_fg-vm'),equals(steps('instance').instancetype_arm64.fortiGateImageSKU_arm64, 'fortinet_fg-vm_arm64'))]" }, 
@@ -850,7 +850,7 @@ "type": "Microsoft.Common.InfoBox", "options": { "icon": "Info", - "text": "Pay As You Go licenses was selected in the basics blade and provisioned automatically durig deployment. Registration of the PAYG license is required to receive support.", + "text": "Pay As You Go licenses was selected in the basics blade and provisioned automatically during deployment. Registration of the PAYG license is required to receive support.", "uri": "https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/533394/creating-a-support-account" }, "visible": "[not(or(equals(steps('instance').instancetype_x64.fortiGateImageSKU_x64, 'fortinet_fg-vm'),equals(steps('instance').instancetype_arm64.fortiGateImageSKU_arm64, 'fortinet_fg-vm_arm64')))]" @@ -993,7 +993,7 @@ "type": "Microsoft.Common.TextBlock", "visible": true, "options": { - "text": "Enables SR-IOV support allowing direct acces from the NIC in the Azure infrastructure to the FortiGate VM.", + "text": "Enables SR-IOV support allowing direct access from the NIC in the Azure infrastructure to the FortiGate VM.", "link": { "label": "Learn more", "uri": "https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/651644/enabling-accelerated-networking-on-the-fortigate-vm" @@ -1287,7 +1287,7 @@ "name": "customvhdcheck", "type": "Microsoft.Common.CheckBox", "label": "Use Azure compute gallery VHD for deployment", - "toolTip": "This option enables the Internet inbound usecase and creates additional routing infrastructure", + "toolTip": "This option enables the Internet inbound use case and creates additional routing infrastructure", "visible": true }, {
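Review bot: the rewritten Design paragraph in README hunk @@ -1,28 still lacks its verb: "In Microsoft Azure, this single FortiGate-VM setup a basic setup to start exploring" should read "this single FortiGate-VM setup is a basic setup to start exploring". In the same hunk the new component list item "- 1 User Defined Routes (UDR) for the protected subnet" should be singular, "- 1 User Defined Route (UDR) for the protected subnet", matching the "1 VNET" item above it.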
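Review bot: the new FLEX bullet in README hunk @@ -46,28 has a typo, "via you Fortinet partner" should be "via your Fortinet partner", and the rewritten BYOL line keeps "60 minutes after it's initial creation" where "its" is meant. The reworded instance-type line is a comma splice; "Other VM instances are supported as well; a minimum of 2 NICs is required." reads cleanly. The unchanged context line "The password provided during deployment must need password complexity rules" should also become "must meet" while this section is being touched.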
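Review bot: the sentence introducing the new documentation list in README hunk @@ -87,21 ends without punctuation; "More information can be found in the Fortinet Documentation:" should close with a colon since a bullet list follows, and "A SDN Fabric Connector" should be "An SDN Fabric Connector". Since the hunk now documents both Managed Identity and Service Principal, it would help operators to state that 'Reader' is the only role the connector needs and to say whether a scope narrower than the whole subscription (for example the resource group holding the resources to be resolved) is sufficient, so that the identity is not granted more visibility than the connector uses.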
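Review bot: step 3 in README hunk @@ -110,11 is rewritten but keeps the typo "th Azure fabric"; it should read "the Azure fabric sends the packet for inspection to the FortiGate-VM internal network interface using UDR". The hunk's context line "In the diagram the different steps to establish a session are layed out" should be "laid out"; the same wording appears again in hunks @@ -158,13 and @@ -245,7.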
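Review bot: the rewritten route description in README hunk @@ -184,20 still has grammar slips: "without being send to the FortiGate-VM" should be "sent", "a internal subnet virtual machine" should be "an internal subnet virtual machine", and "in peered VNETs/subnets, these networks are indicated" is a comma splice that reads better as "in peered VNETs/subnets; these networks are referred to in the documentation as protected subnets". The sentence "It is not recommended to deploy virtual machines whose traffic needs to pass through the FortiGate-VM to be deployed in the same network" repeats "deploy"; drop "to be deployed".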
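Review bot: "Up to 255 additional public IP addresses can be attached as secondary public IP addresses" in README hunk @@ -207,31 still does not say what they attach to; the outbound option list later in the same hunk says "Public IP directly connected to a primary or secondary private IP on the NIC", so "attached to secondary private IP addresses on the NIC" is the consistent wording. The renamed heading "#### Introduction Outbound Connections" is missing the " - " separator used for "#### Introduction - East-West connections" and "#### Introduction - Inbound Connections", which also matters if the heading anchors are linked anywhere. "There are 3 options" should end with a colon before the list.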
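Review bot: README hunk @@ -277,14 re-fences the outbound route block but leaves "contains the following values and attached to one or more protected subnets" without the "is" that the matching inbound sentence received in hunk @@ -184,20, and the context line "This NSG ensure that all traffic is allowed" should become "ensures", as was done for the inbound copy.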
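Review bot: the new fence in README hunk @@ -322,9 opens with ```python, but the block that follows is FortiOS CLI, not Python; highlighting it as Python will misrender the keywords, so use the ``` text fence that the rest of this patch adopts for the route examples.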
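Review bot: README hunk @@ -332,30 only strips trailing whitespace from the "set gateway", "set dst" and "set ip" lines, which is fine. One documentation point is worth adding next to this block: port1 is described as external and carries "set allowaccess ping ssh https", the Deployment section tells the reader the GUI is reached over the public IP on port 443, and the NSG section states the default NSG allows all traffic. A sentence recommending that administrators restrict management access to trusted source addresses after first login (an NSG rule on the external interface, or FortiOS administrator trusted hosts) would make the base configuration safer to copy as-is.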
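Review bot: the apiVersion for Microsoft.Compute/availabilitySets in azuredeploy.json hunk @@ -625,7 moves backwards, from "2023-09-01" to "2023-03-01", while every Microsoft.Network resource in this patch moves forward to "2023-11-01" and Microsoft.Resources/deployments moves to "2024-03-01". If the downgrade is deliberate (for example a validation failure with the newer version), say so in the commit message, which now only reads "recommended updates", and confirm that none of the properties set on this resource require the newer API version.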
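Review bot: the same backwards move applies to Microsoft.Compute/virtualMachines in azuredeploy.json hunk @@ -837,7 ("2023-09-01" to "2023-03-01"); this resource carries the identity block and the tags expression visible in the context lines, so verify against the 2023-03-01 schema that everything set in the resource is accepted before merging, and document the reason together with the availability set change.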
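Review bot: the corrected InfoBox text in createUiDefinition.json hunk @@ -850,7 fixes "durig" but leaves a subject-verb mismatch: "Pay As You Go licenses was selected in the basics blade and provisioned automatically during deployment" should read either "A Pay As You Go license was selected in the basics blade and provisioned automatically during deployment" or "Pay As You Go licenses were selected ... and provisioned ...".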