diff --git a/firewall/ks-vm.yaml b/firewall/ks-vm.yaml
new file mode 100644
index 0000000..257d4ce
--- /dev/null
+++ b/firewall/ks-vm.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app fortigate
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./firewall/vm
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
\ No newline at end of file
diff --git a/firewall/vm/fortigate.yaml b/firewall/vm/fortigate.yaml
new file mode 100644
index 0000000..9d6f2f3
--- /dev/null
+++ b/firewall/vm/fortigate.yaml
@@ -0,0 +1,71 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: fortigate
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  dataVolumeTemplates:
+    - metadata:
+        name: fortigate-rootdisk
+      spec:
+        source:
+          http:
+            url: http://nginx.demo.svc.cluster.local:8080/fortios_v7_6_3.qcow2
+        storage:
+          resources:
+            requests:
+              storage: 20Gi
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: fortigate
+    spec:
+      domain:
+        cpu:
+          cores: 2
+        memory:
+          guest: 4Gi
+        features:
+          acpi: {}
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi: {}
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          interfaces:
+            - name: default
+              masquerade: {}
+              ports:
+              - port: 8080
+              - port: 443
+              - port: 22
+          disks:
+            - disk:
+                bus: sata
+              name: rootdisk
+           # - disk:
+           #     bus: scsi
+           #   name: cloudinitdisk
+        resources:
+          requests:
+            memory: 4Gi
+            cpu: 2
+          limits:
+            memory: 4Gi
+            cpu: 2
+      networks:
+        - name: default
+          pod: {}
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: rootdisk
+          dataVolume:
+            name: fortigate-rootdisk
+        #- name: cloudinitdisk
+        #  cloudInitNoCloud:
+        #    secretRef:
+        #      name: windows-cloud-init
diff --git a/kustomization.yaml b/kustomization.yaml
index 7b3aa28..bc48a2c 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
   - vars/ks.yaml
   - repos/ks.yaml
   - network/ks-lb.yaml
+  - firewall/ks-vm.yaml
   - windows-vm-standard/ks-vm.yaml
   - windows-vm-standard/ks-pvc.yaml
   - windows-vm-standard-dev/ks-vm.yaml