Fortigate Ver 1

c
Cu hnh VDOM Root ........................................................................................... 2

................................................... 2
! .................................................................... 6
""##$%&' ($ )* #+ ........................... 8
#, $ ............................................................10
- ..........................................................................................12
./ ..................................................................................................15
# 0 .......................................................................................16
$-1 ................................................................................................17
234.3250 ............................................................................................23
# ( (# 6. ................................................................................23
Cu hnh VDOM ADSL .......................................................................................25
! .....................................................................................25
-1 $ 7$ 18$ 9#": #" ...............................26

234.36;:c0::/
O

. < Fortigate khng cho php gn a ch IP trc tip vo policy, mi a ch khi
gn vo policy phi c tham chiu bi mt tn gi ca a ch . Vi mi a
ch IP c trn ASA, ta cu hnh tn cho tng a ch.
6=" <
>??@A<
name 10.36.71.101 OnePay_SV
name 172.16.0.6 SHB_SV
> <

config firewall address
edit "OnePay_SV"
set subnet 10.36.71.101 255.255.255.255
next
edit "SHB_SV"
set subnet 172.16.0.6 255.255.255.255

>??@A

> >
10.36.71.101 255.255.255.255
OnePay_SV
172.16.0.6 255.255.255.255
SHB_SV
10.0.0.0 255.0.0.0
ip_10.0.0.0_255.0.0.0
10.10.12.10 255.255.255.255
ip_10.10.12.10_255.255.255.255
10.18.4.7 255.255.255.255
ip_10.18.4.7_255.255.255.255
10.18.4.8 255.255.255.255
ip_10.18.4.8_255.255.255.255
10.255.252.28 255.255.255.255
ip_10.255.252.28_255.255.255.255
10.255.252.5 255.255.255.255
ip_10.255.252.5_255.255.255.255
10.4.24.250 255.255.255.255
ip_10.4.24.250_255.255.255.255
10.4.28.13 255.255.255.255
ip_10.4.28.13_255.255.255.255
10.4.28.14 255.255.255.255
ip_10.4.28.14_255.255.255.255
10.4.28.21 255.255.255.255
ip_10.4.28.21_255.255.255.255
10.4.28.24 255.255.255.255
ip_10.4.28.24_255.255.255.255
10.4.28.26 255.255.255.255
ip_10.4.28.26_255.255.255.255
10.4.28.28 255.255.255.255
ip_10.4.28.28_255.255.255.255
10.4.28.32 255.255.255.255
ip_10.4.28.32_255.255.255.255
10.4.28.33 255.255.255.255
ip_10.4.28.33_255.255.255.255
10.4.28.51 255.255.255.255
ip_10.4.28.51_255.255.255.255
10.4.28.52 255.255.255.255
ip_10.4.28.52_255.255.255.255
10.4.28.54 255.255.255.255
ip_10.4.28.54_255.255.255.255
10.4.28.55 255.255.255.255
ip_10.4.28.55_255.255.255.255
10.4.28.57 255.255.255.255
ip_10.4.28.57_255.255.255.255
10.4.28.58 255.255.255.255
ip_10.4.28.58_255.255.255.255
10.4.28.61 255.255.255.255
ip_10.4.28.61_255.255.255.255
10.4.28.62 255.255.255.255
ip_10.4.28.62_255.255.255.255
10.4.28.68 255.255.255.255
ip_10.4.28.68_255.255.255.255
10.4.28.86 255.255.255.255
ip_10.4.28.86_255.255.255.255
10.4.28.87 255.255.255.255
ip_10.4.28.87_255.255.255.255
10.4.28.88 255.255.255.255
ip_10.4.28.88_255.255.255.255
10.4.29.145 255.255.255.255
ip_10.4.29.145_255.255.255.255
10.4.30.30 255.255.255.255
ip_10.4.30.30_255.255.255.255
10.4.4.102 255.255.255.255
ip_10.4.4.102_255.255.255.255
10.4.4.103 255.255.255.255
ip_10.4.4.103_255.255.255.255
10.4.4.106 255.255.255.255
ip_10.4.4.106_255.255.255.255
10.4.4.107 255.255.255.255
ip_10.4.4.107_255.255.255.255
10.4.4.62 255.255.255.255
ip_10.4.4.62_255.255.255.255
172.16.0.0 255.255.255.0
ip_172.16.0.0_255.255.255.0
172.16.0.10 255.255.255.255
ip_172.16.0.10_255.255.255.255
172.16.0.11 255.255.255.255
ip_172.16.0.11_255.255.255.255
172.16.0.12 255.255.255.255
ip_172.16.0.12_255.255.255.255
172.16.0.13 255.255.255.255
ip_172.16.0.13_255.255.255.255
172.16.0.142 255.255.255.255
ip_172.16.0.142_255.255.255.255
172.16.0.18 255.255.255.255
ip_172.16.0.18_255.255.255.255
172.16.0.1 255.255.255.255
ip_172.16.0.1_255.255.255.255
172.16.0.254 255.255.255.255
ip_172.16.0.254_255.255.255.255
172.16.0.3 255.255.255.255
ip_172.16.0.3_255.255.255.255
172.16.0.4 255.255.255.255
ip_172.16.0.4_255.255.255.255
172.16.0.7 255.255.255.255
ip_172.16.0.7_255.255.255.255
172.16.0.8 255.255.255.255
ip_172.16.0.8_255.255.255.255
172.16.0.9 255.255.255.255
ip_172.16.0.9_255.255.255.255
202.9.84.87 255.255.255.255
ip_202.9.84.87_255.255.255.255
210.245.12.219 255.255.255.255
ip_210.245.12.219_255.255.255.255
210.245.52.67 255.255.255.255
ip_210.245.52.67_255.255.255.255
210.245.61.209 255.255.255.255
ip_210.245.61.209_255.255.255.255
210.245.61.210 255.255.255.255
ip_210.245.61.210_255.255.255.255
210.245.61.211 255.255.255.255
ip_210.245.61.211_255.255.255.255
210.245.61.212 255.255.255.255
ip_210.245.61.212_255.255.255.255
210.245.61.213 255.255.255.255
ip_210.245.61.213_255.255.255.255
210.245.61.214 255.255.255.255
ip_210.245.61.214_255.255.255.255
210.245.61.216 255.255.255.255
ip_210.245.61.216_255.255.255.255
210.245.61.218 255.255.255.255
ip_210.245.61.218_255.255.255.255
210.245.61.219 255.255.255.255
ip_210.245.61.219_255.255.255.255
210.245.61.220 255.255.255.255
ip_210.245.61.220_255.255.255.255
210.245.85.21 255.255.255.255
ip_210.245.85.21_255.255.255.255
212.5.125.194 255.255.255.255
ip_212.5.125.194 255.255.255.255
10.0.0.0 255.0.0.0.
addr_10.0.0.0_255.0.0.0
172.16.0.0 255.255.0.0
addr_172.16.0.0_255.255.0.0
172.16.0.11 255.255.255.255
addr_172.16.0.11_255.255.255.255
172.16.0.12 255.255.255.255
addr_172.16.0.12_255.255.255.255
172.16.0.13 255.255.255.255
addr_172.16.0.13_255.255.255.255
172.16.0.7 255.255.255.255
addr_172.16.0.7_255.255.255.255
192.168.4.0
addr_192.168.4.0_255.255.255.0

!
0"" C#"
?
O
N
""##
DAE@EFAEGH
. B#*
G??EG??EG??EG@H
-#
05;2.;./
!
GDAEG@?ENDEGGD G??EG??EG??EG@A
DPGEDNEAED
G??EG??EG??EA
:2/;5
!
;cQ !
DAE@EFAEHD
G??EG??EG??EA

!.;5<

config system interface
edit port1
set vdom "root"
set alias "INSIDE interface"
set type physical
set status up
next
edit port2
set vdom "root"
set alias "INSIDE Interface"
set type physical
set status up
next
edit Redundant_Inside
set vdom "root"
set alias "REDUNDANT FOR INSIDE INTERFACE"
set allowaccess ping https ssh snmp http telnet
set ip 10.4.30.28 255.255.255.248
set type redundant
set member port1 port2
set status up
.
$ D I G
J
""
!E KL M ,
#"
KL M ,: #"
KL M ,;cQ
KL M ,
&-c-
!:2/;5<

edit port5
set vdom "root"
set alias "OUTSIDE Interface"
set ip 210.245.61.221 255.255.255.240
set type physical
set status up
!;cQ<

edit port9
set vdom "root"
set alias "DMZ Interface"
set ip 172.16.0.1 255.255.255.0
set type physical
set status up
!*L M ,&-c-<

edit port6
set vdom "root"
et alias "ISA Server"
set ip 10.4.30.81 255.255.255.0
set type physical
set status up

>??@A<
object-group network IRS_Server
network-object 10.4.4.62 255.255.255.255
network-object 10.4.4.102 255.255.255.255
network-object 10.4.4.103 255.255.255.255
network-object 10.4.4.106 255.255.255.255
network-object 10.4.4.107 255.255.255.255
network-object 10.18.4.7 255.255.255.255
network-object 10.18.4.8 255.255.255.255
object-group network DM_INLINE_NETWORK_1
network-object host 10.4.30.30
network-object host SHB_SV
network-object host SHB_SV
network-object host SHB_SV445

> <

config firewall addrgrp
edit "DM_INLINE_NETWORK_1"
set member ip_10.4.30.30_255.255.255.255
ip_172.16.0.10_255.255.255.255 SHB_SV
ip_172.16.0.8_255.255.255.255
next
set member ip_10.4.30.30_255.255.255.255
ip_172.16.0.10_255.255.255.255 SHB_SV
ip_172.16.0.8_255.255.255.255
next
set member ip_10.4.30.30_255.255.255.255
ip_172.16.0.10_255.255.255.255 ip_172.16.0.8_255.255.255.255
next
edit "IRS_Server"
set member ip_10.4.4.62_255.255.255.255
ip_10.4.4.102_255.255.255.255 ip_10.4.4.103_255.255.255.255
ip_10.4.4.106_255.255.255.255 ip_10.4.4.107_255.255.255.255
ip_10.18.4.7_255.255.255.255 ip_10.18.4.8_255.255.255.255
next
end

. < Fortigate c mt danh sch nh ngha trc cc service. Cu hnh service
trong policy tham chiu n tn service . Vi cc service khng c nh ngha
sn, ta t nh ngha cc service tng ng vi port service nh sau:

6=" $ @@P<
config firewall service custom
edit "tcp_447-447"
set protocol TCP/UDP
set TCP-portrange 1-65535:447-447

66
447
1433
35001
444
446
447
50636
5800
7002
7017
8000
8002
8004
8686
8888
9012
-
TCP
B
tcp_sqlnet
TCP
tcp_447-447
TCP
tcp_1433-1433
TCP
tcp_35001-35001
TCP
tcp_444-444
TCP
tcp_446-446
TCP
tcp_447-447
TCP
tcp_50636-50636
TCP
tcp_5800-5800
TCP
tcp_7002-7002
TCP
tcp_7017-7017
TCP
tcp_8000-8000
TCP
tcp_8002-8002
TCP
tcp_8004-8004
TCP
tcp_8686-8686
TCP
tcp_8888-8888
TCP
tcp_9012-9012
25
445
8000
ESP
UDP
udp_25-25
UDP
udp_445-445
UDP
udp_8000-8000
IP
PROTOCOL_esp
i vi mt s policy c cng ""## I ;#

""##, ch khc nhau v # $ , ta s nhm cc service port thnh mt
#$ n gin vic cu hnh policy.

<
config firewall service group
edit Service_210.245.61.216
set member HTTP HTTPS tcp_444-444
Source IP
Destination IP
Service
Service group
ANY
210.245.61.216
www, https, 444
Service_210.245.61.216
ANY
210.245.61.218
www, 8000, https
Service_210.245.61.218
ANY
210.245.61.209
domain, smtp
Service_210.245.61.209
ANY
210.245.61.210
smtp, https, www, Service_210.245.61.210

isakmp, 4500, 1701,
pptp
202.9.84.87
210.245.61.220
8002, 447
Service_210.245.61.220
ANY
210.245.61.214
https, www
Service_210.245.61.214
172.16.0.142
10.4.28.58
Sqlnet, 8024
Service_10.4.28.58
172.16.0.4
10.4.28.54
7017, https, 7002
Service_10.4.28.54
172.16.0.4
10.4.28.55
7017, https, 7002
Service_10.4.28.55
172.16.0.7
10.4.28.54
8024, 7017
Service_172.16.0.7
SHB_SV
10.4.28.28
1433, sqlnet
Service_10.4.28.28
172.16.0.142
10.4.28.57
sqlnet, 8024
Service_10.4.28.57
172.16.0.12
ANY
https,www, domain, Service_172.16.0.12

smtp
ANY
10.4.28.21
Smtp, 50636, 25
Service_10.4.28.21
172.16.0.7
10.0.0.0/8
www, 3389
Service_172.16.0.7

Virtual IP c dng map a ch IP global vi mt a ch IP Inside.
Dng trong trng hp static NAT. Sau khi cu hnh Virtual IP, ta s cu hnh
policy tng ng vi Virtual IP.
/><

static (;cQ,:2/;5) TCP GDAEG@?ENDEGDG 8686 DPGEDNEAEGHNHN netmask 255.255.255.255

/>
@

u u u u
u u

@
$-1<
edit DADHN
set srcintf $ ?
set dstintf $ O
set srcaddr all
set dstaddr CGDAEG@?ENDEGDGCHNHN
set status enable
set action accept

set schedule always
set service ANY
set logtraffic disable
set comments Static_Nat
Da trn cu hnh static NAT trn ASA, ta thnh lp c bng sau:
-1;<s th t policy trong file 6;:cC0::/
!
DMZ
DMZ
INSIDE
INSIDE
INSIDE
ISA
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
R-&-
#"
6 -
OUTSIDE
210.245.61.212
172.16.0.2
v_210.245.61.212_8686
-1
;
DADHN
OUTSIDE
210.245.61.212
172.16.0.19
v_210.245.61.212_9012
10185
DMZ
172.16.0.80
10.4.28.19
v_172.16.0.80
10142
DMZ
10.4.28.21
10.4.28.21
v_10.4.28.21
10164
DMZ
10.4.28.13
10.4.28.13
v_10.4.28.13
10165
OUTSIDE
210.245.61.210
10.4.30.82
v_210.245.61.210
10143
DMZ
172.16.0.125
10.4.28.25
v_172.16.0.125
10144
DMZ
172.16.0.168
10.4.29.30
v_172.16.0.168
10145
DMZ
192.168.131.1
192.168.131.1 v_192.168.131.1
10184
DMZ
10.4.28.33
10.4.28.33
v_10.4.28.33
10166
DMZ
10.4.28.32
10.4.28.32
v_10.4.28.32
10167
DMZ
10.4.28.68
10.4.28.68
v_10.4.28.68
10168
DMZ
10.4.28.51
10.4.28.51
v_10.4.28.51
10169
DMZ
10.4.28.52
10.4.28.52
v_10.4.28.52
10170
DMZ
10.4.28.26
10.4.28.26
v_10.4.28.26
10171
DMZ
10.4.28.61
10.4.28.61
v_10.4.28.61
10173
DMZ
10.4.28.62
10.4.28.62
v_10.4.28.62
10174
DMZ
10.4.28.28
10.4.28.28
v_10.4.28.28
10172
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
DMZ
DMZ
DMZ
DMZ
DMZ
DMZ
DMZ
DMZ
INSIDE
DMZ
10.4.28.54
10.4.28.54
v_10.4.28.54
10175
DMZ
10.4.28.55
10.4.28.55
v_10.4.28.55
10176
DMZ
10.4.28.90
10.4.28.90
v_10.4.28.90
10177
DMZ
10.4.28.86
10.4.28.86
v_10.4.28.86
10178
DMZ
10.4.28.87
10.4.28.87
v_10.4.28.87
10179
DMZ
10.4.28.58
10.4.28.58
v_10.4.28.58
10180
DMZ
10.4.28.24
10.4.28.24
v_10.4.28.24
10181
DMZ
10.4.28.88
10.4.28.88
v_10.4.28.88
10182
DMZ
10.4.28.57
10.4.28.57
v_10.4.28.57
10183
OUTSIDE
210.245.61.211
10.4.29.48
v_210.245.61.211
10146
DMZ
10.18.28.6
10.18.28.6
v_10.18.28.6
10158
DMZ
10.18.4.7
10.18.4.7
v_10.18.4.7
10159
DMZ
10.18.4.8
10.18.4.8
v_10.18.4.8
10160
DMZ
10.4.4.102
10.4.4.102
v_10.4.4.102
10161
DMZ
10.4.4.106
10.4.4.106
v_10.4.4.106
10162
DMZ
10.4.4.107
10.4.4.107
v_10.4.4.107
10163
INSIDE
10.4.30.30
172.16.0.7
v_10.4.30.30
10147
OUTSIDE
210.245.61.216
SHB_SV
v_210.245.61.216
10148
OUTSIDE
210.245.61.218
172.16.0.8
v_210.245.61.218
10150
OUTSIDE
210.245.61.219
172.16.0.10
v_210.245.61.219
10151
OUTSIDE
210.245.61.220
172.16.0.142
v_210.245.61.220
10152
OUTSIDE
210.245.61.209
172.16.0.12
v_210.245.61.209
10153
OUTSIDE
210.245.61.213
172.16.0.18
v_210.245.61.213
10154
OUTSIDE
210.245.61.214
172.16.0.3
v_210.245.61.214
10155
DMZ
10.4.24.250
10.4.24.250
v_10.4.24.250
10156
INSIDE
DMZ
10.10.12.10
10.10.12.10
v_10.10.12.10
10157

/><
nat (.;5) 1 10.0.0.0 255.0.0.0
global (:2/;5) 1 interface
/> <cu hnh policy vi tham s S &-T
edit 10187
set srcintf Redundant_Inside
set dstintf port5
set srcaddr addr_10.0.0.0_255.0.0.0
set dstaddr all
set status enable
set action accept
set schedule always
set service ANY
set &-
set comments NAT_INSIDE_TO_OUTSIDE_ID_1
Source inteface
#"
Inside
Inside
Inside
Inside
Dmz
Dmz
Destination
interface
: #"
Source Address
Policy ID
10.0.0.0/8
NAT
Address
IPs port Outside
Outside
192.168.4.0/24
IPs port Outside
10188
Dmz
192.168.4.0/24
172.16.0.254
10189
Dmz
10.0.0.0/8
172.16.0.254
10190
Outside
10.4.28.17/32
210.245.61.215
10191
Outside
172.16.0.7/32
210.245.61.215
10192
Outside
172.16.0.11/32
IPs port Outside
10193
10187
Dmz
Dmz
Dmz
Outside
172.16.0.12/32
IPs port Outside
10194
Outside
172.16.0.13/32
IPs port Outside
10195
Outside
172.16.0.0/16
IPs port Outside
10196

><
route OUTSIDE 0.0.0.0 0.0.0.0 210.245.61.222 1
route INSIDE 10.0.0.0 255.0.0.0 10.4.30.25 1
route OUTSIDE OnePay_SV 255.255.255.255 210.245.61.222 1
route INSIDE 192.168.4.0 255.255.255.0 10.4.30.25 1
route INSIDE 192.168.131.1 255.255.255.255 10.4.30.25 1
> <
config router static
edit 1
set device port5
set dst 0.0.0.0 0.0.0.0
set gateway 210.245.61.222
set distance 1
next
edit 2
set device Redundant_Inside
set dst 10.0.0.0 255.0.0.0
set gateway 10.4.30.25
set distance 1
next
edit 3
set device port5
set dst 10.36.71.101 255.255.255.255
set gateway 210.245.61.222
set distance 1
next
edit 4
set dst 192.168.4.0 255.255.255.0

set distance 1
next
edit 5
set dst 192.168.131.1 255.255.255.255
set distance 1
next
end

-1B: 100
/><
access-list 100 extended permit icmp any any

/> <
config firewall policy
edit DAAAA
set srcintf port5
set dstintf any
set srcaddr all
set dstaddr all
set status enable
set action accept
set schedule always
set service ICMP_ANY
set comments 100
-
ICMP
TCP
TCP
TCP
TCP
TCP/UDP
TCP/UDP
TCP/UDP
TCP
TCP
TCP
ESP
TCP
TCP
TCP
TCP
TCP

;#
U
-1
;
DAAAA
ANY
ANY
212.5.125.194
210.245.61.211
8888
10001
210.245.12.219
210.245.61.216
446
10002
210.245.85.21
210.245.61.216
8004
10003
ANY
210.245.61.216
www, https
10004
ANY
210.245.61.218
www, 8000, https
10006
ANY
210.245.61.209
domain, smtp
10008
ANY
210.245.61.210
stmp, https, www, isakmp,

4500, 1701, pptp
10011
210.245.52.67
210.245.61.220
8002
10015
202.9.84.87
210.245.61.220
8002. 447
10016
ANY
210.245.61.220
www
10018
ANY
210.245.61.210
ANY
210.245.61.216
444
10024
ANY
210.245.61.219
8000
10125
ANY
210.245.61.213
ftp
10026
ANY
210.245.61.214
https, www
10027
ANY
210.245.61.212
8686, 9012
10029
10019
-1B: INSIDE_access_in
-
TCP
TCP
TCP
TCP

;#
U
-1;
10.4.29.145
DM_INLINE_NETWORK_1
5900
10023, 10024
ANY
DM_INLINE_NETWORK_2
5900
10025,10026
ANY
DM_INLINE_NETWORK_3
5800
10027,10028
ANY
ANY
IP
10029

-1B: acl_dmz_in
/><
access-list acl_dmz_in extended permit UDP any host 10.4.24.250 eq 445
/> <
edit DAAFD
set srcintf port9
set dstintf Redundant_Inside
set srcaddr all
set dstaddr ip_10.4.24.250_255.255.255.255
set status enable
set action accept
set schedule always
set service udp_445-445
set comments acl_dmz_in
-
UDP
TCP
TCP
UDP

;#
U
-1;
ANY
10.4.24.250
445
DAAFD
172.16.0.7
10.255.252.28
ftp
10032
SHB_SV
10.255.252.5
35001
10033
172.16.0.18
10.4.28.13
domain
10034
172.16.0.18
10.4.28.14
domian
10035
172.16.0.3
172.16.0.254
ftp
10036
SHB_SV
OnePay_SV
447
10037
172.16.0.18
ANY
172.16.0.142
10.4.28.88
sqlnet
10039
172.16.0.9
10.4.28.58
sqlnet
10041
172.16.0.142
10.10.12.10
www
10042
172.16.0.142
10.4.28.58
sqlnet, 8024
10043
172.16.0.8
10.4.28.87
sqlnet
10045
SHB_SV
10.4.28.87
sqlnet
10046
SHB_SV
10.4.28.86
sqlnet
10047
172.16.0.8
10.4.28.86
sqlnet
10048
172.16.0.8
10.4.28.54
8024
10049
172.16.0.7
10.4.28.55
8024
10050
172.16.0.8
10.4.28.55
8024
10051
SHB_SV
10.4.28.55
8024
10052
SHB_SV
10.4.28.54
8024
10053
TCP
172.16.0.4
10.4.28.54
TCP
172.16.0.4
172.16.0.7
10.4.28.55
10.4.28.54
172.16.0.142
UDP
TCP
TCP
IP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
10038
7017, https, 7002 10054

7017, https, 7002 10055
8024, 7017
10060
10.4.28.28
sqlnet
10062
SHB_SV
10.0.0.0/8
www
10063
SHB_SV
10.4.28.61
sqlnet
10064
SHB_SV
10.4.28.62
sqlnet
10065
SHB_SV
10.4.28.52
sqlnet
10066
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
SHB_SV
10.4.28.51
sqlnet
10067
172.16.0.8
10.4.28.61
sqlnet
10068
172.16.0.8
10.4.28.62
sqlnet
10069
172.16.0.8
10.4.28.52
sqlnet
10070
172.16.0.8
10.4.28.51
sqlnet
10071
172.16.0.9
10.4.28.61
sqlnet
10072
172.16.0.10
10.4.28.61
sqlnet
10073
172.16.0.9
10.4.28.62
sqlnet
10074
172.16.0.10
10.4.28.62
sqlnet
10075
172.16.0.10
10.4.28.52
sqlnet
10076
172.16.0.10
10.4.28.51
sqlnet
10077
172.16.0.7
10.4.28.28
1433
10078
172.16.0.9
10.4.28.28
sqlnet
10079
172.16.0.10
10.4.28.28
sqlnet
10080
172.16.0.8
10.4.28.28
sqlnet
10081
172.16.0.7
10.4.28.61
sqlnet
10082
172.16.0.7
10.4.28.62
sqlnet
10083
172.16.0.7
10.4.28.52
sqlnet
10084
172.16.0.7
10.4.28.51
sqlnet
10085
172.16.0.7
10.4.28.28
sqlnet
10086
SHB_SV
10.4.28.28
1433, sqlnet
10087
172.16.0.7
172.16.0.10
10.4.28.26
10.4.28.26
8888
10089
8888
10090
172.16.0.9
10.4.28.24
sqlnet
10091
172.16.0.142
10.4.28.24
sqlnet
10092
TCP
TCP
TCP
TCP
TCP
TCP
IP
IP
TCP
UDP
TCP
TCP
IP
TCP
TCP
IP
IP
TCP
TCP
TCP
IP
IP
172.16.0.10
10.4.28.24
sqlnet
10093
172.16.0.7
10.4.28.24
sqlnet
10094
SHB_SV
10.4.28.24
sqlnet
10095
172.16.0.8
10.4.28.24
sqlnet
10096
172.16.0.9
10.4.28.57
sqlnet
10097
172.16.0.142
10.4.28.57
sqlnet, 8024
10098
ANY
host 10.4.28.52
10100
ANY
10.4.28.51
10101
ANY
10.4.28.68
50636
10102
172.16.0.13
10.4.28.21
445
10103
ANY
10.4.28.68
Stmp
10104
ANY
10.4.28.32
8024
10105
ANY
10.4.28.32
172.16.0.12
ANY
ANY
10.4.28.33
ANY
10.4.28.33
10110
172.16.0.12
ANY
10114
172.16.0.11
172.16.0.1
ssh
10115
ANY
10.4.28.21
smtp, 50636, 25
10116
172.16.0.7
10.0.0.0/8
www, 3389
10119
172.16.0.0/24
10.0.0.0/8
10121
ANY
ANY
10122
10106
https, www,
domain, smtp
sqlnet
10107
10109

config user local
edit "anhnc"
set type password
set passwd cisco@123
next
edit "cisco"
set type password
set passwd cisco@123
next
config user group
edit "local_usrgrp"
set group-type firewall
set profile unfiltered
set member anhnc cisco
next
end

config vpn ipsec phase1
edit "OUTSIDE_map01_p"
set type static
set remote-gw 202.9.84.2
set interface port5
set mode main
set authmethod psk
set psksecret 123456
set proposal aes256-sha1
set keylife 86400
set dhgrp 2
next
end
config vpn ipsec phase2

edit "OUTSIDE_map01"
set phase1name OUTSIDE_map01_p
set proposal aes256-sha1
set keylife-type seconds
set keylifeseconds 1800
set pfs disable
next
Cu hnh policy dnh cho VPN
edit 60000
set srcintf port9
set dstintf port5
set srcaddr SHB_SV
set dstaddr OnePay_SV
set status enable
set action ipsec
set schedule always
set service ANY
set comments OUTSIDE_1_cryptomap
set inbound enable
set outbound enable
set vpntunnel OUTSIDE_map01_p

!
0"" C#"C;
H
-#
.
05;2.;./ ! $ FI@ J
"" !EKL M ,
#"
:2/;5 !
KL M ,V1

hot ng ch #$ , do cc interface khng
c gn a ch IP.
!05;2.;./<
config system interface
edit port3
set vdom "adsl"
set alias "INSIDE interface"
set type physical
set status up
next
edit port4
set vdom "adsl"
set alias "INSIDE Interface"
set type physical
set status up
next
edit 0"" C#"C;
set vdom " adsl "
set alias "REDUNDANT FOR INSIDE INTERFACE"
set allowaccess ping https ssh http telnet
set member port3 port4
set type redundant
set status up
!:2/;5<

edit port8
set vdom "adsl"
set alias "OUTSIDE Interface"
set type physical
set status up

config firewall policy
edit 10000
set srcintf Redundant_Inside_ADSL
set dstintf port8
set srcaddr all
set dstaddr all
set status enable
set action accept
set schedule always
set service ANY
set comments ADSL_policy
next

Fortigate Ver 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortigate Ver 1

Uploaded by

Copyright:

Available Formats

c

Cu hnh VDOM Root ........................................................................................... 2

   >  <

   ! . ;5<

   !:2/ ;5<

   !;cQ<

   !*L M ,  &-c-<

   >  <

i vi mt s policy c cng  ""## I ;#  

www, https, 444

www, 8000, https

smtp, https, www, Service_210.245.61.210

7017, https, 7002

7017, https, 7002

https,www, domain, Service_172.16.0.12

set action accept

IPs port Outside

IPs port Outside

IPs port Outside

IPs port Outside

IPs port Outside

set dst 192.168.4.0 255.255.255.0

;#  

www, 8000, https

stmp, https, www, isakmp,

;#  

;#  

7017, https, 7002 10054

config vpn ipsec phase2

   !:2/ ;5<

  

You might also like

> <

!.;5<

!:2/;5<

!;cQ<

!*L M ,&-c-<

> <

i vi mt s policy c cng ""## I ;#

;#

;#

;#

!:2/;5<