Diagram
- Open web browser
- 192.168.30.1
- User: admin
- Password: admin
- Login
- Network -> Interfaces
o Set the Port3 IP to 192.168.90.1/255.255.255.0. Allow access: PING, HTTPS, SSH, FMG-Access.
Enable DHCP Server.
- Policy & Object -> Firewall Policy (Allow from client to server)
o Create New
Name: Allow-client-to-server
Incoming Interface: port2
Outgoing Interface: port3
Source: all
Destination: all
Service: all
Action: Accept
OK
- Policy & Object -> Firewall Policy (Allow from server to client)
o Create New
Name: Allow-server-to-client
Incoming Interface: port3
Outgoing Interface: port2
Source: all
Destination: all
Service: all
Action: Accept
OK
- Log in to FortiGate
o NAT
Policy & Objects -> Firewall Policy
Create New
Name: SD-WAN
Incoming Interface: port3
Outgoing Interface: virtual-wan-link
Source: all
Destination: all
Schedule: always
Service: all
Action: Accept
Inspection Mode: Flow-based
NAT: enable
OK
- NGFWs
o Next-generation firewalls (NGFWs) play a critical role in cybersecurity architectures the
world over. As defending data and applications becomes more complicated, security
products built to withstand evolving threats also grow more powerful.
- Configure on FortiGate
o Log in to FortiGate
o Network -> Interfaces
Select Port1 -> Edit
Alias: ISP-1
Role: WAN
Addressing Mode: Manual
IP/Network Mask: 10.10.10.10/24
IPv4: PING
OK
Select Port2 -> Edit
Alias: ISP-2
Role: WAN
Addressing Mode: Manual
IP/Network Mask: 10.10.20.10/24
IPv4: PING
OK
Select Port3 -> Edit
Alias: ISP-3
Role: WAN
Addressing Mode: Manual
IP/Network Mask: 10.10.30.10/24
IPv4: PING
OK
Select Port4 -> Edit
Alias: Toward-Core-SW
Role: LAN
Addressing Mode: Manual
IP/Network Mask: 192.168.100.10/24
IPv4: HTTPS, PING, SNMP
OK
o Network -> SD-WAN
Status: Enable
SD-WAN Interface Members -> Add
Interface: ISP-1 (port1)
o Gateway: 10.10.10.100
o Status: Enable
Interface: ISP-2 (port2)
o Gateway: 10.10.20.100
o Status: Enable
Interface: ISP-3 (port3)
o Gateway: 10.10.30.100
o Status: Enable
SD-WAN Usage
o Bandwidth
Apply
o Network -> Performance SLA -> Create
Name: SLASDWAN
Protocol: Ping
Server: 8.8.8.8
Participants: ISP-1 (port1), ISP-2 (port2), ISP-3 (port3)
SLA Targets -> Add
Target1
o Latency threshold (Enable): 100 ms
o Jitter threshold (Enable): 100 ms
o Packet loss threshold: 2 %
Link Status
Check interval: 1 second(s)
Failures before inactive: 5
Restore link after: 5
Actions when inactive
Update static route (Enable)
OK
o Network -> SD-WAN Rules -> Select “sd-wan” -> Edit
Load Balancing Algorithm: Volume
ISP-1 (port1) 100
ISP-2 (port2) 100
ISP-3 (port3) 100
OK
o Network -> SD-WAN Rules -> Create New
Name: Users
Source address: -> + -> + -> Address ->
Name: Users
Type: Subnet
Subnet/IP Range: 192.168.10.0/24
Interface: Toward-Core-SW (port4)
Show in Address List (Enable)
Static Route Configuration (Enable)
OK
Select “Users”
Destination Address: all
Protocol number: ANY
Strategy: Best Quality
Interface preference: ISP-3 (port3), ISP-1 (port1), ISP-2 (port2)
Measured SLA: SLASDWAN
Quality criteria: Packet Loss
OK
o Network -> SD-WAN Rules -> Create New
Name: Managers
Source address: -> + -> + -> Address ->
Name: Managers
Type: Subnet
Subnet/IP Range: 192.168.20.0/24
Interface: Toward-Core-SW (port4)
Show in Address List (Enable)
Static Route Configuration (Enable)
OK
Select “Managers”
Destination address: all
Protocol number: ANY
Strategy: Best Quality
Interface preference: ISP-1 (port1), ISP-2 (port2), ISP-3 (port3)
Measured SLA: SLASDWAN
Quality criteria: Packet Loss
OK
o Network -> SD-WAN Rules -> Create New
Name: CEO
Source address: -> + -> + -> Address ->
Name: CEO
Type: Subnet
Subnet/IP Range: 192.168.30.0/24
Interface: Toward-Core-SW (port4)
Show in Address List (Enable)
Static Route Configuration (Enable)
OK
Select “CEO”
Destination address: all
Protocol number: ANY
Strategy: Best Quality
Interface preference: ISP-2 (port2), ISP-1 (port1), ISP-3 (port3)
Measured SLA: SLASDWAN
Quality criteria: Packet Loss
OK
o Network -> Static Routes -> Create New
Destination: Subnet
0.0.0.0/0.0.0.0
Interface: SD-WAN
Administrative Distance: 10
Status: Enabled
OK
o Network -> Static Routes -> Create New
Destination: Subnet
192.168.10.0/24
Interface: Toward-Core-SW (port4)
Gateway Address: 192.168.100.100
Administrative Distance: 10
Status: Enabled
OK
o Network -> Static Routes -> Create New
Destination: Subnet
192.168.20.0/24
Interface: Toward-Core-SW (port4)
Gateway Address: 192.168.100.100
Administrative Distance: 10
Status: Enabled
OK
o Network -> Static Routes -> Create New
Destination: Subnet
192.168.30.0/24
Interface: Toward-Core-SW (port4)
Gateway Address: 192.168.100.100
Administrative Distance: 10
Status: Enabled
OK
o Policy & Objects -> IPv4 Policy -> Create New
Name: Users
Incoming Interface: Toward-Core-SW (port4)
Outgoing Interface: SD-WAN
Source: Users
Destination: all
Schedule: always
Service: All
Action: Accept
NAT: Enable
IP Pool Configuration: Use Outgoing Interface Address
OK
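
An added example, not part of the original guide: the firewall policies above accept traffic with Source, Destination and Service left at "all", so a useful review step is to list which fields each accept rule leaves as wildcards. The sample is a constructed CLI rendering of two of the page's policies (policy IDs are assumed), and `parse_policies` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample (FortiOS CLI form of two policies above); policy IDs are assumed.
SAMPLE = """
config firewall policy
    edit 1
        set name "Allow-client-to-server"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "Users"
        set srcintf "port4"
        set dstintf "virtual-wan-link"
        set srcaddr "Users"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
end
"""
WILDCARDS = {"srcaddr": "all", "dstaddr": "all", "service": "ALL"}

def parse_policies(text):
    """Return one dict of 'set' key/value pairs per 'edit ... next' stanza."""
    policies, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("edit "):
            current = {"id": line.split()[1]}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and (m := re.match(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).replace('"', "")
    return policies

def audit(policies):
    """Map policy name -> fields left as wildcards, for accept rules only."""
    accept = [p for p in policies if p.get("action") == "accept"]
    found = {p.get("name", p["id"]): [f for f, w in WILDCARDS.items() if p.get(f) == w] for p in accept}
    return {name: fields for name, fields in found.items() if fields}

if __name__ == "__main__":
    print(audit(parse_policies(SAMPLE)))
```

A rule reported with all three fields, such as Allow-client-to-server, places no restriction on what crosses between the two interfaces; the Users rule is at least scoped to one source subnet.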