
1. Diagram

2. Install Fortigate Firewall

- Execute factoryreset (CLI: execute factoryreset). After the reset the admin password is blank and FortiOS prompts for a new one at first login; set it before the WAN port is connected.
  User: admin, password: (blank)
- Configure the LAN interface and the hostname from the console:
  config system interface
      edit port2
          set ip 192.168.30.1 255.255.255.0
          set allowaccess ssh ping http https
      next
  end
  config system global
      set hostname Fwg1
  end
- Note: "allowaccess http" exposes the admin login over cleartext HTTP. Keep it for the lab only; on any interface that untrusted hosts can reach, allow https and ssh alone.
- Connect from the PC via web browser
o Open web browser
o https://192.168.30.1
o User: admin
o Password: (the admin password set after the factory reset)
o Login
o Begin
o Hostname: fwg
o OK
o Network Tab
 Interface
 Set the IP and configure each interface
 Port 1 set as DHCP (address and gateway from the ISP)
 Port 2 already set IP on step above
 Static Routes
 Destination: Subnet
o 0.0.0.0/0.0.0.0
 Gateway Address: Specify: gateway from ISP
 Interface: port1
 OK

3. Configure DHCP server and NAT in Fortigate (client access to the Internet)

- Login Fortigate
- Network -> Interfaces
o Double click "port2"
 Enable DHCP Server (address range inside 192.168.30.0/24, default gateway 192.168.30.1)
 OK
- Policy & Object -> Firewall Policy (Create NAT)
o Create New
 Name: Allow-Internet-Lan
 Incoming Interface: port2
 Outgoing Interface: port1
 Source: all
 Destination: all
 Schedule: always
 Service: all
 Action: Accept
 NAT: Enable (use outgoing interface address; without it the 192.168.30.0/24 source addresses are forwarded to the ISP unchanged and replies never come back)
 OK
4. Separate Network Server and Client in Fortigate Firewall

- Open web browser
- 192.168.30.1
- User: admin
- Password: admin
- Login
- Network -> Interfaces
o Set IP on Port3: 192.168.90.1/255.255.255.0. Allow access: Ping, HTTPS, SSH, FMG-Access, and Enable DHCP Server
- Policy & Object -> Firewall Policy (Allow from client to server)
o Create New
 Name: Allow-client-to-server
 Incoming Interface: port2
 Outgoing Interface: port3
 Source: all
 Destination: all
 Service: all
 Action: Accept
 OK
- Policy & Object -> Firewall Policy (Allow from server to client)
o Create New
 Name: Allow-server-to-client
 Incoming Interface: port3
 Outgoing Interface: port2
 Source: all
 Destination: all
 Service: all
 Action: Accept
 OK
- Note: the FortiGate is stateful, so replies to sessions that clients open are already allowed by the client-to-server policy; the server-to-client policy is only needed for sessions the servers start themselves (updates, backups, monitoring). With Source, Destination and Service all set to "all" in both directions the two networks are routed but not really separated. Once the lab works, narrow Destination to the server address objects and Service to the ports actually used, restrict the server-to-client policy to the few services servers must initiate, and leave NAT disabled on both (this is internal routing, not Internet access). Check from a client: ping 192.168.90.1 should succeed, and Log & Report -> Forward Traffic should show the session matched against "Allow-client-to-server".

5. Block website with web filter and application control in Fortigate

- Open web browser
- 192.168.30.1
- User: admin
- Password: admin
- Login
- Security Profiles
o Web Filter
 Double click "default"
 Enable "FortiGuard category-based filter"
o Select "Potentially Liable" -> Click "Block"
o Ex: Hacking -> Block
 Enable "URL Filter"
o Create New
o URL: web.facebook.com
o Type: Simple
o Action: Block
o Status: Enable
o OK
o Application Control
 Double click "default"
 Categories
o Set a category to Block where a whole category should be blocked
 Application and Filter Overrides
o Create New
o Type: Application
o Action: Block
o Search for facebook
o Select "Facebook"
o Add Selected
o Select any other applications that need blocking -> Add Selected
- Use the profiles just edited
o Policy & Objects -> Firewall Policy
 Double click on Allow-Internet-Lan (port2 -> port1)
 Enable "Web Filter": default
 Enable "Application Control": default
 SSL Inspection: certificate-inspection (required to match HTTPS sites such as web.facebook.com by hostname; deep-inspection is needed to see full URLs and requires the FortiGate CA certificate to be trusted on the clients)
 OK
- Check: from a client, browse to web.facebook.com and to a site in a blocked category; the FortiGate replacement page should appear and Log & Report -> Web Filter should show the block. FortiGuard category filtering needs a valid FortiGuard web filter licence and reachability to the FortiGuard servers; without them the category lookup fails and, with the profile's default "Allow websites when a rating error occurs" setting, those sites are allowed, so only the URL Filter entries are enforced.
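The policies built in sections 3 to 5 are easy to get wrong in the ways that matter: any/any/ALL between internal segments, an Internet-bound policy with no profiles or no SSL inspection, NAT forgotten. The script below is an added example, not part of the original notes and not Fortinet tooling. It parses a dump in the "show firewall policy" text form (the config/edit/set/next syntax used by the CLI block in section 2) and flags those conditions. The config text is constructed to mirror this lab's policies, and the assumption that port1 is the only ISP-facing interface is hard-coded.

```python
"""Added example (not from the original notes): audit FortiOS firewall policies
for the mistakes the sections above make easy."""
import re

# Assumption for this lab: port1 is the only ISP-facing interface.
WAN_INTERFACES = {"port1"}

# Constructed sample in 'show firewall policy' form, mirroring the lab's policies.
# Policy 3 is what Allow-Internet-Lan looks like once section 5's profiles are attached.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Allow-Internet-Lan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "Allow-client-to-server"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "Allow-Internet-Lan-filtered"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set application-list "default"
        set nat enable
    next
end
"""


def parse_policies(text):
    """Turn the config/edit/set/next text into a list of dicts, one per policy."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit (\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None:
            m = re.match(r"^set (\S+) (.+)$", line)
            if m:
                key, value = m.groups()
                quoted = re.findall(r'"([^"]*)"', value)   # "a" "b" -> ['a', 'b']
                current[key] = quoted if len(quoted) > 1 else (quoted[0] if quoted else value)
    return policies


def is_all(value):
    return value in ("all", "ALL")   # address object 'all' and service 'ALL'


def audit_policy(p):
    """Findings for one policy; an empty list means nothing to flag."""
    findings = []
    if p.get("action") != "accept":
        return findings                       # deny policies are not the problem here
    wide_open = all(is_all(p.get(k)) for k in ("srcaddr", "dstaddr", "service"))
    if p.get("dstintf") in WAN_INTERFACES:
        if p.get("nat") != "enable":
            findings.append("internet-bound without NAT: private sources leak to the ISP")
        if p.get("utm-status") != "enable" or "webfilter-profile" not in p:
            findings.append("internet-bound without web filter profile")
        elif "ssl-ssh-profile" not in p:
            findings.append("web filter without SSL inspection: HTTPS hosts are not matched")
    elif wide_open:
        findings.append("any/any/ALL between internal interfaces: segmentation is nominal only")
    return findings


def audit(text):
    """Map policy name -> findings for every policy in the dump."""
    return {p.get("name", f"policy {p['id']}"): audit_policy(p) for p in parse_policies(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

Run it against a real dump by saving the output of "show firewall policy" from the CLI to a file and passing that text to audit(). The parser only handles the flat set/next layout of firewall policies; nested tables (for example inside config system interface) would need a small stack, which is left out here on purpose.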

6. Fortigate Firewall Internet Balancing by WAN load balancing (SD-WAN)

- Login Fortigate

o Set Port 1 for ISP 1 and Port 2 for ISP 2


 Network -> Interfaces
 Double click “port1”
 Name: port1
 Alias: ISP1
 Role: WAN
 Addressing mode: Manual
 IP/Netmask: 10.10.10.2/24
 OK
 Double click “port2”
 Name: port2
 Alias: ISP2
 Role: WAN
 Addressing mode: DHCP
 OK

o Add port1 and port2 to SD-WAN


 Network -> SD-WAN
 Double click “virtual-wan-link”
 Interface members: +
 Create
o Interface: ISP1 (Port1)
o SD-WAN Zone: virtual-wan-link
o Gateway: 10.10.10.1
o Cost: 0
o OK
 Create
o Interface: ISP2 (Port2)
o SD-WAN Zone: virtual-wan-link
o Gateway: auto
o Cost: 0
o OK
 Interface members: Add
 ISP1 (Port1)
 ISP2 (Port2)
 OK

o Add Static Routes


 Network -> Static Routes
 Create New
 Destination: Subnet
o 0.0.0.0/0.0.0.0
o Interface: + -> Double click “virtual-wan-link”
o Status: Enabled
o OK

o NAT
 Policy & Objects -> Firewall Policy
 Create New
 Name: SD-WAN
 Incoming Interface: port3
 Outgoing Interface: virtual-wan-link
 Source: all
 Destination: all
 Schedule: always
 Service: all
 Action: Accept
 Inspection Mode: Flow-based
 NAT: enable
 OK

o Set SD-WAN Rules

 Network -> SD-WAN -> SD-WAN Rules
 Double click "sd-wan" (the implicit rule at the bottom of the list)
 Load Balancing Algorithm
o Source IP: sessions are spread across the members by source IP address range
o Session: sessions are spread across the members one by one, weighted by the speed of each ISP
o Spillover: traffic uses ISP 1 until its bandwidth limit is reached, then overflows to ISP 2
o Source-Destination IP: all sessions for the same source/destination pair use the same member, so traffic comes back on the link it went out on
o Volume: the members are weighted by ISP bandwidth (weight 1 and 1 splits traffic evenly)
 Choose Volume with weights 1 and 1 -> OK

o Set Performance SLAs (Packet Loss, Latency, Jitter)

 Performance SLA -> Create New
 Name: Check-Up-link
 Probe mode: Active
 Protocol: Ping
 Server: 1.1.1.1 and 8.8.8.8
 Participants: All SD-WAN Members
 SLA Target: Enable
o Latency threshold: Enable, 5 ms
o Jitter threshold: Enable, 5 ms
o Packet Loss threshold: Enable, 10 %
 Link Status
o Check interval: 1000 ms
o Failures before inactive: 5
o Restore link after: 5 check(s)
 Action when Inactive
o Update static route: Enable
 OK
 Note: 5 ms latency and jitter to public resolvers is stricter than most Internet links can meet, so every member will sit permanently out of SLA. Read the measured round-trip time on the Performance SLA page first and set the thresholds above the normal values; the 100 ms / 100 ms / 2 % targets used in section 8 are a more realistic starting point. "Update static route" is what actually removes a dead member from the default route, so leave it enabled.

o Send one VLAN out via ISP2

 Policy & Objects -> Addresses
 Create New -> Address Group
 Group name: To-ISP2
 Color: Yellow
 Type: Group
 Members: +
o Guest address (192.168.20.0/24)
 OK
 Network -> SD-WAN -> SD-WAN Rules
 Create New
 Name: To-ISP2
 Source
o Source address: To-ISP2
 Destination
o Address: all
o Protocol number: Any
 Outgoing Interfaces
o Manual
o Interface preference: ISP2 (port2)
 OK (place the rule above the default "sd-wan" rule; rules are matched top-down. Manual mode ignores SLA quality and only leaves ISP2 when the Performance SLA marks that member dead, after which traffic falls through to the next matching rule)

o Send one PC out via ISP2 by MAC address


 Policy & Objects -> Addresses
 Create New -> Address
 Name: Server1
 Color: Choose color you want
 Type: Device (MAC Address)
 MAC Address: Input Server1 MAC (28:39:26:A9:60:2F)
 Interface: any
 OK
 Double click “To-ISP2”
 Member: +
o Server1
 OK

o Block Server1 from accessing games in working time

 Policy & Objects -> Addresses
 Reuse the Server1 address object created in the previous step, or create it now:
 Create New -> Address
 Name: Server1
 Color: Choose color you want
 Type: Device (MAC Address)
 MAC Address: Input Server1 MAC (28:39:26:A9:60:2F)
 Interface: any
 OK
 Policy & Objects -> Firewall Policy
 Create New
 Name: For-Special-Device
 Incoming interface: vlan-staff
 Outgoing Interface: virtual-wan-link
 Source: + -> Server1
 Destination: all
 Schedule: always (to enforce only during working hours, create a Recurring schedule under Policy & Objects -> Schedules and select it here; outside the schedule this policy does not match and the traffic falls through to the next policy)
 Service: all
 Action: Accept
 Web Filter: For-staff
 Application Control: For-staff (the profiles that block the game categories; their contents are not shown in these notes)
 OK
 Note: this policy must sit above the general vlan-staff policy; policies are matched top-down and the first match wins. A MAC-address object only matches when the FortiGate sees the device's own source MAC, so vlan-staff must be directly attached with no router in between.
7. Fortinet Firewall High Availability | Active | Passive | Concept
- Architecture of a Typical Campus Network

- Why we need Firewall?

o A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks packets based on a set of security rules. It establishes a barrier between the internal network and traffic from external sources such as the Internet, blocking malicious traffic such as malware and attackers, and enforces an access control policy between networks.
- What is HA?
o High availability (HA) is a deployment in which two firewalls are placed in a group and
their configuration is synchronized to prevent a single point of failure on your network.
A heartbeat connection between the firewall peers ensures seamless failover in the
event that a peer goes down.

- NGFWs
o Next-generation firewalls (NGFWs) play a critical role in cybersecurity architectures the
world over. As defending data and applications become more complicated, security
products built to withstand evolving threats also grow more powerful.

- Lab Scenario For HA

o Configure Master firewall (HA)

 Set IP 172.16.80.1 and allow HTTP/HTTPS access
 Login 172.16.80.1
 System -> HA
 Mode: Active-Passive
 Device priority: 200 (Note: the higher priority becomes master only when "override" is enabled in the HA settings; by default the unit that has been up longer wins the election, so enable override on both units, or make sure the intended master has the longer uptime, for the priority to decide)
 Group name: Active-Passive
 Password: Admin@2021$ (must be identical on both units; it authenticates the heartbeat, so treat it like an admin password)
 Session pickup: enable
 Monitor interface: +
o Port3
o Port4
 Heartbeat interfaces: +
o Port3
o Port4
 OK
 Note: both units need the same model, firmware and licences. Heartbeat interfaces should be dedicated ports connected directly between the two units, and monitored interfaces should be the traffic ports whose link loss must trigger a failover; using port3 and port4 for both roles, as in this lab, is not what you want in production.

o Configure Slave firewall (HA)


 Set IP 172.16.81.1 and allow HTTP/HTTPS access
 Login 172.16.81.1
 System -> HA
 Mode: Active-Passive
 Device priority: 110
 Group name: Active-Passive
 Password: Admin@2021$
 Session pickup: enable
 Monitor interface: +
o Port3
o Port4
 Heartbeat interfaces: +
o Port3
o Port4
 OK
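The note "higher priority is master" above holds only under a specific setting, and a lab where the slave happens to be powered on first will elect the slave. The following is an added example, not part of the original notes and not Fortinet code: it reproduces the FortiGate primary-election order (monitored interfaces, then age or priority depending on override, then serial number) for the two units configured above. The uptimes are constructed, the serial numbers are placeholders, and it is assumed that the override setting is configured identically on both units, since it is not synchronised between them.

```python
"""Added example: which member of a two-unit FortiGate Active-Passive cluster becomes
primary, and why 'higher priority is master' only holds with override enabled."""
from dataclasses import dataclass

UPTIME_DIFF_MARGIN_S = 300   # FortiOS ha-uptime-diff-margin default (seconds)


@dataclass
class Unit:
    serial: str
    priority: int         # "Device priority" in System -> HA
    uptime_s: int         # how long the unit has been running (its HA "age")
    monitored_up: int     # monitored interfaces that currently have link


def elect_primary(a, b, override=False):
    """Return the unit FortiOS elects as primary.
    Order without override: 1) more monitored interfaces up, 2) age (uptime),
    ignoring differences within the margin, 3) device priority, 4) serial number.
    With 'override' enabled, priority is compared before age.
    Assumption: override is configured the same way on both units (it is not synced)."""
    def by_monitor():
        if a.monitored_up != b.monitored_up:
            return a if a.monitored_up > b.monitored_up else b

    def by_age():
        diff = a.uptime_s - b.uptime_s
        if abs(diff) > UPTIME_DIFF_MARGIN_S:
            return a if diff > 0 else b

    def by_priority():
        if a.priority != b.priority:
            return a if a.priority > b.priority else b

    def by_serial():
        return a if a.serial > b.serial else b   # highest serial number wins the tie

    order = ([by_monitor, by_priority, by_age, by_serial] if override
             else [by_monitor, by_age, by_priority, by_serial])
    for rule in order:
        winner = rule()
        if winner is not None:
            return winner


def lab_scenario():
    """The two units from the text: master with priority 200, slave with 110.
    Constructed uptimes: the slave was powered on an hour before the master."""
    master = Unit(serial="FGT-A", priority=200, uptime_s=600, monitored_up=2)
    slave = Unit(serial="FGT-B", priority=110, uptime_s=4200, monitored_up=2)
    slave_port_down = Unit(serial="FGT-B", priority=110, uptime_s=4200, monitored_up=1)
    return {
        "default": elect_primary(master, slave).serial,                       # FGT-B: older unit wins
        "with_override": elect_primary(master, slave, override=True).serial,  # FGT-A: priority wins
        "slave_monitored_port_down": elect_primary(master, slave_port_down).serial,  # FGT-A
    }


if __name__ == "__main__":
    for case, primary in lab_scenario().items():
        print(f"{case}: primary = {primary}")
```

On the device, "get system ha status" shows the current primary and the reason for the election; "config system ha / set override enable / end" on each unit is what makes the priority above decisive.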

8. SDWAN with 3 ISP


- Diagram

- Configure on Fortigate
o Login Fortigate
o Network -> Interfaces
 Select Port1 -> Edit
 Alias: ISP-1
 Role: WAN
 Addressing Mode: Manual
 IP/Network Mask: 10.10.10.10/24
 Administrative Access (IPv4): PING
 OK
 Select Port2 -> Edit
 Alias: ISP-2
 Role: WAN
 Addressing Mode: Manual
 IP/Network Mask: 10.10.20.10/24
 Administrative Access (IPv4): PING
 OK
 Select Port3 -> Edit
 Alias: ISP-3
 Role: WAN
 Addressing Mode: Manual
 IP/Network Mask: 10.10.30.10/24
 Administrative Access (IPv4): PING
 OK
 Select Port4 -> Edit
 Alias: Toward-Core-SW
 Role: LAN
 Addressing Mode: Manual
 IP/Network Mask: 192.168.100.10/24
 Administrative Access (IPv4): HTTPS, PING, SNMP
 OK
o Network -> SD-WAN
 Status: Enable
 SD-WAN Interface Members -> Add
 Interface: ISP-1 (port1)
o Gateway: 10.10.10.100
o Status: Enable
 Interface: ISP-2 (port2)
o Gateway: 10.10.20.100
o Status: Enable
 Interface: ISP-3 (port3)
o Gateway: 10.10.30.100
o Status: Enable
 SD-WAN Usage
o Bandwidth
 Apply
o Network -> Performance SLA -> Create
 Name: SLASDWAN
 Protocol: Ping
 Server: 8.8.8.8
 Participants: ISP-1 (port1), ISP-2 (port2), ISP-3 (port3)
 SLA Targets -> Add
 Target1
o Latency threshold (Enable): 100 ms
o Jitter threshold (Enable): 100 ms
o Packet loss threshold: 2 %
 Link Status
 Check interval: 1 second(s)
 Failures before inactive: 5
 Restore link after: 5
 Actions when inactive
 Update static route (Enable)
 OK
o Network -> SD-WAN Rules -> Select “sd-wan” -> Edit
 Load Balancing Algorithm: Volume
 ISP-1 (port1) 100
 ISP-2 (port2) 100
 ISP-3 (port3) 100
 OK
o Network -> SD-WAN Rules -> Create New
 Name: Users
 Source address: + -> Create -> Address
 Name: Users
 Type: Subnet
 Subnet/IP Range: 192.168.10.0/24
 Interface: Toward-Core-SW (port4)
 Show in Address List (Enable)
 Static Route Configuration (Enable)
 OK
 Select "Users"
 Destination Address: all
 Protocol number: ANY
 Strategy: Best Quality
 Interface preference: ISP-3 (port3), ISP-1 (port1), ISP-2 (port2)
 Measured SLA: SLASDWAN
 Quality criteria: Packet Loss
 OK
o Network -> SD-WAN Rules -> Create New
 Name: Managers
 Source address: + -> Create -> Address
 Name: Managers
 Type: Subnet
 Subnet/IP Range: 192.168.20.0/24
 Interface: Toward-Core-SW (port4)
 Show in Address List (Enable)
 Static Route Configuration (Enable)
 OK
 Select "Managers"
 Destination address: all
 Protocol number: ANY
 Strategy: Best Quality
 Interface preference: ISP-1 (port1), ISP-2 (port2), ISP-3 (port3)
 Measured SLA: SLASDWAN
 Quality criteria: Packet Loss
 OK
o Network -> SD-WAN Rules -> Create New
 Name: CEO
 Source address: + -> Create -> Address
 Name: CEO
 Type: Subnet
 Subnet/IP Range: 192.168.30.0/24
 Interface: Toward-Core-SW (port4)
 Show in Address List (Enable)
 Static Route Configuration (Enable)
 OK
 Select "CEO"
 Destination address: all
 Protocol number: ANY
 Strategy: Best Quality
 Interface preference: ISP-2 (port2), ISP-1 (port1), ISP-3 (port3)
 Measured SLA: SLASDWAN
 Quality criteria: Packet Loss
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 0.0.0.0/0.0.0.0
 Interface: SD-WAN
 Administrative Distance: 10
 Status: Enabled
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 192.168.10.0/24
 Interface: Toward-Core-SW (port4)
 Gateway Address: 192.168.100.100
 Administrative Distance: 10
 Status: Enabled
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 192.168.20.0/24
 Interface: Toward-Core-SW (port4)
 Gateway Address: 192.168.100.100
 Administrative Distance: 10
 Status: Enabled
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 192.168.30.0/24
 Interface: Toward-Core-SW (port4)
 Gateway Address: 192.168.100.100
 Administrative Distance: 10
 Status: Enabled
 OK
o Policy & Objects -> IPv4 Policy -> Create New
 Name: Users
 Incoming Interface: Toward-Core-SW (port4)
 Outgoing Interface: SD-WAN
 Source: Users
 Destination: all
 Schedule: always
 Service: All
 Action: Accept
 NAT: Enable
 IP Pool Configuration: Use Outgoing Interface Address
 OK
o Check: this policy only matches the Users address (192.168.10.0/24). Managers (192.168.20.0/24) and CEO (192.168.30.0/24) also need a policy from port4 to SD-WAN, either by adding their address objects to Source here or with one policy each; an SD-WAN rule only chooses the egress member, it does not permit the traffic. Verify member selection with "diagnose sys sdwan service" and SLA state with "diagnose sys sdwan health-check" on the CLI (on FortiOS 6.2 and earlier the keyword is "virtual-wan-link" instead of "sdwan").
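The Performance SLA settings in section 6 and in this section (check interval, "Failures before inactive", "Restore link after") and the "Best Quality" rules above together decide which ISP a session actually leaves on, and the GUI gives little feel for the timing. The code below is an added example, not part of the original notes and not Fortinet code: it models a member's dead/alive state from a sequence of probe results and picks the egress member for the Users rule (packet loss as the criterion, preference ISP-3, ISP-1, ISP-2). The probe values are constructed. One simplification is an assumption stated in the code: real FortiOS also treats quality values that differ by less than its link-cost-threshold as equal, which is not modelled here.

```python
"""Added example: how a FortiGate Performance SLA marks a member dead or restored,
and how a 'Best Quality' SD-WAN rule picks an outgoing member from measured loss."""
from dataclasses import dataclass, field


@dataclass
class SlaTarget:
    latency_ms: float   # "Latency threshold"
    jitter_ms: float    # "Jitter threshold"
    loss_pct: float     # "Packet loss threshold"


# The two SLA targets configured in the text.
CHECK_UP_LINK = SlaTarget(latency_ms=5, jitter_ms=5, loss_pct=10)
SLASDWAN = SlaTarget(latency_ms=100, jitter_ms=100, loss_pct=2)


@dataclass
class Member:
    name: str
    failures_before_inactive: int = 5   # "Failures before inactive"
    restore_after: int = 5              # "Restore link after N checks"
    alive: bool = True
    fail_streak: int = 0
    ok_streak: int = 0
    last_probe: dict = field(default_factory=dict)

    def observe(self, probe):
        """Feed one probe result: None when the server did not answer, otherwise a
        dict with latency_ms, jitter_ms and loss_pct. Returns the member's alive state."""
        if probe is None:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.alive and self.fail_streak >= self.failures_before_inactive:
                self.alive = False          # marked dead; "Update static route" withdraws it
        else:
            self.ok_streak += 1
            self.fail_streak = 0
            self.last_probe = probe
            if not self.alive and self.ok_streak >= self.restore_after:
                self.alive = True           # only after N consecutive good checks
        return self.alive

    def meets_sla(self, target):
        """True when the last probe satisfies every threshold of the target."""
        p = self.last_probe
        return bool(p) and (p["latency_ms"] <= target.latency_ms
                            and p["jitter_ms"] <= target.jitter_ms
                            and p["loss_pct"] <= target.loss_pct)


def best_quality(members, preference, criterion="loss_pct"):
    """Choose the egress member as a 'Best Quality' rule does: the live member with the
    lowest value of the criterion; equal values fall back to the Interface preference
    order. Returns the member name, or None when no member is live.
    Assumption/simplification: the FortiOS link-cost-threshold tolerance is not modelled."""
    rank = {name: i for i, name in enumerate(preference)}
    live = [m for m in members if m.alive and m.last_probe]
    if not live:
        return None
    return min(live, key=lambda m: (m.last_probe[criterion], rank.get(m.name, len(rank)))).name


def scenario():
    """Constructed probe sequence for the three-ISP lab; returns the chosen member
    at each stage so the behaviour can be checked."""
    isp1, isp2, isp3 = Member("ISP-1"), Member("ISP-2"), Member("ISP-3")
    members = [isp1, isp2, isp3]
    users_pref = ["ISP-3", "ISP-1", "ISP-2"]          # the 'Users' rule's preference
    good = {"latency_ms": 20, "jitter_ms": 2, "loss_pct": 0}
    stages = {}

    isp1.observe(good)
    isp2.observe({"latency_ms": 25, "jitter_ms": 3, "loss_pct": 0})
    isp3.observe({"latency_ms": 15, "jitter_ms": 1, "loss_pct": 3})
    stages["healthy"] = best_quality(members, users_pref)             # ISP-1: 0 % loss, preferred over ISP-2

    for _ in range(4):
        isp1.observe(None)
    stages["after_4_failures"] = best_quality(members, users_pref)    # still ISP-1, not yet inactive
    isp1.observe(None)
    stages["after_5_failures"] = best_quality(members, users_pref)    # ISP-2 takes over

    for _ in range(4):
        isp1.observe(good)
    stages["after_4_recoveries"] = best_quality(members, users_pref)  # ISP-2: not restored yet
    isp1.observe(good)
    stages["after_5_recoveries"] = best_quality(members, users_pref)  # ISP-1 again

    stages["isp1_meets_SLASDWAN"] = isp1.meets_sla(SLASDWAN)             # True
    stages["isp1_meets_Check_Up_link"] = isp1.meets_sla(CHECK_UP_LINK)   # False: 20 ms > 5 ms
    return stages


if __name__ == "__main__":
    for stage, result in scenario().items():
        print(f"{stage}: {result}")
```

With a 1 s check interval the numbers above mean a dead ISP is abandoned about five seconds after it stops answering and taken back only after five clean seconds, which is the hysteresis that stops a flapping link from bouncing sessions. The last two stages show why the 5 ms thresholds of section 6 would keep a perfectly usable link out of SLA while the 100 ms targets of this section would not.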
