
NSE4 7.2 Infrastructure

Module 01.01 Intro

LAB Initial Config

Eduardo Aliaga
Initial password
Log in to the FortiGate console.
We are forced to set a password on the first login

Blank password

FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

New password is consultel

FortiGate-VM64-KVM #

FortiGate-VM64-KVM # exit

Test the new password

FortiGate-VM64-KVM login: admin
Password:
Welcome!

FortiGate-VM64-KVM #
Get system status
FortiGate-VM64-KVM # get system status

Version: FortiGate-VM64-KVM v7.2.0,build1157,220331 (GA.F)


Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEVHLUCBO5ZE6
License Status: Valid
Evaluation License Expires: Fri May 12 15:54:09 2023
VM Resources: 1 CPU/1 allowed, 997 MB RAM/2048 MB allowed
Log hard disk: Not available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1157
Release Version Information: GA
FortiOS x86-64: Yes
System time: Thu Apr 27 16:20:15 2023
Last reboot reason: power cycle
Configure port1
FortiGate-VM64-KVM # show system interface port1

config system interface


edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
end

The same config is shown in 2 different ways:

FortiGate-VM64-KVM # config system interface


FortiGate-VM64-KVM (interface) # show
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
end

“http” and “fgfm” are removed from the allowaccess command:
FortiGate-VM64-KVM (port1) # unselect allowaccess http fgfm

FortiGate-VM64-KVM (port1) # show | grep allowaccess


set allowaccess ping https ssh

The allowaccess command is removed completely:
FortiGate-VM64-KVM (port1) # unset allowaccess
FortiGate-VM64-KVM (port1) # show | grep allowaccess

FortiGate-VM64-KVM (port1) # end


Configure port3
FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port3

FortiGate-VM64-KVM (port3) # show


config system interface
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
next
end

FortiGate-VM64-KVM (port3) # set mode static


FortiGate-VM64-KVM (port3) # set ip 192.168.3.1/24
FortiGate-VM64-KVM (port3) # set allowaccess ping http

FortiGate-VM64-KVM (port3) # show


config system interface
edit "port3"
set vdom "root"
set ip 192.168.3.1 255.255.255.0
set allowaccess ping http
set type physical
set snmp-index 3
next
end

FortiGate-VM64-KVM (port3) # end

FortiGate-VM64-KVM # get system interface physical port3


== [onboard]
==[port3]
mode: static
ip: 192.168.3.1 255.255.255.0
ipv6: ::/0
status: up
speed: 10000Mbps (Duplex: full)
FEC: none
FEC_cap: none
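
Added example (not part of the original slides): a small Python audit that parses "show system interface" output like the listings above and reports interfaces whose allowaccess includes a cleartext management protocol, such as the http enabled on port3. The sample config is constructed from this lab's values; port2, the CLEARTEXT set and the function names are assumptions of this example.

```python
import re

# Management protocols that send admin credentials and sessions in cleartext.
CLEARTEXT = {"http", "telnet"}

# Constructed sample in the format printed by "show system interface" in this lab.
SAMPLE = '''config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh http fgfm
    next
    edit "port2"
    next
    edit "port3"
        set vdom "root"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping http
    next
end
'''

def parse_interfaces(text):
    """Return {interface: {setting: [values]}} from a 'config system interface' block."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
        elif line == "next":
            current = None  # leave the current "edit" entry
        elif current is not None and line.startswith("set "):
            parts = line.split()
            current[parts[1]] = [p.strip('"') for p in parts[2:]]
    return interfaces

def audit_allowaccess(text):
    """Return {interface: [cleartext protocols]} for interfaces that allow any."""
    findings = {}
    for name, settings in parse_interfaces(text).items():
        weak = CLEARTEXT & set(settings.get("allowaccess", []))
        if weak:
            findings[name] = sorted(weak)
    return findings

if __name__ == "__main__":
    for name, weak in audit_allowaccess(SAMPLE).items():
        print(f"{name}: cleartext management access enabled: {', '.join(weak)}")
```

An interface with no allowaccess line at all (port1 after "unset allowaccess", or the constructed port2) produces no finding.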
Log in to the MGMT-PC GUI and use Firefox to open http://192.168.3.1 on the FortiGate
GUI - Dashboard

At the same time we can check the FortiGate console


FortiGate-VM64-KVM # get system info admin status

Index User name Login type From


Logged in users: 2
USERNAME TYPE FROM TIME
admin console Thu Apr 27 18:33:15 2023

admin http 192.168.3.7 Thu Apr 27 18:34:16 2023


Configure Hostname and Timezone
Check before configuring hostname and timezone
FortiGate-VM64-KVM # show system global
config system global
set alias "FortiGate-VM64-KVM"
set hostname "FortiGate-VM64-KVM"
set timezone 04
end
System > Settings:
Change hostname and timezone

Find the “Apply” button at the very bottom

Check after configuring hostname and timezone


FG # show system global
config system global
set alias "FortiGate-VM64-KVM"
set hostname "FG"
set timezone 11
end
Cfg-Save Automatic vs Cfg-Save Manual
FG # show full-configuration system global | grep save
set cfg-save automatic
“cfg-save automatic” saves automatically to RAM and also to flash
FG # config system global
“?” is used to see the options
FG (global) # set cfg-save
automatic Automatically save config.
manual Manually save config.
revert Manually save config and revert the config when timeout.

FG (global) # set cfg-save manual

FG (global) # end

FG # config system global


“cfg-save manual” saves automatically to RAM but does not save to flash

FG (global) # set hostname FGtest
FG (global) # end

The config must be saved manually to flash

FGtest # execute cfg save

..config saved.

FGtest #
Cfg-Save Manual : There are unsaved changes (GUI)
System > Settings: The hostname is FGtest. We change it and set it to FG

Green Bar:
Set Cfg-Save back to Automatic
FG # show system global
config system global
set alias "FortiGate-VM64-KVM"
set cfg-save manual
set hostname "FG"
set timezone 11
end

FG # config system global

FG (global) # set cfg-save automatic

FG (global) # end

FG # show system global


config system global
set alias "FortiGate-VM64-KVM"
set hostname "FG"
set timezone 11
end
Feature Visibility

Note that the Network menu has many options, including RIP, OSPF, BGP

Disable the routing options that appear in the GUI

config system settings


set gui-dynamic-routing disable
end
Feature Visibility
The equivalent of what was done in the console on the previous page is to disable “Advanced Routing”
System > Feature Visibility:

Verify by going to the “Network” menu.

The RIP, OSPF, BGP options no longer appear
