Basic Fortigate Firewall Configuration.docx


7/22/2019 Basic Fortigate Firewall Configuration.docx (1/17)

Basic Fortigate Firewall Configuration

If you want to equip your network with an affordable firewall that is easy to administer, Fortigate is a good choice. The Fortigate range spans from the 20C up to the 5000 series, with chassis models for service-provider networks. For a medium-sized company, a Fortigate 200B is powerful enough to handle up to 10,000 concurrent sessions and multiple 100 Mbps internet links. These numbers are facts from my own real tests: the CPU of the firewall went up to 85% and memory utilization went up to 90%. Specs from Fortinet might differ because they state maximum capacity.

Anyway, this tutorial shows you where the firewall resides within your network and how to configure it, at a basic level, to work with your network. I will use a Fortigate 200B as the firewall in this tutorial.

Content at a glance

- Firewall basic knowledge
- Where to place the firewall?
- Connecting to Fortigate at the first time
- Configuring network interfaces
- Configuring Routing Table
- Configuring Firewall Policy

Firewall basic knowledge

A firewall basically has these configuration areas:

Interface: where the firewall communicates with other devices in your network. This could be the internal LAN, an extranet, or the internet. Basically, you allocate IP addresses to these interfaces.

Routing Table: where to send packets to. You can see a routing table on almost every network-capable device, such as ADSL routers, wireless routers, routers, firewalls, and even your PC (Mac, Windows, Linux).

Firewall Policy: what type of traffic is allowed or denied to pass through the firewall. This is the main part of a firewall, where you control access per IP/subnet. On advanced firewalls you will find policy components that are used to build firewall policies, such as schedules, bandwidth throttling, addresses, services, etc.

Operation Mode: NAT or Transparent. If you use the Fortigate as a firewall between your private network and a public network, NAT/Route mode is for this situation. If you place the firewall behind another firewall or within your internal network, Transparent mode can be used.

Source: http://www.plaintutorials.com/basic-fortigate-firewall-configuration/

Where to place the firewall?

There are some common topologies for placing a firewall within a network. In this tutorial, I will use a Dual-Homed Firewall topology.

In the Dual-Homed topology, the firewall is configured to handle everything, from controlling clients' internet access to site-to-site VPNs with business vendors. A Fortigate 200B is a very good candidate for this model, or you could choose Juniper or Cisco firewalls; it's all your decision.

[Figure: topology diagram referred to in the text below; http://www.plaintutorials.com/wp-content/uploads/2012/04/baiviet000199.png]

The firewall is placed right behind the ISP router. In this example, I assume that you're using a managed internet service with an ISP-provided router; therefore, the only thing you received from the ISP is the IP information. You have no access to the ISP router in the picture (even though it is shipped to and operated at your location). To access the internet, your network must point to the IP of this ISP router and use it as the internet gateway, or default gateway.

Connecting to Fortigate at the first time

The Fortigate 200B ships with 16 Ethernet ports in total. By default, the first 8 ports (1 to 8) work as an Ethernet switch, and the second 8 ports (9 to 16) work independently as single ports. The Ethernet switch has the default IP 192.168.1.99/24. You will use this IP to configure your Fortigate for the very first time.

- Connect a straight-through Cat-5 cable from your computer to port 9 of the unit.
- Set your computer's IP address to 192.168.1.x, subnet mask 255.255.255.0. Leave the Default Gateway and DNS settings of your network connection empty; you don't need them for now.
- Make sure you can PING the IP 192.168.1.99 from your computer.
- Connect to your new Fortigate by browsing to https://192.168.1.99


Could not access https

You might not be able to access the site https://192.168.1.99 of your firewall because, with factory settings, HTTPS is not enabled on Port 9 of the Fortigate 200B. You can still PING because PING is enabled by default on the management port (port 9). Execute these commands over your serial connection to the Fortigate to enable HTTPS on Port 9:

FG900A83901645649 # config system interface
FG900A83901645649 (interface) # edit port9
FG900A83901645649 (port9) # set allowaccess ping https
FG900A83901645649 (port9) # end

Login with username admin and no password.

Select a management IP for Fortigate

If you don't want to use the IP 192.168.1.99 because you don't want to change your computer's IP, you can change it to whatever IP address you want. First, connect to the Fortigate using the serial console and change the default IP address to something else using the Fortigate command line. The final step is to connect to the device using https.

Here are the commands that change the default IP address of the Fortigate:

FG900A83901645649 # config system interface
FG900A83901645649 (interface) # edit port9
FG900A83901645649 (port9) # set ip 192.168.100.253 255.255.255.0
FG900A83901645649 (port9) # end

See also: http://www.plaintutorials.com/connect-to-fortigate-firewall-using-serial-console-cable/

Configuring network interfaces

For the dual-homed topology, the Fortigate basically has only two interfaces. You need to configure both before you can go further.

The first interface is External. You can name it anything you like. If you want to use Port 10 as the External interface, connect the RJ45 cable from your ISP router to Port 10 of the Fortigate.

The IP address depends on your ISP router. I assume your ISP has assigned you a range of public IPs, for example 203.162.4.0/26, which means the usable IPs are from 203.162.4.1 to 203.162.4.63/26. The first IP of the range, 203.162.4.1, is assigned to the ISP router interface. The Fortigate External interface's IP can be any of the remaining IPs. Let's pick 203.162.4.2 and assign it to Port 10 on the Fortigate.

Step by step: how to configure the Fortigate external interface

- Go to Network > Interface.
- Select port10 and click Edit to open the interface properties dialog.


- Enter an Alias, a friendly name for Port10; you could use External as the interface name.
- Select Addressing mode as Manual, and type in the IP address 203.162.4.2 and subnet mask 255.255.255.192 (26-bit subnet mask).
- Tick to enable SSH and HTTPS. These two options allow you to connect to your Fortigate from the internet.

With the IP 203.162.4.2, a public IP, my Fortigate faces the internet directly. The firewall becomes a part of the internet. The ISP-managed router usually passes all traffic to the user end; therefore, the firewall is reachable by all internet users.

Keep your password strong

Whenever you expose your network to the internet, you expose it to unlimited risk of breach attempts. You will be the target of random or intentional brute-force password attacks. Using a long enough, strong password is good practice to keep your network secure. Moreover, you should rename the default username of your admin account. To see how to rename the default admin account on Fortigate, see my previous post.

See also: http://www.plaintutorials.com/rename-default-admin-account-in-fortinet-appliances/

The second interface is Internal, where the Fortigate connects to your local network. Assume that your local network has the IP range 192.168.100.0/24; the Fortigate internal interface's IP could then be 192.168.100.254. Assign the IP 192.168.100.254 to Port 11 on the Fortigate, and connect it to your local network switch.

Step by step: how to configure the Fortigate internal interface

- Go to Network > Interface.
- Select port11 and click Edit to open the interface properties dialog.


- Enter an Alias, a friendly name for Port11; you could use Internal as the interface name.
- Select Addressing mode as Manual, and type in the IP address 192.168.100.254 and subnet mask 255.255.255.0.
- Tick to enable SSH and HTTPS. These two options allow you to manage the Fortigate from any internal computer.
- Allow PING from the internal network for troubleshooting purposes.

Test the connectivity

It's time to test the connectivity between the Fortigate and both the External and Internal networks. From the Fortigate CLI, execute these commands to PING:

execute ping 203.162.4.1
execute ping 192.168.1.25

If both commands show replies, your connectivity is good and you can move on.


Configuring Routing Table

The routing table is the knowledge base of the Fortigate firewall. Fortigate supports both static and dynamic routes. You can add static routes manually under Router > Static Route. Fortigate supports RIP, OSPF, and BGP as dynamic routing protocols. In this tutorial, I will not touch dynamic routing.

Basically, a firewall must know all routes within your local network and to the internet. For example, if your local network consists of 192.168.100.0/24 and 192.168.20.0/24 (just as an example), you need two routes for these two networks, or one summary route that covers both.

The last routing entry processed is always the default route. The default route points to the gateway to which the firewall sends all traffic that matches no other route; it usually points to the default gateway. In this case, the default route points to 203.162.4.1, the IP of the ISP router. Traffic to the internet uses the default route because there are no specific routes for internet addresses.

Step by step: how to configure a static route on Fortigate

Follow these steps to configure the default route to point to 203.162.4.1. This route will send all internet traffic out to the ISP router.

- Go to Router > Static > Static Route. You will see one default route there, 0.0.0.0 0.0.0.0, pointing to 192.168.1.99 as the default gateway. We need to change this gateway.
- Select the default route and click Edit.


- Change the gateway IP to 203.162.4.1.
- Change Device to Port10 instead of Port9.
- Click OK to go back to the Static Route screen.

There is no need to create a static route for your directly connected network 192.168.100.0/255.255.255.0. Fortigate automatically adds a connected route for this network since it is already connected to port11.

The next step is to create a new route to your local network. The destination should be 192.168.200.0/255.255.255.0, and the device is port11. You only need to create a route to the .200 network if you really have it and it is not directly connected to the Fortigate.

- Go to Router > Static > Static Route.
- Click Create New.


- Destination IP is 192.168.200.0 with subnet mask 255.255.255.0.
- Device is port11.
- Gateway is 192.168.100.1, which is your internal router's interface.
- Click OK to go back to the Static Route screen.

Repeat the same steps as above to create more networks and routes as your network needs.

Configuring Firewall Policy

This is the coolest part of the game, where you control the incoming and outgoing traffic of your network. With Firewall Policy, you can allocate how much bandwidth you want to assign to each IP, network, or specific external IP. Fortigate supports schedules and fully customized service definitions. With these options, you can customize your network to match your needs.

For advanced configuration, Fortigate can act as an IPS to protect your network by deeply scanning the content and patterns of traffic packets. In this tutorial, I will not touch these advanced configurations.

Let's go through some basic firewall policies.

Allow everyone to access the full internet

By default, Fortigate has an implied policy that blocks everything, incoming and outgoing, from passing through the box. In older FortiOS 3.x versions, this implied policy was not shown to end users. From version 4.0, Fortigate users can see this implied policy. Because of this implied policy, Fortigate is not a plug-and-play firewall. To allow full internet access, at the very least you must create the following policy.


- Go to Firewall > Policy > Policy.
- Click Create New to create a new firewall policy.
- Source Interface: Port 11 (Internal)
- Source Address: all
- Destination Interface: Port 10 (External)
- Destination Address: all
- Action: Accept
- NAT: Enabled


- Click OK to finish the policy. You should have the same policy as I do here.

With this configuration, all devices in your internal network are allowed to traverse the Fortigate to the internet. Please note that since the Source address is all, any device that can reach the Fortigate through Port 11 is allowed to pass the firewall. This is not recommended. To be more specific, you should set the Source address to an IP range or IP subnet.

Allow a specific IP to access the full internet

To allow a specific IP to access the full internet, you need to create an Address object and assign this object to a firewall policy. Only the machine with this specific IP will match the policy and be able to access the internet.


To create a new Address object on Fortigate, select Firewall > Address > Address and click Create New.

- Address Name is any name you want; this tutorial uses Hao-PC. Do not use special characters such as / or *; they could cause your Fortigate to go crazy.
- Type: Subnet/IP Range
- Subnet/IP Range: 192.168.100.10 (just type the IP, with no subnet mask)
- Interface: Any


- Click OK to finish the new address.

Be careful with the subnet mask

When you create a new Address object on Fortigate, pay attention to the subnet mask of the IP. In this case, if I want only the IP 192.168.100.10 (a host on the 255.255.255.0 network) to access the internet, I enter only the IP 192.168.100.10. If you accidentally enter 192.168.100.10/24, it means your whole 192.168.100.0/24 network is able to access the internet. Fortigate interprets the subnet mask here in a way you might not expect: it doesn't care about the .10. It sees the /24 and automatically understands that the administrator wants to allow the whole subnet. Interesting.

The next step is to create a new Firewall Policy and select Hao-PC as the Source Address.

- Go back to Firewall > Policy > Policy. Instead of clicking the Create New button, you can right-click on the Port11 > Port10 section and select Insert from the pop-up menu. Fortigate creates a new firewall policy and puts it above the policy at your current mouse position.
- Fortigate fills in Port11 as Source Interface and Port10 as Destination Interface for you (because you right-clicked > Insert).
- Select Hao-PC as Source Address.
- Action: Allow
- NAT: enabled


- Click OK to finish the policy. You should have a new policy like this.
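To make the two policy behaviours in this section concrete (the implied deny that blocks everything on a fresh unit, and how the Hao-PC policy inserted above the catch-all "all" policy relates to it), here is an added Python model of first-match policy evaluation. It is not Fortigate code and not part of the tutorial; the policy names and the 203.0.113.10 destination (a documentation-range address standing in for an internet host) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str   # 'all' or an address object written as CIDR
    dst_addr: str   # 'all' or an address object written as CIDR
    action: str     # 'accept' or 'deny'
    nat: bool = False


def _matches(obj: str, ip: str) -> bool:
    """Does address object `obj` match the single address `ip`?"""
    return obj == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(
        obj, strict=False)


def _covers(obj: str, other: str) -> bool:
    """Does `obj` match everything that `other` matches?"""
    if obj == "all":
        return True
    if other == "all":
        return False
    return ipaddress.ip_network(other, strict=False).subnet_of(
        ipaddress.ip_network(obj, strict=False))


def evaluate(policies: List[Policy], src_intf: str, dst_intf: str,
             src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """The first policy from the top that matches the flow decides.
    A flow that matches nothing falls through to the implied deny, which
    is why a fresh unit passes no traffic until a policy exists."""
    for p in policies:
        if (p.src_intf == src_intf and p.dst_intf == dst_intf
                and _matches(p.src_addr, src_ip)
                and _matches(p.dst_addr, dst_ip)):
            return p.name, p.action
    return "implied", "deny"


def shadowed(policies: List[Policy]) -> List[str]:
    """Policies that can never be hit because an earlier policy on the same
    interface pair already covers their source and destination."""
    hidden = []
    for i, p in enumerate(policies):
        if any(e.src_intf == p.src_intf and e.dst_intf == p.dst_intf
               and _covers(e.src_addr, p.src_addr)
               and _covers(e.dst_addr, p.dst_addr) for e in policies[:i]):
            hidden.append(p.name)
    return hidden


# Constructed policy table modelling the tutorial after right-click > Insert:
# the Hao-PC policy sits above the catch-all policy created first.
# Policy names are illustrative, not taken from the tutorial.
TUTORIAL_POLICIES = [
    Policy("Hao-PC-to-internet", "port11", "port10",
           "192.168.100.10/32", "all", "accept", nat=True),
    Policy("Internal-all-to-internet", "port11", "port10",
           "all", "all", "accept", nat=True),
]
# The tightening the tutorial recommends: no 'all' source policy at all.
TIGHTENED = TUTORIAL_POLICIES[:1]
```

With the catch-all policy in place the Hao-PC policy only changes which rule a flow from 192.168.100.10 hits; with TIGHTENED, every other internal host falls to the implied deny, and if the catch-all were moved above Hao-PC, shadowed() reports the Hao-PC policy as unreachable.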

Allow a contiguous IP range to access the internet

For example, I'd like to allow an IP range from 192.168.100.40 to 192.168.100.100 to access the internet, or to be on the same Firewall Policy. Then I need to create an Address Range on Fortigate and use it as the Source Address. The key to creating an IP range in the Fortigate GUI is the square brackets [ ]. The range numbers are typed within these brackets: 192.168.100.[40-100] means all IPs from 40 to 100, including 192.168.100.40 and 192.168.100.100.

- Go to Firewall > Address > Address.
- Click Create New.
- Enter the IP range as below; please note the square bracket comes after the period.


- Click OK to finish the IP range.

Use this new Address Range as the Source Address in a Firewall Policy to allow this specific IP range to access the internet.

Define IP range using commands

You can also define an address range from the command line. Using the command line is clearer and, somehow, looks more professional.

FG900A83901645649 # config firewall address
FG900A83901645649 (address) # edit Range-40to100
new entry Range-40to100 added
FG900A83901645649 (Range-40to100) # set type iprange
FG900A83901645649 (Range-40to100) # set end-ip 192.168.100.100
FG900A83901645649 (Range-40to100) # set start-ip 192.168.100.40
FG900A83901645649 (Range-40to100) # next
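As an added example (not part of the tutorial and not Fortigate code), the following Python models how the address forms used in this tutorial are interpreted: a bare IP, the accidental 192.168.100.10/24 that matches the whole subnet (the pitfall from "Be careful with the subnet mask"), and the 192.168.100.[40-100] bracket range, and it emits the matching FortiOS CLI. The name check and usable_hosts function are my additions; the iprange commands are the ones shown above, while "set subnet <ip> <mask>" is the standard FortiOS command for subnet objects and does not appear on this page.

```python
import ipaddress
import re

# The GUI range syntax the tutorial uses: 192.168.100.[40-100]
_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def interpret(spec: str):
    """Return (kind, first_ip, last_ip); kind is 'host', 'subnet' or 'iprange'.

    A prefix length or dotted mask is handled as the tutorial describes:
    host bits are ignored and the whole network matches."""
    spec = spec.strip()
    m = _RANGE_RE.match(spec)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range in {spec!r}")
        return ("iprange", ipaddress.IPv4Address(f"{base}.{lo}"),
                ipaddress.IPv4Address(f"{base}.{hi}"))
    if "/" in spec or " " in spec:
        # '192.168.100.10/24' or '203.162.4.2 255.255.255.192'
        net = ipaddress.IPv4Network(spec.replace(" ", "/", 1), strict=False)
        kind = "host" if net.prefixlen == 32 else "subnet"
        return (kind, net.network_address, net.broadcast_address)
    addr = ipaddress.IPv4Address(spec)  # bare IP: a single /32 host
    return ("host", addr, addr)


def matched_count(spec: str) -> int:
    """Addresses the object really matches: 1 for a bare IP, 256 for /24."""
    _, first, last = interpret(spec)
    return int(last) - int(first) + 1


def host_bits_dropped(spec: str) -> bool:
    """True when a host was typed with a mask wider than /32, so the object
    silently widens to the whole subnet (the pitfall described above)."""
    kind, first, _ = interpret(spec)
    if kind != "subnet":
        return False
    typed = ipaddress.IPv4Address(re.split(r"[/ ]", spec.strip(), maxsplit=1)[0])
    return typed != first


def usable_hosts(spec: str):
    """First and last assignable host of a subnet (network/broadcast excluded)."""
    kind, first, last = interpret(spec)
    if kind != "subnet":
        return str(first), str(last)
    return str(first + 1), str(last - 1)


def to_cli(name: str, spec: str) -> str:
    """FortiOS CLI for the object: the iprange commands from the tutorial, or
    'set subnet <ip> <mask>' (standard FortiOS syntax) for host/subnet objects."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):  # no '/' or '*' in names
        raise ValueError("use only letters, digits, '-' and '_' in object names")
    kind, first, last = interpret(spec)
    lines = ["config firewall address", f"    edit {name}"]
    if kind == "iprange":
        lines += ["        set type iprange", f"        set start-ip {first}",
                  f"        set end-ip {last}"]
    else:
        net = next(ipaddress.summarize_address_range(first, last))
        lines.append(f"        set subnet {net.network_address} {net.netmask}")
    return "\n".join(lines + ["    next", "end"])
```

Running host_bits_dropped() over an address spec before creating the object is the check that catches a /24 typed where a single host was intended.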