Basic Fortigate Firewall Configuration
If you want to equip your network with an affordable firewall that is easy to administer, Fortigate is a good choice. The Fortigate range runs from the 20C up to the 5000 series, with chassis models for service provider networks. For a medium-sized company, a Fortigate 200B is powerful enough to handle up to 10,000 concurrent sessions and several 100Mbps internet links. These numbers are from my own real-world tests: the firewall's CPU went up to 85% and memory utilization up to 90%. Fortinet's specs may differ because they state maximum capacity. Anyway, this tutorial shows where the firewall sits in your network and how to configure it so that it works with your network. I will use a Fortigate 200B as the firewall in this tutorial.
Content at a glance

Firewall basic knowledge
Where to place the firewall?
Connecting to Fortigate for the first time
Configuring network interfaces
Configuring the routing table
Configuring firewall policy
Interface: where the firewall communicates with other devices in your network. This could be the internal LAN, an extranet, or the internet. Basically you allocate IP addresses to these interfaces.

Routing Table: where to send packets to. You can see a routing table on almost every network device, such as an ADSL router, a wireless router, routers, firewalls, and even your PC (Mac, Windows, Linux).

Firewall Policy: what type of traffic is allowed or denied to pass through the firewall. This is the main part of a firewall, where you control access per IP or subnet. On advanced firewalls you also find policy components used to build firewall policies, such as schedules, bandwidth throttling, address objects, service objects, etc. Anything not matched by a policy is dropped by the implicit deny at the bottom of the list.

Operation Mode: NAT or Transparent. If you use the Fortigate as a firewall between your private network and a public network, NAT/Route mode is for this situation: the Fortigate routes between its interfaces and translates private addresses. If you place the firewall behind another firewall or inside your internal network, Transparent mode can be used: the Fortigate then behaves like a bridge with no IP addresses on the data interfaces.
In the Dual-Homed topology, the firewall is configured to handle everything, from controlling clients' internet access to site-to-site VPNs with business partners. A Fortigate 200B is a very good candidate for this model. You could also choose Juniper or Cisco firewalls; it is all your decision.
The firewall is placed right behind the ISP router. In this example I assume that you are using a managed internet service with an ISP-provided router; therefore, the only thing you receive from the ISP is the IP information. You have no access to the ISP router in the picture (even if it is installed and operated at your location). To access the internet, your network must point to the IP of this ISP router and use it as the internet gateway, or default gateway.
Connecting to Fortigate for the first time: this is how you configure your Fortigate when it is fresh out of the box. Connect a straight-through Cat-5 cable from your computer to port 9 of the unit.
Set your computer's IP address to 192.168.1.x with subnet mask 255.255.255.0. Leave the default gateway and DNS settings of your network connection empty; you don't need them for now.
Make sure you can PING the IP 192.168.1.99 from your computer.
Connect to your new Fortigate by browsing to https://192.168.1.99
Could not access https? You might not be able to reach https://192.168.1.99 on your firewall because, with factory settings, port 9 of the Fortigate 200B does not have HTTPS enabled. You can still PING, because PING is enabled by default on the management port (port 9). Execute these commands over your serial console connection to the Fortigate to enable HTTPS on port 9 (the allowaccess list replaces whatever was set before, so list every protocol you want):
FG900A83901645649 # config system interface
FG900A83901645649 (interface) # edit port9
FG900A83901645649 (port9) # set allowaccess ping https
FG900A83901645649 (port9) # end
Log in with username admin and no password. The default account has no password at all, so set one before you connect the firewall to anything other than your own PC.

Select a management IP for Fortigate. If you don't want to use the IP 192.168.1.99 because you don't want to change your computer's IP, you can change it to whatever IP address you want. First, connect to the Fortigate using the serial console and change the default IP address to something else using the Fortigate command line. Then connect to the device over https on the new address (your existing https session on the old address will drop as soon as the command takes effect). Here are the commands that change the default IP address of port 9:

FG900A83901645649 # config system interface
FG900A83901645649 (interface) # edit port9
FG900A83901645649 (port9) # set ip 192.168.100.253 255.255.255.0
FG900A83901645649 (port9) # end
Enter an Alias, a friendly name, for port 10; you could use External as the interface name.
Select Addressing mode Manual, and type in the IP address 203.162.4.2 with subnet mask 255.255.255.192 (a 26-bit mask).
Tick to enable SSH and HTTPS only if you really need to administer the Fortigate from the internet; these two options make the management interface reachable from every internet host, so leave them off and manage from the internal side or over a VPN where you can.
With the public IP 203.162.4.2, my Fortigate faces the internet directly; the firewall becomes part of the internet. The ISP-managed router usually passes all traffic through to the customer end, so the firewall is reachable by every internet user. Keep your password strong. Whenever you expose your network to the internet, you expose it to unlimited breach attempts, and you will be the target of random or intentional brute-force password attacks. Using a long enough, strong password is good practice for keeping your network secure. Moreover, you should rename the default admin account and, if HTTPS or SSH is enabled on the external interface, restrict each administrator account to trusted source addresses (Trusted Hosts in the admin settings) so that a brute-force attempt from elsewhere never reaches the login prompt. To see how to rename the default admin account on Fortigate, see my previous post.
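The management-plane hardening described above, as an added example in FortiOS CLI syntax that is not part of the original post. It uses the port10 address and the 192.168.100.0/24 LAN from this tutorial; the account name fwadmin, the remote management host 198.51.100.20 and the lockout values are assumptions you should replace with your own. The command names are FortiOS 5.x-era syntax; lines starting with # are annotations.

```fortios
# Weak starting point: management reachable from every internet host on port10,
# and the built-in "admin" account with no password and no trusted hosts.
config system interface
    edit "port10"
        set allowaccess ping https ssh
    next
end

# Hardened version.
# 1. A named super-admin with a long password and trusted hosts. Logins for this
#    account are accepted only from the listed sources, on any interface.
config system admin
    edit "fwadmin"
        set accprofile "super_admin"
        set password "replace-with-a-long-random-passphrase"
        set trusthost1 192.168.100.10 255.255.255.255
        set trusthost2 198.51.100.20 255.255.255.255
    next
end

# 2. Lock an account after three failed logins and expire idle GUI/CLI sessions.
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admintimeout 10
end

# 3. Drop HTTPS/SSH from the WAN side. Keep them only if you must manage the
#    unit from the internet, and then rely on the trusted hosts above.
config system interface
    edit "port10"
        set allowaccess ping
    next
end

# 4. Log in as fwadmin, confirm it works, then remove the default account.
config system admin
    delete "admin"
end
```

Run step 4 only from a session already authenticated as fwadmin; the firewall will not delete the account you are currently logged in with, and deleting the only working administrator locks you out of the GUI until you fix it over the serial console.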
The second interface is Internal, where the Fortigate connects to your local network. Assume that your local network uses the range 192.168.100.0/24; the Fortigate's internal interface IP could then be 192.168.100.254. Assign the IP 192.168.100.254 to port 11 on the Fortigate and connect it to your local network switch.
Enter an Alias, a friendly name, for port 11; you could use Internal as the interface name.
Select Addressing mode Manual, and type in the IP address 192.168.100.254 with subnet mask 255.255.255.0.
Tick to enable SSH and HTTPS. These two options allow you to manage the Fortigate from any internal computer.
The routing table tells the Fortigate where to send internet traffic: out through port 10 to the ISP router. Go to Router > Static > Static Route. You will see one default route there, 0.0.0.0 0.0.0.0, pointing to 192.168.1.99 as the default gateway. We need to change this gateway.
Change the gateway IP to 203.162.4.1.
Change Device to port10 instead of port9.
Click OK to go back to the Static Route screen.
There is no need to create a static route for your directly connected network 192.168.100.0/255.255.255.0. The Fortigate automatically adds a connected route for this network because it is attached to port 11. The next step is to create a route to a second local network that sits behind an internal router, 192.168.200.0/255.255.255.0 in this example, which the Fortigate can only reach through port 11. You only need this route if you really have such a network and it is not directly connected to the Fortigate. Go to Router > Static > Static Route and click Create New.
Destination IP is 192.168.200.0 with subnet mask 255.255.255.0.
Device is port11.
Gateway is 192.168.100.1, which is your internal router's interface.
Click OK to go back to the Static Route screen. Repeat the same steps to create routes for any other networks you have behind internal routers.
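The interface and routing steps above, done in one pass from the CLI, as an added example that is not part of the original post. It uses only the addresses from this tutorial (port10 203.162.4.2/26 with gateway 203.162.4.1, port11 192.168.100.254/24, the 192.168.200.0/24 network behind the internal router 192.168.100.1). The route entry number 1 is assumed to be the existing factory default route, which `edit 1` modifies in place; if your unit numbers it differently, check with `show router static` first.

```fortios
# Interfaces: static addressing, with management access only on the inside.
config system interface
    edit "port10"
        set alias "External"
        set mode static
        set ip 203.162.4.2 255.255.255.192
        set allowaccess ping
    next
    edit "port11"
        set alias "Internal"
        set mode static
        set ip 192.168.100.254 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Static routes. Connected routes for 203.162.4.0/26 and 192.168.100.0/24 are
# added automatically from the interface addresses and are not configured here.
config router static
    # Default route: anything the Fortigate has no better route for goes to the ISP router.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.162.4.1
        set device "port10"
    next
    # Second internal network, reachable only through the internal router on port11.
    edit 2
        set dst 192.168.200.0 255.255.255.0
        set gateway 192.168.100.1
        set device "port11"
    next
end

# Verify: the table should show two C (connected) routes, one S* default route
# via 203.162.4.1 and one S route for 192.168.200.0/24 via 192.168.100.1.
get router info routing-table all

# Verify reachability of the two next hops before writing any firewall policy.
execute ping 203.162.4.1
execute ping 192.168.100.1
```

If the default route is missing or still points at 192.168.1.99, internet-bound packets are dropped with "no route" even when the firewall policy below allows them, so check the routing table output before troubleshooting policy.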
Go to Firewall > Policy > Policy and click Create New to create a new firewall policy.
Source Interface: port11 (Internal)
Source Address: all
Destination Interface: port10 (External)
Destination Address: all
Action: Accept
NAT: Enabled
Click OK to finish the policy. You should now have the same policy as I do here.
With this configuration, all devices in your internal network are allowed to traverse the Fortigate to the internet. Please note that because the Source Address is all, any device that can reach the Fortigate through port 11 is allowed through the firewall, including anything that plugs into your switch uninvited. This is not recommended. To be more specific, set the Source Address to an IP range or IP subnet, and let everything else fall through to the implicit deny at the bottom of the policy list.
To create a new Address object on Fortigate, select Firewall > Address > Address and click Create New.
Address Name: any name you want. Avoid special characters such as / or * in the name; they can cause problems on the Fortigate.
Type: Subnet/IP Range
Subnet/IP Range: 192.168.100.10 (just type the IP, with no subnet mask)
Interface: Any
Click OK to finish the new address.

Be careful with the subnet mask. When you create a new Address object on Fortigate, pay attention to the mask on the IP. If you want only the host 192.168.100.10 to access the internet, enter just the IP 192.168.100.10; the Fortigate treats it as a single host (a /32, mask 255.255.255.255). If you accidentally enter 192.168.100.10/24, the object matches your whole 192.168.100.0/24 network. This is not a Fortigate bug: in a subnet address, only the bits covered by the mask count, so 192.168.100.10/24 means the 192.168.100.0/24 network, and the .10 in the host bits is ignored. The administrator who typed /24 has, in effect, asked for the whole subnet. The next step is to create a new Firewall Policy and select Hao-PC as the Source Address.
Go back to Firewall > Policy > Policy. Instead of clicking the Create New button, you can right-click the section Port11 > Port10 and select Insert from the pop-up menu. The Fortigate creates a new firewall policy and places it above the policy under your mouse pointer. It also fills in port11 as Source Interface and port10 as Destination Interface for you (because you right-clicked that section). Position matters: policies are evaluated top down and the first match wins, so the specific Hao-PC policy must sit above the catch-all policy or it will never be used.
Source Address: Hao-PC
Action: Accept
NAT: Enabled
Click OK to finish the policy. You should have a new policy like this.
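The address-object mask pitfall and the "all" versus specific-source policy, side by side in FortiOS CLI, as an added example that is not part of the original post. It reuses the Hao-PC object and port10/port11 from this tutorial; the object name Whole-LAN, the policy IDs and the comments are assumptions. The syntax is FortiOS 5.x-era (on 4.x the catch-all service is named "ANY" and logging is `set logtraffic enable`); lines starting with # are annotations.

```fortios
config firewall address
    # A single host: what the GUI stores when you type only the IP.
    edit "Hao-PC"
        set subnet 192.168.100.10 255.255.255.255
    next
    # The pitfall: host bits are ignored under the mask, so this object matches
    # every address in 192.168.100.0/24, not just .10. Named to make that obvious.
    edit "Whole-LAN"
        set subnet 192.168.100.10 255.255.255.0
    next
end

# Weak: the first policy from the tutorial. Any device on port11 gets out.
config firewall policy
    edit 1
        set srcintf "port11"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Hardened: allow the named host, then deny and log everything else from port11.
# Policies are matched top down, so the allow must come before the deny.
config firewall policy
    edit 2
        set srcintf "port11"
        set dstintf "port10"
        set srcaddr "Hao-PC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        set comments "Hao-PC to internet"
    next
    edit 3
        set srcintf "port11"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "explicit catch-all deny, logged"
    next
    # Remove the broad policy so it cannot shadow the deny.
    delete 1
end

# Verify the order: 2 (accept Hao-PC) must be listed before 3 (deny all).
show firewall policy
```

The explicit deny in policy 3 behaves like the implicit deny at the bottom of the list, but unlike the implicit deny it is logged, which is what you want when a new machine on the LAN complains that it cannot reach the internet: the log shows the source address that was blocked, and you add it to an address object rather than widening the source back to all.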
You can also allow a range of addresses rather than a single host, for example 192.168.100.40 to 192.168.100.100. Go to Firewall > Address > Address and click Create New. Enter the IP range as shown below; please note that the square bracket goes after the last period, as in 192.168.100.[40-100].
Click OK to finish the IP range. Use this new address range as the Source Address in a firewall policy to allow this specific IP range to access the internet.

Define an IP range using commands. You can also define an address range from the command line. Using the command line is clearer and, somehow, looks more professional. The entry is only validated and saved when you leave it with next (or end), so enter the start and end addresses in either order but finish with end to commit the change:

FG900A83901645649 # config firewall address
FG900A83901645649 (address) # edit Range-40to100
new entry 'Range-40to100' added
FG900A83901645649 (Range-40to100) # set type iprange
FG900A83901645649 (Range-40to100) # set end-ip 192.168.100.100
FG900A83901645649 (Range-40to100) # set start-ip 192.168.100.40
FG900A83901645649 (Range-40to100) # next
FG900A83901645649 (address) # end