Fortigate Labs


Lab 1: Basic Configuration

In NAT/Route mode, a Fortigate is deployed as a gateway/router between two networks, i.e., a
private network and a public network (the Internet).
The WAN interface is connected to the ISP network and the internal port (Port 1) is connected
to the internal network.
➢ Configuring Network Interface:
1. Go to Network -> Interfaces
2. Select the interface to configure and click on edit.
3. Set an Alias name that lets you recognize the role of that particular interface (e.g. LAN
or ISP).
4. Set Addressing mode to Manual and enter the IP address / Network mask.
5. Set the interface state to Enabled to bring the interface up.
6. Click on OK to save the config.

➢ Add a default route
1. Go to Network -> Static Routes
2. Set Destination to Subnet and enter all zeros (0.0.0.0/0.0.0.0).
3. Set Device to the internet-facing interface and set Gateway to the IP address of the ISP
router.
4. Click on OK to save the config.

➢ Create a Policy
1. Go to Policy & Objects -> IPv4 Policy
2. Click on Create New.
3. Enter the name for your policy.
4. Select the Incoming and Outgoing interface.
5. Set Source and Destination Address.
6. Select all services
7. Set Action to ACCEPT
8. Enable NAT
9. Select Use Outgoing Interface Address.
10. Enable Log Allowed Traffic to log all traffic.

➢ Configuring log settings
1. Go to Log & Report -> Log Settings.
2. Local logging can be used only when the Fortigate hardware has its own disk.
3. Remote logging can also be configured.
Note: No logging will happen until logging is enabled in a policy (Log Allowed Traffic).
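The Lab 1 steps above (interfaces, default route, outbound policy, log settings) expressed in the FortiOS CLI, as an added example that is not part of the original lab notes. The interface names (port1 for the LAN, wan1 toward the ISP), the addresses (192.168.1.99/24 inside, 203.0.113.2/24 outside with gateway 203.0.113.1) and the syslog server address are assumptions chosen for illustration; the policy permits all services, exactly as the lab does, and the later labs narrow that down.

```fortios
# Lab 1 equivalent in the FortiOS CLI (added example; interface names and
# addresses are assumptions, not taken from the lab notes).

# 1. Interfaces: alias, static addressing, interface up. Only the LAN side
#    gets management protocols; the ISP side answers ping only.
config system interface
    edit "port1"
        set alias "LAN"
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set status up
    next
    edit "wan1"
        set alias "ISP"
        set mode static
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping
        set status up
    next
end

# 2. Default route: all-zeros destination, ISP router as gateway.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# 3. Outbound policy. "set nat enable" without an IP pool is the CLI form of
#    "Use Outgoing Interface Address"; "logtraffic all" is Log Allowed Traffic.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 4. Log destinations: local disk (only on models that have one) and a
#    remote syslog server (address assumed).
config log disk setting
    set status enable
end
config log syslogd setting
    set status enable
    set server "192.168.1.50"
end
```

After entering this, `get router info routing-table all` should show the 0.0.0.0/0 route via wan1, and `diagnose sys session list` shows the NATed sessions that the FortiView -> All Sessions page displays in the GUI.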

➢ Viewing processed traffic
1. Go to FortiView -> All Sessions to view all the logged traffic.
2. We can right-click on any log entry and take further action, like ending that session or
blocking the source or destination IP.
3. We can double-click on a particular log entry to get more details about it.

Lab 2: Creating policies
➢ Configuring Internet Policy:
1. Go to Policy & Objects -> IPv4 Policy
2. Click on Create New.
3. Enter the name for your policy as Internet.
4. Select the Incoming and Outgoing interface.
5. Set Source and Destination Address.
6. Select DNS, HTTP, HTTPS services
7. Set Action to ACCEPT
8. Enable NAT
9. Select Use Outgoing Interface Address.
10. Enable Log Allowed Traffic to log all traffic.

➢ Creating Mobile Policy:
1. Go to Policy & Objects -> IPv4 Policy
2. Click on Create New.
3. Enter the name for your policy as Mobile.
4. Select the Incoming and Outgoing interface.
5. For Source, click on Device -> Mobile Devices group and select all from Addresses.
6. Set Destination Address all.
7. Select DNS, HTTP, HTTPS services
8. Set Action to ACCEPT
9. Enable NAT
10. Select Use Outgoing Interface Address.
11. Enable Log Allowed Traffic to log all traffic.

➢ Create Admin Profile/Policy:
- We create a device profile to identify our administrator PC.
1. Go to User & Device -> Custom Devices & Groups
2. Click on Create New.
3. Enter an Alias and the MAC Address (of the admin PC), select the Device Type and save the
profile.
- Now we create a policy for our admin PC.
1. Go to Policy & Objects -> IPv4 Policy; click on Create New.
2. Select the Incoming & Outgoing interface.
3. Select the admin's PC from Devices as the Source and select all from Addresses.
4. Select all for Destination.
5. Select all services and click on OK to save the config.

➢ Ordering Policy List
1. Go to Policy & Objects -> IPv4 Policy.
2. Select the By Sequence view.
3. Click on the Sequence number (Seq.#) and drag the policy up or down to change its position
in the sequence.
4. This sequence is the order in which the Fortigate evaluates the policies: traffic is
matched top-down and the first matching policy is applied.
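Policy ordering done from the CLI, as an added example rather than part of the lab notes: a narrow Internet policy (DNS/HTTP/HTTPS only), a broad admin policy, and the `move` command that reorders them. The device-based source used in the GUI for the Mobile and Admin policies is replaced here by an address object for the admin host (192.168.1.10); the interface names, policy IDs and that address are assumptions.

```fortios
# Policy ordering in the FortiOS CLI (added example; names, IDs and the
# admin host address are assumptions).

# Address object standing in for the admin PC device entry from the lab.
config firewall address
    edit "AdminPC"
        set subnet 192.168.1.10 255.255.255.255
    next
end

config firewall policy
    # Internet policy: only the three services the lab allows for users.
    edit 2
        set name "Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
    # Admin policy: all services, but only from the admin host.
    edit 3
        set name "Admin"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "AdminPC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Policies are matched top-down, first match wins. Created in this order,
    # the broad "Internet" policy (ID 2) would catch the admin host's DNS/web
    # traffic first, so move the more specific policy above it.
    move 3 before 2
end
```

`show firewall policy` prints the policies in their enforced order, which is the same order the By Sequence view shows in the GUI; the ID numbers themselves never change when a policy is moved.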

➢ Inspecting Traffic
1. Go to FortiView -> Policies.
2. Right-click on any policy and select Drill Down to see the details.

Lab 3: Blocking Facebook
➢ Enabling Web Filtering:
1. Go to System -> Feature Visibility
2. Inside Security Features, enable Web Filter

➢ Editing the default profile:
1. Go to Security Profiles -> Web Filter
2. Enable URL Filter.
3. Click on Create.
4. Set Type to Wildcard.
5. Set URL to *facebook.com (blocks any site whose hostname ends with facebook.com).
6. Set Action to Block and Status to Enabled.

➢ Creating a security policy:
1. Go to Policy & Objects -> IPv4 Policy.
2. Click on Create New.
3. Enter the name for your policy.
4. Select the Incoming and Outgoing interface.
5. Set Source and Destination Address.
6. Select all services
7. Set Action to ACCEPT
8. Enable NAT
9. Select Use Outgoing Interface Address.
10. Enable Web Filter and select default profile.
11. Enable SSL/SSH Inspection and select certificate-inspection.
Note: To make sure that this policy is applied to all outgoing traffic, it must be placed above
all other policies in the sequence.
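The Lab 3 web filter, as an added example in the FortiOS CLI rather than code from the lab notes: a URL filter table with the wildcard entry, the default web filter profile pointing at that table, and a policy that applies the profile with certificate inspection and is moved to the top. The URL filter table ID (1), the policy ID (4) and the interface names are assumptions.

```fortios
# Lab 3 (blocking *facebook.com) in the FortiOS CLI. Added example; table
# and policy IDs and interface names are assumptions.

# URL filter table with one wildcard entry.
config webfilter urlfilter
    edit 1
        set name "block-facebook"
        config entries
            edit 1
                set url "*facebook.com"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

# Attach the table to the default web filter profile.
config webfilter profile
    edit "default"
        config web
            set urlfilter-table 1
        end
    next
end

# Policy that applies the profile. "utm-status enable" is what switches the
# Security Profiles section on; certificate-inspection reads the server
# certificate / SNI without decrypting, which is enough for hostname matches.
config firewall policy
    edit 4
        set name "Filtered-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    # Put it first so every outgoing session is inspected (the lab's Note).
    move 4 before 1
end
```

One caveat worth knowing when testing: with certificate inspection the Fortigate only sees the hostname of an HTTPS connection, so a wildcard on the host part like *facebook.com works, but any URL filter entry that depends on the path after the hostname would need deep inspection instead.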

Lab 4: Upgrading firmware
➢ Checking current firmware version
1. On dashboard, the System Information widget has the information of current
firmware.
➢ Checking new available firmware
1. Go to System -> Firmware
2. If new firmware is available, then a notice will appear under current version.
➢ Upgrading firmware
1. Under FortiGuard Firmware, select All available.
2. Select a version to upgrade to; we can read the release notes to get more information
about the selected version.
3. We can also upload an image manually and upgrade the firmware from it.
4. Once you have decided to upgrade, click on Backup config and upgrade.
5. Save the current config when the prompt appears. The current config will be saved on
the computer from which you logged into the Fortigate.

Lab 5: Configuring HA
In HA, we set up two Fortigate units so that the second one provides backup redundancy if the
primary firewall fails. Before we configure HA, we need to make sure that both Fortigates run
the same FortiOS version. Also, both firewalls must have the same level of license.
➢ Configuring Primary Fortigate:
1. Configure the primary firewall's hostname so that it can be identified easily: go to
System -> Settings and set the Host name.
2. Go to System -> HA and set the Mode to Active-Passive.
3. Set a higher Device priority so that this firewall becomes the Primary firewall.
4. Enter a Group name.
5. Enter a Password.
6. Select the Heartbeat interfaces (in our case, port3 and port4).
Note: If there are other FortiOS HA clusters on our network, then we need to change the
cluster group ID by using the following CLI commands:
config system ha
    set group-id 25
end

➢ Configuring Backup Fortigate:
1. Change the hostname to identify the backup Fortigate.
2. Configure the same HA settings as on the primary Fortigate.
3. Set the Device Priority to a value lower than the primary Fortigate's.
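The full HA configuration for both units in the FortiOS CLI, as an added example that extends the group-id snippet in the lab notes. Hostnames, the group name, the priorities (200 on the primary, 100 on the backup) and the password placeholder are assumptions; port3 and port4 as heartbeat interfaces are taken from the lab.

```fortios
# Lab 5 in the FortiOS CLI (added example). Both units get identical HA
# settings except hostname and priority. <HA-PASSWORD-PLACEHOLDER> must be
# the same string on both units; the rest are assumptions.

# --- Primary unit ---
config system global
    set hostname "FGT-Primary"
end
config system ha
    set group-id 25
    set group-name "Lab-HA"
    set mode a-p
    set password <HA-PASSWORD-PLACEHOLDER>
    set hbdev "port3" 50 "port4" 50
    set priority 200
    set override disable
end

# --- Backup unit ---
config system global
    set hostname "FGT-Backup"
end
config system ha
    set group-id 25
    set group-name "Lab-HA"
    set mode a-p
    set password <HA-PASSWORD-PLACEHOLDER>
    set hbdev "port3" 50 "port4" 50
    set priority 100
    set override disable
end

# --- Checks, on either unit once the heartbeat links are cabled ---
get system ha status
diagnose sys ha checksum cluster
```

`get system ha status` is the CLI counterpart of the dashboard HA widget and lists both members with their roles; `diagnose sys ha checksum cluster` shows whether the two configurations have synchronized. With `override disable` (the default used here) the cluster does not fail back automatically when the original primary returns, which avoids a second interruption; set `override enable` on the primary only if that fail-back behaviour is wanted.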

➢ Observations:
1. We can monitor all the information of HA from the dashboard.
2. Once the heartbeat interfaces are connected, both the Primary and Secondary FW are
visible in Settings -> HA.
3. We left-click on the widget and select Show HA historical events to view all traffic
flowing between the FWs.

Lab 6: DNS Filtering
DNS filtering is used here to block access to bandwidth-consuming websites. We enable DNS
filtering from System -> Feature Visibility, by enabling DNS Filter under Security Features.
➢ Creating a DNS web filter profile:
1. Go to Security Profiles -> DNS Filter, and edit the default profile.
2. Enable FortiGuard category-based filter, right click Bandwidth Consuming, and
set it to Block.

➢ Enabling DNS filtering in a security policy:
1. Go to Policy & Objects -> IPv4 Policy and edit the outgoing policy that allows
internet access.
2. Under Security Profiles, enable DNS Filter and set it to default.
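Lab 6 in the FortiOS CLI, as an added example that is not part of the lab notes: making the feature visible, blocking a FortiGuard DNS category in the default profile, and attaching the profile to the outgoing policy. `<CATEGORY-ID>` is a placeholder for the numeric ID of each category inside the Bandwidth Consuming group (the GUI lists them when the group is expanded; the IDs are not given in the lab), and the policy ID 2 is an assumption.

```fortios
# Lab 6 (DNS filtering) in the FortiOS CLI. Added example; <CATEGORY-ID> is a
# placeholder for a real FortiGuard category number and the policy ID is
# assumed.

# Step 1 of the lab: make the DNS Filter feature visible in the GUI.
config system settings
    set gui-dnsfilter enable
end

# Block a FortiGuard DNS category in the default profile. The GUI's
# "Bandwidth Consuming" group is a set of categories; add one filter entry
# per category ID in that group.
config dnsfilter profile
    edit "default"
        config ftgd-dns
            config filters
                edit 1
                    set category <CATEGORY-ID>
                    set action block
                next
            end
        end
    next
end

# Attach the profile to the outgoing Internet policy.
config firewall policy
    edit 2
        set utm-status enable
        set dnsfilter-profile "default"
    next
end
```

The profile only takes effect on DNS queries that traverse this policy, so clients must actually use a resolver reached through the Fortigate (or the Fortigate itself); a client pointed at a DNS-over-HTTPS resolver bypasses DNS filtering entirely, which is why the lab combines it with the web filter policy.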

Lab 7: Configuring Site-to-Site IPSec VPN
We create a tunnel between two remote sites to enable communication between two private
networks, i.e., LAN1 and LAN2.
➢ Configuring Fortigate1:
1. Go to VPN -> IPSec Wizard.
2. In the VPN Setup step, set Template Type to Site to Site, set Remote Device
Type to FortiGate, and set NAT Configuration to No NAT between sites.
3. In the Authentication step, set IP Address to the public IP address of the Branch
FortiGate.
4. After you enter the IP address, the wizard automatically assigns an interface as
the Outgoing Interface. If you want to use a different interface, select it from the
drop-down menu.
5. Set a secure Pre-shared Key.
6. In the Policy & Routing step, set Local Interface to lan. The wizard adds the local
subnet automatically. Set Remote Subnets to the Branch network’s subnet.
7. Set Internet Access to None.
8. A summary page shows the configuration created by the wizard, including
interfaces, firewall addresses, routes, and policies.
9. To view the VPN interface created by the wizard, go to VPN -> IPSec VPNs.

➢ Configuring Fortigate2:
Configure this firewall in the same way as above.

➢ Results:
1. We can ping any device from LAN1 to LAN2 and vice versa.
2. The tunnel status can be viewed in VPN -> IPSec VPNs.
