Basic Fortigate Firewall Configuration: Content at A Glance

This document provides instructions for basic configuration of a Fortigate firewall. It recommends placing the Fortigate in a dual-homed topology with two network interfaces - an external interface facing the internet and an internal interface facing the internal network. It describes how to configure the IP addresses and connect the interfaces. It also covers configuring static routing tables and a default route to direct traffic between the interfaces and networks.

Uploaded by Denisa Prifti

Basic Fortigate Firewall Configuration
If you want to equip your network with an affordable firewall that is easy to administer, Fortigate is the right choice for you. The Fortigate range runs from the 20C up to the 5000 series, with chassis models for service-provider networks. For a medium-sized company, a Fortigate 200B is powerful enough to handle up to 10,000 concurrent sessions and several 100 Mbps internet links. These numbers come from my own real-world tests: the firewall's CPU went up to 85% and memory utilization up to 90%. Fortinet's published specs may differ because they state maximum capacity.

Anyway, this tutorial shows you where the firewall sits within your network and how to configure it at a basic level to work with your network. I will use a Fortigate 200B as the firewall in this tutorial.

Content at a glance
 Firewall basic knowledge
 Where to place the firewall?
 Connecting to Fortigate at the first time
 Configuring network interfaces
 Configuring Routing Table
 Configuring Firewall Policy

Firewall basic knowledge

A firewall basically has these configuration areas:

 Interface: where the firewall communicates with other devices in your network. This could be the internal LAN, an extranet, or the internet. Basically you allocate IP addresses to these interfaces.
 Routing Table: where to send the packets. You can see a routing table on almost every network-capable device, such as an ADSL router, wireless router, router, firewall, and even on your PC (Mac, Windows, Linux, ...).
 Firewall Policy: what type of traffic is allowed or denied to pass through the firewall. This is the main part of a firewall, where you control access per IP/subnet. On advanced firewalls you will find policy components used to build firewall policies, such as schedules, bandwidth throttling, address objects, services, etc.
 Operation Mode: NAT or Transparent. If you use the Fortigate as a firewall between your private network and a public network, NAT/Route mode is for this situation. If you place the firewall behind another firewall or within your internal network, Transparent mode can be used.
Where to place the firewall?

There are some common topologies for placing a firewall within a network. In this tutorial, I will use a Dual-Homed Firewall topology.

In the Dual-Homed topology, the firewall is configured to handle everything, from controlling clients' internet access to site-to-site VPNs with business partners. A Fortigate 200B is a very good candidate for this model. Or you could choose a Juniper or Cisco firewall; it's your decision.

The firewall is placed right behind the ISP router. In this example, I assume that you're using a managed internet service with an ISP-provided router; therefore, the only thing you receive from the ISP is the IP information. You have no access to the ISP router in the picture (even though it is shipped to and operated at your location). To access the internet, your network must point to the IP of this ISP router and use it as the internet gateway or default gateway.

Connecting to Fortigate at the first time

The Fortigate 200B ships with 16 Ethernet ports in total. By default, the first 8 ports (1 to 8) work as an Ethernet switch, and the second 8 ports (9 to 16) work independently as single ports. This Ethernet switch has the default IP 192.168.1.99/24. You will use this IP to configure your Fortigate for the very first time.

 Connect a straight-through Cat-5 cable from your computer to port 9 of the unit.
 Set your computer's IP address to 192.168.1.x, subnet mask 255.255.255.0.
 Leave the Default Gateway and DNS settings of your network connection empty. You don't need them for now.
 Make sure you can PING the IP 192.168.1.99 from your computer.
 Connect to your new Fortigate by browsing to https://192.168.1.99

Could not access https

You might not be able to reach https://192.168.1.99 on your firewall because, with factory settings, HTTPS is not enabled on Port 9 of the Fortigate 200B. You can still PING it, because PING is enabled by default on the management port (port 9). Execute these commands over your serial console connection to the Fortigate to enable HTTPS on Port 9:

FG900A83901645649 # config system interface

FG900A83901645649 (interface) # edit port9

FG900A83901645649 (port9) # set allowaccess ping https

FG900A83901645649 (port9) # end

 Login with username admin and no password. Set a strong password right away; the default account with an empty password must not stay that way once the firewall is cabled to anything.


Select a management IP for Fortigate

If you don't want to use the IP 192.168.1.99 because you don't want to change your computer's IP, you can change it to whatever IP address you want. First, connect to the Fortigate over the serial console and change the default IP address to the one you want using the Fortigate command line. The final step is to connect to the device over HTTPS at the new address.

Here are the commands that change the default IP address of the Fortigate:

FG900A83901645649 # config system interface

FG900A83901645649 (interface) # edit port9

FG900A83901645649 (port9) # set ip 192.168.100.253 255.255.255.0

FG900A83901645649 (port9) # end 


Configuring network interfaces

For the dual-homed topology, the Fortigate basically has only two interfaces. You need to configure both before you can go further.

The first interface is External. You can name it anything you like. If you want to use Port 10 as the External interface, connect the RJ45 cable from your ISP router to Port 10 of the Fortigate.

The IP address depends on your ISP router. I assume your ISP has assigned you a range of public IPs, for example 203.162.4.0/26. In a /26 the network address is 203.162.4.0 and the broadcast address is 203.162.4.63, so the usable IPs run from 203.162.4.1 to 203.162.4.62. The first IP of the range, 203.162.4.1, is assigned to the ISP router interface. The Fortigate's External interface IP can be any of the leftover IPs. Let's pick 203.162.4.2 and assign it to Port 10 on the Fortigate.

Step-by-Step How to configure Fortigate external interface

 Click to expand Network –> Interface
 Select port10, and click Edit to open the interface properties dialog
 Enter an Alias, a friendly name for Port10; you could use External as the interface name.
 Select Addressing mode Manual, and type in the IP address 203.162.4.2 and subnet mask 255.255.255.192 (26-bit subnet mask)
 Tick to enable SSH and HTTPS only if you really need to manage the Fortigate from the internet. These two options put the management login on a public IP, reachable by every host on the internet. If you can manage the firewall from the internal side, leave them unticked here; if you do enable them, restrict your admin accounts to trusted hosts (System –> Admin –> Administrators, Trusted Hosts) and never enable HTTP or TELNET on this interface.

With the IP 203.162.4.2, a public IP, my Fortigate faces the internet directly. The firewall becomes part of the internet. The ISP-managed router usually passes all traffic through to the customer end; therefore, the firewall is reachable by every internet user.

Keep your password strong

Whenever you expose your network to the internet, you expose it to an unlimited number of breach attempts. You will be the target of random or deliberate brute-force password-guessing attacks. Using a long-enough, strong password is good practice to keep your network secure. Moreover, you should rename the default username of your admin account. To see how to rename the default admin account on Fortigate, see my previous post.
The second interface is Internal, where the Fortigate connects to your local network. Assume that your local network uses the IP range 192.168.100.0/24; the Fortigate internal interface's IP could be 192.168.100.254. Assign the IP 192.168.100.254 to Port 11 on the Fortigate, and connect it to your local network switch.

Step-by-Step How to configure Fortigate internal interface

 Click to expand Network –> Interface
 Select port11, and click Edit to open the interface properties dialog
 Enter an Alias, a friendly name for Port11; you could use Internal as the interface name.
 Select Addressing mode Manual, and type in the IP address 192.168.100.254 and subnet mask 255.255.255.0
 Tick to enable SSH and HTTPS. These two options allow you to manage the Fortigate from any internal computer.
 Allow PING from the internal network for troubleshooting purposes.
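The two interface procedures above, together with the management-access hardening that the "Keep your password strong" section calls for, as one FortiOS CLI example. This is an added example, not configuration from the original post. It assumes FortiOS 4.x/5.x CLI syntax, the port10/port11 addressing plan of this tutorial, a placeholder passphrase that you replace, and that the admin-lockout and admintimeout settings under config system global exist in your firmware (they do in current FortiOS; check with ? at the prompt if unsure).

```text
# Added example, not from the original post. FortiOS CLI; tutorial addressing plan.
config system interface
    edit "port10"
        set alias "External"
        set mode static
        set ip 203.162.4.2 255.255.255.192
        # Management on the internet-facing port: HTTPS/SSH only, never http or telnet.
        # Remove this line entirely if you can manage the box from the inside.
        set allowaccess https ssh
    next
    edit "port11"
        set alias "Internal"
        set mode static
        set ip 192.168.100.254 255.255.255.0
        # PING stays on the internal side for troubleshooting, as the tutorial suggests.
        set allowaccess ping https ssh
    next
end

# Run this from a session that itself comes from 192.168.100.0/24, otherwise you lock
# yourself out of the GUI/SSH (the serial console is not subject to trusted hosts).
config system admin
    edit "admin"
        set password "<replace-with-a-long-random-passphrase>"
        # Even with HTTPS/SSH enabled on port10, this account may only log in from the
        # internal LAN. Add trusthost2/trusthost3 for a fixed remote management site.
        set trusthost1 192.168.100.0 255.255.255.0
    next
end

config system global
    # Assumed to exist in your FortiOS version: 3 failed logins lock the account for
    # 60 seconds, which blunts the brute-force scans described above; idle sessions
    # expire after 5 minutes.
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set admintimeout 5
end
```

Verify with show system interface port10 and show system admin. Then, from a host outside 192.168.100.0/24, confirm that the HTTPS login page on 203.162.4.2 does not answer: with trusted hosts set, the firewall silently drops management connections from anywhere else.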

Test the connectivity

It's time to test the connectivity between the Fortigate and both the External and Internal networks. From the Fortigate CLI, execute these commands to PING the ISP router and a host on your internal network (192.168.100.25 is just an example address in 192.168.100.0/24; use any live host):

execute ping 203.162.4.1

execute ping 192.168.100.25

If both commands show replies, your connectivity is good. You can move on.
Configuring Routing Table

The routing table is the knowledge base of the Fortigate firewall. Fortigate supports both static and dynamic routes. You can add static routes manually at Router –> Static Route. Fortigate supports RIP, OSPF and BGP as dynamic routing protocols. In this tutorial, I will not touch dynamic routing.

Basically, a firewall must know all routes within your local network and to the internet. For example, if your local network consists of 192.168.100.0/24 and 192.168.20.0/24 (just an example), you need 2 routes for these two networks, or one summary route that covers both.

The default route is the least specific entry in the routing table, so it is the last one consulted: it is used only when no more specific route matches the destination. The default route points to the gateway the firewall sends all other traffic to, usually the default gateway. In this case, the default route points to 203.162.4.1, the IP of the ISP router. Traffic to the internet follows the default route because there are no specific routes for internet addresses.

Step-by-step How to configure Static Route on Fortigate

Follow these steps to configure the default route to point to 203.162.4.1. This route will send all internet traffic out to the ISP router.

 Go to Router –> Static –> Static Route

You will see one default route already there, 0.0.0.0 0.0.0.0, pointing to 192.168.1.99 as the default gateway. We need to change this gateway.

 Select the default route, click Edit
 Change the gateway IP to 203.162.4.1
 Change Device to Port10, instead of Port9.
 Click OK to go back to the Static Route screen

There is no need to create a static route for your directly connected network 192.168.100.0/255.255.255.0. Fortigate automatically adds a connected route for this network since it's already connected to port11.

The next step is to create a new route to your local network. The destination should be 192.168.200.0/255.255.255.0, and the device is port11. You only need to create a route to the .200 network if you really have it, and the .200 network is not directly connected to the Fortigate.

 Go to Router –> Static –> Static Route
 Click Create New
 Destination IP is 192.168.200.0 with subnet mask 255.255.255.0
 Device is port11
 Gateway is 192.168.100.1, which is your internal router's interface
 Click OK to go back to the Static Route screen

Repeat the same steps as above to create more networks and routes for your network as you need.
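The same two static routes as the procedure above, in CLI form. This is an added example, not from the original post; it assumes FortiOS CLI syntax and the addresses used in this tutorial.

```text
# Added example, not from the original post. FortiOS CLI; tutorial addressing plan.
config router static
    # Default route. The destination defaults to 0.0.0.0/0, so only the gateway and
    # the egress interface are set. This replaces the factory route towards port9.
    edit 1
        set gateway 203.162.4.1
        set device "port10"
    next
    # A LAN behind an internal router. Only needed if 192.168.200.0/24 really exists
    # and is not directly connected; 192.168.100.0/24 needs no entry because FortiOS
    # adds a connected route for port11 by itself.
    edit 2
        set dst 192.168.200.0 255.255.255.0
        set gateway 192.168.100.1
        set device "port11"
    next
end
```

get router info routing-table all should then list a C (connected) entry for 192.168.100.0/24 on port11, an S (static) entry for 192.168.200.0/24 via 192.168.100.1, and S* 0.0.0.0/0 via 203.162.4.1. A packet to 192.168.200.5 takes the /24 entry because the longest matching prefix wins; anything with no more specific match falls through to the default route.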

Configuring Firewall Policy

This is the coolest part of the game, where you control the incoming and outgoing traffic of your network. With Firewall Policy, you can allocate how much bandwidth you want to assign to each IP, network, or a specific external IP. Fortigate supports schedules and fully customized service definitions. With these options, you can customize your network to match your needs.

For advanced configuration, Fortigate can act as an IPS to protect your network by deep-scanning the content and patterns of the traffic. In this tutorial, I will not touch these advanced configurations.

Let's go for some basic Firewall Policies

Allow everyone to access full internet

By default, Fortigate has an implicit policy that blocks all incoming and outgoing traffic from passing through the box. In older FortiOS 3.x, this implicit policy was not shown to users; from version 4.0 on, Fortigate users can see it. Because of this implicit policy, Fortigate is not a plug-and-play firewall. To allow full internet access you must create at least the following policy.


 Go to Firewall –> Policy –> Policy
 Click Create New to create a new firewall policy

 Source Interface: Port 11 (Internal)


 Source Address: all
 Destination Interface: Port 10 (External)
 Destination Address: all
 Action: Accept
 NAT: Enabled
 Click OK to finish the policy

You should have the same policy as I do here

With this configuration, all devices in your internal network are allowed to traverse the Fortigate to the internet. Please note that since the Source address is all, any device that reaches the Fortigate through Port 11 is allowed to pass the firewall, whatever its address. This is not recommended. To be more specific, you should set the Source address to an IP range or IP subnet.

Allow a specific IP to access full internet

To allow a specific IP to access the full internet, you need to create an Address object and assign this object to a firewall policy. Only the machine with this specific IP will match the policy and be able to access the internet.

 To create a new Address object on Fortigate, select Firewall –> Address –> Address
 Click Create New
 Address Name is any name you want. Avoid special characters such as / or * in the name; they can confuse the Fortigate.
 Type: Subnet/IP Range
 Subnet/IP Range: 192.168.100.10 (just type the IP, with no subnet mask)
 Interface: Any
 Click OK to finish the new address

Be careful with the subnet mask

When you create a new Address object on Fortigate, pay attention to the subnet mask of the IP. In this case, if I want only the IP 192.168.100.10 to access the internet, I enter just 192.168.100.10 (or 192.168.100.10/32, which means the same thing). If you accidentally enter 192.168.100.10/24, all of your 192.168.100.0/24 network will be able to access the internet. This is not a Fortigate bug: an address with a /24 mask denotes the whole 192.168.100.0/24 network, so the .10 host part is discarded and the object is stored as 192.168.100.0/24. Always check the saved object; a single host must end up with the mask 255.255.255.255.

Next step is to create a new Firewall Policy, and select Hao-PC as the Source Address

 Go back to Firewall –> Policy –> Policy
 Instead of clicking the Create New button, you can right-click on the section Port11 –> Port10 and select Insert from the pop-up menu. Fortigate will create a new firewall policy and put it above the policy at your current mouse position. Order matters: policies are matched top-down and the first match wins, so the Hao-PC policy must sit above the catch-all one.
 Fortigate will fill in Port11 as Source Interface and Port10 as Destination Interface for you (because you right-clicked –> Insert)
 Select Hao-PC as Source Address
 Action: Accept
 NAT: enabled
 Click OK to finish the policy

You should have a new policy like this
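Both policy procedures above (the catch-all policy and the Hao-PC policy) and the address objects they rely on, as one FortiOS CLI example. It is an added example rather than the post's own configuration, and it goes slightly beyond the text: the catch-all policy is limited to web and DNS so that the effect of policy order is visible, and it uses a LAN subnet object instead of all, as the text recommends. Assumptions: FortiOS 5.x names for the built-in service objects (ALL, HTTP, HTTPS, DNS; FortiOS 4.x names the any-service object ANY) and the 5.x set logtraffic all syntax (4.x uses set logtraffic enable); the object name LAN-100 is mine.

```text
# Added example, not from the original post. FortiOS CLI; tutorial addressing plan.
config firewall address
    # Single host: give it a host mask explicitly. "192.168.100.10/24" would be stored
    # as the 192.168.100.0/24 network and match every LAN host.
    edit "Hao-PC"
        set type ipmask
        set subnet 192.168.100.10 255.255.255.255
        set associated-interface "port11"
    next
    # The whole LAN as an object (name assumed), so the catch-all policy can use it
    # instead of "all".
    edit "LAN-100"
        set type ipmask
        set subnet 192.168.100.0 255.255.255.0
        set associated-interface "port11"
    next
end

config firewall policy
    # Policies are evaluated top-down, first match wins. The host-specific policy is
    # created first, which is what the GUI "Insert" above achieves.
    edit 1
        set srcintf "port11"
        set dstintf "port10"
        set srcaddr "Hao-PC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Everyone else on the LAN gets web and DNS only. srcaddr is the LAN subnet, not
    # "all", so a stray device on port11 with some other address does not get out.
    edit 2
        set srcintf "port11"
        set dstintf "port10"
        set srcaddr "LAN-100"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Check the address object with show firewall address "Hao-PC": the stored subnet must read 192.168.100.10 255.255.255.255. If it reads 192.168.100.0 255.255.255.0, the /24 mistake described above has happened and every LAN host matches policy 1. With the order shown, 192.168.100.10 can open any service, while 192.168.100.50 can browse but cannot, for example, SSH to an internet host; swap the two policies and Hao-PC loses its extra access, because policy 2 would match it first.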

Allow a contiguous IP range to access

For example, I'd like to allow an IP range from 192.168.100.40 to 192.168.100.100 to access the internet, or to be covered by the same Firewall Policy, so I need to create an Address Range on Fortigate and use it as the Source Address. The key to creating an IP range in the Fortigate GUI is the square brackets [ ]. The range is typed within these brackets: 192.168.100.[40-100] means all IPs from 40 to 100, including 192.168.100.40 and 192.168.100.100.

 Go to section Firewall –> Address –> Address
 Click Create New
 Enter the IP range as below; please note the square bracket comes right after the period "."
 Click OK to finish the IP range.

Use this new Address Range as the Source Address in a Firewall Policy to allow this specific IP range to access the internet.

Define IP range using commands

You can also define an address range from the command line. The CLI is clearer and, somehow, looks more professional.

FG900A83901645649 # config firewall address

FG900A83901645649 (address) # edit "Range-40to100"

new entry 'Range-40to100' added

FG900A83901645649 (Range-40to100) # set type iprange

FG900A83901645649 (Range-40to100) # set start-ip 192.168.100.40

FG900A83901645649 (Range-40to100) # set end-ip 192.168.100.100

FG900A83901645649 (Range-40to100) # next

FG900A83901645649 (address) # end
