Fortigate Firewall Configuration Summary

2025-02-10

Basic Setup

  1. Management IP: Set the management IP address and limit administrative access on that interface to ping, HTTPS and SSH (no HTTP or Telnet).
    config system interface
    edit "mgmt"
    set ip 192.168.1.99 255.255.255.0
    set allowaccess ping https ssh
    next
    end
    
  2. Admin Account: Set the administrator password (the built-in "admin" account is used here; replace the sample password with a long, unique one of your own).
    config system admin
    edit "admin"
    set password "strongpassword123"
    next
    end
    
  3. Hostname: Define the hostname for the firewall device.
    config system global
    set hostname "FortiGate-FW01"
    end
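The following added example (not part of the original post) tightens the administrative access configured above. It restricts the built-in admin account to logins from the management subnet, enforces a password policy for administrators, shortens the idle timeout and locks the account after repeated failures. The subnet, thresholds and port are assumptions chosen for this example.

```text
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
end
config system global
    set admintimeout 10
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admin-sport 8443
end
```

With a trusted host set, logins from other addresses are refused before authentication, and the allowaccess list on mgmt limits which protocols are offered at all. admin-sport keeps the HTTPS GUI off port 443, which the SSL VPN section below uses.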
    

Interface Setup

  1. Physical Interface: Configure physical interfaces (e.g., wan1, lan1). Note that lan1 below shares the 192.168.1.0/24 subnet with the mgmt interface from Basic Setup; FortiOS rejects overlapping interface subnets by default, so on a real device put management and LAN in different subnets.
    config system interface
    edit "wan1"
    set mode static
    set ip 203.0.113.1 255.255.255.0
    next
    edit "lan1"
    set mode static
    set ip 192.168.1.1 255.255.255.0
    next
    end
    

  2. VLAN Interface: Create VLAN interfaces (e.g., vlan100) on a parent interface.
    config system interface
    edit "vlan100"
    set vdom "root"
    set interface "internal"
    set vlanid 100
    set ip 192.168.100.1 255.255.255.0
    next
    end
    
  3. IP Address: Assign IP addresses to interfaces.

Security Policies

  1. Policy Mode: Choose the policy mode (e.g., NAT, Transparent), then create firewall policies that match traffic by source/destination interface, address, service and schedule. The example below allows HTTP from lan1 to wan1; every policy needs a schedule, so "always" is set explicitly.
    config firewall policy
    edit 1
    set name "Allow-HTTP"
    set srcintf "lan1"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "HTTP"
    next
    end
    
  2. Source & Destination: Define source and destination IP addresses.
  3. Services: Select services for the policy (e.g., HTTP, FTP).

  4. Action: Set the action (e.g., Accept, Deny).

NAT Configuration

  1. Source NAT (SNAT): Configure SNAT so outbound traffic leaves with an address from a public pool instead of the internal source IP. The pool below is only an object; it takes effect when a policy enables NAT and references it.
    config firewall ippool
    edit "SNAT-Pool"
    set startip 203.0.113.10
    set endip 203.0.113.20
    next
    end
    
  2. Destination NAT (DNAT): Set up DNAT to map external IP addresses to internal IPs.
    config firewall vip
    edit "Web-Server"
    set extip 203.0.113.30
    set mappedip 192.168.1.100
    next
    end
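Added example (not from the original post) showing how the objects in this NAT section and the steps in Security Policies fit together: an address object for the LAN, an outbound policy that sources traffic from the "SNAT-Pool" address pool, and an inbound policy whose destination is the "Web-Server" VIP, which is what actually triggers the DNAT. The object name "LAN-Clients", the policy IDs and the service lists are assumptions for this example; "SNAT-Pool" and "Web-Server" are the objects defined above.

```text
config firewall address
    edit "LAN-Clients"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set name "LAN-to-Internet"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "LAN-Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set ippool enable
        set poolname "SNAT-Pool"
        set logtraffic all
    next
    edit 3
        set name "Inbound-Web"
        set srcintf "wan1"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "Web-Server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

Policies are evaluated top down and anything unmatched hits the implicit deny, so keep the inbound rule narrowed to the VIP and to the services the server actually offers. Internal 192.168.1.x clients leave as 203.0.113.10 to 203.0.113.20, and only 203.0.113.30 on HTTP/HTTPS is reachable from outside.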
    

VPN Configuration

  1. IPsec VPN: Configure an IPsec VPN tunnel for secure communication. The block below is only phase 1; a matching phase 2 selector, a route and firewall policies are required before traffic uses the tunnel. With peertype any, the pre-shared key is the only thing authenticating the peer, so use a long random key rather than the sample value, and prefer stronger proposals than aes128-sha1 (e.g., aes256-sha256) where the remote side supports them.
    config vpn ipsec phase1-interface
    edit "VPN-Tunnel"
    set interface "wan1"
    set peertype any
    set proposal aes128-sha1
    set psksecret "vpnpassword123"
    next
    end
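To make the phase 1 entry above carry traffic, here is an added example (not part of the original post) of the remaining pieces: a phase 2 selector, addresses on the tunnel interface, a static route to the remote network and policies in both directions. It assumes a static site-to-site tunnel whose remote gateway has been set on the phase 1 (set remote-gw); the remote subnet 10.10.0.0/24, the tunnel addresses 10.255.0.1 and 10.255.0.2, and the object names are made-up values.

```text
config firewall address
    edit "Local-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Remote-LAN"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config vpn ipsec phase2-interface
    edit "VPN-Tunnel"
        set phase1name "VPN-Tunnel"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
    next
end
config system interface
    edit "VPN-Tunnel"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.252
    next
end
config router static
    edit 10
        set dst 10.10.0.0 255.255.255.0
        set device "VPN-Tunnel"
    next
end
config firewall policy
    edit 10
        set name "LAN-to-Remote"
        set srcintf "lan1"
        set dstintf "VPN-Tunnel"
        set srcaddr "Local-LAN"
        set dstaddr "Remote-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "Remote-to-LAN"
        set srcintf "VPN-Tunnel"
        set dstintf "lan1"
        set srcaddr "Remote-LAN"
        set dstaddr "Local-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

NAT stays disabled on both VPN policies so the remote site sees real internal addresses, and the selectors in phase 2 must mirror the ones configured on the peer or the tunnel will negotiate but pass no traffic. Narrow "ALL" to the services the sites actually exchange once the tunnel is confirmed up.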
    
  2. SSL VPN: Set up an SSL VPN tunnel for remote access. "SSLVPN_POOL" must already exist as a firewall address object (the range handed to clients), and the listening interface, portal and authentication rule still need to be set before users can connect.
    config vpn ssl settings
    set port 443
    set tunnel-ip-pools "SSLVPN_POOL"
    end
    

Logging & Reporting

  1. Logging: Enable logging for security events and traffic.
    config log syslogd setting
    set status enable
    set server "192.168.1.200"
    end
    

  2. Reporting: Set up reporting for security-related events.
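Added example (not from the original post) extending the syslog block above for a SOC-facing setup: reliable (TCP) delivery with encryption, a severity filter, logging of hits on the implicit deny policy, hostname resolution in log records, and real-time upload to a FortiAnalyzer for reporting. The FortiAnalyzer address 192.168.1.201 and port 6514 are constructed values; the syslog server 192.168.1.200 is the one used above.

```text
config log syslogd setting
    set status enable
    set server "192.168.1.200"
    set mode reliable
    set port 6514
    set enc-algorithm high
    set facility local7
end
config log syslogd filter
    set severity information
end
config log setting
    set fwpolicy-implicit-log enable
    set resolve-ip enable
end
config log fortianalyzer setting
    set status enable
    set server "192.168.1.201"
    set upload-option realtime
end
```

Logging the implicit deny is what makes scans and misrouted traffic visible; without it only accepted sessions on policies with logtraffic enabled produce records. The receiving syslog server must accept TLS on the chosen port, otherwise fall back to mode udp on 514 and protect the path at the network layer.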

Additional Features

  1. DHCP: Configure the DHCP server to assign IP addresses dynamically. The range below (192.168.1.100 to 192.168.1.200) includes 192.168.1.100, the web server address mapped by the DNAT VIP above; exclude or reserve that address so the lease pool cannot hand it to another client.
    config system dhcp server
    edit 1
    set dns-service default
    set default-gateway 192.168.1.1
    set netmask 255.255.255.0
    set interface "lan1"
    config ip-range
    edit 1
    set start-ip 192.168.1.100
    set end-ip 192.168.1.200
    next
    end
    next
    end
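An added example (not in the original) of keeping the static web server address out of the lease pool above with an exclude range; 192.168.1.100 is the mappedip from the NAT section, and DHCP server entry 1 is the one created above.

```text
config system dhcp server
    edit 1
        config exclude-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.100
            next
        end
    next
end
```

Alternatively, shrink the pool to start at 192.168.1.101, or reserve the address to the server's MAC under config reserved-address so the assignment is tracked by the DHCP server itself.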
    
  2. DNS: Set up a DNS server for name resolution.
    config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    end
    
  3. Web Filtering: Enable and configure web filtering for URL categorization and security. A profile does nothing on its own; it must be attached to a firewall policy with UTM enabled, and inspecting HTTPS sites requires an SSL/SSH inspection profile on the same policy.
    config webfilter profile
    edit "default"
    set inspection-mode flow-based
    config web
    set block-malicious-url enable
    end
    next
    end
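Added example (not the page's own code) attaching the web filter profile above to the "Allow-HTTP" policy (ID 1) from the Security Policies section. Without this step the profile is inactive; the predefined certificate-inspection profile lets the filter see the server name on HTTPS connections without decrypting them, and UTM logging records what was blocked. Adding "HTTPS" to the policy's service list is an assumption so the filter has HTTPS traffic to inspect.

```text
config firewall policy
    edit 1
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode flow
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic utm
    next
end
```

Certificate inspection is enough for category and malicious-URL blocking by hostname; full deep inspection (decrypting TLS) requires deploying the FortiGate CA certificate to clients and is a separate decision.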
    

What Undercode Say

Fortigate firewalls are powerful tools for securing networks, and their configuration requires a deep understanding of networking and security principles. The commands provided above are essential for setting up a Fortigate firewall, from basic management IP configuration to advanced features like VPNs and web filtering.

For Linux users, many of these concepts translate well into tools like `iptables` for firewall management, `OpenVPN` for VPN configurations, and `dnsmasq` for DHCP and DNS services. For example, to set up a basic NAT rule in Linux using iptables, you can use:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For logging, tools like `syslog-ng` or `rsyslog` can be configured to centralize logs, similar to Fortigate’s logging capabilities. For web filtering, tools like `Squid` with `SquidGuard` can be used to block malicious URLs.

To further enhance your knowledge, explore resources like the Fortinet Documentation and Linux man pages for iptables, OpenVPN, and dnsmasq. Combining these tools with a solid understanding of networking protocols will make you adept at managing both Fortigate devices and Linux-based systems.

Remember, cybersecurity is an ever-evolving field, and staying updated with the latest tools and techniques is crucial. Regularly practice these commands and explore new tools to keep your skills sharp.
