1. Preparing for Deployment

Before touching the FortiGate GUI or CLI, gather:

  • Network Plan: IP subnets for LAN, WAN, DMZ, VPN pools, and management.
  • Access Credentials: FortiGate serial number, default admin login (GUI/SSH), and SSH keys if used.
  • Documentation: FortiGate model datasheet, FortiOS version compatibility, and firmware image.

Maintaining clear documentation of your network design and IP addressing will streamline every subsequent configuration step.

2. Initial Access and Administrative Hardening

2.1 Physical & Management Access

  1. Physical Connections:
    • Connect the WAN port (e.g., wan1) to your ISP modem.
    • Connect an internal switch or a management workstation to a LAN port (e.g., port2).
  2. Browser Access:
    • Assign your PC a static IP in the default FortiGate management subnet (e.g., 192.168.1.2/24).
    • Navigate to https://192.168.1.99 and log in with:
      • Username: admin
      • Password: (blank)

2.2 Change Default Admin Settings

  • Change the Admin Password:
    Navigate to System > Administrators, edit the admin user, and set a strong password.
  • Restrict Administrative Access:
    Bind admin access to trusted hosts (specific management IPs) and enable only HTTPS and SSH services on the management interface.
  • Enable CLI Audit Logging:
config system global
  set cli-audit-log enable
end
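The CLI equivalent of the hardening steps above, as an added example that is not part of the original article: it restricts the admin account to trusted management hosts, limits the management interface to HTTPS and SSH, and keeps CLI audit logging on. The management subnet 10.10.0.0/24, the interface name port2 and the password placeholder are assumptions; the comment lines are annotations.

```text
# Restrict the built-in admin account to trusted source addresses.
# Logins from any other address are refused before the password is checked.
config system admin
    edit "admin"
        set password <strong-passphrase-placeholder>
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 10.10.1.5 255.255.255.255
    next
end

# Expose only HTTPS and SSH on the management-side interface;
# HTTP, Telnet and SNMP are left off by omission.
config system interface
    edit "port2"
        set allowaccess https ssh
    next
end

# Record every CLI command in the event log so changes are attributable.
config system global
    set cli-audit-log enable
end
```

Check the result with `show system admin admin` and `show system interface port2` before closing the session you used to apply it.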

3. Network Interface Configuration

3.1 WAN Interface

  1. Navigate to Network > Interfaces.
  2. Edit the WAN interface (wan1):
    • Addressing Mode:
      • DHCP if provided by ISP.
      • Static: configure IP, subnet mask, and default gateway.
    • Administrative Access: Allow only HTTPS (and SSH, if required).
  3. Apply changes.

3.2 LAN Interface

  1. Edit the LAN interface (internal or port2):
    • IP/Subnet: e.g., 192.168.10.1/24.
    • Role: set to LAN.
  2. Enable DHCP Server (optional): define an IP range for client leases, DNS servers, and default gateway.
  3. Apply changes.

3.3 DMZ Interface (Optional)

To host public-facing servers in a DMZ:

  1. Create or edit a dedicated interface (physical or VLAN).
  2. IP/Subnet: assign a separate range (e.g., 10.0.0.0/24).
  3. Role: set to DMZ.
  4. Apply changes.

4. Static Routing

A default route ensures internet-bound traffic reaches the WAN:

  1. Network > Static Routes > Create New.
  2. Destination: 0.0.0.0/0 (default route).
  3. Gateway: ISP’s next-hop IP.
  4. Interface: wan1.
  5. Distance: 10 (default).
  6. Save.

For additional networks (e.g., DMZ or VPN pools), add specific routes pointing to the appropriate interface.

5. Creating Firewall Policies

Firewall policies define traffic flows between interfaces. A typical LAN-to-WAN policy:

  1. Policy & Objects > IPv4 Policy > Create New.
  2. Name: LAN_to_WAN.
  3. Incoming Interface: internal.
  4. Outgoing Interface: wan1.
  5. Source: all (or specify Internal_Subnet).
  6. Destination: all.
  7. Service: ALL.
  8. Action: Accept.
  9. NAT: Enable (for internet access).
  10. Logging: Enable All Sessions.
  11. Save.

DMZ-to-WAN and WAN-to-DMZ (Port Forwarding)

  • DMZ Policy: Mirror the above, swapping internal with the DMZ interface.
  • VIPs (Virtual IPs) for port forwarding:
    1. Policy & Objects > Virtual IPs > Create New.
    2. Name: e.g., Web_VIP.
    3. Interface: wan1.
    4. External IP: public IP.
    5. Mapped IP: internal server IP.
    6. Port Forwarding: enable and set service (e.g., TCP 80).
    7. Save and apply the VIP to a new WAN-to-DMZ policy.
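The LAN-to-WAN policy, the Web_VIP and the WAN-to-DMZ policy from this section expressed in FortiOS CLI, as an added example that is not part of the original article. The address object Internal_Subnet, the DMZ interface name dmz, the public IP 203.0.113.10 and the server IP 10.0.0.10 are constructed assumptions; note that the inbound policy's service is limited to HTTP rather than ALL, so only the forwarded port is reachable.

```text
# Address object for the LAN, used instead of "all" on the outbound policy.
config firewall address
    edit "Internal_Subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Port-forwarding VIP: public TCP/80 on wan1 maps to the DMZ web server.
config firewall vip
    edit "Web_VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    # Outbound LAN_to_WAN with source NAT and full session logging.
    edit 0
        set name "LAN_to_WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Internal_Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Inbound WAN_to_DMZ: destination is the VIP, service restricted to HTTP.
    edit 0
        set name "WAN_to_DMZ_Web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Web_VIP"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end
```

`edit 0` lets FortiOS assign the next free policy ID; verify the order afterwards with `show firewall policy`, since policies are matched top-down.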

6. Security Profiles (UTM)

Enhance policy enforcement by applying security profiles:

  1. Security Profiles menu: configure profiles for Antivirus, Web Filter, Application Control, and Intrusion Prevention (IPS).
  2. Customize filters and exception lists per organizational needs.
  3. Attach profiles to firewall policies under the Security Profiles section.

7. VPN Configuration (Optional)

FortiGate supports both IPsec and SSL VPN for remote connectivity:

7.1 Site-to-Site IPsec VPN

  1. VPN > IPsec Wizard.
  2. Select a template (e.g., Site to Site).
  3. Local Interface: wan1.
  4. Remote Gateway: Peer’s IP or FQDN.
  5. Authentication: pre-shared key or certificate.
  6. Phase 1 & 2 proposals: choose encryption and hashing algorithms.
  7. Create policy and routes automatically.

7.2 SSL VPN

  1. VPN > SSL-VPN Settings.
  2. Enable SSL VPN on wan1.
  3. Define portal settings (split tunneling, bookmarks).
  4. Create user groups and assign to the portal.
  5. Save and distribute URL to clients.

8. Logging, Monitoring & SIEM Integration

8.1 Local and Remote Logging

  • Log & Report > Log Settings: enable local disk logs and/or remote Syslog/FortiCloud.
  • Retention and rotation policies help manage disk usage.

8.2 Syslog Configuration for SIEM

Follow the Huntress guide for CEF-formatted logs:

config log syslogd setting
  set status enable
  set format cef
  set server <SIEM_IP>
end

config log syslogd filter
  set severity information
  set forward-traffic enable
  set anomaly enable
  set local-traffic enable
  …
end

Verify with show log syslogd setting and show log syslogd filter.

9. Backup, Firmware Updates & High Availability

9.1 Configuration Backup

  • Dashboard > Status: in the System Information widget, click Backup to download a .conf file.
  • Store backups off-site or in FortiCloud.

9.2 Firmware Upgrades

  • System > Firmware: check and install FortiOS updates during planned maintenance windows.
  • Always back up the configuration before upgrading.

9.3 High Availability (HA)

  • System > HA: configure cluster mode (active-active or active-passive), set group name, password, and heartbeat interfaces.
  • Sync configuration and firmware across cluster members for seamless failover.
Last modified: May 23, 2025
