Advanced Routing for FortiOS 5.0, Chapter 2: Border Gateway Protocol (BGP). Redistributing and blocking routes in BGP: Configuring the FortiGate unit.

Configuring the FortiGate unit — networks and firewalls
The FortiGate unit has three interfaces connected to networks — two external and one dmz.
Security policies must be in place to allow traffic to flow between these networks.
The firewall services allowed on each network depend on which routing protocol is used there, either BGP or OSPF. Beyond that, every allowed service is permitted in both directions because the networks host internal servers. The services allowed are web-server services (DNS, HTTP, HTTPS, SSH, NTP, FTP*, SYSLOG, and MYSQL), email services (POP3, IMAP, and SMTP), and general troubleshooting services (PING and TRACEROUTE). The two troubleshooting services can be removed once the network is up and working properly, to increase security. Other services can be added later as needed.
To configure the interfaces - GUI
1. Go to System > Network > Interfaces.
2. Edit port1 (dmz) interface.
3. Set the following information, and select OK.
   Alias: dmz
   IP/Netmask: 10.11.201.110/255.255.255.0
   Administrative Access: HTTPS, SSH, PING
   Description: OSPF internal networks
   Administrative Status: Up
4. Edit port2 (external1) interface.
5. Set the following information, and select OK.
   Alias: external1
   IP/Netmask: 172.21.111.4/255.255.255.0
   Administrative Access: HTTPS, SSH
   Description: BGP external1 Peer 1
   Administrative Status: Up
6. Edit port3 (external2) interface.
7. Set the following information, and select OK.
   Alias: external2
   IP/Netmask: 172.22.222.4/255.255.255.0
   Administrative Access: HTTPS, SSH
   Description: BGP external2 Peer 2
   Administrative Status: Up
To configure the FortiGate interfaces - CLI
config system interface
    edit port1
        set alias dmz
        set ip 10.11.201.110 255.255.255.0
        set allowaccess https ssh ping
        set description "OSPF internal networks"
        set status up
    next
    edit port2
        set alias external1
        set ip 172.21.111.4 255.255.255.0
        set allowaccess https ssh
        set description "BGP external1 Peer 1"
        set status up
    next
    edit port3
        set alias external2
        set ip 172.22.222.4 255.255.255.0
        set allowaccess https ssh
        set description "BGP external2 Peer 2"
        set status up
    next
end
To configure the firewall addresses - GUI
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, and set the following information.
   Address Name: BGP_services
   Type: Subnet / IP Range
   Subnet / IP Range: 10.11.201.0 255.255.255.0
   Interface: port1
3. Select OK.
4. Select Create New, and enter the following information:
5. Select OK.
To configure the firewall addresses - CLI
config firewall address
    edit "BGP_services"
        set associated-interface "port1"
        set subnet 10.11.201.0 255.255.255.0
    next
end
To configure firewall service groups - GUI
1. Go to Firewall Objects > Service > Groups.
2. Select Create New.
3. Name the group BGP_Services.
4. Move the following services to the right list: BGP, DHCP, DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS, IMAP, MYSQL, NTP, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
5. Select OK.
6. Select Create New.
7. Name the group OSPF_Services.
8. Move the following services to the right list: DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS, IMAP, MYSQL, NTP, OSPF, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
9. Select OK.
To configure firewall service groups - CLI
config firewall service group
    edit "BGP_services"
        set member "BGP" "DHCP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "IMAP" "MYSQL" "NTP" "PING" "POP3" "SMTP" "SSH" "TRACEROUTE" "SYSLOG"
    next
    edit "OSPF_services"
        set member "DHCP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "IMAP" "MYSQL" "NTP" "PING" "POP3" "SMTP" "SSH" "TRACEROUTE" "SYSLOG" "OSPF"
    next
end
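Two points above are worth checking automatically before the configuration goes live: the external interfaces should keep administrative access to HTTPS and SSH only, and the PING/TRACEROUTE members of the service groups are meant to be removed once the network is stable. The following is an added example, not Fortinet's code, that parses the config/edit/set CLI syntax used in this section and reports both conditions. It assumes external ports carry an alias beginning with "external", as in the steps above, and the sample text is constructed (port3 is deliberately given a loose allowaccess so a finding is produced).

```python
import shlex

# Constructed sample in the FortiOS CLI syntax used in this section;
# port3 is deliberately over-permissive so that audit() reports something.
SAMPLE_CONFIG = """
config system interface
    edit port1
        set alias dmz
        set allowaccess https ssh ping
    next
    edit port3
        set alias external2
        set allowaccess https ssh ping http
    next
end
config firewall service group
    edit "BGP_services"
        set member "BGP" "DNS" "HTTPS" "PING" "TRACEROUTE"
    next
end
"""

def parse_fortios(text):
    # Returns {table: {entry: {key: [values]}}}; "next"/"end" need no state
    # because "config"/"edit" reset the current table and entry.
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)          # handles the quoted values
        if not words: continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
    return tables

# Assumptions: these admin services should not face a BGP peer, and the
# troubleshooting services are the ones the text says to remove later.
RISKY_EXTERNAL_ACCESS = {"http", "telnet", "ping", "snmp"}
TROUBLESHOOTING_SERVICES = {"PING", "TRACEROUTE"}

def audit(text):
    # Returns a list of finding strings; an empty list means the snippet passes.
    cfg = parse_fortios(text)
    findings = []
    for port, attrs in cfg.get("system interface", {}).items():
        alias = attrs.get("alias", [""])[0]
        bad = RISKY_EXTERNAL_ACCESS & set(attrs.get("allowaccess", []))
        if alias.startswith("external") and bad:
            findings.append(f"{port} ({alias}): external admin access allows {sorted(bad)}")
    for group, attrs in cfg.get("firewall service group", {}).items():
        left = TROUBLESHOOTING_SERVICES & set(attrs.get("member", []))
        if left:
            findings.append(f"service group {group}: still contains {sorted(left)}")
    return findings
```

Running audit() over a `show system interface` and `show firewall service group` export gives the same findings for a live unit.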