Configuring the FortiGate unit — networks and firewalls
The FortiGate unit has three interfaces connected to networks — two external and one dmz.
Security policies must be in place to allow traffic to flow between these networks.
Firewall services will change depending on which routing protocol is being used on that network — either BGP or OSPF. Beyond that, all services that are allowed will be allowed in both directions due to the internal servers. The services allowed are web-server services (DNS, HTTP, HTTPS, SSH, NTP, FTP*, SYSLOG, and MYSQL), email services (POP3, IMAP, and SMTP), and general troubleshooting services (PING, TRACEROUTE). Those last two can be removed once the network is up and working properly to increase security. Other services can be added later as needed.
To configure the interfaces - GUI
1. Go to System > Network > Interfaces.
2. Edit port1 (dmz) interface.
3. Set the following information, and select OK.
Alias | dmz |
IP/Netmask | 10.11.201.110/255.255.255.0 |
Administrative Access | HTTPS SSH PING |
Description | OSPF internal networks |
Administrative Status | Up |
4. Edit port2 (external1) interface.
5. Set the following information, and select OK.
Alias | external1 |
IP/Netmask | 172.21.111.4/255.255.255.0 |
Administrative Access | HTTPS SSH |
Description | BGP external1 Peer 1 |
Administrative Status | Up |
6. Edit port3 (external2) interface.
7. Set the following information, and select OK.
Alias | external2 |
IP/Netmask | 172.22.222.4/255.255.255.0 |
Administrative Access | HTTPS SSH |
Description | BGP external2 Peer2 |
Administrative Status | Up |
To configure the FortiGate interfaces (CLI)
config system interface
edit port1
set alias dmz
set ip 10.11.201.110 255.255.255.0
set allowaccess https ssh ping
set description "OSPF internal networks"
set status up
next
edit port2
set alias external1
set ip 172.21.111.4 255.255.255.0
set allowaccess https ssh
set description "BGP external1 Peer 1"
set status up
next
edit port3
set alias external2
set ip 172.22.222.4 255.255.255.0
set allowaccess https ssh
set description "BGP external2 Peer 2"
set status up
next
end
To configure the firewall addresses - GUI
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, and set the following information.
Address Name | BGP_services |
Type | Subnet / IP Range |
Subnet / IP Range | 10.11.201.0 255.255.255.0 |
Interface | port1 |
3. Select OK.
4. Select Create New, and enter the following information:
5. Select OK.
To configure the firewall addresses - CLI
config firewall address
edit "BGP_services"
set associated-interface "port1"
set subnet 10.11.201.0 255.255.255.0
next
end
To configure firewall service groups - GUI
1. Go to Firewall Objects > Service > Groups.
2. Select Create New.
3. Name the group BGP_Services.
4. Move the following services to the right list: BGP, DHCP, DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS, IMAP, MYSQL, NTP, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
5. Select OK.
6. Select Create New.
7. Name the group OSPF_Services.
8. Move the following services to the right list: DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS, IMAP, MYSQL, NTP, OSPF, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
9. Select OK.
To configure firewall service groups - CLI
config firewall service group
edit "BGP_services"
set member “BGP”, "DHCP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "IMAP" "MYSQL" "NTP" "PING" "POP3" "SMTP" "SSH" "TRACEROUTE" "SYSLOG"
next
edit "OSPF_services"
set member "DHCP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "IMAP" "MYSQL" "NTP" "PING" "POP3" "SMTP" "SSH" "TRACEROUTE" "SYSLOG" "OSPF"
next
end