Configure interfaces and default routes
The FortiGate unit is connected to three networks: Company Network on the internal interface, ISP1 Network on the external1 interface, and ISP2 Network on the external2 interface.
This example uses basic interface settings. Check with your ISP to determine if additional settings are required such as setting the maximum MTU size, or if gateway detection is supported.
High-end FortiGate units do not have interfaces labeled Internal or External. Instead, for clarity, this example uses the alias feature to name interfaces for these roles.
Default routes to both external interfaces are configured here as well. Both are needed in case one goes offline. ISP1 is the primary connection and has a smaller administrative distance so it will be preferred over ISP2. Both distances are set low so they will be preferred over any learned routes.
To configure the FortiGate interfaces - web-based manager
1. Go to System > Network > Interface.
2. Edit the port1 (internal) interface.
3. Set the following information, and select OK.
Alias | internal |
IP/Network Mask | 10.11.101.110/255.255.255.0 |
Administrative Access | HTTPS SSH PING |
Description | Company internal network |
Administrative Status | Up |
4. Edit the port2 (external1) interface.
5. Set the following information, and select OK.
Alias | external1 |
IP/Network Mask | 172.21.111.5/255.255.255.0 |
Administrative Access | HTTPS SSH PING |
Description | ISP1 External BGP network |
Administrative Status | Up |
6. Edit the port3 (external2) interface.
7. Set the following information, and select OK.
Alias | external2 |
IP/Network Mask | 172.22.222.5/255.255.255.0 |
Administrative Access | HTTPS SSH PING |
Description | ISP2 External BGP network |
Administrative Status | Up |
To configure the FortiGate interfaces - CLI
config system interface
    edit port1
        set alias internal
        set ip 10.11.101.110 255.255.255.0
        set allowaccess https ssh ping
        set description "Company internal network"
        set status up
    next
    edit port2
        set alias external1
        set ip 172.21.111.5 255.255.255.0
        set allowaccess https ssh ping
        set description "ISP1 External BGP network"
        set status up
    next
    edit port3
        set alias external2
        set ip 172.22.222.5 255.255.255.0
        set allowaccess https ssh ping
        set description "ISP2 External BGP network"
        set status up
    next
end
To configure default routes for both ISPs - web-based manager
1. Go to Router > Static > Static Routes.
2. Delete any existing routes with an IP/Mask address of 0.0.0.0/0.0.0.0.
3. Select Create New, and set the following information.
Destination IP/Mask | 0.0.0.0/0.0.0.0 |
Device | port2 |
Gateway | 172.21.111.5 |
Distance | 10 |
4. Select OK.
5. Select Create New, and set the following information.
Destination IP/Mask | 0.0.0.0/0.0.0.0 |
Device | port3 |
Gateway | 172.22.222.5 |
Distance | 15 |
6. Select OK.
To configure default routes for both ISPs - CLI
config router static
    edit 1
        set device "port2"
        set distance 10
        set gateway 172.21.111.5
    next
    edit 2
        set device "port3"
        set distance 15
        set gateway 172.22.222.5
    next
end
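The interface and default-route settings above can be checked offline before they are applied to a unit. The Python below is an added example, not Fortinet code: it parses a constructed snippet in the same CLI layout, reports interfaces that allow plaintext administrative protocols (assumed here to be http and telnet), and shows which default route wins on administrative distance, including after the primary device goes down. The function names are hypothetical.

```python
# Constructed sample in the CLI layout shown above (not an export from a real unit).
SAMPLE = """config system interface
edit port1
set allowaccess http https ssh
next
edit port2
set allowaccess https ssh
next
end
config router static
edit 1
set device "port2"
set distance 10
next
edit 2
set device "port3"
set distance 15
next
end
"""

PLAINTEXT = {"http", "telnet"}  # assumption: admin protocols treated as unencrypted

def parse_config(text):
    """Parse flat (non-nested) config/edit/set blocks into {section: {entry: {key: value}}}."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        words = line.split(None, 2) or [""]  # blank lines fall through every branch
        if words[0] == "config":
            section = cfg.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit" and section is not None:
            entry = section.setdefault(words[1].strip('"'), {})
        elif words[0] == "set" and entry is not None and len(words) == 3:
            entry[words[1]] = words[2].strip().strip('"')
        elif words[0] in ("next", "end"):
            entry, section = None, (None if words[0] == "end" else section)
    return cfg

def plaintext_admin(cfg):
    """Return {interface: [plaintext admin protocols enabled on it]}."""
    hits = {n: sorted(PLAINTEXT & set(s.get("allowaccess", "").split()))
            for n, s in cfg.get("system interface", {}).items()}
    return {n: p for n, p in hits.items() if p}

def active_default(cfg, down=()):
    """Lowest-distance static route whose device is up; assumes every entry is a default route."""
    up = [r for r in cfg.get("router static", {}).values() if r.get("device") not in down]
    best = min(up, key=lambda r: int(r.get("distance", 10)), default=None)  # 10 = FortiOS default
    return best["device"] if best else None
```

With the constructed sample, port1 is reported for http, port2 carries the default route while it is up, and port3 takes over when port2 is marked down.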