To create a firewall services group – web-based manager
1. Go to Policy & Objects > Objects > Services, select the dropdown arrow next to Create New and select Service Group.
2. For Group Name, enter “Basic_Services”.
3. From the Members dropdown, choose the following seven services: BGP, DNS, FTP, FTP_GET, FTP_PUT, HTTP, and HTTPS.
4. Select OK.
To create a firewall services group – CLI
config firewall service group
    edit "Basic_Services"
        set member "BGP" "DNS" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS"
    next
end
To create a zone for the ISP interfaces – web-based manager
1. Go to System > Network > Interfaces.
2. Select the caret to the right of Create New and then select Zone.
3. Enter the following information.
Zone Name: ISPs
Block Intra-zone traffic: enable
Interface Members: port2, port3
4. Select OK.
To create a zone for the ISP interfaces – CLI
config system zone
    edit "ISPs"
        set interface "port2" "port3"
        set intrazone block
    next
end
To add the firewall addresses – web-based manager
1. Go to Policy & Objects > Objects > Addresses.
2. Select Create New, and set the following information.
Category: Address
Name: Internal_network
Type: Subnet / IP Range
Subnet / IP Range: 10.11.101.0 255.255.255.0
Interface: port1
3. Select OK.
To add the firewall addresses – CLI
config firewall address
    edit "Internal_network"
        set associated-interface "port1"
        set subnet 10.11.101.0 255.255.255.0
    next
end
To add the HTTP and DNS security policies – web-based manager
1. Go to Policy & Objects > Policy > IPv4, and select Create New.
2. Set the following information.
Incoming Interface: port1 (internal)
Source Address: Internal_network
Outgoing Interface: ISPs
Destination Address: All
Schedule: Always
Service: Basic_Services
Action: ACCEPT
Log Allowed Traffic: Enable
Firewall / Network Options: Enable NAT
Comments: ISP1 basic services out policy
3. Select OK.
4. Select Create New, and set the following information.
Incoming Interface: ISPs
Source Address: All
Outgoing Interface: port1 (internal)
Destination Address: Internal_network
Schedule: Always
Service: Basic_Services
Action: ACCEPT
Log Allowed Traffic: Enable
Firewall / Network Options: Enable NAT
Comments: ISP1 basic services in policy
5. Select OK.
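The page gives the two policies only for the web-based manager. The CLI equivalent below is added here as an example and is not taken from the original page; the policy IDs 1 and 2 are assumptions (use whatever IDs are free on the unit), and the object names are the ones created in the steps above, which FortiOS matches case-sensitively, so the service must be spelled "Basic_Services" exactly as the group was named.

```text
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "ISPs"
        set srcaddr "Internal_network"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Basic_Services"
        set logtraffic all
        set nat enable
        set comments "ISP1 basic services out policy"
    next
    edit 2
        set srcintf "ISPs"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Internal_network"
        set action accept
        set schedule "always"
        set service "Basic_Services"
        set logtraffic all
        set nat enable
        set comments "ISP1 basic services in policy"
    next
end
```

Two caveats worth checking before pasting this. Newer FortiOS releases require a policy name (`set name "..."`) in addition to the comment, so add one if the CLI rejects the entry. More importantly, policy 2 accepts unsolicited traffic from the ISP zone to the entire internal subnet for every member of the group, FTP_PUT included; in production, narrow `dstaddr` to the specific hosts that actually serve those protocols rather than the whole Internal_network object, and confirm the result with `show firewall policy 2`.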
Hi Mike,
If I configure the following on fortigate1:
config router bgp
    set as 65000
    set router-id 10.2.2.254
    config neighbor
        edit "10.2.2.253"
            set next-hop-self enable
            set remote-as 65000
            set send-community6 disable
        next
    end
    config redistribute "static"
        set status enable
    end
end
Should fortigate2 get the default route 0.0.0.0 0.0.0.0 from fortigate1, since it is static?
How can I redistribute the default route (fortigate1) to fortigate2?
Thanks,
Regards
There is a really good KB article that explains how to do this. You can find it here.
If you want to redistribute static routes, you would enable the following:
config router bgp
    config redistribute "static"
        set status enable
    end
end
An example of the config would be like this:
config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end
config router bgp
    set as 2
    config neighbor
        edit "10.142.0.110"
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
Let me know if this helped answer your question!
Thanks!
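The answer above applies the filter on the receiving peer (route-map-in). The same prefix-list and route-map can instead be attached to the redistribution on fortigate1, so that of all its static routes only 0.0.0.0/0 ever enters BGP. This is an added example, not the KB article's configuration or the poster's; the AS number 65000, router ID 10.2.2.254 and neighbor 10.2.2.253 are taken from the question, and the object names only_dflt and only_default_route are reused from the answer.

```text
config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end
config router bgp
    set as 65000
    set router-id 10.2.2.254
    config neighbor
        edit "10.2.2.253"
            set remote-as 65000
            set next-hop-self enable
        next
    end
    config redistribute "static"
        set status enable
        set route-map "only_default_route"
    end
end
```

A prefix-list entry of 0.0.0.0 0.0.0.0 with ge and le unset matches only the default route itself, and a route-map with no matching rule denies, so every other static route is dropped before redistribution. Redistribution works from the routing table, not from the configuration, so fortigate1 must actually have an active static 0.0.0.0/0 (under config router static) for anything to be advertised. Verify with `get router info bgp network` on fortigate1, where only 0.0.0.0/0 should be listed, and `get router info routing-table bgp` on fortigate2. If you prefer to limit what a particular peer receives rather than what enters BGP, `set route-map-out "only_default_route"` on the neighbor entry does the per-peer equivalent.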
Hi,
Thanks for the link and example, got it working!
Regards
Awesome to hear Piccolo!
config router bgp
    set as 65041
    set router-id 162.53.156.138
    config neighbor
        edit "10.104.55.1"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
        edit "10.104.55.2"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
    end
end
I am trying to accomplish the above, but I can see only one neighbour is established and the other is in ACTIVE state…
So you see both neighbors but only one is active?