Configuring the FortiGate unit
1. Configuring the FortiGate unit — networks and firewalls
2. Configuring the FortiGate unit – BGP
3. Configuring the FortiGate unit – OSPF
4. Configuring other networking devices
5. Configuring ECMP support for BGP
Configuring the FortiGate unit — networks and firewalls
The FortiGate unit has three interfaces connected to networks: two external and one dmz. Security policies must be in place to allow traffic to flow between these networks.
The firewall services permitted on a network change depending on which routing protocol that network uses, either BGP or OSPF. Beyond that, every service that is allowed is allowed in both directions, because the internal servers must both receive and initiate connections. The services allowed are web-server services (DNS, HTTP, HTTPS, SSH, NTP, FTP*, SYSLOG, and MYSQL), email services (POP3, IMAP, and SMTP), and general troubleshooting services (PING, TRACEROUTE). The two troubleshooting services can be removed once the network is up and working properly, which reduces the exposed surface. Other services can be added later as needed.
To configure the interfaces – GUI
1. Go to System > Network > Interfaces.
2. Edit the port1 (dmz) interface.
3. Set the following information, and select OK.
Alias: dmz
IP/Network Mask: 10.11.201.110/255.255.255.0
Administrative Access: HTTPS SSH PING
Description: OSPF internal networks
Administrative Status: Up
4. Edit the port2 (external1) interface.
5. Set the following information, and select OK.
Alias: external1
IP/Network Mask: 172.21.111.4/255.255.255.0
Administrative Access: HTTPS SSH
Description: BGP external Peer 1
Administrative Status: Up
6. Edit the port3 (external2) interface.
7. Set the following information, and select OK.
Alias: external2
IP/Network Mask: 172.22.222.4/255.255.255.0
Administrative Access: HTTPS SSH
Description: BGP external2 Peer2
Administrative Status: Up
To configure the FortiGate interfaces – CLI
config system interface
    edit port1
        set alias dmz
        set ip 10.11.201.110 255.255.255.0
        set allowaccess https ssh ping
        set description "OSPF internal networks"
        set status up
    next
    edit port2
        set alias external1
        set ip 172.21.111.5 255.255.255.0
        set allowaccess https ssh
        set description "external1 Peer 1"
        set status up
    next
    edit port3
        set alias external2
        set ip 172.22.222.5 255.255.255.0
        set allowaccess https ssh
        set description "external2 Peer 2"
        set status up
    next
end
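The interface block above is the part of this configuration most worth auditing before the unit is exposed to the two BGP peers: the external ports must carry only encrypted administrative access, and PING is expected only on the dmz side. The following Python script is an added example, not Fortinet code or part of this handbook section. It parses a "config system interface" block in the CLI syntax shown above and reports interfaces that allow cleartext administrative protocols (http, telnet) or that answer ping on an interface named as external. The sample configuration inside it is constructed for the example; its port3 deliberately adds "http telnet" so that the audit has something to flag, and the helper names (parse_interfaces, audit_admin_access, interface_network) are this example's own.

```python
import ipaddress
import shlex

# Constructed sample input for this example. It mirrors the three interfaces
# in the section above, except that port3 deliberately enables http and
# telnet so the audit has a finding to report.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set alias dmz
        set ip 10.11.201.110 255.255.255.0
        set allowaccess https ssh ping
        set description "OSPF internal networks"
        set status up
    next
    edit port2
        set alias external1
        set ip 172.21.111.5 255.255.255.0
        set allowaccess https ssh
        set description "external1 Peer 1"
        set status up
    next
    edit port3
        set alias external2
        set ip 172.22.222.5 255.255.255.0
        set allowaccess https ssh http telnet
        set description "external2 Peer 2"
        set status up
    next
end
"""

# Administrative protocols that carry credentials in cleartext.
CLEARTEXT_ADMIN = {"http", "telnet"}


def parse_interfaces(text):
    """Parse a 'config system interface' block into
    {interface_name: {setting: [values, ...]}}.

    Only the first 'config system interface' block is read; parsing stops at
    its closing 'end'. Quoted values (descriptions) are kept as one value.
    """
    interfaces = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)          # ['set', key, value, ...]
            interfaces[current][parts[1]] = parts[2:]
        elif line == "next":
            current = None
        elif line == "end":
            break
    return interfaces


def interface_network(interfaces, name):
    """Return the network an interface sits on, e.g. '10.11.201.0/24'.

    Useful for checking that a firewall address object (the BGP_services
    subnet later in this section) matches the interface it is bound to.
    """
    ip, mask = interfaces[name]["ip"]
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network)


def audit_admin_access(interfaces, external=("port2", "port3")):
    """Return sorted (interface, finding) pairs for risky allowaccess values.

    'cleartext-admin': http or telnet is enabled on any interface.
    'ping-external':   ping is enabled on an interface listed as external.
    """
    findings = []
    for name, settings in interfaces.items():
        access = set(settings.get("allowaccess", []))
        if access & CLEARTEXT_ADMIN:
            findings.append((name, "cleartext-admin"))
        if name in external and "ping" in access:
            findings.append((name, "ping-external"))
    return sorted(findings)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for name in ifaces:
        print(name, interface_network(ifaces, name), ifaces[name].get("allowaccess"))
    for name, finding in audit_admin_access(ifaces):
        print(f"FINDING {name}: {finding}")
```

Run it against a saved "show system interface" dump instead of the constructed sample to audit a real unit; port1 keeps ping without a finding because it is the dmz interface, not one of the external ports.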
To configure the firewall addresses – GUI
1. Go to Policy & Objects > Objects > Addresses.
2. Select Create New, and set the following information.
Category: Address
Name: BGP_services
Type: Subnet / IP Range
Subnet / IP Range: 10.11.201.0 255.255.255.0
Interface: port1
3. Select OK.
Hi Mike,
If I configure the following on fortigate1:
config router bgp
    set as 65000
    set router-id 10.2.2.254
    config neighbor
        edit "10.2.2.253"
            set next-hop-self enable
            set remote-as 65000
            set send-community6 disable
        next
    end
    config redistribute "static"
        set status enable
    end
end
fortigate2 should get the default route 0.0.0.0 0.0.0.0 from fortigate1 as it is static?
How can I redistribute the default route (fortigate1) to fortigate2?
Thanks,
Regards
There is a really good KB article that explains how to do this. You can find it here
If you want to redistribute static routes you would enable the following:
config router bgp
    config redistribute static
        set status enable
    end
end
An example of the config would be like this:
config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end
config router bgp
    set as 2
    config neighbor
        edit 10.142.0.110
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
Let me know if this helped answer your question!
Thanks!
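The answer above hinges on prefix-list semantics that are easy to get wrong: a rule of 0.0.0.0 0.0.0.0 with ge and le unset matches only the default route itself, not every prefix that happens to fall inside 0.0.0.0/0, and an inbound route-map with a single match rule permits what the list matches and silently drops everything else. The Python below is an added example, written for this thread, not FortiOS code and not the answerer's configuration. It emulates that matching logic and applies the "only_default_route" route-map from the answer to a constructed set of advertised prefixes; it goes a step beyond the thread by also showing how ge and le widen a rule to a range of prefix lengths. The data structures (PREFIX_LISTS, ROUTE_MAPS) and function names are this example's own, and the implicit deny at the end of a route-map follows standard route-map behaviour.

```python
import ipaddress

# Emulation of the prefix-list and route-map from the answer above, written
# as plain data so the matching logic can be exercised offline.
PREFIX_LISTS = {
    # "set prefix 0.0.0.0 0.0.0.0 / unset ge / unset le"
    "only_dflt": [{"prefix": "0.0.0.0/0", "ge": None, "le": None}],
    # Extra list, not from the thread: any 10/8 network no longer than /24.
    "ten_le24": [{"prefix": "10.0.0.0/8", "ge": None, "le": 24}],
}

ROUTE_MAPS = {
    # rule 1: match-ip-address "only_dflt", action permit (the default)
    "only_default_route": [{"match_ip_address": "only_dflt", "action": "permit"}],
}

# Constructed sample of prefixes a peer might advertise to us.
SAMPLE_ROUTES = ["0.0.0.0/0", "10.142.0.0/24", "192.0.2.0/24", "172.16.0.0/12"]


def prefix_list_matches(rule_prefix, route, ge=None, le=None):
    """Return True if `route` matches one prefix-list rule.

    The route must lie inside the rule's prefix, and its prefix length must
    fall in the permitted range:
      ge and le unset -> exactly the rule's own length (exact match);
      only le set     -> rule length .. le;
      only ge set     -> ge .. 32;
      both set        -> ge .. le.
    """
    rule_net = ipaddress.ip_network(rule_prefix, strict=False)
    route_net = ipaddress.ip_network(route, strict=False)
    if not route_net.subnet_of(rule_net):
        return False
    lo = ge if ge is not None else rule_net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = rule_net.max_prefixlen
    else:
        hi = rule_net.prefixlen
    return lo <= route_net.prefixlen <= hi


def prefix_list_permits(name, route, prefix_lists=PREFIX_LISTS):
    """A prefix list permits a route if any of its rules matches."""
    return any(
        prefix_list_matches(r["prefix"], route, r["ge"], r["le"])
        for r in prefix_lists[name]
    )


def apply_route_map_in(name, routes, route_maps=ROUTE_MAPS, prefix_lists=PREFIX_LISTS):
    """Apply an inbound route-map and return the routes that are accepted.

    The first rule whose prefix list matches decides the outcome; a route
    that matches no rule hits the implicit deny and is dropped.
    """
    accepted = []
    for route in routes:
        for rule in route_maps[name]:
            if prefix_list_permits(rule["match_ip_address"], route, prefix_lists):
                if rule["action"] == "permit":
                    accepted.append(route)
                break
    return accepted


if __name__ == "__main__":
    print("accepted from peer:", apply_route_map_in("only_default_route", SAMPLE_ROUTES))
    for r in ["10.0.0.0/8", "10.142.0.0/24", "10.1.2.0/25"]:
        print(r, "ten_le24 ->", prefix_list_permits("ten_le24", r))
```

With the route-map from the answer, only 0.0.0.0/0 survives the inbound filter; the other three advertised prefixes fall inside 0.0.0.0/0 but fail the exact-length check, which is exactly why "unset ge / unset le" matters in that configuration.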
Hi,
Thanks for the link and example, got it working!
Regards
Awesome to hear Piccolo!
config router bgp
    set as 65041
    set router-id 162.53.156.138
    config neighbor
        edit "10.104.55.1"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
        edit "10.104.55.2"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 64699
            set send-community6 disable
        next
    end
end
I am trying to accomplish the above, but I can see only one neighbour is established and the other is in ACTIVE state…
So you see both neighbors but only one is active?