Static routing example

General configuration steps

The steps to configure routing on this network are:

1. Get your ISP information such as DNS, gateway, etc.

2. Configure the FortiGate unit

3. Configure the Admin PC and Dentist PCs

4. Test the network configuration

 

Get your ISP information such as DNS, gateway, etc.

Your local network connects to the Internet through your Internet Service Provider (ISP). They have IP addresses that you need to configure your network and routing.

The addresses needed for routing are your assigned IP address, DNS servers, and the gateway.

 

Configure FortiGate unit

The FortiGate unit will have two interfaces in use—one connected to the internal network and one connected to the external network. Port1 will be the internal interface, and port2 will be the external interface.

To configure the FortiGate unit:

1. Configure the internal interface (port1)

2. Configure the external interface (port2)

3. Configure networking information

4. Configure basic security policies

5. Configure static routing

 

Configure the internal interface (port1)

To configure the internal interface (port1) – web-based manager

1. Go to System > Network > Interfaces. Highlight port1 and select Edit.

2. Enter the following:

   Addressing Mode         Manual
   IP/Netmask              172.100.1.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
   Description             Internal network

To configure the internal interface (port1) – CLI

config system interface
    edit port1
        set ip 192.168.10.1 255.255.255.0
        set allowaccess https ping telnet
        set description "internal network"
    next
end

 

Configure the external interface (port2)

The external interface connects to your ISP's network. You need to know the IP addresses in their network that you should connect to. Use their addresses when you get them; for this example we will assume the address your ISP gave you is 172.100.20.20, that it connects to the gateway at 172.100.20.5 on their network, and that their DNS servers are 172.11.22.33 and 172.11.22.34.

 

To configure the external interface (port2) – web-based manager

1. Go to System > Network > Interfaces. Highlight port2 and select Edit.

2. Enter the following:

   Addressing Mode         Manual
   IP/Netmask              172.100.20.20/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
   Description             External network

 

To configure the external interface (port2) – CLI

config system interface
    edit port2
        set ip 172.100.20.20 255.255.255.0
        set allowaccess https ping telnet
        set description "external network"
    next
end

 

Configure networking information

Networking information includes the gateway and DNS servers. Your FortiGate unit requires a connection to the Internet for antivirus and other periodic updates.

 

 

To configure networking information – web-based manager

1. Go to System > Network > DNS.

2. Enter the primary and secondary DNS addresses.

3. Select Apply.

 

 

To configure networking information – CLI

config system dns
    set primary 172.11.22.33
    set secondary 172.11.22.34
end

 

Configure basic security policies

For traffic to flow between the internal and external ports in both directions, two security policies are required as a minimum. More can be used to further limit or direct traffic as needed, but they will not be included here.

Before configuring the security policies, a firewall address group is configured for the PCs that are allowed Internet access. This prevents PCs without Internet privileges from accessing the Internet. The security policy assumptions are:

  • Only the basic networking services have been listed as allowed for added security. Others can easily be added as the users require them.
  • In this example to keep things simple, both incoming and outgoing security policies are the same. In a real network there are applications that are allowed out but not in, and vice versa.
  • Endpoint control has been enabled to ensure that all computers on the local network are running FortiClient and those installs are up to date. This feature ensures added security on your local network without the need for the network administrator to continually bother users to update their software. The FortiGate unit can store an up to date copy of the FortiClient software and offer a URL to it for users to install it if they need to.

 

To configure security policies – web-based manager

1. Go to Policy & Objects > Objects > Addresses.

2. Create a new Firewall Address entry for each of:

   PC Name      IP Address       Interface
   Admin        192.168.10.11    port1
   Dentist1     192.168.10.21    port1
   Dentist2     192.168.10.22    port1
   Dentist3     192.168.10.23    port1

3. Go to Policy & Objects > Objects > Addresses.

4. Select the dropdown arrow next to Create New and select Address Group.

5. Name the group Internet_PCs.

6. Add Admin, Dentist1, Dentist2, and Dentist3 as members of the group.

7. Select OK.

8. Go to Policy & Objects > Policy > IPv4.

9. Select Create New.

10. Enter the following for the port2 (external) -> port1 (internal) policy:

   Incoming Interface      port2
   Source Address          all
   Outgoing Interface      port1
   Destination Address     Internet_PCs
   Schedule                always
   Service                 Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.
   Action                  ACCEPT
   Log Allowed Traffic     Enabled

11. Select OK.

 
12. Select Create New.

13. Enter the following for the port1 (internal) -> port2 (external) policy:

   Incoming Interface      port1
   Source Address          Internet_PCs
   Outgoing Interface      port2
   Destination Address     all
   Schedule                always
   Service                 Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.
   Action                  ACCEPT
   Log Allowed Traffic     Enabled

14. Select OK.

 

To configure security policies – CLI

config firewall address
    edit "Admin"
        set associated-interface "port1"
        set subnet 192.168.10.11 255.255.255.255
    next
    edit "Dentist1"
        set associated-interface "port1"
        set subnet 192.168.10.21 255.255.255.255
    next
    edit "Dentist2"
        set associated-interface "port1"
        set subnet 192.168.10.22 255.255.255.255
    next
    edit "Dentist3"
        set associated-interface "port1"
        set subnet 192.168.10.23 255.255.255.255
    next
end

config firewall addrgrp
    edit Internet_PCs
        set member Admin Dentist1 Dentist2 Dentist3
    next
end

config firewall policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr Internet_PCs
        set dstaddr all
        set action accept
        set schedule always
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
    edit 2
        set srcintf port2
        set dstintf port1
        set srcaddr all
        set dstaddr Internet_PCs
        set action accept
        set schedule always
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
end
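To see what the two policies above actually permit, the following added example (not Fortinet code and not part of the original page) models them as a first-match policy list with an implicit deny at the end. It uses the page's address objects, group and service list; the Internet host 203.0.113.10 and the PC 192.168.10.30 in the sample flows are constructed values, and the unlisted service "RDP" is used only to show that services outside the list are dropped.

```python
import ipaddress

# Firewall address objects, group, and service list taken from this example's configuration.
ADDRESSES = {
    "Admin": "192.168.10.11/32",
    "Dentist1": "192.168.10.21/32",
    "Dentist2": "192.168.10.22/32",
    "Dentist3": "192.168.10.23/32",
}
GROUPS = {"Internet_PCs": ["Admin", "Dentist1", "Dentist2", "Dentist3"]}
SERVICES = {"DHCP", "DNS", "FTP", "HTTP", "HTTPS", "NTP", "POP3", "SMTP", "SSH"}

# Policies 1 and 2 as configured above; evaluated top-down, first match wins.
POLICIES = [
    {"id": 1, "srcintf": "port1", "dstintf": "port2",
     "srcaddr": "Internet_PCs", "dstaddr": "all", "service": SERVICES},
    {"id": 2, "srcintf": "port2", "dstintf": "port1",
     "srcaddr": "all", "dstaddr": "Internet_PCs", "service": SERVICES},
]


def address_matches(name, ip):
    """True if ip is covered by the named address object or address group."""
    if name == "all":
        return True
    members = GROUPS.get(name, [name])
    host = ipaddress.ip_address(ip)
    return any(host in ipaddress.ip_network(ADDRESSES[m]) for m in members)


def evaluate(srcintf, src_ip, dstintf, dst_ip, service):
    """Return (policy id, action); id 0 is the implicit deny at the end of the list."""
    for p in POLICIES:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and address_matches(p["srcaddr"], src_ip)
                and address_matches(p["dstaddr"], dst_ip)
                and service in p["service"]):
            return p["id"], "accept"
    return 0, "deny"


if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.10 stands in for an Internet host,
    # 192.168.10.30 for a local PC that is not a member of Internet_PCs.
    for flow in [("port1", "192.168.10.11", "port2", "203.0.113.10", "HTTPS"),
                 ("port1", "192.168.10.30", "port2", "203.0.113.10", "HTTPS"),
                 ("port1", "192.168.10.21", "port2", "203.0.113.10", "RDP"),
                 ("port2", "203.0.113.10", "port1", "192.168.10.21", "SSH")]:
        print(flow, "->", evaluate(*flow))
```

The last flow shows the simplification the page points out: because policy 2 mirrors policy 1, an Internet host can open SSH to a Dentist PC, which a real deployment would normally not allow inbound.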

 

Configure static routing

With the rest of the FortiGate unit configured, static routing is the last step before moving on to the rest of the local network. All traffic on the local network will be routed according to this static routing entry.

 

To configure FortiGate unit static routing – web-based manager

1. Go to Router > Static > Static Routes.

2. Select Edit for the top route on the page.

3. Enter the following:

   Destination IP/Mask     0.0.0.0/0.0.0.0
   Device                  port2
   Gateway                 172.100.20.5
   Distance                10

 

4. Select OK.

 

To configure FortiGate unit static routing – CLI

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.100.20.5
        set device port2
        set distance 10
    next
end
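Before testing the network itself, the addressing plan can be sanity-checked offline. The following added example (not Fortinet code and not part of the original page) verifies three things the static route depends on: each firewall address lies on the subnet of the interface it is bound to, the gateway is directly reachable on the route's device, and the route really is a default route. The page gives port1 as 172.100.1.1/24 in the web-based manager step and 192.168.10.1/24 in the CLI step, so both plans are checked; the check_plan function and its dictionaries are this example's own construction.

```python
import ipaddress

# PC name -> (address, interface), from the firewall address table on this page.
HOSTS = {
    "Admin": ("192.168.10.11", "port1"),
    "Dentist1": ("192.168.10.21", "port1"),
    "Dentist2": ("192.168.10.22", "port1"),
    "Dentist3": ("192.168.10.23", "port1"),
}
# The static route from the CLI step: default destination via the ISP gateway on port2.
ROUTE = {"dst": "0.0.0.0/0", "device": "port2", "gateway": "172.100.20.5"}


def check_plan(interfaces, hosts=HOSTS, route=ROUTE):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    # A PC off the subnet of its interface can never use the FortiGate as its gateway.
    for name, (ip, intf) in hosts.items():
        if ipaddress.ip_address(ip) not in nets[intf]:
            problems.append(f"{name} ({ip}) is outside {intf} subnet {nets[intf]}")
    # The next hop of a static route must be directly reachable on its device.
    gw = ipaddress.ip_address(route["gateway"])
    dev = route["device"]
    if gw not in nets[dev]:
        problems.append(f"gateway {gw} is not on {dev} subnet {nets[dev]}")
    # "All traffic" is only covered if the entry is a default route (0.0.0.0/0).
    if ipaddress.ip_network(route["dst"]).prefixlen != 0:
        problems.append(f"destination {route['dst']} is not a default route")
    return problems


if __name__ == "__main__":
    cli_plan = {"port1": "192.168.10.1/24", "port2": "172.100.20.20/24"}
    gui_plan = {"port1": "172.100.1.1/24", "port2": "172.100.20.20/24"}
    for label, plan in [("CLI", cli_plan), ("web manager", gui_plan)]:
        print(label, check_plan(plan) or "OK")
```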
