fortigate

Last updated: 2020-01-17

Introduction


NAT (Port forwarding)

Port forward 8443 -> 443: the Service field must be "HTTPS", i.e. you fill in the destination port!!

Steps

 Set Incoming Interface to your Internet-facing interface,

 Set Outgoing Interface to the interface connected to the server,

 Set Destination Address to the VIP group.

NAT

 Disabled for this policy so that the server sees the original source addresses of the packets it receives.
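The CLI equivalent of the GUI steps above, as an added example (not from the original notes). The external address 203.0.113.10, the internal server 192.168.1.50, the interface names wan1/lan and the object names are constructed values; replace them with your own.

```text
# Added example: VIP that maps external 203.0.113.10:8443 to the internal
# server 192.168.1.50:443 (all addresses and names are constructed)
config firewall vip
    edit "vip-web-8443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.50"
        set extport 8443
        set mappedport 443
    next
end

# Inbound policy: Service is HTTPS (the mapped/destination port 443, not 8443),
# NAT is disabled so the server logs the real client source addresses
config firewall policy
    edit 0
        set name "inbound-web-8443"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-web-8443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

`edit 0` lets FortiOS allocate the next free policy ID. With `set nat disable` the return traffic still flows through the FortiGate because the server's default route points back at it; if the server has another path to the Internet, source NAT has to stay enabled.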



COM port

# 60E

Bits per second  9600
Data bits        8
Stop bits        1
Parity           None
Flow control     None


Useful settings

# Setting the idle timeout for the GUI

config system global
    # from 1 to 480 min.
    set admintimeout 60
end

# "show" output without the --More-- paging prompt

config system console
    set output standard
end


reboot

execute reboot


reset

execute factoryreset


show command

# Get NIC IP

show system interface

...
    edit "lan"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric
        set type switch
        set role lan
        set snmp-index 8
    next
...

# allow remote management (e.g. ping https ssh http fgfm fabric)

config system interface
    edit <interface_name>
        set allowaccess <access_types>
    next
end

# print all the configurations

show full configuration


show

# Unlike get, show does not display settings that are assumed to remain in their default state.

show system interface

show system route

show system dns

show system global

# display the system administration settings that differ from the defaults

show system admin setting


HA cluster

 * Make sure that ALL FortiGates in the cluster have the same level of licensing

On the primary FortiGate

1) System > Settings >

Set "Host name" to identify this as the primary

2) System > HA >

a) Mode: Active-Passive

b) Set "Device priority" to a higher value than the default

c) Set Group name & Password

d) Heartbeat interfaces (port1, port2 ....)
     If there are multiple NICs, also set the "Heartbeat Interface Priority"

Setting

Heartbeat interfaces

A best practice is to use interfaces that don't process traffic, but this is not a requirement.

(the HA heartbeat interfaces must be on the same broadcast domain)

Session pickup

When session-pickup is enabled, the FGCP synchronizes the primary unit's TCP session table to all cluster units.

As soon as a new TCP session is added to the primary unit session table, that session is synchronized to all cluster units.

This synchronization happens as quickly as possible to keep the session tables synchronized.

If session pickup is enabled, you can use the following command to also enable UDP and ICMP session failover:

config system ha
    set session-pickup-connectionless enable
end
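The CLI counterpart of GUI steps 1) and 2) for the primary unit, with session pickup switched on, as an added example (not from the original notes). The group id, group name, heartbeat interfaces and priority are constructed values that the backup unit below must match; `<password>` is a placeholder.

```text
# Added example: primary unit of an A-P cluster (values are constructed)
config system global
    set hostname Primary
end

config system ha
    set mode a-p
    set group-id 100
    set group-name My-cluster
    set password <password>
    # higher than the default of 128, so this unit is preferred as primary
    set priority 200
    # override is left at its default (disabled): after a failover the backup
    # keeps the primary role when this unit rejoins the cluster
    set hbdev lan4 200 lan5 100
    # synchronize the TCP session table, plus UDP/ICMP sessions
    set session-pickup enable
    set session-pickup-connectionless enable
end
```

Leaving override disabled avoids a second traffic interruption when the original primary comes back, which is the behaviour the failover test below expects.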

Configuring the backup FortiGate

1) reset the new backup FortiGate to factory default settings

execute factoryreset

2) Duplicate the primary FortiGate HA settings, except set the Device Priority to a lower value (for example, 50) and do not enable override.

config system global
    set hostname Backup
end

config system ha
    set mode a-p
    set group-id 100
    set group-name My-cluster
    set password <password>
    set priority 50
    set hbdev lan4 200 lan5 100
end

Testing & checking failover cluster operation

CLI: diagnose sys ha checksum cluster

HA Status dashboard widget

System > HA

* When the primary FortiGate rejoins the cluster, the backup FortiGate should continue operating as the primary FortiGate.

Ways to trigger a failover for the test:

1) power off the primary FortiGate

2) unplug the primary FortiGate's Internet-facing interface

FortiGate Clustering Protocol (FGCP)

 * The FGCP does not support using a switch interface for the HA heartbeat.
 => you can use the wan1 and wan2 interfaces for the HA heartbeat instead.

Override

If you keep override enabled, the same FortiGate always becomes the primary FortiGate.

 * Enabling override and increasing the device priority means this FortiGate always becomes the primary unit.

HA Reserved Management Interface

You can provide direct management access to all cluster units by reserving a management interface as part of the HA configuration.

Configuration changes to the reserved management interface are not synchronized to other cluster units.

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "dmz"
            set dst 0.0.0.0 0.0.0.0
            set gateway 10.223.0.100
        next
    end
end

show system interface dmz

Upgrading the firmware

Upgrading on the primary FortiGate automatically upgrades the firmware on the backup FortiGate.

Both FortiGates are updated with minimal traffic disruption.

GUI: System Information widget


FortiLink interface

FortiGate units can be used to remotely manage FortiSwitch units,

which is also known as using a FortiSwitch in FortiLink mode.

FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.

Auto-discovery of the FortiSwitch ports

config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end

 * default: enabled


Split Internal Ports

software switch

A software switch is a virtual switch that is implemented in software instead of hardware.

Software Switch is used to form a simple bridge between two or more physical or wireless FortiGate interfaces.

They are made up of "member" interfaces.

 - traffic is processed by CPU

CLI: config system switch-interface

virtual switch interfaces

The virtual switch feature enables you to create virtual switches on top of the physical switch(es) with designated interfaces/ports.

When traffic is forwarded among interfaces belonging to the same virtual switch,

the traffic doesn't need to go up to the software stack, but forwarded directly by the switch.

CLI: config system virtual-switch

Hardware Switch mode

 - A hardware switch is a virtual interface that groups different interfaces together,
    allowing a FortiGate to treat the group as a single interface.

 - traffic is processed by the ASIC

VLAN Switch Mode

 - it's the same as a hardware switch

 - define a trunk port

Which mode is your FortiGate in by default?

System > Network > Interfaces

Locate the "lan" or "internal" interface and check the Type column

Step

[1]

FW-A # config firewall policy

FW-A (policy) # show

config firewall policy
    edit 1
        set uuid ?-?-?-?-?
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

FW-A (policy) # purge

[2]

config system switch-interface

show

config system switch-interface
    edit "lan"
        set vdom "root"
        set member "internal" "wifi"
    next
    edit "wqt.root"
        set vdom "root"
        set member "wqtn.7.wifi"
    next
end

# keep only "wifi" as a member, so "internal" is removed from the software switch
edit "lan"
    set member wifi
next
end

[3]

config system virtual-switch

show

config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            ...

FW-A (virtual-switch) # purge

Remark: remove an individual port

config system virtual-switch
    edit "internal"
        config port
            delete internal1
        end
    next
end


Admin ACL

Trusted hosts are configured when adding a new administrator by going to System > Administrators in the web-based manager and selecting "Restrict login to trusted hosts".

FortiManager Access (FMG-Access)

FMG-Access on the WAN interface is used for services such as FortiCloud or FortiManager.
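Restricting management access in the CLI, combining the per-interface `allowaccess` setting from the "show command" section with per-administrator trusted hosts, as an added example (not from the original notes). The interface names, networks and the administrator name are constructed; the cleartext `http` access seen in the "lan" interface output earlier is deliberately left out.

```text
# Added example: management access only from the inside (names and networks are constructed)

# 1) allowaccess per interface: nothing but ping on the Internet-facing interface
#    (add fgfm only if FortiManager/FortiCloud must reach the unit from the WAN side)
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "lan"
        set allowaccess ping https ssh
    next
end

# 2) trusted hosts per administrator (GUI: "Restrict login to trusted hosts"):
#    logins from any other source address are rejected on every interface
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 10.10.0.5 255.255.255.255
    next
end

# verify
show system interface wan1
show system admin admin
```

The two controls complement each other: `allowaccess` decides on which interfaces a management service listens at all, while trusted hosts decide which source addresses may log in to a given account.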



Configure DHCP on the FortiGate

Network > Interfaces > Edit


DNS

# To enable DNS server options in the GUI:

Go to System > Feature Visibility

Enable "DNS Database" in the Additional Features section.

# To configure DNS server

Network > DNS Servers

DNS Service on Interface -> Create New

Mode: Recursive / Non-Recursive / Forward to System DNS

DNS Filter:

 * filters DNS requests based on the FortiGuard domain rating
 * blocks DNS requests for known botnet C&C domains
 * External IP block list: lets you define an IP block list to block resolved IPs that match the list
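The CLI equivalent of the DNS server and DNS filter steps above, as an added example (not from the original notes). The interface name "lan" and the profile name are constructed.

```text
# Added example: recursive DNS service on the "lan" interface (name is constructed)
config system dns-server
    edit "lan"
        set mode recursive
    next
end

# DNS filter profile that blocks known botnet C&C domains; apply it to a firewall
# policy with "set utm-status enable" and "set dnsfilter-profile dns-block-botnet"
config dnsfilter profile
    edit "dns-block-botnet"
        set block-botnet enable
    next
end
```

The mode values match the GUI choices listed above: `recursive`, `non-recursive`, or `forward-only` for "Forward to System DNS".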