Thursday, March 26, 2020

Firewall ABC’s – Fortinet Setup, Configure, Logging, VPN Vol 9 rel 6


Often we receive emails requesting featured articles.  Well, one that seems to be recurring is that of firewall configuration, not advanced items like Intrusion Detection Sensors or SD-WAN.  No, not even close.  Just good old setup, config, logging, and VPN.  So, in the fine tradition of giving what the public wants, we decided to choose one manufacturer's offering to avoid going down the combinatoric array of offerings out there. So we chose one of the more popular ones, and this time it's not Cisco.  We thought yet another Cisco article would be biased.  Submitted for your approval, we give you Firewall Configurations for the everyday person, featuring the firewall offerings of the Fortinet family. Share and Enjoy

FortiGate and NAT Networking

In this step-by-step guide, you will learn how to connect and configure a new FortiGate unit in NAT/route mode to securely connect a private network to the Internet.
In NAT/route mode, the FortiGate unit is installed as a gateway or router between two networks.
In most cases, it is used between a private network and the Internet.
This allows the FortiGate to hide the IP addresses of the private network using network address translation, or NAT.

BASIC FORTIGATE SETUP

First, you'll need to connect your FortiGate into your network.

Connect the FortiGate's Internet-facing interface, usually WAN1, to your ISP-supplied equipment, and connect a PC to the FortiGate using an internal port, usually port1.
Power on all the ISP equipment, the FortiGate, and the PC that is now on the internal network.
On the PC, connect to the FortiGate's web-based interface using FortiExplorer or an Internet browser.
Log in using the default admin account with username admin and no password.  You may need to set a new administrator password for the FortiGate if this is the first time it has been connected or the device has just been factory reset.




CONFIGURE NETWORK INTERFACES

Next, you'll need to configure the FortiGate's network interfaces.
Go to Network >> Interfaces and edit the Internet-facing interface.


Set the addressing mode to Manual, and the IP/Netmask to the public IP address provided by your ISP.



Save the configuration, and then edit the LAN interface, which may be called “internal” on some devices.


Set the interface's Role to LAN, set the addressing mode to Manual, and set the IP/Netmask to the private IP address you want to assign to the FortiGate.


If you need your FortiGate to provide IP addresses to devices connected to the internal network, enable the DHCP server.

Save your changes.

Changing the default IP of your interfaces is recommended as a security measure, but if you're connected to the FortiGate through that interface, the FortiGate will log you out, and you'll have to browse to the new interface IP that you set and log in again.







ADD A DEFAULT ROUTE
Now go to Network >> Static Routes
and, on the first tab, press “Create New” to add a route that allows your FortiGate to reach the Internet.





Fill in the fields of the New Static Route template:
·         Set Destination to Subnet, and
·         enter an IP/Netmask of all zeros (0.0.0.0/0.0.0.0)
·         Set the Gateway to the gateway IP provided by your ISP
·         Set the Interface to the Internet-facing interface
·         Save the route.


CREATE AN IPV4 FIREWALL POLICY
Go to Policy & Objects >> IPv4 Policy, and create a new policy that will allow Internet traffic through the FortiGate.




Set the Incoming Interface to the internal interface
and the Outgoing Interface to the Internet-facing interface.


Set the Source to all, which allows traffic from every internal address.



Set the Destination to all, which allows traffic to every destination.





Set Service to ALL and the Action to ACCEPT, enable NAT, and make sure Use Outgoing Interface Address is enabled.




Scroll down to the Logging Options. To log and track Internet traffic, enable Log Allowed Traffic and select All Sessions.




You can now browse the Internet using any computer that is connected to the FortiGate’s internal interface. 
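As an added example (not from the article or from Fortinet), the following Python sanity-checks the addressing entered in the setup steps above before you commit it: the ISP gateway must sit on the WAN subnet for the default route to work, the LAN and WAN subnets must not overlap, and an internal DHCP range must fit inside the LAN subnet without covering the FortiGate's own address. The function name and its arguments are my own.

```python
import ipaddress


def check_nat_setup(wan_ip, wan_mask, isp_gateway, lan_ip, lan_mask, dhcp_range=None):
    """Sanity-check NAT/route-mode addressing before applying it on the FortiGate.

    Returns a list of problems; an empty list means the addressing is consistent.
    dhcp_range is an optional (first, last) tuple for the internal DHCP server.
    """
    problems = []
    wan = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}")
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    gateway = ipaddress.ip_address(isp_gateway)

    # The 0.0.0.0/0.0.0.0 default route only works if the ISP gateway is
    # directly reachable on the WAN interface's own subnet.
    if gateway not in wan.network:
        problems.append(f"gateway {gateway} is not inside WAN subnet {wan.network}")
    elif gateway == wan.ip:
        problems.append("gateway must not be the WAN interface's own address")

    # NAT between two networks needs them to be distinct; overlap breaks routing.
    if wan.network.overlaps(lan.network):
        problems.append(f"LAN subnet {lan.network} overlaps WAN subnet {wan.network}")

    # Hiding a private LAN is the point of NAT mode; a public range behind
    # the LAN port is almost always a typo.
    if not lan.network.is_private:
        problems.append(f"LAN subnet {lan.network} is not a private range")

    if dhcp_range:
        first, last = (ipaddress.ip_address(a) for a in dhcp_range)
        if first > last:
            problems.append("DHCP range start is after its end")
        elif first not in lan.network or last not in lan.network:
            problems.append(f"DHCP range {first}-{last} is not inside LAN subnet {lan.network}")
        elif first <= lan.ip <= last:
            problems.append("DHCP range includes the FortiGate's own LAN address")
    return problems


if __name__ == "__main__":
    # Constructed sample values: documentation ranges, not a real deployment.
    for p in check_nat_setup("203.0.113.2", "255.255.255.0", "203.0.113.1",
                             "192.168.1.99", "255.255.255.0",
                             ("192.168.1.100", "192.168.1.200")) or ["addressing OK"]:
        print(p)
```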

Logging and FortiView

In this section, you will learn how to configure logging to record information about traffic sessions processed by your FortiGate. You will then use FortiView to look at the traffic logs and see how your network is being used.
FortiView is a logging tool that contains dashboards showing real-time and historical logs. You can filter the dashboards to show specific results and drill down for more information about certain sessions.



Some FortiView dashboards, such as Applications or Websites, require you to enable specific security profiles before you can view the results.


CONFIGURE LOG SETTINGS


First, to configure the log settings, go to Log & Report >> Log Settings.



Select where you want to record the log messages. This example uses Local Log, which is only available on FortiGate models with a hard drive.



Enable Disk, Local Reports, and Historical FortiView. You can also configure Remote Logging and Archiving to send logs to either FortiAnalyzer/FortiManager, FortiCloud, or a syslog server.



Under Log Settings, set both Event Logging and Local Traffic Log to All.

Enable Logging in a Firewall Policy

Now that you have configured the log settings, note that no logging will happen until you enable logging on a firewall policy. Go to Policy & Objects >> IPv4 Policy and edit your Internet access policy. Under Logging Options:



Since logging all sessions uses more system resources, it is typically recommended to log only security events; however, for the purpose of this example, all sessions will be logged to ensure that logging has been configured correctly. Save the policy.

View Collected Logs

Now browse the Internet on a device behind the FortiGate to generate traffic and logs in the FortiGate interface.

You can view traffic that has been processed and logged by your FortiGate by opening the web-based interface and going to FortiView >> All Sessions.



You can right-click a session in the list to take further actions, such as ending the session, banning the source IP, or filtering logs to just that session.

If your unit has a hard drive, you can switch to the 24-hour view to see a historical view of your traffic.



You can double-click any log to see more information. To see a list of the source addresses and devices that are creating traffic, go to FortiView >> Sources.  Right-click on any source and select Drill Down to Details.



You can view a variety of information about the source address, including traffic destinations, policies used, and whether any threats originate from this address.
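The per-source roll-up that FortiView >> Sources shows can be reproduced offline from the traffic logs the FortiGate writes locally or forwards to a syslog server, which is useful when you want to keep the summary after the unit's log disk rolls over. The following Python, added here and not part of the original article, parses the FortiGate key=value log format and aggregates sessions per source address; the log lines are constructed samples, and the field names follow the FortiGate traffic-log format as I know it.

```python
import re

# Constructed sample lines in FortiGate key=value log format (device name,
# addresses, ports and byte counts are made up for this example).
SAMPLE_LOGS = """\
date=2020-03-26 time=10:15:01 devname="FGT-LAB" type="traffic" subtype="forward" srcip=192.168.1.10 srcport=51514 srcintf="internal" dstip=93.184.216.34 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=1 service="HTTPS" sentbyte=2200 rcvdbyte=48000
date=2020-03-26 time=10:15:03 devname="FGT-LAB" type="traffic" subtype="forward" srcip=192.168.1.10 srcport=51520 srcintf="internal" dstip=198.51.100.7 dstport=80 dstintf="wan1" proto=6 action="accept" policyid=1 service="HTTP" sentbyte=800 rcvdbyte=12000
date=2020-03-26 time=10:15:09 devname="FGT-LAB" type="traffic" subtype="forward" srcip=192.168.1.25 srcport=40000 srcintf="internal" dstip=203.0.113.50 dstport=445 dstintf="wan1" proto=6 action="deny" policyid=0 service="SMB" sentbyte=0 rcvdbyte=0
date=2020-03-26 time=10:15:10 devname="FGT-LAB" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=192.168.1.10 action="login" status="success"
"""

# One key=value pair; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiGate log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def summarize_sources(lines):
    """Roll traffic logs up per source address, as FortiView >> Sources does:
    session count, bytes each way, destinations, policy IDs hit and denials."""
    summary = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic":  # skip event/UTM logs and blank lines
            continue
        src = summary.setdefault(rec["srcip"], {
            "sessions": 0, "sentbyte": 0, "rcvdbyte": 0,
            "destinations": set(), "policies": set(), "denied": 0})
        src["sessions"] += 1
        src["sentbyte"] += int(rec.get("sentbyte", 0))
        src["rcvdbyte"] += int(rec.get("rcvdbyte", 0))
        src["destinations"].add(f'{rec["dstip"]}:{rec["dstport"]}')
        src["policies"].add(int(rec.get("policyid", 0)))  # policyid=0 is the implicit deny
        if rec.get("action") == "deny":
            src["denied"] += 1
    return summary


def denied_sources(summary):
    """Sources with at least one denied session: the ones worth drilling into first."""
    return sorted(ip for ip, s in summary.items() if s["denied"])


if __name__ == "__main__":
    for ip, s in summarize_sources(SAMPLE_LOGS.splitlines()).items():
        print(ip, s["sessions"], "sessions,", s["rcvdbyte"], "bytes in, denied:", s["denied"])
```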




Setting Up VPN for a Remote User
In this section, you will learn how to create an IPsec tunnel that remote users connect to using FortiClient. This will allow remote users to access the corporate network over an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android.  Traffic to the Internet will also flow through the FortiGate to apply security scanning.


Create a User and User Group


First, go to User & Device >> User Definition and create a local user account for the IPsec VPN.




Enter a username, password, and email address, and enable the user account.
Then go to User & Device >> User Groups and create an IPsec VPN user group.



Add the user to the user group.
Next, go to VPN >> IPsec Wizard and create a new tunnel using a pre-existing template:



Name the VPN connection; remember that the name can't contain any spaces and should not exceed 13 characters in length. Set Template to Remote Access and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.



Set the Incoming Interface to the Internet-facing interface



and Authentication Method to Pre-shared Key. Enter a pre-shared key, select the IPsec users' group, and then click Next.



Set Local Interface to an internal interface and Local Address to the local LAN address,

  
and create an address for the local network.






Name the address object, set Type to IP/Netmask, set Subnet/IP Range to the local subnet, and set Interface to an internal port on the local area network, then click OK.




Next, enter the client address range for VPN users.





Your FortiGate then automatically creates an address object using this range; it is named after the VPN name followed by _range.





Enter the subnet mask.  Make sure that IPv4 Split Tunnel is not enabled; this means that all Internet traffic will go through the FortiGate and be subject to security profiles. Click Next.




Select your preferred client options. Auto Connect initiates the phase 2 SA (Security Association) negotiation automatically, repeating every 5 seconds until the SA is established; it is useful when one of the VPN peers is a dial-up peer, since it allows users at the other peer to initiate traffic as well. Keep Alive ensures that an SA is negotiated even if there is no traffic, so that your VPN tunnel stays up.



After you create the tunnel, a summary page lists the objects that have been created by the VPN wizard. The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network; however, since split tunneling is disabled, you need to create another policy to allow users to access the Internet through the FortiGate.
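To catch wizard mistakes before the first client connects, the following Python, added here and not part of the original article, checks the values from the wizard steps above: the 13-character, no-spaces name rule, a client address range that does not collide with the local LAN or the WAN subnet (return traffic misroutes if it does), and split tunneling left off so Internet traffic really does pass through the FortiGate. The minimum pre-shared-key length is my own assumption, not something the article states.

```python
import ipaddress


def check_vpn_wizard(name, psk, client_range, local_subnets, wan_subnet,
                     split_tunnel=False, min_psk_len=16):
    """Check remote-access IPsec wizard inputs; returns a list of problems.

    client_range is the dotted "first-last" string typed into the wizard,
    local_subnets the LAN address objects behind the tunnel, wan_subnet the
    Internet-facing interface's network.
    """
    problems = []
    # Wizard limit from the article: no spaces and at most 13 characters.
    if not name or " " in name or len(name) > 13:
        problems.append("tunnel name must be 1-13 characters with no spaces")
    # Assumed policy (not from the article): the PSK is shared with every
    # client, so require a long random secret rather than a word.
    if len(psk) < min_psk_len:
        problems.append(f"pre-shared key shorter than {min_psk_len} characters")
    first, last = (ipaddress.ip_address(a.strip()) for a in client_range.split("-"))
    if first > last:
        problems.append("client address range starts after it ends")
        pool = []
    else:
        pool = list(ipaddress.summarize_address_range(first, last))
    # Addresses handed to VPN clients must not collide with the LAN they are
    # reaching or with the WAN subnet, otherwise replies go the wrong way.
    others = [("local subnet", s) for s in local_subnets] + [("WAN subnet", wan_subnet)]
    for label, subnet in others:
        net = ipaddress.ip_network(subnet)
        if any(p.overlaps(net) for p in pool):
            problems.append(f"client range {client_range} overlaps {label} {net}")
    # The design in this article scans all Internet traffic on the FortiGate,
    # which only holds while split tunneling stays off.
    if split_tunnel:
        problems.append("split tunnel enabled: Internet traffic would bypass the FortiGate")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    for p in check_vpn_wizard("Remote Access VPN", "secret", "192.168.1.50-192.168.1.60",
                              ["192.168.1.0/24"], "203.0.113.0/24", split_tunnel=True):
        print(p)
```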




Creating an Internet Access Policy
Go to Policy & Objects >> IPv4 Policy and create a new Internet access policy.
 
  
Name the policy; set Incoming Interface to the tunnel interface, Outgoing Interface to wan1, Source to all, Destination Address to all, and Service to ALL; and enable NAT. Don't forget to configure the security profile options according to your preferences.


 
Configuring the FortiClient

From a computer outside of the internal network, open FortiClient (if you haven't downloaded FortiClient yet, go to the link below). Go to Remote Access and add a new connection.


Set the Type to IPsec and the Remote Gateway to the FortiGate IP address. Set Authentication Method to Pre-shared Key and enter the key. Click Add.

  
In FortiClient, select the VPN, enter the username and password, and select Connect.












Once the connection is established, the FortiGate assigns the user an IP address, and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.
  

  
Open a browser and generate some web traffic to test that your Internet access is working.
Also open your CLI console and ping the IP address of a computer that's behind the corporate FortiGate.

On the FortiGate unit, go to Monitor >> IPsec Monitor and verify that the tunnel status is Up; you can also see the remote gateway assigned to the FortiClient user.
Then go to FortiView >> Policies and select the Now view. You can see that the pings are reaching the internal network and that web traffic is flowing through the IPsec VPN and Internet policies. Right-click on the policy




and select Drill Down to Details; more information about the traffic is available there.


Also, you can return to FortiView >> VPN to see the user's assigned IP address.
___________________________________________
We would like to thank our sponsors, for without them - our fine content wouldn't be deliverable!



So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 23 years' experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at rwricker@gmail.com


Thanks for your input, your ideas, critiques, suggestions are always welcome...

- Wasabi Roll Staff