Fortinet Firewall

The document provides detailed instructions on configuring various interface types and settings for FortiNet Firewalls, including physical, VLAN, and redundant interfaces. It outlines steps for setting up maximum transmission unit (MTU), maximum segment size (MSS), default gateway, DNS server, and firewall address objects. Additionally, it includes examples of firewall policies for managing traffic between different VLANs.

Uploaded by mpplat

FortiNet Firewall
=================

Interface
=========

Interface Types
===============
- Physical - Physical interface on the firewall (Ethernet or fibre optic connection)
- VLAN - Subinterface of a physical interface, called a VLAN interface (IEEE 802.1Q VLAN)
- Aggregate - Combines multiple interfaces to increase throughput and to provide redundancy (all ports are active)
- Redundant - Combines multiple interfaces; only one of the interfaces is active and used for data transmission, the other ports are in standby mode
- Zone - A group of one or more physical or virtual interfaces, used to simplify firewall policy configuration
- Virtual Wire Pair - Consists of two interfaces, one at each end of the wire. No IP addressing is configured on a VWP, and communication between the two interfaces is restricted using firewall policies
- Software Switch
- Hardware Switch
- FortiNet WLAN Extension
- FortiNet LAN Extension
- VXLAN
- Tunnel

How to configure interface
==========================

config system interface
    edit <name>
        set vdom <VDOM_name>
        set mode {static | dhcp | pppoe}
        set ip <IP_address/netmask>
        set security-mode {none | captive-portal | 802.1X}
        set egress-shaping-profile <profile>
        set device-identification {enable | disable}
        set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm}
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip [Link] [Link]
                set allowaccess ping https ssh snmp http
            next
        end
    next
end

How to configure Maximum Transmission Unit - MTU
=================================================

config system interface
    edit <interface>
        set mtu-override enable
        set mtu <integer>
    next
end

To find the largest MTU a path supports, send pings with the don't-fragment flag (-f) and raise the payload size (-l) until replies stop: a 1472-byte ICMP payload plus the 20-byte IP header and 8-byte ICMP header fills a 1500-byte MTU exactly, so 1473 bytes no longer fits.

>ping [Link] -l 1472 -f

Pinging [Link] with 1472 bytes of data:
Reply from [Link]: bytes=1472 time=41ms TTL=52
Reply from [Link]: bytes=1472 time=42ms TTL=52
Reply from [Link]: bytes=1472 time=103ms TTL=52
Reply from [Link]: bytes=1472 time=38ms TTL=52

Ping statistics for [Link]:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 103ms, Average = 56ms

>ping [Link] -l 1473 -f

Pinging [Link] with 1473 bytes of data:
Request timed out.

Ping statistics for [Link]:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
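
The manual 1472/1473 probes above can be generalised into a binary search over the payload size. The script below is an added example, not part of the original document: it runs the search against a constructed probe that simulates a 1500-byte link (a real deployment would wrap `ping -f -l <size>` instead) and derives the TCP MSS that fits the discovered MTU, which is the value you would give to `set tcp-mss` in the next section.

```python
# Added example (not from the document): path MTU discovery by binary search
# over DF-marked ICMP payloads, plus the matching TCP MSS. The probe is
# simulated so the script runs offline; the link MTU of 1500 is constructed.
IP_ICMP_OVERHEAD = 20 + 8   # IPv4 header + ICMP echo header
TCP_IP_OVERHEAD = 20 + 20   # IPv4 header + TCP header without options


def make_simulated_probe(link_mtu):
    """Return probe(payload) -> bool that mimics 'ping -f -l <payload>':
    a don't-fragment echo is dropped once payload + 28 exceeds the link MTU."""
    def probe(payload):
        return payload + IP_ICMP_OVERHEAD <= link_mtu
    return probe


def find_path_mtu(probe, lo=0, hi=9000):
    """Binary-search the largest payload probe() accepts and convert it to an
    MTU. Assumes lo passes and hi fails; each step halves the interval, so a
    1500-byte path is found in about 13 probes instead of trying sizes by hand."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + IP_ICMP_OVERHEAD


def mss_for_mtu(mtu):
    """TCP MSS that fits the MTU with plain IPv4/TCP headers (use for tcp-mss)."""
    return mtu - TCP_IP_OVERHEAD


if __name__ == "__main__":
    for link_mtu in (1500, 1492):           # Ethernet, then PPPoE-sized link
        mtu = find_path_mtu(make_simulated_probe(link_mtu))
        print(f"path MTU {mtu}: largest DF payload {mtu - IP_ICMP_OVERHEAD}, "
              f"clamp tcp-mss to {mss_for_mtu(mtu)}")
```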

How to configure Maximum Segment Size
=====================================

config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set tcp-mss 1448
        set role wan
    next
end

How to configure default gateway
================================

config router static
    edit 1
        set device port2
        set gateway [Link]
    next
end

How to configure DNS server
===========================

config system dns
    set primary [Link]
    set secondary [Link]
end

How to configure VLAN Interface
===============================

config system interface                 - Go to interface configuration mode
    edit VLAN_100                       - Edit the name of the VLAN interface
        set vdom root                   - Set VDOM name
        set interface internal          - Set parent physical interface (here the physical interface is named internal)
        set type vlan                   - Set interface type (vlan)
        set vlanid 100                  - Set VLAN ID
        set mode static                 - Set IP address mode for this VLAN interface
        set ip [Link] [Link]            - Assign IP address to this VLAN interface
        set allowaccess https ping      - Administrative access allowed on this VLAN interface
    next                                - Exit edit mode
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip [Link] [Link]
        set allowaccess https ping
    next
end

How to create Firewall address (Subnet Object)
==============================================

config firewall address                 - Firewall address configuration
    edit VLAN_100_Net                   - Edit the address object
        set type ipmask                 - Set object type (ipmask)
        set subnet [Link] [Link]        - Set subnet
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet [Link] [Link]
    next
end

How to configure Firewall Policy
================================

config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf VLAN_100
        set dstaddr VLAN_100_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
end
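
The policies above open every service between the two VLANs and from each VLAN to the outside. The script below is an added example, not part of the original document: it parses the FortiOS config/edit/set/next/end syntax into a dictionary and flags enabled accept policies with `service ALL` or `dstaddr all`, so a reviewer can list the rules that deserve tightening. The sample text is the document's own policies 1 and 3, embedded as a constant so the script runs offline.

```python
# Added example (not from the document): parse and audit FortiOS policies.
SAMPLE_POLICY = """\
config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set service ALL
        set action accept
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set service ALL
        set action accept
        set status enable
    next
end
"""


def parse_policies(text):
    """Return {policy_id: {key: value}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip().strip('"')
        elif line in ("next", "end"):
            current = None
    return policies


def audit(policies):
    """Flag enabled accept policies that allow every service (service ALL)
    or every destination (dstaddr all); both warrant review on a real firewall."""
    flags = []
    for pid, p in sorted(policies.items()):
        if p.get("action") == "accept" and p.get("status") == "enable":
            if p.get("service") == "ALL":
                flags.append((pid, "service ALL"))
            if p.get("dstaddr") == "all":
                flags.append((pid, "dstaddr all"))
    return flags
```

Running `audit(parse_policies(SAMPLE_POLICY))` reports policy 1 for `service ALL` and policy 3 for both `service ALL` and `dstaddr all`; the same functions accept a full `show firewall policy` dump pasted in place of the sample.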
