1.

Diagram

2. Install Fortigate Firewall

- Execute factoryreset
User: admin, password:
1. Config system interface
2. Edit port...
3. Set IP 192.168.30.1 255.255.255.0
4. Set allow access ssh ping http https
5. End
6. Config system global
7. Set hostname Fwg1
- # config system interface
edit port2
set ip 192.168.30.1 255.255.255.0
set allow access ssh ping http https
end
- Connect form PC via web browser
o Open web browser
o 192.168.30.1
o User: admin
 o Password:
o Login
o Begin
o Hostname: fwg
o OK
o Network Tab
 Interface
 For set IP and configure interface
 Port 1 set as DHCP
 Port 2 already set IP on step above
 Static Routes
 Destination: Subnet
o 0.0.0.0/0.0.0.0
 Gateway Address: Specify: Gateway from ISP
 Interface: port1
 OK

3. Configure DHCP server and NAT in Fortigate Client Access

Internet
- Login Fortigate
- Network -> Interfaces
o Double click “port2”
 Enable DHCP Server
 OK
- Policy & Object -> Firewall Policy (Create NAT)
o Create New
 Name: Allow-Internet-Lan
 Incoming Interface: port2
 Outgoing Interface: port1
 Source: all
 Destination: all
 Schedule: always
 Service: all
 OK
4. Separate Network Server and Client in Fortigate Firewall

-
- Open web browser
- 192.168.30.1
- User: admin
- Password: admin
- Login
- Network -> Interfaces
o Set IP to Port3: 192.168.90.1/255.255.255.0. Allow access Ping, HTTPS, SSH, FMG-Access
and Enable DHCP Server
- Policy & Object -> Firewall Policy (Allow from client to server)
o Create New
 Name: Allow-client-to-server
 Incoming Interface: port2
 Outgoing Interface: port3
 Source: all
 Destination: all
 Service: all
 Action: Accept
 OK
- Policy & Object -> Firewall Policy (Allow from server to client)
o Create New
 Name: Allow-server-to-client
 Incoming Interface: port3
 Outgoing Interface: port2
 Source: all
 Destination: all
 Service: all
 Action: Accept
 OK

5. Block website with web filter and application control in Fortigate

- Open web browser
- 192.168.30.1
- User: admin
- Password: admin
- Login
- Security Profiles
o Web Filter
 Double click “default”
 Enable “FortiGuard category-based filter”
o Select “Potentially Liable” -> Click “Block”
o Ex: Hacking -> Block
 Enable “URL Filter”
o Create New
o URL: web.facebook.com
o Type: Simple
o Action: Block
o Status: Enable
o OK
o Application Control
 Double click “default”
 Categories
o For block by categories
 Application and Filter overriders
o Create New
o Type: Application
o Action: Block
o Search for facebook
o Select “Facebook”
o Add Selected
o Select other that need for block -> Add Selected
- Use filter that we just created
 o Policy & Objects -> Firewall Policy
 Double click on Allow-Internet-Lan (port2 -> port1)
 Enable “Web Filter”: Default
 Enable “Application Filter”: Default
 OK

6. Fortigate Firewall Internet Balancing by WAN load balancing

(SD-WAN)
-

- Login Fortigate

o Set Port 1 for ISP 1 and Port 2 for ISP 2

 Network -> Interfaces
 Double click “port1”
 Name: port1
 Alias: ISP1
 Role: WAN
 Addressing mode: Manual
 IP/Metmask: 10.10.10.2/24
 OK
 Double click “port2”
 Name: port2
 Alias: ISP2
 Role: WAN
 Addressing mode: DHCP
 OK

o Add port1 and port2 to SD-WAN

 Network -> SD-WAN
 Double click “virtual-wan-link”
 Interface members: +
 Create
o Interface: ISP1 (Port1)
o SD-WAN Zone: virtual-wan-link
o Gateway: 10.10.10.1
o Cost: 0
o OK
  Create
o Interface: ISP2 (Port2)
o SD-WAN Zone: virtual-wan-link
o Gateway: auto
o Cost: 0
o OK
 Interface members: Add
 ISP1 (Port1)
 ISP2 (Port2)
 OK

o Add Static Routes

 Network -> Static Routes
 Create New
 Destination: Subnet
o 0.0.0.0/0.0.0.0
o Interface: + -> Double click “virtual-wan-link”
o Status: Enabled
o OK

o NAT
 Policy & Objects -> Firewall Policy
 Create New
 Name: SD-WAN
 Incoming Interface: port3
 Outgoing Interface: virtual-wan-link
 Source: all
 Destination: all
 Schedule: always
 Service: all
 Action: Accept
 Inspection Mode: Flow-based
 NAT: enable
 OK

o Set SD-WAN Rules

 Network -> SD-WAN -> SD-WAN Rules
 Double click “sd-wan”
 Load Balancing Algorithm
o Source IP: បែងចែកតាម Range source IP

o Session: បែងចែកជា session ដោយកំនត់ Weight តាម ទំហំ

speed ISP
 o Spillover: ពេល ISP 1 ពេញ ដើរបន្តរទៅ ISP 2

o Source-Destination IP: ចេញតាមណា ចូលតាមនិង

o Volume: កំនត់ Weight តាម ទំហំ speed ISP

 Choose volume 1 1 -> OK

o Set Performance SLAs (Packet Loss, Latency, Jitter)

 Latency -> Create New
 Name: Check-Up-link
 Probe mode: Active
 Protocol: Ping
 Server: 1.1.1.1/8.8.8.8
 Participant: All SD-WAN Members
 SLA Target: Enable
o Latency threshold: Enable 5 ms
o Jitter threshold: Enable 5 ms
o Packet Loss threshold Enable 10 %
 Link Status
o Check interval: 1000 ms
o Failures before inactive: 5
o Restore link after: 5 checks(s)
 Action when Inactive
o Update static route: Enable
 OK

o Set Vlan go out via ISP2

 Policy & Objects -> Addresses
 Create New -> Address Group
 Group name: To-ISP2
 Color: Yellow
 Type: Group
 Members: +
o Guest address (192.168.20.0/24)
 OK
 Network -> SD-WAN -> SD-WAN Rules
 Create New
 Name: To-ISP2
 Source
o Source address: To-ISP2
 Destination
o Address: all
o Protocol number: Any
 Outgoing Interfaces
 o Manual
o Interface preference: ISP2 (port2)

o Set PC go out via ISP2 by MAC

 Policy & Objects -> Addresses
 Create New -> Address
 Name: Server1
 Color: Choose color you want
 Type: Device (MAC Address)
 MAC Address: Input Server1 MAC (28:39:26:A9:60:2F)
 Interface: any
 OK
 Double click “To-ISP2”
 Member: +
o Server1
 OK

o Block Server1 from access game in working time

 Policy & Objects -> Addresses
 Create New -> Address
 Name: Server1
 Color: Choose color you want
 Type: Device (MAC Address)
 MAC Address: Input Server1 MAC (28:39:26:A9:60:2F)
 Interface: any
 OK
 Policy & Objects -> Firewall Policy
 Create New
 Name: For-Special-Device
 Incoming interface: vlan-staff
 Outgoing Interface: virtual-wan-link
 Source: + -> Server1
 Destination: all
 Schedule: always
 Service: all
 Action: Accept
 Web Filter: For-staff
 Application Control: For-staff
 OK
7. Fortinet Firewall High Availability | Active | Passive | Concept
- Architecture of a Typical Campus Network

- Why we need Firewall?

o A firewall is a network security device that monitors incoming and outgoing network
traffic and permits, or blocks data packets based on a set of security rules. Its purpose is
to establish a barrier between your internal network and incoming traffic from external
sources (such as the internet) in order to block malicious traffic like viruses and hackers.,
that enforces an access control policy between networks.
- What is HA?
o High availability (HA) is a deployment in which two firewalls are placed in a group and
their configuration is synchronized to prevent a single point of failure on your network.
A heartbeat connection between the firewall peers ensures seamless failover in the
event that a peer goes down.

- NGFWs
o Next-generation firewalls (NGFWs) play a critical role in cybersecurity architectures the
world over. As defending data and applications become more complicated, security
products built to withstand evolving threats also grow more powerful.

- Lab Scenario For HA

o Configure Master firewall (HA)

 Set IP 172.16.80.1 and allows http https service
 Login 172.16.80.1
 System -> HA
 Mode: Active-Passive
 Device priority: 200 (Note: higher priority is master)
 Group name: Active-Passive
  Password: Admin@2021$
 Session pickup: enable
 Monitor interface: +
o Port3
o Port4
 Heartbeat interfaces: +
o Port3
o Port4
 OK

o Configure Slave firewall (HA)

 Set IP 172.16.81.1
 Login 172.16.81.1
 System -> HA
 Mode: Active-Passive
 Device priority: 110
 Group name: Active-Passive
 Password: Admin@2021$
 Session pickup: enable
 Monitor interface: +
o Port3
o Port4
 Heartbeat interfaces: +
o Port3
o Port4
 OK

8. SDWAN with 3 ISP

- Diagram

- Configure on Fortigate
o Login Fortigate
o Network -> Interfaces
 Select Port1 -> Edit
 Alias: ISP-1
  Role: WAN
 Addressing Mode: Manual
 IP/Network Mask: 10.10.10.10/24
 IPv4: PING
 OK
 Select Port2 -> Edit
 Alias: ISP-2
 Role: WAN
 Addressing Mode: Manual
 IP/Network Mask: 10.10.20.10/24
 IPv4: PING
 OK
 Select Port3 -> Edit
 Alias: ISP-3
 Role: WAN
 Addressing Mode: Manual
 IP/Network Mask: 10.10.30.10/24
 IPv4: PING
 OK
 Select Port4 -> Edit
 Alias: Toward-Core-SW
 Role: LAN
 Addressing Mode: Manual
 IP/Network Mask: 192.168.100.10/24
 IPv4: HTTPS, PING, SNMP
 OK
o Network -> SD-WAN
 Status: Enable
 SD-WAN Interface Members -> Add
 Interface: ISP-1 (port1)
o Gateway: 10.10.10.100
o Status: Enable
 Interface: ISP-2 (port2)
o Gateway: 10.10.20.100
o Status: Enable
 Interface: ISP-3 (port3)
o Gateway: 10.10.30.100
o Status: Enable
 SD-WAN Usage
o Bandwidth
 Apply
o Network -> Performance SLA -> Create
 Name: SLASDWAN
  Protocol: Ping
 Server: 8.8.8.8
 Participants: ISP-1 (port1), ISP-2 (port2), ISP-3 (port3)
 SLA Targets -> Add
 Target1
o Latency threshold (Enable): 100 ms
o Jitter threshold (Enable): 100 ms
o Packet loss threshold: 2 %
 Link Status
 Check interval: 1 second(s)
 Failures before inactive: 5
 Restore link after: 5
 Actions when inactive
 Update static route (Enable)
 OK
o Network -> SD-WAN Rules -> Select “sd-wan” -> Edit
 Load Balancing Algorithm: Volume
 ISP-1 (port1) 100
 ISP-2 (port2) 100
 ISP-3 (port3) 100
 OK
o Network -> SD-WAN Rules -> Create New
 Name: Users
 Source address: -> + -> + -> Address ->
 Name: Users
 Type: Subnet
 Subnet/IP Range: 192.168.10.0/24
 Interface: Toward-Core-SW (port4)
 Show in Address List (Enable)
 Static Route Configuration (Enable)
 OK
 Select “Users”
 Destination Address: all
 Protocol number: ANY
 Strategy: Best Quantity
 Interface preference: ISP-3 (port3), ISP-1 (port1), ISP-2 (port2)
 Measured SLA: SLASDWAN
 Quality criteria: Packet Loss
 OK
o Network -> SD-WAN Rules -> Create New
 Name: Managers
 Source address: -> + -> + -> Address ->
 Name: Managers
 Type: Subnet
  Subnet/IP Range: 192.168.20.0/24
 Interface: 192.168.20.0/24
 Interface: Toward-Core-SW (port4)
 Show in Address List (Enable)
 Static Route Configuration (Enable)
 OK
 Select “Managers”
 Destination address: all
 Protocol number: ANY
 Strategy: Best Quanlity
 Interface preference: ISP-1 (port1), ISP-2 (port2), ISP-3 (port3)
 Measured SLA: SLASDWAN
 Quality criteria: Packet Loss
 OK
o Network -> SD-WAN Rules -> Create New
 Name: CEO
 Source address: -> + -> + -> Address ->
 Name: CEO
 Type: Subnet
 Subnet/IP Range: 192.168.30.0/24
 Interface: Toward-Core-SW (port4)
 Show in Address List (Enable)
 Static Route Configuration (Enable)
 OK
 Select “CEO”
 Destination address: all
 Protocol number: ANY
 Strategy: Best Quality
 Interface preference: ISP-2 (port2), ISP-1 (port1), ISP-3 (port3)
 Measured SLA: SLASDWAN
 Quality criteria: Packet Loss
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 0.0.0.0/0.0.0.0
 Interface: SD-WAN
 Administrative Distance: 10
 Status: Enabled
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 192.168.10.0/24
 Interface: Toward-Core-SW (port4)
 Gateway Address: 192.168.100.100
  Administrative Distance: 10
 Status: Enabled
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 192.168.20.0/24
 Interface: Toward-Core-SW (port4)
 Gateway Address: 192.168.100.100
 Administrative Distance: 10
 Status: Enabled
 OK
o Network -> Static Routes -> Create New
 Destination: Subnet
 192.168.30.0/24
 Interface: Toward-Core-SW (port4)
 Gateway Address: 192.168.100.100
 Administrative Distance: 10
 Status: Enabled
 OK
o Policy & Objects -> IPv4 Policy -> Create New
 Name: Users
 Incoming Interface: Toward-Core-SW (port4)
 Outgoing Interface: SD-WAN
 Source: Users
 Destination: all
 Schedule: always
 Service: All
 Action: Accept
 NAT: Enable
 IP Pool Configuration: Use Outgoing Interface Address
 OK