FortiGate Complete Configuration Guide

This guide provides detailed steps for configuring and testing firewall policies on a FortiGate device, including accessing the GUI and CLI, creating allow and deny policies, testing with ping and traceroute, and monitoring traffic logs. It also covers advanced features like IPsec VPN configuration, SD-WAN setup, and web filtering. Each section includes specific goals and step-by-step instructions to ensure proper implementation and verification of firewall rules.

Uploaded by Ibad Atif
FortiGate Firewall Policy Testing & Configuration Guide

1. Access FortiGate VM GUI and CLI

Step 1.1: Log into FortiGate GUI

Goal: Access the web-based FortiGate GUI to configure firewall policies.

Steps:

 - Open a web browser and enter the FortiGate's IP address (e.g., https://<FortiGate-IP>).
 - Enter your credentials to log in.
 - Navigate through the menu to explore the available sections, such as Network, Policy & Objects, and Log & Report.

Step 1.2: Access FortiGate CLI

Goal: Use the FortiGate CLI to execute diagnostic commands.

Steps:

 - Access the CLI through the GUI or via SSH.
 - Enter your credentials to start using the CLI.
 - Test access by running: get system status
 - Ensure you receive system status output to confirm access to the CLI.

2. Create Firewall Policies for Testing

Step 2.1: Allow ICMP (Ping) Traffic from LAN to WAN

Goal: Create a firewall policy that allows ping traffic between LAN and WAN.

Steps:

 - Navigate to Policy & Objects → IPv4 Policy in the GUI.
 - Click Create New and configure the following:
   - Incoming Interface: LAN
   - Outgoing Interface: WAN
   - Source: Select the LAN subnet or all.
   - Destination: all (for internet traffic).
   - Service: Select ICMP (for ping traffic).
   - Action: Accept.
 - Enable logging for traffic so that you can track the packets.
 - Save the policy.

Step 2.2: Create a Deny Policy for Specific Traffic

Goal: Create a policy to block specific traffic (e.g., block all HTTP traffic).

Steps:

 - Go to Policy & Objects → IPv4 Policy.
 - Click Create New and configure the following:
   - Incoming Interface: LAN
   - Outgoing Interface: WAN
   - Source: Select the LAN subnet or all.
   - Destination: all.
   - Service: Select HTTP (to block web traffic).
   - Action: Deny.
 - Enable logging to verify this rule in the logs.
 - Move this policy above any allow rules (since FortiGate processes policies top to bottom).
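The ordering point above is the one that most often breaks a deny rule: FortiGate applies the first policy that matches and never looks further, so a broad allow placed above the HTTP deny silently shadows it. The toy model below is an added example, not part of the guide; the policy table, the "ALL" service object, the 192.168.1.0/24 LAN subnet and the packets are constructed, and policy 0 stands for the implicit deny.

```python
# Added example (not from the guide): a toy model of FortiGate's top-to-bottom,
# first-match policy evaluation. Policies and packets are constructed for the
# example; "ALL" is the any-service object and policy 0 is the implicit deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str   # CIDR, or "all"
    service: str   # key into SERVICES
    action: str    # "accept" or "deny"

# service name -> (IP protocol number, destination port); None means any
SERVICES = {"ICMP": (1, None), "HTTP": (6, 80), "ALL": (None, None)}

def matches(policy: Policy, pkt: dict) -> bool:
    """True when interfaces, source address and service all match the packet."""
    if (policy.srcintf, policy.dstintf) != (pkt["srcintf"], pkt["dstintf"]):
        return False
    if policy.srcaddr != "all" and ip_address(pkt["srcip"]) not in ip_network(policy.srcaddr):
        return False
    proto, port = SERVICES[policy.service]
    if proto is not None and proto != pkt["proto"]:
        return False
    return port is None or port == pkt["dstport"]

def evaluate(policies: list, pkt: dict) -> tuple:
    """Return (policyid, action) of the first matching policy, or (0, 'deny')."""
    for policy in policies:
        if matches(policy, pkt):
            return policy.policyid, policy.action
    return 0, "deny"   # implicit deny: nothing matched

# Policies from Steps 2.1 and 2.2, plus a broad allow that can shadow the deny.
ALLOW_ICMP = Policy(1, "LAN", "WAN", "192.168.1.0/24", "ICMP", "accept")
ALLOW_ALL = Policy(2, "LAN", "WAN", "all", "ALL", "accept")
DENY_HTTP = Policy(3, "LAN", "WAN", "all", "HTTP", "deny")
PING = {"srcintf": "LAN", "dstintf": "WAN", "srcip": "192.168.1.10", "proto": 1, "dstport": None}
HTTP = {"srcintf": "LAN", "dstintf": "WAN", "srcip": "192.168.1.10", "proto": 6, "dstport": 80}

if __name__ == "__main__":
    shadowed = [ALLOW_ICMP, ALLOW_ALL, DENY_HTTP]  # deny never reached for HTTP
    correct = [DENY_HTTP, ALLOW_ICMP, ALLOW_ALL]   # deny evaluated first
    print("deny below allow, HTTP:", evaluate(shadowed, HTTP))  # (2, 'accept')
    print("deny above allow, HTTP:", evaluate(correct, HTTP))   # (3, 'deny')
    print("deny above allow, ping:", evaluate(correct, PING))   # (1, 'accept')
```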

3. Testing Firewall Policies with Ping

Step 3.1: Ping a Public IP to Test WAN Access

Goal: Test whether the firewall allows traffic from the LAN to WAN using ICMP (ping).

Steps:

 - Open the FortiGate CLI.
 - Run the following command to ping Google's public DNS server (8.8.8.8): execute ping 8.8.8.8
 - The ping should succeed if the firewall policy allows ICMP traffic.
 - Go to Log & Report → Traffic Log to verify that the ping request and response are logged.

Step 3.2: Ping the FortiGate Interface

Goal: Test ICMP traffic between the LAN and FortiGate interface.

Steps:

 - From the FortiGate CLI, run the following command: execute ping <LAN_Interface_IP>
 - If the ping succeeds, the firewall allows ICMP traffic between the FortiGate interface and LAN subnet.

4. Testing Firewall Policies with Traceroute

Step 4.1: Use Traceroute to Test WAN Access

Goal: Test the route traffic takes from the LAN to an external IP using traceroute.

Steps:

 - Open the FortiGate CLI.
 - Run the following command: execute traceroute 8.8.8.8
 - This command shows the path the packets take from the LAN, through the FortiGate, and to Google's DNS server.
 - Go to Log & Report → Traffic Log to view the logs and ensure that the correct firewall policy is applied.

5. Verifying Firewall Policies via Logs

Step 5.1: Monitor Traffic Logs

Goal: Use traffic logs to verify which firewall policies are applied and track traffic flows.

Steps:

 - Navigate to Log & Report → Traffic Log in the GUI.
 - Filter the logs by IP address, service, or policy ID to view specific traffic (e.g., ping or traceroute traffic).
 - Confirm that traffic is allowed or denied according to the firewall policies you created.
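The same filter-and-confirm check can be done on exported traffic logs, which FortiGate writes as space-separated key=value pairs with double-quoted strings. The script below is an added example, not part of the guide; its log lines are constructed (RFC 5737 test addresses, policy IDs 1 and 3 from Steps 2.1 and 2.2, a hypothetical broad policy 2, and policy 0 for the implicit deny), and the expected-verdict table keyed by service is an assumption of the example.

```python
# Added example (not from the guide): filter FortiGate traffic-log lines by
# IP, service or policy ID and check each entry against the verdict the
# policy table should produce. FortiGate logs are space-separated key=value
# pairs with double-quoted strings; the lines below are constructed for this
# example, with RFC 5737 test addresses and the policy IDs from Steps 2.1/2.2.
import re
from collections import Counter

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log_line(line: str) -> dict:
    """Split one log line into fields, stripping the quotes from string values."""
    fields = {}
    for key, raw, quoted in KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def filter_logs(lines, **criteria) -> list:
    """Keep entries whose fields equal every criterion, e.g. srcip='192.168.1.10'."""
    entries = [parse_log_line(l) for l in lines if l.strip()]
    return [e for e in entries if all(e.get(k) == v for k, v in criteria.items())]

def verdicts_by_policy(entries) -> Counter:
    """Count (policyid, action) pairs; a policy that never appears never fired."""
    return Counter((e.get("policyid"), e.get("action")) for e in entries)

def unexpected(entries, expected_by_service: dict) -> list:
    """Entries whose action contradicts the verdict expected for their service."""
    return [e for e in entries
            if expected_by_service.get(e.get("service"), e.get("action")) != e.get("action")]

# Constructed sample: ping accepted by policy 1, HTTP denied by policy 3, one HTTP
# flow accepted by a broad policy 2, and an HTTPS flow hitting the implicit deny.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=192.168.1.10 srcintf="LAN" dstip=8.8.8.8 dstintf="WAN" proto=1 action="accept" policyid=1 service="PING"
date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=192.168.1.10 srcintf="LAN" dstip=198.51.100.5 dstport=80 dstintf="WAN" proto=6 action="deny" policyid=3 service="HTTP"
date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" srcip=192.168.1.22 srcintf="LAN" dstip=198.51.100.5 dstport=80 dstintf="WAN" proto=6 action="accept" policyid=2 service="HTTP"
date=2024-05-01 time=10:00:04 type="traffic" subtype="forward" srcip=192.168.1.22 srcintf="LAN" dstip=203.0.113.9 dstport=443 dstintf="WAN" proto=6 action="deny" policyid=0 service="HTTPS"
""".splitlines()

if __name__ == "__main__":
    print(filter_logs(SAMPLE_LOGS, policyid="3"))
    print(verdicts_by_policy(filter_logs(SAMPLE_LOGS)))
    # HTTP should always be denied: an accept by policy 2 means the deny rule is shadowed.
    for e in unexpected(filter_logs(SAMPLE_LOGS), {"PING": "accept", "HTTP": "deny"}):
        print("unexpected:", e["srcip"], e["service"], e["action"], "policy", e["policyid"])
```

An HTTP entry with action="accept" from a policy other than the deny rule is the log-side symptom of the ordering problem described in Step 2.2.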

6. Advanced Testing with FortiGate Diagnostic Commands

Step 6.1: Use the FortiGate CLI to Generate Traffic

Goal: Simulate traffic using built-in CLI tools for further testing.

Steps:

 - To simulate an HTTP request, run: execute telnet www.google.com 80
 - To simulate a DNS request, run: execute telnet 8.8.8.8 53
 - Check the logs to verify whether this traffic was allowed or denied based on the firewall policies.

Step 6.2: Use Flow Debugging to Trace Packet Processing

Goal: Analyze how packets are handled by the firewall in more detail.

Steps:

 - Enable debug flow for detailed traffic processing output:
   - diagnose debug enable
   - diagnose debug console timestamp enable
   - diagnose debug flow filter addr <Test_IP>
   - diagnose debug flow trace start 100
 - Disable the debugging after testing: diagnose debug disable
 - Analyze the debug output to see which firewall policy processed the packets and if any were dropped.
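Debug flow output is verbose, with several lines per packet that share one trace_id; the verdict ("Allowed by Policy-N" or "Denied by forward policy check (policy N)") is what the last step above is looking for. The summariser below is an added example, not part of the guide; the trace lines are constructed in FortiGate's output format with RFC 5737 test addresses, and the session ID and policy numbers are made up for the example.

```python
# Added example (not from the guide): summarise 'diagnose debug flow' output per
# packet. Every trace line carries trace_id=<n> and msg="..."; the lines for one
# trace_id follow a packet from arrival to its verdict. The output below is
# constructed in FortiGate's format with RFC 5737 test addresses; policy numbers
# match Steps 2.1/2.2 and the session id is made up.
import re

TRACE_ID = re.compile(r"\btrace_id=(\d+)")
MSG = re.compile(r'msg="([^"]*)"')
PACKET = re.compile(r"received a packet\(proto=(\d+), ([\d.:]+)->([\d.:]+)\)")
ALLOWED = re.compile(r"Allowed by Policy-(\d+)")
DENIED = re.compile(r"Denied by forward policy check \(policy (\d+)\)")

def summarise_flow(lines) -> dict:
    """Map trace_id -> {packet, policyid, verdict}, keeping traces in arrival order."""
    traces = {}
    for line in lines:
        tid, msg = TRACE_ID.search(line), MSG.search(line)
        if not (tid and msg):
            continue  # blank line or non-trace text such as the echoed command
        t = traces.setdefault(tid.group(1), {"packet": None, "policyid": None, "verdict": "no verdict"})
        text = msg.group(1)
        if m := PACKET.search(text):
            t["packet"] = (int(m.group(1)), m.group(2), m.group(3))
        elif m := ALLOWED.search(text):
            t["policyid"], t["verdict"] = int(m.group(1)), "allowed"
        elif m := DENIED.search(text):
            t["policyid"], t["verdict"] = int(m.group(1)), "denied"
        elif "Find an existing session" in text:
            t["verdict"] = "existing session"  # no policy lookup for an established flow
    return traces

SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5921 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_forward_handler line=807 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51000->198.51.100.5:80) tun_id=0.0.0.0 from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=fw_forward_handler line=807 msg="Denied by forward policy check (policy 3)"
id=20085 trace_id=3 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 8.8.8.8:1->192.168.1.10:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=1, seq=1."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-0000a1b2, reply direction"
""".splitlines()

if __name__ == "__main__":
    for tid, t in summarise_flow(SAMPLE_TRACE).items():
        print(tid, t["packet"], t["verdict"], "policy", t["policyid"])
```

A trace that ends with "no verdict" usually means the capture stopped early or the packet was handled before the policy lookup, which is the case worth re-running with a tighter filter.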

7. Testing Deny Rules

Step 7.1: Test the Deny Policy with Ping

Goal: Test the deny policy by blocking ICMP traffic (ping) to a specific IP.

Steps:

 - Ensure the deny policy is placed above the allow policy.
 - Attempt to ping a blocked IP (e.g., 8.8.8.8) from the CLI: execute ping 8.8.8.8
 - The ping should fail, and the traffic logs should indicate that the firewall blocked the request.

8. Troubleshooting and Final Verification

Step 8.1: Common Issues to Check

Goal: Troubleshoot and verify correct firewall policy behavior.

Steps:

 - Misconfigured Firewall Policy: Verify that the policy is correct (interfaces, services, sources, and destinations).
 - Policy Order: Ensure that the deny policies are placed above allow policies if you want them to take precedence.
 - NAT Settings: If traffic is not reaching the WAN, ensure that NAT is correctly configured for outbound traffic.

3. Configure and Test IPsec VPN

Step 3.1: Configuring Site-to-Site IPsec VPN

Goal: Create an IPsec VPN tunnel to allow secure communication between two networks.

Steps:

 - Navigate to VPN → IPsec Wizard in the FortiGate GUI.
 - Select 'Site to Site' as the VPN type.
 - Configure Remote Gateway, Authentication (Pre-shared Key), Local Interface (WAN), and Subnets.
 - Complete the wizard and save the configuration.

Step 3.2: Create VPN Policies

Goal: Create policies to allow traffic through the IPsec VPN tunnel.

Steps:

 - Go to Policy & Objects → IPv4 Policy.
 - Create LAN to VPN and VPN to LAN policies.
 - Ensure the policies have logging enabled for testing.

Step 3.3: Test the VPN Tunnel

Goal: Ensure the IPsec VPN tunnel is up and running.

Steps:

 - Check tunnel status via Monitor → IPsec Monitor.
 - Ping the remote subnet to test connectivity.
 - Verify the logs for traffic.

4. Configure and Test SD-WAN

Step 4.1: Configure SD-WAN Interfaces

Goal: Combine multiple WAN links into a single SD-WAN interface for load balancing and failover.

Steps:

 - Go to Network → SD-WAN.
 - Add two or more WAN interfaces.
 - Configure health checks for failover.

Step 4.2: Create SD-WAN Rules

Goal: Set rules to direct traffic through the appropriate WAN interface.

Steps:

 - Go to Policy & Objects → SD-WAN Rules.
 - Create rules based on source, destination, or service.

Step 4.3: Test SD-WAN Traffic

Goal: Ensure SD-WAN is balancing and failing over traffic correctly.

Steps:

 - Use traceroute to check the WAN path.
 - Simulate a WAN link failure and monitor SD-WAN status.

5. Configure and Test Web Filter

Step 5.1: Enable Web Filtering

Goal: Block or allow access to certain websites based on categories.

Steps:

 - Go to Security Profiles → Web Filter.
 - Create or edit a profile.
 - Enable FortiGuard Categories and block/allow the desired categories.

Step 5.2: Apply Web Filter to Firewall Policy

Goal: Apply the web filter profile to an outgoing firewall policy.

Steps:

 - Go to Policy & Objects → IPv4 Policy.
 - Edit the LAN to WAN policy and enable Web Filter.
 - Select the desired Web Filter profile.

Step 5.3: Test Web Filtering

Goal: Ensure web filtering blocks or allows access to specific sites.

Steps:

 - Attempt to access a blocked category from a LAN device.
 - Verify the web filter activity in the logs.
