
FortiGate Administration
NSE 4 (FortiGate I)
Contents

1 Management Access or Device Management ... 1
    Graphical Access ... 1
    Password Reset ... 3
2 Firmware ... 5
    FortiOS Upgrade ... 5
    FortiOS Downgrade ... 6
    Backup ... 7
    Restore ... 8
3 Firewall Policies ... 9
    Firewall Object ... 9
    Firewall Policy ... 10
4 Network Address Translation ... 11
    NAT ... 12
    Destination NAT ... 15
    Port Forwarding ... 18
    PAT ... 19
5 Authentication ... 20
6 SSL VPN ... 25
7 IPsec VPN ... 31

1. Management Access or Device Management

Graphical Access
Step 1: Connect the management PC to port1, configure the network adapter to receive an IP
address from the DHCP server, and then check connectivity between the PC and the firewall. The
default FortiGate IP is 192.168.1.99.

Step 2: Open a browser, go to https://192.168.1.99 and press Enter. The default username is
admin and the default password is empty (nothing). Set an admin password as soon as you are
logged in; the admin account should not keep the empty factory password.

Upon successful login you should see the dashboard page shown below.

Password Reset

Step 1: Connect the computer to the firewall via the console port.

Step 2: Start your terminal software (for example, PuTTY).

Step 3: Reboot the firewall and wait for the firewall name and login prompt to appear.
The terminal window should display something similar to the following:

Step 4: Type the username: maintainer

Step 5: The password is bcpb followed by the serial number of the firewall, with the letters of the
serial number in UPPERCASE.
Example: bcpbFGT60D4Q16007210

Note: After the login prompt appears, you have only about 30 seconds to type the username and
password. It may therefore be necessary to have the credentials ready in a text editor and then
copy and paste them into the login screen. This account works only from the physical console
during that window; where it is not wanted, it can be turned off with set admin-maintainer disable
under config system global.

Step 6: You are now connected to the firewall. To change the admin password, use the following
syntax.

In a unit where VDOMs are not enabled:

    config system admin
        edit admin
            set password <password>
    end

In a unit where VDOMs are enabled (the second end leaves the global scope again):

    config global
        config system admin
            edit admin
                set password <password>
        end
    end

2. Firmware Upgrade and Downgrade

FortiOS Upgrade

Step 1: Log into the web-based manager as the admin user.
Go to System > Dashboard > Status. Under System Information > Firmware Version, select Update.

Step 2: Click Upload firmware, select the file from the local disk, then select Upgrade.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version,
restarts, and displays the FortiGate login. This process takes a few minutes.

Note: Always back up your configuration before making any changes to the firmware, and check the
downloaded image's checksum against the value published on the Fortinet support site before
uploading it.

FortiOS Downgrade

Step 1: Log into the web-based manager as the admin user.
Go to System > Dashboard. Under System Information > Firmware Version, select Update.

Step 2: Click Upload firmware, select the file from the local disk, then select Downgrade.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes a few
minutes. Because the configuration is reset, have a backup taken on the target version ready to
restore afterwards.

Backup

Step 1: Go to System > Dashboard. On the System Information widget, select Backup next to
System Configuration.

Step 2: Select whether to back up to your local PC or a USB disk (the USB Disk option is grayed
out if no USB drive is inserted in the USB port). Then select Encrypt configuration file (encryption
must be enabled on the backup file for VPN certificates to be included).

Step 3: Enter a password and enter it again to confirm it. You will need this password to restore
the file. Then select OK.

Restore

Step 1: Go to System > Dashboard. On the System Information widget, select Restore next to
System Configuration.

Step 2: Click Upload, select the configuration file from the local PC or USB disk, enter the
password if required, then click OK.

The configuration file has a .conf extension.

The FortiGate unit loads the configuration file and restarts. Once the restart has completed,
verify that the configuration has been restored.

3. Firewall Policies

Creating a Firewall Object

Go to Policy & Objects > Addresses and create a new address.

1. Give the object a Name.
2. Select the Type (IP/Netmask, FQDN, Geography, IP Range or Wildcard FQDN) and enter the
   address value.
3. Select the Interface to indicate which interface this object is associated with.

Creating a Firewall Policy

Go to Policy & Objects > IPv4 Policy and select Create New.
1. Give the policy a Name that indicates it is for traffic from the LAN to the internet.
2. Set the Incoming Interface to the LAN interface and the Outgoing Interface to the
   internet-facing interface.
3. Set Source, Destination Address, Schedule and Service as required.
4. Make sure the Action is set to ACCEPT, turn on NAT and make sure Use Outgoing Interface
   Address is selected.
5. Scroll down to the Logging Options. To be able to view the results later, enable Log Allowed
   Traffic and select All Sessions.
6. Click OK.

4. Network Address Translation

Objectives

- Configure NAT
- Configure destination NAT using Virtual IPs
- Configure port forwarding
- Configure PAT

Configure NAT

Step 1: Go to Network > Interfaces and edit the internet-facing interface (WAN). Set Addressing
mode to Manual and set the IP/Netmask.

Step 2: Add a default route (needed because the WAN interface IP address was configured
manually). Go to Network > Routing and select Create New. Set Destination to Subnet,
Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to the internet-facing interface (WAN1), and
Gateway to the default gateway provided by your ISP or to the next-hop router, depending on
your network requirements.

Step 3: Go to Network > Interfaces and edit the DMZ interface. Set Addressing mode to Manual
and set the IP/Netmask.

Step 4: Create a new address object for the DMZ.

Go to Policy & Objects > Addresses and create a new address. Set the details as shown below.

Step 5: Create a new policy with NAT.
Go to Policy & Objects > IPv4 Policy and select Create New.

Step 6: Verify the results.

Go to FortiView > Sources > Sessions
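As an added illustration that is not part of the original guide, this is the CLI equivalent of Steps 1 to 5 above together with the address object and the NAT policy from Section 3. The interface names wan1 and dmz, the DMZ subnet 172.24.10.0/24 and the ISP gateway 192.168.3.1 are assumed; the WAN address 192.168.3.249 is the one the later sections use.

```fortios
# Steps 1 and 3: static addressing on the WAN and DMZ interfaces (names assumed)
config system interface
    edit "wan1"
        set mode static
        set ip 192.168.3.249 255.255.255.0
        # only ping on the internet side; no HTTPS/SSH management exposed there
        set allowaccess ping
    next
    edit "dmz"
        set mode static
        set ip 172.24.10.1 255.255.255.0
    next
end
# Step 2: default route through the ISP gateway (192.168.3.1 is a constructed value)
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.3.1
        set device "wan1"
    next
end
# Step 4: address object for the DMZ network, tied to the dmz interface
config firewall address
    edit "DMZ-net"
        set type ipmask
        set subnet 172.24.10.0 255.255.255.0
        set associated-interface "dmz"
    next
end
# Step 5: outbound policy; nat enable translates to the outgoing interface address
# (the GUI's "Use Outgoing Interface Address") and logtraffic all logs every session
config firewall policy
    edit 0
        set name "DMZ-to-Internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "DMZ-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

For the CLI counterpart of Step 6, get router info routing-table all shows the default route and diagnose sys session list shows the translated sessions.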

Destination NAT

Step 1: Create new Virtual IPs for the web server and the FTP server.
Go to Policy & Objects > Virtual IPs and select Create New Virtual IP.

Step 2: Create new policies for the web server and the FTP server.
Go to Policy & Objects > IPv4 Policy and select Create New.

When a client on the WAN side connects to 192.168.3.248 with service HTTP, the destination is
translated to 172.24.10.100.

When a client on the WAN side connects to 192.168.3.247 with service FTP, the destination is
translated to 172.24.10.50.

Step 3: Verify the results.
From a PC located on the WAN interface side, open a browser and go to http://192.168.3.248
and ftp://192.168.3.247.

Step 4: Go to FortiView > Sources

Port Forwarding
Step 1: Create or edit the web server and FTP server virtual IPs.
Go to Policy & Objects > Virtual IPs and edit the web server. Set the External IP Address to the
WAN interface IP address, enable Port Forwarding and set the port numbers.

Go to Policy & Objects > Virtual IPs and edit the FTP server. Set the External IP Address to the
WAN interface IP address, enable Port Forwarding and set the port numbers.

Step 2: Go to FortiView > Sources

Port Address Translation

Step 1: Create or edit the web server entry under Virtual IPs. Set the port number so that a
client on the WAN interface side that opens http://192.168.3.249:80 reaches the web server.

Step 2: Verify the results. Go to FortiView > Sources
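The following is an added example, not configuration from the guide, showing the CLI form of the Destination NAT, Port Forwarding and PAT steps above with the addresses the guide uses. The interface names wan1 and dmz and the internal port 8080 behind the PAT entry are assumptions.

```fortios
# Destination NAT Step 1: static one-to-one VIPs (all ports) as in the guide
config firewall vip
    edit "VIP-web"
        set extintf "wan1"
        set extip 192.168.3.248
        set mappedip "172.24.10.100"
    next
    edit "VIP-ftp"
        set extintf "wan1"
        set extip 192.168.3.247
        set mappedip "172.24.10.50"
    next
    # Port Forwarding / PAT: reuse the wan1 address and translate only TCP/80;
    # the internal port 8080 is an assumption to show the port being rewritten
    edit "VIP-web-pat"
        set extintf "wan1"
        set extip 192.168.3.249
        set mappedip "172.24.10.100"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 8080
    next
end
# Step 2: inbound policies name the VIP as destination; NAT stays off because the
# VIP already rewrites the destination, and service is limited to what is published
config firewall policy
    edit 0
        set name "WAN-to-Web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-web" "VIP-web-pat"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
    edit 0
        set name "WAN-to-FTP"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-ftp"
        set action accept
        set schedule "always"
        set service "FTP"
        set logtraffic all
    next
end
```

Keeping the service narrow matters more here than for the outbound policy: a VIP without port forwarding maps every port, so the policy's service field is what limits what the WAN side can reach.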

5. Authentication

Objectives
- Create local users
- Integrate an LDAP server into the FortiGate
- Add local users and remote users to one group
- Authentication via a firewall policy

Step 1: Create local users.
Go to User & Device > User Definition and select Create New.

Step 2: LDAP server integration.
Go to User & Device > LDAP Servers and select Create New.

Step 3: Create a group and add the users to it.

Go to User & Device > User Groups and select Create New.

Step 4: Create a policy for the sales group to access the internet.
Go to Policy & Objects > IPv4 Policy and select Create New.

Step 5: Open a browser on the sales group LAN and access any website; the request is
automatically redirected to the authentication page.
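An added example (not from the guide) of Steps 1 to 4 on the CLI: a local user, an LDAP server, one group holding both, and the identity-based policy that produces the redirect in Step 5. The user name, LDAP host, base DN, bind account and interface names are assumed values; anything in angle brackets is a placeholder.

```fortios
# Step 1: local user (replace <password> before use)
config user local
    edit "alice"
        set type password
        set passwd <password>
    next
end
# Step 2: LDAP server. Host, base DN and bind account are assumed values;
# LDAPS on 636 keeps the bind and user credentials off the wire
config user ldap
    edit "corp-ldap"
        set server "ldap.example.com"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password <bind-password>
    next
end
# Step 3: one group holding the local user and the remote LDAP server
config user group
    edit "sales"
        set member "alice" "corp-ldap"
    next
end
# Step 4: the groups setting makes this an identity-based policy, so an
# unauthenticated browser is sent to the login page first (Step 5)
config firewall policy
    edit 0
        set name "Sales-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sales"
        set nat enable
        set logtraffic all
    next
end
```

Before the policy goes live, diagnose test authserver ldap corp-ldap <user> <password> checks the bind and the user lookup from the FortiGate itself.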

6. SSL VPN

Objectives
- Configure and connect to an SSL VPN
- Enable authentication security
- Configure policies for access to private network resources

Step 1: Create bookmarks so that users can access a remote desktop or web portal from the internet.
Go to VPN > SSL-VPN Portals and select Create New, or edit the Web-access mode portal. Inside the
Web-access mode portal, create bookmarks for RDP and web page access.

Step 2: Create a new group for SSL VPN users.
Go to User & Device > User Groups and select Create New.

Step 3: Edit the SSL VPN settings, set an unused port number as the Listen Port, and map the
SSL users group to the portal.

Mapping the SSL users group to the portal
Step 4: Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic.

Step 5: Open https://192.168.3.249:8081 from any remote PC; you will see the portal below.
Enter the login credentials and the SSL-VPN portal page with the bookmarks opens automatically.
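The CLI form of Steps 1, 3 and 4 above, added here as an example and not taken from the guide. It assumes the group sslvpn-users already exists (created as in Step 2 and Section 5), that wan1 is the internet-facing interface and internal the LAN, and uses a made-up RDP host 10.10.10.20; the listen port 8081 is the one the guide uses.

```fortios
# Step 1: web-mode portal with an RDP bookmark (the RDP host is an assumed value)
config vpn ssl web portal
    edit "sales-portal"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Sales RDP"
                        set apptype rdp
                        set host "10.10.10.20"
                        set port 3389
                    next
                end
            next
        end
    next
end
# Step 3: listen on the unused port 8081 on wan1 and map the SSL VPN group to its
# portal; users who match no rule only get the built-in web-access portal
config vpn ssl settings
    # factory self-signed certificate; replace it with one the clients trust
    set servercert "Fortinet_Factory"
    set port 8081
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "sales-portal"
        next
    end
end
# Step 4: policy from the SSL VPN interface to the LAN, restricted to the group
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set logtraffic all
    next
end
```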

7. IPsec VPN

Objectives
- Site-to-site VPN

HQ
Step 1: On the HQ FortiGate, go to VPN > IPsec Wizard and select the Site to Site FortiGate template.

Step 2: In the Authentication step, set the branch FortiGate IP as the Remote Gateway. After you
enter the gateway, an available interface is assigned as the Outgoing Interface. Set a secure
Pre-shared Key.

Step 3: In the Policy & Routing section, set Local Interface to your LAN interface. The local subnet
is added automatically. Set Remote Subnet to the branch FortiGate's local subnet.

Step 4: A summary page shows the configuration created by the wizard, including firewall addresses,
firewall address groups, the static route, and security policies.

Branch Office
Step 1: On the branch FortiGate, go to VPN > IPsec Wizard and select the Site to Site FortiGate template.

Step 2: In the Authentication step, set the HQ FortiGate IP as the Remote Gateway. After you
enter the gateway, an available interface is assigned as the Outgoing Interface. Set the same
Pre-shared Key that was used for HQ's VPN.

Step 3: In the Policy & Routing section, set Local Interface to your LAN interface. The local subnet
is added automatically. Set Remote Subnet to the HQ FortiGate's local subnet.

Step 4: A summary page shows the configuration created by the wizard, including firewall addresses,
firewall address groups, the static route, and security policies.

