Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ckumar_FTNT
Staff
Staff

Created on ‎03-17-2021 06:24 AM Edited on ‎11-04-2024 12:03 AM By Community Manager

Article Id 195715

Technical Tip: FortiGate Getting Started - Configure Interfaces and policies to access Internet

Description


This article provides an example of configuring an interface and policies on a FortiGate.

 

Scope

 

FortiGate.

Solution


Basic Topology.



 
 
Configuring interfaces.
  • To edit the Internet-facing interface (in the example, WAN1), go to Network -> Interfaces.
  • Set Role to WAN.
 
 
To determine which Addressing mode.
  • If the ISP provides an IP address, set Addressing mode to Manual and set the IP/Network Mask to that IP address.
  •  If the ISP equipment uses DHCP/PPOE, set Addressing mode to DHCP/PPOE to allow the equipment to assign an IP address to WAN1.
    • Edit the LAN interface, which is called internal on some FortiGate models.
    • Set Role to LAN.
    • Set the Addressing mode to Manual and set the IP/Network Mask to the private IP address to use for the FortiGate.
    <Optional> To assign IP addresses to devices on the internal network, enable DHCP Server.
 
 
 
 

DNS Configuration:

Configuring DNS is necessary for internet access. Users can go to Network -> DNS to set FortiGuard DNS servers or any preferred DNS servers, ensuring name resolution for internal devices.

 

Adding a default route.
  • If the Addressing mode is set to DHCP/PPoE then a default route is automatically created with AD as 5 and priority as 1. And can be modified from the interface only. Either GUI can change the distance or Cli can change the distance and priority. From GUI to change the 'distance':

 

adchange.png
 

 From CLI to change 'distance' and 'priority':

 

config system interface

    edit wan1

         set priority 1           <----- Change to desired priority.

         set distance 5          <----- Change to desired distance.

end

 

  • For manual mode, define the default route.
  • Go to Network -> Select Static Routes, select 'Create New' to create a static route
  • Set Gateway to the IP address provided by the ISP and Interface to the Internet-facing interface.
 
 
Creating a policy.
  • To create a new policy, go to Policy & Objects -> IPv4 Policy.
 
 
 
 
 

NAT Settings in Policy:

When creating the policy to allow internet access, it’s important to check that NAT is enabled. In Policy & Objects -> IPv4 Policy, under the policy settings, select NAT to translate private IP addresses to the public IP on the WAN interface.

Security Profile Configuration:

Security profiles (like Antivirus, Web Filter, and Intrusion Prevention) can be added to the policy for internet-bound traffic. This enhances security for outbound traffic by protecting against threats from the internet.

Logging and Monitoring:
Recommend enabling logging for the policy to monitor traffic. Users can enable Log Allowed Traffic under Policy & Objects -> IPv4 Policy and choose to log all sessions or only security events. This will allow users to monitor internet access logs in Log & Report -> Forward Traffic.

 

Browse the Internet using the PC on the internal network.

 

Related article:

Technical Tip: PPPoE interface option not available from GUI

Labels:
6424
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.