- Unbox FortiGate or initialize a new VM. Start by unboxing the FortiGate, then connect the power cord and boot the FortiGate. If deploying a FortiGate VM, initialize a new VM by following the hypervisor's VM deployment guide.
- Note that the factory default settings on the firewall interface are as follows:
IP: 192.168.1.99. Subnet Mask: 255.255.255.0. Gateway: 192.168.1.99. Default login user: admin. Default password: (blank).
- Access the FortiGate GUI: To begin the initial configuration, connect the computer with an Ethernet cable to the MGMT interface on mid-range and high-end models. Entry-level FortiGates do not have the MGMT interface: Use the port1 interface instead. When connecting to a VM, it may be necessary to reconfigure the VM and the computer to be on the same VLAN.
Open a browser, navigate to https://192.168.1.99, and enter the default username admin with no password. FortiGate should provide a prompt to update the default password.
- If the login page fails to load, make sure the https:// is included in the URL.
- If the login page still cannot be accessed, open a command prompt and ping 192.168.1.99.
- If there are no ICMP echo replies, review the computer's IP address and netmask using ipconfig /all, and make sure the computer is in the same broadcast domain as the FortiGate.
- If the computer's ethernet port does not have an IP address, has 169.254.x.x, or has an IP address other than 192.168.1.x 255.255.255.0: type ncpa.cpl in the Microsoft Windows command line, right-click the ethernet interface and select Properties, then use the IP address 192.168.1.110 255.255.255.0.

Optionally, set the Default Gateway and DNS to 192.168.1.99.

- Configure LAN interface. Open Network -> Interfaces then select and edit an interface that will be used for the Local Area Network (LAN). In general, it is recommended to use interface port2 or an internal interface and assign a preferred private LAN address. Avoid using 192.168.1.0/24 because some ISPs use that same subnet on their ISP device. One option is to use 10.0.10.1/24 as shown below.

config system interface
    edit "port2"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping https ssh http
        set alias "LAN"
    next
end
Additionally, enable the DHCP server unless an internal DHCP server is already in use or static IP addresses will be assigned to hosts. Save the changes by clicking the OK button.

config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        set lease-time 604800
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.10.100
                set end-ip 10.0.10.250
            next
        end
    next
end
Next, unplug the computer from the MGMT port or port1 and connect to the designated LAN port, which is port2 in the example above.
- If a static IP address was assigned to the computer's ethernet port, open ncpa.cpl and set TCP/IPv4 Properties back to its default settings.

Open the browser and navigate to the IP address assigned to the LAN interface (https://10.0.10.1 in the example above). It should be possible to log in to the FortiGate GUI through the LAN IP address. If the login fails, try statically assigning the IP address 10.0.10.9, subnet mask 255.255.255.0, gateway 10.0.10.1, and DNS 10.0.10.1.
- Configure the WAN interface. Connect the WAN interface or port1 (if that is the preferred WAN interface) to the ISP device if it is not connected yet. If the ISP assigned the company a public IP address: Open Network -> Interfaces, then edit the WAN interface and select Manual in the Addressing mode. Next, set the first valid IP address assigned by the ISP and the correct netmask, uncheck all Administrative Access options, and select the OK button to save the settings. The example below uses 192.168.2.2/24 for demonstration purposes.

config system interface
    edit "wan1"
        set ip 192.168.2.2 255.255.255.0
        set allowaccess none
        set alias "WAN"
    next
end
Open Network -> Static Routes and add a default route. Select the WAN interface and set the Gateway Address accordingly based on the ISP assigned gateway and select the OK button. In the example below, 192.168.2.1 was used because it is the next hop.

config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 192.168.2.1
        set device "wan1"
    next
end
If the ISP has NOT assigned the company a static public IP address:
- Open Network -> Interfaces, then edit the WAN interface and select DHCP in the Addressing mode.
- Enable the option 'Retrieve default gateway from server'.

config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess none
        set type physical
        set role wan
        set defaultgw enable
        set snmp-index 2
    next
end
- Configure firewall policy and enable NAT.
Open Policy & Objects -> Firewall Policy and select Create New. Configure the policy similar to the example below, make sure NAT is enabled, and select the OK button to save. It should now be possible to connect to the Internet. After completing the initial internet test, set the applicable security profiles such as Web Filter and Anti-Virus.

config firewall policy
    edit 1
        set name "LAN_to_WAN"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
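One way to check the interface steps above after setup, as an added example that is not part of the original article and is not Fortinet code: it parses the text of `show system interface` and reports interfaces that look WAN-facing (role wan, or the alias "WAN" used above) with any administrative access enabled, plus any interface that allows HTTP or Telnet. The function names and the wan2 entry are assumptions made for illustration.

```python
import shlex
# port2 and wan1 mirror the article's examples; wan2 is a constructed
# misconfiguration added so the check has something to report.
SAMPLE = '''
config system interface
    edit "port2"
        set allowaccess ping https ssh http
        set alias "LAN"
    next
    edit "wan1"
        set allowaccess none
        set alias "WAN"
    next
    edit "wan2"
        set allowaccess ping https ssh
        set role wan
    next
end
'''
CLEARTEXT = {"http", "telnet"}  # admin protocols that are not encrypted

def parse_interfaces(text):
    """Return {name: {setting: [values]}} from 'config system interface'."""
    interfaces, current, depth = {}, None, 0  # depth 1 = inside the block
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            depth = depth + 1 if depth else int(tok[1:] == ["system", "interface"])
        elif tok[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            current = interfaces.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]  # nested sub-blocks (depth 2+) are skipped
    return interfaces

def audit(interfaces):
    """Flag admin access on WAN-facing ports and cleartext admin protocols."""
    findings = []
    for name, cfg in interfaces.items():
        access = set(cfg.get("allowaccess", [])) - {"none"}
        is_wan = cfg.get("role") == ["wan"] or cfg.get("alias") == ["WAN"]
        if is_wan and access:
            findings.append((name, "admin access on WAN: " + " ".join(sorted(access))))
        findings += [(name, "cleartext protocol: " + p) for p in sorted(access & CLEARTEXT)]
    return findings

if __name__ == "__main__":
    print(audit(parse_interfaces(SAMPLE)))
```

On the sample, port2 is reported for HTTP and wan2 for administrative access on a WAN port; wan1 as configured in the article produces no finding.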
Note:
Starting from v7.6.3, FortiOS includes enhanced GUI access for the global search feature. The improved global search in the top header menu provides quick command palette access from the GUI and additional keyboard shortcuts.
This menu allows fast navigation to GUI pages and running actions, such as opening the CLI console, executing diagnostic commands, and searching configurations.
For more information about this feature, see the following document: GUI access for global search 7.6.3.
If the FortiGate GUI is still not accessible after completing the above steps, refer to the following article to connect to the FortiGate using a console cable and verify the configuration directly via CLI: Technical Tip: How to connect to the FortiGate and FortiAP console port.
Related articles:
Technical Tip: How to configure a FortiGate interface to use DHCP
Technical Tip: Best practices for firewall policy configuration on FortiGate