- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Configuring FG 40F
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configuring FG 40F
Hello guys,
I will be detailing the below and I am searching for a full answer (full config) if possible:
I have a FG-40F which will be installed in order to mainly protect the assets.
I have sever A which will be exposed to the internet (accessed from internet via Real IP provided by the ISP - the ISP provided a /29 subnet real IP) [lets say this server will be assigned an IP from subnet to be created 10.10.10.1/24 - the IP of server A will be 10.10.10.10]
I have another server B which will be accessed from the internal network and will access the internet by itself [this server will be assigned from 10.10.20.1/24 to be created - Sever B IP will be 10.10.20.10]
I have 3 PCs which will be assigned from subnets to be created [10.10.101.1/24, 10.10.102.1/24, and 10.10.103.1/24]
The WAN physical interface port will be assigned one of the Real IPs X.X.X.2/29 but have no clue where to configure the gateway. I asked the ISP for the their router gateway facing my WAN to route my internal traffic to via static routes in order to reach internet, they said you do not need anything from our side.
On physical interface 1 LAN, the IP of the FG 40F is configured; I need to create as VLAN interface in order to trunk the vlan to the switch and I need this vlan interface to reach the internet. Under this LAN 1 interface too I need to create the other 3 vlan interfaces for the users and i need them to reach the internet and server B.
On physical interface 2 LAN, i need to create vlan interface of server B which must reach the internet.
On physical interface 3 LAN, I need to create vlan interface for Server A which is accessible from the internet (which must be DMZ). Server A should be totally isolated from the network and only accessible from the internet via couple of ports. So security should be on its top.
If anyone can please help me in configuring this scenario taking into consideration the Natting, policies, static routes if needed, security, etc..
I am sorry for flooding your screens and thanks in advance for the help.
Appreciated.
FortiGate
FortiGate
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A couple of things to clarify.
1. WAN side, if the ISP says "you don't have to do anything for routing", that generally means you get a different IP likely in a /30 subnet via DHCP or PPPoE on the wan interface. What did you configure and what IP did the 40F get on wan interface?
2. LAN side, you don't have any VLAN capable switch behind the 40F? If you have a switch, you regulary don't have to use individual LAN ports for each network. One connection to the switch is enough and all networks are separated and carried over by VLANs.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Toshi,
1- No, we have a Real IP subnet/29; i.e. 193.188.5.176/29 = IPs: 193.188.5.178 to 182 - Mask: 255.255.255.248 - Gateway: 193.188.5.177. The ISP said "You do not need anything from our side" not "you don't have to do anything for routing" when I asked them about the transit vlan between us and them.
Now I think that i can use one of the Real IPs on the WAN interface, and I config the vlan interfaces via static routes to the gateway of the real IPs (5.177) subnet as a destination. Right?
2- Yes I have, but I want to assign 1 physical interface on the FW to be configured "under it" vlan interfaces for omly DMZ (which is the server accessed by the internet and should not be accessed by anything else other than internet and should be totally isolated from the rest of the network). how to secure it ? natting, policies, security feats. etc..
The other physical interface i will create under it all internal vlan interfaces. how to secure this too?
Thanks.
Created on 04-27-2023 07:47 AM Edited on 04-27-2023 07:48 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Then you already know the GW to configure for the default route - .5.177. But since one of them needs to be on wan interface (.178?), you can't route the rest toward the other LAN ports. You have to use VIP+SNAT to map one of the /29 IPs, say like .179, to the server's local/real IP 10.10.10.10.
2. If you really want to use those three LAN ports separately you have to break them from "lan" hard-switch, Then all become lan1, lan2, lan3. However, if you configure VLANs on top of each, those three ports are left as untagged interfaces. Be careful if you connect them to the same device like switch. Since FGTs don't participate in STP, it can easily create a L2 loop or at least on the same broadcast domain.
Securing DMZ can be accomplished by policies. Without them, none can reach or even it can't go out to the internet.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configuring an FG 40F is a multi-step process that can vary depending on your specific network requirements. Here is a general overview of the steps involved in configuring an FG 40F:
Connect the FortiGate 40F to your network: Connect the FortiGate 40F to your network using Ethernet cables. Ensure that the FortiGate 40F is powered on and the system LED is lit.
Set the FortiGate 40F's IP address: By default, the FortiGate 40F is set to DHCP mode. To set a static IP address for the FortiGate 40F, access the web-based manager and navigate to System > Network > Interface.
Create security policies: Security policies are used to control the flow of traffic through the FortiGate 40F. To create security policies, navigate to Policy & Objects > Policy > IPv4.
Configure firewall policies: Firewall policies are used to manage the traffic that is allowed to enter and leave your network. To configure firewall policies, navigate to Firewall > Policies.
Configure VPN settings: VPN settings are used to create secure connections between remote sites or users. To configure VPN settings, navigate to VPN > IPsec.
Set up DHCP server: If you want to set up a DHCP server to automatically assign IP addresses to devices on your network, navigate to System > Network > DHCP Server.
Configure advanced settings: Finally, you may want to configure advanced settings such as antivirus, web filtering, and intrusion prevention. To configure these settings, navigate to Security Profiles.
Regardss,
Rachel Gomez
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Rachel,
I am seeking a deeper config design.
Appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well to make a server or ports accessible from the internet you will have to do vip on the FGT (i.e.snat). You cannot assign a public ip to your server behind the FGT.
IF you want it to be completely open do a vip that forwards port 1-65535 any protocol to your server with one public ip as source and use that as destination in a policy.
Then if anyone hits that public ip the traffic will hit your server.
If you only want specific ports you will have to do a vip for each (or a range if possible) and use that as destination in a policy.
source in these policies would be ANY or ALL.
Your Gateway has to be either entered as gw of the default route or as gateway of the sd-wan member if you use sdwan. If the WAN Port does PPPoE with DHCP you don't need to set it at all.
And for the vlans: we use one POrt as "Uplink" to the first switch. All vlans are virtual interfaces beyond that port. So that Port would be a "Vlan Trunk". The Switch then divide the vlans to their ports where needed.
SInce a vlan in FOrtiOS is a (virtual) Interface it will be isolated from everything unless there is policy matching this traffic that is not policy #0 (= implicite deny) :)
Additional Routing would only be required if the FGT doesn't have an interface in the destination subnet.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
Labels
-
FortiGate
6,510 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.