My DLINK router died. The DLINK router configuration was just one subnet. I purchased a FWF-60E to replace it and it's coming tomorrow. I did get 24x7 support for it. I use an 800C with HP layer 3 switches in my data center. The 800C has VLANs configured on the interfaces and switch ports set up for VLANs. I am used to doing advanced layer 3 on the 800C and my network. So the 60E configuration is taking some planning. I am building the configuration on paper. I have the gateway addresses and subnets laid out per port. DLINK used MAC filtering and IP assignment. I have all those printed out. I know how to set them up in 5.4. I have the DNS information since the AT&T bridge mode does not pass DNS through, only IP, mask and gateway of the modem.
My house is just layer 2. My house has CAT 6 cabling in every room to DLINK switches. So most devices are wired. I am looking at how to set up the 60E interfaces. My wife works from home and has been without wireless for her laptop since the DLINK crash. So she wants the 60E up quickly.
1.) WAN1: will have the AT&T modem in bridge mode and WAN1 in DHCP mode with the device in NAT/Route mode
2.) DMZ and WAN2 reassigned as LAN ports
3.) What about interfaces 1 to 7, DMZ, WAN2? Do I just assign a separate gateway address and enable DHCP on the port to assign devices from?
4.) Anything special to get the WIFI up quickly?
5.) On the 800C, outbound rules for each VLAN are configured. Do I need to do the same with the ports, since I am not using VLANs?
6.) I figure Virtual IPs work the same way to NAT my web server out as on the 800C. Anything I should read or think about doing?
The device comes out of the box preconfigured to pretty much be plug and play now. (even down to the any any all allow rule)...
Wifi is preconfigured as well you just need to change the SSID (it will be bound to the lan interface to make it one broadcast domain so wifi and lan can talk to each other immediately).
For the most part you have it down pat. Enjoy the 60E.
Mike Pruett
The 800C required a lot of configuration to get it working. So the 60E out of the box is pretty much ready to go. My wife will be happy. How is the 5.4.2 firmware? Should I upgrade to the latest firmware to start with?
Cisco VIRL requires 5 NICs be configured to work properly. The other 4 will be set up on different subnets. I still need to get all the QoS rules off my DLINK for various traffic like Netflix, Amazon Prime, Sprint Airave device and other stuff. I was thinking of a QoS rule for my wife's laptop wireless connection. She complained that it would drop on her when other internet traffic was going on. I am working on my Cisco CCDP. I am used to setting up RIP v2 on Cisco hardware. Do I need to set up Router RIP for all the different ports? WAN1 will be bridged. So I don't think I will need a Default Static Route.
You'll be quite happy with the FWF 60E for home. The desktop models these days do come configured to work out of the box to grab a DHCP address on either WAN port, insert a default route, provide DHCP to the internal network and pass all traffic from the inside with NAT outbound. It's up to you to create more granular policies and apply security profiles.
FortiOS 5.4.2 is good... and is the latest. I'm running it at home and at a few client sites as well.
There are plenty of ways to keep the wife happy with prioritization and the order of policies.
A FortiGate must have a route for it to pass any traffic beyond the connected networks, as would any other IP device. If your WAN port is getting a DHCP assigned address, it will automatically add that port's gateway as a default without you needing to do anything else. While FortiOS supports RIP, unless you've got multiple subnets inside and just want to use RIP, there's no need to. The switch ports on the FortiGate do all understand tags and you can add virtual interfaces for various VLANs and add routes as necessary (or not).
We should get you into training for the NSE4. If you can get your hands on a FortiSwitch and FortiAPs, they are key elements to extending the Security Fabric beyond the FortiGate. The ability to configure and manage them from the FortiGate is great. The latest FortiCast discusses FortiSwitch and FortiLink... (episode 2 was on Wave2 and FortiAP). http://cookbook.fortinet....fortiswitch-fortilink/
Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
Actually, it did not work out of the box. IP Passthrough did not pass DNS correctly from AT&T; it passed the IP of the modem for DNS. Ports 1-7 were set to internet, all tied together. I called Fortinet about it. We had to connect to the DMZ port instead of port 1, remove the internet and release all 7 ports. I finally got them released and configured with the IP addresses. Today, my wife is having issues with VPN getting out. It is not passing DNS properly either. I will be fixing DNS on the 60E tonight. I looked at the NSE 4 training. Cisco training is buying a $30 book. NSE 4 is $1800. I don't do classes. I buy books. Not worth spending $1800 for NSE 4 training. I can get my CCDP and MCSE done for that price. I can buy the Cisco VIRL virtual lab box for under $1000.
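The per-port layout the original poster is building (questions 1, 3, 5 and 6 in the first post) and the DNS problem in the post above can be expressed as FortiOS 5.4-style CLI. The block below is an added example written for this thread; it is not configuration from any of the posters or from Fortinet documentation. It assumes the LAN ports have already been released from the hardware switch (the step support walked the poster through), and every address, interface name, policy name, resolver and the web server IP is constructed. The `dns-server-override` and `extip 0.0.0.0` settings are my understanding of the 5.4 CLI and should be checked against the running firmware. Strip the `#` comment lines if you paste this into the CLI.

```fortios
# 1) wan1 as a DHCP client behind the AT&T modem in IP passthrough mode.
#    dns-server-override disable (assumed option) keeps the modem-supplied
#    DNS (the modem's own IP, per the thread) from replacing the static
#    resolvers set in section 3.
config system interface
    edit "wan1"
        set mode dhcp
        set dns-server-override disable
        set allowaccess ping
        set role wan
    next
    # 2) port1 as its own routed segment with its own gateway address.
    #    Repeat for port2..port7, dmz and wan2 with different subnets;
    #    each port is then a separate broadcast domain.
    edit "port1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end

# 3) Static resolvers on the FortiGate itself (constructed values).
config system dns
    set primary 9.9.9.9
    set secondary 149.112.112.112
end

# 4) DHCP scope for port1: hands out the port's gateway and the static
#    resolvers, not whatever the WAN DHCP lease carried.
config system dhcp server
    edit 1
        set interface "port1"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 9.9.9.9
        set dns-server2 149.112.112.112
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.199
            next
        end
    next
end

# 5) Policies. Separate ports have no implicit allow between them, so each
#    port that needs Internet access gets an outbound policy (or one policy
#    listing several srcintf values), and port-to-port traffic needs its own
#    policy. Remove the factory any/any rule once these are in place.
config firewall policy
    edit 1
        set name "port1-out"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 6) Virtual IP for the internal web server. extip 0.0.0.0 (assumed
#    behaviour) binds the VIP to whatever address wan1 currently holds from
#    DHCP; only TCP/443 is forwarded.
config firewall vip
    edit "web-server-https"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.168.10.50"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 2
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "web-server-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

Two checks worth running afterwards: `get router info routing-table all` should show a default route learned from wan1's DHCP lease without any static route being added, and `diagnose sniffer packet port1 'udp port 53' 4` should show LAN clients querying the resolvers from section 3 rather than the modem's address.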
I agree that the training seems inordinately expensive. I prefer books as well. There are some book options.
UTM Security with Fortinet: Mastering FortiOS - Best book I found about working with FortiGates, and though it is for older versions most of it still applies. I'd recommend this book over almost all the other documentation.
The online admin guides, http://docs.fortinet.com/fortigate/admin-guides, have a lot of information, and many of the guides have PDF forms so you can read them on a Kindle, iPad, etc. One caveat: these are often not correctly edited for new versions -- new information is added, but without taking out information that is incorrect for the new version.
Definitely look at the (over 3000 page) FortiOS Handbook either in PDF form (http://docs.fortinet.com/uploaded/files/2827/fortios-handbook-54.pdf) or web-based form (http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortiOS-HTML5-v2/OnlineHelpPage.htm).
Other top level help: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortiOS-HTML5-v2/Home.htm.
For specific tasks, http://cookbook.fortinet.com/ has many recipes. For more general stuff the SysAdmin Notes, http://cookbook.fortinet.com/sysadmins-notebook/, are helpful.
For odd little details, the Knowledge Base, http://kb.fortinet.com/kb/microsites/microsite.do, is useful, though again you need to make sure the information is correct for your version.
Hope this helps.
I have books on CISCO and CISSP. They are very complete and accurate. Spending hours reading Fortinet manuals that are not accurate or lack relevant information is frustrating. I bought tech support. It is easier to call and have them show me. I ask for documentation on it. They can't find any. Cookbooks should be more accurate. HP Cookbooks are kept up to date. Fortinet disables many features that Cisco, Check Point and others enable. Setting the 60E to internet mode and tying 7 ports together is just stupid.