#4: FortiGate: Basic Config of the firewall | VLAN, WAN, DHCP, IPv4 Policies | My Home Network

Captions
[Music] Hey, what's up guys, this is Guy here with KBTrainings. Welcome to this new video, in which I'm going to show you the configuration of this FortiGate for my home network. This is part of a bigger project that I started a couple of weeks ago, and I'm sharing everything with you here because here on KBTrainings I share with you everything that I know, everything that I'm learning, and all the small projects that I'm building. So here I'm building a home network for this new home. I've created the first video, in which I introduced the project and showed you all the equipment that I'm going to use; then there's another video in which I did the cabling and installed the patch panel and the rack; and then there's a third video in which I showed you the installation of the UPS. So now I'm going to show you how I configure this FortiGate to match the design that I showed you last time, because I had some changes in my design. When I showed you this last time I had cable internet, so I was using this cable modem to get access to the internet, but it has changed since then: I now have fiber gigabit internet. I showed you in one of my previous videos how this connection was installed and I told you everything about it. So now I'm using this ISP-provided modem; it's currently playing the role of modem and router and it does a little bit of security, but I'm going to reduce it to a simple modem and put the FortiGate behind it to be the firewall, for more security and advanced features.

So, as I said, I have fiber coming in; of course there is an ONT somewhere over here, and it comes to the modem. We are going to call the ISP at some point. I'm not sure if I can change the settings myself; I can try, but if we have an issue I'm going to call the ISP, because I don't know if I should. Yeah, I can try to do it on my own, but if it doesn't work I'll call them. Then from the modem we connect to the FortiGate on port 1, and this is where we are going to put our WAN connection, or wide area network connection. Port 2 is going to be my main port going to the home network. It's going to have VLAN number 35, but I'm not going to tag this port because it goes to the switch; the port will be part of VLAN 35, so I don't have to tag it in the FortiGate. But on port 3 I'm going to tag them, because I have three VLANs inside; I'm going to explain all the VLANs next. And then port 4 is going to go to the lab, where I have my data center, all my servers for my studies and my practice and everything.

So, the different VLANs that I have. First, the IoT1 VLAN, or VLAN 15: this is where I'm going to put all the smart devices that do not need access to my internal network, like the smart bulbs, smart switches, the Nest thermostat or the Nest doorbell. Then I have VLAN 20, which is another IoT VLAN, IoT2, where I'm going to put all the smart devices that need a little bit of access to my internal network, like the TV, the fridge or the gaming console. Then there is also VLAN 25 for guests. I put the smiley face here because I want my guests to be happy when they're surfing the internet, because that's all they're going to have; they will not have access to my internal network. And I have the main VLAN, VLAN 35, which is where I have all my phones, cameras and my workstation for work, and everything else. Next I have VLAN 75 going to the lab, the data center where I have my servers. I run a lot of things on it, thousands of virtual machines... I don't know, thousands may be a lot, but yeah, I'll show you everything here; maybe I get to a thousand VMs in there. The APs are going to broadcast SSIDs for every VLAN on every floor of the house, so I won't have any problem with any connection for all my wireless devices. So that's all for the design.

I've had some questions like, "Hey man, you call it a FortiGate but we see Fortinet on top." Fortinet is the company, and FortiGate is their line of firewalls, so they call them FortiGates, just like they have switches they call FortiSwitch and APs they call FortiAP. So right now this is my FortiGate. I know it's an 80D, which is kind of old, because I know that the support or the updates for this are going to end in 2022, I think, something like that. So it's pretty old; that's why I got it for a good price. I'm going to see how it performs; if it does well I will keep it for another couple of months. I don't have a license right now and I'm trying to use it without a license, but I'll probably reach out to Fortinet and see if they can give me a license. In front we have these port interfaces that I talked about; we also have two USB interfaces, which are not useful in my case, and we also have the console port. On the back we just have the power, and I have this already connected to power, so I just have to plug it in and it's going to be up. We also have some ventilation on the sides.

So what we need for this project is, first of all, the console cable. This is the console cable: on one end you have an RJ45 connector, and on the other end, in my case, I have a USB interface already integrated, so I'm going to connect this to the computer and the other end to the console port. Then at some point we will need an Ethernet cable, or UTP cable, that we're going to connect to one of these ports and to our computer, to have access to the web GUI of the FortiGate. As I said, we also may need to call the ISP to change the configuration inside the modem, but I'll try to do it myself here and see if we have any connectivity; if not, we'll have to call them.

All right, so first of all we make sure that we connected our console cable to the computer. It's connected, and then we grab the other end, the RJ45 end, and connect it to the console port here. Now, before starting the FortiGate, I need to go in and start my terminal emulator. I currently use SecureCRT; you might have PuTTY or something else. I start a new session here; the session is going to be a serial session, and the COM port is going to be COM4. If you want to verify which COM port you are connected to, you can go under Windows Explorer, right-click on This PC and click on Manage. Once it comes up, you go under Device Manager and you go under Ports; here you can see the COM number that you're using. We're using COM4 right now, so we keep it like that and I close this. So we leave it at COM4, and for the baud rate we are going to use 9600, as recommended. I don't have to save this, and I click on Connect. So now we have an interface to the FortiGate; right now we don't have anything because the FortiGate is still down. So what I do next is grab this power cable and plug it into the FortiGate, and it's going to boot. You can hear a little bit of noise there, maybe not; you have some output here on the screen. We give it some time; the FortiGate is now booting. All right, so we have the output already, and we're going to give it some time to boot and then come back.

All right, so this is the serial number of the FortiGate; I don't have to hide it. If you have new equipment and there's no configuration, this serial number will be the hostname of your equipment. For now you're going to see that I have a different hostname, which means that I have some configuration in it. You can see the name here is "main add", which I configured last time when I did it. Now I need to log in; I know the username and the password, so let's log in. All right, so we have access to the equipment now, and it's asking us to do a disk scan. I'm not going to do it, because I did it lately. So we have some configuration here, but I'm going to delete everything anyway. If we take a look at "show system interface", you can see that we do have some configuration there. So to do the factory reset I'm going to do "execute factoryreset" and press Enter; it asks me if I want to continue and I say yes, and the system is going to reboot and reset everything to the factory configuration. From there we're going to restart everything.

After the reboot you can see that the hostname is the serial number of the FortiGate, and the login will be admin without a password. So just admin with no password, and you log into it. Now we are inside the device. You have two ways of configuring a FortiGate like this: you can do it in the CLI, where I am right now, and do all your configuration here; sometimes it might be easier, if you have all your configuration already set and built, to just grab that and copy it here, or you can upload a file from your backup or whatever. But in this case I think I'm going to spend most of my time in the GUI, or graphical user interface. Maybe I will come back to the CLI at some point; I may create a single VLAN with the GUI and then come back for the other VLANs. We'll see.

All right, so first of all let's take a look at what we have inside this equipment. "show system interface" will show us that we do have this IP here on port 1, so we can connect the computer to port 1, make sure it's in the same subnet, and we'll be able to access the GUI of this FortiGate. To change my network settings on this computer I'm going to go under Network Settings. This is going to disconnect me from the internet, but that's fine. I go under Change adapter options and bring it here. I'm using this one here, so I go under Properties, double-click on Internet Protocol Version 4, and I set the IP 192.168.1.100; the subnet is the same and the default gateway is here, but I don't have to set it; I'm just doing it just in case. Then I validate this and save it. All right, so what I'm going to do now is take this cable here and connect it to port 1 on the FortiGate, and then connect the other end to the network interface card on my computer. I have a message here telling me that I have an issue with my network, which is okay. So now I'm going to connect this Ethernet cable to my computer. All right, we have the computer connected to the FortiGate; let's see if we have access to it. Oh, I think I should have access to the internet with my Wi-Fi. Yeah, I still have my Wi-Fi network interface card activated, because I have both of them on this desktop here. So let's see if we can ping; yep, we have internet access, which is good. At some point I'm going to disable this interface so we can make sure that we are connected to the internet through the FortiGate.

All right, so I'll bring up my browser and go to 192.168.1.99, and yep, I have access to the FortiGate. I log in with admin without a password and press Enter, and it's asking me if I want to change the password. Yeah, I can change the admin password, so I type in the new password, we also confirm the password, and click OK. So the new password is in, and it asks me to log in; I log in with admin and the password again. All right, so now we are inside the FortiGate. It's asking us to scan the disk, but it's not important; it's because I powered down the FortiGate without, you know, shutting it down, so it's fine. So now I have access to the FortiGate. As you can see, I don't have anything licensed or anything else. I can see some sessions that I have on port 1. One of the first things that I like to do is go under System > Settings and change the name of the firewall. I'm going to call it "fg", just like FortiGate, and this is good for my domain name. And yeah, so this is a voiceover for my English-speaking people out there; I did the whole thing in French and I'm doing the voiceover right now. So the HTTPS port we're going to leave like this, with 443, and everything else can stay the same, English and everything. Yep. The color, I can set it to this blue here, which I don't like; let's see if there is any other... no, this is not good... yep, this one is much better. But I forgot to click on Apply, which is a problem, so I'm going to get back to it later on.

So I can go under my interfaces and we have port 1, port 2, port 3 and port 4. Port 1 will be connected to my ISP, and I'm going to configure it later on because right now we are connected to it. Port 2 will go to, I mean is for, my main VLAN, which is VLAN 35, so I'm going to configure it now. The name on it, I'm going to say "main", and the role is LAN. The IP on it is going to be manual, with the IP 10.35.0.1 and the subnet mask 255.255.0.0, and we can have HTTPS access, SSH as well, and ping. I don't have a FortiManager or anything else, so everything else can stay like that. SNMP is not needed for now, maybe in the future; RADIUS, nothing like that. Then I'm going to activate the DHCP server and edit the starting point; it's 100. Let's see, yep, and everything else can stay the same: the default gateway is the same as the interface, and the DNS will be the same as the system. Yep, that's all for now, I think. When I have my Windows server installed it's going to be our DHCP server, but for now the FortiGate is handing out the IPs. Network devices, device detection: yes, that's a good option to have; active scanning, that's good, so we can scan all the connected devices. Admission control / security mode: no, we don't need this. Secondary IP: nothing. And the comment, we can just say this is VLAN 35. Yep, that's it, and we click on OK, so it's saved for the port.

Then we go under port 3. At this level, as I said... where is my screen here... okay, so on port 3 I'm going to have three VLANs inside of it, so I'm going to create those new VLAN interfaces. The first one, the name is going to be IoT1, VLAN 15, and the alias is going to be iot1. The type is going to be VLAN, and the port I'm going to put it in is port 3. The VLAN ID is going to be 15; the role is LAN, of course, and the IP on it is 10.15.0.1 with the subnet mask 255.255.0.0. We can just activate... no, we don't need HTTPS here; we can just ping it, and SSH, no, not needed. We are trying to limit access here for security. We also enable the DHCP server; yeah, it can start from 2 to the end, and that's fine, and everything else looks good. Device detection yes, active scanning yes as well; security mode, nothing like that; comment, we can just say this is... oh, what is this... this is VLAN 15. Then we click OK. All right, so here we can see the new VLAN interface that we just created; "failed to retrieve", so that's fine, we'll see. At this point I don't think I need to configure the physical interface, so the physical interface can be left unconfigured, or be the main or untagged interface.

So now let's get some shortcuts. I come here and log into the equipment in the CLI, admin and the password. What I'm trying to do is grab the configuration from the CLI, change it for each VLAN and then just paste it. Yeah, and I just realized that the domain name, I mean the hostname, didn't change; that's fine, I'm going to change it later on. All right, so if I do "show system interface" here I see that iot1 is there, and if I enter it I can see all the configuration that I have under IoT 15. So I'm going to grab this and copy it, and I'm going to take Notepad and paste all of that. So I can now put the beginning of the configuration by typing "config system interface", and here I can customize it for the other VLANs. So for the IoT I'm going to do iot2 there, the VLAN is going to be 20, the IP will be 10.20 and that is 20 as well, and we go to the end and change it to 20. So this is now customized, and the alias will need to be iot2. So this is what I need for IoT2. And I just realized later on that I forgot to change the SNMP index as well, so you need to make sure that the SNMP index is different from what you have on all the different equipment, I mean all the different interfaces. Then I'm customizing the guest VLAN 25 as well. I'm going to skip ahead a little bit and show you when everything is ready and when I'm pasting this inside the FortiGate. Right, so when everything is ready I make sure that I copy this and paste it inside the FortiGate. So when I'm putting that configuration in, it's all configured; all the other VLANs are configured just fine. It's much faster when you use the CLI like this. When I do "show system interface" you can see that I have everything configured now. Okay, so I have the 15, the 20, the 25, the 75 and everything; 35 is not here because there is no tag on 35; it's not a trunk, actually.

All right, so what we have to do now is also replicate the DHCP server configuration for everything, so we need to go under Interfaces, I mean under each interface, to make sure that we activate the DHCP server. I go under guest and enable DHCP as well, so the range doesn't change. All right, so we click OK to validate that, and then I go under the IoT1 interface and... okay, it's already activated, so I'm just confirming, and click OK. IoT2 is next: we activate the DHCP server and click OK. We need to do that for the lab too; lab1, we activate DHCP, and yeah, I'll do lab 75 later. So we're good with DHCP on all the interfaces.

So what I'm going to do now is create policy objects for the addresses. I'm going to create an address object for every subnet, so I click on Create New > Address. The first one I'm going to name "main"; it's going to be a subnet and the range is 10.35.0.0/16, and the interface associated is the main interface. Yep; show in address list, yes; static route configuration, no; comment, just "main VLAN 35", and then click OK. So we just created the address object for the main VLAN, and I can clone it to duplicate it, so I can just change the name and the configuration inside. This one is iot1, click OK, so it's duplicated, and then I go inside iot1 and change the subnet to 15 and the interface to iot1. Okay, yeah, just a comment here, I need to make sure this is "IoT1 VLAN 15", and I click OK. Then I duplicate that again for iot2, click OK, and go inside to customize it and change 15 to 20; okay, and the 20 is there too, iot2, and the interface is iot2, and I click OK. Of course I do this for guests, for lab1 and lab75. So next, guest: we click OK, and the subnet needs to be changed to 25, and the interface is the guest VLAN, and here we have "guest VLAN 20", or 25, sorry, and I click OK. After that I create one for the lab, lab75, okay, and go in to change the IP to 75; the interface is lab75, and the comment we have is "lab VLAN 75", and we click OK. All right, so finally we also need to do it for lab1. Yeah, I should clone it, so I click on it and clone it and do lab1 and click OK, and then double-click into it to modify the IP, and the IP is 192.168.0.1... actually this is supposed to be .254.0, but I'm going to correct it later on. So it's linked to lab1, and we comment by saying this is lab VLAN number 1, and click OK. All right, so now we have all the elements that we needed to create; we have all the address objects. This will help me create IPv4 policies for allowing or denying traffic.

So what I'm going to do next is go back in and make sure the hostname is changed. I go under Settings, type "fg" and click Apply. Okay, now it's changed, and even if I go back to the CLI I can see that the hostname is now fg. All right, so now I'm going to move my computer from port 1 to port 2. I'm also going to make sure that my computer is set for DHCP so that the FortiGate can give me an IP, and then we can do our changes on port 1. So I'm disconnecting from port 1, bringing the cable to port 2, and then I go under my network configuration and make sure that this is set for DHCP. All right, okay, and I click OK. All right, yeah, the network has been detected, so I'm changing this to 10.35.0.1. All right, so we have access to the FortiGate and I'm logging into it now, admin and the password. I need to change the admin name to something not very well known, but it's fine for now. So now we have port 1 available so we can do some changes on it. If I come over here you can see that we are now on port 2. Right now if I open the CLI and try to ping Google with "execute ping"... all right, so when I do that we don't get access to the internet, so I'm going to plug in the cable that's coming from the bottom and connect it here.

So here I'm going to my mechanical room where I have my setup. This is the modem, and I'm going to make sure that the cable to which I'm connected is the only one that's connected to this modem, so I'm going to unplug everything else, just to make sure that it's the only cable connected here, so that I don't have to fight for the IP with anything else. Yep, so just make sure it's connected right there to the first port. I also just disconnected the WAN cable, but this one needs to go back because this is where the internet comes in. All right, and at some point I lost my light on the phone; okay, I turned it back on. All right, so the WAN is connected, and then I have this cable that I'm going to connect to the FortiGate. This is the cable from the modem, and I'm going to connect it to port 1 on the FortiGate, and you can see that port 1 is now green on the FortiGate in the GUI. All right, it's now green, so I double-click on it and change the IP to DHCP to see if it gets an address. I click OK, go back into it again, and it's trying to get an IP. Okay, I have a private IP from the inside. So this is where I'm supposed to go into the modem and get it to be transparent, but unfortunately I was not able to get it to work; it was not successful, and I tried to call my ISP for help but I couldn't get them on the line because it was like 11 pm my time. So I couldn't get a public IP on the FortiGate. What I did is that right now the modem is still there, and my FortiGate is connected behind the modem with a private IP, and I can still surf on it, but I don't have a public IP directly on it. So now I have like double routing, on the FortiGate and on the modem. As soon as I can I'm going to call the ISP for help so I can have a public IP on the FortiGate directly. All right, so we keep this private IP here, and yeah, we are routing on this modem and we are also routing on the FortiGate. That's not bad; I mean, it's working for now.

So what I'm going to do next is make sure that I have different subnets on these different interfaces, because I'm trying to make sure that lab1 has a different IP. Okay, this is 254, so there's no confusion here: we have 0 there and 254 there, so that's fine. All right, so right now my computer that is connected on port 2 has access to the internet through the Wi-Fi interface, so I'm going to disable the Wi-Fi interface just to make sure that we get to the internet through the FortiGate. Wi-Fi is disabled; you can see that the pings are now down, yep, we have pings timing out. So to get access to the internet, what I have to do is create an IPv4 policy to allow traffic from the main VLAN to the internet. We have this implicit deny, as always, which is the last policy, and I'm going to create a new one. I will name it "main to internet", or "main to wan". The incoming interface is the main interface and the outgoing interface is port 1. I don't like it like this; let me put an alias on it so we have "wan" instead of just port1. So I go back to it, double-click on the interface and make sure the alias is set to wan, and also the role is WAN; yep, everything looks good, so I click OK and go back. Yeah, so it's good. So I go back to IPv4 Policy, Create New, and the name is "main to wan". Incoming interface is main, outgoing interface is wan, source is the main address; this is the subnet that is going to send us traffic. All right, destination is everything on the internet, "all"; schedule, always, so it's always up; services, all, so everything should be going; action, accept. NAT, yes, we need to NAT traffic outside; preserve source port, no, we don't need that. All of this is not important now because I don't even have a license. Log allowed traffic, maybe not. The comment, I would just say "this gives main access to the internet". Okay, and the policy is enabled and I click OK.

Now if I go back to my computer, let's see, when it's activated we should have access to the internet. Yep, now we can access the internet through the FortiGate; the Wi-Fi is disabled, but I can get access to the internet. If I go back to the dashboard I can... let me add a widget here. I'm adding a new widget to show me the interface bandwidth; I'm looking for it now, and I found it, it's right there. I click on Interface, and which interface: the main interface. When I add that, I'm going to see exactly the bandwidth on that main interface going out to the internet. All right, so it all looks good now, and let's do a speed test and see what we have. Speed test, all right, let's go and see. Okay, 750; I mean, it's not bad; we have two devices in line, so it's fine for now, I can live with it. And we have two milliseconds of ping time, which is okay. That was the download, 783, and the upload 780-something; that's good.

All right, so everything looks good here; all the basic configuration is in. I'm going to create more videos when I have time, to go into more advanced features on the FortiGate, and when I add the switch to the network I will also add some IPv4 policies and some other features. If you have any questions, check out the FortiGate documentation, or you can leave a comment below if you think I can answer the question. All right, thank you for watching this, and take care. Bye.
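As an added example, not taken from the video or from Fortinet's documentation, here is the configuration the speaker builds in the GUI and then copies from the CLI, written out as FortiOS CLI so the whole thing can be pasted at once: port1 as the DHCP WAN uplink, port2 as the untagged "main" interface (VLAN 35 is untagged there, so "main" is an alias on the physical port), the iot1 VLAN sub-interface on port3 with its DHCP scope, the address objects, and the single main-to-wan policy. The VDOM name, snmp-index value, DHCP server ID and policy ID are assumptions; on a real unit take them from "show system interface" and pick unused IDs. The snmp-index is the field the speaker forgot to change when duplicating the iot1 block: it must be unique per interface, or the pasted copy is rejected.

```fortios
# Added example (not the video's own config). Assumed: VDOM "root",
# snmp-index 7, dhcp server id 2, policy id 1. Lines starting with #
# are ignored when pasted into the FortiOS CLI.

config system interface
    edit "port1"
        # ISP-facing uplink; gets a private address from the ISP modem
        # until the modem is put in bridge mode, so this is double NAT.
        set mode dhcp
        set allowaccess ping
        set alias "wan"
        set role wan
    next
    edit "port2"
        # Untagged main segment (VLAN 35 lives on the switch side).
        set ip 10.35.0.1 255.255.0.0
        set allowaccess ping https ssh
        set alias "main"
        set role lan
        set device-identification enable
    next
    edit "iot1"
        set vdom "root"
        set ip 10.15.0.1 255.255.0.0
        # Management surface kept to ping only on the IoT segment.
        set allowaccess ping
        set alias "iot1"
        set role lan
        set device-identification enable
        # Must differ from every other interface's snmp-index.
        set snmp-index 7
        set interface "port3"
        set vlanid 15
    next
end

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.15.0.1
        set netmask 255.255.0.0
        set interface "iot1"
        config ip-range
            edit 1
                set start-ip 10.15.0.2
                set end-ip 10.15.255.254
            next
        end
    next
end

config firewall address
    edit "main"
        set subnet 10.35.0.0 255.255.0.0
        set associated-interface "port2"
        set comment "main vlan 35"
    next
    edit "iot1"
        set subnet 10.15.0.0 255.255.0.0
        set associated-interface "iot1"
        set comment "iot1 vlan 15"
    next
end

config firewall policy
    edit 1
        set name "main to wan"
        set srcintf "port2"
        set dstintf "port1"
        # Source is the main address object, not "all", so only 10.35/16
        # matches even if another subnet is ever attached to port2.
        set srcaddr "main"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "gives main access to the internet"
    next
end

# Checks after pasting:
#   show system interface iot1        confirm vlanid/interface/snmp-index
#   execute dhcp lease-list iot1      leases handed out on the IoT scope
#   get router info routing-table all default route learned via port1
#   execute ping 8.8.8.8              egress through the FortiGate
```

Note what this policy set does and does not allow: only traffic from "main" to "wan" matches policy 1; iot1 (and the other VLANs once they are added) has no policy at all, so both its internet access and any attempt to reach 10.35.0.0/16 fall through to the implicit deny. That is the desired state for IoT1 and guest, but each segment that should reach the internet needs its own interface-to-wan policy with its own address object as source, exactly as the speaker says he will add in a later video.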
Info
Channel: KBTrainings
Views: 37,284
Keywords: fortigate, fortinet, fortiOS, fortigate 80d, vlan, dhcp, ipv4 policies, ccna, ccnp, home network, new home, guy bisuku, kbtrainings, kbtraining, configuration, basic config, firewall, firewall config
Id: JioPibKhJEI
Length: 36min 36sec (2196 seconds)
Published: Tue Jan 19 2021