Configuring VLAN and Inter-vlan routing on Fortigate firewall

Captions
Hello everyone. In this video I'm going to show you how to configure a VLAN and inter-VLAN routing on a FortiGate firewall. Let's begin. Before we start this video I would like to encourage you to click on the Subscribe button; this is to encourage me to keep creating more videos such as this.

So the first thing I'm going to do is log in to my firewall. This firewall is already pre-configured with the interfaces, and it also has some policy objects that were created for the interfaces. As you can see here I have a LAN interface and I have a WAN interface, and they both have an IP address. I also have the DHCP configuration on them as well. In this case I'm going to configure a VLAN on this LAN interface. There are so many ways to go about the configuration; one of the ways I find very interesting is to use no IP address on the physical interface and then configure the VLAN on the sub-interface. So I'm going to click on the LAN port, double-click on it, and then I'm going to remove this IP address on this interface. Whichever format you want to use, both of them work; I like it this way, using the CIDR value. I'm going to turn off the ping on the interface and the HTTPS on the interface, and then I'm also going to turn off the DHCP on the interface. I do not need anything on the physical interface. I'm going to click OK.

The next thing I'm going to do is create a new interface, and this time around I'm basically going to be creating a VLAN, so the type of interface I'm creating here is a VLAN interface. So for the VLAN you give it a name: you can say VLAN 5, or you can name it based on the department, let's say Accounting VLAN; it's basically your choice. The most important thing is the VLAN ID, so we can say Accounting VLAN is VLAN 5. And we are actually configuring it, remember, using the LAN port, so I'm going to choose the LAN port, and then I'm going to move the IP address that I had earlier, 192.168.183.254.
I'm using the /24. I'm going to move that IP address that I had on the physical interface, which is what I removed; I want to move that to my virtual interface, so the IP address will belong to the Accounting VLAN now. So the role will be LAN, and then we're going to enable ping for our needs. If you want to be able to access it using the web browser just like this, you're going to extend it with HTTPS; the same if you want to access it using SSH as well; and if you want to be able to monitor it using software like RV car or PRTG, or all that kind of monitoring software, that uses SNMP. So you can enable some of the things that you think you need; I'm going to leave it at this.

I'm going to go with the DHCP server. In this case I'm just going to make this very simple: I'm just going to start with 100 and I'm going to stop at 115. I'm actually not going to do more than that. Notice that I leave out 1 to 99 and leave out the rest up to 253, because 254 is already assigned to this interface here. I'm going to use the same gateway, which is going to be this one here, and I'm going to use the same DNS, which is the DNS that is configured here. If you want to specify a DNS you could just click here and add the DNS that you want to use; I don't want to do that, I just want to use the same DNS. So I'm going to change this to a day, and then make sure that this is enabled, and then click OK.

Yeah, because this is actually a trial version I have some limitation on the number of objects I can set. Let me quickly make some corrections to that; give me a moment. So let me just explain what is basically going on. What is actually going on here is, because this is an evaluation version, I'm limited to three interfaces: I have the ISP interface, I have a LAN port, and I have port3. So creating a VLAN interface as well is considered a fourth interface, so that wouldn't work.
I'm going to remove this, which was called port3; I'm going to remove it out of my network interfaces, so that will allow me to create the VLAN. OK, so as you can see I've been able to remove the interface. You may be wondering what did I do, how did I remove the interface? Because this is a VM on my ESXi host, what I just did was to shut down my FortiGate, and then I went to Edit and removed the other interface that was there; I just left only these two interfaces here. So that allows me to create my VLAN. So in this case I have two physical interfaces; before now I had more than two. With this we can actually continue what we were creating.

So I'm going to create a new interface, like we rightly named it, with the alias Accounting VLAN, and we are using the physical interface; we said it was VLAN 5, and we gave it 192.168.183.254/24, and then we allow it to ping, and we allow SSH, HTTPS and SNMP, and we create a DHCP server IP range, and we name it from 100 to 150, and then we change the lease time, and then we leave the DNS that we use, which is enabled. We click OK and you notice in this case it was created. So all I'm trying to say is that because this is an evaluation version we won't be able to create more than three interfaces, as in three interfaces whether physical or logical. So in this case here, as you can see, my VLAN is created. If I try to create a new VLAN you're going to have that same object error. Let's say for example we name this Sales VLAN, and then we say the interface is basically going to be the LAN interface, and then let's call this VLAN 6.
Let's name this 192.168.184.254/24, and then we could allow this as well just the same way, or we could only allow ping; whichever one, but I want to just make it the same thing. And then configure the DHCP on it; let's say begin from 100, stop at 150, then change this to 86400, then make sure it's enabled. If you click OK you'll see that the error comes back again. So basically it's telling you you can't have more than three interfaces, so the fourth one is actually not allowed. So there's nothing you can do; it's basically the limitation for the evaluation license. If you have a license you definitely could create as many interfaces as you want.

All right, so we're just going to work with the three interfaces we have: we have, what's it called, we have ISP, we have a VLAN. What I can do is, since I have, what's it called, since I can only use three interfaces, what I can do is I can actually configure an IP address on the LAN port as well. So you could actually still use the LAN port in this case. So let's use this 184.254/24; let me name it 182. OK, and then I'm going to allow the LAN port to have those accesses. I'm also going to configure DHCP on the LAN port as well, so we begin from 100 and I will stop at 150.
Now there is no rule that says this can begin from 1 or from 2; we're basically using the last available IP addresses. The ones you're not really using are still there; you can always extend them if you want to, so that those devices that need IPs can get an IP address, and those that don't need an IP address, like all those rogue devices that connect to your network, will not be getting any IP address. So I'm just going to click OK. So right now, as you can see, I have a physical interface, an IP on my physical interface, and I put it to my virtual interface, or my VLAN interface.

Now it's very important for you to understand that I made a mistake here. I was wondering why it was showing me the Netherlands IP; I just noticed that I wrote 160 instead of 168, so the address is actually a public address. I need to make a correction to that; it's supposed to be 168, not 160. When you make corrections like that you need to be sure that your DHCP also has the correct information; notice in this case it doesn't, so this is going to be 168, and this is going to be 168.
Now sometimes it's always very good to make some mistakes during training; when you have an environment you don't want to make this kind of mistake. All right, so here, notice that the Netherlands logo is no longer showing, because this is now a private IP address; basically it's saying that this address that you're seeing here is a private IP. So here we have two interfaces: one is physical, one is virtual. So this is how you create your VLAN: just by coming to Create New Interface and then selecting the VLAN number and the alias name, which is the name the interface will have. At the identifiers, notice this says VLAN and notice this says physical interface, so you can identify a physical interface, which is this one here, from a virtual interface, a virtual LAN. So this is what we have.

The next thing you want to do, which is very important, is that you're going to create a firewall policy. The firewall policy is what will allow communication from your VLAN. So for example if you have users in the Accounting VLAN, what do you want them to have access to? Do you want them to have access to the internet? If you want the devices to access the internet only, this is what you do: go to Firewall Policy and Create New, and then we'll say Accounting to ISP. Please remember this naming is basically whatever you want to name it, however you want it. So we're going to say incoming, coming from Accounting, going to the ISP; the source is the Accounting VLAN address, and then the destination is going to be All because it's going out; then the services are also going to be All. Then we're going to be using NAT, so as to go to the internet. Definitely you could turn on your antivirus, your DNS filter, your application control, your IPS; these are the defaults, and you can basically edit them. We could look at all of these, what are they called, security profiles, and make some changes, but for now I'm just going to leave it the way it is. As you can
see, this is the current state of the antivirus scan. You also have the web filter. This is where you basically have some of the monitoring and so on. For now we're not going to go deep into that. So you could actually change the security profile; of course it's somewhere here. For now we're just going to leave it that way, and then make sure the policy is enabled, and click OK. So what that does is that it creates a profile for Accounting that allows you to route the traffic over the internet. So this rule is very important for users in Accounting to go outside to the internet.

Now, you remember this video is about inter-VLAN communication. Because we're not able to create more than one VLAN, I'm just going to make an assumption that this is also a VLAN, a virtual LAN; let's say you're using a licensed version, of course you have more than two VLANs. So let's say I want to create traffic, I want to run traffic between these two network interfaces here, between my LAN and my Accounting. So I want people in my LAN network to have access to my Accounting network, and I want the same thing from the Accounting network to have access to my LAN network. So what you're going to do is go back to Policy & Objects, Firewall Policy, Create New; this time we're going to create a policy that allows the LAN to Accounting. So any traffic coming from the LAN and going to Accounting: the source is my LAN, which is basically my port2, and the destination is Accounting. Notice in this case I'm not using All. And then the service here, I want it to be able to go through all ports, whether they want to do HTTPS, they want to ping, they want to do DNS, whatever they want to do, POP, whatever they want to do. In this case I'm going to disable that; I do not need NAT in between the two interfaces. So here you also do not need these, but you can as well turn them on if you want; I basically don't need it, but you can turn them on if you have them customized. So any
traffic coming from your LAN to your Accounting. And you also want the web filter, the DNS filter, whatever option you want; it's basically your choice, and if you don't, it's also fine. So for logging, this time we just want to log all sessions of traffic, and then make sure the policy is enabled and click OK. So what happens here? Oh yeah, this is a limitation: the maximum number of entries has been reached. That's because I have, let me see, I have four policies, so yeah, there's a serious limitation for the evaluation period. Let me see if I can try that again. I was trying to do Accounting, sorry, LAN to Accounting, and I have a particular one I did in the last video which I need to remove to give me access to the number of policies I can create.

So here it's coming from my LAN, which is my port2, and then my destination is my Accounting; here All; then turn off NAT; and then we said you can turn some of these on if you want; then we'll log all the sessions, and then we're going to make sure the policy is enabled, and click OK. Notice this time it worked. The reason why it worked is because now I have three policies: one, two, three. So earlier I had three; one of them was the Sales one, which I had to remove, and that particular policy is actually what I created before, when I created the next one. And that was actually against the free or evaluation policy, which basically means I can't create more than three interfaces, more than three policies, and so on. So in this case here this allows traffic to go from the LAN to Accounting, but note this traffic will not be able to come from Accounting to the LAN. If you wanted it to come from Accounting to the LAN, what you would do is Create New, and you can say Accounting to LAN. Now, sometimes you don't want traffic to come from Accounting into your LAN but you want your LAN to go to your Accounting; whichever reason why you're doing that is basically up to you. But in this case please note I won't be able
to complete this because of the limitation, but we're still going to go through the steps. So here we're coming from Accounting, we're going to the LAN, and my LAN is port2; that's why you see me selecting the port2 address here. So my source is my Accounting VLAN address, my destination is my port2 address, and then I'm using all services; I'll explain that to you. So turn off NAT, we do not need NAT, and like I said, you're going to use any of these, and you could choose not to use them, or use some of them or none of them; then you can log all the policy, make sure this is enabled, and then we click OK, and now it gives us the maximum entry error. So even if I, let me see, even if I don't enable it, yeah, even with it disabled it's not going to work. So the policy has to be enabled anyway. So basically this is what to do and how to create it; this would allow traffic from Accounting to go to the LAN.

But if you don't do it this way, what you basically have in these rules here: the first rule here says Accounting can go to the ISP, so what you see here is anything coming from the Accounting LAN going outside is allowed. Then the second rule says LAN to Accounting, and so on: anything coming from the LAN can actually go to Accounting. So basically in this case here you might have some servers in the accounting department that you want the people in the LAN network to access, but you don't want people in Accounting to have access to any resources in the LAN; so that's why you would do a policy like this. The third policy we have here says LAN to ISP; it means the LAN people can also go to the internet as well. So in this case you notice LAN can actually go, this is actually very, very nice, LAN coming from anywhere can go anywhere, so LAN can go to the ISP as well. Of course we can see that we have some traffic already; in this case there is no traffic here because I have not assigned any device to any of these
networks; that's why you don't have any traffic. Normally once you have a device in the Accounting VLAN and you have a device in the LAN you will begin to see some of this traffic as well here. And then the final one, which is the implicit deny: this basically means that any traffic that doesn't match these two, I'm sorry, not just two, these three rules should be denied. So someone, anybody coming from Accounting and trying to go into the LAN will hit this last one here, because the rules are evaluated line by line. So it will first check: the traffic is coming from Accounting and the traffic is going to the LAN. The first one says traffic coming from Accounting to ISP, so that doesn't match, so we'll jump to the next one. It's coming from Accounting, but this one says LAN to Accounting, so this one doesn't match, so we're going to jump to the next one. The next one says LAN to ISP; it doesn't match; it's going to jump to the last one, which is deny. So basically that traffic will be blocked. So that is how to create a VLAN and inter-VLAN routing on a FortiGate firewall. Please subscribe, like this video, and if you have any questions please place them; if you have any comments as well, they will be well appreciated. Thank you so much for viewing.
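The line-by-line policy walk the video ends with, as an added example that is not part of the video and not Fortinet's code: a small Python simulator of top-down, first-match firewall policy evaluation that falls through to the implicit deny. The interface names (Accounting-VLAN, port2, ISP), the 192.168.182.0/24 and 192.168.183.0/24 subnets, the host addresses and the 203.0.113.5 internet address are constructed assumptions chosen to mirror the tutorial; a real FortiGate picks the destination interface from its routing table, which this model replaces with a subnet lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed addressing (assumed): VLAN 5 on the LAN port, and the physical LAN port itself.
ZONES = {
    "Accounting-VLAN": ip_network("192.168.183.0/24"),  # VLAN ID 5; .254 is the FortiGate
    "port2":           ip_network("192.168.182.0/24"),  # physical LAN port
}
ANY = ip_network("0.0.0.0/0")  # stands in for the "all" address object


def interface_for(ip: str) -> str:
    """Map an address to the interface it sits behind; anything non-local is on the ISP side."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "ISP"


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: IPv4Network
    dstaddr: IPv4Network
    service: str      # "ALL" or one named service such as "HTTPS"
    nat: bool         # NAT on for internet-bound policies, off between local subnets
    action: str = "accept"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (self.srcintf == interface_for(src_ip)
                and self.dstintf == interface_for(dst_ip)
                and ip_address(src_ip) in self.srcaddr
                and ip_address(dst_ip) in self.dstaddr
                and self.service in ("ALL", service))


# The three policies the video ends up with, in table order.
POLICIES = [
    Policy("Accounting-to-ISP", "Accounting-VLAN", "ISP",
           ZONES["Accounting-VLAN"], ANY, "ALL", nat=True),
    Policy("LAN-to-Accounting", "port2", "Accounting-VLAN",
           ZONES["port2"], ZONES["Accounting-VLAN"], "ALL", nat=False),
    Policy("LAN-to-ISP", "port2", "ISP",
           ZONES["port2"], ANY, "ALL", nat=True),
]

# The fourth policy the video could not add under the evaluation licence.
ACCOUNTING_TO_LAN = Policy("Accounting-to-LAN", "Accounting-VLAN", "port2",
                           ZONES["Accounting-VLAN"], ZONES["port2"], "ALL", nat=False)


def evaluate(policies, src_ip: str, dst_ip: str, service: str = "HTTPS"):
    """Walk the table top to bottom; the first match decides, otherwise implicit deny applies."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, service):
            return policy.name, policy.action, policy.nat
    return "Implicit Deny", "deny", False


if __name__ == "__main__":
    flows = [
        ("192.168.183.10", "203.0.113.5", "HTTPS"),    # accounting host to the internet
        ("192.168.182.10", "192.168.183.20", "PING"),  # LAN host to an accounting server
        ("192.168.183.20", "192.168.182.10", "PING"),  # accounting host back into the LAN
    ]
    for flow in flows:
        print(flow, "->", evaluate(POLICIES, *flow))
    print(flows[2], "with return policy ->", evaluate(POLICIES + [ACCOUNTING_TO_LAN], *flows[2]))
```

Running it reproduces the walk from the video: the accounting host reaches the internet through the first policy with NAT, the LAN host reaches the accounting server through the second policy without NAT, and the accounting host trying to enter the LAN matches none of the three and hits the implicit deny; appending the Accounting-to-LAN policy is what turns that last flow into an accept.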
Info
Channel: Techy-World
Views: 12,269
Keywords: fortigate firewall configuration, fortinet firewall configuration tutorial, fortinet firewall rules, fortinet firewall setup, fortigate firewall configuration step by step in english
Id: 2T8PPVAu1nM
Length: 22min 20sec (1340 seconds)
Published: Sat Feb 18 2023