Deploying Fortigate Firewall | Lecture#4

Captions
In this video you will get to see the deployment of our FortiGate 60E firewall in our network for basic internet access. We will first get to know our existing network design so that we have a firm understanding of what's already running in our network. Then we will take a bird's-eye view on how we will deploy our FortiGate firewall and what configurations need to be done on the FortiGate device. After that we will begin deploying the FortiGate by configuring the PPPoE WAN interfaces for internet access. Afterwards we will be altering the distance of the default route received from our ISPs to facilitate an active/backup ISP design. Then we will configure the layer 3 VLAN interfaces so that our data users can get internet access; we will also configure DHCP on that interface so that clients can get automatic IP address assignments. Finally, we will set up a very basic firewall policy with network address translation enabled to get the users out towards the internet.

My name is Emman Mukhtar and you're watching the FortiGate installation series, where we install a FortiGate firewall on our network step by step. Don't forget to like this video so that it gets to other people, subscribe to our YouTube channel and click the bell icon to get future update notifications from this channel. So let's begin.

Now, before we move on towards deploying the FortiGate device on our home network, we need to understand the existing infrastructure and how it's already running. Let's start from the WAN side. I have two WAN links dropped down by the ISPs, which are Ethernet links that I have terminated on my Cisco 9800 series router. Both the links are PPPoE, so that means they have some authentication parameters in terms of usernames and passwords, which we will pull out from the Cisco router before deployment. In terms of the WAN side, we have configured floating static routes on our Cisco router to make ISP1 the primary ISP, because that's a link of 15 MB, and ISP2 the secondary ISP, which is a 5 MB link. As the Cisco router is an edge router, network address translation, or NAT, is also being performed on it; if you would like to learn more on NAT, do check out our free course on network address translation for beginners on our website. It's also available on YouTube; you can check that series out by clicking over here. Last but not least, the Cisco router is also acting as a DHCP server for multiple VLANs.

Now in the middle we have a distribution switch, or you could call it a core switch, on which all of the devices are connecting. The core switch is connected to the router via a trunk link, and the SVIs, or switched virtual interfaces, are all present on the router for all the VLANs in our network, which are VLAN 25, 35 and 199, colored in green, blue and brown respectively for your understanding. So the router is essentially acting as a router on a stick to facilitate inter-VLAN routing and the routing towards the WAN. Then we have an ESXi hypervisor running for our virtual machines, terminating on the core. This is also a trunk link which carries two VLANs: the ESXi's management is on VLAN 199 and the VMs, or virtual machines, are on VLAN 35, which is a server VLAN in our network. Then we have a bare metal server, which is a Windows 2012 server, terminating directly on the core; this is an access port of VLAN 35. This server acts as a domain controller and has many services running on it which I use in my videos whenever I need a Windows server. Now, my room switch, which is an access switch, and the core switch are in different rooms, so I have an Ethernet cable running from the core to my access switch, on which two to three computers reside on access ports in VLAN 25. The link between the switches is a trunk link to carry multiple VLAN traffic whenever required. Finally, we have a wireless access point which is terminating on the core switch directly and is connected via an access port, as it does not understand VLANs. Hence, as you can see, the end users on the LAN, which is the wired network, and the wireless LAN, which is the wireless network, are on the same network of 192.168.25.0/24. The best practice would be to separate them, which we may do in a later video.

Now in our first phase we will be replacing the Cisco router with our FortiGate 60E firewall and configuring all the essential steps needed for at least basic internet connectivity. For that we will need to configure the WAN interfaces on the FortiGate firewall for PPPoE, replicate the router on a stick as a firewall on a stick to facilitate the inter-VLAN routing and the routing towards the WAN, and set up DHCP for the required VLANs. Last but not least, do basic network address translation on it for internet access.

All right, finally this firewall is getting deployed in my home network and I feel so much relieved, believe me on this. Okay, first of all we need to take care of the WAN interfaces that we have at our disposal, the PPPoE interfaces. Now if you were to look at our topology, the FortiGate installation phase, we have actually replaced this router which was over here with this one, and I have actually plugged in the port coming from ISP1 to wan1, the port that was coming from ISP2 is now in WAN interface 2, and the port that was coming in from the core switch, or the distribution switch, is in port number one. Now apart from these ports there is one other port that I have connected to my firewall, which is the DMZ; actually the port name is dmz. Oh, there's a confusion there already, I guess, but don't worry, it's just for out-of-band management of this FortiGate device, because we don't actually have anything set up right now. So there are no data packets that are going through this FortiGate firewall or any IP addresses that have been configured here, so network connectivity is kind of down, but I need access to this FortiGate device. That's why I made an out-of-band management interface, or, nothing big, just one interface with an IP address, and I myself have that IP address series configured on my laptop.

So let's begin. First of all let's take care of the WAN interfaces. Let's go to Network > Interfaces, and these are all the interfaces that you have at your disposal. This is the temporary management interface that I'm going to be using to access this FortiGate device, and you can see I have accessed this device with this IP address which is configured over here, and my laptop also has the same series configured on its LAN port. Okay, so this IP address on wan1 was actually taken from the previous lab, or maybe the second lab, in which I was showing you how the WAN interfaces would work. It was a previous one, or I guess... no, the previous one was the firmware upgrade, right? So this should be the second one. Okay, so this is going to be our ISP1; this is the primary ISP, so I'm going into that. First of all, you cannot change the name, as far as I think you cannot change the name; if you have any idea how to change these names, just let me know. So the alias is going to be termed "primary ISP". The type is physical, obviously, it's a physical interface. The role is WAN; we'll talk more about that later. And you can actually estimate some bandwidths if you want to; again, not needed as of right now.

So, coming to the address part: we have three ways we can configure the address. The manual way, if you have an ISP that actually gives you an IP address and says "hey, configure your FortiGate or any device you want internet access on with this public IP address", then you go with this one. DHCP: normally I haven't actually seen DHCP being configured straight off the bat coming from an ISP, but there could be cases, or there may be a case where you have a modem in front of you and you just want internet access, so you could configure DHCP there as well, and that will work as well. In our case we need to configure PPPoE, so the first thing that you need, and the only thing you need for this lab at least, is the username and password of the ISP's PPPoE. An unnumbered IP is used when you have to statically define an IP address, but that's not my case. So where do I get this username and password? The router was there, obviously; it's got to have them. So this is the Cisco router that was in place before this FortiGate device, so going to show running-config interface dialer 1, I guess it was 1; no, it was 2. Okay, so this is the username and this is the password. So putting in my username, copying that, pasting that here real quick, and the password, let me check that. Okay, great. Now I just have to press OK and technically it should work, but sometimes there are issues that you've got to see. Let me check that. It looks like that... oh, there it is, beautiful. Now I've just got an IP address, so the obtained IP is 182.176.157.221, and that's a flat 32-bit IP address, so it's a host IP, and here's the default gateway that I've gotten, and this is the acquired DNS.

Now the thing to keep in mind over here is the distance. You should know actually that the distance is the key parameter to breaking the tie between two routes, especially when you have the default routes coming in from PPPoE like that. So let's leave it at 5 for the time being, and let's configure the other WAN interface and let's see what happens. But actually, before going towards wan2, let me show you something here. Let's go to Dashboard, and in there you have the Network tab, and look at that, Routing. Expand that, and as you can see this is kind of a routing table in a GUI kind of mode. So you can see that I have a default route coming in via the ppp2 interface, which is the logical name of that interface, and it's static and the distance is 5. Now this type of address I got, this is the IP address of the default route; again, this is basically how PPPoE just works, okay, so you have host routes coming in. Again, we're not talking about those details that much here, but the thing is you've got that route.

Now let's configure the other one, which is wan2. Let's see, okay, that will be backup, or maybe secondary; "secondary ISP" is going to be the alias name of that. Leave everything at default. Now I need the username and password of that, so let's head on towards our Cisco guy here and say, Cisco guy, can you tell me... actually, he told me over here. So this is the password and that is the username, so I'll just copy the password and the username. Again, no statically assigned IP address from the ISP. Selecting OK, and let's see what we get. Beautiful, I got the IP address in a jiffy actually. Now this is a local ISP which is actually giving me services; it's not a direct ISP, it basically has some upstream ISPs on itself, so they're giving services in my area. That is why I get the 10 subnet from them, okay, so don't get confused on that. But nonetheless we have internet access on this one too as well.

Now going towards the Dashboard and Network again, let me show you this. Now I have eight routes, and check this out: now I have two routes, two default routes to be specific, and they both have the same administrative distance. Now what happens when you have the same administrative distance? Well, let's see: get router info routing-table all, kind of the counterpart command of our show ip route in Cisco, huh. Okay, so you can see there are two default routes now. This basically means that it's kind of like load sharing as of right now; it's not load balancing, remember that, because you don't have any control over this, so any packet could go towards ISP1 and any packet could go towards ISP2. For load balancing you will have to configure the SD-WAN feature, which is inside of the FortiGate, but we will look at SD-WAN later.

First of all, we had seen in the topology that this one has got to be the primary ISP, right, and this is going to be the secondary. Now ISP1 is the primary one, so what I'm going to be doing is I'm going to reduce the distance for this primary one. That way this one, which has a distance of 5, won't get into the routing table, and that's how we will achieve this as of right now. So going to our interfaces again, this is our primary, again this is wan1. Okay, what's that? That's not good. Okay, let's see that later. I'll just go into the primary one, and what I could do is I could just decrease the distance so it's more preferred now, okay, or I could just increase the distance of the secondary one, and that will work too. Why is this down? I don't know, let's see. Okay, what's going to happen is that the session is going to bounce for the PPPoE. Okay, we actually missed that one, but now you can see that only one default route is inside the routing table. Hang on a second, I mean, why was that down? Maybe it was... let me just refresh that; it happens sometimes. Let me see if this is working fine, if we have the IP address, ipconfig... I should have checked with the CLI. Oh, what's up with this? I mean, get router info routing-table all. It kind of looks like I am, yeah, I am actually connected; that's why I'm seeing those IP addresses on ppp3, which is the secondary ISP in my case. I'm not sure why it is showing me this; let me just check that real quick. Initializing... well, it's a local ISP, you never know what happens, but it's kind of like initializing, but it will get through that, hopefully. But you understand the concept, right? So this is what we did in making ISP1 the primary. Again, there are many ways you could do that; this is just one of the ways. If you don't want to get involved in SD-WAN and all that stuff, this is just the easiest and simplest way to actually get a route out from the routing table and get one into the routing table and have it stay there.

Okay, next up what we're going to be doing is configuring interfaces, specifically the SVIs, which are the switch virtual interfaces. Now in the previous, or a previous, or in the second video, I told you that these ports are kind of like bundled together; you can remove them if you want. In this video I won't be removing them. Okay, so what I will do now is go to Create New and add an interface, and name that interface svi25, I'll call it. In this case there is really no need to specify an alias; you could actually do that, but it will just overlap with the name of the interface, because you have the ability to configure names on these interfaces. So what will be the type of this interface, this virtual interface? It's going to be VLAN, but there are many types you could actually configure; for the time being I'm just going to be configuring the type as a VLAN interface, okay, and the VLAN protocol is 802.1Q, which is the dot1q protocol for trunking. Okay, so what is the physical interface that I'm going to be using? Again, this is a virtual interface that we're creating, just the same as we create in Cisco switches; what will be the physical interface on which you will be creating this? Well, it's going to be internal. You can actually take some ports out of the internal group and make that a separate interface, and you could actually configure on that as well if you want to, but in our case I'm not doing that; I'm using the default internal port. You could actually do that later if you want to, but for this video's sake I'm going to be sticking with this internal interface. And what is going to be the VLAN identifier, or VLAN ID, on which it will trigger? That will be 25. Okay, so the role is LAN; we'll just leave that as it is, and we're going to specify an IP address over here. Now what is going to be the IP address? As we specified over here, x is going to be the VLAN number and then dot one. So we've got to be careful here, because some of these interfaces are still live over here on this router, so I hope I don't make any duplication here. Actually, I'll just check it out right now: show ip interface brief, oops, show ip interface brief with the exclude sign; it's on Cisco. Okay, oh, 25 is down; I just administratively shut it down. So let's just go and configure that IP address, 25.1 and /24; it works just as well as the subnet mask. You can specify the mask as well, like 255.255.255.0; it's your call whatever you want to do. Then you also have an option to create an object for the matching subnet, which in my case is good, because you have an object created and you can call those objects whenever you want in your policies. No secondary address is needed as of right now.

Administrative access: this is actually a norm with the firewalls now. I've been deploying a Palo Alto firewall, as you can see over here, a Palo Alto primary and secondary. It also has, what do you call that, a management... something which they call, I don't recall the name of that, a management profile. Remember that: management profile, that gets called on an interface, whatever interface that might be. In FortiGate we have a separate section in which we can specify administrative access. Obviously it's not that much granular as in Palo Alto, but still it's pretty good. So you can specify what can happen on this interface; for example, if you want to set GUI access or not. So I'll be doing GUI access, because this is an out-of-band management interface that I've configured kind of on the device, on the dmz actually. Oh, and okay, so I would require pings, obviously; I need that. SSH also, sometimes I'll take the CLI. And the other things I don't actually need, so I'll just leave that as it is.

Now DHCP is a must over here, because my devices, my wireless, everything is on a port of VLAN 25, and we are configuring VLAN 25 right now, so we need DHCP services enabled here. Now the address range is 25.2, we could do... okay, I think it's okay, or should we do like 5? Just put it like that, to 50. Only 50, because I don't have many users; the maximum would be 10 at a time if I had guests over here. So the subnet mask is 255.255.255.0; that's a /24. Default gateway: same as interface; that means it can also serve as the DHCP server for other guys, so by default it's the same as the interface IP, or you could specify the IP address. Once you hit Specify it basically shows you the interface IP address that is already configured, which we are configuring right now over here, as you can see. And I'm going too fast right now, I don't know why. Okay, so same as interface IP, leave it at that. And the DNS server: so if you want to resolve google.com, Facebook and YouTube, whatever, whatnot, you can use the system DNS servers. They are configured somewhere, I don't remember where exactly right now, but they are present. You could set them as the interface IP, so kind of like a caching DNS server; you can make this FortiGate a caching DNS server, the same way your DSL modems work and everything. And you could also specify a standalone DNS server if you have a Windows server that is running DNS services and stuff like that, or any other server that has DNS services in your environment, so you can actually do that. Okay, I'll just specify 8.8.8.8 so that you can see how it works. Now the lease time is by default seven days; if you want to change that, save yourself time, get a calculator, seconds to days actually, and change the seconds value if you want to. Otherwise, for seven days that address will be leased to whoever takes that IP address. Okay, so we're done, I guess. So just hit OK. And so if I were to do this again, oops, timed out, what happened? Press Enter; I am pressing Enter. Okay: get router info routing-table all, and as you can see we've got svi25 created now, and it's in place.

Now, as we are creating the SVI over here for VLAN 25, let's create an SVI for VLAN 35 as well. We will create the SVIs on the fly, but let's create a VLAN 35 SVI and VLAN 199 as well. Now you can see a plus over here, right? So if I hit plus over here it will expand, and look at that, a line showing you that this internal interface has an SVI interface. Okay, so I can connect my switch to this internal interface; exactly, the physical interfaces would be one of these guys, it could be any one of them, and if a tagged packet comes in it will respond; it will respond with the pings if you want to ping 25.1. Actually, we could just check that real quick, if I may. I have that core switch; I'll just tell it that, 192.168.25.202... oh sorry, its SVI is down. I won't be able to log in as of right now, but we will test that soon, don't worry about it, because right now that SVI over there on this router is down. Again, complex topology, don't get into that. Okay, let's create another SVI or VLAN interface: Create New, interface, I'll say svi35, and everything as it is, and the physical interface will be internal. Interfaces, and they in turn call other interfaces, remember, ports 1 to 7. And the VLAN will be 35, and manual IP address assignment, 192.168.35.1/24 this time. Oh, huh, oh, that's weird. That's because my router is still on the network and it's using 35.1, gotcha. So let's go ahead and say interface... what is BVI 35? That's actually a bridge virtual interface in the router; again, complex topology. Let's shut that down, shut that down, and now let's try to create it again: interface, and svi35, and everything, interface will be internal, 35, and let's try that out, 192.168.35.1/24. It should work now; you see there is no error. So I'll just allow only ping on this subnet for the time being, and I don't need any DHCP services as of right now, because the thing is that it's a server VLAN. Maybe I will be needing the DHCP services; I'll do that later. For the time being it's okay. So we've configured that, and hitting the plus again you can see two SVI or virtual interfaces created right now.

Now what else do we need to do here? Turns out it's pretty much done from the interface point of view, and it's pretty much done from the WAN interface point of view, so we could actually go into the console of the FortiGate and execute a ping. If you give it a ping to 4.2.2.2, sure enough you have internet access on the FortiGate itself; that's the first thing. Okay, so now I will be changing my Ethernet cable. I've kind of like directly connected towards the FortiGate; I'm getting on the network of VLAN 25, and let's see if we get an IP address or not. So I'm changing the cable as of right now, and to check if things are working well, let's go to Open Network Settings and adapter settings. Okay, going to adapters, and fair enough, you've got 192.168.25.5 as an IP address and the default gateway is 25.1, which is the FortiGate device, and look at that, the DNS server is 8.8.8.8 that we just configured. So it kind of looks like we're connected, but we have no internet access. Now why would that be? Well, what I think is we don't have any policies in place. So if I were to ping 25.1, that's working, but if I were to ping 4.2.2.2, which is going on towards the WAN, that isn't working. Well, NAT is, I guess, not configured; let me check that out real quick. Now I can't actually connect to this interface as of right now, because routing and everything is not in place for this out-of-band management interface, so I will have to use 25.1. Oops, not triple one, just one. Oh, there it is; you see, because we enabled the admin access on this specific interface, we have the ability to now go and manage in band. So this is called in-band management, sorry. Okay, giving my password and logging in, and we just need to create a policy. There may be a default policy already created, so we go into Policy & Objects and go into Firewall Policy, and there is a default policy actually in place that is actually specifying the internal interface.

Now specifically you must understand that, okay, these SVIs do fall inside of the internal interface, but these are full-blown interfaces now in terms of the firewall, okay. So if you want policies to be in place, you have to specify those interfaces in the policy. So for example, let's see what's happening over here, and we will talk more on policies; let me just give you an overview of what's happening over here. So we don't have a name for the policy; let's just specify "internet"... not a good spelling, internet, internet, okay. The incoming interface is from the internal port; this should be changed for the time being to svi25. If I just hit OK right now, I think it will work, but let me just give you an overview of how and what is happening over here; we will take a deep dive in the next lecture on this. But the thing is, we have an incoming interface and an outgoing interface, source IP addresses or usernames and stuff, destination IP addresses, and all schedules, so you can schedule this specific policy to be enabled or disabled at a specific time period, and services, these are the port numbers and stuff; everything is allowed, the full IP stack over here is allowed. And then what do you want to do with it? So you could accept or deny. Inspection mode, flow-based or proxy-based; we'll discuss this later. And then we have some NAT options, and it's a really, really simple option as of right now; it's kind of like the NAT overload. If you know me, I do a lot of NAT videos, so this is kind of like the NAT overload in Cisco. Okay, so everything else, the security policies which we have this FortiGate licensed for, we're not using as of right now, but we will look into all of them. So security log allowed traffic: you could log the traffic, security events only or all sessions, so let's do all sessions for now and hit OK. Now if I'm not wrong it should work now; I should be getting internet access now. And there it is, so we've got internet access. Let's open google.com and let's see if Google opens up. So there it is, there it is, so we've got Google opened up.

So this was the basic FortiGate installation, phase one I would call it, and we're going to go deep into this FortiGate device now that it's operational and in place. Finally, finally it is in place; I was so worried about this, man, because all those cool features were delayed because I hadn't actually put that firewall in its place and deployed it. So now it's finally deployed in the network; we will take a look at a lot of stuff, SD-WAN, all those policies, URL filtering, everything, almost, hopefully. So I hope this has been informative for you, and I'd like to thank you for viewing.
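The video does everything through the GUI. Below is the FortiOS CLI equivalent of the same steps (PPPoE on both WAN ports with the primary given the lower distance, the two VLAN interfaces on the internal hardware switch, a DHCP scope on VLAN 25, and a single NAT policy) as an added example; it is not the presenter's configuration or anything from the channel. Interface names wan1, wan2 and internal are the FortiGate 60E defaults; the PPPoE usernames and passwords are placeholders, the primary-ISP distance of 1 and the policy ID of 1 are this example's own choices (the video only says the primary must be lower than the secondary's 5), and the DHCP range, lease time and DNS server are the values spoken in the video.

```fortios
# Added example: FortiOS CLI for the GUI steps in this lecture (not from the video).
# <...> values are placeholders; distance 1 on wan1 and policy ID 1 are assumptions.

config system interface
    edit "wan1"
        set alias "primary ISP"
        set role wan
        set mode pppoe
        set username "<ISP1-PPPOE-USERNAME>"
        set password "<ISP1-PPPOE-PASSWORD>"
        set distance 1
    next
    edit "wan2"
        set alias "secondary ISP"
        set role wan
        set mode pppoe
        set username "<ISP2-PPPOE-USERNAME>"
        set password "<ISP2-PPPOE-PASSWORD>"
        set distance 5
    next
    edit "svi25"
        set vdom "root"
        set type vlan
        set interface "internal"
        set vlanid 25
        set role lan
        set ip 192.168.25.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "svi35"
        set vdom "root"
        set type vlan
        set interface "internal"
        set vlanid 35
        set role lan
        set ip 192.168.35.1 255.255.255.0
        set allowaccess ping
    next
end

config system dhcp server
    edit 1
        set interface "svi25"
        set default-gateway 192.168.25.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 8.8.8.8
        set lease-time 604800
        config ip-range
            edit 1
                set start-ip 192.168.25.5
                set end-ip 192.168.25.50
            next
        end
    next
end

config firewall policy
    edit 1
        set name "internet"
        set srcintf "svi25"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After pasting this, `get router info routing-table all` should show a single `S* 0.0.0.0/0` entry with distance 1 via the wan1 PPPoE session; the wan2 default route stays out of the table until that session drops. Two points a reviewer would raise on the video's settings: `set allowaccess ... https ssh` on svi25 exposes the management plane to every client on the user VLAN, so pairing it with a `trusthost` restriction on the admin accounts (`config system admin`) keeps GUI and SSH reachable only from the management host; and `set service "ALL"` with `set dstaddr "all"` is the permissive bootstrap policy the presenter says he will refine in the next lecture, not a finished ruleset.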
Info
Channel: Doctor Networks
Views: 9,374
Keywords: enable dhcp in fortigate, fortigate basic configuration, fortigate dhcp, fortigate firewall configuration step by step, fortigate firewall training, fortigate pppoe, fortinet tutorial, how to configure dhcp in fortigate, how to configure fortigate firewall, lan configuration fortigate
Id: Ra2TY_MUg4E
Length: 34min 51sec (2091 seconds)
Published: Tue Nov 30 2021