Today we're looking at setting up a basic network with a FortiGate,
a FortiSwitch and a FortiAP. Hey everyone! If you're new here, I'm Gregabyte
and I talk all things network and security
and focusing lately on Fortinet solutions. So I'm a visual person,
so I wanted to break this down for you: how I've got this set up today. We've got our FortiGate
90G setup hooked up to the internet. It's hooked over on port A to the port eight of our FortiSwitch 108F-FPOE. Then on port one
we have our FortiAP hooked up using PoE. And right now the only thing that's
configured is that basic configuration we've done in the first couple videos
with the FortiGate 90G. So we'll hook up the FortiSwitch,
which is currently not configured at all, and the FortiAP,
which is also not configured at all. First off let's double check which ports
are our FortiLink just to make sure. So we can see here at the top that we've
got FortiLink with members A and B. And we've got A currently connected. Before we do anything else let's go turn
on the wireless and switch controller. If we go to system feature visibility
and then turn on the switch controller and the wireless controller
and then hit apply. You'll see now over here on the left
that we have Wi-Fi and switch controller. If we drop that down, the first thing
that we're going to want to look at is the FortiLink interface. So if we look at this right now
this is just set to the default. It's using the IP space of 10.255.1.1/24. And it sees one FortiSwitch
currently connected. By default, in a secure state,
we don't want to authorize new devices. So we've got that turned off currently. We do have the ability
to do split interface, which is something you might want to do. And we've got DHCP set up. Now FortiLink
is going to be the type of protocol that we're going to use to communicate
with our FortiSwitch. So this is purely management
and configuration. So we'll move over into
the managed FortiSwitches. And in here you can
see that we have one unauthorized switch. So if we click on this
we can actually go and choose to authorize it. Now that we've authorized this, it's
going to sync up with this device. And it's going to start
giving it a configuration. Right now there is nothing configured. After a minute we refresh the page
and our FortiSwitch is online. We can even see that it's connecting from an IP
within the subnet that was in FortiLink. So the next thing we're going to look at
is actually the FortiSwitch VLANs. By default we have a handful of different VLANs
preconfigured: VLAN one, and then a lot of the top VLAN IDs.
We're not going to use any of those today. What we're going to do is create a VLAN
for the FortiSwitch administration. If we go to create new, create a FortiAP VLAN, we're
going to choose to call this VLAN 60. We're going to give it an IP
address of 192.168.60.99/24. Inside of here
we'll turn on ping administrative access, as well as the security fabric connection
so that it can talk over CAPWAP. We'll turn on DHCP server,
which should grab the IP space from the IP that we created earlier. We're gonna have device
detection turned on. And other than that we're going to leave
everything else the same. Okay. So we've got the FortiAP VLAN created. Let's go over to the port
and change it over into that VLAN. We'll head over to FortiSwitch ports. We're going to go to port one because
that's where our FortiAP's hooked into. And we're going to change the native VLAN
from the default FortiLink over to the FortiAP VLAN that we created. And we're going to apply that. So now our FortiAP has DHCP that it can hook into. Now that we've done
that let's go over to managed FortiAPs. And we should see that
a FortiAP is waiting for authorization. So let's click on that. And just like in the FortiSwitch
we're going to authorize it. I'll right click it and select authorize. Now this is also going to take some time to get updated with the configuration
that is created inside of this Fortigate. So while it is figuring all of that out,
we'll go create that. We'll head over to SSIDs, create a new SSID. I'm just going to name this one Example SSID. But that's not actually the SSID
that will be broadcast. We'll change this
IP space to 192.168.61.1/24. We're going to turn on ping, but for this we're going to expect
that there are no admins. So we don't want to turn on any web access
or anything else. We'll turn on DHCP server
which again will have the IP space based on the address for this SSID. And then we can change the SSID
that is broadcast down here. We'll type EXAMPLE. We can scroll down a bit further and we'll set a password for it. And we'll just be Fortinet1! We're not going to set any VLAN IDs here. We're just going to keep it like that. We'll hit okay to apply it. And now we've got a tunnel SSID;
that's the default mode, and that's what we're going to use.
If we double check our FortiAP profiles, we'll automatically see the default
FortiAP 231G profile that was created. And the thing
that we were really looking for is to see we are using tunnel
SSIDs in all of the radios. Tunnel, Tunnel and Tunnel. So that's what we want
because we created a tunnel SSID. If you want, you can go manual on yours. But that's what we're going to do
in this one. Let's check out our managed FortiAP
and see if it's connected now. So after a little while, we can see that our access point
is up and running. And we're running on channels 1 and 165. And we don't have any clients
running right now. So the next thing that we need to do
is actually allow this traffic to talk across. So we'll go to our policy and objects firewall policy, create a new one. We'll name it wireless. Select
the incoming interface as the example SSID and let it go pretty much anywhere. Not a secure design,
but it's just for testing. We'll do source
and destination of anything. And a service of anything. We're going to accept it. We'll use Nat and we're not going to do
any filtering on it right now. We'll log all sessions right now and hit
okay. I'll drag this above my testing policy,
which is just a fail open. Now let's take a look and see if we can
hook up into this wireless network. We'll turn on my wireless card and we'll connect to this example wireless. I had already typed in the password,
but now we're connected and secure. We go to wireless and switch controller
and look at Wi-Fi clients. We'll see that we can see my computer,
which FortiAP it is connected to, and a bunch of other information about it. So now we have one side configured on our FortiAP,
which has access to the outside world. But our FortiSwitch
still doesn't have a VLAN that can be used to get access out
for wired clients. So let's go back to FortiSwitch VLANs. And we can choose to either
utilize this default FortiLink, which is the default VLAN,
but it is VLAN one. Now we could choose to use this default
FortiLink VLAN one, which currently does not have an IP address assigned to it,
and change that over to something else. Or what I like to do is create a new VLAN. So we'll go to create new. Name this wired. Go to VLAN ID of 70. And just like before
we'll give it a 192.168.70.1/24. We're going to turn on the ability
to ping. We don't have any downstream
Fortinet devices that we would expect.
security fabric connection. And we're going to turn on the DHCP
server, which should fill out this information. I would still like to detect different
devices on here but nothing else. We'll go and select okay. And now you can see we have a wired VLAN. We just now need to apply it
over at our FortiSwitch ports. So we'll go to ports two through seven. I'm just going to hold shift
to select all of those. And we're going to change
over the native VLAN from default FortiLink over to wired. And I'll apply that. And now I can see all of these ports
have a wired port on here.
Just like we did with the FortiAP, we'll need to go into policy and objects, firewall policy, and then create a new. We'll call this one wired. Using the wired VLAN. Allow to go to anything, source of anything. Destination of anything with a service of anything. Now it will log all traffic. Hit okay. I'm going to drag this again
above my testing. So I'm going to switch over my wired port into this device
and we'll see what we can do. So now that we've disconnected
the wired connection, let's test out that wireless connection
that we had before. We'll just go to fortinet.com. And we can see that we got access. As we connect back over into we'll go into port seven. Since it was ports two through seven that was enabled. I'll go and turn off my wireless. That's always a good sign. We'll turn off our wireless here. And again we're going to go
and let's go to fortiguard.com. And we can see we can get out to websites. All right.
I hope that was helpful for you in setting up
a really basic configuration with a switch and an access point with your FortiGate. If you've got a different network
that you'd like to see me test out and set up,
let me know in the comments below. I'm always looking for unique,
different use cases and even common use cases
that I may not be thinking of. If you've got a Fortinet stack today,
is this how you've got it configured or is it something else?