Fortinet SD-Branch Basic Setup | Product Demo

Captions
Hello, I'm Jim Stewart with Fortinet, and in this video we are going over basic setup of a Fortinet branch office deployment. That is, we're going to focus on getting the network up and running in short order, with basic security, and taking advantage of FortiLink, as is typical in a smaller or branch office.

First of all, our equipment. A typical branch deployment requires three types of Fortinet equipment: a FortiGate for the internet borderline, FortiSwitches, and FortiAPs. In addition to those we need all the necessary Ethernet cables, and we need some kind of internet uplink. This is everything cabled on a desktop for ease of view; naturally, in a real deployment those APs should be hanging from the ceiling somewhere, connected via longer Ethernet runs, but we want to be able to see everything. Keep in mind there are some variations over different models of FortiGates on how ports are pre-configured and labeled. Here I'm using a FortiGate 81E in this example, and I will have to enable FortiLink specifically on certain ports. If you have a more recent FortiGate in the F series, there will be ports that are pre-configured for FortiLink; they're already up and running, which will save you a couple of steps, and they will be labeled with the letters A and B, or possibly a chain sign, but you should be looking for the A or B sign. So if you've got the F series, it'll save you some effort.

All right, so just how have we cabled this arrangement? The blue cable here is my ISP uplink going into WAN1 on the FortiGate. WAN1 will be on every FortiGate model; it is pre-configured to act as a DHCP client, so it's basically expecting to be plugged into your ISP and then get an address. So it works; it's just as easy as a consumer-grade Linksys: plug it in, it'll be up and running, you don't have to think about it beyond that. The red cable is my FortiLink cable. It is running from my highest-numbered port on my FortiGate to my highest-numbered port on my switch. That is a convention, it is not a requirement. Again, if you have one of the more recent FortiGates you may have a pre-configured port, which would be here labeled A or B; either one of those will work, I'd probably use A just for consistency.

Beyond that, I have green cables running into my APs. Now keep in mind the FortiSwitch here: on this FortiSwitch half the ports support PoE, so the red-labeled ports support Power over Ethernet and the black-labeled ones do not. So make sure we connect the APs to PoE ports and don't connect other things there when you have black ports open; you know, don't waste them. Devices that need to be powered, make sure they're in the PoE ports. That said, on the other end of the green cable, make sure you use the PoE port on the AP. It could be a silly mistake and might take you a while to chase down, so don't accidentally plug it into LAN 2 or the console; make sure it's the LAN 1 PoE port. And finally, I have a white cable connecting to my management station, which is receiving a DHCP address by default from the FortiGate. Again, variations: a larger FortiGate model may have a pre-configured management port labeled MGMT. These ports operate the same; it's a variation on sort of what you're going to be doing with the lower-end ports. So if you have one labeled MGMT, that's what you want to plug into; otherwise, what's typical in the small branch deployment, the models that are typically deployed, just plug it into any one of the LAN ports and you'll be fine. And there we go, up and running. So let's power everything up and then we'll move on to configuration. If you have not connected the power cables, go ahead and do that now.

All right, our management station is connected to the FortiGate as we saw before, and it has received a DHCP address, and it is in fact on the internet, because that's the default settings on the FortiGate. Or I can go to maybe something a little different; there you go. Notice, while you can't see it, my Wi-Fi is turned off; this is going through the FortiGate in the default settings there.

So going back here, what are the default settings? The default address for the FortiGate is 192.168.1.99. It'll automatically redirect to HTTPS, and of course it's shocking that I already have it cached. So we'll go there, and we will get an error. Now this is very typical; you should get this error from pretty much any browser, and it's not really important. It boils down to the fact that the FortiGate has a self-signed certificate instead of a publicly purchased certificate. To make this error go away involves getting a certificate from some service and installing it, so we're not worried about that right at the moment. We know we're not in a man-in-the-middle attack because we can see the wire straight through and that nobody is tapped into it, so we can go to Advanced and continue. There is one thing I should point out, though: I use Chrome, and Chrome is a little trickier than others. Chrome may not give you the Advanced ability to proceed unless you type, anywhere in the browser (not the top line), "thisisunsafe". I'm just going to do it so you can see. If you don't get the "proceed to where you want to go" option, type that anywhere here in this window; you won't see it, but it will then enable that. So, a trick for Chrome users. Proceeding, we get the FortiGate login screen. Default login: the default address is 192.168.1.99, and that's a /24.

The default login is admin with a blank password, no password, and it immediately, I mean it is a security device, insists that we change the password to something more viable, or more defendable, I guess, is the word I should be looking for. That brings us back: change the password, log in with the new password, and we're in. Well, yeah, we have some setup material here; we're going to skip this. This is something you can always, you know, it does say later, you can go back to it later: register with FortiCare, change your password, this kind of thing. We actually have already changed the password; it must have cached my FortiCare when I reset this thing. Dashboard, set a hostname: we don't really care about that much at the moment, that's for later, and we're not going to watch the video of what the new features are; we're going to get straight into the meat of it.

So we have a FortiGate, it's up and running. The FortiGate's very powerful, it can do a lot of things; the dashboard is very useful for troubleshooting and whatnot. We're going to stay focused on just getting the baseline network up and running, so where we want to go is not so much in the Dashboard or the Security Fabric; we want to go to the Network section. After that we'll be concerned with WiFi & Switch Controller and a little bit of firewall here in the firewall policies. So back to Network, Interfaces: we've got a view of the interfaces on the physical box. We see in the illustration here that WAN1 is up, port1 is up, port12 is up; that is, they're up physically, they're at a lower layer, they're up. WAN1, I have a weird address here because I'm going through yet another port before getting to the actual internet; I'm kind of hiding behind my ISP, otherwise this would be an ISP address. If we double-click on this, we will see that we're getting a DHCP address, and this is where we're routing everything through.

That said, what we're interested in right at the moment is the FortiLink: is the FortiLink set up for the switches? Now again, if you have a more recent model than mine, there should already be a member or two here. If there's already a member or two here, you can ignore the next part; it's not really relevant because it's already been done for you. I have this older model; it doesn't quite do that. FortiLink is set up, but I have to tell it who the members are. Now I have to find a member. The hardware switch has all of my available physical ports, one through twelve, so I need to remove one from the hardware switch. Let's go over that one more time, a little more slowly. I have a hardware switch, it's ports one through twelve; I have the other oddballs, the DMZ, the HA (high availability), WAN1, WAN2; and I have FortiLink, which is an aggregate of some of these ports. So I have to remove from the hardware switch at least one port to service the FortiLink. I'm going to remove port12, because that's the one I wired up to use with the switches, and that's all I have to do: remove it. Now that it's removed, it's available to add to the FortiLink aggregate. So I go into FortiLink, I go to Interface Members, and I add port12.

Now from there, there's a couple of choices we could make. I'm not going to make them right at the moment; I'm not going to make any changes, I'm going to stay with the defaults. But "Automatically authorize devices": if you're deploying 50 APs in one day, you might want to click this, right, and then come back to it later and turn it off. That would be a security best practice. "FortiLink split interface" is also some variations: we're going to use one port for FortiLink; we could turn this off and use two ports to have a kind of failover, but a more advanced one would be to have more than one switch, for which you would leave this in the defaults. So the defaults are fine, they're more secure, we're going to go with that. And there we go, we have a port assigned to FortiLink, and it is of course the port the switch is in. If it looks red for a moment, don't worry about it; the port is just resetting, it'll turn green momentarily.

All right, now while we were there I deliberately did not turn on "Automatically authorize devices", so where do we authorize devices, i.e. the switch and the APs? They in fact need to be authorized. If we go to Security Fabric and Physical Topology, there's three or four different places you can actually authorize devices, depending on what's appropriate; there are other views of switches and whatnot. This is usually the easiest one to go to, and it shows the very nice map that gets automatically built. It's not quite right, but that's because these devices haven't been fully authorized and whatnot. So I'm going to go to the switch, right-click, Authorize. We get the spinning wheel; that will take just a moment. And for good measure we'll authorize our APs, although we still have to set up things: the APs need the Security Fabric extended to them a little bit more, and we will get to that in just a moment. Everything is red for the moment because they are rebooting and/or resetting; they'll turn blue momentarily.

So while we're waiting for authorization to complete, I want to show everyone something. If we go to Policy & Objects and Firewall Policy: fundamentally, the FortiGate is a next-generation firewall, so it has a basic firewall policy included so that you can get automatic... I showed earlier that we already have internet traffic, right? And that's because this basic rule has already been added: LAN traffic going to WAN1, which we wired up to begin with. We're allowing all outgoing traffic, no incoming traffic; no other kind of traffic is allowed, but outgoing traffic is allowed. So a basic firewall rule was included. If we double-click on that, we can see the structure that's typical: we have interface, incoming, outgoing, source addresses (internal addresses, subnet addresses), destination addresses, schedule, service, and these are some advanced policies for later. Again, today is not about our advanced security policies; today is about our basic networking. But the basic networking does require the minimal firewall policy: let's allow traffic to get to the internet. So that's there by default, just so we all know about it. It's important to be aware of that basic firewall rule because we're going to have to add a match to it when we get to the APs and we set up some SSIDs.

All right, that said, time to look into the WiFi & Switch Controller. So, structure: the FortiGate covers an awful lot of area, right? We have our Network interfaces; we have Policy & Objects, which is the security policies; and the WiFi & Switch Controller, which is what makes this a branch solution, the fact that we are managing the entire network from one spot, not just the security policies as they apply at the network edge. Let's expand WiFi & Switch Controller and go to Managed FortiSwitch. Here we can see FortiGate, FortiLink; this is an alternative topology view of switches: FortiLink to port 24 on our switch. This topology is very useful once you get to a bunch of different switches. We only have one switch, so it's not that interesting. I generally prefer the topology view, but sometimes the list view is more reasonable when we have a series of switches you're trying to scroll through.

So from Managed FortiSwitch, let's look at FortiSwitch Ports. I didn't worry about renaming the switch. So that I could look at all of them if I had multiple switches, we can expand and go through them all here, but I have this one switch. What I want to point out is my FortiLink connection, and then we have the ability to change the VLANs on it: allowed VLANs if you're doing a trunk port, native VLAN. This can also come into NAC, but we're not going to worry about that today. So we already have a native VLAN on all of these deployed; default.fortilink is its name. Looking at FortiSwitch VLANs, we see some predefined VLANs, and we have a native VLAN with no IP addresses assigned to it. Now we want VLANs on our switch. The APs are plugged into the switch, but they are not getting an IP address; there's no DHCP server on this. Now we could create a VLAN specifically for the APs, which might be an interesting, more advanced security policy, but again, we're just kind of getting things up and running in a relatively small network, so I'm going to take advantage of the existing VLAN here that is already deployed on all of my switch ports, and I'm going to enable DHCP on it. Oops, no, sorry, Manual, because this is the assignment to the VLAN. So let's assign an IP address, assign a netmask. We're going to allow Security Fabric Connection. Now this is administrative access, like what can the administrator do; we don't have to worry about the rest of this. This is going to allow normal traffic, but Security Fabric Connection is necessary for the APs to be fully connected to the Security Fabric. Then we're going to turn on the DHCP server. Now this would be the same process if I was building a VLAN completely from scratch, but I'm going to take advantage of the existing one. The DHCP server has come up based on the address I already created; well, you know, that's great. So I really don't need to mess with that, I really don't need to change any of this; I don't need to do the Advanced unless there's something more I'm digging into, but for now I'm fine.

And now their IP address is being assigned, and the Security Fabric Connection is deployed on this VLAN, which is already the native VLAN on all of these ports, and we can see port 1 and 2, where I have the APs connected, are delivering power and what device has been connected to them. Now if we go to the Security Fabric and the Physical Topology, we see that everything has settled down: blue, authorized and connected. As we can see here, two APs going into one switch, the one switch feeding into the FortiGate, which then connects to the internet. So we're up and running. Well, our network is up and running, but nobody is on the Wi-Fi; there's no Wi-Fi being broadcast or being sent anywhere. So there's two more things we have to do: we have to set up SSIDs, and then we have to enable those SSIDs in the firewall policy to get to the internet.

So back to my WiFi & Switch Controller, SSIDs. We're going to create a new SSID. Create New SSID, name: FortiSSID. We're going to leave it in tunnel mode because that's the best security option for the most part. This is a classic controller; you certainly have the option to bridge traffic locally, and we can set up mesh, but what we basically want to do is have all the traffic go into the FortiGate for security processing anyway. So let's create a network and give it a netmask. "Create address object matching subnet": that's basically going to save us effort in the firewall policy; that is, we will have a set of addresses already associated with this, so we have security isolation automatically but we have an easy time setting up the firewall policy for it. We don't need any administrative access through here. We do need a DHCP server so that Wi-Fi clients, when they connect to the SSID, will get an IP address. We don't have to worry about Advanced. We do have to do a couple of things in here: the difference here is between the name in the system and the SSID itself that will be broadcast. I'm not going to worry about client limit or all the rest of it; we don't have a large enough office to worry about that under these circumstances. We're going to stick with WPA2 Personal, so we don't have to walk right through "do we have a RADIUS server"; all of this is well documented in the documentation. We're going to keep it simple. Don't tell anybody, that's my passphrase, my pre-shared key. RADIUS server we'll skip over, so we don't have to worry about any of this. There we go, now the status is up. It's automatically deployed to both of my APs because they're in the default group, the default deployment. We could get really subtle and sophisticated about that, but we don't have to worry about that; again, branch office, we've only got a few APs, we only need one public SSID. We'll worry about guest access and things like that later; we want things up and running and to be satisfied that they're running. So we don't have to look at Managed FortiAPs.

We do have to look at Policy & Objects, Firewall Policy. Right now you can connect to the Wi-Fi, but if you connect to the Wi-Fi, the firewall will stop you from going anywhere. We have to replicate this kind of policy, so we're going to Create New. Let's call it "wifi internet policy" for the name. Incoming interface: well, that incoming interface is this SSID; it's being created, treated automatically as its own interface. Outgoing interface: well, the internet is over here on WAN1, that's where we want to go. Source: our working assumption is that anybody who has access to this SSID is basically an employee; we're going to allow all IP addresses to go to any IP address. We're going to leave it on all the time; again, we could get really subtle about this, maybe you're a school district and you want to have it only open during school hours, something along these lines, but we're not going to worry about that today. And we're going to allow all services. Oops, I double-clicked when I needed to single-click. Accept. Yeah, it's coming from this SSID, it's going out on the internet, everything is okay. NAT is our default; everything's good. It replicates the policy above it; it's basically the same policy, but it's coming from a different interface, from a different set of IP addresses, from a different VLAN, effectively isolating it from the rest of the network.

And if I can make an interesting demo out of connecting to Wi-Fi: I am going to cut off my wired access, well, I'm just going to unplug it off stage. I am going to go to my Wi-Fi, which has been disabled this whole time, turn it on, and pick FortiSSID. There we go, I'm connected. And just to prove... oops, no, I'm associated, or I'm authenticated, I'm not associated. And there we go, now I'm fully connected. We go to Advanced, we can see yes, I got a proper IP address; everything looks great. I've lost connection to my firewall, because I can only get to my firewall from the inside network, and my internet access works. So I'm going to reconnect my wired for a moment; I'm going to turn off my Wi-Fi off stage so they don't confuse each other with two different gateways.

So what did we do? We went to our Network; we put in an interface; we wired up everything; we took the FortiLink, predefined, and told it what port it needed. Once we did that, we authorized our switch and our APs. Oh, and by the way, it's detected my wired device: now that everything is up and running, my wired device, the management system, is showing right here, and I can change that view. That's a nice tangent. So again: network connection, we authorized our devices; we went to the WiFi & Switch Controller, we floated around, we corrected the FortiSwitch VLANs to authorize Security Fabric Connection; we created an SSID; and we had to add a firewall policy once that SSID existed to allow internet traffic. And we're up and running. So thank you very much.
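The same steps the video performs in the GUI, written out as FortiOS CLI. This is an added example, not taken from the video or from Fortinet's documentation; it assumes port12 has already been removed from the hardware switch as shown, and the serial numbers, the 10.255.1.0/24 and 10.255.2.0/24 subnets and the passphrase are placeholders.

```text
# Added example, not from the video: FortiOS CLI equivalent of the GUI steps; serials, the 10.255.x.0/24 subnets and the PSK are placeholders.
# 1. Add port12 (already removed from the hardware switch in the GUI) as the FortiLink member
config system interface
    edit "fortilink"
        set member "port12"
    next
end
# 2. Authorize the switch and each AP by hand (auto-authorize stays at its default, off)
config switch-controller managed-switch
    edit "FORTISWITCH-SERIAL-PLACEHOLDER"
        set fsw-wan1-admin enable
    next
end
config wireless-controller wtp
    edit "FORTIAP-SERIAL-PLACEHOLDER"
        set admin enable
    next
end
# 3. Address, Security Fabric connection and DHCP on the native FortiLink VLAN
config system interface
    edit "default.fortilink"
        set ip 10.255.1.1 255.255.255.0
        set allowaccess fabric
    next
end
config system dhcp server
    edit 0
        set interface "default.fortilink"
        set default-gateway 10.255.1.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.255.1.2
                set end-ip 10.255.1.254
            next
        end
    next
end
# 4. Tunnel-mode WPA2-Personal SSID on its own subnet (its DHCP scope follows the same pattern as step 3)
config wireless-controller vap
    edit "fortissid"
        set ssid "fortissid"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-A-STRONG-PSK"
    next
end
config system interface
    edit "fortissid"
        set ip 10.255.2.1 255.255.255.0
    next
end
# 5. Let the SSID reach the internet via wan1, mirroring the default LAN-to-wan1 policy; no inbound and no SSID-to-LAN policy, so the Wi-Fi stays isolated
config firewall policy
    edit 0
        set name "wifi internet policy"
        set srcintf "fortissid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```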
Info
Channel: Fortinet
Views: 8,806
Keywords: Fortinet, FTNT, cybersecurity, SD-Branch, SD-WAN, FortiAP, AP, Switch, FortiSwitch, Branch security, Palo Alto Networks, Check Point Software, Juniper Networks, Oracle Security, Cisco Secure, Sonic Wall, WatchGuard, McAfee
Id: GZ7eQbmIrBs
Length: 26min 28sec (1588 seconds)
Published: Wed Mar 31 2021