New Firewall: Configuration of WAN, WAN2, LAN, LACP, VLAN, SDWAN and on a FortiGate 60E

Captions
Hey, what's up guys, this is Guy here with KBTrainings. I'm back with another video on the FortiGate. Here I have the FortiGate 80D; this has been my main FortiGate for two years now, and if you remember I've made two videos about this. The first one was in 2019 when I bought the device on eBay. I made a video in my apartment and I showed you how I changed my apartment's router to the FortiGate, and I showed you all the configurations and everything in detail. It was a long video, over 30 minutes I think; the link is in the description. And then when I moved into this new house I also made a video showing you how I was configuring the FortiGate for my home network and talking about my home network. This is the design that I've been sharing with you, showing you all the different equipment that I'm using and the connections that I have.

So just a quick rundown: I have two WAN connections. I have the first one coming from CenturyLink with fiber, with one gigabyte per second, I mean one gigabit per second. I have the second one coming with cable from Comcast on this side, with 20 megabits per second. This one is just for backup, so if the first one fails I have a second one coming in, and I made a video about SD-WAN configuration on these two links so that I will always use the best connection, and if I ever lose the connectivity with fiber I'm going to switch to cable automatically. So that video is on the channel. I also have different networks internally, and I differentiate them by VLAN tags, so I have the tag 15 for IoT 1 for example, 20 for IoT 2, and so on.

I am going to install my new FortiGate, so I'm going from the 80D to the 60E that I bought back in May. If you follow me on Instagram you might have seen that post where I showed you the box that came with this device, and I promised you to install the device. I know it's been six months, I've been just very busy, but now I'm back with the video. So if you like what I'm doing don't forget to like the video; it's very simple, it's free and it helps me a lot. Please like the video and also share it with your community, and if you like what I do, if you like the kind of projects that I do with you here, what I'm learning and everything, please subscribe to the channel to get all the notifications and watch my videos.

All right, so I'm going to install this one here. This is the 60E, and the issue with the 80D is that it's getting old, and Fortigate basically announced that they're going to stop the support of the 80D. Actually they will not push new updates to the 80D, and we have an example with a new firmware: I was trying to install FortiOS 7.0, the new one that came out, and I couldn't install it on the FortiGate, and I'm like, no, I can't live that way, I need to have the new version because I have some cool features that I want to try out from that OS version. So this one is old, I'm going to get rid of it, and I have way more ports now. With the FortiGate 80D I had only four ports, but with the 60E I have 10 ports in the back: WAN1, WAN2, one DMZ and some LAN ports over here. I'm going to show you how I do the configurations on these different ports, and actually this is what we're going to do today.

So we're going to have console access to this device, and I'm going to show you how to have access to the GUI as well using the web browser, and we're going to configure WAN1, which is my primary connection, my primary fiber connection. I have the cable for it right here with me. We are also going to configure the LAN ports, and I'm going to use LACP, which will allow me to aggregate some of the ports for some of my big VLANs so I won't have any issue. And if you know about LACP, aggregating three ports for example doesn't make it a three gig connection; it's still a one gig, but you have three ports or three links available at the same time for that same VLAN, which is a good thing. I'm going to make another video on LACP on the FortiGate later on. So after configuring the LAN and VLANs and everything we're going to configure WAN2, which is my secondary connection, and I'll finish by configuring SD-WAN to allow me to use these two connections. I'm still going to keep my old 80D because I will use it for some more videos I'm going to do. I will have some fun here; I'm going to create like some site-to-site VPN and all kinds of things with the two FortiGates that I have here, and this one will primarily be on my home network so I won't be touching it as much. I'll be playing with this more, maybe.

I'm assuming that your device is reset and you have access to it. By default, you know that when a device is new and reset you don't need the password; you just put admin with no password and you're going to do it. So if you have some configurations and you can have access to the device, that's fine, you can just keep moving. You can reset it if you want to restore everything from scratch, but if you don't have access to it you can do some password recovery process or some reset process. The 60E has a reset button over here that you can click to reset it; there is a whole process, a very, very small process that you have to follow. And if you have a different unit than this one here, go online and try to find the process for your specific unit. For example, this one didn't have any reset button; I had to do a bunch of other things that I showed you in the first video. That one has more detail.

The first thing we're going to do is have access to it, and we are going to use a console cable, and then after that we will use an Ethernet cable to have GUI access to it. So let's start with the console access. So what I'm going to do is first connect the console cable to the console port, and I'm going to go on the computer and connect this one here. Okay, so when it's connected let's go on the desktop. Oh, I deleted something. All right, let's go on the desktop. So what I want to know is what is the communication port I am using now. So to do that we need to go under This PC, right click, Manage, and this one will open up. Go under Device Manager and scroll down and select Ports. All right, so we can see that we are using the communication number one, or the COM3. So what I have to do now is open my emulator; in this case I'm using SecureCRT, and I'm going to launch a new connection. It's going to be a serial connection and I will use the COM3. You may have COM2, 3 or 4; just choose the one that is appropriate, I mean the one that matches the cable that you connected, and the speed is 9600. Everything stays the same and we're going to click on Connect. Here we have some outputs but we don't see anything because we didn't trigger any output, so if I click on Enter on my keyboard here we can see that now we can log into the FortiGate and make some changes to it. And by default you have the name of the FortiGate as FortiGate60E. As I said, we do admin without password and we are in. Now it's asking us to configure a new password; we can do it here, but I prefer going in the GUI to do that, because it's just much cleaner, or different.

All right, so what I'm going to do now is grab my Ethernet cable, connect it to my computer, and then we're going to connect it to the FortiGate that we have here. And just for information, by default all these ports here are in the same hardware switch, so there is a virtual switch that contains all these ports, so any of these ports is responding to the IP of 192.168.1.99. So that's the IP you can go to, to access this device with the web browser. You need to make sure that your computer is in the same network. So let's connect the cable and we're going to check the IP. Okay, so I have the cable here, I'm going to connect it to the port 7.

You know what, I just realized that I haven't really given you some more details on my port layout here. Let me show it to you. So this is the FortiGate itself, and this WAN2 is going to be connected of course to my cable connection, the one with 20 megabits per second; this is for backup connectivity if this one is not available. And this one is my primary connection, WAN1, connected to fiber, and this one has a speed of 1 Gb per second with very, very low latency. And then the DMZ will be connected to the lab for some use in the future, and the port number 7 will have the VLAN 75 for the lab and the VLAN 15 for IoT 1. The port 6 will be for a guest VLAN or guest network; they will have access to the internet only. And the ports 5 and 4 will be grouped together with LACP, so I'm going to use LACP to aggregate these two interfaces under a single virtual link, and as I said I'm going to make some more videos about it later on, but today we're just going to use it. And 1, 2, 3 are going to be used for the main VLAN, which is the VLAN 35, and this is my biggest VLAN. I have a lot of videos on there; I have a video here on KBTrainings where I showed you how I installed my cameras and everything, so those cameras are in the VLAN 35 and I want them to have as much bandwidth... I mean, this doesn't increase the bandwidth, just like I said, we have three links of one gigabit per second, so the sessions will be spread between the three links that we have there. So that's what I'm going to do now.

And for that let's go and try to connect to the equipment. Of course I have the cable connected to it, so I'm just going to make sure that I have the IP configured properly. My desktop has two network interface cards, the first one and the second one; I'm going to make some changes to them. So the first one is what I use for my primary network, so I'm not going to touch that. I will touch my second NIC that is there just for things like this. So I'm going to make sure under Properties that the IPv4 that I have here is in the same subnet as the FortiGate; that's why you see here 192.168.1.1, because the FortiGate is at .99, so these two devices should be able to communicate. So I click on OK and then I can just confirm if I can ping it. So right now we don't have access to the internet; this is a Google ping that I'm launching here. So I have also another ping, I can launch some pings to the FortiGate to see if we can ping it. Yes, we can ping it just fine.

So now I'm going to open my browser and go to that IP and click Enter. All right, you have this warning for the certificate, and then I'm going to proceed here. I can log in without the password because, as I said, by default you don't have any password. So now it's asking me to set up a new password; the old password is empty, the new password is going to be this. All right, when I put the new password in it's asking me to log in with the new password. Let me remove this cap... okay. All right, so after entering the new password I'm now in, and here it's asking me to configure some other things like the hostname and the dashboard. I can just click on Begin, and I'm going to give it the hostname of FG, as in FortiGate, and click OK. For the dashboard I have two options: I can take the optimal one or the comprehensive one. I think this one has more information; just click there and OK. All right, so by default you have a video coming here about FortiOS 7.0; if you want to watch it you can, if you are connected to the internet so it can load, but I can just say "don't show it" and click OK. All right, so now we are inside the FortiGate. You can see all the different options, all the layouts. So basically let's go back to our assignments: we are done with console access, we are done with GUI access, so now I want to do WAN1, our primary connection.

As I said, I have this cable here; this is connected to my ONT. I'm going to use it on my WAN1 port. So my connection is PPPoE. PPPoE means point-to-point over Ethernet, I mean Point-to-Point Protocol over Ethernet; that's what I'm given by my ISP. I also have credentials, I have a username and a password, and there's a VLAN tag on that traffic, so I need to make sure my WAN connection has a VLAN tag, I mean it receives the traffic from that specific tag, which is the tag 201. So let's go in and configure that interface. So we're going to go under Network, Interfaces. You have a lot of things here that are coming with the device itself. So what you have to do is create a new interface, and we're going to give it a name of "wan", and the type of interface is a VLAN interface. The physical interface to which it's attached is WAN1, and the VLAN ID is 201. What is the role of that interface? It's a WAN interface, so it goes outside to the internet. And what is the addressing mode? We're going to use PPPoE. As I said, I have my username and password that I'm going to plug in now. Okay, my username and password are in; everything else can be left to default. I'd like to ping it, yes. I don't think I need any of these, and I'll just click on OK. And if you go back here... oh, that's Google talking to me because there's no internet connection. Oh, actually, because I have these two devices here with me I don't have an internet connection. So if we look under WAN1 we have this interface that is created, and I'm just going to connect this cable to the firewall under WAN1. WAN1 doesn't come up, so I think it's not connected to the ONT. Let me go connect it and I'll be back. [Music] Okay, it's connected. WAN1 is blinking here, and if we go back here we just need to refresh the page, and WAN1 is now green and the VLAN, I mean this port, is up, and we also have a public IP, which is good, which means that we are now able to connect to the internet, I mean from the device only. If I ping Google from here, exec ping... all right, so we can ping Google without any problem. That's fine, so now we have internet connectivity. I'll just come here and say that this is done.

So next we need to work on our LAN interfaces, or these interfaces that we have here going in our network internally. As I said, 1, 2, 3 will be aggregated with LACP, so I'm going to do that now. Let's go back to the screen here. First of all, 1, 2, 3, 4, 5, 6, 7, all of them are linked to this hardware switch here. There is an internal switch that comes by default in the device, so I need to release those interfaces from here. So yeah, 1, 2, 3, 4, 5, 6; 7 is being used by me because this is the IP that I have access to, so I don't have to mess with that one. I'll just change the other six. It's asking me to confirm, I say OK. All right, so when I'm back here then I can create a new interface, or a new LACP interface. So I'm going to say Interface, Create New; the name will be "main", this is going to be for my main network, and it's going to be an 802.3ad aggregate interface, because this is the code, or the code name for 802.3ad, I mean for LACP. All right, so it's going to have 1, 2 and 3, okay, and I am also going to give it the role of LAN, of course. So the manual IP for the interface would be 10.35.0.1 and the subnet mask will be a /60, oh, /24. Everything else can stay the same; I don't need a DHCP server here, but I need to ping, speed test, I need HTTP, HTTPS, I need SSH as well. Okay, I think that's it for this one here, I just click on OK, so it's ready to be used.

All right, so now I'm going to create another aggregate interface for the Trappist network. The name would be "trappist"; it's going to be 802.3ad, members 4 and 5. It's a LAN; the IP would be 10.0.0.1 with a subnet mask of 255.255.255.0. Here I need to ping and do all of this. All right, so I need a DHCP server here, and I want it to start at 11 because I always like to reserve 1 through 10 for my static IPs, and I want it to go all the way to 249, because 250 all the way to 254 I use for my VPN devices, which are basically just me and my other devices that I have. All right, so I think that's it for this interface here, I'll just click on OK.

The last thing we need to do is... let's go back to the configuration. So we did these three, we did these two, now I need to configure 7, but because I'm connected to 7 I think I'm going to switch it to 6, and 7 will be for the guest. So I'm going to set up the internal number 6; it's here. And I'm going to make sure that I have... I don't have to go in, actually. I'm just going to create two VLAN interfaces. The first one is going to be "lab75"; this is for my lab. It's going to be linked to the internal6 with a VLAN ID of 75; it's a LAN, and the IP would be 10.75.0.1 with the /24, and I don't need any of this, I don't need a DHCP server... I may need it. I'll just click on OK. That's one interface, and then I'm going to add another one for my guest VLAN, which has the tag of, let's see, 25. All right, so I'm going to create a new interface, call it "polaris", linked to internal6 with the ID of 25, with the IP of 10.25.0.1, okay, and everything else can stay the same. I would need a DHCP server on it, and that's it.

Okay, so now that we have our LAN configured, let's say this is done, or we can now go and install the device, because I don't want to bring the cable for the secondary network all the way here. I already have this one going all the way to my rack, so I'm just going to go and place the device where it's supposed to be, and from there we are going to add some more configurations to configure WAN2 and configure SD-WAN. Let me do it and I'll be back with you.

All right, so the FortiGate is in the rack. As you can see, we don't have connectivity here, so because this is down I need to go to the 35.0.1... yes, and I have access to it over here. Okay, and by the way, we still don't have access to the internet because nothing is configured to allow us to go to the internet. And I also connected the WAN2 connection, which is a cable connection, so there is not much to do there. If I go under Interfaces, I'm pretty sure it should be up by now. Yes, WAN2 is up and we have a public IP assigned to it because that one has only DHCP; it's Ethernet with DHCP, so after the modem I just connect to the FortiGate and it auto-configured itself, which is our redundancy. All right, so now, let's see, we are done with this, so now I'm going to configure SD-WAN.

Okay, to do that let me go under Network, SD-WAN, and by default we have these two zones here, these two interfaces here that are delivered by default. I'm just going to add the ports that I have to this virtual WAN link. So I'll do Create New, SD-WAN Member, and I'm going to select "wan", and I can leave the cost at zero, that's fine, but the cost can help you just manually pick what you prefer. So I'm just going to leave it at zero and click OK. So if we go down we can see "wan" is here. I'm also going to add WAN2, so I have WAN2, cost zero, and click OK. So after doing that, SD-WAN now, or the virtual WAN link, has the two members that we need. The next thing we have to do, I think, is to configure the performance SLA: what are we going to use for SD-WAN to know which connection is better and pick it instead of the other? So I'm going to create a new one; there are some here that come by default. I'll just say create one and we'll give it the name of "best first". All right, it's going to be active all the time; it will be pinging the Google server, okay. All right, so the next thing is to select who are the participants: all the members are in. Do we have a target SLA? No, in this case I just want the best connection to be used. So how often do we check that connection? We check it every 500 milliseconds, which is good, and if we have five failures we consider that link disabled, and if it's successful five times we consider it enabled, and if it's ever down we remove the static route from the routing table. And I'm going to click OK.

There's also something that I have to do that I was about to forget: we need to create a static route for the SD-WAN. So let's go under Static Routes and create one. So it's going to go to the internet; the gateway will be found automatically because we are going to select the interface here, which is the WAN link, or the SD-WAN link. All right, so that's it for this and we're going to click on OK. We still don't have access to the internet because we haven't finished everything yet, but let's go back to SD-WAN, and I also always want to create an SD-WAN rule to make sure that we are using the performance SLA to select the best route. And here I'm going to give it the name of "best", and for what IP? All the IPs, going where? Going everywhere. So I'm going to use, for protocol number, any protocol number. So I'm going to use the best quality for the WAN and WAN2, so I have these two interfaces here that are going to compete to be the best. What is the zone that we consider? It's the first zone; the zone is like the interface that we just created. So the measured SLA is going to be "best first", okay, and we are going to use the latency as the component that we'll be looking at. If we just hover over here you can see that WAN1 has lower latency, so it will always be the best unless it's down; then WAN2 will take over. All right, so that's it, so we just do OK. I think we're good.

The only thing that is preventing us from going to the internet is the IPv4 policy, so I'm going to create a new IPv4 policy by coming here and doing New. I'll give it a name of "main to internet", and the incoming interface is going to be the main network, the outgoing is the SD-WAN, or I can just say "main to SD-WAN", I think that's better. All right, so the source would be the main address and the destination will be everything on the internet, the service all the services, and everything else can stay the default, and I'll click on OK. So if I go back here we should be able to ping now. Nice, so now we have access to the internet, and as you can see we have very low latency, so we are using the fiber, I'm pretty sure. The only thing that I would like to test is to see if I disconnect WAN2... if our connection is going to... those are my devices coming back online. So I'll see if my connection is going to switch to WAN1, I mean if I disconnect WAN1, or "wan", if we're going to switch to WAN2. All right, so we can see that we only missed a single ping, but we are back online with nine milliseconds of latency, which means that we went from fiber to cable with little change in the latency here, I mean in the response time, which is good. So SD-WAN is working as intended. If I go back to the SD-WAN interface I can see some more details; actually I made a whole video where I showed you how I did the SD-WAN on the 80D. We can see that now the sessions are switching over to WAN2, like, oh yeah, all the sessions are over WAN2.

All right guys, that's it for now, that's it for this video. Thank you for watching, and if you have any questions send me an email or leave a comment below, and do not forget to like the video if you've reached this point, and also follow me on social media: Facebook, Instagram and Twitter. Thank you so much, and if you are preparing for the CCNA I have a course on kbc.com that's going to help you for that. I'll see you in the next one; until then, take care, bye.
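The same build, written out as FortiOS 7.0 CLI, as an added example that is not part of the video or of KBTrainings' material. It mirrors the GUI steps in the captions: release the ports from the default "internal" hardware switch, create the PPPoE VLAN 201 sub-interface on wan1, the 802.3ad bundle of internal1-3 for the 10.35.0.0/24 network, a VLAN sub-interface on internal6, the two SD-WAN members with a latency-based performance SLA and rule, the default route through the SD-WAN zone, and the single egress policy. Assumed or placeholder values: the PPPoE username and password, 8.8.8.8 standing in for "the Google server" of the performance SLA, the SD-WAN member IDs 1 and 2, and the `trappist` bundle (ports 4 and 5 with its DHCP scope) and the guest VLAN 25 left out for length; the guest VLAN is built like `lab75` with `set vlanid 25` and `10.25.0.1`. One deliberate change from the video: administrative access on the LAN bundle is limited to HTTPS and SSH instead of also allowing cleartext HTTP. Lines beginning with `#` are explanatory comments.

```fortios
# FortiOS 7.0 CLI form of the GUI steps in the video (added example).
# Release internal1-3 and internal6 from the default hardware switch;
# internal4/5 would be released the same way for the second bundle.
config system virtual-switch
    edit "internal"
        config port
            delete "internal1"
            delete "internal2"
            delete "internal3"
            delete "internal6"
        end
    next
end
config system interface
    # Primary WAN: VLAN 201 on wan1, PPPoE addressing (credentials are placeholders).
    edit "wan"
        set vdom "root"
        set interface "wan1"
        set vlanid 201
        set mode pppoe
        set username "pppoe-user@isp.example"
        set password "pppoe-password"
        set role wan
        set allowaccess ping
    next
    # 802.3ad (LACP) bundle of three 1G links; sessions are spread, each link stays 1G.
    edit "main"
        set vdom "root"
        set type aggregate
        set member "internal1" "internal2" "internal3"
        set ip 10.35.0.1 255.255.255.0
        set role lan
        set allowaccess ping https ssh
    next
    # Lab VLAN 75 riding on internal6.
    edit "lab75"
        set vdom "root"
        set interface "internal6"
        set vlanid 75
        set ip 10.75.0.1 255.255.255.0
        set role lan
    next
end
# SD-WAN: both uplinks in the default zone, health check every 500 ms,
# 5 misses marks a member down, 5 hits marks it up, static route withdrawn on failure.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan"
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
        next
    end
    config health-check
        edit "best-first"
            set server "8.8.8.8"
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set members 1 2
        next
    end
    # Rule: any source, any destination, always pick the lowest-latency member.
    config service
        edit 1
            set name "best"
            set mode priority
            set dst "all"
            set health-check "best-first"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end
# Default route via the SD-WAN zone (no gateway; the members supply it).
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
# Egress policy; "main address" is the address object FortiOS creates for the interface.
config firewall policy
    edit 1
        set name "main-to-sdwan"
        set srcintf "main"
        set dstintf "virtual-wan-link"
        set srcaddr "main address"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `diagnose sys sdwan health-check` shows per-member latency and state, and `execute ping 8.8.8.8` confirms egress the way the video's ping test does. Two points worth keeping in mind: FortiGate denies everything that no policy permits, so `lab75` (and a guest VLAN built the same way) stays isolated until it gets its own policy, and the policy above has no security profiles and allows every service, which matches the video but is a starting point rather than a hardened ruleset. Restricting the admin account with `set trusthost` under `config system admin` is the usual companion to limiting `allowaccess`.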
Info
Channel: KBTrainings
Views: 35,760
Keywords: fortigate, firewall, firewall configuration, sdwan, lacp, vlan, fortios, fortinet, ccna, guy bisuku, kbtrainings, wan, wan2, firewall policy
Id: dEy7gUKwIeM
Length: 27min 51sec (1671 seconds)
Published: Sat Dec 04 2021