Chapter 2 – Getting Started


Redundant Internet Installation

In this configuration, a WAN link interface is created that provides the FortiGate with redundant Internet connections from two Internet service providers (ISPs). The WAN link interface combines these two connections, allowing the FortiGate to treat them as a single interface.

Installing a FortiGate with Redundant Internet

If you have previously configured your FortiGate using the standard installation, you will have to delete all routes and policies that refer to an interface that will be used to provide redundant Internet. This includes the default Internet access policy that is included on many FortiGate models.

1. Connect the FortiGate’s Internet-facing interfaces (typically WAN1 and WAN2) to your ISP-supplied equipment.

2. Go to Network > WAN LLB to create a WAN link interface, which is used to group multiple Internet connections together so that the FortiGate can treat them as a single interface.

3. Select an appropriate method of WAN Load Balancing from the following options:

  • Source IP based – The next hop is based on the traffic’s source IP address.
  • Weighted Round Robin – A weight is entered for each active member of the WAN link.
  • Spillover – A traffic cap is defined for the active members; when it is exceeded, traffic automatically activates the standby link.
  • Source-Destination IP based – The next hop is based on both the traffic’s source and destination IP address.
  • Measured Volume based – A volume ratio is set for each active member of the WAN link.

4. Add your Internet-facing interfaces to the WAN link interface and configure load balancing as required for each interface.

5. Go to Network > Static Routes and create a new default route. Set Device to the virtual WAN link.

6. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy that allows users on the private network to access the Internet.


If your network uses IPv6 addresses, go to Policy & Objects > IPv6 Policy and select Create New to add a security policy that allows users on the private network to access the Internet. If the IPv6 menu option is not available, go to System > Feature Select, turn on IPv6, and select Apply. For more information on IPv6 networks, see the IPv6 Handbook.

7. In the policy, set the Incoming Interface to the internal interface and the Outgoing Interface to the WAN link interface. You will also need to set Source Address, Destination Address, Schedule, and Service according to your network requirements. You can set these fields to the default all/ALL settings for now, but you should create the appropriate objects later, after the policy has been verified.

8. Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected. Select OK.

It is recommended to avoid using any security profiles, such as AntiVirus or web filtering, until after you have successfully installed the FortiGate. After the installation is verified, you can apply any required security profiles.

For more information about using security profiles, see the Security Profiles handbook.


Results

Users on the internal network are now able to browse the Internet. They should also be able to connect to the Internet using any other protocol or connection method that you defined in the security policy.

The amount of traffic that uses an individual member of the WAN link interface depends on the load balancing method you selected. You can view this usage by going to FortiView > All Sessions and viewing the Destination Interface column. If this column is not shown, right-click on the title row and select Destination Interface from the dropdown menu. Scroll to the bottom of the menu and select Apply.


Using a Virtual Wire Pair

A virtual wire pair consists of two interfaces that have no IP addressing and are treated similarly to a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded out the other interface, provided that a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

Virtual wire pairs are useful for unusual topologies where MAC addresses do not behave normally: for example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

In FortiOS 5.4, virtual wire pair replaces the feature port pairing from earlier firmware versions. Unlike port pairing, virtual wire pair can be used for FortiGates in NAT/Route mode as well as Transparent mode.

In the example configuration below, a virtual wire pair (consisting of port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network will access the web server through the ISFW over the virtual wire pair.


Adding a virtual wire pair and virtual wire pair policy

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

1. Go to Network > Interfaces and select Create New > Virtual Wire Pair.

2. Select the interfaces to add to the virtual wire pair. These interfaces cannot be part of a switch, such as the default lan/internal interface.

3. (Optional) If desired, enable Wildcard VLAN.

4. Select OK.

5. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy, select the virtual wire pair, and select Create New.

6. Select the direction that traffic is allowed to flow.

7. Configure the other firewall options as desired.

8. Select OK.

9. If necessary, create a second virtual wire pair policy to allow traffic to flow in the opposite direction.
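The virtual wire pair and its policies from steps 1 through 9, entered from the FortiOS CLI. This is an added example, not code from the original cookbook; the pair name vwp-webserver, the policy IDs and the choice to limit the user-to-server direction to HTTP and HTTPS are assumptions for the ISFW scenario above.

```fortios
config system virtual-wire-pair
    edit "vwp-webserver"
        # port3 faces the users, port4 faces the web server; neither may belong to a switch
        set member "port3" "port4"
        # optional: pass tagged frames for any VLAN ID through the pair
        set wildcard-vlan enable
    next
end

config firewall policy
    # users (port3) -> web server (port4); reply packets ride the same session
    edit 10
        set name "users-to-webserver"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # only needed if the web server itself initiates connections towards the users' side
    edit 11
        set name "webserver-to-users"
        set srcintf "port4"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because the pair has no IP addresses, NAT is not set on either policy. If the server never opens connections of its own, omit policy 11 entirely so that a compromised server gains no path back into the user network.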


Results

If you have a USB WAN interface, it will not be included in the interface list when building a virtual wire pair.

Traffic can now flow through the FortiGate using the virtual wire pair.


Troubleshooting your FortiGate Installation

If your FortiGate does not function as desired after completing the installation, try the following troubleshooting tips:

1. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet.

If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. See your FortiGate’s QuickStart Guide for details.

2. Check for equipment issues.

Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed information about the FortiGate LED indicators.

3. Check the physical network connections.

Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that device.

Also, check the Unit Operation widget, found in the Dashboard, to make sure the ports used in the connections are shown in green.

4. Verify that you can connect to the internal IP address of the FortiGate.

Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99.

If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but can’t connect to the GUI, check the settings for administrative access on that interface.

5. Check the FortiGate interface configurations.

Check the configuration of the FortiGate interface connected to the internal network, and check the configuration of the FortiGate interface that connects to the Internet to make sure Addressing Mode is set to the correct mode.

6. Verify the security policy configuration.

Go to Policy & Objects > IPv4 Policy and verify that the internal interface to Internet-facing interface security policy has been added and is located near the top of the policy list. Check the Sessions column to ensure that traffic has been processed (if this column does not appear, right-click on the title row, select Sessions, and select Apply).

If you are using NAT/Route mode, check the configuration of the policy to make sure that NAT is turned on and that Use Outgoing Interface Address is selected.

7. Verify that you can connect to the Internet-facing interface’s IP address.

Ping the IP address of the FortiGate’s Internet-facing interface. If you cannot connect to the interface, the FortiGate is not allowing sessions from the internal interface to the Internet-facing interface.

8. Verify the static routing configuration.

Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.

9. Verify that you can connect to the gateway provided by your ISP.

Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

10. Verify that you can communicate from the FortiGate to the Internet.

Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

11. Verify the DNS configurations of the FortiGate and the PCs.

Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com

If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.

12. Confirm that the FortiGate can connect to the FortiGuard network.

Once registered, the FortiGate obtains antivirus, application control, and other updates from the FortiGuard network. After the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased.

Go to System > FortiGuard. Expand Web Filtering and Email Filtering Options and select Test Availability. After a minute, the GUI should indicate a successful connection.

13. Consider changing the MAC address of your external interface.

Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using the following CLI command:

config system interface
    edit <interface>
        set macaddr <xx:xx:xx:xx:xx:xx>
    next
end

14. Either reset the FortiGate to factory defaults or contact the technical assistance center.

If all else fails, reset the FortiGate to factory defaults using the CLI command execute factoryreset. When prompted, type y to confirm the reset.

You can also contact Fortinet Support for assistance. Read the article How to work with Fortinet Support on the Fortinet Cookbook website to understand what type of support is available and to determine which level of support is right for you. For further information, go to support.fortinet.com.
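The CLI checks behind troubleshooting steps 6 through 12, collected in one session as an added example (these commands are not part of the original page). The internal test PC address 192.168.1.10 and the ISP gateway 203.0.113.1 are assumed values; lines beginning with # are commentary, not commands.

```fortios
# Steps 6 and 7: list the policies, then trace how a session from the test PC is matched.
# The trace output names the policy id that accepted (or denied) each packet.
show firewall policy
diagnose debug flow filter addr 192.168.1.10
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10
# ... generate traffic from the PC (for example, browse to a web site), then stop the trace
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear

# Step 8: the routing table should contain S* 0.0.0.0/0 (the static default route)
# and one C (connected) entry per configured interface.
get router info routing-table all

# Steps 9 and 10: reach the ISP gateway and the Internet from the FortiGate itself.
execute ping 203.0.113.1
execute ping 8.8.8.8
execute traceroute 8.8.8.8

# Step 11: confirm the configured DNS servers and that the FortiGate can resolve names.
show system dns
execute ping www.fortinet.com

# Step 12: check that the FortiGuard rating servers are reachable.
diagnose debug rating
```

Work through the checks in this order: a missing or wrong default route explains a failed ping to 8.8.8.8, and a failed name lookup with a working ping to 8.8.8.8 points at DNS rather than routing. Always clear the flow filter and disable debugging when done so that the trace does not keep consuming CPU on a production unit.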

