FortiGate Basic Configuration Using CLI
The configuration steps provided are valid for FortiOS, which is the operating system used by Fortinet’s FortiGate firewall appliances. Specifically, these steps should work with FortiOS versions 6.x and 7.x, which are common and widely used in many environments. However, always refer to the specific documentation for your version of FortiOS, as there can be minor differences and enhancements in newer releases.
Here are the general versions of FortiOS for which the given configuration is valid:
- FortiOS 6.0.x
- FortiOS 6.2.x
- FortiOS 6.4.x
- FortiOS 7.0.x
- FortiOS 7.2.x
To verify the exact version you are using, you can check your FortiGate device with the following CLI command:
get system status
Configuration
Setup for a WAN interface (Internet), two LAN interfaces (LAN1 and LAN2) and a DMZ interface, with LAN1 restricted from accessing the Internet.
1. Connect to FortiGate CLI
Access the FortiGate CLI via console, SSH, or web-based CLI.
2. Configure WAN Interface
config system interface
edit "wan1"
set ip <WAN_IP_ADDRESS> <SUBNET_MASK>
set allowaccess ping https ssh
next
end
Replace <WAN_IP_ADDRESS> and <SUBNET_MASK> with your WAN IP address and subnet mask. Note that allowaccess on wan1 exposes the listed management services (HTTPS and SSH here) to the Internet; keep the list to what you actually need on this interface and restrict administrator logins to trusted source addresses.
3. Configure LAN Interfaces
LAN1 (Internal Network)
config system interface
edit "lan1"
set ip <LAN1_IP_ADDRESS> <SUBNET_MASK>
set allowaccess ping https ssh
next
end
Replace <LAN1_IP_ADDRESS> and <SUBNET_MASK> with your LAN1 IP address and subnet mask.
LAN2 (Internal Network)
config system interface
edit "lan2"
set ip <LAN2_IP_ADDRESS> <SUBNET_MASK>
set allowaccess ping https ssh
next
end
Replace <LAN2_IP_ADDRESS> and <SUBNET_MASK> with your LAN2 IP address and subnet mask.
4. Configure DMZ Interface
config system interface
edit "dmz"
set ip <DMZ_IP_ADDRESS> <SUBNET_MASK>
set allowaccess ping https ssh
next
end
Replace <DMZ_IP_ADDRESS> and <SUBNET_MASK> with your DMZ IP address and subnet mask.
5. Create Security Policies
Allow LAN2 and DMZ to Access the Internet
config firewall policy
edit 1
set name "LAN2_to_WAN"
set srcintf "lan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "DMZ_to_WAN"
set srcintf "dmz"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
Restrict LAN1 from Accessing the Internet
config firewall policy
edit 3
set name "LAN1_to_WAN_Deny"
set srcintf "lan1"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
next
end
FortiGate drops any traffic that no policy matches (the implicit deny), so this explicit policy is not required for enforcement. Its value is that the LAN1 denial is named, visible in the policy list, and can be logged.
6. Create Policies for Internal Communication
Allow LAN1 to Communicate with DMZ and LAN2
config firewall policy
edit 4
set name "LAN1_to_DMZ"
set srcintf "lan1"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 5
set name "LAN1_to_LAN2"
set srcintf "lan1"
set dstintf "lan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
These policies permit all services from LAN1 to the DMZ and LAN2; in production, narrow the service list to what LAN1 actually needs. Note that no policy allows traffic from the DMZ or LAN2 back into LAN1, so those directions fall to the implicit deny.
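The two policy sections above are easier to reason about with a small model of how FortiGate evaluates them. The following Python is an added example, not code from the guide or from Fortinet: it parses a constructed sample holding three of the guide's policies in FortiOS CLI form, emulates first-match lookup by interface pair, address object and service (only the "all" address object and the "ALL" service used in the guide are modelled), and applies the implicit deny when nothing matches. It also shows that removing the explicit LAN1 deny (policy 3) leaves LAN1 blocked anyway, and that LAN1 hosts cannot reach an Internet DNS server such as 8.8.8.8.

```python
"""Added example (not from the guide): parse FortiOS firewall policies and
emulate FortiGate's first-match evaluation, including the implicit deny."""

# Constructed sample: three of the guide's policies, in FortiOS CLI form.
SAMPLE_POLICY_CONFIG = """
config firewall policy
    edit 1
        set name "LAN2_to_WAN"
        set srcintf "lan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set name "LAN1_to_WAN_Deny"
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "LAN1_to_DMZ"
        set srcintf "lan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_policies(cli_text):
    """Turn a 'config firewall policy' block into a list of dicts, in sequence order."""
    policies, current = [], None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": int(line.split()[1])}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(" ", 2)
            # Multi-value fields (srcintf, srcaddr, service, ...) are space-separated.
            current[key] = [v.strip('"') for v in value.split()]
    return policies


def first_match(policies, srcintf, dstintf, service="ALL"):
    """First policy in sequence whose interfaces, addresses and service match wins;
    no match means the implicit deny, reported as policy id None."""
    for p in policies:
        if srcintf not in p["srcintf"] and "any" not in p["srcintf"]:
            continue
        if dstintf not in p["dstintf"] and "any" not in p["dstintf"]:
            continue
        if "all" not in p["srcaddr"] or "all" not in p["dstaddr"]:
            continue  # only the 'all' address object is modelled here
        if "ALL" not in p["service"] and service not in p["service"]:
            continue
        return p["id"], p.get("action", ["deny"])[0]  # FortiOS default action is deny
    return None, "deny"


def evaluate_guide_requirements(policies):
    """Check the guide's intent: LAN2 reaches the Internet, LAN1 does not, LAN1 reaches the DMZ."""
    return {
        "lan2->wan1": first_match(policies, "lan2", "wan1"),
        "lan1->wan1": first_match(policies, "lan1", "wan1"),
        "lan1->dmz": first_match(policies, "lan1", "dmz"),
        "dmz->lan1": first_match(policies, "dmz", "lan1"),  # never configured: implicit deny
        "lan1->wan1 DNS": first_match(policies, "lan1", "wan1", service="DNS"),
    }


def without_policy(policies, policy_id):
    """Policy list with one policy removed, to see what the remaining ones decide."""
    return [p for p in policies if p["id"] != policy_id]


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY_CONFIG)
    for flow, (pid, action) in evaluate_guide_requirements(pols).items():
        print(f"{flow:15} -> policy {pid}: {action}")
    # Without the explicit deny, LAN1 is still blocked by the implicit deny.
    print("lan1->wan1 without policy 3:", first_match(without_policy(pols, 3), "lan1", "wan1"))
```

The "lan1->wan1 DNS" entry is the practical consequence worth noticing: if LAN1 clients are handed 8.8.8.8 by DHCP (step 9), their DNS queries are dropped by policy 3, so name resolution on LAN1 fails unless a DNS server reachable from LAN1 is used.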
7. Configure Static Routes
config router static
edit 1
set dst 0.0.0.0/0
set gateway <ISP_GATEWAY_IP>
set device "wan1"
next
end
Replace <ISP_GATEWAY_IP> with your ISP’s gateway IP address.
8. DNS Configuration
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
end
Replace 8.8.8.8 and 8.8.4.4 with your preferred DNS servers if different.
9. Configure DHCP Server for LANs and DMZ
DHCP for LAN1
config system dhcp server
edit 1
set interface "lan1"
set dns-server1 8.8.8.8
set dns-server2 8.8.4.4
set netmask <SUBNET_MASK>
config ip-range
edit 1
set start-ip <LAN1_DHCP_START_IP>
set end-ip <LAN1_DHCP_END_IP>
next
end
next
end
Replace <SUBNET_MASK>, <LAN1_DHCP_START_IP>, and <LAN1_DHCP_END_IP> with the appropriate values for your network. Because policy 3 blocks LAN1 from the Internet, LAN1 clients cannot reach 8.8.8.8 or 8.8.4.4; give them a DNS server they can actually reach. If clients need a default route, also set default-gateway to the interface address.
DHCP for LAN2
config system dhcp server
edit 2
set interface "lan2"
set dns-server1 8.8.8.8
set dns-server2 8.8.4.4
set netmask <SUBNET_MASK>
config ip-range
edit 1
set start-ip <LAN2_DHCP_START_IP>
set end-ip <LAN2_DHCP_END_IP>
next
end
next
end
Replace <SUBNET_MASK>, <LAN2_DHCP_START_IP>, and <LAN2_DHCP_END_IP> with the appropriate values for your network.
DHCP for DMZ
config system dhcp server
edit 3
set interface "dmz"
set dns-server1 8.8.8.8
set dns-server2 8.8.4.4
set netmask <SUBNET_MASK>
config ip-range
edit 1
set start-ip <DMZ_DHCP_START_IP>
set end-ip <DMZ_DHCP_END_IP>
next
end
next
end
Replace <SUBNET_MASK>, <DMZ_DHCP_START_IP>, and <DMZ_DHCP_END_IP> with the appropriate values for your network.
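The three DHCP scopes above share one easy mistake: a netmask or address range that does not agree with the interface configured in steps 3 and 4. The following Python is an added example, not code from the guide or from Fortinet: it takes constructed stand-ins for the guide's placeholders (the interface addresses and scope ranges are invented for illustration, and scope 3 is deliberately inconsistent), checks each scope against its interface with the ipaddress standard library, and renders a scope back into the CLI form used in step 9.

```python
"""Added example (not from the guide): check DHCP scopes against their interfaces
and render them as FortiOS CLI. All addresses are constructed sample values."""
import ipaddress

# Constructed interface addresses standing in for the <..._IP_ADDRESS> placeholders.
INTERFACES = {
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
    "dmz": "10.10.10.1/24",
}

# Constructed DHCP scopes. Scope 3 is deliberately wrong: its netmask does not
# match the dmz interface and its range runs past the end of the subnet.
DHCP_SCOPES = [
    {"id": 1, "interface": "lan1", "netmask": "255.255.255.0",
     "start-ip": "192.168.1.100", "end-ip": "192.168.1.200"},
    {"id": 2, "interface": "lan2", "netmask": "255.255.255.0",
     "start-ip": "192.168.2.100", "end-ip": "192.168.2.200"},
    {"id": 3, "interface": "dmz", "netmask": "255.255.0.0",
     "start-ip": "10.10.10.250", "end-ip": "10.10.11.10"},
]


def check_scope(scope, interfaces):
    """Return the list of problems found for one scope (empty means consistent)."""
    problems = []
    iface = ipaddress.ip_interface(interfaces[scope["interface"]])
    net = iface.network
    start = ipaddress.ip_address(scope["start-ip"])
    end = ipaddress.ip_address(scope["end-ip"])
    # Convert the dotted netmask to a prefix so it can be compared with the interface.
    scope_mask = ipaddress.ip_network(f"0.0.0.0/{scope['netmask']}").netmask
    if scope_mask != net.netmask:
        problems.append("netmask differs from the interface netmask")
    if start > end:
        problems.append("start-ip is after end-ip")
    if start not in net or end not in net:
        problems.append("range is not inside the interface subnet")
    if start <= iface.ip <= end:
        problems.append("range includes the interface's own address")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    return problems


def check_all(scopes, interfaces):
    """Map each scope id to its list of problems."""
    return {s["id"]: check_scope(s, interfaces) for s in scopes}


def render_scope(scope, dns=("8.8.8.8", "8.8.4.4")):
    """Render one scope as the 'config system dhcp server' block from step 9."""
    lines = [
        "config system dhcp server",
        f"edit {scope['id']}",
        f'set interface "{scope["interface"]}"',
        f"set dns-server1 {dns[0]}",
        f"set dns-server2 {dns[1]}",
        f"set netmask {scope['netmask']}",
        "config ip-range",
        "edit 1",
        f"set start-ip {scope['start-ip']}",
        f"set end-ip {scope['end-ip']}",
        "next",
        "end",
        "next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for scope_id, problems in check_all(DHCP_SCOPES, INTERFACES).items():
        print(f"scope {scope_id}: {problems or 'ok'}")
    print(render_scope(DHCP_SCOPES[0]))
```

Run the checks before pasting the rendered blocks into the CLI; a scope that fails them will either hand out unusable addresses or, with a mismatched netmask, clients that cannot reach their own gateway.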
10. Final Checks and Monitoring
Ping Test: Ensure devices in LAN2 and DMZ can access the Internet, but LAN1 cannot.
Policy Monitoring: show firewall policy lists the configured policies. To see which policy a live flow actually matches, use the flow debugger: set a filter with diag debug flow filter (for example on a test host's address), start the trace with diag debug flow trace start, turn output on with diag debug enable, and turn it off again with diag debug disable when finished.
Log and Report: Enable logging for the policies (set logtraffic all in each policy, including the LAN1 deny policy) so that accepted and denied traffic can be reviewed.
11. Backup Configuration
execute backup config tftp <filename> <TFTP_SERVER_IP>
execute backup config usb <filename>
Replace <filename> with your desired backup file name and, for the TFTP form, <TFTP_SERVER_IP> with the address of your TFTP server; the backup command needs a destination (tftp or usb, as shown) after "config".