Setting Up Fortigate Firewall In GNS3

In this lab I will show you how you can setup Fortigate firewall in GNS3.

Pre-requisites: an understanding of how basic firewalls work, including zones and security policies.

Step 1: Download the VM image from Fortinet website. You will need to setup an account first to gain access.

https://support.fortinet.com/asset/#/views/products

Step 2: Under the Support Menu click VM images.

Step 3: Choose product Fortigate and platform KVM and then download the version you would like to test. This image comes with a limited time license.

Step 4: Once the image is downloaded, add the appliance in GNS3 by selecting New Template, clicking Next and choosing Fortigate under Firewall. You will see a list of firewalls with version numbers; if the latest version is not listed, create a new entry and add the name of the image file you just downloaded from the Fortinet Support website. Click Next until you are told that the appliance can be found under the Security devices list on the left.

Now you can drag and drop the appliance in a new project like I have done in this topology.

[Image: Fortigate lab1.png (lab topology)]

Once the topology is set up, power on all the devices. When the Fortigate firewall boots you will be prompted to log in: the default username is admin and the password is left blank. After the first login it is recommended to set a new password.

Once you have a telnet session to the Fortigate firewall you can set up the interface IPs and basic configuration before moving to the web UI, which makes configuration much easier.

FortiGate-VM64-KVM # get system status 
Version: FortiGate-VM64-KVM v7.0.0,build0066,210330 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
.
.
.
VM Resources: 1 CPU/1 allowed, 997 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 0066
Release Version Information: GA
FortiOS x86-64: Yes
System time: Sun May  9 17:02:40 2021
Last reboot reason: warm reboot

To configure the interface IP, switch to the interface configuration context.

FortiGate-VM64-KVM # config system interface 

FortiGate-VM64-KVM (interface) # 
edit      Add/edit a table value.
delete    Delete a table value.
purge     Clear all table values.
get       Get dynamic and system information.
show      Show configuration.
end       End and save last config.

FortiGate-VM64-KVM (interface) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.1.1.2 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set alias "WAN"
        set lldp-reception enable
        set role wan
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping ssh
        set type physical
        set alias "Connected to Switch"
        set role dmz
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 172.16.10.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set alias "LAN"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "port5"
        set vdom "root"
        set type physical
        set snmp-index 5
    next
    edit "port6"
        set vdom "root"
        set type physical
        set snmp-index 6
    next
    edit "port7"
        set vdom "root"
        set type physical
        set snmp-index 7
    next
    edit "port8"
        set vdom "root"
        set type physical
        set snmp-index 8
    next
    edit "port9"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "port10"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 11
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 12
    next
end

FortiGate-VM64-KVM (interface) #

We then type edit followed by the port name to make changes to that port.

FortiGate-VM64-KVM (interface) # edit port1 
 <Enter>

FortiGate-VM64-KVM (port1) # 
FortiGate-VM64-KVM (port1) # ?
config      Configure object.
set         Modify value.
unset       Set to default value.
select      Select multi-option values.
unselect    Unselect multi-option values.
append      Append values to multi-option.
clear       Clear multi-option values.
get         Get dynamic and system information.
show        Show configuration.
next        Configure next table entry.
abort       End and discard last config.
end         End and save last config.

Apply the configuration as I have done for port1, port2 and port3, then type end to save the configuration.
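Before leaving the CLI it is worth checking what management access each interface has been given. The allowaccess line on port1 above admits http and telnet on the interface with role wan, both of which carry credentials in cleartext. The following Python script is an added example and not part of this lab or of Fortinet's tooling: it parses the text that show prints inside config system interface (a trimmed copy of the lab's output is embedded as constructed sample input) and reports interfaces with cleartext management protocols enabled, plus any management access on a wan-role interface. The classification of http and telnet as cleartext, and the treatment of everything other than ping as management or fabric access, are the script's own assumptions.

```python
"""Audit a FortiOS 'config system interface' dump for risky management access.

Added example, not from the lab page or from Fortinet. It parses the output of
'show' inside 'config system interface' and flags interfaces whose allowaccess
list admits cleartext protocols, and any management access on a wan-role port.
"""
import re

# Constructed sample input: a trimmed copy of the interface table from the lab.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.1.1.2 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set alias "WAN"
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping ssh
        set type physical
        set role dmz
    next
    edit "port3"
        set vdom "root"
        set ip 172.16.10.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set role lan
    next
    edit "port4"
        set vdom "root"
        set type physical
    next
end
"""

# Assumption: these allowaccess values carry management credentials in cleartext.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}


def parse_interfaces(show_output):
    """Return {interface_name: {setting: value}} for each edit ... next block."""
    interfaces = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip('"')
            interfaces[current][key] = value
    return interfaces


def audit_allowaccess(interfaces):
    """Return a list of (interface, finding) tuples, ordered by interface name."""
    findings = []
    for name, settings in sorted(interfaces.items()):
        allowed = set(settings.get("allowaccess", "").split())
        role = settings.get("role", "undefined")
        cleartext = sorted(allowed & CLEARTEXT_PROTOCOLS)
        if cleartext:
            findings.append((name, "cleartext management enabled: " + " ".join(cleartext)))
        # Assumption: anything other than ping is management or fabric access,
        # and on a wan-role interface each of those deserves a second look.
        mgmt = sorted(allowed - {"ping"})
        if role == "wan" and mgmt:
            findings.append((name, "management access on wan interface: " + " ".join(mgmt)))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_allowaccess(parse_interfaces(SAMPLE_SHOW_OUTPUT)):
        print(f"{iface}: {finding}")
```

Run against the sample it reports only port1, once for http and telnet and once for the full management list on the wan interface; port2 and port3 pass because they expose only ssh or https. To use it on a live box, paste the output of show from the interface context into SAMPLE_SHOW_OUTPUT or read it from a file.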

Once the ports are configured, I ping the router R1 at IP 10.1.1.1.

FortiGate-VM64-KVM # execute ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.5 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=1.1 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=2.0 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=1.6 ms

--- 10.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.4/2.0 ms

Now we need to make this firewall reachable from our desktop browser in order to access the web UI. In my case the desktop runs Windows 10; if you have a Mac or Linux you will need to add a route for this subnet from the terminal. On the Windows taskbar, use the search option, type cmd, and when Command Prompt appears select Run as administrator on the right.

Type route print to see all the available routes. Then add a route for the subnet we configured on the Fortigate port1 interface (10.1.1.2):

route add -p 10.1.1.0 mask 255.255.255.0 192.168.xxx.xxx

!- The gateway IP 192.168.xxx.xxx is configured on R1, which is connected to the Nat0 interface.

Now I should be able to ping the fortigate IP from my command prompt. 

C:\WINDOWS\system32> ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=3ms TTL=254
Reply from 10.1.1.2: bytes=32 time=4ms TTL=254
Reply from 10.1.1.2: bytes=32 time=2ms TTL=254
Reply from 10.1.1.2: bytes=32 time=3ms TTL=254

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 3ms

Now I will open my web browser and enter the IP 10.1.1.2.

[Image: Fortigate login screen.png]

View of the dashboard

[Image: Fortigate dashboard.png]

Network interfaces configured

[Image: Fortigate network Interfaces.png]

Firewall security policy to allow the traffic between different zones.

[Image: Fortigate Firewall policy.png]

This concludes this lab. I will show the configuration done for the Trust and DMZ zones in a separate wiki page. Although I have added the screenshot of the security policies configured on the Fortigate firewall, I have not added the end-to-end testing results, the configuration required, or the terminal reaching the WordPress server and the Google DNS server. I will also show how the configuration can be done on Cumulus Linux, which I am using in this lab.

If you have any comments please let me know.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License