Configuration: Username: Admin Password: No Password


Configuration

First step when we get a fresh firewall


Firewall models: 30 series to 7000 series
• Firewall models from the 30 to 90 series do not have a mgmt port, so use a LAN port to connect the system to the firewall.
• Models from the 100 to 6000 series have a mgmt port; connect to that only for the first time.
The IPv4 default gateway address will be 192.168.1.99 for all Fortinet devices.
Then search for Run, enter ncpa.cpl and click OK.

Then go to Network Connections, click Properties, select Internet Protocol Version 4 (TCP/IPv4), click Properties again, then select the DHCP option and click OK.

After the system has been assigned an address by DHCP, open the browser and log in at the IPv4 default gateway, https://192.168.1.99.

Username: admin Password: no password


Step 1:
System ---> Settings
Change the Hostname and Time Zone, then click Apply

Step 2:
Network ---> Interface
Select any one LAN/mgmt interface as shown below, then edit it

Fig 2.1
Edit the following details:
• Alias: Lan
• Role: Lan
• IP/Network Mask: x.x.x.x/24
• Administrative Access: Enable the protocols that are required

Once we have set the IP/Network Mask as per the requirement, we need to change the system IP address from automatic to manual.
[Note: The firewall default gateway and your system default gateway should be the same.]

HTTP: Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers.

HTTPS: Hypertext Transfer Protocol Secure is an extension of HTTP. It is used for secure communication over a computer network, and is widely used on the Internet.

PING: The Packet InterNet Groper. It is a network management utility used to test the network communication between two devices.

FMG-Access: Used on a WAN interface for something like FortiCloud or FortiManager, if you want to manage the firewall from another device via your public IP address.

CAPWAP: The Control and Provisioning of Wireless Access Points (CAPWAP) protocol is a standard, interoperable networking protocol that enables a central wireless LAN Access Controller (AC) to manage a collection of Wireless Termination Points (WTPs), more commonly known as wireless access points.

SSH: Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.
To create the WAN interface, select one WAN port, click on it and edit the following details as shown below:
• Alias: Internet
• Role: WAN
• Addressing mode: DHCP
• Distance: 10
• Administrative access: Enable as per requirement
• Scan Outgoing Connections to Botnet Sites: Disable / Block / Monitor

Addressing modes:
Manual: We will assign the IP addresses
DHCP: Automatically assigns the IP addresses
PPPoE: Used to connect a PC or a router to a modem via an Ethernet link

Step 3:
Network ---> Static Routes
Edit the Interface: Internet
Gateway address: 192.168.10.1, then click OK

Step 4:
Policy and Objects ---> Addresses
Click on Create New and under that select Address
• Name: x.x.x.x
• Subnet/IP range: x.x.x.x/x.x.x.x

Step 5:
Policy and Objects ---> IPv4
If a policy already exists, edit that policy; otherwise create a new policy as follows:

• Name: Internet
• Incoming Interface: Lan
• Outgoing Interface: Internet
• Source: all / select based on requirement
• Destination: all / select based on requirement
• Services: all / select based on requirement
• Action: Accept/Deny
Firewall / Network Options
• NAT: Enable
Security Profiles
• Antivirus: Enable
• Web Filter: Enable/Disable
• Application Control: Enable/Disable
Logging Options
• Log Allowed Traffic: All sessions

Step 6:
1. Security Profiles ---> Antivirus
To enter the name first go to
System ---> Settings ---> Feature Visibility and select
• Multiple Interface Policies
Then to add address select + and add address
[Adding name for both Web Filter and Application Filter]

2. Security Profiles ---> Web Filter

Web Filter:
Static URL Filter -
Enable URL Filter,
then click Create New to block/enable any specific URL

Fig 6.2 a
Fig 6.2 b

For example, in fig 6.2 a above we enable specific links (google.com, gmail.com and youtube.com): enter each one, then select
• URL: google.com
• Type: Wildcard
• Action: Exempt

3. Security Profiles ---> Application Control

Application Control:
Application Overrides -
Click on Add Signatures, then Add Filter; under that select Name (enter the one that should be blocked), choose Select All, then click Use Selected Signatures

Fig 6.3

For example, in fig 6.3 above we have blocked gmail, google and youtube
[Click Add Signature, then Add Filter; under that select Name (google.com), then click Select All]

Step 7:
Log and Report ---> Forward Traffic, then click on any entry to view the details

NOTE:
1. Default IP of FortiGate: 192.168.1.99
2. Connect to the mgmt port for the first time
3. Then go to Interface (FortiGate), add the address you need, connect to the port you require and change the system IP
4. If the interface IP address is 172.20.20.10/24, then the system IP should be 172.20.20.12/24.
5. To access the internet, we have to create one policy with the system IP address in the source.
6. To access the FortiGate, use the IP default gateway address only.
7. Enable Multiple Interface Policies, then click the implicit policy and enable Log Violation Traffic.
