Fortigate Setup

 

Entry-level models use port1 as the LAN interface; mid-range and high-end models have a MGMT interface, with default IP 192.168.1.99

User: admin
Password: (blank)

Admin profiles:
super_admin
prof_admin   (VDOM admin)

super_admin provides full access to the device globally.
prof_admin provides full access to a VDOM but not globally.


FortiGuard
1. Package updates: antivirus and IPS    (update.fortiguard.net)
2. Live queries: web filter, DNS filter, antispam
    service.fortiguard.net   -- proprietary protocol on UDP 53 or 8888
    securewf.fortiguard.net   -- HTTPS over 443, 53, or 8888


FortiGate-VM virtual appliance evaluation license

The FortiGate-VM virtual appliance includes a limited 15-day evaluation license that supports:

    1 CPU maximum
    1024 MB memory maximum
    Low encryption only (no HTTPS administrative access; 7.2 has HTTPS access)
    All features except FortiGuard updates

Check the license status:   diag debug vm-print-license

After the license has expired:   exe factoryreset  or exe factoryreset2 (keeps VDOM, interface and route settings)



System is starting...
Formatting shared data partition ... done!
Starting system maintenance...
Serial number is FGVMEVX455AXV9CD

FortiGate-VM64-KVM login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port1
FortiGate-VM64-KVM (port1) # set mode static
FortiGate-VM64-KVM (port1) # set ip 192.168.2.101/24
FortiGate-VM64-KVM (port1) # set allowaccess http    --- (optional)
FortiGate-VM64-KVM (port1) # end
FortiGate-VM64-KVM #
FortiGate-VM64-KVM # config router static
FortiGate-VM64-KVM (static) # edit 1
new entry '1' added


FortiGate-VM64-KVM (1) # set dst 0.0.0.0/0
FortiGate-VM64-KVM (1) # set gateway 192.168.2.1
FortiGate-VM64-KVM (1) # set device port1
FortiGate-VM64-KVM (1) # end


FortiGate-VM64-KVM # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=14016 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=11.3 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 11.3/11.8/12.3 ms

FortiGate-VM64-KVM # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default


Routing table for VRF=0

C       192.168.2.0/24 is directly connected, port1

FortiGate-VM64-KVM # execute shutdown


Configure Time Zone and specify NTP server

Set DNS server:

NGFW mode and Central SNAT:
Profile-based: Central SNAT is disabled by default; SNAT can be turned on in the firewall policy.
Policy-based: Central NAT is always enabled.


Security Profile
1. Create base AntiVirus (cloned from default)
2. Create base Web Filter (cloned from default)
    If there is no active license, enable the following option:
    Allow websites when a rating error occurs
3. Create base Application Control (cloned from default)
4. Create base DNS Filter (cloned from default)
    If there is no active license, enable the following option:
    Allow DNS requests when a rating error occurs


============Fortigate 60==========

On entry-level models port1 is the LAN interface and has the default IP 192.168.1.99.

Connect to http://192.168.1.99 for initial setup: configure WAN, default route, and outbound security policy.

Register the device at support.fortinet.com.

Out of the box, all LAN ports are in the VLAN switch "internal":

To disable Telnet:
# config system global
    set admin-telnet disable
end
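
The notes above turn on `set allowaccess http` on port1 and turn off `admin-telnet` globally. As an added example (not part of the original post), this Python sketch scans configuration text in FortiOS `show` format and reports every place where HTTP or Telnet administration is still enabled. The function name and the sample configuration are assumptions made for the illustration.

```python
# Added example: audit FortiOS config text for cleartext admin access.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real device.
SAMPLE_CONFIG = """\
config system global
    set admin-telnet enable
end
config system interface
    edit "port1"
        set ip 192.168.2.101 255.255.255.0
        set allowaccess ping https ssh http
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set allowaccess ping telnet
    next
    edit "port3"
        set allowaccess ping https ssh
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # admin protocols that send credentials unencrypted


def audit_admin_access(config_text):
    """Return (scope, setting) findings; settings absent from the text are not evaluated."""
    findings = []
    stack = []    # nested "config ..." blocks we are currently inside
    iface = None  # interface being edited, when directly under "system interface"
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and stack == ["system interface"] and len(words) > 1:
            iface = words[1].strip('"')
        elif words[0] == "set" and stack == ["system interface"] and words[1:2] == ["allowaccess"]:
            for proto in sorted(CLEARTEXT.intersection(words[2:])):
                findings.append((iface, "allowaccess " + proto))
        elif words[0] == "set" and stack == ["system global"] and words[1:3] == ["admin-telnet", "enable"]:
            findings.append(("global", "admin-telnet enable"))
    return findings


if __name__ == "__main__":
    for scope, setting in audit_admin_access(SAMPLE_CONFIG):
        print(f"{scope}: {setting}")
```

Run it against a saved configuration backup; an empty result means no interface lists `http` or `telnet` in `allowaccess` and no explicit `admin-telnet enable` line was found.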

 
