
Configuring the FortiGate 3600-2

The FG-3600-2 is running FortiOS 6.4.0 (build 1572) and has the following local topology (the topology diagram is not reproduced in this text version):

Configured VDOMs: root, Azure, AWS, and Customer (each is configured in the sections below).

Configuring BGP

To configure the root VDOM (the prefix-lists and route-maps come first because the BGP neighbors reference them through route-map-out; note that no neighbor in this configuration sets a password, so every BGP peering shown here is unauthenticated):
config router prefix-list
    edit "allroutes"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192.168.254"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_172.26"
        config rule
            edit 1
                set prefix 172.26.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 172.26.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_255_128"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.254.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_255_0"
        config rule
            edit 1
                set prefix 192.168.255.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "CORP_LAN"
        config rule
            edit 1
                set prefix 192.168.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "allroutes"
        config rule
            edit 1
                set match-ip-address "allroutes"
                set set-aspath "65001"
            next
        end
    next
    edit "To_CORP"
        config rule
            edit 1
                set match-ip-address "Subnet_172.26"
                set set-aspath "65001" "65002"
            next
            edit 2
                set match-ip-address "Subnet_192.168.254"
                set set-aspath "65001" "65002"
            next
        end
    next
    edit "Subnet_192.168.254"
        config rule
            edit 1
                set match-ip-address "Subnet_192.168.254"
            next
        end
    next
    edit "To_Cust_VDOM"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_255_0"
                set set-aspath "65001" "65002"
            next
        end
    next
    edit "CORP_LAN_ToCloud"
        config rule
            edit 1
                set match-ip-address "CORP_LAN"
                set set-aspath "65001 65001"
            next
        end
    next
end
config router bgp
    set as 64532
    set keepalive-timer 1
    set holdtime-timer 3
    set network-import-check disable
    config neighbor
        edit "10.100.253.254"
            set remote-as 64533
            set route-map-out "CORP_LAN_ToCloud"
        next
        edit "10.101.253.254"
            set remote-as 64534
            set route-map-out "CORP_LAN_ToCloud"
        next
        edit "10.102.253.254"
            set remote-as 64535
            set route-map-out "To_Cust_VDOM"
        next
        edit "192.168.1.1"
            set remote-as 64530
            set route-map-out "To_CORP"
        next
    end
    config network
        edit 1
            set prefix 192.168.255.0 255.255.255.0
        next
    end
end
To configure the Azure VDOM:
config router bgp
    set as 64533
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "10.100.253.253"
            set remote-as 64532
        next
        edit "172.16.2.1"
            set remote-as 64516
        next
    end
end
To configure the AWS VDOM:
config router bgp
    set as 64534
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "10.101.253.253"
            set remote-as 64532
        next
        edit "172.16.1.1"
            set remote-as 64517
        next
    end
end
To configure the Customer VDOM:
config router prefix-list
    edit "Subnet_192_168_255_0"
        config rule
            edit 1
                set prefix 192.168.255.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_254_0"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "To_CORP_Side"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_254_0"
            next
        end
    next
    edit "To_Cust_Side"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_255_0"
                set set-aspath "65002" "65003"
            next
        end
    next
end
config router static
    edit 1
        set dst 10.200.255.252 255.255.255.252
        set gateway 172.16.1.1
        set device "VLAN_Cust"
    next
end
config router bgp
    set as 64535
    set keepalive-timer 1
    set holdtime-timer 3
    set network-import-check disable
    config neighbor
        edit "10.102.253.253"
            set remote-as 64532
            set route-map-out "To_CORP_Side"
        next
        edit "10.203.255.254"
            set remote-as 64518
            set route-map-out "To_Cust_Side"
        next
    end
    config network
        edit 1
            set prefix 192.168.254.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.254.128 255.255.255.128
        next
    end
end

Configuring the policies

To configure the root VDOM (policy 1 below is a catch-all any-to-any accept rule for all services that matches whatever policies 2 and 3 do not; restrict it before reusing this configuration in production):
config firewall ippool
    edit "Pool"
        set startip 192.168.255.1
        set endip 192.168.255.127
    next
end
config firewall vip
    edit "VIPCust"
        set extip 192.168.255.129-192.168.255.254
        set extintf "Root_Cust"
        set color 7
        set mappedip "192.168.2.129-192.168.2.254"
    next
end
config firewall policy
    edit 2
        set name "VIP_2_CORP"
        set srcintf "Root_Cust"
        set dstintf "CORP_LAN"
        set srcaddr "all"
        set dstaddr "VIPCust"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "CORP_2_Customer"
        set srcintf "CORP_LAN"
        set dstintf "Root_Cust"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "Pool"
        set nat enable
    next
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
To configure the Azure VDOM (its only policy is an any-to-any accept rule with logtraffic disable, so traffic through this VDOM is not logged):
config firewall policy
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
To configure the AWS VDOM (its only policy is an any-to-any accept rule with logtraffic disable, so traffic through this VDOM is not logged):
config firewall policy
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
To configure the Customer VDOM (as in the root VDOM, policy 1 is a catch-all any-to-any accept rule that matches whatever policies 2 and 3 do not):
config firewall ippool
    edit "Pool"
        set startip 192.168.254.1
        set endip 192.168.254.127
    next
end
config firewall vip
    edit "VIP_2Customer"
        set extip 192.168.254.129-192.168.254.254
        set extintf "Cust_Root"
        set mappedip "192.168.2.129-192.168.2.254"
    next
end
config firewall policy
    edit 3
        set name "toCORPNetwork"
        set srcintf "to_Customer"
        set dstintf "Cust_Root"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "Pool"
        set nat enable
    next
    edit 2
        set name "VIP"
        set srcintf "Cust_Root"
        set dstintf "to_Customer"
        set srcaddr "all"
        set dstaddr "VIP_2Customer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Configuring the FortiGate 3600-2

The FG-3600-2 is running FortiOS 6.4.0 (build 1572) and has the following local topology (the topology diagram is not reproduced in this text version):

Configured VDOMs: root, Azure, AWS, and Customer (each is configured in the sections below).

Configuring BGP

To configure the root VDOM (the prefix-lists and route-maps come first because the BGP neighbors reference them through route-map-out; note that no neighbor in this configuration sets a password, so every BGP peering shown here is unauthenticated):
config router prefix-list
    edit "allroutes"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192.168.254"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_172.26"
        config rule
            edit 1
                set prefix 172.26.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 172.26.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_255_128"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.254.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_255_0"
        config rule
            edit 1
                set prefix 192.168.255.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "CORP_LAN"
        config rule
            edit 1
                set prefix 192.168.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "allroutes"
        config rule
            edit 1
                set match-ip-address "allroutes"
                set set-aspath "65001"
            next
        end
    next
    edit "To_CORP"
        config rule
            edit 1
                set match-ip-address "Subnet_172.26"
                set set-aspath "65001" "65002"
            next
            edit 2
                set match-ip-address "Subnet_192.168.254"
                set set-aspath "65001" "65002"
            next
        end
    next
    edit "Subnet_192.168.254"
        config rule
            edit 1
                set match-ip-address "Subnet_192.168.254"
            next
        end
    next
    edit "To_Cust_VDOM"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_255_0"
                set set-aspath "65001" "65002"
            next
        end
    next
    edit "CORP_LAN_ToCloud"
        config rule
            edit 1
                set match-ip-address "CORP_LAN"
                set set-aspath "65001 65001"
            next
        end
    next
end
config router bgp
    set as 64532
    set keepalive-timer 1
    set holdtime-timer 3
    set network-import-check disable
    config neighbor
        edit "10.100.253.254"
            set remote-as 64533
            set route-map-out "CORP_LAN_ToCloud"
        next
        edit "10.101.253.254"
            set remote-as 64534
            set route-map-out "CORP_LAN_ToCloud"
        next
        edit "10.102.253.254"
            set remote-as 64535
            set route-map-out "To_Cust_VDOM"
        next
        edit "192.168.1.1"
            set remote-as 64530
            set route-map-out "To_CORP"
        next
    end
    config network
        edit 1
            set prefix 192.168.255.0 255.255.255.0
        next
    end
end
To configure the Azure VDOM:
config router bgp
    set as 64533
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "10.100.253.253"
            set remote-as 64532
        next
        edit "172.16.2.1"
            set remote-as 64516
        next
    end
end
To configure the AWS VDOM:
config router bgp
    set as 64534
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "10.101.253.253"
            set remote-as 64532
        next
        edit "172.16.1.1"
            set remote-as 64517
        next
    end
end
To configure the Customer VDOM:
config router prefix-list
    edit "Subnet_192_168_255_0"
        config rule
            edit 1
                set prefix 192.168.255.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "Subnet_192_168_254_0"
        config rule
            edit 1
                set prefix 192.168.254.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "To_CORP_Side"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_254_0"
            next
        end
    next
    edit "To_Cust_Side"
        config rule
            edit 1
                set match-ip-address "Subnet_192_168_255_0"
                set set-aspath "65002" "65003"
            next
        end
    next
end
config router static
    edit 1
        set dst 10.200.255.252 255.255.255.252
        set gateway 172.16.1.1
        set device "VLAN_Cust"
    next
end
config router bgp
    set as 64535
    set keepalive-timer 1
    set holdtime-timer 3
    set network-import-check disable
    config neighbor
        edit "10.102.253.253"
            set remote-as 64532
            set route-map-out "To_CORP_Side"
        next
        edit "10.203.255.254"
            set remote-as 64518
            set route-map-out "To_Cust_Side"
        next
    end
    config network
        edit 1
            set prefix 192.168.254.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.254.128 255.255.255.128
        next
    end
end

Configuring the policies

To configure the root VDOM (policy 1 below is a catch-all any-to-any accept rule for all services that matches whatever policies 2 and 3 do not; restrict it before reusing this configuration in production):
config firewall ippool
    edit "Pool"
        set startip 192.168.255.1
        set endip 192.168.255.127
    next
end
config firewall vip
    edit "VIPCust"
        set extip 192.168.255.129-192.168.255.254
        set extintf "Root_Cust"
        set color 7
        set mappedip "192.168.2.129-192.168.2.254"
    next
end
config firewall policy
    edit 2
        set name "VIP_2_CORP"
        set srcintf "Root_Cust"
        set dstintf "CORP_LAN"
        set srcaddr "all"
        set dstaddr "VIPCust"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "CORP_2_Customer"
        set srcintf "CORP_LAN"
        set dstintf "Root_Cust"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "Pool"
        set nat enable
    next
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
To configure the Azure VDOM (its only policy is an any-to-any accept rule with logtraffic disable, so traffic through this VDOM is not logged):
config firewall policy
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
To configure the AWS VDOM (its only policy is an any-to-any accept rule with logtraffic disable, so traffic through this VDOM is not logged):
config firewall policy
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
To configure the Customer VDOM (as in the root VDOM, policy 1 is a catch-all any-to-any accept rule that matches whatever policies 2 and 3 do not):
config firewall ippool
    edit "Pool"
        set startip 192.168.254.1
        set endip 192.168.254.127
    next
end
config firewall vip
    edit "VIP_2Customer"
        set extip 192.168.254.129-192.168.254.254
        set extintf "Cust_Root"
        set mappedip "192.168.2.129-192.168.2.254"
    next
end
config firewall policy
    edit 3
        set name "toCORPNetwork"
        set srcintf "to_Customer"
        set dstintf "Cust_Root"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "Pool"
        set nat enable
    next
    edit 2
        set name "VIP"
        set srcintf "Cust_Root"
        set dstintf "to_Customer"
        set srcaddr "all"
        set dstaddr "VIP_2Customer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "policy"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end