Configuring basic settings
Complete the following basic settings on the FortiGate to get the device up and running
-
Plan interface usage for MGMT, WAN, and LAN access, and configure the interfaces. See Planning and configuring the MGMT, WAN, and LAN interfaces.
-
Configure the default route. See Configuring the default route.
-
Configure the hostname if not done when completing the FortiGate Setup wizard. See Configuring the hostname.
-
Ensure internet and FortiGuard connectivity. See Ensuring internet and FortiGuard connectivity.
-
Use the default certificate for HTTPs administrative access. See Using the default certificate for HTTPS administrative access.
After configuring the basic settings, the FortiGate can access the internet and communicate with FortiGuard. Next, you can register the FortiGate with Fortinet. See Registering FortiGate. Firewall policies are also ready to be configured using the WAN and LAN interfaces.
Planning and configuring the MGMT, WAN, and LAN interfaces
On a typical deployment where the FortiGate NGFW is configured as an edge firewall, the administrator typically sets up access control between the LAN and WAN interface, and permanent management access either through in-band management or out-of-band management. The following sections outline steps to plan and configure your management, WAN, and LAN interfaces
Management access
So far the new FortiGate setup has been completed over a management interface, which is either a dedicated MGMT port named MGMT or MGMT1 or a port on the internal switch interface.
What interface to use for FortiGate management can depend on the FortiGate model. Some FortiGate models have a dedicated MGMT interface and some do not:
-
Mid-size and high-end FortiGate models typically have a dedicated MGMT interface, and you can use the MGMT interface for FortiGate management. There is also a separate management network for accessing the FortiGate and other devices on the network. This is called out-of-band management.
-
Desktop FortiGate models typically do not have a dedicated MGMT interface. In this case, you might be using the Internal or LAN interface for FortiGate management. There is no dedicated management network, and the management traffic is shared with internal traffic. This is called in-band management.
Following is a summary of what FortiGate models typically support in-band and out-of-band management:
FortiGate model |
MGMT interface |
In-band management |
Out-of-band management |
---|---|---|---|
Desktop models |
No |
Recommended |
Not supported* |
Mid-size models |
Yes |
Supported |
Recommended |
High-end models |
Yes |
Supported |
Recommended |
*Although natively the FortiGate does not support out-of-band management, you can pick an unused interface and configure it as a dedicated interface for out-of-band management.
WAN interface
Similar to the management interface, some models have an interface labelled WAN, WAN1, or WAN2, and other models do not. On models with dedicated WAN interface(s), the interfaces are also configured as DHCP clients. Therefore, if a DHCP server is present in the WAN network that points to the correct internet gateway, then internet access is available without further configuration.
On models without dedicated WAN interfaces, or in situations where you choose to configure the WAN interface statically, select an interface for WAN access. Connect the interface to your upstream router, L3 switch, or modem. Then use the following steps to configure your WAN interface.
To configure a WAN interface in the GUI:
-
Go to Network > Interfaces. Select an interface and click Edit.
-
(Optional) Enter an Alias, such as WAN.
-
In the Address section, enter the IP/Netmask.
-
In Administrative Access section, select the access options as needed. For a WAN interface, it is recommended to only allow PING.
-
Click OK.
To configure a WAN interface in the CLI:
config system interface edit "port2" set ip 203.0.113.99 255.255.255.0 set allowaccess ping set alias "WAN" next end
LAN interface
On desktop and some mid-range models, a set of ports are grouped together by default in virtual switch mode for LAN access. The virtual switch interface may be called internal or lan, and it helps facilitate connecting endpoints directly to the FortiGate on the same L2 switching network.
Endpoints connected this way will also share the same access control configured for the internal or lan interface.
On models that lack a default LAN interface, or when you choose to configure a LAN interface manually, select an interface for LAN access. Connect this interface to an internal switch that connects to your LAN network. Then use the following steps to configure your LAN interface.
To configure a LAN interface in the GUI:
-
Go to Network > Interfaces. Select an interface and click Edit.
-
(Optional) Enter an Alias, such as LAN.
-
In the Address section, enter the IP/Netmask.
-
In Administrative Access section, select the access options as needed, such as PING. For in-band management, you may also want to allow administrative access for HTTPS and SSH.
-
Optionally, enable DHCP Server and configure as needed.
-
Click OK.
To configure a LAN interface in the CLI:
config system interface edit "port1" set ip 192.168.10.99 255.255.255.0 set allowaccess ping https ssh set alias "LAN" next end config system dhcp server edit 1 set dns-service default set default-gateway 192.168.10.99 set netmask 255.255.255.0 set interface "port1" config ip-range edit 1 set start-ip 192.168.10.2 set end-ip 192.168.10.254 next end next end
Configuring the default route
Setting the default route enables the FortiGate to route traffic through this interface and default gateway when no specific routes are found for a particular destination. The gateway address should be your upstream router or L3 switch that the FortiGate is connected to. Set the interface to be the WAN interface that the gateway is connected to.
If the WAN interface uses DHCP for address assignment, the default route may already be learned from the DHCP server, and this step is not needed.
To configure the default route in the GUI:
-
Go to Network > Static Routes and click Create New.
-
Leave the destination subnet as 0.0.0.0/0.0.0.0. This is known as a default route, since it would match any IPv4 address.
-
Enter the Gateway Address.
-
Select an Interface.
-
Click OK.
To configure the default route in the CLI:
config router static edit 0 set gateway 203.0.113.1 set device port2 next end
Configuring the hostname
Setting the FortiGate’s hostname assists with identifying the device, and it is especially useful when managing multiple FortiGates. Choose a meaningful hostname as it is used in the CLI console, SNMP system name, device name for FortiGate Cloud, and to identify a member of an HA cluster.
To configure the hostname in the GUI:
-
Go to System > Settings.
-
Enter a name in the Host name field.
-
Click Apply.
To configure the hostname in the CLI:
config system global set hostname 200F_YVR end
Ensuring internet and FortiGuard connectivity
This step is not necessary for the configuration; however, it is necessary in order to keep your FortiGate up to date against the latest threats. Updates are provided to FortiGates that are registered and make a request to the FortiGuard network to verify if there are any more recent definitions.
Use execute ping <domain.tld>
to ensure the DNS resolution is able to resolve the following FortiGuard servers:
-
fds1.fortinet.com
-
service.fortiguard.net
-
update.fortiguard.net
You also need to ensure the necessary ports are permitted outbound in the event your FortiGate is behind a filtering device. Refer to the Ports and Protocols document for more information.
Using the default certificate for HTTPS administrative access
By default, the FortiGate uses the Fortinet_GUI_Server certificate for HTTPS administrative access. Administrators should download the CA certificate and install it on their PC to avoid warnings in their browser. See Using the default certificate for HTTPS administrative access for more information.