Configuring the FortiGate 3600-2
The FG-3600-2 is running FortiOS 6.4.0 (build 1572) and has the following local topology:
Configured VDOMs:
Configuring BGP
To configure the root VDOM:
config router prefix-list
edit "allroutes"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
edit "Subnet_192.168.254"
config rule
edit 1
set prefix 192.168.254.0 255.255.255.0
unset ge
unset le
next
end
next
edit "Subnet_172.26"
config rule
edit 1
set prefix 172.26.1.0 255.255.255.0
unset ge
unset le
next
edit 2
set prefix 172.26.2.0 255.255.255.0
unset ge
unset le
next
end
next
edit "Subnet_192_168_255_128"
config rule
edit 1
set prefix 192.168.254.0 255.255.254.0
unset ge
unset le
next
end
next
edit "Subnet_192_168_255_0"
config rule
edit 1
set prefix 192.168.255.0 255.255.255.0
unset ge
unset le
next
end
next
edit "CORP_LAN"
config rule
edit 1
set prefix 192.168.2.0 255.255.255.0
unset ge
unset le
next
end
next
end
config router route-map
edit "allroutes"
config rule
edit 1
set match-ip-address "allroutes"
set set-aspath "65001"
next
end
next
edit "To_CORP"
config rule
edit 1
set match-ip-address "Subnet_172.26"
set set-aspath "65001" "65002"
next
edit 2
set match-ip-address "Subnet_192.168.254"
set set-aspath "65001" "65002"
next
end
next
edit "Subnet_192.168.254"
config rule
edit 1
set match-ip-address "Subnet_192.168.254"
next
end
next
edit "To_Cust_VDOM"
config rule
edit 1
set match-ip-address "Subnet_192_168_255_0"
set set-aspath "65001" "65002"
next
end
next
edit "CORP_LAN_ToCloud"
config rule
edit 1
set match-ip-address "CORP_LAN"
set set-aspath "65001 65001"
next
end
next
end
config router bgp
set as 64532
set keepalive-timer 1
set holdtime-timer 3
set network-import-check disable
config neighbor
edit "10.100.253.254"
set remote-as 64533
set route-map-out "CORP_LAN_ToCloud"
next
edit "10.101.253.254"
set remote-as 64534
set route-map-out "CORP_LAN_ToCloud"
next
edit "10.102.253.254"
set remote-as 64535
set route-map-out "To_Cust_VDOM"
next
edit "192.168.1.1"
set remote-as 64530
set route-map-out "To_CORP"
next
end
config network
edit 1
set prefix 192.168.255.0 255.255.255.0
next
end
end
To configure the Azure VDOM:
config router bgp
set as 64533
set keepalive-timer 1
set holdtime-timer 3
config neighbor
edit "10.100.253.253"
set remote-as 64532
next
edit "172.16.2.1"
set remote-as 64516
next
end
end
To configure the AWS VDOM:
config router bgp
set as 64534
set keepalive-timer 1
set holdtime-timer 3
config neighbor
edit "10.101.253.253"
set remote-as 64532
next
edit "172.16.1.1"
set remote-as 64517
next
end
end
To configure the Customer VDOM:
config router prefix-list
edit "Subnet_192_168_255_0"
config rule
edit 1
set prefix 192.168.255.0 255.255.255.0
unset ge
unset le
next
end
next
edit "Subnet_192_168_254_0"
config rule
edit 1
set prefix 192.168.254.0 255.255.255.0
unset ge
unset le
next
end
next
end
config router route-map
edit "To_CORP_Side"
config rule
edit 1
set match-ip-address "Subnet_192_168_254_0"
next
end
next
edit "To_Cust_Side"
config rule
edit 1
set match-ip-address "Subnet_192_168_255_0"
set set-aspath "65002" "65003"
next
end
next
end
config router static
edit 1
set dst 10.200.255.252 255.255.255.252
set gateway 172.16.1.1
set device "VLAN_Cust"
next
end
config router bgp
set as 64535
set keepalive-timer 1
set holdtime-timer 3
set network-import-check disable
config neighbor
edit "10.102.253.253"
set remote-as 64532
set route-map-out "To_CORP_Side"
next
edit "10.203.255.254"
set remote-as 64518
set route-map-out "To_Cust_Side"
next
end
config network
edit 1
set prefix 192.168.254.0 255.255.255.0
next
edit 2
set prefix 192.168.254.128 255.255.255.128
next
end
end
Configuring the policies
To configure the root VDOM:
config firewall ippool
edit "Pool"
set startip 192.168.255.1
set endip 192.168.255.127
next
end
config firewall vip
edit "VIPCust"
set extip 192.168.255.129-192.168.255.254
set extintf "Root_Cust"
set color 7
set mappedip "192.168.2.129-192.168.2.254"
next
end
config firewall policy
edit 2
set name "VIP_2_CORP"
set srcintf "Root_Cust"
set dstintf "CORP_LAN"
set srcaddr "all"
set dstaddr "VIPCust"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 3
set name "CORP_2_Customer"
set srcintf "CORP_LAN"
set dstintf "Root_Cust"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set ippool enable
set poolname "Pool"
set nat enable
next
edit 1
set name "policy"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
To configure the Azure VDOM:
config firewall policy
edit 1
set name "policy"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
end
To configure the AWS VDOM:
config firewall policy
edit 1
set name "policy"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
end
To configure the Customer VDOM:
config firewall ippool
edit "Pool"
set startip 192.168.254.1
set endip 192.168.254.127
next
end
config firewall vip
edit "VIP_2Customer"
set extip 192.168.254.129-192.168.254.254
set extintf "Cust_Root"
set mappedip "192.168.2.129-192.168.2.254"
next
end
config firewall policy
edit 3
set name "toCORPNetwork"
set srcintf "to_Customer"
set dstintf "Cust_Root"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set ippool enable
set poolname "Pool"
set nat enable
next
edit 2
set name "VIP"
set srcintf "Cust_Root"
set dstintf "to_Customer"
set srcaddr "all"
set dstaddr "VIP_2Customer"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 1
set name "policy"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end