Configuring basic settings
Complete the following basic settings on the FortiProxy to get the device up and running
-
Plan interface usage for MGMT, WAN, and LAN access, and configure the interfaces. See Planning and configuring the MGMT, WAN, and LAN interfaces.
-
Configure the default route. See Configuring the default route.
-
Configure the hostname. See Configuring the hostname.
-
Change the password by clicking the account icon at the top right corner and selecting Change Password.
-
Set up the dashboard according to your needs. See Dashboard.
-
Ensure internet and FortiGuard connectivity. See Ensuring internet and FortiGuard connectivity.
-
Use the default certificate for HTTPs administrative access. See Using the default certificate for HTTPS administrative access.
After configuring the basic settings, the FortiProxy can access the internet and communicate with FortiGuard. Next, you can register the FortiProxy with Fortinet. See Registering FortiProxy. Policies are also ready to be configured using the WAN and LAN interfaces.
Planning and configuring the MGMT, WAN, and LAN interfaces
On a typical deployment where the FortiProxy is configured as an edge firewall, the administrator typically sets up access control between the LAN and WAN interface, and permanent management access either through in-band management or out-of-band management. The following sections outline steps to plan and configure your management, WAN, and LAN interfaces
Management access
So far the new FortiProxy setup has been completed over a dedicated management interface. There is also a separate management network for accessing the FortiProxy and other devices on the network. This is called out-of-band management and is the recommended option.
WAN interface
FortiProxy models do not have dedicated WAN interfaces. You can configure an interface for WAN access and then connect the interface to your upstream router, L3 switch, or modem.
To configure a WAN interface in the GUI:
-
Go to Network > Interfaces. Select an interface and click Edit.
-
(Optional) Enter an Alias, such as WAN.
-
In the Address section, enter the IP/Netmask.
-
In Administrative Access section, select the access options as needed. For a WAN interface, it is recommended to only allow PING.
-
Click OK.
To configure a WAN interface in the CLI:
config system interface edit "port2" set ip 203.0.113.99 255.255.255.0 set allowaccess ping set alias "WAN" next end
LAN interface
FortiProxy does not have a default LAN interface. You must select an interface for LAN access and connect this interface to an internal switch that connects to your LAN network.
To configure a LAN interface in the GUI:
-
Go to Network > Interfaces. Select an interface and click Edit.
-
(Optional) Enter an Alias, such as LAN.
-
In the Address section, enter the IP/Netmask.
-
In Administrative Access section, select the access options as needed, such as PING. For in-band management, you may also want to allow administrative access for HTTPS and SSH.
-
Optionally, enable DHCP Server and configure as needed.
-
Click OK.
To configure a LAN interface in the CLI:
config system interface edit "port1" set ip 192.168.10.99 255.255.255.0 set allowaccess ping https ssh set alias "LAN" next end config system dhcp server edit 1 set dns-service default set default-gateway 192.168.10.99 set netmask 255.255.255.0 set interface "port1" config ip-range edit 1 set start-ip 192.168.10.2 set end-ip 192.168.10.254 next end next end
Configuring the default route
Setting the default route enables the FortiProxy to route traffic through this interface and default gateway when no specific routes are found for a particular destination. The gateway address should be your upstream router or L3 switch that the FortiProxy is connected to. Set the interface to be the WAN interface that the gateway is connected to.
If the WAN interface uses DHCP for address assignment, the default route may already be learned from the DHCP server, and this step is not needed.
To configure the default route in the GUI:
-
Go to Network > Static Routes and click Create New.
-
Leave the destination subnet as 0.0.0.0/0.0.0.0. This is known as a default route, since it would match any IPv4 address.
-
Enter the Gateway Address.
-
Select an Interface.
-
Click OK.
To configure the default route in the CLI:
config router static edit 1 set gateway 203.0.113.1 set device port2 next end
Configuring the hostname
Setting the FortiProxy’s hostname assists with identifying the device, and it is especially useful when managing multiple FortiProxies. Choose a meaningful hostname as it is used in the CLI console, SNMP system name, device name for FortiProxy Cloud, and to identify a member of an HA cluster.
To configure the hostname in the GUI:
-
Go to System > Settings.
-
Enter a name in the Host name field.
-
Click Apply.
To configure the hostname in the CLI:
config system global set hostname 2000E end
Ensuring internet and FortiGuard connectivity
This step is not necessary for the configuration; however, it is necessary in order to keep your FortiProxy up to date against the latest threats. Updates are provided to FortiProxies that are registered and make a request to the FortiGuard network to verify if there are any more recent definitions.
Use execute ping <domain.tld>
to ensure the DNS resolution is able to resolve the following FortiGuard servers:
-
fds1.fortinet.com
-
service.fortiguard.net
-
update.fortiguard.net
You also need to ensure the necessary ports are permitted outbound in the event your FortiProxy is behind a filtering device. Refer to the Ports and Protocols document for more information.
Using the default certificate for HTTPS administrative access
By default, the FortiProxy uses the Fortinet_GUI_Server certificate for HTTPS administrative access. Administrators should download the CA certificate and install it on their PC to avoid warnings in their browser. See Using the default certificate for HTTPS administrative access for more information.