Sunday 9 March 2014

How-To create a basic configuration on a Fortinet Fortigate

This post will explain some useful commands on a FortiGate firewall. It assumes you have a Fortinet FortiGate device that you want to use to connect your local network (192.168.1.0/24) to the internet, and that you have an internet connection. It also assumes you have a router with the public IP address 111.222.111.1 and a public subnet 111.222.111.0/29. In this case I've used a point-to-point device with IP address 111.222.111.123 to detect connection failures.
Obviously you must change the private (INTERNAL) IP address to match your own network, and use your own public subnet rather than the one used here as an example (111.222.111.0/29).
config system global
    # Set the http admin port to 80/tcp
    set admin-port 80
    # Set the https admin port to 443/tcp
    set admin-sport 443
    # Set the ssh admin port to 22/tcp
    set admin-ssh-port 22
    # Set the telnet admin port to 23/tcp
    set admin-telnet-port 23
    # Set the hostname
    set hostname "FGT50B-MAGAZZINO"
    # Set the ntp server to "time.ien.it" and enable it
    set ntpserver "time.ien.it"
    set ntpsync enable
    # Set the tcp-halfclose timer to 43200 seconds
    set tcp-halfclose-timer 43200
end

# Set the telnet 23/tcp port timeout to 43200 seconds.
# This is very useful if you have an AS400 (iSeries) to avoid session timeouts.
config system session-ttl
    set default 43200
    config port
        edit 23
            set timeout 43200
        next
    end
end

config system interface
    # Set the IP address and administrative access options (ping https http) for the INTERNAL interface.
    edit "internal"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https http
        set type physical
    next
    # Set the IP address and administrative access options (ping https) for the WAN1 interface.
    # Enable the "Gateway Detect" option and set the "Ping Server" destination.
    # Set the interface speed to 10 Mb/s half duplex; this is useful for some connections such as radio bridges.
    edit "wan1"
        set ip 111.222.111.2 255.255.255.248
        set allowaccess ping https
        set gwdetect enable
        set detectserver "111.222.111.123"
        set type physical
        set speed 10half
    next
end

# Set DNS servers and DNS options
config system dns
    set primary 192.168.1.3
    set secondary 212.97.32.2
    set domain ""
    set autosvr disable
    set dns-cache-limit 5000
    set cache-notfound-responses disable
end

# Set a firewall policy to allow traffic from INTERNAL to WAN1 using NAT
# Apply a (default) protection profile called "scan"
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "scan"
        set nat enable
    next
end

# Set a default gateway on the WAN1 interface.
# The gateway is the router's address (111.222.111.1), not the firewall's own wan1 address (111.222.111.2).
config router static
    edit 1
        set device "wan1"
        set gateway 111.222.111.1
    next
end
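As an added sanity check, which is my own example and not code from the post or from Fortinet: a small Python linter that parses the FortiOS CLI syntax used above (config/edit/set/next/end) and flags a default route whose gateway is the firewall's own wan1 address or lies outside the wan1 subnet, plus any cleartext management protocol (http, telnet) left in allowaccess on the WAN side. The sample config is constructed from the post's addresses; parse_fortios and check_wan are hypothetical names.

```python
import ipaddress
# Constructed sample (not from a live device): the post's WAN1 interface and
# default route, with the gateway mistakenly set to the firewall's own address.
SAMPLE = """
config system interface
    edit "wan1"
        set ip 111.222.111.2 255.255.255.248
        set allowaccess ping https
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 111.222.111.2
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts (values are token lists)."""
    tree, stack = {}, []
    for line in text.splitlines():
        tok = line.replace('"', "").split()
        if not tok:
            continue
        parent = stack[-1] if stack else tree
        if tok[0] in ("config", "edit"):      # open a table or an entry
            stack.append(parent.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            parent[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):       # close the current level
            stack.pop()
    return tree

def check_wan(tree, wan="wan1"):
    """Flag a gateway that is not a neighbour on the WAN subnet and cleartext admin access."""
    findings, cfg = [], tree["system interface"][wan]
    iface = ipaddress.ip_interface("/".join(cfg["ip"]))   # "addr/netmask" form
    for name, route in tree.get("router static", {}).items():
        if route.get("device") != [wan]:
            continue
        gw = ipaddress.ip_address(route["gateway"][0])
        if gw == iface.ip:
            findings.append(f"route {name}: gateway {gw} is {wan}'s own address")
        elif gw not in iface.network:
            findings.append(f"route {name}: gateway {gw} is outside {iface.network}")
    for svc in cfg.get("allowaccess", []):
        if svc in ("http", "telnet"):
            findings.append(f"{wan}: cleartext management '{svc}' allowed on WAN")
    return findings
```

Run it over a `show full-configuration` dump (after stripping the `#config-version` header) to catch the same two mistakes on a real unit before they are committed.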
