How to create a basic configuration on a Fortigate

Let’s see some useful command on a fortigate firewall.

Assuming that you have a Fortinet Fortigate device, your local ip address is in the range of 192.168.200.0/24 and you have a router with a public IP address 185.186.187.1 and a public subnet 185.186.187.0/29.

config system global
# Set the http admin port to 80/tcp
set admin-port 80
# Set the https admin port to 443/tcp
set admin-sport 443
# Set the ssh admin port to 22/tcp
set admin-ssh-port 22
# Set the telnet admin port to 23/tcp
set admin-telnet-port 23
# Set the hostname
set hostname “CompanyFirewall”
# Set the ntp server to “time.ien.it” and enable it
set ntpserver “time.ien.it”
set ntpsync enable
# Set to 43200 seconds the tcp-halfclose timer
set tcp-halfclose-timer 43200
end
# Set the telnet 23/tcp port timeout to 43200 seconds.
# This is very useful if you have an AS400 (iSeries) to avoid session
timeout.
config system session-ttl
set default 43200
config port
edit 23
set timeout 43200
next
end
# Set the IP address and administrative access options (ping https http) for
INTERNAL interface.
config system interface
edit “internal”
set ip 192.168.200.254 255.255.255.0
set allowaccess ping https http
set type physical
next
# Set the IP address and administrative access options (ping https) for WAN1
interface.
# Set “gateway Detect” option enable and set the “Ping Server” destination.
# Set the interface speed to 10 Mb/s Half Duplex, this is useful for some
connections like radio bridge.
edit “wan1″
set ip 185.186.187.2 255.255.255.248
set allowaccess ping https
set gwdetect enable
set detectserver “185.186.187.123″
set type physical
set speed 10half
next
end
# Set DNS Servers and DNS options
config system dns
set primary 192.168.200.3
set secondary 212.97.32.2
set domain ”
set autosvr disable
set dns-cache-limit 5000
set cache-notfound-responses disable
end
# Set a firewall policy to enable traffic from INTERNAL TO WAN1 using NAT
# Set a protection profile (a default one) called “scan”
config firewall policy
edit 1
set srcintf “internal”
set dstintf “wan1″
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ANY”
set profile-status enable
set profile “scan”
set nat enable
next
end
# Set a default gateway on the WAN1 interface
config router static
edit 1
set device “wan1″
set gateway 185.186.187.2
end
%d bloggers like this: