FCP_FGT_AD-7.4 Deployment and system configuration

Detailed list of FCP_FGT_AD-7.4 knowledge points

Deployment and System Configuration Detailed Explanation

1.1 Initial Deployment of FortiGate

Initial Access and Configuration
  1. Access the FortiGate Device:

    • By default, FortiGate devices come with a predefined management IP (e.g., 192.168.1.99) assigned to the management interface.
    • Connecting:
      • Use an Ethernet cable to connect your PC directly to the FortiGate’s management port.
      • Assign your PC an IP address in the same subnet (e.g., 192.168.1.x with a subnet mask of 255.255.255.0).
    • Open a web browser and navigate to https://192.168.1.99. You may encounter a certificate warning since FortiGate uses a self-signed certificate; accept it to proceed.
    • The default credentials are:
      • Username: admin
      • Password: (blank, leave empty).
  2. CLI (Command Line Interface) Access:

    • Connect to the console port using a serial cable and a terminal application (e.g., PuTTY).

    • Alternatively, SSH can be used if SSH is enabled and accessible.

    • CLI allows you to configure the device using commands. For example:

      config system interface
      edit port1
      set ip 192.168.2.1/24
      end
      
  3. Modify the Default Management Port IP:

    • Navigate to Network > Interfaces (GUI) or use the CLI.

    • Change the management port IP to fit your network’s addressing scheme. For instance:

      config system interface
      edit port1
      set ip 192.168.10.1/24
      end
      
  4. Restrict Access to Specific Source IPs:

    • Limit administrative access to trusted IP ranges for security. In the GUI:

      • Go to Network > Interfaces > Management and edit the interface.
      • Under Administrative Access, specify permitted IP ranges.
    • Example in CLI (management protocols are allowed per interface; the source-IP restriction is set per admin account with trusthost1 to trusthost10, not on the interface):

      config system interface
      edit port1
      set allowaccess https ssh
      end
      config system admin
      edit admin
      set trusthost1 192.168.10.0 255.255.255.0
      end
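
As an added illustration (not part of this study guide and not a Fortinet tool), the Python script below audits a saved FortiOS configuration for exactly this exposure: it parses the config system interface and config system admin sections, lists interfaces that allow a management protocol, and flags admin accounts with no trusted-host restriction (a trusthost of 0.0.0.0 0.0.0.0 counts as unrestricted). The configuration text is a constructed sample; the parser handles only the config/edit/set/next/end nesting shown on this page, which is enough for these two sections.

```python
"""Audit a FortiOS configuration dump for exposed administrative access.

Added example for this study guide (not Fortinet code). Reads the
'config system interface' and 'config system admin' sections of FortiOS
configuration text and reports management exposure and unrestricted admins.
"""
import ipaddress
import re
import shlex

# Constructed sample (not from a real device): port1 and port2 expose management
# protocols; 'admin' is limited to the LAN, 'admin2' has no trusthost at all and
# 'admin3' carries the any-source 0.0.0.0 0.0.0.0 trusthost.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https
    next
    edit "port3"
        set ip 10.0.0.1 255.255.255.0
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.168.10.0 255.255.255.0
    next
    edit "admin2"
        set accprofile "super_admin"
    next
    edit "admin3"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# Protocols that give an interactive administrative session.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for config/edit/set/next/end blocks."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # honours the quotes FortiOS puts around names
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            section = sections.setdefault(" ".join(args), {})
        elif cmd == "edit" and section is not None:
            entry = section.setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section, entry = None, None
    return sections


def exposed_interfaces(sections):
    """Map interface name -> sorted list of management protocols it allows."""
    found = {}
    for name, attrs in sections.get("system interface", {}).items():
        protos = sorted(set(attrs.get("allowaccess", [])) & MGMT_PROTOCOLS)
        if protos:
            found[name] = protos
    return found


def trusted_networks(attrs):
    """trusthost1..trusthost10 of one admin entry as ip_network objects."""
    nets = []
    for key, val in attrs.items():
        if re.fullmatch(r"trusthost\d+", key) and len(val) == 2:
            nets.append(ipaddress.ip_network(f"{val[0]}/{val[1]}", strict=False))
    return nets


def unrestricted_admins(sections):
    """Admins reachable from any source: no trusthost, or a 0.0.0.0/0 trusthost."""
    result = []
    for name, attrs in sections.get("system admin", {}).items():
        nets = trusted_networks(attrs)
        if not nets or any(n.prefixlen == 0 for n in nets):
            result.append(name)
    return sorted(result)


def admin_allowed_from(sections, admin, source_ip):
    """Does a login for `admin` from `source_ip` pass the trusted-host check?"""
    attrs = sections.get("system admin", {}).get(admin)
    if attrs is None:
        return False
    nets = trusted_networks(attrs)
    # An admin with no trusthost entries is not source-restricted at all.
    return not nets or any(ipaddress.ip_address(source_ip) in n for n in nets)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("management protocols exposed:", exposed_interfaces(cfg))
    print("admins without source restriction:", unrestricted_admins(cfg))
    print("admin from 203.0.113.50 allowed:", admin_allowed_from(cfg, "admin", "203.0.113.50"))
```

Run it against the text of a real backup file instead of SAMPLE_CONFIG to get the same report for your own device; an interface in exposed_interfaces that faces the WAN combined with any name in unrestricted_admins is the condition the trusted-host setting above is meant to prevent.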
      
Network Interface Configuration
  1. Physical Interfaces:

    • Assign IP addresses and roles to physical ports (e.g., LAN, WAN):

      • LAN (Internal Network): IP address for the internal network, such as 192.168.1.1/24.
      • WAN (Internet): Public IP or dynamic IP if connected to a service provider.
    • Configure in the GUI under Network > Interfaces, or use CLI:

      config system interface
      edit port2
      set mode static
      set ip 203.0.113.2/24
      end
      
  2. VLAN Interfaces:

    • Virtual LANs (VLANs) allow you to segment traffic over a single physical interface.

    • Example:

      config system interface
      edit VLAN10
      set vdom root
      set mode static
      set ip 192.168.10.1/24
      set vlanid 10
      set interface port2
      end
      
  3. Software Switch Interfaces:

    • Bind multiple physical interfaces into a single logical switch for redundancy and load balancing.

    • Example:

      config system switch-interface
      edit Switch1
      set member port1 port2
      end
      

1.2 FortiGate Basic Features

DNS Configuration
  1. Set Up FortiGate as a DNS Forwarder:

    • Redirect DNS queries from your network to external DNS servers.

    • GUI: Network > DNS > Set mode to Forward to System DNS.

    • CLI:

      config system dns
      set primary 8.8.8.8
      set secondary 8.8.4.4
      end
      
  2. Custom DNS Servers:

    • Specify a custom DNS for specific domains using overrides.

NTP (Time Synchronization)
  1. Configure NTP Servers:

    • Accurate time settings are critical for logging and certificates.

    • GUI: System > Settings > Time > Enable NTP, then configure servers.

    • CLI:

      config system ntp
      set ntpsync enable
      set type custom
      config ntpserver
      edit 1
      set server "time.google.com"
      end
      end
      
Admin User Management
  1. Create Local Admin Accounts:

    • GUI: System > Administrators > Add a new admin.

    • CLI:

      config system admin
      edit admin2
      set password your_password
      set accprofile super_admin
      end
      
  2. Enable Multi-Factor Authentication (MFA):

    • FortiToken devices or FortiToken Cloud can be used for added security.
    • GUI: Assign tokens under User & Device > FortiTokens.

1.3 High Availability (HA) Deployment

HA Architecture Modes
  1. Active-Passive Mode:

    • One primary device processes traffic, and the secondary takes over if the primary fails.
  2. Active-Active Mode:

    • Both devices handle traffic simultaneously, balancing the load.

HA Configuration
  1. Synchronize Configurations:

    • Both devices must have the same firmware version and configurations before enabling HA.
  2. Set Up HA Interfaces:

    • Configure heartbeat connections using dedicated interfaces.

    • CLI:

      config system ha
      set mode a-p
      set hbdev port3 50
      end
      
  3. Master Device Priority:

    • Assign higher priority to the desired master.

    • CLI (without set override enable, a changed priority is only considered at the next failover rather than applied immediately):

      config system ha
      set priority 200
      end
      

1.4 System Upgrades and Backups

Firmware Upgrades
  1. Upgrade Steps:

    • Download the correct firmware from Fortinet.
    • GUI: System > Firmware > Upload the new firmware.
  2. For HA Environments:

    • Upgrade devices one at a time to ensure continuous availability.

Backup and Restore
  1. Backup Configuration Files:

    • GUI: System > Configurations > Backup.

    • CLI (the filename comes before the server address):

      execute backup config tftp <filename> <IP>
      
  2. Restore Files:

    • Use the same menus or CLI commands for restoring backups.

1.5 System Monitoring and Diagnostics

Monitoring Tools
  1. Resource Usage:

    • Monitor CPU, memory, and session usage under Dashboard > System Resources.
  2. Traffic Statistics:

    • View traffic per interface or policy under Network > Interfaces.

Diagnostic Commands
  1. Flow Troubleshooting:

    • Enable debug output for traffic analysis, filtering on the host of interest so the trace stays readable (turn it off afterwards with diag debug disable):

      diag debug flow filter addr <host-IP>
      diag debug enable
      diag debug flow trace start 10
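
As an added example (not from this guide and not Fortinet code), the Python script below reduces debug-flow output to one verdict per flow: it groups lines by trace_id, pulls the 5-tuple and ingress interface from the print_pkt_detail line, and records the allow/deny policy verdict. The trace lines are constructed in the shape FortiOS prints and are not a real capture; the message patterns matched are the common "Allowed by Policy-N", "Denied by forward policy check (policy N)" and local-in "check failed on policy N, drop" forms, so other message variants would show up as "unknown".

```python
"""Summarise FortiOS 'diagnose debug flow' output into per-flow verdicts.

Added example for this study guide (not Fortinet code). Groups trace lines by
trace_id, extracts the packet 5-tuple and ingress interface, and records the
policy verdict so a long trace reduces to "who was allowed or denied".
"""
import re
from collections import OrderedDict

# Constructed sample in the shape FortiOS prints (not a real capture):
# flow 1 is allowed outbound, flow 2 is a dropped local-in SSH attempt,
# flow 3 is denied by the forward policy check (implicit deny, policy 0).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 192.168.10.50:51234->203.0.113.10:443) from port1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5806 msg="allocate a new session-000001a2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=749 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 203.0.113.77:40000->192.168.10.1:22) from port2. flag [S], seq 2000, ack 0, win 65535"
id=20085 trace_id=2 func=fw_local_in_handler line=442 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 192.168.10.50:5353->192.168.20.9:53) from port1. flag [.], seq 0, ack 0, win 0"
id=20085 trace_id=3 func=fw_forward_handler line=749 msg="Denied by forward policy check (policy 0)"
"""

# key=value pairs; the value may be a double-quoted string containing spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(
    r"Denied by forward policy check \(policy (\d+)\)|check failed on policy (\d+), drop")


def parse_line(line):
    """Split one trace line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def summarize_flows(text):
    """Return an ordered {trace_id: {proto, src, dst, ingress, verdict, policy}}."""
    flows = OrderedDict()
    for line in text.splitlines():
        fields = parse_line(line)
        if "trace_id" not in fields:
            continue
        flow = flows.setdefault(fields["trace_id"], {"verdict": "unknown", "policy": None})
        msg = fields.get("msg", "")
        pkt = PKT_RE.search(msg)
        if pkt:
            flow.update(proto=int(pkt.group(1)),
                        src=f"{pkt.group(2)}:{pkt.group(3)}",
                        dst=f"{pkt.group(4)}:{pkt.group(5)}",
                        ingress=pkt.group(6))
            continue
        allowed = ALLOW_RE.search(msg)
        if allowed:
            flow.update(verdict="allow", policy=int(allowed.group(1)))
            continue
        denied = DENY_RE.search(msg)
        if denied:
            # whichever alternative matched carries the policy id (0 = implicit deny)
            flow.update(verdict="deny", policy=int(denied.group(1) or denied.group(2)))
    return flows


def denied_flows(text):
    """(trace_id, src, dst) for every flow the firewall dropped."""
    return [(tid, f["src"], f["dst"]) for tid, f in summarize_flows(text).items()
            if f["verdict"] == "deny"]


if __name__ == "__main__":
    for tid, flow in summarize_flows(SAMPLE_TRACE).items():
        print(tid, flow["src"], "->", flow["dst"], "via", flow["ingress"],
              flow["verdict"], "policy", flow["policy"])
```

Paste the output of a trace session in place of SAMPLE_TRACE; denied_flows then gives the short list of dropped connections to compare against the policy table, which is usually faster than reading the raw trace top to bottom.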
      
  2. System Performance:

    • Monitor CPU load:

      diag sys top
      

Summary

This detailed breakdown is tailored for beginners to understand each step in deploying and configuring a FortiGate device.

Deployment and System Configuration (Additional Content)

1. Virtual Domains (VDOMs)

VDOMs are a FortiGate feature that allows you to partition a single physical device into multiple virtual instances, each acting as an independent firewall. This is especially useful in multi-tenant environments or large organizations that need segmented security policies and administration.

Enabling VDOMs

Before you can create or manage VDOMs, you must enable the feature in the global configuration.

CLI (FortiOS 7.4 uses the vdom-mode setting; the older set vdom-admin enable keyword from earlier releases no longer applies):

config system global
set vdom-mode multi-vdom
end

Once enabled, the GUI will also show the VDOM configuration options.

Creating and Managing VDOMs

Step 1: Create a new VDOM

config vdom
edit vdom1
next
end

Step 2: Assign a physical interface to the new VDOM

config system interface
edit port3
set vdom vdom1
end

This ensures that the interface port3 operates under the control of vdom1, isolating its configuration and policies from other VDOMs.

Use Cases

  • Service providers managing multiple clients on a single device.
  • Departments within a large enterprise needing isolated networks.
  • Lab/test environments within a production firewall.

2. Interface Role Assignment

Although FortiGate interfaces are technically flexible, they are typically assigned specific roles in a deployment to reflect their usage.

Common Roles:

  1. LAN (Local Area Network):
     • Usually an internal interface.
     • Connects end-user devices like PCs, printers, or local servers.
     • Commonly configured with a static IP and DHCP services.
     • Typically has policies allowing outbound traffic to the internet.
  2. WAN (Wide Area Network):
     • Connects to the internet or external networks.
     • Usually requires NAT (Network Address Translation).
     • Typically receives dynamic or static public IP addresses from the ISP.
  3. DMZ (Demilitarized Zone):
     • Hosts public-facing servers like web, FTP, or mail servers.
     • Isolated from both LAN and WAN to limit exposure in case of compromise.
     • Requires strict firewall rules to control access.

Why Interface Roles Matter:

  • Exam questions often describe network scenarios using these terms (LAN, WAN, DMZ), so understanding their purpose helps in identifying correct policy or NAT configurations.
  • Some default settings in FortiGate (e.g., firewall policies, services) are optimized based on assumed roles.

3. Factory Reset and Basic Licensing

Factory Reset

A factory reset returns the FortiGate device to its original configuration, removing all custom settings, including:

  • Interface IPs
  • Admin passwords
  • Policies
  • Licenses

CLI Command:

execute factoryreset

After the reset, you must reconnect to the default management IP (typically 192.168.1.99) to reconfigure the device.

Device Registration and Licensing

  1. Registering the Device:
  2. Activating Subscriptions:
     • After registration, you can activate and associate your subscriptions (e.g., Web Filtering, Antivirus, IPS, Application Control).
     • Some features (like FortiGuard security services) require active licenses to function.
  3. Connecting to FortiCloud:
     • FortiCloud enables cloud-based logging, analytics, and centralized management.
     • Can be enabled via System > FortiCloud in GUI or via CLI.

Summary

Feature                    Purpose                                               CLI Command Example
VDOM                       Segment one device into multiple virtual firewalls    set vdom-mode multi-vdom
Interface Roles            Logical classification (LAN, WAN, DMZ)                Interface-specific, not enforced in CLI
Factory Reset              Restore to default configuration                      execute factoryreset
Licensing & Registration   Enable FortiGuard features, activate subscriptions    FortiCloud portal or GUI system settings

Frequently Asked Questions

How do you access a new FortiGate device after a factory reset if you cannot reach the GUI?

Answer:

Connect to the FortiGate using the console port and configure an IP address on the management interface or check existing interface settings.

Explanation:

After a factory reset, most FortiGate devices assign a default IP such as 192.168.1.99 on the internal interface. If the administrator's computer is not in the same subnet, the GUI cannot be reached. The recommended approach is connecting through the console cable and verifying interface settings with CLI commands such as show system interface. From there, you can change the IP address or enable management access for HTTPS or SSH. Many administrators incorrectly assume the device is unreachable when the real issue is mismatched IP subnets or disabled management protocols.

Demand Score: 88

Exam Relevance Score: 90

Why might you lose GUI access after changing the IP address of a FortiGate interface?

Answer:

Because the administrator’s workstation is no longer in the same subnet as the newly configured interface IP.

Explanation:

When the interface IP is modified, the device immediately begins using the new network configuration. If the administrator’s PC remains in the old subnet, communication stops. This is a common scenario during initial deployment. The fix is simply to reconfigure the PC with an IP address in the new subnet or reconnect via another interface that allows management access. Many troubleshooting discussions highlight this mistake because administrators expect the session to remain active after the IP change.

Demand Score: 82

Exam Relevance Score: 88

Which configuration must be enabled on a FortiGate interface to allow GUI management access?

Answer:

HTTPS administrative access must be enabled on the interface.

Explanation:

FortiGate restricts management protocols on interfaces for security. Even if the interface has a valid IP address, the GUI will not respond unless HTTPS administrative access is explicitly enabled. Administrators configure this under the interface settings by enabling management protocols such as HTTPS, HTTP, SSH, or PING. In many troubleshooting threads, users can ping the firewall but cannot reach the GUI because HTTPS access is disabled.

Demand Score: 78

Exam Relevance Score: 85

Why is the console connection considered the most reliable access method during initial FortiGate deployment?

Answer:

Because it provides direct local access that does not depend on network configuration.

Explanation:

During early deployment, interface IP addresses, VLANs, and routing might not yet be configured correctly. Network-based management like HTTPS or SSH may therefore fail. A console connection bypasses these issues because it communicates directly with the device’s management plane through the serial interface. This allows administrators to configure networking parameters safely and recover access if misconfigurations occur.

Demand Score: 72

Exam Relevance Score: 84

What is the purpose of enabling PING administrative access on a FortiGate interface?

Answer:

It allows the interface to respond to ICMP echo requests for connectivity testing.

Explanation:

PING access is useful for verifying that the interface is reachable across the network. Without it enabled, troubleshooting connectivity can be more difficult because the firewall will silently drop ICMP echo requests. Administrators often enable PING temporarily during deployment to confirm routing and interface reachability before applying stricter security controls.

Demand Score: 69

Exam Relevance Score: 80