
FCSS_EFW_AD-7.4 System configuration

Detailed list of FCSS_EFW_AD-7.4 knowledge points

System Configuration Detailed Explanation

This section explains System Configuration step-by-step, starting with Device Initialization and covering each subtopic in detail.

1.1 Device Initialization

1.1.1 Setting up FortiGate for the First Time

When you power on a FortiGate device for the first time, it requires some initial configurations to make it operational. Let’s break it down into manageable steps:

Step 1: Connect to FortiGate
  1. Physical Connection:

    • Use a console cable to connect your computer’s serial port to the console port of the FortiGate device.
    • Alternatively, connect your PC to one of the LAN ports (default IP is 192.168.1.99 for FortiGate) and use a web browser or SSH client.
  2. Access the CLI (Command Line Interface):

    • Use terminal software (e.g., PuTTY or Tera Term) to access the CLI.
    • Default credentials:
      • Username: admin
      • Password: (blank, press Enter).
Step 2: Configure Management IP Address and Default Gateway
  • To allow remote management via HTTP/HTTPS or SSH, assign an IP address to the management interface:

    config system interface
        edit <interface_name>  # e.g., port1
        set ip <IP_address> <Subnet_mask>  # e.g., 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh  # Management protocols permitted on this interface
        set alias "Management"  # Optional description
        end
    
  • Configure the default gateway for internet access:

    config router static
        edit 1
        set gateway <Gateway_IP>  # e.g., 192.168.1.254
        set device <interface_name>  # e.g., port1
        end
    
Step 3: Set Hostname, DNS, and System Time
  1. Set Hostname:

    • A descriptive hostname helps identify the device:

      config system global
         set hostname <Device_Name>  # e.g., FortiGate_Main
         end
      
  2. Set DNS Servers:

    • Configure the device to resolve domain names:

      config system dns
         set primary <Primary_DNS>  # e.g., 8.8.8.8
         set secondary <Secondary_DNS>  # e.g., 8.8.4.4
         end
      
  3. Configure System Time:

    • Either manually set the time:

      config system time
         set time <HH:MM:SS>  # e.g., 12:30:00
         set date <YYYY/MM/DD>  # e.g., 2024/12/25
         end
      
    • Or, use an NTP server for automatic time synchronization:

      config system ntp
         set status enable
         set server "pool.ntp.org"
         end
      
Step 4: Enable Secure Management Access
  • Management protocols are enabled per interface with allowaccess (see Step 2): list only https and ssh there and leave http and telnet out. In the global settings, redirect any HTTP administrative request to HTTPS and limit the administrative services to strong ciphers:

    config system global
        set admin-https-redirect enable  # Send HTTP admin requests to HTTPS
        set strong-crypto enable  # Strong ciphers only for admin HTTPS and SSH
        end
    

1.2 Interface and VLAN Management

1.2.1 Configuring Physical and Virtual Interfaces

Interfaces on FortiGate devices act as the connection points for networks. Here's how to set them up:

Step 1: Assign Roles (LAN, WAN) to Interfaces
  • Configure each interface based on its function (e.g., internal LAN, external WAN):

    config system interface
        edit <interface_name>  # e.g., port2 for LAN, port3 for WAN
        set role lan  # lan, wan, dmz or undefined
        set ip <IP_address> <Subnet_mask>  # e.g., 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh  # Management only where needed; avoid http/telnet
        end
    
Step 2: VLAN Configuration
  • VLANs (Virtual Local Area Networks) are used for segmentation. To create a VLAN interface:

    config system interface
        edit <vlan_name>  # e.g., VLAN100
        set vdom <vdom_name>  # e.g., root
        set type vlan
        set vlanid <VLAN_ID>  # e.g., 100
        set interface <physical_interface>  # e.g., port1 (the tagged parent interface)
        set ip <IP_address> <Subnet_mask>  # e.g., 192.168.100.1 255.255.255.0
        set allowaccess ping https
        end
    
Step 3: Trunking
  • If the FortiGate is connected to a switch with trunking enabled, configure VLAN interfaces for all tagged VLANs. Ensure the physical interface supports multiple VLANs.
Step 4: Configuring DHCP Services
  • To automatically assign IPs to devices in a network, enable DHCP:

    config system dhcp server
        edit 1
        set interface <interface_name>  # e.g., port2
        set default-gateway <Gateway_IP>  # e.g., 192.168.10.1
        set netmask <Subnet_mask>  # e.g., 255.255.255.0
        config ip-range  # The pool is a sub-table, not a single "set range"
            edit 1
            set start-ip <Start_IP>  # e.g., 192.168.10.100
            set end-ip <End_IP>  # e.g., 192.168.10.200
            next
        end
        end
    

1.3 High Availability (HA)

1.3.1 Establishing HA

High Availability ensures redundancy and fault tolerance. Here's how to configure it:

Step 1: Enable HA Mode
  • Access the HA configuration:

    config system ha
        set mode <a-p|a-a>  # Active-Passive (a-p) or Active-Active (a-a)
        set group-name <Cluster_Name>  # e.g., FortiHACluster
        set password <Cluster_Password>  # Must match on every member
        set hbdev <heartbeat_interface> <priority>  # e.g., port4 50; use a dedicated link
        end
    
Step 2: Configure Cluster ID and Priority
  • The Cluster ID identifies the HA group, and Priority determines the primary unit:

    config system ha
        set group-id <ID>  # e.g., 1; the cluster ID, identical on every member
        set priority <Priority>  # 0-255, higher value = preferred primary
        set override enable  # Optional: re-elect the primary when priorities change
        end
    
Step 3: Enable Session Synchronization
  • Synchronize session tables between cluster members:

    config system ha
        set session-pickup enable
        end
    

1.4 Virtual Domains (VDOMs)

Virtual Domains (VDOMs) allow a single FortiGate device to function as multiple independent logical units. This is especially useful for multi-tenant environments or networks requiring logical segmentation.

1.4.1 VDOM Modes

FortiGate supports two VDOM modes:

  1. Split VDOM Mode:

    • Divides the FortiGate into two logical domains: one for NAT/Firewall operations and the other for Transparent Layer 2 operations.
    • Suitable for simple network scenarios.
  2. Multi-VDOM Mode:

    • Enables multiple independent VDOMs on the same device.
    • Ideal for multi-tenant environments where different departments or clients require separate configurations.

To enable VDOM mode:

config system global
    set vdom-mode multi-vdom  # or split-vdom; no-vdom turns VDOMs off (FortiOS 7.x)
    end

1.4.2 Creating and Configuring VDOMs

  1. Create a New VDOM:

    • Add a VDOM and allocate resources:

      config vdom
         edit <vdom_name>  # e.g., HR_VDOM
         config system settings  # Operation mode is a per-VDOM setting
            set opmode <nat|transparent>  # NAT or Transparent
            end
         next
         end
      
  2. Assign Interfaces to VDOMs:

    • Allocate physical or VLAN interfaces to the VDOM:

      config system interface
         edit <interface_name>  # e.g., port2
         set vdom <vdom_name>  # e.g., HR_VDOM
         end
      
  3. Configure Inter-VDOM Links:

    • For traffic between VDOMs, create a virtual link:

      config system vdom-link
         edit <link_name>  # e.g., vdom_link_1 (creates interfaces <link_name>0 and <link_name>1)
         end
      config system interface
         edit <link_name>0  # e.g., vdom_link_10
         set vdom <source_vdom>  # e.g., HR_VDOM
         next
         edit <link_name>1  # e.g., vdom_link_11
         set vdom <destination_vdom>  # e.g., Finance_VDOM
         end
      
  4. Switching Between VDOMs:

    • Use the CLI to switch to a specific VDOM for management:

      config vdom
         edit <vdom_name>  # e.g., HR_VDOM
         end
      

1.5 NAT and Firewall Policies

Network Address Translation (NAT) and Firewall Policies are key to managing traffic flow in FortiGate.

1.5.1 Source NAT (SNAT)

SNAT rewrites the source IP address of outbound traffic to the FortiGate's outgoing interface address (or an address from an IP pool), so that replies from the Internet return to the FortiGate rather than to the private source.

  1. Basic SNAT Configuration:

    • Add a NAT rule within a firewall policy:

      config firewall policy
         edit 1
         set srcintf <LAN_interface>  # e.g., port2
         set dstintf <WAN_interface>  # e.g., port1
         set srcaddr <LAN_address_object>  # e.g., "LAN_subnet", an address object for 192.168.10.0/24
         set dstaddr all
         set schedule always  # Required
         set service ALL  # Required; narrow to the needed services where possible
         set action accept
         set nat enable  # Translate the source to the outgoing interface address
         end
      
  2. Central NAT Table:

    • For complex environments, use the Central NAT Table:

      config system settings
         set central-nat enable  # Switch this VDOM to central NAT
         end
      config firewall central-snat-map
         edit 1
         set srcintf <LAN_interface>  # e.g., port2
         set dstintf <WAN_interface>  # e.g., port1
         set orig-addr <source_address_object>  # e.g., "LAN_subnet" for 192.168.10.0/24
         set dst-addr all
         set nat-ippool <IP_pool>  # e.g., "Public_Pool" containing 203.0.113.1
         end
      

1.5.2 Destination NAT (DNAT)

DNAT redirects inbound traffic from an external IP to an internal server.

  1. DNAT in Firewall Policies:

    • Add a DNAT rule within a firewall policy:

      config firewall vip
         edit <VIP_name>  # e.g., Web_Server_VIP
         set extintf <WAN_interface>  # e.g., port1
         set extip <public_IP>  # e.g., 203.0.113.10
         set mappedip <private_IP>  # e.g., 192.168.10.10
         end
      
      config firewall policy
         edit 2
         set srcintf <WAN_interface>  # e.g., port1
         set dstintf <LAN_interface>  # e.g., port2
         set srcaddr all
         set dstaddr <VIP_name>  # e.g., Web_Server_VIP
         set schedule always
         set service HTTPS  # Only the published service
         set action accept
         end
      

1.6 Logging and Monitoring

Logging and monitoring help administrators track and troubleshoot network activity.

1.6.1 Local and Remote Logging

FortiGate can store logs locally or forward them to external systems like FortiAnalyzer or Syslog servers.

  1. Configure Local Logging:

    • Enable logging on specific policies:

      config firewall policy
         edit 1
         set logtraffic all  # Log all sessions
         end
      
    • View logs using the Web GUI or CLI:

      execute log filter category <category>  # e.g., 0 for traffic logs, 1 for event logs
      execute log display
      
  2. Configure Remote Logging:

    • Forward logs to FortiAnalyzer:

      config log fortianalyzer setting
         set status enable
         set server <Analyzer_IP>  # e.g., 192.168.1.100
         set source-ip <interface_IP>  # e.g., 192.168.1.1
         end
      
    • Forward logs to a Syslog server:

      config log syslogd setting
         set status enable
         set server <Syslog_IP>  # e.g., 192.168.1.101
         end
      

1.6.2 Monitoring Tools

FortiGate provides several tools to monitor system health and traffic.

  1. Dashboard Monitoring:

    • Use the Web GUI to check widgets for:
      • System Resource Usage (CPU, Memory).
      • Session Counts.
      • Interface Bandwidth.
  2. CLI Monitoring Commands:

    • Monitor system performance:

      diag sys top
      
    • View active sessions:

      diag sys session list
      
    • Analyze packet flow for troubleshooting:

      diag debug flow filter addr <IP_address>  # Limit the trace to one host
      diag debug enable
      diag debug flow trace start <count>  # e.g., 10 packets
      diag debug disable  # Stop tracing when done
      

System Configuration (Additional Content)

1. Admin Profiles & Access Control

Proper administrative control ensures that only authorized personnel can access and perform actions on the FortiGate device. Fortinet allows granular role-based access using admin profiles.

1.1 Creating Admin Accounts

To manage administrative access securely, it is a best practice to create unique accounts for each administrator. This enables audit tracking and role segregation.

config system admin
    edit "admin_read"
    set password YourSecurePassword   # Use a strong, unique password per administrator
    set accprofile "read-only"
    set vdom "root"
    next
end
  • edit sets the username.

  • set accprofile assigns the permission level (e.g., super_admin, read-only, or custom profile).

  • set vdom restricts access to a specific Virtual Domain.

1.2 Creating Custom Access Profiles

You can define custom profiles that permit access to specific features or commands.

config system accprofile
    edit "custom_admin"
    set secfabgrp read-write   # Permission levels are none, read, read-write or custom
    set loggrp read
    set sysgrp read
    next
end

This example allows full access to Security Fabric and limited access to logging and system settings.

1.3 Lockout Policy for Failed Logins

To enhance security, you can configure automatic account lockout after a number of failed attempts.

config system global
    set admin-lockout-threshold 3      # Number of failed attempts
    set admin-lockout-duration 300     # Lockout duration in seconds
end

These settings slow down password-guessing (brute-force) attempts against administrator accounts by locking the account out for the configured duration once the threshold is reached.
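The lockout settings above only act on the device itself; the remote logging described in section 1.6.1 lets you see the same failed-login pattern across every FortiGate that forwards to your syslog server. The following Python script is an added example, not part of this page or of Fortinet's tooling: it parses FortiGate's key=value syslog format and applies the same threshold-within-duration rule as admin-lockout-threshold and admin-lockout-duration to constructed sample lines. The device name, user names, addresses and timestamps in the sample are made up, and the field names (date, time, type, user, srcip, action, status) are assumed to follow the FortiOS event-log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample lines in the key=value style FortiGate forwards to syslog.
# Field names follow FortiOS event logs; device name, users and addresses are invented.
SAMPLE_LOGS = [
    'date=2024-12-25 time=12:30:01 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-12-25 time=12:30:20 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-12-25 time=12:30:45 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-12-25 time=12:31:10 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-12-25 time=12:00:00 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login failed" user="ops" ui="ssh(192.168.1.50)" srcip=192.168.1.50 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-12-25 time=12:10:00 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login failed" user="ops" ui="ssh(192.168.1.50)" srcip=192.168.1.50 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-12-25 time=12:11:00 devname="FortiGate_Main" type="event" subtype="system" logdesc="Admin login successful" user="ops" ui="ssh(192.168.1.50)" srcip=192.168.1.50 action="login" status="success"',
    'date=2024-12-25 time=12:31:30 devname="FortiGate_Main" type="traffic" subtype="forward" srcip=192.168.10.20 dstip=203.0.113.10 action="accept"',
]

# key=value pairs: the value is either "double quoted" (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one FortiGate syslog line into a field dictionary."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_lockout_candidates(lines: List[str], threshold: int = 3,
                            duration: int = 300) -> Dict[Tuple[str, str], int]:
    """Return {(user, srcip): most failures seen inside one `duration`-second window}
    for every (user, source) pair that reached `threshold`, i.e. the condition that
    trips admin-lockout-threshold / admin-lockout-duration on the FortiGate."""
    attempts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        f = parse_fortigate_line(line)
        # Only failed administrator logins count; traffic logs and successes are skipped
        if f.get("type") != "event" or f.get("action") != "login" or f.get("status") != "failed":
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        attempts[(f.get("user", "?"), f.get("srcip", "?"))].append(ts)

    window = timedelta(seconds=duration)
    hits: Dict[Tuple[str, str], int] = {}
    for key, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window so that stamps[start..end] all fall within `duration`
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


if __name__ == "__main__":
    for (user, src), n in find_lockout_candidates(SAMPLE_LOGS).items():
        print(f"{user} from {src}: {n} failed logins within 300 s")
```

With the defaults (threshold 3, duration 300 s) only the admin account from 203.0.113.50 is reported; the two ops failures are ten minutes apart and never fall inside one window. Feeding real forwarded lines in place of SAMPLE_LOGS gives you the cross-device view that the per-device lockout counter cannot.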

2. Configuration Backup & Restore

Backing up configuration is a critical part of system maintenance and disaster recovery.

2.1 Backup to Local Flash

execute backup config flash mybackup.conf

This saves the current configuration as a revision in internal flash, tagged with the given comment (here mybackup.conf).

2.2 Restore from Local Flash

execute revision list config
execute restore config flash <revision_ID>

The first command lists the revisions held in flash with their IDs; the second restores the chosen revision, after which the device reboots.

2.3 Backup via TFTP or FTP (Remote Backup)

To TFTP:

execute backup config tftp mybackup.conf 192.168.1.10

To FTP:

execute backup config ftp mybackup.conf ftpserver:21 user password

These methods allow you to push configuration backups to a remote server for redundancy.
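A backup is also the natural place to verify the management-access hardening from sections 1.1 (Step 4) and 1.2 before it is relied on as a restore point. The Python script below is an added example and not part of this page or of Fortinet's tooling: it parses the nested config / edit / set / next / end syntax of a FortiOS configuration file and flags cleartext management protocols on interfaces, a missing lockout threshold, and super_admin accounts without a trusthost restriction. The embedded backup text is a constructed sample for a hypothetical device, and the tree layout (path tuple to settings) is this script's own convention.

```python
import shlex
from typing import Dict, List, Tuple

# Path of a table or entry, e.g. ("system interface", "port1"), mapped to its settings
ConfigTree = Dict[Tuple[str, ...], Dict[str, List[str]]]

# Constructed sample in FortiOS backup format (hypothetical device, not a real backup)
SAMPLE_BACKUP = """\
#config-version=hypothetical-sample
config system global
    set hostname "FortiGate_Main"
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "admin_read"
        set accprofile "prof_admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh http
        set alias "Management"
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https
    next
end
"""

CLEARTEXT_ADMIN = {"http", "telnet"}


def parse_fortios_config(text: str) -> ConfigTree:
    """Build a ConfigTree from FortiOS CLI-style configuration text."""
    tree: ConfigTree = {}
    stack: List[Tuple[str, str]] = []  # (kind, name); kind is "config" or "edit"

    def path() -> Tuple[str, ...]:
        return tuple(name for _, name in stack)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comment headers
            continue
        tokens = shlex.split(line)  # honours the double quotes FortiOS uses
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
            tree.setdefault(path(), {})
        elif cmd == "edit":
            stack.append(("edit", args[0]))
            tree.setdefault(path(), {})
        elif cmd == "set":
            tree.setdefault(path(), {})[args[0]] = args[1:]
        elif cmd == "unset":
            tree.setdefault(path(), {}).pop(args[0], None)
        elif cmd == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif cmd == "end":
            # "end" closes the whole table, even when typed inside an "edit" entry
            while stack:
                kind, _ = stack.pop()
                if kind == "config":
                    break
    return tree


def audit_management_access(tree: ConfigTree) -> List[str]:
    """Return sorted findings about administrative exposure in the parsed config."""
    findings: List[str] = []
    glob = tree.get(("system global",), {})
    if "admin-lockout-threshold" not in glob:
        findings.append("system global: admin-lockout-threshold not set (FortiOS default applies)")
    for p, settings in tree.items():
        if len(p) != 2:
            continue
        if p[0] == "system interface":
            bad = set(settings.get("allowaccess", [])) & CLEARTEXT_ADMIN
            if bad:
                findings.append(f"interface {p[1]}: cleartext management enabled: {', '.join(sorted(bad))}")
        elif p[0] == "system admin":
            has_trusthost = any(k.startswith("trusthost") for k in settings)
            if settings.get("accprofile") == ["super_admin"] and not has_trusthost:
                findings.append(f"admin {p[1]}: super_admin without trusthost restriction")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_management_access(parse_fortios_config(SAMPLE_BACKUP)):
        print(finding)
```

Run against a real backup, the script reads the file produced by execute backup config (the `#config-version` header and encrypted `ENC` values are simply carried as text), so it can sit in a pre-upgrade checklist next to the backup step itself.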

3. Firmware Upgrade Management

Firmware updates are important for performance improvements, security patches, and new features.

3.1 Manual Upgrade via CLI

To upgrade firmware from the CLI using an image hosted on a TFTP server (the device reboots once the image is written):

execute restore image tftp <image_file_name> <TFTP_server_IP>

Note that execute update-now is a different operation: it pulls FortiGuard definition updates (antivirus, IPS, application control signatures), not a firmware image:

execute update-now

3.2 GUI-Based Upgrade Process (for context)

In practice, most administrators use the Web GUI to:

  • Upload new firmware

  • Check for compatibility warnings

  • View system restore points

This process typically involves:

  1. Navigating to System > Firmware

  2. Choosing Upload Firmware or Check for Updates

  3. Following prompts for reboot and backup

3.3 Best Practices

  • Always back up your configuration before an upgrade.

  • Verify the release notes for hardware compatibility and behavior changes.

  • Test new firmware in a lab environment for critical networks.

Summary

Supplement Topic        Key Focus
Admin Profiles          Create accounts, assign access levels, enforce lockout security
Configuration Backup    Use execute backup and execute restore for local or remote storage
Firmware Upgrade        Manage via CLI or GUI; ensure compatibility and create backups

Frequently Asked Questions

Why might a FortiGate HA secondary device remain out of synchronization with the primary device?

Answer:

Configuration synchronization may fail due to version mismatch, interface configuration conflicts, or disabled HA synchronization settings.

Explanation:

In a FortiGate HA cluster, the primary device automatically synchronizes configuration changes with secondary members. If synchronization fails, the secondary unit may appear in an out-of-sync state. One common cause is running different FortiOS versions between cluster members. Another issue may occur if certain settings are excluded from synchronization or if manual configuration changes were made directly on the secondary device. Interface mismatches and incorrect HA configuration parameters can also prevent proper synchronization. Administrators should verify firmware versions, check HA settings, and review synchronization status using diagnostic commands to identify the root cause.

Demand Score: 89

Exam Relevance Score: 91

What is the purpose of hardware acceleration on FortiGate devices?

Answer:

Hardware acceleration offloads packet processing from the CPU to dedicated network processors.

Explanation:

FortiGate appliances include specialized hardware components such as NP (Network Processor) and CP (Content Processor) chips. These processors are designed to accelerate common network tasks like packet forwarding, encryption, and security inspection. When hardware acceleration is functioning properly, traffic processing is handled by these chips rather than the main CPU. This significantly increases throughput and reduces latency. If acceleration is disabled or unsupported by certain policies, traffic must be processed by the CPU, which can reduce performance. Monitoring tools can help confirm whether sessions are being offloaded to hardware processors.

Demand Score: 81

Exam Relevance Score: 88

Why might hardware acceleration fail to offload traffic to NP processors?

Answer:

Certain features or configurations can prevent hardware offloading.

Explanation:

Hardware acceleration works only when traffic meets specific conditions. Features such as deep packet inspection, traffic shaping, proxy-based security inspection, or unsupported policy configurations may force packets to be processed by the CPU instead of the NP processor. Additionally, some interface types or VPN configurations may not support hardware offloading. When troubleshooting performance issues, administrators should check whether the security policy or enabled features are compatible with NP acceleration. Reviewing session information can help determine whether traffic is being processed by hardware or software.

Demand Score: 78

Exam Relevance Score: 87

What is the primary purpose of Virtual Domains (VDOMs) on FortiGate?

Answer:

VDOMs allow a single FortiGate device to operate as multiple independent virtual firewalls.

Explanation:

VDOMs are used to segment a FortiGate device into multiple logical units that operate independently. Each VDOM has its own routing table, security policies, interfaces, and administrators. This allows service providers or enterprises to isolate different departments or customers on the same physical device. For example, a company may use separate VDOMs for production, development, and management networks. VDOMs improve security isolation and administrative flexibility while reducing hardware requirements. They are commonly used in multi-tenant environments or large enterprise networks.

Demand Score: 75

Exam Relevance Score: 90

How do VLANs differ from VDOMs in FortiGate deployments?

Answer:

VLANs segment network traffic at Layer 2, while VDOMs provide full virtual firewall instances.

Explanation:

VLANs divide a physical network interface into multiple logical networks by tagging traffic with VLAN IDs. This is useful for separating broadcast domains and organizing network segments. VDOMs, however, operate at a higher level by creating fully independent firewall environments. Each VDOM can contain its own VLAN interfaces, routing table, policies, and administrative controls. While VLANs provide network segmentation, VDOMs provide complete security and management isolation. In many enterprise environments, VLANs are used within VDOMs to build scalable network architectures.

Demand Score: 73

Exam Relevance Score: 88

Why are HA clusters commonly deployed in enterprise firewall environments?

Answer:

HA clusters provide redundancy and ensure network availability during device failures.

Explanation:

High Availability (HA) allows multiple FortiGate devices to operate as a cluster. In an active-passive configuration, the primary device handles traffic while the secondary device remains synchronized and ready to take over if the primary fails. This failover process happens automatically and typically within seconds. HA clusters help maintain continuous network connectivity, which is critical for enterprise environments where downtime can cause significant operational disruptions. Configuration synchronization ensures that both devices maintain identical settings, allowing seamless transition during failover events.

Demand Score: 72

Exam Relevance Score: 89
