# FortiGate Practice Lab — Configuration Reference

**Topology:** EXT-USER — INET-R1 — FortiGate (port1/2/3/4) — SW1 — PC1/PC2 | DMZ-SRV on port3

| Interface | Zone | IP | Gateway |
|-----------|------|----|---------|
| port1 | outside / WAN | 203.0.113.2/28 | 203.0.113.1 |
| port2 | inside / LAN | 192.168.1.1/24 | — |
| port3 | dmz | 172.16.10.1/24 | — |
| port4 | mgmt (DHCP) | via DHCP | — |

| Host | IP |
|------|----|
| PC1 | 192.168.1.10 |
| PC2 | 192.168.1.11 |
| DMZ-SRV | 172.16.10.10 |
| EXT-USER | 198.51.100.10 |
| Public VIP | 203.0.113.10 |

---

## 1. Interfaces

```
config system interface
    edit "port1"
        set alias "outside"
        set mode static
        set ip 203.0.113.2 255.255.255.240
        set allowaccess ping
        set role wan
    next
    edit "port2"
        set alias "inside"
        set mode static
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
    edit "port3"
        set alias "dmz"
        set mode static
        set ip 172.16.10.1 255.255.255.0
        set allowaccess ping
        set role dmz
    next
    edit "port4"
        set mode dhcp
        set allowaccess https http ping ssh
        set role lan
    next
end
```

---

## 2. DNS

```
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end
```

---

## 3. Default Route

```
config router static
    edit 1
        set gateway 203.0.113.1
        set device "port1"
    next
end
```

---

## 4. Firewall Address Objects

```
config firewall address
    edit "INSIDE_NET"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "DMZ_NET"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "DMZ-SRV"
        set subnet 172.16.10.10 255.255.255.255
    next
    edit "EXT-USER"
        set subnet 198.51.100.10 255.255.255.255
    next
end
```

---

## 5. VIP — DNAT (203.0.113.10 → 172.16.10.10)

```
config firewall vip
    edit "VIP-DMZ-SRV"
        set extip 203.0.113.10
        set extintf "port1"
        set mappedip "172.16.10.10"
        set portforward disable
    next
end
```

---

## 6. Firewall Policies

| # | Name | Src Intf | Dst Intf | Action | NAT |
|---|------|----------|----------|--------|-----|
| 1 | INSIDE-TO-INET | port2 | port1 | accept | yes |
| 2 | INSIDE-TO-DMZ | port2 | port3 | accept | no |
| 3 | INET-TO-DMZ-VIP | port1 | port3 | accept | no |
| 4 | EXTUSER-TO-DMZ-ONLY | port1 | port3 | accept | no |
| 5 | DENY-DMZ-TO-INSIDE | port3 | port2 | deny | no |

```
config firewall policy
    edit 1
        set name "INSIDE-TO-INET"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "INSIDE_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "INSIDE-TO-DMZ"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "INSIDE_NET"
        set dstaddr "DMZ_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "INET-TO-DMZ-VIP"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP-DMZ-SRV"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 4
        set name "EXTUSER-TO-DMZ-ONLY"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "EXT-USER"
        set dstaddr "DMZ-SRV"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 5
        set name "DENY-DMZ-TO-INSIDE"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "DMZ_NET"
        set dstaddr "INSIDE_NET"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```
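To see how the table above is evaluated (first match wins, anything unmatched falls to the implicit deny, and policy 4 is never reached by traffic sent to the public VIP), here is an added Python simulator that is not part of the lab config; it assumes FortiOS matches a DNATed packet on its pre-NAT destination, so the VIP object is modelled by its extip.

```python
"""First-match simulation of the section 6 policy table (added example).
Assumption: DNATed packets match on the pre-NAT destination (the VIP extip)."""
import ipaddress

ADDR = {  # address objects from sections 4 and 5; "all" is the built-in
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "INSIDE_NET": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ_NET": ipaddress.ip_network("172.16.10.0/24"),
    "DMZ-SRV": ipaddress.ip_network("172.16.10.10/32"),
    "EXT-USER": ipaddress.ip_network("198.51.100.10/32"),
    "VIP-DMZ-SRV": ipaddress.ip_network("203.0.113.10/32"),
}
SERVICE = {"ALL": None, "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (id, srcintf, dstintf, srcaddr, dstaddr, services, action) in configured order
POLICIES = [
    (1, "port2", "port1", "INSIDE_NET", "all", ("ALL",), "accept"),
    (2, "port2", "port3", "INSIDE_NET", "DMZ_NET", ("ALL",), "accept"),
    (3, "port1", "port3", "all", "VIP-DMZ-SRV", ("HTTP", "HTTPS"), "accept"),
    (4, "port1", "port3", "EXT-USER", "DMZ-SRV", ("HTTP", "HTTPS"), "accept"),
    (5, "port3", "port2", "DMZ_NET", "INSIDE_NET", ("ALL",), "deny"),
]

def service_matches(names, proto, port):
    """ALL covers everything; otherwise the (proto, port) must be listed."""
    return any(SERVICE[n] is None or SERVICE[n] == (proto, port) for n in names)

def lookup(srcintf, dstintf, src_ip, dst_ip, proto="tcp", port=443):
    """Return (policy_id, action) of the first match; (None, "deny") is the
    implicit deny at the bottom of the table."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pid, si, di, sa, da, svc, action in POLICIES:
        if ((si, di) == (srcintf, dstintf) and s in ADDR[sa]
                and d in ADDR[da] and service_matches(svc, proto, port)):
            return pid, action
    return None, "deny"

def unreachable_wan_policies(wan="port1"):
    """Accept policies on the WAN interface whose destination is an RFC 1918
    object: inbound traffic arrives for the public VIP, so they never match."""
    return [pid for pid, si, _, _, da, _, act in POLICIES
            if si == wan and act == "accept"
            and any(ADDR[da].subnet_of(r) for r in RFC1918)]

if __name__ == "__main__":
    print(lookup("port1", "port3", "198.51.100.10", "203.0.113.10"))  # (3, 'accept')
    print(lookup("port3", "port1", "172.16.10.10", "8.8.8.8", "udp", 53))  # (None, 'deny')
    print(unreachable_wan_policies())  # [4]
```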

---

## 7. Management GUI Access (port4)

port4 is set to DHCP and connected to a CML External Connector bridge so the host machine can reach the web GUI.

```
config system interface
    edit "port4"
        set mode dhcp
        set allowaccess https http ping ssh
        set role lan
    next
end
```

Check the assigned IP after boot:

```
get system interface physical
```

Then browse to `https://<port4-ip>` from your host machine and accept the self-signed cert warning.

---

## 8. Verification Commands

```
# Interface IPs and status
get system interface physical

# Routing table
get router info routing-table all

# Active sessions
diagnose sys session list

# Policy hit counts
diagnose firewall iprope show 100004

# Test outbound from FortiGate
execute ping 8.8.8.8

# Test outbound sourced from outside IP
execute ping-options source 203.0.113.2
execute ping 8.8.8.8

# Live flow debug
diagnose debug flow filter addr 198.51.100.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable

# Stop debug and clear the filter / function-name settings so they do not persist
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

---

## 9. Stretch Goals

### Web Filter on Inside-to-Internet

```
config webfilter profile
    edit "INSIDE-WEBFILTER"
        config ftgd-wf
            config filters
                edit 1
                    set category 62
                    set action block
                next
            end
        end
    next
end

config firewall policy
    edit 1
        set utm-status enable
        set webfilter-profile "INSIDE-WEBFILTER"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

### IPS on DMZ Inbound Policy

```
config ips sensor
    edit "DMZ-IPS"
        config entries
            edit 1
                set severity medium high critical
                set action drop
            next
        end
    next
end

config firewall policy
    edit 3
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "DMZ-IPS"
    next
end
```

---

## 10. Factory Reset

Wipes everything and returns to factory defaults. Use when starting over.

```
execute factoryreset
```

Type `y` to confirm. Device reboots. Log back in with `admin` / blank password and set a new password when prompted.
