FortiGate Practice Lab — Configuration Reference

Topology: EXT-USER — INET-R1 — FortiGate (port1/2/3/4) — SW1 — PC1/PC2 | DMZ-SRV on port3

Interface Zone IP Gateway
port1 outside / WAN 203.0.113.2/28 203.0.113.1
port2 inside / LAN 192.168.1.1/24
port3 dmz 172.16.10.1/24
port4 mgmt (DHCP) via DHCP
Host IP
PC1 192.168.1.10
PC2 192.168.1.11
DMZ-SRV 172.16.10.10
EXT-USER 198.51.100.10
Public VIP 203.0.113.10

1. Interfaces

config system interface
    # port1 (outside/WAN, 203.0.113.2/28): only ping is permitted on the WAN
    # address, so no management service (https/ssh/http) is reachable from the
    # internet side. The default route in section 3 leaves via this interface.
    edit "port1"
        set alias "outside"
        set mode static
        set ip 203.0.113.2 255.255.255.240
        set allowaccess ping
        set role wan
    next
    # port2 (inside/LAN, 192.168.1.1/24): GUI (https) and ssh management are
    # allowed from the LAN side where PC1/PC2 sit.
    edit "port2"
        set alias "inside"
        set mode static
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
    # port3 (dmz, 172.16.10.1/24): ping only, so DMZ-SRV gets no management
    # access to the FortiGate even though it is internet-reachable via the VIP.
    edit "port3"
        set alias "dmz"
        set mode static
        set ip 172.16.10.1 255.255.255.0
        set allowaccess ping
        set role dmz
    next
    # port4 (mgmt, DHCP on the host bridge): the same entry is repeated in
    # section 7.
    # NOTE(review): "http" is enabled alongside https, so the GUI (and admin
    # credentials) can also be served over plaintext HTTP on this interface.
    # Fine for an isolated lab bridge; "https ping ssh" alone is the safer set.
    edit "port4"
        set mode dhcp
        set allowaccess https http ping ssh
        set role lan
    next
end

2. DNS

# Resolvers used by the FortiGate itself (public resolvers, reached via the
# default route on port1).
config system dns
    set primary 8.8.8.8
    set secondary 1.1.1.1
end

3. Default Route

config router static
    # No dst is set, so this is the default route (0.0.0.0/0) towards the
    # upstream router INET-R1 (203.0.113.1) out of port1.
    edit 1
        set gateway 203.0.113.1
        set device "port1"
    next
end

4. Firewall Address Objects

# Named address objects referenced by the policies in section 6.
# Networks use their /24 mask; single hosts use a /32 (255.255.255.255) mask.
config firewall address
    # LAN segment behind port2
    edit "INSIDE_NET"
        set subnet 192.168.1.0 255.255.255.0
    next
    # DMZ segment behind port3
    edit "DMZ_NET"
        set subnet 172.16.10.0 255.255.255.0
    next
    # Real (internal) address of the DMZ server; the public side is the VIP in
    # section 5.
    edit "DMZ-SRV"
        set subnet 172.16.10.10 255.255.255.255
    next
    # The single external test host
    edit "EXT-USER"
        set subnet 198.51.100.10 255.255.255.255
    next
end

5. VIP — DNAT (203.0.113.10 → 172.16.10.10)

config firewall vip
    # Static 1:1 DNAT on port1: 203.0.113.10 -> 172.16.10.10. With port
    # forwarding disabled every port of the public IP maps to DMZ-SRV, so the
    # exposed services are bounded only by the policies that reference this
    # object (policy 3 in section 6 allows HTTP/HTTPS); anything else on
    # DMZ-SRV stays unreachable until a policy permits it.
    edit "VIP-DMZ-SRV"
        set extip 203.0.113.10
        set extintf "port1"
        set mappedip "172.16.10.10"
        set portforward disable
    next
end

6. Firewall Policies

# Name Src Intf Dst Intf Action NAT
1 INSIDE-TO-INET port2 port1 accept yes
2 INSIDE-TO-DMZ port2 port3 accept no
3 INET-TO-DMZ-VIP port1 port3 accept no
4 EXTUSER-TO-DMZ-ONLY port1 port3 accept no
5 DENY-DMZ-TO-INSIDE port3 port2 deny no
config firewall policy
    # Policies are evaluated top-down and the first match wins, so the table
    # above is also the evaluation order.
    # Policy 1: LAN -> internet, any destination, any service, source NAT
    # behind the outgoing interface (nat enable); every session is logged.
    edit 1
        set name "INSIDE-TO-INET"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "INSIDE_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Policy 2: LAN -> DMZ, any service, no NAT. The reverse direction
    # (DMZ -> LAN) is explicitly denied by policy 5.
    edit 2
        set name "INSIDE-TO-DMZ"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "INSIDE_NET"
        set dstaddr "DMZ_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policy 3: internet -> DMZ-SRV through the VIP object (section 5),
    # restricted to HTTP/HTTPS from any source. NAT stays disabled because the
    # VIP already performs the destination NAT.
    edit 3
        set name "INET-TO-DMZ-VIP"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP-DMZ-SRV"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    # Policy 4: NOTE(review): this entry is shadowed. Policy 3 above already
    # accepts HTTP/HTTPS from srcaddr "all" to the VIP, so EXT-USER's traffic
    # matches there and never reaches this policy. It also uses the real
    # address "DMZ-SRV" rather than the VIP; inbound traffic to 203.0.113.10
    # is presumably already DNATed when policies are matched, and match-vip is
    # not set, so verify with the flow trace in section 8 whether this policy
    # can match at all. If the intent is to limit DMZ-SRV to EXT-USER only,
    # place this policy above policy 3 and point dstaddr at "VIP-DMZ-SRV",
    # or narrow policy 3's srcaddr instead.
    edit 4
        set name "EXTUSER-TO-DMZ-ONLY"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "EXT-USER"
        set dstaddr "DMZ-SRV"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    # Policy 5: explicit DMZ -> LAN deny with logging. The implicit deny would
    # drop this traffic anyway; the explicit entry exists so that attempts
    # from the DMZ (e.g. a compromised DMZ-SRV) show up in the traffic log.
    edit 5
        set name "DENY-DMZ-TO-INSIDE"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "DMZ_NET"
        set dstaddr "INSIDE_NET"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

7. Management GUI Access (port4)

port4 is set to DHCP and connected to a CML External Connector bridge so the host machine can reach the web GUI.

# Identical to the port4 entry in section 1; re-applying it sets the same
# values and is harmless.
# NOTE(review): "http" alongside https means the GUI login is also reachable
# over plaintext HTTP on the host bridge; drop "http" if the bridge is shared.
config system interface
    edit "port4"
        set mode dhcp
        set allowaccess https http ping ssh
        set role lan
    next
end

Check the assigned IP after boot:

get system interface physical

Then browse to https://&lt;port4-ip&gt; from your host machine; the FortiGate presents a self-signed certificate by default, so accept the browser's certificate warning.


8. Verification Commands

# Interface IPs and status (also shows the DHCP address port4 received)
get system interface physical

# Routing table (expect the default route via 203.0.113.1 on port1)
get router info routing-table all

# Active sessions
diagnose sys session list

# Policy hit counts
diagnose firewall iprope show 100004

# Test outbound from FortiGate
execute ping 8.8.8.8

# Test outbound sourced from outside IP (the ping below leaves from port1's
# address 203.0.113.2 instead of the default source)
execute ping-options source 203.0.113.2
execute ping 8.8.8.8

# Live flow debug, filtered to EXT-USER's address so only its packets are
# traced (50 packets). Useful for confirming which policy (3 or 4) an inbound
# request actually hits. Output keeps flowing until the stop block is run.
diagnose debug flow filter addr 198.51.100.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable

# Stop debug (run both lines; the address filter stays set afterwards, clear
# it with "diagnose debug flow filter clear" before tracing another host)
diagnose debug disable
diagnose debug flow trace stop

9. Stretch Goals

Web Filter on Inside-to-Internet

# FortiGuard category-based web filter profile: a single filter that blocks
# category 62. The number is a FortiGuard category id — confirm which category
# it denotes (e.g. in the GUI profile editor) before relying on it.
config webfilter profile
    edit "INSIDE-WEBFILTER"
        config ftgd-wf
            config filters
                edit 1
                    set category 62
                    set action block
                next
            end
        end
    next
end

# Re-enters policy 1 (INSIDE-TO-INET, section 6) to attach the profile.
# NOTE(review): "certificate-inspection" presumably inspects only the server
# certificate/SNI rather than decrypting sessions, so HTTPS category blocking
# depends on that information being present — confirm in testing.
config firewall policy
    edit 1
        set webfilter-profile "INSIDE-WEBFILTER"
        set ssl-ssh-profile "certificate-inspection"
    next
end

IPS on DMZ Inbound Policy

# IPS sensor with one entry: matches signatures of medium, high and critical
# severity and drops the matching traffic.
config ips sensor
    edit "DMZ-IPS"
        config entries
            edit 1
                set severity medium high critical
                set action drop
            next
        end
    next
end

# Re-enters policy 3 (INET-TO-DMZ-VIP, section 6) so inbound traffic to
# DMZ-SRV through the VIP passes the sensor.
config firewall policy
    edit 3
        set ips-sensor "DMZ-IPS"
    next
end

10. Factory Reset

Erases the entire configuration (all sections above) and returns the device to factory defaults. Use it only when starting the lab over.

execute factoryreset

Type y to confirm; the device reboots. Log back in as admin with a blank password and set a new password when prompted.