Archives May 2023

Traffic shaping is a method of optimizing network traffic by prioritizing different types of traffic according to their importance. FortiGate firewall offers a traffic shaping feature that can be used to prioritize traffic, limit bandwidth usage, and control network congestion. In this blog post, we’ll discuss how to configure traffic shaping on FortiGate firewall.

Step 1: Configure Traffic Shaping Policy

1. Login to your FortiGate firewall and go to Policy & Objects > Policy > IPv4 Policy. Here you can create a new policy or edit an existing policy to configure traffic shaping settings.
2. In the policy settings, go to the Traffic Shaping tab and select the Enable Traffic Shaping checkbox.
3. Select the traffic shaping algorithm that you want to use from the Algorithm dropdown list. You can choose between fair queuing, weighted fair queuing, and priority queuing.
4. Set the maximum bandwidth for the policy in the Maximum Bandwidth field. You can also set the minimum bandwidth and maximum burst size if needed.

Step 2: Configure Traffic Shaping Profiles

1. In this step, you’ll create traffic shaping profiles that can be used in traffic shaping policies. Go to Policy & Objects > Traffic Shaping > Profiles and create a new profile.
2. In the profile settings, you can configure different traffic shaping parameters such as maximum bandwidth, minimum bandwidth, and maximum burst size.
3. You can also set traffic shaping rules for specific applications or traffic types by creating a new traffic shaping rule in the profile settings.

Step 3: Configure Traffic Shaping Classes

1. Traffic shaping classes are used to categorize traffic and apply different traffic shaping policies to different traffic classes. Go to Policy & Objects > Traffic Shaping > Classes and create a new class.
2. In the class settings, you can configure different traffic shaping parameters for the class such as maximum bandwidth, minimum bandwidth, and maximum burst size.
3. You can also assign traffic shaping profiles to the class by selecting the profile from the Profile dropdown list.

Step 4: Assign Traffic Shaping Classes to Policies

1. Once you’ve created traffic shaping policies, profiles, and classes, you need to assign the traffic shaping classes to the policies. Go to Policy & Objects > Policy > IPv4 Policy and edit the policy that you want to assign the traffic shaping class to.
2. In the policy settings, go to the Traffic Shaping tab and select the Enable Traffic Shaping checkbox.
3. Select the traffic shaping class that you want to assign to the policy from the Traffic Shaping Class dropdown list.

Step 5: Monitor Traffic Shaping

1. After you’ve configured traffic shaping on your FortiGate firewall, you can monitor the traffic shaping statistics to ensure that the traffic shaping is working properly. Go to FortiView > Traffic Shaping to view the traffic shaping statistics.
2. In the traffic shaping view, you can see the traffic shaping policies, classes, and profiles that are currently active. You can also view the bandwidth usage and packet loss statistics for each policy.

Conclusion: Traffic shaping is a powerful feature that can be used to optimize network traffic and improve network performance on FortiGate firewall. By following the above steps, you can easily configure traffic shaping on FortiGate firewall and start using it to prioritize traffic, limit bandwidth usage, and control network congestion. Make sure to monitor the traffic shaping statistics regularly to ensure that it’s working properly.

A captive portal is a web page that is presented to users when they attempt to connect to a network. Captive portals are commonly used in public Wi-Fi hotspots, hotels, and other places where the network owner wants to control the access to the network. FortiGate firewall offers a captive portal feature that can be used to authenticate users and control network access. In this blog post, we’ll discuss how to configure captive portal on FortiGate firewall.

Step 1: Configure FortiGate Firewall

1. Login to your FortiGate firewall and go to User & Device > Authentication > Captive Portal. Here you can configure the captive portal settings such as authentication method, user groups, and web page settings.
2. Configure User Groups: In this step, you’ll create user groups to which users will be assigned after authentication. Go to User & Device > User Groups and create the user groups that you want to use for captive portal authentication.
3. Configure Web Page Settings: In this step, you’ll configure the web page settings for the captive portal. You can upload your own HTML file or use the default web page provided by FortiGate firewall.

Step 2: Configure Authentication Method

1. FortiGate firewall supports various authentication methods for captive portal, including local users, RADIUS, LDAP, and TACACS+. Choose the authentication method that you want to use and configure it accordingly.
2. If you’re using local user authentication, go to User & Device > User > User Definition and create the local users that you want to use for captive portal authentication.

Step 3: Configure Firewall Policies

1. Once you’ve configured the captive portal settings and authentication method, you need to create firewall policies to allow traffic to and from the captive portal. Go to Policy & Objects > IPv4 Policy and create a new policy for the captive portal traffic.
2. In the source field, select the interface where the captive portal will be presented. In the destination field, select the destination address range for the captive portal. In the service field, select the HTTP and HTTPS services.

Step 4: Test the Captive Portal

1. Once you’ve completed the configuration, you can test the captive portal by connecting to the network and attempting to access the internet. You should be presented with the captive portal login page.
2. Enter the username and password that you created in the authentication method configuration and click login. If the authentication is successful, you should be redirected to the internet.

Conclusion: Captive portal is a powerful feature that can be used to authenticate users and control network access on FortiGate firewall. By following the above steps, you can easily configure captive portal on FortiGate firewall and start using it to control network access. Make sure to test the captive portal after configuration to ensure that it’s working properly.

FortiGate IPsec VPN Site to Site provides a secure and reliable connection between two networks located in different locations. This is a crucial feature for businesses with remote offices and a requirement for remote workers. In this blog post, we’ll discuss how to configure FortiGate IPsec VPN Site to Site and provide training on its usage.

Step 1: Configure FortiGate Firewall

1. Login to your FortiGate firewall and go to VPN > IPsec > Wizard. Here you can configure the IPsec VPN settings such as authentication, encryption, and VPN topology.
2. Configure Phase 1 Settings: In this step, you’ll configure the Phase 1 settings for the VPN connection, which includes the remote gateway IP address, authentication method, and encryption algorithm.
3. Configure Phase 2 Settings: In this step, you’ll configure the Phase 2 settings for the VPN connection, which includes the local and remote subnets, encryption algorithm, and key lifetime.
4. Configure Firewall Policies: Once you’ve configured the VPN settings, you need to create firewall policies to allow traffic between the two networks. Go to Policy & Objects > IPv4 Policy and create a new policy for the VPN traffic.

Step 2: Configure Remote Site

1. Configure Phase 1 and Phase 2 Settings: Configure the Phase 1 and Phase 2 settings on the remote site to match the configuration on the FortiGate firewall.
2. Configure Firewall Policies: Create firewall policies on the remote site to allow traffic between the two networks.

Step 3: Verify the Connection

1. Once you’ve completed the configuration on both sites, you can verify the connection status. Go to VPN > Monitor > IPsec Monitor to view the status of the VPN connection.
2. You can also check the firewall logs to ensure that the traffic is flowing between the two networks.

Step 4: Troubleshooting

1. If the VPN connection is not established, you can troubleshoot the connection by checking the firewall logs and the configuration on both sites.
2. You can also use the FortiGate diagnostic tools such as ping and traceroute to troubleshoot the connection.

Conclusion: FortiGate IPsec VPN Site to Site provides a secure and reliable connection between two networks located in different locations. By following the above steps, you can easily configure FortiGate IPsec VPN Site to Site and start using it for remote access. Make sure to verify the connection status and troubleshoot any issues that may arise.

In today’s digital era, remote access is becoming a fundamental requirement for businesses to ensure continuous productivity. But with remote access comes the risk of cyber threats, making VPN security a top priority.

“Welcome to my channel! In this video, I will describe how to configure firewall policies with multiple source and destination interfaces in FortiGate. We’ll be looking at how to allow traffic between multiple interfaces on your FortiGate firewall, which is particularly useful when you have different subnets that you want to control traffic between or when you have multiple VLANs that need to communicate with each other. By the end of this video, you’ll have a better understanding of how to configure these policies in FortiGate and how they can help secure your network.

As you can see in this topology, we have three PCs located in three different VLANs or interfaces, and we want to write a policy to give access to the web server that is located in VLAN 4. If you want to use FortiGate’s default features, you must write a policy for each VLAN or interface to access the web server VLAN because input interfaces are different. However, by using multiple interface policies, you can accomplish this job with just one policy. Another example in this topology is when you want to give system administrators access to their servers from the VPN. In a normal and standard feature, you have to write a policy for each VLAN. Still, with multiple interface policies, you can grant access to all desired servers with just one policy, making managing your firewall and policies more manageable.

Now, let’s move on to the configuration. In my topology that was shown earlier, I have four interfaces, but because I am using a trial license, I only have three interfaces. That’s not important; you can add all your interfaces to policies in your production environment. First, I need to enable this feature in my firewall.

I’m going to feature visibility under the System menu and enable multiple interface policies, then click on apply.

Next, I’ll write the policy that allows access from different VLANs to the web server.

I’ll go to Policy and Objects > Firewall Policy > Create New and write the name of the policy, for example, “Allow all Interfaces to Webserver.”

Click on incoming interface and select the incoming interface. Select the outgoing interface and select your web server interface. You can add multiple outgoing interfaces if your web servers are located on different interfaces.

For the source, you can specify your source IP; it can be all or specific IP addresses.

For the destination, you can add all or specific addresses, and for the service, I’ll leave it as HTTPS.

These settings are based on your production environment. With just one policy, I grant access to the web server from different interfaces.

For the other topology shown at the beginning of this video, the policy is the same.

I’ll create the policy, name it “Allow System Admin to Servers,”

select incoming interface, select SSL VPN,

select outgoing interface, for example, Port 1, 2, and 3 are our server VLANs.

For the source, select all or your VPN addresses and select VPN username.

For the destination IP addresses, you can add all or IP addresses.

For the service, you can select SSH, RDP, or other services based on your production environment.

Click OK, and the policy is complete.

that is finished , by writing just one policy you can grant access for system administrator vpn connection to the multiple servers that raised on different vlans.

I hope this video will be useful for you to manage your firewall. If you would like to see more videos, please subscribe to my channel and like my videos. Also, if you have any questions, you can ask them in the comments. Have a good day! Bye-bye.”