Category Network Training

FortiGate Traffic Shaping Configuration

Traffic shaping is a method of optimizing network traffic by prioritizing different types of traffic according to their importance. The FortiGate firewall offers a traffic shaping feature that can be used to prioritize traffic, limit bandwidth usage, and control network congestion. In this blog post, we’ll discuss how to configure traffic shaping on a FortiGate firewall.

Fortigate Traffic Shaping

Step 1: Configure Traffic Shaping Policy

  1. Log in to your FortiGate firewall and go to Policy & Objects > Policy > IPv4 Policy. Here you can create a new policy or edit an existing policy to configure traffic shaping settings.
  2. In the policy settings, go to the Traffic Shaping tab and select the Enable Traffic Shaping checkbox.
  3. Select the traffic shaping algorithm that you want to use from the Algorithm dropdown list. You can choose between fair queuing, weighted fair queuing, and priority queuing.
  4. Set the maximum bandwidth for the policy in the Maximum Bandwidth field. You can also set the minimum bandwidth and maximum burst size if needed.

Step 2: Configure Traffic Shaping Profiles

  1. In this step, you’ll create traffic shaping profiles that can be used in traffic shaping policies. Go to Policy & Objects > Traffic Shaping > Profiles and create a new profile.
  2. In the profile settings, you can configure different traffic shaping parameters such as maximum bandwidth, minimum bandwidth, and maximum burst size.
  3. You can also set traffic shaping rules for specific applications or traffic types by creating a new traffic shaping rule in the profile settings.

Step 3: Configure Traffic Shaping Classes

  1. Traffic shaping classes are used to categorize traffic and apply different traffic shaping policies to different traffic classes. Go to Policy & Objects > Traffic Shaping > Classes and create a new class.
  2. In the class settings, you can configure different traffic shaping parameters for the class such as maximum bandwidth, minimum bandwidth, and maximum burst size.
  3. You can also assign traffic shaping profiles to the class by selecting the profile from the Profile dropdown list.

Step 4: Assign Traffic Shaping Classes to Policies

  1. Once you’ve created traffic shaping policies, profiles, and classes, you need to assign the traffic shaping classes to the policies. Go to Policy & Objects > Policy > IPv4 Policy and edit the policy that you want to assign the traffic shaping class to.
  2. In the policy settings, go to the Traffic Shaping tab and select the Enable Traffic Shaping checkbox.
  3. Select the traffic shaping class that you want to assign to the policy from the Traffic Shaping Class dropdown list.

Step 5: Monitor Traffic Shaping

  1. After you’ve configured traffic shaping on your FortiGate firewall, you can monitor the traffic shaping statistics to ensure that the traffic shaping is working properly. Go to FortiView > Traffic Shaping to view the traffic shaping statistics.
  2. In the traffic shaping view, you can see the traffic shaping policies, classes, and profiles that are currently active. You can also view the bandwidth usage and packet loss statistics for each policy.
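The five steps above in FortiOS CLI form, as an added example that is not part of the original post. It assumes an egress interface named wan1 with a 50 Mbps uplink and invents the shaper, class and profile names. One caveat: the GUI paths in the steps (a Traffic Shaping tab inside the IPv4 policy) belong to older firmware; on current FortiOS the shaper and the class are attached to traffic through a separate shaping policy, which is what the CLI below configures.

```text
# Added example (FortiOS CLI); not from the original post.
# Assumptions: egress interface "wan1" with a 50 Mbps uplink; all names
# and bandwidth figures are illustrative. Bandwidth values are in kbps.

# Step 1: the shaper (what the GUI calls maximum/guaranteed bandwidth).
#   per-policy disable = one shared cap across every policy that uses it.
config firewall shaper traffic-shaper
    edit "voip-shaper"
        set guaranteed-bandwidth 2000
        set maximum-bandwidth 10000
        set priority high
        set per-policy disable
    next
end

# Step 3: traffic classes (class 2 is used as the catch-all below).
config firewall traffic-class
    edit 2
        set class-name "bulk"
    next
    edit 3
        set class-name "voice"
    next
end

# Step 2: shaping profile, the per-class share of the interface's outbound
#   bandwidth, expressed as percentages of the interface's outbandwidth.
config firewall shaping-profile
    edit "wan-egress"
        set type policing
        set default-class-id 2
        config shaping-entries
            edit 1
                set class-id 3
                set priority high
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 100
            next
            edit 2
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 90
            next
        end
    next
end

# The profile does nothing until it is bound to an interface whose
# outbandwidth is set; the percentages are relative to that figure.
config system interface
    edit "wan1"
        set outbandwidth 50000
        set egress-shaping-profile "wan-egress"
    next
end

# Step 4: shaping policy. It matches traffic that a firewall policy has
#   already allowed and attaches the shaper and the class to it.
config firewall shaping-policy
    edit 1
        set name "shape-voip"
        set srcaddr "all"
        set dstaddr "all"
        set service "SIP"
        set dstintf "wan1"
        set traffic-shaper "voip-shaper"
        set traffic-shaper-reverse "voip-shaper"
        set class-id 3
    next
end

# Step 5: per-shaper counters, including drops once the cap is hit.
diagnose firewall shaper traffic-shaper list
```

The diagnose command at the end is the quickest way to confirm that a shaper is actually seeing traffic: a shaping policy whose selectors match nothing shows zero bytes and zero drops, which is easy to mistake for "working" when you only look at the GUI.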

Conclusion: Traffic shaping is a powerful feature that can be used to optimize network traffic and improve network performance on FortiGate firewall. By following the above steps, you can easily configure traffic shaping on FortiGate firewall and start using it to prioritize traffic, limit bandwidth usage, and control network congestion. Make sure to monitor the traffic shaping statistics regularly to ensure that it’s working properly.

Fortigate Captive Portal Configuration

A captive portal is a web page that is presented to users when they attempt to connect to a network. Captive portals are commonly used in public Wi-Fi hotspots, hotels, and other places where the network owner wants to control access to the network. The FortiGate firewall offers a captive portal feature that can be used to authenticate users and control network access. In this blog post, we’ll discuss how to configure a captive portal on a FortiGate firewall.


Step 1: Configure FortiGate Firewall

  1. Log in to your FortiGate firewall and go to User & Device > Authentication > Captive Portal. Here you can configure the captive portal settings such as authentication method, user groups, and web page settings.
  2. Configure User Groups: In this step, you’ll create user groups to which users will be assigned after authentication. Go to User & Device > User Groups and create the user groups that you want to use for captive portal authentication.
  3. Configure Web Page Settings: In this step, you’ll configure the web page settings for the captive portal. You can upload your own HTML file or use the default web page provided by FortiGate firewall.

Step 2: Configure Authentication Method

  1. FortiGate firewall supports various authentication methods for captive portal, including local users, RADIUS, LDAP, and TACACS+. Choose the authentication method that you want to use and configure it accordingly.
  2. If you’re using local user authentication, go to User & Device > User > User Definition and create the local users that you want to use for captive portal authentication.

Step 3: Configure Firewall Policies

  1. Once you’ve configured the captive portal settings and authentication method, you need to create firewall policies to allow traffic to and from the captive portal. Go to Policy & Objects > IPv4 Policy and create a new policy for the captive portal traffic.
  2. In the source field, select the interface where the captive portal will be presented. In the destination field, select the destination address range for the captive portal. In the service field, select the HTTP and HTTPS services.

Step 4: Test the Captive Portal

  1. Once you’ve completed the configuration, you can test the captive portal by connecting to the network and attempting to access the internet. You should be presented with the captive portal login page.
  2. Enter the username and password that you created in the authentication method configuration and click login. If the authentication is successful, you should be redirected to the internet.
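The same setup in FortiOS CLI, as an added example that is not part of the original post. The interface names (port3 for the guest network, wan1 upstream), the guest user, the group, the certificate and the policy names are assumptions. It also enables the HTTPS redirect for the portal, which the steps above do not mention; without it, the login form and the credentials travel in clear text on the guest network.

```text
# Added example (FortiOS CLI); not from the original post.
# Assumptions: guest network on "port3", upstream on "wan1"; user, group,
# certificate and policy names are illustrative.

# Step 2: local user and the group the portal authenticates against.
config user local
    edit "guest1"
        set type password
        set passwd "<strong-unique-password>"
    next
end
config user group
    edit "guest-users"
        set member "guest1"
    next
end

# Step 1: put the guest interface in captive-portal mode. Hosts on port3 are
# redirected to the portal until they authenticate as a member of
# security-groups; nothing else passes.
config system interface
    edit "port3"
        set security-mode captive-portal
        set security-groups "guest-users"
    next
end

# Serve the portal over HTTPS with your own server certificate so the
# login form and credentials are not sent in clear text on the guest network.
config user setting
    set auth-type http https ftp telnet
    set auth-secure-http enable
    set auth-cert "<server-certificate-name>"
end

# Step 3: policy for the authenticated guests. "groups" makes the policy
# identity-based; a host that has not passed the portal does not match it.
config firewall policy
    edit 0
        set name "guest-portal-to-internet"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set groups "guest-users"
        set nat enable
        set logtraffic all
    next
end

# Step 4: list the users that have passed the portal, per interface.
diagnose firewall auth list
```

The diagnose command is the CLI counterpart of the test in step 4: after a successful login the guest's IP, username and group appear there, and `diagnose firewall auth clear` removes the sessions when you want to re-test from scratch.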

Conclusion: Captive portal is a powerful feature that can be used to authenticate users and control network access on FortiGate firewall. By following the above steps, you can easily configure captive portal on FortiGate firewall and start using it to control network access. Make sure to test the captive portal after configuration to ensure that it’s working properly.

FortiGate IPsec VPN Site to Site Configuration

FortiGate IPsec VPN Site to Site provides a secure and reliable connection between two networks located in different locations. This is a crucial feature for businesses with remote offices and a requirement for remote workers. In this blog post, we’ll discuss how to configure FortiGate IPsec VPN Site to Site and provide training on its usage.

Step 1: Configure FortiGate Firewall

  1. Log in to your FortiGate firewall and go to VPN > IPsec > Wizard. Here you can configure the IPsec VPN settings such as authentication, encryption, and VPN topology.
  2. Configure Phase 1 Settings: In this step, you’ll configure the Phase 1 settings for the VPN connection, which includes the remote gateway IP address, authentication method, and encryption algorithm.
  3. Configure Phase 2 Settings: In this step, you’ll configure the Phase 2 settings for the VPN connection, which includes the local and remote subnets, encryption algorithm, and key lifetime.
  4. Configure Firewall Policies: Once you’ve configured the VPN settings, you need to create firewall policies to allow traffic between the two networks. Go to Policy & Objects > IPv4 Policy and create a new policy for the VPN traffic.

Step 2: Configure Remote Site

  1. Configure Phase 1 and Phase 2 Settings: Configure the Phase 1 and Phase 2 settings on the remote site to match the configuration on the FortiGate firewall.
  2. Configure Firewall Policies: Create firewall policies on the remote site to allow traffic between the two networks.

Step 3: Verify the Connection

  1. Once you’ve completed the configuration on both sites, you can verify the connection status. Go to VPN > Monitor > IPsec Monitor to view the status of the VPN connection.
  2. You can also check the firewall logs to ensure that the traffic is flowing between the two networks.

Step 4: Troubleshooting

  1. If the VPN connection is not established, you can troubleshoot the connection by checking the firewall logs and the configuration on both sites.
  2. You can also use the FortiGate diagnostic tools such as ping and traceroute to troubleshoot the connection.

Conclusion: FortiGate IPsec VPN Site to Site provides a secure and reliable connection between two networks located in different locations. By following the above steps, you can easily configure FortiGate IPsec VPN Site to Site and start using it to connect your sites. Make sure to verify the connection status and troubleshoot any issues that may arise.

FortiGate Remote Access IPSec VPN Configuration

In today’s digital era, remote access is becoming a fundamental requirement for businesses to ensure continuous productivity. But with remote access comes the risk of cyber threats, making VPN security a top priority. FortiGate Remote Access IPSec VPN offers a reliable and secure solution for remote workers. In this blog post, we’ll discuss how to configure FortiGate Remote Access IPSec VPN and provide training on its usage.

FortiGate Remote Access IPSec VPN Configuration

Step 1: FortiGate Firewall Configuration

  1. Before configuring FortiClient, you need to configure the FortiGate firewall. Log in to your FortiGate firewall and go to VPN > IPSec > Wizard. Here you can configure the IPSec VPN settings such as authentication, encryption, and VPN topology.

Step 2: FortiClient VPN Configuration

FortiClient is client software that allows secure remote access to your network. It supports various operating systems such as Windows, macOS, Linux, and Android. Follow the steps below to configure FortiClient VPN:

  1. Download and Install FortiClient: Download FortiClient from the official Fortinet website and install it on your device.
  2. Configure VPN Settings: Open FortiClient and click on the “Configure VPN” option. Enter the VPN IP address and port number of your FortiGate firewall, select IPSec VPN, and enter the username and password. Click “Save”.
  3. Connect to VPN: Once you’ve configured the VPN settings, click on the “Connect” button to establish a VPN connection.
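What the wizard in step 1 produces for a FortiClient remote-access tunnel, written out as FortiOS CLI; this is an added example, not the post's own output. The uplink "wan1", the LAN 10.1.0.0/24 behind "internal" (with an address object "lan-10.1.0.0" assumed to exist), the client pool 10.212.134.0/24 and the user and group names are assumptions.

```text
# Added example (FortiOS CLI); not from the original post.
# Assumptions: uplink "wan1", LAN 10.1.0.0/24 behind "internal" (address
# object "lan-10.1.0.0" assumed to exist), client pool 10.212.134.0/24,
# user and group names illustrative. This is the IKEv1 aggressive-mode +
# XAuth template that the wizard's FortiClient option produces.

config user local
    edit "alice"
        set type password
        set passwd "<per-user-password>"
    next
end
config user group
    edit "vpn-users"
        set member "alice"
    next
end

# Phase 1: "dynamic" = clients may connect from any address. XAuth adds the
# per-user login on top of the shared PSK; mode-cfg hands out client IPs and
# the split-tunnel route, so only LAN traffic enters the tunnel.
config vpn ipsec phase1-interface
    edit "dialup-ra"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.100
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "lan-10.1.0.0"
        set psksecret "<long-random-pre-shared-key>"
    next
end
config vpn ipsec phase2-interface
    edit "dialup-ra-p2"
        set phase1name "dialup-ra"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

# Policy from the tunnel interface into the LAN only (no NAT, no "all"
# destination); a VPN user cannot reach anything else through the firewall
# unless you deliberately add a policy for it.
config firewall policy
    edit 0
        set name "ra-vpn-to-lan"
        set srcintf "dialup-ra"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "lan-10.1.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 2 in FortiClient: remote gateway = the wan1 address, IPsec VPN,
# the same PSK, then the user's own username and password.
# Who is connected right now:
diagnose vpn ike gateway list
```

Aggressive mode exchanges the identity hash before the channel is protected, so the strength of the PSK matters more here than in a site-to-site tunnel; keep it long and random, keep per-user passwords separate from it, and where your FortiClient version supports it prefer IKEv2 with certificate authentication.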
Step 3: FortiGate VPN Training

Fortinet offers various training courses and resources to help you become proficient in using FortiGate Remote Access IPSec VPN. You can start with the following resources:

  1. Fortinet Training: Fortinet offers various training courses on FortiGate and VPN security. You can check out their training portal for more information.
  2. Documentation: Fortinet provides comprehensive documentation on FortiGate Remote Access IPSec VPN configuration and usage. You can check out their documentation portal for more information.
Conclusion: FortiGate Remote Access IPSec VPN offers a secure and reliable solution for remote workers to access their network resources. By following the above steps, you can easily configure FortiGate Remote Access IPSec VPN and start using it for remote access. Make sure to also take advantage of Fortinet’s training resources to become proficient in using FortiGate Remote Access IPSec VPN.

Fortigate Multiple Interface Policy

“Welcome to my channel! In this video, I will describe how to configure firewall policies with multiple source and destination interfaces in FortiGate. We’ll be looking at how to allow traffic between multiple interfaces on your FortiGate firewall, which is particularly useful when you have different subnets that you want to control traffic between or when you have multiple VLANs that need to communicate with each other. By the end of this video, you’ll have a better understanding of how to configure these policies in FortiGate and how they can help secure your network.

As you can see in this topology, we have three PCs located in three different VLANs or interfaces, and we want to write a policy to give access to the web server that is located in VLAN 4. If you want to use FortiGate’s default features, you must write a policy for each VLAN or interface to access the web server VLAN because input interfaces are different. However, by using multiple interface policies, you can accomplish this job with just one policy. Another example in this topology is when you want to give system administrators access to their servers from the VPN. In a normal and standard feature, you have to write a policy for each VLAN. Still, with multiple interface policies, you can grant access to all desired servers with just one policy, making managing your firewall and policies more manageable.

Now, let’s move on to the configuration. In my topology that was shown earlier, I have four interfaces, but because I am using a trial license, I only have three interfaces. That’s not important; you can add all your interfaces to policies in your production environment. First, I need to enable this feature in my firewall.

I’m going to feature visibility under the System menu and enable multiple interface policies, then click on apply.

Next, I’ll write the policy that allows access from different VLANs to the web server.

I’ll go to Policy and Objects > Firewall Policy > Create New and write the name of the policy, for example, “Allow all Interfaces to Webserver.”

Click on incoming interface and select the incoming interface. Select the outgoing interface and select your web server interface. You can add multiple outgoing interfaces if your web servers are located on different interfaces.

For the source, you can specify your source IP; it can be all or specific IP addresses.

For the destination, you can add all or specific addresses, and for the service, I’ll leave it as HTTPS.

These settings are based on your production environment. With just one policy, I grant access to the web server from different interfaces.

For the other topology shown at the beginning of this video, the policy is the same.

I’ll create the policy, name it “Allow System Admin to Servers,”

select incoming interface, select SSL VPN,

select outgoing interface, for example, Port 1, 2, and 3 are our server VLANs.

For the source, select all or your VPN addresses and select VPN username.

For the destination IP addresses, you can add all or IP addresses.

For the service, you can select SSH, RDP, or other services based on your production environment.

Click OK, and the policy is complete.

That is it. By writing just one policy, you can grant the system administrators’ VPN connection access to multiple servers located on different VLANs.
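The two policies from the video as FortiOS CLI, added here as an example that is not from the video. The port names, the "webserver" address object, the "sysadmins" user group and the SSL VPN tunnel interface name ssl.root are assumptions. The CLI has always accepted several interfaces per policy; the feature-visibility toggle only exposes that in the GUI.

```text
# Added example (FortiOS CLI); not the video's own CLI.
# Assumptions: port1-port3 are the client VLANs, port4 the web server VLAN,
# "webserver" is an address object, "sysadmins" a user group, and the SSL VPN
# tunnel interface in the root VDOM is "ssl.root".

# What "Feature Visibility > Multiple Interface Policies" toggles. The CLI
# accepts several interfaces per policy regardless; this only affects the GUI.
config system settings
    set gui-multiple-interface-policy enable
end

config firewall policy
    # Policy 1: three client VLANs to the web server, one policy instead of three.
    edit 0
        set name "Allow all Interfaces to Webserver"
        set srcintf "port1" "port2" "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "webserver"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Policy 2: SSL VPN admins to the three server VLANs. Listing the VLANs is
    # narrower than dstintf "any"; "groups" limits it to the admin group rather
    # than every VPN user, and the service list is deliberately short.
    edit 0
        set name "Allow System Admin to Servers"
        set srcintf "ssl.root"
        set dstintf "port1" "port2" "port3"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sysadmins"
        set action accept
        set schedule "always"
        set service "SSH" "RDP"
        set logtraffic all
    next
end
```

Fewer policies is easier to manage, but a multi-interface policy also widens the blast radius of a mistake: "all" sources across three interfaces to "all" destinations is effectively a flat network, so keep the address objects, the user group and the service list as specific as the environment allows.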

I hope this video will be useful for you to manage your firewall. If you would like to see more videos, please subscribe to my channel and like my videos. Also, if you have any questions, you can ask them in the comments. Have a good day! Bye-bye.”

FortiGate Two Factor Authentication with Email

Hello everyone, in this video, I will introduce how you can set up 2-step verification for SSL VPN users by sending a token through email. By default, there is no way to enable this option via the graphical user interface. We must enable this feature from the CLI.

First, we must set up an SMTP server. Click on “Settings” under the system menu and enable “Use custom settings”. Write your SMTP server settings. These pieces of information depend on your environment.

Next, go to SSL-VPN portals under the VPN menu. Because I am using this firewall as a test environment, I have to do some configurations to activate SSL VPN on this firewall.

Then, configure SSL-VPN settings. Again, as I told you, I did some configurations to activate SSL-VPN on this firewall, and you don’t need to do these steps in your environment.

Now, I am going to create a user. Click on “User Definition” under “User and Authentication”. Because I don’t have any users, I am going to create one and then enable email-based 2-factor authentication for that user. In your environment, you might be using local users or LDAP users; no matter which type of users you are using, you can enable email-based 2-factor authentication for any type of user.

Click on “Create User”, “Local User”, enter username and password. At this step, I am not enabling 2-factor authentication because we don’t have any option to enable email-based 2-factor authentication, and then submit.

Now, it’s time to enable the mail token on this user. As I told you, this can be a local or an LDAP user. Edit the user and open “Edit in CLI”. You can use that shortcut to edit this user from the CLI, or write these commands:

  config user local          (the user entry, whether it is a local or an LDAP user)
      edit <username>        (your selected username)
          set two-factor email
          set email-to <the user’s email address>
      next
  end

Refresh user lists.

Ok, as you can see, email-based two-factor authentication is enabled.
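The SMTP server settings and the user commands from this video in one listing, as an added example that is not the video's own CLI output. The server name, the credentials, the user names and the addresses are assumptions. The second user shows the LDAP case the narrator mentions: two-factor email is set on a user local entry of type ldap, not on the LDAP server object.

```text
# Added example (FortiOS CLI); not the video's own CLI output.
# Assumptions: SMTP relay smtp.example.com on 587 with a dedicated mailbox,
# users alice (local) and bob (LDAP-backed via an existing "corp-ldap"
# server object), and an SSL VPN group "sslvpn-users".

# System > Settings > "Use custom settings" from the video. Authenticated
# STARTTLS with certificate validation, so the token is not relayed in clear.
config system email-server
    set server "smtp.example.com"
    set port 587
    set security starttls
    set validate-server enable
    set authenticate enable
    set username "fortigate@example.com"
    set password "<smtp-password>"
    set reply-to "fortigate@example.com"
end

# Emailed tokens expire; keep the window short (seconds).
config system global
    set two-factor-email-expiry 60
end

# The two commands from the video, on a local user ...
config user local
    edit "alice"
        set type password
        set passwd "<password>"
        set two-factor email
        set email-to "alice@example.com"
    next
    # ... and on an LDAP-backed user: the same two lines, on a user local
    # entry of type ldap, not on the LDAP server object.
    edit "bob"
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor email
        set email-to "bob@example.com"
    next
end

config user group
    edit "sslvpn-users"
        set member "alice" "bob"
    next
end

# Bind the group to an SSL VPN portal; the token prompt is added
# automatically for users that have two-factor set.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
```

An emailed token only proves control of the mailbox, so the mailbox needs its own protection (its own MFA, no forwarding rules to outside addresses), and the relay account used by the FortiGate should be a dedicated one with no other privileges.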

Now, I am writing a test policy to create an SSL-VPN session. It’s time to test the email-based token.

Enter the firewall’s VPN settings in FortiClient, then the username and password of the user.

Ok, FortiGate sends the token to my email address. Let me check my mailbox.

I copied and pasted the received token, and then my VPN connection was established.

I hope this video was useful in securing your environment and improving your knowledge. Don’t forget to subscribe to my channel and like videos. Also, if you have any questions, you can ask in the comments.

Install and Config Cisco ASA on GNS3

Hello, today we will install GNS3 with you and then we will install CISCO ASA on it. I will also explain how we can connect to Cisco ASA with ASDM.

Let’s start.

First we go to google.com, then here we can download GNS3 for the Windows version from this link.

I downloaded the app beforehand so that the video would be shorter.

click on download GNS3 VM at the bottom.

Then click on download for the Microsoft Hyper-V version.

Yes, after downloading these files, we need to activate HYPER-V on our computer.

When we write HYPER-V, we will be able to activate it from the Add Windows Features section.

Select HYPER-V from below and make sure two are selected under It.

I say ok

I restart my computer.

Yes, friends, our computer has restarted.

Now I open HYPER-V, yes HYPER-V is installed on our computer, but no virtual machine is available at the moment.

There is one GNS3 HYPER-V file from the files I just downloaded. I’m extracting it to the folder.

Yes, now when we go into the folder, there is the install-VM.bat file, I open it with cmd.

But be careful, we need to open cmd as Admin.

I go to the folder where the file is located

I’m running install-VM.bat here now.

At this stage, I have to wait a bit because it imports the virtual machine to our Hyper-V environment.

Yes, friends, the GNS3 machine on our virtual environment has been prepared.

Now we run this machine from hyperv environment

Our machine is ready. By default the machine receives an IP from DHCP, but I will give it a static IP.

First I check what IP and gateway it got.

I press the shell. Now here we can see what our ip is with the ip address command.

as you can see the IP of our eth0 interface is 172.22.162.81

Now we see the default gateway with the netstat -rn command.

As you can see, the default gateway got 172.22.160.1 from DHCP.

Now, after typing exit twice, we can switch to GNS3’s own interface.

From here, we will first create a user password from the Security section.

Then we need to change the IP address from the network section.

After removing the #s, we must write our IP information.

We save the file with Ctrl+x, then press Y and press enter.

After pressing enter, the machine will restart and our new settings will be applied.

I’m pinging the machine’s IP by the way.

Yes, as you can see, we have ping access to 172.22.162.81.

We can also go to the web interface

Username GNS3 password GNS3 enter.

Here we can see the status of the system.

Now I will also install GNS3 application for convenience.

I just choose GNS3

Yes, GNS3 installation is finished, now I open the application.

I cancel the first screen; I will customize the preferences from the Edit menu.

I’m removing the Enable local server tick from the server section, because I will use the GNS3 VM and connect the application to it.

I choose HTTP, write the IP of the virtual machine, enter the port as 80, enter the username and password.

I close the app and open it again.

now I’m going to the web interface to create a project for testing purposes, let’s see if it comes here.

I create blank project , you can see our application is now connected to our virtual environment.

Here we can see the projects we created there.

we will now import the CISCO ASA Firewall.

You will be able to download the firmware file of CISCO ASA from the link in the description.

as you can see version is 9

I click on New template, Next,

I choose update from online registry and wait for the database to be updated.

Ok, now I type ASA in the search section and CISCO ASAV appears.

install

next

I choose /usr/bin from here, as you can see,

 Next

Yes, as you can see, I choose the following, then we will import the file we downloaded from SinaOnline here.

Now I am creating a new project

The project I just opened had the same name, so it gave an error.

I add CISCO ASAv from Devices section

Now I’m adding a Cloud here to connect ASA to my own computer.

I’m dragging

Now I connect the management interface of the firewall to the cloud.

I right click on the firewall and say configure. We need to choose console type as telnet.

If we do not choose telnet, we will have problems when we turn on the machine.

After waiting for a while, we click on the machine.

It is normal for the machine to reboot twice.

Of course, it will ask us for a password and I write the password.

Yes, first we went to enable mode, now we set the management interface IP to get it from DHCP.

If you want, you can give the ip yourself, but since we have DHCP on our cloud, I set it that way.

  config t
  interface management0/0
  ip address dhcp
  no shut
  nameif management      (the name was not shown in the video; “management” is the usual name for this interface)
  end

Now let’s see what the IP of our machine is:

  show interface ip brief

Yes, as you can see, our machine has taken a ip.

You need to follow the steps in the video to connect to our firewall from the web interface and download ASDM.
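The commands that make the ASA reachable by ASDM, added here as an example rather than a transcript of the video. The interface name, the local admin user, the lab subnet (172.22.160.0/22, inferred from the page's 172.22.162.81 address with gateway 172.22.160.1) and the ASDM image file name are assumptions.

```text
! Added example (Cisco ASA CLI); not a transcript of the video.
! Assumptions: lab subnet 172.22.160.0/22 (from the page's 172.22.162.81
! with gateway 172.22.160.1), a local admin user, and the ASDM image name.
configure terminal
interface Management0/0
 nameif management
 security-level 100
 ip address dhcp
 management-only
 no shutdown
! Local admin account; ASDM logs in against it.
username admin password <StrongPassword> privilege 15
aaa authentication http console LOCAL
! HTTPS/ASDM server, reachable only from the lab subnet on the management
! interface. Avoid "http 0.0.0.0 0.0.0.0 management", which opens it to everyone.
http server enable
http 172.22.160.0 255.255.252.0 management
! The ASDM image must be on flash; the file name is the one you downloaded.
asdm image disk0:/asdm-<version>.bin
end
write memory
! Verify what is exposed and who is connected.
show running-config http
show asdm sessions
```

The `http` line is the access control for ASDM, so it deserves the same care as a firewall rule: one subnet (or one host) on the management interface, with `management-only` keeping that interface out of the data path.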

I enter the ASA interface management ip address , click the Install ASDM launcher and install the ASDM application.

I enter the enable password I created at the beginning

Okey

Next

install

finish

We will find the path of the Cisco ASDM application

We right click on the application shortcut and delete the Target field completely. Instead, we write this path; note the space inside it, which is easy to miss.

apply

ok now i am running the app

I am typing the IP address of our firewall

Yes, we are connected to our firewall with ASDM

Now you can configure and manage your firewall by using ASDM.

If you want more of these videos, you can support our channel by subscribing. I hope this video was useful for you. Don’t forget to like and comment on the video.

Thanks for watching.

How to Configure VXLAN on Fortigate

Hello everyone, in this video I will show how you can extend VLANs over IP. In FortiGate you can do this by using VXLAN.


You can see my topology in this picture. I have two firewalls that connect to each other. This connection can be through a layer 2 switch, layer 3 routers, or IPsec tunnels; it does not matter which connection type you are using, because with VXLAN your Ethernet frames are encapsulated in IP packets, sent to the other side, and decapsulated there.

I have 2 trunk ports (port number 2 on both firewalls) that connect to layer 2 switches and carry VLAN 3500 and 3600 traffic.

You can see the IP addresses in this picture: I use 10.10.10.141 and 10.10.10.142 to manage the firewalls, and our vxlan tunnel will also come up over these IPs.

Ok, let’s start the configuration.

Start the configuration on 10.10.10.141. First we have to create the vxlan interface; this cannot be done from the GUI, so open the console.

Write these commands:

  config system vxlan
      edit vxlan3500            (you can use any name for your interface)
          set vni 3500          (tells this tunnel which VLAN it carries)
          set interface port1   (initiate my vxlan tunnel from this interface; it can be physical or an IPsec tunnel)
          set remote-ip 10.10.10.142   (the tunnel destination IP address, in other words the other end of our vxlan tunnel)
      next
  end

Ok, end.

As you can see, on the interfaces page under port1 there is a vxlan3500 interface, and its type is vxlan.

Let’s create VLAN on port2 to carry our VLAN 3500 traffic to the layer 2 switch as I have already shown on the topology

Give the name, set the interface, enter 3500 as VLAN id, and click ok

As you can see I have a VLAN interface and a vxlan interface, and both of them are set to VLAN 3500. Now I need to create a software switch and assign these interfaces to it.

Select software switch.

Give it a name.

Select VLAN and vxlan as member

Give an IP to this interface, you can skip that but at this time I give an IP address to test my vxlan configuration

Ok, the software switch on this firewall has been created and it has an IP address. Now I have to configure the other firewall.

Create vxlan on this firewall

Edit vxlan 3500 ,

Huummm, what is the problem? oh I put the space in the name

Names can be different on the two firewalls, but I use the same name on both ends.

Set vni

Set interface

Then set the remote IP that points to the other end of my tunnel; it is the reverse of the first firewall.

Ok, vxlan interface created,

Now create a VLAN on port 2

Set the VLAN id

That is ok,

Same as the earlier configuration I create a software switch and assign IP address to it

The name can be different, but I use the same name on both ends

Set the members

Give the IP address,

As you can see in this topology, this side’s IP address is 192.192.35.142.

Ok,

As you can see software switch created,

Now I am going to test my vxlan tunnel.

Execute ping 192.192.35.141; as you can see, this IP is located on the other side of our tunnel.

Ok, our tunnel configuration is correct and we can ping IP from VLAN 3500 from another side of our tunnel.

With this diagnostic command, you can see the MAC addresses that have been learned from the other end of the tunnel for a specific vxlan interface:

diagnose sys vxlan fdb list vxlan3500

As you can see this mac address is our port2 interface on another end of the tunnel

I copy this command to execute on another firewall to see the result

Now create another vxlan interface to carry VLAN 3600 traffic

Set vni 3600

Configuration is the same as vxlan 3500 but vni is different,

Vxlan 3600 created,

Now create a VLAN 3600 interface on port 2

Set VLAN id to 3600

Ok

Again create another software switch and assign vxlan 3600 and VLAN 3600 interface as a member to it

Give a name

Select members,

Give an IP address,

As you can see in the topology this VLAN subnet is 192.192.36

Ok

Software switch created

As you can see, without configuring vxlan on both firewalls I cannot ping the VLAN 3600 IP address.

Create vxlan 3600 on this firewall

Set vni

Set remote IP to another side of the tunnel

End

Try to ping,

It failed because I have not yet created a software switch and assigned the vxlan and VLAN interfaces as members.

Create VLAN 3600

set VLAN id

ok

now create a software switch

assign vxlan and VLAN 3600 to it

give an IP address based on our topology

ok I have 2 software switches now and vxlan and VLAN interfaces assigned to them

now test IP address from VLAN 3600

that is it

also, you can see the mac addresses learned on this VLAN from another end of the tunnel

By using this method you can extend your layer 2 networks between different locations over WAN links; what you use it for is up to you.

For each VLAN you have to create a separate vxlan interface and software switch.
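The whole configuration from this video for both VLANs on one firewall, collected into one FortiOS CLI listing as an added example (not the video's own output). The management addresses 10.10.10.141/142 and the test addresses are the page's; the VLAN subnets are assumed to be /24, and the vxlan, VLAN and switch names follow the video.

```text
# Added example (FortiOS CLI); not the video's own CLI output.
# Firewall A = 10.10.10.141, firewall B = 10.10.10.142 (the page's addresses);
# the VLAN subnets 192.192.35.0/24 and 192.192.36.0/24 are assumed.
# The vxlan/vlan/switch names follow the video.

# Firewall A: one vxlan interface per VLAN, both over port1 to firewall B.
config system vxlan
    edit "vxlan3500"
        set interface "port1"
        set vni 3500
        set remote-ip "10.10.10.142"
    next
    edit "vxlan3600"
        set interface "port1"
        set vni 3600
        set remote-ip "10.10.10.142"
    next
end

# VLAN sub-interfaces on the trunk port towards the layer 2 switch.
config system interface
    edit "vlan3500"
        set vdom "root"
        set interface "port2"
        set vlanid 3500
    next
    edit "vlan3600"
        set vdom "root"
        set interface "port2"
        set vlanid 3600
    next
end

# One software switch per VLAN, bridging the VLAN and its vxlan interface.
config system switch-interface
    edit "sw3500"
        set vdom "root"
        set member "vlan3500" "vxlan3500"
    next
    edit "sw3600"
        set vdom "root"
        set member "vlan3600" "vxlan3600"
    next
end

# Optional test addresses on the switches (what the video pings).
config system interface
    edit "sw3500"
        set ip 192.192.35.141 255.255.255.0
        set allowaccess ping
    next
    edit "sw3600"
        set ip 192.192.36.141 255.255.255.0
        set allowaccess ping
    next
end

# Firewall B: identical, except remote-ip "10.10.10.141" in both vxlan
# entries and 192.192.35.142 / 192.192.36.142 on the switches.

# Verify from firewall A: reachability, then the MACs learned over the tunnel.
execute ping 192.192.35.142
execute ping 192.192.36.142
diagnose sys vxlan fdb list vxlan3500
diagnose sys vxlan fdb list vxlan3600
```

VXLAN carries the frames in plain UDP (port 4789 by default) with no confidentiality or integrity protection, and it extends the broadcast domain, so every host on one site's VLAN now reaches the other site's at layer 2. Across anything other than a trusted link, point `set interface` at an IPsec tunnel interface, as the narrator mentions is possible, and make sure UDP 4789 is permitted between the two endpoints on whatever path is in between.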

I hope you enjoy this video, if you have any questions you can ask them in the comments, don’t forget to subscribe to my channel and watch other videos, have a good day.