Archives May 2023

FortiGate Traffic Shaping Configuration

Traffic shaping is a method of optimizing network traffic by prioritizing different types of traffic according to their importance. FortiGate firewall offers a traffic shaping feature that can be used to prioritize traffic, limit bandwidth usage, and control network congestion. In this blog post, we’ll discuss how to configure traffic shaping on FortiGate firewall.

Fortigate Traffic Shaping

1. Log in to the FortiGate Web Interface:

  • Open a web browser and enter the IP address of your FortiGate firewall.
  • Log in with the appropriate credentials.

2. Define Traffic Shaping Policy:

  • Navigate to the “Policy & Objects” tab.
  • Click on “Traffic Shaper” to access the Traffic Shaping policies.

3. Create a New Traffic Shaping Policy:

  • Click the “+ Create New” button to create a new policy.
  • Give your policy a name and optionally add a comment for reference.

4. Set Traffic Shaping Parameters:

  • In the “Guaranteed Bandwidth” section, specify the minimum guaranteed bandwidth (in Kbps or Mbps) for the traffic you want to shape. This is the minimum speed that will be allocated to the traffic matching this policy.
  • In the “Maximum Bandwidth” section, set the maximum bandwidth (in Kbps or Mbps) that the traffic can use.
  • You can also configure a burst rate and burst time if needed. Burst rate allows traffic to exceed the defined limits for a short period if there’s available bandwidth.

5. Define Traffic Matching Criteria:

  • In the “Matching Criteria” section, specify the criteria for matching traffic to this policy. You can configure this based on source and destination IP addresses, ports, services, etc.
  • Click the “+” icon to add multiple conditions if necessary.

6. Enable the Policy:

  • In the “Actions” section, set the action to “Apply Shaper” to enable traffic shaping for the matched traffic.
  • Click “OK” to save the policy.

7. Apply Traffic Shaping Policy to Firewall Policy:

  • After creating the traffic shaping policy, you need to apply it to a firewall policy.
  • Go to the “Policy & Objects” tab and click on “Firewall Policy.”
  • Edit an existing policy or create a new one, and in the “Traffic Shaping” section, select the traffic shaping policy you created earlier from the dropdown menu.

8. Monitor Traffic Shaping:

  • You can monitor the traffic shaping policies in action by going to the “Monitor” tab and selecting “Traffic Shaping Monitor.” Here, you can see statistics and real-time information on the traffic matching your policies.

9. Test and Fine-Tune:

  • After configuring traffic shaping, it’s essential to monitor network performance and adjust policies as needed to ensure your network operates efficiently and as intended.

10. Save and Apply Changes:

  • Don’t forget to save your changes and apply the configuration for it to take effect.

Remember that traffic shaping should be used judiciously, as improper configuration can negatively impact network performance. It’s essential to understand your network’s traffic patterns and prioritize traffic accordingly to achieve your desired outcomes with traffic shaping on a FortiGate firewall.

Fortigate Captive Portal Configuration

A captive portal is a web page that is presented to users when they attempt to connect to a network. Captive portals are commonly used in public Wi-Fi hotspots, hotels, and other places where the network owner wants to control the access to the network. FortiGate firewall offers a captive portal feature that can be used to authenticate users and control network access. In this blog post, we’ll discuss how to configure captive portal on FortiGate firewall.

Fortigate Captive Portal Configuration

1. Log in to the FortiGate Web Interface:

  • Open a web browser and enter the IP address of your FortiGate device.
  • Log in using your administrative credentials.

2. Configure Network Interfaces:

  • Ensure that you have configured your network interfaces correctly. You should have at least two interfaces: one for the unauthenticated guest network and another for the trusted network.

3. Create a User Group:

  • Before setting up the captive portal, create a user group that will contain the users allowed to access the network through the captive portal.
    • Go to “User & Device” > “User Groups” and click “Create New.”
    • Define the group’s name and add users to it if needed.

4. Create a Security Policy:

  • You need to create a security policy to control traffic between the unauthenticated network and the trusted network.
    • Go to “Policy & Objects” > “IPv4 Policy” and click “Create New.”
    • Configure the source interface, source address (unauthenticated network), destination interface, and destination address (trusted network).
    • Set the “Action” to “Captive Portal.”

5. Configure Captive Portal:

  • Now, you need to set up the captive portal itself.
    • Go to “Security Fabric” > “Captive Portal” and click “Create New.”
    • Enter a name for the captive portal.

6. Configure Authentication Settings:

  • Under the “Authentication” tab:
    • Select the user group you created earlier.
    • Choose the authentication method (usually, you’d use “Local Database” for basic username and password authentication).
    • Set the authentication timeout.
    • Customize the authentication message if desired.

7. Configure Authentication Portal Settings:

  • Under the “Authentication Portal” tab:
    • Define the portal message and login message.
    • Customize the look and feel of the portal page, including logos and background images.

8. Configure Redirect Settings:

  • Under the “Redirect” tab:
    • Specify the redirection type. Typically, you’d use “External Web Page” to direct users to a terms and conditions page or login page hosted externally.

9. Create a Firewall Policy for Redirect:

  • Create a firewall policy to redirect traffic to the captive portal.
    • Go to “Policy & Objects” > “IPv4 Policy” and click “Create New.”
    • Set the source and destination interfaces and addresses.
    • Set the action to “SSL-VPN” and choose the captive portal you created earlier as the SSL-VPN portal.

10. Configure DNS and Web Filtering: – You may want to configure DNS and web filtering policies to control access for authenticated users.

11. Test the Captive Portal: – To test the captive portal, connect a device to the unauthenticated network and attempt to access the internet. You should be redirected to the captive portal login page.

12. Monitor and Troubleshoot: – Continuously monitor the captive portal for user activity and any issues that may arise. Check logs and statistics for troubleshooting.

Remember that this is a high-level overview of the FortiGate captive portal configuration process. Depending on your specific requirements and network setup, there may be additional configuration options and steps needed to meet your needs. Always refer to the FortiGate documentation and consult with Fortinet support if you encounter any difficulties or require advanced features.

FortiGate IPsec VPN Site to Site Configuration

FortiGate IPsec VPN Site to Site provides a secure and reliable connection between two networks located in different locations. This is a crucial feature for businesses with remote offices and a requirement for remote workers. In this blog post, we’ll discuss how to configure FortiGate IPsec VPN Site to Site and provide training on its usage.

Prerequisites:

  • Two FortiGate devices (FortiGate A and FortiGate B) with administrative access.
  • A dedicated public IP address for each FortiGate device.
  • Proper network routing configured on both FortiGate devices.

Step 1: Log in to the FortiGate Web Interface

  1. Open a web browser and enter the IP address of FortiGate A in the address bar.
  2. Log in with administrative credentials.

Step 2: Create Phase 1 Configuration on FortiGate A: Phase 1 sets up the initial connection between the two VPN peers.

  1. Go to “VPN” > “IPsec Wizard” on FortiGate A.
  2. Select “Custom” for the VPN Template.
  3. Configure the following Phase 1 settings:
    • Name: Give the VPN connection a name.
    • Remote Gateway: Enter the public IP address of FortiGate B.
    • Authentication Method: Pre-shared Key (PSK).
    • Pre-shared Key: Enter a strong, secret key.
    • Local Interface: Select the local interface connected to the internet.
    • Mode: Main Mode.
    • IKE Version: IKEv2 or IKEv1, depending on your requirements.
    • Phase 1 Proposal: Define encryption and authentication algorithms.
  4. Click “Next” to save the Phase 1 settings.

Step 3: Create Phase 2 Configuration on FortiGate A: Phase 2 defines the parameters for the actual data encryption.

  1. After saving Phase 1 settings, click “Next” to configure Phase 2.
  2. Configure the following Phase 2 settings:
    • Phase 2 Name: Give it a name.
    • Local Subnet: Enter the local network subnet behind FortiGate A.
    • Remote Subnet: Enter the remote network subnet behind FortiGate B.
    • P2 Proposal: Define encryption and authentication algorithms.
  3. Click “Next” to save the Phase 2 settings.

Step 4: Create Phase 1 and Phase 2 Configuration on FortiGate B: Repeat Steps 2 and 3 on FortiGate B with the corresponding settings, but make sure to reverse the “Remote Gateway” and the “Local Subnet” and “Remote Subnet” settings.

Step 5: Establish the Connection:

  1. After configuring both FortiGate devices, return to FortiGate A.
  2. Go to “VPN” > “IPsec Tunnels” and click the “Create New” button.
  3. Select the Phase 1 and Phase 2 configurations you created for FortiGate B.
  4. Click “OK” to create the VPN tunnel.
  5. Repeat the same steps on FortiGate B, using the Phase 1 and Phase 2 configurations for FortiGate A.

Step 6: Monitor and Troubleshoot:

  1. You can monitor the VPN connection status under “VPN” > “Monitor” > “IPsec Monitor.”
  2. If there are any issues, check the logs and firewall policies for any blocking rules.

That’s it! You should now have a functioning FortiGate IPsec VPN site-to-site connection between the two locations. Ensure that your firewall policies allow traffic to flow over the VPN tunnel, and test the connectivity between the remote networks.

FortiGate Remote Access IPSec VPN Configuration

In today’s digital era, remote access is becoming a fundamental requirement for businesses to ensure continuous productivity. But with remote access comes the risk of cyber threats, making VPN security a top priority.


1. Access the FortiGate Web Interface:
Connect to your FortiGate firewall’s web interface using a web browser. Enter the IP address of the FortiGate in the address bar and log in with administrator credentials.
2. Create a VPN User Group:
Navigate to “User & Device” > “User Groups.”
Click on “Create New.”
Name the group (e.g., “VPN_Users”).
Add the remote users who will be connecting to this group.
3. Configure the VPN Tunnel:
Navigate to “VPN” > “IPsec Wizard.”
Select “Custom” and click “Next.”
Enter a name for the VPN tunnel.
Select “Remote Access” as the type of VPN.
Choose “Pre-shared Key” for authentication.
Create a Pre-shared Key (PSK) and make note of it. This will be used by remote clients to authenticate.
Select the appropriate interface for the VPN (usually the WAN interface).
Configure the Local Interface and Local IP Address settings.
Under Authentication/Phase 1, select the appropriate encryption and authentication settings.
Under Authentication/Phase 2, select the appropriate encryption and authentication settings.
Click “Next” and review your settings.
Click “Finish” to create the VPN tunnel.
4. Configure the Firewall Policies:
Navigate to “Policy & Objects” > “IPv4 Policy.”
Create a new policy for traffic from the VPN to the internal network.Set the source interface to the VPN interface.
Set the destination interface to the internal network.
Specify the appropriate source and destination addresses and services.
Allow the traffic.
5. Configure DNS Settings (optional):
If you want remote users to resolve internal hostnames, configure DNS settings for the VPN users. Navigate to “Network” > “DNS.”
Add internal DNS servers to the list and enable DNS settings for the VPN tunnel.
6. Configure NAT (optional):
If your internal network uses NAT, configure NAT settings for the VPN users. Navigate to “Policy & Objects” > “NAT.”
Create a new NAT policy to translate VPN user traffic to the internal network.
7. Configure User Authentication:
Navigate to “System” > “Administrators” and create a user account for remote authentication.
Ensure the user has permissions to connect via VPN.
8. Configure VPN Client:
On the remote client side, configure the VPN client software (e.g., FortiClient) with the FortiGate’s public IP address and the Pre-shared Key you created earlier.
9. Test the Connection:
Connect the remote client to the FortiGate using the configured VPN settings.
Verify that the connection is established successfully.
These are the basic steps for configuring a FortiGate Remote Access IPSec VPN. Depending on your specific network requirements and security policies, you may need to make additional configurations or adjustments. Always refer to the FortiGate documentation for the most up-to-date and specific instructions for your device.

Fortigate Multiple Interface Policy

“Welcome to my channel! In this video, I will describe how to configure firewall policies with multiple source and destination interfaces in FortiGate. We’ll be looking at how to allow traffic between multiple interfaces on your FortiGate firewall, which is particularly useful when you have different subnets that you want to control traffic between or when you have multiple VLANs that need to communicate with each other. By the end of this video, you’ll have a better understanding of how to configure these policies in FortiGate and how they can help secure your network.

  1. Network Interfaces:
    • In a FortiGate device, you typically have multiple network interfaces, each connected to a different network segment or zone. These interfaces can be physical (Ethernet ports) or virtual (VLANs, subinterfaces, loopback interfaces, etc.).
  2. Traffic Flow:
    • Traffic flows between these interfaces as data packets are transmitted through the FortiGate device. Each interface represents a different security zone, and traffic between these zones must be controlled and inspected for security purposes.
  3. Security Policies:
    • FortiGate uses security policies to determine how traffic is treated as it passes between these interfaces. Security policies are rules that define the permitted actions for specific types of traffic. They include criteria like source and destination IP addresses, ports, protocols, and more.
  4. Multiple Interface Policy:
    • The “Multiple Interface Policy” feature in FortiGate allows you to create a single security policy that applies to traffic flowing between multiple interfaces or zones. This is especially useful when you want to define a consistent policy for a specific category of traffic across multiple interfaces.
  5. Use Cases:
    • There are several use cases for Multiple Interface Policies:
      • DMZ Configuration: If you have a DMZ zone with multiple servers that need different levels of access, you can create a single policy to control traffic from different internal zones to the DMZ.
      • Guest Network Isolation: You can use this feature to control traffic from the guest network to multiple internal networks with a single policy.
      • VPN Traffic: When you have multiple VPN tunnels terminating on different interfaces, you can create a policy that applies to traffic from all those tunnels.
  6. Policy Configuration:
    • When configuring a Multiple Interface Policy, you define the policy’s source and destination interfaces (security zones), specify the criteria for matching traffic (source/destination addresses, services, users, etc.), and define the action to take (allow, deny, NAT, etc.).
  7. Policy Order:
    • Policy order is important. FortiGate processes policies from top to bottom, and the first matching policy is applied. So, you should order your Multiple Interface Policies appropriately to ensure that more specific policies are evaluated before broader ones.
  8. Logging and Monitoring:
    • FortiGate provides extensive logging and monitoring capabilities, allowing you to track traffic as it traverses the different interfaces and the policies applied to it.
  9. Traffic Inspection:
    • Depending on your policy settings, FortiGate can perform various security functions like antivirus scanning, intrusion detection and prevention, content filtering, and more on the traffic as it flows between interfaces.

In summary, FortiGate Multiple Interface Policies are a crucial part of network security configuration. They enable you to manage and secure traffic between multiple network interfaces by defining specific security policies that dictate how traffic should be handled. This feature is particularly useful in complex network environments with diverse security requirements.