# Fortinet Fortigate FW

## Overview

This document is designed to assist with integrating a FortiGate Next Generation Firewall (NGFW) in High Availability (HA) so that traffic can be received from the Nile Service Block (NSB) or sent into the NSB. The purpose of this guide is to help with a seamless integration between the Nile Access Service and the customer's extended network (e.g., upstream internet gateway, datacenter).

## Prerequisites

- FortiGate version 7.2.2 or higher is required.
- Five unique /30 subnets. As we are designing a high-definition and always-on service, we will be using Equal-Cost Multi-Path (ECMP) to create 4 point-to-point links that act as an L3 transit between the NSB and the edge. The fifth /30 network will be used to host a Dynamic Host Configuration Protocol (DHCP) server. Alternatively, the customer can use their own managed DHCP server.

## Integration

There are a few sections that need to be created on the FortiGate, including:

- Interfaces
  - Wide Area Network (WAN) interface
  - Nile Service Block (NSB) interfaces
- Routing
  - Static (WAN)
  - OSPF (NSB)
- Firewall rules
- DHCP setup

### 1. Interfaces

To set up interfaces, navigate to Network → Interfaces → [WAN interface]. Within the selected WAN port, fill in the following information:

- Name: ISP
- Alias: details of the ISP
- VRF ID: Default (0)
- Role: WAN
- Addressing mode: Manual
- IP/Netmask: IP address/netmask of the WAN interface (our example used 172.16.13.2/30)
- Administrative Access: allow the required IPv4 services
- Status: Enabled

Click the "Save" button when done.

#### Nile gateway interfaces

Expand on Network → Interfaces → Create New → Interface:

- Name: nsb switch
- Type: Software Switch
- VRF ID: Default (0)
- Interface Members: select 2 available ports (in the image, 4 ports are selected, but 2 will be enough)
- Role: LAN
- Addressing mode: Manual
- IP/Netmask: IP address of the interface (our example used 192.168.120.18/30, which is also used as the DHCP server address)
- Secondary IP Address: Enable (radio button turned on), then Create New for each of the four transit links:
  - IP/Netmask: example used 192.168.120.1/30
  - IP/Netmask: example used 192.168.120.5/30
  - IP/Netmask: example used 192.168.120.9/30
  - IP/Netmask: example used 192.168.120.13/30
- Administrative Access: allow the required IPv4 services (PING should be enabled)
- Receive LLDP: Enable
- Transmit LLDP: Enable
- Status: Enabled

Click the "Save" button when done.

### 2. Routing

Customers need to use static routing to add the default route towards the WAN interfaces, but on the LAN it is recommended to use OSPF whenever possible. If there are certain limitations where OSPF cannot be used on the FortiGate, then create static routing on the LAN as well.

#### OSPF (LAN)

1. Expand on Network → OSPF and fill in the following:

- Router ID: Fortinet's best practice is to not use the existing IP of the interface. As the Area ID is defined as 0.0.0.0, we are using the Router ID 0.0.0.1 in this example.
- Areas: Create New (Area ID: 0.0.0.0 | Type: Regular | Authentication: None)
- Networks: Create New (Area: 0.0.0.0 | IP/Netmask: 0.0.0.0/0.0.0.0)
- Interfaces: Create New (Name: nsb | Interface: nsb switch | Cost: 0 | Authentication: None | Timers: Hello 1, Dead 4)
- Inject Default Route: Always

#### Static routing (WAN)

1. Expand on Network → Static Routes → Create New:

- Destination: Subnet (0.0.0.0/0)
- Gateway Address: enter the gateway IP provided by the ISP
- Interface: select the WAN interface connected to the provider circuit
- Administrative Distance: 5 (the lower the AD, the higher the priority)
- Status: Enabled

Then click on "OK" to save the changes.

2. Repeat the same steps to set up a default static route for WAN2. If WAN1 is desired as the primary link, set the AD to 10 while setting up the default route for WAN2. Then click on "OK" to save the changes.

### 3. FortiGate firewall rules

FortiGate has an implicit rule that denies all traffic. To ensure the NSB subnet and the sensor subnet are able to access the internet, a rule needs to be created. The following example policy will allow any traffic coming from the nsb switch interfaces to the internet. The example rule is intended to be used as a reference and should be modified to fit the customer's needs. In case the customer wants to allow communication from host A to host B within the NSB, they will need to create firewall rules that allow that traffic to hairpin and re-enter the NSB.

#### Outgoing to internet

Navigate to Policy & Objects >> Firewall Policy >> Create New:

a. Name: provide a name for the rule
b. Incoming Interface: select "nsb switch"
c. Outgoing Interface: wan1
d. Source: create a source address with either a summarized subnet of all the subnets managed by the NSB, or provide an IP range, or select "all"
e. Destination: all
f. Schedule: always
g. Service: specify any specific service (e.g., HTTP/HTTPS) to be allowed, or allow ALL
h. Action: ACCEPT
i. Inspection Mode: Flow-based
j. Firewall/Network Options: enable NAT; use Outgoing Interface Address for the IP pool configuration

Note: NAT may need to be disabled while creating the firewall policy for some firewall rules, to allow access to certain protocols (e.g., DHCP, DNS, RADIUS, NTP).

### 4. DHCP server

To define a DHCP scope for multiple IP pools in FortiGate, access to the CLI is required. Below is an example of how to set up L3 DHCP on FortiGate:

```
config system dhcp server
    edit 10
        set lease-time 86400
        set ntp-service default
        set default-gateway 192.168.127.1
        set netmask 255.255.255.0
        set interface "nsb switch"
        config ip-range
            edit 1
                set start-ip 192.168.127.10
                set end-ip 192.168.127.250
            next
        end
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
    next
    edit 11
        set lease-time 86400
        set ntp-service default
        set default-gateway 192.168.128.1
        set netmask 255.255.255.0
        set interface "nsb switch"
        config ip-range
            edit 1
                set start-ip 192.168.128.10
                set end-ip 192.168.128.250
            next
        end
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
    next
    edit 12
        set lease-time 86400
        set ntp-service default
        set default-gateway 192.168.129.1
        set netmask 255.255.255.0
        set interface "nsb switch"
        config ip-range
            edit 1
                set start-ip 192.168.129.10
                set end-ip 192.168.129.250
            next
        end
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
    next
end
```
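The GUI steps in sections 1 to 3 can also be applied from the CLI, which is easier to review, diff and keep under version control than screenshots. The block below is an added example and is not part of the Nile guide or a Fortinet reference. It assumes that port3 and port4 are the two free ports joined into the software switch, that the ISP ports are named wan1 and wan2, that 172.16.13.1 and 203.0.113.1 are constructed ISP gateway addresses, and that the address objects NSB-TRANSIT and NSB-CLIENTS are placeholders to be replaced with the customer's real NSB prefixes. All other values mirror the examples used in the guide.

```fortios
# Added example: FortiOS CLI form of sections 1-3 of the guide (not Nile's or
# Fortinet's own configuration). Assumed values: port3/port4 as switch members,
# wan1/wan2 as ISP ports, 172.16.13.1 and 203.0.113.1 as constructed gateways,
# NSB-TRANSIT and NSB-CLIENTS as placeholder address objects.

# --- 1. Interfaces: "nsb switch" software switch with the four /30 transit IPs ---
config system switch-interface
    edit "nsb switch"
        # two member ports are enough for the NSB uplinks
        set member "port3" "port4"
    next
end
config system interface
    edit "nsb switch"
        set role lan
        # primary address, also used as the DHCP server address
        set ip 192.168.120.18 255.255.255.252
        # ping only: no management services exposed towards the NSB
        set allowaccess ping
        set lldp-reception enable
        set lldp-transmission enable
        set secondary-IP enable
        # the four ECMP point-to-point links towards the NSB
        config secondaryip
            edit 1
                set ip 192.168.120.1 255.255.255.252
            next
            edit 2
                set ip 192.168.120.5 255.255.255.252
            next
            edit 3
                set ip 192.168.120.9 255.255.255.252
            next
            edit 4
                set ip 192.168.120.13 255.255.255.252
            next
        end
    next
end

# --- 2. Routing: static defaults on WAN (wan1 preferred), OSPF towards the NSB ---
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.16.13.1
        set device "wan1"
        set distance 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan2"
        set distance 10
    next
end
config router ospf
    # deliberately not an interface address, per the guide
    set router-id 0.0.0.1
    set default-information-originate always
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 0.0.0.0 0.0.0.0
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "nsb"
            set interface "nsb switch"
            set cost 0
            set authentication none
            set hello-interval 1
            set dead-interval 4
        next
    end
end

# --- 3. Firewall policy: NSB to internet, scoped to NSB prefixes rather than "all" ---
config firewall address
    edit "NSB-TRANSIT"
        # 192.168.120.0/27 covers the five /30s configured above
        set subnet 192.168.120.0 255.255.255.224
    next
    edit "NSB-CLIENTS"
        # one range covering the three DHCP scopes from section 4
        set type iprange
        set start-ip 192.168.127.1
        set end-ip 192.168.129.254
    next
end
config firewall policy
    edit 1
        set name "NSB-to-Internet"
        set srcintf "nsb switch"
        set dstintf "wan1"
        set srcaddr "NSB-TRANSIT" "NSB-CLIENTS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set logtraffic all
        set nat enable
    next
end
```

Two choices in the policy are worth calling out. The source is limited to the NSB transit and client prefixes instead of "all", so a host on another LAN segment cannot ride this rule out to the internet through the nsb switch; and `set logtraffic all` keeps a session log for every match, which is what the security operations team will need when investigating an incident behind the NSB. Leaving `ippool` at its default (disabled) with NAT enabled corresponds to the guide's "use outgoing interface address" option.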