Configuring the FortiGate unit includes:
• Configure the external interface
• Add VLAN subinterfaces
• Add the firewall addresses
• Add the security policies

Configure the external interface

The FortiGate unit’s external interface will provide access to the Internet for all internal networks, including the two VLANs.

To configure the external interface - web-based manager
1. Go to System > Network > Interface.
2. Select Edit for the external interface.
3. Enter the following information and select OK:
    Addressing mode: Manual
    IP/Network Mask: 172.16.21.2/255.255.255.0

To configure the external interface - CLI
    config system interface
        edit external
            set mode static
            set ip 172.16.21.2 255.255.255.0
    end

Add VLAN subinterfaces

This step creates the VLANs on the FortiGate unit internal physical interface. The IP address of the internal interface does not matter to us, as long as it does not overlap with the subnets of the VLAN subinterfaces we are configuring on it.

The rest of this example shows how to configure the VLAN behavior on the FortiGate unit, configure the switches to direct VLAN traffic the same as the FortiGate unit, and test that the configuration is correct.

Adding VLAN subinterfaces can be completed through the web-based manager, or the CLI.

To add VLAN subinterfaces - web-based manager
1. Go to System > Network > Interface.
2. Select Create New.
3. Enter the following information and select OK:
    Name: VLAN_100
    Interface: internal
    VLAN ID: 100
    Addressing mode: Manual
    IP/Network Mask: 10.1.1.1/255.255.255.0
    Administrative Access: HTTPS, PING, TELNET
4. Select Create New.
5. Enter the following information and select OK:
    Name: VLAN_200
    Interface: internal
    VLAN ID: 200
    Addressing mode: Manual
    IP/Network Mask: 10.1.2.1/255.255.255.0
    Administrative Access: HTTPS, PING, TELNET

To add VLAN subinterfaces - CLI
    config system interface
        edit VLAN_100
            set vdom root
            set interface internal
            set type vlan
            set vlanid 100
            set mode static
            set ip 10.1.1.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit VLAN_200
            set vdom root
            set interface internal
            set type vlan
            set vlanid 200
            set mode static
            set ip 10.1.2.1 255.255.255.0
            set allowaccess https ping telnet
    end

Add the firewall addresses

You need to define the addresses of the VLAN subnets for use in security policies. The FortiGate unit provides one default address, “all”, that you can use when a security policy applies to all addresses as a source or destination of a packet. However, using “all” is less secure and should be avoided when possible.

In this example, the “_Net” part of the address name indicates a range of addresses instead of a unique address. When choosing firewall address names, use informative and unique names.

To add the firewall addresses - web-based manager
3. Enter the following information and select OK:
    Name: VLAN_100_Net
    Type: Subnet
    Subnet / IP Range: 10.1.1.0/255.255.255.0
4. Select Create New.
5. Enter the following information and select OK:
    Name: VLAN_200_Net
    Type: Subnet
    Subnet / IP Range: 10.1.2.0/255.255.255.0

To add the firewall addresses - CLI
    config firewall address
        edit VLAN_100_Net
            set type ipmask
            set subnet 10.1.1.0 255.255.255.0
        next
        edit VLAN_200_Net
            set type ipmask
            set subnet 10.1.2.0 255.255.255.0
    end

VLANs Page 167 Install and System Administration for FortiOS 5.0

Add the security policies

Once you have assigned addresses to the VLANs, you need to configure security policies for them to allow valid packets to pass from one VLAN to another and to the Internet.

You can customize the Security Policy display by including some or all columns, and customize the column order onscreen. Due to this feature, security policy screenshots may not appear the same as on your screen.

If you do not want to allow all services on a VLAN, you can create a security policy for each service you want to allow. This example allows all services.

To add the security policies - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and the Policy Subtype as Address.
3. Enter the following information and select OK:
    Incoming Interface: VLAN_100
    Source Address: VLAN_100_Net
    Outgoing Interface: VLAN_200
    Destination Address: VLAN_200_Net
    Schedule: Always
    Service: ALL
    Action: ACCEPT
    Enable NAT: Enable
4. Select Create New.
5. Leave the Policy Type as Firewall and the Policy Subtype as Address.
6. Enter the following information and select OK:
    Incoming Interface: VLAN_200
    Source Address: VLAN_200_Net
    Outgoing Interface: VLAN_100
    Destination Address: VLAN_100_Net
    Schedule: Always
    Service: ALL
    Action: ACCEPT
    Enable NAT: Enable
7. Select Create New.
8. Leave the Policy Type as Firewall and the Policy Subtype as Address.
9. Enter the following information and select OK:
    Incoming Interface: VLAN_100
    Source Address: VLAN_100_Net
    Outgoing Interface: external
    Destination Address: all
    Schedule: Always
    Service: ALL
    Action: ACCEPT
    Enable NAT: Enable
10. Select Create New.
11. Leave the Policy Type as Firewall and the Policy Subtype as Address.
12. Enter the following information and select OK:
    Incoming Interface: VLAN_200
    Source Address: VLAN_200_Net
    Outgoing Interface: external
    Destination Address: all
    Schedule: Always
    Service: ALL
    Action: ACCEPT
    Enable NAT: Enable

To add the security policies - CLI
    config firewall policy
        edit 1
            set srcintf VLAN_100
            set srcaddr VLAN_100_Net
            set dstintf VLAN_200
            set dstaddr VLAN_200_Net
            set schedule always
            set service ALL
            set action accept
            set nat enable
            set status enable
        next
        edit 2
            set srcintf VLAN_200
            set srcaddr VLAN_200_Net
            set dstintf VLAN_100
            set dstaddr VLAN_100_Net
            set schedule always
            set service ALL
            set action accept
            set nat enable
            set status enable
        next
        edit 3
            set srcintf VLAN_100
            set srcaddr VLAN_100_Net
            set dstintf external
            set dstaddr all
            set schedule always
            set service ALL
            set action accept
            set nat enable
            set status enable
        next
        edit 4
            set srcintf VLAN_200
            set srcaddr VLAN_200_Net
            set dstintf external
            set dstaddr all
            set schedule always
            set service ALL
            set action accept
            set nat enable
            set status enable
    end
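As an added example that is not part of the FortiOS guide, the following Python script parses a FortiOS-style CLI configuration built from the values in this section and audits it for the points the section raises: an internal interface subnet that overlaps a VLAN subinterface, policies that reference undefined addresses or interfaces, and policies that rely on the “all” address or the ALL service. The internal interface IP (10.1.1.254/24) and policy 5 (with an undefined VLAN_300_Net address) are constructed so that the checks fire; everything else mirrors the guide.

```python
import ipaddress

CONFIG = (  # constructed sample: guide values plus an overlapping internal IP and a policy 5
    "config system interface\nedit external\nset ip 172.16.21.2 255.255.255.0\nnext\n"
    "edit internal\nset ip 10.1.1.254 255.255.255.0\nnext\n"
    "edit VLAN_100\nset ip 10.1.1.1 255.255.255.0\nnext\n"
    "edit VLAN_200\nset ip 10.1.2.1 255.255.255.0\nnext\nend\n"
    "config firewall address\nedit VLAN_100_Net\nset subnet 10.1.1.0 255.255.255.0\nnext\n"
    "edit VLAN_200_Net\nset subnet 10.1.2.0 255.255.255.0\nnext\nend\n"
    "config firewall policy\nedit 1\nset srcintf VLAN_100\nset srcaddr VLAN_100_Net\n"
    "set dstintf VLAN_200\nset dstaddr VLAN_200_Net\nset service ALL\nset action accept\nnext\n"
    "edit 3\nset srcintf VLAN_100\nset srcaddr VLAN_100_Net\nset dstintf external\n"
    "set dstaddr all\nset service ALL\nset action accept\nnext\n"
    "edit 5\nset srcintf VLAN_200\nset srcaddr VLAN_300_Net\nset dstintf external\n"
    "set dstaddr all\nset service HTTPS\nset action accept\nnext\nend\n"
)

def parse(text):
    """Parse 'config <table> / edit <name> / set k v... / next / end' into nested dicts."""
    tables, table, entry = {}, None, None
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = table.setdefault(" ".join(words[1:]), {})
        elif words[0] == "set":  # FortiOS may quote object names; strip quotes for lookups
            entry[words[1]] = [w.strip('"') for w in words[2:]]
    return tables

def audit(text):
    """Return findings: overlapping interface subnets, dangling references, broad policies."""
    cfg, out = parse(text), []
    ifaces, addrs = cfg.get("system interface", {}), cfg.get("firewall address", {})
    nets = {n: ipaddress.ip_network("/".join(e["ip"]), strict=False) for n, e in ifaces.items() if "ip" in e}
    names = sorted(nets)
    for i, a in enumerate(names):  # the guide requires the internal IP not to overlap any VLAN subnet
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                out.append(f"overlap: {a} {nets[a]} and {b} {nets[b]}")
    for pid, p in cfg.get("firewall policy", {}).items():
        for key, defined in (("srcaddr", addrs), ("dstaddr", addrs), ("srcintf", ifaces), ("dstintf", ifaces)):
            for ref in p.get(key, []):
                if ref == "all" and key.endswith("addr"):  # the guide calls 'all' less secure
                    out.append(f"policy {pid}: {key} is 'all' (review)")
                elif ref not in defined:
                    out.append(f"policy {pid}: {key} '{ref}' is undefined")
        if p.get("service") == ["ALL"]:
            out.append(f"policy {pid}: service ALL (consider per-service policies)")
    return out
```

Run `audit(CONFIG)` to list the findings; removing the overlap (for example by giving the internal interface 192.168.0.1/24) clears the first one.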