#5 LAVAEL: Deploy FortiGate VM

Vladyslav Diadenko


In the first steps of the environment setup, the FortiGate box was built with Packer using a custom, very basic configuration. Additionally, an SSL certificate was generated and applied so that the GUI can be reached over HTTPS. You may replace this certificate in the System settings once you have access to the FortiGate.

To keep this guide simple, the FortiGate VM will be configured over SSH. Also, because of license limitations, we cannot create many subinterfaces or policies.

Vagrant.configure("2") do |config|
  config.vm.define "fortigate" do |fortigate|
    fortigate.vm.box = "fortinet-fortigate"
    fortigate.vm.provider :libvirt do |libvirt|
      libvirt.management_network_name = 'lab_wan'
      libvirt.management_network_address = '192.0.2.0/28'
    end
    fortigate.vm.network "public_network",
      bridge: "virbr100",
      type: "bridge",
      dev: "virbr100",
      auto_config: false
  end
end

Run Vagrant VM

vagrant up fortigate

Use SSH to log in to the FortiGate from any VM already deployed in the lab or from the host. The default credentials are either admin/admin or vagrant/admin.

Change hostname

config system global
set hostname "lab-fortigate"
end

Configure interface port1 (LAB_WAN)

config system interface
edit "port1"
set vdom "root"
set mode static
set ip 192.0.2.10 255.255.255.240
set description "LAB_WAN"
next
end

Reconnect to the FortiGate using the new IP address 192.0.2.10.

Configure interface port2 (LAB_LAN)

config system interface
edit "port2"
set vdom "root"
set mode static
set ip 192.168.100.254 255.255.255.0
set allowaccess http https ping ssh
set description "LAB_LAN"
next
end

Configure static route

config router static
edit 0
set dst 0.0.0.0/0
set gateway 192.0.2.14
set device "port1"
set distance 10
next
end

Configure DHCP server on port2

config system dhcp server
edit 0
set interface "port2"
set dns-service default
set default-gateway 192.168.100.254
set netmask 255.255.255.0
set dns-server1 192.0.2.14
set lease-time 86400
config ip-range
edit 0
set start-ip 192.168.100.60
set end-ip 192.168.100.100
next
end
next
end

Create firewall address object

config firewall address
edit "LAN-192.168.100.0/24"
set subnet 192.168.100.0 255.255.255.0
next
end

Create firewall address group

config firewall addrgrp
edit "LAN-networks"
set member "LAN-192.168.100.0/24"
next
end

Create firewall policy

config firewall policy
edit 0
set name "LAN->WAN"
set srcintf "port2"
set dstintf "port1"
set srcaddr "LAN-networks"
set dstaddr "all"
set action accept
set schedule always
set service "ALL"
set nat enable
set logtraffic all
next
end
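Before putting traffic through the lab it is worth checking that the blocks above agree with each other: the static route's gateway has to sit on port1's subnet, the DHCP gateway and pool have to lie inside port2's subnet, and the policy's source objects have to exist and actually cover the LAN. The script below is an added example, not part of this post or of any Fortinet tool. It embeds a pared-down copy of the CLI above as a constructed sample, parses the config/edit/set/next/end structure with a small parser, and runs those checks with the standard library's ipaddress module.

```python
import ipaddress
import shlex

# Constructed sample (added here, not from the post): the FortiOS CLI blocks above,
# pared down to the settings the checks below read. "edit 0" means "next free id".
FORTIOS_CONFIG = """
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.240
    next
    edit "port2"
        set ip 192.168.100.254 255.255.255.0
    next
end
config router static
    edit 0
        set dst 0.0.0.0/0
        set gateway 192.0.2.14
        set device "port1"
    next
end
config system dhcp server
    edit 0
        set interface "port2"
        set default-gateway 192.168.100.254
        config ip-range
            edit 0
                set start-ip 192.168.100.60
                set end-ip 192.168.100.100
            next
        end
    next
end
config firewall address
    edit "LAN-192.168.100.0/24"
        set subnet 192.168.100.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "LAN-networks"
        set member "LAN-192.168.100.0/24"
    next
end
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN-networks"
    next
end
"""

def parse_fortios(text):
    # Nested dicts: cfg["system interface"]["port2"]["ip"] == ["192.168.100.254", "255.255.255.0"];
    # a config block inside an edit entry becomes a nested table of that entry.
    root = {}
    stack = [root]  # innermost open config table or edit entry
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the CLI's double-quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root

def iface_addr(cfg, name):
    ip, mask = cfg["system interface"][name]["ip"]
    return ipaddress.ip_interface(f"{ip}/{mask}")

def check_config(cfg):
    """Return a list of findings; an empty list means the lab config is consistent."""
    findings = []
    # Static route gateways must sit on the subnet of their egress interface.
    for rid, route in cfg["router static"].items():
        gw, dev = ipaddress.ip_address(route["gateway"][0]), route["device"][0]
        if gw not in iface_addr(cfg, dev).network:
            findings.append(f"route {rid}: gateway {gw} is not on {dev}")
    # DHCP: the gateway is the interface's own address and the pool lies inside its subnet.
    for sid, srv in cfg["system dhcp server"].items():
        net = iface_addr(cfg, srv["interface"][0])
        if ipaddress.ip_address(srv["default-gateway"][0]) != net.ip:
            findings.append(f"dhcp {sid}: default-gateway is not the interface address")
        for rid, rng in srv["ip-range"].items():
            lo, hi = (ipaddress.ip_address(rng[k][0]) for k in ("start-ip", "end-ip"))
            if lo > hi or lo not in net.network or hi not in net.network:
                findings.append(f"dhcp {sid} range {rid}: {lo}-{hi} outside {net.network}")
    # Policy sources: every referenced object must exist and cover the ingress subnet.
    addrs, groups = cfg["firewall address"], cfg.get("firewall addrgrp", {})
    for pid, pol in cfg["firewall policy"].items():
        src_net = iface_addr(cfg, pol["srcintf"][0]).network
        for name in pol["srcaddr"]:
            for member in groups[name]["member"] if name in groups else [name]:
                if member not in addrs:
                    findings.append(f"policy {pid}: address object {member} does not exist")
                    continue
                obj = ipaddress.ip_network("/".join(addrs[member]["subnet"]))
                if not src_net.subnet_of(obj):
                    findings.append(f"policy {pid}: {member} does not cover {src_net}")
    return findings

if __name__ == "__main__":
    print(check_config(parse_fortios(FORTIOS_CONFIG)) or "config is consistent")
```

Paste the output of `show` from your own box into FORTIOS_CONFIG to run the same checks against what is actually configured rather than what was typed; a typo in an address-group member or a gateway outside port1's /28 shows up as a finding instead of as a silent blackhole.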

Configure syslog

config log syslogd setting
set status enable
set server "192.168.100.50"
set port 5145
set facility syslog
set source-ip "192.168.100.254"
set format rfc5424
set mode udp
end
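With logtraffic enabled on the policy and syslog pointed at 192.168.100.50, the collector will receive RFC 5424 lines whose message part is the FortiOS key=value body. The following Python is an added example, not part of this post or of any Fortinet tool, showing how a collector can split that format and run two first checks over it: an accept/deny tally per traffic log, and a list of port2 sources that are neither in the DHCP pool (.60-.100) nor one of the hosts that are static on purpose (.50 and .254). The sample lines are constructed for this example; the devid is a placeholder and the "- - - -" header fields are an assumption about what the box emits, so compare against a real capture before relying on the header regex.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape "set format rfc5424" plus "set facility syslog" should
# give (PRI 45 = facility 5 syslog, severity 5 notice; PRI 44 = severity 4 warning).
# devid is a placeholder; the "- - - -" app/procid/msgid/sd fields are assumed.
SAMPLE_LINES = [
    '<45>1 2024-05-01T10:00:01Z lab-fortigate - - - - date=2024-05-01 time=10:00:01 '
    'devname="lab-fortigate" devid="FGVM00PLACEHOLDER" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.100.61 srcport=51234 '
    'srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="port1" proto=6 '
    'action="accept" policyid=1 policyname="LAN->WAN" service="HTTPS"',
    '<45>1 2024-05-01T10:00:02Z lab-fortigate - - - - date=2024-05-01 time=10:00:02 '
    'devname="lab-fortigate" devid="FGVM00PLACEHOLDER" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.100.50 srcport=40000 '
    'srcintf="port2" dstip=203.0.113.20 dstport=123 dstintf="port1" proto=17 '
    'action="accept" policyid=1 policyname="LAN->WAN" service="NTP"',
    '<44>1 2024-05-01T10:00:03Z lab-fortigate - - - - date=2024-05-01 time=10:00:03 '
    'devname="lab-fortigate" devid="FGVM00PLACEHOLDER" logid="0000000013" type="traffic" '
    'subtype="forward" level="warning" vd="root" srcip=192.168.100.200 srcport=3333 '
    'srcintf="port2" dstip=192.0.2.14 dstport=22 dstintf="port1" proto=6 '
    'action="deny" policyid=0 policyname="" service="SSH"',
    'this line is not RFC 5424 and must be rejected rather than crash the parser',
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$")
# FortiOS body: key=value pairs, values either bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split the RFC 5424 header, then the FortiOS key=value body. None if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    rec = {"facility": pri // 8, "severity": pri % 8,
           "timestamp": m["ts"], "host": m["host"]}
    for key, value, quoted in KV_RE.findall(m["msg"]):
        rec[key] = quoted if value.startswith('"') else value
    return rec

def parse_lines(lines):
    return [r for r in (parse_line(line) for line in lines) if r is not None]

# Lab addressing from this post: the port2 DHCP pool and the hosts that are static on purpose.
DHCP_POOL = (ipaddress.ip_address("192.168.100.60"), ipaddress.ip_address("192.168.100.100"))
KNOWN_STATIC = {ipaddress.ip_address("192.168.100.50"), ipaddress.ip_address("192.168.100.254")}

def unexpected_lan_sources(records):
    """Sources seen on port2 that are neither DHCP-pool addresses nor known static hosts,
    i.e. a machine that chose its own address and deserves a look."""
    found = set()
    for r in records:
        if r.get("type") != "traffic" or r.get("srcintf") != "port2" or "srcip" not in r:
            continue
        ip = ipaddress.ip_address(r["srcip"])
        if not (DHCP_POOL[0] <= ip <= DHCP_POOL[1]) and ip not in KNOWN_STATIC:
            found.add(str(ip))
    return found

def action_counts(records):
    """Accept/deny tally over traffic logs; a jump in denies is the first thing to chart."""
    return Counter(r["action"] for r in records if r.get("type") == "traffic" and "action" in r)

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    print(action_counts(recs), unexpected_lan_sources(recs))
```

The parser keeps the PRI split into facility and severity so you can confirm the "set facility syslog" setting arrived as facility 5 on the collector; if the numbers differ, the receiver is probably seeing traffic from a different device or a different syslogd setting than the one above.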
