Category Archives: Fortigate

To format and upgrade a firmware on Fortigate 40C, We will need 3 types of cables.

<<<<<<<>>>>>>>>

1. Connect console cable to console port of the Fortigate.
Use a serial to USB converter and connect to a USB on your laptop.
2. Connect USB cable (same cable we use with printers) to mng port of the fortigate.
3. Connect ethernet cable to port 5 (This port is special i think).
connect other end to your laptop.

Now all connections are in place.

Next:
Give your laptop an IP (manually):
192.168.1.168 – 255.255.255.0 – no need for Gateway
( you can use any IP, but i suggest to use this.)

Install 3 softwares,
1. Putty (link)
2. tftpd32 (link)
3. fortiexplorer (link)

if you have a Config backup, open it with a text editor.

You will see the build number and version of the firmware for that specific config file.
Download the firmware from FortiNet website.

For ease of use we can put all these files in a folder:
(in my case C:\Users\MyName\Desktop\Fortigate_40c_Format)

make a copy of the firmware file,
Rename the firmware file to image.out

Open TFTPD32.
Set the interface to the one to which we gave the IP 192.168.1.168
Set the root directory by clicking “Browse” on the tftp server window, and select
the folder with our files.
(in my case C:\Users\MyName\Desktop\Fortigate_40c_Format)

Next..

Open putty.
Set connection type to serial. and enter the COM port.
serial connection properties:
8 bits
no parity
1 stop bit
9600 baud (For a FortiGate-300, use 115,000 baud.)

You can find the COM port number from:
Right-click-Computer > Manage > Devices >
This will list all COM ports. Note the number for USB-Serial-connection. in my case it was COM4.

Now click connect on Putty.
Turn the power off and then on at the FortiGate unit.

Stuff will start to pop up on the console screen.
When the console displays

“Press any key to display configuration menu.”
Press any key.

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

these opetions will come.
Select F for now to format the boot device.

[note: Some console prompts in this procedure include a default value in square brackets, e.g., [image.out]. To use this default value, just press Enter.]

When format is finished, device will restart.
Do the same. When you reach this options. This time select G.
“Get firmware image from TFTP server.”

it will ask for IP of TFTP server. if you gave the same IP as above just click enter.
"Enter TFTP server address [192.168.1.168]: "
(if you gave another IP to your laptop, type the ip at the prompt
example: "Enter TFTP server address [192.168.1.168]:192.168.1.25")

now the console will ask for IP of the fortigate. enter to proceed with default value.
"Enter local address [192.168.1.188]: "

Now give the name of the firmware file.
Enter firmware image file name [image.out]:
(since we renamed our file to image.out we can just press enter)

The Fortigate downloads the firmware from the TFTP server and displays a message similar to the following:

MAC:001122B15D94 (MAC of your laptop)
########################### (transfer progress)
Total 28385179 bytes data downloaded.(firmware file size)
Verifying the integrity of the firmware image.. (verification stage)

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
type D to make load the firmware as the default firmware.

(if the download fails after the integrity check with the error message:
invalid compressed format (err=1) )

The fortigate downloads the firmware from the TFTP server.
Then installs the firmware and restarts.
The time required varies by the size of the file and the speed of your network connection.

Now we have installed the firmware.

Open the FortiExplorer software. this will detect the connected device (through mng USB cable)

Select web GUI from the given options.
Login with default password.
Username: admin
Password: (blank)

if you can login and the window is loading fine. You can restore your config file through the GUI.
this app gives you non IP dependend connection to the device. (Console acces otherwise called out of bound access).

In my experience I found that the app is slow for real stuff. So this is what I did.
There is an option to do basic configuration through a wizard. select this and set IP, username, and password etc. Basic stuff no need to care much, we will replace this config in coming steps.

when finished. make sure the IP of your laptop and fortigate are on the same subnet.

Open a browser window and type in the IP address of the device.
Login with your username and password. (the one we set above)

In the main window (dashboard) you will see option to restore a configuration.
selct ‘restore’, then choose the Backup config file. then click restore.
Fortigate will apply the configuration and restart.

You can see these happening on your console window. (just watch don’t type anything)
then it will say firewall is initialising…

you can do another thing. ping to to the fortigate IP with the -t operator.

Ping -t
wait until you start getting results for the ping.

Open the web browser window.
if the IP you gave when setting basic config through the wizard and the IP in your config files are different,
after the upgrade you need to use the IP in your config file.

login with your old username and password (from the backup config).
The username and password are the ones you used while you had the old configuration.

thats it.
Now you have formated the device.
installed a firmware.
loaded a backup configuration.

Now register your device through the portal to activare your forticare licences.

By default all ports are members of a hardware switch. remove one of the port from the switch. for example port 4. Now we will create our VLANs under this port.

fgt#config system interface
fgt(interface)#edit <vlan-name>#if vlan-name not exist, vlan will be created.
fgt(<vlan-name>)#set interface lan4 #assign this vlan to the lan4 port.
fgt(<vlan-name>)#set ip <give an ip in vlan range/24>#set ip for the vlan port
fgt(<vlan-name>)#set vlanid <id># set VLAN ID
fgt(<vlan-name>)#next
fgt(<vlan-name>)#end
#Vlan ID and Name are not same,eg. Vlan-Name = Wireless, VlanID= 70

DMZ – with vlan 100D + 30D

This post discuss how we managed to isolate each of our servers to its own network (vlan).

In this scenario, We have 2 firewalls in place for some reason.
Fortigate 30D and Fortigate 100D. All wan-side incoming traffic will be received by 30D. 30D will then send them to the servers based on the Virtual IP configuration (port forwarding).
The reply packets from servers will go out through the 100D fortigate (100D is the gateway).

1. Create and assign vlan in switch port.
   create a vlan for each server. Then assign them to the port to which the physical servers are connected.
   on cisco:
   #Switchport mode access
   #switchport access vlan
2. create vlan in esxi:
   open esxi server,
   select physical server and goto configurations tab,
   selct networing on left panel then click on properties
   click add, select virual machine, give a network lable and vlan ID. (network label: name for the vlan)
3. assign the vlan to VM:
   select VM
   right clik – edit server
   select netowrk adapter
   change network label.(select the vlan label created in step 2)
4. Open the server and make necessory changes
   Change RDP port in server.
   give ip address in the vlan range.
   set default gateway 100D
5. open 30D and Add vlan.
   basically we need to create a vlan port and assign an ip in vlan range.
6. OPEN 30D- create virtual IPs and group
   Policy and object
   virtual IP
   create virtual ip ( rdp,http,https )
   create virtual ip group, for example:server-vlan-group. #Change RDP port in server.
7. create wan-incoming policy on 30D
   name:DMZ-name
   incoming:WAN port
   Outgoing interface: VlanInterface
   destination: server-vlan-group( virtual ip group )
   schedule: always
   service:all
   action: accept
   security profile: select default.
8. Open 100D and create vlan.
   open vdom
   network – interfaces – create new – interface
   name: vlanname
   alias:
   type:vlan
   interface: new vlan will come under this interface.
   Vlan ID: give vlan number
   vitual domain: select your vdom
   role: LAN
   IP/Network: IP address/Subnet mask for the vlan port
   administrationve access: give none.
9. create address for vlan subnet in 100D. example: DMZ01
   or create a device-address for the server.
10. create lan-wan policy on 100D:
    Name: give a name
    incoming int: vlan interface
    outgoing int: WAN port
    source:name of address group we created in step 9
    destination:all
    schedule:always
    service:all
    accept
    select security profiles.

2 WAN connection combines to provide internet for a VDOM in fortigate. How to configure this is explained below.

Created VDOM for Wifi

Global > System > VDOM > Create New
Virtual Domain: Wifi
Inspection Mode: Proxy

OK

Assigned ports to VDOM wifi

Before moving ports to vdom, Make sure there are no reference to those ports from policies, routes, etc. Also make sure the ports have no IP assigned.

Global > Network > Interfaces >
Select and interface and Edit> change virtual domain of the interface.

In our case there is two WAN ports and and a LAN port for our Wifi topology.
(Port9 = LAN, Port 11 & Port 12 = WAN )

Now we need to create load balancing to combine the speed of both WAN connections. We can do this through FortiGate SD-WAN option.

Go to VDOM Wifi > Networ > SD-WAN > Enable SD-WAN
Click create New.
Seq1: Port 11 – Gateway IP is the IP of the 1st modem.
Seq2: Port 12 – Gateway IP is the IP of the 2nd Modem.

Select load balancing algorithm as “Volume”
Set the volume weight to 1 on both WAN connections.

Apply the changes.

Now create a SD-WAN status check.
It will check wan connection health against an external server.

Goto VDOM Wifi > Network > SD-WAN Status check> Create new
Name: Give a name
Protocol: Ping
Server: 8.8.8.8

Leave other stuff default. Then click ok. This will ocationally ping the google server through
the ports in SD-WAN to check the health of the connection.

Goto VDOM Wifi > Network > Static Routes
Destination: 0.0.0.0/0.0.0.0
Device: sd-wan
Admin distance:10
status: enabled

then press OK.

Assign a policy to allow traffic.
Goto VDOM Wifi > Policy and Objects> IPv4 policy > Create New
Name: Wireless devices
Incoming int: LAN port of the VDOM (port 9)
OutGoing int: SD-WAN
Select appropriate for Source, Destination, Schedule,Service, and Action.
Nat: on
Apply security profiles.
Log allowed traffic: log all sessions.

Now when we assign a new device to this policy the user will be able to access internet through the SD-WAN interface.