

Lab 5. Fortigate introduction

Setup

Story

After gaining some experience with Cisco FTD, our company decided to try a firewall product from a different vendor, Fortinet, called FortiGate. It will be used first to create simple configs (like the ones we did in lab3): create the qemu image path, create the node and deploy the machine, configure the interfaces and the policy rules between interfaces.

Lab infra

The FortiOS version of our FortiGate machine (FGT) is 6.4.2. You can find the qcow2 image in your $HOME directory, called virtioa.qcow2 (this name follows the EVE-NG qemu image naming conventions).

t0. ssh to the eve-ng machine (use user root and the -X flag); on Windows use PuTTY or MobaXterm:

user: root

password: student

user@host:~# ssh -l root -X 10.3.0.A (where A is your 4th byte in ipv4 address)

t1. create the directory of the FGT image, using the format fortinet-FGT-vX-buildABCD (where X is the major version, in our case 6, and ABCD is the FortiOS build, in our case 1723):

root@SRED:~# cdq 
root@SRED:/opt/unetlab/addons/qemu# mkdir fortinet-FGT-v6-build1723

t2. move the qcow2 image (found in your home dir) to this path

root@SRED:~# mv virtioa.qcow2 /opt/unetlab/addons/qemu/fortinet-FGT-v6-build1723

t3. solve the permissions:

root@SRED:~# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
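Steps t1 to t3 as one POSIX shell script, added here as an example (it is not part of the lab itself); it uses only the paths shown above, adds the input checks a careless copy-paste would otherwise skip (digits-only version and build, the image must be named virtioa.qcow2, never overwrite an existing image), and lets QEMU_DIR and UNL_WRAPPER be overridden for a dry run outside EVE-NG.

```shell
#!/bin/sh
# Stage a FortiGate qcow2 into the EVE-NG image folder (lab steps t1-t3).
# Paths default to the ones on the page; override via environment for testing.
QEMU_DIR="${QEMU_DIR:-/opt/unetlab/addons/qemu}"
UNL_WRAPPER="${UNL_WRAPPER:-/opt/unetlab/wrappers/unl_wrapper}"

# Build the folder name EVE-NG expects: fortinet-FGT-v<major>-build<build>.
# Both arguments must be plain digits; anything else is rejected.
fgt_image_dir() {
  major="$1"; build="$2"
  case "$major" in ''|*[!0-9]*) echo "bad major version: $major" >&2; return 1;; esac
  case "$build" in ''|*[!0-9]*) echo "bad build number: $build" >&2; return 1;; esac
  echo "fortinet-FGT-v${major}-build${build}"
}

# Move the image into place. EVE-NG only recognises a qcow2 named
# virtioa.qcow2 inside the image folder, so the source name is checked first.
stage_fgt_image() {
  src="$1"; major="$2"; build="$3"
  [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
  [ "$(basename "$src")" = "virtioa.qcow2" ] \
    || { echo "image must be named virtioa.qcow2" >&2; return 1; }
  dir="$(fgt_image_dir "$major" "$build")" || return 1
  dest="$QEMU_DIR/$dir"
  if [ -e "$dest/virtioa.qcow2" ]; then
    echo "image already present in $dest, not overwriting" >&2; return 1
  fi
  mkdir -p "$dest"
  mv "$src" "$dest/"
  # Step t3: fix ownership/permissions so the qemu wrapper can read the image.
  # Skipped when the wrapper is absent (e.g. a dry run outside EVE-NG).
  if [ -x "$UNL_WRAPPER" ]; then "$UNL_WRAPPER" -a fixpermissions; fi
  echo "$dest"
}

# Lab values: FortiOS 6.4.2, build 1723, image in $HOME (uncomment to run):
# stage_fgt_image "$HOME/virtioa.qcow2" 6 1723
```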

t4. go to eve-ng webui from your browser (http://10.3.0.A) and create a new lab by closing the old one (left > expand > close lab), create a new one (add new lab + add name lab5) and open it.

Create a new node for the FGT:

Right click > Add new object Node > Search for 'Fortinet FortiGate' (if you cannot find it, go back to steps t1,t2 and t3) > select the required image name (it is based on the folder name):

See the configuration:

- ram 2 GB

- 1 cpu

- 4 ethernet interfaces

Q: why do we need 4 ethernet interfaces?

On FGT machines, interfaces are named portX, where X is a number starting at 1 (in our case port1→4):

- the first interface, called port1 (you can rename it outside - see below how), is the management one and is also used for Internet access (remember outside on FTD). By default it has a static route to 0.0.0.0/0 via the default gateway of the ESX vSwitch:

FGT81 # get router  info routing-table details 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.3.255.254, port1
C       10.3.0.0/16 is directly connected, port1

- the next interfaces are used as traffic ports. In this lab we are going to use only the first 2 for internal clients (inside1 and inside2).

Regarding the MAC address issue found in the FTD labs: if you deploy multiple FGTs in the same network with their management interfaces connected there (and the IP configured via DHCP), the interfaces will have different MAC addresses, so no conflicts will be seen (unlike FTD, where all firewall instances took the same management IP).

sred/lab5.1606435042.txt.gz · Last modified: 2020/11/27 01:57 by horia.stoenescu
CC Attribution-Share Alike 3.0 Unported