FortiGate Firewall Guidance

Burkay Erturk
9 min read · Aug 18, 2024


Hello, this write-up will be about pretty much everything about the FortiGate Firewall that you should know on a regular basis. First of all, I would like to give you a heads-up that I don’t use any sort of AI in my articles; if I ever make any language mistake while I am explaining, please bear with me in advance :)

After completely reading and implementing everything I will show in this article, you will be able to understand and have a great deal of knowledge about the FortiGate Firewall.

I am skipping the explanation of what a firewall is and why we need one, because if you are here reading this article you already know what it is and why we spend a lot of money on it and use it :)

But I would like to list the FortiGate Firewall hardware appliances briefly:

Entry Level: FG-80F, FWF-80F
Mid-Range: FG-100F, FG-1000F, FG-420F
High-End: FG-4800F, FG-7081F, FG-7121F, FG-5114C

Let’s get into the details.

FortiGate offers the following features:

- Firewall authentication, both local and remote
- VPNs
- Security scanning such as antivirus, web filtering and application control
- Monitoring

1- OVERVIEW OF THE DASHBOARD AND SETTINGS:

As soon as you reach your FortiGate dashboard, you should change the name of your firewall and set the time, because accurate time is one of the most important things when reviewing logged events and reports. Go to System and then Settings.

You may also adjust which ports you would like to use for HTTP, HTTPS and SSH, and change the preferred language and the password requirements.

2- CONFIGURING INTERFACES, STATIC ROUTING AND DHCP

Physical and virtual interfaces allow traffic to flow between the internet and the internal network. You can scale your organization with the interface options. Each interface assigned to one of your departments may be configured as a DHCP server.

To configure an interface, click Network and then Interfaces.

Once you open one of the ports you would like to configure, you may set its name, IP address and subnet mask, choose which administrative services are allowed on it (such as SSH, HTTPS and PING), then enable DHCP and configure the pool from which devices will receive their IP addresses.

To reach the internet you need to configure a WAN port and a static route along with it. If you have more than one ISP, you may configure a separate static route for each ISP by creating a WAN port for each of them.

3- FIREWALL POLICIES

Firewall policies are the core of what we use in FortiGate. Anything we do on the firewall only takes effect through the policies we write. Policies are always evaluated from top to bottom. For instance, suppose we configured a web filter for the marketing department but placed that policy below a full-allow policy. In this case the web filter will not be effective, because every packet is already allowed before the filter is reached. The pictures will give you a better understanding; please examine them carefully.

What is an Implicit Deny?

Implicit Deny basically says: I am going to deny anything that does not match the policies above me. This feature comes by default with the firewall. If you do not configure any policy, the firewall will not allow any user to do anything. Following from that, if you would like to communicate between your departments, reach the internet, etc., you have to write a policy. The first thing to check when using the firewall is the policy. NO POLICY, NO CONNECTION!

It is also good to know that there are 2 inspection modes: Flow-Based and Proxy-Based.

Flow-Based: examines files as they pass through the FortiGate without buffering them.
Proxy-Based: the FortiGate buffers the traffic in this mode. It literally holds the file, examines it more deeply and then lets it through, and does the same for incoming files. But this adds more latency to internet traffic.

4- AUTHENTICATING NETWORK USERS

To add users and authenticate them, click Users & Authentication and then User Definition. There, you may add users from Active Directory with LDAP or add them directly. You may also configure two-factor authentication in the 3rd step.

This is how to create a group. If you already configured a remote group, you may add it under the Remote Group section as you see in the picture.

After creating the users and groups you are ready to create a policy for those groups and users on their interface.

Creating Addresses:

There are 6 types of address we can create:
- Subnet: basically an IP address with its subnet mask.
- IP Range: a range of IP addresses that you would like to add.
- FQDN: a website (a domain name).
- Geography: adding a specific country/zone as an address to allow or block.
- Device: a specific device that you would like to add by its MAC address.
- Dynamic: represents a range of IP addresses that may change over time.
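To show how the top-to-bottom ordering pitfall from section 3 actually plays out, and how the subnet, IP range and device address types listed above plug into a policy, here is an added Python example (not from the article or from Fortinet; the policy names, interface names, IPs and MAC are constructed). It models FortiGate’s first-match evaluation with the implicit deny at the bottom; FQDN, geography and dynamic addresses need DNS or GeoIP lookups and are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# Address objects as matcher functions (names and values are constructed for this example).
# Subnet, IP Range and Device types are modelled; FQDN/Geography/Dynamic need external lookups.
def addr_subnet(cidr: str) -> Callable:
    net = ip_network(cidr)
    return lambda ip, mac=None: ip_address(ip) in net

def addr_range(start: str, end: str) -> Callable:
    lo, hi = ip_address(start), ip_address(end)
    return lambda ip, mac=None: lo <= ip_address(ip) <= hi

def addr_device(mac_addr: str) -> Callable:
    return lambda ip, mac=None: mac is not None and mac.lower() == mac_addr.lower()

ADDRESSES = {
    "all": lambda ip, mac=None: True,
    "marketing_net": addr_subnet("10.10.20.0/24"),
    "guest_range": addr_range("10.10.30.100", "10.10.30.199"),
    "ceo_laptop": addr_device("aa:bb:cc:dd:ee:01"),
}

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: List[str]
    action: str                      # "accept" or "deny"
    webfilter: Optional[str] = None  # security profile, only applied by accept policies

# The built-in last policy: matches everything and denies it.
IMPLICIT_DENY = Policy("Implicit Deny", "any", "any", ["all"], "deny")

def evaluate(policies: List[Policy], srcintf: str, dstintf: str,
             src_ip: str, src_mac: Optional[str] = None) -> Policy:
    """Walk the policy table top to bottom; the first match wins, implicit deny is last."""
    for p in policies + [IMPLICIT_DENY]:
        if p.srcintf not in ("any", srcintf) or p.dstintf not in ("any", dstintf):
            continue
        if any(ADDRESSES[name](src_ip, src_mac) for name in p.srcaddr):
            return p
    return IMPLICIT_DENY  # not reachable, since the implicit deny matches everything

FULL_ALLOW = Policy("Full Allow", "internal", "wan1", ["all"], "accept")
MARKETING_WF = Policy("Marketing Web Filter", "internal", "wan1", ["marketing_net"],
                      "accept", webfilter="marketing-profile")
CEO_ONLY = Policy("CEO Laptop", "internal", "wan1", ["ceo_laptop"], "accept")
WRONG_ORDER = [FULL_ALLOW, MARKETING_WF]  # the article's pitfall: filter below full allow
RIGHT_ORDER = [MARKETING_WF, FULL_ALLOW]
```

With WRONG_ORDER a marketing host is matched by "Full Allow" and never sees the web filter profile; with RIGHT_ORDER it hits "Marketing Web Filter" first, and anything that matches no policy (or comes in on an interface no policy covers) falls through to the implicit deny.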

5- INSPECT SSL TRAFFIC

HTTPS protects web traffic with encryption; however, it has its own weakness, because attackers may use encrypted traffic to get around a network’s normal defenses. There are 2 types of inspection.

Certificate Inspection: the FortiGate inspects the SSL/TLS handshake when the session begins. By doing this the FortiGate verifies the identity of the web server and makes sure that HTTPS is not used as a workaround to access sites you have blocked using web filtering. The only security profile you can use with SSL certificate inspection is Web Filtering.

Deep Inspection: the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. If the content is safe, the FortiGate re-encrypts the content and sends it to the real recipient. You may use deep inspection with all types of filters, including web filtering. Deep inspection also provides protection for SMTPS, POP3S, IMAPS and FTPS.

To avoid certificate warnings, download the Fortinet certificate and install it on your clients.

After the certificate is installed, we may use deep inspection with any of the filters.

6- WEB-FILTER, ANTIVIRUS, APPLICATION CONTROL AND INTRUSION PREVENTION

We may create our own filters on the FortiGate, or we may customize the default filters that FortiGate provides.

Web-Filter

We may allow or block website categories; FortiGate gets the category list from FortiGuard (fortiguard.com).

If you would like to block or allow a specific website, you need to use the URL Filter.

Antivirus / Malware Protection

Application Control

Intrusion Prevention

With the intrusion prevention system you may block malicious activity using signatures derived from previously published incidents. Some have CVE IDs, some don’t. You may also narrow down the list by your OS, the severity of the vulnerability and the target.

7a- IPsec VIRTUAL PRIVATE NETWORK

First of all we need to download the VPN client that Fortinet provides for free from https://www.fortinet.com/support/product-downloads.

IPsec allows us to build a secure connection between 2 different networks; this is called a VPN. IPsec provides data authentication, data integrity, data confidentiality and anti-replay protection. IPsec also doesn’t need any internet intervention, which is one of its best advantages. It builds a VPN tunnel between the two ends of the connection.

It can be used in 2 ways:

- Remote Access VPN: allows a client to connect to a remote network. In this type, the client always initiates the connection. The remote user authenticates with a username and password. Multi-factor authentication may also be configured for extra security.

- Site-to-Site VPN: allows networks in two different physical locations to reach each other securely. Either side can initiate the connection. You may create hub-and-spoke, partial-mesh or full-mesh topologies. FortiGate can establish site-to-site VPNs with other FortiGate devices as well as devices from other vendors such as Palo Alto and Cisco, and also with cloud service providers such as AWS or Azure.

To sum up: in both types of VPN, once the connection is established, devices in different networks become part of the same logical network. We may say that this connection type is a WAN-to-WAN connection, that is, a connection between two different locations.

For an IPsec VPN configuration we need 2 firewall devices in order to create a tunnel between them. But for this write-up I will only configure one firewall; the process is identical for both devices.

Please see the topology below.

Before creating the tunnel, have the topology ready so you can check your values against it!

Click VPN on the menu bar and then click IPsec Wizard to start configuring.

For the remote IP address you need to enter the other firewall’s public IP address, select your outgoing interface and then enter the pre-shared key.

In the next step, make sure that your local subnet and interface are correct and that the remote subnet is correct. It is always better to keep the topology at hand to check that the subnets are right.

After that step click Next and create the tunnel. You may see the tunnels created in the IPsec Tunnels section.

All set! Now do the same steps on the other firewall, but make sure the subnets are correct. Do not forget to check them against the topology.

7b- SSL VPN

SSL VPN connects from the client’s network to the firewall and then on to the other network. This type of VPN is more like client-to-site. Connectivity for this type depends entirely on the policy we configure on the firewall.

First create an SSL VPN portal;

Then assign the interface to the portal. You should also create the server certificate to activate the SSL VPN.

As always, the last step is to configure a firewall policy;

Now you are able to connect to the server by configuring the FortiClient VPN that you downloaded earlier.

Thank you so much for reading.

Stay tuned for more :)

You may follow me on LinkedIn:

https://www.linkedin.com/in/burkay-erturk/
