Support Forum
tbv
New Contributor

Desperate for help

When our old firewall died, we moved to a Fortinet.  The OS is a little different, and we are down in this office until I get it right.  I have reviewed the docs, but would really appreciate it if somebody could fill in the exact params to get me initially connected.

 

My former firewall operated in transparent mode, which is not the same as Fortinet's transparent.  We had 20 public IP addresses and did not use any private IP addresses.  I understand I am not doing that in the Fortinet, but so you understand, here is my old IP info, assuming a public set of 30 IP addresses on 201.86.251.32/27 (255.255.255.224).  x.32 is the ISP address, and .33 is the address of the provided router (T1).  In the old system we gave the firewall the .34 and set the gateway on each PC to be .34.  Each PC had a public IP in our range, and we used the rules/policy to restrict traffic.  This was done because the stations need to be accessed from outside the LAN (not just ports forwarded), and when the station reached outside the LAN they showed that public IP.

 

Now it seems in Fortinet what I need is private IPs reaching out to the Internet with some VIPs as needed. I wanted to start by just having 1 LAN PC with a private IP be able to access the Internet. The docs say I need to set the Internet-facing interface to the public IP of the ISP, then it says if I have equipment from the ISP (non-DHCP) I need to set the correct private IP, and then set the internal interface to a private IP (I did 10.1.1.34).  Then add a default route entry.

 

I need those steps please with the exact IP's based on my info.  TIA!!!!!!!

9 REPLIES
lobstercreed
Valued Contributor

Hi T,

 

It sounds like your old firewall was doing NAT rather than transparent, but maybe their terminology was wrong and led you to believe otherwise.

 

First thing, you'll want to put the FortiGate in NAT mode if you haven't already.  Then you need to configure your WAN interface with the same IP you were using before (201.86.251.34/27).

 

You also need to set up a static default route (Network > Static Routes) to go out your WAN interface with a gateway address of 201.86.251.33 (your ISP's router).

 

At this point the firewall itself should have Internet.  You can test by going into CLI and running execute ping 8.8.8.8

 

Now you need to make sure your internal network configuration works.  It sounds like you've decided on 10.1.1.34 for the firewall's internal address, but I would generally recommend using the first address in a subnet for your router, as in 10.1.1.1.  Either way, you probably want it to hand out DHCP to your internal hosts, so you'll accomplish this on the interface configuration for your lan (Network > Interfaces).  If you have an internal DNS server (i.e. running Microsoft AD?), you'll want to use that under the "specify" DNS option, or you can specify 8.8.8.8 for now.

 

Lastly you need at least one firewall policy.  Under Policy & Objects > IPv4 Policy, you need to define one with a source interface of your lan, a destination interface of your wan, and you can use "all" for the source and destination addresses.  For now you can do ALL services as well, though I recommend allowing only needed traffic (HTTP/HTTPS for a start).  You will need to make sure the NAT option is selected, and for now you can just use the outgoing interface IP. 

 

Later you will want to create IP Pools and use those to NAT traffic from specific hosts to get you back to the addressing you had before.  You will also need VIP objects to go the other way (outside to inside) and use in the WAN to LAN firewall policies.

 

I hope this is helpful.  It does sound like you're in a little bit over your head...if you can find a local professional to assist you, that will be ideal.  :)  I would help remotely if you could pay me, but it would be hard to do until you get Internet access on the device you're using to configure the device...catch-22, ha.

 

- Daniel
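As an added illustration of the steps Daniel lists (this is not part of his reply or of any Fortinet document), here is the same sequence as FortiOS CLI using the addresses from this thread. The interface names "wan1" and "internal", the 10.1.1.0/24 LAN mask, the 10.1.1.100-200 DHCP range and the service list are assumptions; 10.1.1.1 is the LAN address Daniel recommends.

```text
# Added example, not from the original post: FortiOS CLI for the reply's steps.
# Assumed: interface names "wan1"/"internal", LAN mask /24, DHCP range .100-.200.

# Step 1: NAT mode (per VDOM)
config system settings
    set opmode nat
end

# Step 2: WAN interface with the old firewall's public address
config system interface
    edit "wan1"
        set mode static
        set ip 201.86.251.34 255.255.255.224
        # keep HTTPS/SSH management off the Internet-facing interface
        set allowaccess ping
    next
    edit "internal"
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Step 3: default route out of wan1 via the ISP router (.33)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 201.86.251.33
        set device "wan1"
    next
end

# Step 4: DHCP on the LAN; 8.8.8.8 as DNS "for now", as the reply suggests
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 10.1.1.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 8.8.8.8
        config ip-range
            edit 1
                set start-ip 10.1.1.100
                set end-ip 10.1.1.200
            next
        end
    next
end

# Step 5: LAN -> WAN policy with NAT to the outgoing interface IP.
# HTTP/HTTPS/DNS rather than ALL, so only needed traffic leaves and it is logged.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

After pasting this in, the check Daniel describes is `execute ping 8.8.8.8` from the CLI; `get router info routing-table all` should show the 0.0.0.0/0 route via 201.86.251.33 on wan1 before any LAN host is expected to get out. DNS is in the service list because HTTP/HTTPS alone leaves hosts unable to resolve names.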

tbv

You are awesome. I am a little in deep, but I worked a lot before with policies, so once I get up hopefully I will be OK.  If not you are hired :)

tbv

You saved the day so far. And I see what I thought was my previous firewall knowledge was bush league.  Perhaps you can answer 2 follow-up questions so I can be operational, and after that I will pay for any further advice or assistance. I have a feeling these 2 questions are really one:

 

1. I do not see where I can assign DHCP address leases to specified MAC addresses.  I do see a whole bunch of devices captured and listed and am not sure if that is relevant.

 

2. IP Pool vs Virtual IP - when to use each?

 

In my old firewall I would have issued IP X to MAC Y for server Z, and then set incoming/outgoing services for that IP.  (I.e. a web server, RDP server, etc.)

 

I am grateful,  TIA!

lobstercreed
Valued Contributor

You're welcome!  :)  If we need to take this offline in the future, my email address is detectivedanham@gmail.com

 

Ok, to answer your two questions...

 

1. This is in the Interface configuration...if you go into your lan interface under the DHCP section you will see a place you can expand to get advanced options.  This is where you can set MAC-based reservations as well as other DHCP options.

2. By default Fortinet separates the concept of source-NAT (SNAT) from destination-NAT (DNAT), and that's why these two objects exist.

   • For outgoing connections (say, when you try to load Google.com), you can attach an IP pool to the outgoing policy to tell the traffic matching that policy to use such and such public IP(s).  I mentioned this briefly in my previous post that you would want to change your NAT configuration to use IP pools instead of outgoing interface IP.  You will also need to define multiple specific policies allowing outbound traffic from such and such source to NAT to such and such IP pool, and then another policy for such and such other source to NAT to a different IP pool.  These should be set up to mirror what you use on your incoming policies (below).

   • For incoming connections (say if you are accessing your web server from the Internet), you would program the inbound policy to use the Virtual IP (VIP) as the destination.  The VIP itself is then configured with your public IP and has the NAT translation so that the traffic actually reaches your web server (at for example 10.1.1.25).

Also, you may or may not be aware of the great documentation Fortinet provides.  Most common scenarios seem to be covered (as well as some pretty advanced ones).  https://docs.fortinet.com/fortigate/admin-guides can help get you started.  Make sure to check out the cookbooks too...you can actually just go to https://cookbook.fortinet.com/ and find lots of good information.

Hope I was able to help.  Have a great day!  - Daniel
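As an added illustration of the three pieces Daniel describes (MAC reservation, IP pool for SNAT, VIP for DNAT), and not part of his reply or of any Fortinet document, here is FortiOS CLI for one web server. It assumes interfaces named "wan1" and "internal", a DHCP server entry 1 already on "internal", and a general LAN-to-Internet policy with ID 1 already in place; the MAC address, the public IP 201.86.251.40 and the server address 10.1.1.25 are sample values made up for the example.

```text
# Added example, not from the original post. Assumed: interfaces "wan1"/"internal",
# DHCP server entry 1 on "internal", existing general outbound policy ID 1.
# Sample values: MAC 00:11:22:33:44:55, public 201.86.251.40, server 10.1.1.25.

# 1. Pin the server's LAN address to its MAC (the DHCP "advanced" reservation)
config system dhcp server
    edit 1
        config reserved-address
            edit 1
                set ip 10.1.1.25
                set mac 00:11:22:33:44:55
            next
        end
    next
end

# Address object for that single host, used as the source of the SNAT policy
config firewall address
    edit "web-server"
        set subnet 10.1.1.25 255.255.255.255
    next
end

# 2a. Outbound (SNAT): IP pool so the server shows 201.86.251.40 on the Internet
config firewall ippool
    edit "web-server-snat"
        set type one-to-one
        set startip 201.86.251.40
        set endip 201.86.251.40
    next
end

# 2b. Inbound (DNAT): VIP mapping 201.86.251.40 to the server.
# Port-forward only tcp/443 rather than the whole address, so nothing else
# on the host is reachable from outside.
config firewall vip
    edit "web-server-vip"
        set extip 201.86.251.40
        set extintf "wan1"
        set mappedip "10.1.1.25"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # host-specific outbound rule using the pool instead of the interface IP
    edit 2
        set name "web-server-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "web-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set ippool enable
        set poolname "web-server-snat"
        set logtraffic all
    next
    # inbound rule: destination is the VIP object, no NAT flag needed here
    edit 3
        set name "web-server-in"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # policies match top-down: the host-specific SNAT rule must sit above the
    # general LAN-to-Internet rule or it is never hit
    move 2 before 1
end
```

The pairing Daniel mentions is visible here: the pool and the VIP use the same public address, so the server is seen as 201.86.251.40 in both directions, which is what the old per-host public addressing gave. Repeat the address object, pool, VIP and two policies per host that needs its own public IP, keeping the specific outbound rules above the general one.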

ede_pfau

If you already see DHCP leases listed in Monitor > DHCP Monitor, just right-click an entry and choose 'reserve IP'. This is a (welcome) shortcut into the interface config.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau

Having read OP's first post I do wonder why you wouldn't just use the FGT in Transparent mode. It's a Layer 2 device then. No NAT, no routing. Your T1 router already does the routing.

The FGT would carry one IP address, mainly for being able to manage it. This could be one of the public IPs or any other.

But then again, I am not onsite and there might be a good reason...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
lobstercreed
Valued Contributor

tbv wrote:

> In the old system we gave the firewall the .34 and set the gateway on each PC to be .34.  Each PC had a public IP in our range, and we used the rules/policy to restrict traffic.  This was done because the stations need to be access from outside the LAN (not just ports forwarded) and when the station reached outside the LAN they showed that public IP.

To me that says that he had to be using NAT mode previously, so I was trying to keep it as simple as possible.  I can think of lots of reasons to use NAT mode over transparent though, not least of which is scalability.  What if he has (or gets) more hosts on the inside than he has public addresses for?  Unless some other device inside is providing NAT to the extra hosts, he would have to redesign it at that time, right?  Why not just do it better out of the box?  :)

ede_pfau

The correct gateway would have been the IP of the access router. But, as .34 is in the same subnet, a redirect per ICMP ("better route available") would correct that without anybody noticing.

Maybe the old firewall lent that gateway IP, or did routing,...speculation.

Using TP mode or not is a design question. Consider the effort of obtaining public addresses (which in some parts of the world seems to be easy) and the probability of future need of these, against creating VIPs and/or IP pools for NATting.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rohitchoudhary1978
New Contributor III

Hi,

It can be done. Set the UTM to transparent mode.

config system settings
    set opmode transparent
    set manageip <address and netmask>
    set gateway <address>
end

Rohit K