1. Creating a user and a user group

Go to User & Device User Definition. Create a local user account for a SSL VPN user.

Go to User & Device > User Groups. Create a user group for SSL VPN users and add the new user account.

2. Creating an SSL VPN portal for remote users

Go to VPN > SSL-VPN Portals. Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode.

Make sure Enable Split Tunneling is not selected, so that all Internet traffic will go through the FortiGate.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Predefined Bookmarks, select create new to add a new bookmark. Bookmarks are used as links to internal network resources.

In the example, a bookmark is added to connect to a FortiGate being used as an ISFW, which can be accessed at https://192.168.200.111.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to Allow access from any host.

In the example, the Fortinet_Factory certificate is used as the Server Certificate. It is, however, recommended that you purchase a certificate for your domain and upload it for use with an SSL VPN.

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Authentication/Portal Mapping, add the SSL VPN user group and map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

4. Adding an address for the local network

Go to Policy & Objects > Addresses.

Add the address for the local network. Set Type to IP/Netmark, Subnet/IP Range to the local subnet, and Interface to an internal port.

5. Adding security policies for access to the internal network and Internet

Go to Policy & Objects > IPv4 Policy. Add a security policy allowing access to the internal network through the VPN tunnel interface. Set a policy name that will identify what this policy is used for (in the example, SSL-VPN-internal)

Set Incoming Interface to ssl.root and Outgoing Interface to the local network interface. Select Source and set Address to all and Source User to the SSL-VPN user group. Set Destination Address to the local network address, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root, Outgoing Interface is set to wan1, and Destination is set to all.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to the Dashboard. In the CLI Console widget, enter the following commands to enable the host to check for compliant AntiVirus software on the remote user’s computer:

config vpn ssl web portal
  edit full-access
    set host-check av
  end

7. Results

Web mode:

Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings (in the example, 172.20.121.46:10443)

Use the SSL VPN user’s credentials to authenticate.

The web portal appears.

An SSH connection will open in your browser, connecting to the requested Host.

Java is required for an SSH connection.

Tunnel mode:

If you have not done so already, download FortiClient from www.forticlient.com.

Open the FortiClient Console and go to Remote Access. Add a new connection.

Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example, 172.20.121.46). Select Customize Port and set it to 10443.

Select Add.

1. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPSec Wizard, and you will be taken to the VPN Creation Wizard.

Name the VPN connection (in the example, WinPhoneVPN).

Select the Remote Access template, select the Windows Native device type, and select Next.

Set the Incoming Interface to the internet-facing interface (wan1).

Select the Pre-shared Key authentication method and enter a pre-shared key.

Select the user group created earlier and select Next.

Set Local Interface to the internal interface and set Local Address to all.

Enter an IP address range for VPN users in the Client Address Range field, enter a Subnet Mask, and select Create.

Make sure no other interfaces on the FortiGate are using the same address range.

2. Connecting to the IPsec VPN from the Windows 10 Phone

Enter a Connection name and set the Server name or address to the FortiGate’s IP address of the Internet facing interface.

Set VPN type to Automatic and enter the pre-shared key — this key is the same one you added to the FortiGate.

Select Save.

3. Results

You will now connect to the IPsec VPN tunnel. From the VPN screen, select TheOffice.

Sign in and connect using dprince‘s credentials.

You should now be connected to the IPsec VPN.

1. Configuring a CA

On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new Local CA. Enter a Certificate ID and Name (CN). Leave all other settings default.

This creates a root CA certificate that is self signed. This certificate must be copied to the supplicant.

Go to Certificate Management > End Entities > Local Services and create a new service. Enter a Certificate ID, Issuer (your local CA), and Name (CN). Leave all other settings default.

This creates a certificate for the authentication server.

2. Configuring RADIUS authentication

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client. Enter the Name, Client name/IP, and shared Secret. For Realms, use the local user realm and set EAP types to use EAP-TTLS.

Go to Authentication > User Management > Local Users and create a local user and password.

This is your user account for 802.1X authentication.

Go to WiFi & Switch Controller > VLANs

Modify your VLAN and change the admission control authentication method to RADIUS, and select you RADIUS server.

(This example follows on from the local user configuration, given in the video.)

Test the RADIUS configuration from the the FortiGate CLI:

# diagnose test authserver radius myRADIUS mschap2 mike@local mypassword authenticate 'mike@local' against 'mschap2' succeeded, server=primary assigned_rad_session_id=790684157 session_timeout=0 secs idle_timeout=0 secs!

3. Configure the supplicant and test

4. Results

1. Configure the FortiAuthenticator

2. Add the RADIUS server to the FortiGate configuration

 Go to User & Device > RADIUS Servers. Select Create New.
Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator. Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

 3. Create an SSID with dynamic VLAN assignment

4. Create the VLAN interfaces

Go to Network > Interfaces.

Create the VLAN interface for default VLAN-10 and set up DHCP service.

Create the VLAN interface for marketing-100 and set up DHCP service.

5. Create security policies

Create a policy that allows outbound traffic from techdoc-200 to the Internet.

For this policy too, in Logging Options enable logging for all sessions.

6. Create the FortiAP Profile

Go to WiFi Controller > FortiAP Profiles.

Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.

7. Connect and authorize the FortiAP

Go to Network > Interfaces and choose an unused interface.
Set Addressing mode to Dedicated to Extension Device.
Connect the FortiAP unit to the this interface and apply power.

Results

The SSID will appear in the list of available wireless networks on the users’ devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet.
(If a certificate warning message appears, accept the certificate.)

Go to Log & Report > Forward Traffic.

Note that traffic for jsmith and twhite pass through
different policies.

(The column selections were customized for clarity.)

The security policies could be made different so that Marketing and Techdoc departments were allowed different access, but didn’t think that was fair.

1. Create the user accounts and user group on the FortiAuthenticator

Go to Authentication > User Management > Local Users and create a user account.

User Role settings are available after you click OK.

Create additional user accounts as needed, one for each employee.

2. Register the FortiGate as a RADIUS client on the FortiAuthenticator

 Go to Authentication > RADIUS Service > Clients and create a client account.

Enable all of the EAP types.

3. Configure FortiGate to use the RADIUS server

4. Create the SSID and set up authentication

5. Connect and authorize the FortiAP

Go to WiFi Controller > FortiAP Profiles and edit the profile.

This example used a FortiAP-221C, so the FAP221C-default profile applies.

For each radio:

• Enable Radio Resource Provision.
• Select your SSID.

6. Create the security policy

Results

Connect to the example-staff network and browse Internet sites.

Go to Monitor > Client Monitor to see that clients connect and authenticate.

1. Create the backhaul SSID

Go to WiFi Controller > SSID.

Create a new SSID. Set Traffic Mode to Mesh Downlink.

You will need the pre-shared key when configuring the mesh-connected FortiAP.

2. Create the client SSID

3. Create the FortiAP Profile

Go to WiFi Controller > FortiAP Profiles and create a profile for the Platform (FortiAP model) that you are using.

Configure Radio 1 for the client channel on the 2.4GHz 802.11n/g Band.

Configure Radio 2 for the backhaul channel on the 5GHz 802.11ac/n Band.

4. Configure the security policy

5. Configure an interface dedicated to FortiAP

6. Preauthorize FortiAP-1

Go to WiFi Controller > Managed FortiAPs and create a new entry.

Enter the serial number of the FortiAP unit and give it a name. Select the FortiAP profile that you created earlier.

6. Configure FortiAP-2 for mesh operation

In the CLI Console, enter
exec telnet 192.168.2.4
(your address might be different) to log in to the FortiAP as admin. Enter these commands:

Disconnect FortiAP-2.

7. Connect and authorize the FortiAPs

Connect FortiAP-1. Go to WiFi Controller > Managed FortiAPs. Click Refresh every 15 seconds until FortiAP-1 is listed.

Go to WiFi Controller > Managed FortiAPs. Select FortiAP-2 entry (identified by serial number) and edit it. Enter the Name and select the FortiAP Profile that you created earlier.

Authorize FortiAP-2. 

Click Refresh to update the display as needed. Within a minute or two, FortiAP-2 will be listed as Online. 

Results

Go to Monitor > WiFi Client Monitor. Both backhaul and client SSIDs are shown. Click Refresh as needed to see updated information.

Connect to the network near FortiAP-2. The FortiAP column shows  the client is associated with the mesh-connected FortiAP-2.

Connect to the network near FortiAP-1. The FortiAP column shows  the client is associated with FortiAP-1.

1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate’s Internet-facing interface (typically WAN1) to your ISP-supplied equipment and Connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP’s equipment, the FortiGate unit, and the PC on the internal network.

From the PC on the internal network, connect to the FortiGate’s web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your models QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate’s interfaces

Go to Network > Interfaces and edit the Internet-facing interface (in the example, wan1).

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address your ISP has provided you with.

If you have some ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface. 

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Edit the lan interface (called internal on some FortiGate models).

Make sure the interface’s Role is set to LAN.

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

3. Adding a default route

Go to Network > Static Routes and create a new route.

Set Destination to [glossary_exclude]Subnet[/glossary_exclude], Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

4. (Optional) Setting the FortiGate’s DNS servers

5. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface. Set Source, Schedule, and Services as required.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected.

5. Results

You can now browse the Internet using any computer that connects to the FortiGate’s [glossary_exclude]internal interface[/glossary_exclude].

You can view information about the traffic being processed by your FortiGate by going to FortiView > All Sessions and selecting the now view.

Select Add Filter and filter for Policy, selecting the name of your new policy. Only traffic flowing through the new policy is displayed.

1. Changing the FortiGate’s operation mode

From the PC on the internal network, connect to the FortiGate’s web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your models QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

Go to the Dashboard and enter the following command into the CLI console widget, substituting your own IP addresses where necessary:

config system settings
  set opmode transparent
  set manageip 192.168.200.111 255.255.255.0
  set gateway 192.168.200.99
end

You can now access the FortiGate using the new Management IP address (in the example, [glossary_exclude]https[/glossary_exclude]://192.168.200.111).

Go to the Dashboard. The System Information widget shows the Operation Mode is Transparent.

2. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for
most networks. However, if you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary DNS servers.

3. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to the internal interface (called internal on some FortiGate models) and the Outgoing Interface to the Internet-facing interface (typically wan1). Set Source, Schedule, and Services as required.

Make sure the Action is set to ACCEPT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

4. Connecting the network devices

Go to the Dashboard and locate the System Resources widget. Select Shutdown to power off the FortiGate unit.

Alternatively, you can enter the following command in the CLI Console:

execute shutdown

Wait until all the lights, except for the power light, on your FortiGate have turned off. If your FortiGate has a power button, use it to turn the unit off. Otherwise, unplug the unit.

You can now connect the FortiGate unit between the internal network and the router.

Connect the wan1 interface to the router [glossary_exclude]internal interface[/glossary_exclude] and connect the internal network to the FortiGate [glossary_exclude]internal interface[/glossary_exclude] port.

Power on the FortiGate unit.

5. Results

You can now browse the Internet using any computer that connects to the FortiGate’s [glossary_exclude]internal interface[/glossary_exclude].

You can view information about the traffic being processed by your FortiGate by going to FortiView > All Sessions and selecting the now view.

Select Add Filter and filter for Policy, selecting the name of your new policy. Only traffic flowing through the new policy is displayed.

1. Switching to VDOM mode and creating two VDOMs

Connect a PC to FortiGate using an Ethernet cable, as described in your model’s QuickStart Guide.

Log in using the admin account (the default admin account has the username admin and no password).

Go to the Dashboard and locate the System Information widget. Find Virtual Domain and select Enable.

You will be required to re-login after enabling virtual domains because the GUI menu options change.

Certain FortiGate models will not show the above option in the System Information widget. For these models, go to the Dashboard and enter the following command in the CLI Console:

config system global
 set vdom-admin enable
end

Enter y when you are asked if you want to continue.

You will be required to re-login to the GUI after enabling virtual domains because the GUI menu options change.

Make sure that Global is selected from dropdown menu located in the top-left corner. This allows you to make changes to the global configuration.

Go to System > VDOM and create two VDOMs: VDOM-A and VDOM-B.

In this example, the Inspection Mode is set to Proxy for VDOM-A. This will allow this VDOM to use both proxy and flow-based security scanning.

2. Configuring the root VDOM for FortiGate management

Go to Network > Interfaces. By default, all interfaces are in the root VDOM.

Edit the interface you wish to use to manage the FortiGate (in the example, mgmt). If you wish to use this interface exclusively for FortiGate management, you can enable Dedicated Management Port.

Set Administrative Access to HTTPS, PING, and SSH.

Go to System > Administrators and edit the admin account.

Select Change Password to add a password to this account.

Enable Restrict login to trusted hosts and add the IP/Netmask of the admin PC. This ensures that the admin must login using the admin PC to be able to manage the FortiGate.

3. Adding interfaces to VDOM-A

In this example, two interfaces will be added to VDOM-A: one for Internet access and one for use by the local network.

If an interface is used in an existing FortiGate configuration, its VDOM assignment cannot be changed. Because some FortiGate models have a default configuration, you may need to delete existing policies and routes in order to add a particular interface.

Go to Network > Interfaces and edit the interface that VDOM-A will use for Internet access (in the example, wan1). 

Set Virtual Domain to VDOM-A and Role to WAN.

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address your ISP has provided you with (in the example, 172.20.121.46/255.255.255.0).

If you have some ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface. 

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Go to Network > Interfaces and edit the interface that will be connected to VDOM-A’s internal network (in the example, port1).

Set Virtual Domain to VDOM-A and Role to LAN.

Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.100.1/255.255.255.0), set Administrative Access to HTTPS, PING, and SSH.

4. Adding interfaces to VDOM-B

In this example, multiple interfaces will be added to VDOM-B: one for Internet access and four additional interfaces for use by the internal network. These four interfaces will be combined into a hardware switch interface called LAN-B, which the FortiGate treats as a single interface. This example also adds a DHCP server to LAN-B to provide IP addresses for the VDOM-B’s internal network.

Go to Network > Interfaces and edit the interface that VDOM-B will use for Internet access (in the example, wan2).

Set Virtual Domain to VDOM-B and Role to WAN. Set an appropriate Addressing Mode and IP/Netmask (in the example, 172.20.120.100/255.255.255.0).

Go to Network > Interfaces and edit a physical interface that will be used by VDOM-B’s internal network (in the example, port5).

Set Virtual Domain to VDOM-B and Role to LAN.

Repeat this process for any other physical interfaces that will be used by VDOM-B (in the example, port6, port7, and port8).

Go to Network > Interfaces and create a new interface to be used by VDOM-B’s internal network, called LAN-B.

Set Type to Hardware Switch and Virtual Domain to VDOM-B. Add VDOM-B’s physical interfaces as Physical Interface Members. Set Role to LAN.

Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.200.1/255.255.255.0), set Administrative Access to HTTPS, PING, and SSH and enable DHCP Server.

5. Adding administrators to each VDOM

Go to System > Administrators. Create an administrator for VDOM-A, called admin-a.

This administrator will be able to access and configure VDOM-A, without accessing either the root VDOM or VDOM-B. The account will also not be able to affect global settings.

Enter and confirm a Password. Set Type to Local User and Administrator Profile to prof_admin. Remove the root VDOM from the Virtual Domains list, then add VDOM-A.

Create an administrator that can access VDOM-B, called admin-b.

Enter and confirm a Password. Set Type to Local User and Administrator Profile to prof_admin. Remove the root VDOM from the Virtual Domains list, then add VDOM-B.

6. Configuring VDOM-A

Access VDOM-A‘s configuration using the dropdown menu and go to Network > Static Routes to add a default route.

Set Destination to [glossary_exclude]Subnet[/glossary_exclude], Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

Go to Policy & Objects > IPv4 Policies and create a new policy to allow Internet access for VDOM-A. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet-VDOM-A).

Set Incoming Interface to port1, Outgoing Interface to wan1, Source to all, Destination Address to all, and Service to ALL. Make sure NAT is enabled.

Because this VDOM uses proxy inspection, you can enable a variety of security profiles that use either proxy or flow-based inspection.

For testing purposes, under Logging Options, enable Log Allowed Traffic and select All Sessions.

7. Configuring VDOM-B

Access VDOM-B‘s configuration using the dropdown menu and go to Network > Static Routes to add default route.

Set Destination to Subnet, Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

Go to Policy & Objects > IPv4 Policies and create a new policy to allow Internet access for VDOM-B. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet-VDOM-B).

Set Incoming Interface to LAN-B, Outgoing Interface to wan2, Source to all, Destination Address to all, and Service to ALL. Make sure NAT is enabled.

Because this VDOM uses flow-based inspection, you can only enable security profiles that use flow-based inspection.

For testing purposes, under Logging Options, enable Log Allowed Traffic and select All Sessions.

8. Results

Using a PC located on VDOM-A’s internal network, browse to the IP of the LAN-A interface (in the example, https://192.168.100.1).

Login to the VDOM using admin-a‘s credentials. When the GUI loads, only the options for configuration VDOM-A appear.

Generate Internet traffic for VDOM-A.

Go to FortiView > Policies and select the now view. You can see traffic flowing through the Internet-VDOM-A policy.

Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.

Logout of the VDOM, then attempt to login using the global admin‘s credentials. You will not be able to log in. You can also not log in using admin-b‘s credentials.

Using a PC located on VDOM-B’s internet network, browse to the IP of the LAN-B interface (in the example, https://192.168.200.1).

Login to the VDOM using admin-b‘s credentials. When the GUI loads, only the options for configuration VDOM-B appear.

Generate Internet traffic for VDOM-B.

Go to FortiView > Policies and select the now view. You can see traffic flowing through the Internet-VDOM-B policy.

1. Configuring the Internet policy

Go to Policy & Objects > IPv4 Policy and edit the policy allowing outgoing traffic. Set Name to Internet.

Set Service to HTTP, HTTPS, and DNS.

Ensure that you have enabled NAT. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

2. Creating the Mobile policy

Go to Policy & Objects > IPv4 Policy and create a new policy. Set Name to Mobile.

Set Incoming Interface to lan, Source Device Type to Mobile Devices (a custom device group that includes tablets and mobile phones), Outgoing Interface to your Internet-facing interface, and Service to HTTP, HTTPS, and DNS.

Enable NAT.

Under Security Profiles, enable Web Filter and set it to use the default profile. Enable SSL Inspection and and set it to certificate-inspection to allow HTTPS traffic to be inspected. Doing this will enable Proxy Options; set that to use the default profile. 

Enable Log Allowed Traffic and select All Sessions.

3. Defining SysAdminPC

Go to User & Device > Custom Devices & Groups and create a new device. This will identify the system administrator’s PC.

Select an approprate Alias, then set the MAC Address. Set the appropriate Device Type.

4. Creating the Admin policy

Go to Policy & Objects > IPv4 Policy and create a new policy. Set Name to Admin.

Set Incoming Interface to lan, Source Device Type to SysAdminPC, Outgoing Interface to your Internet-facing interface, and Service to ALL.

Enable NAT. Enable Log Allowed Traffic and select All Sessions.

5. Ordering the policy table

Go to Policy & Objects > IPv4 Policy to view the policy table. Select the By Sequence view, which shows the policies in the order that they are used by the FortiGate.

Currently, the policies are arranged in the order they were created.

In order to have the correct traffic flowing through each policy, they must be arranged so that the more specific policies are located at the top.

To rearrange the policies, select the column on the far left (in the example, Seq.#) and drag the policy to the desired position, as shown on the right.

6. Results

Go to FortiView > Policies and select the now view. You can see traffic flowing through all three security policies.

Right-click on the Admin policy and select Drill Down to Details.

View the Sources tab to confirm that this policy is being used exclusively by SysAdminPC.

1. Creating a user group for remote users

Go to User & Device > User Definition. Create a local user account for an IPsec VPN user.

2. Adding a firewall address for the local network

Go to Policy & Objects > Addresses and create an address for the local network.

Set Type to IP/Netmark, Subnet/IP Range to the local subnet, and Interface to an internal port.

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.

Name the VPN connection. Set Template to Remote Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.

Set the Incoming Interface to the internet-facing interface and Authentication Method to Pre-shared Key.

Enter a pre-shared key and select the new user group, then click Next.

Set Local Interface to an internal interface (in the example, lan) and set Local Address to the local LAN address.

Enter an Client Address Range for VPN users.

Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.

Select Client Options as desired.

After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate’s configuration by the wizard.

4. Creating a security policy for access to the Internet

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network. However, since split tunneling is disabled, another policy must be created to allow users to access the Internet through the FortiGate.

Go to Policy & Objects > IPv4 Policies and create a new policy. Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet)

Set Incoming Interface to the tunnel interface and Outgoing Interface to wan1. Set Source to the IPsec client address range, Destination Address to all, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

Set the Type to IPsec VPN and Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.

6. Results

On FortiClient, select the VPN, enter the username and password, and select Connect.

Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and
bytes sent and received.

On the FortiGate unit, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.

The monitor also shows the IP address of the FortiClient user, under Remote Gateway.

Browse the Internet, then go to FortiView > Policies and select the now view. You can see traffic flowing through the IPsec-VPN-Internet policy.

Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.

1. Enabling the FortiGate modem interface

The modem configuration is hidden in the FortiGate GUI by default. Enter the CLI commands shown on the right to enable it. 

Log in and out to refresh the GUI page.

config system modem
 set status enable
end

2. Viewing the supported modem lists

1. Enabling the FortiGate to show FortiExtender configurations

Enable the Control And Provisioning of Wireless Access Points (CAPWAP) on the port which the FortiExtender is connected to. This allows the FortiExtender to communicate with the FortiGate using CAPWAP. Enter the following CLI commands:

config system interface
 edit [port]
  append allowaccess capwap
end

The FortiExtender configuration is hidden in the FortiGate GUI by default. Enter the following CLI commands to enable it:

config system global
 set fortiextender enable
 set wireless-controller enable
end

2. Authorizing the FortiExtender

3. Viewing the supported modem lists

Go to Network > FortiExtender select Configure Settings.

Select Supported Modems to go to the supported modem lists.

Click the FortiGuard button to get the latest version of the supported modem lists, and then select the plus button to expand either list.

Configuring the FortiVoice Unit

Before configuring the Grandstream Gateway, you will need to configure the FortiVoice unit 

1. Go to Trunks > Office Peers > Office Peers.
2. Select New.
3. Enter your Grandstream information. Enter the IP in the Remote server textbox and leave the authentication  settings unchecked.
4. Go to Call Routing > Outbound > Outbound.
5. Select New.
6. Create a new Dialed Number Match. In the example to the right all calls with the prefix “5” are forwarded to the PSTN lines connected to the Grandstream gateway. 
7. Go to Call Routing > Inbound > Inbound. 
8. Select New.
9. Add inbound call routing rules for incoming calls on the GXW4104 gateway. 
10. Open the From Trunk dropdown menu and select the gateway (peer office) as the incoming trunk.

Configuring the Grandstream GXW4104 Gateway

Now that the FortiVoice unit is properly configured, we can move to configuring grandstream.

1. Create an account with the FortiVoice IP address as the SIP server.
2. Go to Accounts > SIP Settings.
3. Disable the SIP registration.
4. Add a channel using the account created above.
5. Configure the channel settings to unconditionally forward calls from the PSTN to the FortiVoice unit.
6. Set the dialing method to 1 stage.

Verify the incoming call from PSTN side to SIP side.

Creating a Spreadsheet

Before we begin, open your preferred spreadsheet software and create a new spreadsheet. Include all of the new extensions with the correct MAC addresses of each phone, as shown in the image to the right. 

Your CSV file must have a headline containing the column names User ID, Extension, Display Name, Phone Type, Mac Address, and Phone Profile.

Auto Provisioning Internal Extensions

Open the FortiVoice web UI and perform the following steps 

1. Go to Extension > Extensions > IP Extensions.
2. Select Import.
3. Select Choose File and select the previously created CSV file.
4. Select OK.
5. Go to Phone System > Advanced Settings > Auto Provisioning.
6. Select Enabled and configure the server settings for phone configuration.
7. Connect the phones to the network and turn them on. The FortiVoice unit will discover phones with factory default settings. After auto provisioning, reboot the phones and register with the FortiVoice unit.

Make a test phone call to verify the extension was provisioned successfully.

Auto Provisioning External Extensions

To auto provision external extensions

1. Go to Phone System > Advanced Settings > Auto Provisioning.
2. Select Enabled and configure the server settings.
3. Go to Phone System > Advanced Settings > SIP.
4. Expand the Networks tab.
5. Enter the external IP address and port number of the FortiVoice unit. 
6. Go to Extension > Extensions > IP Extensions.
7. Configure the external extensions with the correct MAC addresses.
8. Reboot the external phones.

Make a test call to make sure the extensions are successfully provisioned.

Obtaining the IP Addresses

1. Reset the primary station
2. Obtain the IP address of the base using the handset. Press Menu and then “47” to start the Search function.
3. Check the IP address associated to the MAC address of your station

Configuring the Primary Station

Once you have rebooted the base, log in to the FVE interface.

1. Go to Status > Phone System > Unassigned Phone. 
2. Select the MAC address of the intended primary station and select Action and then Assign to 870i device.
3. Set the station as the primary with chain ID and select Create. 
4. Go to Phone System > Device > 870i Phone Page.
5. Select the recently created primary station, select Action, and then select Assign new extension or Apply existing extension.
6. Configure the extension information and enter Handset ID, which should start with 1. Leave the Base MAC address field empty and select Create. See the example to the right.
7. Add the next extension as needed using a different handset ID.
8. Repeat the previous step to add all the handsets (one extension per handset) into the system. Once you’re done, you’ll see all the extensions listed for the primary station.

Configuring the Secondary Station

Once you have rebooted the primary station you can begin to provision the secondary station.

Factory reset the intended secondary station and connect it to the network. If the network and the FVE are configured properly, the secondary station will appear under the Unassigned Phone page.

1. Go to Status > Phone System > Unassigned Phone.
2. Select the unassigned 870i station and then select Action > Assign to 870i device. 
3. Set the base station as secondary and select the primary station from the drop down list.
4. Remove the temporary extension setting on the secondary station and reboot the station.

1. Downloading the certificate used for full SSL inspection

Go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the profile used to apply full SSL inspection.

The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

2. Installing the certificate on the user’s browser

Internet Explorer, Chrome, and Safari (on Windows or Mac OS):

The above browsers use the operating system’s certificate store for Internet browsing. If your users will be using these applications, you must install the certificate into the certificate store for your OS.

If you are using Windows 7/8/10, double-click on the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using Mac OS X, double-click on the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

If you have the right environment, the certificate can be pushed to your users’ devices. However, if Firefox is used, the certificate must be installed on each individual device, using the instructions below.

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. To avoid errors in Firefox, then the certificate must be installed in this store, rather than in the OS.

Go to Tools > Options > Advanced or Firefox > Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

3. Results

Before installing the certificate, an error message would appear in the browser when a site that used HTTPS was accessed (the example shows an error message appearing in Firefox).

After you install the certificate, you should not experience a certificate security issue when you browse to sites on which the FortiGate unit performs SSL content inspection.

If you view information about the connection, you will see that it is verified by Fortinet.

1. Creating a certificate with OpenSSL

If necessary, download and install Open SSL. Make sure that the file openssl.cnf is located in the BIN folder for OpenSSL.

Using Command Prompt (CMD), navigate to the BIN folder (in the example, the command is cd c:\OpenSSL\openssl-0.9.8h-1-1bin\bin.

Generate an RSA key with the following command:

OpenSSL genrsa -aes256 -out fgcaprivkey.pem 2048 -config openssl cnf

This RSA key uses AES 256 encryption and a 2058-bit key.

When prompted, enter a pass phrase for encrypting the private key.

Use the following command to launch OpenSSL, submit a new certificate request, and sign the request:

openssl req - new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem - config openssl.cnf

The result is a standard x509 binary certificate that is valid for 3,650 days (approx. 10 years)

When prompted, re-enter the pass phrase for encryption, then enter the details required for the certificate request, such as location and organization name.

Two new files have been created: a public certificate (fgcacert.pem) and a private key (in the example, fgcaprivkey.pem).

2. Enabling certificate configuration in the web-based manager

3. Importing the self-signed certificate

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, then select your Certificate file and Key file. Enter the Password used to create the certificate.

The certificate now appears on the Local CA Certificates list.

4. Edit the SSL inspection profile

To use your certificate in an SSL inspection profile go to Security Profiles > SSL/SSH Inspection. Use the dropdown menu in the top right corner to select deep-inspection, the profile used to apply full SSL inspection.

Set CA Certificate to use the new certificate.

Select Download Certificate, to download the certificate file needed in the next step.

5. Importing the certificate into the web browser

Internet Explorer, Chrome, and Safari (on Windows or Mac OS):

The above browsers use the operating system’s certificate store for Internet browsing. If your users will be using these applications, you must install the certificate into the certificate store for your OS.

If you are using Windows 7/8/10, double-click on the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using Mac OS X, double-click on the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

If you have the right environment, the certificate can be pushed to your users’ devices. However, if Firefox is used, the certificate must be installed on each individual device, using the instructions below.

Firefox (on Windows or Mac OS)

Firefox has its own certificate store. To avoid errors in Firefox, then the certificate must be installed in this store, rather than in the OS.

Go to Tools > Options > Advanced or Firefox > Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

6. Results

Before installing the certificate, an error message would appear in the browser when a site that used HTTPS was accessed (the example shows an error message appearing in Firefox).

After you install the certificate, you should not experience certificate errors when you browse to sites on which the FortiGate unit performs SSL content inspection.

If you view information about the certificate in the browser, you will see that your self-signed certificate is used.

1. Configure the Hub FortiGate

Using the CLI, configure phase 1 parameters.

The auto-discovery commands enable the sending and receiving of shortcut messages to spokes (the hub is responsible for lettings the spokes know that they should establish those tunnels).

Note: aggressive mode is not supported currently for ADVPN.

config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha1
        set add-route disable
        set dhgrp 2
        set auto-discovery-sender enable
        set psksecret fortinet
    next
end

Configure the phase2 parameters.

This is a standard phase 2 configuration.

config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal aes128-sha1
    next
end

Configure the tunnel interface IP.

ADVPN requires that tunnel IPs be configured on each device connecting to the topology. Those IP addresses need to be unique for each peer. A particularity of the hub is that it needs to define a bogus remote-IP address (10.10.10.254 in our example). This address should be unused in the topology and it will not be actually considered as part of the configuration for the hub.

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.254
        set interface "wan1"
    next
end

 Configure iBGP and route-reflection.

iBGP will be our overlay protocol of choice for enabling ADVPN communications. We are using an arbitrary private AS number (65000) in our example, and configuring a dynamic client group to reduce provisioning requirements.

While we are advertising our LAN network directly (“config network” command), route redistribution is a perfectly valid alternative.

config router bgp
    set as 65000
    set router-id 10.10.10.1
    config neighbor-group
        edit "ADVPN-PEERS"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "ADVPN-PEERS"
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end

Configure basic policies to allow traffic to flow between the local network and the ADVPN VPN topology. As we generally desire traffic to be allowed between spokes in an ADVPN setup, we must remember to create a policy allowing spoke to spoke communications.

config firewall policy
    edit 0
        set name "OUT ADVPN"
        set srcintf "lan"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "IN ADVPN"
        set srcintf "ADVPN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "ADVPNtoADVPN"
        set srcintf "ADVPN"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
end

2. Configure the Spoke FortiGates

Using the CLI, configure phase 1 parameters.

Note that we are configuring only one of the spokes in this example – the parameters that need to change for each spoke are highlighted in red.

config vpn ipsec phase1-interface
 edit "ADVPN"
  set interface "wan1"
  set proposal aes128-sha1
  set add-route disable
  set dhgrp 2
  set auto-discovery-receiver enable
  set remote-gw 10.1.1.1
  set psksecret fortinet
 next
end

Configure the phase2 parameters.

config vpn ipsec phase2-interface
    edit "ADVPN-P2"
        set phase1name "ADVPN"
        set proposal aes128-sha1
	set auto-negotiate enable
    next
end

 Configure the tunnel interface IP.

Notice that on the spokes, the remote IP is actually used and points to the IP defined on the hub.

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.255
        set type tunnel
        set remote-ip 10.10.10.1
        set interface "wan1"
    next
end

Config iBGP.

This is a static standard configuration and as stated for the hub, redistribution could be used instead of explicit route advertisement.

config router bgp
    set as 65000
    set router-id 10.10.10.2
    config neighbor
        edit "10.10.10.1"
            set soft-reconfiguration enable
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end

Configure a static route for the tunnel IP subnet.

This is an important special step for the spokes as they need a summary route that identifies all tunnel IP used over your topology to point towards the ADVPN interface. In our example, we use 10.10.10.0/24 (if our network planning expects less than 255 sites). Be sure to adequately plan this IP range as it needs to be hardcoded in the spokes.

config router static
    edit 3
        set dst 10.10.10.0 255.255.255.0
        set device "ADVPN"
    next
end

Configure policies.

config firewall policy
    edit 0
        set name "OUT ADVPN"
        set srcintf "lan"
        set dstintf "ADVPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
    edit 0
        set name "IN ADVPN"
        set srcintf "ADVPN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set status enable
    next
end

Results

We can validate the behaviour of our configuration using a few commands. We are going to run these commands from SPOKE A.

get router info routing-table bgp will at a minimum display the learned routes from the topology. Note the recursive routing – a result of our spoke’s required static route. In this case, there has not been any traffic between our local subnet (192.168.2.0/24) and the other spoke’s subnet, as the routes are both going through the hub.

B       192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:30:21
B       192.168.3.0/24 [200/0] via 10.0.0.3 (recursive via 10.0.0.1), 22:30:21

However once we initiate a ping between both spokes, we obtain a different display of routing information – routing now goes through a newly established dynamic tunnel directly through the remote spoke rather than through the hub. The ping hiccup that occurs is the tunnel rerouting through a newly negotiated tunnel to the other spoke.

Our routing information now displays the remote subnet as being available through the spoke directly, through interface ADVPN_0, a dynamically instantiated interface going to that spoke.

FG # exec ping-options source 192.168.2.1

FG # exec ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=38.3 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=32.6 ms
Warning: Got ICMP 3 (Destination Unreachable)
64 bytes from 192.168.3.1: icmp_seq=2 ttl=255 time=43.0 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=255 time=31.7 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=255 time=31.2 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 31.2/35.3/43.0 ms

FG # get router info routing-table bgp 

B       192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:34:13
B       192.168.3.0/24 [200/0] via 10.0.0.3, ADVPN_0, 00:02:28

FG # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
 parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=604 auto-discovery=2
stat: rxp=7 txp=7 rxb=1064 txb=588
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=42680/0B replaywin=2048 seqno=8 esn=0
  life: type=01 bytes=0/0 timeout=43152/43200
  dec: spi=9a487db3 esp=aes key=16 55e53d9fbc8dbeaa6df1032fbc80c4f6
       ah=sha1 key=20 a1470452c6a444f26a070add087f0d970c18e3a7
  enc: spi=3c37fea7 esp=aes key=16 8fd62a6745a9ba4fda062d4504b76851
       ah=sha1 key=20 44c606f1ef1bf5739ba62f6572031aa956974d0a
  dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=1 refcnt=22 ilast=8 olast=8 auto-discovery=2
stat: rxp=3120 txp=3120 rxb=399536 txb=191970
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=4833/0B replaywin=2048 seqno=5ba esn=0
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=9a487db2 esp=aes key=16 4f70d27edad656cfcacbae61b23d4b11
       ah=sha1 key=20 b19ea87c90dd92d1cab58cbf24ae8fe12ee927cb
  enc: spi=b3dde355 esp=aes key=16 efbb4440df75018610b4ba8f5756167d
       ah=sha1 key=20 81cc9cee3bee1c2dba0eb1e7ac66e9d34b67bde9
  dec:pkts/bytes=1465/90152, enc:pkts/bytes=1465/187560
------------------------------------------------------