
Creating a Fortigate VPN


May 28th, 2012 Daniel


Hello,

In this post I will show you how to create a policy-based Fortigate VPN (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/). I will be using FortiOS version 4.0 MR3. For the VPN tunnel we use the following topology:
(Figure: Fortigate topology)

Creating Fortigate VPN Steps:

I. Go to VPN > IPsec > Auto Key (IKE) and select "Create Phase 1"
(Screenshot: Create Phase 1)

II. Enter the following information in Phase 1
(Screenshot: Phase 1 settings)

Name: Fortigate_VPN1 - This is a name to identify the VPN tunnel; you must remember this name as it will appear when configuring Phase 2.
Remote Gateway: Enter the static IP of the VPN remote peer. In our example it is "2.2.2.2".
Local Interface: Select the interface that has outside Internet access. In our case we picked "WAN1". Note: This interface cannot be a loopback interface.
Mode: Main Mode
Authentication: Pre Shared Key -> pick a shared key with more than 4 letters.

Click Advanced and select the P1 Proposals (we picked):
Encryption: 3DES
Authentication: MD5
DH Group: 2
Keylife: 28800
Local ID: <none>
XAUTH: Disable
NAT Traversal: Disable
Dead Peer Detection: Disable - Note: please keep in mind to set this to disabled in case you are peering with another VPN vendor. I have found out that this can break the VPN tunnel.

Click "OK". The VPN Phase 1 was now created successfully.

III. Now we need to create VPN Phase 2, below are the steps:
(Screenshot: Phase 2 settings)

Name: Select a name that suits you; we picked "Phase2_Fortigate_VPN1".
Phase 1: Select the name of the Phase 1 you created earlier. We picked "Fortigate_VPN1".
Encryption: 3DES
Authentication: MD5
Quick Mode Selector: This describes the IP ranges that you want passing through the VPN. As in the picture, we picked:
The Source Address: 10.10.10.0/24, that is behind our Fortigate_1 VPN appliance.
The Destination Address: 10.20.20.0/24, that is behind our Fortigate_2 VPN appliance.

IV. Define VPN Source Selectors

1. Create a firewall address: go to Firewall Objects > Addresses > Address and select "Create New".

Enter the following information and press "OK":
Address Name: Sales_Network
Subnet/IP Range: 10.10.10.0/24

2. Create another firewall address (that is behind Fortigate 2): go to Firewall Objects > Addresses > Address and select "Create New".

Enter the following information and press "OK":
Address Name: Remote_Sales_Network
Subnet/IP Range: 10.20.20.0/24

V. Create a Firewall Policy on the Fortigate:

a. Go to Policy > Policy
b. Select Create New
c. Enter the following information and press "OK":

Source Interface/Zone: Select Internal
Source Address Name: Select "Sales_Network"
Destination Interface/Zone: Select WAN1
Destination Address Name: "Remote_Sales_Network"
Action: IPSEC
VPN tunnel: Fortigate_VPN1
Select ONLY the following options: Allow Inbound and Allow Outbound

Everything should be up and running now. Please let me know if you have any questions.
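The second Fortigate needs the same Phase 1 and Phase 2 settings with the gateway and the quick mode selectors swapped. The following added example (not part of the original post) derives the mirrored settings, lists any differences between two peers, and reports legacy algorithms in the proposals; the dictionary layout, the pre-shared key and the first unit's WAN address 192.0.2.1 are assumptions, the other values are the ones chosen in the steps above.

```python
from ipaddress import ip_network

# Settings of the first Fortigate as chosen in the walkthrough. The dictionary
# layout, the PSK and the local WAN address (documentation range) are made up.
FGT1 = {
    "wan_ip": "192.0.2.1", "remote_gw": "2.2.2.2",
    "mode": "main", "psk": "constructed-example-key",
    "p1": {"enc": "3DES", "auth": "MD5", "dh": 2},
    "p2": {"enc": "3DES", "auth": "MD5"},
    "src": "10.10.10.0/24", "dst": "10.20.20.0/24",
}

LEGACY_ALGS = {"DES", "3DES", "MD5"}   # ciphers/hashes treated as legacy today
LEGACY_DH = {1, 2, 5}                  # MODP groups of 1536 bits or fewer

def mirror(peer):
    """Settings the remote unit needs: same crypto, swapped ends."""
    other = dict(peer)
    other["wan_ip"], other["remote_gw"] = peer["remote_gw"], peer["wan_ip"]
    other["src"], other["dst"] = peer["dst"], peer["src"]
    return other

def mismatches(a, b):
    """List the differences that keep a and b from being mirror images."""
    found = []
    if a["psk"] != b["psk"]:
        found.append("pre-shared key differs")   # never echo the key itself
    for key in ("mode", "p1", "p2"):
        if a[key] != b[key]:
            found.append(f"{key} differs: {a[key]} vs {b[key]}")
    if (a["remote_gw"], a["wan_ip"]) != (b["wan_ip"], b["remote_gw"]):
        found.append("remote gateway does not point at the peer's WAN address")
    for mine, theirs in (("src", "dst"), ("dst", "src")):
        # ip_network normalises 10.10.10.0/24 and 10.10.10.0/255.255.255.0
        if ip_network(a[mine]) != ip_network(b[theirs]):
            found.append(f"selector {a[mine]} ({mine}) vs {b[theirs]} ({theirs})")
    return found

def legacy(peer):
    """Proposal algorithms worth replacing when both ends support better."""
    algs = {v for p in ("p1", "p2") for v in peer[p].values() if v in LEGACY_ALGS}
    if peer["p1"]["dh"] in LEGACY_DH:
        algs.add(f"DH group {peer['p1']['dh']}")
    return sorted(algs)

if __name__ == "__main__":
    fgt2 = mirror(FGT1)
    print(mismatches(FGT1, fgt2), legacy(FGT1))
```

For the values in this walkthrough, `legacy(FGT1)` reports 3DES, MD5 and DH group 2, so it is worth checking whether both units offer stronger proposals before reusing the settings unchanged.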


8 Responses to "Creating a Fortigate VPN"


1. Santosh Kumar Nayak (http://santoshnayak.in) says: June 2, 2012

Can you please help me in Blocking Google+ in Fortinet Firewall? I have already blocked Social Networking but it doesn't get blocked by Firewall.

Daniel (http://www.ipspace.eu) says: June 2, 2012

Santhosh, You can create a new URL filter, or add to an existing one the "plus.google.com" URL and mark it as blocked. Also please be careful that when applying the Web Filter, you also mark the inspection for HTTPS (as google plus could be using SSL). Hope it helps.

Santosh Kumar Nayak (http://santoshnayak.in) says: June 13, 2012

Hi!!!! I tried that also, it didn't work. It works only if I set https (Deep Scan). But in this case all my websites are asking for certificates even in outlook also. Is there any other way.

Daniel (http://www.ipspace.eu) says: June 15, 2012

So you added plus.google.com as a blocked URL and it didn't work?

Please try something like this in the url filter:
url: .*dropbox\.com.*
type: regex
action: blocked
enable: yes (ticked)

I did not try this, but it should work. Please let me know the outcome.

Santosh Kumar Nayak (http://santoshnayak.in) says: June 18, 2012

Hi! It works for other sites. But for Google Plus it doesn't block. If I give deep scanning then it blocks as Social Networking category. But for most of the sites it is getting Certificate issues. Is there any other solutions?

2. Daniel (http://www.pc-howto.com) says: June 11, 2012

Hi! Very nice description. You describe the settings for one Fortigate. Is it right that I have to set up the remote sales network Fortigate the same way as the sales network Fortigate unit? Thank you in advance!

Daniel (http://www.pc-howto.com) says: June 13, 2012

Well, now I can answer my question myself: YES!

Daniel (http://www.ipspace.eu) says: July 8, 2012

Which IE browser are you using? IE9 works fine.
