Purpose:
Our goal with this config is to inspect and restrict traffic sourced from or destined
to servers on our LAN without causing much impact to the existing network.
Caution:
Failing to specify a VLAN, a forward-domain and strict src/dst addresses may result in
a Layer 2 loop or broadcast storm. Please make sure to follow the directions carefully.
Topology:
1. Deploy OVF Template
   a. Follow the instructions in http://docs.fortinet.com/uploaded/files/1734/fortigate-vm-install-50.pdf
   b. I prefer to thin provision everything, but that is your choice.
   c. Do not power on the virtual machine after deploying.
2. Shut off the VM servers that you would like to add to the port group so that we
   may edit their port assignments.
3. Create a Port Group in ESXi
   a. Make sure that you assign a unique VLAN ID here.
   b. Edit your server VM and assign its network adapter to your new port group.
   c. Edit your FGTVM. Disconnect all ports that will not be used. You will need
      3 ports: In/Out/mgmt. In this case, we are using:
      Port1 for out to our network.
      Port2 for management.
      Port8 for the connection to the VM port group.
   Your port group should now look something like this if you had 2 servers in it.
   The only exception is that your ports are not green, as we have not powered
   anything on yet.
4. Power on your FGT VM and console into the FortiOS CLI.
5. As a precaution, we should shut all ports.
   config system interface
       edit port1
           set status down
       next
       # repeat the edit/set status down/next block for every port
   end
6. Set the box to transparent mode.
   config system settings
       set opmode transparent
       # management IP and netmask; x.x.x.x is a placeholder for your own values
       set manageip x.x.x.x x.x.x.x
   end
   # this will log you out, so log back in.
7. Set DNS and a static route if needed.
   config system dns
       set primary x.x.x.x
       set secondary x.x.x.x
   end
   config router static
       # edit 0 creates a new route with the next free ID
       edit 0
           set dst x.x.x.x x.x.x.x
           set gateway x.x.x.x
   end
8. Set the forward-domain for the interfaces that are not used for management.
   config system interface
       edit port1
           set forward-domain 100
       next
       edit port8
           set forward-domain 100
   end
9. Set the allowaccess for your management interface.
   config system interface
       edit port2
           set allowaccess ping https
   end
10. Set up the in/out firewall policies for your server communications. It is very
    important that you specify srcaddr/dstaddr to avoid Layer 2 issues on your network.
    config firewall policy
        # "/32 srvIP" stands for a firewall address object (config firewall address)
        # that you have already created for the server's /32 address
        edit 0
            set name "p1-p8"
            set srcintf port1
            set dstintf port8
            set srcaddr all
            set dstaddr "/32 srvIP"
            set service any
            set schedule always
            set action accept
        next
        edit 0
            set name "p8-p1"
            set srcintf port8
            set dstintf port1
            set dstaddr all
            set srcaddr "/32 srvIP"
            set service any
            set schedule always
            set action accept
        next
    end
11. Enable your 3 interfaces on the FGTVM and power on your VM servers. Traffic towards
    your servers should now pass through your FGTVM, and the FGT should be accessible
    via the management IP.
12. Go back and apply any UTM profiles, restrict services, etc., in your policies as
    you may require.
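The Caution and step 10 both hinge on every accept policy between the forward-domain ports naming a strict source or destination address. As an added check (not part of the original write-up or Fortinet's tooling), the following script parses a FortiOS "config firewall policy" export and lists accept policies where both srcaddr and dstaddr are "all"; the sample export, the policy IDs and the address object name "srv1-32" are constructed for illustration.

```python
import shlex

# Constructed sample FortiOS export (not from a real device): policy 1 follows the
# page's p1-p8 shape; policy 3 is the catch-all the Caution warns against.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "p1-p8"
        set srcaddr "all"
        set dstaddr "srv1-32"
        set action accept
    next
    edit 3
        set name "catch-all"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

def parse_policies(text):
    """Collect each 'edit' entry under 'config firewall policy' as {attribute: [values]}."""
    policies, current, in_section = [], None, False
    for line in text.splitlines():
        parts = shlex.split(line)  # handles quoted values such as "p1-p8"
        if not parts:
            continue
        if parts[:3] == ["config", "firewall", "policy"]:
            in_section = True
        elif in_section and parts[0] == "edit":
            current = {"id": parts[1]}
        elif in_section and parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2:]
        elif in_section and parts[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif in_section and parts[0] == "end":
            in_section = False
    return policies

def unrestricted_policies(policies):
    """Names of accept policies whose srcaddr and dstaddr are both 'all' (or unset)."""
    risky = []
    for p in policies:
        src, dst = p.get("srcaddr", ["all"]), p.get("dstaddr", ["all"])
        if p.get("action") == ["accept"] and src == ["all"] and dst == ["all"]:
            risky.append(p.get("name", [p["id"]])[0])
    return risky
```

Run it against the output of "show firewall policy" from your FGTVM; any name it returns is a policy that step 10 says must be narrowed before you bring the interfaces up in step 11.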