Fortinet's FortiGate Next-Generation Firewall

This document is designed to assist with integrating FortiGate Next-Generation Firewall (NGFW) in High Availability (HA) to allow traffic to be received from the Nile Service Block (NSB) or send traffic into the NSB. The purpose of this guide is to help with seamless integration between the Nile Access Service and the customer’s extended network (e.g., upstream Internet Gateway, datacenter).

Overview
Prerequisites
Example Topology Diagram
Integration

Overview

Prerequisites

FortiGate version 7.2.2 or higher is required.
Five unique /30 subnets:
- As we are designing a high-definition and an always-on service, we will be using Equal Cost Multi-Path (ECMP) to create 4 point-to-point links to act as a L3 transit between the NSB and the edge.
- The fifth /30 network will be used to host a Dynamic Host Configuration Protocol (DHCP) server. Alternatively, the customer can use their own managed DHCP server.

Example Topology Diagram

Integration

There are a few sections that need to be created on the FortiGate, including:

Interfaces
1. Wide Area Network (WAN) Interface
2. Nile Service Block (NSB) Interfaces
Routing
1. Static (WAN)
2. OSPF (NSB)
Firewall Rules
DHCP Setup

1. Interfaces

To setup Interfaces, navigate to Network → Interfaces → [WAN Interface]

Within the selected WAN port, fill in the following information:

Name:
Alias:
VRF ID:
Role:
Addressing Mode:
IP/Netmask:
Administrative Access:
Status:

ISP
Details of the ISP
Default (0)
WAN
Manual
IP address/Netmask of WAN interface (our example used 172.16.13.2/30)
Allow the required IPv4 services
Enabled

Click the “Save” button when done.

Nile Gateway Interfaces

Expand on Network → Interfaces → Create New → Interface

Name:
Type:
VRF ID:
Interface Members:
Role:
Addressing Mode
IP/Netmask:
Secondary IP address:

NSB Switch
Software Switch
Default (0)
Select 2 available ports (in the image, 4 ports are selected, but 2 will be enough)
LAN
Manual
IP address of interface (Our example used 192.168.120.18/30 (Used as DHCP server))
Enable (Radio button turned on)
Create New:

Administrative Access:
Receive LLDP:
Transmit LLDP:
Status:

Allow the required IPv4 services (PING should be enabled)
Enable
Enable
Enabled

Click the “Save” button when done.

2. Routing

Customers need to use Static Routing to add the default route towards the WAN interfaces, but on the LAN, it is recommended to use OSPF whenever possible, if there are certain limitations where OSPF cannot be used on the FortiGate, then create static routing on the LAN as well.

OSPF (LAN):

1. Expand on Network → OSPF:

Router ID:

Fortinet’s best practice is to NOT use the existing IP of the interface, as Area ID is defined as 0.0.0.0, we are using the Router ID as 0.0.0.1 in this example.

Areas:
Networks:

Create New (Area ID: 0.0.0.0 || Type: Regular || Authentication: None)
Create New (Area: 0.0.0.0 || IP/Netmask: 0.0.0.0 0.0.0.0)

Interfaces:

Create New (Name: NSB || Interface: NSB Switch || Cost: 0 || Authentication: None || Timers: Hello(1); Dead(4))

Inject Default Route:

Always

Then click on “OK” to save the changes.

Static Routing (WAN):

1. Expand on Network → Static Routes → Create New:

Destination:
Gateway Address:
Interface:
Administrative Distance:
Status:

Subnet (0.0.0.0/0)
Enter the Gateway IP provided by the ISP
Select the WAN interface connected to the provider circuit
5 (lower the AD, higher the priority)
Enabled

Then click on “OK” to save the changes.

2. Repeat the same steps for setting up with a default static route for WAN2; set the AD as 10 while setting up the default route for WAN2, if WAN1 is desired as the primary link.

3. FortiGate Firewall Rules

FortiGate has an implicit rule of denying all the traffic.To ensure the NSB subnet and the Sensor subnet is able to access the Internet, a rule needs to be created.

The following example policy will allow any traffic coming from the NSB switch interfaces to the internet. The example rule is intended to be used as reference and should be modified to fit the customer needs. In case the customer wants to allow communication from Host A to Host B within the NSB, they will need to create firewall rules to allow that traffic to hairpin and enter into the NSB.

Outgoing to Internet

Navigate to Policy & Objects >> Firewall Policy >> Create New:

a. Name
b. Incoming Interface
c. Outgoing Interface
d. Source

Provide a name to the rule
Select the “NSB Switch”
WAN1
Create a source address with either a summarized subnet of all the subnets managed by the NSB or provide a IP range or select “Allow All”

e. Destination
f. Schedule
g. Service
h. Action
i. Inspection Mode
j. Firewall/Network Options

All
Always
Specify any specific service like HTTP/HTTPS to be allowed or allow all
Accept
Flow based
Enable NAT, Use Outgoing interface address for IP pool setup

Note: NAT may need to be disabled while creating the firewall policy for some firewall rules to allow access to certain protocols (e.g., DHCP, DNS, Radius, NTP)

4. DHCP Server

To define a DHCP scope for multiple IP pools in FortiGate, access to the CLI is required. Below is an example of how to set up L3 DHCP on FortiGate.

				
					config system dhcp server
    edit 10
        set lease-time 86400
        set ntp-service default
        set default-gateway 192.168.127.1
        set netmask 255.255.255.0
        set interface "NSB Switch"
        config ip-range
            edit 1
                set start-ip 192.168.127.10
                set end-ip 192.168.127.250
            next
        end
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
    next
    edit 11
        set lease-time 86400
        set ntp-service default
        set default-gateway 192.168.128.1
        set netmask 255.255.255.0
        set interface "NSB Switch"
        config ip-range
            edit 1
                set start-ip 192.168.128.10
                set end-ip 192.168.128.250
            next
        end
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
    next
    edit 12
        set lease-time 86400
        set ntp-service default
        set default-gateway 192.168.129.1
        set netmask 255.255.255.0
        set interface "NSB Switch"
        config ip-range
            edit 1
                set start-ip 192.168.129.10
                set end-ip 192.168.129.250
            next
        end
        set dns-server1 8.8.8.8
        set dns-server2 1.1.1.1
    next
end

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Solution Overview

Nile Access Service

DHCP Service

Guest Service

Solution by Industry

Enterprise

Higher Education

Primary Education

Resource Center

Customer Stories

Newsroom

Partners

About Nile