Setting up the network for the Main Office

It’s time to set up the network for our main branch.

Due to some limitations, the environment will be as follows:

Firewall: Fortigate VM 7.6.1 (Evaluation license)

Switching: There won’t be physical switches; we will use VMware Workstation vNets instead

Virtualization: VMware Workstation Pro

Below is a diagram of the network topology we want to accomplish; we will stick to it as closely as the environment allows.

On top, we have the Internet (Modem) and our Fortigate VM Firewall to filter any traffic, with two LANs: CORP for servers and workstations, and MGMT for managing the Firewall, switches and any other devices as needed. Below that we should have a switch to distribute the VLANs per port (for this post we will use the VMware Workstation vSwitch instead), and finally all the end devices: servers, workstations, printers, etc.

VLAN ID   NAME   SUBNET
99        MGMT   10.99.99.0/24
100       CORP   10.100.100.0/24

Set up Fortigate VM

Through Fortinet SSO we can download a Fortigate VM image (compatible with many virtualization platforms).

For our case, we will download the Fortigate VM 7.6.1 VMware Workstation version and import the .ova on VMware Workstation:

For our case, I named it FTGG:

Once open let’s log in via CLI and set up the WAN Interface so we can connect:

Notice that port 1 will be the WAN Interface and will have a private IP for now.

config system interface
    edit port1
        set ip 192.168.1.20 255.255.255.0
        set allowaccess https ping
        set alias "WAN"
    next
end

Next, let’s set up the Hostname and the HTTP and HTTPS ports:

Set up Interfaces

Let’s start with the Fortigate VM settings:

Network Adapter: Bridged (Automatic): this will be WAN (Port 1) and will be on the same subnet as the host - 192.168.1.0/24

Network Adapter 2 Custom (VMnet8): this will be CORP (Port 2) - 10.100.100.0/24

Network Adapter 3 Custom (VMnet1): this will be MGMT (Port 3) - 10.99.99.0/24

Set up Interfaces on the Fortigate VM:

Let’s go Network > Interfaces:

Port 1 / WAN: 192.168.1.20 / 255.255.255.0 (Already set up via CLI)

Port 2 / CORP: 10.100.100.1 / 255.255.255.0

This will be the network for corporate devices (servers, workstations, printers, scanners, etc.)

Notice that in Administrative Access we will only enable PING

We will also enable DHCP:

  • Address range: 10.100.100.101-10.100.100.199

  • DNS: 10.100.100.10 (BBM-DC01) / 8.8.8.8 (Google)

  • Lease time: 259200 seconds (3 days)

Port 3 / MGMT: 10.99.99.1 / 255.255.255.0

This network will be the one for Management (Access to the Firewall, switches, APs, etc).

Notice the following:

  • For Administrative Access we will enable: HTTPS, SSH, PING and SNMP

  • DHCP will be disabled

With that, we have all Interfaces set up:
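The same CORP and MGMT interface and DHCP settings as a FortiOS CLI script, added here as an example rather than taken from the post; the DHCP server entry id (1) is an assumption, and port2/port3 follow the adapter order described above:

```fortios
# CORP and MGMT interfaces: only PING on CORP, management protocols on MGMT
config system interface
    edit port2
        set ip 10.100.100.1 255.255.255.0
        set allowaccess ping
        set alias "CORP"
    next
    edit port3
        set ip 10.99.99.1 255.255.255.0
        set allowaccess https ssh ping snmp
        set alias "MGMT"
    next
end

# DHCP on CORP only; MGMT keeps static addressing
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.100.100.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.100.100.101
                set end-ip 10.100.100.199
            next
        end
        set dns-service specify
        set dns-server1 10.100.100.10
        set dns-server2 8.8.8.8
        set lease-time 259200
    next
end
```

Compare the result with `show system interface` and `show system dhcp server` to confirm the GUI produced the same settings.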

Set up default static route

This route will provide us access to the Internet by sending all traffic that doesn’t have a more specific route to our gateway address, which then forwards it to the Internet.

Now let’s go to Network > Static Routes:

Destination: Subnet - 0.0.0.0 / 0.0.0.0

Gateway Address: 192.168.1.1

Interface: WAN (Port 1)

Administrative Distance: 10

Set up Firewall Policies

Let’s go now to Policy & Objects > Firewall Policy

Let’s create a policy to ACCEPT/Allow devices on the CORP subnet (10.100.100.0/24) to reach the Internet.

Name: CORP OUT

Incoming Interface: CORP (Port2)

Outgoing Interface: WAN (Port1)

Source: all

Destination: all

Schedule: Always

Service: ALL (Here we can determine which outgoing ports we want to allow, e.g. HTTPS, DNS, FTP, IPsec, etc.)

Action: ACCEPT

NAT: Enabled

IP Pool configuration: Use Outgoing Interface Address

Manage source port: Enabled (Preserve source port)

Protocol options: Default

Security profiles: Since we are using an evaluation version we will leave them all off and set SSL Inspection to no-inspection

Log allowed traffic: Enabled / Security events

Enable this policy: Enabled

Finally, hit OK to save.

Now let’s create another Firewall Policy, called MGMT OUT, for the MGMT subnet (10.99.99.0/24) to reach the Internet:

Name: MGMT OUT

Incoming Interface: MGMT(Port3)

Outgoing Interface: WAN (Port1)

Source: all

Destination: all

Schedule: Always

Service: ALL (Here we can determine which outgoing ports we want to allow, e.g. HTTPS, DNS, FTP, IPsec, etc.)

Action: ACCEPT

NAT: Enabled

IP Pool configuration: Use Outgoing Interface Address

Manage source port: Enabled (Preserve source port)

Protocol options: Default

Security profiles: Since we are using an evaluation version we will leave them all off and set SSL Inspection to no-inspection

Log allowed traffic: Enabled / Security events

Enable this policy: Enabled

Finally, hit OK to save.

Finally, we have all our Policies created:

Notice that at the end of the list there is an Implicit DENY policy that rejects any traffic not matched above, which is why we need to create every ACCEPT/Allow policy we need manually.
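The default route and both outbound policies as a FortiOS CLI script, added as an example (not the post's own configuration); policy and route ids are assumed, and `logtraffic utm` is the CLI value behind the "Security events" option:

```fortios
# Default route out of the WAN interface
config router static
    edit 1
        set gateway 192.168.1.1
        set device "port1"
        set distance 10
    next
end

# Outbound policies. No policy pairs port2 with port3, so CORP and MGMT
# cannot reach each other: that traffic hits the implicit deny at the end.
# The post keeps service ALL; narrow it (HTTPS, DNS, ...) once needs are known.
config firewall policy
    edit 1
        set name "CORP OUT"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic utm
        set nat enable
    next
    edit 2
        set name "MGMT OUT"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic utm
        set nat enable
    next
end
```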

Set up DNS

Let’s go to Network > DNS

DNS Servers: Specify

Primary DNS Server: 8.8.8.8

Secondary DNS Server: 1.1.1.1

DNS Protocols: Enabled - DNS (UDP/53)

Hit Apply

Set up Network Time Protocol (NTP)

The NTP service is fundamental in any firewall and network setup: accurate time stamps are a stepping stone for security, logging, auditing, and much more.

For this one, we will open the CLI and enter the following commands:

Verify the NTP service is running:

diag sys ntp status

Notice it’s using the default fortiguard.com NTP server:

Let’s configure NTP with custom servers:

config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "0.pool.ntp.org"
        next
        edit 2
            set server "1.pool.ntp.org"
        next
        edit 3
            set server "2.pool.ntp.org"
        next
        edit 4
            set server "3.pool.ntp.org"
        next
    end
end

Let’s check again the NTP status:

diag sys ntp status

We can confirm it’s now using: custom / 0.pool.ntp.org

Set up Simple Network Management Protocol (SNMP) v1/v2

This protocol will allow us to monitor network devices, in our case our Fortigate VM. For now, we will just enable it.

SNMP Agent: Enabled

Description: BBM-FTG01

Location: MainOffice

Contact Info:

Let’s select Create New:

Community Name: BBM

Enabled

IP Address: 10.99.99.56 255.255.255.255 (This will be our Zabbix server / a monitoring software we will fully set up later)

Host Type: Accept queries and send traps

Queries:

v1 Enabled

Port 161

v2c Enabled

Port 161

Traps:

v1 Enabled

Local Port 162

Remote Port 162

For SNMP Events, let’s leave them enabled as default:

With that, we will have SNMP v1/v2 enabled:

We will study and fully implement it in upcoming posts.

Set up Syslog

Let’s go to Log & Reports > Log Settings:

Log settings

Event logging: All

Local traffic logging: All

Syslog logging: Enable

IP address/FQDN: 10.99.99.55 (BBM-MGMT01 / where we will install our Syslog server)
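The SNMP and Syslog settings from the two sections above as one FortiOS CLI script, added here as an example (not the post's own configuration); the community and host entry ids are assumed, and UDP/514 is the syslog default assumed for Visual Syslog Server:

```fortios
# SNMP agent, queries and traps only from the Zabbix host.
# The v1/v2c community string travels in cleartext, so keep SNMP
# limited to the MGMT interface (allowaccess) and to this single host.
config system snmp sysinfo
    set status enable
    set description "BBM-FTG01"
    set location "MainOffice"
end
config system snmp community
    edit 1
        set name "BBM"
        config hosts
            edit 1
                set ip 10.99.99.56 255.255.255.255
                set host-type any
            next
        end
        set query-v1-status enable
        set query-v1-port 161
        set query-v2c-status enable
        set query-v2c-port 161
        set trap-v1-status enable
        set trap-v1-lport 162
        set trap-v1-rport 162
    next
end

# Syslog to BBM-MGMT01 over UDP/514
config log syslogd setting
    set status enable
    set server "10.99.99.55"
    set mode udp
    set port 514
end
```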

Now we can go to BBM-MGMT01, which will be connected to Port 3 / MGMT (10.99.99.1 / 255.255.255.0):

Let’s set the IP address as the following:

IPv4 Address: 10.99.99.55

Subnet mask: 255.255.255.0

Default Gateway: 10.99.99.1

Let’s install and open Visual Syslog Server:

As we can see, we are now getting Syslog messages from BBM-FTG01:

If we enter a wrong password trying to log in, it will register it:

We can fine-tune the Syslog application by defining a specific drive and location for logs, but for now, we will leave it as it is.

Testing

Let’s now log in to BBM-WS01:

First, let’s set up the Network Adapter to Custom (VMnet8) - This will connect to the CORP subnet: 10.100.100.0/24:

We can confirm it’s getting an IP in the CORP subnet via DHCP / 10.100.100.102:

We can also reach the Internet and do a tracert to 8.8.8.8 and confirm the traffic is going out via 10.100.100.1 (Fortigate VM Port 2 / CORP)

We can also try to open the Fortigate VM Port 2 address (10.100.100.1) via the web browser:

It won’t open because the HTTPS management is disabled on that port (for security reasons)

Let’s go now to BBM-MGMT01 and set the Network Adapter to Custom (VMnet1) - This will connect to the MGMT subnet: 10.99.99.0/24:

As a reminder, DHCP is disabled for this subnet, so we set up a static IP as follows:

Let’s test now a tracert to 8.8.8.8:

We can confirm it goes out of 10.99.99.1 (MGMT / Port 3)

We can test reaching the Fortigate via web browser (HTTPS) and SSH; it works because both protocols are enabled on Port 3.

Conclusion

In this post, we successfully set up a Fortigate VM 7.6.1 firewall with two primary networks - CORP (10.100.100.0/24) for corporate devices and MGMT (10.99.99.0/24) for management access. We configured essential services including firewall policies, DNS, NTP, SNMP, and Syslog logging. The environment was tested by connecting workstations to both networks, confirming proper network segmentation, Internet access, and management capabilities. Even though we have some limitations, this basic setup is a great start in laying the networking foundations for our main office.

Stay tuned for more content.

Thanks for reading!

Link to the series 👉 beyondbaremetal.hashnode.dev/series/beyond-..