Hands-On Practice: Simulating a Company Network with a FortiGate Firewall Tutorial Device
So, having configured the interfaces, the LAN, WAN, and the DMZ last week, I tried to spin up a sample company network using the FortiGate firewall device, as shown in the topology.
Port1 (LAN), being the default, fetched its IP address from my ISP, which is 192.168.65.130, with the gateway 192.168.65.0/65. This was the configuration I got automatically via DHCP.
The topology I created includes two fictional companies, JFK.com and BAY.com, whose LAN segment uses the private address range 172.16.29.0/24. The company devices have IP addresses within this range and are connected to the switch. There are two FortiGate devices in the topology, but the focus of this lab is the FTG-1 device. The Sales-PC belongs to the same range, and Port3 of FTG-1 must be in the same range as well. The .1 address on FTG-1 will be used as the gateway for the devices inside the company, and Port1 on the FTG will act as the default gateway for everything leaving the network.
The Sales-PC will have 172.16.32.20 as its configured IP address, and 172.16.32.1 will be Port3 of the FortiGate firewall (FTG-1) in the topology. I went to the FortiGate firewall GUI to configure Port3, setting its role to LAN and its alias to "internal" because it connects to Port1 LAN of FTG-1 by default, and assigning it 172.16.32.1/24 as the IP address. I enabled PING under administrative access so I could verify connectivity. You can also enable SSH and HTTPS if you wish to manage the FortiGate firewall from Port3.
The hostname identifies the location and function of the device and tells you which firewall you are logging into. For example, if you have multiple firewalls in your organization and you're logging into the one responsible for your server farms, it should be called the farm firewall, the DMZ firewall, or whatever name is appropriate for your company. The hostname plays a significant role in identifying what kind of firewall it is and which location it belongs to. Go to System in the GUI and change the hostname, which I did using the FortiGate firewall name from the topology (FTG-1).
I was also able to create a static route, which defines the path for network traffic to reach a specific destination, such as the internet, by specifying the gateway (usually your ISP's router) and the interface to use. I avoided using DHCP for the static route because it kept changing the gateway IP, leading to connectivity issues. Instead, I used a static IP for consistent and reliable routing, something I was unaware of until I watched several tutorial videos. I also learned about the "Multiple route" option next to the static route option: if the company needs additional routes, this is where the other FortiGate firewalls in the topology (FGT-2, FGT-3, FGT-4) come in, since you can connect to them from there.
I did the DNS configuration and learned that DNS is the biggest target of malicious actors, because it can easily be abused to create multiple fake domains to deceive victims, which is why I suggest never using a public DNS server in a corporate environment. So I can configure the DNS server using one of the servers in the topology, the AD-Server of the JFK.com company at 172.16.32.3, to avoid using the FortiGuard servers. You can leave the secondary DNS field blank if you don't have another server. The advantage of using an internal DNS server is that all the company's DNS queries stay inside the company and never leave, which should always be the case. (I did not actually configure the DNS because there was no real server available, so I had to improvise within the topology.)
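The same steps (Port3 addressing, hostname, fixed default route, internal DNS) expressed as FortiOS CLI commands, added here as an example and not taken from the author's lab. It assumes a FortiOS 6.x or later CLI, and the WAN gateway address is a placeholder because the post does not give one in usable form.

```fortios
# Added example: CLI equivalent of the GUI steps above (not the author's own config).
# Hostname, so the device is identifiable at login.
config system global
    set hostname "FTG-1"
end

# Port3: internal LAN segment; .1 is the gateway for company hosts.
# Only ping is allowed for management here. Add https/ssh only if the
# firewall is meant to be administered from this segment.
config system interface
    edit "port3"
        set alias "internal"
        set role lan
        set ip 172.16.32.1 255.255.255.0
        set allowaccess ping
    next
end

# Default route out of port1 with a fixed gateway rather than the DHCP-learned one.
# <GATEWAY_IP> is a placeholder: the address of the ISP router reachable on port1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway <GATEWAY_IP>
        set device "port1"
    next
end

# Resolve through the internal AD server so DNS queries stay inside the company.
config system dns
    set primary 172.16.32.3
end

# Verification from the FortiGate CLI:
#   execute ping 172.16.32.20            (reach the Sales-PC via port3)
#   get router info routing-table all    (confirm the 0.0.0.0/0 route via port1)
```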
In conclusion, this hands-on exercise gave me valuable experience in setting up and managing a FortiGate firewall in a simulated network. This is just one step in my ongoing journey to master FortiGate devices. I'll continue learning and sharing more insights as I go further.