Fortigate Firewall

Lab Tasks:

Lab Task 1: Restrict Internet Access

Objective: Modify the existing firewall policy to allow only HTTP and HTTPS traffic from the LAN to the WAN, enhancing security by limiting unnecessary traffic.

Steps:

  1. Log in to the Fortinet firewall’s web interface.

  2. Go to Policy & Objects > Firewall Policy.

  3. Find the policy named LAN_to_WAN_Access and click Edit.

  4. In the Service field, replace ALL with DNS, HTTP and HTTPS.

  5. Ensure Action is ACCEPT and NAT is enabled.

  6. Click OK to save.

Verification:

  • From a PC (e.g., PC1), open a browser and visit a website (e.g., www.example.com). It should load.

  • From the same PC, open a command prompt and type ping 8.8.8.8. The ping should fail, as ICMP is no longer allowed.

[Figure: Ping Before and After + Web Verification]

  • You can also check the logs to see the failed pings.

How and Why:

  • How: The firewall policy is updated to filter traffic by service, allowing only HTTP (port 80) and HTTPS (port 443) while blocking others like ICMP (ping).

  • Why: Restricting traffic to essential services reduces the attack surface, a common security practice in real networks. This task teaches policy specificity, a fundamental firewall skill.
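The same policy change expressed in the FortiOS CLI, as an added example rather than configuration taken from the lab. The policy id 1, the interface names port2 (LAN) and port1 (WAN) and the use of the built-in "all" address object are assumptions; lines beginning with `#` are annotations, not CLI commands.

```text
# BEFORE (assumed starting state): every service from LAN to WAN is allowed
config firewall policy
    edit 1
        set name "LAN_to_WAN_Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# AFTER: only name resolution and web traffic. ICMP and everything else
# no longer matches this policy and falls through to the implicit deny.
config firewall policy
    edit 1
        set service "DNS" "HTTP" "HTTPS"
        set logtraffic all
    next
end

# Confirm the result
show firewall policy 1
```

DNS stays in the service list because the browser test in the verification needs name resolution: without it www.example.com never resolves, even though HTTP and HTTPS are permitted. The failed pings only appear under Log & Report if logging is switched on for the Implicit Deny policy (Log Violation Traffic), which is off by default.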

Lab Task 2: Set Up Port Forwarding

Objective: Allow external access to the Remote Desktop Protocol (RDP) service on PC1 (e.g., IP 192.168.1.101) via the WAN IP, simulating remote access.

Steps:

  1. Go to Policy & Objects > Virtual IPs.

  2. Click Create New > Virtual IP.

  3. Configure:

    • Name: RDP_PC1

    • Interface: port1 (WAN)

    • External IP Address/Range: Enter the WAN IP (assume static, e.g., 203.0.113.1)

    • Mapped IP Address/Range: 192.168.1.101

    • Port Forwarding: Enable

    • Protocol: TCP

    • External Service Port: 3389

    • Map to Port: 3389

  4. Click OK.

  5. Go to Policy & Objects > Firewall Policy.

  6. Click Create New and configure:

    • Name: WAN_to_LAN_RDP

    • Incoming Interface: port1 (WAN)

    • Outgoing Interface: port2 (LAN)

    • Source: all

    • Destination: Select RDP_PC1

    • Schedule: always

    • Service: RDP

    • Action: ACCEPT

    • NAT: Disable

    • Log Allowed Traffic: Enable

  7. Click OK.

Verification:

  • From an external device in EVE-ng (e.g., another VM), use an RDP client to connect to 203.0.113.1:3389. You should access PC1’s desktop.

  • Check logs in Log & Report > Forward Traffic for RDP connections.

[Figures: Before Port Forwarding / After Port Forwarding]

How and Why:

  • How: A Virtual IP maps the WAN IP’s port 3389 to PC1’s internal IP and port, and a policy allows this traffic without NAT since it’s inbound.

  • Why: Port forwarding is used in real networks to expose internal services (e.g., RDP for remote work). This task demonstrates NAT control and policy creation for inbound access, critical for service hosting.
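The Virtual IP and the inbound policy from this task in FortiOS CLI form, added here as an example and not part of the lab. The policy id 2 and the address object `Remote_Admin_Host` (with the constructed address 203.0.113.50) in the hardened variant are assumptions; the VIP values come from the task.

```text
# Virtual IP: WAN 203.0.113.1:3389/tcp -> 192.168.1.101:3389
config firewall vip
    edit "RDP_PC1"
        set extintf "port1"
        set extip 203.0.113.1
        set mappedip "192.168.1.101"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

# Inbound policy: the VIP object is the destination. NAT stays disabled
# because the VIP already performs the destination translation.
config firewall policy
    edit 2
        set name "WAN_to_LAN_RDP"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "RDP_PC1"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end

# Hardened variant (assumed address object): accept RDP only from the
# host that is supposed to manage PC1, not from the whole Internet
config firewall address
    edit "Remote_Admin_Host"
        set subnet 203.0.113.50 255.255.255.255
    next
end
config firewall policy
    edit 2
        set srcaddr "Remote_Admin_Host"
    next
end
```

With `set srcaddr "all"`, port 3389 on the WAN address answers to any source, which is fine for the lab but is the setting that exposes RDP to password guessing from the Internet in real deployments. Narrowing the source as in the hardened variant keeps the service reachable for its intended user, and because `logtraffic all` is set, connection attempts from other sources still show up in Log & Report > Forward Traffic.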

Lab Task 3: Implement Web Filtering

Objective: Block social media websites from the LAN to simulate content control policies.

Steps:

  1. Go to Security Profiles > Web Filter.

  2. Click Create New.

  3. Configure:

    • Name: Block_Social_Media

    • Categories: Find “Social Media” and set to Block

  4. Click OK.

  5. Go to Policy & Objects > Firewall Policy and edit LAN_to_WAN_Access.

  6. Under Security Profiles, select Block_Social_Media in the Web Filter dropdown.

  7. Click OK.

[Figure: Policy Addition]

Verification:

  • From a PC, try accessing www.facebook.com. It should be blocked (e.g., a Fortinet block page appears).

  • Access www.google.com. It should work normally.

[Figure: Web Page Blocked]

How and Why:

  • How: A web filter profile blocks the “Social Media” category, applied to the outbound policy.

  • Why: Web filtering is common in workplaces to boost productivity or security. This task introduces security profiles, a key Fortinet feature, though some advanced options might be limited in the trial.

Lab Task 4: Monitor Traffic Logs

Objective: Analyze firewall logs to verify policy enforcement and understand network activity.

Steps:

  1. Ensure Log Allowed Traffic is enabled on LAN_to_WAN_Access and WAN_to_LAN_RDP.

  2. Go to Log & Report > Forward Traffic.

  3. Use filters (e.g., source IP, service) to view logs.

  4. Generate traffic (e.g., browse from a PC, attempt RDP from outside).

Verification:

  • See allowed HTTP/HTTPS traffic from LAN IPs (e.g., 192.168.1.100).

  • Confirm denied traffic (e.g., ICMP pings or social media attempts).

  • Check RDP logs if tested externally.

How and Why:

  • How: Logs record allowed and denied traffic based on policy settings, viewable in the GUI.

  • Why: Logging is vital for auditing, troubleshooting, and security monitoring in real networks. This task builds skills in traffic analysis, essential for network administration.
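The log review from this task done from the FortiOS CLI instead of the GUI, as an added example that is not part of the lab. The source address 192.168.1.100 is the one the verification names; the category numbers are the `execute log filter category` ids for traffic (0) and web filter (3) logs.

```text
# Traffic logs the firewall denied (the failed pings from Task 1 land here
# once implicit-deny logging is on)
execute log filter reset
execute log filter category 0
execute log filter field action deny
execute log display

# Narrow to one LAN host and one service, e.g. PC1's HTTPS sessions
execute log filter reset
execute log filter category 0
execute log filter field srcip 192.168.1.100
execute log filter field service HTTPS
execute log display

# The social-media verdicts from Task 3 are UTM web filter logs,
# not traffic logs, so they sit in a different category
execute log filter reset
execute log filter category 3
execute log display
```

Each filter is cumulative until `execute log filter reset`, so start every query with a reset; otherwise a stale `srcip` or `action` filter silently hides the entries you are looking for.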

Lab Task 5: Restrict Access for Specific IPs

Objective: Limit internet access for IPs 192.168.1.150–192.168.1.157 to HTTP and HTTPS, simulating a restricted user group.

Steps:

  1. Go to Policy & Objects > Addresses.

  2. Click Create New > Address.

  3. Configure:

    • Name: Restricted_IPs

    • Type: Subnet

    • IP/Netmask: 192.168.1.3-192.168.1.3

  4. Click OK.

  5. Go to Policy & Objects > Firewall Policy.

  6. Click Create New and configure:

    • Name: Restricted_Access

    • Incoming Interface: port2 (LAN)

    • Outgoing Interface: port1 (WAN)

    • Source: Restricted_IPs

    • Destination: all

    • Schedule: always

    • Service: HTTP, HTTPS

    • Action: DENY

    • NAT: Enable

  7. Move this policy above LAN_to_WAN_Access in the list.

  8. Click OK.

Verification:

  • From the PC with IP 192.168.1.3, browse the web. It should not work.

  • From 192.168.1.2 or another unrestricted PC, browse the web. It should work.

[Figure: Verification Tests]

How and Why:

  • How: A specific policy for the IP range takes precedence due to top-down matching, overriding the broader policy for those IPs.

  • Why: IP-based restrictions are used to differentiate access levels (e.g., guests vs. staff). This task shows policy prioritization and address objects, useful for network segmentation without extra interfaces.
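The address object, the deny policy, the reordering and a check of which policy a connection really matches, in FortiOS CLI form, added as an example and not taken from the lab. The policy ids 1 and 3 and the interface names are assumptions; the address range is the one from the task objective.

```text
# Address object for the restricted group. An iprange is used because
# .150-.157 is not a CIDR-aligned block, so the Subnet type cannot express it.
config firewall address
    edit "Restricted_IPs"
        set type iprange
        set start-ip 192.168.1.150
        set end-ip 192.168.1.157
    next
end
# (The lab's own verification used a single host instead, which would be
#  set subnet 192.168.1.3 255.255.255.255)

# Deny policy for the group, logged so the hits appear in Forward Traffic.
# Policy id 3 is assumed; NAT has no effect on a deny and is left unset.
config firewall policy
    edit 3
        set name "Restricted_Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Restricted_IPs"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    # Order matters: the first matching policy wins, so the narrow deny
    # must sit above the broad LAN_to_WAN_Access policy (id 1 assumed)
    move 3 before 1
end

# Verify which policy a connection actually hits
diagnose debug flow filter addr 192.168.1.150
diagnose debug flow filter port 443
diagnose debug flow trace start 10
diagnose debug enable
#   ... browse from the restricted PC; the trace lines name the matching policy id
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The `move` step is what the How paragraph is about: if the deny policy is created below LAN_to_WAN_Access, web traffic from the group matches the accept policy first and the deny is never consulted. The flow trace confirms the order from the firewall's point of view, which is more reliable than inferring it from a browser, and `show firewall policy` lists the current order if the ids differ from the ones assumed here.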
