Konfigurasi dasar Fortinet dengan CLI
Postingan ini akan menjelaskan beberapa perintah yang berguna pada firewall Fortinet.
Saya menganggap Anda memiliki perangkat Fortinet FortiGate dan ingin menggunakannya untuk menyambungkan jaringan lokal Anda (192.168.1.0/24) ke internet, dan Anda sudah memiliki koneksi internet.
Saya juga menganggap Anda memiliki router dengan alamat IP publik, contoh: 111.222.111.1, dan Anda memiliki subnet publik 111.222.111.0/29.
Dalam contoh ini saya menggunakan perangkat point-to-point dengan alamat IP 111.222.111.123 sebagai tujuan ping untuk mendeteksi kegagalan koneksi.
Tentu saja Anda harus mengubah alamat IP lokal (INTERNAL) agar sesuai dengan jaringan Anda, dan gunakan subnet publik Anda sendiri, bukan yang dipakai dalam contoh ini (111.222.111.0/29). Perhatikan juga bahwa akses administrasi (HTTP/HTTPS/SSH/Telnet) sebaiknya tidak diekspos pada antarmuka WAN, dan HTTP serta Telnet sebaiknya tidak dipakai sama sekali karena tidak terenkripsi.
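config system global
    # Port used for HTTP admin access (80/tcp). HTTP is cleartext: the port is
    # set here for completeness, but "http" should not be added to any
    # interface's allowaccess list; manage the unit over HTTPS or SSH only.
    set admin-port 80
    # Port used for HTTPS admin access (443/tcp)
    set admin-sport 443
    # Port used for SSH admin access (22/tcp)
    set admin-ssh-port 22
    # Port used for Telnet admin access (23/tcp). Telnet is cleartext: this
    # only sets the port number; do not add "telnet" to any allowaccess list.
    set admin-telnet-port 23
    # Hostname. Use straight ASCII quotes; curly quotes are rejected by the CLI.
    set hostname "FGT50B-MAGAZZINO"
    # NTP server "time.ien.it" with time synchronisation enabled. Correct time
    # is needed for usable logs and certificate validity checks.
    set ntpserver "time.ien.it"
    set ntpsync enable
    # tcp-halfclose timer of 43200 s (12 h). Half-closed sessions stay in the
    # session table this long, so only raise it for applications that need it.
    set tcp-halfclose-timer 43200
end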
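# Raise the session TTL for telnet (23/tcp) only, to 43200 s (12 h).
# This is useful with an AS/400 (iSeries) whose terminal sessions sit idle
# for hours and would otherwise be dropped on timeout.
# Only the per-port entry is raised here. The original listing also raised
# the global "set default" to 43200, which keeps every idle session of every
# protocol in the table for 12 h and makes session-table exhaustion easier;
# leave the global default alone and use per-port entries for exceptions.
config system session-ttl
    config port
        edit 23
            set timeout 43200
        next
    end
end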
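# INTERNAL interface: IP address and administrative access (ping, https).
# HTTP admin is cleartext and is therefore not enabled even on the LAN side.
config system interface
    edit "internal"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https
        set type physical
    next
    # WAN1 interface: IP address and administrative access (ping only).
    # No management service is exposed on the Internet-facing interface;
    # administer the unit from INTERNAL. If remote HTTPS admin on wan1 is
    # unavoidable, add it back only together with "config system admin" /
    # "set trusthost" limiting the permitted source addresses.
    # Gateway detect is enabled with 111.222.111.123 as the ping target, so the
    # unit can detect a failed upstream connection.
    # Speed is forced to 10 Mb/s half duplex, useful for some links such as
    # radio bridges.
    edit "wan1"
        set ip 111.222.111.2 255.255.255.248
        set allowaccess ping
        set gwdetect enable
        set detectserver "111.222.111.123"
        set type physical
        set speed 10half
    next
end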
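# DNS servers and DNS options.
# Primary is the internal DNS server, secondary an external resolver.
# The local domain is left empty (straight ASCII quotes; the curly quote in
# the original listing is rejected by the CLI).
# autosvr disabled: do not take DNS servers from DHCP/PPPoE.
# Negative (NXDOMAIN) responses are not cached.
config system dns
    set primary 192.168.1.3
    set secondary 212.97.32.2
    set domain ""
    set autosvr disable
    set dns-cache-limit 5000
    set cache-notfound-responses disable
end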
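# Firewall policy allowing traffic from INTERNAL to WAN1 with source NAT,
# with the default protection profile "scan" applied.
# This is a permissive egress rule (any source, any destination, any service);
# restrict "service" to what the LAN actually needs once that is known.
# Traffic logging is enabled so that outbound connections are visible in the
# logs (FortiOS 3.x/4.x syntax; on 5.x and later use "set logtraffic all").
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "scan"
        set logtraffic enable
        set nat enable
    next
end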
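# Default route (0.0.0.0/0) out of the WAN1 interface.
# The gateway is the upstream router 111.222.111.1, not the unit's own wan1
# address 111.222.111.2 that the original listing used (a route whose next hop
# is the local interface address never forwards traffic).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 111.222.111.1
    next
end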