Basic configuration of the FortiOS v.6.2 operating system in SIM-Cloud

Important

After installing the virtual FortiOS we recommend that you carry out its basic configuration: identify and name the network interfaces, assign their addresses, restrict management access and set an administrator password, so that the instance operates correctly and is not left running in its default state.
The basic configuration is done via the command line interface (CLI).
  1. Preliminary actions

    To tell the internal and external network interfaces of the new FortiOS instance apart, first note the MAC address of each of its ports as shown on the SIM-Cloud side. In step 3 these are matched against the MAC addresses that the instance itself reports for port1 and port2.
  2. Particularities of working with a temporary FortiOS licence

    A licence is required for normal operation of a virtual machine based on FortiOS.
    For the initial settings and for working via the web interface, however, a temporary (evaluation) licence can be used. It is activated automatically if the instance is created with the size SIM-C1R1 (1 CPU, 1 GB RAM). Once a permanent licence has been acquired and installed, the size of the instance can be increased as required.

    Warning

    Note that the temporary licence remains active for 15 days from the moment that the instance is created. After this period expires, the web interface becomes inaccessible until a permanent licence is purchased and installed.
    More information on the types of licence and their restrictions can be found in the official FORTINET resources.
  3. Defining the external (WAN) and internal (LAN) interfaces

    After the first launch of the FortiOS v.6.2 instance, open its console (INSTANCE CONSOLE) and log in with the default credentials: user name admin and an empty password.

    • Determine the total number of available network ports and their current names
    get hardware nic
      port1
      port2
    
    • Define the MAC address for each port
    get hardware nic port1 | grep Hwaddr
    Hwaddr:     fa:16:3e:34:27:fa
    
    get hardware nic port2 | grep Hwaddr
    Hwaddr:     fa:16:3e:7e:35:8d
    
  4. Naming the network interfaces and setting IP addresses for them

    Once the above steps are completed, you can define which port is the internal and which the external.
    For the current example this is:
    port1   - WAN
    port2   - LAN
    

    For convenience, set the alias ‘WAN’ for the external interface and configure it to obtain its network settings via DHCP. The example below also permits management over plain HTTP on this interface; since HTTP sends the administrator credentials in the clear and the WAN side faces the provider network, it is safer to allow only https (plus ping for diagnostics) there and to reach the web interface from the LAN side.

    • Set the alias ‘WAN’ for the external interface
    config system interface
        edit port1
        set alias WAN
        end
    
    • Configure the interface to obtain its settings via DHCP and define the management protocols it accepts
    config system interface
        edit port1
        set mode dhcp
        set allowaccess ping https http
        end
    

    For convenience, set the alias ‘LAN’ for the internal interface and configure a static IP address for it.

    • Set the alias ‘LAN’ for the internal interface
    config system interface
        edit port2
        set alias LAN
        end
    
    • Configure a static IP address for the interface and define the management protocols it accepts
    config system interface
        edit port2
        set ip 192.168.0.1 255.255.255.0
        set allowaccess ping https ssh http
        end
    
  5. Viewing the device configuration

    Check the configuration of the device after setting it up.

    • View the addresses assigned to the network interfaces. Each row shows the interface name, its addressing mode (dhcp or static), the IP address and mask assigned to it, the link status and the interface type
    show system interface
    port1   dhcp   0.0.0.0 0.0.0.0  172.16.0.10 255.255.240.0  up   disable   physical  enable
    port2   static   0.0.0.0 0.0.0.0  192.168.0.1 255.255.255.0  up   disable   physical  enable
    ssl.root   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   tunnel  enable
    
    • View the full device configuration
    show full-configuration
    #config-version=FGVMK6-6.2.0-FW-build0866-190328:opmode=1:vdom=0:user=admin
    #conf_file_ver=183609851946744
    #buildno=0866
    #global_vdom=1
    config system global
        set admin-concurrent enable
        set admin-console-timeout 0
        set admin-http-connection-receive-timeout 2
        set admin-https-pki-required disable
        set admin-https-ssl-versions tlsv1-1 tlsv1-2
        set admin-lockout-duration 60
        set admin-lockout-threshold 3
        set admin-login-max 100
        set admin-maintainer enable
        ...
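
    The full configuration above shows two defaults worth changing before the instance is exposed: the admin GUI still accepts TLS 1.1 (admin-https-ssl-versions tlsv1-1 tlsv1-2), and in step 4 plain HTTP management was allowed on the WAN interface. The fragment below is an added example written for this article, not commands from the original page or from Fortinet's documentation. It assumes the port roles from step 4 (port1 WAN, port2 LAN) and that administrators connect from the LAN subnet 192.168.0.0/24; lines starting with # are comments.

```fortios
# Management access per interface.
# WAN (port1, assumption from step 4): HTTPS and ping only, no plain HTTP, no SSH.
# LAN (port2): HTTPS, SSH and ping.
config system interface
    edit port1
        set allowaccess ping https
    next
    edit port2
        set allowaccess ping https ssh
    next
end

# Admin GUI: TLS 1.2 only, strong ciphers, lockout after failed logins.
config system global
    set admin-https-ssl-versions tlsv1-2
    set strong-crypto enable
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end

# Restrict the admin account to the LAN subnet (assumption: 192.168.0.0/24).
# Add a trusthost2 entry for any other source you administer from before
# committing this, otherwise that source is locked out.
config system admin
    edit admin
        set trusthost1 192.168.0.0 255.255.255.0
    next
end
```

    Apply this from the console session of step 3 so that a mistake in allowaccess or trusthost cannot lock you out, then confirm that the web interface still answers on https://192.168.0.1 from a LAN host before closing the console. If the web interface is also to be reached through the floating IP, the source you connect from must be added as trusthost2.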
    
  6. Permitted address pairs

    It now remains to specify, on the SIM-Cloud side, the permitted address pair for the port that corresponds to the LAN interface.
    This is necessary because the cloud's port security only passes traffic carrying the addresses assigned to the port; the LAN subnet behind the router (192.168.0.0/24 in this example) must be added as a permitted address pair so that traffic from the local network can pass through the FortiOS instance.
    This process is described in detail in our separate article.
  7. Final configuration of FortiOS via web interface

    After all the actions described above, the device will be accessible via the web interface, using either the IP address set for the LAN interface or the floating IP assigned to the instance.

    Note

    When you log in for the first time, you will be prompted to set a password for the user ‘admin’, which has none by default. Do this before making the management interface reachable from outside the LAN.

    In this step, configure the router so that hosts behind it (with addresses from the LAN) can reach the internet through it. To do this:
    • Log into the router via the web interface
    • Go to the ‘Policy & Objects’ > ‘IPv4 Policy’
    • Press the ‘+ Create New’ button to create a new rule
    • In the ‘New Policy’ form that now appears, complete the following fields using the data obtained in the previous steps above:
    Name LANtoWAN
    Incoming Interface LAN (port2)
    Outgoing Interface WAN (port1)
    Source all
    Destination all
    Schedule always
    Service ALL

    Make sure ‘NAT’ is enabled on the policy so that connections from the LAN are translated to the WAN address; without source NAT the provider network would need a route back to 192.168.0.0/24 and replies would never return. A rule from any source to any destination is the minimum needed for internet access; once connectivity is confirmed, tighten ‘Source’ to the LAN subnet and ‘Service’ to what the hosts actually need.
    Save the rule by clicking the ‘OK’ button.
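
    The same LANtoWAN rule can be created and verified from the CLI. This is an added example, not part of the original article; it assumes port2 is the LAN and port1 the WAN interface as in step 4, and that 192.168.0.10 is a host on the LAN used for the test. The line set nat enable is the CLI counterpart of the ‘NAT’ toggle in the policy form.

```fortios
# CLI equivalent of the LANtoWAN policy from the web form
# (edit 0 allocates the next free policy ID).
config firewall policy
    edit 0
        set name "LANtoWAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Checks.
# The policy must be listed with nat enabled:
show firewall policy
# A default route learned via DHCP on port1 must exist, otherwise nothing leaves the WAN side:
get router info routing-table all
# While a LAN host (assumption: 192.168.0.10) pings an internet address, the same ICMP packet
# should appear on port2 with source 192.168.0.10 and on port1 with the WAN address as source:
diagnose sniffer packet any 'icmp' 4
```

    If the sniffer shows the packet arriving on port2 but it never appears on port1, check the routing table and the order of the firewall policies; if it leaves port1 still carrying the 192.168.0.10 source, NAT is not enabled on the policy that matched.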