Basic configuration of the FortiOS v.6.2 operating system in SIM-Cloud¶
- Preliminary actions
- Particularities of working with a temporary ОS FortiOS licence
- Defining the external (WAN) and internal (LAN) interfaces
- Naming the network interfaces and setting IP addresses for them
- Viewing equipment information
- Permitted address pairs
- Final configuration of FortiOS via web interface
Preliminary actionsTo accurately identify the internal and external network interfaces of the created FortiOS instance, define their MAC addresses from the SIM-Cloud side.For this, use the instructions available in our documentation
Particularities of working with a temporary ОS FortiOS licenceFor ordinary work with a virtual machine based on FortiOS, a user licence is required.To make the initial settings and to work via a web interface, however, it is possible to use the temporary licence. This is activated automatically if the instance is allocated a size of SIM-C1R1 (1 CPU, 1GB RAM). Once a permanent licence has been acquired and set up, the size of the instance can be increased as required.
WarningNote that the temporary licence remains active for 15 days from the moment that the instance is created. During this period the web interface will be inaccessible until the permanent licence is purchased and set up.More information on the types of licence and their restrictions can be found in the official FORTINET resources.
Defining the external (WAN) and internal (LAN) interfaces
After the first launch of the FortiOS v.6.2 instance, go to its console (INSTANCE CONSOLE) and enter its default user name and password (admin/no password).
- Determine the total number of available network ports and their current names
get hardware nic port1 port2
- Define the MAC address for each port
get hardware nic port1 | grep Hwaddr Hwaddr: fa:16:3e:34:27:fa get hardware nic port2 | grep Hwaddr Hwaddr: fa:16:3e:7e:35:8d
Naming the network interfaces and setting IP addresses for themOnce the above steps are completed, you can define which port is the internal and which the external.For the current example this is:
port1 - WAN port2 - LAN
For convenience, set the pseudonym ‘WAN’ for the external interface and check that it receives network settings via the DHCP protocol.
- Set the pseudonym ‘WAN’ for the external interface
config system interface edit port1 set alias WAN end
- Check that it receives network settings via DHCP and configure the access protocols to the interface
config system interface edit port1 set mode dhcp set allowaccess ping https http end
For convenience, set the pseudonym ‘LAN’ for the internal interface and configure a static IP address for it.
- Set the pseudonym ‘LAN’ for the internal interface
config system interface edit port2 set alias LAN end
- Configure a static IP address for the interface and configure the access protocols
config system interface edit port2 set ip 192.168.0.1 255.255.255.0 set allowaccess ping https ssh http end
Viewing equipment information
Check the configuration of the equipment after setting it up
- View the IP addresses assigned to the network interfaces
show system interface name Name. port1 dhcp 0.0.0.0 0.0.0.0 172.16.0.10 255.255.240.0 up disable physical enable port2 static 0.0.0.0 0.0.0.0 192.168.0.1 255.255.255.0 up disable physical enable ssl.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel enable
- View the full equipment configuration
show full-configuration #config-version=FGVMK6-6.2.0-FW-build0866-190328:opmode=1:vdom=0:user=admin #conf_file_ver=183609851946744 #buildno=0866 #global_vdom=1 config system global set admin-concurrent enable set admin-console-timeout 0 set admin-http-connection-receive-timeout 2 set admin-https-pki-required disable set admin-https-ssl-versions tlsv1-1 tlsv1-2 set admin-lockout-duration 60 set admin-lockout-threshold 3 set admin-login-max 100 set admin-maintainer enable ...
Permitted address pairsIt now remains to specify the permitted address pair for the LAN interface from the side of SIM-Cloud.This is necessary to allow network traffic to pass from the local network via OPNsense.This process is described in detail in our article.
Final configuration of FortiOS via web interface
After all the actions described above, the equipment will be accessible via the web interface. For this the IP address set for the LAN interface or the floating IP assigned to the instance should be used.
When you log in for the first time, you will be asked for the password for the user ‘admin’. To ensure security, be sure to do this.
- In this step, configure the router so that the hosts located beyond the router (with addresses from the LAN) have the possibility of exiting to the internet via the router. To do this:
- Log into the router via the web interface
- Go to the ‘Policy & Objects’ > ‘IPv4 Policy’
- Press the ‘+ Create New’ button to create a new rule
- In the ‘New Policy’ form that now appears, complete the following fields using the data obtained in the previous steps above:
Name LANtoWAN Incoming Interface LAN (port2) Outgoing Interface WAN (port1) Source all Destination all Schedule always Service ALL
Save the rule by clicking the ‘OK’ button.