Basic configuration of the FortiOS v.6.2 operating system in SIM-Cloud
Important
- Preliminary actions
- Particularities of working with a temporary OS FortiOS licence
- Defining the external (WAN) and internal (LAN) interfaces
- Naming the network interfaces and setting IP addresses for them
- Viewing equipment information
- Permitted address pairs
- Final configuration of FortiOS via web interface
Preliminary actions
To accurately identify the internal and external network interfaces of the created FortiOS instance, define their MAC addresses from the SIM-Cloud side. For this, use the instructions available in our documentation.

Particularities of working with a temporary OS FortiOS licence
For ordinary work with a virtual machine based on FortiOS, a user licence is required. To make the initial settings and to work via a web interface, however, it is possible to use the temporary licence. This is activated automatically if the instance is allocated a size of SIM-C1R1 (1 CPU, 1GB RAM). Once a permanent licence has been acquired and set up, the size of the instance can be increased as required.

Warning
Note that the temporary licence remains active for 15 days from the moment that the instance is created. During this period the web interface will be inaccessible until the permanent licence is purchased and set up. More information on the types of licence and their restrictions can be found in the official FORTINET resources.

Defining the external (WAN) and internal (LAN) interfaces
After the first launch of the FortiOS v.6.2 instance, go to its console (INSTANCE CONSOLE) and log in with the default user name and password (user admin, empty password).
- Determine the total number of available network ports and their current names
    get hardware nic
    port1
    port2
- Define the MAC address for each port
    get hardware nic port1 | grep Hwaddr
    Hwaddr: fa:16:3e:34:27:fa
    get hardware nic port2 | grep Hwaddr
    Hwaddr: fa:16:3e:7e:35:8d
Naming the network interfaces and setting IP addresses for them
Once the above steps are completed, you can define which port is the internal and which the external. For the current example this is:

- port1 - WAN
- port2 - LAN
For convenience, set the pseudonym ‘WAN’ for the external interface and check that it receives network settings via the DHCP protocol.
- Set the pseudonym ‘WAN’ for the external interface
    config system interface
        edit port1
            set alias WAN
    end
- Check that it receives network settings via DHCP and configure the access protocols to the interface
    config system interface
        edit port1
            set mode dhcp
            set allowaccess ping https http
    end
For convenience, set the pseudonym ‘LAN’ for the internal interface and configure a static IP address for it.
- Set the pseudonym ‘LAN’ for the internal interface
    config system interface
        edit port2
            set alias LAN
    end
- Configure a static IP address for the interface and configure the access protocols
    config system interface
        edit port2
            set ip 192.168.0.1 255.255.255.0
            set allowaccess ping https ssh http
    end
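The two steps above (matching each port's MAC address against the list obtained from the SIM-Cloud side, then assigning aliases, addressing mode and management access) can be checked mechanically. The following Python is an added example, not part of this page or of FortiOS: it parses the `get hardware nic ... | grep Hwaddr` output, derives the port roles, emits the interface CLI from this page, and flags any WAN-facing interface that still accepts plaintext management. It deliberately emits `allowaccess ping https` for the WAN (the page also enables `http`); the prompt string and the cloud-side MAC-to-role table are constructed sample data.

```python
import re

# Constructed sample of `get hardware nic <port> | grep Hwaddr` output, using the
# MAC addresses shown on this page; the "FortiGate-VM64-KVM #" prompt is assumed.
FORTIOS_OUTPUT = """\
FortiGate-VM64-KVM # get hardware nic port1 | grep Hwaddr
Hwaddr:         fa:16:3e:34:27:fa
FortiGate-VM64-KVM # get hardware nic port2 | grep Hwaddr
Hwaddr:         fa:16:3e:7e:35:8d
"""

# Constructed: MAC -> role, as determined from the SIM-Cloud side in the preliminary step.
CLOUD_PORTS = {"fa:16:3e:34:27:fa": "WAN", "fa:16:3e:7e:35:8d": "LAN"}

HWADDR_RE = re.compile(
    r"get hardware nic (\S+) \| grep Hwaddr\s*\n\s*Hwaddr:\s*([0-9a-f:]{17})", re.I)

def map_ports(output, cloud_ports):
    """Return {port: role} by matching each FortiOS port's MAC to the cloud-side list."""
    roles = {}
    for port, mac in HWADDR_RE.findall(output):
        mac = mac.lower()
        if mac not in cloud_ports:  # a MAC the cloud does not know is a wiring mistake
            raise ValueError(f"{port}: MAC {mac} is not a port of this instance")
        roles[port] = cloud_ports[mac]
    return roles

def render_interface_config(roles, lan_ip="192.168.0.1 255.255.255.0"):
    """Emit the FortiOS interface CLI from this page: WAN via DHCP with management
    limited to https and ping, LAN static with the page's ping/https/ssh/http."""
    lines = ["config system interface"]
    for port, role in sorted(roles.items()):
        lines += [f"    edit {port}", f"        set alias {role}"]
        if role == "WAN":
            lines += ["        set mode dhcp", "        set allowaccess ping https"]
        else:
            lines += [f"        set ip {lan_ip}", "        set allowaccess ping https ssh http"]
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)

def plaintext_admin_on_wan(config_text):
    """Return ports aliased WAN whose allowaccess includes plaintext http or telnet."""
    flagged = []
    for port, body in re.findall(r"edit (\S+)\n(.*?)\n\s*next", config_text, re.S):
        if re.search(r"set alias WAN", body) and \
                re.search(r"set allowaccess.*\b(http|telnet)\b", body):
            flagged.append(port)
    return flagged
```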
Viewing equipment information
Check the configuration of the equipment after setting it up.
- View the IP addresses assigned to the network interfaces
    show system interface
    port1     dhcp    0.0.0.0 0.0.0.0   172.16.0.10 255.255.240.0   up   disable   physical   enable
    port2     static  0.0.0.0 0.0.0.0   192.168.0.1 255.255.255.0   up   disable   physical   enable
    ssl.root  static  0.0.0.0 0.0.0.0   0.0.0.0 0.0.0.0             up   disable   tunnel     enable
- View the full equipment configuration
    show full-configuration
    #config-version=FGVMK6-6.2.0-FW-build0866-190328:opmode=1:vdom=0:user=admin
    #conf_file_ver=183609851946744
    #buildno=0866
    #global_vdom=1
    config system global
        set admin-concurrent enable
        set admin-console-timeout 0
        set admin-http-connection-receive-timeout 2
        set admin-https-pki-required disable
        set admin-https-ssl-versions tlsv1-1 tlsv1-2
        set admin-lockout-duration 60
        set admin-lockout-threshold 3
        set admin-login-max 100
        set admin-maintainer enable
    ...
Permitted address pairs
It now remains to specify the permitted address pair for the LAN interface from the side of SIM-Cloud. This is necessary to allow network traffic to pass from the local network via OPNsense. This process is described in detail in our article.

Final configuration of FortiOS via web interface
After all the actions described above, the equipment will be accessible via the web interface. Use the IP address set for the LAN interface or the floating IP assigned to the instance.
Note
When you log in for the first time, you will be asked to set a password for the user ‘admin’. For security, be sure to do this.
- In this step, configure the router so that the hosts located beyond the router (with addresses from the LAN) can reach the internet via the router. To do this:
  - Log into the router via the web interface
  - Go to ‘Policy & Objects’ > ‘IPv4 Policy’
  - Press the ‘+ Create New’ button to create a new rule
  - In the ‘New Policy’ form that now appears, complete the following fields using the data obtained in the previous steps above:

    Name: LANtoWAN
    Incoming Interface: LAN (port2)
    Outgoing Interface: WAN (port1)
    Source: all
    Destination: all
    Schedule: always
    Service: ALL

  - Save the rule by clicking the ‘OK’ button.