FortiGate Firewall Configuration
Presented By: Shehroz Ahmed Khan
Fortinet Certified Associate in Cybersecurity
Table of Contents
1. Introduction
2. Network Overview
3. FortiGate VM: Basic Setup and Initial Configuration
4. Exploring the Network Tab
5. Interface Configuration
6. Firewall Policies Overview
7. LAN to WAN – Internet Access Policy
8. LAN to Internal Critical Server
9. Configuring Working Hours
10. Restricting Access to Specific Devices to Servers
11. Security Profiles Configuration and Testing
12. Antivirus (AV) Configuration and Malware Blocking
13. Deep Packet Inspection Policy and Usage Overview
14. Web Filter Test: Blocking Access to EICAR Website Using Static URL Filter
15. File Filter Configuration: Blocking Specific File Types
16. Advanced Intrusion Prevention System (IPS) Deployment on FortiGate Firewall
17. Data Loss Prevention (DLP) Implementation for Secure Outbound Traffic
18. FortiGate Denial-of-Service (DoS) Protection Policy Implementation
19. Local Authentication Implementation
Introduction
1.1 What is FortiGate Firewall?
FortiGate is a next-generation firewall (NGFW) developed by
Fortinet, designed to provide comprehensive network
security solutions. It is a hardware and virtual appliance that
integrates essential security features such as stateful
inspection firewalling, intrusion prevention, application
control, antivirus protection, web filtering, and VPN
capabilities—all managed from a single platform.
What makes FortiGate stand out is its use of FortiOS, a
proprietary operating system optimized for performance,
scalability, and integrated threat intelligence. FortiGate
devices can operate in transparent mode, NAT/Route mode,
and virtual domains (VDOMs) to adapt to various
deployment needs.
1.2 FortiGate as Part of the Fortinet Security Fabric
FortiGate is a core component of the Fortinet Security Fabric,
an integrated cybersecurity platform developed by Fortinet.
The Security Fabric is designed to deliver broad, integrated,
and automated security across an organization’s entire
digital infrastructure—from endpoints and networks to
applications and the cloud.
What is the Fortinet Security Fabric?
The Fortinet Security Fabric is an architecture that connects
multiple Fortinet products—and even third-party solutions—
into a unified system. It enables centralized visibility,
streamlined management, and coordinated threat
intelligence sharing across all connected security elements.
Key features of the Fortinet Security Fabric include:
Broad Protection: Covers the entire attack surface,
including LAN, WAN, cloud, and endpoints.
Open Ecosystem: Supports integration with third-party
products through open APIs and Fabric Connectors.
Integrated Solutions: Combines firewalls, endpoint
protection, secure SD-WAN, web application firewalls
(WAF), email security, and more into a single platform.
Automated Response: Uses AI-driven threat intelligence
and automation to detect, contain, and respond to
threats in real time.
FortiGate’s Role in the Security Fabric
FortiGate firewalls serve as the central enforcement point in
the Security Fabric. They monitor and control all traffic
entering and leaving the network, while also interacting with
other Fortinet solutions like:
FortiAnalyzer for centralized logging and analytics
FortiManager for centralized policy and device
management
FortiClient for endpoint protection and VPN access
FortiSandbox for advanced threat detection
By participating in the Security Fabric, FortiGate helps
organizations achieve a unified security posture, enabling
them to detect threats faster, respond more effectively, and
reduce complexity across their network environment.
Network Overview
The network is designed using a FortiGate firewall to segment and secure access between users and sensitive resources. It consists of three main interfaces—LAN, WAN, and an Internal Critical Server—with specific policies and access restrictions in place.
1. LAN (Internal Network for Employees)
Assigned to general user devices (employees).
Provides internet access through the FortiGate WAN
interface.
Only specific LAN users (e.g., Employees group) are
permitted to access the internal critical server.
Security profiles such as web filtering, antivirus, and
Data Loss Prevention(DLP) are applied to LAN-to-WAN
traffic for safe browsing.
2. WAN (Internet Connection)
Connected to the public internet.
Provides outbound internet access for LAN users.
Inbound traffic from WAN to internal networks is strictly
blocked to enhance security.
3. Internal Critical Server
Dedicated interface for a server storing important files
and documents.
Isolated from the internet (no WAN access allowed).
Access is tightly controlled—only authorized LAN users
(like Shehroz, ICS group) can reach this server via internal
firewall policies.
Serves as a secure repository for internal use only.
4. Firewall Policies
Configured to control traffic between zones (LAN → WAN,
LAN → Internal Server).
Enforces least privilege by blocking unnecessary access.
Custom rules ensure only specified traffic is allowed
based on source, destination, and user identity.
5. Security Implementation
Profiles applied on outbound policies to filter harmful
content and threats.
Critical server is protected from both external and
unauthorized internal access.
FortiGate VM: Basic Setup and Initial Configuration
Initial Setup of FortiGate Firewall on a Virtual Machine
Create a FortiCloud Account: Begin by registering for a FortiCloud account, which is required for licensing and management of your FortiGate.
Download the FortiGate VM Image: After logging into
FortiCloud, download the appropriate FortiGate OS image
compatible with your virtualization platform.
Deploy the FortiGate VM: Open the downloaded
FortiGate OS file in VMware Workstation or VMware ESXi.
Assign the recommended resources such as RAM and
CPU according to FortiGate’s minimum requirements.
Power On the Virtual Machine: Start the VM and proceed
with the initial configuration through the console
interface.
config system interface ... end – Sets a static IP (192.168.100.181/24) on port1 and allows administrative access to it via HTTPS and ping.
execute ping 192.168.100.1 – Tests connectivity to the local gateway or another internal device.
config router static ... end – Adds a default route (0.0.0.0/0) via gateway 192.168.100.1 using port1 to enable internet access.
execute ping 8.8.8.8 – Tests internet connectivity by pinging Google’s public DNS.
config system dns ... end – Sets Google DNS (8.8.8.8) as the primary DNS server for domain name resolution.
Once this configuration is complete, the FortiGate firewall
becomes accessible at the assigned IP address (e.g.,
https://192.168.100.181) via a web browser using HTTPS. You
can now log in to the web-based GUI for further
configuration and management.
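The console commands described above, consolidated into one FortiOS CLI block as an added example (reconstructed from the descriptions in this section, not copied from the deck's screenshot; the static route sequence number is an assumption):

```fortios
# Added example: FortiOS CLI equivalent of the initial console setup.
# Values come from the descriptions above; "edit 1" for the route is assumed.
config system interface
    edit "port1"
        set ip 192.168.100.181 255.255.255.0
        # Only the management protocols that are needed: no HTTP or Telnet
        set allowaccess ping https
    next
end

# Confirm the gateway answers before relying on it for the default route
execute ping 192.168.100.1

config router static
    edit 1
        # dst is left at its default of 0.0.0.0/0, i.e. the default route
        set gateway 192.168.100.1
        set device "port1"
    next
end

# Internet reachability check through the new route
execute ping 8.8.8.8

config system dns
    set primary 8.8.8.8
end

# Verify: the routing table should list the default route via 192.168.100.1
get router info routing-table all
```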
After logging in, you are greeted by the Dashboard, which
provides a comprehensive overview of the system's status.
Purpose of the Dashboard
The dashboard provides a quick health check and real-time monitoring of your FortiGate firewall. It helps administrators:
Identify issues (e.g., high CPU usage or disconnected
interfaces)
Monitor traffic patterns
View alerts or license expirations
Access shortcuts to deeper configuration sections
Exploring the Network Tab from the Dashboard
From the FortiGate dashboard, navigating to the
Network tab provides valuable insights into
the firewall’s connectivity and routing configuration.
Under this section, you can:
View Connected Devices: See which devices are
currently connected to the firewall, including their IP
addresses, MAC addresses, and interface
associations.
Monitor Routing Information: Access the routing table to identify static routes and active connections. This helps verify whether routes are properly configured for internet and internal network access.
Check Interface Status: Each interface (e.g., port1,
port2) shows its status (up/down), assigned IP
address, and traffic activity.
Interface Configuration
Interface Configuration on FortiGate Firewall
In this setup, three interfaces are configured on the
FortiGate firewall to manage communication between
the internet, LAN users, and a secure internal critical
server.
1. WAN Interface (port1)
IP Address: 192.168.100.81/24
Role: Connects to the internet through the
upstream router/gateway.
Administrative Access: Enabled for PING and
HTTPS to allow remote management and
connectivity testing.
DHCP Server: Not configured (static IP)
2. LAN Interface (port2)
IP Address Range (via DHCP): 192.168.10.2 – 192.168.10.255
Role: Connects to internal employee/client machines.
DHCP Server: Enabled to assign IPs to client devices.
Administrative Access: Enabled for PING and HTTPS for
GUI and remote testing.
3. Internal Critical Server Interface (e.g., port3)
IP Address Range (via DHCP): 192.168.2.2 – 192.168.2.255
Role: Isolated network segment for sensitive
systems/files.
DHCP Server: Enabled for internal critical server network.
Administrative Access: Disabled to enhance security
(no HTTPS or PING access).
Firewall Policies Overview
Firewall policies define how traffic flows between interfaces,
ensuring only authorized communication is allowed.
Below are the configured rules in this FortiGate setup.
1. Internal Server to WAN – Deny Policy
Prevents the Internal Critical Server (port3) from accessing
the internet through the WAN (port1), ensuring complete
isolation from external networks
2. LAN to Internal Critical Server – Restricted Access
Allows only authorized LAN users (Shehroz and Shehroz-Laptop) to access the Internal Critical Server during work hours.
Security Profiles Applied: DLP, Antivirus, Custom Deep
Inspection, Protect_HTTPS_Server.
3. LAN to WAN – Internet Access for Employees
Grants LAN users internet access through the WAN interface
during work hours.
Security Profiles Applied: Antivirus, IPS (Protect_Client), DLP,
File Filter, Web Filter, EICAR Block.
4. Implicit Deny – Default Block Rule
Denies all traffic not explicitly allowed by the above rules,
serving as a default safeguard.
LAN to WAN – Internet Access Policy
LAN to Internal Critical Server – Controlled
Access Policy
Security Profiles
Configuring Working Hours in FortiGate Firewall Policies
This section explains how to create and apply a custom schedule in FortiGate, such as "Work Time," to control when specific policies (e.g., LAN to WAN or LAN to Internal Server) are active. This enhances security by limiting access to predefined hours.
Restricting Access to a Specific Laptop
Only my laptop (Shehroz’s laptop) is allowed to access the
Internal Critical Server. This is done by identifying the device
using its static IP or MAC address in the policy settings. It
ensures that no other LAN device can reach the server,
adding an extra layer of control and security.
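The policy set, the "Work Time" schedule and the per-laptop address object described in the preceding sections, written out as FortiOS CLI (an added example, not the deck's exported configuration; the laptop IP 192.168.10.50, the weekday 09:00–17:00 window, the policy IDs and the "default" AV profile name are assumptions, while the interface, schedule, IPS and web filter names are the ones the deck gives):

```fortios
# Added example: three explicit policies, the schedule and the host object.
# Assumed: laptop IP, 09:00-17:00 Mon-Fri window, policy IDs, "default" AV profile.
config firewall schedule recurring
    edit "Work Time"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 17:00
    next
end
config firewall address
    edit "Shehroz-Laptop"
        # /32 host object so only this one laptop matches the policy
        set subnet 192.168.10.50 255.255.255.255
    next
end
config firewall policy
    edit 1
        # Explicit deny with logging: blocked attempts stay visible in logs
        set name "InternalServer-to-WAN-Deny"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "LAN-to-InternalServer"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "Shehroz-Laptop"
        set dstaddr "all"
        set action accept
        set schedule "Work Time"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "default"
        set ips-sensor "Protect_HTTPS_Server"
        set logtraffic all
    next
    edit 3
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "Work Time"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "default"
        set webfilter-profile "eicar_block_profile"
        set ips-sensor "Protect_Client"
        set logtraffic all
    next
end
```

Traffic matching none of these policies falls through to the implicit deny; the keywords for attaching DLP and file filter profiles differ between FortiOS versions, so they are omitted here rather than guessed.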
Security Profiles Configuration and Testing
This section covers the setup and application of advanced
security profiles such as Antivirus (AV), Web Filtering,
Intrusion Prevention System (IPS), File Filtering, Data Loss
Prevention (DLP), and Deep Inspection. These profiles are
applied to firewall policies to inspect and control traffic,
ensuring protection against malware, data leaks, and
unauthorized content. Testing was performed to confirm each profile's functionality.
Antivirus (AV) Configuration and Malware Blocking Using Custom External List
In this section, I configured the Antivirus security profile to
scan HTTP, HTTPS, FTP, and email traffic. Instead of using
FortiGuard's threat database, I used a custom external
malware block list containing the hash of the EICAR test file.
This setup demonstrates how FortiGate can detect and block
specific malicious files using user-defined threat indicators
for testing and educational purposes.
EICAR File Testing and Result
To verify the Antivirus profile with the custom external
malware list, I attempted to download the EICAR test file from
a public source. The FortiGate firewall successfully blocked
the file in real-time, and the event was clearly logged in the
monitor section under Security Events. This confirmed that
the custom threat feed and AV profile were working as
expected.
BLOCKED:
LOGS:
Deep Packet Inspection Policy and Usage Overview
1. Edit SSL/SSH Inspection Profile:
Customizable Inspection Names and Comments for
identification.
2. SSL Inspection Options:
Enable SSL inspection for multiple clients connecting to
multiple servers.
Methods available: SSL Certificate Inspection and Full SSL
Inspection.
3. Certificate Management:
Options to block or allow certificates, including untrusted
ones.
Server certificate SNI check for compliance.
4. Protocol Port Mapping:
Inspection can be applied across various protocols (HTTPS, SMTPS, etc.).
Specific settings to inspect, bypass, or block traffic.
5. Exemptions from SSL Inspection:
Allowance for reputable websites and specific web
categories to bypass inspection.
Test 1: Without Fortinet_CA_SSL Certificate Installed
Result: Browsers like Firefox show certificate errors (e.g.,
"Warning: Potential Security Risk Ahead").
Reason: Deep inspection decrypts HTTPS traffic using FortiGate’s CA certificate, which the browser does not trust.
User Experience: HTTPS sites may not load or may require users to accept a security exception manually.
Test 2: With Fortinet_CA_SSL Certificate Installed in Firefox
Result: No certificate warnings; HTTPS sites load normally.
Reason: Browser trusts the Fortinet_CA_SSL certificate
used during SSL inspection.
User Experience: Transparent inspection with no security warnings; full DPI functionality enabled.
Web Filter Test: Blocking Access to EICAR Website Using Static URL Filter
Objective: Demonstrate how FortiGate blocks access to
malicious websites (e.g., EICAR) using Static URL Filtering
without a FortiGuard subscription.
Configuration:
1. Go to Security Profiles > Web Filter.
2. Create or edit a Web Filter profile (e.g., eicar_block_profile).
3. Under Static URL Filter, enable it and add this entry:
URL: *eicar.org*
Type: Wildcard
Action: Block
4. Apply this Web Filter profile to the desired Firewall Policy.
Test: Open a browser and try visiting https://www.eicar.org.
Result: Access is blocked. A FortiGate block page appears
stating the site is blocked by Web Filter.
Conclusion: This proves that even without a FortiGuard
license, FortiGate can block access to specific websites
using static URL filtering.
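The same static URL filter expressed in FortiOS CLI, as an added example rather than the deck's own configuration export (the URL filter table ID 1 and the entry name are assumptions; pattern, type and action are the ones from the steps above):

```fortios
# Added example: static URL filter table and the web filter profile that uses it.
# Assumed: table ID 1 and the table name "eicar_block".
config webfilter urlfilter
    edit 1
        set name "eicar_block"
        config entries
            edit 1
                # Wildcard matches any hostname or path containing eicar.org
                set url "*eicar.org*"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "eicar_block_profile"
        config web
            # Bind the table above to this profile
            set urlfilter-table 1
        end
    next
end
```

Because https://www.eicar.org is served over TLS, the policy that carries this profile also needs an SSL/SSH inspection profile (certificate inspection is enough to read the hostname from the SNI) or the filter never sees the URL to match.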
1. Test: Blocking Access to eicar.org
2. Step: Open a web browser and navigate to
https://www.eicar.org.
3. Expected Result: The website is blocked by the FortiGate
firewall.
4. Observed Behavior:
A FortiGate block page is displayed, denying access to the
site.
In the Log & Report > Web Filter section, a log entry shows
the action as "Blocked" with UTM Filter listed as the reason.
5. Conclusion: This confirms that the Web Filter is working
correctly, preventing access to potentially harmful or test
malware websites without using FortiGuard.
File Filter Configuration: Blocking Specific File Types
Objective: Block the transfer of specific file types (.iso, .exe,
.png, .zip) across various protocols (HTTP, HTTPS, FTP, SMTP,
and others).
Configuration Steps:
1. Go to Security Profiles > Antivirus.
2. Create or edit a profile (e.g., File_Filter_PNG).
3. Enable File Filter.
4. Under File Filter Settings, add the following entries:
.iso
.exe
.png
.zip
5. Set Direction to Both (uploads and downloads).
6. Set Action to Block.
7. Enable file filtering on all protocols, including:
HTTP
HTTPS
FTP
SMTP
IMAP/POP3 (if needed)
8. Apply this antivirus profile to the relevant Firewall Policy.
Test: Blocking File Downloads (ISO, PNG)
1. Step: Attempt to download the following file types from a web browser:
.iso image (e.g., netinst ISO)
.png image (e.g., media_optical png from a website)
2. Expected Result:
The download is blocked by the FortiGate firewall.
A block page appears in the browser stating that the file type is restricted.
3. Observed Behavior:
Firewall displays a "Blocked by File Filter" message.
In Log & Report > Antivirus, entries show the blocked file type, URL, and the action as Blocked (File Filter).
4. Conclusion:
Confirms that the File Filter profile is correctly blocking .iso, .png, and other specified file types across supported protocols.
Advanced Intrusion Prevention System (IPS) Deployment on FortiGate Firewall
To fortify network security and mitigate evolving cyber threats, two
specialized Intrusion Prevention System (IPS) sensors have been
strategically deployed on the FortiGate firewall:
1. Protect_Client – Safeguarding Outbound Traffic (LAN→WAN Policy)
This sensor is engineered to protect internal users from client-side exploits, which are increasingly leveraged in phishing, drive-by downloads, and malware attacks. Key features include:
Blocking malicious URLs to prevent access to compromised or
fraudulent websites.
Scanning outgoing connections to detect and block
communication with known botnet command-and-control (C2)
servers.
Enabled packet logging for forensic analysis and threat hunting.
Prevents zero-day exploits by leveraging FortiGuard’s
continuously updated threat intelligence.
Why It Matters:
By applying this sensor to the LAN→WAN policy, organizations
reduce the risk of malware infections, data exfiltration, and
compliance violations caused by user-initiated connections
to malicious domains.
2. Protect_HTTPS_Server – Shielding Critical Internal
Servers (LAN→Internal Server Policy)
This sensor is tailored to defend web servers and applications
from sophisticated server-side attacks, including:
OWASP Top 10 threats (SQL Injection, XSS, Path Traversal,
Code Injection).
Denial-of-Service (DoS) attempts and buffer overflow
exploits.
Vulnerability-based signatures (e.g., CVE-2003-0245 for
Apache memory corruption).
Strict blocking mode with logging for real-time incident
response.
Why It Matters:
Deploying this on the LAN→Critical Server policy ensures that
internal web applications—such as databases, APIs, and admin
portals—are shielded from both external and insider threats,
minimizing breach risks and service disruptions.
Data Loss Prevention (DLP) Implementation for Secure Outbound Traffic (LAN → WAN Policy)
To enhance data security and prevent sensitive
information leaks, a Data Loss Prevention (DLP) sensor has
been deployed on the LAN→WAN firewall policy for
demonstration and real world protection.
1. Key Components of the DLP Deployment:
DLP Sensor: "DLP-Example-Sensor"
Match Criteria: Triggers when the keyword "dlptest" is
detected in outbound traffic.
Action: Blocks HTTP-POST requests containing the
flagged term.
Logging: Generates immediate alerts for SOC visibility.
2. DLP Profile: "DLP-Example-Profile"
Rule: Uses the sensor to scan HTTP-POST traffic
(common in form submissions, uploads, and APIs).
Enforcement: Blocks unauthorized data transmission in
real time.
3. Test Scenario:
A user attempts to submit the keyword "dlptest" (e.g.,
via web form, email, or cloud upload).
The FortiGate detects and blocks the request instantly,
triggering an alert.
4. Purpose:
Validates DLP efficacy in preventing accidental or
intentional data leaks.
Serves as a foundation for scaling to regulated data
(PII, credit cards, intellectual property).
Demonstration & Validation
FortiGate Denial-of-Service (DoS) Protection Policy Implementation
A Denial-of-Service (DoS) Protection Policy has been
configured on the WAN (port1) interface to mitigate
volumetric attacks, SYN floods, port scans, and other
network-layer anomalies. This ensures uninterrupted
service availability by automatically blocking malicious
traffic before it impacts network performance.
Key Benefits of WAN DoS Policies
Prevents Service Disruption – Blocks floods before they
saturate bandwidth.
Reduces Firewall/Server Load – Stops malicious traffic
early, preserving resources.
Complements IPS & Firewall Rules – Adds an extra layer
before application-level protections.
Supports Compliance – Meets NIST, CIS, and PCI-DSS
requirements for DoS mitigation.
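A WAN-side DoS policy of the kind described above, as an added example in FortiOS CLI (not the deck's exported configuration; the policy name is assumed, the anomaly thresholds are the usual FortiOS defaults and should be tuned to the link's normal traffic):

```fortios
# Added example: DoS policy on the WAN interface (port1).
# Thresholds are the usual FortiOS defaults; baseline with action "pass" and
# logging enabled first, then switch to "block" once normal rates are known.
config firewall DoS-policy
    edit 1
        set name "WAN-DoS"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
        end
    next
end
```

Matches appear under Log & Report as anomaly events, which is where to confirm the policy fires during the validation below.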
Demonstration & Validation
Attack Simulation
FortiGate DoS Policy in Action
Local Authentication Implementation
Deployed FortiGate local LDAP server for user
authentication.
Employees: Must authenticate to access internet
(LAN→WAN).
ICS Group: Requires credentials for critical server access
(LAN→Internal).
Policies enforce role-based controls with logging.
User Groups:
By implementing authentication, we achieve granular user-level visibility, enabling precise tracking of individual internet activity—as demonstrated in the log analysis figure.
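The Employees and ICS groups bound to their policies, shown here with FortiGate's local user database instead of the deck's LDAP setup, as an added example (the usernames, the password placeholder and the policy IDs 2 for LAN→Internal and 3 for LAN→WAN are assumptions):

```fortios
# Added example: local users, the two groups, and group binding on the policies.
# Assumed: usernames, "CHANGE-ME" placeholder passwords, policy IDs 2 and 3.
config user local
    edit "shehroz"
        set type password
        set passwd "CHANGE-ME-placeholder"
    next
    edit "employee1"
        set type password
        set passwd "CHANGE-ME-placeholder"
    next
end
config user group
    edit "Employees"
        set member "employee1" "shehroz"
    next
    edit "ICS"
        # Only this group may reach the Internal Critical Server
        set member "shehroz"
    next
end
config firewall policy
    edit 3
        # LAN-to-WAN: unauthenticated LAN hosts no longer match this policy
        set groups "Employees"
    next
    edit 2
        # LAN-to-InternalServer: source device match AND ICS membership
        set groups "ICS"
    next
end
```

Once a policy carries a group, FortiGate prompts for credentials on first matching traffic, and the resulting traffic logs carry the username, which is what gives the per-user visibility described above.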