IPsec Tunnel Between FortiGate Firewall and Cisco Router



Cisco IPsec Tunnel Configuration:

hostname WAN_ROUTER

! Phase-1
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Admin@123 address 172.16.1.1

! Phase-2
crypto ipsec transform-set Cisco_to_Fortinet esp-des esp-md5-hmac
 mode tunnel

crypto map Cisco_to_Fortinet 2 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set Cisco_to_Fortinet
 match address vpn-traffic

ip dhcp pool LAN
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.254

interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 crypto map Cisco_to_Fortinet

ip access-list extended vpn-traffic
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.16.1.1
end

write mem


FortiGate IPsec Tunnel Configuration:

Phase-1

Step 1: Configuring the Remote Gateway IP address (here I have chosen my WAN interface).

Step 2: Configuring the Pre-Shared Key and the encryption type (here I have chosen DES-MD5 as my encryption technique).

Phase-2

Step 3: Configuring the Phase-2 Local LAN and Remote LAN addresses (here my local LAN of 192.168.1.0/24 is behind the FortiGate firewall and my remote LAN of 10.1.1.0/24 is behind the Cisco router).

Step 4: Configuring the Phase-2 encryption method (here I have chosen DES-MD5 as my encryption technique and the same key lifetime as on the Cisco router).

Step 5: Configuring the policies for incoming and outgoing traffic through the tunnel (here I have created two policies: the incoming one, TUNNEL_TO_LAN, and the outgoing one, LAN_TO_TUNNEL).

Step 6: Configuring the static IP route towards the remote site via the VPN tunnel.
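Before bringing the tunnel up, every negotiated parameter has to mirror the other end exactly: the peer addresses, the pre-shared key, the Phase-1 encryption/hash/DH group, the Phase-2 transform and the traffic selectors (what is "local" on the FortiGate is the destination in the Cisco ACL). The Python script below is an added example, not code from the original post; it parses the Cisco crypto configuration shown above and compares it with the values the FortiGate steps enter. The dictionary key names, the trimmed sample configuration and the FortiGate WAN address 172.16.1.1 (inferred from the Cisco `set peer` line, which the post never states explicitly) are this example's own assumptions. It also flags DES, MD5 and DH group 2: they negotiate fine in the lab, but a production tunnel should not use them.

```python
"""Cross-check the Cisco IOS crypto configuration against the FortiGate phase1/phase2 values."""
import ipaddress
import re
# Constructed sample: the tunnel-relevant lines of the WAN_ROUTER configuration in this post.
CISCO_CONFIG = """
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Admin@123 address 172.16.1.1
crypto ipsec transform-set Cisco_to_Fortinet esp-des esp-md5-hmac
crypto map Cisco_to_Fortinet 2 ipsec-isakmp
 set peer 172.16.1.1
 match address vpn-traffic
interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 crypto map Cisco_to_Fortinet
ip access-list extended vpn-traffic
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Constructed sample of what Steps 1-4 enter on the FortiGate (keys are this example's own names,
# not FortiGate API fields). local_gw is inferred from the Cisco "set peer" line; the post never states it.
FORTIGATE = {
    "local_gw": "172.16.1.1", "remote_gw": "172.16.1.2", "psk": "Admin@123",
    "phase1": {"encryption": "des", "hash": "md5", "group": 2},
    "phase2": {"encryption": "des", "hash": "md5"},
    "local_subnet": "192.168.1.0/24", "remote_subnet": "10.1.1.0/24",
}
# IOS applies these defaults when a line is omitted from "crypto isakmp policy".
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": 1, "authentication": "rsa-sig"}
# Choices that negotiate fine but should not be used on a production tunnel.
WEAK = {"des": "DES (56-bit) is broken", "md5": "MD5 is deprecated for IKE/ESP integrity",
        2: "DH group 2 (1024-bit MODP) is below current guidance"}

def _stanzas(config):
    """Yield (header words, [indented child lines]) for each top-level IOS stanza."""
    header, children = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            children.append(line.strip())
        elif line.strip():
            if header:
                yield header, children
            header, children = line.split(), []
    if header:
        yield header, children

def parse_cisco(config):
    """Pull out every parameter the FortiGate side has to match."""
    out = {"phase1": dict(ISAKMP_DEFAULTS), "phase2": {}, "selectors": []}
    for words, children in _stanzas(config):
        head = " ".join(words[:3])
        if head == "crypto isakmp policy":
            for child in children:
                key, value = child.split(maxsplit=1)
                out["phase1"][key] = int(value) if key == "group" else value
        elif head == "crypto isakmp key":
            out["psk"], out["psk_peer"] = words[3], words[5]
        elif head == "crypto ipsec transform-set":  # tokens look like esp-<enc> and esp-<hash>-hmac
            for alg in words[4:]:
                if alg.endswith("-hmac"):
                    out["phase2"]["hash"] = alg[4:-5]
                elif alg.startswith("esp-"):
                    out["phase2"]["encryption"] = alg[4:]
        elif head.startswith("crypto map") and words[-1] == "ipsec-isakmp":
            for child in children:
                if child.startswith("set peer"):
                    out["peer"] = child.split()[2]
                elif child.startswith("match address"):
                    out["acl"] = child.split()[2]
        elif words[0] == "interface" and any(c.startswith("crypto map") for c in children):
            out["wan_ip"] = next(c for c in children if c.startswith("ip address")).split()[2]
        elif head == "ip access-list extended":
            for child in children:  # only the network/wildcard form used in the post is handled
                m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", child)
                if m:  # ipaddress accepts the IOS wildcard as a host mask after the slash
                    src, dst = ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")
                    out["selectors"].append((words[3], src, dst))
    return out

def compare(cisco, fgt):
    """Return (mismatches, warnings); any mismatch stops Phase-1 or Phase-2 from completing."""
    pairs = [("remote gateway", cisco.get("wan_ip"), fgt["remote_gw"]),
             ("crypto map peer", cisco.get("peer"), fgt["local_gw"]),
             ("pre-shared key address", cisco.get("psk_peer"), fgt["local_gw"]),
             ("pre-shared key", cisco.get("psk"), fgt["psk"]),
             ("phase1 authentication", cisco["phase1"].get("authentication"), "pre-share")]
    pairs += [(f"{p} {f}", cisco[p].get(f), fgt[p][f]) for p in ("phase1", "phase2") for f in fgt[p]]
    mismatches = [f"{label}: Cisco={c!r} FortiGate={g!r}" for label, c, g in pairs if c != g]
    # Selectors are mirrored: FortiGate local -> remote must appear on Cisco as src=remote, dst=local.
    local, remote = (ipaddress.ip_network(fgt[k]) for k in ("local_subnet", "remote_subnet"))
    if (remote, local) not in [(s, d) for acl, s, d in cisco["selectors"] if acl == cisco.get("acl")]:
        mismatches.append(f"no entry in ACL {cisco.get('acl')!r} permits {remote} -> {local}")
    seen = dict.fromkeys([*cisco["phase1"].values(), *cisco["phase2"].values()])
    warnings = [WEAK[v] for v in seen if v in WEAK]
    return mismatches, warnings

if __name__ == "__main__":
    print(compare(parse_cisco(CISCO_CONFIG), FORTIGATE))
```

Run against the lab values the script reports no mismatches and three weak-algorithm warnings; change the FortiGate PSK, hash or remote subnet in FORTIGATE and the corresponding line shows up as a mismatch before either box ever logs a failed negotiation.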

 

Note: This document was produced on virtual machines in an EVE-NG emulator environment. Please follow the official vendor documentation before applying it in a real-world environment, as the scenario may differ there.
