Higher Availability in FortiGate and VRRP in Cisco

A brief explanation of the given topology:

- On top, there are two FortiGate firewalls, one active and the other standby.

- High Availability (HA) is configured so that the standby takes over when the active firewall fails.

- There are two core switches running VRRP: CORE-1 as master and CORE-2 as backup.

- Between CORE-1 and CORE-2, two links are bundled into a port channel.

- SVIs and a static default route toward the firewall are configured for the LAN users.

- DHCP servers are configured for the DATA and VOICE VLANs.

- Two Layer 2 switches connect to the cores with trunk uplinks carrying the VLANs.


FortiGate Firewall Configuration

HA Configuration in FortiGate Firewall:


Here I have kept the default priority (128) for “ACTIVE-FIREWALL”, whose role is primary, and set 100 for “STANDBY-FIREWALL”, whose role is secondary.

Figure: the default HA primary-unit selection process in FortiGate.

Note: Here I have given the higher priority to “Fortinet1” to make it the active firewall.

Step 1: Go to System -> HA and do the following configuration. Here I have selected the mode “Active-Passive”, i.e. one firewall is active and the other is standby, waiting for the active one to fail. The group name is “Higher-Availability” and the password is “Admin@123”, but both can be anything you choose. The monitor interface is the interface you want to track: if it goes down, the standby becomes active. In my case this is the LAN interface, “port2”. The heartbeat interface should be the link between the two firewalls, which in my case is “port4”.


Step 2: Go to the standby firewall and apply the same configuration, except for the priority, which must be lower than on the active unit so that this unit becomes the standby.

Note: The group name and password must match on both firewalls, otherwise the HA cluster will not form.
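The same HA settings as Steps 1 and 2, expressed in the FortiOS CLI. This is an added example, not the post's own configuration; it assumes the values given above (port2 as the monitored LAN interface, port4 as the heartbeat link, priorities 128 and 100) and uses a placeholder for the HA password.

```fortios
# ACTIVE-FIREWALL (primary): keeps the default priority of 128
config system ha
    set group-name "Higher-Availability"
    set mode a-p
    set password <ha-password>     # placeholder; must be identical on both units
    set hbdev "port4" 50           # heartbeat link between the two firewalls
    set monitor "port2"            # LAN interface; if it goes down the standby takes over
    set priority 128
end

# STANDBY-FIREWALL (secondary): identical except for the lower priority
config system ha
    set group-name "Higher-Availability"
    set mode a-p
    set password <ha-password>
    set hbdev "port4" 50
    set monitor "port2"
    set priority 100
end

# Verify from either unit once the heartbeat link is up
get system ha status
```

With override left at its default (disabled), FortiOS compares the number of working monitored interfaces and the units' age before it compares priority, so the priority alone does not guarantee which unit is primary after a reboot; `set override enable` makes priority decisive.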


Policy Configuration in FortiGate Firewall:


Step 1: Go to Policy & Objects -> Firewall Policy -> Create New and do the following configuration. Here I have set the name to “LAN-TO-WAN”, the incoming interface to my LAN interface (port2) and the outgoing interface to my WAN interface (port1), with source “all”, destination “all” and service “all”, i.e. traffic from every source to every destination on every service is allowed. NAT is enabled because the traffic is going to reach the internet.

Note: Here I have created two routes: the default route towards the internet, and a static summary route towards the two VLANs (DATA and VOICE) via the core switch.

Step 2: Go to Network -> Static Routes -> Create New and do the following configuration:

Static default route for the internet:

Static summary route for LAN users (DATA & VOICE VLANs):
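The firewall policy and the two static routes from the steps above, as FortiOS CLI. This is an added example, not the post's own configuration. It assumes port1 is the WAN and port2 the LAN interface as stated, that the firewall's next hop towards the core switches is the Vlan100 VRRP address 192.168.10.14 from the CORE-1 configuration further down, and that the summary covering the DATA (192.168.1.0/24) and VOICE (192.168.2.0/24) VLANs is 192.168.0.0/22; the WAN gateway is a placeholder.

```fortios
config firewall policy
    edit 0
        set name "LAN-TO-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"        # as in the post; a tighter service list narrows exposure
        set action accept
        set nat enable           # source NAT to the WAN interface address
        set logtraffic all       # log accepted sessions too, not only denied ones
    next
end

config router static
    # Default route towards the internet
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway <wan-gateway>   # placeholder for the ISP next hop
        set device "port1"
    next
    # Summary route for the DATA and VOICE VLANs via the cores' VRRP address (assumed)
    edit 2
        set dst 192.168.0.0 255.255.252.0
        set gateway 192.168.10.14
        set device "port2"
    next
end
```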




Cisco Core Switch (CORE-1) Configuration


hostname CORE-1
!
! Keep the SVI addresses (.252/.253) and the VRRP virtual IPs (.254) out of the DHCP pools
ip dhcp excluded-address 192.168.1.252 192.168.1.254
ip dhcp excluded-address 192.168.2.252 192.168.2.254
ip dhcp excluded-address 192.168.10.252 192.168.10.254
!
! Track object 100 follows the line protocol of Gi0/2; VRRP uses it to lower its priority
track 100 interface GigabitEthernet0/2 line-protocol
 delay down 5 up 5
!
ip dhcp pool DATA
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 8.8.8.8
ip dhcp pool VOICE
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 dns-server 8.8.8.8
 option 43 ip 192.168.2.254
!
! Port channel between CORE-1 and CORE-2 (Gi0/0 and Gi0/1, LACP active)
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
! Link towards the firewall, in VLAN 100
interface GigabitEthernet1/0
 switchport access vlan 100
 switchport mode access
 negotiation auto
!
! Each SVI tracks object 100 under its own VRRP group: priority 110 drops to 90 when Gi0/2 is down
interface Vlan10
 ip address 192.168.1.252 255.255.255.0
 vrrp 10 ip 192.168.1.254
 vrrp 10 priority 110
 vrrp 10 track 100 decrement 20
!
interface Vlan20
 ip address 192.168.2.252 255.255.255.0
 vrrp 20 ip 192.168.2.254
 vrrp 20 priority 110
 vrrp 20 track 100 decrement 20
!
interface Vlan100
 ip address 192.168.10.1 255.255.255.240
 vrrp 100 ip 192.168.10.14
 vrrp 100 priority 110
 vrrp 100 track 100 decrement 20
!
! Default route towards the firewall's LAN address
ip route 0.0.0.0 0.0.0.0 192.168.10.7
!
end
write memory

Note: CORE-2 mirrors this configuration, with its IP addresses and interfaces changed accordingly.
