FortiGate Configuration Reference
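# RADIUS server definition. Both secrets are the shared keys that protect every
# RADIUS exchange with the server, so use long random values; ms_chap_v2 only
# protects the user password, not the RADIUS packets themselves.
# NOTE(review): 1645 is the legacy RADIUS authentication port (RFC 2865 assigns
# 1812) - confirm which port the server actually listens on before applying.
config user radius
    edit "Radius-1"
        set server {{ ip }}
        set secret {{ key }}
        set radius-port 1645
        set auth-type ms_chap_v2
        set secondary-server {{ sec_ip }}
        set secondary-secret {{ sec_key }}
    next
end

# User group that matches a RADIUS group attribute returned by "Radius-1".
# Every table is closed explicitly: the original went straight from `next` into
# `config user group` without `end`, and closed the nested `config match` entry
# with a single `end`, so the script would not load as written.
config user group
    edit "{{ group }}"
        set member "Radius-1"
        config match
            edit 1
                set server-name "Radius-1"
                set group-name "{{ group }}"
            next
        end
    next
end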
# Enable multi-VDOM operation, then create the VDOM itself.
# NOTE(review): `vdom-admin` is the older keyword; newer FortiOS releases use
# `set vdom-mode multi-vdom` instead - confirm against the target firmware.
config system global
    set vdom-admin enable
end

config vdom
    edit "{{ vdom_name }}"
    next
end
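# Per-unit identity.
config system global
    set hostname "{{ host_name }}"
end

# Active-passive HA cluster. group-id, group-name and password must match on
# both members; the password authenticates heartbeat traffic, so it needs a
# real value (the original `set password` had no argument and would not parse).
# The heartbeat device names were the literal strings portX/portY in the
# original and are now placeholders - substitute the real heartbeat ports.
# NOTE(review): if the heartbeat links are not physically isolated, consider
# `set authentication enable` / `set encryption enable` as well; confirm both
# keywords exist on the target firmware.
config system ha
    set group-id {{ number }}
    set group-name "{{ name }}"
    set mode a-p
    set password "{{ ha_password }}"
    set hbdev "{{ hb_port_1 }}" 50 "{{ hb_port_2 }}" 50
    set session-pickup enable
    set ha-mgmt-status enable
    # mgmt1 becomes the reserved HA management interface: make sure nothing
    # (DHCP server, route) references it before applying.
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway {{ gateway_ip }}
    set override disable
    set ha-direct enable
end

# mgmt1: per-unit address used to log in to one specific cluster member.
# mgmt2: shared address that only ever reaches the active unit.
# The original carried `****` remarks inline on the `edit`/`set` lines, which
# the CLI does not accept, and mgmt2's vdom/ip/role lines had no values.
config system interface
    edit "mgmt1"
        set ip {{ ip }} {{ subnet }}
        set dedicated-to management
        set allowaccess ping https ssh fgfm
    next
    edit "mgmt2"
        set vdom "{{ mgmt_vdom }}"
        set ip {{ mgmt2_ip }} {{ mgmt2_subnet }}
        set allowaccess ping https ssh snmp fgfm
        set role {{ role }}
    next
end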
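# Central NAT: source NAT is driven by the central-snat-map table rather than
# by `set nat enable` on individual firewall policies.
config system settings
    set central-nat enable
end

# The IP pool must exist before the SNAT map references it, so it is created
# first (the original created it afterwards and never closed the SNAT table
# with `end`). arp-reply makes the unit answer ARP for the pool range on
# arp-intf.
config firewall ippool
    edit "{{ description }}"
        set startip {{ start_ip }}
        set endip {{ end_ip }}
        set arp-reply enable
        set arp-intf "{{ arp_int }}"
    next
end

# SNAT rule: traffic from source_ip to any destination is translated into the
# pool. nat-ippool takes the pool *name*, so it must match the `edit` above.
# NOTE(review): srcintf/dstintf were absent in the original; on the releases
# I know a central SNAT entry requires both - confirm on the target firmware.
config firewall central-snat-map
    edit {{ number }}
        set srcintf "{{ src_interface }}"
        set dstintf "{{ dest_interface }}"
        set orig-addr "{{ source_ip }}"
        set dst-addr "all"
        set nat-ippool "{{ nat_ip }}"
    next
end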
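# Basic interface settings. In the original the `set` lines came before `edit`,
# so there was no entry for them to apply to; `set ip` also lacked a mask, and
# allowaccess used Jinja filter syntax (`{{ ping|ssh|https }}`) where a plain
# placeholder was intended.
config system interface
    edit "{{ port }}"
        set vdom "{{ vdom }}"
        set alias "{{ description }}"
        set ip {{ ip }} {{ subnet }}
        # space-separated list of management protocols, e.g. `ping ssh https`
        set allowaccess {{ allowaccess }}
        set role {{ role }}
    next
end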
# Static route via the given gateway and egress device.
# NOTE(review): no `set dst` is given, so this is presumably meant as the
# default route (FortiOS defaults dst to 0.0.0.0/0) - confirm that is intended.
config router static
    edit 1
        set gateway {{ ip }}
        set device "{{ interface }}"
    next
end
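# Outbound policy with full UTM and logging. dstaddr and service are wide open
# ("all" / "ALL"), so the attached AV, web filter, IPS and application-control
# profiles are the only controls on this traffic; `logtraffic all` together
# with `logtraffic-start` records the start and end of every session.
# The policy id is a placeholder (the original pinned `edit 15`) so the
# template does not collide with an existing entry.
# NOTE(review): with central NAT enabled (see the central-snat-map snippet),
# per-policy `set nat enable` is not what performs SNAT - confirm which model
# this deployment uses and drop the line if central NAT is in effect.
# NOTE(review): the UTM profiles need an ssl-ssh-profile to inspect encrypted
# traffic; confirm the expected profile name on the target firmware.
config firewall policy
    edit {{ policy_id }}
        set name "{{ description }}"
        set srcintf "{{ src_interface }}"
        set dstintf "{{ dest_interface }}"
        set srcaddr "{{ src_ip }}"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "{{ ssl_profile }}"
        set logtraffic all
        set logtraffic-start enable
        set comments "{{ comments }}"
        set av-profile "{{ av }}"
        set webfilter-profile "{{ web }}"
        set ips-sensor "{{ ips }}"
        set application-list "{{ application }}"
    next
end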