πŸ›‘οΈ FortiGate Security Essentials

Dipali Bhalerao

Module 1 of the "Packets & Protocols" Series

Get started with security fundamentals and understand how to harden a network from the edge:

  • Initial firewall setup & interface configuration

  • Deploying Fortinet’s Security Fabric

  • Crafting firewall policies and NAT rules

  • Enabling user authentication and access control

  • Web filtering and application control

  • Antivirus, IPS, DoS protection

  • SSL VPN deployment for remote users

  • Logging, monitoring, and certificate management

πŸ” What is a Firewall?

A firewall acts as a gatekeeper between your internal network and the internet. It decides what traffic is allowed, denied, or inspected based on pre-defined security rules.

FortiGate is a Next-Generation Firewall (NGFW), meaning it offers:

  • Deep packet inspection

  • Application-aware filtering

  • Intrusion prevention

  • VPN services

  • Web & content filtering

  • DoS protection

  • Advanced threat detection (AV/IPS)

  • Traditional Firewalls work at Layer 3/4 (IP, port, protocol) and are limited to basic traffic filtering.

  • NGFWs operate up to Layer 7, providing deep packet inspection, app control, user awareness, and advanced security features like IPS, AV, DoS protection, and SSL inspection.

    πŸ” If you're securing modern networks against today's threats, NGFWs like FortiGate are essential.

    Today, let’s not just list features β€” let’s walk through a real-life scenario that brings FortiGate firewall concepts to life πŸ’‘

The Story: You’re Securing a Mid-Sized Company

Imagine you're hired as a Network Security Engineer at "DAB Solutions", a 100-employee company with:

  • 2 offices (Mumbai HQ & Pune Branch)

  • Sales, HR, IT, and Guest Wi-Fi departments

  • Remote staff working from home

  • Growing attack surface with cloud apps & web services

Your job? ✅ Deploy a FortiGate firewall to secure and optimize everything!

Let’s begin the deployment...

βš™οΈ Step 1: Initial FortiGate Setup

You rack-mount the FortiGate 100F, power it up, and access it via web GUI.

πŸ”§ Real Config:

  • Management IP: 192.168.1.99/24

  • DNS: Cloudflare 1.1.1.1

  • Hostname: FG-Mumbai

  • Admin password hardened

💡 Tip: Keep port1 for LAN, port2 for WAN.
Once basic setup is done, you move on to...

🔗 Step 2: Connect Devices with Fortinet Security Fabric

Since DAB has FortiSwitches and FortiAPs too, you enable Security Fabric.

This lets you:

  • Authorize downstream devices from HQ FortiGate

  • Share threat intel (if FortiClient detects malware → firewall knows)

  • View all devices in a topology map

🧠 Example: When an infected laptop connects to Wi-Fi, FortiAP notifies FortiGate → blocks internet → alerts admin!

Step 3: Create Firewall Policies + Enable NAT

You define LAN to WAN policies for Internet access.

Example Policy:

# LAN → To: WAN
Source: HR_Group
Destination: All
Service: HTTP, HTTPS, DNS
Action: Accept
NAT: Enabled ✅

🔒 NAT is key: it hides internal IPs from the internet.

🎯 Use Case:

  • Allow Sales full internet

  • Restrict Intern VLAN to business tools only (no YouTube/Netflix)

📛 Step 4: Enable User Identity & Role-Based Access

DAB doesn’t want to depend on IPs alone.
So you configure LDAP authentication with Active Directory.

Example:

  • Group: Sales_Users

  • User: DAB

  • Access: Internet + Zoom + CRM

💡 HR users now log in to Wi-Fi using AD credentials and get internet access based on their role, not their IP.

🌐 Step 5: Secure with Web Filtering & App Control

Management wants to block distractions.

You apply:

  • ✅ Web Filter: Block Gambling, Adult, Gaming, Hacking

  • ✅ App Control: Block BitTorrent, Snapchat, PUBG, Zoom (for interns)

🎯 Real Impact:

  • Marketing team can use Instagram Ads

  • Guest Wi-Fi blocks torrents and dark web

🧠 Tip: Add a deep inspection profile to detect hidden traffic (like QUIC over port 443)

🛡️ Step 6: Antivirus, IPS & DoS Defense

You enable:

  • Antivirus: Stops malware downloads

  • IPS: Blocks known attacks such as brute-force attacks, DoS, and malware (viruses, worms, ransomware)

  • DoS Policy: Prevents SYN flood attacks on the web server

💡 Real Case:
Your public-facing web server (192.168.10.10) is safe from:

  • CVE exploits

  • Botnet scans

  • Traffic floods

πŸ” Step 7: SSL VPN for Remote Users

Remote engineers need access to internal Git, Jira & Linux servers.

You configure:

  • SSL VPN Portal (port 10443)

  • Map to Engineering_Group

  • IP pool: 10.10.20.0/24

πŸ§‘β€πŸ’» DAB user (DevOps) connects via FortiClient, logs in with AD, and directly RDPs into 192.168.3.100

βœ… WFH team now securely connects β€” without exposing critical infra to the internet!

πŸ“Š Step 8: Logging, Certificates & Monitoring

To stay audit-compliant:

  • You forward logs to FortiAnalyzer

  • Set up alerts for:

    • Policy violations

    • Blocked websites

    • VPN logins

📜 Also installed:

  • Internal CA certs for SSL deep inspection

  • NTP sync to ensure accurate log timestamps

🎯 Real Result:
You can trace who downloaded what, when, and which user triggered a policy block
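A sketch of that tracing step over forwarded logs, added here as an example (not part of the original article). The log lines are constructed and the field names (`user`, `srcip`, `policyid`, `action`, `hostname`, `catdesc`, `app`) are assumptions modelled on the FortiOS key=value log format; check them against your own FortiAnalyzer export.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS-style key=value format (not real logs).
SAMPLE_LOGS = '''\
date=2025-01-15 time=09:12:03 type="traffic" subtype="forward" srcip=192.168.20.14 user="intern01" dstip=203.0.113.50 dstport=6881 policyid=12 action="deny" app="BitTorrent"
date=2025-01-15 time=09:13:40 type="utm" subtype="webfilter" srcip=192.168.20.14 user="intern01" hostname="casino.example" policyid=7 action="blocked" catdesc="Gambling"
date=2025-01-15 time=09:15:22 type="traffic" subtype="forward" srcip=192.168.10.31 user="hr_anita" dstip=198.51.100.8 dstport=443 policyid=3 action="accept" app="HTTPS"
date=2025-01-15 time=09:20:05 type="utm" subtype="webfilter" srcip=192.168.30.77 hostname="games.example" policyid=9 action="blocked" catdesc="Games"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BLOCK_ACTIONS = {"deny", "blocked"}  # traffic deny and web-filter block

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def blocked_events(text):
    """Return who was blocked, when, by which policy, and what they tried to reach."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("action") not in BLOCK_ACTIONS:
            continue
        events.append({
            # Timestamps are only comparable across devices if NTP is in sync.
            "when": f'{rec.get("date")} {rec.get("time")}',
            # Guest or pre-login traffic has no user field: fall back to source IP.
            "user": rec.get("user") or f'unauthenticated@{rec.get("srcip")}',
            "policyid": rec.get("policyid"),
            "target": rec.get("hostname") or f'{rec.get("dstip")}:{rec.get("dstport")}',
            "reason": rec.get("catdesc") or rec.get("app", ""),
        })
    return events

def blocks_per_user(events):
    """Count blocked events per identity to spot repeat offenders."""
    return Counter(e["user"] for e in events)

if __name__ == "__main__":
    for event in blocked_events(SAMPLE_LOGS):
        print(event)
```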

💡 Local-in Policy Concept

Not all traffic goes through the FortiGate. Some traffic is destined for the FortiGate itself.

Example:

  • HTTPS admin access (443)

  • SSL VPN connections (10443)

  • Ping or SNMP from NMS

These are controlled by local-in policies.

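config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end

✅ This prevents attackers from reaching your FortiGate GUI via public WAN. The predefined HTTPS service matches TCP 443 only, so the SSL VPN listener on 10443 is unaffected, and any other admin protocol enabled on the interface (such as SSH) needs its own deny entry.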
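One way to check a config backup for admin access that the local-in policy above does not cover, added here as an example (not from the original article or from Fortinet). It goes slightly beyond the HTTPS case by checking every admin protocol in `set allowaccess`; the config excerpt is constructed and trimmed, and the parser handles only flat `config`/`edit`/`set` blocks.

```python
import re

# Constructed excerpt in FortiOS config-backup syntax (not from a real device).
SAMPLE_CONFIG = '''\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set service "HTTPS"
        set action deny
    next
end
'''

MGMT = {"https", "http", "ssh", "telnet"}  # admin keywords used by "set allowaccess"

def parse_sections(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    out, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tok:
            continue
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
            out[section] = {}
        elif tok[0] == "edit" and section:
            entry = out[section].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return out

def exposed_admin_services(text, intf):
    """Admin protocols enabled on intf that no local-in deny policy covers."""
    cfg = parse_sections(text)
    iface = cfg.get("system interface", {}).get(intf, {})
    allowed = set(iface.get("allowaccess", [])) & MGMT
    denied = set()
    for pol in cfg.get("firewall local-in-policy", {}).values():
        # Assumptions: a missing action means deny; service object names are
        # matched to allowaccess keywords by lowercasing (HTTPS -> https).
        if intf in pol.get("intf", []) and pol.get("action", ["deny"]) == ["deny"]:
            denied |= {s.lower() for s in pol.get("service", [])}
    return sorted(allowed - denied)

if __name__ == "__main__":
    print(exposed_admin_services(SAMPLE_CONFIG, "wan1"))
```

On the sample, the HTTPS deny covers the GUI but SSH on wan1 is still reported as reachable.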

🧠 Final Thoughts – Tie It All Together

Here’s how all these features worked at DAB:

Feature | Real Impact
Security Fabric | Unified visibility from switch to endpoint
Policies + NAT | Department-wise access + Internet routing
Identity Control | Enforced per-user firewall rules
Web Filter | Blocked distractions + threats
IPS & AV | Protected from malware & known exploits
SSL VPN | WFH staff securely accessed resources
Local-In | Hardened FortiGate from direct attack

This is the power of an NGFW like FortiGate when it’s deployed thoughtfully and practically.

🧾 Summary: Checklist for Your FortiGate Deployment

✅ Basic Setup
✅ Fabric Connection
✅ Layered Policies (Users, VLANs)
✅ NAT Rules
✅ SSL VPN for remote
✅ Logging + Certs
✅ Web & App Filters
✅ IPS, AV, DoS
✅ Local-in Policies for lockdown

🙌 What’s Next?

Next week in Packets & Protocols, we’ll cover:
πŸ›£οΈ FortiGate Infrastructure & Advanced Features

Follow me on Hashnode or LinkedIn to stay updated!
Until then, stay secure & keep learning πŸ”πŸš€
