Explore

INSTALLING FORTINET FIREWALL ON VMWARE WORKSTATION AND HOW TO USE IT

April 4, 2023

by the

RIVAN TECHNOLOGICAL INSTITUTE⁠

⁠

SETUP 1: INITIAL SETUP

Send the file to your selected path. You may download the files from this

link.⁠

⁠

Go to your VMWare Workstation 16 Pro. If you don’t have one, you may need to download it from the official website of

VMWare.⁠

You can use the free trial version or buy it from them.

⁠

Open Virtual Network Editor..

NOTE: Please remember your third octet in your NAT (VmNet8), in my case my third octet is 108. So if yours is 72 or whatsoever then that’s default octet for you to use in the next process.

Select Add Network.

⁠

Select any VMNet of your choice, but for my case I will use VMNet5.

⁠

Wait for the settings to be applied.

A VMnet has been added.

⁠

Set the Subnet IP to 10.2.0.0, and uncheck this setting:

Use local DHCP service to distribute IP address to VMs.

⁠

Save the settings by clicking Apply.

⁠

SETUP 2: INSTALLING WINDOWS SERVER 2019/2022

Go back to your VMWare and click Create a Virtual Machine.

⁠

Select Typical (recommended).

⁠

Choose I will install the operating system later.

⁠

Choose Windows Server 2019 from the dropdown menu.

Or it might be better if the VM has Windows Server 2022 in the options, then select it.

⁠

Name the VM of your choice.

⁠

Set to 40 - 60GB (recommended), and choose Store virtual disk as a single file.

⁠

Click Customize Hardware.

⁠

Select “New CD/DVD...” and click “Use ISO image file”.

⁠

Then click “Browse”.

Select the .iso file that contains the Windows Server OS.

⁠

Select Network Adapter, and select VMNet_ (Host-only).

Click Finish.

⁠

Select Power on this virtual machine.

⁠

When open, click your VM screen, and press Enter multiple times.

⁠

⁠

Click Next.

⁠

Select the second option which has Desktop Experience.

⁠

Accept the License Terms.

⁠

Wait for the installation to finish.

Click Restart now.

⁠

Add a password:

Password: C1sc0123

⁠

SETUP 3: IMPORTING FORTIGATE FIREWALL VM

Click Open to import VMs.

⁠

Find the folder where you download the Fortigate VM.

Select Fortigate-VM64

and click Open.

⁠

Accept the Terms of License

Click “Next”.

⁠

Type the VM name of your choice.

⁠

Select the Network Adapter 2 and set the following options:

Network Adapter 1: NAT

Network Adapter 2: Custom (for my case I will use VMnet5)

⁠

From Network Adapter 3 to 10, you need to uncheck the Connect at power on.

⁠

After unchecking all Network Adapters, click OK.

⁠

SETUP 4: CONFIGURING FORTIGATE FIREWALL IN THE CLI

Select Power on this Virtual Machine.

⁠

Wait for the system to load.

After loading, login your Fortigate with following credentials.

FortiGate-VM65 login: admin

Password: <press Enter Key>

You are force to change your password. Please input your new password:

New Password: pass

Confirm Password: pass

⁠

Type this command to check the license of your Fortigate:

get systemstatus

⁠

NOTE: The license of your Fortigate should appear as “EXPIRED/INVALID”, since I was fast enough to type the command and didn’t finish loading the system, that’s why it appeared as “VALID”. You should retype the command again after loading the system for a few minutes, then the License would now appear as “INVALID”.

Press Ctrl+C to skip command/display.

Type this command to factory reset your Fortigate:

exec factoryreset

Then type y to confirm.

⁠

Wait for the system to reboot

Re-enter the credentials:

FortiGate-VM65 login: admin

Password: <press Enter Key>

You are force to change your password. Please input your new password:

New Password: pass

Confirm Password: pass

⁠

Type this command to check ports and IP:

get system interface physical

⁠

Now you will have a view of your ports and IP.

⁠

*REMINDER: Still remember your third octet? Well in case you forgot, you could check here at this option after we enter the command. Oops, before I forgot, also remember your fourth octet.

SET YOUR PORT1 TO STATIC IP IN YOUR FORTINET INTERFACE BY TYPING THIS COMMAND:

config system interface

edit port1

set mode static

set ip 192.168._._/24

set allowaccess http https ssh telnet ping

exit

SETUP 5: SETTING UP FORTIGATE FIREWALL IN YOUR BROWSER:

Put the IP Address in your browser:

192.168._._

In my case its 192.168.108.69

Enter your credentials:

Username: admin

Password: pass

⁠

Set the name of your choice then click OK.

⁠

Click OK.

⁠

Fortigate Firewall Interface Dashboard.

⁠

Expand the Network Tab, then select Static Routes, and click Create New.

Set the following configurations below:

Gateway Address: 192.168._.2

Interface: port1

Administrative Distance: 10

Status: Enabled

Save changes by clicking OK.

⁠

Ping 8.8.8.8 to the CLI of the Fortigate to check if internet is existing.

exec ping 8.8.8.8

⁠

Expand the Policy & Objects Tab, and select Firewall Policy.

Click Create New.

⁠

Set the following configuration:

Name: <you select>

Incoming Interface: port2

Outgoing Interface: port1

Source: all

Destination: all

Schedule: always

Service: ALL

Action: ✔ ACCEPT

NAT: Enable

Others are default. Click OK to save changes.

⁠

Policy saved.

⁠

Expand the Network Tab, and select port2.

⁠

Set the following configurations:

Alias: WinServerNetwork

Type: Physical Interface

Role: LAN

Addressing Mode: Manual

IP/Netmask: 10.2.0.2/24

IPV4: ✔ (check all options)

⁠

Scroll down and set the following configurations:

**Enable DHCP Server**

DHCP status: Enable

Address range: 10.2.0.101-10.2.0.200

Netmask: 255.255.255.0

Others are default. Click OK to save changes.

⁠

Back to your Windows Server, press Windows+R key to enter Run.

Type this to go to your Network :

ncpa.cpl

Right click Ethernet Adapter then choose Disable.

⁠

Right click again, but this time Enable it.

Go to the Properties of your network to check if the Windows Server has an IP Address.

⁠

SETUP 6: NGFW - WEB FILTER POLICY

FYTE: Go to this website

https://www.fortiguard.com/webfilter⁠

⁠

Type any website you are familiar with to check the Category.

⁠

Go back to your Fortinet, then expand Security Profiles, and select Web Filter.

⁠

Click Create New, and set the following configurations:

URL: *youtube.com \\don't remove the asterisk\\

Type: Wildcard

Action: Block

Status: Enable

Or you could add the website you’ve searched on the WebFilter Lookup.

⁠

After-save.

⁠

Policy Saved.

⁠

Expand Policy & Objects, and select Firewall Policy.

Double click Internet Access.

⁠

Add this option.

Web Filter: \\the policy you've set on Web Filter, in my case it's called "No_Youtube"\\

SSL Inspection: no-inspection

⁠

Go to your Windows Server, and test the website if it’s still accessible or blocked.

⁠

Now try adding *facebook.com and test it yourself.

⁠

SETUP 7: NGFW - DNS FILTER

Expand the Security Profiles Tab, and select DNS Filter.

⁠

Click Create New. Set the name to as No_Shopping.

Find the Category named Shopping, then click “Redirect to Block Portal” above.

⁠

Find Redirect to Portal IP below.

Click “Specify”, and set the IP Address to 69.69.69.69, save changes by clicking OK.

⁠

Go back to Policy and Objects, and select Firewall Policy.

⁠

Select the pen icon under Security Profiles column, and then choose the No_Shopping you set at DNS Filter. Save it by clicking Apply.

⁠

Go back to your Windows Server, and then check some websites that is associated with Shopping to see if it is still accessible or blocked. You can use the

Web Filter Lookup⁠

to check the category of the website.

Whether it works or not, you can just simply just check by opening the Command Prompt and typing this command:

nslookup <url>

⁠