INSTALLING FORTINET FIREWALL ON VMWARE WORKSTATION AND HOW TO USE IT

April 4, 2023

SETUP 1: INITIAL SETUP

Send the file to your selected path. You may download the files from this


Go to your VMware Workstation 16 Pro. If you don’t have it, download it from the official VMware website. You can use the free trial version or buy it from them.

Open Virtual Network Editor.

NOTE: Remember the third octet of your NAT network (VMnet8). In my case the third octet is 108. If yours is 72 or anything else, that is the octet you will use in the later steps.
Select Add Network.




Select any VMnet of your choice; in my case I will use VMnet5.

Wait for the settings to be applied.


A VMnet has been added.

Set the Subnet IP to 10.2.0.0, and uncheck this setting:
Use local DHCP service to distribute IP address to VMs.



Save the settings by clicking Apply.


SETUP 2: INSTALLING WINDOWS SERVER 2019/2022

Go back to VMware Workstation and click Create a Virtual Machine.

Select Typical (recommended).

Choose I will install the operating system later.

Choose Windows Server 2019 from the dropdown menu.
If Windows Server 2022 is available in the options, select it instead.

Give the VM a name of your choice.

Set the disk size to 40-60 GB (recommended), and choose Store virtual disk as a single file.

Click Customize Hardware.

Select “New CD/DVD...” and click “Use ISO image file”.
Then click “Browse”.

Select the .iso file that contains the Windows Server OS.

Select Network Adapter, and select VMNet_ (Host-only).



Click Finish.

Select Power on this virtual machine.

When the VM opens, click inside the VM screen and press Enter several times.

Click Next.

Select the second option which has Desktop Experience.

Accept the License Terms.

Wait for the installation to finish.
Click Restart now.

Add a password:
Password: C1sc0123

Log in to your Windows Server, and let’s proceed to the next setup.


SETUP 3: IMPORTING FORTIGATE FIREWALL VM

Click Open to import VMs.

Find the folder where you downloaded the FortiGate VM.
Select Fortigate-VM64 and click Open.

Accept the license terms and click “Next”.

Type a VM name of your choice.

Select Network Adapter 2 and set the following options:
Network Adapter 1: NAT
Network Adapter 2: Custom (in my case I will use VMnet5)

For Network Adapters 3 through 10, uncheck Connect at power on.
After unchecking all of them, click OK.


SETUP 4: CONFIGURING FORTIGATE FIREWALL IN THE CLI

Select Power on this Virtual Machine.

Wait for the system to load.
After it loads, log in to your FortiGate with the following credentials.
FortiGate-VM65 login: admin
Password: <press Enter Key>

You are forced to change your password. Please input your new password:
New Password: pass
Confirm Password: pass

Type this command to check the license of your FortiGate:
get system status
NOTE: The license of your FortiGate should appear as “EXPIRED/INVALID”. In my case it appeared as “VALID” only because I typed the command before the system had finished loading. Retype the command a few minutes after the system has loaded, and the license will then appear as “INVALID”.

Press Ctrl+C to skip command/display.



Type this command to factory reset your FortiGate:
exec factoryreset

Then type y to confirm.

Wait for the system to reboot.
Re-enter the credentials:
FortiGate-VM65 login: admin
Password: <press Enter Key>

You are forced to change your password. Please input your new password:
New Password: pass
Confirm Password: pass

Type this command to check ports and IP:
get system interface physical


Now you will have a view of your ports and IP.
*REMINDER: Still remember your third octet? In case you forgot, you can check it here in the output of this command. Before I forget, also note your fourth octet.

Set port1 to a static IP on your FortiGate by typing these commands:
config system interface
    edit port1
        set mode static
        set ip 192.168._._/24
        set allowaccess http https ssh telnet ping
end


SETUP 5: SETTING UP FORTIGATE FIREWALL IN YOUR BROWSER:

Enter the IP address in your browser:
192.168._._
In my case it’s 192.168.108.69

Enter your credentials:
Username: admin
Password: pass

Set a name of your choice, then click OK.

Click OK.

The FortiGate Firewall Interface Dashboard appears.

Expand the Network Tab, then select Static Routes, and click Create New.
Set the following configuration:
Gateway Address: 192.168._.2
Interface: port1
Administrative Distance: 10
Status: Enabled
Save changes by clicking OK.

Ping 8.8.8.8 from the FortiGate CLI to check that internet connectivity exists:
exec ping 8.8.8.8

Expand the Policy & Objects Tab, and select Firewall Policy.
Click Create New.

Set the following configuration:
Name: <you select>
Incoming Interface: port2
Outgoing Interface: port1
Source: all
Destination: all
Schedule: always
Service: ALL
Action: ✔ ACCEPT
NAT: Enable

Others are default. Click OK to save changes.

Policy saved.

Expand the Network Tab, and select port2.

Set the following configurations:
Alias: WinServerNetwork
Type: Physical Interface
Role: LAN
Addressing Mode: Manual
IP/Netmask: 10.2.0.2/24
IPV4: ✔ (check all options)

Scroll down and set the following configurations:
Enable DHCP Server

DHCP status: Enable
Address range: 10.2.0.101-10.2.0.200
Netmask: 255.255.255.0

Others are default. Click OK to save changes.

Back on your Windows Server, press the Windows+R keys to open Run.
Type this to open your Network Connections:
ncpa.cpl
Right-click the Ethernet adapter, then choose Disable.
Right-click it again, but this time choose Enable.
Go to the Properties of your network to check that the Windows Server has an IP address.
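The GUI steps in this setup (static route, firewall policy, port2 addressing and DHCP server) expressed as FortiOS CLI, as an added example that is not part of the original walkthrough. It assumes a factory-reset unit so that entry ID 1 is free in each table, uses the author's third octet 108 for the gateway and the author's policy name "Internet Access", and leaves port2's administrative-access checkboxes to the GUI step.

```fortios
# Added example; values follow the walkthrough (third octet 108 is the author's).
# Assumes a factory-reset unit, so entry ID 1 is unused in each table.
config router static
    edit 1
        set gateway 192.168.108.2
        set device "port1"
        set distance 10
    next
end
config firewall policy
    edit 1
        set name "Internet Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat enable
    next
end
# port2: administrative-access checkboxes are left to the GUI step.
config system interface
    edit "port2"
        set mode static
        set ip 10.2.0.2 255.255.255.0
        set alias "WinServerNetwork"
        set role lan
    next
end
# Assumption: default-gateway is the port2 address, since the page leaves it at its default.
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.2.0.2
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.2.0.101
                set end-ip 10.2.0.200
            next
        end
    next
end
```

Afterwards, `show firewall policy` and `get router info routing-table all` print the saved policy and the default route for comparison with the GUI.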


SETUP 6: NGFW - WEB FILTER POLICY

FYTE: Go to this website
Type any website you are familiar with to check the Category.

Go back to your Fortinet, then expand Security Profiles, and select Web Filter.

Click Create New, and set the following configurations:
URL: *youtube.com (don't remove the asterisk)
Type: Wildcard
Action: Block
Status: Enable
Or you could add the website you’ve searched for on the WebFilter Lookup.

After saving.

Policy Saved.

Expand Policy & Objects, and select Firewall Policy.
Double click Internet Access.

Add these options:
Web Filter: (the policy you've set on Web Filter; in my case it's called "No_Youtube")
SSL Inspection: no-inspection

Go to your Windows Server, and test whether the website is still accessible or blocked.

Now try adding *facebook.com and test it yourself.


SETUP 7: NGFW - DNS FILTER

Expand the Security Profiles Tab, and select DNS Filter.

Click Create New. Set the name to No_Shopping.
Find the Category named Shopping, then click “Redirect to Block Portal” above.

Find Redirect to Portal IP below.
Click “Specify”, set the IP address to 69.69.69.69, and save changes by clicking OK.

Go back to Policy and Objects, and select Firewall Policy.

Select the pen icon under the Security Profiles column, and then choose the No_Shopping profile you set at DNS Filter. Save it by clicking Apply.

Go back to your Windows Server, and then check some websites that are associated with Shopping to see whether they are still accessible or blocked. You can use the WebFilter Lookup to check the category of a website.

To check whether it works, open the Command Prompt and type this command:
nslookup <url>
If you see the IP address 69.69.69.69, that means the policy works.


SETUP 8: NGFW - APPLICATION CONTROL

Expand the Security Profiles, and then select Application Control.

Click Create New.
Name the Profile as No_Email.
Find Email Category. Click the eye icon and change it to Block/Disallow.

Select the pen icon under the Security Profiles column, and then choose the No_Email profile you set at Application Control. Save it by clicking Apply.

Test some websites related to email to see whether they are still accessible or blocked. You can use the WebFilter Lookup to check the category of a website.


SETUP 9: USER AUTHENTICATION (Basic Setup)

Expand the User & Authentication Tab.