
How to Configure a FortiGate Firewall from Scratch

In this hands-on guide, we will configure a FortiGate firewall starting from a factory reset state. We will cover establishing connectivity, configuring SD-WAN for failover, setting up Link Aggregation (LAG/LACP) to a switch, creating VLANs, and defining firewall policies including port forwarding and traffic shaping.

Step 1: Initial Connection and Setup

After performing a factory reset, the FortiGate firewall defaults to a specific IP address on its management ports. To connect, plug your PC directly into one of the switch ports (LAN ports) on the device.

1. Access the Web GUI

Ensure your computer obtains an IP address via DHCP. The default gateway for this model (60E) is usually 192.168.1.99. Open a browser and navigate to:

https://192.168.1.99

Log in using the default credentials.

You will be prompted to change the password immediately upon login. Once inside, it is recommended to set your correct Time Zone under System > Settings and optionally enable Dark Mode for better visibility.

Step 2: SD-WAN Configuration

We will configure Software-Defined WAN (SD-WAN) to manage two internet connections (WAN1 and WAN2) for failover redundancy.

1. Remove Existing References

Before creating an SD-WAN zone, you must ensure the WAN interfaces are not being used by any existing firewall policies. Delete any default policies referencing "WAN1" to free up the interface.

2. Create the SD-WAN Zone

Navigate to the Network tab and create a new SD-WAN zone. Add both WAN1 and WAN2 as members of this zone. Because the FortiGate automatically creates dynamic routes for WAN interfaces that receive their address via DHCP, you generally do not need to add static routes manually.

3. Verification

You can verify connectivity by running a continuous ping from the CLI console while physically unplugging one WAN cable at a time. The failover should occur with minimal packet loss.

execute ping google.com

Step 3: LACP and Switch Configuration

To increase bandwidth and redundancy to the downstream switch, we will configure Link Aggregation (LAG) using LACP (802.3ad).

1. Configure the Aggregate Interface

In the Network > Interfaces menu, select the ports you wish to aggregate (e.g., Port 1 and Port 2). Create a new interface set to 802.3ad Aggregate. Assign an IP address to this interface for management purposes.

[Image of network diagram showing VLAN trunking and access ports]

Step 4: Creating VLANs

We will segment the network into two VLANs: one for Clients and one for Servers. These VLANs will be created on top of the LAG interface we just configured.

1. Client VLAN (ID 20)

Create a new interface with the type VLAN. Set the Interface to your LAG/Switch interface. Assign VLAN ID 20 and an IP address (e.g., 192.168.20.1). Enable a DHCP server for this VLAN.

2. Server VLAN (ID 30)

Repeat the process for the Server VLAN using ID 30 and a different subnet (e.g., 192.168.30.1).

Step 5: Firewall Policies

By default, the FortiGate blocks traffic between interfaces. We need to create policies to allow traffic to flow.

1. Outbound Internet Access

Create a policy allowing traffic from the Client VLAN to the SD-WAN Zone. Enable NAT (Network Address Translation) for this rule so clients can reach the internet.

2. Internal Traffic (Client to Server)

Create a policy allowing traffic from the Client VLAN to the Server VLAN. For internal traffic, disable NAT. Restrict the allowed services to HTTP/HTTPS only, so clients can reach the web server but nothing else on the Server VLAN.

Step 6: Port Forwarding (Virtual IP)

To allow external access to an internal web server, we use a Virtual IP (VIP).

1. Create the VIP Object

Go to Policy & Objects > Addresses. Create a new VIP. Map the External Interface IP (WAN Public IP) to the Internal IP of your server (e.g., 192.168.30.100). You can specify "Port Forwarding" to map external port 80 to internal port 80.

2. Geo-Blocking Policy

Create a firewall policy from the SD-WAN Zone to the Server VLAN. Set the destination as your VIP object. To increase security, you can set the source address to a specific country (e.g., Sweden) using GeoIP objects; traffic from all other countries then matches no policy and is dropped by the implicit deny.
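The VIP and geo-restricted inbound policy from this step expressed in the FortiOS CLI, as an added example rather than the guide's own steps; the public IP 203.0.113.10, the SD-WAN zone name virtual-wan-link, the Server VLAN interface name vlan30 and the object names are assumptions (placeholders to replace with your own).

```fortios
# Added example: CLI equivalent of Step 6 (VIP + geo-restricted inbound policy).
# Assumed values: extip 203.0.113.10 (placeholder public IP), SD-WAN zone
# "virtual-wan-link", Server VLAN interface "vlan30", and the object names below.

# 1. VIP: forward external TCP/80 to the internal web server on TCP/80 only.
config firewall vip
    edit "vip-web-80"
        set extintf "any"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "192.168.30.100"
        set mappedport 80
    next
end

# 2. Geography address object: only sources geolocated in Sweden match it.
config firewall address
    edit "geo-sweden"
        set type geography
        set country "SE"
    next
end

# 3. Inbound policy: SD-WAN zone -> Server VLAN, destination is the VIP,
#    service limited to HTTP, NAT off (the VIP already performs the DNAT),
#    logging on so accepted sessions are visible in the forward-traffic log.
config firewall policy
    edit 0
        set name "inbound-web-from-sweden"
        set srcintf "virtual-wan-link"
        set dstintf "vlan30"
        set srcaddr "geo-sweden"
        set dstaddr "vip-web-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
        set logtraffic all
    next
end
# A source outside Sweden, or a port other than 80, matches no policy and
# falls through to the implicit deny at the bottom of the policy list.
```

Policies are evaluated top-down, so keep this rule above any broader policy from the SD-WAN zone to the Server VLAN.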

Step 7: Traffic Shaping

To ensure fair bandwidth usage, we can apply traffic shaping policies.

1. Create a Traffic Shaper

Create a "Per-IP Shaper" and set the maximum bandwidth (e.g., 20 Mbps). Navigate to your internet access policy (Client to SD-WAN) and enable Traffic Shaping. Select your new shaper; because it is a per-IP shaper, the limit applies separately to each client IP address rather than to the policy as a whole.
