Who is this guide for?
This guide is for IT support engineers, junior network admins, and anyone who keeps hearing “FortiGate”, “policy”, “NAT”, “VPN” in meetings but never got a simple explanation of what’s actually happening.
We’ll keep it beginner-friendly, practical, and written in a human tone — no heavy theory, just enough so you feel confident when you log in to a Fortinet firewall.
What is a Firewall (in simple words)?
A firewall sits between your internal network and the outside world (usually the internet) and decides which traffic is allowed and which traffic is blocked.
You can think of it like a smart security gate in front of your office building. Every person (packet) must pass that gate. The guard checks:
- Who are you (source IP)?
- Where are you going (destination IP and port)?
- What are you trying to do (application/protocol)?
- Do we have a rule that allows this?
What is Fortinet & FortiGate?
Fortinet is a security company, and FortiGate is their firewall product line. When people say “Fortinet firewall”, they usually mean a FortiGate appliance or virtual firewall.
Key features of FortiGate (at a glance)
- NGFW (Next-Generation Firewall): Not just IP/port, but application-aware filtering.
- IPS (Intrusion Prevention System): Detects and blocks known attacks.
- Web filtering: Block categories (social media, adult, malware, etc.).
- Application control: Block/allow apps like Tor, torrents, proxies.
- Anti-virus / Anti-malware: Scan traffic going through the firewall.
- VPN: Site-to-site IPsec VPN and SSL VPN for remote users.
- SD-WAN: Use multiple internet links in a smart way (automatic failover, and steering traffic per application or by link quality).
- Logging & reporting: Local logs or via FortiAnalyzer / syslog.
Basic FortiGate Concepts You Must Know
1. Interfaces & Zones
Every physical or virtual port (WAN, LAN, DMZ) is an interface. You can:
- Assign IP addresses to interfaces (e.g. LAN 192.168.10.1/24).
- Group interfaces into zones (e.g. “Internal”, “WAN”).
Using zones makes policy management easier when you have many interfaces.
2. Firewall Policies (Rules)
Policies decide what traffic is allowed. Each policy has:
- From (source interface/zone)
- To (destination interface/zone)
- Source (IP, address group)
- Destination
- Service (port/port-group like HTTP, HTTPS, DNS)
- Action (accept/deny)
- NAT (on/off)
- Security profiles (web filter, AV, app control, IPS)
FortiGate processes policies from top to bottom. First match wins, so policy order is very important. Note that the policy ID is just a label; what counts is the position in the list. Anything that matches no policy hits the implicit deny at the bottom, which is not logged unless you enable logging on it, so a missing "deny" log does not mean the traffic was allowed.
3. Address & Service Objects
- Address objects: Store hosts, ranges, subnets (e.g. “Server-DMZ”, “HR-PCs”).
- Service objects: Define ports (e.g. HTTP = TCP/80, RDP = TCP/3389).
Instead of typing IPs everywhere, you use objects. This makes policies easier to read and maintain.
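As an added example (not from the original article), here is what objects and two ordered policies look like in the FortiOS CLI. The interface names "internal" and "wan1", the HR subnet and the blocked host address are assumptions for illustration; a more specific deny sits above the general allow, and the move command is there because the position, not the ID, decides the order. Lines starting with # are comments, not commands.

```fortios
# Address objects: reuse these in policies instead of raw IPs
config firewall address
    edit "HR-PCs"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "Blocked-Host"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# A custom service object (RDP also exists as a built-in service)
config firewall service custom
    edit "RDP-3389"
        set tcp-portrange 3389
    next
end

config firewall policy
    # Specific deny first: HR must never reach Blocked-Host
    edit 10
        set name "Block-HR-to-Blocked-Host"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "HR-PCs"
        set dstaddr "Blocked-Host"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # General allow below it: HR to the internet on web ports only
    edit 20
        set name "HR-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "HR-PCs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
    # Make the order explicit: the deny must be evaluated before the allow
    move 10 before 20
end

# Check the resulting order
show firewall policy
```

If you swapped the order, policy 20 would match first and the deny would never be hit; "show firewall policy" prints the policies in evaluation order so you can confirm.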
4. NAT & VIP (Port Forwarding)
- Source NAT (SNAT): Hide internal IPs (192.168.x.x) behind the WAN IP. On FortiGate this is the "NAT" switch on the outbound policy.
- Virtual IP (VIP): Publish an internal server to the internet (e.g. NAT 1.2.3.4:443 → 192.168.10.10:443). The inbound policy uses the VIP object as its destination, and NAT stays off on that policy so the server still sees the real client IP.
VIPs are used for web servers, mail servers, VPN portals, etc.
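The VIP from the example above, as an added FortiOS CLI example that is not part of the original article. The interface names "wan1" and "internal" are assumptions; the public IP 1.2.3.4 is the article's placeholder. Lines starting with # are comments.

```fortios
# Destination NAT: 1.2.3.4:443 on wan1 -> 192.168.10.10:443
config firewall vip
    edit "VIP-Web-443"
        set extip 1.2.3.4
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.10"
        set extport 443
        set mappedport 443
    next
end

# Inbound policy: destination is the VIP object, not the internal address
config firewall policy
    edit 30
        set name "Inbound-Web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-Web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

Two things beginners get wrong here: using the server's internal address object as the destination (the packet arrives for 1.2.3.4, so it never matches), and enabling NAT on the inbound policy, which rewrites the source to the firewall's interface IP and hides every client behind one address in the server logs.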
5. Security Profiles
Security profiles are extra protections you can attach to a policy:
- Web filter: Block harmful or unwanted websites.
- Application control: Control apps even if they use common ports.
- IPS: Stop known exploits and attacks.
- Anti-Virus: Scan files and downloads.
- SSL inspection: Inspect HTTPS traffic. Certificate inspection only looks at the server certificate; deep inspection decrypts the traffic and requires the FortiGate CA certificate to be installed on every client, so it needs planning (and a decision on which categories, such as banking or health, to exempt).
Common Deployment Scenarios
1. Edge Firewall (Most common)
FortiGate placed between your ISP modem and your internal switches. It acts as the default gateway for your LAN and protects everything behind it.
2. Transparent / Bridge Mode
Firewall is placed in-line but without changing IP addressing (layer 2). Useful when you can’t easily redesign the network but still want inspection and policies.
3. Internal Segmentation Firewall
FortiGate placed between critical servers and the rest of the network to isolate sensitive areas, like finance or HR servers.
4. Branch Office with SD-WAN
Branch FortiGate uses multiple WAN links (fibre + LTE) and builds secure VPN tunnels to the head office.
Step-by-Step: Basic FortiGate Setup (High Level)
Note: This is a conceptual overview, not a full config guide.
- Connect your laptop to a LAN port of the FortiGate.
- Access the web GUI via browser (HTTPS to the management IP).
- Log in as admin, immediately change the default admin password, and restrict administrative access: no HTTPS/SSH on the WAN interface, and trusted hosts on the admin account so logins are only accepted from your management subnet.
- Configure WAN interface:
- Set IP (static or DHCP from ISP).
- Configure DNS servers.
- Configure LAN interface:
- Assign LAN IP (e.g. 192.168.10.1/24).
- Enable DHCP server for clients if needed.
- Create a basic policy: LAN → WAN:
- Source: LAN subnet or “all”.
- Destination: “all”.
- Service: “all” (or common ports first).
- Action: Accept, NAT: enabled.
- Attach web filter, AV, IPS profiles if licensed.
- Test internet from a LAN PC: ping, browse, etc.
- Gradually tighten access (specific destinations, categories, apps).
Licensing: Free vs Paid Features
FortiGate will still route and do basic firewalling even without a subscription, but most advanced security profiles (AV, IPS, web filter databases) require a valid licence.
For lab and learning, you can use:
- FortiGate VM evaluation builds (time-limited).
- Offline lab with basic policies (no live threat feeds).
Everyday Tasks for IT Support on FortiGate
- Check why a user cannot reach a website or server — policy, DNS, routing, or web filter?
- Temporarily allow a new app/port for a specific team.
- Check logs: which policy is matching, is traffic being blocked?
- Create/modify a VPN user account (a local user, or a user group mapped to AD via LDAP/RADIUS).
- Monitor bandwidth usage: who is consuming a lot of internet?
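For the first and third tasks above (why can't this PC reach that site, and which policy is matching), here is the check sequence a practitioner runs on the CLI. It is an added example, not from the original article; the client IP 192.168.10.50 and the destination port are assumptions. Lines starting with # are comments.

```fortios
# Is there a route at all, and can the firewall itself reach the internet?
get router info routing-table all
execute ping 9.9.9.9

# Trace how the FortiGate handles the client's HTTPS traffic:
# the output names the policy ID that matched (or the implicit deny)
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.10.50
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# ... now reproduce the problem from the PC, then stop the trace:
diagnose debug disable
diagnose debug reset

# Are packets even arriving, and on which interface? (verbosity 4 shows interface names)
diagnose sniffer packet any 'host 192.168.10.50 and port 443' 4 20

# Read the traffic log for that client from the CLI (category 0 = traffic)
execute log filter category 0
execute log filter field srcip 192.168.10.50
execute log display
```

Read the results in this order: no packets in the sniffer means the PC's gateway or the switch path is wrong, not the firewall; a flow trace ending in "Denied by forward policy check" means the policy set, and a traffic log entry with an accepted policy but a UTM block means a web filter or application control profile is the cause. Always finish with "diagnose debug disable" so the trace does not keep running.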