From: Turritopsis Dohrnii Teo En Ming <tdtemccnp@gmail.com>
To: netdev@vger.kernel.org
Cc: ceo@teo-en-ming-corp.com
Subject: Fortigate Firewall Setup SOP Draft 13 Mar 2023
Date: Mon, 13 Mar 2023 21:40:57 +0800
Message-ID: <CAD3upLsLPF3nYdD1HHhqiweXt8zzOLKWpdPwuUKrccc1x33XBQ@mail.gmail.com>
Subject: Fortigate Firewall Setup SOP Draft 13 Mar 2023
Collated by: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date: 13 Mar 2023 Monday
Time: 9:21 PM GMT+8 Singapore
01. Register the brand new Fortigate firewall at https://support.fortinet.com
02. Key in the Contract Registration Code. This is very important.
03. Upgrade firewall firmware to the latest version.
04. Set hostname.
XXX-FWXX
05. Set regional date/time. Time zone is important.
06. Enable admin disclaimer page.
config system global
set pre-login-banner enable
end
07. Create firewall super-admin accounts.
a. admin
b. xx-admin
c. si-company
d. abctech
08. Configure WAN1 interface.
Most business broadband plans use DHCP.
09. Enable FTM / SNMP / SSH / HTTPS for WAN1 interface.
10. Configure default static route.
11. Configure LAN interface.
Optional: DHCP Server
12. Set DHCP lease time to 14400.
13. Set the HTTPS port for firewall web admin to 64444.
14. Set the SSL VPN port to 443.
15. Configure LDAP Server.
16. Create Address Objects.
17. Create Address Groups.
18. Configure firewall policies for LAN to WAN (outgoing internet access).
19. Configure and apply security profiles to above firewall policies.
20. Create Virtual IPs.
21. Create custom services.
22. Create service groups.
23. Create firewall policies for port forwarding (WAN to LAN).
24. Configure other firewall policies.
25. Disable FortiCloud auto-join.
config system fortiguard
set auto-join-forticloud disable
end
26. Configure FTM Push.
config system ftm-push
set server-port 4433
set server x.x.x.x (WAN1 public address)
set status enable
end
27. Remove existing firewall/router and connect brand new Fortigate firewall to the internet.
28. Configure FortiGuard DDNS.
xxx-fw.fortiddns.com
29. Configure DNS.
30. Activate FortiToken.
31. Create SSL VPN Group.
32. Create SSL VPN Users (local or LDAP).
33. Configure 2FA for SSL VPN Users.
34. Create SSL-VPN Portals.
35. Configure SSL VPN Settings (split or full tunneling).
36. Configure firewall policies for SSL VPN to LAN.
Optionally configure firewall policies for SSL VPN to WAN (if full tunneling).
37. Configure C-NetMOS Network Monitoring Service.
config log syslogd setting
set status enable
set server "a.b.c.d"
set mode legacy-reliable
set port 601
set facility auth
end
38. Apply hardening steps (Systems Integrator's Internal Document).
39. Convert SOHO wireless router to access point mode.
40. Configure and apply security profiles (REMINDER).
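Several of the steps above (06, 12, 13, 14, 25, 26, 37) are plain CLI settings that can be verified after the fact from a configuration export. The following checker is an added example, not part of the original post or of any Fortinet tool: it parses the `config ... end` / `edit ... next` / `set key value` structure of a FortiOS configuration dump and reports which of those SOP settings are in place. The CLI key names used (`pre-login-banner`, `admin-sport`, `lease-time`, `auto-join-forticloud`, and the `ftm-push` and `syslogd` keys from the SOP) are real FortiOS names; the sample configuration embedded below is constructed for the example, with FortiCloud auto-join deliberately left enabled so that one check fails.

```python
"""Check a FortiOS config export against the CLI-visible items of the SOP.

Added example (not from the original mailing-list post). Input is the text
of a FortiOS configuration export; output is a per-item pass/fail map.
"""
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config a b' opens a section keyed "a b"; 'edit X' opens a table entry
    keyed X; 'set k v ...' stores v (one value -> str, several -> list);
    'next' and 'end' close the current entry or section.  Other verbs
    (e.g. 'unset') are ignored for this check.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quoting FortiOS uses
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def lookup(cfg, *path):
    """Walk the parsed tree; return None if any key on the path is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def sop_checks(cfg):
    """Return {SOP item: bool} for the settings the SOP states explicitly."""
    ftm = lookup(cfg, "system ftm-push") or {}
    syslog = lookup(cfg, "log syslogd setting") or {}
    dhcp = lookup(cfg, "system dhcp server") or {}
    return {
        "06 pre-login banner enabled":
            lookup(cfg, "system global", "pre-login-banner") == "enable",
        "12 DHCP lease time 14400":
            bool(dhcp) and all(e.get("lease-time") == "14400" for e in dhcp.values()),
        "13 admin HTTPS port 64444":
            lookup(cfg, "system global", "admin-sport") == "64444",
        "14 SSL VPN port 443":
            lookup(cfg, "vpn ssl settings", "port") == "443",
        "25 FortiCloud auto-join disabled":
            lookup(cfg, "system fortiguard", "auto-join-forticloud") == "disable",
        "26 FTM push enabled on 4433":
            ftm.get("status") == "enable" and ftm.get("server-port") == "4433",
        "37 syslog legacy-reliable to port 601":
            syslog.get("status") == "enable"
            and syslog.get("mode") == "legacy-reliable"
            and syslog.get("port") == "601",
    }


# Constructed sample export (addresses from documentation ranges).
SAMPLE_CONFIG = """
config system global
    set hostname "ABC-FW01"
    set pre-login-banner enable
    set admin-sport 64444
end
config system dhcp server
    edit 1
        set lease-time 14400
        set interface "internal"
    next
end
config vpn ssl settings
    set port 443
end
config system fortiguard
    set auto-join-forticloud enable
end
config system ftm-push
    set server-port 4433
    set server "203.0.113.10"
    set status enable
end
config log syslogd setting
    set status enable
    set server "192.0.2.20"
    set mode legacy-reliable
    set port 601
    set facility auth
end
"""

if __name__ == "__main__":
    for item, ok in sop_checks(parse_fortios(SAMPLE_CONFIG)).items():
        print(("OK   " if ok else "FAIL ") + item)
```

Feed it a real export (`show full-configuration` output saved to a file) in place of the sample and the same checks apply; items the SOP leaves to the GUI (address objects, policies, security profiles) are not covered here.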
Testing
=======
1. Internet access for all users.
2. VPN connection using FortiToken.
Documentation
==============
Firewall documentation for administrator (settings / policies / VPN).
User Training
==============
A. For Administrator
====================
1. How to access Fortigate firewall URL.
2. How to add/remove/reassign FortiToken.
3. How to add/remove VPN users.
4. How to generate usage report for Government PSG Grant.
B. For End User
================
1. How to connect to VPN.
2. How to use FortiToken.
3. How to connect company laptop to VPN.
===EOF===
Thread overview:
2023-03-13 13:40 Turritopsis Dohrnii Teo En Ming (this message)
2023-06-06 14:03 Reply: Fortigate Firewall Setup SOP Draft 13 Mar 2023 (Bagas Sanjaya)