Fortinet – How to Connect AP to Fortinet

fortigatefortinetnetworking

I'm very new to Firewalls. Internet to my servers goes through a Fortinet Firewall. I wanted to add a wifi connection for other users as well, so I connected a NetGear Router as Access Point and gets DHCP from the firewall. It worked, and users connected to the AP have an internet connection.

But, I also want to access servers from that router, but the router does not see the servers and can't access any Application that is on those servers.
what should I do to make that. Bellow are the port settings

Best Answer

By default, the Fortigate blocks all connections, like any real firewall does. You need to add policies to permit wireless users to access the servers.

You could simply allow all wireless users to make any kind of connection to any server, but it's generally better to permit only what is required: ADS/SMB for Windows server, SMTP/IMAP/POP3 for mail server, etc. Note that the specific applications are explicitly off-topic here.

For wireless clients to find the servers by name they'll need access to your internal DNS - either directly per policy or if you use the Fortigate's DNS server by delegation.

Related Solutions

Fortigate Logging: Prevent Ping to Firewall Interface While Logging Implicitly Denied Traffic

For Fortigate firewalls running FortiOS 5.0 or newer, it is possible to use the CLI to specifically disable logs for accepted traffic directed to the firewall itself:

Log on to firewall using SSH, then run the following commands (assuming the firewall has a VDOM named 'root')

config vdom
edit root
config log settings
set local-in-allow disable

This has to be done on a per VDOM basis.

Once this is done, the firewall keeps logging all denied traffic, without logging accepted pings, SNMP monitoring queries etc.

Fortinet has more informationg here: http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_log.17.13.html

For Fortigate firewalls running FortiOS older than 5.0, I suppose the best advice is to upgrade to 5.0 or newer and then apply the setting suggested above. It seems like the feature 'set local-in-allow disable' is not available before FortiOS 5.0.

How to pinpoint bandwidth consumers on the Fortigate

This sounds like a case study for sFlow. The best way for you to figure out what's going wrong is to figure out who's talking to who - and how much. Just spin up your favorite sFlow analyzer and start tracking the bandwidth consumption of individual users.

Here's an example sFlow configuration pulled from sflow.com that you'd put on your WAN interface:

config system sflow
   set collector-ip 10.X.X.X
   set collector-port 6343
end

config sys interface
    edit
       set sflow-sampler enable
       set sample-rate 64
       set sample-direction both
       set polling-interval 30
    next
end

^{Configuration snippet pulled from sflow.com, Configuring FortiGate appliances.}

Best Answer

Related Solutions

Fortigate Logging: Prevent Ping to Firewall Interface While Logging Implicitly Denied Traffic

How to pinpoint bandwidth consumers on the Fortigate

Related Topic