Monday, 10 June 2013

Guide to allowing access from a specific IP address to the external network on a FortiGate 200A.


On a FortiGate firewall you can exempt specific IP addresses so that nothing blocks them, or give them priority for a certain internet speed/bandwidth. Usually this is needed for VIP users, or to give VoIP devices a stable connection. The setting can be managed by IP address, subnet, etc.
**Note: If your network uses a proxy server, you must disable the proxy setting in the web browser on the client PC before it can browse without interruption.

Step 1: Assign an IP address to the PC. Gather the related information and details.
As usual, before we can configure the IP address in the firewall, we need to make sure that we have the appropriate details before proceeding to the next step.
IP Address: 10.8.18.20
Subnet Mask: 255.255.255.0 (/24)
Default Gateway: 10.8.1.1
Primary DNS server: 10.8.1.21
Secondary DNS server: 10.8.1.31

Step 2: Add the user's IP address in Firewall Objects.
After getting all the details you need, you can start adding the IP address in the firewall.

    1.  Go to Firewall Objects > Address > Address
    2.  Click Create New
    3.  A page like the one below appears. Fill in the information appropriate to your settings.

Address Name: PC-test
Type: Subnet/IP Range
Subnet/IP Range: 10.8.18.20/255.255.255.0
Interface: Any

    4.  Click OK for the changes to take effect.

Step 3: Create a bypass group in Firewall Objects. (Optional)
If you are creating multiple users for the same purpose, you can simplify management of those IP addresses by putting them together into a single group.
    1.  Go to Firewall Objects > Address > Group
    2.  Click Create New at the top of the page.
    3.  Fill in the information appropriate to your settings.
    4.  Click OK for the changes to take effect.

Step 4: Add the information in a Firewall Policy.
    1.  Go to Policy > Policy.
    2.  Click Create New at the top of the page.
    3.  A new page with several fields is displayed. Fill in the details as in the example below.
    Source Interface/Zone: Internal interface
    Source Address: pc-test
    Destination Interface/Zone: External interface
    Destination Address: All
    Schedule: Always
    Service: Any
    Action: Accept
    Log Allowed Traffic: Enable
    Enable NAT: Enable. Use Destination Interface Address
    UTM: Enable. (If you have purchased an activation key for the UTM service, choose the UTM services you want.)

    4.  Click OK for the changes to take effect.
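The same objects and policy from Steps 2 to 4 expressed as FortiOS CLI commands, added here as an illustration and not part of the original post. The interface names "internal" and "wan1" are assumptions for this unit (check yours with get system interface), and service "ANY" with "set logtraffic enable" are the FortiOS 4.x forms.

```fortios
# Added example (not from the original post): CLI equivalent of Steps 2 to 4.
# Assumptions: LAN interface is "internal", WAN interface is "wan1";
# verify the names on your unit with: get system interface

# Step 2: address object for the PC. Note that the page's 255.255.255.0 mask
# matches the whole 10.8.18.0/24 subnet, not just this host; use
# 255.255.255.255 if only the single PC should be exempted.
config firewall address
    edit "PC-test"
        set subnet 10.8.18.20 255.255.255.0
    next
end

# Step 3 (optional): group several bypass hosts under one name
config firewall addrgrp
    edit "bypass-group"
        set member "PC-test"
    next
end

# Step 4: the allow policy; ID 0 makes the firewall assign the next free ID
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "PC-test"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
        set utm-status enable
        # attach the licensed profiles here, e.g. set av-profile "default"
    next
end
```

Policies are matched top-down, so move this policy above the general internal-to-external rule (move <id> before <other-id> inside config firewall policy) or it is never hit. With Service set to ANY the host gets unrestricted outbound access, which is why the UTM profiles stay enabled on the policy.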


Step 5: Set a static IP on the client PC. (Optional)
If you have a DHCP server on your network and each user is bound to their own IP address, you do not need to configure a static IP for these users. Otherwise, you need to configure a static IP on their PCs manually.
    1.  Go to Control Panel > Network and Sharing Center
    2.  Click Change Adapter Settings.
    3.  Open the properties of the connected adapter and enter the details from Step 1. Make sure you have entered the right configuration.
    4.  Click OK for the changes to take effect.

Step 6: Verify the network connection.

Your setup is done. You can check the internet speed and the other settings you configured in the firewall from those client PCs.
