FortiOS 7.4.2 Base Firewall Config

  • Published: Jan 2, 2025

Comments • 35

  • @FortinetGuru 1 year ago +7

    The initial configuration you put on your SOHO FortiGate is critical. FortiOS 7.4.2 brings some new features and approaches to things. Follow this video to get a basic foundational configuration live that will give you the starting point you need.

  • @RaviChinasamy 1 year ago +5

    Can't wait for the heavy hitters episodes 😅 but it's always great to get back to basics. This episode could be called Fortigate 101 😂

  • @rev686 3 months ago

    Thanks for this video. I was scratching around the internet and saw this video. I use forti at home and work and I implemented the OUTSIDE SDWAN treatment over my existing home/lab setup. I've since had 8 outages due to water infiltrating the carrier's systems down the road and the fail-over to my backup 4G service has been flawless. I was aware that this could be done but... just too many things got in the way of doing the book learning to stand this up. Your video quickly plugged that knowledge gap and I've now happily moved into playing more with the SDN functionality away from the traditional routed world... awesome stuff, easy to config, easy to control across link failures and restoration - total no-brainer. Thank you.

  • @buldozzer3456 1 year ago +2

    I am using Fortigates for my MSP customers for quite some time now and have automated all the steps (and more of course) using the API and a config script. It's always nice to see the basics again. 👍

    • @FortinetGuru 1 year ago +2

      The API is making things sooo much smoother

    • @kevindylla1528 1 year ago

      Hey there, I'm tinkering with the API as well. Do you mind sharing? Would greatly appreciate

    • @mikezero7422 11 months ago

      mind sharing the script? 😢

  • @thesollys9540 1 year ago +5

    Hi Mike, always liked your videos, thank you. Just a couple of points to note about your basic setup that a few new FortiGate guys might not have noticed. You were administrating over the WAN interface with https ON; make sure you tell everyone to close that off. And you didn't put any administrative protocols on the LAN; maybe use local-in policies to trusted hosts? Also, I noticed you were using flow inspection policies instead of proxy, which I might add has caused a few issues with Let's Encrypt certs of late. Perhaps you could explain to folks the difference, and what best practice on inspection modes is and which protocols to use them with.

    • @FortinetGuru 1 year ago +1

      All excellent points. And all will make excellent videos. Thank you sir!

    • @xDefq0n1x 1 year ago

      Can't you leave https and restrict to specific hosts?

    • @FortinetGuru 1 year ago +1

      @xDefq0n1x you can. A lot of ways to approach it. Next video will cover locking a unit down.
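
Added example, not part of any comment above and not from the video: a small Python audit of the two settings raised in this thread, admin protocols left on the WAN interface and admin accounts with no trusted hosts. The sample config is constructed; the script assumes WAN ports carry `set role wan` and that an admin entry with no `trusthost` line accepts logins from any address.

```python
import re
MGMT = {"https", "http", "ssh", "telnet"}  # admin protocols; ping is not counted
# Constructed sample in FortiOS CLI syntax (not taken from the video).
SAMPLE = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: [values]}}}; nested sub-tables are skipped."""
    tree, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)] or [""]
        if nested:  # inside e.g. "config ipv6" under an edit entry
            nested += (tok[0] == "config") - (tok[0] == "end")
        elif tok[0] == "config" and entry is not None:
            nested = 1
        elif tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            section, entry = (section if tok[0] == "next" else None), None
    return tree

def audit(text):
    """Flag admin access on WAN-role interfaces and admins without trusted hosts."""
    tree, out = parse(text), []
    for name, cfg in tree.get("system interface", {}).items():
        exposed = sorted(MGMT & set(cfg.get("allowaccess", [])))
        if cfg.get("role") == ["wan"] and exposed:
            out.append(f"interface {name}: admin access on WAN: {' '.join(exposed)}")
    for name, cfg in tree.get("system admin", {}).items():
        if not any("trusthost" in key for key in cfg):
            out.append(f"admin {name}: no trusted hosts")
    return out
```

Calling `audit()` on the text of a config backup returns one line per finding; an empty list means neither condition was found.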

  • @jaywill1978 1 year ago +1

    Always enjoy your content and way of explaining things. Keep it coming! 🙌🏼

  • @RichardDePas 1 year ago

    Merry Christmas Mike! Thanks for another informative video.

  • @A1N0 8 months ago

    Very helpful. Been using Fortigate for 2+ years and still learning. A big problem is WRONG things can MOSTLY work which can provide a false sense that it's all good. But still holding off of 7.4.3. They say SD-WAN isn't really working.

  • @izoka1828 1 year ago

    Merry Xmas for you and your family!

  • @vachsenv 1 month ago

    Just getting started (with 7.4.3 on a 60F) and already stuck at 2:50 and Internal Zones. An "internal" option is not showing in New Zone>Interface Members>Select Entries. In fact, none of the entry options are the same except "dmz". Actually, my switch does not have a Network>Interfaces>Hardware Switch, but rather has Network>Interfaces>VLAN which are not available as something that can be put in a Zone. But it also has a FortiSwitch connected to it. Perhaps that overrides something but it seems the VLAN (unique to the FortiGate Internal ports) could still be put in a Zone. Looks like I need to learn more on Zones before I can implement them on a Base Configuration.

  • @popescusilviu9948 9 months ago

    Hi! Can you do an updated video on the profile based vs policy based NGFW of fortigate? I would like to know if the policy based mode has improved

  • @HC19200 1 year ago

    Thanks for your video Mike!

  • @Nimitz_oceo 9 months ago

    Fantastic content. I think the best way will be for you to make an entire course. However long at least you will lay out all the details.
    YouTube is ok but we have to search through to specific videos.

  • @pnfpnf819 1 month ago

    Hello. I'm new to Fortinet FW's so Thank you for all your great and helpful videos. I'm used to working with PA Fw's, so I'm a bit confused on the Zones with Fortinet FW's. I tried following this video and lost you on the zones section. I was able to create an inside zone and assign it the trusted interface I configured. When I try to do the same with the outside zone, I have the option to select any interface but my WAN1 interface I configured as my outbound traffic. I'm sure I'm doing something wrong just have not been able to figure out what it is. BTW I'm using a 61F. Thank you

  • @jeremypeterson8002 10 months ago

    Great video, it helped me a lot, small problem though... when I remove all policies youtube is still blocked? I have no clue why. And ssl inspection is still on policy in monitoring mode

  • @bandido428 1 year ago +1

    In iptables, I can redirect traffic to any DNS I choose, including internal without the user knowing. To them it's the one they put in DNS. How do I do that in FortiGate? I can't figure it out!

  • @RCSubmarinevideo 1 year ago

    I would love to look over your shoulder on what you do after. You mention running a report and chipping away....how? Thank you for your channel.

    • @FortinetGuru 1 year ago

      Sir. It’s coming 😊

    • @daviddavila9581 9 months ago

      @FortinetGuru I'll "second" the request to see how you generate reports to chip away at the outbound allow all rule. Also, I noticed on your firewall, under the list of Security Profiles, I did not see IPS. Where'd it go? It's my understanding, though I could be wrong, that the most basic support plan, the Essential plan, includes licensing for Application Control and IPS security profiles, right? Thanks for the great vids! Been following you for years!

  • @JaZzDeOliveira 6 months ago

    Would you recommend the same inside zone if I am setting up a LACP with multiple VLAN's and will be looking to do policies that allow some VLAN's to talk between one another and for some to not have internet breakout?

    • @FortinetGuru 6 months ago +1

      You would add the VLANs to the zone not the aggregate interface. If you block intra-zone communication you can use policy to allow vlan to vlan communication.

    • @JaZzDeOliveira 6 months ago

      @FortinetGuru Thank you, I suppose then if I have a Local IP on the aggregate interface and wanted to use it as "Native" then that too would be added to the zone?

  • @jeffrey8859 1 year ago

    Why not use the Internet Services database which is built in Fortinet for known destinations / services (like Google DNS)?

    • @FortinetGuru 1 year ago

      That is briefly mentioned in the video. When I’m talking about building more specifics higher up you can use the database for destinations that may be dynamic. Absolutely right.

  • @TechNicoe 1 year ago

    Great video

  • @---tr9qg 1 year ago +2

    c'mon man, where is your beard? Thanks for tutorial!!! 🙃

  • @bl7937 1 year ago

    Mike, can you please explain the differences between Fortigate and Ubiquiti udm-pro? I’m more accustomed to Fortigate but recently looked into Ubiquiti and their GUI is outstanding. But wanted to ask if there is a way to put each device through a series of benchmark tests if you will to determine which one is more secure.

    • @daviddavila9581 9 months ago

      Hey @bl7937, years ago I ran USGs with Unifi APs. But, I found the feature set of USGs to be lacking, along with Unifi's support. I switched over to Fortigate firewalls with Unifi APs (Fortigate's APs are still too pricey IMO)... and haven't looked back since... especially since Unifi released the CloudKey v2 with built in 1TB drive for video camera support. To be fair, I've heard Unifi support has improved. But, I'm not sure their firewall is up to Fortigate's maturity level.