Fortinet Fortigate Deployment

Deployment of Fortigate 100E

Just wanted to share my experience of a recent engagement where I configured and deployed (remotely :)) a Fortigate firewall. Configuring the Fortigate was relatively simple. The network in place was a Sonicwall, and this was going to be a rip and replace scenario. The client was very apprehensive of the upgrade because A.) they had no idea how everything was set up ("It was all inherited," as they like to say). I did an onsite visit (THE most important part of a deployment in my opinion).

I went on site with the client. Got an idea of how everything was laid out physically. Did a diagram that I could not only use to improve the design but could also rely on the night of the cutover in case cables were moved whose previous location we did not know. From there the design is relatively easy depending on what needs to be done. Pretty much the firewall is acting as the edge device for both security and layer 3. The most uncertainty during the deployment was the IPSEC tunnels that ran to various locations for various reasons, none of which was documented (and still isn't…).

The night of the cutover, the local hands get on site and have to do a couple of configuration items before we finalize the deployment. So, some back story on this: they do not have a management VLAN for the network devices. So, the current firewall was giving out the IP to the new Fortigate device. This needed to be changed on the Fortigate since it would be the new default gateway/DHCP server. Then the trunk link would need to be relocated to the new firewall. So with all that being said, the on site help was responsible for this as I could not be on site (even though I really really wanted to be, that is another story though). So, the on site help begins the cutover and runs through the steps above. I see the firewall come up in Forticloud and I was able to catch for a sec the configuration of the main VLAN interface. This was misconfigured. I get on the phone with the on site tech and he just simply says nothing was working after moving the cable. Well duh, right? If it's not configured correctly, it's not going to work. That simple. So, luckily I was able to catch this and keep him honest. He had to revert for a sec because there were still users in the office unfortunately. So, round 2, the change is implemented and almost everything is working LAN wise. The 2nd issue, which actually took most of the time, was the IPSEC tunnels. I ultimately had to run through configuring each one of these manually as I could not get the Fortigate VPN wizard working (even on remote Fortigate firewalls). I did not have time to investigate as we were in the middle of the cutover. I would like at some point to see where I might have gone wrong in my config. Nonetheless, I get pretty much all of them working and we call it a night.

The only issues that were reported the next few weeks were wifi slowness, which we attributed to users needing to disconnect and reconnect to the new firewall/DHCP server. Secondly, there was just policy needed between certain VLANs. Pro tip: there is no automatic interzone traffic allowed on the Fortigates by default. If you do not have zones set up, it appears that policy is needed for VLANs/subinterfaces to communicate with other subinterfaces.
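As an added illustration (not from the original post), here is what that inter-VLAN policy looks like in the FortiOS CLI: two VLAN subinterfaces on the internal port and a single narrow policy that lets one user subnet reach one server on one service, with everything else still dropped by the implicit deny. The interface names, VLAN IDs, addresses and physical port are assumed values for the example.

```text
# Two VLAN subinterfaces on the physical port "internal" (names, VLAN IDs and
# addresses are assumed for this example)
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 10
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 20
    next
end

# Address objects so the policy is scoped to what is needed, not "all" to "all"
config firewall address
    edit "net-vlan10-users"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "host-fileserver"
        set subnet 10.10.20.10 255.255.255.255
    next
end

# Without a policy like this, traffic between the two subinterfaces is dropped by
# the implicit deny even though the firewall routes both subnets. "edit 0" takes
# the next free policy ID; "SMB" is the built-in TCP/445 service object.
config firewall policy
    edit 0
        set name "vlan10-to-fileserver-smb"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "net-vlan10-users"
        set dstaddr "host-fileserver"
        set action accept
        set schedule "always"
        set service "SMB"
        set logtraffic all
    next
end
```

Traffic that matches no policy is dropped by the implicit deny at the bottom of the policy list; turning on logging for that implicit deny is the quickest way to see which VLAN pairs still need a policy after a cutover like this.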

All in all, for an almost surprise upgrade, I thought it went fairly well. 

Nick H
