Have you ever wondered how to simulate real-world internet access scenarios in a virtual environment?

In this blog, I’ll show you how to seamlessly configure a FortiGate firewall in GNS3, transforming your lab setup into a powerful tool for mastering network security. 

By the end of this guide, you’ll learn how to create a lab environment in GNS3, integrate it with a FortiGate firewall, and configure the firewall to enable internet access. 

Whether you’re a networking enthusiast or a professional, this step-by-step tutorial has got you covered!

For this lab, I have utilized the following topology. Below is a brief overview of the topology and the components used –



Webterm – Using the Webterm in GNS3 provides a convenient and lightweight way to interact with devices in your lab environment directly from a web browser. It eliminates the need for external terminal applications, streamlining the configuration and management process for network simulations.

I configured DHCP on FortiGate Firewall Port3, allowing LAN devices to automatically receive IP addresses from the DHCP server. To enable DHCP on Webterm, simply right-click on the Webterm node, select “Edit Config,” and uncomment the two DHCP lines as shown in the image below.


Cloud – The Cloud node in GNS3 acts as a bridge between your virtual lab and the physical network, enabling seamless integration with external networks or the internet. It is essential for scenarios where devices in your GNS3 topology need to communicate with real-world systems.

NAT – The NAT node in GNS3 simplifies internet connectivity by providing a pre-configured gateway that translates private IP addresses to public ones. It’s a quick and efficient way to enable internet access for your virtual devices without complex configurations.

1. Now, let’s begin the actual configuration of the firewall. Set up the connectivity as illustrated in the topology above, then start the firewall by right-clicking on it and selecting “Start.”

2. Access the FortiGate firewall console by right-clicking on the firewall and selecting “Console.” The firewall may take some time to reboot initially. Once the reboot is complete, you’ll be prompted to log in. The default username is admin, and there is no default password, so simply press the Enter key. The firewall will then prompt you to set a new password. Enter your desired password, confirm it by retyping the same password, and proceed.

3. By default, DHCP is enabled on the Port1 interface of the FortiGate firewall, so Port1 will automatically receive an IP address. However, to log in to the firewall’s GUI, we’ve connected the Cloud device to Port2, which is set to static by default. To enable automatic IP address assignment from the Cloud, we need to change the mode of Port2 to DHCP. This will allow us to access the firewall’s GUI from our physical system.


4. To change the mode of Port2 and enable HTTP access, follow these steps in the CLI:

FortiGate-VM64-KVM # config system interface

FortiGate-VM64-KVM (interface) # edit port2

FortiGate-VM64-KVM (port2) # set mode dhcp

FortiGate-VM64-KVM (port2) # set allowaccess https http ssh ping fgfm

FortiGate-VM64-KVM (port2) # end

5. Now check which IP address Port2 received from DHCP –



6. Copy the IP address and log in to the FortiGate firewall through the GUI (use HTTP instead of HTTPS).



7. Once you gain access to the GUI, there’s an important step to follow: you need to change the Port2 mode from DHCP to Manual to avoid routing issues between Port1 and Port2. To do this, go to the Network section in the left pane, click on Interfaces, and then double-click on Port2. Afterward, click on the Manual button (the mode was initially set to DHCP) and confirm the change by clicking OK in the next window.


8. Now, let’s proceed with the LAN port configuration. 

I have assigned the IP address 10.1.1.100/24 to the LAN interface (Port3) and enabled DHCP on this interface, ensuring that LAN devices will automatically receive IP addresses.



9. Now, access the consoles of VPC1 and VPC2 and enter the command ip dhcp on each. This will change the port settings of the VPCs to DHCP, initiating the DHCP DORA process. After this, the VPCs will receive IP addresses from the FortiGate DHCP server. Please refer to the image below for reference.


10. Additionally, configure DHCP on Webterm and verify the IP address it has received from the FortiGate firewall. Please refer to the image below to check the assigned IP address.


11. Before configuring the firewall policy and routing, let’s check the reachability from the VPC to the internet by pinging Google’s DNS IP (8.8.8.8) and the website www.facebook.com. Below is the output of the test:


12. We currently have no internet reachability due to the firewall’s default Deny policy. The firewall is blocking all traffic from the LAN port to the WAN port. To enable communication, we need to configure a static default route on the firewall, along with the necessary firewall policy. Let’s proceed with these configurations.

12.1. To configure the static route, go to Network and click on Static Routes in the left pane. Then, click on the Create New button.


12.2. Set the Destination subnet to the default value of 0.0.0.0/0.0.0.0. Click on the Dynamic button to automatically obtain the gateway address. Select Port1 as the outgoing interface, and then click on the OK button to apply the changes.


12.3. To configure the firewall policy, go to Policy & Objects and click on Firewall Policy in the left pane. From there, you can create and manage your firewall policies.



12.4. Configure all the following settings in the firewall policy:


13. We’ve completed the configuration! 😊 Now, let’s go to the Logs & Report section to check the forwarded traffic. Oops, it seems we don’t have any logs yet. 


14. Let’s generate some traffic from the LAN to create logs. We’ll ping Google’s DNS IP (8.8.8.8) and www.facebook.com from VPC1, VPC2, and Webterm.

Logs From VPC2 – 

Wow, it’s amazing to see that I can successfully ping the Google DNS IP (8.8.8.8) and www.facebook.com! This means DNS resolution is working perfectly from VPC2. Let’s now check the status on VPC1 and Webterm!


Logs from VPC1 – 

That’s fantastic! Oh, great! I’m also able to ping from VPC1, which means everything is working smoothly. Let’s now check Webterm to make sure everything is in order!


Logs From Webterm – 

That’s incredible! Even Webterm is successfully pinging Google and Facebook, and everything is working flawlessly! It feels amazing to see everything come together perfectly!


15. Here are the logs generated by the firewall, showing the successful traffic flow and confirming that everything is functioning as expected.


16. Here are some logs from Webterm, showing the traffic activity and confirming that the configurations are working correctly.


With the configuration complete and everything working as expected, we’ve achieved seamless internet connectivity through the FortiGate firewall in GNS3. I hope this guide has been insightful, and I encourage you to experiment further with different firewall and network settings.
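
As an added example (not part of the original post and not Fortinet code): step 4 puts `http` in Port2's `allowaccess` list, and a check like the one below lists the interfaces in a configuration backup that still accept cleartext admin protocols once the lab is running. The sample config is constructed, and the names `parse_section` and `cleartext_mgmt` are hypothetical.

```python
# Constructed sample in FortiOS backup syntax (not output from the author's lab);
# port2 and port3 mirror the settings applied in this guide.
SAMPLE_CONFIG = """
config system interface
    edit "port2"
        set mode dhcp
        set allowaccess https http ssh ping fgfm
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port3"
        set ip 10.1.1.100 255.255.255.0
        set allowaccess ping
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # admin protocols that carry logins unencrypted


def parse_section(config_text, section):
    """Return {entry: {option: [values]}} for one top-level config section."""
    entries, current, depth, wanted = {}, None, 0, False
    for raw in config_text.splitlines():
        # Whitespace split suffices for names and allowaccess lists (assumption).
        tokens = [t.strip('"') for t in raw.split()]
        word = tokens[0] if tokens else ""
        if word == "config":
            depth += 1
            if depth == 1:
                wanted = " ".join(tokens[1:]) == section
        elif word == "end":
            depth -= 1
        elif wanted and depth == 1 and len(tokens) > 1:
            # depth == 1 skips nested blocks such as "config ipv6"
            if word == "edit":
                current = entries.setdefault(tokens[1], {})
            elif word == "set" and current is not None:
                current[tokens[1]] = tokens[2:]
    return entries


def cleartext_mgmt(config_text):
    """Map interface name -> cleartext admin protocols it accepts."""
    ifaces = parse_section(config_text, "system interface")
    hits = {n: sorted(CLEARTEXT & set(o.get("allowaccess", []))) for n, o in ifaces.items()}
    return {n: p for n, p in hits.items() if p}
```

Running `cleartext_mgmt` on a backup of this lab's configuration shows whether HTTP management is still enabled on Port2 after the GUI work is finished.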


Thank You !!