How to Access Internet from FortiGate Firewall Lab in GNS3

Have you ever wondered how to simulate real-world internet access scenarios in a virtual environment?

In this blog, I’ll show you how to seamlessly configure a FortiGate firewall in GNS3, transforming your lab setup into a powerful tool for mastering network security. 

By the end of this guide, you’ll learn how to create a lab environment in GNS3, integrate it with a FortiGate firewall, and configure the firewall to enable internet access. 

Whether you’re a networking enthusiast or a professional, this step-by-step tutorial has got you covered!

For this lab, I have utilized the following topology. Below is a brief overview of the topology and the components used:

Webterm – Using the Webterm in GNS3 provides a convenient and lightweight way to interact with devices in your lab environment directly from a web browser. It eliminates the need for external terminal applications, streamlining the configuration and management process for network simulations.

I configured a DHCP server on Port3 of the FortiGate firewall, allowing LAN devices to automatically receive IP addresses from it. To enable DHCP on Webterm, simply right-click on the Webterm node, select “Edit Config,” and uncomment the two DHCP lines as shown in the image below.

Cloud – The Cloud node in GNS3 acts as a bridge between your virtual lab and the physical network, enabling seamless integration with external networks or the internet. It is essential for scenarios where devices in your GNS3 topology need to communicate with real-world systems.

NAT – The NAT node in GNS3 simplifies internet connectivity by providing a pre-configured gateway that translates private IP addresses to public ones. It’s a quick and efficient way to enable internet access for your virtual devices without complex configurations.

1. Now, let’s begin the actual configuration of the firewall. Set up the connectivity as illustrated in the topology above, then start the firewall by right-clicking on it and selecting “Start.”

2. Access the FortiGate firewall console by right-clicking on the firewall and selecting “Console.” The firewall may take some time to reboot initially. Once the reboot is complete, you’ll be prompted to log in. The default username is admin, and there is no default password, so simply press the Enter key. The firewall will then prompt you to set a new password. Enter your desired password, confirm it by retyping the same password, and proceed.

3. By default, DHCP is enabled on the Port1 interface of the FortiGate firewall, so Port1 will automatically receive an IP address. However, to log in to the firewall’s GUI, we’ve connected the Cloud device to Port2, which is set to static by default. To enable automatic IP address assignment from the Cloud, we need to change the mode of Port2 to DHCP. This will allow us to access the firewall’s GUI from our physical system.

4. To change the mode of Port2 and enable HTTP access, follow these steps in the CLI:

FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM (interface) # edit port2
FortiGate-VM64-KVM (port2) # set mode dhcp
FortiGate-VM64-KVM (port2) # set allowaccess https http ssh ping fgfm
FortiGate-VM64-KVM (port2) # end

5. Now check which IP address Port2 received from DHCP:

6. Copy the IP address and log in to the FortiGate firewall through the GUI (use HTTP instead of HTTPS).

7. Once you gain access to the GUI, there’s an important step to follow: change the Port2 mode from DHCP to Manual to avoid routing issues between Port1 and Port2. To do this, go to the Network section in the left pane, click on Interfaces, and then double-click on Port2. Afterward, click on the Manual button (which was initially set to DHCP) and confirm it by clicking OK in the next window.

8. Now, let’s proceed with the LAN port configuration.

I have assigned the IP address 10.1.1.100/24 to the LAN interface (Port3) and enabled DHCP on this interface, ensuring that LAN devices will automatically receive IP addresses.

9. Now, access the consoles of VPC1 and VPC2 and enter the command ip dhcp on each. This will change the port settings of the VPCs to DHCP, initiating the DHCP DORA process. After this, the VPCs will receive IP addresses from the FortiGate DHCP server. Please refer to the image below for reference.

10. Additionally, configure DHCP on Webterm and verify the IP address it has received from the FortiGate firewall. Please refer to the image below to check the assigned IP address.

11. Before configuring the firewall policy and routing, let’s check the reachability from the VPC to the internet by pinging Google’s DNS IP (8.8.8.8) and the website www.facebook.com. Below is the output of the test:


12. We currently have no internet reachability due to the firewall’s default Deny policy. The firewall is blocking all traffic from the LAN port to the WAN port. To enable communication, we need to configure a static default route on the firewall, along with the necessary firewall policy. Let’s proceed with these configurations.

12.1. To configure the static route, go to Network and click on Static Routes in the left pane. Then, click on the Create New button.

12.2. Set the Destination subnet to the default value of 0.0.0.0/0.0.0.0. Click on the Dynamic button to automatically obtain the gateway address. Select Port1 as the outgoing interface, and then click on the OK button to apply the changes.

12.3. To configure the firewall policy, go to Policy & Objects and click on Firewall Policy in the left pane. From there, you can create and manage your firewall policies.

12.4. Configure all the following settings in the firewall policy:
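The same LAN, route and policy configuration from steps 8 and 12.1 to 12.4, expressed in the FortiOS CLI. This is an added example and not a config from the original post; the DHCP pool range, the policy name, and the any/any policy body are assumptions, since the post only shows those settings in screenshots.

```fortios
# Step 8: LAN interface (10.1.1.100/24 from the post) with a DHCP server.
# The pool 10.1.1.2-10.1.1.99 is an assumption, not taken from the post.
config system interface
    edit "port3"
        set ip 10.1.1.100 255.255.255.0
        set allowaccess ping https
    next
end
config system dhcp server
    edit 1
        set interface "port3"
        set default-gateway 10.1.1.100
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.1.1.2
                set end-ip 10.1.1.99
            next
        end
    next
end
# Step 12.2: default route out of Port1 using the gateway Port1 learned from DHCP
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "port1"
        set dynamic-gateway enable
    next
end
# Step 12.4: LAN-to-WAN accept policy with source NAT (assumed to match the
# screenshot); logtraffic all so the allowed sessions appear under Log & Report
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
# Verify: the default route is installed, then sessions from the LAN after a ping
get router info routing-table all
diagnose sys session list
```

Outside a lab, replace srcaddr "all" with an address object for 10.1.1.0/24 so the policy only matches the LAN it is meant to serve.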

13. We’ve completed the configuration! 😊 Now, let’s go to the Logs & Report section to check the forwarded traffic. Oops, it seems we don’t have any logs yet. 

14. Let’s generate some traffic from the LAN to create logs. We’ll ping Google’s DNS IP (8.8.8.8) and www.facebook.com from VPC1, VPC2, and Webterm.

Logs From VPC2 – 

Wow, it’s amazing to see that I can successfully ping the Google DNS IP (8.8.8.8) and www.facebook.com! This means DNS resolution is working perfectly from VPC2. Let’s now check the status on VPC1 and Webterm!

Logs From VPC1 – 

That’s fantastic! I’m also able to ping from VPC1, which means everything is working smoothly. Let’s now check Webterm to make sure everything is in order!

Logs From Webterm – 

That’s incredible! Even Webterm is successfully pinging Google and Facebook, so everything is working flawlessly! It feels amazing to see everything come together perfectly!

15. Here are the logs generated by the firewall, showing the successful traffic flow and confirming that everything is functioning as expected.

16. Here are some logs from Webterm, showing the traffic activity and confirming that the configurations are working correctly.

With the configuration complete and everything working as expected, we’ve achieved seamless internet connectivity through the FortiGate firewall in GNS3. I hope this guide has been insightful, and I encourage you to experiment further with different firewall and network settings.

Thank You !!