FT-EFW-ATC – Fortinet Enterprise Firewall

Links:

CheatSheets

Hardware Acceleration Guide

Parallel Path Processing


Chapter «ADVPN»: Copy & Paste Templates (lab values only — the pre-shared keys, addresses and "peertype any" settings below are for the training environment and must not be reused in production)

Lab Guide, page 168:

# Lab Guide p.168 – Core1 (hub 1): remove the underlay routing configuration
# (presumably left from earlier labs) so the ADVPN overlay can be built on a
# clean routing table. Paste into the global CLI; each stanza closes itself.
config vdom
edit Core1
# Default route out of port1 towards the underlay gateway.
# "edit 0" creates a new entry and lets FortiOS pick the next free route ID.
config router static
edit 0
set gateway 100.64.1.254
set device "port1"
next
end
# Clear BGP: AS number, router-id and the underlay neighbor are removed.
# NOTE(review): the p.190-192 Core1 template in this guide adds a BGP neighbor
# but does not set "as"/"router-id" again; Core2 peers with remote-as 65100, so
# those must be restored before the neighbor is created — confirm against the
# lab steps that sit between p.168 and p.190.
config router bgp
unset as
unset router-id
config neighbor
delete "100.64.1.254"
end
end
# Clear OSPF: network entry 1, backbone area 0.0.0.0 and static redistribution.
config router ospf
unset rfc1583-compatible
unset router-id
config network
delete 1
end
config area
delete 0.0.0.0
end
config redistribute static
set status disable
end
end
end
# Lab Guide p.168 – Core2 (hub 2): remove the OSPF underlay configuration.
# Only OSPF is cleared here; unlike Core1, no BGP or static-route cleanup is
# done for this VDOM in this template.
config vdom
edit Core2
config router ospf
unset rfc1583-compatible
unset router-id
config network
delete 1
end
# Core2 used area 0.0.0.2 (Core1 used the backbone area 0.0.0.0).
config area
delete 0.0.0.2
end
config redistribute static
set status disable
end
end
end

Lab Guide, page 190-192:

# Lab Guide p.190-192 – Core1 (hub 1): static hub-to-hub IPsec tunnel to Core2,
# overlay addressing on the tunnel, eBGP to Core2 and a static route towards
# Core2's dial-up overlay (172.16.2.0/24).
config vdom
edit Core1
config vpn ipsec phase1-interface
# Site-to-site tunnel to Core2's underlay address 100.64.2.1.
edit "hub_to_hub"
set interface "port1"
# peertype any: the peer is identified only by the PSK. Acceptable for a static
# tunnel with a fixed remote-gw; for production prefer certificate or peer-ID
# authentication.
set peertype any
# Per-peer kernel devices disabled; FortiOS ADVPN guidance pairs this with
# dynamic routing over the tunnel interface — verify for the FortiOS version used.
set net-device disable
# ike-version is not set here, so the FortiOS default applies (IKEv1 on the
# releases this guide appears to target). The dial-up tunnel on Core2 sets
# IKEv2 explicitly; consider "set ike-version 2" here as well.
set proposal aes256-sha256
# This hub relays ADVPN shortcut offers received from the other hub.
set auto-discovery-forwarder enable
set remote-gw 100.64.2.1
# Lab PSK, must be identical on Core2's "hub_to_hub2". It is trivially weak:
# use a long random secret (or certificates) outside the lab.
set psksecret 123456789
next
# Existing dial-up tunnel (defined elsewhere in the lab): hub hands overlay
# addresses to spokes via mode-cfg.
edit "VPN1"
unset comments
set mode-cfg enable
next
end
config vpn ipsec phase2-interface
edit "PH2_hub_to_hub"
set phase1name "hub_to_hub"
set proposal aes256-sha256
next
edit "VPN1"
unset comments
next
end
config system interface
edit "VPN1"
set allowaccess ping
next
# Overlay /32 on the hub-to-hub tunnel; remote-ip is Core2's tunnel address
# and is also the BGP neighbor configured below.
edit "hub_to_hub"
set vdom "Core1"
set ip 10.255.255.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.255.255.2 255.255.255.0
set interface "port1"
next
end
# NOTE(review): no "set as" / "set router-id" here although p.168 unset them;
# Core2 peers with remote-as 65100, so Core1 must already be AS 65100 when
# this is pasted — TODO confirm.
config router bgp
config neighbor
edit "10.255.255.2"
# Keep the original next hop on routes passed to Core2 so spokes behind the
# other hub resolve them to the originating spoke (required for cross-hub
# ADVPN shortcuts in this design).
set attribute-unchanged next-hop
# Peer is reached across the tunnel rather than a directly connected link.
set ebgp-enforce-multihop enable
set remote-as 65200
next
end
end
# Reach Core2's dial-up overlay (its mode-cfg pool is 172.16.2.2-254) through
# the hub-to-hub tunnel so BGP next hops in that range are resolvable.
config router static
edit 0
set dst 172.16.2.0 255.255.255.0
set device "hub_to_hub"
next
end
end
# Lab Guide p.190-192 – Core2 (hub 2): IKEv2 dial-up tunnel "VPN12" for spokes
# (overlay 172.16.2.0/24, network-id 2), hub-to-hub tunnel back to Core1,
# BGP as AS 65200 (eBGP to Core1, iBGP route reflector for dial-up spokes).
config vdom
edit Core2
config vpn ipsec phase1-interface
edit "VPN12"
set type dynamic
set interface "port2"
set ike-version 2
# peertype any on a dial-up tunnel: any device that knows the PSK can
# establish a tunnel and receive an overlay address. Fine for the lab; in
# production use certificates or at least peer IDs and a strong PSK.
set peertype any
set net-device disable
# Hub assigns spoke overlay addresses from the pool below.
set mode-cfg enable
set proposal aes256-sha256
# No kernel routes for dial-up peers; spoke prefixes are learned via the
# iBGP neighbor-range configured below.
set add-route disable
set dpd on-idle
# Hub sends ADVPN shortcut offers to its spokes.
set auto-discovery-sender enable
# network-id must match the spokes' value (p.193-194 sets network-id 2).
set network-overlay enable
set network-id 2
# mode-cfg pool for spokes; 172.16.2.1 is the hub's own tunnel address.
set ipv4-start-ip 172.16.2.2
set ipv4-end-ip 172.16.2.254
set ipv4-netmask 255.255.255.0
# Lab PSK (weak, shared with the hub-to-hub tunnel) — not for production.
set psksecret 123456789
set dpd-retryinterval 60
next
# Static hub-to-hub tunnel to Core1's underlay address 100.64.1.1.
# ike-version is not set here (FortiOS default applies, unlike VPN12 above).
edit "hub_to_hub2"
set interface "port2"
set peertype any
set net-device disable
set proposal aes256-sha256
set auto-discovery-forwarder enable
set remote-gw 100.64.1.1
# Must match Core1's "hub_to_hub" PSK.
set psksecret 123456789
next
end
config vpn ipsec phase2-interface
edit "PH2_hub_to_hub"
set phase1name "hub_to_hub2"
set proposal aes256-sha256
next
edit "VPN12"
set phase1name "VPN12"
set proposal aes256-sha256
next
end
config system interface
# Hub side of the dial-up overlay: 172.16.2.1/32, remote-ip covers the pool.
edit "VPN12"
set vdom "Core2"
set ip 172.16.2.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 172.16.2.254 255.255.255.0
set interface "port2"
next
# Overlay /32 on the hub-to-hub tunnel; remote-ip is Core1's tunnel address
# and the eBGP neighbor below.
edit "hub_to_hub2"
set vdom "Core2"
set ip 10.255.255.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.255.255.1 255.255.255.0
set interface "port2"
next
end
config router bgp
set as 65200
# router-id reuses the hub's VPN12 overlay address.
set router-id 172.16.2.1
config neighbor
# eBGP to Core1 over the hub-to-hub tunnel.
edit "10.255.255.1"
# Preserve original next hops so cross-hub ADVPN shortcuts resolve to the
# originating spoke.
set attribute-unchanged next-hop
set ebgp-enforce-multihop enable
set remote-as 65100
next
end
# iBGP group for dial-up spokes; the hub reflects spoke routes between them.
config neighbor-group
edit "Overlay2"
set remote-as 65200
set route-reflector-client enable
next
end
# Accept dynamic iBGP sessions from any address in the mode-cfg pool.
config neighbor-range
edit 1
set prefix 172.16.2.0 255.255.255.0
set neighbor-group "Overlay2"
next
end
# Prefix advertised by this hub (presumably its LAN — not shown on this page).
config network
edit 1
set prefix 10.1.5.0 255.255.255.0
next
end
end
# Reach Core1's dial-up overlay (172.16.1.0/24) via the hub-to-hub tunnel.
config router static
edit 0
set dst 172.16.1.0 255.255.255.0
set device "hub_to_hub2"
next
end
end

Lab Guide, page 193:

# Lab Guide p.193 – spoke side (no VDOM wrapper, so this appears to be pasted
# on a spoke FortiGate): adjust the existing tunnel "HUB1-VPN1" to Core1 and
# add a route to Core2's overlay through it.
config vpn ipsec phase1-interface
edit "HUB1-VPN1"
unset comments
# Required on the spoke as well for ADVPN with dynamic routing (matches the
# hub-side setting).
set net-device disable
next
end
config vpn ipsec phase2-interface
edit "HUB1-VPN1"
unset comments
next
end
# Spokes behind Core2 live in 172.16.2.0/24; reach them via hub 1 for now.
config router static
edit 0
set dst 172.16.2.0 255.255.255.0
set device "HUB1-VPN1"
next
end

Lab Guide, page 193-194:

# Lab Guide p.193-194 – spoke side: re-point the existing tunnel "HUB1-VPN1"
# from Core1 to Core2 (remote-gw 100.64.2.1, network-id 2), give it a static
# overlay address in Core2's range, and move the BGP peering to Core2.
# The PSK is not set here, so the tunnel's existing PSK is assumed to match
# Core2's "VPN12" (123456789 in this lab) — confirm.
config vpn ipsec phase1-interface
edit "HUB1-VPN1"
unset comments
set net-device disable
# Must match Core2's dial-up tunnel (network-overlay/network-id 2).
set network-id 2
set remote-gw 100.64.2.1
next
end
config vpn ipsec phase2-interface
edit "HUB1-VPN1"
unset comments
next
end
config system interface
edit "HUB1-VPN1"
# NOTE(review): 172.16.2.2 is also the first address of Core2's mode-cfg pool
# (172.16.2.2-254 on p.190-192). If another spoke is handed that address the
# overlay IPs will collide — confirm the pool/static assignment do not overlap,
# or that this spoke receives its address via mode-cfg instead.
set ip 172.16.2.2 255.255.255.255
set allowaccess ping
# Core2's VPN12 tunnel address; also the iBGP neighbor below.
set remote-ip 172.16.2.1 255.255.255.0
next
end
config router bgp
# Spoke joins Core2's AS for iBGP; router-id reuses the overlay address.
set as 65200
set router-id 172.16.2.2
config neighbor
# Drop the old peering with Core1 (172.16.1.1) and peer with Core2 instead.
delete 172.16.1.1
edit "172.16.2.1"
set remote-as 65200
next
end
end
# Core1's dial-up overlay is now reached via Core2 across the hub-to-hub link.
config router static
edit 0
set dst 172.16.1.0 255.255.255.0
set device "HUB1-VPN1"
next
end