
networking:router:fortinet

Differences

networking:router:fortinet [2020/03/19 10:44]
jcooper
networking:router:fortinet [2020/03/19 13:27] (current)
jcooper
Line 12: Line 12:
 Fortinet offers: Fortinet offers:
  
-  * Inexpensive Next Generation firewall hardware+  * Inexpensive Next Generation Firewall hardware
   * Centrally managed wireless hardware   * Centrally managed wireless hardware
      
Line 19: Line 19:
 https://www.exclusive-networks.com/usa/ https://www.exclusive-networks.com/usa/
  
-===== Upgrading =====+===== CTAP Cyber Threat Assessment Program =====
  
-http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS+https://ctap.fortinet.com/
  
-http://wiki.mikrotik.com/wiki/Bootloader_upgrade+  * CTAP is an assessment tool for sales generation 
 +  * Registered evaluations are worth $250 from Fortinet 
 +  * Supported models are 
 +FG-60E Threat Protection Throughput - 200 Mbps\\   
 +FG-100D Threat Protection Throughput - 200 Mbps\\   
 +FG-300D Threat Protection Throughput - 1.5 Gbps\\   
 +FG-300E Threat Protection Throughput - 3 Gbps\\  
 +FG-1500D Threat Protection Throughput - 5 Gbps\\ 
  
-http://blog.butchevans.com/2010/08/routeros-upgrade-process/ 
  
-http://wiki.bluecrow.net/index.php/Mikrotik_Upgrading 
  
-http://www.mikrotik.com/download 
  
-===== Safe Mode ===== 
  
-http://wiki.mikrotik.com/wiki/Console#Safe_Mode 
  
-**Enter Safe Mode:** ''[CTRL]+[X]'' 
- 
-**Save Changes and Exit:** ''[CTRL]+[X]'' again 
- 
-**Exit Without Saving:** ''[CTRL]+[D]'' 
- 
-Safe mode can be used to minimize the risk of losing contact with the router while performing configuration changes. 
- 
-  * Safe mode is entered by pressing [CTRL]+[X] 
-  * To save changes and quit safe mode, press [CTRL]+[X] again 
-  * To exit without saving the made changes, hit [CTRL]+[D] 
-  * All configuration changes that are made in safe mode are automatically undone if safe mode session terminates abnormally 
- 
-===== Backup and Restore ===== 
- 
-http://wiki.mikrotik.com/wiki/Manual:Configuration_Management#System_Backup 
- 
-==== Command Line ==== 
- 
-<file> 
-/system backup load name=[filename] 
- 
-/system backup save name=[filename] 
-</file> 
- 
-You can also ''export'' or ''import'' the configuration to the console or to a file. 
- 
-  * If you are not at the root of the configuration system, it will only export the section you are in 
-  * If you ''export compact'', it will only export the settings that are not default 
-  * If you specify a file, you can download the file using the web interface 
-  * If you don't specify a file, it will dump to the console 
-  * ''export compact'' is the default behavior from V6 on 
- 
-<file> 
-export compact file=mikrotik_config_backup 
-</file> 
- 
-===== Configuration ===== 
- 
-:!: Winbox runs well under Wine on Linux. 
- 
-http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 
- 
-http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router 
- 
-http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line 
- 
-==== Default Configurations and Useful Command Line Examples ==== 
- 
-http://wiki.mikrotik.com/wiki/Manual:Default_Configurations 
- 
-==== Reset to Defaults ==== 
- 
-=== CLI === 
- 
-<file> 
-/system reset-configuration 
-</file> 
- 
-or 
- 
-<file> 
-/system reset-configuration no-defaults=yes  
-</file> 
- 
-=== Reset Button === 
- 
-The reset button has three functions. 
- 
-Hold the button, then apply power. 
- 
-Depending on when you release the button, it will do these things: 
- 
-  * release immediately (0-5 seconds) after starting the device to load backup bootloader 
-  * release when user LED starts to flash to reset RouterOS (5-10 seconds) 
-  * release after user LED stops flashing to start Etherboot (Netinstall) mode (10+ seconds) 
- 
-Link how to use Netinstall: http://wiki.mikrotik.com/wiki/Netinstall 
- 
-==== First Login ==== 
- 
-:!: Changing the LAN interface and DHCP pool probably requires a reboot! 
- 
-  * Default login name is **admin** and **blank password**. 
-  * The default IP address is **192.168.88.1/24** on **ether1**. 
-  * You can use the Winbox (Windows) utility to configure the unit by MAC address even if you don't know the IP address. 
-  * Most models have a useful default configuration, however the rackmount models just have the IP address configured. 
- 
-==== Set Password ==== 
- 
-**System -> Users -> Double-Click 'admin' -> Password** 
- 
-==== WAN Interface ==== 
- 
-=== Dynamic Address === 
- 
-**IP -> DHCP Client -> Add New -> ether1** 
- 
-=== Static Address === 
- 
-**IP -> DHCP Client -> Delete if exists 
-IP -> Addresses -> Add New** 
- 
-==== NAT ==== 
- 
-**IP -> Firewall -> NAT -> Add New** 
- 
-  * Enabled 
-  * Chain should be ''srcnat'' 
-  * Out. Interface should be set to WAN interface (ether1) 
-  * Action should be set to ''masquerade'' 
- 
-=== DMZ === 
- 
-This is like the DMZ feature of other router/firewall devices: 
- 
-<file> 
-/ip firewall nat add chain=dstnat dst-address=<external-IP> action=dst-nat to-addresses=<internal-IP> 
-</file> 
- 
-==== Default Gateway ==== 
- 
-**IP -> Routes -> Add New** 
- 
-  * Enabled 
-  * Dst. Address should be ''0.0.0.0/0'' 
-  * Gateway (+) should be your WAN gateway address 
-  * Comment ''Default Route'' 
- 
-==== Name Resolution ==== 
- 
-**IP -> DNS -> Add New** 
- 
-==== Time ==== 
- 
-**SNTP Client -> Primary -> 199.102.46.73 
-SNTP Client -> Secondary -> 64.16.214.60** 
- 
-**Clock -> Time Zone Name -> America/Phoenix** 
- 
-==== Interfaces ==== 
- 
-Interfaces can be: 
- 
-  * Individual 
-  * Bridged 
-  * Switched (Slaved) 
- 
-=== WAN Interfaces === 
- 
-**IP -> Addresses -> Add New -> Use Ether1 as WAN 
-IP -> Addresses -> Add New -> Use Ether2 if WAN2 is needed** 
- 
-=== LAN Interfaces === 
- 
-  * To see if an interface is switched (slaved), look for ''Master Port'' setting in interface details 
-  * On smaller routers, LAN ports are typically configured as a switch (ether2 as master + slaves) 
-  * For bridging, create a bridge interface, then assign ports to it 
-  * Only single or master (switch) ports can be added to a bridge; slaved ports cannot 
- 
-**IP -> Addresses -> Add New -> Use others as LAN** 
- 
-==== Wireless ==== 
- 
-http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Wireless 
- 
-  * Check if Ethernet LAN interfaces are switched, bridged or if they are separate ports 
-    * Smaller routers have LAN interfaces and wireless bridged together 
-  * Apply an appropriate security profile for wireless network security 
- 
-=== Wireless Channels === 
- 
-:!: The scan feature cannot be run if you are connected wirelessly 
- 
-  * The default channel is channel 1 (2412 MHz) 
-  * Click on ''Advanced'' and set the country to ''United States'' 
-  * Ideally, you will select a channel of 5-10 (2432-2457 MHz) and select HT (wide channels) 
-  * The scan feature shows other, possibly competing wireless networks 
-  *  
- 
-=== Bridged === 
- 
-  * Router must have have level 4 or higher license 
-  * Bridged LAN interface must exist 
-  * Wireless interface mode is set to ''ap-bridge'' 
-    * If set to ''bridge'', only one client (station) will be able to connect to the router using wireless 
- 
-=== Wireless Security === 
- 
-**Wireless -> Security Profiles -> Add New** 
- 
-  * Mode 
-    * ''Dynamic Keys'' 
-    * Select ''WPA'' and ''WPA2'' 
-  * Unicast and Group Ciphers 
-    * Select ''AES CCM'' 
-  * WPA and WPA2 pre-shared keys 
-    * Should each be different :?: 
-    * Turn blue when sufficient length 
- 
-==== DHCP Server ==== 
- 
-:!: If you have any problems with the DHCP server (maybe it didn't hand out a gateway address?), try deleting all existing pools and all existing DHCP servers, then run the **DHCP Setup Wizard**.  In fact, this is probably the fastest, easiest way to configure the DHCP server in most all cases. 
- 
-**IP -> DHCP Server -> DHCP -> DHCP Setup** 
- 
-<file> 
-/ip dhcp-server setup 
- 
-/ip dns set allow-remote-requests=yes 
-</file> 
- 
-=== Manual DHCP Server Configuration === 
- 
-Create the address pool first: 
- 
-**IP -> Pool -> Add New** 
- 
-  * Addresses: ''192.168.1.65-192.168.1.199'' 
- 
-Add the DHCP server: 
- 
-**IP -> DHCP Server -> Add New** 
- 
-  * Use mostly defaults 
-  * Interface: ''ether2'' 
-  * Assign the pool just created 
-  * Also configure caching DNS for DHCP clients 
- 
-This will also create a caching DNS server for use by DHCP clients: 
- 
-**IP -> DNS -> Settings -> Click (+) twice then enter two DNS server 
-IPs -> DNS -> Settings -> Allow Remote Requests** 
- 
-==== Port Forwarding (Destination NAT) ==== 
- 
-http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Port_forwarding 
- 
-  * If change of port is not required,then to-ports can be left unset 
-  * UPnP is available if dynamic port forwarding is desired 
- 
-**IP -> Firewall -> NAT -> Add New** 
- 
-<file> 
-/ip firewall nat add chain=dstnat dst-address=<external address> protocol=tcp dst-port=<external port> \ 
- action=dst-nat to-address=<internal address> to-ports=<internal port> 
-</file> 
- 
-==== Remote Management ==== 
- 
-http://aacable.wordpress.com/2011/08/15/mikrotik-howto-prevent-mt-host-from-invalid-login-attempts-from-lanwan-users/ 
- 
-**IP -> Services -> www** 
- 
-  * Port: 81 
-  * Available From: 209.193.64.248/29 (+) 192.168.1.0/24 
- 
-===== Firewall ===== 
- 
-http://wiki.mikrotik.com/wiki/Home_Firewall 
- 
-http://wirelessconnect.eu/articles/securing_mikrotik_router_firewall 
- 
-http://wiki.mikrotik.com/wiki/Manual:IP/Firewall 
- 
-<file> 
-/ ip firewall filter 
-add chain=input connection-state=established comment="Accept established connections" 
-add chain=input connection-state=related comment="Accept related connections" 
-add chain=input connection-state=invalid action=drop comment="Drop invalid connections"  
-add chain=input protocol=udp action=accept comment="Allow all UDP" disabled=no  
-add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"  
-add chain=input protocol=icmp action=drop comment="Drop excess pings"  
-add chain=input in-interface=ether2 src-address=192.168.1.0/24 comment="From our LAN" action=accept 
-add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" 
-add chain=input action=drop comment="Drop everything else" 
-</file> 
- 
-===== Dynamic DNS ===== 
- 
-http://networkingforintegrators.com/2012/08/dyndns-updater-for-mikrotik/ 
- 
-http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS 
- 
-http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS_behind_NAT 
- 
-===== Scripts ===== 
- 
-http://networkingforintegrators.com/2013/02/mikrotik-how-to-import-a-script-in-an-rsc-file/ 
- 
-===== Serial Port ===== 
- 
-http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console 
- 
-==== Serial Console ====  
- 
-The Serial Console feature is for configuring the router. 
- 
-  * Enabled by default 
-  * 115200,8,N,1 
-  * No flow control 
-  * Requires null-modem cable 
- 
-:!: If choosing a USB serial adapter, choose one with a FTDI chipset such as this one: 
- 
-http://www.amazon.com/Premium-Speed-Serial-RS-232-Converter/dp/tech-data/B006PIU2KO 
- 
-:!: When choosing a serial terminal program, you can use Putty: 
- 
-http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html 
- 
-**System -> Console 
-System -> Ports** 
- 
-<file> 
-/system console print 
-/port print detail 
-</file> 
- 
- 
-==== Serial Terminal ==== 
- 
-http://wiki.mikrotik.com/wiki/Serial_Port_Usage 
- 
-  * The Serial Terminal feature is for connecting to other devices 
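Review bot: The whole MikroTik body (every section from Upgrading through Serial Terminal) is removed from this page without a link to where it now lives; add a pointer to the MikroTik page, or confirm the text already exists there, before this revision lands, because the removed material includes things that are easy to lose: the backup/export commands, the input-chain firewall filter, and the www-service "Available From" allow-list. If that firewall block is being re-homed rather than discarded, the rule ''add chain=input protocol=udp action=accept comment="Allow all UDP"'' sits ahead of the final drop and accepts any UDP datagram addressed to the router itself; narrow it to the ports the router actually serves (the same page configures DNS and SNTP) so the closing "Drop everything else" rule still applies to inbound UDP. In the added CTAP section, the five model lines under ''* Supported models are'' are bare lines ending in ''\\'' rather than list entries; nest them as sub-items (''    * FG-60E Threat Protection Throughput - 200 Mbps'' and so on) so they render inside that bullet. FG-60E and FG-100D are both given as 200 Mbps; worth a second look in case one figure was carried over from the other.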
networking/router/fortinet.1584636269.txt.gz · Last modified: 2020/03/19 10:44 by jcooper