FortiGate 60F Basic Configuration: A Step-by-Step Guide for Beginners

The FortiGate 60F is a popular and robust next-generation firewall (NGFW) ideal for small to medium-sized businesses, offering comprehensive security features in a compact form factor. Properly configuring this device is crucial for establishing a secure and efficient network. This guide provides a step-by-step walkthrough of the basic setup process.

Initial Setup and Access

The very first step involves physically connecting the FortiGate 60F and accessing its management interface. Unbox the FortiGate 60F, connect the power adapter, and plug it into an electrical outlet. Connect one end of an Ethernet cable to the FortiGate's "MGMT" or "internal" port (often port1) and the other end to your computer's Ethernet port. By default, the FortiGate's internal interface is configured with a static IP address of 192.168.1.99 with a subnet mask of 255.255.255.0. To access the web-based manager, you'll need to configure your computer's network adapter to be on the same subnet, for example, by setting its IP address to 192.168.1.100 and the subnet mask to 255.255.255.0.

Once your computer's IP address is configured, open a web browser and navigate to https://192.168.1.99. You may encounter a certificate warning, because the browser does not trust the FortiGate's factory-default certificate; on this direct cable connection you can safely bypass it for the initial setup. The default username is admin and there is no password initially. Upon your first login, the FortiGate will prompt you to change the default password, which is a critical security step.

Basic System Settings

After successfully logging in, you'll be presented with the FortiGate dashboard. The next logical step is to configure basic system settings.

Hostname and Time Zone

It's good practice to assign a descriptive hostname to your FortiGate for easier identification within your network. Navigate to System > Settings (or System > Dashboard > System Information in some firmware versions) and locate the "Hostname" field.[6] Enter a suitable name, such as "FortiGate-60F-Main."

Equally important is setting the correct time zone. This ensures accurate logging and proper functioning of time-based policies. In the same System > Settings area, select your appropriate time zone from the dropdown menu. You can also configure Network Time Protocol (NTP) servers to automatically synchronize the FortiGate's clock with reliable time sources. This is typically found under System > Settings > System Time.

Interface Configuration (WAN and LAN)

Configuring the network interfaces is fundamental to enabling network connectivity through the FortiGate.

WAN Interface (Internet Connection)

The WAN interface connects your FortiGate to the internet. The configuration will depend on your Internet Service Provider (ISP).

  1. Navigate to Network > Interfaces.
  2. Locate the interface designated as your WAN port (often "wan1" or "port1" if not used for management).
  3. Edit the WAN interface.
  4. Addressing Mode:
    • DHCP: If your ISP provides an IP address automatically, select DHCP. This is common for residential and small business connections.
    • Static: If your ISP provides a static IP address, select Manual and enter the IP address, subnet mask, and default gateway provided by your ISP.
    • PPPoE: For DSL connections, you might need to select PPPoE and enter your username and password.
  5. DNS Servers: You can choose to "Get DNS from System" (which will use DNS servers provided by DHCP or configured globally) or "Specify" custom DNS servers (e.g., Google DNS 8.8.8.8 and 8.8.4.4).

Internal/LAN Interface

The internal interface connects to your local area network (LAN).

  1. Navigate to Network > Interfaces.
  2. Locate the internal interface (often "internal" or a group of ports like "lan").[6]
  3. Edit the internal interface.
  4. Addressing Mode: Typically, this will be set to Manual with a private IP address (e.g., 192.168.1.99, if not changed during initial setup) and a subnet mask (e.g., 255.255.255.0). This IP address will serve as the default gateway for devices on your LAN.
  5. DHCP Server: For convenience, you can enable a DHCP server on the internal interface to automatically assign IP addresses to devices on your LAN. Enable the DHCP Server and configure the IP address range (e.g., 192.168.1.100 - 192.168.1.200).

Creating Firewall Policies

Firewall policies are the core of the FortiGate's security functionality, controlling traffic flow between different network segments.

  1. Navigate to Policy & Objects > Firewall Policy.
  2. Click "Create New."
  3. Name: Give the policy a descriptive name (e.g., "LAN_to_WAN_Access").
  4. Incoming Interface: Select your internal/LAN interface.
  5. Outgoing Interface: Select your WAN interface.
  6. Source:
    • Source Address: For basic internet access, you can select "all" to allow all devices on your LAN. For more granular control, you can create address objects for specific subnets or individual IPs.
    • Source User: (Optional) If you have user authentication configured, you can specify user groups here.
  7. Destination:
    • Destination Address: For basic internet access, select "all" to allow access to any external destination.
  8. Service: For basic internet access, select "ALL" or specific services like "HTTP," "HTTPS," and "DNS."
  9. Action: Set to ACCEPT to allow traffic matching the policy.
  10. NAT: Ensure NAT is enabled (typically "Use Outgoing Interface Address") so that your internal network's private IP addresses are translated to the public IP address of your WAN interface when accessing the internet.
  11. Logging Options: It's recommended to enable logging for "All Sessions" for troubleshooting and security auditing.
  12. Click "OK" to save the policy.

This basic policy allows devices on your internal network to access the internet. You will need to create additional policies for more specific traffic flows or to restrict access.
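
To review the resulting policy from a configuration backup, the following added example (not Fortinet code and not part of the original guide) parses the firewall policy block and flags accept policies that use service ALL or do not log all sessions. The sample configuration is constructed, and the function names parse_policies and audit are hypothetical.

```python
import shlex

# Constructed sample in the layout of a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set name "LAN_to_WAN_Access"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "LAN_to_WAN_Web"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set service "HTTP" "HTTPS" "DNS"
    next
end"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for the 'config firewall policy' block."""
    policies, current, inside = {}, None, False
    for line in text.splitlines():
        tok = shlex.split(line)  # handles quoted and multi-value settings
        if tok[:3] == ["config", "firewall", "policy"]:
            inside = True
        elif inside and tok[:1] == ["edit"]:
            current = policies.setdefault(tok[1], {})
        elif inside and tok[:1] == ["set"] and current is not None:
            current[tok[1]] = tok[2:]
        elif inside and tok[:1] == ["next"]:
            current = None
        elif inside and tok[:1] == ["end"] and current is None:
            inside = False
    return policies

def audit(policies):
    """Flag accept policies that allow every service or lack 'logtraffic all'."""
    findings = []
    for pid, p in policies.items():
        if p.get("action") != ["accept"]:
            continue
        if "ALL" in p.get("service", []):
            findings.append((pid, "service ALL permits every port and protocol"))
        if p.get("logtraffic") != ["all"]:  # absent = firmware default, assumed not "all"
            findings.append((pid, "logging is not set to all sessions"))
    return findings
```

On the sample, policy 1 is flagged for service ALL and policy 2 for missing all-session logging.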

Enabling DHCP Server (if not done during interface config)

If you didn't enable the DHCP server when configuring the internal interface, you can do so separately.

  1. Navigate to Network > DHCP Servers.
  2. Click "Create New."
  3. Interface: Select your internal/LAN interface.
  4. IP Range: Define the start and end IP addresses for the DHCP lease pool (e.g., 192.168.1.100 - 192.168.1.200).
  5. Default Gateway: This should automatically populate with the IP address of your internal interface.
  6. DNS Server: You can use the FortiGate as the DNS server or specify external DNS servers.
  7. Click "OK."
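
A check of the DHCP range against the interface subnet, added here as an example (not part of the original guide or of Fortinet tooling); the function name check_dhcp_pool and its static_hosts parameter are hypothetical. Run with this guide's values, it reports that 192.168.1.100, the address given to the setup computer during initial access, falls inside the lease pool.

```python
import ipaddress

def check_dhcp_pool(gateway, netmask, start, end, static_hosts=()):
    """Return a list of problems with a DHCP range served from a LAN interface."""
    net = ipaddress.ip_interface(f"{gateway}/{netmask}").network
    gw, lo, hi = (ipaddress.ip_address(a) for a in (gateway, start, end))
    problems = []
    if lo > hi:
        problems.append(f"range start {lo} is above range end {hi}")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")
    if lo <= gw <= hi:
        problems.append(f"interface address {gw} is inside the pool")
    # Hosts configured by hand must stay out of the pool or a lease can duplicate them.
    for host in map(ipaddress.ip_address, static_hosts):
        if lo <= host <= hi:
            problems.append(f"static host {host} is inside the pool")
    return problems

# Values from this guide; the static host is the setup computer's address.
GUIDE_RESULT = check_dhcp_pool("192.168.1.99", "255.255.255.0",
                               "192.168.1.100", "192.168.1.200",
                               static_hosts=["192.168.1.100"])
```

Returning the setup computer to automatic addressing, or starting the pool above its address, clears the finding.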

Verifying Connectivity

After completing these steps, it's crucial to verify that your network is functioning as expected.

  1. Connect a device (e.g., a laptop) to a LAN port on the FortiGate.
  2. Ensure the device obtains an IP address from the FortiGate's DHCP server.
  3. Try to access the internet from the connected device.
  4. From the FortiGate CLI (accessible via the dashboard or SSH), you can use commands like execute ping google.com or diagnose sniffer packet any 'host 8.8.8.8' to troubleshoot connectivity issues.

Next Steps and Advanced Configuration

This guide covers the absolute basics. For a production environment, consider these next steps:

  • Firmware Updates: Always keep your FortiGate firmware updated to the latest stable version for security patches and new features.
  • Security Profiles: Implement Antivirus, Web Filtering, Application Control, and Intrusion Prevention System (IPS) profiles to enhance security.
  • User Authentication: Configure local users or integrate with external authentication systems like LDAP or RADIUS.
  • VPN: Set up Virtual Private Networks (VPNs) for secure remote access or site-to-site connectivity.
  • Logging and Reporting: Configure detailed logging and review reports regularly to monitor network activity and identify potential threats.
  • Backup Configuration: Regularly back up your FortiGate configuration to prevent data loss.

Frequently Asked Questions (FAQ)

Q1: What is the default IP address for a FortiGate 60F?

A1: The default IP address for the internal interface of a FortiGate 60F is 192.168.1.99.

Q2: What are the default login credentials for a new FortiGate 60F?

A2: The default username is "admin" and there is no password initially. You will be prompted to create a new password upon your first login.

Q3: How do I reset my FortiGate 60F to factory defaults?

A3: You can reset a FortiGate to factory defaults via the CLI using the command execute factoryreset or by holding down the reset button on the device for at least 10 seconds.

Q4: Why is it important to change the default password immediately?

A4: Changing the default password immediately is a critical security measure to prevent unauthorized access to your firewall. Default credentials are widely known and pose a significant security risk.

Q5: What is the purpose of a firewall policy?

A5: A firewall policy defines the rules for how traffic is allowed or denied between different network interfaces or zones on the FortiGate. It specifies the source, destination, service, and action for network traffic.

Q6: What is NAT and why is it important for internet access?

A6: NAT (Network Address Translation) translates private IP addresses used within your local network to a public IP address when communicating with the internet. This allows multiple devices on your internal network to share a single public IP address and helps conserve public IP addresses.