FortiGate Setup – Imaginary Case Study
FortiGate Setup – Case Study “Mataram IT (Imaginary)”
A short, practical guide to bringing up internet access, separating VLANs (Office/Guest/CCTV), publishing an internal web app via a VIP, and providing remote access with SSL-VPN. Written for FortiOS 7.4.x and ready to apply as-is (just adjust the interface names and credentials).
Quick Configuration (HCB)
Targets: Internet ON, VLANs Office/Guest/CCTV, VIP on 443, SSL-VPN on 4443
Time zone: Asia/Jakarta. Principle: minimal but secure → NAT enabled, Guest isolated, default admin account disabled.
Table of Contents
- Topology & Parameters
- Steps via GUI (brief)
- Configuration via CLI (copy-paste ready)
- Verification Checklist
- Hardening & Logging Tips
1) Topology & Parameters
Device | FortiGate 60F (FortiOS 7.4.x)
---|---
WAN | PPPoE (example public IP 203.0.113.10)
LAN trunk | port2 to switch/AP
VLAN 10 – Office | Interface vlan10-office → 192.168.10.1/24 (DHCP range .100–.200)
VLAN 20 – Guest | Interface vlan20-guest → 192.168.20.1/24 (DHCP range .50–.200)
VLAN 30 – CCTV | Interface vlan30-cctv → 192.168.30.1/24 (DHCP range .100–.150)
Helpdesk server | Internal 192.168.10.20:443 → published via VIP (WAN:443)
SSL-VPN | Port 4443, tunnel pool 10.10.10.10–10.10.10.200
NTP & DNS | NTP: id.pool.ntp.org, DNS: ISP / 1.1.1.1 / 8.8.8.8
Note on the public IP: if the public IP is dynamic, consider DDNS on the FortiGate; for the port-based VIP, point clients at your domain name.
2) Steps via GUI (brief and in order)
A. System → Settings
- Timezone: Asia/Jakarta.
- Enable NTP: id.pool.ntp.org.
- (Optional) Change the admin ports: HTTPS → 10443, SSH → 10222.
B. Network → Interfaces
- port1 (WAN): PPPoE → enter the ISP username/password. “Administrative Access”: tick Ping only.
- port2 (LAN trunk): leave it up, allowaccess Ping/HTTPS/SSH.
- Add VLANs:
  - vlan10-office (ID 10) → 192.168.10.1/24, allowaccess Ping/HTTPS/SSH.
  - vlan20-guest (ID 20) → 192.168.20.1/24, allowaccess Ping.
  - vlan30-cctv (ID 30) → 192.168.30.1/24, allowaccess Ping.
C. Network → DHCP Server
- Enable DHCP with the pool for each VLAN (Office, Guest, CCTV).
D. Policy & Objects
- Addresses: create Office_Subnet, Guest_Subnet, CCTV_Subnet and (optionally) NVR_30.10.
- Virtual IPs: VIP_Helpdesk_443 → WAN:443 to 192.168.10.20:443.
- Firewall Policy (order specific → general):
  - WAN → LAN: allow to VIP_Helpdesk_443 (Service: HTTPS, Log: All).
  - ssl.root → vlan10-office: for SSL-VPN.
  - vlan20-guest → vlan10-office: DENY (Guest isolation).
  - vlan30-cctv → WAN: NTP only (if the cameras only need time sync).
  - vlan10-office → WAN: ACCEPT + NAT (enable Security Profiles if available).
  - vlan20-guest → WAN: ACCEPT + NAT (web filter optional).
E. VPN → SSL-VPN Settings
- Listen on: port1, Port: 4443.
- Tunnel address range: 10.10.10.10–10.10.10.200 (create an ippool object).
- Create the user and the group SSLVPN_Users → tunnel-mode portal + split-tunneling to Office_Subnet.
F. Logging & Admin
- Enable FortiGate Cloud logging (real-time or periodic).
- Create a new admin account (restrict Trusted Hosts), then disable the default admin account.
3) Configuration via CLI (copy-paste ready)
Important: replace the PPPoE username/password, the admin/user passwords and (if static) the public IP with your ISP's values.
A. Interfaces & VLANs
config system interface
edit "port1"
set alias "WAN"
set mode pppoe
set username "mataramit@isp"
set password "SuperSecret123!"
set allowaccess ping
next
edit "port2"
set alias "LAN-Trunk"
set allowaccess ping https ssh
next
edit "vlan10-office"
set interface "port2"
set vlanid 10
set ip 192.168.10.1 255.255.255.0
set allowaccess ping https ssh
next
edit "vlan20-guest"
set interface "port2"
set vlanid 20
set ip 192.168.20.1 255.255.255.0
set allowaccess ping
next
edit "vlan30-cctv"
set interface "port2"
set vlanid 30
set ip 192.168.30.1 255.255.255.0
set allowaccess ping
next
end
B. DHCP Server
config system dhcp server
edit 10
set interface "vlan10-office"
set lease-time 86400
set default-gateway 192.168.10.1
set netmask 255.255.255.0
config ip-range
edit 1
set start-ip 192.168.10.100
set end-ip 192.168.10.200
next
end
next
edit 20
set interface "vlan20-guest"
set lease-time 28800
set default-gateway 192.168.20.1
set netmask 255.255.255.0
config ip-range
edit 1
set start-ip 192.168.20.50
set end-ip 192.168.20.200
next
end
next
edit 30
set interface "vlan30-cctv"
set lease-time 86400
set default-gateway 192.168.30.1
set netmask 255.255.255.0
config ip-range
edit 1
set start-ip 192.168.30.100
set end-ip 192.168.30.150
next
end
next
end
C. Objects (Address)
config firewall address
edit "Office_Subnet"
set subnet 192.168.10.0 255.255.255.0
next
edit "Guest_Subnet"
set subnet 192.168.20.0 255.255.255.0
next
edit "CCTV_Subnet"
set subnet 192.168.30.0 255.255.255.0
next
edit "NVR_30.10"
set subnet 192.168.30.10 255.255.255.255
next
end
D. VIP (Publish Helpdesk 443)
config firewall vip
edit "VIP_Helpdesk_443"
set comment "Publish helpdesk web"
set extintf "port1"
set extip 203.0.113.10
set portforward enable
set extport 443
set mappedip "192.168.10.20"
set mappedport 443
next
end
E. SSL-VPN (port 4443, split-tunneling to Office)
config user local
edit "tech-andi"
set type password
set passwd "P@ssw0rd!"
next
end
config user group
edit "SSLVPN_Users"
set member "tech-andi"
next
end
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
set type ippool
set start-ip 10.10.10.10
set end-ip 10.10.10.200
next
end
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set web-mode disable
set split-tunneling enable
set split-tunneling-routing-address "Office_Subnet"
next
end
config vpn ssl settings
set servercert "Fortinet_Factory"
set port 4443
set source-interface "port1"
set source-address "all"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set default-portal "full-access"
end
F. Policies (order specific → general)
config firewall policy
edit 1
set name "WAN_to_Helpdesk_VIP"
set srcintf "port1"
set dstintf "vlan10-office"
set srcaddr "all"
set dstaddr "VIP_Helpdesk_443"
set action accept
set schedule "always"
set service "HTTPS"
set logtraffic all
next
edit 2
set name "SSLVPN_to_Office"
set srcintf "ssl.root"
set dstintf "vlan10-office"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "Office_Subnet"
# Bind the policy to the SSL-VPN group created above so only its members match
set groups "SSLVPN_Users"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 3
set name "GUEST_block_to_Office"
set srcintf "vlan20-guest"
set dstintf "vlan10-office"
set srcaddr "all"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 4
set name "CCTV_to_NTP_only"
set srcintf "vlan30-cctv"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "NTP"
set nat enable
next
edit 5
set name "OFFICE_to_Internet"
set srcintf "vlan10-office"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set utm-status enable
set av-profile "default"
set webfilter-profile "default"
set application-list "default"
set ips-sensor "default"
next
edit 6
set name "GUEST_to_Internet"
set srcintf "vlan20-guest"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set utm-status enable
set webfilter-profile "default"
set ssl-ssh-profile "certificate-inspection"
next
end
G. Hardening & Logging
config system global
# admin-sport is the HTTPS admin port (admin-port would change HTTP, not HTTPS)
set admin-sport 10443
set ssh-port 10222
set revision-backup-on-logout enable
end
config log fortiguard setting
set status enable
set upload-option realtime
end
config system admin
edit "ops-admin"
set accprofile "super_admin"
set password "VeryStrongAndLong1!"
set trusthost1 192.168.10.10 255.255.255.255
next
# Disabling the default 'admin' account via the GUI is recommended
end
4) Verification Checklist
- WAN is UP and has a PPPoE IP.
- Clients on VLAN10 and VLAN20 get DHCP addresses.
- Guest (VLAN20) cannot ping/reach Office (VLAN10).
- Browsing to https://public-IP:443 lands on 192.168.10.20.
- SSL-VPN login at https://public-IP:4443 → gets a 10.10.10.x address → can reach 192.168.10.0/24.
- Real-time logs flow to FortiGate Cloud.
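As an added example (not part of the original guide), a small Python lint that parses FortiOS CLI text like the blocks in section 3 and checks offline, before anything is pushed to the box, that the Guest → Office deny is not shadowed by a later accept, that the inbound WAN (VIP) policy is service-restricted and logged, and that outbound policies to the WAN have NAT enabled. The interface names port1, vlan20-guest and vlan10-office are the ones used in this guide; SAMPLE is a constructed excerpt of policies 1, 3 and 6.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts; order is kept."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok or tok[0].startswith("#"):      # blank line or CLI comment
            continue
        if tok[0] in ("config", "edit"):           # open a table or an entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":                      # values are kept as a list
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):            # close the innermost scope
            cur = stack.pop()
    return root

def lint_policies(cfg):
    """Return findings for the rules this guide depends on ([] = clean)."""
    findings, guest_accept_seen, guest_deny = [], False, False
    for pid, p in cfg.get("firewall policy", {}).items():
        src, dst = p.get("srcintf", []), p.get("dstintf", [])
        act = p.get("action", [None])[0]
        if "vlan20-guest" in src:
            if act == "deny" and "vlan10-office" in dst:
                guest_deny = True
                if guest_accept_seen:              # first match wins: deny is shadowed
                    findings.append(f"policy {pid}: guest deny placed after a guest accept")
            elif act == "accept":
                guest_accept_seen = True
        if "port1" in src and act == "accept":     # inbound from WAN (the VIP policy)
            if p.get("service") == ["ALL"] or p.get("logtraffic") != ["all"]:
                findings.append(f"policy {pid}: inbound WAN policy too broad or unlogged")
        if "port1" in dst and act == "accept" and p.get("nat") != ["enable"]:
            findings.append(f"policy {pid}: outbound to WAN without NAT")
    if not guest_deny:
        findings.append("no deny policy from vlan20-guest to vlan10-office")
    return findings

# Constructed excerpt of section 3F (policies 1, 3 and 6), used as offline input.
SAMPLE = "\n".join([
    "config firewall policy",
    "edit 1", 'set srcintf "port1"', 'set dstintf "vlan10-office"', 'set dstaddr "VIP_Helpdesk_443"',
    "set action accept", 'set service "HTTPS"', "set logtraffic all", "next",
    "edit 3", 'set srcintf "vlan20-guest"', 'set dstintf "vlan10-office"', "set action deny", "next",
    "edit 6", 'set srcintf "vlan20-guest"', 'set dstintf "port1"', "set action accept", "set nat enable", "next",
    "end"])
```

Run it against a full `show firewall policy` dump to lint the real configuration instead of the excerpt.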
5) Hardening & Operational Tips
- Restrict management access to trusted subnets (Trusted Hosts); disable HTTP and unused services on the WAN.
- Review the Local-In Policy when exposing public services (SSL-VPN, VIP).
- Back up the configuration after every major change.
- If the public IP is dynamic: use DDNS and a certificate (Let's Encrypt via a reverse proxy, or FortiCA).
Done. If you like, I can produce a one-page “technician SOP” version (checklist only) or adapt it to your actual topology (Static IP/Multiple WAN/SD-WAN).