Wednesday, April 29, 2026

FortiGate | Installing FortiOS on FortiGate Appliance

 Installing FortiOS on FortiGate hardware is typically done using the TFTP (Trivial File Transfer Protocol) method via a console cable for a clean installation.


Prerequisites:
1. Firmware Image (.out file): Download the specific FortiOS firmware file for your FortiGate model from the support site. Ensure you check the upgrade path if you are moving between major versions.

2. TFTP Server Software: Install a temporary TFTP server application (e.g., tftpd) on your management computer.

3. Console Cable: An RJ-45 to USB or DB-9 serial cable to connect your computer to the FortiGate's console port.

4. Fortinet Support Account: Access to the Fortinet Customer Service & Support website is required to download firmware images.

5 Terminal Emulation Program: Software like PuTTY or Tera Term for console access, configured with settings: Baud Rate 9600, 8 data bits, no parity, 1 stop bit, and no flow control.

6. Network Setup: The management computer running the TFTP server must be on the same local subnet as the FortiGate interface used for the transfer (e.g., port1 or a dedicated MGMT port).

TFTP Method:
This procedure will reset the FortiGate to factory default settings. 

1. Connect via Console: Connect the console cable between your management computer and the FortiGate's console port. Open your terminal emulation program.

2. Place Firmware: Copy the downloaded FortiOS firmware .out file to the root directory of your TFTP server software (e.g TFTP-Root on C:\ drive or another folder).

3. Configure IP Addresses: Ensure the FortiGate interface (e.g., port1) and your TFTP server's IP address are on the same subnet (e.g., FortiGate: 192.168.1.1, TFTP Server: 192.168.1.2).

4. Reboot the FortiGate: In the CLI session, execute the command execute reboot. Type y to confirm or hard reboot the FortiGate firewall.

5. Interrupt Boot Process: As the FortiGate reboots, a series of system startup messages will appear. When you see the message Press any key to display configuration menu.........., immediately press any key to enter the boot menu (you have only 3 seconds).

6. Configure Network & Transfer: Choose 'G' (Get firmware image from TFTP server) and enter the IP address of the FortiGate, subnet mask, TFTP server IP, and the firmware file name.

7. Installation: The device will download, flash, and format the boot device, finally rebooting with the new firmware. 

Important Notes:
1. A clean install via TFTP usually resets the configuration to factory defaults, so ensure you have a backup.

2. Ensure that the PC acting as the TFTP server is in the same subnet as the FortiGate.

3. Some models may require a format boot device step ('F') before fetching the new image to ensure a completely clean install.
By - No comments:
Labels:

Cisco | Configure Cisco (ISR C1121X-8P) Router

 When I had to configure a Cisco (ISR C1121X-8P) router, I noticed it only had a Micro USB console port. I was able to connect using a standard cable, and this generated a COM8 port in Device Manager. I then successfully established a connection to that port using PuTTY at a speed of 9600.

enable
show running-config
configure terminal
 
hostname lifeisrouting.com
enable secret PASSWORD
 
ip domain-name lifeisrouting.local
crypto key generate rsa modulus 2048
username admin secret PASSWORD
ip ssh version 2
line vty 0 4
login local
transport input ssh
 
Configured the WAN port:

interface GigabitEthernet0/0/0
description WAN
ip address dhcp
ip nat outside
no shutdown
 
Configured DHCP and NAT:

ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp pool LAN-POOL
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 1.1.1.1 8.8.4.4
 
access-list 1 permit 192.168.100.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

The second interface was configured as a backup WAN. The switchport command is not applicable to this interface, meaning it cannot be logically combined with the other eight LAN ports. Therefore, it must be treated as a separate routed interface, which allows you to configure a distinct IP address (or a separate DHCP client) on it.

interface GigabitEthernet0/0/1
description WAN2
ip address dhcp
ip nat outside
no shutdown
 
Created interface vlan 1:
 
interface vlan 1
ip address 192.168.100.1 255.255.255.0
ip nat inside

Setting up eight LAN ports (default ports are in vlan 1, it is enough to specify mode access):

interface GigabitEthernet0/1/0
switchport mode access
switchport access vlan 1
no shutdown
 
 interface range GigabitEthernet0/1/0 - 0/1/7
switchport mode access
switchport access vlan 1
no shutdown
exit

Saving configuration:

write memory
copy running-config startup-config

Viewing various information:

show interfaces GigabitEthernet0/0/1 switchport
show ip interface brief
show ip route
show version
show ip interface brief
show running-config

Enabling an http server where you can view various statistics:

ip http server
ip http authentication local
By - No comments:
Labels:

Cisco | Cisco 2960 Switch Configuration (PID: WS-C2960-24TC-L)

  Cisco 2960 Switch Configuration (PID: WS-C2960-24TC-L):

Changing Switch Hostname:

Switch(config)#hostname DST-SW

Configuring Passwords:

DST-SW(config)#enable secret sysadmin
DST-SW(config)#enable secret sysadmin
Securing Console Port:
DST-SW(config)#line con 0 
DST-SW(config-line)#password sysadmin
DST-SW(config-line)#login 
Securing Terminal Lines:
DST-SW(config)#line vty 0 4 
DST-SW(config-line)#password sysadmin
DST-SW(config-line)#login
Encrypting Passwords:
DST-SW(config)#service password-encryption
Configuring Banners:
DST-SW(config)#banner motd 
$ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- UNAUTHORIZED ACCESS IS PROHIBITED -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $
Giving the Switch an IP Address:
DST-SW(config)#interface vlan 1 
DST-SW(config-if)#ip address 192.168.101.2 255.255.255.0 
DST-SW(config-if)#shutdown 
Setting the Default Gateway:
DST-SW(config)#ip default-gateway 192.168.101.1
Saving Configuration:
DST-SW#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration… [OK]
Or

DST-SW#wr 
Building configuration… [OK] 

Working Environment (name lookup, history, exec-timeout and logging behavior):
DST-SW(config)#no ip domain-lookup 
DST-SW(config)#line vty 0 4 
DST-SW(config-line)#history size 15 
DST-SW(config-line)# exec-timeout 10 30 
DST-SW(config-line)#logging synchronous

 

Configuring Switch to use SSH:
• Configure DNS domain name: 
DST-SW(config)#ip domain-name example.com 
• Configure a username and password: 
DST-SW(config)#username admin secrat cisco 
• Generate encryption keys: 
DST-SW(config)#crypto key generate rsa How many bits in the modulus [512]: 1024 
• Define SSH version to use: 
DST-SW(config)#ip ssh version 2 
• Enable vty lines to use SSH: 
DST-SW(config)#line vty 0 4 
DST-SW(config-line)#login local 
DST-SW(config-line)#transport input telnet ssh 
Description, Speed, and Duplex:
DST-SW(config)#interface fastEthernet 0/1 
DST-SW(config-if)#description ***To-Core RTR***
DST-SW(config-if)#speed 100 (options: 10, 100, auto) 
DST-SW(config)#interface range fastEthernet 0/5 – 10 
DST-SW(config-if-range)#duplex full (options: half, full, auto)
Verify Basic Configuration:

• Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS, etc.
DST-SW#show version 
• Shows the current configuration file stored in DRAM. 
DST-SW#show running-config 
• Shows the configuration file stored in NVRAM which is used at first boot process. 
DST-SW#show startup-config 
• Lists the commands currently held in the history buffer. 
DST-SW#show history 
• Shows an overview of all interfaces, their physical status, protocol status and ip address if assigned. 
DST-SW#show ip interface brief 
• Shows detailed information about the specified interface, its status, protocol, duplex, speed, encapsulation, last 5 min traffic. 
DST-SW#show interface vlan 1 
• Shows the description of all interfaces 
DST-SW#show interfaces description 
• Shows the status of all interfaces like connected or not, speed, duplex, trunk or access vlan. 
DST-SW#show interfaces status 
• Shows the public encryption key used for SSH. 
DST-SW#show crypto key mypubkey rsa 
• Shows information about the leased IP address (when an interface is configured to get IP address via a dhcp server)
DST-SW#show dhcp lease 

 

Configuring Port Security:

• Make the switch interface an access port
DST-SW(config-if)#switchport mode access 
• Enable port security on the interface: 
DST-SW(config-if)#switchport port-security 
• Specify the maximum number of allowed MAC addresses: 
DST-SW(config-if)#switchport port-security maximum 1 
• Define the action to take when violation occurs: 
DST-SW(config-if)#switchport port-security violation shutdown (options: shutdown, protect, restrict) 
• Specify the allowed MAC addresses: 
DST-SW(config-if)#switchport port-security mac-address 68b5.9965.1195 (options: H.H.H, sticky)


Verify and Troubleshoot Port Security: 

• Shows the entries of the mac address table 
DST-SW#show mac-address-table 
• An overview of port security of all interfaces 
DST-SW#show port-security 
• Shows detailed information about port security on the specified interface 
DST-SW#show port-security interface fa0/5 
Configuring VLANs: 
• Create a new VLAN and give it a name: 
DST-SW(config)#vlan 10 
DST-SW(config-vlan)#name ***To-IT-Users***
 • Assign an access interface to access a specific VLAN: 
DST-SW(config)#interface fastEthernet 0/5 
DST-SW(config-if)#switchport mode access 
DST-SW(config-if)#switchport access vlan 10 
Configuring an auxiliary VLAN for cisco IP phones: 
DST-SW(config)#interface fastEthernet 0/5 
DST-SW(config-if)#switchport access vlan 10 
DST-SW(config-if)#switchport voice vlan 12 
Configuring Trunks:
DST-SW(config)#interface fastEthernet 0/1 
DST-SW(config-if)#switchport mode trunk (options: access, trunk, dynamic auto, dynamic desirable) DST-SW(config-if)#switchport trunk allowed

Securing VLANS and Trunking:
• Administratively disable unused interfaces: 
DST-SW(config-if)#shutdown 
• Prevent trunking by disabling auto negotiation on the interface: 
DST-SW(config-if)#nonegotiate (or hardcode the port as an access port) 
DST-SW(config-if)#switchport mode access 
• Assign the port to an unused VLAN: 
DST-SW(config-if)#switchport access vlan 222 
STP optimization:
• Hard coding the root bridge (changing bridge priority): 
DST-SW(config)#spanning-tree vlan 1 root primary 
DST-SW(config)#spanning-tree vlan 1 root secondary 
DST-SW(config)#spanning-tree [vlan 1] priority 8192 
• Changing the STP mode: 
DST-SW(config)#spanning-tree mode rapid-pvst (options: mst, pvst, rapid-pvst) 
• Enabling portfast and BPDU guard on an interface: 
DST-SW(config-if)#spanning-tree portfast 
DST-SW(config-if)#spanning-tree bpduguard enable 
• Changing port cost: 
DST-SW(config-if)#spanning-tree [vlan 1] cost 25 
• Bundling interfaces into an etherchannel: 
DST-SW(config-if)#channel-group 1 mode on (options: auto, desirable, on)

STP Verification and Troubleshooting:

• Shows detailed info about STP state 
DST-SW#show spanning-tree 
• Shows STP info only on a specific port 
DST-SW#show spanning-tree interface fa0/2 
• Shows STP info only for a specific VLAN 
DST-SW#show spanning-tree vlan 1 
• Shows info about the root switch 
DST-SW#show spanning-tree [vlan1] root 
• Shows info about the local switch 
DST-SW#show spanning-tree [vlan1] bridge 
• Show the state of the etherchannels 
DST-SW#show etherchannel 1 
• Provides informational messages about the changes in the STP topology 
DST-SW#debug spanning-tree events 

Enabling or disabling CDP: 
• Enabling CDP globally on a switch: 
DST-SW(config)#cdp run 

• Disabling CDP on a given interface: 
DST-SW(config-if)#no cdp enable  

Using CDP for Network Verification and Troubleshooting:

• Shows global information about CDP itself 
DST-SWSW1#show cdp 
• Shows information about CDP on a specific interface 
DST-SW#show cdp interface fa0/2 
• Shows information about the directly connected cisco devices including interfaces names capabilities 
DST-SW#show cdp neighbors 
• Shows detailed information about the neighboring cisco devices including device address and version of IOS they run 
DST-SW#show cdp neighbors detail 
• Same as show cdp neighbor detail 
DST-SW#show cdp entry * 
• Shows detailed information about the specified entry only 
DST-SW#show cdp entry DST-SW2 
By - No comments:
Labels:
Subscribe to: Posts (Atom)