FortiGate 120G — Firewall Management (HA)
Basic Information
| Field | Value |
|---|---|
| Category | Infrastructure |
| Owner | Filip Kohák |
| Deputy | Artem Ryzhkov |
| SLA | 24x7 |
| Deployment | On-prem (2× FortiGate 120G, Active-Passive HA, 2 ISPs) |
Description
FortiGate 120G is Etnetera's perimeter firewall, running in an Active-Passive HA pair. It provides network protection, traffic filtering, VPN access, and SD-WAN for redundant connectivity across two ISPs.
Key features:
- Stateful firewall + NAT
- IPS/IDS (Intrusion Prevention System)
- Web Filtering (URL categorization)
- SSL Inspection
- SD-WAN with two ISPs (load balancing, failover)
- VPN: IPsec site-to-site, SSL-VPN for remote access
- FortiNAC integration for 802.1X
Access and Login
- URL: https://[fortigate-mgmt-ip] (management VLAN, internal network or VPN only)
- Login: admin account (stored in Passbolt)
- CLI access: ssh admin@[fortigate-mgmt-ip]
- HA status: active node = node1, standby = node2
Warning
Make all configuration changes on the active HA node. The passive node syncs automatically. Discuss major changes (new policies, SD-WAN rules) with the owner before applying.
Procedure — Check HA Status
- Log in to FortiGate GUI
- Go to System → HA
- Verify both nodes are Synchronized and the active node is marked Master
- CLI: get system ha status
Procedure — Add a Firewall Policy
- Go to Policy & Objects → Firewall Policy
- Click Create New
- Fill in: Incoming Interface, Outgoing Interface, Source, Destination, Schedule, Service
- Set Inspection Mode and NAT as needed
- Save and verify policy order (policies are evaluated top-down)
Tip
Always test new policies during off-peak hours. Use Address Groups and Service Groups for clean configuration.
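The order check from the last step of the procedure, as an added example (not part of the original guide and not Fortinet code): because evaluation is top-down, a policy fully covered by an earlier one never matches, and the script below finds such policies. The `Policy` model is a simplification that assumes matching only on source CIDR, destination CIDR and destination TCP port; the rule base is constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    pid: int       # policy ID
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: range   # destination TCP ports
    action: str    # "accept" or "deny"

def covers(a, b):
    """True if every packet that matches b also matches a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports.start <= b.ports.start and b.ports.stop <= a.ports.stop)

def first_match(policies, src_ip, dst_ip, port):
    """Top-down evaluation: the first matching policy decides, else implicit deny."""
    for p in policies:
        if (ip_address(src_ip) in ip_network(p.src)
                and ip_address(dst_ip) in ip_network(p.dst) and port in p.ports):
            return p.pid, p.action
    return None, "deny"

def shadowed(policies):
    """List (hidden ID, hiding ID, actions_differ) for policies that can never match."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                findings.append((later.pid, earlier.pid, earlier.action != later.action))
                break
    return findings

# Constructed sample rule base in evaluation order (not the real configuration).
RULES = [
    Policy(10, "10.20.0.0/16", "0.0.0.0/0", range(443, 444), "accept"),
    Policy(20, "10.20.30.0/24", "0.0.0.0/0", range(443, 444), "deny"),      # hidden by 10
    Policy(30, "10.20.0.0/16", "192.0.2.0/24", range(22, 23), "accept"),
    Policy(40, "10.20.30.5/32", "192.0.2.10/32", range(22, 23), "accept"),  # hidden by 30
]

if __name__ == "__main__":
    for hidden, by, differ in shadowed(RULES):
        kind = "CONFLICT" if differ else "redundant"
        print(f"policy {hidden} never matches: covered by policy {by} ({kind})")
    # The deny in policy 20 is never reached for this host:
    print(first_match(RULES, "10.20.30.7", "198.51.100.1", 443))
```

A finding flagged as a conflict means the intended deny or accept is not being enforced; moving the narrower policy above the broader one restores it.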
Procedure — SD-WAN Management
- Go to Network → SD-WAN → SD-WAN Zones
- Check status of both ISP links (green = active)
- SD-WAN rules are under SD-WAN Rules — define which traffic uses which ISP
- SLA monitoring: Network → SD-WAN → SD-WAN Health Check
Procedure — Firmware Update
- Check current version: Dashboard → System Information
- Download new firmware from support.fortinet.com
- Back up config: System → Config → Backup
- Upload firmware: System → Firmware → Upload
- After update, verify HA sync and critical policy functionality
Troubleshooting
| Problem | Solution |
|---|---|
| Internet outage | Check ISP link status: Network → SD-WAN → Health Check; verify BGP/static routes |
| HA failover occurred | Check cause in System → Event Log; verify HA link physical connections |
| Traffic blocked | Policy & Objects → Firewall Policy → check order and rule match; Log & Report → Traffic Log |
| VPN not working | VPN → IPsec Tunnels or SSL-VPN Settings; check certificates and IKE phases |
| IPS false positives | Security Profiles → IPS → adjust signature action (Pass/Monitor instead of Block) |
Related Guides
- FortiNAC — FortiGate integration for 802.1X
- FortiClient EMS / ZTNA — VPN gateway on FortiGate
- Network Monitor — monitors FortiGate uptime and metrics
Contact
- Owner: Filip Kohák — Slack @filip / filip.kohak@etnetera.cz
- Deputy: Artem Ryzhkov — Slack @artem
- Urgent incidents (internet/firewall outage): Slack #it-alerts