Fortigate 50E: Connecting Second Building to LAN2 for Internet Access & File Server on Forti OS 5.4

Fortigate 50E and Forti OS 5.4. I want to connect the second building to LAN2 (separate addressing), give them access only to the Internet (via WAN1) and the file server in LAN1. I know I have to create a new interface on LAN2, you can choose from LAN or WAN. Anyone have experience with this device?

do as logic dictates, it should be the LAN2 interface, so set it to LAN
there is a chance that in the default configuration this interface is assigned to the zone internal
however, if I remember correctly, the issue of port naming is conventional.

The ports are described like that, but at least in the larger Fortigate it doesn't matter and it probably is the same here. I would just suggest checking if they are not connected to the switch by default (I don't know this particular device).
In order for computers on the other subnet to have access to the Internet, you need to create a policy with NAT in their policies that allows traffic to the WAN interface.
By default, traffic will not be passed between LAN1 and LAN2, so that computers from LAN2 have access to the server in LAN1, preferably in firewall objects (I do not know what it will be called for you) create a new entry with some server name and its IP, assign it to its subnets, and then in the policy create a rule that allows traffic from LAN2 to LAN1 and the created object (you can also type IP with your finger, but with more rules then it's hard to see).

Thanks for the answers. I have searched on foreign sites and the recommendations to disable port forwarding and NAT are repeated, but it still does not work for me.

The ports are "disconnected", so Lan1 is listed as "Hardware switch", Lan2 as "Physical interface".
Konfigurac...a LAN2.png Download (47.17 kB)
I have created Virtual IP (computer with XAMPP server in LAN1):
virtual...png Download (38.05 kB)
I made a policy (let it all go):
polity..png Download (73.05 kB)

Theoretically, a computer with IP 10.228.24.135 from LAN2 should ping 192.168.0.160 from LAN1 - it does not ping, nor does it load HTTP.

Hello,

A bit meaningless to me. You definitely have NAT between LAN 1 and LAN 2.
Where is 192.168.0.160.
External IP Address - entire subnet ?? and the one with the LAN2 interface address?
I guess you need to familiarize yourself with the general ideas of NAT and implementation details on FG.

You're right, I did "God's way" and it worked:
virtual_..2.png Download (42.16 kB)
polityk...png Download (63.2 kB)

Thank you very much.

This NAT between LAN1 and LAN2 is not needed at all.
Just adding a rule in Policy, just like you just have a server address instead of a natu rule name in destination address, and this should work as long as there are valid routes in the routing table.

In the Adresses tab, you probably have the option to just define a name for the server address in LAN1, so as not to manually pat the rules (I'm not sure because I have a slightly older version of FortiOS)

GrandMasterT - normally brilliant, and more convenient. Even file sharing works for me.
According to the instructions, created and named address:
new_addr..s.png Download (50.67 kB)
Created policy without NAT and as an 'Destination' object of address type, allowed HTTP and SMB services (for test):
polityka-b..nat.png Download (50.04 kB)
As for the routes, I only have for the internet:
TRASY.png Download (13.87 kB)

As for routes, apart from the window that you pasted, there should also be a Routing Monitor (it may be called otherwise - I have Forti 5.0 and 5.2) where you can see the entire currently used routing table, including all entries that jump there from the machine. A very useful thing, especially when, apart from physical interfaces, there will be various tunnels, many WANs, etc. - it always shows the current state that is currently in use.

However, if everything works for you now, these routes are definitely there, they are added automatically after assigning the interface to a given subnet, so I asked about them only prophylactically because I associate that you can deselect one of the interface options and then there are no entries.

Perhaps I have a lower model and that's why. I am still struggling with WEB filtering. As far as it filters by category, if I add a domain to block or allow it below, it does nothing. The DNS filter behaves the same. Even disabling filtering by category, and leaving manual entries will do nothing: /
http://cookbook.fortinet.com/blocking-facebook-54/

Show some screenshots of what it looks like in Forti 5.4, if necessary, wipe sensitive information if something like this is there.
Basically you have two options for blocking a given site.
The first one is "Override category" - it works on the principle that the page is in some category, but locally you can assign it to another, for example you have blocked or unblocked.
The second option is to create a local category, which can be assigned the same rules as those defined by default, then you add pages to this category. Manually defined ones have priority over global ones.

Some pages, such as YouTube or Facebook, are easier to block with the application filter.

EDIT: Oh, and one more thing. If you are blocking something for some computers by making an entry in Policy, the new entry must be above the old one. Entries are checked from top to bottom and the first match is always selected, so if you are allowed access to everything for the entire (sub) network, the rule below for selected computers from that subnet will not work anymore. Generally you have to stick to the rule that more detailed entries must be higher (computer> group of computers> whole subnet).

Default WebFilter Policy:
3.jpg Download (139.83 kB)

DNS Filter (when enabled in IPv4 Policy, no page loads):
DNS Fil...jpg Download (97.22 kB)
IPv4 Policy:
IPv4 Pol..y.jpg Download (212.74 kB)
I saw that they create separate policies on DNS, HTTP, EMAIL etc.
Ultimately, I want to give access to the network only to devices defined on Forti. On physical LAN5 I want to connect AP to WiFi for "foreign" devices and only Internet access with limited bandwidth.

In the category tree you can add a subcategory in local categories, for example "Blocked", to which you can add blocked pages. These categories can then be used in the same way as the predefined ones in different web filter profiles. In your profile, you block the entire category once and then drag new pages to it.

Simple URL block works poorly, at least in forti 5.0 and 5.2. If you want to block facebook just like in the screenshot, it is best to look at the application blocking configuration - there you can even set that on other pages you will see fb components (e.g. sliders, paws, etc.), but you cannot enter fb itself. This is quite a good option, because cutting out completely spoils some other websites (e.g. a frame with info about the blockade pops up in the place of the slider).

Breaking policies as you have in the screen is a bit pointless, as long as there is little, it can and looks nice, but if you started creating, for example, network / service access schedules, or various configurations for user groups, you will not get it later, because each entry it will split into several more. If the policies do not differ in the settings of av profiles, web filter, ips, etc., it is better to leave it as one entry. Note that forti is quite clever and if you turn on the email filter on a given policy entry, it doesn't mean that this filter works for all services - it will only work for emails automatically (this is defined in the system configuration). The same goes for other filters, antivirus, etc.

As for the DNS filter not working, it is possible you have something wrongly set up in the configuration of the system itself and eg DNS fortiguarda are unreachable.