Buying a used Fortigate 60-E

For better or worse, I bought myself a Fortigate 60-E to mess around with – a ton of folks I work with use them; these devices are everywhere. 

So I bought it – and it just sat, and sat, because only after I already spent a couple hundred dollars did I realize you need a subscription to do anything beyond a simple stateful firewall. 

This past week, I decided it was time to get it working. The first hurdle was trying to figure out which subscription to buy. First tip – don’t buy from Amazon. I found a company called Corporate Armor who quoted me 40% less than what was listed on Amazon.

Anyway – the subscriptions include Unified Threat Protection (UTP), Advanced Threat Protection (ATP), and Web/Video filtering.

The UTP basically includes everything including intrusion protection, malware protection, web/video filtering, and FortiCare (tech support). ATP really only is for malware protection and intrusion protection (IPS).

For me – I already have a stateful firewall, and while malware protection and IPS would be a step up in security, i’m more concerned about just web and video filtering. At the moment, I don’t think it’s worth the extra $200-300 a year.

Anyway – so next step is finding a place to buy it – and Fortinet does not make it easy. They have a partner page where you can supposedly find companies to sell you the subscriptions – but most of these places are consulting firms who want to sell you more than just the subscription. Like I said above, I found a great online shop called Corporate Armor – and they got me a fantastic price on the subscription.

But before getting it – I wanted to put my device on the network. That’s where the fun started.

Plugged the WAN port of my 60-E it into the LAN port on my router, and plugged a wireless access point into the LAN port of the 60-E. The firewall got DHCPd, so I gave it a static address and logged in the device for the first time. The web interface is nice, but annoyingly because of certificates, it doesn’t work in Chrome straight away – only firefox (and safari). Also the GUI doesn’t have every setting available, so I wanted to figure out how to use the CLI. But first things first..

I set up the WAN and LAN interfaces, put a static route to my router’s gateway, and got a couple of quick and dirty firewall rules in place. At this point, it could see my public IP and talk to the Fortinet servers. 

So my first debate with myself was – do I want this as an edge router, or is this going to be something inline as just a web filter. I eventually decided on an inline solution (which I changed later), but to do this, I needed to update the operating mode from NAT to Transparent. Eventually, I came to the conclusion that NAT would offer me better deep packet inspection – if that’s true or not, i’m still not sure. But before I came to that conclusion, I wanted to update the opmode – and unfortunately for the 60-E, this isn’t in the settings menu – it can only be done from the command line (CLI). 

So next step was figuring out the CLI – and I read on the forums that later versions of the firmware actually had a CLI edit feature directly in the settings menu. I tried to SSH into the device, but for the longest time couldn’t figure out why it wasn’t working (spoiler, after all the updates, I realized I was trying to SSH over the WAN port… oh man, i felt dumb). Anyway – on to updating the firmware.

Oh what a next step it would be… Turns out, most places say you need a FortiCare account to be able to access the updates. So I created a Fortinet account, and got a free 30 day trial of the web filtering – my hope was that if I got that, I’d be able to use it to update. No luck. I did manage to find a ‘downloads’ page for firmware, but i couldn’t get the links to work. On that same page, they did show an ‘update path’ – I was updating from 6.2.3 to the latest – so along the way I had to hit 6.4.4, 7.0.0 and a few others – updating one to the next. So I downloaded them – only to realize that there are multiple versions for each release. I had downloaded the wifi version, whereas mine was just the vanilla. I finally got the right updates, and over the next hours, applied one after another, until I reached 7.0.2, at which point, I could no longer click on anything in the GUI! I spent 10 minutes on the forums, and realized everything pointed to a browser issue – I cleared the cache, and voila! Back in business. I updated to the latest 7.2.0, and it worked flawlessly.

OK – next step was updating my firewall rules – and boom! I got web traffic coming in. CLI in the settings menu was working too!

Now it’s just a matter of tweaking the settings – there’s a great DNS blocker, where you can give it a ‘movie rating’ and it will block certain websites. it will also do deep packet inspection of the SSL certificates and block any bad sites. It’s an incredibly powerful little box – and I’m only starting my journey with it.

I’m also still debating if this will be my edge device – and honestly, I’m leaning toward it. There’s no reason not to – and if I update to the full package, I will get a truly complete next-gen firewall.