# FortiGate

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your FortiGate
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating new addresses

Log in to your FortiGate device, and go to **Policy & Objects** > **Addresses**. Click **Create New** and select **Address**.

Give the address a name and set the configuration as follows:

{% hint style="info" %}
You have to create **two** Addresses - **local** and **remote**.
{% endhint %}

<figure><img src="/files/mwzRK2EFZf8SktfZJJSa" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new address."><figcaption><p>Creating a new address</p></figcaption></figure>

### **Local Address**

* **Type** - Subnet
* **IP/Netmask** - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)
* **Interface** - Optional

<figure><img src="/files/CD3AOuRTXqDF4DAcqxfu" alt="Router&#x27;s graphical user interface (GUI) showing configuration of the local address."><figcaption><p>Creating a local address</p></figcaption></figure>

Click **OK** to confirm your settings.

### **Remote Address**

* **Type** - Subnet
* **IP/Netmask** - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)
* **Interface** - Optional

<figure><img src="/files/LNBykjLq3jSgQy1LcRNs" alt="Router&#x27;s graphical user interface (GUI) showing configuration of the remote address."><figcaption><p>Creating a remote address</p></figcaption></figure>

Click **OK** to confirm your settings.

## Step 3 - Creating a new IPSec tunnel

Go to **VPN** > **IPsec Tunnels**. Click **Create New** and select **IPSec Tunnel**.

Give the tunnel a name, select **Custom**, and click **Next**.

**Edit** all the sections as follows:

<div><figure><img src="/files/3FdtqRrVioYzFLf7K8wj" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec tunnel."><figcaption><p>Creating a new IPSec tunnel</p></figcaption></figure> <figure><img src="/files/7CKaCwBSYSAvYi9yZ6Ls" alt="Router&#x27;s graphical user interface (GUI) showing first step of the VPN Creation Wizard."><figcaption><p>Naming a new IPSec tunnel</p></figcaption></figure></div>

<figure><img src="/files/9Xl94qjVxyEmF7Uj4kCG" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring an IPSec tunnel."><figcaption><p>Setting up a new IPSec tunnel</p></figcaption></figure>

### Network

* **Remote Gateway** - Static IP Address
* **IP Address** - IP of your GoodAccess Gateway
* **Interface** - WAN (depends on your site)
* **NAT Traversal** - Optional
* **Dead Peer Detection** - Optional
* **Advanced:**
  1. **Add route** - Enabled
  2. **Auto discovery sender** - Disabled
  3. **Auto discovery receiver** - Disabled
  4. **Exchange interface IP** - Disabled
  5. **Device creation** - Enabled

<figure><img src="/files/JZuHYu2sML8BQT9O8bJy" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Network section of an IPSec tunnel."><figcaption><p>Setting up the network section of an IPSec tunnel</p></figcaption></figure>

### **Authentication**

* **Method** - Pre-shared Key
* **Pre-shared Key** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection)
* **IKE Version** - 2

<figure><img src="/files/qbBlm5aMqO08SNQtJkHr" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Authentication section of an IPSec tunnel."><figcaption><p>Setting up the authentication section of an IPSec tunnel</p></figcaption></figure>

### **Phase 1**

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

<figure><img src="/files/jGBgxKkkPrvnVcpTcotK" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Phase 1 section of an IPSec tunnel."><figcaption><p>Setting up the Phase 1 section of an IPSec tunnel</p></figcaption></figure>

### **Phase 2**

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

* **Local/Remote Address** - Select **Named Address**, and choose Local/Remote Address [(Step 2)](#step-2-creating-new-addresses)

<figure><img src="/files/3RQ5FbrKCUBfND8QTuEx" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Phase 2 section of an IPSec tunnel."><figcaption><p>Setting up the Phase 2 section of an IPSec tunnel</p></figcaption></figure>

Click **OK** to confirm your settings.

## Step 4 - Creating a new static route

Go to **Network** > **Static Routes** and click **Create New**.

Set the **Destination** as **Subnet** and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).

Click **OK** to confirm your settings.

<div><figure><img src="/files/xyrAHyp8qkxQ5BLXpwNs" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new static route."><figcaption><p>Creating a new static route</p></figcaption></figure> <figure><img src="/files/XnLMZkxk1Vf3944muwqe" alt="Router&#x27;s graphical user interface (GUI) showing configuration of a static route."><figcaption><p>Setting up the new static route</p></figcaption></figure></div>

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **FortiGate:** Go to **Monitor > IPSec Monitor**.
{% endhint %}
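The FortiGate-side check can also be done from the CLI, which shows more than the IPsec Monitor page. The commands below are an added example, not from the GoodAccess documentation; they assume the phase 1 tunnel is named `GoodAccess` and the phase 2 selector `GoodAccess-P2`, so substitute the names you used.

```fortios
# Added example: FortiOS CLI checks for the tunnel state (not from the original page).
# Assumed names: phase 1 "GoodAccess", phase 2 "GoodAccess-P2".

# One line per tunnel; a working tunnel shows "up" with non-zero selectors
get vpn ipsec tunnel summary

# IKE SA (Phase 1): "status: established" means the pre-shared key and the
# Phase 1 proposal (aes256 / sha256 / DH group 16) agreed with the GoodAccess side
diagnose vpn ike gateway list name GoodAccess

# IPsec SA (Phase 2): an SA listed under the selectors confirms Phase 2 matched;
# no SA usually points to a subnet or proposal mismatch in Phase 2
diagnose vpn tunnel list name GoodAccess-P2

# After changing a parameter on either side, drop the IKE SA so it renegotiates
diagnose vpn ike gateway clear name GoodAccess
```

Read the two diagnose outputs together: an established IKE SA with no IPsec SA isolates the problem to the Phase 2 settings or the Local/Remote named addresses, while no IKE SA at all means Phase 1, the pre-shared key, or the UDP 500/4500 firewall rules from the warning above should be checked first.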
