FortiGate

This guide will show you how to connect your FortiGate device to the GoodAccess Gateway via a site-to-site connection using the IPSec protocol.


Last updated 3 months ago


Step 1 - Creating a new branch connection

Log in to the GoodAccess Control Panel, and go to Network > Clouds & Branches.

Click + Add new, enter the Branch name and subnet, and select Gateway.

Choose IPSec Protocol, fill out the Settings configuration form, and click Save.

You may return to the configuration via the Edit button of your Branch at any time.

Example of configuration (Default preset):

  • Cloud/Branch subnet - Subnet of your local network

  • Shared Secret - Create a new strong password

  • Public IP - IP of your FortiGate

  • IKE Lifetime (Phase 1) - 8 hours (28800 seconds)

  • Tunnel Lifetime (Phase 2) - 1 hour (3600 seconds)

  • Dead Peer Detection Delay - 30 seconds

  • Encryption (Phase 1) - aes256

  • Encryption (Phase 2) - aes256

  • Integrity (Phase 1) - sha256

  • Integrity (Phase 2) - sha256

  • Diffie-Hellman Groups (Phase 1) - 16 - modp4096

  • Diffie-Hellman Groups (Phase 2) - 16 - modp4096
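
The Phase 1 and Phase 2 settings entered on the FortiGate in Step 3 must match this preset, and a mismatch or a leftover extra proposal is easy to miss in the GUI. The Python below is an added example, not GoodAccess or Fortinet code: it parses FortiOS CLI configuration text and reports every setting that differs from the preset. The mapping of the preset to the FortiOS setting names and the tunnel names in the sample are assumptions of this example, and nested config tables inside a tunnel entry are not handled.

```python
import re

# Step 1 default preset under FortiOS CLI setting names (mapping assumed by this example).
PRESET = {
    "phase1": {"ike-version": "2", "proposal": "aes256-sha256", "dhgrp": "16", "keylife": "28800"},
    "phase2": {"proposal": "aes256-sha256", "dhgrp": "16", "keylifeseconds": "3600"},
}

# Constructed sample shaped like FortiOS `show full-configuration` output.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "goodaccess"
        set ike-version 2
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 16
        set keylife 86400
    next
end
config vpn ipsec phase2-interface
    edit "goodaccess-p2"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
    next
end
"""

def parse(text):
    """Return {phase: {tunnel: {setting: value}}} for the IPsec sections."""
    out, section, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"config vpn ipsec (phase[12])-interface$", line):
            section, entry = out.setdefault(m.group(1), {}), None
        elif line == "end":
            section = None
        elif section is not None and line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif section is not None and entry is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return out

def audit(text, preset=PRESET):
    """Return (phase, tunnel, setting, found, expected) for each mismatch."""
    return [(phase, name, key, got, want)
            for phase, tunnels in parse(text).items()
            for name, cfg in tunnels.items()
            for key, want in preset[phase].items()
            if (got := cfg.get(key, "<unset>")) != want]
```

Feed it `show full-configuration` output rather than plain `show`, which omits settings left at their defaults and would have them reported as `<unset>`.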

Step 2 - Creating new addresses

Log in to your FortiGate device, and go to Policy & Objects > Addresses. Click Create New and select Address.

You have to create two addresses, local and remote.

Give each address a name and set the configuration as follows:

Local Address

  • Type - Subnet

  • IP/Netmask - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)

  • Interface - Optional

Click OK to confirm your settings.

Remote Address

  • Type - Subnet

  • IP/Netmask - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)

  • Interface - Optional

Click OK to confirm your settings.

Step 3 - Creating a new IPSec tunnel

Go to VPN > IPsec Tunnels. Click Create New and select IPSec Tunnel.

Give the tunnel a name, select Custom, and click Next.

Edit all the sections as follows:

Network

  • Remote Gateway - Static IP Address

  • IP Address - IP of your GoodAccess Gateway

  • Interface - WAN (depends on your site)

  • NAT Traversal - Optional

  • Dead Peer Detection - Optional

  • Advanced:

    1. Add route - Enabled

    2. Auto discovery sender - Disabled

    3. Auto discovery receiver - Disabled

    4. Exchange interface IP - Disabled

    5. Device creation - Enabled

Authentication

  • Method - Pre-shared Key

  • Pre-shared Key - Shared Secret (Step 1)

  • IKE Version - 2

Phase 1

Must match configuration from GoodAccess (Step 1).

Phase 2

  • Local/Remote Address - Select Named Address, and choose Local/Remote Address (Step 2)

Must match configuration from GoodAccess (Step 1).

Click OK to confirm your settings.

Step 4 - Creating a new static route

Go to Network > Static Routes and click Create New.

Set the Destination as Subnet and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).

Click OK to confirm your settings.

You have now successfully connected your device to GoodAccess.

Firewall rules

Make sure that your device allows incoming connections from your GoodAccess Gateway private subnet on the following ports:

  • UDP 500

  • UDP 4500

You may check the status of the connection in:

  • GoodAccess - Control Panel > Clouds & Branches > Edit button > Test connection

  • FortiGate - Monitor > IPSec Monitor