# FortiGate

## Step 1 - Creating a new branch connection

Log in to the GoodAccess **Control Panel**, and go to [**Network** > **Clouds & Branches**](https://app.goodaccess.com/branches/).

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your FortiGate
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating new addresses

Log in to your FortiGate device, and go to **Policy & Objects** > **Addresses**. Click **Create New** and select **Address**.

Give the address a name and set the configuration as follows:

{% hint style="info" %}
You have to create **two** Addresses - **local** and **remote**.
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F8JSTw8ynnnBvoT4J7nXd%2FBranch%20Connector%20guides%20-%20FortiGate_2.PNG?alt=media&#x26;token=185a2f36-3c5d-4eb6-9e91-0f338970bdd2" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new address."><figcaption><p>Creating a new address</p></figcaption></figure>

### **Local Address**

* **Type** - Subnet
* **IP/Netmask** - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)
* **Interface** - Optional

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FzNGhxA1DQzk5Z0FDiGPM%2FBranch%20Connector%20guides%20-%20FortiGate_3.PNG?alt=media&#x26;token=484ca2bd-8885-486e-837c-11e62836352a" alt="Router&#x27;s graphical user interface (GUI) showing configuration of the local address."><figcaption><p>Creating a local address</p></figcaption></figure>

Click **OK** to confirm your settings.

### **Remote Address**

* **Type** - Subnet
* **IP/Netmask** - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)
* **Interface** - Optional

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FIBnSax5YGl4zZ3ZxImBM%2FBranch%20Connector%20guides%20-%20FortiGate_4.PNG?alt=media&#x26;token=4d595c3b-a0aa-4cb2-9b54-f5a8ff24d3b5" alt="Router&#x27;s graphical user interface (GUI) showing configuration of the remote address."><figcaption><p>Creating a remote address</p></figcaption></figure>

Click **OK** to confirm your settings.

## Step 3 - Creating a new IPSec tunnel

Go to **VPN** > **IPsec Tunnels**. Click **Create New** and select **IPSec Tunnel**.

Give the tunnel a name, select **Custom**, and click **Next**.

**Edit** all the sections as follows:

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fzs0fSmsJRiodVc5MmnVi%2FBranch%20Connector%20guides%20-%20FortiGate_5.PNG?alt=media&#x26;token=65e0c51a-9557-43db-811e-c80cf84e262e" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec tunnel."><figcaption><p>Creating a new IPSec tunnel</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FolYY8hDHycNHHMrhCulY%2FBranch%20Connector%20guides%20-%20FortiGate_6.PNG?alt=media&#x26;token=ce6bd667-1ec5-4ced-b11b-bb7aebfdfafc" alt="Router&#x27;s graphical user interface (GUI) showing first step of the VPN Creation Wizard."><figcaption><p>Naming a new IPSec tunnel</p></figcaption></figure></div>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FsUGtrpQ6GINY0NuWVZ6w%2FBranch%20Connector%20guides%20-%20FortiGate_8.PNG?alt=media&#x26;token=3641e588-49c9-4ad3-97f8-2a306f4d5199" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring an IPSec tunnel."><figcaption><p>Setting up a new IPSec tunnel</p></figcaption></figure>

### Network

* **Remote Gateway** - Static IP Address
* **IP Address** - IP of your GoodAccess Gateway
* **Interface** - WAN (depends on your site)
* **NAT Traversal** - Optional
* **Dead Peer Detection** - Optional
* **Advanced:**
  1. **Add route** - Enabled
  2. **Auto discovery sender** - Disabled
  3. **Auto discovery receiver** - Disabled
  4. **Exchange interface IP** - Disabled
  5. **Device creation** - Enabled

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FHv0ev5FrCitCxKPCCYNH%2FBranch%20Connector%20guides%20-%20FortiGate_9.PNG?alt=media&#x26;token=1ffa37d8-0567-42ba-9f4c-3313c75a5c56" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Network section of an IPSec tunnel."><figcaption><p>Setting up the network section of an IPSec tunnel</p></figcaption></figure>

### **Authentication**

**Method** - Pre-shared Key

**Pre-shared Key** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection)

**IKE Version** - 2

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FoSUMIrosJyI2TvIMelqH%2FBranch%20Connector%20guides%20-%20FortiGate_10.PNG?alt=media&#x26;token=c181a400-1f09-4e4a-b917-da7912d04dee" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Authentication section of an IPSec tunnel."><figcaption><p>Setting up the authentication section of an IPSec tunnel</p></figcaption></figure>

### **Phase 1**

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FpTLGeyFk57hHt8IxAN0z%2FBranch%20Connector%20guides%20-%20FortiGate_11.PNG?alt=media&#x26;token=77c539c1-e3f0-4579-ab92-87401bc65359" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Phase 1 section of an IPSec tunnel."><figcaption><p>Setting up the Phase 1 section of an IPSec tunnel</p></figcaption></figure>

### **Phase 2**

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

* **Local/Remote Address** - Select **Named Address**, and choose Local/Remote Address [(Step 2)](#step-2-creating-new-addresses)

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FHhzBTkF31GOV0Rkp7lZw%2FBranch%20Connector%20guides%20-%20FortiGate_12.PNG?alt=media&#x26;token=207812a4-e4a3-4601-b2b8-98829165fd40" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Phase 2 section of an IPSec tunnel."><figcaption><p>Setting up the Phase 2 section of an IPSec tunnel</p></figcaption></figure>

Click **OK** to confirm your settings.

## Step 4 - Creating a new static route

Go to **Network** > **Static Routes** and click **Create New**.

Set the **Destination** as **Subnet** and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).

Click **OK** to confirm your settings.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FiQZv8rWBmY1vAjvCRXxH%2FBranch%20Connector%20guides%20-%20FortiGate_13.PNG?alt=media&#x26;token=63276cb8-be9e-41dd-9774-2be610d04d5c" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new static route."><figcaption><p>Creating a new static route</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fc1jDlZqTqsdJqYqC4zba%2FBranch%20Connector%20guides%20-%20FortiGate_14.PNG?alt=media&#x26;token=0a693fd3-5273-4fd1-94fc-1f3f956d9b09" alt="Router&#x27;s graphical user interface (GUI) showing configuration of a static route."><figcaption><p>Setting up the new static route</p></figcaption></figure></div>

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **FortiGate:** Go to **Monitor > IPSec Monitor**.
{% endhint %}
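If the tunnel does not come up, a mismatch between the Step 1 preset and the FortiGate Phase 1/Phase 2 settings is the first thing to rule out. The following is an added example, not code from GoodAccess or Fortinet: it compares pasted FortiOS CLI text against the Default preset and converts FortiGate `IP/Netmask` values to the CIDR form used in Step 1. The tunnel names and the sample configuration are constructed, and the mapping of preset fields to FortiOS CLI keys is an assumption of this example.

```python
import ipaddress
import re

# Default preset from Step 1, expressed as FortiOS CLI keys (mapping assumed by this example).
EXPECTED = {
    "phase1": {"ike-version": "2", "proposal": "aes256-sha256",
               "dhgrp": "16", "keylife": "28800"},
    "phase2": {"proposal": "aes256-sha256", "dhgrp": "16",
               "keylifeseconds": "3600"},
}

# Constructed sample, not from a real device; the Phase 2 lifetime is wrong on purpose.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "goodaccess"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256
        set dhgrp 16
    next
end
config vpn ipsec phase2-interface
    edit "goodaccess-p2"
        set proposal aes256-sha256
        set dhgrp 16
        set keylifeseconds 43200
    next
end
"""

def parse(config):
    """Collect `set <key> <value>` lines under each phase section."""
    found, section = {"phase1": {}, "phase2": {}}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"config vpn ipsec (phase[12])-interface$", line)
        if m:
            section = m.group(1)
        elif line == "end":
            section = None
        elif section and line.startswith("set "):
            _, key, value = line.split(None, 2)
            found[section][key] = value.strip('"')
    return found

def mismatches(config):
    """Return (section, key, expected, found) for every value that differs."""
    found = parse(config)
    return [(sec, key, want, found[sec].get(key))
            for sec, keys in EXPECTED.items()
            for key, want in keys.items() if found[sec].get(key) != want]

def to_cidr(fortigate_subnet):
    """'124.24.0.0/255.255.252.0' -> '124.24.0.0/22'; ValueError if host bits are set."""
    return str(ipaddress.ip_network(fortigate_subnet, strict=True))
```

A key that is absent from the pasted text is reported with a found value of `None`; FortiOS omits default values from `show` output, so paste the output of `show full-configuration` for the two sections.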


