FortiGate - Student Guide
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names
herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names
may be trademarks of their respective owners. Copyright 2002 - 2014 Fortinet, Inc. All rights reserved.
Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may
be reproduced in any form or by any means or used to make any derivative such as translation,
transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States
Copyright Act of 1976.
Table of Contents
VIRTUAL LAB BASICS .................................................................................. 7
Logging into the Virtual Lab ................................................................................................. 7
Transferring files to the VM .......................................................................................................................... 12
Using HTML instead of Java ........................................................................................................................ 12
International keyboards ................................................................................................................................ 13
Topology .............................................................................................................................. 14
Troubleshooting Tips ........................................................................................................... 14
MODULE 1 ................................................................................................... 16
Lab 1: Initial Setup and Configuration .................................................................................. 16
Objectives .................................................................................................................................................... 16
Time to Complete......................................................................................................................................... 16
Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices ........... 17
Exercise 2 Exploring the Command Line Interface ..................................................................................... 19
Exercise 3 Restoring Configuration Devices ............................................................................................... 21
Exercise 4 Performing Configuration Backups ............................................................................................ 23
MODULE 2 ................................................................................................... 28
Lab 1: Status Monitor and Event Log................................................................................... 28
Objectives .................................................................................................................................................... 28
Time to Complete......................................................................................................................................... 28
Exercise 1 Exploring the GUI Status Monitor .............................................................................................. 29
Exercise 2 Event Log and Logging Options ................................................................................................ 31
MODULE 3 ................................................................................................... 36
MODULE 4 ................................................................................................... 52
Lab 1: User Authentication .................................................................................................. 52
Objectives .................................................................................................................................................... 52
Time to Complete......................................................................................................................................... 52
Exercise 1 Identity-based Firewall Policy .................................................................................................... 53
MODULE 5 ................................................................................................... 55
Lab 1: SSL VPN................................................................................................................... 55
Objectives .................................................................................................................................................... 55
Time to Complete......................................................................................................................................... 55
Exercise 1 Configuring SSL VPN for Web Access ...................................................................................... 56
Exercise 2 Configuring SSL VPN for Tunnel Mode ..................................................................................... 59
MODULE 6 ................................................................................................... 62
Lab 1: IPSec VPN ................................................................................................................ 62
Objectives .................................................................................................................................................... 62
Time to Complete......................................................................................................................................... 62
Exercise 1 Site to Site IPsec VPN............................................................................................................... 63
MODULE 7 ................................................................................................... 66
Lab 1: Antivirus Scanning .................................................................................................... 66
Objectives .................................................................................................................................................... 66
Time to Complete......................................................................................................................................... 66
MODULE 8 ................................................................................................... 70
Lab 1: Email Filtering ........................................................................................................... 70
Objectives .................................................................................................................................................... 70
Time to Complete......................................................................................................................................... 70
Exercise 1 Configuring FortiGuard AntiSpam ............................................................................................. 71
MODULE 9 ................................................................................................... 73
Lab 1: Web Filtering............................................................................................................. 73
Lab Objectives ............................................................................................................................................. 73
Time to Complete......................................................................................................................................... 73
Exercise 1 FortiGuard Web Filtering ........................................................................................................... 74
MODULE 10 ................................................................................................. 78
Lab 1: Application Identification ........................................................................................... 78
Objectives .................................................................................................................................................... 78
Time to Complete......................................................................................................................................... 78
Exercise 1 Creating an Application Control List .......................................................................................... 79
compatibility of your computer with the virtual lab environment's software. It can also diagnose
problems with the Java Virtual Machine, company firewall, or proxy server.
Use the URL for your location.
North America/South America:
http://truelab.hatsize.com/syscheck
Europe/Middle East/Africa:
http://truelab.hatsize.com/syscheck/frankfurt/
Asia/Pacific:
http://truelab.hatsize.com/syscheck/singapore/
If a security confirmation dialog appears, click Run.
If your computer successfully connects to the virtual lab, the "Status" field will display "SUCCESS".
Continue to the next step.
If "FAILED" appears, read the messages to identify the problem. For help fixing problems, either click
the link for the troubleshooter or ask your trainer.
2. With the user name and password that your trainer provides, log into the URL for the virtual lab.
Either:
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
3. Select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.
4. Select a screen resolution for the virtual lab's Java applet, then click Open.
A list of virtual machines that exist in the virtual lab will appear. Your trainer can describe each of the
virtual machines in the lab.
From this page, you can access the console of any of your virtual devices by either clicking on the
device's square, or selecting System > Open.
5. Click K1-Windows to open a connection to that server.
A new Java applet window should open within a few seconds. (By default, the web page uses Java to
connect to each VM's console. If this fails, you may need to change browser settings to allow Java to
run on this web site.) Depending on the virtual machine, the applet provides access to either the GUI
or a text-based CLI. Connections to Windows machines use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will
connect to this VM.
Note: If your computer's connection with the virtual Windows server times out or if you are
accidentally disconnected, you can regain access by returning to your browser and
opening the Java applet again.
When connecting to a VM, your browser will then open a display in a new window or tab.
International keyboards
If special characters in your preferred language don't display correctly, the keyboard mappings may
not be correct. To solve this, you can copy and paste between your computer and the Java applet.
Alternatively, you can use an on-screen keyboard. To do this, click the keyboard icon at the top of the
applet window.
Topology
The network diagram below shows the configuration of your virtual environment.
Troubleshooting Tips
Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or WiFi. For best performance, use a stable
broadband connection such as a LAN.
Do not disable or block Java applets. On Mac OS X, since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On Windows,
if the Java applet is allowed and successfully downloads, but does not appear to launch, you can
open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and
change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.
Prepare your computer's settings:
o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go
to sleep or hibernate
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message similar to
the one shown below, the VM is waiting for a response from the authentication server.
Module 1
Lab 1: Initial Setup and Configuration
This first lab provides an initial orientation to the CLI and administrative GUI and guides the student
through the basic setup of a FortiGate. It demonstrates how to properly back up and restore a
configuration file, as well as how to manage administrative access to a FortiGate unit.
If during the labs, particularly when reloading configuration files, you see a message similar to the one
shown below, go to the console and enter the CLI command execute update-now.
This message indicates that the FortiGate VM is waiting for a response from the authentication server.
The execute update-now command will resend the request and force a response.
Objectives
Time to Complete
Estimated: 15 minutes
config system interface
edit port4
set ip 10.200.3.1/24
set allowaccess http ping
end
7. Next, check the route configuration by executing the following command:
show router static
If there is no static route configured on port4, execute the commands shown below to set this static
route. (Routing will be explained in more detail in a later section.)
config router static
edit 0
set device port4
set gateway 10.200.3.254
end
8. You can enter the following commands to check your configuration:
show system interface
show router static
At this stage, you will not be able to connect to the remote FortiGate device until you have configured
your student FortiGate device with routing information and a firewall policy to allow that management
traffic. This configuration will be added later.
execute ?
8. Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
config enters configuration mode, while show displays the configuration. The default behavior of
show is to display only the settings that differ from the factory-default configuration; show
full-configuration displays every setting, defaults included.
9. Enter the CLI commands shown below to display the FortiGate unit's internal interface configuration
settings and compare the output for each of them.
Only the characters shown in bold typeface need to be typed, optionally followed by <tab> to
complete the command keyword. Use this technique to reduce the number of keystrokes needed to
enter information. CLI commands can be entered in abbreviated form as long as enough characters
are entered to ensure the uniqueness of the command keyword.
show system interface port3
show full-configuration system interface port3
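To make the uniqueness rule concrete, here is an added Python illustration (not FortiOS code and not part of this guide) that expands abbreviated keywords against a small, constructed command tree. COMMAND_TREE is an assumed subset of the real command tree, so a prefix that is unique here may still be ambiguous on an actual FortiGate.

```python
# Added illustration, not FortiOS code: how unique-prefix abbreviation of CLI keywords
# works. COMMAND_TREE is an abridged, constructed subset of the command tree; the real
# one is far larger, so a prefix that is unique here may be ambiguous on a FortiGate.
COMMAND_TREE = {
    "config": {
        "system": {"interface": {}, "settings": {}, "admin": {}},
        "router": {"static": {}},
        "firewall": {"policy": {}},
    },
    "show": {
        "full-configuration": {"system": {"interface": {}}},
        "system": {"interface": {}, "admin": {}, "accprofile": {}},
        "router": {"static": {}},
        "user": {"device": {}},
    },
    "get": {"system": {"session": {"list": {}}, "status": {}}},
    "diagnose": {
        "sys": {"session": {"clear": {}, "list": {}}},
        "debug": {"enable": {}, "flow": {}},
        "user": {"device": {"list": {}, "clear": {}}},
    },
    "execute": {"update-now": {}, "ping": {}},
    "exit": {},
    "end": {},
}

def expand_keyword(abbrev, candidates):
    """Return the keyword in `candidates` that `abbrev` identifies uniquely.

    An exact keyword always wins; otherwise the abbreviation is accepted only when
    exactly one keyword starts with it, which is the uniqueness rule the text describes."""
    if abbrev in candidates:
        return abbrev
    matches = [k for k in candidates if k.startswith(abbrev)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown keyword '{abbrev}'")
    raise ValueError(f"'{abbrev}' is ambiguous: {', '.join(sorted(matches))}")

def expand_line(line, tree=COMMAND_TREE):
    """Expand every abbreviated keyword in a CLI line; trailing arguments pass through."""
    node, out = tree, []
    for token in line.split():
        if not node:                # past the last keyword: interface names, values, ...
            out.append(token)
            continue
        word = expand_keyword(token, node)
        out.append(word)
        node = node[word]
    return " ".join(out)

def minimal_prefix(keyword, candidates):
    """Fewest characters that still identify `keyword` among its sibling keywords."""
    for n in range(1, len(keyword) + 1):
        try:
            if expand_keyword(keyword[:n], candidates) == keyword:
                return keyword[:n]
        except ValueError:
            continue
    return keyword

if __name__ == "__main__":
    print(expand_line("sh full sys int port3"))
    print(expand_line("conf route static"))
    print(minimal_prefix("execute", COMMAND_TREE), minimal_prefix("exit", COMMAND_TREE))
```

expand_line("sh full sys int") returns "show full-configuration system interface", whereas expand_line("ex update-now") raises, because both execute and exit start with ex; the abbreviation has to reach exe or exi before it is unique.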
3. Browse the Desktop and navigate to the Resources > Module1 > Student folder.
Go to Router > Static > Static Route and check your default route.
5. Next, perform the following steps on the student FortiGate to verify the DNS configuration settings for
the student and remote FortiGate devices. These DNS settings have been added to simplify access to
the lab devices.
Go to System > Network > DNS Server and review the student and remote DNS zones.
In the student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for the student
FortiGate device (10.0.1.254) and the Windows Server (10.0.1.10).
In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for the
Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
6. From a DOS command prompt on the virtual Windows Server, execute the following commands to
verify the DNS lookup functionality. DNS requests are being sent to port3, and recursive DNS requests
are allowed on this interface.
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254
Note: The parameters of the nslookup command are:
nslookup [-option] [hostname] [server]
7. In a web browser on the virtual Windows Server, connect to the following web pages to verify that the
GUI of the student and remote FortiGate devices can be accessed using their DNS hostnames:
http://fgt.student.lab
http://fgt.remote.lab
3. Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the
encrypted configuration file to the Desktop with the filename student-initial-enc.conf. (You may need to
modify the web browser's settings to prompt for the location to save files. For Firefox, go to Tools >
Options > General and select Always ask me where to save files.)
Caution: When backing up the FortiGate units configuration, be sure to use a
naming convention that you understand and which identifies both the date and the
device information. Every time that you log in and make changes to your device
(even if the change seems minor or insignificant), you should ALWAYS make a
backup of the configuration file. This will always be the best form of protection
against problems.
4. Next, try restoring the encrypted configuration file. Browse the Desktop, navigate to the file student-initial-enc.conf and click Restore.
This time you will need to enter the password fortinet as this file is encrypted.
5. Using WordPad or Notepad++, open the file student-initial.conf. In another instance of WordPad,
open the file student-initial-enc.conf and compare the details in both.
Note: In both the normal and encrypted configuration the top of the file
acts as a header, describing the firmware and model information this
configuration belongs to.
Objectives
Time to Complete
Estimated: 10 minutes
Enable
Must Contain: 1 Upper Case Letter, 1 Numerical Digit
Enable Password Expiration: Enable (90 days)
Once the settings have been modified, click Apply to save the changes.
2. Log out of the GUI, then log in again and you will be prompted to enter a new administrator password.
Enter a new password that meets the requirements configured above.
3. Next, go to System > Admin > Admin Profile and create a new Admin profile called
Security_Admin_Profile. Set Security Profile Configuration to Read-Write and set all other permissions
to Read Only.
Once the profile settings have been modified, click OK to save the changes.
4. Go to System > Admin > Administrators and click Create New to add a new Admin user called
Security_Admin. Set Admin Profile to the new profile you created in the previous step.
By doing this, you are limiting this administrator's access so that they will only be able to modify and
create security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot
include the < > ( ) # characters in an administrator name or password.
Spaces are allowed, but not as the first or last character. Spaces in a name or
password can be confusing and require the use of quotes to enter the name
in the CLI.
Once the administrative user settings have been entered, click OK to save the changes.
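The password rules from step 1 and the naming restrictions in the note above, written out as checks you can run before submitting the GUI form, as an added Python example that is not part of this guide and not Fortinet code. The expiry function assumes the 90-day limit is inclusive (expired on the day the age reaches 90), which the page does not state.

```python
from datetime import date

# Added example, not Fortinet code: the password-policy settings from this exercise
# (1 upper-case letter, 1 numerical digit, 90-day expiry) and the naming rules from
# the note, expressed as checks that run before you submit the form.

FORBIDDEN_CHARS = set("<>()#")   # not allowed in administrator names or passwords
MAX_PASSWORD_AGE_DAYS = 90       # Enable Password Expiration: 90 days

def _common_problems(value, what):
    """Rules shared by names and passwords: no forbidden characters, no leading
    or trailing space (spaces elsewhere are allowed)."""
    problems = []
    if not value:
        problems.append(f"{what} is empty")
        return problems
    bad = sorted(FORBIDDEN_CHARS & set(value))
    if bad:
        problems.append(f"{what} contains forbidden character(s): {' '.join(bad)}")
    if value[0] == " " or value[-1] == " ":
        problems.append(f"{what} must not start or end with a space")
    return problems

def check_admin_name(name):
    """Return the rule violations for an administrator name (empty list = OK)."""
    return _common_problems(name, "name")

def check_password(password, require_upper=True, require_digit=True):
    """Return the rule violations for a password under the lab's policy."""
    problems = _common_problems(password, "password")
    if require_upper and not any(c.isupper() for c in password):
        problems.append("password must contain at least 1 upper case letter")
    if require_digit and not any(c.isdigit() for c in password):
        problems.append("password must contain at least 1 numerical digit")
    return problems

def password_expired(last_changed, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """True once the password is max_age_days old. Assumption: the limit is
    inclusive; the page does not say on which day expiry takes effect."""
    return (today - last_changed).days >= max_age_days

def cli_name(name):
    """Quote a name for the CLI when it contains spaces, as the note requires."""
    return f'"{name}"' if " " in name else name

if __name__ == "__main__":
    print(check_password("fortinet"))      # the lab login password fails the policy
    print(check_password("Fortinet1"))     # [] -> acceptable
    print(check_admin_name("adm<in"), cli_name("Security Admin"))
```

check_password("fortinet") reports both missing-character rules, which is why step 2 prompts for a new password once the policy is applied; names and passwords remain case-sensitive, so the checks deliberately do not lower-case anything.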
5. To view the configuration for administrative users and profiles, type the following CLI commands:
show system admin
show system accprofile
6. Log out of the GUI on the student FortiGate device. Log in again as the Security_Admin user
created earlier.
7. Test this administrator's access by attempting to create or modify various settings on the Student
FortiGate device. You should observe that this admin user is only able to configure settings under
Security Profiles.
For convenience in the labs, the admin password will not be set in the configuration files used in the
subsequent modules.
Module 2
Lab 1: Status Monitor and Event Log
The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.
Objectives
Time to Complete
Estimated: 10 minutes
If not already added, click the Sessions History widget from the pop-up window to add it to the
dashboard.
Close the widget list window.
3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom
widget.
View Type:
Historical
Time Period:
Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of past CPU
and memory usage.
FortiGate Multi-Threat Security and Systems I
The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
4. The Alert Message Console widget displays recent system events, such as system restart and firmware
upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to view the
entire message list.
Objectives
Time to Complete
Estimated: 10 minutes
tail -f /var/log/fortinet
5. Leave the SSH window open and return to the student FortiGate device and generate some log entries
by doing the following:
6. From the GUI on the Student FortiGate device, go to System > Config > SNMP to enable SNMP
monitoring. Select Enable for the SNMP Agent, then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password to
fortinet.
Click OK.
8. Go to System > Network > Interface and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first then click OK to save
the changes.
9. Leave the SSH window open that is currently running the tail command and run putty again to open
a new SSH connection to the LINUX host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring options that a
device presents through SNMP:
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make it easier to view the information available, you may also append >snmp.test to the command
entered above. This will save the output to a file named snmp.test. Enter the command view
snmp.test to view the output file.
Module 3
Lab 1: Firewall Policy
The aim of this lab is for students to work with firewall policies and examine the FortiGate unit behavior
when policies are re-ordered.
Objectives
Time to Complete
Estimated: 20 minutes
STUDENT_INTERNAL
Type:
Subnet
Subnet/IP Range:
10.0.1.0/255.255.255.0
Interface:
Any
Once the settings have been entered, click OK to save the changes.
3. The unrestricted port3port1 policy will need to be temporarily disabled in the policy list. To do this, go
to Policy > Policy > Policy, right-click the unrestricted port3port1 policy and select Status > Disable.
4. Next click Create New to add a new firewall policy to provide general Internet access from the internal
network. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH (Hold down the CTRL-key to select multiple services.)
Action: ACCEPT
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Comments: General Internet access
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore,
a firewall policy only needs to be created for the direction of the originating traffic.
Once the policy settings have been entered, click OK to save the changes.
5. From the virtual Windows Server desktop, open a web browser and connect to various external web
servers.
6. From the CLI, enter the following command to see the source NAT action.
#get system session list
Sample Output:
PROTO  EXPIRE  SOURCE          SOURCE-NAT        DESTINATION        DESTINATION-NAT
tcp    3600    10.0.1.10:3677  -                 10.0.1.254:22      -
tcp    3587    10.0.1.10:3717  10.200.1.1:64133  72.30.38.140:80    -
tcp    3570    10.0.1.10:3681  10.200.1.1:64097  69.171.228.70:80   -
tcp    3577    10.0.1.10:3710  10.200.1.1:64126  74.125.228.92:80   -
tcp    3587    10.0.1.10:3708  10.200.1.1:64124  74.125.228.92:80   -
tcp    3587    10.0.1.10:3706  10.200.1.1:64122  66.94.245.1:80     -
tcp    2274    10.0.1.10:3608  10.200.1.1:64024  10.200.1.254:22    -
tcp    3587    10.0.1.10:3712  10.200.1.1:64128  80.239.217.66:80   -
tcp    3566    10.0.1.10:3679  10.200.1.1:64095  74.125.227.24:80   -
Note that the new source address being applied is that of the destination interface port1(10.200.1.1).
2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows.
ping -t 10.200.1.254
Provided you have not changed the rule ordering, the ping should still work as it matches the ACCEPT
policy and not the DENY policy just created. This demonstrates the behavior of policy ordering. The
second policy was never checked because the traffic matched the first policy. Leave this window open
and perform the next step.
3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click any of the
column headings. Select Column Settings > ID. Move this column accordingly for easier viewing. By
default only the sequence number of the firewall policy is displayed in the GUI.
4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it
before the General Internet access policy.
5. Return to the Windows Server and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked and the replies appear as
Request timed out. Enter CTRL-C to end the ping command.
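An added Python model (not FortiOS code and not part of this guide) of what steps 2 to 5 demonstrate: an ordered policy list evaluated top down, where the first matching policy decides, plus a session table so that an already-admitted flow keeps its decision until the table is cleared, the behaviour the guide describes for stateful sessions. The packet fields and session keying are assumptions of the model; the two policies mirror the lab's General Internet access and DENY policies. The same first-match rule is why, later in this module, the captive-portal sub-policy has to sit last in the device policy.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration, not FortiOS code: an ordered, first-match policy table with a
# session cache. The packet model and session key are assumptions; the policies
# mirror the lab (General Internet access, then a DENY for ping to the port1 gateway).

# Services used in the lab, mapped to (protocol, destination port); None = any port.
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53),
    "SSH": ("tcp", 22), "FTP": ("tcp", 21), "ALL_ICMP": ("icmp", None),
}

def _net(addr):
    return ipaddress.ip_network("0.0.0.0/0" if addr == "all" else addr)

@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str      # CIDR, or "all"
    dstaddr: str
    services: tuple
    action: str       # "ACCEPT" or "DENY"
    comment: str = ""

    def matches(self, pkt):
        if (pkt["srcintf"], pkt["dstintf"]) != (self.srcintf, self.dstintf):
            return False
        if ipaddress.ip_address(pkt["src"]) not in _net(self.srcaddr):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in _net(self.dstaddr):
            return False
        return any(SERVICES[s][0] == pkt["proto"] and SERVICES[s][1] in (None, pkt["dport"])
                   for s in self.services)

class Firewall:
    def __init__(self, policies):
        self.policies = list(policies)  # list order is the evaluation order (Seq.#)
        self.sessions = {}              # 5-tuple -> id of the policy that admitted it

    def lookup(self, pkt):
        """Return (policy_id, action); 0 is the implicit deny at the end of the list.
        A packet belonging to an existing session reuses that session's decision."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.sessions:
            pid = self.sessions[key]
            return pid, self._policy(pid).action
        for pol in self.policies:        # top-down: the first match decides
            if pol.matches(pkt):
                if pol.action == "ACCEPT":
                    self.sessions[key] = pol.policy_id
                return pol.policy_id, pol.action
        return 0, "DENY"

    def move_before(self, policy_id, before_id):
        """Reorder like the GUI drag-and-drop: place policy_id above before_id."""
        pol = self._policy(policy_id)
        self.policies.remove(pol)
        idx = next(i for i, p in enumerate(self.policies) if p.policy_id == before_id)
        self.policies.insert(idx, pol)

    def clear_sessions(self):
        """What 'diag sys session clear' does in this model."""
        self.sessions.clear()

    def _policy(self, pid):
        return next(p for p in self.policies if p.policy_id == pid)

def lab_firewall():
    return Firewall([
        Policy(1, "port3", "port1", "10.0.1.0/24", "all",
               ("HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"), "ACCEPT", "General Internet access"),
        Policy(2, "port3", "port1", "10.0.1.0/24", "10.200.1.254/32",
               ("ALL_ICMP",), "DENY", "Block ping to port1 gateway"),
    ])

def ping_demo():
    """Decisions for the continuous ping: before reordering, after reordering while the
    old session is still in the table, and after the session table is cleared."""
    fw = lab_firewall()
    ping = {"srcintf": "port3", "dstintf": "port1", "src": "10.0.1.10", "sport": None,
            "dst": "10.200.1.254", "proto": "icmp", "dport": None}
    before = fw.lookup(ping)     # DENY sits below ACCEPT, so it is never consulted
    fw.move_before(2, 1)
    stale = fw.lookup(ping)      # the existing session keeps its original policy
    fw.clear_sessions()
    after = fw.lookup(ping)      # a fresh lookup now hits the DENY first
    return before, stale, after

if __name__ == "__main__":
    print(ping_demo())   # ((1, 'ACCEPT'), (1, 'ACCEPT'), (2, 'DENY'))
```

Traffic that the DENY policy does not describe (web browsing, for instance) still reaches the ACCEPT policy after the reorder, and anything no policy matches falls through to the implicit deny; the model reports the latter as policy id 0.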
3. The firewall is stateful so any existing sessions will not use this new firewall policy until they time out or
are cleared. The sessions can be cleared individually from the session widget on the Status page or
from the CLI by executing the following:
diag sys session clear
4. Connect to the console of the remote Windows host. (From the virtual lab applet, go to Operations >
Connect to Secondary > WinXP to connect to the console of your WINXP host.)
On the WinXP desktop, open a web browser and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful, a simple web page appears displaying the message
"It works!".
5. From the CLI on the Student FortiGate device, check the destination NAT entries in the session
table by using the following command:
PROTO  EXPIRE  SOURCE            SOURCE-NAT  DESTINATION      DESTINATION-NAT
       3537    10.200.3.1:62426  -           10.200.1.200:80  10.0.1.10:80
6. On the virtual Windows Server desktop open a web browser and connect to a few external web sites.
Now examine the session information again as follows:
#get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE          SOURCE-NAT          DESTINATION          DESTINATION-NAT
tcp    3591    10.0.1.10:3995  10.200.1.200:3995   66.94.241.1:80       -
tcp    3590    10.0.1.10:3977  10.200.1.200:3977   72.30.38.140:80      -
tcp    3553    10.0.1.10:3965  10.200.1.200:3965   184.150.187.83:80    -
tcp    3592    10.0.1.10:3998  10.200.1.200:3998   74.125.228.92:80     -
tcp    3584    10.0.1.10:3969  10.200.1.200:3969   69.171.237.16:80     -
tcp    3596    10.0.1.10:4001  10.200.1.200:4001   208.91.113.80:80     -
tcp    3590    10.0.1.10:3983  10.200.1.200:3983   216.115.100.102:80   -
tcp    3590    10.0.1.10:3979  10.200.1.200:3979   216.115.100.103:80   -
tcp    3590    10.0.1.10:3987  10.200.1.200:3987   216.115.100.102:80   -
tcp    3590    10.0.1.10:3981  10.200.1.200:3981   216.115.100.103:80   -
tcp    3590    10.0.1.10:3985  10.200.1.200:3985   216.115.100.102:80   -
tcp    1013    10.0.1.10:3608  10.200.1.1:64024    10.200.1.254:22      -
tcp    3589    10.0.1.10:3976  10.200.1.200:3976   72.30.38.140:80      -
tcp    3591    10.0.1.10:3996  10.200.1.200:3996   184.150.187.99:80    -
tcp    3554    10.0.1.10:3967  10.200.1.200:3967   74.125.228.65:80     -
tcp    3590    10.0.1.10:3990  10.200.1.200:3990   216.115.100.103:80   -
tcp    3591    10.0.1.10:3978  10.200.1.200:3978   216.115.100.103:80   -
tcp    3590    10.0.1.10:3980  10.200.1.200:3980   216.115.100.103:80   -
Note that the outgoing connections from the Windows Server are now being NATed with the VIP
address as opposed to the firewall address. This is a behavior of the static NAT (SNAT) VIP. That is,
when SNAT is enabled on a policy, a VIP static NAT takes priority over the destination interface IP
address.
4. The firewall does stateful inspection so any existing sessions will not use this new firewall policy until
they time out or are cleared. The sessions can be cleared individually from the session widget on the
status page or from the CLI by executing the following:
diag sys session clear
5. Connect to a few external web sites and then examine the session table to check the source NAT
used. From the CLI on the Student FortiGate device enter the following command to verify the
source NAT IP address:
# get system session list
Sample Output:
STUDENT # get system session list
PROTO  EXPIRE  SOURCE          SOURCE-NAT           DESTINATION          DESTINATION-NAT
tcp    3599    10.0.1.10:3963  10.200.1.100:64379   74.125.225.126:443   -
tcp    3599    10.0.1.10:3961  10.200.1.100:64377   74.125.225.111:443   -
tcp    3552    10.0.1.10:3953  10.200.1.100:64369   76.74.133.167:80     -
tcp    3597    10.0.1.10:3956  10.200.1.100:64372   74.125.225.118:80    -
tcp    3597    10.0.1.10:3954  10.200.1.100:64370   74.125.225.117:80    -
tcp    3598    10.0.1.10:3959  10.200.1.100:64375   199.7.57.72:80       -
tcp    16      10.0.1.10:3948  10.200.1.100:64364   66.36.238.121:22     -
tcp    3598    10.0.1.10:3958  10.200.1.100:64374   209.85.225.84:443    -
tcp    3599    10.0.1.10:3962  10.200.1.100:64378   74.125.225.99:443    -
tcp            10.0.1.10:3960  10.200.1.100:64376   98.139.200.238:80    -
tcp    3597    10.0.1.10:3955  10.200.1.100:64371   74.125.225.118:80    -
Observe that the source NAT address is now 10.200.1.100 as configured in the VIP pool, therefore
the order of precedence is IP Pool > Static-NAT VIP > Destination Interface.
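An added Python example (not FortiOS code and not part of this guide) that parses rows laid out like the get system session list output shown in this module, labels which configuration object supplied each translated address, and predicts the source-NAT address using the precedence stated above. The sample rows are constructed from values in the three outputs above rather than captured live, and NAT_CONFIG is the lab addressing (port1 10.200.1.1, VIP 10.200.1.200 mapped to 10.0.1.10, IP pool 10.200.1.100).

```python
# Added example, not FortiOS code: parse the layout of 'get system session list' and
# name which rule produced each translated address. Sample rows are constructed from
# the values in the three outputs above, not a live capture.

SESSION_LIST = """\
PROTO  EXPIRE  SOURCE            SOURCE-NAT          DESTINATION         DESTINATION-NAT
tcp    3587    10.0.1.10:3717    10.200.1.1:64133    72.30.38.140:80     -
tcp    3600    10.0.1.10:3677    -                   10.0.1.254:22       -
tcp    3537    10.200.3.1:62426  -                   10.200.1.200:80     10.0.1.10:80
tcp    3591    10.0.1.10:3995    10.200.1.200:3995   66.94.241.1:80      -
tcp    3599    10.0.1.10:3963    10.200.1.100:64379  74.125.225.126:443  -
"""

# Lab addressing as used on the page.
NAT_CONFIG = {
    "interface_ips": {"port1": "10.200.1.1"},
    "vip_static_nat": {"10.200.1.200": "10.0.1.10"},  # external address -> mapped address
    "ippool": {"10.200.1.100"},
}

def parse_session_list(text):
    """Turn the six whitespace-separated columns into dicts (header row skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        proto, expire, src, snat, dst, dnat = line.split()
        rows.append({"proto": proto, "expire": int(expire), "src": src,
                     "snat": snat, "dst": dst, "dnat": dnat})
    return rows

def _ip(addr_port):
    return addr_port.rsplit(":", 1)[0]

def classify_snat(row, cfg):
    """Which configuration object supplied the source-NAT address of a session."""
    if row["snat"] == "-":
        return "none"
    ip = _ip(row["snat"])
    if ip in cfg["ippool"]:
        return "ip-pool"
    if cfg["vip_static_nat"].get(ip) == _ip(row["src"]):
        return "static-nat-vip"
    if ip in cfg["interface_ips"].values():
        return "destination-interface"
    return "unknown"

def classify_dnat(row, cfg):
    """Inbound sessions to a VIP show the mapped address in DESTINATION-NAT."""
    if row["dnat"] == "-":
        return "none"
    if cfg["vip_static_nat"].get(_ip(row["dst"])) == _ip(row["dnat"]):
        return "static-nat-vip"
    return "unknown"

def expected_snat(src_ip, dstintf, cfg, policy_ippool=None):
    """Predict the source-NAT address using the precedence the guide states:
    IP Pool > Static-NAT VIP > Destination Interface address."""
    if policy_ippool is not None:
        if policy_ippool not in cfg["ippool"]:
            raise ValueError(f"{policy_ippool} is not a configured IP pool")
        return policy_ippool
    for external, mapped in cfg["vip_static_nat"].items():
        if mapped == src_ip:
            return external
    return cfg["interface_ips"][dstintf]

def audit(text, cfg):
    """List (source, translated source, rule) for every session in the output."""
    return [(r["src"], r["snat"], classify_snat(r, cfg)) for r in parse_session_list(text)]

if __name__ == "__main__":
    for entry in audit(SESSION_LIST, NAT_CONFIG):
        print(*entry)
```

Running audit over the constructed rows labels the first row destination-interface, the fourth static-nat-vip and the fifth ip-pool, which is the progression the three exercises produced; expected_snat lets you state, before changing a policy, which address the session table should show afterwards.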
Objectives
Time to Complete
Estimated: 5 minutes
Objectives
Time to Complete
Estimated: 10 minutes
Policy Type: Firewall
Policy Subtype: Device Identity
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port2
Enable NAT: Enabled. Select Use Destination Interface Address.
3. Next click Create New under Configure Authentication Rules and create the following sub-policies:
Sub-policy 1:
Destination Address: all
Device: Windows PC
Schedule: always
Service: HTTP
Action: Accept
Click OK.
Sub-policy 2:
Destination Address: all
Device: Collected Emails
Schedule: always
Service: HTTP, HTTPS, ALL_ICMP, SSH, SMTP, POP3, FTP (Hold down the CTRL-key to select multiple services.)
Action: ACCEPT
Click OK.
4. Under Device Policy Options enable Prompt E-mail Collection Portal for all devices as follows:
Once you have configured all the above policy settings, click OK to save the changes.
5. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the sub-policy
list because this rule should only be matched if the device has not already been identified.
In this example, the first web traffic from the client matches the email captive portal rule. The
subsequent traffic matches the collected email device object as we now have this information.
6. Check the device policy and sub-policies.
Click OK.
7. Test the device policy on the Student FortiGate device. First execute the following CLI commands to
disable the email DNS check for the captive portal. (This step is required for the purposes of this lab.)
config system settings
set email-portal-check-dns disable
end
8. From your web browser, connect to: http://10.200.1.254
The portal should appear. Accept the conditions and enter your email address when prompted.
FortiGate should now redirect you to the web site.
9. From the CLI, use debug flow to examine the traffic:
diag debug flow filter addr 10.200.1.254
diag debug flow show func en
diag debug flow show cons en
diag debug enable
diag debug flow trace start 20
10. Go to User & Device > Device > Device Definition and check the new device.
This is a dynamic device. FortiGate may update and store its list of devices in flash to speed up
detection.
diag user device list
11. Clear the device from the CLI:
diag user device clear
12. Reload the web page. You should observe that you are redirected to the email portal again. Accept the
conditions and enter your email address.
13. Perform a show from the CLI to confirm there are no devices in the configuration file.
show user device
14. From the GUI, go to User & Device > Device > Device Definition and edit your device from the device
list. Add an alias called myDevice. This creates a static device in the configuration file.
Once you have the alias entered, click OK to save the change.
Perform the following show command to confirm that the device now appears in the configuration file.
show user device
15. Go to User & Device > Device > Device Group. Note that your device is already a member of several
predefined device groups.
Click Create New and add a new device group called myDevGroup.
Next, add myDevice to the Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the custom
group myDevGroup.
16. From a command prompt on the virtual Windows host, open an FTP connection to: 10.200.1.254
Once you have connected, close the FTP connection.
17. Now add a sub-policy to your firewall device policy blocking FTP.
Edit the device policy and create the following sub-policy:
Sub-policy 3:
Destination: LINUX_ETH1
Device: myDevGroup
Schedule: always
Service: FTP
Action: Deny
Log Violation Traffic: Enable
Click OK.
18. Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.
19. From your PC test that you can open an FTP connection to ftp://10.200.1.254
Module 4
Lab 1: User Authentication
The aim of this lab is to introduce students to user authentication management on the FortiGate unit.
Objectives
Time to Complete
Estimated: 20 minutes
9. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate
unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful using this command on a live FortiGate as it will clear
ALL authenticated users.
Module 5
Lab 1: SSL VPN
The aim of this lab is for students to work with and manage user groups and portals for the SSL VPN.
Objectives
Time to Complete
Estimated: 30 minutes
You will notice that this rule contains many settings including Groups(s), User(s), Schedule, Service
and SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy.
In an upcoming exercise, we will be adding on to this policy to allow tunnel access.
3. To observe the effect of this policy you will now access the SSL VPN. On the virtual external Windows
XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL:
https://10.200.1.1.
Accept the security warnings for the self-signed certificate and log in using the following credentials:
Username: student
Password: F0rtinet
You should notice that you are successfully able to log in however, the web portal is currently in
default settings. We will now configure the web-access portal which is selected in the SSL VPN
policy. Log out and return to the virtual Windows Server host.
4. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right hand corner, select
web-access to edit this portal. Verify that Include Bookmarks is selected and then in the table
shown, create the following bookmarks for the internal server.
Bookmark for HTTP:
Category: Test
Name: HTTP/HTTPS
Type: HTTP/HTTPS
Location: 10.0.1.10
Click OK.
Bookmark for RDP:
Category: Test
Name: RDP
Type: RDP
Location: 10.0.1.10
Click OK.
Modify the Portal Message with a message of your choice then click Apply to save all the changes.
Select View Portal to review your changes.
5. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to:
https://10.200.1.1
You should now observe that you have two book marks listed.
6. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how the web
access functions.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL
VPN gateway: https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN
HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from
the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection to the final
destination from the HTTP proxy is in clear text.
7. Return to the virtual Windows Server device and from the GUI on the Student FortiGate device, go
to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection.
Note the User, Source IP and Begin Time.
8. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the SSL
tunnel established message.
9. From the external Windows XP host, log out of the SSL VPN connection. Return to the log and look
for the SSL tunnel shutdown message.
training
Schedule: always
SSL-VPN Portal: full-access
Username: student
Password: F0rtinet
You should see the same portal as in the previous exercise. Why?
The training user group is associated with both sub-policies; therefore the first matching sub-policy, the one using the web-access portal, is applied.
You could move the rule so that the rule for the full-access portal is first in the list however, this will end
up affecting all users in that group. Instead, edit the sub-rule created in step 1 above and set the user
group to training2.
Click OK to save the rule settings, then click OK again to save the policy changes.
4. In the web browser on the virtual remote Windows XP host, connect to the SSL VPN portal once again
using the URL: https://10.200.1.1. Note that you may need to clear the web browser's cache if the
login window is not displayed.
This time, log in to the SSL VPN using the following credentials:
Username: student2
Password: F0rtinet2
You should now observe that the portal established is the full-access portal.
Note: If using the SSL VPN client available with FortiClient, you do not
need to log in via the portal.
5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes sent and
received incrementing.
6. On the virtual remote Windows host, open a DOS command prompt and perform the following:
ipconfig
Note down your assigned IP address for reference.
Note that the fortissl adapter has an IP address. Where does this IP address come from? Display
the routing information by entering the following command:
route print
Note the low metric routes and observe that there is a route to 10.0.1.10. Where did this come from?
Run a continuous ping to 10.0.1.10 as follows.
ping -t 10.0.1.10
7. From the GUI on the Student FortiGate device go to VPN > Monitor > SSL-VPN Monitor. The SSL-VPN Monitor displays the client connections and the IP allocated to the tunnel connection.
8. In the firewall policy list, examine the Count field to see the packets and bytes per policy. You may
need to reposition this column accordingly for easier viewing.
Notice that there is traffic associated with the incoming rule from the ssl.<vdom name> interface. This
rule is created automatically. This traffic is the incoming traffic from your SSL VPN client.
Where does your assigned address come from?
9. Go to VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access portal.
Within the Enable Tunnel Mode options, note the IP Pool used which refers to a firewall address object.
10. Go to Firewall Objects to look up that firewall address object. What are the values of that object?
The object defines an address range that matches your assigned address, so this is how IP addresses
are configured and assigned to SSL VPN clients.
Where does the route to 10.0.1.10 come from?
HINT: In the policy list, look at the Destination address of the SSL VPN policy.
You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is where
the SSL VPN client route came from.
With this present configuration, the SSL VPN client is split tunneling. This means that only traffic to
the specific destination behind the firewall is tunneled, and all other traffic goes to the default
gateway.
What configuration change would you need to make to give the client a default route into the tunnel?
Disable split tunneling in the full-access portal, which means a default route is pushed to the client.
Module 6
Lab 1: IPSec VPN
The aim of this lab is for students to configure an IPSec VPN on the FortiGate device using both interface-based and policy-based modes.
Objectives
Time to Complete
Estimated: 30 minutes
-t 10.0.2.10
4. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and examine the
tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and the status is
currently up. This is the tunnel that is established to the Remote FortiGate device.
5. From the Student FortiGate device review the firewall policy port3remote. View the Count column so
that you can see the packets and bytes per policy.
Observe that the counter is incrementing for the port3remote policy.
What is the interface remote?
Go to System > Network > Interface and note the blue arrowhead associated with port1. If you expand
this you will be able to see the remote interface and the type for this interface, which is set to Tunnel
Interface.
6. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase
2 IKE objects.
Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec Interface
Mode is selected.
These settings can also be viewed through the CLI as follows:
conf vpn ipsec phase1-interface
show
The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall policy. How
is the traffic getting to this policy?
Traffic arrives at the FortiGate unit on the ingress interface. For new connections, a routing lookup is
performed to select the egress interface and gateway, and then there is a lookup in the firewall policy to
find a matching rule. It is the routing lookup that selects the egress, and therefore, the remote interface
is selected in this case. So a route is driving the traffic to the IPsec interface.
7. Go to Router > Monitor and view the current routing table. You will observe a static route to the
destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy-based VPN, which
we will review next.
Generally, the route-based VPN is the preferred approach however there are a few exceptions where
you would need to use the policy-based VPN. These will be discussed later.
8. Open a web browser on the Windows Server and connect to the GUI on the Remote FortiGate device.
9. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device.
You should observe a tunnel named student with the destination 10.200.1.1 and the Status is up.
This is the tunnel that is established to the Student FortiGate device.
10. Still on the Remote FortiGate device, go to System > Network > Interface and note there is no tunnel
sub-interface for port4.
11. Go to Router > Monitor and view the current routing table. You will observe that there is no route to the
10.0.2.0/24 destination; there is only a default route.
How is the traffic entering the tunnel then?
12. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from
port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24
(STUDENT INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to
allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate device, a static route was sending traffic to the IPSec interface. Here there is
no static route and the traffic is being sent to the tunnel using the policy subtype setting, hence policy-based.
The IPSec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it to the tunnel
student.
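The two lookups described above (route lookup selects the egress interface, then the policy lookup) can be modelled in a few lines. The following Python is an added illustration, not FortiOS code or part of the lab: the routing tables and policies are constructed from the lab text (10.0.1.0/24 behind the Student unit, 10.0.2.0/24 behind the Remote unit, tunnels named remote and student, policies port3remote and port6 to port4), and the default-gateway addresses are placeholders. On the Student side the route itself delivers traffic to the tunnel interface; on the Remote side the egress is a physical port and the policy's IPsec action names the tunnel.

```python
import ipaddress

# Constructed from the lab topology; gateway addresses are placeholders.
STUDENT_ROUTES = [
    ("10.0.2.0/24", "remote", None),        # static route to the IPsec interface
    ("0.0.0.0/0", "port1", "203.0.113.1"),  # constructed default gateway
]
STUDENT_TUNNEL_INTERFACES = {"remote"}      # interface-mode phase1 "remote"
STUDENT_POLICIES = [
    {"name": "port3remote", "srcintf": "port3", "dstintf": "remote",
     "srcaddr": "10.0.1.0/24", "dstaddr": "10.0.2.0/24", "action": "accept"},
]

REMOTE_ROUTES = [
    ("0.0.0.0/0", "port4", "203.0.113.2"),  # constructed: default route only
]
REMOTE_TUNNEL_INTERFACES = set()            # no tunnel sub-interface on port4
REMOTE_POLICIES = [
    {"name": "port6port4", "srcintf": "port6", "dstintf": "port4",
     "srcaddr": "10.0.2.0/24", "dstaddr": "10.0.1.0/24",
     "action": "ipsec", "vpntunnel": "student"},
]


def route_lookup(routes, dst_ip):
    """Longest-prefix match; returns (egress_interface, gateway) or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def policy_lookup(policies, srcintf, dstintf, src_ip, dst_ip):
    """First matching policy on (ingress, egress, source, destination)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for pol in policies:
        if (pol["srcintf"] == srcintf and pol["dstintf"] == dstintf
                and src in ipaddress.ip_network(pol["srcaddr"])
                and dst in ipaddress.ip_network(pol["dstaddr"])):
            return pol
    return None


def forward(routes, tunnel_interfaces, policies, ingress, src_ip, dst_ip):
    """Route lookup first (it selects the egress), then policy lookup."""
    hop = route_lookup(routes, dst_ip)
    if hop is None:
        return {"verdict": "drop", "reason": "no route"}
    egress, _gateway = hop
    pol = policy_lookup(policies, ingress, egress, src_ip, dst_ip)
    if pol is None:
        # No matching policy: implicit deny.
        return {"verdict": "drop", "reason": "no policy", "egress": egress}
    if egress in tunnel_interfaces:
        # Route-based: the route delivered the traffic to the IPsec interface.
        return {"verdict": "tunnel", "mode": "route-based", "tunnel": egress,
                "egress": egress, "policy": pol["name"]}
    if pol["action"] == "ipsec":
        # Policy-based: egress is a physical port; the policy names the tunnel.
        return {"verdict": "tunnel", "mode": "policy-based",
                "tunnel": pol["vpntunnel"], "egress": egress, "policy": pol["name"]}
    return {"verdict": "forward", "egress": egress, "policy": pol["name"]}


if __name__ == "__main__":
    print(forward(STUDENT_ROUTES, STUDENT_TUNNEL_INTERFACES, STUDENT_POLICIES,
                  "port3", "10.0.1.10", "10.0.2.10"))
    print(forward(REMOTE_ROUTES, REMOTE_TUNNEL_INTERFACES, REMOTE_POLICIES,
                  "port6", "10.0.2.10", "10.0.1.10"))
```

The same model shows why the Remote unit has no route to 10.0.2.0/24 yet still tunnels the traffic, and why traffic to any destination not covered by the IPsec policy's destination address hits the implicit deny.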
13. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPSec
configuration. Note the Phase 1 and Phase 2 IKE objects.
These settings can also be viewed through the CLI:
conf vpn ipsec phase1-interface
Module 7
Lab 1: Antivirus Scanning
The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.
Objectives
Time to Complete
Estimated: 30 minutes
The EICAR file is an industry standard used to test antivirus detection. The file contains the following
characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
8. The HTTP virus message is shown when infected files are blocked or have been quarantined. In the
message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the
detected virus.
9. From the GUI on Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
locate the antivirus event messages.
In order to view summary information of the AV activity, add the Advanced Threat Protection Statistics
widget to the Dashboard.
10. On the Eicar web page, click Download ANTI MALWARE TESTFILE and then click the Download link
that appears on the left. This time, select the eicar.com file from the Download area using the secure
SSL enabled protocol HTTPS section.
The download should be successful because we have not enabled SSL inspection.
11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy > Policy >
SSL/SSH Inspection and under SSL Inspection Options, ensure the protocol HTTPS on port 443 is
enabled.
Click Apply.
12. Next, go to Policy > Policy > Policy and edit the policy: port3port1. Under Security Profiles enable
SSL/SSH Inspection by setting this to ON. Click OK.
13. To ensure that there are no existing sessions prior to deep scanning the communication exchange,
connect to the CLI of the Student FortiGate unit and enter the following command:
diag sys session filter dport 443
diag sys session clear
14. Return to the Eicar web page and attempt to download the eicar.com file from the Download area
using the secure SSL enabled protocol HTTPS section.
This time, the download will be blocked by the FortiGate unit and the replacement message will be
displayed. If this is not the case, you may need to clear your recent browsing history as the object
may be cached. In Firefox select History > Clear Recent History > Everything.
15. Go to Security Profiles > Antivirus > Profile and change the Inspection Mode for the default Antivirus
Profile to Flow-based. Click Apply.
Try downloading the eicar.com file again. What happens now when the virus is detected?
Module 8
Lab 1: Email Filtering
The aim of this lab is for students to work with email filtering.
Objectives
Time to Complete
Estimated: 30 minutes
4. By default FortiGuard services are enabled. Go to System > Config > FortiGuard and check the status
of the service. (If you are using the hosted virtual lab environment you will need to change the service
port to UDP 8888).
5. Go to Policy > Policy > Policy and edit the port3port1 outgoing policy. Under Security Profiles, turn
ON Email Filter and ensure that the default email filter profile is selected.
In the steps that follow, you will generate and send test spam emails to your Microsoft Outlook
user@internal.lab inbox. In the classroom lab environment, you will initiate the spam generation using
a script called smtpmboxgen.pl which is provided in the Resources\Module8 folder. Details for using
this script will be provided in the steps that follow.
6. From the Windows server, open a command prompt and change directory to the C:\Documents and
Settings\Administrator\Desktop\Resources\Module8 folder as follows:
CD C:\Documents and Settings\Administrator\Desktop\Resources\Module8
Next run the spam script by entering the following:
smtpmboxgen.pl
7. From your Microsoft Outlook mail client, check the email inbox to review the tagged spam. To view the
corresponding logging events, go to Log & Report > Traffic Log > Forward Log.
8. From the CLI on the Student FortiGate device, execute the following commands to enable Banned
Word Check in the default email filter profile:
config spamfilter profile
edit "default"
set spam-filtering enable
set options bannedword spamfsip spamfsurl
set spam-bword-table 1
end
9. Next, run the commands below to review the banned words that have already been configured for you
in the configuration file being used for this lab.
config spam bword
show
Notice the use of both regular expression and wild cards in that list.
10. Go to Security Profiles > Email Filter > Profile again and this time modify the default email filtering
profile to set the SMTP Spam Action to Discard.
11. From your Microsoft Outlook mail client, generate a message to: test@gmail.com that will be caught by
the banned words that have been configured. For example, add the word training to the subject or
message body of your test email and attempt to send the message.
When you send the email the following message displays indicating the message was blocked:
Remember that some banned words apply only to the subject line, others apply only to the body and
others apply to both.
A banned word is only scored once, for example if a banned word has a score 10 and yet the word
occurs four times in the message body, it will only still be assigned a count of 10.
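The scoring rules just described (scope per entry, wildcard and regular-expression patterns, each banned word scored once per message however often it occurs) can be checked with a small scorer. The Python below is an added example, not the FortiGate implementation and not the lab's pre-built banned word table: the table entries, the scope and score columns and the spam threshold are constructed for illustration (training is the only word the lab names), and anchoring wildcard patterns on word boundaries is an assumption about how matching works.

```python
import re

# Constructed banned-word table: (pattern, kind, scope, score).
# Scope is "subject", "body" or "all", as the lab describes.
BANNED_WORDS = [
    ("training",          "wildcard", "all",     10),
    ("free*",             "wildcard", "subject", 5),
    (r"\bwin\s+\$\d+",    "regexp",   "body",    20),
]
SPAM_THRESHOLD = 10  # constructed threshold for this example


def _compile(pattern, kind):
    """Compile a wildcard or regexp banned word, case-insensitive.
    Wildcards are anchored on word boundaries (an assumption)."""
    if kind == "regexp":
        return re.compile(pattern, re.IGNORECASE)
    rx = re.escape(pattern).replace(r"\*", r"\w*").replace(r"\?", r"\w")
    return re.compile(r"\b" + rx + r"\b", re.IGNORECASE)


def score_message(subject, body, table=BANNED_WORDS, threshold=SPAM_THRESHOLD):
    """Score a message: each entry counts once, and only within its scope."""
    total = 0
    hits = []
    for pattern, kind, scope, score in table:
        rx = _compile(pattern, kind)
        texts = []
        if scope in ("subject", "all"):
            texts.append(subject)
        if scope in ("body", "all"):
            texts.append(body)
        occurrences = sum(1 for text in texts for _ in rx.finditer(text))
        if occurrences:
            total += score  # scored once, however many times it occurs
            hits.append((pattern, occurrences))
    return {"score": total, "hits": hits, "spam": total >= threshold}


if __name__ == "__main__":
    # The lab's case: "training" once in the subject and four times in the body.
    print(score_message("training session",
                        "training training training training"))
```

With the entry scored once, the four body occurrences still contribute 10, not 40; an entry scoped to the subject contributes nothing when the word appears only in the body.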
12. Go to Log & Report > Security Log > Email Filter and check the email filtering log entries for this
event as well. To make it easier to view all email activity, add the column Dst Port and filter on port
25.
Module 9
Lab 1: Web Filtering
The aim of this lab is for students to configure web filtering to block specific categories of web content. The
interaction of local categories and overrides will also be demonstrated.
Lab Objectives
Time to Complete
Estimated: 30 minutes
Adult/Mature Content
Security Risk
Click OK to save the settings.
6. Next right-click the web category Bandwidth Consuming, and select Warning. Accept the default
Warning Interval value of 5 minutes then click OK to save the settings.
7. Repeat the above step for the web category: Unrated.
Right-click the web category General Interest Business and select Block.
Click Apply to save your changes.
8. Go to Policy > Policy > Policy and edit the outgoing port3port1 policy. Under Security Profiles, turn
on Web Filter and ensure that the default profile is selected.
Next, turn ON SSL/SSH Inspection under Proxy Options and ensure the default profile is selected.
Click OK to save the policy changes.
9. From the CLI on the Student FortiGate device, check the low-level status information of the web
filtering service by entering the following command:
diag debug rating
The command diag debug rating shows the list of FDS servers for web filtering that the FortiGate
unit is using to send requests. Rating requests are only sent to the server on the top of the list in normal
operation. Each server is probed for RTT every 2 minutes.
The diag debug rating flags indicate the server status as explained below:
D indicates the server was found via the DNS lookup of the hostname. If the hostname
returns more than one IP address, all of them will be flagged with 'D' and will be used first for
INIT requests before falling back to the other servers.
I indicates the server to which the last INIT request was sent.
F signifies the server has not responded to requests and is considered to have failed.
T signifies server is currently being timed.
10. From a web browser on the virtual Windows Server, connect to a web site that is usually blocked by the
training policy and verify that the blocked message is displayed.
A FortiGuard replacement message should be displayed.
11. Go to System > Config > Replacement Message and under Security select FortiGuard Block Page and
change the text of the block message to customize it. Click Save located in the upper-right hand corner
of the edit pane to apply your changes.
12. Revisit the same web site and ensure that the customized FortiGuard Block Page Blocked message is
displayed.
You may need to clear your browser's cache or refresh the block page, as the browser might take the
information from its local cache.
13. Next, in the web browser, attempt to connect to a web site category with an Authenticate action. For
example:
A Web Page Blocked message is displayed again, this time with a Proceed button.
14. Click Proceed to view the Web Filter Block Override page. Enter the username student and the
password F0rtinet and click Continue.
The web page should now be displayed.
15. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
locate the log messages related to the web filtering activity.
In the following step, you will configure an access quota for a couple of categories. Quotas allow
access to web resources for a specified length of time.
16. Go to Security Profiles > Web Filter > Profile and edit the default web filter profile.
17. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click Create New to
create new quotas. Select the categories (same as in Step 4) to be assigned quotas and set the quota
time value to 5 minutes.
Once you have altered the web filter profile, click OK then click Apply to save the profile settings.
18. From a web browser on the Windows Server, attempt to visit a blocked category web site again.
19. Click Proceed on the Web Page Blocked page. Authenticate on the Web Filter Block Override page
using the username student and the password F0rtinet and click Continue.
Once authenticated properly, the quota timer is initiated.
20. To view the quota timer value, enable the Security Profiles monitors through the CLI as follows:
config sys global
set gui-utm-monitor enable
end
then, go to Security Profiles > Monitor > FortiGuard Quota. If the FortiGuard Monitor is not displayed,
you may need to clear the web browser's cache or refresh the page.
When the daily quota value is reached, the FortiGuard replacement message will be displayed again.
21. From the GUI on the Student FortiGate device go to Log & Report > Traffic Log > Forward Traffic and
locate the log messages related to the web filtering activity.
22. Edit the default web filter profile, expand Quota on Categories with Monitor, Warning and Authenticate
Actions and delete the quotas on the selected categories. Click OK then click Apply to save the profile
settings.
23. Still in the web filter profile, select flow-based. A notification is displayed as follows:
Module 10
Lab 1: Application Identification
The aim of this lab is for students to use the application control feature to properly identify a given
application.
Objectives
Time to Complete
Estimated: 30 minutes
8. Go to Security Profiles > Application Control > Application Sensor and edit the default sensor again.
Click Create New to add a new application filter and select Specify Applications.
9. In the search field shown above the Application Name column enter Facebook. From the results that
display, select Facebook from the Application Name column. A window displays with a description of
the application including popularity, and a reference link that you can click to obtain more rating
information from the FortiGuard Center.
Set Action to block and ensure that this new signature is placed at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes.
Test that this site is now blocked. Go to Log & Report > Traffic Log > Forward Traffic and view the log
information to confirm that this action was correctly logged. The status of the connection should be
displayed as deny.
10. From the web browser, attempt to access the following web site:
http://proxite.us
On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click Go.
You should observe this does allow some connectivity to the site. What action can be taken to stop
this?
You can create a new rule in the sensor to block the Proxy category.
Objectives
Students will complete the following tasks:
Time to Complete
Estimated: 10 minutes
YouTube
Maximum Bandwidth: 100
Note: The units are in kilobits per second. Take this into consideration
when setting values, as typically bandwidth measurements are done in
kilo bytes, or even larger units.
5. Go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown in the upper right-hand corner of the
window.
6. Next, edit the sensor: ID2 (Video/Audio). If the ID column is not visible, modify the column settings to
add it.
Scroll to the bottom of the window, and set Action to Traffic Shaping. Enable both Forward and
Reverse Direction Traffic Shaping and from the drop-down list, select the YouTube traffic shaper you
created in the previous step.
Once you have applied the YouTube shaper to both the normal and reverse direction for this signature,
click OK then click Apply.
7. Clear the web browser cache and re-open it. Connect to the YouTube web site again and stream
the same video. If you set the Shaper levels low enough the experience of playing the video will be
very different.
Note: Only shared shapers are allowed, so the maximum value here
would apply to everyone inside the network that was using the application
(YouTube videos in this case). Keep this in mind when using this option.
Objectives
Students will complete the following tasks:
Block user attempts to edit any Wikipedia article, while allowing read-only access to that website.
Time to Complete
Estimated: 10 minutes
Module Overview
Other products available from Fortinet
A FortiGate's features
Administrative Access, Users and Profiles
FortiGuard
Operating Modes
Default Settings
Configuration Backup and Restoration
Proper upgrade and downgrade procedures
Console port
and other topics
Module Objectives
By the end of this module, participants will be able to:
Identify the major features of the FortiGate Unified Threat Management appliance
Modify administrative access restrictions
Create and manage administrative users
Create and manage administrator access profiles
Backup and restore configuration files
Create a DHCP server on a FortiGate unit's interface
Upgrade or downgrade a FortiGate unit's firmware
VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall
FortiGate Appliance
Unit Design
Security and network-level services: Firewall, AV, Web Filter, IPS
Automated update service
FortiOS: Specialized operating system
Hardware: Purpose-driven hardware
Application control
WAN optimization
Intrusion prevention
Data leak prevention
Antivirus
Secure VPN
Email filtering
High availability
Firewall
Endpoint compliance
Dynamic routing
Wireless
Logging and reporting
Authentication
Traffic shaping
Virtual domains
Web filtering
Fortinet Products
Network Security
FortiGate appliances: High-end, mid-range and desktop models
Network Access
Wireless: FortiWiFi, FortiAP
Switching: FortiSwitch
End-point and mobility: FortiClient
User Identity: FortiAuthenticator, FortiToken
Infrastructure Security
Application and Content Delivery: FortiADC
DDoS Mitigation: FortiDDoS
Advanced Threat Protection
Voice and Video: FortiVoice, FortiCamera, FortiRecorder
Application Security
FortiMail, FortiWeb, FortiDB
FortiCache
Management
FortiManager, FortiAnalyzer, FortiCloud
Modes of Operation
NAT
Device operates on Layer 3 of the OSI Model
Interfaces have IP addresses
Packets are routed via IP
Transparent
Device operates on Layer 2 of the OSI Model
Device interfaces do not have IPs
Routing decisions are not possible
Device is not a presence in network routing.
OSI Model
Device Administration
Web GUI: HTTP, HTTPS
CLI: Console, SSH, Telnet, GUI Widget
Administrator Profiles
Admin Profile: each configuration area is set to None, Read or Read-Write:
System Configuration
Network Configuration
Firewall Configuration
VPN Configuration
Wifi Configuration
etc.
Administrative Users
Full access: super_admin profile
Custom access: custom profile, prof_admin profile
If logging in from the source IP is not possible, FortiGate will not respond to requests for management traffic to its interfaces
Configuration Files
Configuration file header (annotated on the slide: Model, Firmware Major Version, Build Number):
#config-version=FWF60D-5.00-FW-build252131031:opmode=0:vdom=0:user=admin#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1
Encrypted:
#FGBK|3|FWF60D|5|00|252|
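The model, firmware version and build number annotated on the slide are what a restore should be checked against before a backup is loaded onto a unit. The Python below is an added example, not Fortinet code: it parses the two header lines printed on the page (the plain header rejoined across its line break) and compares them. The field meanings for the encrypted #FGBK header are inferred from the slide annotations and from the values matching the plain header (FWF60D, 5.00, build 252); the meaning of its first numeric field is not given on the page and is left unlabelled.

```python
import re

# Header strings as printed on the page (plain header rejoined across the line break).
PLAIN_HEADER = ("#config-version=FWF60D-5.00-FW-build252131031:opmode=0:vdom=0:user=admin"
                "#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1")
ENCRYPTED_HEADER = "#FGBK|3|FWF60D|5|00|252|"

# MODEL-MAJOR.MINOR-FW-build<digits>; the digits after "build" are kept as a tag,
# the separate buildno field is used as the build number.
_PLAIN_RE = re.compile(r"^([A-Z0-9]+)-(\d+)\.(\d+)-FW-build(\d+)$")


def parse_config_header(line):
    """Return model, firmware version and build number from a backup file header."""
    line = line.strip()
    if line.startswith("#FGBK|"):
        f = line.split("|")
        # f[0] '#FGBK', f[1] unlabelled, f[2] model, f[3] major, f[4] minor, f[5] build
        return {"format": "encrypted", "model": f[2], "major": int(f[3]),
                "minor": f[4], "build": int(f[5]), "raw_fields": f[1:]}
    if line.startswith("#config-version="):
        top = {}
        for field in line.lstrip("#").split("#"):
            key, _, value = field.partition("=")
            top[key] = value
        head, _, opts = top["config-version"].partition(":")
        m = _PLAIN_RE.match(head)
        if m is None:
            raise ValueError("unrecognised config-version field: " + head)
        kv = dict(p.split("=", 1) for p in opts.split(":") if "=" in p)
        return {"format": "plain", "model": m.group(1), "major": int(m.group(2)),
                "minor": m.group(3),
                "build": int(top.get("buildno", m.group(4)[:3])),
                "build_tag": m.group(4), "opmode": kv.get("opmode"),
                "vdom": kv.get("vdom"), "user": kv.get("user"),
                "global_vdom": top.get("global_vdom"),
                "conf_file_ver": top.get("conf_file_ver")}
    raise ValueError("not a FortiGate backup header")


def same_target(a, b):
    """True when both headers name the same model, firmware version and build:
    the check to make before restoring a backup onto a unit."""
    return ((a["model"], a["major"], a["minor"], a["build"]) ==
            (b["model"], b["major"], b["minor"], b["build"]))


if __name__ == "__main__":
    plain = parse_config_header(PLAIN_HEADER)
    enc = parse_config_header(ENCRYPTED_HEADER)
    print(plain)
    print(enc)
    print("same target:", same_target(plain, enc))
```

Both headers on the page describe the same unit (FWF60D, 5.00, build 252), so same_target returns True for them; a header from another model or build would fail the check.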
Interface IPs
Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods:
Manual IP, DHCP assigned, PPPoE (CLI)
NGFW (Next Generation Firewall): Line Speed Inspection
ATP (Advanced Threat Protection): Focuses on protecting PCs
WF: Web Filtering
Full UTM: All Inspection profile options are available in the GUI
Static Gateway
There must be at least one default gateway
If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically
DHCP Logs
DNS Forwarding
FortiGate units can forward (or not) DNS requests sent to its interfaces
Behavior on each interface is configured separately
Step 1: Backup and store old configuration (Full config backup from CLI)
Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade
Maintainer Access
Available on all FortiGate devices and some non-FortiGate devices
Only available through the hardware console port
Highly secure (requires physical access)
Console Port
Depending on the FortiGate model, console port
access is provided in the following ways:
Serial port (older models)
Standard null modem cable will work for console port access
RJ-45 port
RJ-45-serial cable is required for access
USB 2 port
Requires FortiExplorer to connect
FortiExplorer
Software used to Manage devices via USB-2
Some FortiGate/FortiWiFi models, FortiSwitch, FortiAP
Labs
Lab 1: Initial Setup and Configuration
Ex 1: Configuring Network Interfaces
Ex 2: Exploring the Command Line Interface
Ex 3: Restoring Configuration Files
Ex 4: Performing Configuration Backups
(OPTIONAL)
Lab 2: Administrative Access
Ex 1: Profiles and Administrators
Ex 2: Restricting Administrator Access
Module Overview
Log Severity Levels
Storage Locations
Log types and subtypes
Log Structure and Behavior
Traffic Log
Viewing Log Messages
Reading and Interpreting log messages
Alert Email
Module Objectives
By the end of this module participants will be able to:
State the Purpose of different log types on a FortiGate
Identify the storage location of log information
Navigate the relevant screens for Logging and Monitoring of a FortiGate
Read and Interpret log messages
View and search logs messages
Local logging: Hard drive, Memory
Remote logging: FortiCloud, Syslog, SNMP, FortiAnalyzer, FortiManager
FortiGate
FortiAnalyzer/FortiManager
Register
FortiAnalyzer/FortiManager: Comparison
FortiManager is a dedicated device designed to centrally manage multiple FortiGate devices
FortiAnalyzer is a dedicated device designed for long-term storage of log data
FMG has identical logging and reporting functionality to FAZ, except for a 2Gig daily limit on logs received
FortiAnalyzer/FortiManager: Configuration
Event Log
System (System related events)
User (Firewall authentication events)
Router, VPN, WanOpt & Cache, Wifi
Security Log
By Security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
Section is not created by default
Log Generation
FW Policy
Log Setting
No Log
Disabled
N/A
No Log
Enabled
Disabled
extended-utm-log
Behavior
No Log
Enabled
Enabled
Disabled
N/A
Enabled
Disabled
Enabled
Enabled
Disabled
N/A
Enabled
Disabled
Enabled
Enabled
Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1 .
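The log body above is a flat sequence of key=value fields, some of them double-quoted. The following parser is an added example written for this guide (it is not Fortinet code and not part of the original slides); the second and third sample bodies are constructed to show how quoted values with spaces and a second policy are handled.

```python
import re
from collections import defaultdict

# One key=value pair: the value is either a double-quoted string (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_body(body: str) -> dict:
    """Parse a FortiGate-style key=value log body into a dict, with surrounding quotes removed."""
    fields = {}
    for key, value in _KV.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def sessions_by_policy(bodies) -> dict:
    """Group the session ids seen per firewall policy id across several log bodies."""
    groups = defaultdict(list)
    for body in bodies:
        fields = parse_log_body(body)
        if "policyid" in fields and "sessionid" in fields:
            groups[fields["policyid"]].append(fields["sessionid"])
    return dict(groups)


# Constructed samples: the first body is the one shown on the slide, the other two are made up.
SAMPLE_BODIES = [
    'policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" '
    'srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
    'policyid=12345 identidx=0 sessionid=313 epoch=0 eventid=0 user="alice" group="sales staff" '
    'srcip=10.10.10.1 srcport=1025 srcintf="internal" dstip=11.12.13.14 dstport=80 dstintf="wan1" service=HTTP',
    'policyid=7 sessionid=900 srcip=10.10.10.5 srcport=4444 dstip=203.0.113.9 dstport=443 dstintf="wan1" service=HTTPS',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        f = parse_log_body(body)
        print(f"policy {f['policyid']:>6}  {f['srcip']}:{f['srcport']} -> {f['dstip']}:{f['dstport']}"
              f"  user={f.get('user', '-')}  service={f['service']}")
    print(sessions_by_policy(SAMPLE_BODIES))
```

The same parser works on traffic, event and security log bodies because they all share the key=value layout; only the set of keys changes.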
Alert Email
SNMP Monitoring
SNMP agent on the managed device (Fortinet MIB), queried by the SNMP manager
SNMP v1/v2: plain text
SNMP v3: encrypted
Logging Monitor
Monitor
Monitor sub-menus found in CLI for all main function menus
User-friendly display of monitored information
View activity of a specific feature being monitored
Various settings are found under config system global
gui-antivirus
gui-ap-profile
gui-application-control
gui-central-nat-table
gui-certificates
gui-client-reputation
gui-dynamic-profile-display
gui-dlp
gui-dns-database
gui-dynamic-routing
gui-endpoint-control
gui-explicit-proxy
gui-ipsec-manual-key
gui-implicit-policy
gui-ips
gui-icap
gui-ipv6
gui-lines-per-page
gui-load-balance
gui-local-in-policy
gui-multicast-policy
gui-multiple-utm-profiles
gui-object-tags
gui-policy-interface-pairs-view
gui-replacement-message-groups
gui-spamfilter
gui-sslvpn-personal-bookmarks
gui-sslvpn-realms
gui-utm-monitors
gui-voip-profile
gui-vpn
gui-vulnerability-scan
gui-wanopt-cache
gui-webfilter
gui-wireless-controller
gui-wireless-opensecurity
GUI Monitors
Example: Security Profiles Monitor
Includes all security features
AV Monitor
Recent and top virus activity
Web Monitor
Top blocked FortiGuard categories
Application Monitor
Most used applications
Intrusion Monitor
Recent attacks
FortiGuard Quota
Per user list of quota usage
Labs
Lab 1: Status Monitor and Event Log
Ex 1: Exploring the GUI Status Monitor
Ex 2: Event Log and Logging Options
(OPTIONAL)
Lab 2: Remote Monitoring
Ex 1: Remote Syslog and SNMP Monitoring
Firewall Policies
Module Overview
How Packets are Handled
Policy Types and Subtypes
Network Address and Port Translation
Session Helpers
Proxy vs Flow based inspection
Firewall object usage
Monitoring Firewall policies
Debugging Firewall policies
Module Objectives
By the end of this module participants will be able to:
Identify the components used in a firewall policy
Create firewall policy objects
Create Address type firewall policies
Manage policy order
Test firewall policies
Monitor network traffic through firewall policies
Step #4 - Egress
1. IPSec
2. Source NAT
3. Routing
Incoming and outgoing interfaces
Source and destination IP addresses
Services
Schedules
Action = ACCEPT: Authentication, Threat Management, Traffic Shaping, Logging
Policy types:
Address: policy match based on IPs
User Identity: policy match based on authentication information (user)
Device Identity: policy match based on OS/Type
Match is based on IP and port information in the packets
Incoming Interface, Outgoing Interface
ZONE: a logical group of interfaces
(Figure: the packet's protocol and port are matched against the firewall policy)
FortiGate uses Services to determine the port number of accepted or denied traffic
Default of ALL services available, applies to all ports and protocols
Select a Service from the predefined list on the FortiGate unit or create a custom service
Web Proxy Service also available if Incoming Interface is set to web-proxy
Group Services and Web Proxy Service Groups to simplify administration
Recurring: configured with a time that happens during a day (or days) of the week
One-time: happens only once
Groups
Groups are logical collections of objects for ease of configuration
If multiple firewall policies will use the same services, addresses or schedules, creating a group simplifies configuration
Accept
Deny
Destination IP address
Destination port
Source IP address
Source port
Firewall policy with NAT enabled (wan1 IP address: 200.200.200.200)
  internal (10.10.10.10) -> wan1 (200.200.200.200) -> 11.12.13.14
  Before NAT: Source IP address 10.10.10.1, Source port 1025; Destination IP address 11.12.13.14, Destination Port 80
  After NAT:  Source IP address 200.200.200.200, Source port 30912; Destination IP address 11.12.13.14, Destination Port 80

Firewall policy with NAT + IP pool enabled (wan1 IP pool: 200.200.200.2-200.200.200.10)
  Before NAT: Source IP address 10.10.10.1, Source port 1025; Destination IP address 11.12.13.14, Destination Port 80
  After NAT:  Source IP address 200.200.200.? (an address from the pool), Source port 30957; Destination IP address 11.12.13.14, Destination Port 80

Firewall policy with NAT + IP pool enabled + fixed port (wan1 IP pool: 200.200.200.201)
  Before NAT: Source IP address 10.10.10.1, Source port 1025; Destination IP address 11.12.13.14, Destination Port 80
  After NAT:  Source IP address 200.200.200.201, Source port 1025 (source port preserved); Destination IP address 11.12.13.14, Destination Port 80

Firewall policy with destination address virtual IP + Static NAT (wan1 IP address: 200.200.200.200)
  From 11.12.13.14 on wan1: Source IP address 11.12.13.14; Destination IP address 200.200.200.222, Destination Port 80
  The virtual IP 200.200.200.222 is translated to the internal host 10.10.10.10
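The four translations drawn on the slides, as an added example in Python. This is not code from the guide or from Fortinet: the session table, the rule that spreads internal hosts over an IP pool, the starting port 30912 and the fixed-port collision check are assumptions of this example; the addresses are the ones used on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatPolicy:
    nat: bool = True
    egress_ip: str = "200.200.200.200"             # wan1 address from the slides
    ip_pool: Optional[Tuple[str, str]] = None     # (first, last) address of an overload pool
    fixed_port: bool = False


class Translator:
    """Source NAT as applied by an ACCEPT policy with NAT enabled, plus the reverse lookup for replies."""

    def __init__(self, first_port: int = 30912):   # constructed starting port
        self.next_port = first_port
        self.sessions = {}                           # translated 4-tuple -> original packet

    def _pool_address(self, policy: NatPolicy, src_ip: str) -> str:
        first = int(ipaddress.ip_address(policy.ip_pool[0]))
        last = int(ipaddress.ip_address(policy.ip_pool[1]))
        # Deterministic spread of internal hosts over the pool (an assumption of this example).
        offset = int(ipaddress.ip_address(src_ip)) % (last - first + 1)
        return str(ipaddress.ip_address(first + offset))

    def snat(self, pkt: Packet, policy: NatPolicy) -> Packet:
        if not policy.nat:
            return pkt
        new_ip = self._pool_address(policy, pkt.src_ip) if policy.ip_pool else policy.egress_ip
        if policy.fixed_port:
            new_port = pkt.src_port        # port preserved, so two hosts can collide on one address
        else:
            new_port = self.next_port      # a fresh port disambiguates sessions behind one address
            self.next_port += 1
        key = (new_ip, new_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions and self.sessions[key] != pkt:
            raise RuntimeError("translated tuple already in use (fixed-port collision)")
        self.sessions[key] = pkt
        return Packet(new_ip, new_port, pkt.dst_ip, pkt.dst_port)

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Map a reply addressed to the translated tuple back to the original internal host."""
        original = self.sessions.get((reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port))
        if original is None:
            return None
        return Packet(reply.src_ip, reply.src_port, original.src_ip, original.src_port)


# Virtual IP with static NAT: external address -> internal server (addresses from the slide).
VIRTUAL_IPS = {"200.200.200.222": "10.10.10.10"}


def vip_dnat(pkt: Packet) -> Packet:
    """Destination NAT applied to inbound traffic whose destination address is a VIP."""
    internal = VIRTUAL_IPS.get(pkt.dst_ip)
    return pkt if internal is None else Packet(pkt.src_ip, pkt.src_port, internal, pkt.dst_port)


if __name__ == "__main__":
    t = Translator()
    out = t.snat(Packet("10.10.10.1", 1025, "11.12.13.14", 80), NatPolicy())
    print("after NAT:", out)
    print("reply mapped back:", t.reverse(Packet("11.12.13.14", 80, out.src_ip, out.src_port)))
    print("VIP:", vip_dnat(Packet("11.12.13.14", 40000, "200.200.200.222", 80)))
```

The fixed-port case is the one to watch: preserving the source port means two internal hosts that pick the same source port toward the same destination cannot both be translated to a single pool address, which is why the example raises on that collision.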
Session Helpers
What does a Session helper do?
When specific types of traffic pass through the FortiGate, additional actions may need to happen
Additional information may be needed from the packets in order for traffic to flow properly
(Figure: hosts 172.16.1.1 and 172.16.1.2 sit behind the FortiGate, whose public address is 201.11.1.3; the signalling payload announces media traffic to 172.16.1.2, port 12546, and the session helper rewrites it so the outside peer sends media traffic to 201.11.1.3, port 12546)
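What the figure describes is the work of a SIP session helper: the media address inside the SDP payload is not touched by ordinary NAT, so the helper rewrites it and opens the matching pinholes. The Python below is an added example, not Fortinet's implementation; the INVITE message is constructed around the slide's addresses, and the RTCP-on-port+1 convention and the Content-Length fix-up are assumptions of the example.

```python
import re


def rewrite_sdp(message: str, internal_ip: str, public_ip: str):
    """Rewrite the SDP addresses the way a SIP session helper does.

    Returns the rewritten SIP message and the (ip, port) pinholes the firewall must open so
    the peer's media (RTP/RTCP) can reach the translated address.
    """
    head, sep, body = message.partition("\r\n\r\n")
    pinholes, new_lines = [], []
    for line in body.split("\r\n"):
        # o= and c= lines carry the media host address, the payload field plain NAT never sees.
        if (line.startswith("c=") or line.startswith("o=")) and line.endswith(" IP4 " + internal_ip):
            line = line[: -len(internal_ip)] + public_ip
        m = re.match(r"m=(audio|video) (\d+) ", line)
        if m:
            port = int(m.group(2))
            pinholes.append((public_ip, port))        # RTP
            pinholes.append((public_ip, port + 1))    # RTCP, conventionally the next port
        new_lines.append(line)
    new_body = "\r\n".join(new_lines)
    # The rewritten body can change length, so Content-Length must be recomputed or the peer
    # will truncate or over-read the SDP.
    head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(new_body.encode())}", head)
    return head + sep + new_body, pinholes


# Constructed INVITE: phone 172.16.1.2 behind the FortiGate (public address 201.11.1.3),
# media on port 12546 as on the slide. The Content-Length value is deliberately stale.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.16.1.1:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 999\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 172.16.1.2\r\n"
    "c=IN IP4 172.16.1.2\r\n"
    "m=audio 12546 RTP/AVP 0"
)

if __name__ == "__main__":
    rewritten, holes = rewrite_sdp(INVITE, "172.16.1.2", "201.11.1.3")
    print(rewritten)
    print("pinholes:", holes)
```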
Traffic Shaping
Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
Normalizes traffic bursts by prioritizing certain flows over others
(Figure: HTTP, FTP and IM flows sharing the same link)
Traffic Shapers
Shared Traffic Shaper: each shaper is defined by a Guaranteed Bandwidth and a Maximum Bandwidth
Threat Management
Security profiles are enabled within each Firewall policy
Tracks the score for all devices within that VDOM by assigning a value to various UTM events
A hard drive (or a FortiAnalyzer, FortiManager or FortiCloud) is required to monitor the score
Less Accurate
Layer 3 unaffected
Endpoint Control
(Figure: endpoint checks such as: Up to date? Disallowed software installed?)
(Figure: DMZ and INTERNET segments)
Identification Techniques
Agentless: TCP Fingerprinting
Agent Based: uses FortiClient
Object Usage
Allows for faster changes to settings
The Reference column allows administrators to
determine where the object is being used
Navigate directly to the appropriate edit page
Monitor
View policy usage by active sessions, bytes or packets
Policy > Monitor > Policy Monitor
Interface: use the logical name (port1, lan, wan1); any can be specified by super_admin users only
Level (1-6)
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name
or
not
Shuts off all diagnostics running in the diag deb command tree
diag deb disable
Disables debug output
Level 6
# diag sniff packet lan 'host 4.2.2.2' 6
interfaces=[lan]
filters=[host 4.2.2.2]
3.258531 lan -- 192.168.100.110 -> 4.2.2.2: icmp: echo request
0x0000   ...M....s{.4..E.
0x0010   .<G.........dn..
0x0020   ....L....labcdef
0x0030   ghijklmnopqrstuv
0x0040   wabcdefghi
Labs
Lab 1: Firewall Policy
Ex 1: Creating Firewall Objects and Rules
Ex 2: Policy Action
Ex 3: Configuring Virtual IP Access
Ex 4: Configuring IP Pools
(OPTIONAL)
Lab 2: Traffic Log
Ex 1: Enabling Traffic Logging
Firewall Authentication
Module Overview
Local User Authentication
Remote Server Authentication
User Groups
Authentication Rules
Disclaimer Page
Authentication Timeout
Two-Factor Authentication
LDAP Configuration and Testing
Radius Configuration and Testing
Monitoring Authenticated Users
Module Objectives
By the end of this module participants will be able to:
Describe the authentication mechanisms available in FortiGate devices
Create local users and user groups
Describe and configure two-Factor authentication
Configure and test Radius authentication
Configure and test LDAP authentication
Create authentication rules
Configure user disclaimers
Monitor active users
Authentication
It is the act of confirming the identity of a person or other entity
Once the person or entity has been identified, the network device applies the right firewall policies and profiles to allow or deny access to each network resource
(Figure, local authentication: the user sends a username and password to the FortiGate, which replies OK)
(Figure, remote authentication: the user sends a username and password to the FortiGate, which forwards them to the Remote Server)
Remote authentication servers: RADIUS, LDAP, TACACS+, Directory Services
(Figure, group types and their sources: Firewall (user Paris), Guest (Visitors / Guest User), FSSO (Active Directory), RSSO (Radius Server))
User groups are assigned one of four group types: Firewall, Fortinet Single Sign On
(FSSO), Guest and Radius Single Sign On (RSSO)
Firewall user groups provide access to firewall policies that require authentication
FSSO and RSSO are used for Single Sign On Authentication
Authentication Rules
Authentication Rules are enabled to require firewall authentication
They identify the users and user groups that will be forced to authenticate
They also define other aspects of authentication, including services, schedules, destination address, profiles, logging and traffic shaping
Authentication Rule
Destination Address
Users/ Groups
Services
Schedules
Logging
Security Profiles
Traffic Shaping
All other services are not allowed until the user has first authenticated successfully through one of the protocols above
Disclaimers
Displays the Terms and Disclaimer Agreement page before the user authenticates
User must accept the disclaimer to proceed with the authentication process
Once authenticated, the user is directed to the original destination
Authentication Timeout
Token-based codes are good for one-time use only, so even if a code is intercepted it is already useless
One-Time Password (OTP) algorithms can be either time based or event based:
Fortinet uses time, so it is important for the FortiGate's system clock to be accurate
(Figure: the OTP Generator and the Validation Server each run the same Algorithm over the same Seed and the same Time, so both produce the same code)
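The time-based scheme in the figure is what RFC 6238 (TOTP) standardizes: HMAC over the current time step, truncated to a short code. The Python below is an added example, not FortiToken's or Fortinet's code; it implements the RFC algorithm, and the validation routine adds the two checks the slides motivate (a code is accepted only once, and only within a small clock-skew window). The 60-second step and the skew of one step are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


def validate(seed: bytes, candidate: str, unix_time: int, step: int = 60, digits: int = 6,
             skew_steps: int = 1, used: Optional[set] = None) -> bool:
    """Validation-server check.

    Accepts the code for the current step or its +/- skew_steps neighbours (tolerating small
    clock drift between token and server) and, when a `used` set is supplied, refuses to accept
    the same counter twice, which is what makes the code one-time.
    """
    current = unix_time // step
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if used is not None and counter in used:
            continue
        if hmac.compare_digest(hotp(seed, counter, digits), candidate):
            if used is not None:
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 6238 test seed, not a real token seed
    now = int(time.time())
    code = totp(seed, now)
    print("code now:", code, "valid:", validate(seed, code, now))
```

Because the server only ever checks a handful of neighbouring counters, a token or FortiGate whose clock drifts by more than the skew window produces codes the server rejects; that is the practical reason the slide insists on an accurate system clock.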
Adding a FortiToken
LDAP Review
The Lightweight Directory Access Protocol (LDAP) is an application
protocol for accessing and maintaining distributed directory information
services
The LDAP structure is similar to a tree that contains entries (objects) in
each branch:
Each entry has a unique ID, the Distinguished Name (DN)
Each entry also has attributes
Each attribute has a name and one or more values
The attributes are defined in a directory schema
(Figure, directory tree: root dc=example,dc=com; branches c=usa, c=france, c=canada; organizational units ou=it, ou=hr; leaf entries uid=apiquet, uid=abush, and an entry with the attributes uid: jsmith, email: jsmith@example.com, objectClass: inetOrgPerson)
LDAP Configuration
Name of the attribute that identifies each user
Parent branch where all users are located
Credentials for an LDAP administrator
Radius Overview
It is a standard protocol that provides Authentication, Authorization and Accounting (AAA) services
(Figure: the User sends credentials to the FortiGate unit, which sends an Access-Request to the Radius server; the server answers with Access-Accept, Access-Reject or Access-Challenge)
Radius Configuration
A Fortinet Vendor-Specific Attributes (VSA) dictionary is provided to identify the Fortinet-proprietary RADIUS attributes
IP address or FQDN of the Radius server
The Secret must match the Radius server's secret key
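Why the secret has to match on both sides is visible in the packet format itself: RFC 2865 uses the shared secret both to hide the User-Password attribute and to compute the Response Authenticator that the FortiGate checks on every reply. The Python below is an added example (not Fortinet code, and a toy server rather than a real RADIUS implementation) that builds an Access-Request, answers it, and shows what breaks when the secrets differ; the usernames, passwords and secret values are constructed.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (the length covers its 2-byte header)."""
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password: the chaining value is the received (hidden) block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    """What the FortiGate sends: Code, Identifier, Length, random Request Authenticator, attributes."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy validation server: recover the password with its own secret, then Accept or Reject."""
    attrs = parse_attributes(request[20:])
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    if username in users and hmac.compare_digest(users[username], password):
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret, attribute(REPLY_MESSAGE, b"bad credentials"))


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """FortiGate-side check: matching Identifier and an authenticator computed with OUR secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    secret, users = b"s3cr3t-shared", {b"jsmith": b"fortinet"}   # constructed values
    req = build_access_request(7, b"jsmith", b"fortinet", secret)
    resp = radius_server(req, secret, users)
    print("code:", resp[0], "verified:", verify_response(resp, req, secret))
```

Two failure modes are worth noting. With a mismatched secret the server decodes the password into garbage and answers Access-Reject, so a user with the right password is refused; and even a forged Access-Accept is useless to an attacker without the secret, because the FortiGate recomputes the Response Authenticator before trusting the reply.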
Users
Select an external authentication server if the password is not stored locally
Enable two-factor authentication
User Groups
Policy Configuration
User Monitor
Output sample
Fortigate# diagnose test authserver ldap Lab jsmith fortinet
authenticate 'jsmith' against 'Lab' succeeded!
Group membership(s) CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
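The three configuration fields from the LDAP slide (the attribute that identifies a user, the parent branch to search, and the administrator credentials) and the group list printed by diagnose test authserver above can be tied together with a small model. The Python below is an added example, not Fortinet code: it uses an in-memory directory instead of a real LDAP server, modelled on the tree shown in the module; where each uid sits in the tree, the passwords and the memberOf values are assumptions.

```python
import hmac

# Constructed in-memory directory modelled on the slide's tree (dc=example,dc=com with country
# branches, OUs and uid leaves). Entry placement, passwords and group memberships are assumed.
DIRECTORY = {
    "cn=ldapadmin,dc=example,dc=com": {"cn": "ldapadmin", "userPassword": "admin-pw"},
    "uid=jsmith,ou=it,c=usa,dc=example,dc=com": {
        "uid": "jsmith", "mail": "jsmith@example.com", "objectClass": "inetOrgPerson",
        "userPassword": "fortinet",
        "memberOf": ["CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com",
                     "CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com"],
    },
    "uid=apiquet,ou=hr,c=france,dc=example,dc=com": {
        "uid": "apiquet", "mail": "apiquet@example.com", "objectClass": "inetOrgPerson",
        "userPassword": "pw-apiquet", "memberOf": [],
    },
    "uid=abush,c=canada,dc=example,dc=com": {
        "uid": "abush", "mail": "abush@example.com", "objectClass": "inetOrgPerson",
        "userPassword": "pw-abush", "memberOf": [],
    },
}


def in_subtree(dn: str, base_dn: str) -> bool:
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search_user(directory: dict, base_dn: str, cnid: str, username: str):
    """Subtree search below the configured Distinguished Name for <cnid>=<username>."""
    hits = [dn for dn, attrs in directory.items()
            if in_subtree(dn, base_dn) and attrs.get(cnid) == username]
    return hits[0] if len(hits) == 1 else None       # zero or ambiguous matches both fail


def bind(directory: dict, dn: str, password: str) -> bool:
    entry = directory.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)


def authenticate(directory: dict, cfg: dict, username: str, password: str):
    """Regular-bind flow: bind as the admin, look up the user's DN, then bind as that user.

    Returns (ok, detail, group memberships).
    """
    if not bind(directory, cfg["admin_dn"], cfg["admin_password"]):
        return False, "admin bind failed", []
    dn = search_user(directory, cfg["base_dn"], cfg["cnid"], username)
    if dn is None:
        return False, "user not found under base DN", []
    if not bind(directory, dn, password):
        return False, "user bind failed", []
    return True, dn, directory[dn].get("memberOf", [])


# Constructed server definition mirroring the fields on the LDAP configuration slide.
LDAP_CFG = {"cnid": "uid", "base_dn": "dc=example,dc=com",
            "admin_dn": "cn=ldapadmin,dc=example,dc=com", "admin_password": "admin-pw"}

if __name__ == "__main__":
    ok, detail, groups = authenticate(DIRECTORY, LDAP_CFG, "jsmith", "fortinet")
    print("authenticate 'jsmith' succeeded!" if ok else f"failed: {detail}")
    for g in groups:
        print("Group membership(s)", g)
```

The two misconfigurations this makes visible are a base DN that is too narrow (the user exists but is not under the branch, so the search fails before any password is checked) and a wrong cnid (searching uid= with an e-mail address finds nothing).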
Labs
Lab 1: User Authentication
Ex 1: Identity-based Firewall Policy
SSL VPN
Module Overview
VPN definition
SSL VPN vs. IPSec VPN
Web-only mode
Tunnel mode
Port Forward mode
Split-Tunneling
Client Integrity Checking
SSL VPN portal
SSL VPN configuration
Access modes comparison
SSL VPN monitor
Module Objectives
By the end of this module participants will be able to:
Configure the different SSL VPN operating modes
Setup SSL VPN portals
Configure firewall policies and authentication rules for SSL VPN
Monitor SSL VPN connections
FortiGate VPN
SSL VPN: typically used to secure web transactions; an HTTPS link is created to securely transmit application data; the client signs on through a secure web page (SSL VPN portal) on the FortiGate device
IPSec VPN
(Figure, Tunnel mode between the Internet and the Internal network: Split Tunneling enabled versus Split Tunneling disabled)
+
Token Code (two factor)
Web-only user
Web-only | Tunnel | Port Forward
No client software required (web browser only)
Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
Requires admin/root privilege to install network tunnel adaptor
Labs
Lab 1: SSL VPN
Ex 1: Configuring SSL VPN for Web-only access
Ex 2: Configuring SSL VPN for Tunnel mode
IPSec VPN
Module Overview
IPSec VPN Overview and Terminology
Internet Key Exchange
IKE Phase 1
IKE Phase 2
Diffie-Hellman
Quick Mode Selectors
Policy-based VPN
Route-based VPN
Configuring Point-to-point VPNs
VPN Monitor
Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify and compare route-based and policy-based VPNs
Deploy a site-to-site VPN between two FortiGate devices
Monitor VPN connections
IPSec VPN
Suite of protocols for securing IP communications by authenticating and/or encrypting packets
(Figure, private network: Data Confidentiality (data confidential), Data Integrity (data has integrity), Authentication (sender authenticated))
IPSec VPN can protect upper layer protocols (such as TCP) but the complexity, overhead and bandwidth required for the exchange is increased
Diffie-Hellman
Diffie-Hellman is a key-agreement protocol that allows a pair of peers to communicate over an insecure channel and independently calculate a shared secret key using only public keys
The shared secret key is then used to calculate keys for symmetric encryption algorithms (such as 3DES, AES) and symmetric authentication (HMACs)
With Perfect Forward Secrecy (PFS) a new common secret key is recalculated each time the phase 2 session key expires
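The three sentences above map directly onto a few lines of arithmetic. The Python below is an added example, not FortiOS code: it runs a Diffie-Hellman exchange in DH group 2 (the 1024-bit MODP group and generator from RFC 2409, which IKE uses; larger groups are preferable today), derives symmetric encryption and authentication keys from the shared secret with an HMAC-based PRF in the spirit of IKE's SKEYSEED derivation (the exact derivation here is an assumption of the example, not IKE's), and shows the PFS property that a fresh exchange yields unrelated keys.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2 from RFC 2409: 1024-bit MODP prime, generator 2 (as used by IKE).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair(p: int = P, g: int = G):
    """Each peer picks a private exponent and publishes g^x mod p (the public value)."""
    private = secrets.randbelow(p - 3) + 2          # 2 .. p-2
    return private, pow(g, private, p)


def dh_shared_secret(private: int, peer_public: int, p: int = P) -> int:
    """Both sides compute the same g^(xy) mod p from their own private and the peer's public value."""
    if not 1 < peer_public < p - 1:                 # 0, 1 and p-1 would force a trivial secret
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_keys(shared: int, nonce_i: bytes, nonce_r: bytes) -> dict:
    """Turn the DH secret into symmetric keys via a PRF (example derivation, not IKE's exact one)."""
    secret_bytes = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    skeyseed = hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()
    return {
        "enc": hmac.new(skeyseed, b"encryption|" + nonce_i + nonce_r, hashlib.sha256).digest(),
        "auth": hmac.new(skeyseed, b"authentication|" + nonce_i + nonce_r, hashlib.sha256).digest(),
    }


def exchange():
    """One complete exchange; returns the key sets each side computed independently."""
    x, gx = dh_keypair()                              # initiator
    y, gy = dh_keypair()                              # responder
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    keys_i = derive_keys(dh_shared_secret(x, gy), nonce_i, nonce_r)   # initiator has x, learns gy
    keys_r = derive_keys(dh_shared_secret(y, gx), nonce_i, nonce_r)   # responder has y, learns gx
    return keys_i, keys_r


if __name__ == "__main__":
    first_i, first_r = exchange()
    print("peers agree:", first_i == first_r)
    second_i, _ = exchange()          # PFS rekey: new exponents, unrelated keys
    print("rekey produced new keys:", first_i != second_i)
```

Only gx and gy cross the wire; recovering x or y from them is the discrete-logarithm problem. The PFS rekey is just a second call to exchange(): because the exponents are fresh, compromising a later long-term secret reveals nothing about the earlier session keys.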
Phase 1
IKE phase 1 performs the following:
Authenticates and protects the parties involved in the IPSec transaction
Can use pre-shared keys or digital certificates (RSA signature)
Phase 2
IKE phase 2 performs the following:
Negotiates IPSec SA parameters
Protected by existing IKE SA
Selectors support:
Destination and source IP addresses
Protocol number, and source and destination ports
One firewall policy (with the action ACCEPT) is usually required per direction
                                      Policy-based   Route-based
FortiGate operation modes supported
L2TP-over-IPSec                       Yes            No
GRE-over-IPSec                        No             Yes
Routing Protocols                     No             Yes
Number of policies per VPN
Configuration
Step 1: Configure the phase 1
Step 2: Configure one or more phases 2
Step 3: Create the firewall policies
Step 4: Route the traffic to the IPSec interface (only for route-based VPNs)
(Figure, VPN monitor columns: Phase 1 name, Status, Local Quick Mode Selector, Remote Quick Mode Selector, Key life remaining time)
Labs
Lab 1: IPSec VPN
Ex 1: Site to Site IPSec VPN
Antivirus
Module Overview
Terminology
Heuristic Scanning
Sandboxing
Botnet Connections
Proxy-Based scanning
Flow-Based scanning
Conserve mode
Memory Diagnostics
and more
Module Objectives
By the end of this module participants will be able to:
Identify conserve mode conditions and AV system behavior
Define the virus scanning techniques used on the FortiGate unit
Differentiate between proxy-based and flow-based virus scanning
Configure virus scanning
Update antivirus signature databases through FortiGuard services
Set up Grayware and Heuristic scanning
Submit unknown virus samples to Fortinet
Describe the virus scanning order of operations
Virus
Infects the computer and spreads on its own
User interaction is not required
  Behavior is modeled after a biological virus
  Size: very small
Grayware
User interaction is required for installation
Often comes bundled with installation of free software
  Size: highly variable (usually small)
Worm
Spread to other hosts
Replicates on the same host, repeatedly
Polymorphic
Payload uses changing encryption with each infection
Requires polymorphic engine as part of payload
Metamorphic
Rewrites payload with each infection
Requires metamorphic engine as part of payload
Adware
Automatically injects advertisements in order to generate revenue
Ransomware
Restricts user access and demands payment to remove
Rootkit
Obtains root admin access
Keylogger
Capture keystrokes
Mass Mailer
Sends out large volumes of emails
Antivirus: detect and eliminate viruses, worms, Trojans and spyware in real time; stop threats before they enter the network
Heuristics scanning
Heuristic scanning tests for virus-like or dangerous behavior
Virus-like attributes are totaled (Virus-like attribute + Virus-like attribute + Virus-like attribute > Heuristic threshold); if the total is greater than the threshold, the file is marked as suspicious
Possibility of false positives
Pass: enable Heuristic scanning and pass detected files
Block: enable Heuristic scanning and block detected files
Disable: turn off Heuristic scanning
Grayware scanning
# config antivirus setting
#   set grayware [enable|disable]
# end
Sandboxing
Helps detect zero-day vulnerabilities and provides data for the FortiGuard AV analysts
Botnet Connections
Proxy-Based scanning
The antivirus proxy buffers the file as it arrives; once transmission is complete, the virus scanner examines the file
Higher detection and accuracy rate
Comfort Clients can be used to avoid timeouts
Multiple Database options
(Chart: detection-rate series rising to 100%; series values as shown:
95.08% 97.97% 98.88% 99.47% 99.76% 99.83% 99.89% 99.91% 99.94% 99.95% 100%
97.52% 99.24% 99.62% 99.80% 99.88% 99.93% 99.95% 99.97% 99.98% 99.98% 100%
98.27% 99.37% 99.63% 99.80% 99.88% 99.93% 99.95% 99.97% 99.98% 99.99% 100%
99.02% 99.65% 99.74% 99.86% 99.89% 99.92% 99.94% 99.94% 99.95% 99.96% 100%)
Proxy-based scanning order of operations (from the flowchart):
START -> Larger than oversize? Yes -> Oversize action? Block -> Block the file/Email; Pass -> Pass the file/Email
No -> Is an Archive? Yes -> Uncompressed size limit exceeded? Yes -> Block the file/Email; No -> continue
Virus Scan: Infected -> Block the file/Email; Clean -> continue
Grayware Enabled? Yes -> Grayware Scan: Infected -> Block the file/Email; Clean -> continue. No -> continue
Heuristic Enabled? Yes -> Heuristic Scan: Infected -> Action? Block -> Block the file/Email, Pass -> Pass the file/Email; Clean -> Pass the file/Email. No -> Pass the file/Email
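The flowchart is an ordered pipeline, and the order matters: an oversized file never reaches the virus scan, and a heuristic hit is only a verdict if the profile says so. The Python below is an added example of that pipeline, not Fortinet's scanning engine; the file attributes, the signature and grayware lists, the default limits and the threshold value are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    size: int                      # bytes on the wire
    is_archive: bool = False
    uncompressed_size: int = 0     # only meaningful for archives
    sha256: str = ""               # constructed hash-like label used for the signature lookup
    heuristic_hits: int = 0        # number of virus-like attributes found by the heuristic engine


@dataclass
class Profile:
    oversize_limit: int = 10 * 1024 * 1024        # constructed default
    oversize_action: str = "pass"                 # "pass" or "block"
    uncompressed_limit: int = 50 * 1024 * 1024    # constructed default
    grayware: bool = True                         # set grayware enable/disable
    heuristic: str = "block"                      # "pass", "block" or "disable"
    heuristic_threshold: int = 3                  # attributes must exceed this to be suspicious


VIRUS_DB = {"deadbeef"}                            # constructed signature set
GRAYWARE_DB = {"toolbar-installer.exe"}           # constructed grayware set


def scan(sample: Sample, profile: Profile):
    """Return (verdict, stage) following the proxy-based order of operations."""
    if sample.size > profile.oversize_limit:
        return profile.oversize_action, "oversize"                 # never scanned either way
    if sample.is_archive and sample.uncompressed_size > profile.uncompressed_limit:
        return "block", "uncompressed-size-limit"                  # decompression bomb guard
    if sample.sha256 in VIRUS_DB:
        return "block", "virus"
    if profile.grayware and sample.name in GRAYWARE_DB:
        return "block", "grayware"
    if profile.heuristic != "disable" and sample.heuristic_hits > profile.heuristic_threshold:
        # suspicious: the profile's heuristic action decides whether it passes or is blocked
        return profile.heuristic, "heuristic"
    return "pass", "clean"


if __name__ == "__main__":
    for s in (Sample("big.iso", 20 * 1024 * 1024),
              Sample("bomb.zip", 1024, is_archive=True, uncompressed_size=60 * 1024 * 1024),
              Sample("evil.exe", 4096, sha256="deadbeef"),
              Sample("odd.exe", 4096, heuristic_hits=4)):
        print(f"{s.name:<12} -> {scan(s, Profile())}")
```

The oversize branch is the one most often overlooked in reviews: with the default pass action a file above the limit is delivered unscanned, so the limit and the action have to be chosen together.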
Flow-Based Scanning
File is scanned on a packet-by-packet basis as it passes through the FortiGate unit
Faster scanning, but lower accuracy rate
Difficulty in catching virus variants
Only available on certain models
Non-proxy scanning
(Flowchart: START -> Normalize Packet -> Virus Scan -> Clean: pass / Infected: Block the file/Email)
Regular
Extended
Flow-Based
System conserve mode: overall high memory situation; occurs when system memory hits around 80% (exits at 70%)
Proxy conserve mode: occurs when the proxy runs out of available connections; the maximum number of proxy connections varies by device model
1 Proxy
2 System
3 Both
Memory usage
CPU 25.0%   Mem 55.0%  1101M/1975M
RSS    ^CPU%  MEM%   FDS    TIME+      NAME
16M     0.0    0.8   28     00:02.30   scanunitd [x4]
22M     0.0    1.1   11     00:23.44   cmdbsvr
12M     0.0    0.6   89     00:00.64   zebos_launcher [x12]
11M     0.0    0.6   9      00:00.10   uploadd
15M     0.0    0.8   54     21:23.55   miglogd [x2]
11M     0.0    0.6   5      00:00.20   kmiglogd
51M     0.0    2.6   19     02:09.40   httpsd [x7]
47M     0.0    2.4   1465   01:44.27   proxyd [x7]
4M      0.0    0.2   43     00:00.70   imd
12M     0.0    0.6   7      00:00.00   wad_diskd
343M    0.0   17.4   71     00:24.66   ipsmonitor [x7]
11M     0.0    0.6   5      00:00.00   getty
11M     0.0    0.6   7      00:00.20   merged_daemons
11M     0.0    0.6   7      00:00.00   fnbamd
11M     0.0    0.6   8      00:00.00   fclicense
Labs
Lab 1: Antivirus Scanning
Ex 1: Antivirus Testing
Email Filtering
Module Overview
The Building blocks of Email
Email Filtering Methods
Email Filtering Actions
Email Filtering Order of Operations
Email Filtering and Virus Scanning
Submitting False-Positives through FortiGuard
Creating an Email Filter Profile
Viewing Email Filtering Log Messages
Deployment strategies
Module Objectives
By the end of this module participants will be able to:
Identify the email filtering methods used on a FortiGate device
Create Firewall policies for Spam detection and email scanning using Email Filter profiles
Modify inspection rules in order to blacklist or whitelist emails
State available inspection options for various transmission protocols
Describe the flow of email through various transmission protocols
Use logs to view and monitor email filtering activity and events
> nslookup
> server 4.2.2.3
Default Server: [4.2.2.3]
Address: 4.2.2.3
> set q=mx
> google.com
Server: [4.2.2.3]
Address: 4.2.2.3
Non-authoritative answer:
google.com    MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com    MX preference = 10, mail exchanger = aspmx.l.google.com
google.com    MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com    MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com    MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
Non-authoritative answer:
Name:       google.com
Addresses:  2001:4860:4007:800::1005
            74.125.224.164
            74.125.224.169
            74.125.224.168
            74.125.224.165
            74.125.224.161
            74.125.224.163
            74.125.224.167
            74.125.224.162
;; ANSWER SECTION:
example3.com    3600    IN    MX    50 relay.example2.net
example3.com    3600    IN    MX    100 mail.example3.com

;; ANSWER SECTION:
example3.com    3600    IN    MX    50 mail.example3.com
example3.com    3600    IN    MX    100 relay.example2.net
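The two answer sections differ only in which host carries the lower preference value, and that is what decides where mail for example3.com is delivered first. The Python below is an added example (not Fortinet code) that parses dig-style MX answers and orders them by preference as a sending MTA does under RFC 5321; the answer text is a constructed reproduction of the two sections above.

```python
import re
from dataclasses import dataclass

# One MX line as printed in a dig ANSWER SECTION: owner ttl IN MX preference exchange
MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class MXRecord:
    owner: str
    ttl: int
    preference: int
    exchange: str


def parse_answer_section(text: str) -> list:
    """Extract MX records from dig output; comment lines and other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append(MXRecord(m.group(1).rstrip(".").lower(), int(m.group(2)),
                                    int(m.group(3)), m.group(4).rstrip(".").lower()))
    return records


def delivery_order(records) -> list:
    """RFC 5321 5.1: the lowest preference value is tried first; the rest are backups."""
    return [r.exchange for r in sorted(records, key=lambda r: (r.preference, r.exchange))]


def primary_mx(records):
    order = delivery_order(records)
    return order[0] if order else None


def is_backup_mx(records, host: str) -> bool:
    return host.lower() in delivery_order(records)[1:]


# Constructed reproductions of the two ANSWER SECTIONs shown on the slide.
ANSWER_A = """;; ANSWER SECTION:
example3.com    3600    IN    MX    50 relay.example2.net
example3.com    3600    IN    MX    100 mail.example3.com
"""
ANSWER_B = """;; ANSWER SECTION:
example3.com    3600    IN    MX    50 mail.example3.com
example3.com    3600    IN    MX    100 relay.example2.net
"""

if __name__ == "__main__":
    for label, text in (("A", ANSWER_A), ("B", ANSWER_B)):
        recs = parse_answer_section(text)
        print(label, "delivery order:", delivery_order(recs), "primary:", primary_mx(recs))
```

For a FortiGate deployment the practical point is placement: in answer A the off-site relay receives mail first and the FortiGate in front of mail.example3.com sees only what the relay forwards, whereas in answer B the local server is primary and the relay is a backup. Whichever host is the backup needs the same spam and virus filtering as the primary, since legitimate and unwanted mail alike can arrive through it.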
Spam Actions
Tag: add a custom phrase/word to the subject line, or a MIME header and value to the body of an email message, for use in back-end or client filtering
Discard: immediately drop the SMTP connection if spam is detected, sending a 5xx response
Email Filtering
FortiGate unit can detect and
manage spam email
(Figure, message checksum: the body text "Our online pharmacy offers great prices on all your prescription medications." is reduced to a hash)
(Figure, email black/white list: From: bsmith@acme.com -> Mark as Spam or Mark as Clear)
Confirms that the client EHLO response resolves to an IP address
Banned word scoring example: Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18
10 + 5 + 5 = 20, which reaches the threshold
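The scoring rule above (add the score of every banned word that appears, compare the total with the threshold) is simple enough to write out, and the same mechanism is what the web content filter in the Web Filtering module uses. The Python below is an added example, not Fortinet's engine: the word list uses the slide's scores, the wildcard and regex pattern types mirror the two kinds of entry an administrator can create, and the rule that a message reaching the threshold counts as spam, with each banned word counted once per message, is the example's assumption.

```python
import fnmatch
import re

# Constructed banned-word list with the slide's scores; pattern_type is "wildcard" or "regex".
BANNED_WORDS = [
    ("drugs", "wildcard", 10),
    ("pharmacy", "wildcard", 5),
    ("prescription*", "wildcard", 5),      # also matches "prescriptions"
    (r"v[i1]agra", "regex", 10),           # regex entry catching a common obfuscation
]
THRESHOLD = 18


def _matches(pattern: str, pattern_type: str, word: str) -> bool:
    if pattern_type == "regex":
        return re.fullmatch(pattern, word, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(word.lower(), pattern.lower())


def banned_word_score(text: str, banned=BANNED_WORDS):
    """Total the scores of the banned words present; each entry counts once per message."""
    words = re.findall(r"[A-Za-z0-9']+", text)
    total, hits = 0, []
    for pattern, pattern_type, score in banned:
        if any(_matches(pattern, pattern_type, w) for w in words):
            total += score
            hits.append(pattern)
    return total, hits


def is_spam(text: str, threshold: int = THRESHOLD) -> bool:
    return banned_word_score(text)[0] >= threshold


if __name__ == "__main__":
    sample = "Cheap drugs! Our online pharmacy offers great prices on all your prescription medications."
    print(banned_word_score(sample), "spam:", is_spam(sample))
```

Counting each entry once is what keeps a single repeated word from inflating the score; the threshold then expresses how many independent indicators must co-occur before a message is tagged.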
FortiGate can walk through the Received headers and check all IPs
Can cause issues if DNS is slow (emails can pass through multiple servers)
# config spamfilter profile
#   edit <profile_name>
#     config [pop3|imap|smtp]
#       set hdrip [enable|disable(default)]
#     end
#   next
# end
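With hdrip enabled the IP black/white list check is no longer limited to the connecting MTA; every hop recorded in the Received headers is examined. The Python below is an added example (not Fortinet code) of that walk over a constructed two-hop message, with constructed black and white lists; the first-match-wins order, and using the topmost Received header to stand in for the connecting MTA when hdrip is off, are assumptions of the example.

```python
import email
import ipaddress
import re
from email import policy

# In Received headers the sending host's address appears in brackets: "from mx (mx.example [203.0.113.5])"
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message: str) -> list:
    """Walk the Received headers top-down (last hop first) and return every bracketed IPv4 address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(BRACKETED_IP.findall(str(header)))
    return ips


def ip_bwl_check(ips, blacklist, whitelist):
    """First match wins, hop by hop: a whitelisted hop clears the mail, a blacklisted hop marks it spam."""
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in whitelist):
            return "clear", ip
        if any(addr in net for net in blacklist):
            return "spam", ip
    return "no-match", None


# Constructed message: our MTA received it from 203.0.113.5, which received it from 198.51.100.77.
MESSAGE = (
    "Received: from mx.partner.example (mx.partner.example [203.0.113.5])\n"
    "\tby mail.example.com with ESMTP id 1; Mon, 28 Apr 2014 10:00:00 -0400\n"
    "Received: from bulk.sender.test (bulk.sender.test [198.51.100.77])\n"
    "\tby mx.partner.example with ESMTP id 2; Mon, 28 Apr 2014 09:59:00 -0400\n"
    "From: promo@sender.test\n"
    "To: user@example.com\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]   # constructed
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]      # constructed


def check(hdrip: bool):
    """hdrip disabled: only the connecting MTA (modelled here as the topmost Received header) is checked;
    hdrip enabled: every hop in the Received chain is checked."""
    ips = received_ips(MESSAGE)
    return ip_bwl_check(ips if hdrip else ips[:1], BLACKLIST, WHITELIST)


if __name__ == "__main__":
    print("hops:", received_ips(MESSAGE))
    print("hdrip disabled:", check(False))
    print("hdrip enabled: ", check(True))
```

The trade-off the slide mentions follows from the loop: each additional hop is one more address to look up, so a slow DNS-based list multiplies its latency by the number of Received headers.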
IP BWL Check
MIME Header
Email BWL
Banned word
(on Body)
IP BWL Check
(Receive Header)
Banned word
(on Subject)
MIME Header
Email BWL
Banned Word
(on Subject)
IP BWL Check
Banned word
(on Body)
(Figure, FortiGuard AntiSpam lookups: IP address 10.10.10.1; URL www.acme.com; Message checksum x65Fsd34c)
FortiGuard: Connectivity
#diagnose spamfilter fortishield servers
Locale     : english
License    : Contract
Expiration : Mon Apr 28 16:00:00 2014
Weight  RTT  Flags  TZ  Packets
0       1    DI     -8  5
0       1    D      -8  2
0       25          -8  1
30      72          -5  1
30      68          -5  1
30      73          -5  1
80      147          0  1
80      147          0  1
90      207          1  1
SSL Options
SMTPS is SSL encapsulated SMTP
Decoding requires SSL/SSH Inspection profile
Spam actions associated with the email DO NOT BYPASS the virus scan
Unless the action is DISCARD
Spam email passing through could also have a virus
http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
Not all mail domains have suffix for their country of origin
Labs
Lab 1: Email Filtering
Ex 1: Configuring FortiGuard AntiSpam
240
Web Filtering
Module Overview
Web Filtering Functionality
Overview
Web Filtering
Communications
HTTP Inspection Order
Types of Web Filtering
Proxy-Based Web Filtering
Flow-Based Web Filtering
DNS-Based Web Filtering
Web Content Filtering
Web URL Filtering
Forcing SafeSearch
FortiGuard Category Filter
FortiGuard Caching
FortiGuard Usage Quotas
Web Site Rating Submissions
Web Site Rating Overrides
Local Categories
Web Filter Profiles
Web Filter Profiles Actions
Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
State available web filtering modes and their functionality differences
Select the most effective technique for blocking or allowing a web site
Create web content and URL filters
Configure FortiGuard Web Filtering exemptions and rating overrides
Create firewall policies for web filtering using web filter profiles
View and monitor logs for web filtering activity and events
Web Filtering
Means of controlling the web content that a user is able to view
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business
purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive
material
Prevent copyright infringement caused by employees downloading or distributing
copyrighted materials
Prevent children from viewing inappropriate material
(Figure, web filtering communications: DNS Request, DNS Response, HTTP GET, HTTP 200)
Flow-Based
High throughput
No caching
Not as secure
DNS-Based
Very lightweight
Hostname and IP address filtering
No advanced options, URL, and FortiGuard only
(Figure, web content filter: Pharmacy Score=5, Prescription Score=5, Score=10; Threshold=18; 10 + 5 + 5 = 20 -> Block or Exempt www.acme.com)
(Figure, URL filter: URL www.mypage.com/index.html tested against the entries www.example.com, www.abc.com, www.mypage.com/index.html and www.mypage.com, with the actions Block, Allow, Monitor and Exempt)
(Figure, FortiGuard categories: URL www.mypage.com -> category actions Allow, Block, Monitor, Warning, Authenticate)
(Figure, FortiGuard usage quota: a Games Quota applied to Category: Games)
Rating Submissions
Requests for the rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing:
http://www.fortiguard.com/ip_rep.php
Rating Override (1 of 2)
(Figure: rating override for www.acme.com, Category: General Organizations, Sub-Category: Information and Computer Security)
Rating Override (2 of 2)
Can override the rating applied to a hostname by FortiGuard Subscription Services
The hostname is reassigned to a completely different category and uses that category's action
Hostnames only (for example google.com or www.google.com, not www.google.com/index.html)
Authenticate Action
(Figure labels: Marketing, www.hackthissite.org)
Web filter order of operations (from the flowchart):
URL -> Web URL Filter: Block -> Block Page; Exempt -> Display Page; Allow -> FortiGuard Filter
FortiGuard Filter: Block -> Block Page; Allow -> Advanced Filter
Advanced Filter: Block -> Block Page; Allow -> Content Filter
Content Filter: Block -> Block Page; Allow -> Virus Scan -> Display Page
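The URL filter slides, the hostname-only rule for rating overrides and the order-of-operations flowchart above fit together in one evaluation routine. The Python below is an added example, not FortiOS code: the URL filter table, the category table, the per-category actions and the override are all constructed (the entries and the www.hackthissite.org override are taken from the slides), the "simple" entry matching rule is the example's own, and the remaining steps (advanced filter, content filter, virus scan) are folded into a single "scan" outcome rather than modelled.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed URL filter table, first match wins, in the order an administrator listed the entries.
URL_FILTER = [
    ("www.example.com", "simple", "block"),
    ("www.abc.com", "simple", "allow"),
    ("www.mypage.com/index.html", "simple", "exempt"),
    ("www.mypage.com", "simple", "monitor"),
    ("*.badhost.test/*", "wildcard", "block"),
    (r"^.*\.example\.org/downloads/.*$", "regex", "block"),
]
# Constructed FortiGuard category table and per-category actions from a web filter profile.
CATEGORY_OF = {"www.abc.com": "Business", "www.mypage.com": "Games", "www.hackthissite.org": "Hacking"}
CATEGORY_ACTION = {"Business": "allow", "Games": "block", "Hacking": "authenticate"}
# Rating overrides are keyed by hostname only; a URL with a path can never match one.
RATING_OVERRIDE = {"www.hackthissite.org": "Marketing"}


def normalize(url: str):
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.path or "/"


def _url_match(entry: str, entry_type: str, host: str, path: str) -> bool:
    target = host + path
    if entry_type == "simple":
        # an entry with a path must match host+path exactly; a bare hostname matches the whole site
        if "/" in entry:
            return target.rstrip("/") == entry.rstrip("/")
        return host == entry
    if entry_type == "wildcard":
        return fnmatch.fnmatchcase(target, entry)
    return re.match(entry, target) is not None


def url_filter(url: str, table=URL_FILTER):
    host, path = normalize(url)
    for entry, entry_type, action in table:
        if _url_match(entry.lower(), entry_type, host, path):
            return action, entry
    return None, None


def category_for(url: str) -> str:
    host, _ = normalize(url)
    return RATING_OVERRIDE.get(host, CATEGORY_OF.get(host, "Unrated"))


def web_filter(url: str):
    """Order of operations from the module: URL filter first, then the FortiGuard category."""
    action, entry = url_filter(url)
    if action == "block":
        return "block", f"url-filter:{entry}"
    if action == "exempt":
        return "display", f"url-filter exempt:{entry}"   # straight to the page, no further checks
    category = category_for(url)                            # allow, monitor and no-match continue
    cat_action = CATEGORY_ACTION.get(category, "allow")
    if cat_action in ("block", "authenticate"):
        return cat_action, f"category:{category}"
    return "scan", f"category:{category}"                   # on to advanced/content filter and AV


if __name__ == "__main__":
    for u in ("www.example.com", "http://www.mypage.com/index.html", "www.mypage.com/other.html",
              "www.hackthissite.org", "http://cdn.badhost.test/x", "www.example.org/downloads/a.exe"):
        print(f"{u:<40} -> {web_filter(u)}")
```

The ordering explains two things administrators trip over: an exempt entry skips everything after it, including the virus scan, so exempt entries deserve to be as specific as possible; and a hostname override changes the category for every page on that host, which is why www.mypage.com/index.html can be handled differently only through a URL filter entry, not through an override.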
Labs
Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering
257
Application Control
Module Objectives
By the end of this module participants will be able to:
State how a signature trigger is accomplished
Create application control lists
Define application control rules by category
Set up application control through firewall policies by using application
control lists
FortiGuard Application Control Database
Add/revise software through FortiGuard
Use application control to perform traffic shaping
View and search logs for application control activity and events
Application Control
Application control is used to detect and take actions on network traffic
based on the application generating the traffic
Facebook, Skype, Gmail etc.
Order of Operations
Implicit Rules
Implicit 1
Matches traffic against every possible application control signature
Implicit 2
Matches traffic that does not conform to any application control signature
Behavior Identification
Instant Messenger (1 of 3)
Support for MSN (defunct), Yahoo, ICQ and AIM
Software passes traffic through a single IM proxy
Instant Messenger (2 of 3)
Instant Messenger (3 of 3)
Traffic Shaping
Allows for traffic shaping to apply to only SOME of the traffic passing
through a profile/policy
Only traffic matching application control signature is shaped
Can track application bandwidth usage and use traffic shaping to
control heavy traffic applications
Can use all normal traffic shaping options: Shared, Per-IP, Reverse
How it Works
Peer-to-Peer Detection (1 of 3)
Peer-to-Peer Detection (2 of 3)
Peer-to-peer transfer
1 Client
N Servers
Peer-to-Peer Detection (3 of 3)
Labs
Lab 1: Application Identification
Ex 1: Creating an Application Control list