Professional Documents
Culture Documents
FortiGate Infrastructure 6.0 Lab Guide V2-Online-Unlocked
FortiGate Infrastructure 6.0 Lab Guide V2-Online-Unlocked
http://www.fortinet.com/training
http://docs.fortinet.com
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback
Email: courseware@fortinet.com
11/7/2018
TABLE OF CONTENTS
C hanLgoeg 7
V irtual LaB
b asics 8
Network Topology 8
Lab Environment 8
Remote Access Test 9
Logging In 10
Disconnections and Timeouts 12
Screen Resolution 12
Sending Special Keys 13
Student Tools 14
Troubleshooting Tips 14
LaR
1b:outing 17
E xercise1:C onfiguringR outeFailover 18
Before starting any course, check if your computer can connect t o the remote data center successfully. The
remote access test fully verifies if your network connection and your web browser can support a reliable
connection to the virtual lab.
You do not have to be logged in to the lab portal in order to run the remote acces s test.
If your computer connects successfully to the virtual la b, you will see the message All tests passed!:
Logging In
After you run the remot e access test to confirm that your system can run the labs successfully, you can proceed to
log in.
You will receive an email f rom your trainer with an invitation to auto-enroll in the class . The email will contain a
link and a passphrase.
10 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Virtual
LabBasics Logging
In
Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
l From the box of the VM you want to open, click View VM.
When you open a VM, your browser uses HTML5 to connect t o it. Depending on the VM you s elect, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI- based console access of a
Fortinet VM.
You can use the Virtual Keyboardpanel to either send the Ctrl-Alt-Del combination, or the Windows key:
From the Virtual Keyboardpanel, you can also copy text to the guest VM's clipboard:
Student Tools
There are three icon s on the left for messaging the instructor, chatting with t he class, and requesting assistance:
Troubleshooting Tips
l Donot connect to t he virtual lab en vironment through Wi-Fi, 3G, VPN tunn els, or other low-bandwidth or high-
latency connections.
l Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that you r
computer is always on, and d oes not go to sle ep or hibernate.
l For best performance, use a stab le broadband connection, such as a LAN.
14 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
VirtualLabBasics TroubleshootingTips
l You can run a remote access test from within you r lab dashboard. It will measure your bandwidth, latency and
general performance:
l If t he connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. I f you can't reconnect,
notify the instructor.
l If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
l If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
menu, and select Revert:
Reverting to the VM's initial state will undo all of your work. Try other solutions first.
In t his exercise, you'll configu re equal cost multipath (ECMP) routing on Loca l-FortiGate to balance the I nternet
traffic between port1 and port2. After that, you' ll configure a policy route to route HTTPS traffic through port1
only.
After you complete the challenge, see Change the ECMP Load Balancing Method on page 29.
5. Click OK.
28 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 2: Equal Cost Multipath and Policy Routing Change the ECMP Load Balancing Method
By default, the ECMP load balancing method is based on source IP. This works well when there are multiple
clients generating traffic. In the lab network, becaus e you have only one client (Local-Windows), t he source IP
method will not balance any traffic to the second route. Only one route will always be used. For this reason, you
will change the load bala ncing method to use both source and destination IP. Using this method, as long as the
traffic goes to multiple de stination IP addresses, FortiGate will balance the traffic across both routes.
You will generate some HTTP traffic and verify traffic routing u sing the Forward Trafficlogs.
If you require assistance, or to verify your work, use the step-b y-step instructions that follow.
After you complete the challenge, see Configure Priority on page 30.
2. Return to the brows er tab where you are logged into the Local- FortiGate GUI, and click Log & Report > Forward
Traffic.
3. Identify the Destination Interfacein the relevant log entries for the websites you accessed.
Why are all the outgoing pac kets still being routed through port1?
The port2 route is not being used because it was configured with a higher priority value than the port1
route (see Configure a Second Default Route on page 19). When two routes to t he same destination have
the same administrative dis tance, both remain active. Howe ver, if the priorities are different, the route with
the lowest priority value is used. So, to achieve ECMP with static routes, the distance and priority values
must be the same for both routes.
Configure Priority
You will change the priority value for the port2 route to match the port1 route.
30 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise2: EqualCost MultipathandPolicyR outing VerifyE CMP
If you require assistance, or to verify your work, use the step-b y-step instructions that follow.
To configure priority
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Double-click the port2 default route to edit it.
3. Click the plus (+) icon to expand the Advanced Options section.
4. Change the Priority value t o 0 .
5. Click OK.
Verify ECMP
Now that both port1 and port2 routes share the same distan ce and priority values, they are eligible for
ECMP. First, you w ill verify the routing tabl e, and then verify traffic routing using the Forward Trafficlogs.
The filter 'tcp[13]&2==2' matches packets with the SYN flag on, so the output will s how
all SYN packets to port 80 (HTTP).
2. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
3. Analyze the sniffer output.
The SYN packets are egressing both port1 and port2. This verifies that Loca l-FortiGate is now load
balancing all Internet traffic across both routes.
You will force all HTTPS traffic to egress through port1 using a policy route. All other traffic should remain
unaffected and balanced between port1 and port2. To implement this, you will configur e a policy route.
32 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 2: Equal Cost Multipath and PolicyR outing Verifyt he PolicyR oute
The SYN packets are egressing port1 only. This verifies that Local-FortiGate is applying the policy route for
HTTPS traffic .
2. On the Local-Windows VM, open new tabs in the web browser, and then go to a few HTTP w ebsites:
l http://www.pearsonvue.com/fortinet/
l http://cve.mitre.org
l http://www.eicar.org
3. Return to the open LOCAL-WINDOWS PuTTY session, and press Ctrl+C to stop the sniffer.
HTTP (port 80) traffic remains unaffected by the polic y route, and is still load bala nced across both port1 and
port2 routes.
The Local-FortiGate configu ration still has the two link health monitor s for port1 and port2. Do they also
enable routing failover for ECMP scenarios?
Yes. If Local-FortiGate detects a problem in any of the routes, the link monitor will remove the
corresponding route, and all I nternet traffic will be routed through the remaining route.
36 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Lab 2: SD-WAN
Objectives
l Configure SD-WAN load balancing.
l
Time to Complete
Estimated: 20 minutes
Prerequisites
Before beginning t his lab, you must restore a configuration file t o Local-FortiGate.
In this exercise, you will configure SD-WAN using the port1 and port2 interfaces on Local-FortiGate.
Before you can add port1 and port2 as SD-WAN member interfaces, you must remove all configur ation elements
referencing the two interfaces.
If you require assistance, or to verify your work, use the step-b y-step instructions that follow.
After you complete the challenge, see Configure SD-WAN Load Balancing on page 39.
4. Click OK.
5. Click Policy & Objects> IPv4 Policy.
6. Select the Full_Accesspolicy, and then click Delete.
7. Click OK.
38 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise1:SD-WAN ConfigureSD-WANLoadBalancing
You will configure SD-WAN load balancing for all Internet t raffic between port1 and port2.
l
Configure SD-WAN members with the following co nfiguration
lport1 with Gateway10.200.1.254 .
l port2 with Gateway10.200.2.254 .
l Edit SD-WAN Rules to use Source-Destination IPas the load-balancing method.
If you require assistance, or to verify your work, use the step-b y-step instructions that follow.
After you complete the challenge, see Create a Static Route for the SD-WAN Interface on page 41
Field Value
Interface port1
Gateway 10.200.1.254
Status <enable>
5. In the SD-WAN Interface Memberssection, click again + sign to add the second interface.
6. Configure the following:
Field Value
Interface port2
Gateway 10.200.2.254
Status <enable>
7. Click Apply.
8. Click Network > SD-WAN Rules.
9. Right click on sd-wan rule and click Edit.
40 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 1: Creating VDOMsan d VDOM Objects Create a Per-VDOM Administrator
Notice that the drop -down menu at the top of the menu shows a third option: the VD OM-specific settings for
customer:
You will create an administrator account that has access only to the customerVDOM .
1. Return to the brows er tab where you are logged into the Local- FortiGate GUI, and click Global > System >
Administrators.
2. Click Create New > Administrator.
3. Configure the following values:
Field Value
Type LocalUser
Password fortinet
4. Remove root from the Virtual Domains list to restrict the new adminis trator's can access to customeronly.
5. Click OK.
The account customer-adminwill be able to log in only through an interface in the customerVDOM. So, move
the port3 interface, which connects to t he internal network, t o the customer VDOM.
4. Click OK.
48 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 1: Creating VDOMsa nd VDOM Objects Add DNSs ervice to an Interface
For Local-Windows, the DNS server is port3. First, you will enable the DNS database in the Feature Visibility
section. Then, you will add DNS service to port3.
4. Click Apply.
In t his exercise, you will create an inter-V DOM link. Then, you will create the f irewall policies that allow Int ernet
access across both VDOMs. Finally, you will configure and test antiviru s inspection in the inspect VDOM.
Create the inter -VDOM link for routing tra ffic from the root VDOM to the Internet through the inspect VDOM.
Field Value
IP/Network Mask
10.200.1.1/24
Administrative Access HTTPS, PING, SSH
Field Value
7. Click OK.
The Interfacespage displays with t he updated configurations .
8. Review the inter-VDOM link interfaces you just created (expand vlink).
64 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise2:Inter-VDOMLink Createfirewallpolicies
Note that vlink0 and vlink1 are logical interfaces that you can use to route traffic between the root and
inspect VDOMs. An IP address is configurable only on the NAT mode VDOM interface.
l Create two firewa ll policies to allow Intern et traffic to pass through both VDOMs. One policy will be from
vlink1 to port1 and the other will be from port3 to vlink0.
l In the inspect VD OM, enable the default antivirus inspection profile on f irewall policy.
If you require assistance, or to verify your work, use the step-b y-step instructions that follow.
After you complete the challenge, see Route Inter-VDOM traffic on page 69.
Field Value
Name Inspected_Internet
Source all
Destination all
Schedule always
Service ALL
Action ACCEPT
5. In the Security Profilessection, t urn on the AntiVirus switch, and t hen, in t he antivirus profile drop-down menu,
select g-default.
66 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise2:Inter-VDOMLink Createfirewallpolicies
6. Click OK.
Field Value
Name Internet
Incoming Interface port3
Why did the IPsec wizard add a second route using the blackhole interface?
FortiGate drops all packets routed to the blac khole interface. The IPsec wizard added two static routes: one
to t heThe
IPsec virtual
withinterface,
with a distance of 10
t oand
the one
to tvirtual
he blackhole interface, with a distance of
254. route t he lowest distance, the one I Psec interface, takes precedence. However,
if t he VPN is down, the route to t he blackhole interface becomes active,even though it was srcinally the
higher-distance route. So, t raffic destined to the VPN is now routed to t he blackhole interface and dro pped.
The route to the blackho le interface pr events FortiGate from sendin g VPN traffic to the default route while
the VPN is down. The route to the blackhole interface also pre vents FortiGate from creating unnecessary
sessions in t he session table.
78 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 2: Configuring Policy-Based IPsec VPN
For learning purposes, you will configure the second FortiGate device differently. During this exercise, you will
create the VPN on Remote-FortiGate using a policy-based configuration, without using the wizard.
By default, policy- based configurations are hidden in the GUI. Now, you will show polic y-based VPN settings in
the GUI.
Field Value
Name ToLocal
TemplateType Custom
4. Click Next.
5. Disable Enable IPsec Interface Mode.
Field Val ue
IP Address 10.200.1.1
Interface port4
Field Value
80 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 2: Configuring Policy-Based IPsec VPN Create a Firewall Policy for a Policy-Based VPN
Now the quick mode selectors on both sides mirror each other. If that is not the case,
the tunnel will not come up.
Now, you will create a f irewall policy to allow traffic. I n a policy-based configuration, only one policy is required to
Field Value
Source REMOTE_SUBNET
Destination LOCAL_SUBNET
Schedule always
Service ALL
Action IPsec
Field Value
4. Click OK.
This is probably the first time you have seen the action IPsec for a firewall policy. In
previous exercises, t he available actions were Accept and Deny only. IPsec is
displayed in the GUI only when the policy-based VPN settings are not hidden.
The new policy was created below the firewall po licy for Internet traffic. Now, you will ne ed to move the new
policy up for the VPN traffic to match i t.
82 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 2: Configuring Policy-Based IPsecV PN Move a Firewall Policy
In the previous exercise, the VPN wizard added a static route for the VPN traffic. Why don't you need to add
a static route in this case?
The VPN wizard creates the I Psec using a route-based configuration , which always requires additional
routes (usually static routes) to route the tra ffic through the IP sec virtual inte rface. This is usually not
required in a policy-based configuration. Policy -based configurations require the VPN t raffic to match a
firewall policy with the action IPsec. Because traffic from 10.0.2.0/24 to 10.0.1.0/24 matches the
existing default route, and so the IPs ec firewall policy from port6 to port4, no additional routes are needed.
You have finished the configuration on both FortiGate devices. Now, you will test the VPN.
The Status column of the VPN co ntains a green up arrow, indicating that the t unnel is up.
No. In the curren t configuration, the t unnel will stay down until you either bring it up manua lly, or there is
traffic that should be rou ted through the tunnel. Bec ause you are not generating traffic between
10.0.1.0/24 and 10.0.2.0/24 yet, t he tunnel is still down. I f you had generated the require d traffic
while the tunnel was down, it would have come up automatically .
4. On the Local-Windows VM, open a command prompt wind ow, and then run the following c ommand to ping
Remote-Windows:
ping 10.0.2.10
84 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Test FSSO Exercise 1: Configuring FSSO Collector Agent-Based Polling Mode
Field Val ue
Password password
5. Press Enter.
108 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Lab 7: High Availability (HA)
In this lab, you will set up a FortiGate Clu stering Protocol (FGCP) high availability (HA) cluster of FortiGate
devices. You will explore active-active HA mode and observe FortiGat e HA behavior. You will also perform an HA
failover and use diagnostic commands to observe the election of a new primary in the cluster.
Finally, you will configu re management port(s) on each FortiGate to reach each FortiGate individu ally for
management purposes.
Objectives
l Set up an HA cluster using FortiGate devices.
l Observe HA synchronization and interpr et diagnostic output.
l Perform an HA failover.
l Manage individual cluster members by configuring a reserved management interface.
Time to Complete
Estimated: 45 minutes
Lab HA Topology
After you upload the required configurations to each FortiGat e, the logical topology will change t o the following:
Prerequisites
Before beginning this lab, you must restore a configur ation file t o each FortiGate.
Use the procedure that f ollows to restore the correc t configuration to each FortiGate.
Failure to restore the correct configuration to each FortiGate will prevent you from
doing the lab exercise.
4. Click Desktop > Resources> FortiGate-Infrastructure> HA > local-ha.conf , and then click Open.
5. Click OK.
6. Click OK to reboot.
110 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Lab7:HighAvailability (HA) LabHA Topology
FortiGate High A vailability (HA) uses the FortiGate Cluster ing Protocol (FGCP), which uses a heartbeat link for
HA-related communications to discover other FortiGate devices in same HA group, elect a primary device,
synchronize configuration , and detect f ailed devices in an HA cluster.
In t his exercise, you will configur e HA settings on both FortiGate device s. You will obs erve the HA synchronize
status, and verify the configuration is in sync on both FortiGate devic es using the diagnose commands.
Field Val ue
Mode Active-Active
Devicepriority 200
Groupname Training
Password Fortinet
112 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 1: Configuring High Availability(H A) Configure HA Settings on Remote-FortiGate
3. Click OK.
Now, you will configure HA-related settings on Remote-FortiGat e using the console.
config system ha
set group-name Training
set mode a-a
set password Fortinet
set hbdev port2 0
set session-pickup enable
set override disable
set priority 100
end
Now that you have configured HA on both FortiGate devic es, you will verify that HA has been established and the
configurations are f ully synchronized.
The checksums for all cluster members must match, in orde r for the FortiG ate devices to be in a synchronized
state.
2. Wait four to five minu tes for the FortiGate d evices to synchronize.
After the FortiGate devices are synchronized, the FortiGate console will log out all admin users.
slave succeeded to sync external files with master
slave starts to sync with master
logout all admin users
3. When prompted, log back in to the Remote-For tiGate console as admin and password password ..
4. To check the HA synchronize status, run the following command: .
9. Alternatively, you can run the followin g command on the cons ole of any FortiGate in the cluster , t o view the
checksums of all cluster members:
After the checksums of both F ortiGate devices match, you will verify the cluster member roles to confirm the
primary and secondary devices.
114 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Lab 8: Web Proxy
In t his lab, you will learn how to configure FortiGate to be an explicit and transpa rent web proxy.
Objectives
l Configure FortiGate to ac t as a web proxy.
l
Time to Complete
Estimated: 40 minutes
Prerequisites
Before beginning t his lab, you must restore a configuration file t o Local-FortiGate.
126 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 1: Configuring an Explicit Web Proxy
During this exercise, you will configure the FortiGate to act as an explicit web proxy. You will also configur e the
FortiGate to authenticate and author ize Internet access for specific users. The authentication en forcement is
done with an authentica tion scheme and an authentic ation rule. The authoriza tion is done by adding the allowed
user groups to the source of the proxy policy.
After that, you will m anually configure Firefox with the proxy IP address and port.
By default, the explic it web proxy settings are hidden on the GUI. You w ill show them.
You will create an authentica tion scheme to use the local user database for web proxy authentication.
2. At the login prompt, enter the user name admin and password password .
3. Enter the following commands to create the authentication scheme:
config authentication scheme
edit WebProxyScheme
set method form
set user-database local
next
end
You will create the policy to allow explicit proxy traffic to access the Internet. Only the user studentwill be
authorized to browse the Internet through the proxy.
Field Value
128 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise 1: Configuring an Explicit Web Proxy Configure Firefox for Explicit Web Proxy
Field Value
Destination all
Schedule always
Service webproxy
Action ACCEPT
4. Click OK.
You have configured Local-FortiGate as an explicit web proxy. Now, you will configure Firefox to use the explicit
web proxy.
2. Click Options.
During this exercise, you will use the sn iffer and debug flow to t roubleshoot a network connectivity problem.
As you will see in t his procedure, there is a network connectivity problem bet ween the Local-Windows VM and the
Linux server.
ping -t 10.200.1.254
The ping is failing. You w ill use the sniffer and debug flow tools in Local-FortiGate to f ind out why.
3. Do not close the command prompt window. Keep the ping running.
If you require assistance, or to verify your work, use the step-b y-step instructions that follow.
After you complete the challenge, see Test the Fix on page 145.
You will start troubleshooting by sniffing the ICMP traffic going to the Linux server.
The packets are arriving to FortiGate, but FortiGate is not routing them.
Output should be similar to what is shown below. The FortiGate rec eives the ICMP packet from 10.0.1.10
to 10.200.1.254 from port3 :
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet
(proto=1, 10.0.1.10:1->10.200.1.254:2048) from port3. type=8, code=0, id=1,
seq=33."
It drops the packet. The debug flow s hows the error message:
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy
check (policy 0)"
The message Den ied by for war d pol icy check indicates that the tra ffic is denied by a firewall
policy. It could be eithe r a denied policy explicitly configured by the administrator, or the implicit denie d policy
for traffic that doe s not match a ny configured policy.
The polic y 0 indic ates that the traffic was denied by the defau lt implici t policy. I f t he traffic were blocked
by an explicitly configured policy, its policy ID number would be indicated in this output, instead of the
number zero.
144 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
Exercise2: Troubleshootinga ConnectivityP roblem Fixt heProblem
Now that we have found the cause of the problem, let's fix it.
You will test t o confirm t hat t he configuration change f ixed the problem.
There should not be any output yet, becaus e the ping is not running.
5. Return to the command pr ompt window, and start the ping again :
ping -t 10.200.1.254
Additionally, you will see the debug flow logs from the return (ping reply) packets:
id=20085 trace_id=5 func=print_pkt_detail line=5363 msg="vd-root received a packet
(proto=1, 10.200.1.254:62464->10.200.1.1:0) from port1. type=0, code=0, id=62464,
seq=83."
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session,
id-000003f2, reply direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3178 msg="DNAT 10.200.1.1:0-
>10.0.1.10:1"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2583 msg="find a route:
flag=04000000 gw-10.0.1.10 via port3"
The procedure in this exercise describes what you should usually do when
troubleshooting connectivity problems on a FortiGate. Sniffer the traffic first, to check
that the packets are arriving to FortiGate, and that FortiGate is properly routing them.
If the sniffer shows that the traffic is being dropped by FortiGate, us e the debu g flow
tool to find out why.
146 FortiGateInfrastructure6.0LabGuide
Fortinet Techno logies Inc.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, andc ertain other marks areregistered trademarks of Fortinet,
Inc., in the U.S. andother jurisdictions, andother Fortinet names herein may alsobe registered and/or commonlaw trade marks of Fortin et. All otherproduct or company
names may be trademarks of their respective owners. Performanceand other metrics conta ined hereinwere attained in internallab tests under ideal conditions, and
actualperforma nce andother results may vary. Network varia bles, different network environ ments and other conditions may aff ect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims allwarrantie s, whether express or implied, except to the extent Fortine t enters a binding written
contract, signed by Fortinet’ s General Counsel, with a purchaser that expressly warra nts t hat the identifiedproduct willperform accord ingt o certain expressly-identified
performance metrics and, in such event, only the specific performancemetrics expressly id entified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal labt ests. In no event does Fortinet make any
commitment relatedt o futuredeliver ables, f eatures, or development, and circumstances may change such that any f orward-looking statements here in arenot accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whetherex press orimplied. Fortinet reserves the right to change, modify,
transfer, or otherwise reviset his publication without notice, andt he most curren t version of the publication shall be applicable.