
FortiGate Infrastructure Lab Guide

for FortiOS 6.0


Fortinet Training

http://www.fortinet.com/training

Fortinet Document Library

http://docs.fortinet.com

Fortinet Knowledge Base

http://kb.fortinet.com

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback

Email: courseware@fortinet.com

11/7/2018
TABLE OF CONTENTS

Change Log 7
Virtual Lab Basics 8
Network Topology 8
Lab Environment 8
Remote Access Test 9
Logging In 10
Disconnections and Timeouts 12
Screen Resolution 12
Sending Special Keys 13
Student Tools 14
Troubleshooting Tips 14
Lab 1: Routing 17
Exercise 1: Configuring Route Failover 18
Verify the Routing Configuration 18
Configure a Second Default Route 19
Configure the Firewall Policies 20
View the Routing Table 22
Configure Link Health Monitors 23
Test the route failover 23
Restore the routing table 26
Exercise 2: Equal Cost Multipath and Policy Routing 28
Configure Administrative Distance 28
Change the ECMP Load Balancing Method 29
Verify Traffic Routing 29
Configure Priority 30
Verify ECMP 31
Configure Policy Route for HTTPS Traffic 32
Verify the Policy Route 34
Lab 2: SD-WAN 37
Exercise 1: SD-WAN 38
Remove Interface References 38
Configure SD-WAN Load Balancing 39
Create a Static Route for the SD-WAN Interface 41
Create a Firewall Policy for SD-WAN Load Balancing 42
Verify the SD-WAN Load Balancing Configuration 42
Lab 3: Virtual Domains 44
Exercise 1: Creating VDOMs and VDOM Objects 46
Create a VDOM 46
Create a Per-VDOM Administrator 47
Move an Interface to a Different VDOM 48
Add DNS service to an Interface 49
Test the Per-VDOM Administrator Account 50
Execute Per-VDOM CLI Commands 51
Exercise 2: Inter-VDOM Link 53
Create an Inter-VDOM Link 53
Configure Routing Between VDOMs 54
Configure Firewall Policies for Inter-VDOM Traffic 56
Test the Inter-VDOM Link 58
Lab 4: Transparent Mode 59
Exercise 1: Transparent Mode VDOM 61
Create a Transparent Mode VDOM 61
Moving an Interface to a Different VDOM 62
Exercise 2: Inter-VDOM Link 64
Create an Inter-VDOM Link 64
Create firewall policies 65
Route Inter-VDOM traffic 69
Test the Transparent Mode VDOM 69
Lab 5: Configuring a Site-to-Site IPsec VPN 72
Exercise 1: Configuring Route-Based IPsec VPN 74
Create a VPN Using the VPN Wizard 74
Review the Objects Created by the VPN Wizard 75
Exercise 2: Configuring Policy-Based IPsec VPN 79
Show Policy-Based VPN Settings in the GUI 79
Create a Policy-Based VPN 79
Create a Firewall Policy for a Policy-Based VPN 81
Move a Firewall Policy 82
Exercise 3: Testing and Monitoring the VPN 84
Test the VPN 84
Exercise 4: Configuring an IPsec VPN Between Two FortiGate Devices 86
Prerequisites 86
Create Phases 1 and 2 on Local-FortiGate 87
Create a Static Route for a Route-based VPN on Local-FortiGate 88
Create an Interface Zone on Local-FortiGate 88
Create Firewall Policies for VPN Traffic on Local-FortiGate 89
Review the VPN Configuration on Remote-FortiGate 91
Test the IPsec VPN 91
Exercise 5: Configuring a Backup IPsec VPN 92
Configure a Backup VPN on Local-FortiGate 92
Review the Backup VPN Configuration on Remote-FortiGate 93
Test the VPN Redundancy 93
Lab 6: Fortinet Single Sign-On (FSSO) 95
Exercise 1: Configuring FSSO Collector Agent-Based Polling Mode 97
Install the FSSO Collector Agent 97
Configure the FSSO Collector Agent 99
Configure SSO on FortiGate 102
Assign Polled FSSO Users to a Firewall Policy 104
Test FSSO 105
Lab 7: High Availability (HA) 109
Lab HA Topology 109
Exercise 1: Configuring High Availability (HA) 112
Configure HA Settings on Local-FortiGate 112
Configure HA Settings on Remote-FortiGate 113
Observe and Verify the HA Synchronization Status 113
Verify FortiGate Roles in a HA Cluster 114
View Session Statistics 115
Exercise 2: High Availability Failover 116
Trigger Failover by Rebooting the Primary FortiGate 116
Verify the HA Failover and FortiGate Roles 117
Trigger an HA Failover by Resetting the HA Uptime 118
Observe HA Failover Using Diagnostic Commands 118
Exercise 3: Configuring the HA Management Interface 120
Access the Secondary FortiGate through the Primary FortiGate CLI 120
Set Up a Management Interface 121
Configure and Access the Primary FortiGate Using the Management Interface 121
Configure and Access the Secondary FortiGate Using the Management Interface 122
Disconnect FortiGate From the Cluster 123
Restore the Remote-FortiGate Configuration 124
Lab 8: Web Proxy 126
Exercise 1: Configuring an Explicit Web Proxy 127
Show the Explicit Web Proxy Settings 127
Enable Explicit Web Proxy 127
Create an Authentication Scheme 127
Create an Authentication Rule 128
Create a Proxy Policy 128
Configure Firefox for Explicit Web Proxy 129
Test the Explicit Web Proxy Configuration 131
List the Active Explicit Web Proxy Users 132
List the Active Explicit Web Proxy Sessions 132
Exercise 2: Configuring the Transparent Web Proxy 134
Disable the Explicit Web Proxy in Firefox 134
Redirect the Traffic to the Transparent Web Proxy 135
Create the Proxy Policies 137
Testing the Transparent Web Proxy 138
Lab 9: Diagnostics 140
Exercise 1: Knowing What is Happening Now 141
Execute Diagnostic Commands 141
Exercise 2: Troubleshooting a Connectivity Problem 143
Identify the Problem 143
Use the Sniffer 143
Use the Debug Flow Tool 144
Fix the Problem 145
Test the Fix 145

Remote Access Test

Before starting any course, check if your computer can connect to the remote data center successfully. The
remote access test fully verifies if your network connection and your web browser can support a reliable
connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test

1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc

If your computer connects successfully to the virtual lab, you will see the message All tests passed!:

2. Inside the Speed Test box, click Run.

The speed test begins. Once complete, you will get an estimate for your bandwidth and latency. If those
estimates are not within the recommended values, you will get an error message:

FortiGate Infrastructure 6.0 Lab Guide 9
Fortinet Technologies Inc.

Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.

To log in to the remote lab


1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.

3. Enter your first and last name.


4. Click Register and Login.


Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:


- From the top navigation bar, click a VM's tab.
- From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.


Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:


Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:

Troubleshooting Tips

- Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
- Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
- For best performance, use a stable broadband connection, such as a LAN.


- You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and general performance:

- If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
- If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:

- If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action menu, and select Revert:

Reverting to the VM's initial state will undo all of your work. Try other solutions first.

Exercise 2: Equal Cost Multipath and Policy Routing

In this exercise, you'll configure equal cost multipath (ECMP) routing on Local-FortiGate to balance the Internet
traffic between port1 and port2. After that, you'll configure a policy route to route HTTPS traffic through port1
only.

Configure Administrative Distance


To establish ECMP, first you will configure multiple static routes with the same administrative distance.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:

- Change the port2 static route administrative Distance to 10.
- Verify that both port1 and port2 default routes are active in the routing table.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Change the ECMP Load Balancing Method on page 29.

To configure administrative distance


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Network > Static Routes.
3. Double-click the port2 static route to edit it.
4. Change the Administrative Distance to 10.

5. Click OK.


To verify the routing table

1. Continuing on the Local-FortiGate GUI, click Monitor > Routing Monitor.


2. Verify that both default routes are now active:

Change the ECMP Load Balancing Method

By default, the ECMP load balancing method is based on source IP. This works well when there are multiple
clients generating traffic. In the lab network, because you have only one client (Local-Windows), the source IP
method will not balance any traffic to the second route. Only one route will always be used. For this reason, you
will change the load balancing method to use both source and destination IP. Using this method, as long as the
traffic goes to multiple destination IP addresses, FortiGate will balance the traffic across both routes.

To modify the ECMP load balancing method


1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
2. At the login prompt, enter the user name admin and password password .
3. Enter the following CLI commands to change the ECMP load-balancing method.
config system settings
set v4-ecmp-mode source-dest-ip-based
end

4. Leave the PuTTY session open.

Verify Traffic Routing

You will generate some HTTP traffic and verify traffic routing using the Forward Traffic logs.


Take the Expert Challenge!


- On Local-Windows, open a few new browser tabs and generate some HTTP traffic.
- Verify the traffic routing on Local-FortiGate using the Forward Traffic logs.
- Identify why all the outgoing packets are still being routed through port1.

If you require assistance, or to verify your work, use the step-b y-step instructions that follow.

After you complete the challenge, see Configure Priority on page 30.

To verify traffic routing


1. On the Local-Windows VM, open new tabs in the web browser, and go to a few websites:
- http://www.pearsonvue.com/fortinet
- http://cve.mitre.org
- http://www.eicar.org

2. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Log & Report > Forward
Traffic.
3. Identify the Destination Interface in the relevant log entries for the websites you accessed.

Why are all the outgoing pac kets still being routed through port1?

Stop and think!

The port2 route is not being used because it was configured with a higher priority value than the port1
route (see Configure a Second Default Route on page 19). When two routes to the same destination have
the same administrative distance, both remain active. However, if the priorities are different, the route with
the lowest priority value is used. So, to achieve ECMP with static routes, the distance and priority values
must be the same for both routes.
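The selection rules above (distance decides which routes are installed, priority decides which installed route forwards, and only equal-priority routes are ECMP candidates) and the difference between the source-ip-based and source-dest-ip-based methods, modelled as an added Python example that is not part of the lab guide. The hash function and the route attributes are constructed stand-ins; FortiOS's actual hash is not described on this page.

```python
"""Model of how FortiGate chooses among static default routes: administrative
distance, then priority, then ECMP hashing. Added example; route objects,
hosts and the hash function are constructed sample values, not FortiOS code."""
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    gateway: str
    distance: int   # administrative distance
    priority: int   # lower value is preferred


def active_routes(routes):
    """Routes installed in the routing table: the lowest distance wins, and
    every route sharing that lowest distance stays active."""
    best = min(r.distance for r in routes)
    return [r for r in routes if r.distance == best]


def ecmp_candidates(routes):
    """Among the active routes only those with the lowest priority value
    forward traffic; if several share it, they are ECMP candidates."""
    active = active_routes(routes)
    best = min(r.priority for r in active)
    return [r for r in active if r.priority == best]


def _bucket(key: bytes, n: int) -> int:
    # Constructed stand-in for the forwarding hash: stable, evenly spread.
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n


def select_route(routes, src_ip, dst_ip, mode="source-ip-based"):
    """Pick the egress route for one flow under the given v4-ecmp-mode."""
    cands = ecmp_candidates(routes)
    if len(cands) == 1:
        return cands[0]
    if mode == "source-ip-based":
        key = ipaddress.ip_address(src_ip).packed
    elif mode == "source-dest-ip-based":
        key = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(dst_ip).packed)
    else:
        raise ValueError(f"unsupported ECMP mode: {mode}")
    return cands[_bucket(key, len(cands))]


def egress_interfaces(routes, src_ip, dst_ips, mode):
    """Set of interfaces actually used by one client talking to many hosts."""
    return {select_route(routes, src_ip, d, mode).interface for d in dst_ips}


# Constructed routes mirroring the lab: both default routes at distance 10,
# first with mismatched priorities, then with priority 0 on both.
PRIORITY_MISMATCH = [StaticRoute("port1", "10.200.1.254", 10, 0),
                     StaticRoute("port2", "10.200.2.254", 10, 10)]
ECMP_READY = [StaticRoute("port1", "10.200.1.254", 10, 0),
              StaticRoute("port2", "10.200.2.254", 10, 0)]
```

With a single client, source-ip-based hashing keys on the same address for every flow, so one interface is used regardless of how many destinations are visited; source-dest-ip-based spreads the same flows across both.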

Configure Priority

You will change the priority value for the port2 route to match the port1 route.


Take the Expert Challenge!


On Local-FortiGate, modify the static routing configuration so both default routes are eligible for ECMP.

If you require assistance, or to verify your work, use the step-b y-step instructions that follow.

After you complete the challenge, see Verify ECMP on page 31

To configure priority
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Double-click the port2 default route to edit it.
3. Click the plus (+) icon to expand the Advanced Options section.
4. Change the Priority value to 0.
5. Click OK.

Verify ECMP

Now that both port1 and port2 routes share the same distance and priority values, they are eligible for
ECMP. First, you will verify the routing table, and then verify traffic routing using the Forward Traffic logs.

To verify the routing table


1. Return to the open LOCAL-FORTIGATE PuTTY session, and enter the following CLI commands on Local-FortiGate:
get router info routing-table database

2. Verify that both default routes are currently active:


To configure the CLI sniffer

1. Continuing on the LOCAL-FORTIGATE PuTTY session, enter the following CLI commands:


diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4

The filter 'tcp[13]&2==2' matches packets with the SYN flag on, so the output will show
all SYN packets to port 80 (HTTP).

2. Leave the PuTTY window open in the background.
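How the sniffer filter above is evaluated against a raw packet, as an added Python example that is not part of the lab guide: byte 13 of the TCP header is the flags byte and bit 0x02 is SYN, so 'tcp[13]&2==2' also matches the SYN-ACK replies coming back from port 80, which is why a stricter 'tcp[13]==2' is shown alongside it. The packets are constructed inline with struct (checksums zeroed) so the example runs offline.

```python
"""Evaluate the filter 'tcp[13]&2==2 and port 80' on raw IPv4/TCP packets.
Added example; the packets are constructed inline, not captured traffic."""
import struct

TCP_PROTO = 6
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Constructed minimal IPv4 + TCP packet: no options, no payload,
    checksums left at zero; enough for header-offset filtering."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    # sport, dport, seq, ack, data offset (5 words << 4), flags, window,
    # checksum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_header(pkt):
    """Return the TCP header bytes, honouring the IPv4 IHL field, or None
    when the packet is not TCP or is truncated."""
    if len(pkt) < 20 or pkt[9] != TCP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    return tcp if len(tcp) >= 20 else None


def matches_filter(pkt, port=80):
    """'tcp[13]&2==2 and port 80': SYN bit set in the flags byte (offset 13
    of the TCP header) and port 80 as either source or destination port."""
    tcp = tcp_header(pkt)
    if tcp is None:
        return False
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (tcp[13] & SYN) == SYN and port in (sport, dport)


def is_pure_syn(pkt):
    """Stricter 'tcp[13]==2': only SYN set, so SYN-ACK (0x12) is excluded.
    Useful when you want only the client's outbound connection attempts."""
    tcp = tcp_header(pkt)
    return tcp is not None and tcp[13] == SYN
```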

To verify ECMP routing


1. On the Local-Windows VM, open new tabs in the web browser, and go to a few websites:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
- http://www.eicar.org

2. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
3. Analyze the sniffer output.

The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load
balancing all Internet traffic across both routes.

4. Leave the PuTTY session open.

Configure Policy Route for HTTPS Traffic

You will force all HTTPS traffic to egress through port1 using a policy route. All other traffic should remain
unaffected and balanced between port1 and port2. To implement this, you will configure a policy route.


The SYN packets are egressing port1 only. This verifies that Local-FortiGate is applying the policy route for
HTTPS traffic.

To verify non-HTTPS traffic routing


1. Continuing on your LOCAL-FORTIGATE PuTTY session, enter the following CLI command:
diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4

2. On the Local-Windows VM, open new tabs in the web browser, and then go to a few HTTP websites:
- http://www.pearsonvue.com/fortinet/
- http://cve.mitre.org
- http://www.eicar.org

3. Return to the open LOCAL-WINDOWS PuTTY session, and press Ctrl+C to stop the sniffer.

4. Analyze the sniffer output:

HTTP (port 80) traffic remains unaffected by the policy route, and is still load balanced across both port1 and
port2 routes.


Stop and think!

The Local-FortiGate configuration still has the two link health monitors for port1 and port2. Do they also
enable routing failover for ECMP scenarios?

Yes. If Local-FortiGate detects a problem in any of the routes, the link monitor will remove the
corresponding route, and all Internet traffic will be routed through the remaining route.

5. Close the PuTTY session and browser.

Lab 2: SD-WAN

In this exercise, you will configure SD-WAN on Local-FortiGate.

Objectives
- Configure SD-WAN load balancing.
- Configure routes and firewall policies for SD-WAN.
- Verify SD-WAN load balancing.

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > SDWAN > local-sdwan.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: SD-WAN

In this exercise, you will configure SD-WAN using the port1 and port2 interfaces on Local-FortiGate.

Remove Interface References

Before you can add port1 and port2 as SD-WAN member interfaces, you must remove all configuration elements
referencing the two interfaces.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254 | admin/password), remove all firewall policies and routes
referencing port1 and port2.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure SD-WAN Load Balancing on page 39.

To remove interface references


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Network > Static Routes.
3. Select the port1 default route, and then click Delete.

4. Click OK.
5. Click Policy & Objects > IPv4 Policy.
6. Select the Full_Access policy, and then click Delete.

7. Click OK.


Configure SD-WAN Load Balancing

You will configure SD-WAN load balancing for all Internet traffic between port1 and port2.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254), complete the following:

- Configure SD-WAN members with the following configuration:
  - port1 with Gateway 10.200.1.254.
  - port2 with Gateway 10.200.2.254.
- Edit SD-WAN Rules to use Source-Destination IP as the load-balancing method.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Create a Static Route for the SD-WAN Interface on page 41

To configure SD-WAN load balancing


1. Continuing on the Local-FortiGate GUI, click Network > SD-WAN.
2. Set Status to Enable.
3. In the SD-WAN Interface Members section, click the + sign to add the first interface.

4. Configure the following:

Field Value
Interface port1
Gateway 10.200.1.254
Status <enable>


5. In the SD-WAN Interface Members section, click the + sign again to add the second interface.
6. Configure the following:

Field Value
Interface port2
Gateway 10.200.2.254
Status <enable>

The SD-WAN configuration should look like the following example:

7. Click Apply.
8. Click Network > SD-WAN Rules.
9. Right-click the sd-wan rule, and then click Edit.


Notice that the drop-down menu at the top of the menu shows a third option: the VDOM-specific settings for
customer:

Create a Per-VDOM Administrator

You will create an administrator account that has access only to the customer VDOM.

To create a per-VDOM administrator

1. Return to the browser tab where you are logged into the Local-FortiGate GUI, and click Global > System >
Administrators.
2. Click Create New > Administrator.
3. Configure the following values:

Field Value
User Name customer-admin
Type Local User
Password fortinet
Confirm Password fortinet
Administrator Profile prof_admin
Virtual Domains customer

4. Remove root from the Virtual Domains list to restrict the new administrator's access to customer only.


5. Click OK.

Move an Interface to a Different VDOM

The account customer-admin will be able to log in only through an interface in the customer VDOM. So, move
the port3 interface, which connects to the internal network, to the customer VDOM.

To move an interface to a different VDOM


1. Continuing on the Local-FortiGate GUI, click Global > Network > Interfaces.
2. Edit port3.
3. From the Virtual Domain drop-down menu, select customer.

4. Click OK.


Add DNS service to an Interface

For Local-Windows, the DNS server is port3. First, you will enable the DNS database in the Feature Visibility
section. Then, you will add DNS service to port3.

To enable the DNS database


1. Continuing on the Local-FortiGate GUI, select the customer VDOM in the drop-down menu at the top of the
menu.

2. Click System > Feature Visibility.


3. In the Additional Features section, turn on the DNS Database switch.

4. Click Apply.

To add DNS service to an interface


1. Continuing on the Local-FortiGate GUI, in the customer VDOM, click Network > DNS Servers.
2. Under DNS Service on Interface, click Create New, and then configure the following values:

Exercise 2: Inter-VDOM Link

In this exercise, you will create an inter-VDOM link. Then, you will create the firewall policies that allow Internet
access across both VDOMs. Finally, you will configure and test antivirus inspection in the inspect VDOM.

Create an Inter-VDOM Link

Create the inter-VDOM link for routing traffic from the root VDOM to the Internet through the inspect VDOM.

To create an inter-VDOM link


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Select the Global VDOM and click Network > Interfaces.
3. Click Create New, and then select VDOM Link.
4. In the Name field, type vlink .
5. In the Interface 0 (vlink0) section, configure the following settings:

Field Value
Virtual Domain root
IP/Network Mask 10.200.1.1/24
Administrative Access HTTPS, PING, SSH

6. In the Interface 1 (vlink1) section, configure the following settings:

Field Value
Virtual Domain inspect
Administrative Access HTTPS, PING, SSH

7. Click OK.
The Interfaces page displays with the updated configurations.

8. Review the inter-VDOM link interfaces you just created (expand vlink).


Note that vlink0 and vlink1 are logical interfaces that you can use to route traffic between the root and
inspect VDOMs. An IP address is configurable only on the NAT mode VDOM interface.

Create firewall policies

You will create firewall policies to allow Internet traffic to pass through both VDOMs. You will also enable antivirus
inspection in the inspect VDOM.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:

- Create two firewall policies to allow Internet traffic to pass through both VDOMs. One policy will be from vlink1 to port1 and the other will be from port3 to vlink0.
- In the inspect VDOM, enable the default antivirus inspection profile on the firewall policy.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Route Inter-VDOM traffic on page 69.

To create a firewall policy on the inspect VDOM


1. Continuing on the Local-FortiGate GUI, from the VDOM drop-down menu, select inspect.


2. Click Policy & Objects > IPv4 Policy.


3. Click Create New.
4. Configure the following settings.

Field Value
Name Inspected_Internet
Incoming Interface vlink1
Outgoing Interface port1
Source all
Destination all
Schedule always
Service ALL
Action ACCEPT

5. In the Security Profiles section, turn on the AntiVirus switch, and then, in the antivirus profile drop-down menu,
select g-default.


6. Click OK.

To create a firewall policy on the root VDOM


1. Continuing in the Local-FortiGate GUI, from the VDOM drop-down menu, select root.
2. Click Policy & Objects > IPv4 Policy, and then click Create New.
3. Configure the following settings.

Field Value
Name Internet
Incoming Interface port3
Outgoing Interface vlink0


Stop and think!

Why did the IPsec wizard add a second route using the blackhole interface?

FortiGate drops all packets routed to the blackhole interface. The IPsec wizard added two static routes: one
to the IPsec virtual interface, with a distance of 10, and one to the blackhole interface, with a distance of
254. The route with the lowest distance, the one to the IPsec virtual interface, takes precedence. However,
if the VPN is down, the route to the blackhole interface becomes active, even though it was originally the
higher-distance route. So, traffic destined to the VPN is now routed to the blackhole interface and dropped.
The route to the blackhole interface prevents FortiGate from sending VPN traffic to the default route while
the VPN is down. The route to the blackhole interface also prevents FortiGate from creating unnecessary
sessions in the session table.
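The route-lookup behaviour described above, as an added Python example that is not part of the lab guide: a route is installed only while its interface is up, the lowest distance per prefix wins, and longest-prefix match then decides between the /24 and the default route. The prefixes and the tunnel interface name ToRemote are constructed assumptions; the wizard's real interface name is not shown on this page.

```python
"""Why the wizard adds a blackhole route: routing-table model with link
state, distance and longest-prefix match. Added example; the routes and the
interface name 'ToRemote' are constructed, not taken from a FortiGate."""
from dataclasses import dataclass
import ipaddress

BLACKHOLE = "blackhole"   # always up; packets sent here are dropped


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    distance: int


def installed_routes(routes, link_up):
    """Routes present in the active routing table: the interface must be up
    (the blackhole interface always is) and, per prefix, only the lowest
    distance among the up routes is installed. Equal-distance ties (ECMP)
    are not modelled here."""
    up = [r for r in routes
          if r.interface == BLACKHOLE or link_up.get(r.interface, False)]
    best = {}
    for r in up:
        if r.prefix not in best or r.distance < best[r.prefix].distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(routes, link_up, dst):
    """Longest-prefix match over the installed routes. Returns the egress
    interface, BLACKHOLE when the packet is dropped, or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in installed_routes(routes, link_up)
               if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    longest = max(matches,
                  key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return longest.interface


# Constructed table for Local-FortiGate: default route via port1 plus the two
# routes the wizard adds for the remote subnet 10.0.2.0/24.
LAB_ROUTES = [
    Route("0.0.0.0/0", "port1", 10),
    Route("10.0.2.0/24", "ToRemote", 10),     # IPsec virtual interface
    Route("10.0.2.0/24", BLACKHOLE, 254),
]


def vpn_traffic_egress(vpn_up, routes=LAB_ROUTES):
    """Where a packet for Remote-Windows (10.0.2.10) goes with the VPN up/down."""
    return lookup(routes, {"port1": True, "ToRemote": vpn_up}, "10.0.2.10")


def without_blackhole():
    """The same table with the blackhole route removed, to show the leak."""
    return [r for r in LAB_ROUTES if r.interface != BLACKHOLE]
```

With the blackhole route present, VPN-bound traffic is dropped while the tunnel is down; without it, the same traffic falls through to the default route on port1.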

Exercise 2: Configuring Policy-Based IPsec VPN

For learning purposes, you will configure the second FortiGate device differently. During this exercise, you will
create the VPN on Remote-FortiGate using a policy-based configuration, without using the wizard.

Show Policy-Based VPN Settings in the GUI

By default, policy-based configurations are hidden in the GUI. Now, you will show policy-based VPN settings in
the GUI.

To show policy-based VPN settings in the GUI


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. Click System > Feature Visibility.
3. Under the Additional Features section, enable Policy-based IPsec VPN.
4. Click Apply.

Create a Policy-Based VPN

Now, you will create phases 1 and 2.


To create a policy-based VPN
1. Continuing on the Remote-FortiGate GUI, click VPN > IPsec Tunnels.
2. Click Create New.
3. Configure the following:

Field Value
Name ToLocal
Template Type Custom

4. Click Next.
5. Disable Enable IPsec Interface Mode.


6. Configure the following settings:

Field Value
Remote Gateway Static IP Address
IP Address 10.200.1.1
Interface port4
Mode Config <disable> (leave it unchecked)
NAT Traversal <disable>
Dead Peer Detection On Idle
Method Pre-shared Key
Pre-shared Key fortinet

7. Keep the default values for the remaining settings.


8. In the Phase 2 Selectors section, click the edit icon to edit the settings.

9. Complete the following:

Field Value
Local Address 10.0.2.0/24
Remote Address 10.0.1.0/24


10. Click OK.

Now the quick mode selectors on both sides mirror each other. If that is not the case,
the tunnel will not come up.

Create a Firewall Policy for a Policy-Based VPN

Now, you will create a firewall policy to allow traffic. In a policy-based configuration, only one policy is required to
allow traffic initiated on either side. The policy is applied bidirectionally.

To create a firewall policy for a policy-based VPN


1. Continuing on the Remote-FortiGate GUI, go to Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field Value
Name VPN_traffic_to_Local FGT
Incoming Interface port6
Outgoing Interface port4
Source REMOTE_SUBNET
Destination LOCAL_SUBNET
Schedule always
Service ALL
Action IPsec


Field Value
VPN Tunnel ToLocal
Allow traffic to be initiated from the remote site <enable>

4. Click OK.

This is probably the first time you have seen the action IPsec for a firewall policy. In
previous exercises, the available actions were Accept and Deny only. IPsec is
displayed in the GUI only when the policy-based VPN settings are not hidden.

Move a Firewall Policy

The new policy was created below the firewall policy for Internet traffic. Now, you will need to move the new
policy up for the VPN traffic to match it.

To move a firewall policy


1. Continuing on the Remote-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Expand the list of firewall policies for port6 to port4.

3. Drag the policy VPN_traffic_to_Local FGT above the Internet policy.


Stop and think!

In the previous exercise, the VPN wizard added a static route for the VPN traffic. Why don't you need to add
a static route in this case?

The VPN wizard creates the IPsec using a route-based configuration, which always requires additional
routes (usually static routes) to route the traffic through the IPsec virtual interface. This is usually not
required in a policy-based configuration. Policy-based configurations require the VPN traffic to match a
firewall policy with the action IPsec. Because traffic from 10.0.2.0/24 to 10.0.1.0/24 matches the
existing default route, and so the IPsec firewall policy from port6 to port4, no additional routes are needed.

Exercise 3: Testing and Monitoring the VPN

You have finished the configuration on both FortiGate devices. Now, you will test the VPN.

Test the VPN

Now, you will test the VPN.

To test the VPN


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Monitor > IPsec Monitor.
Notice that the VPN is currently down.

3. Right-click the VPN, and then select Bring Up.

The Status column of the VPN contains a green up arrow, indicating that the tunnel is up.

Stop and think!

Do I always have to bring up the tunnel manually after creating it?

No. In the current configuration, the tunnel will stay down until you either bring it up manually, or there is
traffic that should be routed through the tunnel. Because you are not generating traffic between
10.0.1.0/24 and 10.0.2.0/24 yet, the tunnel is still down. If you had generated the required traffic
while the tunnel was down, it would have come up automatically.

4. On the Local-Windows VM, open a command prompt window, and then run the following command to ping
Remote-Windows:
ping 10.0.2.10

The ping should work.

5. Close the command prompt window.


6. Return to the Local-FortiGate GUI, and then click Monitor > IPsec Monitor.
7. Click Refresh to refresh the screen.

Test FSSO Exercise 1: Configuring FSSO Collector Agent-Based Polling Mode

4. Select Other User and log on with the following credentials.

Field       Value
User name   Administrator
Password    password

5. Press Enter.

Lab 7: High Availability (HA)

In this lab, you will set up a FortiGate Clustering Protocol (FGCP) high availability (HA) cluster of FortiGate
devices. You will explore active-active HA mode and observe FortiGate HA behavior. You will also perform an HA
failover and use diagnostic commands to observe the election of a new primary in the cluster.

Finally, you will configure management port(s) on each FortiGate to reach each FortiGate individually for
management purposes.

Objectives
• Set up an HA cluster using FortiGate devices.
• Observe HA synchronization and interpret diagnostic output.
• Perform an HA failover.
• Manage individual cluster members by configuring a reserved management interface.

Time to Complete
Estimated: 45 minutes

Lab HA Topology

After you upload the required configurations to each FortiGate, the logical topology will change to the following:

Prerequisites
Before beginning this lab, you must restore a configuration file to each FortiGate.


Use the procedure that follows to restore the correct configuration to each FortiGate.
Failure to restore the correct configuration to each FortiGate will prevent you from
doing the lab exercise.

To restore the Local-FortiGate configuration


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.

4. Click Desktop > Resources > FortiGate-Infrastructure > HA > local-ha.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Remote-FortiGate configuration


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.


3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > HA > remote-ha.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring High Availability (HA)

FortiGate High Availability (HA) uses the FortiGate Clustering Protocol (FGCP), which uses a heartbeat link for
HA-related communications to discover other FortiGate devices in the same HA group, elect a primary device,
synchronize configuration, and detect failed devices in an HA cluster.

In this exercise, you will configure HA settings on both FortiGate devices. You will observe the HA synchronization
status, and verify that the configuration is in sync on both FortiGate devices using the diagnose commands.

Configure HA Settings on Local-FortiGate

Now, you will configure HA-related settings using the Local-FortiGate GUI.

To configure HA settings on Local-FortiGate


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > HA, and then configure the following HA settings:

Field                  Value
Mode                   Active-Active
Device priority        200
Group name             Training
Password               Fortinet
                       Tip: Click Change, and then type the password.
Session pickup         <enable>
Monitor Interfaces     Click X to remove port4.
Heartbeat interfaces   port2

The configuration should look like the following example:


3. Click OK.

Configure HA Settings on Remote-FortiGate

Now, you will configure HA-related settings on Remote-FortiGate using the console.

To configure HA settings on Remote-FortiGate


1. In the VM List, from the box of the Remote-FortiGate, click View VM to open the FortiGate console.
2. Log in as admin and password password.
3. Enter the following commands to configure the HA settings:

config system ha
set group-name Training
set mode a-a
set password Fortinet
set hbdev port2 0
set session-pickup enable
set override disable
set priority 100
end

Observe and Verify the HA Synchronization Status

Now that you have configured HA on both FortiGate devices, you will verify that HA has been established and the
configurations are fully synchronized.


The checksums for all cluster members must match, in order for the FortiGate devices to be in a synchronized
state.

To observe and verify the HA synchronization status


1. Continuing on the Remote-FortiGate console, you should see the error messages that FortiGate sends to the
console.
This sometimes shows useful status change information.

2. Wait four to five minutes for the FortiGate devices to synchronize.
After the FortiGate devices are synchronized, the FortiGate console will log out all admin users.
slave succeeded to sync external files with master
slave starts to sync with master
logout all admin users

3. When prompted, log back in to the Remote-FortiGate console as admin and password password.
4. To check the HA synchronization status, run the following command:

diagnose sys ha checksum show


5. In the VM List, from the box of the Local-FortiGate, click View VM to open the FortiGate console.
6. Log in as admin and password password.
7. To check the HA synchronization status, run the following command:

diagnose sys ha checksum show

8. Compare the output from both FortiGate devices.


If both FortiGate devices are synchronized, then the checksums will match.

9. Alternatively, you can run the following command on the console of any FortiGate in the cluster, to view the
checksums of all cluster members:

diagnose sys ha checksum cluster

Verify FortiGate Roles in an HA Cluster

After the checksums of both FortiGate devices match, you will verify the cluster member roles to confirm the
primary and secondary devices.

To verify FortiGate roles in an HA cluster


1. From the VM List, View VM, on both the Local-FortiGate console and the Remote-FortiGate console, run the
following command to verify that the HA cluster has been established:

get system status

2. View the Current HA mode line on both consoles.


Notice that the Local-FortiGate is a-a master, and the Remote-FortiGate device is a-a backup.

Lab 8: Web Proxy

In this lab, you will learn how to configure FortiGate to be an explicit and transparent web proxy.

Objectives
• Configure FortiGate to act as a web proxy.
• Apply security policies to web proxy traffic based on HTTP headers.
• Authenticate, authorize, and monitor web proxy users.

Time to Complete
Estimated: 40 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Select Local PC, and then click Upload.


4. Click Desktop > Resources > FortiGate-Infrastructure > Web-Proxy > local-web-proxy.conf, and then
click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring an Explicit Web Proxy

During this exercise, you will configure the FortiGate to act as an explicit web proxy. You will also configure the
FortiGate to authenticate and authorize Internet access for specific users. The authentication enforcement is
done with an authentication scheme and an authentication rule. The authorization is done by adding the allowed
user groups to the source of the proxy policy.

After that, you will manually configure Firefox with the proxy IP address and port.

Show the Explicit Web Proxy Settings

By default, the explicit web proxy settings are hidden on the GUI. You will show them.

To show the explicit web proxy settings


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click System > Feature Visibility.
3. Under the Security Features section, enable Explicit Proxy.
4. Click Apply.

Enable Explicit Web Proxy


You will enable the explicit web proxy in the network settings.

To enable explicit web proxy


1. Continuing on the Local-FortiGate GUI, click Network > Explicit Proxy.
2. Enable Explicit Web Proxy.
3. Click Listen on Interfaces, and select the int erface port3.
4. In the HTTP port field, type 8080 - 8080 .
5. In the HTTPS port field, select Use HTTP Port.
6. Click Apply.

Create an Authentication Scheme

You will create an authentication scheme to use the local user database for web proxy authentication.

To create an authentication scheme


1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL_FORTIGATE saved
session.


2. At the login prompt, enter the user name admin and password password.
3. Enter the following commands to create the authentication scheme:
config authentication scheme
edit WebProxyScheme
set method form
set user-database local
next
end

Create an Authentication Rule


You will enforce web proxy authentication by creating an authentication rule that matches all traffic coming from
the internal subnet. You will use the authentication scheme created in the previous procedure.

To create an authentication rule


1. Continuing on the Local-FortiGate PuTTY session, enter the following commands to create the authentication
rule:
config authentication rule
edit WebProxyRule
set srcaddr LOCAL_SUBNET
set active-auth-method WebProxyScheme
set protocol http
next
end
2. Leave the PuTTY session open (you can minimize it on your desktop).

Create a Proxy Policy

You will create the policy to allow explicit proxy traffic to access the Internet. Only the user student will be
authorized to browse the Internet through the proxy.

To create a proxy policy


1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Policy & Objects >
Proxy Policy.
2. Click Create New.
3. Configure the following settings:

Field                 Value
Proxy Type            Explicit Web
Enabled On            port3
Outgoing Interface    port1
Source                Address > LOCAL_SUBNET
                      User > STUDENTS (under the USER GROUP section)
Destination           all
Schedule              always
Service               webproxy
Action                ACCEPT

4. Click OK.

Configure Firefox for Explicit Web Proxy

You have configured Local-FortiGate as an explicit web proxy. Now, you will configure Firefox to use the explicit
web proxy.

To configure Firefox to use the explicit web proxy


1. Continuing on the Local-Windows VM, in the Firefox browser, click the Open Menu icon in the upper-right
corner.

2. Click Options.

Exercise 2: Troubleshooting a Connectivity Problem

During this exercise, you will use the sniffer and debug flow to troubleshoot a network connectivity problem.

Identify the Problem

As you will see in this procedure, there is a network connectivity problem between the Local-Windows VM and the
Linux server.

To identify the problem


1. On the Local-Windows VM, open a command prompt window.
2. Start a continuous ping to the Linux server (IP address 10.200.1.254):

ping -t 10.200.1.254

The ping is failing. You will use the sniffer and debug flow tools in Local-FortiGate to find out why.

3. Do not close the command prompt window. Keep the ping running.

Use the Sniffer

Take the Expert Challenge!


Now that you understand what the problem is, try to fix it without looking at the FortiGate configuration.
Use the built-in sniffer and debug flow tools to troubleshoot the problem.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Test the Fix on page 145.

You will start troubleshooting by sniffing the ICMP traffic going to the Linux server.

To use the sniffer


1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following command to sniff the ICMP traffic to 10.200.1.254:

diagnose sniffer packet any "icmp and host 10.200.1.254" 4

4. Observe the output:

interfaces=[any]
filters=[icmp and host 10.200.1.254]
5.439019 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
10.442347 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
15.444343 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
20.545397 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

The packets are arriving at FortiGate on port3, but FortiGate is not forwarding them: there is no matching
packet leaving on port1.

5. Press Ctrl-C to stop the sniffer.

Use the Debug Flow Tool


To get information about why the packets are being dropped, you will run the debug flow tool.

To use the debug flow tool


1. Continuing on the Local-FortiGate PuTTY session, enter the commands below. You will configure the debug flow
filter to capture all ICMP traffic to and from the IP address 10.200.1.254:

diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 10.200.1.254
diagnose debug enable
diagnose debug flow trace start 3

Output should be similar to what is shown below. The FortiGate receives the ICMP packet from 10.0.1.10
to 10.200.1.254 from port3:

id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet (proto=1, 10.0.1.10:1->10.200.1.254:2048) from port3. type=8, code=0, id=1, seq=33."

It creates a new session:

id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00000340"

It finds a route for the destination 10.200.1.254, through port1:

id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.200.1.254 via port1"

It drops the packet. The debug flow shows the error message:

id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"

The message Denied by forward policy check indicates that the traffic is denied by a firewall
policy. It could be either a deny policy explicitly configured by the administrator, or the implicit deny policy
for traffic that does not match any configured policy.

The policy 0 indicates that the traffic was denied by the default implicit policy. If the traffic were blocked
by an explicitly configured policy, its policy ID number would be indicated in this output, instead of the
number zero.


Fix the Problem

Now that we have found the cause of the problem, let's fix it.

To fix the problem


1. Continuing on the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254
with the user name admin and password password.
2. Click Policy & Objects > IPv4 Policy.
3. Look at the firewall policies.
The Full_Access firewall policy does not allow ICMP traffic (only HTTP). This is why FortiGate is dropping
the ping packets.

4. Edit the Full_Access firewall policy.


5. Change the service from HTTP to ALL.
6. Click OK.

Test the Fix

You will test to confirm that the configuration change fixed the problem.

To test the fix


1. Continuing on the Local-Windows VM, check the command prompt window to see if the continuous ping is
working now.
2. Stop the ping by pressing Ctrl-C, but leave the command prompt open.
3. Return to the Local-FortiGate PuTTY session where you are running debug commands, and clear all the ICMP
sessions from the session table:

diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session clear

4. Start the debug flow again:

diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 10.200.1.254
diagnose debug enable
diagnose debug flow trace start 3

There should not be any output yet, because the ping is not running.

5. Return to the command prompt window, and start the ping again:

ping -t 10.200.1.254

6. Check the debug flow output.


It is a bit different now. The error message is not displayed and you will see a few new logs.


Traffic is allowed by the firewall policy with the ID 1:

id=20085 trace_id=4 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"

FortiGate applies source NAT (SNAT):

id=20085 trace_id=4 func=__ip_session_run_tuple line=3164 msg="SNAT 10.0.1.10->10.200.1.1:62464"

Additionally, you will see the debug flow logs from the return (ping reply) packets:

id=20085 trace_id=5 func=print_pkt_detail line=5363 msg="vd-root received a packet (proto=1, 10.200.1.254:62464->10.200.1.1:0) from port1. type=0, code=0, id=62464, seq=83."
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5438 msg="Find an existing session, id-000003f2, reply direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3178 msg="DNAT 10.200.1.1:0->10.0.1.10:1"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.0.1.10 via port3"

The procedure in this exercise describes what you should usually do when
troubleshooting connectivity problems on a FortiGate. Sniff the traffic first, to check
that the packets are arriving at FortiGate, and that FortiGate is properly routing them.
If the sniffer shows that the traffic is being dropped by FortiGate, use the debug flow
tool to find out why.
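The two-step check above (sniffer first, then debug flow) can be applied to saved console output instead of by eye. The following Python script is an added example, not part of the lab guide or a Fortinet tool: it parses constructed sample lines in the format of the sniffer and debug flow output shown in this exercise, reports whether the pings were received but not forwarded, and extracts the route, the policy decision (distinguishing the implicit deny, policy 0, from an explicitly configured policy) and any SNAT from each trace.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from the lab devices), in the format
# of: diagnose sniffer packet any "icmp and host 10.200.1.254" 4
SNIFFER_SAMPLE = """interfaces=[any]
filters=[icmp and host 10.200.1.254]
5.439019 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
10.442347 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
"""

# Constructed sample lines in the format of: diagnose debug flow trace start
# trace_id=1 is the pre-fix trace (implicit deny), trace_id=4 the post-fix one.
FLOW_SAMPLE = """id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet (proto=1, 10.0.1.10:1->10.200.1.254:2048) from port3. type=8, code=0, id=1, seq=33."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00000340"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.200.1.254 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=4 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=4 func=__ip_session_run_tuple line=3164 msg="SNAT 10.0.1.10->10.200.1.1:62464"
"""

# Verbosity-4 sniffer line: timestamp, interface, direction, src -> dst, ICMP type.
SNIFF_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
                      r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$")
# Debug flow line: only trace_id, func and the quoted msg are needed here.
FLOW_RE = re.compile(r'^id=\d+ trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
                     r'line=\d+ msg="(?P<msg>.*)"$')
ROUTE_RE = re.compile(r"find a route: .* via (?P<iface>\S+)$")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<pid>\d+)")
SNAT_RE = re.compile(r"SNAT (?P<orig>\S+)->(?P<xlat>\S+)$")


def sniffer_verdict(text):
    """Step 1: did the echo requests reach FortiGate, and did it forward them?
    Requests seen only in the 'in' direction mean FortiGate received them but
    never sent them out of another interface. Returns 'not_seen',
    'received_not_forwarded' or 'forwarded'."""
    counts = Counter()
    for line in text.splitlines():
        match = SNIFF_RE.match(line)
        if match and match["kind"] == "request":
            counts[(match["iface"], match["dir"])] += 1
    seen_in = any(direction == "in" for _, direction in counts)
    seen_out = any(direction == "out" for _, direction in counts)
    if not seen_in:
        return "not_seen"
    return "forwarded" if seen_out else "received_not_forwarded"


def flow_verdicts(text):
    """Step 2: per trace_id, collect the egress interface from the route lookup,
    the policy decision and any SNAT. A deny with policy 0 is the implicit deny
    policy; any other policy id is one the administrator configured."""
    traces = {}
    for line in text.splitlines():
        match = FLOW_RE.match(line)
        if not match:
            continue
        trace = traces.setdefault(int(match["trace"]), {"verdict": "unknown"})
        msg = match["msg"]
        if route := ROUTE_RE.search(msg):
            trace["egress"] = route["iface"]
        elif deny := DENY_RE.search(msg):
            pid = int(deny["pid"])
            trace["verdict"] = "denied_implicit" if pid == 0 else "denied_policy"
            trace["policy"] = pid
        elif allow := ALLOW_RE.search(msg):
            trace["verdict"] = "allowed"
            trace["policy"] = int(allow["pid"])
        elif snat := SNAT_RE.search(msg):
            trace["snat"] = (snat["orig"], snat["xlat"])
    return traces
```

Run against the samples, sniffer_verdict reports received_not_forwarded and flow_verdicts shows trace 1 denied by the implicit policy and trace 4 allowed by policy 1 with SNAT to 10.200.1.1.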

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
