
DO NOT REPRINT
© FORTINET

FortiGate Security Study Guide
for FortiOS 6.2

Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

5/15/2019

TABLE OF CONTENTS

01 Introduction and Initial Configuration 4
02 Security Fabric 55
03 Firewall Policies 94
04 Network Address Translation (NAT) 141
05 Firewall Authentication 194
06 Logging and Monitoring 251
07 Certificate Operations 310
08 Web Filtering 359
09 Application Control 417
10 Antivirus 462
11 Intrusion Prevention and Denial of Service 514
12 SSL VPN 565
13 Dialup IPsec VPN 622
Introduction and Initial Configuration

In this lesson, you will learn about FortiGate administration basics and the components within FortiGate that can be enabled to extend functionality. This lesson also includes details about how and where FortiGate fits into your existing network architecture.

FortiGate Security 6.2 Study Guide 4

In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in identifying the platform design features of FortiGate, the features of FortiGate in virtualized networks and the cloud, as well as the FortiGate security processing units, you will be able to describe the fundamental components of FortiGate and explain the types of tasks that FortiGate can do.


In the past, the common way of protecting a network was securing the perimeter and installing a firewall at the entry point. Network administrators used to trust everything and everyone inside the perimeter.

Now, malware can easily bypass any entry-point firewall and get inside the network. This could happen through an infected USB stick, or an employee’s compromised personal device being connected to the corporate network. Additionally, because attacks can come from inside the network, network administrators can no longer inherently trust internal users and devices.

What’s more, today’s networks are highly complex environments whose borders are constantly changing. Networks run vertically from the LAN to the Internet, and horizontally from the physical network to a private virtual network and to the cloud. A mobile and diverse workforce (employees, partners, and customers) accessing network resources, public and private clouds, the Internet of Things (IoT), and bring-your-own-device programs all conspire to increase the number of attack vectors against your network.

In response to this highly complex environment, firewalls have become robust multi-functional devices that counter an array of threats to your network. Thus, FortiGate can act in different modes or roles to address different requirements. For example, FortiGate can be deployed as a data center firewall whose function is to monitor inbound requests to servers and to protect them without increasing latency for the requester. Or, FortiGate can be deployed as an internal segmentation firewall as a means to contain a network breach.

FortiGate can also function as DNS and DHCP servers, and be configured to provide web filter, anti-virus, and
IPS services.


In the architecture diagram shown on this slide, you can see how FortiGate platforms add strength without compromising flexibility. Like separate, dedicated security devices, FortiGate is still internally modular. Plus:

• Devices add duplication. Sometimes, dedication doesn’t mean efficiency. If it’s overloaded, can one device borrow free RAM from nine others? Do you want to configure policies, logging, and routing on 10 separate devices? Does 10 times the duplication bring you 10 times the benefit, or is it a hassle? For smaller to midsize businesses or enterprise branch offices, unified threat management (UTM) is often a superior solution, compared to separate dedicated appliances.
• FortiGate hardware isn’t just off-the-shelf. It’s carrier-grade. Most FortiGate models have one or more specialized circuits, called ASICs, that are engineered by Fortinet. For example, a CP or NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-purpose device with only a CPU, FortiGate can have dramatically better performance. This is especially critical for data centers and carriers where throughput is business critical.
(The exception? Virtualization platforms—VMware, Citrix Xen, Microsoft, or Oracle VirtualBox—have general-purpose vCPUs. But, virtualization might be worthwhile because of other benefits, such as distributed computing and cloud-based security.)
• FortiGate is flexible. If all you need is fast firewalling and antivirus, FortiGate won’t require you to waste CPU, RAM, and electricity on other features. In each firewall policy, UTM and next-generation firewall modules can be enabled or disabled. Also, you won’t pay more to add VPN seat licenses later.
• FortiGate cooperates. A preference for open standards instead of proprietary protocols means less vendor lock-in and more choice for system integrators. And, as your network grows, FortiGate can leverage other Fortinet products such as FortiSandbox and FortiWeb to distribute processing for deeper security and optimal performance—a total Security Fabric approach.


FortiGate virtual machines (VMs) have the same features as physical FortiGates, except for hardware acceleration. Why? First, the hardware abstraction layer software for hypervisors is made by VMware, Xen, and other hypervisor manufacturers, not by Fortinet. Those other manufacturers don’t make Fortinet’s proprietary FortiASIC chips. But there is another reason, too. The purpose of generic virtual CPUs and other virtual chips for hypervisors is to abstract the hardware details. That way, all VM guest OSs can run on a common platform, no matter the different hardware on which the hypervisors are installed. Unlike vCPUs or vGPUs, which are generic, non-optimized abstractions of the underlying hardware, FortiASIC chips are specialized, optimized circuits. Therefore, a virtualized ASIC chip would not have the same performance benefits as a physical ASIC chip.

If performance on equivalent hardware is less, you may wonder, why would anyone use a FortiGate VM? In large-scale networks that change rapidly and may have many tenants, equivalent processing power and distribution may be achievable using larger amounts of cheaper, general-purpose hardware. Also, trading some performance for other benefits may be worth it. You can benefit from faster network and appliance deployment and teardown.

FortiGate VMX and the FortiGate Connector for Cisco ACI are specialized versions of FortiOS and an API that allow you to orchestrate rapid network changes through standards, such as OpenStack for software-defined networking (SDN).
• FortiGate VM is deployed as a guest VM on the hypervisor.
• FortiGate VMX is deployed inside a hypervisor’s virtual networks, between guest VMs.
• FortiGate Connector for Cisco ACI allows ACI to deploy physical or virtual FortiGates for north-south traffic.


All Fortinet hardware acceleration hardware has been renamed security processing units (SPUs). This includes NPx and CPx processors.

Most FortiGate models have specialized acceleration hardware, called SPUs, that can offload resource-intensive processing from the main processing (CPU) resources. Most FortiGate devices include specialized content processors (CPs) that accelerate a wide range of important security processes such as virus scanning, attack detection, encryption, and decryption. (Only selected entry-level FortiGate models do not include a CP processor.) Many FortiGate models also contain security processors (SPs) that accelerate processing for specific security features such as IPS, and network processors (NPs) that offload processing of high-volume network traffic.

SPU and nTurbo data is now visible in a number of places on the GUI, for example, in the Active Sessions column pop-up in the firewall policy list, and in the Sessions dashboard widget. Per-session accounting is a logging feature that allows the FortiGate to report the correct bytes/packet numbers per session for sessions offloaded to an NP6 or NP6lite processor.

The following example shows the Sessions dashboard widget tracking SPU and nTurbo sessions. Current sessions shows the total number of sessions, SPU shows the percentage of these sessions that are SPU sessions, and nTurbo shows the percentage that are nTurbo sessions.

nTurbo offloads firewall sessions that include flow-based security profiles to NP4 or NP6 network processors. Without nTurbo, or with nTurbo disabled, all firewall sessions that include flow-based security profiles are processed by the FortiGate CPU.
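The following FortiOS CLI fragment is an added example, not material from the study guide, showing where the nTurbo setting lives and how to confirm on the CLI whether a given session was actually offloaded rather than trusting the dashboard percentage. The destination address 10.0.0.5 is an assumption chosen for illustration; the interpretation of the session output in the comments is the editor's reading of typical NP6 session listings, not a statement from the guide.

```fortios
# Added example (not from the study guide). np-accel-mode controls nTurbo:
# "basic" lets sessions with flow-based security profiles be offloaded to
# the NP4/NP6; "none" keeps all of them on the CPU, which is the behaviour
# the guide describes as nTurbo disabled.
config ips global
    set np-accel-mode basic
end

# Confirm offload for one flow. The destination address is an assumption.
# A session handled by the NP prints an "npu info" line whose offload
# counters are non-zero; a session kept on the CPU shows zero counters
# (on NP6 platforms usually together with a no_ofld_reason line).
diagnose sys session filter clear
diagnose sys session filter dst 10.0.0.5
diagnose sys session list
diagnose sys session filter clear
```

Clear the filter afterwards, as the last line does, because `diagnose sys session filter` persists for the CLI session and will silently narrow later listings.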


Fortinet’s content processor (CP9) works outside of the direct flow of traffic, providing high-speed cryptography and content inspection services. This frees businesses to deploy advanced security whenever it is needed without impacting network functionality. CP8 and CP9 provide a fast path for traffic inspected by IPS, including sessions with flow-based inspection.

CP processors also accelerate intensive proxy-based tasks:
• Encryption and decryption (SSL)
• Antivirus

FortiGate security processing (SP) modules, such as the SP3 but also including the XLP, XG2, XE2, FE8, and CE4, work at both the interface and system level to increase overall system performance by accelerating specialized security processing. You can configure the SP to favor IPS over firewall processing in hostile high-traffic environments.

FortiASIC network processors work at the interface level to accelerate traffic by offloading traffic from the main CPU. Current models contain NP4, NP4Lite, NP6, and NP6lite network processors.

Fortinet integrates content and network processors along with a RISC-based CPU into a single processor known as SOC3 for entry-level FortiGate security appliances used for distributed enterprises. This simplifies appliance design and enables breakthrough performance without compromising on security.


Good job! You now understand some of the high-level features of FortiGate.

Now, you will learn how to perform the initial setup of FortiGate and learn about why you might decide to use
one configuration over another.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in setting up FortiGate, you will be able to use the device effectively in your own network.


What about the network architecture? Where does FortiGate fit in?

When you deploy FortiGate, you can choose between two operating modes: NAT mode or transparent mode.

• In NAT mode, FortiGate routes packets based on Layer 3, like a router. Each of its logical network
interfaces has an IP address and FortiGate determines the outgoing or egress interface based on the
destination IP address and entries in its routing tables.
• In transparent mode, FortiGate forwards packets at Layer 2, like a switch. Its interfaces have no IP
addresses and FortiGate determines the outgoing or egress interface based on the destination MAC
address. The device in transparent mode has an IP address used for management traffic.

Interfaces can be exceptions to the router versus switch operation mode, on an individual basis.


Network address translation (NAT) mode is the default operation mode. What are the other factory default
settings? After you’ve removed FortiGate from its box, what do you do next?

Now you’ll take a look at how you set up FortiGate.

Attach your computer’s network cable to port1 or the internal switch ports (depending on your model). In most entry models, there is a DHCP server on that interface, so, if your computer’s network settings have DHCP enabled, your computer should automatically get an IP, and you can begin setup.

To access the GUI on FortiGate or FortiWiFi, open a web browser and go to http://192.168.1.99.

The default login information is public knowledge. Never leave the default password blank. Your network is only as secure as your FortiGate’s admin account. Before you connect FortiGate to your network, you should set a complex password.

All FortiGate models have a console port and/or USB management port. The port provides CLI access without a network. The CLI can be accessed by the CLI console widget on the GUI or from a terminal emulator, such as PuTTY or Tera Term.
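As an added example (not code from the study guide), this is the CLI equivalent of the hardening the paragraph above calls for, done before the device is attached to the production network: replace the default admin password, enforce a policy on administrator passwords, lock out brute-force attempts, and limit which protocols and source hosts can reach the management interface. The interface name port1, the trusted subnet 192.168.1.0/24, the placeholder password, and the numeric thresholds are assumptions chosen for illustration.

```fortios
# Added example (not from the study guide). Values marked below are
# assumptions; adjust them to your environment.

# 1. Replace the empty default password and restrict where "admin" may
#    log in from (trusthost subnet is an assumption).
config system admin
    edit "admin"
        set password <strong-password>
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# 2. Enforce a password policy on all administrator accounts
#    (length and expiry values are assumptions).
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set expire-status enable
    set expire-day 90
end

# 3. Lock out repeated failed logins, shorten idle GUI/CLI sessions,
#    and send plain HTTP management requests to HTTPS
#    (thresholds are assumptions).
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set admintimeout 5
    set admin-https-redirect enable
end

# 4. Allow only encrypted management protocols on the interface you
#    cabled your computer to (port1 is an assumption).
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end
```

Apply step 1 from the console port or the CLI console widget before the unit is reachable from anything but your own machine; once `allowaccess` no longer includes `http`, the http://192.168.1.99 URL above will redirect to HTTPS.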
