Secure SD Wan


Secure sd wan

MCs Computer Science, Batch 2020

Submitted By

Safia Shabbir P19101062


Hina Jameel P19101022
Hina Saeed P19101023
Erum Saleem P19101015

Department of Computer Science-UBIT


University of Karachi
University Road, Karachi 75270

Final Year Project Report
Secure sd wan
MCs Computer Science, Batch 2020

Project Advisor

Dr. Muhammad Saeed


Assistant Professor
UoK

Submitted By:

Safia Shabbir P19101062


Hina Jameel P19101022
Hina Saeed P19101023
Erum Saleem P19101015

Department of Computer Science-UBIT

Preface

About This Book

ACKNOWLEDGMENTS

First and foremost, I would like to thank our Almighty Allah, for providing me the strength, courage
of conviction and the strong sense of dedication to my project that enabled me to take it to the level
that it has achieved today. Undoubtedly, I wouldn't be here now if it weren't for His Mercy
and Blessings.

This work would have been impossible without the copious amounts of help, patience, and
encouragement from my kind supervisor Dr. Muhammad Saeed. I would like to thank him for
teaching me so much, for inspiring me with his example of hard work, and for providing great help and
key information throughout the time required for the completion of this project report. I would also
like to give very special thanks to Mr. Nadeem for his valuable support in the requirement analysis of this
project. I would also like to thank all the faculty members for their able support and
encouragement, which enabled me to complete my project report.

To my family, thank you for letting me do what I want to do, supporting my decisions as crazy as
they may be. You are always there for me. My deepest love and gratitude goes to my father and
mother who played such a vital role all through my life by always placing my interests ahead of
theirs. This project work is dedicated to my parents, thank you for seeing me through every step of
the way, for praying for me and with me during times of trouble, and for rejoicing with me over
every little triumph. During my studies my family constantly provided me the hope that I needed to
complete my higher education. Also thanks to all other members of my family and friends whose love
and prayers are with me all the time.

DECLARATION

We hereby declare that this project report is based on our original work except for citations and
quotations which have been duly acknowledged. We also declare that it has not been previously and
concurrently submitted for any other degree or award at University of Karachi or other institutions.

Name: Safia Shabbir Signature: ____________________________


Name: Hina Jameel Signature: ____________________________
Name: Hina Saeed Signature: ____________________________
Name: Erum Saleem Signature: ____________________________

CERTIFICATE

I certify that this project report entitled "Secure SD Wan", prepared by Safia Shabbir, Hina
Jameel, Hina Saeed and Erum Saleem, has met the required standard for submission in partial
fulfillment of the requirements for the award of Masters in Computer Science at University of
Karachi.

Approved by,

Signature: _________________________

Supervisor: Dr. Muhammad Saeed

Date: ___________________________

COPYRIGHT

The copyright of this report belongs to the author under the terms of the copyright Act 1987 as
qualified by Intellectual Property Policy of Sir Syed University of Engineering and Technology. Due
acknowledgement shall always be made of the use of any material contained in, or derived from, this
report.

© Batch 2020, Department of Computer Science-UBIT. All rights reserved.

DEDICATION

All thanks and gratitude are due only to ALLAH, the most gracious, the most merciful and the most
beneficent, who bestowed upon me the enlightenment, courage and energy to undertake and complete
this project.

This humble effort is

Dedicated to My

Mother & Project Advisor

I thank them, pray for them and promise to do whatever is in our power to comfort them and
promote their good mission for the noble cause of spreading education and the development of human
beings. They have served me with their best efforts and have brought me up to be the person I am
today; may Almighty Allah bless them.

ABSTRACT

Over the past several years, Software Defined Networking (SDN) has emerged as a new and promising
paradigm for the management of computer networks. While we have seen many use-cases and deployments
of SDN in data center networks, wide-area networks still heavily rely on legacy routing and traffic
engineering technologies. Rapidly increasing traffic demands (mainly due to increasing usage of video
streaming and voice over LTE deployments), however, motivate the development of novel routing and more
efficient traffic engineering mechanisms.

New approaches leveraging an SDN paradigm in wide-area networks promise to mitigate many of today’s
limitations, inefficiencies, and scalability issues. In this paper, we give an overview of the current state of the
art in Software Defined wide-area networking research and technologies and give directions and discuss
ideas for future work.

Table of Content
Statement of Submission………………………………………………………………………. ii
ACKNOWLEDGMENTS……………………………………………………………………....iii
CERTIFICATE………………………………………………………………………………… iv
DEDICATION…………………………………………………………………………………. v
ABSTRACT…………………………………………………………………………………….vi
Table of Content………………………………………………………………………………...vii
Chapter 1: Introduction………………………………………………………………………….1
1.1 OVERVIEW…………………………………………………………………………2
1.2 AIM AND OBJECTIVES…………………………………………………………...2
1.2.1 Enhanced security……………………………………………………………………2
1.2.2 A more enjoyable application experience…………………………………………2
1.2.3 Provisioning from a central location………………………………………………2
1.2.4 Greater adaptability and flexibility………………………………………………...2
1.3 SCOPE AND LIMITATION………………………………………………………...3
1.3.2 The Architecture of the SD-WAN…………………………………………………3

Chapter 2: Requirements…………………………………………………………………….......6
2. SD-WAN Requirements………………………………………………………………7
Chapter 3: Design and Implementation……………………………………………………….....8
3.1 Configuring SD-WAN………………………………………………………………9
3.1.1 SD-WAN specifications…………………………………………………………..9
3.1.2 SD-WAN setup in its most basic form……………………………………………9
3.1.3 Setting up a simple SD-WAN deployment……………………………………….9
3.1.4 Removing existing configuration references to interfaces……………………….10
3.1.5 Creating SD-WAN interfaces…………………………………………………….10
3.1.6 Configuring SD-WAN load balancing……………………………………………12
3.1.7 Creating a static route for the SD-WAN interface………………………………..14
3.1.8 Configuring security policies for SD-WAN………………………………………15
3.1.9 Configuring SD-WAN rules……………………………………………………....15
3.2 Monitoring SD-WAN……………………………………………………………….16
3.2.1 Monitoring SD-WAN link usage………………………………………………….17
3.2.2 Monitoring SD-WAN traffic routing……………………………………………...17
3.2.3 Monitoring SD-WAN link quality status………………………………………….17
3.2.4 Monitoring system event logs……………………………………………………..18
3.2.5 Verifying SD-WAN traffic routing………………………………………………..18

3.2.6 Applying traffic shaping to SD-WAN traffic……………………………………..18
3.3 Viewing SD-WAN information in the Fortinet Security Fabric……………………18
3.4 High availability…………………………………………………………………….19
3.5 Firewall concepts……………………………………………………………………20
3.5.1 What is a firewall? ………………………………………………………………..21
3.7 Security Profiles……………………………………………………………………..22
3.7.1 Authentication……………………………………………………………………..22
3.7.1.A What is Authentication?..........................................................................................22
3.7.1.B Methods of authentication………………………………………………………….….22
3.7.1.C Types of authentication………………………………………………………………...23
3.7.1.D Administrator’s view of authentication ……………………………………………..23
3.8 IPsec VPN…………………………………………………………………………...24
3.8.1 IPsec VPN concepts……………………………………………………………….24
3.8.2 VPN tunnels……………………………………………………………………….25
3.9 SSL VPN…………………………………………………………………………….26
3.9.1 SSL VPN modes of operation……………………………………………………..26
3.9.1.A Tunnel mode…………………………………………………………………………….26
3.9.1.B Port forwarding mode………………………………………………………………….26
3.9.2 SSL VPN best practices…………………………………………………………...26
3.9.2.A Tunnel mode……………………………………………………………………………..27
3.9.2.B Web mode………………………………………………………………………………...27
3.9.3 Basic configuration………………………………………………………...27
3.9.4 SSL VPN web portal……………………………………………………….27
3.10 Networking…………………………………………………………………28
3.10.1 Interface……………………………………………………………………28
3.10.1.A Aggregate interfaces………………………………………………………….28
3.10.1.B On an interface, the DHCP addressing mode…………………………..29
3.10.1.C Interface configuration and settings……………………………………..30
3.10.1.D Routing………………………………………………………………………….30
3.11 DNS (Domain Name System)………………………………………………31
3.11.1 DNS servers……………………………………………………………….31
3.11.2 Dynamic Routing………………………………………………………….32
3.11.3 Multicast Forwarding……………………………………………………..32
3.11.4 Modems…………………………………………………………………….33
3.12 Managing devices……………………………………………………………33
3.12.1 Managing “bring your own device”……………………………………...33
3.12.2 Device monitoring…………………………………………………………33
3.12.3 Device groups………………………………………………………………35
3.12.4 Controlling access with a MAC ACL…………………………………….35
3.12.5 Security policies for devices………………………………………………36
3.13 System Administration……………………………………………………….38
3.13.1 Administrators………………………………………………………………38
3.13.1.A Administrator profiles…………………………………………………………38

3.13.1.B LDAP authentication for administrators…………………………………..38
3.13.1.C Monitoring Administrators……………………………………………………39
3.13.2 Management access…………………………………………………………39
3.13.3 Security precautions………………………………………………………..39
3.14 Monitoring……………………………………………………………………..40
3.14.1 Dashboard……………………………………………………………………40
3.14.2 Monitor menus………………………………………………………………40
3.14.3 Logging………………………………………………………………………40
3.14.4 Alert email…………………………………………………………………...41
3.14.5 Simple Network Management Protocol……………………………………41
3.15 Administration for schools……………………………………………………42
3.15.1 Security policies……………………………………………………………..42
3.15.2 DNS…………………………………………………………………………...42
3.15.3 Encrypted traffic (HTTPS)………………………………………………….42
3.15.4 FTP…………………………………………………………………………….42

Chapter 4: Quality Assurance……………………………………………………………….43


4.1 Traffic shaping…………………………………………………………………..44
4.1.1 Configuring traffic shaping…………………………………………………..44
4.1.3 Monitoring traffic shaping……………………………………………………45
4.1.4 Troubleshooting traffic shaping……………………………………………...45
4.2 Logging and reporting……………………………………………………………46
4.2.1 FortiOS features available for logging……………………………………….46
4.2.1.A Traffic………………………………………………………………………………….46
4.2.1.B Sniffer…………………………………………………………………………………46
4.2.1.C Event………………………………………………………………………………….46
4.2.1.D Traffic shaping………………………………………………………………….....47
4.2.1.E Data Leak Prevention…………………………………………………………….47
4.2.1.F Media Access Control (MAC) address………………………………………..48
4.2.1.G Web filter……………………………………………………………………………48
4.2.1.H Email filter…………………………………………………………………………48
4.3 Bug Issues……………………………………………………………………….49
4.3.1 Device Manager……………………………………………………………….49
4.3.2 FortiView………………………………………………………………………49
4.3.3 Log View……………………………………………………………………….50
4.3.4 Others…………………………………………………………………………..50
4.3.5 Reports………………………………………………………………………….51
4.3.6 System Settings…………………………………………………………………51

Chapter 1
Introduction

1. INTRODUCTION
1.1. OVERVIEW
SD-WAN is a virtual interface made up of a collection of member interfaces that can be
connected to a variety of link types. The SD-WAN interface combines all physical member
interfaces into a single virtual interface. SD-WAN makes network configuration easier by
allowing you to set up a single set of routes and firewall policies that are applied to all member
interfaces. You can also set up numerous parameters for selecting the optimal links for your
network traffic.

One of the key motivations for deploying SD-WAN is effective use of multiple WAN links: you can
apply various load balancing methods, such as bandwidth usage, session count, and application-aware
routing, to ensure high availability for your business-critical applications.

1.2 AIM AND OBJECTIVES


1.2.1 Enhanced security
With increasing security concerns, particularly as IoT, cloud, and data aggregation become
more prevalent, SDN can help. SDN controllers make decisions on how and where to send
data on a packet-by-packet or flow-by-flow basis, rather than relying only on endpoint security or
inspection at the network perimeter, which means they are far more responsive to changes in
traffic patterns within an organisation.
1.2.2 A more enjoyable application experience
One of the main benefits of SDN, in addition to security, is the ability to shape and regulate
traffic on an application-by-application and flow-by-flow basis, resulting in improved
networking responsiveness and a better user experience.
1.2.3 Provisioning from a central location
It's easier to have a centralised view of the network when the decision-making process is
decoupled from the underlying hardware and moved to a controller. SDN can also expedite
and simplify the delivery of new services by abstracting the control and data planes—not just
across the network, but across all virtual infrastructure from a single location.
1.2.4 Greater adaptability and flexibility
A centralised controller allows a network to be more agile and adapt to change more quickly.
The fact that the controller is programmable gives enterprises a huge boost in flexibility,
allowing them to build networks that are tailored to their specific application and business
needs.

1.3 SCOPE AND LIMITATION

Despite the fact that network virtualization and SDN are relatively new technologies, International
Data Corporation (IDC) predicts that the SDN market will grow at a rate of 25% year over year until
2021, and that SDN is now moving from the early adopter to the early mainstream stage of
development.

Organizations should expect these benefits in today's more competitive climate, where flexibility and
agility are key. However, the benefits rely on the organization having administrative control over the
underlying infrastructure. So what happens when it does not, as is the situation with current Wide Area
Networks (WANs) that are managed by service providers?

The Architecture of the SD-WAN


SD-WAN is a new, automated and flexible architecture for the WAN. It removes many of the
drawbacks of previously used WAN technologies and brings all the advantages of SDN to the
WAN. The SD-WAN design is especially beneficial for sites separated by distance, for instance
between a head office and its branch offices. Whereas a conventional WAN can be costly and
complex, the SD-WAN architecture reduces recurring network costs, offers network-wide control
and visibility, and simplifies operations with zero-touch provisioning and centralized management.
Key to the SD-WAN architecture is that it can communicate with all network endpoints without the
need for external tools or additional protocols.
The architecture of SD-WAN can be divided into two types:
(1) On premises: An "on-prem-only" SD-WAN design is exactly what it sounds like. The
organization has an SD-WAN box (essentially a plug-and-play appliance) at each site,
performing real-time traffic shaping there, as shown in Figure 1.1.
Benefits:
• Lower or zero monthly SD-WAN cloud-enablement bandwidth costs.
• Multi-circuit/ISP load balancing.
• Real-time traffic shaping, improving the performance of all WAN applications.
• Improved disaster recovery (DR) through better network backup.

Figure 1.1: SD-WAN box comprised

(2) Cloud enabled: In a cloud-enabled SD-WAN architecture, the solution pairs an on-site
SD-WAN box with a cloud (virtual) gateway, as shown in Figure 1.2. With this architecture, an
organization gets the advantages of an on-prem-only design (for example real-time traffic shaping
and multi-circuit load balancing/failover), plus increased performance and reliability for cloud
applications. The cloud gateway connects directly to the major cloud providers (for example
Office 365, AWS, Salesforce), which gives a general improvement in the performance of cloud
applications. Moreover, if an organization's Internet circuit fails while a cloud application is in
use, the gateway can keep the cloud session active while the circuit fails over: if the organization
has another Internet circuit, the SD-WAN re-routes the cloud application to it immediately,
averting interruption of a single session.
Benefits:
• Cloud gateways, improving the performance and reliability of cloud applications.
• Multi-circuit/ISP load balancing.
• Real-time traffic shaping, improving the performance of all WAN applications.
• Improved DR through better network backup.

Figure 1.2

Chapter 2
Requirements

2. SD-WAN Requirements

The key components of an SD-WAN solution center around application awareness, visibility, and
performance. An SD-WAN solution must generally provide the following types of functionality:

 Multiple connection types – MPLS, Internet, LTE, ADSL, etc.

 Secure site-to-site connectivity - tunneling and VPNs

 An intuitive interface for managing WAN connections

 Ability to make use of all available uplink paths

 Ability to optimize use of WAN connection for cost savings

 Application-aware performance monitoring over WAN links

 Dynamic spoke/endpoint learning and reachability

In addition, modern SD-WAN solutions have evolved to offer even broader capabilities, including:

 Automation of end-to-end solution provisioning

 Enterprise network modeling, network definition

 Zero touch provisioning (ZTP) of on-premises devices, including establishing connectivity

 Provisioning of multiple node types (spoke, hub, concentrators, etc.)

 Dynamic path selection, and ability to load balance across multiple WAN connections

 End-to-end, application-level SLAs through continuous path measurement

 Dynamic application steering to counteract link degradation

 End-to-end visibility and monitoring of devices, connectivity, and application performance

 Support for 3rd-party services

 Intent-based policy creation to define traffic treatment

 Security through enterprise-wide policies

Chapter 3
Design

3.1 Configuring SD-WAN
Secure SD-WAN can be deployed in a variety of ways, depending on your organization's network
and the technology you wish to use.
3.1.1 SD-WAN specifications
The following are the limits and capabilities of the FortiGate secure SD-WAN solution:
 Allows only one SD-WAN interface for each VDOM
 Supports SD-WAN configuration for IPv6 in the CLI
 Supports up to 4000 link health monitors, both globally and per VDOM
 Supports up to 4000 SD-WAN rules, both globally and per VDOM
3.1.2 SD-WAN setup in its most basic form
What are the most important prerequisites for a successful SD-WAN implementation?
A successful SD-WAN implementation is built on four pillars that must be fully understood at the
start of the project:
• Business-critical applications, their requirements, and their interrelationships
• The need for security.
• Site connectivity and each location's proportional priority.
• The price and availability of circuits.

3.1.3 Setting up a simple SD-WAN deployment


Static routing and the FortiGate's WAN interfaces are used in a simple SD-WAN configuration.
Configuring redundant Internet access for your network is one conceivable usage for a basic SD-
WAN configuration. This allows you to load balance your Internet traffic across numerous ISP links
while also providing redundancy for your network's Internet connection in the event that your
primary ISP goes down.
To configure a basic SD-WAN deployment, complete the following steps:

 Removing existing configuration references to interfaces


 Creating SD-WAN interfaces
 Configuring SD-WAN load balancing
 Creating a static route for the SD-WAN interface
 Configuring security policies for SD-WAN
 Configuring link health monitoring
 Configuring SD-WAN rules

3.1.4 Removing existing configuration references to interfaces
Any current configuration references to interfaces that you want to use as SD-WAN members should
be removed or redirected. The default Internet access policy offered with various FortiGate models is
an example of this. This must be done before the interfaces may be configured as SD-WAN
members.
You won't have to establish the routes and policies again if you redirect them to other interfaces.
After you've set up SD-WAN, you'll need to change the routes and policies to point to the SD-WAN
interface.

Remove interface references in routes – GUI


1. Go to Network > Static Routes.
2. Select each route that references the ports that you want to use for the SD-WAN interface.
3. Select Delete.
4. Select OK.

Remove interface references in security policies – GUI


1. Go to Policy & Objects > IPv4 Policy.
2. Select each policy that references the ports that you want to use for the SD-WAN interface.
3. Select Delete.
4. Select OK.
3.1.5 Creating SD-WAN interfaces
Specify at least two SD-WAN member interfaces and their associated gateways.

Create SD-WAN interface – GUI


1. Go to Network > SD-WAN.
2. In the SD-WAN section, set the Status field to Enable.
3. In the SD-WAN Interface Members section, select +. Select the down arrow to open the drop-
down menu. Select
the first port that you want to add to the SD-WAN interface.
4. In the Gateway field, enter the default gateway for this interface.
5. Ensure that the Status field is set to Enable.
6. Repeat steps 3 to 5 to add the remaining SD-WAN member interfaces.
7. Select Apply.
8. Select Network > Interfaces to verify that the virtual interface for SD-WAN appears in the
interface list. In the SDWAN Interface section, the SD-WAN interface is listed. Select – to view the
ports that are included in this interface.

Figure 3.1: Interfaces

Figure 3.2: Interfaces

3.1.6 Configuring SD-WAN load balancing

Specify the SD-WAN load balancing method that you want the FortiGate to use for all Internet
traffic between SD-WAN interface members.
Specify the SD-WAN load balancing method – GUI
1. Go to Network > SD-WAN Rules.
2. Select the rule named sd-wan and select Edit.
The load balancing options are displayed.
3. In the Load Balancing Algorithm field, select the algorithm you want to use (the available
options are shown in Figure 3.4).
4. Select OK.

Figure 3.3 SD-WAN

Figure 3.4: SD-WAN Load balancing


3.1.7 Creating a static route for the SD-WAN interface

The FortiGate adds a virtual SD-WAN interface to the interface list once you create an SD-WAN interface.
You can then reference this SD-WAN interface when building routes.
For the SD-WAN interface, you must set a default route. Because the FortiGate forwards packets to the
appropriate gateway based on the SD-WAN member interface gateway information, you don't need to
establish a gateway address for the default route that uses the SD-WAN interface.

Create a static route for SD-WAN – GUI


1. Go to Network > Static Routes.
2. Select Create New.
3. In the Destination field, select Subnet and leave the destination IP address and subnet mask as
0.0.0.0/0.0.0.0.
4. In the Interface field, select the SD-WAN interface from the drop-down menu.

5. Ensure that the Status field is set to Enable.


6. Select OK.
If you previously removed or redirected existing references in routes to interfaces that you wanted to
add as SD-WAN
interface members, you can now reconfigure those routes to reference the SD-WAN interface.

3.1.8 Configuring security policies for SD-WAN

Figure 3.5: security policies for SD-WAN

The FortiGate adds a virtual SD-WAN interface to the interface list once you create an SD-WAN
interface. You can then reference this SD-WAN interface in security policies.
A security policy that allows traffic from your organization's internal network to reach the SD-WAN
interface must be configured. Because security policies configured with the SD-WAN interface apply
to all SD-WAN member interfaces, you don't need to create numerous security policies for specific
SD-WAN member interfaces.
Configure security policies for SD-WAN – GUI
1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New.
3. In the Name field, enter a name for the policy.
4. Set Incoming Interface to the interface that connects to your organization’s internal network.
5. In the Outgoing Interface field, select the SD-WAN interface from the drop-down menu.
6. In the Source field, select +. In the Select Entries window, select all. Select Close.
7. In the Destination field, select +. In the Select Entries window, select all. Select Close.
8. In the Schedule field, select always from the drop-down menu.
9. In the Service field, select +. In the Select Entries window, select ALL. Select Close.
10. In the Action field, select ACCEPT.
11. In the Firewall/Network Options section, set the following:
 Enable NAT.
 In the IP Pool Configuration field, select Use Outgoing Interface Address.
12. In the Security Profiles section, apply AntiVirus, Web Filter, DNS Filter, Application
Control, and SSL
Inspection profiles, as required.
13. In the Logging Options section, set the following:
 Enable Log Allowed Traffic and select All Sessions. This allows you to verify the results
later.
 Enable the Enable this policy option.
14. Select OK.
If you previously removed or redirected existing references in security policies to interfaces that you
wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the
SD-WAN interface.
In the CLI:

 virtual-wan-link is the name of the SD-WAN interface

 the dnsfilter-profile option isn't available for IPv6 policies, since IPv6 isn't supported for DNS filter profiles

3.1.9 Configuring SD-WAN rules

SD-WAN rules allow you to specify which traffic should be routed through which interface (ISP). This gives
you a lot of options when it comes to configuring the FortiGate's traffic routing. You can, for example,
send Netflix traffic from specified authenticated users through one ISP while the rest of your Internet
traffic is routed through a different ISP.

You can set up the rules to match traffic based on a variety of characteristics, such as source and destination
IP addresses, ISDB (Internet Service Database) address objects, and destination port numbers.

When traffic is matched to a rule, the rule specifies which egress interface the traffic will use.
To select the egress interface, SD-WAN rules can be configured to use one of the following strategies:

 Best quality: use the member with the best measured link quality
 Lowest cost (SLA): use the lowest-cost member that still meets the configured SLA
The FortiGate evaluates SD-WAN rules from top to bottom and uses the first match. SD-WAN rules are treated as
policy routes, and they take precedence over routes in the routing table.
If no SD-WAN rule matches, the FortiGate falls back on the implicit rule sd-wan, which is generated
automatically when SD-WAN is enabled. The sd-wan rule balances traffic according to the configured
SD-WAN load balancing method.
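The GUI procedure of sections 3.1.4 to 3.1.9 expressed as a single FortiOS CLI configuration. This is an added example, not configuration taken from the report or from Fortinet documentation; the interface names (wan1, wan2, internal), the ISP gateway addresses (192.0.2.1, 198.51.100.1), the probe target 198.51.100.53, the LAN subnet and the address object lan-subnet are assumed placeholders. The syntax is the FortiOS 6.0/6.2 `config system virtual-wan-link` tree, in which the SD-WAN interface is named virtual-wan-link; FortiOS 6.4 and later renamed the tree to `config system sdwan` and the route option to `set sdwan enable`.

```fortios
# Added example, not from the report. FortiOS 6.0/6.2 CLI.
# Assumed: wan1/wan2 = ISP uplinks, internal = LAN port, 192.0.2.1 / 198.51.100.1 = ISP gateways,
#          198.51.100.53 = health-check probe target, 10.10.10.0/24 = LAN subnet.
# Section 3.1.4: delete or re-point any static route or firewall policy that still references
#                wan1 or wan2 before running this, otherwise the member edits below are rejected.

config firewall address
    edit "lan-subnet"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# 3.1.5 members and 3.1.6 load-balancing method (all sessions from one source IP stick to one ISP)
config system virtual-wan-link
    set status enable
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    # link health monitor with an SLA target; both members are probed every 500 ms,
    # a member is marked dead after 5 lost probes and alive again after 5 answered ones
    config health-check
        edit "internet-probe"
            set server "198.51.100.53"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # 3.1.9 SD-WAN rule: HTTPS from the LAN goes to the lowest-cost member that meets SLA 1,
    # preferring wan1; traffic not matched here falls through to the implicit sd-wan rule
    config service
        edit 1
            set name "https-sla"
            set mode sla
            set src "lan-subnet"
            set dst "all"
            set protocol 6
            set start-port 443
            set end-port 443
            config sla
                edit "internet-probe"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# 3.1.7 default route through the SD-WAN interface; no gateway, each member carries its own
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set virtual-wan-link enable
    next
end

# 3.1.8 one policy covers every member: LAN to SD-WAN, NAT to the egress interface address,
# security profiles applied, all sessions logged so routing can be checked under Forward Traffic
config firewall policy
    edit 1
        set name "LAN-to-Internet-SDWAN"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set nat enable
        set logtraffic all
    next
end
```

The lines beginning with # are annotations for the reader; strip them before pasting into an interactive CLI session. The rule uses the Lowest cost (SLA) strategy described above: as long as wan1 meets the latency, jitter and loss thresholds it carries all LAN HTTPS, and the FortiGate moves that traffic to wan2 only when wan1 drops out of SLA.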

3.2 Monitoring SD-WAN


You can use SD-WAN diagnostics to maintain an efficient and effective SD-WAN solution.

Figure 3.6: SD-WAN Monitoring


3.2.1 Monitoring SD-WAN link usage

The SD-WAN usage monitor shows traffic distribution between SD-WAN member interfaces in real
time. You can view traffic distribution by bandwidth, volume, and sessions.
Monitor SD-WAN link usage – GUI

1. Go to Network > SD-WAN.


2. In the SD-WAN Usage section, select one of the following options to view SD-WAN traffic
distribution between the member interfaces:
 Bandwidth: Shows the percentage of the bandwidth that each interface is using
 Volume: Shows the percentage of the traffic volume carried by each interface
 Sessions: Shows the percentage of the number of sessions on each interface
3. Select Apply.
3.2.2 Monitoring SD-WAN traffic routing
You can see which applications are going through which destination interface in FortiView.
Monitor SD-WAN traffic routing – GUI
1. Go to FortiView > All Sessions.
2. View the information in the Destination Interface column.

3.2.3 Monitoring SD-WAN link quality status

You should monitor the link quality status of SD-WAN member interfaces, since link quality plays a
significant role in link selection for SD-WAN. Investigate any prolonged issues with packet loss,
latency, and jitter to ensure that your network doesn't experience degraded performance or an outage.

Monitor SD-WAN link quality status – GUI

1. Go to Network > Performance SLA.


2. Monitor the information in the Packet Loss, Latency, and Jitter columns for each SLA.
The page displays arrows indicating the status of SD-WAN member interfaces. A green arrow
indicates that the interface was active and a red arrow indicates that the interface was inactive when
the FortiGate performed the status checks.
The page also shows measurements for packet loss,

3.2.4 Monitoring system event logs
A FortiGate generates system event logs when an SD-WAN member interface route is added to or
removed from the routing table. You can use system events to investigate any route failovers.
Monitor system event logs – GUI
1. Go to Log & Report > System Events.
2. Use information in system event logs related to SD-WAN to investigate issues.
3.2.5 Verifying SD-WAN traffic routing
You can verify that traffic is exiting the FortiGate through the SD-WAN member interfaces as
configured.
Verify SD-WAN traffic routing - GUI
1. Go to Log & Report > Forward Traffic.
2. Use information in the Destination Interface column to verify that traffic is routing correctly
3.2.6 Applying traffic shaping to SD-WAN traffic
SD-WAN traffic can be subjected to traffic shaping.
If an application is required but you don't want it to consume too much bandwidth, you can set a
bandwidth limit for it rather than disabling it completely. You can, for example, limit storage and backup
applications while leaving enough bandwidth for more critical activities like video conferencing.
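CLI counterparts of the monitoring steps in sections 3.2.1 to 3.2.5, followed by a traffic shaper for the scenario in 3.2.6. This is an added example and not part of the report; the interface names, the LAN host address, the shaper limits and the choice of FTP and SMB as stand-ins for storage and backup traffic are assumptions, and the diagnose commands use the FortiOS 6.0/6.2 names (FortiOS 6.4 and later renamed them `diagnose sys sdwan ...`).

```fortios
# Added example, not from the report. FortiOS 6.0/6.2 CLI; names and addresses are assumed.

# 3.2.1 / 3.2.3: packet loss, latency and jitter per member for every health check,
# and whether each member currently meets its SLA targets
diagnose sys virtual-wan-link health-check

# 3.2.2: the SD-WAN rules and the member order each rule has selected right now
diagnose sys virtual-wan-link service

# member list with gateway, priority and current status
diagnose sys virtual-wan-link member

# 3.2.4 / 3.2.5: confirm the default route is the SD-WAN route and which members it is spread over
get router info routing-table all

# 3.2.5: watch the egress interface of live sessions from one LAN host
# (verbosity 4 prints the interface names alongside each packet)
diagnose sniffer packet any 'host 10.10.10.25' 4

# 3.2.6: cap bulk storage/backup traffic crossing the SD-WAN at 2 Mbit/s per policy,
# guarantee it 256 kbit/s so it never starves completely, and mark it low priority so
# latency-sensitive traffic such as video conferencing is queued ahead of it
config firewall shaper traffic-shaper
    edit "bulk-2mbps"
        set guaranteed-bandwidth 256
        set maximum-bandwidth 2048
        set priority low
        set per-policy enable
    next
end
config firewall shaping-policy
    edit 1
        set name "limit-bulk-over-sdwan"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set service "FTP" "SMB"
        set traffic-shaper "bulk-2mbps"
        set traffic-shaper-reverse "bulk-2mbps"
    next
end

# verify the shaper is matching traffic and see how many packets it has dropped
diagnose firewall shaper traffic-shaper list
```

The shaping policy is matched after the firewall policy of section 3.1.8 accepts the session, so it needs no change to that policy; the reverse shaper is set as well because backup traffic is usually upload-heavy and the limit must apply in both directions.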

3.3 Viewing SD-WAN information in the Fortinet Security Fabric


You can view SD-WAN information for FortiGate devices that belong to a Security Fabric in the
Physical and Logical topology views on upstream FortiGate devices. This allows you to see which
FortiGate devices have SD-WAN links enabled and other basic SD-WAN information without having
to log in to each FortiGate device.
View SD-WAN information in the Security Fabric – GUI
1. Go to one of the following:
 Security Fabric > Physical Topology
 Security Fabric > Logical Topology
2. Click a FortiGate device to see whether it has SD-WAN links enabled and view basic SD-WAN
information.

3.5 High availability


Keeping network traffic flowing is the basic high availability (HA) concern for TCP/IP networks and
security gateways.
Because important business activities come to a halt rapidly when the network is down, uninterrupted
traffic flow is a critical component for online systems and media.

Because all traffic travels through it, the security gateway is an essential component of most
networks. A solitary network security gateway is a single point of failure that can be harmed by a
variety of software or hardware issues, causing the device to become inoperable and halting all
network traffic.

Figure 3.7: Network traffic

An FGCP (FortiGate Clustering Protocol) cluster appears to your network as a single FortiGate
operating in NAT or transparent mode, and configuration synchronisation allows you to configure a
cluster in the same way as a standalone FortiGate. If a failover happens, the cluster recovers quickly
and automatically, while also notifying administrators so that the fault that caused the failure can be
fixed and any failed equipment can be restored.

Figure 3.8

Session failover happens when one of the FortiGates fails, and active sessions are transferred to the
unit that is still operational. There is no data loss as a result of this failover. External load balancers
or routers also notice the failover and redistribute all sessions to the still-running unit.
External routers or load balancers handle load balancing and session failover, not the FGSP. The
FortiGates only execute session synchronisation, which allows for packet loss-free session failover.

3.6 Firewall concepts

Before getting into the mechanics of how the FortiGate firewall works, there are a few core ideas that
must be understood. Some of these ideas are common across the firewall market, while others are
unique to more complex firewalls like the FortiGate. Having a firm grasp of these concepts and terms
will help you make better decisions.
You'll have a better understanding of what your FortiGate firewall can do and how it will fit into
your network's design.

Figure 3.9
3.6.1 What is a firewall?
A firewall, which can be software- or hardware-based, is used to assist secure a network. Its main
goal is to manage incoming and outgoing network traffic by examining data packets and deciding
whether or not they should be allowed through based on a set of rules. A firewall connects an internal
network, which is presumed to be secure and trustworthy, to another network, usually an external
(inter)network, such as the Internet, which is not presumed to be secure and trustworthy.
In addition to the ACCEPT or DENY action, a number of further instructions can be associated with
a FortiGate firewall policy, some of them optional. Instructions on how to process the traffic can
include:
• Logging traffic
• Authentication
• Network Address Translation or Port Address Translation
• Use of Virtual IPs or IP Pools
• Caching
• Whether the source of the traffic is based on address, user, device or a combination
• Whether to treat the traffic as regular traffic or IPsec traffic
• Which certificates to use
• Security profiles to apply
• Proxy options
• Traffic shaping
Types of firewalls:
• Next-generation firewalls (NGFW)
• Proxy firewalls
• Network address translation (NAT) firewalls
• Stateful multilayer inspection (SMLI) firewalls

3.7 Security Profiles
FortiGate provides security features to protect your network from threats. As a whole, these features,
when included in a single Fortinet security appliance, are referred to as Security Profiles.
Security Profiles cover the following areas: traffic inspection, content inspection and filtering,
security profile components (profiles, lists and sensors), and cloud file sharing services.

3.7.1 Authentication
Identifying users and other computers—authentication—is a key part of network security. This
section describes some basic elements and concepts of authentication.
The following topics are included in this section:
• What is authentication?
• Methods of authentication
• Types of authentication
• User’s view of authentication
• FortiGate administrator’s view of authentication

3.7.1.A What is Authentication?


Authentication is the act of confirming the identity of a person or other entity. In the context of a
private computer network, the identities of users or host computers must be established to ensure that
only authorized parties can access the network.
3.7.1.B Methods of authentication:
FortiGate unit authentication is divided into three basic types: password authentication for people,
certificate authentication for hosts or endpoints, and two-factor authentication for additional security
beyond just passwords.
Methods of authentication include:
• Local password authentication
• Server-based password authentication
• Certificate-based authentication
• Two-factor authentication

Local password authentication:
Authentication is based on user accounts stored on the FortiGate unit. For each account, a user name
and password are created. An account has a disable option so that you can suspend the account without
deleting it. If your network has multiple FortiGate units that will use the same accounts, the use of an
external authentication server can simplify account configuration and maintenance. Create local
user accounts in the GUI under User & Device > User Definition. This page is also used to create
accounts where an external authentication server stores and verifies the password.
Server-based password authentication:
Using external authentication servers is desirable when multiple FortiGate units need to authenticate
the same users, or where the FortiGate unit is added to a network that already contains an
authentication server. FortiOS supports the use of LDAP, RADIUS, TACACS+, AD, or POP3 servers
for authentication.
Certificate-based authentication:
An RSA X.509 server certificate is a small file issued by a certificate authority (CA) that is installed
on a computer or FortiGate unit to authenticate itself to other devices on the network. When one
party on a network presents the certificate as authentication, the other party can validate that the
certificate was issued by the CA. The identification is therefore as trustworthy as the CA that issued
the certificate.
Two-factor authentication:
A user can be required to provide both something they know (their username and password
combination) and something they have (certificate or a random token code). Certificates are installed
on the user’s computer. Two-factor authentication is available for PKI users.
3.7.1.C Types of authentication:
FortiOS supports two different types of authentication based on your situation and needs: security
policy authentication and Virtual Private Network (VPN) authentication.
Security policy authentication:
Security policies enable traffic to flow between networks. Optionally, the policy can allow access
only to specific originating addresses, device types, users or user groups. Where access is controlled
by user or user group, users must authenticate by entering valid username and password credentials.
The user’s authentication expires if the connection is idle for too long, five minutes by default, but that
can be customized. Security policies are the mechanism for FSSO, NTLM, certificate-based, and
RADIUS SSO authentication.
3.7.1.D Administrator’s view of authentication:
Authentication is based on user groups. The administrator configures authentication for security
policies and VPN tunnels by specifying the user groups whose members can use the resource.
Individual user accounts can belong to multiple groups. A member of a user group can be:
• a user whose username and password are stored on the FortiGate unit
• a user whose name is stored on the unit and whose password is stored on an external
authentication server
• an external authentication server with a database that contains the username and password of
each person who is permitted access
The process of setting up authentication is as follows:
1. If remote or external authentication is needed, configure the required servers.
2. Configure local and peer (PKI) user identities. For local users, you can choose whether the
FortiGate unit or a remote authentication server verifies the password.
3. Create user groups.
4. Add local/peer user members to each user group as appropriate. You can also add an authentication
server to a user group. In this case, all users in the server’s database can authenticate. You can only
configure peer user groups through the CLI.
5. Configure security policies and VPN tunnels that require authenticated access.
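The following is an added example, not code from the report or from FortiOS, that models the authentication described in 3.7.1: a local password store and a stand-in for a server-based backend, user groups whose members are either users or an entire authentication server (step 4 above), and a security-policy check that expires a session once it has been idle longer than the default five minutes. All usernames, passwords, server names and group names are constructed for illustration.

```python
"""Added example, not code from the report or from FortiOS: a minimal model
of security-policy authentication as described in 3.7.1. Users belong to
groups, a policy names the groups it allows, and an authenticated session
expires once it has been idle longer than the timeout (300 seconds, the
default named in the text). All users, passwords and server names below are
constructed for illustration."""
import hashlib
import hmac
import os
import time

IDLE_TIMEOUT = 300  # seconds; the default idle timeout given in the text


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 so the local user store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserStore:
    """Local password authentication: credentials kept on the gateway itself."""

    def __init__(self):
        self._users = {}       # username -> (salt, password hash)
        self.disabled = set()  # suspended accounts, kept rather than deleted

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def verify(self, username, password):
        if username not in self._users or username in self.disabled:
            _hash_password(password, b"\0" * 16)  # same cost for unknown users
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, _hash_password(password, salt))


class RemoteServerStub:
    """Server-based authentication (stand-in for an LDAP/RADIUS lookup).
    Constructed stub: a real gateway would query the server over the network."""

    def __init__(self, accepted):
        self._accepted = accepted  # {username: password}, illustration only

    def verify(self, username, password):
        return self._accepted.get(username) == password


class AuthGateway:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.backends = []   # list of (name, verifier), tried in order
        self.groups = {}     # group -> set of usernames and/or "server:<name>"
        self.sessions = {}   # username -> (backend name, last activity time)

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        for name, backend in self.backends:
            if backend.verify(username, password):
                self.sessions[username] = (name, now)
                return True
        return False

    def is_allowed(self, username, policy_groups, now=None):
        """True if the user holds an unexpired session and belongs to one of the
        policy's groups, either directly or through the server that
        authenticated them (a server listed as a group member admits every
        user in its database, as step 4 of the setup process says)."""
        now = time.time() if now is None else now
        session = self.sessions.get(username)
        if session is None:
            return False
        backend_name, last_active = session
        if now - last_active > self.idle_timeout:
            del self.sessions[username]  # idle too long: must log in again
            return False
        self.sessions[username] = (backend_name, now)  # activity resets the timer
        for group in policy_groups:
            members = self.groups.get(group, set())
            if username in members or "server:" + backend_name in members:
                return True
        return False


def build_demo_gateway():
    """Constructed setup: one local user, one user on a remote server, two groups."""
    gw = AuthGateway()
    local = LocalUserStore()
    local.add_user("alice", "correct-horse-battery")
    gw.backends.append(("local", local))
    gw.backends.append(("ldap1", RemoteServerStub({"bob": "example-pass"})))
    gw.groups = {"staff": {"alice"}, "ldap-users": {"server:ldap1"}}
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.login("alice", "correct-horse-battery", now=0), gw.is_allowed("alice", ["staff"], now=100))
    print(gw.is_allowed("alice", ["staff"], now=100 + 301))  # idle longer than 300 s: expired
```

The two points worth noting are that the idle timer is refreshed by activity rather than by login, which is what makes the "five minutes idle" rule different from a fixed session lifetime, and that group membership is resolved against the backend that actually authenticated the user, so a user known to a remote server cannot claim membership of a group that only lists local accounts.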

3.8 IPsec VPN


Virtual Private Network (VPN) technology enables remote users to connect to private computer
networks to gain access in a secure way to their resources. For example, an employee traveling or
working from home can use a VPN to securely access the office network through the Internet.
3.8.1 IPsec VPN concepts:
Virtual Private Network (VPN) technology enables remote users to connect to private computer
networks to gain access to their resources in a secure way.

Figure 3.10: IPsec VPN Tunnels


3.8.2 VPN tunnels:

The data path between a user’s computer and a private network through a VPN is referred to as a
tunnel. Like a physical tunnel, the data path is accessible only at both ends.

Figure 3.11

Figure 3.12: Edit VPN Tunnels

Figure 3.13

3.9 SSL VPN

3.9.1 SSL VPN modes of operation:


When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based
on username, password, and authentication domain.
3.9.1.A Tunnel mode:
In Tunnel mode, remote clients connect to a FortiGate unit that acts as a secure HTTP/HTTPS
gateway and authenticates remote users as members of a user group.
3.9.1.B Port forwarding mode:
While tunnel mode provides a Layer 3 tunnel that users can run any application over, the user needs
to install the tunnel client, and have the required administrative rights to do so.
3.9.2 SSL VPN best practices:
Securing remote access to network resources is a critical part of security operations. SSL VPN
allows administrators to configure, administer, and deploy a remote access strategy for their remote
workers.

3.9.2.A Tunnel mode:
In tunnel mode, the SSL VPN client encrypts all traffic from the remote client computer and sends it
to the FortiGate through an SSL VPN tunnel over the HTTPS link between the user and the
FortiGate.
3.9.2.B Web mode:
Web-only mode provides clientless network access using a web browser with built-in SSL
encryption. Users authenticate to FortiGate's SSL VPN Web Portal, which provides access to
network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and
SSH.
3.9.3 Basic configuration:
Configuring SSL VPN involves a number of configurations within FortiOS that you need to
complete to make it all come together. This chapter describes the components required, and how and
where to configure them to set up the FortiGate unit as an SSL VPN server.
3.9.4 SSL VPN web portal:

Figure 3.14

Figure 3.15

3.10 Networking
3.10.1 Interface:
Configure protocols for administrative access to interfaces using a graphical user interface
1. Select Network > Interfaces from the menu bar.
2. Select Edit for the interface you wish to configure administrative access for.
3. Select the protocols you want an administrator to be able to access in the Administrative Access
section.
4. Click OK.
3.10.1.A Aggregate interfaces:
To create an aggregate interface - GUI:
1. Select Create New, then Interface from Network > Interfaces.
2. Enter Aggregate as the name.

3. Select 802.3ad Aggregate as the Type.
If this option is not present, the FortiGate does not support aggregate interfaces.
4. To add interfaces, click Add in the Interface Members column. Choose from ports 4, 5, and 6.
5. Select Manual in the Addressing mode field.
6. Enter the IP address/netmask 10.13.101.100/24.
7. Choose HTTPS and SSH for Administrative Access.
8. Click OK.
3.10.1.B DHCP addressing mode on an interface:
When Dynamic Host Configuration Protocol (DHCP) is enabled on a FortiGate interface, the
FortiGate broadcasts a DHCP request from the interface.
DHCP server configuration

Go to Network > Interfaces to add a DHCP server. Select DHCP in the addressing mode while
editing the interface.

3.10.1.C Interface configuration and settings:
To configure an interface, go to Network > Interfaces, and select Create New and then Interface.

3.10.1.D Routing:
You must configure a default route for each interface and indicate which route is preferred by specifying the
distance. The route with the lower distance is declared active and placed higher in the routing table.
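As an added example (not the report's own code and not FortiOS code), the following shows the route-selection rule just described on a constructed table with two default routes: only the route with the lower distance is active for a given prefix, longer prefixes sit higher in the table, and when the preferred WAN interface is withdrawn the backup default route takes over. The addresses, interface names and distances are constructed.

```python
"""Added example, not from the report or FortiOS: how the active route is
chosen when several routes could carry a packet. Routes and addresses are
constructed. The rule follows the text: a route only applies if the
destination lies in its prefix; among candidates the longest prefix wins, and
among routes to the same prefix the lowest distance is the active one."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # entries: (network, gateway, interface, distance)

    def add(self, prefix, gateway, interface, distance=10):
        self.routes.append((ipaddress.ip_network(prefix), gateway, interface, distance))

    def active_routes(self):
        """Routes as they would appear in the table: per prefix only the lowest
        distance survives, and longer prefixes are listed higher."""
        best = {}
        for route in self.routes:
            net = route[0]
            if net not in best or route[3] < best[net][3]:
                best[net] = route
        return sorted(best.values(), key=lambda r: (-r[0].prefixlen, r[3]))

    def lookup(self, destination):
        """Return (gateway, interface) for the route that forwards `destination`."""
        dst = ipaddress.ip_address(destination)
        for net, gateway, interface, _ in self.active_routes():
            if dst in net:
                return gateway, interface
        return None

    def withdraw(self, interface):
        """Drop every route via an interface whose link has gone down, so the
        next-best default route (higher distance) takes over."""
        self.routes = [r for r in self.routes if r[2] != interface]


def dual_wan_demo():
    """Constructed table: two default routes with different distances plus one
    internal network. Returns the next hops before and after wan1 fails."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "203.0.113.1", "wan1", distance=10)   # preferred
    table.add("0.0.0.0/0", "198.51.100.1", "wan2", distance=20)  # backup
    table.add("10.10.0.0/16", "10.0.0.2", "internal", distance=10)
    before = (table.lookup("8.8.8.8"), table.lookup("10.10.5.5"))
    table.withdraw("wan1")
    after = table.lookup("8.8.8.8")
    return before, after


if __name__ == "__main__":
    print(dual_wan_demo())
```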

3.11 DNS (Domain Name System):
A DNS (Domain Name System) server is a service that converts symbolic names to IP addresses.

3.11.1 DNS servers:


Configure a primary DNS server - GUI:
1. Select Network > DNS Servers, and Create New for DNS Database.
2. Select Master as the Type.
3. Select Shadow as the View.
4. The view determines the accessibility of the DNS server. Selecting Public allows external users to
access it.
5. Enter the DNS Zone.
6. Enter the Domain Name for the zone.
7. In the Hostname of Primary Master field, enter the hostname of the DNS server.
8. In the Contact Email Address field, enter the contact address for the administrator.
9. Disable the Authoritative option.
10. Select OK.
11. Enter the DNS entries by selecting Create New.
12. Choose the Type, for example, Address (A).
13. Enter the Hostname, for example web.example.com.
14. Enter the remaining information, which varies depending on the Type selected.
15. Select OK.

3.11.2 Dynamic Routing:

3.11.3 Multicast Forwarding:


RIPv2 uses multicasting to share routing table information, OSPF uses multicasting to send packets
and routing updates, Enhanced Interior Gateway Routing Protocol (EIGRP) uses multicasting to send
routing information to all routers on a network .
Multicast forwarding and RIPv2:

Figure 3.16

3.11.4 Modems
Modems are used to provide Internet access.

3.12 Managing devices


3.12.1 Managing “bring your own device”
You may limit network access for many sorts of personal mobile devices on your network using
FortiOS by performing the following:
• Recognizing and tracking the many sorts of devices that connect to your network.
• Allowing or disallowing particular devices using MAC address-based access control.
• Developing device-specific security policies.
• Using FortiClient devices to enforce endpoint control
3.12.2 Device monitoring
The FortiGate can monitor your networks and collect data on the devices that are connected to them.
The following data is collected:
• MAC address
• IP address
• Operating system
• Hostname
• User name
• When the device was discovered and which FortiGate interface it was detected on
To see this information, go to User & Device > Device Inventory. For additional information,
hover your mouse over the Device column.

Figure 3.17

To configure device monitoring


1. Select Network > Interfaces from the menu bar.
2. Edit the interface on which you want to monitor devices.
3. Turn on Device Detection and, if desired, Active Scanning under Networked Devices.
4. Click OK.
5. Repeat steps 2–4 for each interface that will be used to monitor devices.
To add a device manually
1. Select User & Device > Custom Devices & Groups from the drop-down menu.
2. Select Create New > Device from the drop-down menu.
3. Fill in the following details:
• MAC address
• Additional MACs (other interfaces of this device)
• Alias (required)
• Type of device
• Add the device to Custom Groups if desired.
• Leave a comment if you'd like.
4. Click OK.

Figure 3.18

3.12.3 Device groups


In a security policy, you may define numerous device kinds. You may also create a custom device
group and include it in the policy if you want to include various device kinds to it. This allows you to
define a policy for known devices that differs from the policy for all devices.
To create a custom device group and add devices to it
1. Select User & Device > Custom Devices & Groups from the drop-down menu. The device
groupings are shown in a list.
2. Choose Create New > Device Group from the drop-down menu.
3. Give the new device group a name.
4. Select a device type to add in the Members area. Add other devices by repeating the process.
5. Click OK.
3.12.4 Controlling access with a MAC ACL
To create a MAC ACL to allow only specific devices
1. Go to the network interface or SSID configuration.
2. Expand Advanced under the DHCP Server section.
The DHCP Server must be turned on.
3. Select Create New in MAC Reservation + Access Control and input the MAC Address of a
permitted device.

4. Choose one of the following options in the IP or Action column:
• Assign IP – an IP address is allocated to the device from the DHCP server address range.
• Reserve IP – the IP address you provide is assigned to the device.
5. Repeat steps 3 and 4 for each new MAC address entry.


6. Change the IP or Action of the Unknown MAC Address entry to Block. Devices that aren't on the
list will be disabled.
7. Click OK.
To create a MAC ACL to block specific devices
1. Go to the network interface or SSID configuration.
2. Expand Advanced under the DHCP Server section. The DHCP Server must be turned on.
3. Select Create New in MAC Reservation + Access Control and enter the MAC Address of a device
that needs to be blocked.
4. Select Block in the IP or Action column.
5. Repeat steps 3 and 4 for each device that has to be blocked.
6. Change the IP or Action of the Unknown MAC Address entry to Assign IP.
IP addresses will be assigned to devices that are not in the list.
7. Click OK.
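The decision logic behind the two procedures above, as an added example that is not the report's own code or FortiOS code: each list entry carries one of the three actions (Assign IP, Reserve IP, Block) and the Unknown MAC Address entry decides the fate of devices not on the list. MAC addresses, the address range and the entries are constructed; the MAC normaliser is included because the same address can be written in several notations and a lookup that compares raw strings would miss entries.

```python
"""Added example, not from the report or FortiOS: the decision logic behind
the DHCP "MAC Reservation + Access Control" steps above. Entries are
constructed. Each entry's action mirrors the text: Assign IP hands out an
address from the server's range, Reserve IP always gives the device the
address you chose, and Block refuses it; the Unknown MAC Address entry
decides what happens to devices not on the list (step 6 of each procedure)."""
import ipaddress
import re

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return
    the canonical colon-separated lower-case form, so a lookup cannot be
    sidestepped by writing the same address differently."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAcl:
    def __init__(self, pool_start, pool_end, unknown_action="block"):
        start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        # addresses still available in the DHCP server range (constructed)
        self._free = [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]
        self.entries = {}                     # MAC -> (action, reserved ip or None)
        self.unknown_action = unknown_action  # "block" or "assign"
        self.leases = {}                      # MAC -> ip currently held

    def add(self, mac, action, ip=None):
        mac = normalize_mac(mac)
        if action not in ("assign", "reserve", "block"):
            raise ValueError(action)
        if action == "reserve":
            ip = str(ipaddress.ip_address(ip))
            if ip in self._free:
                self._free.remove(ip)  # a reserved address is never handed to another device
        self.entries[mac] = (action, ip)

    def request(self, mac):
        """Handle a DHCP request from `mac`; return the address given, or None
        when the device is blocked or the range is exhausted."""
        mac = normalize_mac(mac)
        action, ip = self.entries.get(mac, (self.unknown_action, None))
        if action == "block":
            return None
        if action == "reserve":
            self.leases[mac] = ip
            return ip
        if mac in self.leases:  # a known device asking again keeps its lease
            return self.leases[mac]
        if not self._free:
            return None
        ip = self._free.pop(0)
        self.leases[mac] = ip
        return ip


if __name__ == "__main__":
    acl = MacAcl("192.168.1.100", "192.168.1.103")           # constructed range
    acl.add("00:11:22:33:44:55", "assign")
    acl.add("AA-BB-CC-DD-EE-01", "reserve", ip="192.168.1.102")
    print(acl.request("00:11:22:33:44:55"), acl.request("aabb.ccdd.ee01"), acl.request("de:ad:be:ef:00:01"))
```

Because the MAC address is supplied by the client, a MAC ACL is an inventory control rather than authentication; it is most useful alongside the device-type security policies of 3.12.5 and the user authentication of 3.7.1 rather than as the only gate onto the network.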
3.12.5 Security policies for devices
You can use security policies to implement policies based on the type of device.

• Gaming consoles, for example, are unable to connect to the workplace network or the
Internet.
• Although personal tablets and phones can connect to the Internet, they cannot connect to
company servers.
• Laptop computers provided by the company can connect to the Internet and company
servers. Antivirus and web filtering are applied.
• Employee laptop computers have Internet access, although web blocking is in place. They
can also connect to company networks, but only if virus protection software like FortiClient
Endpoint Security is installed.
These policies have been applied for Wi-Fi access to the company network and the Internet, as shown
in the figures below.

Figure 3.19: Device policies for company laptop access to the company network

Figure 3.20: Device policies for Wi-Fi access to the Internet

3.13 System Administration
3.13.1 Administrators
The admin account on the FortiGate is a super administrator account that cannot be deactivated. For certain
functions, more administrators can be added, each with their own user name, password, and set of
access privileges.
The parts that follow will walk you through adding and securing administrator access to a FortiGate:
• Profiles of administrators
• Adding a local administrator
• LDAP authentication for administrators
• Administrator monitoring
• Management access
• Security measures
3.13.1.A Administrator profiles
Administrator profiles specify what a FortiGate administrator can accomplish while signed in. When
you create an administrator account, you must also create an administrator profile that specifies what
the administrator may see. You can give an administrator as much or as little access and
configuration as they need, depending on the nature of their job, their access level, and their
seniority.
Adding a local administrator
To add an administrator - GUI
1. Select System > Administrators from the drop-down menu.
2. Go to File > New > Administrator.
3. Give the administrator a username.
4. Select Local User as the user type.
5. Type in the user's password. This can be a temporary password that the administrator changes
later.
The length of a password can be up to 256 characters.
6. Determine if security settings such as SMS, Two-factor Authentication, Restrict login to trusted hosts, and
Restrict admin to guest account provisioning only are required.
7. Click OK.

3.13.1.B LDAP authentication for administrators


To connect to the FortiGate, administrators can use remote authentication, such as LDAP.
To accomplish this, you must take the following three steps:

• add the LDAP server to a user group
• configure the administrator account
• configure the LDAP server
To configure the LDAP server – GUI
1. Select Create New from User & Device > LDAP Servers.
2. Give your server a name.
3. Type in the IP address or name of the server.
4. Fill in the Distinguished Name and Common Name Identifier.
5. Select Regular as the Bind Type and provide the Username and Password.
6. Click the OK button.
3.13.1.C Monitoring Administrators

The System Information widget on the Dashboard can be used to see who is logged in as an
administrator. The Current Administrator row displays the currently logged-in administrator as well
as the total number of administrators.
You can also use event logging to keep track of what the administrators are doing on the FortiGate.
There are several techniques for tracking configuration changes in event logs.
To set logging – GUI

1. Select Log & Report > Log Settings from the Log & Report menu.
2. Select Customize from the Event Logging menu and make sure System activity event is chosen.
3. Click the Apply button.
3.13.2 Management access

The management access setting determines how administrators can access the FortiGate. In NAT
mode, access is configured for each of the FortiGate's interfaces, and connections are made using the
IP address of the interface. A single management IP address is established to provide access in
transparent mode.
3.13.3 Security precautions
The management computer is one possible point of security compromise. Administrators who keep
their workstations logged into the GUI or CLI for an extended period of time leave the firewall
exposed to misuse.

3.14 Monitoring
The initial step in network administration is to install and configure the FortiGate as the internal
network's defender. The next step is to monitor the system and network traffic after it is up and
running. You can make configuration modifications as needed when a danger or vulnerability is
found.
The following topics are covered in this section:
• Dashboard
• Monitor menus
• Logging
• Alert email
• SNMP
3.14.1 Dashboard
The FortiOS dashboard displays real-time system data in a network operations centre (NOC) view,
with an emphasis on alerts. The dashboard by default shows critical FortiGate information such as
memory and CPU usage, port health, whether they are up or down, and throughput. Widgets allow
you to interact with them.
You may receive more information or follow links to other pages by hovering or clicking on most
widgets.
The dashboard includes the following features:
• Support for multiple dashboards
• Global and VDOM dashboards
• Control over widget resizing
• Notifications displayed in the top header bar
3.14.2 Monitor menus
The Monitor options allow you to view session and policy information as well as other FortiGate unit
activity. To illustrate live activity, the monitors provide details of user activity, traffic, and policy
usage. DHCP, routing, security policies, traffic shaping, load balancing, security features, VPN,
users, and WiFi all have monitors.
3.14.3 Logging
FortiOS has a sophisticated logging environment that allows you to track, store, and report traffic
data and FortiGate events, such as attempted logins and hardware status. You can log to a variety
of different servers depending on your needs.
Go to Log & Report > Log Settings in the GUI to set up logging.
Use the CLI commands under config log <log location> to set up logging.

3.14.4 Alert email
As an administrator, you want to know that you'll be able to respond promptly to problems on your
network or with the FortiGate unit. Alert emails are a quick and easy way to notify an administrator
of important happenings. You may set the threshold for when a problem becomes critical and
requires attention by configuring alert messages. When this limit is reached, the FortiGate unit will
send an email to one or more people informing them of the problem.
To configure alert email - GUI
1. Go to Log & Report > Email Alert Settings.
2. Enter the information:
Email from    fortigate@example.com
Email to      admin1@example.com
              admin2@example.com
Table 3.1

3. For the Interval Time, enter 2.


4. Select Intrusion Detected.
5. Select Apply.
3.14.5 Simple Network Management Protocol
The Simple Network Management Protocol (SNMP) allows you to keep track of your network's
hardware. You can setup hardware, such as the FortiGate SNMP agent, to transmit traps (alarms or
event messages) to SNMP managers and report system information. An SNMP manager, also known
as a host, is a computer that can read incoming trap and event messages from the agent and send out
SNMP queries to the SNMP agents.

3.15 Administration for schools


Maintaining a network and Internet connectivity in a school system is difficult for a system
administrator. If content is not properly controlled and pupils acquire access to pornography and
other nonproductive and potentially dangerous content, there may be legal ramifications. This section
outlines some fundamental procedures that administrators can use.

3.15.1 Security policies


All traffic on all ports and IP addresses is allowed by default in FortiOS security policies. While
using security profiles can help block viruses, detect attacks, and prevent spam, it isn't a complete
security solution. The optimal method is a layered one, with the security policy as the initial layer.
You can research the software utilised and the ports the applications use after you know what the
pupils need to do. If the pupils merely need to access the web, for example, only two ports (80 -
HTTP and 443 - HTTPS) are required to perform their work.
3.15.2 DNS
You should limit the use of DNS by your students. We recommend pointing to an internal DNS
server and allowing only those devices to access port 53.
3.15.3 Encrypted traffic (HTTPS)
Students should not be allowed to visit websites that are encrypted. Because encrypted traffic cannot
be sniffed, it cannot be monitored. Only allow HTTPS traffic when absolutely essential. The majority
of websites that a student needs to visit are HTTP, not HTTPS.
3.15.4 FTP
FTP should not be used by students. Because FTP isn't HTTP or HTTPS, you won't be able to use
URL filtering to control where they travel. This can be regulated by the security policy's destination
IPs. All other FTP addresses will be prohibited if you have a policy that specifies which ones are
allowed.

Figure 3.21: Simple security policy setup
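The following added example (not the report's own code and not FortiOS code) ties together the firewall model of 3.6.1 and the policy layering of 3.15: a first-match policy evaluator in which every policy carries an ACCEPT or DENY action plus optional instructions (logging and source NAT here), applied to the school policy set in which pupils may reach only the internal DNS server on port 53 and the web on 80 and 443, with everything else, FTP and external DNS included, falling to an implicit deny. The student subnet, DNS server address, NAT address and policy names are constructed.

```python
"""Added example, not from the report or FortiOS: a first-match evaluator
for the policy model in 3.6.1 applied to the school policy set of 3.15.
Each policy has an ACCEPT or DENY action plus optional instructions (here,
logging and source NAT). Subnets, addresses and policies are constructed;
anything no policy accepts falls through to an implicit deny."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Policy:
    name: str
    action: str                     # "accept" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protos: tuple = ("tcp", "udp")
    dports: tuple = ()              # empty tuple = any destination port
    log: bool = False               # the "Logging traffic" instruction
    nat: bool = False               # the NAT instruction, applied on accept

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and pkt.proto in self.protos
                and (not self.dports or pkt.dport in self.dports))


class Firewall:
    def __init__(self, policies, nat_ip="203.0.113.10"):
        self.policies = policies   # ordered: the first matching policy decides
        self.nat_ip = nat_ip       # constructed public address used for SNAT
        self.log = []              # constructed log records

    def evaluate(self, pkt):
        """Return (action, policy name, source address after NAT)."""
        for pol in self.policies:
            if pol.matches(pkt):
                if pol.log:
                    self.log.append(f"policy={pol.name} action={pol.action} "
                                    f"src={pkt.src} dst={pkt.dst} dport={pkt.dport}")
                src = self.nat_ip if pol.action == "accept" and pol.nat else pkt.src
                return pol.action, pol.name, src
        # no policy matched: the implicit deny, logged so the gap is visible
        self.log.append(f"policy=implicit-deny action=deny src={pkt.src} "
                        f"dst={pkt.dst} dport={pkt.dport}")
        return "deny", "implicit-deny", pkt.src


def school_policies(students="10.0.10.0/24", internal_dns="10.0.0.53"):
    """Constructed policy set for the school scenario: pupils may query only the
    internal DNS server on port 53 and browse on 80/443; FTP, external DNS and
    everything else is left to the implicit deny."""
    return [
        Policy("students-dns", "accept", src=students, dst=internal_dns + "/32",
               dports=(53,), log=True),
        Policy("students-web", "accept", src=students, protos=("tcp",),
               dports=(80, 443), log=True, nat=True),
    ]


if __name__ == "__main__":
    fw = Firewall(school_policies())
    for pkt in (Packet("10.0.10.5", "10.0.0.53", "udp", 53),
                Packet("10.0.10.5", "8.8.8.8", "udp", 53),
                Packet("10.0.10.5", "93.184.216.34", "tcp", 443),
                Packet("10.0.10.5", "198.51.100.20", "tcp", 21)):
        print(pkt, "->", fw.evaluate(pkt))
```

The order of the policy list matters: a broader accept placed above a narrower deny would shadow it, which is why reviews of a policy table read it top to bottom exactly as the evaluator does.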

Chapter 4
Quality Assurance

4.1 Traffic shaping
Prioritizing higher priority traffic over lower priority traffic is a basic approach to traffic shaping. This
means that lower priority traffic's performance and stability may be reduced in order to increase the
performance and stability of higher priority traffic. The optimal traffic shaping configuration
balances the needs of each traffic flow by taking into account not just your organization's
requirements, but also the robustness and other features of each service.

The ability to modify the quality of your overall network traffic, including techniques like priority-
based queuing and traffic policing, is known as Quality of Service (QoS). Because bandwidth is
limited and some forms of traffic are slow, jitter or packet loss sensitive, bandwidth intensive, or
mission important, QoS can help you optimise the performance of your network's diverse
applications.
The following strategies can be used to build QoS on FortiGate devices:

Technique         Description
Traffic policing  The FortiGate drops packets that don't conform to the configured bandwidth
                  limitations. Note that excessive traffic policing can degrade network
                  performance rather than improve it.
Traffic shaping   The FortiGate ensures that traffic consumes bandwidth at least at the guaranteed
                  rate by assigning a greater priority queue to the traffic if the guaranteed rate
                  isn't being met. The FortiGate also ensures that traffic doesn't consume more
                  bandwidth than the configured maximum bandwidth. Traffic that exceeds the
                  maximum rate is subject to traffic policing.
Queuing           Transmits packets in the order of their assigned priority queue for that physical
                  interface. All traffic in a higher priority traffic queue must be completely
                  transmitted before traffic in lower priority queues is transmitted.
Table 4.1
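To make the three rows of Table 4.1 concrete, the following is an added example (not the report's own code and not FortiOS code) that simulates them in discrete time: a token-bucket policer that drops non-conforming packets on the spot, and a shaper with priority queues that serves each class its guaranteed rate first, hands leftover link capacity to the highest-priority queue, caps each class at its maximum, and polices only what the class queue can no longer absorb. Link rate, class parameters and the offered traffic are constructed.

```python
"""Added example, not from the report or FortiOS: a discrete-time model of
the three techniques in Table 4.1. Rates are packets per tick and the offered
traffic is constructed; policing drops what exceeds the configured rate on
the spot, while shaping with priority queues serves every class its
guaranteed rate first, gives leftover link capacity to the highest-priority
queue, caps each class at its maximum, and polices (drops) only what the
queue can no longer hold."""
from collections import deque


class TokenBucket:
    """`rate` tokens arrive per tick, up to `burst`; a packet consumes one."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def take(self):
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def police(offered, rate, burst):
    """Traffic policing. `offered` lists packets arriving per tick; returns
    (passed, dropped) per tick. Dropped packets are simply gone, which is why
    over-aggressive policing hurts TCP throughput rather than helping it."""
    bucket = TokenBucket(rate, burst)
    passed, dropped = [], []
    for arriving in offered:
        bucket.refill()
        ok = sum(1 for _ in range(arriving) if bucket.take())
        passed.append(ok)
        dropped.append(arriving - ok)
    return passed, dropped


class Shaper:
    """Traffic shaping with priority queuing. `classes` maps a name to
    (guaranteed, maximum, priority); priority 0 is served first."""

    def __init__(self, link_rate, classes, qlen=20):
        self.link_rate = link_rate
        self.classes = classes
        self.queues = {name: deque() for name in classes}
        self.qlen = qlen
        self.sent = {name: 0 for name in classes}
        self.dropped = {name: 0 for name in classes}

    def enqueue(self, name, count):
        queue = self.queues[name]
        for _ in range(count):
            if len(queue) < self.qlen:
                queue.append(1)
            else:
                self.dropped[name] += 1  # queue full: the excess is policed away

    def _send(self, name, count):
        for _ in range(count):
            self.queues[name].popleft()
        self.sent[name] += count
        return count

    def tick(self):
        capacity = self.link_rate
        sent_now = {name: 0 for name in self.classes}
        # pass 1: every class gets its guaranteed rate, whatever its priority
        for name, (guaranteed, _, _) in self.classes.items():
            n = self._send(name, min(guaranteed, len(self.queues[name]), capacity))
            sent_now[name] += n
            capacity -= n
        # pass 2: leftover capacity by priority, never beyond a class's maximum
        for name in sorted(self.classes, key=lambda k: self.classes[k][2]):
            _, maximum, _ = self.classes[name]
            room = max(0, maximum - sent_now[name])
            n = self._send(name, min(room, len(self.queues[name]), capacity))
            sent_now[name] += n
            capacity -= n
        return sent_now


def run_shaper_demo(ticks=5):
    """Constructed scenario: a 10 packets/tick link shared by video (guaranteed 4,
    maximum 8, highest priority) and backup traffic (guaranteed 1, maximum 6,
    low priority) offering 6 and 10 packets per tick respectively."""
    shaper = Shaper(link_rate=10, classes={"video": (4, 8, 0), "backup": (1, 6, 2)}, qlen=20)
    for _ in range(ticks):
        shaper.enqueue("video", 6)
        shaper.enqueue("backup", 10)
        shaper.tick()
    return {"sent": dict(shaper.sent), "dropped": dict(shaper.dropped)}


if __name__ == "__main__":
    print(police([3, 3, 3, 12, 0, 0], rate=4, burst=6))
    print(run_shaper_demo())
```

In the constructed run the video class is sent in full every tick while the backup class, which offers more than its maximum, first fills its queue and then starts losing packets; that is the "traffic that exceeds the maximum rate is subject to traffic policing" row of the table seen from the queue's point of view.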

4.1.1 Configuring traffic shaping


When you configure traffic shaping for your network, you manage the flow of network traffic to
ensure that the traffic you want gets through while simultaneously reducing bandwidth for less
important or bandwidth-hungry activity.
Setting the traffic priority, bandwidth, and DSCP parameters in traffic shapers allows you to control
how traffic flows.

The FortiGate supports the traffic shaping settings listed below. All traffic shaping types can be
combined in various configurations.

Traffic shaping type  Description
Shared policy         • Bandwidth management of security policies
                      • Applies a total bandwidth to all traffic using the shaper
                      • Scope can be per-policy or for all policies referencing the shaper
Per-IP                • Bandwidth management of user IP addresses
                      • Allows you to apply traffic shaping to all source IP addresses in the
                        security policy
                      • Bandwidth is equally divided among the group
Application control   • Bandwidth managed by application

Table 4.2

4.1.3 Monitoring traffic shaping


You may use FortiView's traffic shaping information to keep track of traffic shaping on your
network. FortiView will only contain traffic that passes via forward traffic shapers.
1. Go to FortiView > Traffic Shaping in the FortiGate GUI.

2. Select Table View to get statistics data on traffic shapers. You may see data like the
amount of bytes transferred and received, as well as the number of sessions.

3. Select Bubble Chart to see which resources use the most bandwidth. To see additional
information about a traffic shaper, double-click it. Examine the bandwidth utilisation by sources,
destinations, apps, rules, and sessions to see whether more granular traffic shaping is necessary.
4.1.4 Troubleshooting traffic shaping
Use the troubleshooting techniques below to diagnose traffic shapers and see if they're working
properly.
• Validating network interface Ethernet statistics.
• Viewing detailed information about traffic shapers.
• Examining dropped packets using diagnostic commands.
• Viewing the details of dual traffic shapers in the session list.

4.2 Logging and reporting


FortiOS logging and reporting can help you figure out what's going on in your network and alert you
to particular network behaviour, such as the detection of a virus or IPsec VPN tunnel issues. Logging
and reporting go hand in hand, and can be a useful tool for gathering information as well as
demonstrating network activities to others.
How the FortiGate unit records log messages
The FortiGate unit keeps track of log messages and stores them on a log device in a certain order.
The FortiGate unit records log messages in the following order:
1. The inbound traffic is examined.
2. The FortiGate device executes essential steps during the scanning process while concurrently
recording the activities and results.
3. The log device receives the log messages.
4.2.1 FortiOS features available for logging
4.2.1.A Traffic
The traffic that passes through your FortiGate equipment is recorded in traffic logs. This sort of
logging is also known as firewall policy logging since traffic needs firewall policies to flow
effectively through the unit.
The following is how traffic logging works:

• packet enters an inbound interface with logging enabled (Log Allowed Traffic)
• a possible log packet is sent indicating a match in the firewall policy, such as a URL filter
• traffic log packet is sent, per firewall policy
• packet passes and is routed out an interface
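Traffic and event logs are only useful if something reads them, so the following added example (not the report's own code and not Fortinet code) parses FortiOS-style key=value log messages and runs two simple checks over them: denied sessions per source address from the traffic logs, and repeated failed administrator logins from the event logs. The log lines are constructed for this example and only approximate the real format; field names such as type, subtype, srcip, dstip, action, policyid, user and status are the common ones.

```python
"""Added example, not code from the report or from Fortinet: a parser for
FortiOS-style key=value log messages and two checks run over them, denied
sessions per source address (traffic logs) and repeated failed administrator
logins (event logs). The log lines are constructed for this example and only
approximate the real format."""
import re
from collections import Counter

# Constructed sample: six traffic records and six event records.
SAMPLE_LOGS = """\
date=2024-01-15 time=10:01:02 type="traffic" subtype="forward" srcip=10.0.10.5 dstip=93.184.216.34 dstport=443 proto=6 action="accept" policyid=2
date=2024-01-15 time=10:01:03 type="traffic" subtype="forward" srcip=10.0.10.5 dstip=8.8.8.8 dstport=53 proto=17 action="deny" policyid=0
date=2024-01-15 time=10:01:05 type="traffic" subtype="forward" srcip=10.0.10.5 dstip=198.51.100.20 dstport=21 proto=6 action="deny" policyid=0
date=2024-01-15 time=10:01:07 type="traffic" subtype="forward" srcip=10.0.10.7 dstip=10.0.0.53 dstport=53 proto=17 action="accept" policyid=1
date=2024-01-15 time=10:01:09 type="traffic" subtype="forward" srcip=10.0.10.7 dstip=203.0.113.9 dstport=445 proto=6 action="deny" policyid=0
date=2024-01-15 time=10:01:11 type="traffic" subtype="forward" srcip=10.0.10.5 dstip=203.0.113.9 dstport=23 proto=6 action="deny" policyid=0
date=2024-01-15 time=10:02:00 type="event" subtype="system" logdesc="Admin login failed" action="login" status="failed" user="admin" srcip=192.0.2.77
date=2024-01-15 time=10:02:04 type="event" subtype="system" logdesc="Admin login failed" action="login" status="failed" user="admin" srcip=192.0.2.77
date=2024-01-15 time=10:02:09 type="event" subtype="system" logdesc="Admin login failed" action="login" status="failed" user="admin" srcip=192.0.2.77
date=2024-01-15 time=10:02:13 type="event" subtype="system" logdesc="Admin login failed" action="login" status="failed" user="admin" srcip=192.0.2.77
date=2024-01-15 time=10:02:30 type="event" subtype="system" logdesc="Admin login failed" action="login" status="failed" user="ops" srcip=10.0.0.15
date=2024-01-15 time=10:02:45 type="event" subtype="system" logdesc="Admin login successful" action="login" status="success" user="admin" srcip=10.0.0.15
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split one key=value line into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def parse_logs(text):
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def denied_sessions_by_source(records):
    """Count traffic records with action=deny per source address; a source that
    keeps hitting denies is either misconfigured or probing the policy set."""
    return Counter(r["srcip"] for r in records
                   if r.get("type") == "traffic" and r.get("action") == "deny")


def failed_admin_logins(records, threshold=3):
    """Return {(user, srcip): count} for failed admin logins reaching `threshold`."""
    counts = Counter((r["user"], r["srcip"]) for r in records
                     if r.get("type") == "event" and r.get("action") == "login"
                     and r.get("status") == "failed")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(denied_sessions_by_source(recs))
    print(failed_admin_logins(recs))
```

Keying the login check on (user, source address) rather than on the user alone separates one administrator mistyping a password from repeated attempts arriving from an address that should not be reaching the management interface at all, which is the case the trusted-hosts restriction in 3.13.1.A exists to prevent.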

4.2.1.B Sniffer

The Sniffer log records all traffic that flows via a specific interface that has been configured to
operate as a One-Armed Sniffer, allowing it to be inspected independently from the other Traffic
logs.

4.2.1.C Event
Event logs help you in the following ways:
• keeping track of changes to configuration settings
• IPsec negotiation, SSL VPN and tunnelling activity
• quarantine events, such as banned users
• system performance
• HA notifications and events
• firewall authentication events
• wireless events on models equipped with WiFi
• L2TP, PPP and PPPoE activity, including modem events
• VIP (virtual IP) activity
• AMC disk bypass mode
• VoIP activity using the SIP and SCCP protocols


4.2.1.D Traffic shaping
The traffic shaping, per-IP traffic shaping and reverse-direction traffic shaping settings applied
by a firewall policy are recorded in that policy's traffic log messages.

With this logging enabled, you can see which traffic shaping, per-IP traffic shaping and
reverse-direction traffic shaping parameters were applied to each session.

4.2.1.E Data Leak Prevention

DLP logs, or Data Leak Prevention logs, contain important information about sensitive data trying
to pass through your network, as well as unwanted data trying to enter it. The DLP rules in a DLP
sensor can log the following kinds of traffic:

• email (SMTP, POP3 or IMAP; with SSL content inspection, also SMTPS, POP3S and IMAPS)
• HTTP
• HTTPS
• FTP
• NNTP
• instant messaging

4.2.1.F Media Access Control (MAC) address

MAC address logs record the MAC addresses the FortiGate unit sees on the network, as well as those
that have been removed. These messages are stored in the event log (subtype network; visible under
Log & Report > System Events) and are disabled by default; they are enabled from the CLI.

4.2.1.G Web filter

Web filter logs record HTTP traffic that is subject to a web filter profile. These entries give
useful and detailed information about that specific kind of network activity.

Web filtering activity should be logged because it can tell you:
• what types of websites employees are visiting
• how often users attempt to access banned websites
• network congestion caused by many employees accessing the Internet at the same time
• web-based threats introduced by users visiting non-business-related websites

4.2.1.H Email filter

Email filter logs, also known as spam filter logs, record information about the content of email
messages, for example that a message matched an email filter profile and was classified as spam.

An email filter log is written only when the FortiGate unit detects a match in the email filter
profile and logging is enabled within that profile.

4.3 Bug Issues

4.3.1 Device Manager

4.3.2 FortiView

4.3.3 Log View

4.3.4 Others

4.3.5 Reports

4.3.6 System Settings
