Final Year Project Report
Secure SD-WAN
MCS (Computer Science), Batch 2020
Project Advisor: Dr. Muhammad Saeed
Submitted by: Safia Shabbir, Hina Jameel, Hina Saeed and Erum Saleem
Preface
ACKNOWLEDGMENTS
First and foremost, I would like to thank our Almighty Allah for providing me the strength, courage
of conviction and the strong sense of dedication to my project that enabled me to take it to the level
that it has achieved today. Undoubtedly, I would not be here now if it were not for His Mercy
and Blessings.
This work would have been impossible without the copious amounts of help, patience and
encouragement from my kind supervisor Dr. Muhammad Saeed. I would like to thank him for
teaching me so much and for inspiring me with his example of hard work, and for providing great help and
key information throughout the time required for the completion of this project report. I would also
like to give very special thanks to Mr. Nadeem for his valuable support in the requirement analysis of this
project. I would also like to thank the entire faculty for their able support and
encouragement, which enabled me to complete my project report.
To my family, thank you for letting me do what I want to do and supporting my decisions, as crazy as
they may be. You are always there for me. My deepest love and gratitude go to my father and
mother, who played such a vital role all through my life by always placing my interests ahead of
theirs. This project work is dedicated to my parents: thank you for seeing me through every step of
the way, for praying for me and with me during times of trouble, and for rejoicing with me over
every little triumph. During my studies my family constantly provided me the hope that I needed to
complete my higher education. Thanks also to all the other members of my family and friends whose love
and prayers are with me all the time.
DECLARATION
We hereby declare that this project report is based on our original work except for citations and
quotations, which have been duly acknowledged. We also declare that it has not been previously or
concurrently submitted for any other degree or award at the University of Karachi or any other institution.
CERTIFICATE
I certify that this project report entitled "Secure SD Wan" was prepared by Safia Shabbir, Hina
Jameel, Hina Saeed and Erum Saleem has met the required standard for submission in partial
fulfillment of the requirements for the award of Masters in Computer Science at University of
Karachi.
Approved by,
Signature: _________________________
Date: ___________________________
COPYRIGHT
The copyright of this report belongs to the author under the terms of the Copyright Act 1987 as
qualified by Intellectual Property Policy of Sir Syed University of Engineering and Technology. Due
acknowledgement shall always be made of the use of any material contained in, or derived from, this
report.
DEDICATION
All thanks and gratitude is due only to ALLAH, the most gracious, the most merciful and the most
beneficial, who bestowed upon me enlightenment, courage and energy to undertake and complete
this project.
Dedicated to My
I thank them, pray for them and promise them to do whatever is within my power to comfort them and
promote their good mission for the noble cause of spreading education and the development of human
beings. They have served me with their best efforts and have brought me up to be the person I am
today; may Almighty Allah bless them.
ABSTRACT
Over the past several years, Software Defined Networking (SDN) has emerged as a new and promising
paradigm for the management of computer networks. While we have seen many use-cases and deployments
of SDN in data center networks, wide-area networks still heavily rely on legacy routing and traffic
engineering technologies. Rapidly increasing traffic demands (mainly due to increasing usage of video
streaming and voice over LTE deployments), however, motivate the development of novel routing and more
efficient traffic engineering mechanisms.
New approaches leveraging an SDN paradigm in wide-area networks promise to mitigate many of today's
limitations, inefficiencies, and scalability issues. In this report, we give an overview of the current state of the
art in Software Defined Wide-Area Networking research and technologies, give directions, and discuss
ideas for future work.
Table of Contents
Statement of Submission
ACKNOWLEDGMENTS
CERTIFICATE
DEDICATION
ABSTRACT
Table of Contents
Chapter 1: Introduction
1.1 OVERVIEW
1.2 AIM AND OBJECTIVES
1.2.1 Enhanced safety
1.2.2 A more enjoyable application experience
1.2.3 Provisioning from a central location
1.2.4 Greater adaptability and flexibility
1.3 SCOPE AND LIMITATION
1.3.2 The Architecture of the SD-WAN
Chapter 2: Requirements
2. SD-WAN Requirements
Chapter 3: Design and Implementation
3.1 Configuring SD-WAN
3.1.1 SD-WAN specifications
3.1.2 SD-WAN setup in its most basic form
3.1.3 Setting up a simple SD-WAN deployment
3.1.4 Removing existing configuration references to interfaces
3.1.5 Creating SD-WAN interfaces
3.1.6 Configuring SD-WAN load balancing
3.1.7 Creating a static route for the SD-WAN interface
3.1.8 Configuring security policies for SD-WAN
3.1.9 Configuring SD-WAN rules
3.2 Monitoring SD-WAN
3.2.1 Monitoring SD-WAN link usage
3.2.2 Monitoring SD-WAN traffic routing
3.2.3 Monitoring SD-WAN link quality status
3.2.4 Monitoring system event logs
3.2.5 Verifying SD-WAN traffic routing
3.2.6 Applying traffic shaping to SD-WAN traffic
3.3 Viewing SD-WAN information in the Fortinet Security Fabric
3.4 High availability
3.5 Firewall concepts
3.5.1 What is a firewall?
3.7 Security Profiles
3.7.1 Authentication
3.7.1.A What is Authentication?
3.7.1.B Methods of authentication
3.7.1.C Types of authentication
3.7.1.D Administrator's view of authentication
3.8 IPsec VPN
3.8.1 IPsec VPN concepts
3.8.2 VPN tunnels
3.9 SSL VPN
3.9.1 SSL VPN modes of operation
3.9.1.A Tunnel mode
3.9.1.B Port forwarding mode
3.9.2 SSL VPN best practices
3.9.2.A Tunnel mode
3.9.2.B Web mode
3.9.3 Basic configuration
3.9.4 SSL VPN web portal
3.10 Networking
3.10.1 Interface
3.10.1.A Aggregate interfaces
3.10.1.B On an interface, the DHCP addressing mode
3.10.1.C Interface configuration and settings
3.10.1.D Routing
3.11 DNS (Domain Name System)
3.11.1 DNS servers
3.11.2 Dynamic Routing
3.11.3 Multicast Forwarding
3.11.4 Modems
3.12 Managing devices
3.12.1 Managing "bring your own device"
3.12.2 Device monitoring
3.12.3 Device groups
3.12.4 Controlling access with a MAC ACL
3.12.5 Security policies for devices
3.13 System Administration
3.13.1 Administrators
3.13.1.A Administrator profiles
3.13.1.B LDAP authentication for administrators
3.13.1.C Monitoring Administrators
3.13.2 Management access
3.13.3 Security precautions
3.14 Monitoring
3.14.1 Dashboard
3.14.2 Monitor menus
3.14.3 Logging
3.14.4 Alert email
3.14.5 Simple Network Management Protocol
3.15 Administration for schools
3.15.1 Security policies
3.15.2 DNS
3.15.3 Encrypted traffic (HTTPS)
3.15.4 FTP
Chapter 1
Introduction
1. INTRODUCTION
1.1. OVERVIEW
SD-WAN is a virtual interface made up of a collection of member interfaces that can be
connected to a variety of link types. The SD-WAN interface combines all physical member
interfaces into a single virtual interface. SD-WAN makes network configuration easier by
allowing you to set up a single set of routes and firewall policies that are applied to all member
interfaces. You can also set up numerous parameters for selecting the optimal links for your
network traffic.
One of the key motivators for deploying SD-WAN is effective use of multiple WAN links: load
balancing methods such as bandwidth usage, session count and application-aware routing keep your
business-critical applications highly available.
1.3 SCOPE AND LIMITATION
Despite the fact that network virtualization and SDN are relatively new technologies, International
Data Corporation (IDC) predicts that the SDN market will grow at a rate of 25% year over year until
2021, and that SDN is now moving from the early adopter to the early mainstream stage of
development.
Organizations should expect these benefits in today's more competitive climate, in which flexibility and
agility are key. However, the benefits rely on the organization having administrative control over the
underlying infrastructure. So what happens when it does not, as is the case with current Wide Area
Networks (WANs) that are managed by service providers?
1.3.2 The Architecture of the SD-WAN
The architecture of SD-WAN can be divided into two types:
(1) On-premises: An on-prem-only SD-WAN design is what it sounds like. The organization places an
SD-WAN box (essentially a plug-and-play appliance) at each site, which performs real-time traffic
shaping locally, as shown in Figure 5.
Benefits:
• Lower or zero monthly SD-WAN cloud-enablement bandwidth costs.
• Multi-circuit/ISP load balancing.
• Real-time traffic shaping, improving the performance of all WAN applications.
• Improved disaster recovery (DR) through better network redundancy.
(2) Cloud-enabled: In a cloud-enabled SD-WAN architecture, the solution pairs an on-site SD-WAN box
with a cloud (virtual) gateway, as shown in Figure 6. With this architecture an organization gets the
advantages of the on-prem-only design (real-time traffic shaping and multi-circuit load
balancing/failover) plus increased performance and reliability for its cloud applications. The cloud
gateway connects directly to the major cloud providers (for example Office 365, AWS and Salesforce),
which improves the overall performance of those applications. Moreover, if an organization's Internet
circuit fails while a cloud application is in use, the gateway can keep the cloud session active while
the circuit is down: if the organization has a second Internet circuit, the SD-WAN immediately re-routes
the cloud application over it, so a single session is not interrupted.
Benefits:
• Cloud gateways, improving the performance and reliability of cloud applications.
• Multi-circuit/ISP load balancing.
• Real-time traffic shaping, improving the performance of all WAN applications.
• Improved DR through better network redundancy.
Figure 1.2
Chapter 2
Requirements
2. SD-WAN Requirements
The key components of an SD-WAN solution center around application awareness, visibility and
performance. An SD-WAN solution must generally provide the following types of functionality:
In addition, modern SD-WAN solutions have evolved to offer even broader capabilities, including:
• Dynamic path selection and the ability to load balance across multiple WAN connections.
Chapter 3
Design
3.1 Configuring SD-WAN
Secure SD-WAN can be deployed in a variety of ways, depending on your organization's network
and the technology you wish to use.
3.1.1 SD-WAN specifications
A FortiGate SD-WAN deployment has the following specifications:
• Only one SD-WAN interface is allowed per VDOM.
• SD-WAN configuration for IPv6 is supported in the CLI.
• Up to 4000 link health monitors are supported, both globally and per VDOM.
• Up to 4000 SD-WAN rules are supported, both globally and per VDOM.
3.1.2 SD-WAN setup in its most basic form
What are the most important prerequisites for a successful SD-WAN implementation?
A successful SD-WAN implementation is built on four pillars that must be fully understood at the
start of the project:
• Business-critical applications, their requirements and their interrelationships.
• The security requirements.
• Site connectivity and each location's relative priority.
• The price and availability of circuits.
3.1.4 Removing existing configuration references to interfaces
Any current configuration references to interfaces that you want to use as SD-WAN members should
be removed or redirected. The default Internet access policy offered with various FortiGate models is
an example of this. This must be done before the interfaces may be configured as SD-WAN
members.
You won't have to establish the routes and policies again if you redirect them to other interfaces.
After you've set up SD-WAN, you'll need to change the routes and policies to point to the SD-WAN
interface.
Figure 3.1: Interfaces
3.1.6 Configuring SD-WAN load balancing
Specify the SD-WAN load balancing method that you want the FortiGate to use for all Internet
traffic between SD-WAN interface members.
Specify the SD-WAN load balancing method – GUI
1. Go to Network > SD-WAN Rules.
2. Select the rule named sd-wan and select Edit.
The load balancing options are displayed.
3. In the Load Balancing Algorithm field, select one of the available algorithms.
4. Click OK.
Figure 3.3 SD-WAN
3.1.7 Creating a static route for the SD-WAN interface
The FortiGate adds a virtual SD-WAN interface to the interface list once you create an SD-WAN interface.
You can create routes that use this SD-WAN interface.
You must set a default route for the SD-WAN interface. Because the FortiGate forwards packets to the
appropriate gateway based on the gateway configured on each SD-WAN member interface, you do not need
to specify a gateway address for the default route that uses the SD-WAN interface.
3.1.8 Configuring security policies for SD-WAN
The FortiGate adds a virtual SD-WAN interface to the interface list once you create an SD-WAN
interface. You can reference this SD-WAN interface in security policies.
A security policy that allows traffic from your organization's internal network to reach the SD-WAN
interface must be configured. Because security policies configured with the SD-WAN interface apply
to all SD-WAN member interfaces, you do not need to create separate security policies for individual
SD-WAN member interfaces.
Configure security policies for SD-WAN – GUI
1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New.
3. In the Name field, enter a name for the policy.
4. Set Incoming Interface to the interface that connects to your organization’s internal network.
5. In the Outgoing Interface field, select the SD-WAN interface from the drop-down menu.
6. In the Source field, select +. In the Select Entries window, select all. Select Close.
7. In the Destination field, select +. In the Select Entries window, select all. Select Close.
8. In the Schedule field, select always from the drop-down menu.
9. In the Service field, select +. In the Select Entries window, select ALL. Select Close.
10. In the Action field, select ACCEPT.
11. In the Firewall/Network Options section, set the following:
    Enable NAT.
    In the IP Pool Configuration field, select Use Outgoing Interface Address.
12. In the Security Profiles section, apply AntiVirus, Web Filter, DNS Filter, Application Control and
SSL Inspection profiles, as required.
13. In the Logging Options section, set the following:
    Enable Log Allowed Traffic and select All Sessions. This allows you to verify the results later.
    Enable the Enable this policy option.
14. Select OK.
If you previously removed or redirected existing references in security policies to interfaces that you
wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the
SD-WAN interface.
3.1.9 Configuring SD-WAN rules
SD-WAN rules allow you to specify which traffic should be routed through which interface (ISP). This gives
you a lot of options when it comes to configuring the FortiGate's traffic routing. You can, for example,
route Netflix traffic from specified authenticated users through one ISP while the rest of your Internet
traffic is routed through a different ISP.
You may set up the rules to match traffic based on a variety of characteristics, such as source and destination
IP addresses, users and user groups, services (protocol and port) and applications.
When traffic is matched to a rule, the rule specifies which egress interface the traffic will use.
To identify the egress interface, SD-WAN rules can be configured to employ one of the following strategies:
• Manual: a fixed member interface chosen by the administrator.
• Best quality: the member with the best measured link quality (latency, jitter, packet loss or a combination).
• Lowest cost (SLA): the cheapest member that currently meets the configured SLA thresholds.
The FortiGate evaluates SD-WAN rules from top to bottom and uses the first match. SD-WAN rules are treated as
policy routes in the routing table, and they take precedence over other routes.
If traffic matches none of the SD-WAN rules, the FortiGate falls back on the implicit rule sd-wan, which is
generated automatically when SD-WAN is enabled. The sd-wan rule distributes traffic according to the configured
SD-WAN load balancing algorithm.
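The CLI form of the whole procedure in 3.1.4 to 3.1.9, as an added example that is not part of the report or of Fortinet's documentation. It uses FortiOS 6.2 syntax (`config system virtual-wan-link`; later releases renamed this `config system sdwan`). The interface names wan1 and wan2, the gateway and probe addresses, the LAN subnet 10.13.101.0/24 and the SIP port range are assumptions. Note the security policy: followed literally, the GUI steps above select source "all", destination "all" and service "ALL", which is an any-to-Internet allow rule; the policy below scopes the source to the LAN and the services to what the rule actually needs.

```fortios
# Added example (not from the report): CLI form of the GUI procedure in
# 3.1.4 to 3.1.9. FortiOS 6.2 syntax; interface names, addresses, the LAN
# subnet and the SIP ports are assumptions.

# 1. Members (3.1.5). Any route or policy still referencing wan1/wan2
#    directly must be removed or re-pointed first (3.1.4) or this is rejected.
config system virtual-wan-link
    set status enable
    # Algorithm used by the implicit "sd-wan" rule (3.1.6): one ISP per source IP.
    # Others: weight-based, usage-based (spillover), source-dest-ip-based, measured-volume-based.
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set cost 0
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            set cost 10                  # dearer link, used when wan1 misses its SLA
        next
    end
    # 2. Link health monitor: the latency/jitter/loss figures monitored in 3.2.3.
    config health-check
        edit "internet-probe"
            set server "198.51.100.53"   # assumed probe target reachable via both ISPs
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
    end
    # 3. Explicit rule (3.1.9), matched top-down before the implicit rule:
    #    SIP from the LAN takes the cheapest member that meets SLA 1.
    config service
        edit 1
            set name "sip-lowest-cost-sla"
            set mode sla
            set protocol 17
            set start-port 5060
            set end-port 5061
            set src "LAN_NET"
            set dst "all"
            config sla
                edit "internet-probe"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# 4. Default route via the SD-WAN interface (3.1.7). No gateway here: each
#    member supplies its own.
config router static
    edit 1
        set virtual-wan-link enable
        set distance 1
    next
end

config firewall address
    edit "LAN_NET"
        set subnet 10.13.101.0 255.255.255.0   # assumed internal subnet
    next
end

# 5. Security policy (3.1.8). Followed literally, the GUI steps give
#    srcaddr "all", dstaddr "all", service "ALL": an any-to-Internet allow.
#    Scope the source to the LAN and the services to what is actually needed.
config firewall policy
    edit 1
        set name "LAN-to-SDWAN"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS" "SIP"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set logtraffic all               # "Log Allowed Traffic: All Sessions"
        set nat enable                   # "Use Outgoing Interface Address"
    next
end
```

The SD-WAN rule and the firewall policy are evaluated independently: the policy decides whether the session is allowed and which inspection profiles apply, the rule only decides which member carries it. A session the policy denies never reaches rule evaluation, and a rule cannot open traffic the policy does not already permit.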
3.2 Monitoring SD-WAN
3.2.1 Monitoring SD-WAN link usage
The SD-WAN usage monitor shows traffic distribution between SD-WAN member interfaces in real
time. You can view traffic distribution by bandwidth, volume and sessions.
Monitor SD-WAN link usage – GUI
1. Go to Monitor > SD-WAN Monitor.
2. Select one of the following:
    Bandwidth: shows the traffic distribution percentage by bandwidth for each interface
    Volume: shows the traffic distribution percentage by volume of sessions for each interface
    Sessions: shows the traffic distribution percentage by number of sessions for each interface
3. Select Apply.
3.2.2 Monitoring SD-WAN traffic routing
You can see which applications are going through which destination interface in FortiView.
Monitor SD-WAN traffic routing – GUI
1. Go to FortiView > All Sessions.
2. View the information in the Destination Interface column.
3.2.3 Monitoring SD-WAN link quality status
You should monitor the link quality status of SD-WAN member interfaces, since link quality plays a
significant role in link selection for SD-WAN. Investigate any prolonged issues with packet loss, latency
and jitter to ensure that your network does not experience degraded performance or an outage.
3.2.4 Monitoring system event logs
A FortiGate generates system event logs when an SD-WAN member interface route is added to or
removed from the
routing table. You can use system events to investigate any route failovers.
Monitor system event logs – GUI
1. Go to Log & Report > System Events.
2. Use information in system event logs related to SD-WAN to investigate issues.
3.2.5 Verifying SD-WAN traffic routing
You can verify that traffic is exiting the FortiGate through the SD-WAN member interfaces as
configured.
Verify SD-WAN traffic routing - GUI
1. Go to Log & Report > Forward Traffic.
2. Use information in the Destination Interface column to verify that traffic is routing correctly
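CLI checks that pair with the GUI monitors in 3.2.1 to 3.2.5, as an added example not taken from the report. FortiOS 6.2 syntax is assumed, as are the health-check name `internet-probe` and the SIP destination port used in the sample session filter; the comments describe what each command reports, not captured output.

```fortios
# Added example (not from the report): CLI counterparts of the SD-WAN monitors.
# FortiOS 6.2 syntax; "internet-probe" and port 5060 are assumptions.

# Per-member latency, jitter and packet loss, and whether each SLA target is
# currently met. A member shown as dead has been withdrawn from routing, which
# is the route change that produces the system event described in 3.2.4.
diagnose sys virtual-wan-link health-check internet-probe

# Member state, gateway and configured cost (3.2.1).
diagnose sys virtual-wan-link member

# Rule evaluation (3.1.9): for every rule, the ordered member list it currently
# resolves to. New sessions matching the rule use the first entry.
diagnose sys virtual-wan-link service

# The SD-WAN default route from 3.1.7 appears as one static route whose next
# hops are the member gateways; a member removed by the health check is absent.
get router info routing-table static

# Confirm where a live session actually left (3.2.5). In each session entry the
# "dev" pair names the ingress and egress interface indexes, so a SIP session
# should show the member the rule selected, not the implicit-rule member.
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session list
```

Run the health-check command before and after pulling a WAN cable: the member should pass through failtime (five missed probes at the 500 ms interval) before it is marked dead, and recoverytime probes before it returns, which bounds how long traffic keeps flowing into a dead link.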
3.2.6 Applying traffic shaping to SD-WAN traffic
SD-WAN traffic can be subjected to traffic shaping.
If an application is required but you do not want it to consume too much bandwidth, you can set a
bandwidth limit for it rather than blocking it entirely. You can, for example, limit storage and backup
applications while leaving enough bandwidth for more critical activities such as video conferencing.
3.4 High availability
Because all traffic travels through it, the security gateway is an essential component of most
networks. A single network security gateway is a single point of failure: a variety of software or hardware
faults can render the device inoperable and halt all network traffic.
An FGCP (FortiGate Clustering Protocol) cluster appears to your network as a single FortiGate operating in
NAT or transparent mode, and configuration synchronisation allows you to configure a cluster in the same
way as a standalone FortiGate. If a failover happens, the cluster recovers quickly and automatically, while also
notifying administrators so that the fault that caused the failure can be fixed and any failed equipment
can be restored.
Figure 3.8
In a FortiGate Session Life Support Protocol (FGSP) deployment, session failover happens when one of the
FortiGates fails and active sessions are transferred to the unit that is still operational, so established
sessions are not dropped. External load balancers or routers also notice the failover and redistribute all
sessions to the still-running unit.
External routers or load balancers handle load balancing and session failover, not the FGSP. The
FortiGates only perform session synchronisation, which is what allows sessions to fail over without being lost.
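An FGCP active-passive cluster configuration, as an added example not taken from the report (FortiOS 6.2 syntax). The group name, password, heartbeat ports, monitored interfaces and management gateway are assumptions. One point the text above glosses over: sessions survive a failover only if session pickup is enabled, and it is not enabled by default. Without it the secondary takes over the cluster's addresses but has no session table, so every established TCP session is reset and must be re-opened by the client.

```fortios
# Added example (not from the report): FGCP active-passive pair for the
# SD-WAN edge. FortiOS 6.2 syntax; names, ports and addresses are assumptions.
# Apply on both units (same model and firmware); the primary gets the higher priority.
config system ha
    set group-name "sdwan-edge"
    set mode a-p
    set password "use-a-long-random-secret"   # authenticates heartbeat packets between members
    set hbdev "ha1" 50 "ha2" 50               # two dedicated heartbeat links, never shared with traffic
    set session-pickup enable                 # synchronise TCP sessions; without this failover resets them
    set session-pickup-connectionless enable  # also carry UDP/ICMP sessions, e.g. the SIP/RTP flows above
    set monitor "internal" "wan1" "wan2"      # link loss on any of these triggers failover
    set override disable                      # returning old primary does not force a second switchover
    set priority 200                          # set 100 on the secondary unit
    set ha-mgmt-status enable                 # per-member management address for reaching either unit
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.13.101.1
        next
    end
end
```

Because the heartbeat password is the only thing that stops a rogue device on a heartbeat segment from joining the cluster and receiving the synchronised configuration, keep the ha1/ha2 links point-to-point and treat that password like any other device credential.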
3.5 Firewall concepts
Before getting into the mechanics of how the FortiGate firewall works, there are a few core ideas that
must be understood. Some of these ideas are common across the firewall market, while others are
unique to more complex firewalls like the FortiGate. Having a firm grasp of these concepts and terms
will help you make better decisions.
You will have a better understanding of what your FortiGate firewall can do and how it will fit into
your network's design.
Figure 3.9
3.5.1 What is a firewall?
A firewall, which can be software- or hardware-based, is used to assist secure a network. Its main
goal is to manage incoming and outgoing network traffic by examining data packets and deciding
whether or not they should be allowed through based on a set of rules. A firewall connects an internal
network, which is presumed to be secure and trustworthy, to another network, usually an external
(inter)network, such as the Internet, which is not presumed to be secure and trustworthy.
A FortiGate firewall policy can carry a number of instructions in addition to the ACCEPT or DENY
action, some of which are optional. Instructions on how to process the traffic can include:
• Logging traffic
• Authentication
• Network Address Translation or Port Address Translation
• Use of Virtual IPs or IP Pools
• Caching
• Whether the source of the traffic is matched on address, user, device or a combination
• Whether to treat the traffic as regular traffic or IPsec traffic
• What certificates to use
• Security profiles to apply
• Proxy options
• Traffic shaping
Types of firewalls include:
• Next-generation firewalls (NGFW)
• Proxy firewalls
• Network address translation (NAT) firewalls
• Stateful multilayer inspection (SMLI) firewalls
3.7 Security Profiles
FortiGate provides security features to protect your network from threats. Taken together, these features,
when included in a single Fortinet security appliance, are referred to as Security Profiles.
Security Profiles cover the following areas: traffic inspection, content inspection and filtering, the
security profile components (profiles, lists and sensors), and cloud-based file sharing services.
3.7.1 Authentication
Identifying users and other computers—authentication—is a key part of network security. This
section describes some basic elements and concepts of authentication.
The following topics are included in this section:
What is authentication?
Methods of authentication
Certificate-based authentication
Two-factor authentication
a database that contains the username and password of each person who is permitted access. The
process of setting up authentication is as follows:
1. If remote or external authentication is needed, configure the required servers.
2. Configure local and peer (PKI) user identities. For a local user, you can choose whether the
FortiGate unit or a remote authentication server verifies the password.
3. Create user groups.
4. Add local/peer user members to each user group as appropriate. You can also add an authentication
server to a user group; in this case, all users in the server's database can authenticate. Peer user groups
can only be configured through the CLI.
5. Configure security policies and VPN tunnels that require authenticated access.
3.8.2 VPN tunnels
The data path between a user's computer and a private network through a VPN is referred to as a
tunnel. Like a physical tunnel, the data path is accessible only at its two ends.
Figure 3.11
Figure 3.13
3.9 SSL VPN
3.9.2.A Tunnel mode:
In tunnel mode, the SSL VPN client encrypts all traffic from the remote client computer and sends it
to the FortiGate through an SSL VPN tunnel over the HTTPS connection between the user and the
FortiGate.
3.9.2.B Web mode:
Web mode provides clientless network access using a web browser with built-in SSL
encryption. Users authenticate to the FortiGate's SSL VPN web portal, which provides access to
network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP and
SSH.
3.9.3 Basic configuration:
Configuring SSL VPN involves a number of settings within FortiOS that you need to complete to make
it all work together. This section describes the components required, and how and where to configure
them, to set up the FortiGate unit as an SSL VPN server.
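A minimal SSL VPN server configuration for the two modes above, as an added example not taken from the report (FortiOS 6.2 syntax). The interface, portal, group, pool and address names are assumptions, and `corp-ldap` stands for an LDAP server defined separately under `config user ldap`. `Fortinet_Factory` is the factory self-signed certificate and is named here only as the placeholder to replace with a CA-issued certificate: a portal that trains users to click through a certificate warning cannot be told apart from a phishing copy of itself.

```fortios
# Added example (not from the report): SSL VPN server with tunnel and web
# access. FortiOS 6.2 syntax; names and addresses are assumptions.
config firewall address
    edit "SSLVPN_POOL"                      # addresses handed to tunnel-mode clients
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
config user group
    edit "sslvpn-users"
        set member "corp-ldap"              # assumed LDAP server; only its members may log in
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"       # placeholder: install and name a CA-issued certificate
    set tunnel-ip-pools "SSLVPN_POOL"
    set source-interface "wan1"             # listen on one WAN member only
    set source-address "all"                # tighten to known client ranges where the user base allows
    set default-portal "web-access"         # anyone not matched below gets the least-capable portal
    set port 10443                          # keep the VPN listener off the administrative HTTPS port
    set idle-timeout 300
    set auth-timeout 28800
    set login-attempt-limit 3               # lock out password guessing for login-block-time seconds
    set login-block-time 60
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"        # tunnel mode plus web portal for authenticated group members
        next
    end
end
# Tunnel traffic is still firewalled: only this group, only to the named servers.
config firewall policy
    edit 10
        set name "sslvpn-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "INTERNAL_SERVERS"      # assumed address group of the services users need
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP" "SMB"
        set logtraffic all
    next
end
```

The two places a practitioner reviews first are `source-address` and the policy's destination: "all" on the listener means every Internet host may attempt authentication against your directory, and a destination of "all" on the policy turns a remote-access VPN into a flat extension of the LAN.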
3.9.4 SSL VPN web portal:
Figure 3.14
Figure 3.15
3.10 Networking
3.10.1 Interface:
Configure protocols for administrative access to an interface – GUI
1. Go to Network > Interfaces.
2. Select Edit for the interface you wish to configure administrative access for.
3. In the Administrative Access section, select the protocols that administrators may use to reach the
FortiGate on this interface.
4. Click OK.
3.10.1.A Aggregate interfaces:
To create an aggregate interface – GUI
1. Go to Network > Interfaces and select Create New > Interface.
2. Enter a name for the interface, for example Aggregate.
3. Select 802.3ad Aggregate as the Type.
If this option is not present, the FortiGate model does not support aggregate interfaces.
4. In the Interface Members field, click Add and select the member ports, for example ports 4, 5 and 6.
5. Set the Addressing mode to Manual.
6. Enter the IP address and netmask, for example 10.13.101.100/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.
3.10.1.B On an interface, the DHCP addressing mode:
When the addressing mode of a FortiGate interface is set to DHCP, the FortiGate acts as a DHCP client
and broadcasts a DHCP request from that interface to obtain its address.
DHCP server configuration
A DHCP server, by contrast, is added to an interface that already has a manual (static) address. Go to
Network > Interfaces, edit the interface, and enable the DHCP Server option.
3.10.1.C Interface configuration and settings:
To configure an interface, go to Network > Interfaces, and select Create New and then Interface.
3.10.1.D Routing:
You must configure a default route for each interface and indicate which route is preferred by specifying
the distance. The route with the lower distance is active and is placed higher in the routing table.
3.11 DNS (Domain Name System):
A DNS(Domain Name System) server is a service that converts symbolic names to IP addresses.
3.11.2 Dynamic Routing:
Figure 3.16
3.11.4 Modems
Modems are used to provide Internet access.
Figure 3.17
Figure 3.18
3.12.4 Controlling access with a MAC ACL
3. Select Create New in MAC Reservation + Access Control and enter the MAC address of a
permitted device.
• Assign IP – an IP address is allocated to the device from the DHCP server address range.
5. Repeat steps 3 and 4 for each additional permitted device.
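The CLI form of the DHCP MAC access control described in 3.12.4, as an added example not taken from the report (FortiOS 6.2 syntax). The interface, address range and MAC addresses are constructed for illustration. Note what this control does and does not do: it decides who receives a lease. A client can present any MAC address it likes, and a client that configures a static address never speaks to the DHCP server at all, so a MAC ACL is a convenience filter rather than authentication; the device policies in 3.12.5 or 802.1X on the switch ports provide the actual control.

```fortios
# Added example (not from the report): DHCP server with MAC access control.
# FortiOS 6.2 syntax; interface, range and MAC addresses are constructed.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 10.13.101.1
        set netmask 255.255.255.0
        set dns-service default              # hand out the FortiGate's own DNS settings
        config ip-range
            edit 1
                set start-ip 10.13.101.50
                set end-ip 10.13.101.199
            next
        end
        # Unknown MAC addresses get no lease at all ...
        set mac-acl-default-action block
        # ... known devices get either a fixed address or one from the range.
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:55
                set action reserved              # "Reserve IP": always this address
                set ip 10.13.101.10
                set description "print-server"
            next
            edit 2
                set mac 66:77:88:99:aa:bb
                set action assign                # "Assign IP": any free address from the range
                set description "visitor-laptop"
            next
        end
    next
end
```

Leaving `mac-acl-default-action` at its default of assign while adding reservations gives the convenience of fixed addresses with none of the filtering, which is the configuration most often found when an "access list" is later discovered not to block anything.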
3.12.5 Security policies for devices
• Gaming consoles, for example, are unable to connect to the workplace network or the Internet.
• Although personal tablets and phones can connect to the Internet, they cannot connect to
company servers.
• Laptop computers provided by the company can connect to the Internet and company servers.
• Antivirus and web filtering are used.
• Employee laptop computers have Internet access, although web filtering is in place. They
can also connect to company networks, but only if endpoint protection software such as FortiClient
Endpoint Security is installed.
These policies have been applied for Wi-Fi access to the company network and the Internet, as shown
in the figures below.
Figure 3.19: Device policies for company laptop access to the company network
3.13 System Administration
3.13.1 Administrators
The admin account on the FortiGate is a super administrator account that cannot be deactivated. For certain
functions, more administrators can be added, each with their own user name, password, and set of
access privileges.
The parts that follow will walk you through adding and securing administrator access to a FortiGate:
• Profiles of administrators
• Adding a local administrator
• LDAP authentication for administrators
• Administrator monitoring
• Management access
• Security measures
3.13.1.A Administrator profiles
Administrator profiles specify what a FortiGate administrator can accomplish while signed in. When
you create an administrator account, you must also create an administrator profile that specifies what
the administrator may see. You can give an administrator as much or as little access and
configuration as they need, depending on the nature of their job, their access level, and their
seniority.
Adding a local administrator
To add an administrator – GUI
1. Go to System > Administrators.
2. Select Create New > Administrator.
3. Enter a username for the administrator.
4. Select Local User as the user type.
5. Enter the user's password. This may be a temporary password that the administrator changes
later. A password can be up to 256 characters long.
6. Decide whether security settings such as SMS, Two-factor Authentication, Restrict login to trusted hosts
and Restrict admin to guest account provisioning only are required.
7. Click OK.
3.13.1.B LDAP authentication for administrators
Administrators can authenticate against an LDAP server instead of a local password. Three steps are
required:
• configure the LDAP server
• add the LDAP server to a user group
• configure the administrator account
To configure the LDAP server – GUI
1. Go to User & Device > LDAP Servers and select Create New.
2. Enter a name for the server.
3. Enter the IP address or name of the server.
4. Fill in the Distinguished Name and Common Name Identifier.
5. Select Regular as the Bind Type and provide the Username and Password of the bind account.
6. Click OK.
3.13.1.C Monitoring Administrators
The System Information widget on the Dashboard can be used to see who is logged in as an
administrator. The Current Administrator row displays the currently logged-in administrator as well
as the total number of administrators.
You can also use event logging to keep track of what the administrators are doing on the FortiGate.
There are several techniques for tracking configuration changes in event logs.
To set logging – GUI
1. Select Log & Report > Log Settings from the Log & Report menu.
2. Select Customize from the Event Logging menu and make sure System activity event is chosen.
3. Click the Apply button.
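The event logs described above are what an operator actually reviews to track administrator activity. As an added example (not from the report or from Fortinet), the following Python script parses constructed FortiOS-style key=value event log lines, flags administrator logins whose source address lies outside a trusted-host range (the "Restrict login to trusted hosts" setting mentioned earlier), and lists configuration changes per administrator. The field names (ui, cfgpath, cfgobj, cfgattr) follow the FortiOS log format; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample FortiOS-style event log lines (key=value syslog format).
# They are illustrative only, not records captured from a real FortiGate.
SAMPLE_LOGS = [
    'date=2023-05-01 time=09:12:01 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" action="login" '
    'status="success" msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2023-05-01 time=09:13:20 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.10.0.5)" action="Edit" '
    'cfgpath="system.admin" cfgobj="helpdesk" cfgattr="accprofile[prof_admin->super_admin]" '
    'msg="Edit system.admin helpdesk"',
    'date=2023-05-01 time=22:41:07 type="event" subtype="system" level="alert" '
    'logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.9)" action="login" '
    'status="failed" msg="Administrator admin login failed from ssh(203.0.113.9)"',
    'date=2023-05-01 time=22:42:00 type="traffic" subtype="forward" srcip=10.10.0.7 action="accept"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line):
    """Split a key=value log line into a dict; values may be quoted or bare."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def ui_source_ip(ui):
    """Client IP from a ui field such as 'https(10.10.0.5)'; None for local (console) access."""
    m = re.search(r'\(([^)]+)\)', ui or '')
    return m.group(1) if m else None

def audit_admin_events(lines, trusted_hosts):
    """Return (admin logins from outside trusted_hosts, config changes per admin)."""
    trusted = [ip_network(n) for n in trusted_hosts]
    untrusted_logins, changes = [], defaultdict(list)
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get('type') != 'event' or rec.get('subtype') != 'system':
            continue                          # only system event logs matter here
        src = ui_source_ip(rec.get('ui'))
        if rec.get('action') == 'login' and src is not None:
            if not any(ip_address(src) in net for net in trusted):
                untrusted_logins.append((rec['user'], src, rec.get('status')))
        elif rec.get('cfgpath'):              # "Object attribute configured" records
            changes[rec['user']].append(
                (rec['cfgpath'], rec.get('cfgobj'), rec.get('cfgattr')))
    return untrusted_logins, dict(changes)
```

Run against logs exported from Log & Report, the second return value gives a per-administrator audit trail of configuration edits, and the first lists logins that trusted-host restrictions should have prevented.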
3.13.2 Management access
The management access setting determines how administrators can access the FortiGate. In NAT
mode, access is configured for each of the FortiGate's interfaces, and connections are made using the
IP address of the interface. A single management IP address is established to provide access in
transparent mode.
3.13.3 Security precautions
The management computer is one possible point of a security compromise. Administrators who keep
their workstations logged into the GUI or CLI for an extended period of time leave the firewall
vulnerable to malevolent intent.
3.14 Monitoring
The initial step in network administration is to install and configure the FortiGate as the internal
network's defender. The next step is to monitor the system and network traffic after it is up and
running. You can make configuration modifications as needed when a danger or vulnerability is
found.
The following topics are covered in this section:
• Dashboard
• Monitor menus
• Logging
• Alert email
• SNMP
3.14.1 Dashboard
The FortiOS dashboard displays real-time system data in a network operations centre (NOC) view,
with an emphasis on alerts. By default the dashboard shows critical FortiGate information such as
memory and CPU usage, port health (whether ports are up or down), and throughput. The widgets are
interactive: hovering over or clicking most widgets reveals more information or links to other pages.
Dashboard features include:
• Support for multiple dashboards
• Global and VDOM dashboards
• Control over widget resizing
• Notifications displayed in the top header bar
3.14.2 Monitor menus
The Monitor options allow you to view session and policy information as well as other FortiGate unit
activity. To illustrate live activity, the monitors provide details of user activity, traffic, and policy
usage. DHCP, routing, security policies, traffic shaping, load balancing, security features, VPN,
users, and WiFi all have monitors.
3.14.3 Logging
FortiOS has a sophisticated logging environment that allows you to track, store, and report traffic
data and FortiGate events, such as login attempts and hardware status. Depending on your needs, logs
can be sent to a variety of different servers.
Go to Log & Report > Log Settings in the GUI to set up logging.
Use the CLI commands under config log <log location> to set up logging.
3.14.4 Alert email
As an administrator, you want to know that you'll be able to respond promptly to problems on your
network or with the FortiGate unit. Alert emails are a quick and easy way to notify an administrator
of important happenings. You may set the threshold for when a problem becomes critical and
requires attention by configuring alert messages. When this limit is reached, the FortiGate unit will
send an email to one or more people informing them of the problem.
To configure alert email – GUI
1. Go to Log & Report > Email Alert Settings.
2. Enter the information:
   Email from: fortigate@example.com
   Email to: admin1@example.com, admin2@example.com
Table 3.1
Chapter 4
Quality Assurance
4.1 Traffic shaping
A basic approach to traffic shaping is to prioritize higher priority traffic over lower priority
traffic. This means that the performance and stability of lower priority traffic may be reduced in
order to increase the performance and stability of higher priority traffic. The optimal traffic
shaping configuration balances the needs of each traffic flow by taking into account not just your
organization's requirements, but also the robustness and other characteristics of each service.
The ability to modify the quality of your overall network traffic, including techniques like
priority-based queuing and traffic policing, is known as Quality of Service (QoS). Because bandwidth
is limited and some forms of traffic are sensitive to delay, jitter or packet loss, bandwidth
intensive, or mission critical, QoS can help you optimise the performance of your network's diverse
applications.
The following techniques can be used to build QoS on FortiGate devices:
Technique         Description
Traffic policing  The FortiGate drops packets that don't conform to the configured bandwidth
                  limitations. Note that excessive traffic policing can degrade network
                  performance rather than improve it.
Traffic shaping   The FortiGate ensures that traffic consumes bandwidth at least at the guaranteed
                  rate by assigning a higher priority queue to the traffic if the guaranteed rate
                  isn't being met. It also ensures that traffic doesn't consume more bandwidth
                  than the configured maximum; traffic that exceeds the maximum rate is subject
                  to traffic policing.
Queuing           Transmits packets in the order of their assigned priority queue for that
                  physical interface. All traffic in a higher priority queue must be completely
                  transmitted before traffic in lower priority queues is transmitted.
Table 4.1
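To make the distinction in Table 4.1 concrete, here is an added Python simulation (not FortiGate code and not from the report) of two of the techniques: a token-bucket policer that drops non-conforming packets rather than queuing them, and a strict-priority transmitter in which lower priority queues wait until higher priority queues are empty. The packet list, rates and priorities are constructed for illustration.

```python
# Constructed sample traffic: (arrival_s, size_bytes, priority); priority 0 is the
# highest. Three bulk packets arrive at t=0, a small "voice" packet shortly after.
SAMPLE_PACKETS = [(0.0, 1500, 2), (0.0, 1500, 2), (0.0, 1500, 2), (0.001, 200, 0)]

class TokenBucket:
    """Token bucket: refills at `rate` bytes/s up to `burst` bytes."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conforms(self, size, now):
        """True (and tokens consumed) if `size` bytes fit the bucket at time `now`."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def police(packets, rate, burst):
    """Traffic policing (Table 4.1): packets exceeding the bucket are dropped,
    not queued. Returns (passed, dropped)."""
    bucket, passed, dropped = TokenBucket(rate, burst), [], []
    for pkt in packets:
        (passed if bucket.conforms(pkt[1], pkt[0]) else dropped).append(pkt)
    return passed, dropped

def priority_transmit(packets, link_rate):
    """Strict priority queuing (Table 4.1): of the packets that have already
    arrived, the one with the lowest priority number is always sent next, so
    lower-priority queues wait until higher-priority queues are empty.
    Returns [(packet, start_s, finish_s), ...] in transmission order."""
    pending, clock, schedule = sorted(packets), 0.0, []
    while pending:
        ready = [p for p in pending if p[0] <= clock]
        if not ready:                       # link idle: jump to the next arrival
            clock = pending[0][0]
            continue
        pkt = min(ready, key=lambda p: (p[2], p[0]))   # priority, then arrival
        pending.remove(pkt)
        finish = clock + pkt[1] / link_rate
        schedule.append((pkt, clock, finish))
        clock = finish
    return schedule

if __name__ == '__main__':
    passed, dropped = police(SAMPLE_PACKETS, rate=500_000, burst=3000)
    print('policer dropped:', dropped)
    for pkt, start, finish in priority_transmit(SAMPLE_PACKETS, 1_000_000):
        print(f'prio {pkt[2]} {pkt[1]}B start={start:.4f}s finish={finish:.4f}s')
```

With these inputs the policer drops the third bulk packet outright, while the priority transmitter sends the later-arriving voice packet ahead of the remaining bulk packets as soon as the link frees up.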
The FortiGate supports the traffic shaping settings listed below. All traffic shaping types can be
combined in various configurations.
Traffic shaping type   Description
Shared policy          Bandwidth management of security policies. Applies a total bandwidth to
                       all traffic using the shaper. Scope can be per-policy or for all policies
                       referencing the shaper.
Per-IP                 Bandwidth management of user IP addresses. Allows you to apply traffic
                       shaping to all source IP addresses in the security policy. Bandwidth is
                       equally divided among the group.
Application control    Bandwidth managed by application.
Table 4.2
2. Select Table View to get statistics data on traffic shapers. You may see data like the
amount of bytes transferred and received, as well as the number of sessions.
3. Select Bubble Chart to see which resources use the most bandwidth. To see additional
information about a traffic shaper, double-click it. Examine the bandwidth utilisation by sources,
destinations, apps, rules, and sessions to see whether more granular traffic shaping is necessary.
4.1.4 Troubleshooting traffic shaping
Use the troubleshooting techniques below to diagnose traffic shapers and check whether they are
working properly:
• Validating the Ethernet statistics of the network interface.
• Viewing detailed information about the traffic shapers.
• Examining packets dropped by the traffic shaper using the diagnostic commands.
• Viewing the details of dual traffic shapers in the session list.
• packet enters an inbound interface with logging enabled (Log Allowed Traffic)
• a possible log packet is sent indicating a match in the firewall policy, such as a URL filter
• traffic log packet is sent, per firewall policy
• packet passes and is routed out an interface
4.2.1.B Sniffer
The Sniffer log records all traffic that flows via a specific interface that has been configured to
operate as a One-Armed Sniffer, allowing it to be inspected independently from the other Traffic
logs.
4.2.1.C Event
Event logs help you in the following ways:
• keeping track of changes to configuration settings
• occurrences that require quarantine, such as banned users
• activities involving the L2TP, PPP, and PPPoE internet protocols and modems
You may observe what traffic shaping, per-IP traffic shaping, and reverse direction traffic shaping
parameters are being applied by enabling this feature.
DLP logs, or Data Leak Prevention logs, contain critical information about sensitive data attempting
to leave your network, as well as any undesired data attempting to enter it. A DLP sensor's DLP
rules can log the following kinds of traffic:
• email (SMTP, POP3 or IMAP; SMTPS, POP3S and IMAPS if SSL content is inspected)
• HTTP
• HTTPS
• FTP
• NNTP
• Instant Messaging
MAC address logs keep track of the MAC addresses that the FortiGate device sees on the network as well as
those that have been removed. These log messages are saved in the event log (as subtype network; you can see
them under Log & Report > System Events) and are deactivated in the CLI by default.
Web filter logs keep track of HTTP traffic. These log entries provide useful and thorough
information about this specific network traffic activity.
Web filtering activity should be logged because it can tell you:
• what types of websites employees are visiting
Email filter logs, also known as spam filter logs, save information on the content of email messages.
In an email filter profile, for example, a match is detected that classifies the email message as spam.
When the FortiGate unit detects a match inside the email filter profile and the logging parameters are
enabled within the profile, email filter logs are created.
4.3.1 Device Manager
4.3.2 FortiView
4.3.4 Others
4.3.5 Reports
4.3.6 System Settings