FortiGate I 01 Introduction


FortiGate I
Introduction to FortiGate
FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 December 2019
Objectives
• Identify major features of FortiGate
• Differentiate between FortiGuard queries and packages
• Choose an operation mode
• Restrict administration to access via management networks
• Create administrator accounts with specific permissions
• Reset a lost admin password
• Run the built-in DNS server on an interface
• Run the built-in DHCP server on an interface
• Back up and restore configuration files
• Install new FortiGate firmware

What Makes FortiGate Different?
[Platform design diagram: FortiOS on FortiASIC-optimized hardware or a hypervisor; FortiGuard Subscription Services (Antivirus, IPS, Web Filter, Threat Intelligence); Centralized Management; Next Gen. Firewall; Integration with FortiClient, FortiWeb, FortiSandbox, and FortiMail]
Topology in the Cloud
• Deploy FortiGate in virtualized networks
o FortiGate VM – Same features as physical appliance except FortiASIC
o FortiGate VMX – Subset of features for VMware NSX (East-West) data flows
o FortiGate Connector for Cisco ACI – Subset for Cisco ACI (North-South) data flows… Integrates physical or virtual appliance
• Faster setup & teardown: SDN + VMs
[Diagram: FortiGate Connector deployment; FortiGate VMX or VM]

FortiGate VM Specifications
Licenses: Max. 1 / 2 / 4 / 8 vCPU
Hypervisor: VMware, Hyper-V, KVM, Citrix Xen Server, Open Source Xen, Azure, Amazon AWS (BYOL & on-demand)
Memory: Max. 1/4/8/12 GB
Interfaces: 2-4 virtual NICs, 10/100/1000
Storage Capacity: 40+ GB
FortiGuard Subscription Services
• Internet connection and contract required
• Provided by FortiGuard Distribution Network (FDN)
o Major data centers in North America, Asia, and Europe
o FortiGate prefers data center in nearest time zone, but will adjust by server load
• Or, from FDN through your FortiManager
• Package updates: FortiGuard Antivirus and IPS
o update.fortiguard.net
o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering and Antispam
o service.fortiguard.net
o Proprietary protocol on UDP port 53 or 8888
Modes of Operation
NAT
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP
Transparent
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or not
Operation Modes & the OSI Model
[Diagram: NAT mode and Transparent mode mapped onto the OSI model]
Factory Default Settings
• port1 / internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port1 / internal interface
o Only on low-end models that support DHCP server
• Default login:
User: admin
Password: (blank)
o Both are case sensitive
o Modify the default (blank) root password!
Resetting a Lost admin Password
User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case: “FGT60…” etc.
• All FortiGate models and some other Fortinet device types
• Only after hard power cycle
o Soft cycle (reboot) does not work for security reasons
• Only during first 30 seconds after boot (varies by model)
o Tip: Copy serial number into terminal buffer, then paste
• Only through hardware console port
o Requires physical access for security reasons
o If compliance/risk of physical access requires, maintainer can be disabled:
config sys global
    set admin-maintainer disable
end
Console Port
• Each FortiGate ships with a console cable
• Console connection requires a terminal emulator
o PuTTY
o Tera Term
• Type varies by model
o Older models: serial port with null modem cable
o Newer models:
• RJ-45 port with RJ-45-to-serial cable, or
• USB 2 port to FortiExplorer
Administration Methods
• GUI: FortiExplorer, Web Browser (HTTP, HTTPS)
• CLI: Console, SSH, Telnet, GUI Widget
Administrator Profiles
• System > Administrator

Administrator Profiles: Permissions
Each permission group can be set to None, Read, or Read-Write:
• System Configuration
• Network Configuration
• Firewall Configuration
• VPN Configuration
• WiFi Controller
• Log & Report
Administrator Profiles: Hierarchy
• super_admin – Full global access
• custom_profile1 – Partial global access
• prof_admin – Full access in virtual domain
• custom_profile2 – Partial access in VDOM
Two-Factor Authentication
Password (one factor) + FortiToken (two factor)
Other Two-Factor Authentication

Administrative Access: Trusted Sources
• Administrative access is denied for connections coming from IP addresses that are not in any of the trusted host subnets
Administrative Access: Ports and Password
• Port numbers are customizable
• Only using secure access (SSH, HTTPS) is recommended
Administrative Access: Protocols
• Enable acceptable management protocols on each interface independently
o Separate IPv4 and IPv6
o IPv6 options hidden by default
• Also protocols where FortiGate is the destination IP
o FortiTelemetry
o CAPWAP
o FortiManager
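As an added example (not part of the course material), the Python below audits a FortiOS-style configuration text for the two settings the last three slides cover: which management protocols each interface accepts, and whether each administrator account is restricted to trusted hosts. The sample configuration is constructed; `allowaccess` and `trusthostN` are the FortiOS CLI keywords, and the parser handles only the flat config/edit/set layout this check needs.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed FortiOS-style sample (not from a real device): port1 accepts cleartext management, "admin" has no trusted hosts.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""
def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    # Returns {section: {object: {key: values}}}; one config/edit/set level is all this check needs.
    tree: Dict[str, Dict[str, Dict[str, List[str]]]] = defaultdict(dict)
    section = obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit ") and section is not None:
            obj = line[len("edit "):].strip('"')
            tree[section][obj] = {}
        elif line.startswith("set ") and obj is not None:
            key, *vals = line[len("set "):].split()
            tree[section][obj][key] = [v.strip('"') for v in vals]
        elif line in ("next", "end"):
            obj = None
    return tree

def audit_admin_access(text: str) -> List[str]:
    # Flag interfaces that allow cleartext management and admins with no trusted hosts.
    tree = parse_fortios(text)
    findings: List[str] = []
    for name, attrs in tree.get("system interface", {}).items():
        bad = {"http", "telnet"} & set(attrs.get("allowaccess", []))  # only SSH/HTTPS recommended
        if bad:
            findings.append(f"interface {name}: cleartext management enabled ({', '.join(sorted(bad))})")
    for name, attrs in tree.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin {name}: no trusted hosts, so logins are accepted from any source")
    return findings
```

Run against a real `show full-configuration` export, the same two checks give a quick list of interfaces and accounts that do not yet follow the recommendations on these slides.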
Features Hidden by Default
• By default, some features like IPv6 are hidden in GUI
o Hidden features are not disabled
• Hide/show via System > Feature Select
o In Feature Select, select to hide/show groups of features commonly used together
Link Aggregation
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth
o Increases redundancy for higher availability
Interface IPs
• In NAT mode, interfaces can’t be used until they have an IP address
o Manually assigned
o Automatic
• DHCP
• PPPoE
• Exceptions: One-Arm Sniffer or FortiSwitch
Interface Role Compared to Alias
Network > Interfaces
• Role defines groups of interface settings typically used together
o Avoids accidental misconfiguration
o Four types:
• WAN
• LAN
• DMZ
• Undefined (show all settings)
o Not in list of policies
Policy & Objects > IPv4 Policy
• Alias is nickname for interface
o Used in list of policies to label interfaces by purpose
FortiGate as a DHCP Server

DHCP Server: IP Reservation
• Reservations re-assign IP address to the same host
o To reserve, select IP address or choose existing DHCP lease
o Identify reservation as either:
• Regular (over Ethernet)
• Over IPSec
• FortiGate uses host’s MAC address to look up its IP address in reservation table
• Actions if MAC is unknown
FortiGate as a DNS Server
• Resolves DNS lookups from internal network
o Enabled per interface
o Not appropriate for Internet service due to load
• One DNS database can be shared by all FortiGate interfaces
o Can be separate per VDOM
• Resolution methods:
o Forward — Relay requests to the next server (in DNS settings)
o Non-recursive — Use FortiGate DNS database only; drop unresolvable queries
o Recursive — Use FortiGate DNS database first; relay unresolvable queries to next server (in DNS settings)
DNS Forwarding
• Forwarding allows DNS control without local FQDN database
• Sends query to external DNS server

DNS Database: Configuration
• Add DNS zones
o Each zone has its own domain name
o RFC 1034 and 1035
• Add DNS entries to each zone
o Host name
o IP address it resolves to
o Types supported:
• IPv4 address (A) or IPv6 address (AAAA)
• Name server (NS)
• Canonical name (CNAME)
• Mail exchange (MX) server
• IPv4 (PTR) or IPv6 (PTR)
Static Gateway
• Must be at least one default gateway
• If the interface is DHCP or PPPoE, the gateway can be added dynamically
Configuration Files
• Configuration can be saved to an external device
o Optional encryption
o Can back up automatically
• Upon logout
• Not available on all models
• To restore a previous configuration, upload file
o Reboots FortiGate
Configuration File Format
Plain text header (the slide labels the model, firmware major version, and build number):
#config-version=FWF60D-5.04-FW-build1064-131031:opmode=0:vdom=0:user=admin
#conf_file_ver=10488
#buildno=1064
#global_vdom=1
Encrypted header:
#FGBK|3|FWF60D|5|04|1064|925954160275734
• Only non-default and important settings (smaller file size)
• Header shows device model and firmware
• After the header, the encrypted file is not readable
• Restoring configuration
o Encrypted? Same device/model + build + password required
o Unencrypted? Same model required
• Different build OK if upgrade path is supported
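As an added example (not from the course material), the Python below parses the two header formats shown on this slide and applies its restore rules before a file is uploaded. The sample headers are constructed from the slide's values; the regular expressions cover only the fields the slide labels (model, firmware version, build), and the trailing field of the encrypted header is treated as opaque.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed headers modelled on the two formats shown on the slide.
PLAIN_BACKUP = (
    "#config-version=FWF60D-5.04-FW-build1064-131031:opmode=0:vdom=0:user=admin\n"
    "#conf_file_ver=10488\n#buildno=1064\n#global_vdom=1\n"
    'config system global\n    set hostname "lab-fgt"\nend\n'
)
ENCRYPTED_BACKUP = "#FGBK|3|FWF60D|5|04|1064|925954160275734\n<encrypted payload follows>"

# <model>-<major.minor>-FW-build<n>-<date>; only the first three fields matter here.
PLAIN_RE = re.compile(r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<ver>\d+\.\d+)-FW-build(?P<build>\d+)-")
# #FGBK|<header version>|<model>|<major>|<minor>|<build>|...; the trailing field is left opaque.
ENC_RE = re.compile(r"^#FGBK\|\d+\|(?P<model>[A-Z0-9]+)\|(?P<maj>\d+)\|(?P<min>\d+)\|(?P<build>\d+)\|")

@dataclass
class BackupHeader:
    model: str
    version: str     # e.g. "5.04"
    build: int
    encrypted: bool

def parse_header(backup: str) -> BackupHeader:
    first_line = backup.splitlines()[0]
    if m := PLAIN_RE.match(first_line):
        return BackupHeader(m["model"], m["ver"], int(m["build"]), False)
    if m := ENC_RE.match(first_line):
        return BackupHeader(m["model"], f"{m['maj']}.{m['min']}", int(m["build"]), True)
    raise ValueError("not a FortiGate configuration backup header")

def restore_check(hdr: BackupHeader, device_model: str, device_build: int) -> Tuple[bool, List[str]]:
    # Slide rules: encrypted needs the same model and build (plus the password, which the
    # header cannot tell us); unencrypted needs the same model, and a different build is
    # acceptable only if the upgrade path is supported, so that case is flagged, not blocked.
    notes: List[str] = []
    if hdr.model != device_model:
        notes.append(f"model mismatch: backup {hdr.model}, device {device_model}")
        return False, notes
    if hdr.build != device_build:
        if hdr.encrypted:
            notes.append(f"encrypted backup needs build {hdr.build}, device runs {device_build}")
            return False, notes
        notes.append(f"build differs ({hdr.build} -> {device_build}): confirm a supported upgrade path")
    return True, notes
```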
Upgrade
1. Back up configuration (full config backup from CLI).
2. Download copy of current firmware in case reversion is needed.
3. Have physical access, or terminal server connected to local console, in case reversion is needed.
4. READ RELEASE NOTES (upgrade path, other useful information).
5. Upgrade.
Downgrade
1. Get the pre-upgrade configuration file.
2. Download a copy of current firmware in case reversion is needed.
3. Have physical access, or terminal server connected to local console, in case reversion is needed.
4. READ RELEASE NOTES (Does downgrade preserve config?).
5. Downgrade.
6. If required, upload configuration that matches firmware version.
Review
• Key FortiGate features
• FortiGuard services
• Administrators and permissions
• Operating mode differences
• Basic network settings
• Console ports
• How to show and hide features in the GUI
• Built-in DHCP and DNS servers
• Configuration backup and restoration
• Upgrade and downgrade
