FortiGate I 01 Introduction
Introduction to FortiGate
FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: 24 December 2019
Objectives
• Identify major features of FortiGate
• Differentiate between FortiGuard queries and packages
• Choose an operation mode
• Restrict administration to access via management networks
• Create administrator accounts with specific permissions
• Reset a lost admin password
• Run the built-in DNS server on an interface
• Run the built-in DHCP server on an interface
• Back up and restore configuration files
• Install new FortiGate firmware
What Makes FortiGate Different?
Platform Design
[Figure: FortiOS as the core platform, with integration to other Fortinet products such as FortiSandbox and FortiMail]
Topology in the Cloud
• Deploy FortiGate in virtualized networks
o FortiGate VM – Same features as physical appliance except FortiASIC
o FortiGate VMX – Subset of features for VMware NSX (East-West) data flows
o FortiGate Connector for Cisco ACI – Subset for Cisco ACI (North-South)
FortiGate VM Specifications
Licenses: Max. 1 / 2 / 4 / 8 vCPU
Hypervisor: VMware, Hyper-V, KVM, Citrix Xen Server, Open Source Xen, Azure, Amazon AWS (BYOL & on-demand)
Memory: Max. 1 / 4 / 8 / 12 GB
Interfaces: 2-4 virtual NICs, 10/100/1000
FortiGuard Subscription Services
• Internet connection and contract required
• Provided by FortiGuard Distribution Network (FDN)
o Major data centers in North America, Asia, and Europe
• Or, from FDN through your FortiManager
o FortiGate prefers data center in nearest time zone,
but will adjust by server load
• Package updates: FortiGuard Antivirus and IPS
o update.fortiguard.net
o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering and Antispam
o service.fortiguard.net
o Proprietary protocol on UDP port 53 or 8888
Modes of Operation
• NAT
• Transparent
Operation Modes & the OSI Model
[Figure: NAT mode places FortiGate at layer 3, routing between interfaces that each have their own IP address; Transparent mode places it at layer 2, bridging traffic without changing the existing IP addressing]
Factory Default Settings
• port1 / internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port1 / internal interface
o Only on low-end models that support DHCP server
• Default login:
User: admin
Password: (blank)
o Both are case sensitive
o Change the default (blank) admin password before the device is reachable from any untrusted network!
Resetting a Lost admin Password
User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case: "FGT60…" etc.
The maintainer login is accepted only on the console port (physical access is required) and only for a short window after the device reboots. Because it bypasses every configured administrator account, disable it where physical security cannot be guaranteed: config system global / set admin-maintainer disable / end.
Console Port
• Each FortiGate ships with a console cable
• Console connection requires a terminal emulator
o PuTTY
o Tera Term
• Type varies by model
o Older models: serial port with null modem cable
o Newer models
• RJ-45 port with RJ-45-to-serial cable, or
• USB 2 port to FortiExplorer
Administration Methods
• GUI: FortiExplorer, Web Browser (HTTP, HTTPS)
• CLI: Console, SSH, Telnet, GUI Widget
Administrator Profiles
• System > Administrator
Administrator Profiles: Permissions
Administrator Profiles: Hierarchy
Two-Factor Authentication
Other Two-Factor Authentication
Administrative Access: Trusted Sources
• Administrative access is denied for connections coming from IP addresses that are not in any of the trusted host subnets
o Trusted hosts are configured per administrator account (System > Administrator); an account with no trusted hosts, or with 0.0.0.0/0, accepts logins from any source
o Combine with the per-interface administrative access settings so that management is reachable only from the management network
Administrative Access: Ports and Password
• Port numbers are customizable
• Only using secure access (SSH, HTTPS) is recommended
Administrative Access: Protocols
• Enable acceptable management protocols on each interface independently
o Separate IPv4 and IPv6
o IPv6 options hidden by default
• Also protocols where FortiGate is the destination IP
o FortiTelemetry
o CAPWAP
o FortiManager
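The following script is an added example, not part of the Fortinet course material, that audits a FortiOS-style configuration excerpt against the three administrative-access slides above: every administrator must have trusted hosts that are not 0.0.0.0/0, no interface may allow cleartext management (HTTP, Telnet), and a login source is accepted only if it falls inside one of the account's trusted-host subnets. The configuration text, account names, interface names and addresses are constructed for illustration.

```python
"""Audit a FortiOS-style configuration excerpt for weak administrative access.

Added example, not Fortinet code. SAMPLE_CONFIG is constructed: the account
names, interface names and addresses are made up for illustration.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.100.0 255.255.255.0
        set trusthost2 192.168.1.10 255.255.255.255
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "prof_admin"
    next
    edit "auditor"
        set accprofile "prof_admin"
    next
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http
    next
    edit "port2"
        set allowaccess ping https ssh telnet fgfm
    next
    edit "port3"
        set allowaccess ping
    next
end
"""

# Management protocols that carry credentials in cleartext.
INSECURE_PROTOCOLS = {"http", "telnet"}


def parse_sections(text):
    """Return {section: {entry: {key: value}}} for 'config / edit / set' blocks."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip()
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def trusted_networks(admin_settings):
    """Collect 'trusthostN <addr> <mask>' entries as IPv4Network objects."""
    nets = []
    for key, value in admin_settings.items():
        if re.fullmatch(r"trusthost\d+", key):
            addr, mask = value.split()
            nets.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return nets


def audit(text):
    """Return a list of human-readable findings for the configuration text."""
    cfg = parse_sections(text)
    findings = []
    for name, settings in cfg.get("system admin", {}).items():
        nets = trusted_networks(settings)
        if not nets:
            findings.append(f"admin '{name}': no trusted hosts, reachable from any source")
        elif any(n.prefixlen == 0 for n in nets):
            findings.append(f"admin '{name}': trusthost 0.0.0.0/0 disables the restriction")
    for name, settings in cfg.get("system interface", {}).items():
        allowed = set(settings.get("allowaccess", "").split())
        bad = sorted(allowed & INSECURE_PROTOCOLS)
        if bad:
            findings.append(f"interface '{name}': cleartext management enabled: {', '.join(bad)}")
    return findings


def is_source_allowed(text, admin_name, source_ip):
    """Mimic the trusted-host check: the source must fall inside one of the
    account's subnets. An account with no trusthost entries accepts any source,
    which is the FortiOS default (0.0.0.0 0.0.0.0)."""
    settings = parse_sections(text)["system admin"][admin_name]
    nets = trusted_networks(settings)
    if not nets:
        return True
    ip = ipaddress.IPv4Address(source_ip)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(is_source_allowed(SAMPLE_CONFIG, "admin", "10.0.100.25"))
    print(is_source_allowed(SAMPLE_CONFIG, "admin", "172.16.0.5"))
```

Run it against a `show full-configuration` export to get the same four classes of finding on a real device; the parser only understands the flat `config / edit / set / next / end` structure, so nested `config` blocks inside an entry are ignored rather than misread.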
Features Hidden by Default
• By default, some features like IPv6 are hidden in the GUI
o Hidden features are not disabled
• Hide/show via System > Feature Select
o In Feature Select, select to hide/show groups of features commonly used together
Link Aggregation
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth
o Increases redundancy for higher availability
Interface IPs
• In NAT mode, interfaces can't be used until they have an IP address
o Manually assigned
o Automatic
• DHCP
• PPPoE
• Exceptions: One-Arm Sniffer or FortiSwitch
Interface Role Compared to Alias
• Role (Network > Interfaces) defines a group of interface settings that are typically configured together
o Avoids accidental misconfiguration
o Four types:
• WAN
• LAN
• DMZ
• Undefined (shows all settings)
o The role is not shown in the policy list
• Alias is a descriptive name displayed alongside the interface name, including in the policy list
FortiGate as a DHCP Server
DHCP Server: IP Reservation
• Reservations re-assign the same IP address to the same host
o To reserve, enter an IP address or choose an existing DHCP lease
o Identify the reservation as either:
• Regular (over Ethernet)
• Over IPsec
• FortiGate uses the host's MAC address to look up its IP address in the reservation table
• Actions if the MAC is unknown: assign an address from the pool, or block the request
o Blocking unknown MACs turns the reservation table into a MAC access control list; it is a convenience, not a strong control, because MAC addresses are trivially spoofed
FortiGate as a DNS Server
• Resolves DNS lookups from internal network
o Enabled per interface
o Not appropriate for Internet service due to load
DNS Forwarding
• Forwarding allows DNS control without local FQDN database
• Sends query to external DNS server
DNS Database: Configuration
• Add DNS zones
o Each zone has its own domain name
o RFC 1034 and 1035
Static Gateway
• There must be at least one default gateway
• If the interface is DHCP or PPPoE, the gateway can be added dynamically
Configuration Files
Configuration File Format
Plain text (first lines of the backup):
#config-version=FWF60D-5.04-FW-build1064-131031:opmode=0:vdom=0:user=admin
#conf_file_ver=10488
Encrypted (first line of the backup):
#FGBK|3|FWF60D|5|04|1064|925954160275734#buildno=1064#global_vdom=1
Fields called out on the slide: Model (FWF60D), Firmware Major Version (5.04), Build Number (1064)
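Added example, not Fortinet code: a parser for both header forms shown above, so a restore script can refuse a backup that came from a different model or release before uploading it. The two header strings are the ones on the slide. The mapping opmode=0 NAT / opmode=1 Transparent, and the reading of the encrypted "#FGBK|" header as format|model|major|minor|build followed by one field that is not interpreted, are assumptions stated in the code.

```python
"""Identify the model, firmware release and build recorded in the first line of a
FortiGate configuration backup, and refuse a restore onto the wrong platform.

Added example, not Fortinet code. Assumptions: opmode=0 means NAT and opmode=1
Transparent; in the '#FGBK|' encrypted header the fields after 'FGBK' are
format, model, major, minor, build, and a trailing field that is not interpreted.
"""
import re

# Headers copied from the slide (the plain-text one normally spans two lines).
PLAIN_HEADER = ("#config-version=FWF60D-5.04-FW-build1064-131031:"
                "opmode=0:vdom=0:user=admin#conf_file_ver=10488")
ENCRYPTED_HEADER = "#FGBK|3|FWF60D|5|04|1064|925954160275734#buildno=1064#global_vdom=1"

PLAIN_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d+)"
    r":opmode=(?P<opmode>\d):vdom=(?P<vdom>\d):user=(?P<user>[^#\s]+)"
)


def parse_header(first_line):
    """Return a dict describing the backup, or raise ValueError if unrecognised."""
    line = first_line.strip()
    m = PLAIN_RE.match(line)
    if m:
        return {
            "encrypted": False,
            "model": m["model"],
            "version": f"{m['major']}.{int(m['minor'])}",   # "5.04" -> "5.4"
            "build": int(m["build"]),
            "opmode": "transparent" if m["opmode"] == "1" else "nat",  # assumed mapping
            "vdom_enabled": m["vdom"] == "1",
            "user": m["user"],
        }
    if line.startswith("#FGBK|"):
        # '#FGBK|3|FWF60D|5|04|1064|9259...#buildno=1064#global_vdom=1'
        fields = line.split("#")[1].split("|")
        if len(fields) < 6:
            raise ValueError("truncated encrypted-backup header")
        return {
            "encrypted": True,
            "model": fields[2],
            "version": f"{fields[3]}.{int(fields[4])}",
            "build": int(fields[5]),
        }
    raise ValueError("not a FortiGate configuration header")


def compatible_with(header, running_model, running_version):
    """Conservative pre-restore check: same model and same major.minor release.
    A backup from another model is rejected by the device anyway; a backup from
    another release may load with converted settings, so both are refused here."""
    return header["model"] == running_model and header["version"] == running_version


if __name__ == "__main__":
    for raw in (PLAIN_HEADER, ENCRYPTED_HEADER):
        h = parse_header(raw)
        print(h, "restore onto FWF60D 5.4:", compatible_with(h, "FWF60D", "5.4"))
```

Feed it the first line of the file (`head -1 backup.conf`) before a restore; an encrypted backup still exposes model, release and build in its header, so the check works without the password.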
Upgrade
Downgrade