You are on page 1of 39

DO NOT REPRINT

FORTINET

Introduction to Fortinet UTM

In this lesson, we will show FortiGate administration basics. This includes how and where FortiGate
fits into your existing network architecture.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

After completing this lesson, you should have these practical skills in FortiGate administration
fundamentals, such as how to log in, make administrator accounts, do basic network settings, and how
to use your FortiGates GUI or CLI.
Youll also be able to set up FortiGate to act as your local networks DNS or DHCP server.
Lab exercises can help you to test and reinforce your skills.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

(slide contains animation)


A FortiGate is a Unified Threat Management device, but what exactly does this mean? Well, if we look
at a typical network security solution, multiple single-purpose devices are used. Each performs a specific
task. There is:
(click)
One device acting as the firewall
Another device that scans for viruses
Another device filtering email
One device to optimize WAN usage
Another device to filter web sites
One device for application control
One device for intrusion prevention
Another device to provide VPN access
That is a lot of different devices. Most likely, they all have different vendors. All of this can introduce
unwanted complexity, and many potential points of failure.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

So how is FortiGate different?


FortiGate provides a comprehensive approach to security. It even includes some basic accessory
network services such as authentication and DHCP. All this and more is combined into a single device.
That way, you can reconfigure your network and security deployment by simply accessing one device.
Cabling and interfaces between 10 devices? Gone. And its all from a single vendor. Per-module
licensing? Gone.
If youre familiar with Cisco ASA, you may even expect multiple management interfaces. This, too, is
simpler on FortiGate. Regardless of whether you are building a VPN or applying antivirus, you can
configure it all from one unified GUI or CLI.
How can FortiGate do so many things? Shouldnt separate functions be divided among different devices
for performance reasons?
In some cases, yes. High load of one specific workload may be worth a dedicated device. And Fortinet
offers several. But now you have the choice you can specialize if your network requires it.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

In this architecture diagram, you can see how FortiGate UTM platforms add strength without
compromising on flexibility they are still internally modular. Plus:

Devices add duplication. Sometimes, dedication doesnt mean efficiency. If its overloaded, can 1
device borrow free RAM on 9 others? Do you want to configure policies, logging, and routing on 10
separate devices? Does 10 times the duplication bring you 10 times the benefit? Or is it a hassle?
FortiGate hardware isnt just off-the-shelf. Its carrier-grade. Underneath, most FortiGate models
have 1 or more specialized circuits called ASICs that are engineered by Fortinet. For example, a CP
or NP chip handles cryptography and packet forwarding more efficiently. Compared to a singlepurpose device with only a CPU, FortiGate can have dramatically better performance.
(The exception? Virtualization platforms VMware, Citrix Xen, Microsoft, or Oracle Virtual Box have
general-purpose vCPUs. But virtualization might be worthwhile due to other benefits, such as
distributed computing and cloud-based security.)
FortiGate is flexible. If all you need is firewalling and antivirus, FortiGate wont require you to waste
CPU, RAM, and electricity on others. In each firewall policy, UTM modules can be enabled or
disabled. You wont pay more to add VPN seat licenses later, either. What requires a subscription?
Only FortiGuard subscription services.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

FortiGuard subscription services give your FortiGate access to 24 x7 security updates powered by
Fortinets researchers. Your FortiGate uses FortiGuard in 2 ways:

By periodically requesting packages that contain a new engine and many signatures, or
By querying the FDN on an individual URL or host name

Queries are real-time that is, FortiGate asks the FDN every time it scans for spam or filtered web sites.
Also, queries use UDP for transport they are connectionless and the protocol is not designed for fault
tolerance, but speed. So they require that your FortiGate have a reliable Internet connection.
Downloaded packages like antivirus and IPS, however, arent that frequent. They use TCP for reliable
transport. And their associated FortiGate features continue to function even if FortiGate does not have
reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your
FortiGate must try repeatedly to download updates, it cant detect new threats during that time.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

So now weve seen a simplified overview of the software architecture. What about the network
architecture? Where does FortiGate fit in?
When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or
transparent.

In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical network
interfaces have an IP address.
In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So except for the
management interface, its interfaces have no IP address.

Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however.
Well show these later.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should
you choose?
NAT mode is the most common choice. In NAT mode, the destination address is the FortiGates
address. Typically FortiGate will rewrite the destination address, and/or port number and source
address in the IP network layer, into the servers private network address before forwarding the packet
in other words, it will apply NAT and port forwarding. Depending on your presentation and application
layer protocols, it might also:
Terminate SSL or TLS sessions so back-end servers dont need to decrypt
Modify the addresses in the application layer headers, such as the Host: and X-Forwarded-For: in
the HTTP header
So NAT mode works well for edge or gateway security, where you divide your private IPv4 network from
an external network such as guest Wi-Fi or the Internet.
In transparent mode, the destination address is the servers address not a FortiGates interface.
As a result, it usually doesnt need to rewrite encapsulated layers with the exception of TCP SYNrelated analysis. Only the MAC address in the frame is rewritten. So in complex IP environments such as
MSSP or mobile phone carriers, this simplifies deployment. Only the management interface needs an IP
address. But because network-facing interfaces dont have an IP address, you must verify that your
topology doesnt have any loops at Layer 2 Ethernet.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

NAT mode is the default operation mode. What are the other default settings? Once youve removed
your FortiGate from its box, what do you do next?
Lets see how to set up a FortiGate.
Attach your computers network cable to port1 or the internal switch ports (depending on your model) to
begin setup. There is a DHCP server on that interface, so if your computers network settings have
DHCP enabled, your computer should automatically get an IP, and you can begin setup quickly. Every
FortiGate or FortiWifi device has these same default settings. (Note that FortiAP is not the same. Its
covered in a separate lesson.)
To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99.
Remember: The default login is publicly available knowledge. Never leave its default password
blank! Your network is only as secure as your FortiGates admin account. Before you connect your
FortiGate to your overall network, you should set a complex password. You should also restrict it so that
FortiGate allows administrative connections only from your local console or management subnet.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

What happens if you forget the password for your admin account, or a hostile employee changes it?
This recovery method is on all FortiGate devices, and even some non-FortiGate devices like FortiMail.
Its a temporary account, only available through the local console port, and only after a hard reboot
disrupting power by unplugging or switching off the power, then restoring it. FortiGate must be physically
shut off, then turned back on not simply rebooted through the CLI. Thats the difference between a
hard boot and a soft boot.
Even then, the maintainer login will only be available for login for about 30 seconds after boot
completes.
If you cant ensure physical security, or have compliance requirements, you can disable the maintainer
account. Use caution: if you disable maintainer and then lose your admin password, you
cannot recover access to your FortiGate.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

All FortiGate models have a console port. This provides CLI access without a network.

On older models, its a serial port. A standard null modem cable can be used to connect the serial
port to your computers serial port.
On newer models, its an RJ-45 port. Access by connecting an RJ-45-to-serial cable from your
computers serial port to the RJ-45 port on the FortiGate.
In some newer models, the console port is a USB2 port. In that case, youll plug in the USB cable,
then open FortiExplorer.

Each device ships with its appropriate cable.


Serial ports on computers are becoming less common. If your computer have one, you can purchase a
USB-to-serial adapter.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Most features are available in both the GUI and CLI. There are a few exceptions. Reports cant be
viewed in the CLI, for example, and diagnostic commands for power users are usually not in the GUI.
What if you dont want to use the GUI?
There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script its
configuration, you may want to use it in addition. You can access the CLI via either the JavaScript widget
in the GUI named CLI Console, or via a terminal emulator such as Tera Term
(http://ttssh2.sourceforge.jp/index.html.en) or PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can connect
via the network SSH or telnet or the local console port.
SNMP and some other administrative protocols are also supported, but they are not used for basic
setup. Lets focus on setup now.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

As an alternative GUI during setup, you can plug in your smart phone, and use FortiExplorer.
FortiExplorer isnt a complete configuration tool for all devices. Its focus is deployment configuring
network addresses and routing. After that, your FortiGate can be integrated into the network, and you
can continue by configuring firewall policies, security profiles and other features.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

There are a few supported platforms for the FortiExplorer software. This is what FortiExplorer looks like
when you are running it on a Windows laptop.
On the left side, you can see that FortiExplorer can fully update device firmware and configure its
network settings so that FortiGate is prepared for you to plug it into your network.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Whichever method you use, start by logging in as admin. Begin by creating accounts for other
administrators.
Its not shown here, but alternatively, instead of creating accounts on FortiGate itself, you could configure
FortiGate to query a remote authentication server. You could also require personal certificates,
authenticated via your PKI certificate authority, instead of passwords.
Choose strong, complex passwords. For example, you could use multiple interleaved words with varying
capitalization, and randomly insert numbers and punctuation. Do not use short passwords, nor
passwords that contain names, dates, or words that exist in any dictionary. These will be very
weak against brute force attacks. To audit the strength of your passwords, use tools such as l0phtcrack
(http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). Risk of attackers brute
forcing your firewall is especially high if you connect the management port to the Internet.
In order to restrict access to specific features, you can assign permissions.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

When assigning permissions in an access profile, you can specify read-and-write, read-only, or no
access to each area.
By default, there is a special profile named super_admin, which is used by the account named admin.
It cannot be changed. It provides full access to everything, making the admin account similar to a root
superuser account.
prof_admin is another default profile. It also provides full access, but unlike super_admin, it only
applies to its virtual domain not the global settings of the FortiGate. Also, its permissions can be
changed.
You arent required to use a default profile. You could, for example, create a profile named
auditor_access with read-only permissions. Restricting a persons permissions to those necessary for
his or her job is a good best practice, because even if that account is compromised, the compromise is
not complete. To do this, create administrative access profiles, then select the appropriate profile when
configuring an account.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

What are the effects of access profiles?


Its actually more than just read or write access.
Depending on the type of access profile that you assign, each administrator may not be able to access
the entire FortiGate. For example, you could configure an account that can only view log messages.
Administrators may not be able to access global settings outside their assigned virtual domain, either.
(Virtual domains, by the way, are a way of subdividing the resources and configurations on a single
FortiGate. VDOMs are shown in another lesson.)
Administrators with a smaller scope of permissions cannot create, or even view, accounts with
more permissions. So, for example, an administrator using the prof_admin or a custom profile cannot
see nor reset the password of accounts that use the super_admin profile.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

To further secure access to your network security, use two-factor authentication.


Two factor authentication just means that instead of only using one way to verify your identity typically
a password or personal certificate you verify identity in two ways. In the example shown here, twofactor would mean a password plus an RSA randomly generated number from a FortiToken that is
synchronized with FortiGate.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

FortiToken is not the only option if you want to use two-factor authentication. Remember, two-factor
authentication literally only means that you use two methods to verify the persons identity.
Alternatively, FortiGate can send an email to the administrators address, or send a text message.
To be able to do this, you must first configure FortiGate with the settings of a mail server that it can use
to send email, or an SMS server. The mail server can be configured under System > Config >
Messaging Servers in the GUI, or the CLI. SMS settings however are CLI-only.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Another way to secure your FortiGate is to define which hosts or subnets are trusted sources of login
attempts.
Define all three, for all accounts. (If you leave any IPv4 address as 0.0.0.0/0, this means to allow
connections from any source IP obviously not what you want.) Notice that each account can define its
management host or subnet differently. This is especially useful if you will be setting up virtual domains
on your FortiGate, where the VDOMs administrators may not even belong to the same organization..
Now try to access FortiGates GUI or CLI from an external IP. Does it work? No. Your web browser or
terminal emulator wont receive a response. Not even to a ping.
Unless you connect from the network administrators subnet, FortiGate wont allow you to even try to log
in. So external brute force is impossible. So is discovery by ICMP.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

You may also want to customize the administrative protocols port numbers.
You can also choose whether to allow concurrent sessions. This can be used to prevent accidentally
overwriting settings if you usually keep multiple browser tabs open, or accidentally leave a CLI session
open without saving the settings, then begin a GUI session and accidentally edit the same settings, for
example.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Weve defined the management subnet that is, the trusted hosts for each administrator account. How
do you enable or disable management protocols?
This is specific to each interface. For example, if your administrators connect to FortiGate only from
port1, you should disable all administrative access on all other ports. This prevents brute force attempts,
and also insecure access.
For better security, it always best to only use secure, encrypted methods of access. Some protocols
such as telnet, ICMP, HTTP, and SNMP version 1 dont have encryption or even authentication. So
they should never be enabled on public, untrusted networks.
IPv4 and IPv6 protocols are separate. Its possible, for example, to have both IPv4 and IPv6 addresses
on an interface, but only respond to pings on IPv6. However, IPv6 is hidden in the GUI by default. How
do you show IPv6 settings?

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

FortiGate has hundreds of features. If you dont use all of them, hiding features that you dont use makes
it easier to focus on your work.
Hiding a feature in the GUI does not disable it. It is still functional, and still can be configured via CLI.
(In fact, many diagnostic features are only available in the CLI.)
Some advanced or less commonly used features, such as IPv6, are hidden by default.
There are 2 ways to show hidden features:
Use the Features widget on the dashboard, or
Go to System > Config > Features

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

The Features widget shows and hides features by bulk presets.

NGFW shows features for line speed inspection, with no added latency. This hides all UTM options
that can potentially slow down traffic.
ATP shows features for advanced threat protection that focus on protecting endpoint computers.
WF shows features for web filtering.
Full UTM is a present that shows almost all UTM features.

Load balancing and a few others arent enabled here, though. So if the Features widget does not
show the feature youre looking for, go to System > Config > Features instead.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Once you have administrator accounts, they can configure the network interfaces.
Remember: When the FortiGate device is in NAT/route mode, every interface that handles traffic usually
must have an IP address. This is so that packets with this interface will have a source and destination at
the IP layer. There are 3 ways to do this:
assign a static IP, or
automatically retrieve one, via either DHCP or PPPoE
As we mentioned earlier, there are 2 exceptions. Other, less commonly used are One-Arm Sniffer and
Dedicate to FortiAP. Unlike how interfaces are usually in NAT mode, these arent assigned an address.
One-Arm Sniffer is an interface in promiscuous mode. As a result, regardless of each packets
destination address, FortiGate can inspect all traffic that arrives. So although the overall FortiGate is
in NAT mode, acting as a router, this specific interface does not. It receives traffic, but cannot send.
There are more considerations, which are in the IPS lesson.
Dedicate to FortiAP creates both an access point controller and DHCP server. Clients
connecting to SSIDs managed through this interface receive an IP address from the pool on this
interface.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Wireless clients arent the only ones that can use FortiGate as their DHCP server.
Select the Manual option, enter a static IP, then enable the DHCP server option. Options for the builtin DHCP server will appear.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC
addresses. Those devices will always receive the same lease, unless the number of devices exceeds
the size of the IP pool.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

For detailed information about the MAC addresses and the corresponding IPs, you can look in the router
subsection of the event log, or in the DHCP Monitor, which you can find in the System menu.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Like with DHCP, you can also configure FortiGate to act as your local DNS server.
A local DNS server can improve performance for your FortiMail or other devices that use DNS queries
frequently. If your FortiGate offers DHCP to your local network, DHCP can be used configure those
hosts to use FortiGate itself as both the gateway and DNS server.
FortiGate can answer DNS queries in one of 3 ways:
by relaying all queries that is, acting as a DNS relay instead of a DNS server
by relaying queries only the queries it cant resolve to your ISPs DNS server,
by returning a null response if it cant resolve queries itself.
You can enable and configure DNS separately on each interface.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

If you choose the DNS forwarding option, you can control DNS queries within your own network without
having to setup a separate DNS server.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set up a
DNS database on your FortiGate.
This defines the host names that FortiGate will resolve queries for. Use zone file syntax outlined by
RFCs 1034 and 1035.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Lastly, before you can integrate FortiGate in your network, FortiGate must have a default gateway.
If FortiGate gets its IP address through a dynamic method such as DHCP or PPPoE, then it will also
retrieve the default gateway.
Otherwise you must configure a static route. Without this, the FortiGate will not be able to respond to
packets outside the subnets directly attached to its own interfaces. It probably also wont be able to
connect to FortiGuard for updates, and may not properly route traffic.
Routing details are covered in another lesson. For now, you should usually make sure that FortiGate has
a route that matches all packets (destination is 0.0.0.0/0), and forwards them through the network
interface that is connected to the Internet, to the IP address of the next router.
Routing completes the basic network settings that are required before you can configure firewall policies.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Now that FortiGate has basic network settings and administrative accounts, lets show how to back up
the configuration.
You can encrypt configuration files with a password, if necessary. Besides securing the privacy of your
configuration, it also has some effects you may not expect. Once encrypted, the configuration file cannot
be decrypted without the password and a FortiGate of the same model and firmware. This means that if
you send an encrypted configuration file to Fortinet Technical Support, even if you give them the
password, they still cannot load your configuration until they get access to the same model of FortiGate.
This can cause unnecessary delays when resolving your ticket.
Even if the configuration is not encrypted as a whole, each passwords is encrypted individually. So in
many cases, encrypting the entire configuration file may not be necessary.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

If you open the configuration file in a text editor, youll see that both encrypted and unencrypted
configuration files contain a clear text header that contains some basic information about the device. The
diagram here shows what information it includes.
To restore an encrypted configuration, you must upload it to the same model of FortiGate, with the same
firmware version, then provide the password.
To restore an unencrypted configuration file, you are only required to match the model. If the firmware is
different, FortiGate will attempt to upgrade the configuration, similar to how it uses upgrade scripts on the
existing configuration when upgrading firmware.
Usually, the configuration file only contains non-default settings, plus a few default yet crucial settings.
This minimizes the size of the backup, which could otherwise be several MB in size.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

If you enable virtual domains, subdividing the resources and configuration of your FortiGate, each VDOM
administrator can back up and restore their own configurations. You dont have to back up the entire
FortiGate configuration.
VDOM details are discussed in a separate lesson.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Upgrading the firmware on a FortiGate is simple. The easiest method is to click the Update link on the
System Information widget on the dashboard, then choose a firmware file that you have downloaded
from support.fortinet.com.
If you want to make a clean install by overwriting both the existing firmware and its current
configuration, you can do this via the local console CLI, within the boot loader menu, while FortiGate is
rebooting. However, this is not the usual method.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

You can also downgrade firmware. Since settings change in each firmware version, you should have a
configuration file in the syntax that is compatible with the firmware.
Remember to read the release notes. Sometimes a downgrade between firmware versions that
preserves the configuration is not possible, such as when the OS changed from 32-bit to 64-bit. In that
situation, the only way to downgrade is to format the disk, then reinstall.
Once youve determined the downgrade is possible, verify everything again, then start the downgrade.
After it completes, restore a configuration backup that is compatible with that version.
Why should you keep emergency firmware and physical access?
Old firmware versions dont know how to convert future configurations. Also, when upgrading via a path
that is not supported by the configuration translation scripts, you might lose all settings except basic
access settings such as administrator accounts and network interface IP addresses. Another rare but
possible scenario is that the firmware could be corrupted when you are uploading it. For all of those
reasons, you should always have local console access during an upgrade, in case of emergency.
However, in practice, if you read the Release Notes and have a reliable connection to the GUI or CLI, it
should not usually be necessary.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

Remember your initial setup via FortiExplorer? You can also use it to download firmware, then install it
on your FortiGate.

DO NOT REPRINT
FORTINET

Introduction to Fortinet UTM

To review, these are the topics that we just talked about.


We showed how FortiGate can replace multiple single-purpose devices yet increase power efficiency
and throughput. We explained the differences between FortiGuard services, and how those are part of
the UTM architecture. We showed how to configure administrator accounts, permissions, and how to
harden administrative access. We also explained how to choose the operation mode based upon the
behavior you need for each network interface, how to configure the network settings, and finally how to
back up the configuration and install firmware.