Step #1 Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPsec connection check
4. Destination NAT
5. Routing
Step #2 Stateful Inspection Engine
1. Session Helpers
2. Management Traffic
3. SSL VPN
4. User Authentication
5. Traffic Shaping
6. Session Tracking
7. Policy lookup
the IPsec packet and sends the unencrypted packet to the next step.
IPsec processing is bypassed for non-IPsec traffic and for IPsec traffic
that the FortiGate unit cannot decrypt.
Destination NAT (DNAT)
The FortiGate unit checks the NAT table and determines the
destination IP address for the traffic. This step determines whether a
route to the destination address actually exists. For example, if a
user's browser on the internal network at IP address 192.168.1.1
visited the web site www.example.com using NAT, after passing
through the FortiGate unit the source IP address becomes NATed to
the FortiGate unit external interface IP address. The destination
address of the reply back from www.example.com is the IP address
of the FortiGate unit internal interface. For this reply packet to be
returned to the user, the destination IP address must be destination
NATed to 192.168.1.1. DNAT must take place before routing so that
the FortiGate unit can route packets to the correct destination.
Routing
The routing step determines the outgoing interface to be used by
the packet as it leaves the FortiGate unit. In the previous step, the
FortiGate unit determined the real destination address, so it can now
refer to its routing table and decide where the packet must go next.
Routing also distinguishes between local traffic and forwarded traffic
and selects the source and destination interfaces used by the
security policy engine to accept or deny the packet.
Policy lookup
The policy lookup is where the FortiGate unit reviews the list of
security policies which govern the flow of network traffic, from the
first entry to the last, to find a match for the source and destination
IP addresses and port numbers. The decision to accept or deny a
packet, after being verified as a valid request within the stateful
inspection, occurs here. A denied packet is discarded. An accepted
packet will have further actions taken. If IPS is enabled, the packet
will go to Flow-based inspection engine, otherwise it will go to the
Proxy-based inspection engine. If no other security options are
enabled, then the session was only subject to stateful inspection. If
the action is accept, the packet will go to Source NAT to be ready to
leave the FortiGate unit.
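The DNAT, routing and policy-lookup steps described above, as an added Python model that is not FortiGate code and not part of this document: the NAT table, routes, policies, interface names and addresses are constructed, and the second run deliberately applies routing before DNAT to show why the reply packet in the example would then be sent out the wrong interface.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed tables standing in for the FortiGate NAT, routing and policy
# tables; all addresses are documentation ranges, not a real deployment.
FGT_WAN_IP = "203.0.113.2"  # FortiGate external interface address
# NAT table entry created when 192.168.1.1 opened the outbound session:
# replies to the FortiGate external IP:port map back to the internal host.
NAT_TABLE = {(FGT_WAN_IP, 40000): ("192.168.1.1", 52000)}
ROUTES = [("192.168.1.0/24", "internal"), ("0.0.0.0/0", "wan1")]
POLICIES = [  # evaluated first to last; the first match decides
    {"srcintf": "wan1", "dstintf": "internal", "dst": "192.168.1.0/24", "action": "accept"},
    {"srcintf": "any", "dstintf": "any", "dst": "0.0.0.0/0", "action": "deny"},
]


def dnat(pkt):
    """Rewrite the destination if the NAT table has an entry for it."""
    mapped = NAT_TABLE.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=mapped[0], dport=mapped[1]) if mapped else pkt


def route(dst):
    """Longest-prefix match over the routing table; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), i) for n, i in ROUTES if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def policy_lookup(pkt, srcintf, dstintf):
    """First-match search on interface pair and destination address."""
    addr = ipaddress.ip_address(pkt.dst)
    for idx, pol in enumerate(POLICIES):
        if (pol["srcintf"] in ("any", srcintf) and pol["dstintf"] in ("any", dstintf)
                and addr in ipaddress.ip_network(pol["dst"])):
            return idx, pol["action"]
    return None, "deny"  # implicit deny when no policy matches


def process(pkt, ingress, dnat_before_routing=True):
    """Run DNAT, routing and policy lookup in the chosen order and report the outcome."""
    pkt = dnat(pkt) if dnat_before_routing else pkt
    egress = route(pkt.dst)
    idx, action = policy_lookup(pkt, ingress, egress)
    return {"dst": pkt.dst, "egress": egress, "policy": idx, "action": action}


if __name__ == "__main__":
    reply = Packet(src="198.51.100.10", dst=FGT_WAN_IP, dport=40000)  # constructed web-server reply
    print(process(reply, "wan1"))  # DNAT first: routed to internal, accepted
    print(process(reply, "wan1", dnat_before_routing=False))  # routing first: wan1, denied
```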
Session tracking
Part of the stateful inspection engine, session tracking maintains
the session tables that record per-session state, which the stateful
inspection module uses for session handling, NAT, and other
session-related functions.
User authentication
To verify
#diagnose log test // Test logging
Configuring splunkstorm
Splunk Storm is a great free tool for managing logs. It's stored in the
cloud and provides valuable insight.
using Splunk Storm.
Prerequisites
1. Admin access to the Fortigate CLI
2. Splunk Storm Account
3. Server & Port Information from your Splunk Storm Project
4. Authorized public IP address configured in Splunk Storm
Fortigate Configuration
Step 1 Login to the CLI to enable Syslog
config log syslogd setting
set status enable
Step 2 Configure Server (we will use Splunk Storm, retrieve your
account specific settings from your Splunk Project)
set server tcp-ngu5-hmng.data.splunkstorm.com
set port 35469
Step 3 Verify the filters you want to log are turned on. These are
on by default.
config log syslogd filter
get (shows all filters and their current status)
Step 4 Verifying Configuration
Login to your SysLog system and verify logs are being processed
Additional measures can be taken to format the unit and install the
OS without an upgrade.
It is highly recommended to always have a configuration backup &
firmware image backup prior to every upgrade.