
Packet flow:

Step #1 Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPsec connection check
4. Destination NAT
5. Routing
Step #2 Stateful Inspection Engine
1. Session Helpers
2. Management Traffic
3. SSL VPN
4. User Authentication
5. Traffic Shaping
6. Session Tracking
7. Policy lookup
Step #3 Security Profiles scanning process
1. Flow-based Inspection Engine
  2. IPS
  3. Application Control
  4. Data Leak Prevention
  5. Email Filter
  6. Web Filter
  7. Anti-virus
8. Proxy-based Inspection Engine
  9. VoIP Inspection
  10. Data Leak Prevention
  11. Email Filter
  12. Web Filter
  13. Anti-virus
  14. ICAP
Step #4 Egress
1. IPsec
2. Source NAT
3. Routing
Interface
Ingress packets are received by a FortiGate interface. The packet
enters the system, and the interface network device driver passes
the packet to the Denial of Service (DoS) sensors, if enabled, to
determine whether this is a valid information request or not.
DoS sensor
DoS scans are handled very early in the life of the packet to
determine whether the traffic is valid or is part of a DoS attack.
Unlike signature-based IPS which inspects all the packets within a
certain traffic flow, the DoS module inspects all traffic flows but only
tracks packets that can be used for DoS attacks (for example TCP
SYN packets), to ensure they are within the permitted parameters.
Suspected DoS attacks are blocked, other packets are allowed.
IP integrity header checking
The FortiGate unit reads the packet headers to verify that the packet
is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification
done at this step is to ensure that the protocol header has the
correct length. If it does, the packet is allowed to carry on to the
next step. If not, the packet is dropped.
IPsec
If the packet is an IPsec packet, the IPsec engine attempts to
decrypt it. The IPsec engine applies the correct encryption keys to
the IPsec packet and sends the unencrypted packet to the next step.
IPsec is bypassed for non-IPsec traffic and for IPsec traffic that
cannot be decrypted by the FortiGate unit.
Destination NAT (DNAT)
The FortiGate unit checks the NAT table and determines the real
destination IP address for the traffic, so that the routing step that
follows works on the address the packet will actually be delivered
to. For example, if a user's browser on the internal network at IP
address 192.168.1.1 visited the web site www.example.com using
NAT, after passing through the FortiGate unit the source IP address
is NATed to the FortiGate unit external interface IP address. The
destination address of the reply back from www.example.com is
therefore the IP address of the FortiGate unit external interface.
For this reply packet to be returned to the user, the destination IP
address must be destination NATed back to 192.168.1.1. DNAT must
take place before routing so that the FortiGate unit can route
packets to the correct destination.
Routing
The routing step determines the outgoing interface to be used by
the packet as it leaves the FortiGate unit. In the previous step, the
FortiGate unit determined the real destination address, so it can now
refer to its routing table and decide where the packet must go next.
Routing also distinguishes between local traffic and forwarded traffic
and selects the source and destination interfaces used by the
security policy engine to accept or deny the packet.
Policy lookup
The policy lookup is where the FortiGate unit reviews the list of
security policies which govern the flow of network traffic, from the
first entry to the last, to find a match for the source and destination
interfaces, IP addresses and port numbers; the first matching policy
wins, and a packet that matches no policy is dropped by the implicit
deny policy. The decision to accept or deny a packet, after it has
been verified as a valid request within the stateful inspection,
occurs here. A denied packet is discarded. An accepted packet will
have further actions taken. If IPS is enabled, the packet will go to
the flow-based inspection engine, otherwise it will go to the
proxy-based inspection engine. If no other security options are
enabled, then the session was only subject to stateful inspection. If
the action is accept, the packet will go to Source NAT to be ready to
leave the FortiGate unit.
Session tracking
Part of the stateful inspection engine, session tracking maintains
the session table: the record of each accepted session that the
stateful inspection module uses to match subsequent packets
(including replies) to their session, to undo NAT on the return path,
and for other session-related functions.
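The policy lookup, session tracking and NAT steps above are easier to follow when executed. The Python model below is an added example written for this page; it is not FortiOS code and does not claim to be Fortinet's implementation. The interface names, the addresses (RFC 5737 TEST-NET ranges stand in for www.example.com and the public side), and the SYN threshold are assumptions chosen for the demo. It runs one outbound request through the pipeline, lets the reply be matched by the session table and destination-NATed back before routing, shows an unsolicited inbound packet hitting the implicit deny, and shows the DoS sensor tracking only TCP SYNs.

```python
"""Toy model of the FortiGate ingress pipeline described above.
Added example for this page; not FortiOS code. Addresses, interface
names and SYN_THRESHOLD are assumptions chosen for the demo."""
from collections import Counter
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

VALID_PROTOS = {"tcp", "udp", "icmp", "sctp", "gre"}  # protocols the header check accepts
SYN_THRESHOLD = 3  # assumed DoS-sensor limit on SYNs per source (toy value)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    syn: bool = False


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR or "all"
    dstaddr: str          # CIDR or "all"
    service: frozenset    # {(proto, dport)}; empty means "ALL"
    action: str           # "accept" or "deny"
    nat: bool = False


def addr_match(spec, ip):
    return spec == "all" or ip_address(ip) in ip_network(spec, strict=False)


class FortiGateModel:
    def __init__(self, interfaces, routes, policies):
        self.interfaces = interfaces  # interface name -> its IP address
        self.routes = routes          # [(cidr, egress interface)]
        self.policies = policies      # ordered; first match wins
        self.reply_map = {}           # session table keyed by the expected reply 5-tuple
        self.syns = Counter()         # DoS sensor state: SYNs seen per source

    def route(self, dst):
        """Longest-prefix match; None when the routing table has no route."""
        best = None
        for cidr, iface in self.routes:
            net = ip_network(cidr)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def policy_lookup(self, ingress, egress, p):
        """Top-to-bottom scan; no match means the implicit deny applies."""
        for pol in self.policies:
            if (pol.srcintf == ingress and pol.dstintf == egress
                    and addr_match(pol.srcaddr, p.src) and addr_match(pol.dstaddr, p.dst)
                    and (not pol.service or (p.proto, p.dport) in pol.service)):
                return pol
        return None

    def ingress(self, ingress_iface, p):
        """Returns (verdict, reason, egress interface, packet as it leaves)."""
        # Step 1.1: the DoS sensor only tracks packets usable for floods (TCP SYN here).
        if p.syn:
            self.syns[p.src] += 1
            if self.syns[p.src] > SYN_THRESHOLD:
                return ("drop", "dos-sensor", None, None)
        # Step 1.2: IP integrity header check (reduced to "is this a protocol we validate").
        if p.proto not in VALID_PROTOS:
            return ("drop", "header-check", None, None)
        # Step 1.4: DNAT before routing. A reply to a tracked session has its destination
        # restored to the original client so that routing picks the internal interface.
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.reply_map:
            orig = self.reply_map[key]
            p = replace(p, dst=orig.src, dport=orig.sport)
            return ("accept", "existing-session", self.route(p.dst), p)
        # Step 1.5: routing selects the egress interface that the policy lookup needs.
        egress = self.route(p.dst)
        if egress is None:
            return ("drop", "no-route", None, None)
        # Step 2.7: policy lookup on (srcintf, dstintf, srcaddr, dstaddr, service).
        pol = self.policy_lookup(ingress_iface, egress, p)
        if pol is None or pol.action != "accept":
            return ("drop", "policy-deny", egress, None)
        # Steps 2.6 and 4.2: create the session, then SNAT to the egress interface address.
        out = replace(p, src=self.interfaces[egress]) if pol.nat else p
        self.reply_map[(out.proto, out.dst, out.dport, out.src, out.sport)] = p
        return ("accept", "new-session", egress, out)


def demo():
    fw = FortiGateModel(
        interfaces={"internal": "192.168.1.254", "wan1": "198.51.100.1"},
        routes=[("192.168.1.0/24", "internal"), ("0.0.0.0/0", "wan1")],
        policies=[Policy("internal", "wan1", "192.168.1.0/24", "all",
                         frozenset({("tcp", 80), ("tcp", 443)}), "accept", nat=True)],
    )
    web = "203.0.113.10"  # stands in for www.example.com
    request = fw.ingress("internal", Packet("192.168.1.1", web, "tcp", 40000, 80, syn=True))
    reply = fw.ingress("wan1", Packet(web, "198.51.100.1", "tcp", 80, 40000))
    unsolicited = fw.ingress("wan1", Packet("203.0.113.99", "192.168.1.1", "tcp", 1234, 22, syn=True))
    flood = [fw.ingress("internal", Packet("192.168.1.7", web, "tcp", 50000 + i, 80, syn=True))
             for i in range(SYN_THRESHOLD + 1)]
    return request, reply, unsolicited, flood


if __name__ == "__main__":
    for name, result in zip(("request", "reply", "unsolicited", "flood"), demo()):
        print(name, result)
```

The reply path never reaches the policy lookup: the session table already holds the verdict, which is why a reply can be destination-NATed and routed back to the client even though no policy allows wan1-to-internal traffic. The unsolicited packet to the same internal host has no session entry, so it falls through to the policy lookup and is dropped by the implicit deny.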
User authentication
The stateful inspection engine handles user authentication added to
security policies, which is why firewall authentication is based on IP
address. Authentication takes place after policy lookup selects a
security policy that includes authentication. Such policies are also
known as identity-based policies. Authentication also takes place
before security features are applied to the packet.
Management traffic
This local traffic is delivered to the FortiGate unit TCP/IP stack and
includes communication with the web-based manager, the CLI, the
FortiGuard network, log messages sent to FortiAnalyzer or a remote
syslog server, and so on. Management traffic is processed by
applications such as the web server which displays the FortiOS
web-based manager, the SSH server for the CLI or the FortiGuard
server to handle local FortiGuard database updates or FortiGuard
Web Filtering URL lookups.
SSL VPN traffic
For local SSL VPN traffic, the internal packets are decrypted and are
routed to a special interface, typically called ssl.root. Once
decrypted, the packets go to policy lookup.
ICAP traffic
If you enable ICAP in a security policy, HTTP (and optionally HTTPS)
traffic intercepted by the policy is transferred to ICAP servers in the
ICAP profile added to the policy. The FortiGate unit is the surrogate,
or middle-man, and carries the ICAP responses from the ICAP
server to the ICAP client; the ICAP client then responds back, and
the FortiGate unit determines the action that should be taken with
these ICAP responses and requests.
Session helpers
Some protocols include information in the packet body (or payload)
that must be analyzed to successfully process sessions for this
protocol. For example, the SIP VoIP protocol uses TCP control
packets with a standard destination port to set up SIP calls. To
successfully process SIP VoIP calls, FortiOS must be able to extract
information from the body of the SIP packet and use this information
to allow the voice-carrying packets through the firewall.
FortiOS uses session helpers to analyze the data in the packet
bodies of some protocols and adjust the firewall to allow those
protocols to send packets through the firewall.
Flow-based inspection engine
Flow-based inspection is responsible for IPS, application control,
flow-based antivirus scanning and VoIP inspection. Packets are sent
to flow-based inspection if the security policy that accepts the
packets includes one or more of these security features. Once the
packet has passed the flow-based engine, it can be sent to the proxy
inspection engine or egress.
Proxy-based inspection engine
The proxy inspection engine is responsible for carrying out antivirus
protection, email filtering (antispam), web filtering and data leak
prevention. The proxy engine will process multiple packets to
generate content before it is able to make a decision for a specific
packet.
IPsec
If the packet is transmitted through an IPsec tunnel, it is at this
stage the encryption and required encapsulation is performed. For
non-IPsec traffic (TCP/UDP) this step is bypassed.
Source NAT (SNAT)
When preparing the packet to leave the FortiGate unit, it needs to
NAT the source address of the packet to the external interface IP
address of the FortiGate unit. For example, a packet from a user at
192.168.1.1 accessing www.example.com is now using a valid
external IP address as its source address.
Routing
The final routing step determines the outgoing interface to be used
by the packet as it leaves the FortiGate unit.
Egress
Upon completion of the scanning at the IP level, the packet exits the
FortiGate unit.
Example 1: client/server connection
The following example illustrates the flow of a packet of a client/web
server connection with authentication and FortiGuard URL and
antivirus filtering.
This example includes the following steps:
Initiating connection from client to web server
1. Client sends packet to web server.
2. Packet intercepted by FortiGate unit interface.
2.1 Link level CRC and packet size checking. If the size is correct,
the packet continues, otherwise it is dropped.
3. DoS sensor - checks are done to ensure the sender is valid and
not attempting a denial of service attack.
4. IP integrity header checking, verifying the IP header length,
version and checksums.
5. Next hop route
6. Policy lookup
7. User authentication
8. Proxy inspection
8.1 Web Filtering
8.2 FortiGuard Web Filtering URL lookup
8.3 Antivirus scanning
9. Source NAT
10. Routing
11. Interface transmission to network
12. Packet forwarded to web server
Response from web server
1. Web server sends response packet to client.
2. Packet intercepted by FortiGate unit interface.
2.1 Link level CRC and packet size checking.
3. IP integrity header checking.
4. DoS sensor.
5. Proxy inspection
5.1 Antivirus scanning.
6. Source NAT.
7. Stateful Policy Engine
7.1 Session Tracking
8. Next hop route
9. Interface transmission to network
10. Packet returns to client

Module-1: Initial Configuration

1) Check the system status
to see the software version, operational mode, HA state, system
time, etc.:
# get system status
2) Check the hardware performance
to see the state of the CPU, memory and the uptime:
# get system performance status
3) See the top CPU consumers, in case of high CPU usage:
# get system performance top
4) Show the interface configuration:
# show system interface
5) Show the policy routing rules:
# show router policy


Configure Interface
FortiGate-60 # config system interface
edit internal
set ip 192.168.2.1 255.255.255.0
set mode static
set dhcp-server-mode none
next
edit wan1
set ip 192.168.3.1 255.255.255.0
next
end
To verify:
# show system interface (check interface configuration)
Configure DNS
# config system dns
set primary 165.21.83.88
set secondary 165.21.100.88
end
Configure Internal Allowaccess (ping, https)
# config system interface
edit internal
set allowaccess ping https
end
Configure Wan1 Allowaccess (ping)
# config system interface
edit wan1
set allowaccess ping
end
Configure Static Route
# config router static
edit 1
set device wan1
set dst 0.0.0.0 0.0.0.0
set gateway 192.168.1.1
set distance 10
next
end

Change System Hostname
# config system global
set hostname hyd-gw
end
Change Admin Password
# config system admin
edit admin
set password
end
Firmware Upgrade
To upgrade the FortiGate firmware from the CLI:
1 Make sure that the TFTP server is running and is reachable from
the FortiGate.
2 Copy the new firmware image file to the root directory of your
TFTP server, after verifying its checksum against the value
published by Fortinet.
3 Log into the CLI as the admin administrative user.
4 Install the image (the unit reboots when the install completes):
# execute restore image tftp <image_filename> <tftp_server_ip>
Check the state, speed, duplex and IP of the interfaces
# get system interface physical
Check the MAC address and the state of the interfaces
# diagnose hardware deviceinfo nic internal
The output shows the interface name, MAC address, link state,
speed, duplex, MTU, packet and byte counters and errors.
Check the ARP Table
# get system arp
Check the Routing Table
# get router info routing-table all
Check which route matches a destination
# get router info routing-table details 10.20.100.10
Configure System DHCP Server on Interface "lan"
# config system dhcp server
edit 1
set default-gateway 192.168.100.1
set dns-service default
set interface "lan"
set netmask 255.255.255.0
config ip-range
edit 1
set start-ip 192.168.100.80
set end-ip 192.168.100.200
next
end
next
end
Show the current DHCP lease list
# execute dhcp lease-list
Clear the DHCP lease of a specific IP
# execute dhcp lease-clear <ip_address>
Clear all the DHCP leases
# execute dhcp lease-clear all
Configuring DDNS
Dynamic DNS is very helpful if your Internet Service Provider
assigns you a dynamic (DHCP) address. Fortinet hosts its own Dynamic
DNS servers, which are configurable in the GUI. Using them allows
you to reach your FortiGate by a DNS name that updates
automatically when your IP address changes.
Follow the steps below to enable Dynamic DNS on a FortiGate:
1) Open System > Network > DNS
2) Select Enable FortiGuard DDNS
3) Select the interface you'd like to enable for DDNS. This must be an
externally facing interface.
4) Select your Fortinet server: fortiddns.com, fortidyndns.com or
float-zone.com
5) Choose a Unique Location. This will be specific to your FortiGate.
Example: itexperiment.fortiddns.com
6) Verify access is enabled on your external interface: HTTPS, SSH or
both. Changing these from the default ports 443 and 22 reduces the
noise from automated scanners but does not by itself secure the
unit.
Note: Weigh all risks associated with enabling external access to
your firewall. Changing default ports, restricting each administrator
to trusted source addresses, and leaving HTTP and Telnet disabled
on the external interface are changes you can make to reduce the
exposure.

Displays the static routes
# get router info routing-table static
Displays the directly connected routes
# get router info routing-table connected
Shows the static IP-to-MAC configuration
# show system arp-table
Shows the global firewall settings like management port
# show system global
Shows the SNMP settings
#show system snmp community
To view system settings
# get system setting
Ping an IP
# execute ping 1.1.1.1
Set Ping Source
# execute ping-options source 192.168.1.1
Trace route to an IP
# execute traceroute 1.1.1.1
Shutdown device
# execute shutdown
Reboot device
# execute reboot
Create System Users
# config system admin
edit "superadmin1"
set accprofile "super_admin"
set password <password>
next
edit "testadmin"
set accprofile "prof_admin"
set password <password>
next
end
Listing the result with "show system admin" prints each account with
its accprofile and its password as a hash (set password ENC ...),
never in cleartext. Give day-to-day accounts a restricted profile
such as prof_admin rather than super_admin, and treat configuration
backups as sensitive, because the ENC hashes they contain are
enough to recreate the accounts on another unit.
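The external-access note in the DDNS section and the administrator accounts above are the two places where a misconfiguration is most likely to expose the unit. The script below is an added example for this page, not Fortinet code: it parses the FortiOS "config / edit / set / next / end" format that "show" prints, as used throughout this page, and audits a configuration for administrators without trusted hosts, cleartext or Internet-facing management access, and admin ports left at their defaults. SAMPLE_CONFIG is constructed for the demo, and the rule that interfaces named wan* face the Internet is an assumption.

```python
"""Parse FortiOS CLI configuration output (config / edit / set / next / end)
and audit the administrative-access settings. Added example for this page,
not Fortinet code. SAMPLE_CONFIG is constructed; the "wan" name prefix used
to decide which interfaces face the Internet is an assumption."""
import shlex

SAMPLE_CONFIG = """
config system global
    set hostname "hyd-gw"
    set admin-sport 443
end
config system interface
    edit "internal"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "wan1"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.168.2.0 255.255.255.0
        set password ENC REDACTED
    next
    edit "testadmin"
        set accprofile "prof_admin"
        set password ENC REDACTED
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: "config a b" -> {"a b": {...}}, "edit x" -> {x: {...}},
    "set k v1 v2" -> {k: ["v1", "v2"]}. next/end pop one level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_admin_access(cfg):
    """Findings a practitioner would raise before exposing management to the Internet."""
    findings = []
    for name, admin in cfg.get("system admin", {}).items():
        # No trusthostN means the account can be logged into from any source IP.
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost set, logins accepted from any source IP")
    for name, intf in cfg.get("system interface", {}).items():
        access = set(intf.get("allowaccess", []))
        cleartext = access & {"http", "telnet"}
        if cleartext:
            findings.append(f"interface {name}: cleartext management enabled ({', '.join(sorted(cleartext))})")
        exposed = access & {"https", "ssh"}
        if name.startswith("wan") and exposed:  # assumption: wan* interfaces face the Internet
            findings.append(f"interface {name}: management ({', '.join(sorted(exposed))}) reachable from the Internet")
    glob = cfg.get("system global", {})
    # A missing key means the FortiOS default (443 / 22) is in effect.
    if glob.get("admin-sport", ["443"])[0] == "443":
        findings.append("system global: admin-sport left at the default 443")
    if glob.get("admin-ssh-port", ["22"])[0] == "22":
        findings.append("system global: admin-ssh-port left at the default 22")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a saved "show" or "execute backup config" output instead of SAMPLE_CONFIG to audit a real unit; the parser keeps the full tree, so further checks (for example the firewall policies or the syslog settings) can be added on the same parsed structure.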
Show logged in users
# get system info admin status
Detailed hardware model information
#get hardware status
Configure Syslog Settings
# config log syslogd setting
set status enable
set server 10.99.1.1
set port 514
set facility user
end
Use syslogd2 or syslogd3 in place of syslogd to configure a second
or third syslog server.
To verify, generate test log messages and confirm they arrive at the
syslog server:
# diagnose log test
Configuring Splunk Storm
Splunk Storm was a hosted (cloud) log management service; it has
since been discontinued, but the syslog settings below apply to any
remote syslog collector.
Prerequisites
1. Admin access to the FortiGate CLI
2. Splunk Storm account
3. Server and port information from your Splunk Storm project
4. Authorized public IP address configured in Splunk Storm
FortiGate Configuration
Step 1 Log in to the CLI and enable syslog
config log syslogd setting
set status enable
Step 2 Configure the server (retrieve your account-specific settings
from your Splunk project)
set server tcp-ngu5-hmng.data.splunkstorm.com
set port 35469
end
FortiOS sends syslog over UDP by default; a collector that only
listens on TCP also needs "set mode reliable" in the same block.
Step 3 Verify the filters you want to log are turned on. These are
on by default.
config log syslogd filter
get (shows all filters and their current status)
end
Step 4 Verify the configuration
Log in to your syslog system and verify logs are being processed.
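Once the syslog settings above are in place, the collector receives FortiOS messages as space-separated key=value pairs. The script below is an added example for this page, not Fortinet code: it parses that format and runs two detections a practitioner would want on day one, repeated implicit-deny hits from one source (a probe or scan) and failed administrator logins. SAMPLE_LOGS are constructed lines in the FortiOS key=value style; the field names follow common FortiOS traffic and event logs, but the exact set varies by firmware version, so check them against your own logs.

```python
"""Parse FortiOS syslog messages (space-separated key=value pairs, values
optionally double-quoted) and run two simple detections over them. Added
example for this page, not Fortinet code. SAMPLE_LOGS are constructed
lines in the FortiOS key=value style; field names are assumptions that
should be checked against the firmware version in use."""
import re
from collections import Counter

# key=value where the value is either a double-quoted string or a run of non-space characters
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 devname="hyd-gw" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.99 srcport=51001 srcintf="wan1" dstip=192.168.1.10 dstport=22 dstintf="internal" action="deny" policyid=0 service="SSH"',
    'date=2024-01-15 time=10:00:02 devname="hyd-gw" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.99 srcport=51002 srcintf="wan1" dstip=192.168.1.10 dstport=23 dstintf="internal" action="deny" policyid=0 service="TELNET"',
    'date=2024-01-15 time=10:00:03 devname="hyd-gw" type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.99 srcport=51003 srcintf="wan1" dstip=192.168.1.10 dstport=3389 dstintf="internal" action="deny" policyid=0 service="RDP"',
    'date=2024-01-15 time=10:00:04 devname="hyd-gw" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.1 srcport=40000 srcintf="internal" dstip=203.0.113.10 dstport=80 dstintf="wan1" action="accept" policyid=1 service="HTTP"',
    'date=2024-01-15 time=10:00:05 devname="hyd-gw" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.5) because of invalid password"',
]


def parse_fortios_log(line):
    """Return the key=value pairs of one message as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def denied_sources(lines, threshold):
    """Sources with at least `threshold` denied forward sessions: a cheap scan/probe signal.
    policyid=0 on a deny is the implicit deny policy, i.e. traffic no rule wanted."""
    counts = Counter()
    for rec in map(parse_fortios_log, lines):
        if rec.get("type") == "traffic" and rec.get("action") == "deny":
            counts[rec["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def failed_admin_logins(lines):
    """(user, source IP) for every failed administrator login event."""
    return [(rec.get("user"), rec.get("srcip"))
            for rec in map(parse_fortios_log, lines)
            if rec.get("type") == "event" and rec.get("action") == "login"
            and rec.get("status") == "failed"]


if __name__ == "__main__":
    print("denied >= 3 times:", denied_sources(SAMPLE_LOGS, 3))
    print("failed admin logins:", failed_admin_logins(SAMPLE_LOGS))
```

Feed it the lines your collector writes to disk (after stripping the syslog PRI and header that the transport adds) to get the same two answers for a real unit; the threshold and the time window it is applied over are tuning decisions for your environment.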

Backup/Restore Configuration to Flash
# execute backup config flash
To see your config backups (revisions)
# execute revision list config
To restore
# execute restore config flash <revision ID of the config you want to restore>

Change Switch Mode to Interface Mode in FortiGate
Prerequisites to change switch mode to interface mode:
1) Disable the DHCP server on the internal interface.
2) Remove any policies that reference the internal port; normally
you will find only one (the all-to-all policy in the firewall policies).
Changing switch mode to interface mode:
config system global
set internal-switch-mode interface
end
The device will now reboot.
Restoring factory default settings:
Log in to the FortiGate CLI and run
# execute factoryreset
The unit asks for confirmation, erases the configuration and reboots.

FortiGate Unable to Boot Image after Firmware Upgrade
A FortiGate firewall may not boot after a firmware upgrade.
Follow the steps below to return your device to the previous
firmware version:
1) Console into the FortiGate unit.
2) Power cycle the unit and monitor the boot process until you see a
prompt stating "Press any key to display configuration menu".
3) Press any key within 5 seconds to launch the menu.
4) From the menu select option B, "Boot with backup firmware and
set as default".
5) The unit will restart and boot with its previously installed
firmware.
Retry the firmware upgrade after the unit is back online. Be sure to
follow the upgrade procedure in the FortiOS release notes.
Additional measures can be taken to format the unit and install the
OS without an upgrade.
It is highly recommended to always have a configuration backup and
a firmware image backup prior to every upgrade.

Module-2: Firewall Policies
Check firewall statistics
# get system performance firewall statistics
Show firewall policy number 6
# show firewall policy 6
Displays a list of addresses (only names, not the configuration)
# get firewall address
Displays a list of address groups (only names, not the configuration)
# get firewall addrgrp
Displays a list of policies (only names)
# get firewall policy
Displays the IP Pool configuration
# show firewall ippool
Displays all the configured policies
# show firewall policy
Displays all the user-defined services
# show firewall service custom
Configuring a firewall policy
# config firewall policy
edit 1
set srcintf "lan"
set dstintf "wan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
This is a permissive any-to-any outbound policy. In production,
narrow srcaddr and service to what is actually needed and attach
the security profiles (antivirus, web filter, IPS) you want applied,
because a policy with no profiles gives the session stateful
inspection only.
Module-3: NAT Commands
Configure static NAT (a virtual IP) to an internal server 10.1.1.10
from external IP 200.1.1.10
config firewall vip
edit "NAT_200.1.1.10"
set extip 200.1.1.10
set extintf "port1"
set mappedip 10.1.1.10
next
end
The VIP only defines the destination NAT; inbound traffic is still
dropped until a firewall policy from port1 with the VIP as its
destination address allows the services you intend to publish.
