You are on page 1of 478

DO NOT REPRINT

FORTINET

FortiGate I
Student Guide
for FortiGate 5.2.1
DO NOT REPRINT
FORTINET
FortiGate I Student Guide
for FortiGate 5.2.1
Last Updated: 9 June 2015

Fortinet , FortiGate , and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or
company names may be trademarks of their respective owners. Copyright 2002 - 2015 Fortinet, Inc.
All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part
of this publication may be reproduced in any form or by any means or used to make any derivative
such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated
by the United States Copyright Act of 1976.
DO NOT REPRINT
FORTINET
Table of Contents

VIRTUAL LAB BASICS................................................................................ 7

Topology ............................................................................................................................8

Logging In...........................................................................................................................8
Disconnections/Timeouts............................................................................................................................................13

Transferring Files to the VM ................................................................................................13

Using HTML5 Instead of Java .............................................................................................13

Screen Resolution ..............................................................................................................14

International Keyboards......................................................................................................14

Troubleshooting Tips..........................................................................................................15

INTRODUCTION TO FORTINET UTM ............................................................. 17

Lab 1: Initial Setup and Configuration .................................................................................17


Objectives ......................................................................................................................................................................17
Time to Complete .........................................................................................................................................................17
Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate ..........................18
Exercise 2 Exploring the Command Line Interface ...............................................................................................20
Exercise 3 Restoring a Configuration from Backup...............................................................................................22
Exercise 4 Making Configuration Backups .............................................................................................................24

Lab 2: Administrative Access ..............................................................................................25


Objectives ......................................................................................................................................................................25
Time to Complete .........................................................................................................................................................25
Exercise 1 Administrators, Passwords, and Permissions ....................................................................................26
Exercise 2 Restricting Administrator Access ..........................................................................................................28

LOGGING & MONITORING........................................................................... 29

Lab 1: Status Monitor and Event Log ..................................................................................29


Objectives ......................................................................................................................................................................29
Time to Complete .........................................................................................................................................................29
Exercise 1 Using the GUI's Status Monitor..............................................................................................................30
Exercise 2 Event Log & Logging Options ................................................................................................................33

Lab 2: Remote Monitoring ..................................................................................................35


DO NOT REPRINT
FORTINET
Objectives ......................................................................................................................................................................35
Time to Complete .........................................................................................................................................................35
Exercise 1 Remote Logging & SNMP Monitoring ..................................................................................................36

FIREWALL POLICIES .................................................................................. 38

Lab 1: Firewall Policy ..........................................................................................................38


Objectives ......................................................................................................................................................................38
Time to Complete .........................................................................................................................................................38
Exercise 1 Creating Firewall Objects & Rules ........................................................................................................39
Exercise 2 Policy Actions ...........................................................................................................................................41
Exercise 3 Access through Virtual IPs .....................................................................................................................43
Exercise 4 Dynamic NAT with IP Pools ...................................................................................................................46
Exercise 5 Device Identification ................................................................................................................................48

FIREWALL AUTHENTICATION....................................................................... 50

Lab 1: User Authentication .................................................................................................50


Objectives ......................................................................................................................................................................50
Time to Complete .........................................................................................................................................................50
Exercise 1 Authentication via a Firewall Policy.......................................................................................................51
Exercise 2 Captive Portals .........................................................................................................................................53

SSL VPN ................................................................................................ 55

Lab 1: SSL VPN..................................................................................................................55


Objectives ......................................................................................................................................................................55
Time to Complete .........................................................................................................................................................55
Exercise 1 SSL VPN for Web Access ......................................................................................................................56
Exercise 2 Testing Authentication ............................................................................................................................58
Exercise 3 Accessing Resources Beyond Different Interfaces ............................................................................60

BASIC IPSEC VPN .................................................................................... 61

Lab 1: IPsec VPN................................................................................................................61


Objectives ......................................................................................................................................................................61
Time to Complete .........................................................................................................................................................61
Exercise 1 Site-to-Site IPsec VPN ............................................................................................................................62

EXPLICIT W EB PROXY ............................................................................... 64

Lab 1: Explicit Web Proxy ...................................................................................................64


Objectives ......................................................................................................................................................................64
Time to Complete .........................................................................................................................................................64
Exercise 1 Configuring the Explicit Web Proxy .......................................................................................................65
Exercise 2 Using a PAC File......................................................................................................................................68
DO NOT REPRINT
FORTINET
ANTIVIRUS................................................................................................ 71

Lab 1: Antivirus Scanning ...................................................................................................71


Objectives ......................................................................................................................................................................71
Time to Complete .........................................................................................................................................................71
Exercise 1 Antivirus & Block pages ..........................................................................................................................72
Exercise 2 Flow vs Proxy scanning .........................................................................................................................74

W EB FILTERING ........................................................................................ 75

Lab 1: Web Filtering ...........................................................................................................75


Lab Objectives ...............................................................................................................................................................75
Time to Complete .........................................................................................................................................................75
Exercise 1 FortiGuard Web Filtering ........................................................................................................................76
Exercise 2 Web Profile Overrides .............................................................................................................................80

APPLICATION CONTROL ............................................................................ 81

Lab 1: Application Identification ..........................................................................................81


Objectives ......................................................................................................................................................................81
Time to Complete .........................................................................................................................................................81
Exercise 1 Creating an Application Control List .....................................................................................................82
Exercise 2 Limiting YouTube Traffic .........................................................................................................................83
Exercise 3 Fine Tuning Web Site Access ...............................................................................................................84

APPENDIX A: ADDITIONAL RESOURCES ..................................................... 85

APPENDIX B: PRESENTATION SLIDES ......................................................... 86

Module 1: Introduction to Fortinet Unified Threat Management ...........................................87

Module 2: Logging and Monitoring ......................................................................................125

Module 3: Firewall Policies .................................................................................................161

Module 4: Firewall Authentication .......................................................................................232

Module 5: SSL VPN ............................................................................................................272

Module 6: Basic IPsec VPN.................................................................................................304

Module 7: Antivirus .............................................................................................................336

Module 8: Explicit Proxy......................................................................................................368

Module 9: Web Filtering......................................................................................................406


DO NOT REPRINT
FORTINET
Module 10: Application Control ...........................................................................................432
DO NOT REPRINT Virtual Lab Basics Topology

FORTINET
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.

FortiGate I Student Guide 7


DO NOT REPRINT Virtual Lab Basics Topology

FORTINET

Topology

port2
10.200.1.241

FortiManager FortiAnalyzer
W IN-LOCAL port1 port1
10.0.1.10 10.0.1.241 10.0.1.210

10.0.1.254/24 port3
port3 10.200.1.210

LOCAL
port2 port1
10.200.2.1/24 10.200.1.1/24
LINUX
10.200.2.254 10.200.1.254
eth2 eth1
eth0

eth4 eth3
10.200.4.254 10.200.3.254

REMOTE
10.200.4.1/24 10.200.3.1/24
port5 port4

W IN-REMOTE
10.0.2.10 port6
10.0.2.254/24

Logging In
1. Run the System Checker. This will fully verify both:
compatibility with the virtual lab environment's software, and
that your computer can connect
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM -West

FortiGate I Student Guide 8


DO NOT REPRINT Virtual Lab Basics Logging In

FORTINET
Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck /?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.

If your computer successfully connects to the virtual lab, the result messages for the browser and
network checks will each display a check mark icon. Continue to the next step.
If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:

FortiGate I Student Guide 9


DO NOT REPRINT Virtual Lab Basics Logging In

FORTINET
https://remotelabs.training.fortinet.com/

https://virtual.mclabs.com/

3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.

4. Click Enter Lab.

A list of virtual machines that exist in your virtual lab should appear.

FortiGate I Student Guide 10


DO NOT REPRINT Virtual Lab Basics Logging In

FORTINET
From this page, you can access the console of any of your virtual devices by either:
clicking on the devices square, or
selecting System > Open.

FortiGate I Student Guide 11


DO NOT REPRINT Virtual Lab Basics Logging In

FORTINET
5. Click K2-Win-Student to open a connection to that server.

A new window should open within a few seconds. (Depending on your accounts preferences, the
window may be a Java applet. If this fails, you may need change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)

Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet
should automatically log in, then display the Windows desktop. For most lab exercises, you will
connect to this VM.

FortiGate I Student Guide 12


DO NOT REPRINT Virtual Lab Basics Transferring Files to the VM

FORTINET
Disconnections/Timeouts
If your computers connection with the virtual mac hine times out or if you are accidentally disconnected,
to regain access, return to the initial window/tab that contains your sessions list of VMs and open the
VM again.
If your session frequently times out or does not connect, ask your instructor.

Transferring Files to the VM


When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to
the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM,
you could create it on your computer, then drag it into the Java application window that is connected to
the Windows VM. Usually the destination folder is C:\Uploads.
Alternatively, if you store files in a cloud service such as Dropbox or SugarSy nc, you can use the web
browser to download them to your VM instead.

Using HTML5 Instead of Java


When you open a VM, your browser may download and use a Java application to connect to the
virtual labs VM. This means that Java must be installed, updated, and enabled in your browser.
Alternatively, you can use HTML5 instead. Click the Settings button, then select Use Java Client. Click
Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)

FortiGate I Student Guide 13


DO NOT REPRINT Virtual Lab Basics Screen Resolution

FORTINET
When connecting to a VM, your browser should then open a display in a new window or tab.

Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.

In the HTML 5 client, to configure screen resolution, open the System menu.

International Keyboards
If characters in your language dont display correctly, keyboard mappings may not be correct.

FortiGate I Student Guide 14


DO NOT REPRINT Virtual Lab Basics Troubleshooting Tips

FORTINET
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either
display an on-screen keyboard, or send text from your computer to the VM's clipboard.

To solve this in the Java client, copy and paste between your computer and the Java applet. This
sends special characters or combinations using the keyboard icon at the top of the applet window.

Troubleshooting Tips
If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allow cookies.
Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable
broadband connection such as a LAN.
Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On
Windows, if the Java applet is allowed and successfully downloads, but does not appear to
launch, you can open the Java console while troubleshooting. To do this, open the Control
Panel, click Java, and change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.

FortiGate I Student Guide 15


DO NOT REPRINT Virtual Lab Basics Troubleshooting Tips

FORTINET

Prepare your computer's settings:


o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, the VM is waiting for a response to the authentication server.

To retry immediately, go to the console and enter the CLI command:

exec update-now

FortiGate I Student Guide 16


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
Introduction to Fortinet UTM
Lab 1: Initial Setup and Configuration
This lab will provide an initial orientation to FortiGate's administrative GUI and CLI, and (if necessary)
will guide you through basic setup. Additionally, this lab will guide you through how to properly backup
and restore a configuration file.
If you see this:

it indicates that FortiGate VM is waiting for a response from the license authentication server. Typically
this happens after reboot, after you upload a new FortiGate configuration file. If that server was
rebooting or connectivity was interrupted, for example, at the same time that FortiGate VM was
rebooting and sending the request, then the server may not have received the request. FortiGate VM
will periodically retry, but you can manually initiate an immediate retry. To force an immediate license
authentication retry, go to FortiGate's CLI and enter:

execute update-now

Objectives
Configure FortiGate network interfaces and a default route for administrative access via your
lab network, such as with web browser, Telnet or SSH client
Distinguish between encrypted vs. non-encrypted configuration backups
Back up and restore configuration files
Find the FortiGate model and FortiOS firmware build information inside a configuration file

Time to Complete
Estimated: 15 minutes

FortiGate I Student Guide 17


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
Exercise 1 (Optional) Configuring Network Interfaces on the Student &
Remote FortiGate
Before proceeding, please ask your instructor if these steps are required for your specific classroom.
You must do this exercise only if your lab environment was initialized with blank FortiGate images.
1. Open the console of the FortiGate that is named Student.
2. At the login prompt, enter the username admin (all lower case). Leave the password blank.
3. To be able to access the Student FortiGate's GUI, you must first configure the port3 interface.
Assign its IP address, and specifically allow HTTP connections to the GUI:

conf system interface

edit port3

set ip 10.0.1.254/24

set allowaccess http

end
After you enter the "end" command, FortiGate saves its running configuration in RAM, and also
saves it to the flash disk.
HTTPS or SSH are recommended for administrative access to FortiGate because t hose protocols
provide authentication and encryption. Other available protocols include SSH, PING, SNMP,
HTTP and Telnet.
4. Verify that you've entered your configuration correctly by entering this command:

show system interface


Alternatively, you can enter a shorter form:

show sys int


5. On the Windows server, open Firefox. Go to the URL that is the FortiGate's IP address on port3:
http://10.0.1.254
6. If a security warning appears, accept the FortiGates self-signed certificate.
The login page should appear. If it does not, ask your instructor before continuing.

Note: To access the FortiGate GUI, your web browser must support cookies and
JavaScript. These are required for correct behavior and display.

7. Open the console of the FortiGate that is named Remote.


8. At the login prompt, enter the username admin (all lower case). Leave the password blank.
9. Enter the following CLI commands to set the port4 IP address and access control settings for
your device.

conf system interface

FortiGate I Student Guide 18


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
edit port4

set ip 10.200.3.1/24

set allowaccess http ping

end
10. Verify that a valid default gateway route exists:

show router static


If there is no static route for port4, enter the commands below to set it. (Routing will be explained
in more detail in a later lesson.)

conf route static

edit 0

set device port4

set gateway 10.200.3.254

end
11. Verify that you have entered your configuration correctly.

show system interface

show router static


You can't connect to the Remote FortiGate's GUI yet. Before you can do that, you must first
configure the FortiGate named Student with a route and a firewall policy that allows and routes
that management traffic to the FortiGate named Remote. You will add this configuration in a later
lab exercise.

FortiGate I Student Guide 19


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
Exercise 2 Exploring the Command Line Interface
1. Open the console of the FortiGate that is named Student.
2. At the login prompt, enter the username admin (all lower case). Leave the password blank.
3. Enter the command to display basic status information about that FortiGate:

get system status


Output shows the FortiGate's serial number, firmware version, operation mode, and other
information.
4. Verify that the firmware version is the correct one for this class.
5. Enter the following, then press the Return key:

get ?

Note: The ? character is not displayed on the screen.

This shows all words that the CLI will accept next after the get command. When the --More
prompt appears in the CLI, either press the spacebar key to continue scrolling, press the Enter key
to scroll one line at a time, or press the Q key to exit.
Depending on the command, you may need to enter additional words to completely specify a
configuration object.
6. Press the up arrow key. This displays the previous get system status command. Try some
of the other control key sequences that are summarized below.

Previous command up arrow, or CTRL+P


Next command down arrow, or CTRL+N
Beginning of line CTRL+A
End of line CTRL+E
Back one word CTRL+B
Forward one word CTRL+F
Delete current character CTRL+D
Clear screen CTRL+L
Abort command and exit CTRL+C
CTRL+C is context sensitive, but usually, it aborts the current command. If you were in a sub-
command, it returns you to the parent command. Otherwise, it will terminate your current
administrative session. To continue, you must log in again.
7. Enter the command:

execute ?
This lists all words that the CLI will accept next after the execute command.

FortiGate I Student Guide 20


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
8. Type:

execute
then press the Tab key 3 times.
The first time you press the Tab key, notice that the CLI adds the next word in the command. It is
the first word in the list from the previous step. Each time that you press the Tab key after that,
notice that the CLI replaces that word with the next possible word in the list, in alphabetical order,
until you press the spacebar key. This indicates that you have selected that word, and are ready to
enter the next word (if any).
9. Enter the following CLI commands.

config ?

show ?
Compare the list of valid next words for each one. Notice that there are some differences in the
CLI structure for each command, including show full-configuration.
config enters settings. show displays configuration differences from the firmwares default
settings only, unless you enter show full-configuration.
10. Enter the CLI commands to display the FortiGates port3 interface configuration. Compare the
output for each.
Only the characters shown in bold typeface must be typed. If you want to auto-complete each
word in the command (in order to verify that it is unambiguous, for example), press the Tab key
after the characters in bold.

show system interface port3

show full-configuration system interface port3

Note: Almost all commands can be abbreviated. In presentations and labs, many of the
commands that you see will be in abbreviated form.
Use this technique to reduce the number of keystrokes that are required to enter a
command. In this way, experts can often configure a FortiGate faster via CLI than GUI.
If there are other commands that start with the same characters, your abbreviation must
be long enough to be specific, so that FortiGate can distinguish them. Otherwise, the CLI
will display an error message about ambiguous commands.

FortiGate I Student Guide 21


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
Exercise 3 Restoring a Configuration from Backup
1. On the Win-Student server, open Firefox. Connect to the Student FortiGate's GUI, and log in as
admin.
http://10.0.1.254/

Note: All the lab exercises were fully tested running Mozilla Firefox in Win-Student
and Win-Remote servers. For this reason, and to get consistent results, we
recommend it as the browser to access the Internet and the FortiGate GUIs from this
virtual environment.

2. Go to System > Dashboard > Status. In the System Information row, click the Restore link.
A dialog should appear where you can select which configuration backup file to restore.
(If your lab started with blank FortiGate images whose IP address you needed to configure in
Exercise 1, then this FortiGate is not yet configured with the host name STUDENT as shown in
the image. This should appear after you upload a configuration in the next step.)

3. Click the button that enables you to select which backup file to restore. (The name of this button
varies by browser.)

Select the file named Resources\Introduction\student-initial.conf, then click Restore. This file is
the prerequisite configuration for the next lab.
After your browser uploads the configuration, the FortiGate will automatically reboot. The
length of the restoration process varies by how complex the configuration is. More complex

FortiGate I Student Guide 22


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
configurations take more time to parse and validate. Most configurations take FortiGate less than
1 minute to validate and then reboot.
4. Refresh the web page and log in again to the GUI on the Student FortiGate.
Go to System > Network > Interface and then Router > Static > Static Route. Verify that the
network interface settings and default route were restored.
5. Go to System > Network > DNS Server. Review the student and remote DNS zones.
In the Student DNS zone, verify the IPv4 Address (A) records for the student FortiGate device
(10.0.1.254) and the Windows server (10.0.1.10).
In the Remote DNS zone, check the IPv4 Address (A) records for the Remote FortiGate
device (10.200.3.1) and the Windows host (10.0.2.10).
By providing a DNS server to your management network, FortiGate enables you acces s these
devices in your lab by using a domain name instead of their IP address. To do this, the Windows
server should be configured to use the Student FortiGate's port3 IP address as its DNS server.
6. On the Windows server, open a command prompt. Use the following commands to verify the DNS
lookup results.

nslookup server.student.lab 10.0.1.254

nslookup fgt.student.lab 10.0.1.254

nslookup pc.remote.lab 10.0.1.254

nslookup fgt.remote.lab 10.0.1.254

Note: The parameters of the nslookup command are:

nslookup [-option] [hostname] [server]

7. Open a web browser. Go to these URLs to verify that you can use domain names to reach the
GUI of both the Student and Remote FortiGate:
http://fgt.student.lab
http://fgt.remote.lab

FortiGate I Student Guide 23


DO NOT REPRINT Introduction to Fortinet UTM Lab 1: Initial Setup and Configuration

FORTINET
Exercise 4 Making Configuration Backups
1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI:
https://fgt.student.lab
2. Go to System > Dashboard > Status. In the System Information widget, click the Back up link.

3. Select Encrypt configuration file, enter the password fortinet, then click the Back up button to
save the encrypted configuration file to the desktop with the filename student-initial-enc.conf.
(You may need to modify the web browsers settings to prompt you for the location to save files.
For Firefox, go to Tools > Options > General then select Always ask me where to save files.)

Caution: Always back up the configuration file before changing your device (even if the
change seems minor or unimportant). There is no undo. Restoring a backup will allow you to
quickly revert changes if you discover problems.
To distinguish between files from multiple FortiGates, use a naming convention such as their
host names.

4. In the System Information widget, click Restore. Select the file that you downloaded in the
previous step (student-initial-enc.conf), then click the Restore button.
Notice that this time, you must enter the password fortinet because this file is password-
encrypted.
5. Using Notepad or Notepad++, open the file student-initial.conf. In another instance of
Notepad, open the file student-initial-enc.conf and compare the details in both.

Note: In both the normal and encrypted configuration the top of the file acts as
a header, describing the firmware and model information this configuration
belongs to.

FortiGate I Student Guide 24


DO NOT REPRINT Introduction to Fortinet UTM Lab 2: Administrative Access

FORTINET
Lab 2: Administrative Access
In this lab, you will create and modify administrative access permissions.

Objectives
Create a new administrative user
Restrict administrative access

Time to Complete
Estimated: 10 minutes

FortiGate I Student Guide 25


DO NOT REPRINT Introduction to Fortinet UTM Lab 2: Administrative Access

FORTINET
Exercise 1 Administrators, Passwords, and Permissions
1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI:
https://fgt.student.lab
2. Go to System > Admin > Settings and select Enable Password Policy.
Configure these settings:

Minimum Length: 8

Must Contain: Enable


1 Upper Case Letter
1 Numerical Digit
Enable Password Expiration: Enable
90 days
Click Apply to save the changes.
3. Log out of the GUI.
4. Log in again.
Due to the password policy that you just configured, FortiGate should prompt you to enter a new
administrator password. Enter a new password that meets the requirements.
5. Go to System > Admin > Admin Profile. Create a new profile called Security_Admin_Profile. Set
Security Profile Configuration to Read-Write, but set all other permissions to Read Only.
Click OK to save the changes.
6. Go to System > Admin > Administrators. Click Create New to add a new administrator account
that is named Security_Admin.
In Admin Profile, select the profile created in the previous step. This limits that administrators
access. They will only able to modify and create security profiles.

Note: Administrator names and passwords are case-sensitive. You cannot include
characters such as < > ( ) # " in an administrator account name or password. Spaces are
allowed, but not as the first or last character. To enter spaces in a name or password via
the CLI, you must enclose each in straight quotes ( ' ).

Caution: For convenience in the lab, you will not set the password of the account named
admin. However, in real networks, you should always set administrator passwords, make
them strong, and change them often.

Click OK to save the changes.


7. Go to System > Dashboard > Status. In the CLI Console widget, to view the configuration for
administrator accounts and profiles, enter:

show system admin

show system accprofile

FortiGate I Student Guide 26


DO NOT REPRINT Introduction to Fortinet UTM Lab 2: Administrative Access

FORTINET
8. Log out of the admin account's GUI session.
9. Log in as Security_Admin with its password.
10. Test this administrators access: try to create or modify settings on the Student FortiGate that are
not allowed by that account's profile.
You should see that this account can only configure security profiles.

FortiGate I Student Guide 27


DO NOT REPRINT Introduction to Fortinet UTM Lab 2: Administrative Access

FORTINET
Exercise 2 Restricting Administrator Access
1. On the Win-Student server, open a browser and go to the Remote FortiGate's GUI:
http://fgt.remote.lab
Log in as the admin account (all lower case) with no password.
2. Go to System > Admin > Administrators. Edit the admin account and enable the setting Restrict
this Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24.
Click OK to save the changes.
3. Try connecting to the GUI of the Remote FortiGate again. What is the result this time?
Because you are connecting from the 10.200.1.1 address (because of NAT on the Student
FortiGate) you should notice that you can't connect any more since you restricted logins to specific
source IP addresses in Trusted Hosts.
4. Attempt to ping 10.200.3.1. You should notice that FortiGate also doesn't respond to ping
anymore. This is also blocked by the restriction on source IP.
5. Open the console of the Remote FortiGate device. Enter the following CLI commands to add
10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:

conf sys admin

edit admin

set trusthost2 10.200.0.0/16

end
6. Try to ping the Remote FortiGate and access its GUI again. Access should be restored.
7. Go to System > Dashboard > Status. In the System Information widget, in the Current
Administrator row, click the Details link.
The GUI should display a list of administrators currently logged in to the FortiGate.
8. By default, each source IP address can attempt to log in up to 3 times. If they fail 3 times, they are
locked out for 60 seconds.
To help improve the overall password security, use the CLI to decrease the maximum number of
attempts and increase the lockout timer:

config system global

set admin-lockout-threshold 2

set admin-lockout-duration 100

end

FortiGate I Student Guide 28


DO NOT REPRINT Logging & Monitoring Lab 1: Status Monitor and Event Log

FORTINET
Logging & Monitoring
Lab 1: Status Monitor and Event Log
In this lab, you will work with FortiGate's event log and monitoring.

Objectives
Enable logging of system events
Locate event logs for specific information

Time to Complete
Estimated: 10 minutes

FortiGate I Student Guide 29


DO NOT REPRINT Logging & Monitoring Lab 1: Status Monitor and Event Log

FORTINET
Exercise 1 Using the GUI's Status Monitor
1. On the Windows server, open a web browser. Go to the URL that is port3's IP address on the
FortiGate named Student, and log in as admin.
http://10.0.1.254/
2. Go to System > Dashboard > Status and locate the System Resources widget.
This widget provides a snapshot overview of the overall resource utilization on the FortiGate
3. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of
widgets available to add to the dashboard.

If not already added, click the Interface History widget from the pop-up window to add it to the
dashboard. (Depending on the screen resolution, the default Status dashboard will use a two-
column layout. In this case, the All Sessions widget cannot be added because it requires a one-
column layout.)
Close the widget list window. Widgets can be removed from the page simply by click the X in the
upper left corner of each one.
4. Hover the mouse over the title bar of the System Resources widget and click Edit to create a
custom widget.

Configure these settings:

Custom Widget Name: System Resource History

View Type: Historical

FortiGate I Student Guide 30


DO NOT REPRINT Logging & Monitoring Lab 1: Status Monitor and Event Log

FORTINET
Time Period: Last 60 minutes

A line chart appears in a new custom System Resource History widget showing a trace of CPU,
memory and sessions over the past hour.
The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
5. The Alert Message Console widget displays recent system events, such as system restart and
firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to view
the entire message list.

Note: If there are no alerts, you can reboot the FortiGate in order to see
one. To do this, connect to the CLI and use the command exec reboot.

6. At the top of the dashboard, click Dashboard and select Add Dashboard.

Enter any name of your choice for the new dashboard and select the single column display.

FortiGate I Student Guide 31


DO NOT REPRINT Logging & Monitoring Lab 1: Status Monitor and Event Log

FORTINET

The new dashboard will show up as a selectable menu option on the right hand side

7. Next add the All Sessions widget on your new dashboard. Click the edit icon in the title bar of the
All Sessions widget and observe the different ways in which sessions can be reported. For
example, by top Destination Address, top Applications etc. You can also select to display the top
sessions by Source and Destination interfaces. Create your own customized Top Sessions widget
and examine the sessions that are listed.
Some widgets are only allowed to appear on 1 dashboard at a time. For example, System
Information cannot be added to this new dashboard until the widget is removed from the Status
dashboard.
8. Test the functionality of the refresh, page forward, and page back icons in this window. You may
need to generate some additional traffic in order to properly test these functions.
9. Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.

FortiGate I Student Guide 32


DO NOT REPRINT Logging & Monitoring Lab 1: Status Monitor and Event Log

FORTINET
Exercise 2 Event Log & Logging Options
1. From the Student FortiGate CLI, check the overall status of the FortiGate:

get system status


2. Verify the Log hard disk status. If it is set to Available proceed to Step 3. If the status appears as
Need Format, enter the following command to format the drive.

execute formatlogdisk
When prompted to continue, type y and wait for the system to reboot.
Once the system has restarted, check the log disk settings by executing the following command:

config log disk setting

get
You should observe that the status is enabled.
3. Repeat the previous steps on the Remote FortiGate device.
4. Return to the Student FortiGate device and log out of the GUI. When logging back in, use an
incorrect password once and then use the correct password to log back in again.
Go to Log & Report > Event Log > System and examine the log to find the invalid password event.
5. Go to Policy & Objects > Objects > Address, and create a new firewall address using the following
settings:

Name: fortinet
Type: FQDN
FQDN: www.fortinet.com
Leave the remaining settings at their defaults and click OK to save the changes.
6. Next go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.

FortiGate I Student Guide 33


DO NOT REPRINT Logging & Monitoring Lab 1: Status Monitor and Event Log

FORTINET

Click Apply to save the changes.


Different types of log entries fall into different categories. Only enable logging for the activity(s)
that you need to monitor. This avoids filling the logs with information you do not need, and
consuming unnecessary system resources.
8. Go to Policy & Objects > Objects > Address and create another firewall address entry. Go to Log
& Report > Event Log > System and review the log entries again.
Note that the entries are no longer visible for this activity. With this option deselected in the Event
Logging settings, you will no longer see entries in the log for administrators logging on/off or
making changes to the units configuration. Other types of log entries will still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.
When changes are made to your firewall, it best to have a log event for that in case it is necessary
to find out when something was changed, and by whom.

FortiGate I Student Guide 34


DO NOT REPRINT Logging & Monitoring Lab 2: Remote Monitoring

FORTINET
Lab 2: Remote Monitoring
The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate
units behavior. It can be advantageous to use remote monitoring instead of local monitoring in order
to reduce resource usage. For example, while the GUI widgets provide useful displays of your system
information, they also carry a significant resource cost and should be used sparingly.

Objectives
Enabling monitoring by Syslog and SNMP servers

Time to Complete
Estimated: 10 minutes

FortiGate I Student Guide 35


DO NOT REPRINT Logging & Monitoring Lab 2: Remote Monitoring

FORTINET
Exercise 1 Remote Logging & SNMP Monitoring
The Linux server in your lab environment has been pre-configured to accept syslog messages.
1. From the CLI on the Student FortiGate, enter the following commands to set up logging to the
syslog server:

conf log syslogd setting

set status enable

set facility local6

set server 10.200.1.254

end
2. Repeat the above step from the CLI on the remote FortiGate device.
3. On the Win-Student server, open the putty.exe application. Open an SSH session to the Linux
server (10.200.1.254).

Log in as root and with the password password.


4. Run the following command to monitor the FortiGate syslog messages which are mapped to
their own file by the local6 facility.

tail f /var/log/fortinet
5. Leave the SSH window open and return to the student FortiGate device and generate some
log entries:

FortiGate I Student Guide 36


DO NOT REPRINT Logging & Monitoring Lab 2: Remote Monitoring

FORTINET
Attempt to log in with invalid credentials
Make a minor configuration change
6. From the GUI on the Student FortiGate, go System > Config > SNMP to enable SNMP monitoring.
Select Enable for the SNMP Agent at the top, then click Apply.

7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password
to fortinet. Set the Notification host to 10.200.1.254.

Click OK.
8. Go to System > Network > Interfaces and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first, then click OK to
save the changes.
9. Leave the SSH window open that is currently running the tail command and run putty again to
open a new SSH connection to the LINUX host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring options
that a device presents through SNMP:

snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1


A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make it easier to view the information available, you may also append >snmp.test to the
command entered above. This will save the output to a file named snmp.test. Enter the
command view snmp.test to view the output file.

FortiGate I Student Guide 37


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Firewall Policies
Lab 1: Firewall Policy

Objectives
Configure firewall policies configurable in FortiOS
Configure source match options available in FortiOS firewall policies
Apply different firewall object types of Address, Service and Schedule
Configure firewall policy logging options
Configure NAT
Configure Source NAT settings using Overload IP Pools
Configure Destination NAT settings using Virtual IPs
Configure firewall policies based on device types
Reorder firewall policies
Use CLI commands to review your configuration and perform status checks

Time to Complete
Estimated: 40 minutes

FortiGate I Student Guide 38


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Exercise 1 Creating Firewall Objects & Rules
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Firewall-Policies\Student\student-polic y.conf
FortiGate will reboot.
3. From the GUI on the Student FortiGate device, go to Policy & Objects > Objects > Addresses and
create the following address object:

Name: STUDENT_INTERNAL
Type: Subnet
Subnet/IP Range: 10.0.1.0/24
Interface: Any
Once the settings have been entered, click OK to save the changes.
4. Temporarily disable the unrestricted port3port1 policy. To do this, go to Policy & Objects >
Policy > IPv4, right-click the unrestricted port3port1 policy in its Status column, then mark the
Disable check box
5. Click Create New to add a new firewall policy to provide general Internet access from the internal
network. Configure these settings:

Incoming Interface: port3


Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH
(Hold down the CTRL-key to select multiple services.)
Action: ACCEPT
NAT: On
Use Outgoing Interface Address: Enabled
Log Options: Enable Log all Sessions and select Generate Logs
when Session Starts
Comments: General Internet access
When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, you
only need to create one firewall policy that matches the direction of the traffic that initiates the
session.
Once the policy settings have been entered, click OK to save the changes.

FortiGate I Student Guide 39


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
6. On the Windows server, open a web browser and connect to various external web sites.
7. On the Student FortiGate's GUI, go to Log & Report > Traffic Log > Forward Traffic and identify
the log entries for your Internet browsing traffic.
With the current settings you should have many 0 byte log messages with action start. These are
the session start logs.
When sessions close you will have a separate log entry for the amount of data sent and received
Logging session starts generates twice the amount of log messages. This option should only be
used when this level of detail is absolutely necessary.
8. From the CLI, enter the following command to see the source NAT action.

#get system session list


Sample output:

STUDENT # get sys session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION


DESTINATION-NAT

tcp 3600 10.0.1.10:3677 - 10.0.1.254:22 -

tcp 3587 10.0.1.10:3717 10.200.1.1:64133 72.30.38.140:80 -

tcp 3570 10.0.1.10:3681 10.200.1.1:64097 69.171.228.70:80 -

tcp 3577 10.0.1.10:3710 10.200.1.1:64126 74.125.228.92:80 -

tcp 3587 10.0.1.10:3708 10.200.1.1:64124 74.125.228.92:80 -

tcp 3587 10.0.1.10:3706 10.200.1.1:64122 66.94.245.1:80 -

tcp 2274 10.0.1.10:3608 10.200.1.1:64024 10.200.1.254:22 -

tcp 3587 10.0.1.10:3712 10.200.1.1:64128 80.239.217.66:80 -

tcp 3566 10.0.1.10:3679 10.200.1.1:64095 74.125.227.24:80 -


Note that FortiGate is applying a new source address: that of the destination interface port1
(10.200.1.1).

FortiGate I Student Guide 40


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Exercise 2 Policy Actions
1. Use the same steps you performed earlier to create a second firewall policy. Use Create New and
leave the policy in its default position. Configure these settings:

Incoming Interface: port3


Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: Click Create and configure the following:
Name: LINUX_E TH1
Type: Subnet
Subnet / IP Range: 10.200.1.254/32
Click OK.
Schedule: always
Service: PING (Tip: Type the name in the search box.)
Action: DENY
Log Violation Traffic: Enabled
Click OK to save the changes.
2. From the Windows server, open a command prompt. Ping the port1 gateway.

ping t 10.200.1.254
If you have not changed the rule ordering, the ping should still work because it matches the
ACCEPT policy and not the DENY policy that you just created. This demonstrates the behavior of
policy ordering. The second policy was never checked because the traffic matched the first policy.
Leave this window open and perform the next step.
3. Click the Seq.# for the DENY policy created previously and drag it up to position it before the
General Internet Access policy.
4. Return to the Windows server and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked and the replies appear as
Request timed out. Enter CTRL-C to end the ping command.
5. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic
and identify the log entries for your Ping traffic.
With the current settings you should have one entry for the Ping traffic which was allowed
followed by many 0 byte log messages for the violation traffic.
6. To stop your logs from filling up with 0 byte log messages, you may enable the following setting
from the CLI to create a session table entry for denied traffic and blocking packets belonging to
this session.

config system settings

set ses-denied-traffic enable

end

FortiGate I Student Guide 41


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
This setting will reduce the amount of logging entries c aused by the violation traffic. Notice how
the time between log entries increases.

FortiGate I Student Guide 42


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Exercise 3 Access through Virtual IPs
In this lab, you will configure a virtual IP address to allow Internet connections to the Windows server
located at 10.0.1.10.
1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > Virtual IPs. Click Create New
to add a new virtual IP mapping:

Name: VIP_INTERNAL_HOS T
External Interface: port1
Type: Static NAT
External IP Address/Range: 10.200.1.200 - 10.200.1.200
Mapped IP Address/Range: 10.0.1.10
Click OK to save the changes.
2. Create a new firewall policy to provide access to the web server. Configure these settings:

Incoming Interface: port1


Source Address: all
Outgoing Interface: port3
Destination Address: VIP_INTERNAL_HOS T
Schedule: always
Service: HTTP, HTTPS
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs
when Session Starts
Enable NAT: Disabled (default)
Comments: Public access to web server
Click OK to save the changes.
3. The firewall is stateful so any existing sessions will not use this new firewall policy until they time
out or are cleared. The sessions can be cleared individually from the session widget on the Status
page or from the CLI by executing the following:

diag sys session clear


4. Connect to the console of the remote host, open a web browser and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful a simple web page appears.

FortiGate I Student Guide 43


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
5. From the CLI on the Student FortiGate, check the destination NAT entries in the session table:

#get system session list


Sample output:

STUDENT # get sys session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION


DESTINATION-NAT

tcp 3537 10.200.3.1:62426 10.200.1.200:80 10.0.1.10:80


6. On the Windows server, open a web browser and connect to a few external web sites. Now return
to the CLI on the FortiGate named Student, and examine the session information again:

#get system session list


Sample output:

STUDENT # get sys session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION


DESTINATION-NAT

tcp 3591 10.0.1.10:3995 10.200.1.200:3995 66.94.241.1:80 -

tcp 3590 10.0.1.10:3977 10.200.1.200:3977 72.30.38.140:80 -

tcp 3553 10.0.1.10:3965 10.200.1.200:3965 184.150.187.83:80 -

tcp 3592 10.0.1.10:3998 10.200.1.200:3998 74.125.228.92:80 -

tcp 3584 10.0.1.10:3969 10.200.1.200:3969 69.171.237.16:80 -

tcp 3596 10.0.1.10:4001 10.200.1.200:4001 208.91.113.80:80 -

tcp 3590 10.0.1.10:3983 10.200.1.200:3983 216.115.100.102:80


-

tcp 3590 10.0.1.10:3979 10.200.1.200:3979 216.115.100.103:80


-

tcp 3590 10.0.1.10:3987 10.200.1.200:3987 216.115.100.102:80


-

tcp 3590 10.0.1.10:3981 10.200.1.200:3981


216.115.100.103:80 -

tcp 3590 10.0.1.10:3985 10.200.1.200:3985


216.115.100.102:80 -

tcp 1013 10.0.1.10:3608 10.200.1.1:64024 10.200.1.254:22 -

tcp 3589 10.0.1.10:3976 10.200.1.200:3976 72.30.38.140:80


-

FortiGate I Student Guide 44


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
tcp 3591 10.0.1.10:3996 10.200.1.200:3996 184.150.187.99:80 -

tcp 3554 10.0.1.10:3967 10.200.1.200:3967 74.125.228.65:80 -

tcp 3590 10.0.1.10:3990 10.200.1.200:3990 216.115.100.103:80


-

tcp 3591 10.0.1.10:3978 10.200.1.200:3978 216.115.100.103:80


-

tcp 3590 10.0.1.10:3980 10.200.1.200:3980 216.115.100.103:80


-
Note that the outgoing connections from the Windows server are now being NATed with the VIP
address as opposed to the firewall address. This is a behavior of the source NAT (SNAT) VIP.
That is, when you enable SNAT on a policy, a VIP static NAT takes priority over the destination
interface IP address.

FortiGate I Student Guide 45


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Exercise 4 Dynamic NAT with IP Pools
Currently, the Student FortiGate translates the source IP address of all traffic generated from the
Windows server 10.200.1.200 because of the source NAT translation in the VIP.
Now you will apply an IP address pool to change the behavior from static NAT to dynamic NAT.
1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > IP Pools. Create a new IP
pool:

Name: INTERNAL_HOS T_E XT_IP


Type Overload
External IP Range/Subnet: 10.200.1.100-10.200.1.100
Once the policy settings have been entered click OK to save the changes.
2. Go to Policy & Objects > Policy > IPv4, and right-click the port3 port1policy. Select Copy Policy,
then right-click the same policy again and select Paste Before.
3. Select the new copy of the General Internet Access policy and configure these settings:

Incoming Interface: port3


Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs
when Session Starts
Enable NAT: Enabled
Use Dynamic IP Pool: INTERNAL_HOS T_E XT_IP
Comments: Windows Server source NAT override
Click OK to save the changes. Verify that you have enabled it.
4. FortiGate does stateful inspection, so any existing sessions will not use this new firewall policy
until they time out or you manually clear the session table. You can do this either individually from
the session widget on the dashboard, or clear the entire list from the CLI:

diag sys session filter src 10.0.1.10

diag sys session clear


5. Connect to a few web sites such as http://yahoo.com/. From the CLI on the Student FortiGate,
verify the source NAT IP address that those sessions are using:

# get system session list

FortiGate I Student Guide 46


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Sample output:

STUDENT # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION


DESTINATION-NAT

tcp 3599 10.0.1.10:3963 10.200.1.100:64379 74.125.225.126:443


-

tcp 3599 10.0.1.10:3961 10.200.1.100:64377 74.125.225.111:443


-

tcp 3552 10.0.1.10:3953 10.200.1.100:64369 76.74.133.167:80 -

tcp 3597 10.0.1.10:3956 10.200.1.100:64372 74.125.225.118:80


-

tcp 3597 10.0.1.10:3954 10.200.1.100:64370 74.125.225.117:80


-

tcp 3598 10.0.1.10:3959 10.200.1.100:64375 199.7.57.72:80 -

tcp 16 10.0.1.10:3948 10.200.1.100:64364 66.36.238.121:22 -

tcp 3598 10.0.1.10:3958 10.200.1.100:64374 209.85.225.84:443


-

tcp 3599 10.0.1.10:3962 10.200.1.100:64378 74.125.225.99:443


-

tcp 0 10.0.1.10:3960 10.200.1.100:64376 98.139.200.238:80


-

tcp 3597 10.0.1.10:3955 10.200.1.100:64371 74.125.225.118:80


-
Notice that the source NAT address is now 10.200.1.100 as configured in the VIP pool, and the IP
pool has overridden the static NAT VIP.

FortiGate I Student Guide 47


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
Exercise 5 Device Identification
1. Disable all outgoing policies except for the General Internet Access policy.
2. From the Windows server, run a continuous ping to 10.200.1.254.
3. Edit the outgoing general Internet access policy. Select Source Device Type and choose a type
that will not match your Windows server, such as Linux PC. Click OK.
FortiGate will notify you that this action enables device identification on the source interface. Click
OK to accept this change.
Return to the continuous ping. You should observer this traffic is blocked. Try browsing the
Internet and confirm the firewall blocks this traffic.
4. Go to your Forward Traffic log. You should observer that there are no logging entries. This is
because the traffic matches the implicit deny policy and logging is not enabled by default.
Edit the implicit deny policy and enable log violation traffic. Return to the Forward Traffic log and
confirm there are logging entries for the denied traffic.
5. Edit the outgoing general Internet access policy and change the Source Device Type to Windows
PC to match your Windows server host.
Return to the continuous ping, started earlier. You should observer this traffic is allowed. Try
browsing the Internet and confirm that the firewall allows this traffic.
6. Go to User & Device > Device > Device Definition and review the details of your detected host
device.
This is a dynamic device list. FortiGate may update its list of devices and cache them to the flash
disk to speed up detection.

diag user device list


7. Clear the device from the CLI and then verify that it's removed:

diag user device clear

diag user device list


8. From the Windows server, visit a few web sites. This will generate traffic so that device
identification can detect the host. Usually, it will use the HTTP User-Agent: header.
9. Display the device list again, and look for the internal host.

diag user device list


10. Perform a show from the CLI to confirm there are no devices in the configuration file.

show user device


11. From the GUI, go to User & Device > Device > Device Definition. Edit your device from the
device list. Add an alias called myDevice. This creates a static device in the configuration file.
Click OK to save the change.
Perform the following show command to confirm that the device now appears in the
configuration file as a permanent device.

show user device

FortiGate I Student Guide 48


DO NOT REPRINT Firewall Policies Lab 1: Firewall Policy

FORTINET
12. Go to User & Device > Device > Device Group. Note that your device is already a member of
several predefined device groups.
Click Create New and add a new device group called myDevGroup.
Add myDevice to the Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the
custom group myDevGroup.
13. Return to the outgoing general internet access policy and configure it to use your permanent
device or static device group. Check that your traffic is unaffected by this change.

FortiGate I Student Guide 49


DO NOT REPRINT Firewall Authentication Lab 1: User Authentication

FORTINET
Firewall Authentication
Lab 1: User Authentication
In this lab, you will learn how to authenticate users with FortiGate.

Objectives
Create an authentication policy
Manage user authentication
Track user login events
Monitor active users
Enable the captive portal
Exempt some users from the captive portal

Time to Complete
Estimated: 20 minutes

FortiGate I Student Guide 50


DO NOT REPRINT Firewall Authentication Lab 1: User Authentication

FORTINET
Exercise 1 Authentication via a Firewall Policy
1. On the Win-Student computer, open the Windows CLI and type the following command

Use_External_DNS
You should see output similar to the following image.

2. Open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
http://10.0.1.254/
3. Restore the configuration file that is required by this lab:
Resources\Firewall-Authentication\Student\student-auth.conf
FortiGate will reboot.
4. Log in again. Review the user configuration for this lab.
Go to User & Device > User > User Definition to review the local user settings
Go to User & Device > User Group > User Groups to review the user group configuration. You
should see that there are 2 users (Student & Guest), 3 Groups (Guest-group, SSO_Guest_Users,
& training) and 2 firewall policies for port3 port1.
5. Go to the System > Network > DNS Server and delete the entry for port3.
6. Confirm that the user is properly configured by using the CLI command

diag test auth local training Student F0rtinet


The command should return a successful result if the proper configuration has been loaded.

Note: The second character in Fortinet (the password) is a number zero, and
not a letter O. Both the user name and password are case-sensitive.

7. On the Win-Student server, open a web browser and connect to a new web site.
You should observe that the website does not display and you receive a timeout.
8. Open a command prompt and try to ping a website by its domain name. For example:
http://www.hotmail.com/
You should find that the computer is unable to resolve the hostname to an IP address.
9. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Review the outgoing
port3 port1 firewall policy with authentication configured as Source User(s): training.
Add DNS as an allowed service and apply the change to that policy.

FortiGate I Student Guide 51


DO NOT REPRINT Firewall Authentication Lab 1: User Authentication

FORTINET
Return to the Windows command prompt and attempt to ping by name again. Now the behavior
should be that the hostname can be resolved via DNS, but the ping still times out because the
policy does not allow ICMP.

Note: FortiGate allows DNS to pass through the policy even though
authentication has not succeeded yet.

10. On the Win-Student server, open a web browser. Connect to a new web site.
At the login prompt, enter the following credentials:

Username: Student
Password: F0rtinet
You should observe that after successful authentication, FortiGate redirects your browser to the
web site that you requested.
11. On the Student FortiGate, go to User & Device > Monitor > Firewall to view the details of the
authenticated user along with some details about their IP address, how much traffic they have
sent, what method of authentication was used and so on.
If you right-click the columns at the top, you can find more information that can be added to the
display.
12. Go to System > Network > DNS Server. Add a new DNS service entry for port3 that is set to
Forward to System DNS.
13. On the Win-Student computer, open the Windows CLI and type the following command

Use_Internal_DNS
You should see output similar to this:

14. From the CLI, view the IP addresses and users which have successfully authenticated to the
FortiGate unit with the following command:

diag firewall auth list


Clear all authenticated sessions with the following command:

diag firewall auth clear

Caution: Be careful when using this command on a FortiGate in a real


network. It will clear all authenticated users.

FortiGate I Student Guide 52


DO NOT REPRINT Firewall Authentication Lab 1: User Authentication

FORTINET
Exercise 2 Captive Portals

Note: Verify that you are not authenticated through the FortiGate before you begin.
Use either the User Monitor in the GUI or the CLI command from the previous exercise
in order to de-authenticate.
1. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4.
Edit the second policy (which does not have authentication enabled and is slightly greyed out
currently) and enable it.
You can go into the policy select Enable this policy at the bottom and then apply the change, or
right click the Seq # and select Enable.
2. On the Windows desktop, open a web browser and connect to a new web site
You should observe that, unlike before, FortiGate doesn't ask you to authenticate. However, you
can still access the website even though the first policy has authentication enabled.
This illustrates the behavior of authentication and how it interacts with the Firewall polic ies. The
source for the first policy is your IP AND all users in the training group. You have not
authenticated yet, so your traffic does not match the source for that policy. The second policy will
match all IPs and has no authentication options enabled, so it matches your traffic and allows the
connection through.
Since FortiGate found a policy match with just the source IP, it does not force a login.
3. On the Student FortiGate's GUI, go to System > Network > Interfaces and edit the port 3 interface.
Set the Security Mode to Captive Portal and click OK to save the change
4. Open a web browser and connect to a new web site
FortiGate should prompt you to log in. Use the same credentials as the previous exercise.

Note: If you are not prompted to login, refer to step 1

5. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the first firewall policy.
Change the source to STUDENT_FALSE and the group to training.

Note: STUDNT_FALSE has the IP 10.0.1.100 so it does not match the IP of


the Win-Student computer.

6. On the Student FortiGate's GUI, go to User & Device > Monitor > Firewall. De-authenticate
your user session.

FortiGate I Student Guide 53


DO NOT REPRINT Firewall Authentication Lab 1: User Authentication

FORTINET
7. Open a web browser and connect to a new web site.
FortiGate should not prompt you to login, but show a disclaimer instead.
Look at the firewall policies in the CLI. You should find that the second policy with the captive
portal is suppressed.

config firewall policy

show

end
This means that even though port3 has captive portal enabled for all traffic that is behind it, any
traffic that matches the second firewall policy will not receive the captive portal to authenticate.

FortiGate I Student Guide 54


DO NOT REPRINT SSL VPN Lab 1: SSL VPN

FORTINET
SSL VPN
Lab 1: SSL VPN
In this lab, you will manage user groups and portals for the SSL VPN.

Objectives
Configure and connect to an SSL VPN
Enable authentication security
Configure a firewall policies for access to private network resources

Time to Complete
Estimated: 30 minutes

FortiGate I Student Guide 55


DO NOT REPRINT SSL VPN Lab 1: SSL VPN

FORTINET
Exercise 1 SSL VPN for Web Access
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\SSL-VPN\Student\student-ssl.conf.
FortiGate will reboot.
3. When the device has rebooted, review the SSL VPN configuration access for this lab. Go to Policy
& Objects > Policy > IPv4 and examine the ssl.rootport1 firewall policy.
4. Edit this policy to view its components. Configure these settings:

Incoming Interface: ssl.root


Source Address: all
Source User(s): Training_One
Outgoing Interface: Port1
5. Under VPN > SSL > Settings, review the authentication rules at the bottom. This allows all users
that authorized to login, access to the web-acess portal.

6. To observe the effect of this policy you will now access the SSL VPN. On the Win-Remote
computer, open a web browser and access the SSL VPN by browsing to:
https://10.200.1.1/
Accept the security warnings for the self-signed certificate and log in using the following
credentials:

Username: Student
Password: F0rtinet
You should notice that you are successfully able to log in, but the web portal is currently in
default settings. You will now configure the web-access portal which is selected in the SSL
VPN policy.
7. Log out and return to the Win-Student computer.
8. In the GUI of the Student FortiGate, go to VPN > SSL > Portals and select web-access and
Edit to modify the settings for this portal. Create the following bookmarks for the internal server.
First Bookmark:

FortiGate I Student Guide 56


DO NOT REPRINT SSL VPN Lab 1: SSL VPN

FORTINET
Category: Test
Name: Linux Website
Type: HTTP/HTTPS
URL: 10.200.1.254
Click OK.
Second Bookmark:

Category: Test
Name: Student Computer Website
Type: RDP
Host: 10.0.1.10
Click OK.
Click OK at the bottom of the page to save the bookmarks on this portal.
9. Test the SSL VPN access again from the Win-Remote computer by browsing to:
https://10.200.1.1
You should now observe that you have two bookmarks listed.
10. Select the Linux Website bookmark and examine the items listed below to understand how the
web access functions.

Note: Do not use the Student computer website yet. It will be tested in the next exercise.

Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.200.1.254/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway:
https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP proxy:

.../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy:

.../ 10.200.1.254/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection to
the final destination from the HTTP proxy is in clear text.
11. Return to the Win-Student computer and from the GUI on the Student FortiGate, go to VPN >
Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection.
Note the User, Source IP and Begin Time.
Log the user out by selecting their name and clicking Delete.

FortiGate I Student Guide 57


DO NOT REPRINT SSL VPN Lab 1: SSL VPN

FORTINET
Exercise 2 Testing Authentication
1. On the Win-Remote computer, open a web browser. Start the SSL VPN by going to:
https://10.200.1.1
When prompted, log in to the SSL VPN using the following credentials:

Username: Student2
Password: F0rtinet
You should receive a permission denied failure message.
2. Go to the CLI of the Student FortiGate. Locally test user authentication.

diag test auth local Training_Two Student2 F0rtinet


This user should successfully authenticate.
Together with the behavior you observed in the previous step, t his means that while FortiGate can
confirm the user and group information, that user is not authorized to login to the SSL VPN portal.
3. To allow those users to login, go to the firewall policies. Edit the ssl.rootport1 policy by adding
Training_Two as an additional source user group.

4. To observe the effect of these changes, access the SSL VPN again. Login with both the Student
and Student2 users.
What do you see when you login? You should see the same portal as in the previous exercise.
Why?
The portal mapping rules have all users accessing the web-access portal.
5. Under VPN > SSL > Settings create a new mapping for a user group and portal:

Users/Group: Training_Two
Portal full-access

After adding the mapping rule, click OK to go back to the settings page, then click APPLY to
save the changes.

FortiGate I Student Guide 58


DO NOT REPRINT SSL VPN Lab 1: SSL VPN

FORTINET
Note: If you click OK but do not click APPLY, then FortiGate will not save the changes
you make to the portal mapping rules.

6. Logout out of the SSL VPN portal (if you havent already) and login again. Be sure to use the
Student2 user credentials from step 1.
You should now observe that the portal established is the full-access portal, which has different
widgets and options enabled then the web-access portal.

FortiGate I Student Guide 59


DO NOT REPRINT SSL VPN Lab 1: SSL VPN

FORTINET
Exercise 3 Accessing Resources Beyond Different Interfaces
1. Log out of the SSL VPN portal (if you havent already) and login again as Student.
2. Now click the Student Computer Website bookmark, created in Exercise 1.
FortiGate should display an access error. Why?
All traffic generated by users of the SSL VPN on this FortiGate will originate from the ssl.root
interface. This includes both Web and Tunnel mode traffic. The host IP, 10.0.1.10, is behind port3
and there is no firewall policy that allows traffic ssl.rootport3.
3. Next go to Policy & Objects > Policy > IPv4 and create a firewall policy with the following settings:

Incoming Interface: ssl.root


Source Address: all
Source User(s): Training_One, Training_Two
Outgoing Interface: port3
Destination Address STUDENT_INTERNAL
Schedule always
Service ALL
Action Accept
4. Go back to the SSL VPN portal and select the Student Computer Website again.
FortiGate should now allow the web site to display because traffic is now allowed to pass from
ssl.root to port3.
5. Log out of the SSL VPN portal.
6. In your browser, go to:
http://10.0.1.10/
The connection should time out because there is no access from the Win-Remote computer to the
Win-Student computer.
7. Log into the SSL VPN portal again, this time as Student2.
Scroll down to the SSL VPN tunnel area. If you have not yet installed the SSL VPN adapter, a
message will appear. Click the link to download and install the adapter, then log in again. Three
buttons should now appear instead of the error message: Connect, Disconnect, and Refresh. Click
Connect.
8. In your browser, go again to:
http://10.0.1.10/
Now the connection should succeed, and the web page should display. This is because
FortiGate is now sending traffic through the SSL VPN tunnel, rather than sending it to the
default gateway.

FortiGate I Student Guide 60


DO NOT REPRINT Basic IPsec VPN Lab 1: IPsec VPN

FORTINET
Basic IPsec VPN
Lab 1: IPsec VPN
In this lab, you will configure an IPsec VPN on the FortiGate using both interface-based and policy-
based modes.

Objectives
Demonstrate the differences between interface and policy -based VPNs
Explain IPsec VPN configuration options

Time to Complete
Estimated: 30 minutes

FortiGate I Student Guide 61


DO NOT REPRINT Basic IPsec VPN Lab 1: IPsec VPN

FORTINET
Exercise 1 Site-to-Site IPsec VPN
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Basic-IPsec-VPN\Student\student-ipsec.conf.
The Student FortiGate will reboot.
3. Go to the GUI for the FortiGate named Remote, and log in as admin.
http://10.200.3.1/
4. Restore the configuration file that is required by this lab:
Resources\Basic-IPsec-VPN\Remote\remote-ipsec.conf.
The Remote FortiGate will reboot.
5. When the Student FortiGate has rebooted, on the Windows server, open a command prompt. Run
a continuous ping to the Win-Remote computer:

ping -t 10.0.2.10
6. From the GUI on the Student FortiGate, go to VPN > Monitor > IPsec Monitor and examine the
tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and the status is
currently up. This is the tunnel that the Student FortiGate established with the Remote FortiGate.
7. Review the firewall policy port3 remote. View the Count column so that you can see the
packets and bytes per policy.
Observe that the counter is incrementing for the port3remote policy.
What is the interface remote?
Go to System > Network > Interfaces and note the plus (+) associated with port1. If you expand
this, you will be able to see the remote interface and the type for this interface which is set to
Tunnel Interface.
8. Go to VPN > IPsec > Tunnels. Select the remote tunnel, then click edit to review the IPsec
configuration. You can click on Edit next to each section to review the details and make
configuration changes. Click the check mark to save your changes or the X to discard your
changes.
9. Go to Router > Monitor > Routing Monitor and view the current routing table. You will observe
a static route to the destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy -based
VPN which we will review next.
Usually, route-based VPNs are preferred, but there are a few exceptions where you would
need to use a policy-based VPN. These will be discussed later.
10. Open a web browser on the Windows server. Connect to the GUI on the Remote FortiGate
device.
11. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote

FortiGate I Student Guide 62


DO NOT REPRINT Basic IPsec VPN Lab 1: IPsec VPN

FORTINET
FortiGate device. You should observe a tunnel named student with the destination 10.200.1.1
and the Status is up.
This is the tunnel that this FortiGate established with the Student FortiGate.
12. Go to System > Network > Interface. Notice there is no tunnel sub-interface for port4.
13. Go to Router > Monitor > Routing Monitor and view the current routing table. Notice that there is
no specific route for 10.0.2.0/24; there is only a default route.
How is the traffic entering the tunnel then?
14. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy
from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTE RNA L) to address 10.0.1.0/24
(STUDENT INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to
allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate, a static route was sending traffic to the IPsec virtual interface. Here
there is no static route. Instead, the policy setting is sending traffic to the VPN.
The IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it the tunnel
named student.
15. On the Remote FortiGate's GUI, go to VPN > IPsec > Tunnels. Select the student tunnel, then
click edit to review the IPsec configuration. You can click on Edit next to each section to review the
details and make configuration changes. Click the check mark to save your changes or the X to
discard your changes.
16. Edit the Phase1 IKE object remote and select Advanced to view all the settings. Note that IPsec
Interface Mode is not selected.
The Phase1 IKE object is the IPsec tunnel referenced in the IPsec firewall policy. Here we are
using policy-based on the Remote FortiGate device and interface-based on the Student FortiGate
device. The type we use is of local significance therefore we can mix them, as is the case in this
example.
17. From the Win-Remote desktop, attempt to run a continuous ping to 10.0.1.10.
You should observe this ping fails. Can you identify why?
If the VPN is in tunnel mode, then FortiGate uses only 1 firewall policy to allow both incoming and
outgoing traffic. But if the policy is in interface mode, then you must have 2 separate VPN firewall
policies: one to allow inbound, and one to allow outbound communication.
On the Student FortiGate, we have only configured the outgoing policy. The VPN is in interface
mode. So FortiGate drops the new incoming connection: there is no firewall policy to allow it.
18. Return to the Student FortiGate. Add the missing firewall policy that allows traffic to travel in
the opposite direction.
You should observe that the ping now succeeds.

FortiGate I Student Guide 63


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET
Explicit Web Proxy
Lab 1: Explicit Web Proxy
In this lab, you will learn how to configure FortiGate to be an explicit web proxy.

Objectives
Configure a FortiGate as an explicit web proxy
Use a PAC file to configure the Internet browser to use the web proxy
Exempt some servers from the proxy
Display the list of current web proxy users

Time to Complete
Estimated: 30 minutes

FortiGate I Student Guide 64


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET
Exercise 1 Configuring the Explicit Web Proxy
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Explicit-Web-Proxy\Student\student-wp.conf
3. Go to System > Dashboard > Status. In the Features widget, enable Explicit Proxy. Click Apply.
4. Go to System > Network > Explicit Proxy and enable HTTP / HTTPS web proxy.
5. Go to System > Network > Interfaces and edit port3. Enable the option Enable Explicit Web Proxy.
Click OK.
6. Go to Policy & Objects > Policy > Explicit Proxy. Click Create New. Add this explicit proxy policy:

Explicit Proxy Type Web


Source Address STUDENT_INTERNAL
Outgoing Interface port1
Destination Address all
Action AUTHENTICA TE
Add this authentication rule:

Source User(s) Student


Schedule always
Click OK to save it.
7. Open Mozilla Firefox. Click the Open menu icon on the top right corner. Select Options:

8. Go to the Advanced > Network tab and click Settings:

FortiGate I Student Guide 65


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET

9. Select manual proxy configuration and enter:

HTTP Proxy 10.0.1.254


Port 8080
Enable the option Use this proxy server for all protocols.
Additionally, add the subnet 10.0.1.0/24 to the No Proxy for list. This list contains the names, IP
addresses and subnet of web sites that will be exempted from using the proxy:

Click OK.

FortiGate I Student Guide 66


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET
10. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:

User Name Student


Password F0rtinet
After that, you should have Internet access through the explicit web proxy.

Note: The second character in Fortinet (the password) is a zero 0, and not a letter.
Both the username and password are always case sensitive.

11. While browsing different web sites, type the following CLI command to check t he list of active web
proxy users:

# diagnose wad user list


You can also check this list from the GUI, by going to User & Device > Monitor > Firewall.
12. Type these CLI commands to list some web proxy sessions:

diagnose sys session filter clear

diagnose sys session filter dport 8080

diagnose sys session list


You can also use the grep command to display only the source and destination IP addresses and
ports for each session:

diagnose sys session list | grep hook=pre


Why is the source IP address of all those sessions 10.0.1.10?
Why is the destination IP address of all those sessions 10.0.1.254?
Why dont we see any public IP address listed in those sessions?
13. While browsing a HTTP site, type these other commands to list another set of proxy sessions:

diagnose sys session filter clear

diagnose sys session filter dport 80

diagnose sys session list | grep hook=out


Why is the source IP address of all these sessions 10.200.1.1?
Why dont we see the IP address of Windows server (10.0.1.10)?
In the case of explicit web proxy, for each connection to a web site, two sessions are created
with the FortiGate: one from the client to the proxy, and another one from the proxy to the
server.

FortiGate I Student Guide 67


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET
Exercise 2 Using a PAC File
1. Log in to the Student FortiGate's GUI.
2. Go to System > Network > Explicit Proxy. Enable the option PAC, then click the pencil icon to edit
the PAC file:

Select the file proxy.pac in the folder Resources\Explicit-Web-Proxy. Click Import, then Apply.
3. Click the pencil icon again to look at the imported PAC file:

Click Apply to save all the changes in the explicit proxy configuration.

Note: The second line in the PAC file specifies that the browser will not use a proxy to
reach the servers in the subnet 10.0.0.0/8. The next line configures the browser to use
the FortiGate proxy for any other subnet or URL.

FortiGate I Student Guide 68


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET
4. Open Mozilla Firefox options again. Select the Advanced > Network tab and click Settings.
Select the option Automatic proxy configuration URL then type:

http://10.0.1.254:8080/proxy.pac

Click OK.
5. Close Firefox and open it again. Try to browse any web site in the Internet. The traffic will go
through the FortiGate proxy. If FortiGate asks you to authenticate, use the same Student account.
6. Connect now a web site in the network 10.0.0.0/8. The browser will not use the proxy and will
send the HTTP request directly to the server. Try with this server:
http://10.200.1.254
It is not working. There is something missing in the FortiGate configuration. Do you know what it
is?
7. Go to Policy & Objects > Policy > IPv4 add the following firewall policy:

Incoming Interface port3


Source Address STUDENT_INTERNAL
Outgoing Interface port1
Destination Address All
Schedule Always
Service ALL
Action ACCEPT
NAT Enabled

FortiGate I Student Guide 69


DO NOT REPRINT Explicit Web Proxy Lab 1: Explicit Web Proxy

FORTINET
8. Try to access http://10.200.1.254 one more time. It should work now.
9. To finish the lab exercise, disable the proxy in Mozilla. Go to Options one more time, select
Advanced > Network , click Settings, and select No proxy.

Click OK to save the change.

FortiGate I Student Guide 70


DO NOT REPRINT Antivirus Lab 1: Antivirus Scanning

FORTINET
Antivirus
Lab 1: Antivirus Scanning
In this lab, you will work with both flow-based and proxy-based antivirus scanning.

Objectives
Configure flow-based and proxy-based antivirus scanning
Understand FortiGate antivirus scanning behavior
Scan multiple protocols
Insert replacement messages in multiple protocols

Time to Complete
Estimated: 30 minutes

FortiGate I Student Guide 71


DO NOT REPRINT Antivirus Lab 1: Antivirus Scanning

FORTINET
Exercise 1 Antivirus & Block pages
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Antivirus\Student\student-av.conf
FortiGate will reboot.
3. When the FortiGate has rebooted, go to Policy& Objects > Policy > IPv4 and edit the port3port1
policy.
Notice that an antivirus profile, Protocol Options and SSL/SSH Inspection are selected. You
cannot disable those last 2 profiles, only change them.
4. Go to Security Policies > AntiVirus. Examine the antivirus profile that is referenced by the firewall
policy (default). This profile defines the behavior for virus scanning on the traffic that matches
policies using that profile.
Verify that the inspection mode is Proxy, to block viruses, and that HTTP scanning is enabled.
5. Verify the proxy options. This profile determines how FortiGates proxies pick up protocols. Go to
Policy & Objects > Policy > Proxy Options. The HTTP listening port should be set to port 80
6. Configure the SSL/SSH profile referenced by the firewall policy. This profile determines how
encrypted traffic, like HTTPS will be handled. Go to Policy & Objects > Policy > SSL/SSH
Inspection, and edit the profile named default.
Configure the profile to inspect certificate details by selecting Full SSL Inspection.
7. Go to System > Config > Replacement Message. From the top right-hand corner select Extended
View and under Security modify the Virus Block Page.
The HTML editor that is displayed allows you to see the changes as you are making them. If you
do not want to use the standard block pages, you can modify them.
Click Save shown above the editor window to apply any changes.
8. From the virtual WIN-Student host, launch a web browser and access the following web site:
http://eicar.org
9. On the EICAR web page, click Download ANTI MALWARE TESTFILE (located in the top right-
hand corner of the page) and then click the Download link that appears on the left.
Download the any of the EICAR sample files from the section Download area using the standard
HTTP protocol.
FortiGate should block the download attempt, and instead insert a replacement message
similar to the following (should also include any customization you made earlier):

FortiGate I Student Guide 72


DO NOT REPRINT Antivirus Lab 1: Antivirus Scanning

FORTINET

The EICAR file is an industry-standard used to test antivirus detection with an undamaging test
file. The file contains the following characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
10. FortiGate shows the HTTP virus message when it blocks or quarantines infected files. In the
message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information
about the detected virus.
11. From the GUI on Student FortiGate, go to Log & Report > Traffic Log > Forward Traffic and locate
the antivirus event messages.
In order to view summary information of the antivirus activity, add the Advanced Threat Protection
Statistics widget to the dashboard.
12. On the EICAR web page, click Download ANTI MALWARE TESTFILE and then click the
Download link that appears on the left. This time, select the eicar.com file from the Download area
using the secure SSL enabled protocol HTTPS section.
Your download should succeed. FortiGate should not block the file, because we have not enabled
full SSL inspection.
13. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy &
Objects > Policy > SSL/SSH Inspection, edit the default profile, set the Inspection Mode to Full
SSL Inspection and make sure that HTTPS is enabled and set to port 443.
Click Apply.
14. To ensure that there are no existing sessions prior to deep scanning the communication
exchange, connect to the CLI of the Student FortiGate and enter the following command:

diag sys session filter dport 443

diag sys session clear


This will clear out all the HTTPS(port 443) sessions on the firewall, in case the webserver did not
properly close down the communications.
15. Return to the EICAR web page and attempt to download the eicar.com file from the Download
area using the secure SSL enabled protocol HTTPS section.
This time, FortiGate should block the download and replace it with a message. If it doesn't, you
may need to clear your cache. In Firefox, select History > Clear Recent History > Everything.
16. In order to see the block page you will need to allow the certificate warning. Encrypted
protocols are designed to prevent eavesdropping.

FortiGate I Student Guide 73


DO NOT REPRINT Antivirus Lab 1: Antivirus Scanning

FORTINET
Exercise 2 Flow vs Proxy scanning
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Edit the default Antivirus profile, and set the inspection mode to Flow,
3. On the Win-Student computer, open the FileZilla FTP client software.
4. Connect to 10.200.1.254. Leave the username and password blank to use anonymous FTP.
5. On the Remote side, open the pub folder and download the file named eicar.com.
The client should display an error message that the server aborted the connection.

6. On the GUI of the Student FortiGate, locate the logs for the detection of this file.
With Flow based virus scanning, data from the file has already been sent to the client so no
immediate block message/page may be possible, depending on the protocol being scanned.

FortiGate I Student Guide 74


DO NOT REPRINT Web Filtering Lab 1: Web Filtering

FORTINET
Web Filtering
Lab 1: Web Filtering
In this lab, you will configure web filtering to block specific categories of content. The interaction of
local categories and overrides will also be demonstrated.

Lab Objectives
Enable and use web filtering on a FortiGate device
Troubleshoot and configure FortiGuard Category filtering
Read and interpret web filter log entries
Work with proxy and flow-based web filtering
Monitor blocked categories
Work with and configure Web Rating Overrides
Configure Web Profile Overrides

Time to Complete
Estimated: 30 minutes

FortiGate I Student Guide 75


DO NOT REPRINT Web Filtering Lab 1: Web Filtering

FORTINET
Exercise 1 FortiGuard Web Filtering
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Web-Filtering\Student\student-wf.conf.
FortiGate will reboot.
2. When the FortiGate device has rebooted go to System > Status and under License information
check the FortiGuard Services Web Filtering status to ensure that the license has been validated.
A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter and review the
settings of the default web filter profile.
Verify that the Inspection Mode is set to Proxy.
Under FortiGuard Categories right-click and expand the web category Potentially Liable. The
category and all the sub categories inside should have the action set to Authenticate.
Expand Adult/Mature Content. You should find that Other Adult Material and Pornography are
blocked while all other sub-categories are set to Monitor.
Expand Bandwidth Consuming. The category and all sub categories inside should have the action
set to Warning.
Expand Security Risk . The category and all sub categories inside should have the action set to
Block .
All of the General Interest categories and sub-categories should be set to Monitor.
4. Go to Policy & Objects > Policy > IPv4 and edit the outing port3port1 policy.
In addition to a web filter profile, Proxy options and SSL/SSH Inspection profile have also been
enabled.
Review the settings in the assigned Proxy options and SSL/SSH Profiles.
5. From the CLI on the Student FortiGate device, check the low-level status information of the web
filtering service by entering the following command:

diag debug rating


The command diag debug rating shows the list of FDS servers for web filtering that the
FortiGate is using to send requests. FortiGate normally sends rating requests to the server on the
top of the list. Each server is probed for RTT every 2 minutes.

Note: Your lab environment uses a FortiManager as a local FDS server. It contains a
local copy of the FDS web rating database. The FortiGate devices have been
configured to send the rating requests to the FortiManager instead of the public FDS
servers. For this reason, the output of the above command lists only the FortiManager
IP address.

6. On the Win-Student computer, open a web browser, and go to:


http://www.bing.com

FortiGate I Student Guide 76


DO NOT REPRINT Web Filtering Lab 1: Web Filtering

FORTINET
You should receive a block page.

7. Verify that the rating of the website www.bing.com is NOT pornography by going to the URL
http://www.fortiguard.com/static/webfiltering.html and checking.
You will find that Bing is not rated as pornography and that the category it belongs to has a
monitor action rather than block.
8. From the CLI on the Student FortiGate, examine the FortiGate's behavior:

diag debug application url 255

diag debug enable


Access the website www.bing.com again. The diagnostic output will indicates that the URL
matches a local rating.
9. In the GUI on the Student FortiGate device, go to Security Profiles > Advanced > Web Rating
override
You will find and entry for www.bing.com which assigned the category of Pornography.
10. Go to Security Profiles > Advanced > Web Rating Overrides. Edit the Rating override for
www.bing.com and set the category to Potentially Liable and the sub-category to Proxy
Avoidance.
11. Access the website http://www.bing.com again
This time, the block page will give you the option to Proceed. Click Proceed and enter the
following user credentials

User: Student
Password: F0rtinet

Note: If you receive a certificate warning, be sure to allow it.

FortiGate I Student Guide 77


DO NOT REPRINT Web Filtering Lab 1: Web Filtering

FORTINET
12. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter.
If you do not see the Security Log menu, log out and then log in again to start a new GUI session.
If you examine the actions taken in the logs you will find that initially a Block action shows up.
However, more recent logs show a different action.
13. Go to Security Profiles > Web Filter. Edit the web filter profile and select Flow-based. A
notification is displayed as follows:

Click OK on this pop-up and then click Apply at the bottom of the profile.
14. Test the behavior of the flow based inspection by connecting to www.bing.com again.
15. Go to Security Profiles > Advanced > Web Rating override and delete the entry for:
http://www.bing.com
Access www.bing.com again.
16. In the GUI on the Student FortiGate device, go to Security profiles > Monitor > Web Monitor.
Review the output. You can click on the charts in order to get additional information on what is
being displayed.

FortiGate I Student Guide 78


DO NOT REPRINT Web Filtering Lab 1: Web Filtering

FORTINET
Note: If you do not see the Monitor menu, then it is hidden. You can enable it via the CLI:

config system global

set gui-utm-monitors enable

end
Log out, then log in again for the Monitor menu to appear. It will not appear for existing GUI
sessions.

FortiGate I Student Guide 79


DO NOT REPRINT Web Filtering Lab 1: Web Filtering

FORTINET
Exercise 2 Web Profile Overrides
1. On the Win-Student computer, open a new browser windows and visit:
www.youtube.com
FortiGate should block this.
2. In the GUI on the Student FortiGate, go to Security Profiles > Web Filter
Set the inspection mode to Proxy.
3. Enable Allow block ed Override and configure the following options
Apply to Group(s): Override_Permissions
Assign to Profile: monitor_all
Scope: IP
Duration Mode: Constant
Duration: 0 days, 0 hours, 15 minutes
Click Apply to save the changes
4. Visit the website www.youtube.com again. You will find that at the bottom of the page there is an
override link.

5. Click Override and enter the following user credentials


User: Student2
Password: F0rtinet
FortiGate should now allow you to access the web site.
6. In the GUI on the Student FortiGate device, go to Log & Report > Security Logs > Web Filter
Compare the current pass-through entries for YouTube with the older block entries.
Notice that the web profile that is reported as being used is different.

FortiGate I Student Guide 80


DO NOT REPRINT Application Control Lab 1: Application Identification

FORTINET
Application Control
Lab 1: Application Identification
In this lab, you will use the application control feature to properly identify an application.

Objectives
Configure Application Control in the student lab environment
Read and understand application control logs
Enable and Monitor traffic shaping through Application Control
Use Application control to Fine tune Internet Access

Time to Complete
Estimated: 30 minutes

FortiGate I Student Guide 81


DO NOT REPRINT Application Control Lab 1: Application Identification

FORTINET
Exercise 1 Creating an Application Control List
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student,
and log in as admin.
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Application-Control\Student\student-app.conf
FortiGate will reboot.
3. Log in again. Go to Security Profiles > Application Control. Review the default application control
sensor. (Verify that you are selecting the sensor named default.)
On the Edit Application Sensor page, check the settings for the following rules:

Application Signature MySpace


Category Social.Media
The action for this should show as being Block .
4. Go to Policy & Objects > Policy > IPv4 and edit the port3port1 policy. Verify that Application
Control is turned on and that the default application control sensor is selected.
5. Enable the Security Profiles monitors:

config sys global

set gui-utm-monitor enable

end
Go to http://www/.youtube.com. On the YouTube web site, try to play a video.
While the video is playing, go the GUI of the FortiGate and check the application monitor in
Security Profiles > Monitor > Application Monitor. If your browser does not show the application
monitor, you may need to refresh the page or log in to the FortiGate again.
6. On the Win-Student computer, open a new web browser window. Go to http://www.myspace.com/.
You should observe that you cannot connect to this site. It times out.
7. Go to Security Profiles > Application Control. Edit the default sensor again. At the bottom of the
profile, enable Replacement messages for HTTP-based application.
8. Go to the MySpace web site again. Now FortiGate should display a block message.
9. Go to Log & Report > Traffic Log > Forward Traffic and view the log information to confirm that
this action was correctly logged.
10. From the web browser, try to go to:
http://proxite.us
On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click
Go.
You should observe FortiGate does allow some connectivity to the site. How can you stop this?
Create a new rule in the sensor to block the Proxy category.

FortiGate I Student Guide 82


DO NOT REPRINT Application Control Lab 1: Application Identification

FORTINET
Exercise 2 Limiting YouTube Traffic
1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > Traffic Shapers and look at the
YouTube_Shaper traffic shaper.
Look closely at the maximum amount of allowed bandwidth.
2. Go to Security Profiles > Application Control. Edit the default profile.
Add an Application Override for Youtube, set the action to Traffic Shaping and have it use
YouTube_Shaper.
3. Clear the web browser cache and re-open it. Connect to the YouTube web site again and stream
the same video that you did before.
This will probably result in much different experience.

Note: If your classroom is using a virtual lab, the underlying hardware is shared, and
so the amount of available bandwidth for Internet access varies by usage by other
simultaneous use. The traffic shaper is set to a very low value in order to make sure
that the difference in behavior is easily noticeable. In real networks, this setting
would be greater.

4. Check the traffic shaper monitor in Policy & Objects > Monitor > Traffic Shaper Monitor. In the
upper right corn, change Report by to Current Bandwidth.

Note: Monitor statistics are current as of the time that you requested the GUI page, so
make sure to view them while a video is downloading. The page does not constantly
refresh, so in order to do this, click Refresh in the upper right.

FortiGate I Student Guide 83


DO NOT REPRINT Application Control Lab 1: Application Identification

FORTINET
Exercise 3 Fine Tuning Web Site Access
1. On the Win-Student computer, open a browser window. Go to:
http://translate.google.com
2. Go to Security Profiles > Application Control . Edit the default profile.
Add an application override for Google.Translate. Set the action to Reset.

3. Refresh the Google Translate page. FortiGate should insert a replacement message from
application control about the application being blocked.
4. Go to Security Profiles > Application Control . Edit the default profile.
Disable replacement messages for HTTP-based applications, then click OK.
5. Refresh the Google Translate page. The browser should display an error message, telling you that
the connection was reset.

Note: Depending on which browser you use for the test, the wording and nature of the
error will vary. If you do not receive a connection reset message, clear the browser's
cache and on FortiGate, use the CLI command:

diag sys session clear

6. Open a browser window. Go to:


http://www.myspace.com
Since there is no longer an HTTP-based block message enabled, the 2 signatures will behave
differently based on the configured action.
7. Go to Security Profiles > Application Control. Edit the default profile.
Enable replacement messages for HTTP-based applications, then click OK.
8. Refresh both websites. This time, the browser should display a block message.
9. Access Google Translate over HTTPS:
https://translate.google.com
This connection should succeed. In order for this signature to detect access over encrypted
communications (HTTPS), SSL inspection must be enabled.

FortiGate I Student Guide 84


DO NOT REPRINT Appendix A: Additional Resources

FORTINET
Appendix A: Additional Resources

Training Services http://training.fortinet.com

Technical Documentation http://help.fortinet.com

Knowledge Base http://kb.fortinet.com

Forums https://support.fortinet.com/forum

Customer Service & Support https://support.fortinet.com

FortiGuard Threat Research & Response http://www.fortiguard.com

FortiGate I Student Guide 85


DO NOT REPRINT Appendix B: Presentation Slides

FORTINET
Appendix B: Presentation Slides

FortiGate I Student Guide 86


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

In this lesson, we will show FortiGate administration basics. This includes how and where FortiGate
fits into your existing network architecture.

FortiGate I Student Guide 87


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

After completing this lesson, you should have these practical skills in FortiGate administration
fundamentals, such as how to log in, make administrator accounts, do basic network settings, and how
to use your FortiGates GUI or CLI.

Youll also be able to set up FortiGate to act as your local networks DNS or DHCP server.

Lab exercises can help you to test and reinforce your skills.

FortiGate I Student Guide 88


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

(slide contains animation)


A FortiGate is a Unified Threat Management device, but what exactly does this mean? Well, if we look
at a typical network security solution, multiple single-purpose devices are used. Each performs a specific
task. There is:
(click)
One device acting as the firewall
Another device that scans for viruses
Another device filtering email
One device to optimize WAN usage
Another device to filter web sites
One device for application control
One device for intrusion prevention
Another device to provide VPN access

That is a lot of different devices. Most likely, they all have different vendors. All of this can introduce
unwanted complexity, and many potential points of failure.

FortiGate I Student Guide 89


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

So how is FortiGate different?

FortiGate provides a comprehensive approach to security. It even includes some basic accessory
network services such as authentication and DHCP. All this and more is combined into a single device.
That way, you can reconfigure your network and security deployment by simply accessing one device.
Cabling and interfaces between 10 devices? Gone. And its all from a single vendor. Per-module
licensing? Gone.

If youre familiar with Cisco ASA, you may even expect multiple management interfaces. This, too, is
simpler on FortiGate. Regardless of whether you are building a VPN or applying antivirus, you can
configure it all from one unified GUI or CLI.

How can FortiGate do so many things? Shouldnt separate functions be divided among different devices
for performance reasons?

In some cases, yes. High load of one specific workload may be worth a dedicated device. And Fortinet
offers several. But now you have the choice you can specialize if your network requires it.

FortiGate I Student Guide 90


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

In this architecture diagram, you can see how FortiGate UTM platforms add strength without
compromising on flexibility they are still internally modular. Plus:

Devices add duplication. Sometimes, dedication doesnt mean efficiency. If its overloaded, can 1
device borrow free RAM on 9 others? Do you want to configure policies, logging, and routing on 10
separate devices? Does 10 times the duplication bring you 10 times the benefit? Or is it a hassle?
FortiGate hardware isnt just off-the-shelf. Its carrier-grade. Underneath, most FortiGate models
have 1 or more specialized circuits called ASICs that are engineered by Fortinet. For example, a CP
or NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-
purpose device with only a CPU, FortiGate can have dramatically better performance.
(The exception? Virtualization platforms VMware, Citrix Xen, Microsoft, or Oracle Virtual Box have
general-purpose vCPUs. But virtualization might be worthwhile due to other benefits, such as
distributed computing and cloud-based security.)
FortiGate is flexible. If all you need is firewalling and antivirus, FortiGate wont require you to waste
CPU, RAM, and electricity on others. In each firewall policy, UTM modules can be enabled or
disabled. You wont pay more to add VPN seat licenses later, either. What requires a subscription?
Only FortiGuard subscription services.

FortiGate I Student Guide 91


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

FortiGuard subscription services give your FortiGate access to 24 x7 security updates powered by
Fortinets researchers. Your FortiGate uses FortiGuard in 2 ways:

By periodically requesting packages that contain a new engine and many signatures, or
By querying the FDN on an individual URL or host name

Queries are real-time that is, FortiGate asks the FDN every time it scans for spam or filtered web sites.
Also, queries use UDP for transport they are connectionless and the protocol is not designed for fault
tolerance, but speed. So they require that your FortiGate have a reliable Internet connection.

Downloaded packages like antivirus and IPS, however, arent that frequent. They use TCP for reliable
transport. And their associated FortiGate features continue to function even if FortiGate does not have
reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your
FortiGate must try repeatedly to download updates, it cant detect new threats during that time.

FortiGate I Student Guide 92


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

So now weve seen a simplified overview of the software architecture. What about the network
architecture? Where does FortiGate fit in?

When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or
transparent.

In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical network
interfaces have an IP address.
In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So except for the
management interface, its interfaces have no IP address.

Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however.
Well show these later.

FortiGate I Student Guide 93


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should
you choose?

NAT mode is the most common choice. In NAT mode, the destination address is the FortiGates
address. Typically FortiGate will rewrite the destination address, and/or port number and source
address in the IP network layer, into the servers private network address before forwarding the packet
in other words, it will apply NAT and port forwarding. Depending on your presentation and application
layer protocols, it might also:
Terminate SSL or TLS sessions so back-end servers dont need to decrypt
Modify the addresses in the application layer headers, such as the Host: and X-Forwarded-For: in
the HTTP header
So NAT mode works well for edge or gateway security, where you divide your private IPv4 network from
an external network such as guest Wi-Fi or the Internet.

In transparent mode, the destination address is the servers address not a FortiGates interface.
As a result, it usually doesnt need to rewrite encapsulated layers with the exception of TCP SYN-
related analysis. Only the MAC address in the frame is rewritten. So in complex IP environments such as
MSSP or mobile phone carriers, this simplifies deployment. Only the management interface needs an IP
address. But because network-facing interfaces dont have an IP address, you must verify that your
topology doesnt have any loops at Layer 2 Ethernet.

FortiGate I Student Guide 94


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

NAT mode is the default operation mode. What are the other default settings? Once youve removed
your FortiGate from its box, what do you do next?

Lets see how to set up a FortiGate.

Attach your computers network cable to port1 or the internal switch ports (depending on your model) to
begin setup. There is a DHCP server on that interface, so if your computers network settings have
DHCP enabled, your computer should automatically get an IP, and you can begin setup quickly. Every
FortiGate or FortiWifi device has these same default settings. (Note that FortiAP is not the same. Its
covered in a separate lesson.)

To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99.

Remember: The default login is publicly available knowledge. Never leave its default password
blank! Your network is only as secure as your FortiGates admin account. Before you connect your
FortiGate to your overall network, you should set a complex password. You should also restrict it so that
FortiGate allows administrative connections only from your local console or management subnet.

FortiGate I Student Guide 95


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

What happens if you forget the password for your admin account, or a hostile employee changes it?

This recovery method is on all FortiGate devices, and even some non-FortiGate devices like FortiMail.
Its a temporary account, only available through the local console port, and only after a hard reboot
disrupting power by unplugging or switching off the power, then restoring it. FortiGate must be physically
shut off, then turned back on not simply rebooted through the CLI. Thats the difference between a
hard boot and a soft boot.

Even then, the maintainer login will only be available for login for about 30 seconds after boot
completes.

If you cant ensure physical security, or have compliance requirements, you can disable the maintainer
account. Use caution: if you disable maintainer and then lose your admin password, you
cannot recover access to your FortiGate.

FortiGate I Student Guide 96


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

All FortiGate models have a console port. This provides CLI access without a network.

On older models, its a serial port. A standard null modem cable can be used to connect the serial
port to your computers serial port.
On newer models, its an RJ-45 port. Access by connecting an RJ-45-to-serial cable from your
computers serial port to the RJ-45 port on the FortiGate.
In some newer models, the console port is a USB2 port. In that case, youll plug in the USB cable,
then open FortiExplorer.

Each device ships with its appropriate cable.

Serial ports on computers are becoming less common. If your computer have one, you can purchase a
USB-to-serial adapter.

FortiGate I Student Guide 97


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Most features are available in both the GUI and CLI. There are a few exceptions. Reports cant be
viewed in the CLI, for example, and diagnostic commands for power users are usually not in the GUI.

What if you dont want to use the GUI?

There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script its
configuration, you may want to use it in addition. You can access the CLI via either the JavaScript widget
in the GUI named CLI Console, or via a terminal emulator such as Tera Term
(http://ttssh2.sourceforge.jp/index.html.en) or PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can connect
via the network SSH or telnet or the local console port.

SNMP and some other administrative protocols are also supported, but they are not used for basic
setup. Lets focus on setup now.

FortiGate I Student Guide 98


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

As an alternative GUI during setup, you can plug in your smart phone, and use FortiExplorer.

FortiExplorer isnt a complete configuration tool for all devices. Its focus is deployment configuring
network addresses and routing. After that, your FortiGate can be integrated into the network, and you
can continue by configuring firewall policies, security profiles and other features.

FortiGate I Student Guide 99


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

There are a few supported platforms for the FortiExplorer software. This is what FortiExplorer looks like
when you are running it on a Windows laptop.

On the left side, you can see that FortiExplorer can fully update device firmware and configure its
network settings so that FortiGate is prepared for you to plug it into your network.

FortiGate I Student Guide 100


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Whichever method you use, start by logging in as admin. Begin by creating accounts for other
administrators.

Its not shown here, but alternatively, instead of creating accounts on FortiGate itself, you could configure
FortiGate to query a remote authentication server. You could also require personal certificates,
authenticated via your PKI certificate authority, instead of passwords.

Choose strong, complex passwords. For example, you could use multiple interleaved words with varying
capitalization, and randomly insert numbers and punctuation. Do not use short passwords, nor
passwords that contain names, dates, or words that exist in any dictionary. These will be very
weak against brute force attacks. To audit the strength of your passwords, use tools such as l0phtcrack
(http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). Risk of attackers brute
forcing your firewall is especially high if you connect the management port to the Internet.

In order to restrict access to specific features, you can assign permissions.

FortiGate I Student Guide 101


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

When assigning permissions in an access profile, you can specify read-and-write, read-only, or no
access to each area.

By default, there is a special profile named super_admin, which is used by the account named admin.
It cannot be changed. It provides full access to everything, making the admin account similar to a root
superuser account.

prof_admin is another default profile. It also provides full access, but unlike super_admin, it only
applies to its virtual domain not the global settings of the FortiGate. Also, its permissions can be
changed.

You arent required to use a default profile. You could, for example, create a profile named
auditor_access with read-only permissions. Restricting a persons permissions to those necessary for
his or her job is a good best practice, because even if that account is compromised, the compromise is
not complete. To do this, create administrative access profiles, then select the appropriate profile when
configuring an account.

FortiGate I Student Guide 102


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

What are the effects of access profiles?

Its actually more than just read or write access.

Depending on the type of access profile that you assign, each administrator may not be able to access
the entire FortiGate. For example, you could configure an account that can only view log messages.
Administrators may not be able to access global settings outside their assigned virtual domain, either.
(Virtual domains, by the way, are a way of subdividing the resources and configurations on a single
FortiGate. VDOMs are shown in another lesson.)

Administrators with a smaller scope of permissions cannot create, or even view, accounts with
more permissions. So, for example, an administrator using the prof_admin or a custom profile cannot
see nor reset the password of accounts that use the super_admin profile.

FortiGate I Student Guide 103


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

To further secure access to your network security, use two-factor authentication.

Two factor authentication just means that instead of only using one way to verify your identity typically
a password or personal certificate you verify identity in two ways. In the example shown here, two-
factor would mean a password plus an RSA randomly generated number from a FortiToken that is
synchronized with FortiGate.

FortiGate I Student Guide 104


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

FortiToken is not the only option if you want to use two-factor authentication. Remember, two-factor
authentication literally only means that you use two methods to verify the persons identity.

Alternatively, FortiGate can send an email to the administrators address, or send a text message.

To be able to do this, you must first configure FortiGate with the settings of a mail server that it can use
to send email, or an SMS server. The mail server can be configured under System > Config >
Messaging Servers in the GUI, or the CLI. SMS settings however are CLI-only.

FortiGate I Student Guide 105


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Another way to secure your FortiGate is to define which hosts or subnets are trusted sources of login
attempts.

Define all three, for all accounts. (If you leave any IPv4 address as 0.0.0.0/0, this means to allow
connections from any source IP obviously not what you want.) Notice that each account can define its
management host or subnet differently. This is especially useful if you will be setting up virtual domains
on your FortiGate, where the VDOMs administrators may not even belong to the same organization..

Now try to access FortiGates GUI or CLI from an external IP. Does it work? No. Your web browser or
terminal emulator wont receive a response. Not even to a ping.

Unless you connect from the network administrators subnet, FortiGate wont allow you to even try to log
in. So external brute force is impossible. So is discovery by ICMP.

FortiGate I Student Guide 106


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

You may also want to customize the administrative protocols port numbers.

You can also choose whether to allow concurrent sessions. This can be used to prevent accidentally
overwriting settings if you usually keep multiple browser tabs open, or accidentally leave a CLI session
open without saving the settings, then begin a GUI session and accidentally edit the same settings, for
example.

FortiGate I Student Guide 107


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Weve defined the management subnet that is, the trusted hosts for each administrator account. How
do you enable or disable management protocols?

This is specific to each interface. For example, if your administrators connect to FortiGate only from
port1, you should disable all administrative access on all other ports. This prevents brute force attempts,
and also insecure access.

For better security, it always best to only use secure, encrypted methods of access. Some protocols
such as telnet, ICMP, HTTP, and SNMP version 1 dont have encryption or even authentication. So
they should never be enabled on public, untrusted networks.

IPv4 and IPv6 protocols are separate. Its possible, for example, to have both IPv4 and IPv6 addresses
on an interface, but only respond to pings on IPv6. However, IPv6 is hidden in the GUI by default. How
do you show IPv6 settings?

FortiGate I Student Guide 108


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

FortiGate has hundreds of features. If you dont use all of them, hiding features that you dont use makes
it easier to focus on your work.

Hiding a feature in the GUI does not disable it. It is still functional, and still can be configured via CLI.
(In fact, many diagnostic features are only available in the CLI.)

Some advanced or less commonly used features, such as IPv6, are hidden by default.

There are 2 ways to show hidden features:


Use the Features widget on the dashboard, or
Go to System > Config > Features

FortiGate I Student Guide 109


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

The Features widget shows and hides features by bulk presets.

NGFW shows features for line speed inspection, with no added latency. This hides all UTM options
that can potentially slow down traffic.
ATP shows features for advanced threat protection that focus on protecting endpoint computers.
WF shows features for web filtering.
Full UTM is a present that shows almost all UTM features.

Load balancing and a few others arent enabled here, though. So if the Features widget does not
show the feature youre looking for, go to System > Config > Features instead.

FortiGate I Student Guide 110


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Once you have administrator accounts, they can configure the network interfaces.

Remember: When the FortiGate device is in NAT/route mode, every interface that handles traffic usually
must have an IP address. This is so that packets with this interface will have a source and destination at
the IP layer. There are 3 ways to do this:
assign a static IP, or
automatically retrieve one, via either DHCP or PPPoE

As we mentioned earlier, there are 2 exceptions. Other, less commonly used are One-Arm Sniffer and
Dedicate to FortiAP. Unlike how interfaces are usually in NAT mode, these arent assigned an address.
One-Arm Sniffer is an interface in promiscuous mode. As a result, regardless of each packets
destination address, FortiGate can inspect all traffic that arrives. So although the overall FortiGate is
in NAT mode, acting as a router, this specific interface does not. It receives traffic, but cannot send.
There are more considerations, which are in the IPS lesson.
Dedicate to FortiAP creates both an access point controller and DHCP server. Clients
connecting to SSIDs managed through this interface receive an IP address from the pool on this
interface.

FortiGate I Student Guide 111


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Wireless clients arent the only ones that can use FortiGate as their DHCP server.

Select the Manual option, enter a static IP, then enable the DHCP server option. Options for the built-
in DHCP server will appear.

FortiGate I Student Guide 112


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC
addresses. Those devices will always receive the same lease, unless the number of devices exceeds
the size of the IP pool.

FortiGate I Student Guide 113


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

For detailed information about the MAC addresses and the corresponding IPs, you can look in the router
subsection of the event log, or in the DHCP Monitor, which you can find in the System menu.

FortiGate I Student Guide 114


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Like with DHCP, you can also configure FortiGate to act as your local DNS server.

A local DNS server can improve performance for your FortiMail or other devices that use DNS queries
frequently. If your FortiGate offers DHCP to your local network, DHCP can be used configure those
hosts to use FortiGate itself as both the gateway and DNS server.

FortiGate can answer DNS queries in one of 3 ways:


by relaying all queries that is, acting as a DNS relay instead of a DNS server
by relaying queries only the queries it cant resolve to your ISPs DNS server,
by returning a null response if it cant resolve queries itself.

You can enable and configure DNS separately on each interface.

FortiGate I Student Guide 115


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

If you choose the DNS forwarding option, you can control DNS queries within your own network without
having to setup a separate DNS server.

FortiGate I Student Guide 116


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set up a
DNS database on your FortiGate.

This defines the host names that FortiGate will resolve queries for. Use zone file syntax outlined by
RFCs 1034 and 1035.

FortiGate I Student Guide 117


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Lastly, before you can integrate FortiGate in your network, FortiGate must have a default gateway.

If FortiGate gets its IP address through a dynamic method such as DHCP or PPPoE, then it will also
retrieve the default gateway.

Otherwise you must configure a static route. Without this, the FortiGate will not be able to respond to
packets outside the subnets directly attached to its own interfaces. It probably also wont be able to
connect to FortiGuard for updates, and may not properly route traffic.

Routing details are covered in another lesson. For now, you should usually make sure that FortiGate has
a route that matches all packets (destination is 0.0.0.0/0), and forwards them through the network
interface that is connected to the Internet, to the IP address of the next router.

Routing completes the basic network settings that are required before you can configure firewall policies.

FortiGate I Student Guide 118


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Now that FortiGate has basic network settings and administrative accounts, lets show how to back up
the configuration.

You can encrypt configuration files with a password, if necessary. Besides securing the privacy of your
configuration, it also has some effects you may not expect. Once encrypted, the configuration file cannot
be decrypted without the password and a FortiGate of the same model and firmware. This means that if
you send an encrypted configuration file to Fortinet Technical Support, even if you give them the
password, they still cannot load your configuration until they get access to the same model of FortiGate.
This can cause unnecessary delays when resolving your ticket.

Even if the configuration is not encrypted as a whole, each passwords is encrypted individually. So in
many cases, encrypting the entire configuration file may not be necessary.

FortiGate I Student Guide 119


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

If you open the configuration file in a text editor, youll see that both encrypted and unencrypted
configuration files contain a clear text header that contains some basic information about the device. The
diagram here shows what information it includes.

To restore an encrypted configuration, you must upload it to the same model of FortiGate, with the same
firmware version, then provide the password.

To restore an unencrypted configuration file, you are only required to match the model. If the firmware is
different, FortiGate will attempt to upgrade the configuration, similar to how it uses upgrade scripts on the
existing configuration when upgrading firmware.

Usually, the configuration file only contains non-default settings, plus a few default yet crucial settings.
This minimizes the size of the backup, which could otherwise be several MB in size.

FortiGate I Student Guide 120


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

If you enable virtual domains, subdividing the resources and configuration of your FortiGate, each VDOM
administrator can back up and restore their own configurations. You dont have to back up the entire
FortiGate configuration.

VDOM details are discussed in a separate lesson.

FortiGate I Student Guide 121


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Upgrading the firmware on a FortiGate is simple. The easiest method is to click the Update link on the
System Information widget on the dashboard, then choose a firmware file that you have downloaded
from support.fortinet.com.

If you want to make a clean install by overwriting both the existing firmware and its current
configuration, you can do this via the local console CLI, within the boot loader menu, while FortiGate is
rebooting. However, this is not the usual method.

FortiGate I Student Guide 122


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

You can also downgrade firmware. Since settings change in each firmware version, you should have a
configuration file in the syntax that is compatible with the firmware.

Remember to read the release notes. Sometimes a downgrade between firmware versions that
preserves the configuration is not possible, such as when the OS changed from 32-bit to 64-bit. In that
situation, the only way to downgrade is to format the disk, then reinstall.

Once youve determined the downgrade is possible, verify everything again, then start the downgrade.
After it completes, restore a configuration backup that is compatible with that version.

Why should you keep emergency firmware and physical access?

Old firmware versions dont know how to convert future configurations. Also, when upgrading via a path
that is not supported by the configuration translation scripts, you might lose all settings except basic
access settings such as administrator accounts and network interface IP addresses. Another rare but
possible scenario is that the firmware could be corrupted when you are uploading it. For all of those
reasons, you should always have local console access during an upgrade, in case of emergency.
However, in practice, if you read the Release Notes and have a reliable connection to the GUI or CLI, it
should not usually be necessary.

FortiGate I Student Guide 123


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

Remember your initial setup via FortiExplorer? You can also use it to download firmware, then install it
on your FortiGate.

FortiGate I Student Guide 124


DO NOT REPRINT Introduction to Fortinet UTM

FORTINET

To review, these are the topics that we just talked about.

We showed how FortiGate can replace multiple single-purpose devices yet increase power efficiency
and throughput. We explained the differences between FortiGuard services, and how those are part of
the UTM architecture. We showed how to configure administrator accounts, permissions, and how to
harden administrative access. We also explained how to choose the operation mode based upon the
behavior you need for each network interface, how to configure the network settings, and finally how to
back up the configuration and install firmware.

FortiGate I Student Guide 125


DO NOT REPRINT Logging & Monitoring

FORTINET

In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and
network traffic. Since you are implementing a security solution, it is important to know how to
appropriately monitor the devices operation. It is vital to have logging and monitoring configured
properly and to know how to read the output. Otherwise if you encounter issues, you wont have any
messages from FortiGate to help you find out what is happening in your network.

FortiGate I Student Guide 126


DO NOT REPRINT Logging & Monitoring

FORTINET

By the end of this lesson, youll be able to:


Describe log severity levels
Identify where logs are stored
Describe the different types of logs
Understand log structure and behavior
Configure log settings
Understand the impact of logs on resources
Describe how to view log messages, and finally
Describe how to search and interpret log message

FortiGate I Student Guide 127


DO NOT REPRINT Logging & Monitoring

FORTINET

The basic purpose of logs is to help you monitor your network traffic levels, track down problems,
establish baselines and a lot more.

Think of your own internal organization, where it is highly probable that more than one administrator
has access to your FortiGate device. Since it is not practical to block other administrators from making
changes to your FortiGate configuration, you can simply view the log files to find out what is
happening on the deviceincluding any changes that were made. Logs help provide you with the big
picture so you can make adjustments to your network security, if necessary.

Keep in mind that some organizations have legal requirements when it comes to logging, so it is
important to be aware of your organizations policies during configuration.

FortiGate I Student Guide 128


DO NOT REPRINT Logging & Monitoring

FORTINET

Each log entry includes a log level that ranges in order of importance from Debug to Emergency. In
total there are eight levels. Debug, the lowest level, puts additional information into the event log and
is worthless unless you are actively investigating something. Debug is only needed to log diagnostic
data, puts more strain on the CPU resources, and requires additional resources to create. Generally
the lowest level you want to use is Information.

You and your organizations policies dictate what needs to be logged.

FortiGate I Student Guide 129


DO NOT REPRINT Logging & Monitoring

FORTINET

You can choose to store logs in a variety of places both on and off the device. Locally, the FortiGate
device has memory and many devices have a built-in hard drive. Externally, you can store logs on
Syslog Servers, FortiCloud, SNMP, or a FortiAnanlyzer device.

FortiGate I Student Guide 130


DO NOT REPRINT Logging & Monitoring

FORTINET

As an external logging device for FortiGate, a FortiAnalyzer or FortiManager is simply viewed as an IP


with which the FortiGate can communicate. As a result, you can place a FortiAnalyzer or
FortiManager within the same network as a FortiGate, or outside of it. However, a Fortigate can
communicate with a FortiAnalyzer or FortiManager only if it is registered device. So long as the
FortiGate is properly registered with the FortiAnalyzer or FortiManager, it accepts incoming logs.
Communication between the Fortigate and FortiAnalyzer or FortiManager is done via SSL encrypted
OFTP traffic, so when a log message is generated, it can be safely transmitted across an unsecure
network.

FortiGate I Student Guide 131


DO NOT REPRINT Logging & Monitoring

FORTINET

So far, weve discussed FortiAnalyzer and FortiManager as interchangeable external logging devices
for the FortiGate. While configuring the FortiGate to send logs to a FortiAnalyzer or FortiGate is
identicalthey share a common hardware and software platformthe FortiAnalyzer and
FortiManager actually have different capabilities that are worth noting. Both take log entries, but a
FortiManagers primary purpose is to centrally manage multiple FortiGate devices. As such, it has a
flat limit imposed on the amount of logs it can receive in a day, regardless of the model. On the other
hand, the FortiAnalyzers primary purpose is to store and analyze logs, so the log limit is much higher
(though the limit is model-dependent). Even the smallest FortiAnalyzer can handle more logs per day
than any FortiManager.

But at the most basic level, what you can do with the logs received on a FortiManager is no different
than what you can do with logs received on a FortiAnalyzer.

The FortiGate has 2 methods for transmitting the log events. There is the store-and-upload option, as
well as real time.

FortiGate I Student Guide 132


DO NOT REPRINT Logging & Monitoring

FORTINET

You can configure logging to either a FortiAnalyzer or FortiManager through the GUI or CLI.

In the GUI, it is done under Log & Report > Log Config > Log Settings. Here, each device must be set
up separately, one at a time.

In the CLI, you can configure up to three separate FortiAnalyzer or FortiManager devices at the same
time. The options in the GUI only relate to the config log fortianalyzer setting, not fortianalyzer2 or
fortianalyzer3. You may need a setup like this for redundancy or for some other requirement. Keep in
mind that generating logs requires resources, so the impact of sending logs to multiple locations
ultimately depends on how many logs you are creating.

FortiGate I Student Guide 133


DO NOT REPRINT Logging & Monitoring

FORTINET

Another external logging option you can use is FortiCloud. FortiCloud is a subscription-based service,
offered by Fortinet, that offers long term storage of logs as well as provides reporting functionality. Its
a similar idea to FortiAnalyzer, but more advantageous for smaller setups, where purchasing a
dedicated logging appliance isnt feasible. Every FortiGate comes with a free one month trial. You can
activate your free trial from the GUI and link it to your FortiCare user and start sending logs. Be sure to
read any documentation on the website if you are considering the subscription-based option.

FortiGate I Student Guide 134


DO NOT REPRINT Logging & Monitoring

FORTINET

On the FortiGate, all logs are split up into three different log types. These are traffic logs, event logs, and
security logs.

Each log type is further split up into sub-types. Traffic logs contain Forward, Local, Invalid and Multicast.
The Forward log contains information about traffic either accepted or rejected by a firewall policy. Local
traffic is traffic directly to/from the FortiGate, and includes logging into the GUI, as well as FortiGuard
queries. Invalid packets are the logs thrown away before they even get to a firewall policy.

Event logs contain System, User, and Router/VPN/WanOpt &Cache/Wifi sub-types. System events are
related to system operations, such as automatic updates of the AV/IPS definitions and people logging
into the GUI. User contains logon/off events for users hitting firewall policies. Router/VPN/WanOpt
&Cache/Wifi contain log entries related to the specific feature. For example, Router contains BGP or
RIP log entries and VPN contains IPSec and SSLVPN log entries.

Finally, Security logs contain log entries based on the security profile type. For example, Antivirus, Web
Filter, and Intrusion Protection to name a few. Security logs only show specific sub-types if logs are
created within it.

FortiGate I Student Guide 135


DO NOT REPRINT Logging & Monitoring

FORTINET

The Log & Report section of the FortiGate GUI includes the three log types: Traffic, Event, and (if
configured), Security. The Traffic Log contains events about packets. The Event Log contains admin or
system activity events. The Security Log contains messages related to security profiles activated on
firewall policies. By default, most of the events related to security appear in the Forward Traffic loga
sub-type of the Traffic Log. This is for performance: fewer log files is less CPU intensive. The exception
to this is DLP and Intrusion Scanning. Events such as these always appear in the Security Log section.

FortiGate I Student Guide 136


DO NOT REPRINT Logging & Monitoring

FORTINET

To inspect your logs through the GUI, go to the Log & Report section and select the log type to view.
In the upper right corner of the window, you can switch between viewing the logs from different
locations if the FortiGate is set up to log to multiple locations.

It is not recommended to configure your firewall to actively inspect traffic without creating a log entry
about it.

FortiGate I Student Guide 137


DO NOT REPRINT Logging & Monitoring

FORTINET

This chart illustrates the expected behavior when you enable different logging options.

The first column, Policy Log Setting, shows the log setting on the Firewall policy: No Log, Log Security
Events, or Log all Sessions.

The second column shows whether an Antivirus, Web Filter, or Email security profile is enabled or
disabled. Remember, DLP and IPS profiles always generate logs in the Security Log section.

The last column shows the behavior. If you enable any profiles on your policy and logging is not enabled,
you will not get logs of any kindeven if the profile is configured to block the traffic. So if you apply a
security profile, its important to remember to consider the logging setting.

FortiGate I Student Guide 138


DO NOT REPRINT Logging & Monitoring

FORTINET

When viewing the logs, you might encounter a high volume of log messages, depending on your
configuration. This makes it difficult to locate a specific log or log type, especially during an
investigation. In order to negotiate the logs more efficiently, you can set up various filters. The more
information you specify in the filter, the easier it is to find the precise log entry. Filters are configured
for each column of data you choose to display. By default only a subset of the information appears in
the log table. Make sure to configure the table columns for your own requirements.

FortiGate I Student Guide 139


DO NOT REPRINT Logging & Monitoring

FORTINET

Every log message you view has a standard layout comprised of two sections: a header and a body.
The header contains the same information regardless of the log. The body, however, changes from
one type of log message to another. This is because there is some data common to all logs, like a
date and time, while other data is event dependent.

FortiGate I Student Guide 140


DO NOT REPRINT Logging & Monitoring

FORTINET

Lets take a closer look at the header in this is an example of a raw log entry. While the output is not
as structured as it appears in the GUI, the information contained in a raw log file is the same. As you
can see in the header, aside from the date, time, and log ID attributes, you can see the that log type is
UTM, the sub-type is DLP, and the severity level is Warning. The attributes in the header (such as log
type and sub-type) are common to every log, but the data aligned to it can be different. For example,
the header can contain a log type of Event and sub-type of System instead of what you see in the
example above. Accordingly, the information in the header of the log directly effects the data
contained in the associated body of the log.

Note that if you log to a 3rd party device, such as a Syslog server, you need to know how to set up
your filters in order to find what you need in your log messages. You can find a document that
contains all the logs and their layouts from the Fortinet docs web site at http://docs.fortinet.com .

FortiGate I Student Guide 141


DO NOT REPRINT Logging & Monitoring

FORTINET

Now lets take a closer look at the body of a log. The body provides the specifics of the log message
and helps you understand what actually happened. In the above log, we can see the action taken by
the FortiGate device when it encountered the traffic through the status attribute. Here, the status is
Deny, which means the FortiGate prevented this particular piece of traffic from passing. The value
indicated by policyid field provides useful information about the policy this traffic passed through
(which firewall rule was used).

FortiGate I Student Guide 142


DO NOT REPRINT Logging & Monitoring

FORTINET

Rather than look at raw logs or logs through the GUI, you can also display log messages from the CLI.
This allows you to set up a number of filters on the logs that display and capture the output to a file
and send it via the options you specify, such as FTP.

FortiGate I Student Guide 143


DO NOT REPRINT Logging & Monitoring

FORTINET

Monitoring your logs is critical, as it allows you to review the progress of an attack, whether afterwards
or
while in progress, and address the issue quickly. How the attack unfolds may reveal weaknesses in
your preparations.

There are three ways you can monitor logs: Alert Emails, Alert Message Console, and SNMP.

FortiGate I Student Guide 144


DO NOT REPRINT Logging & Monitoring

FORTINET

Since you cant always be physically at the device, you can monitor logs by setting up Alert emails.
Alert emails are set up similar to any log device. First you decide what is going in to them (a filter)
and then where it is going.

FortiGate I Student Guide 145


DO NOT REPRINT Logging & Monitoring

FORTINET

In order to set up an alert email, the first thing you need to do is configure an SMTP server to allow for
communication between the server and the FortiGate device. This can only be done in the CLI.
This allows you to configure your alert email settings in the GUI through the Log & Report > Log
Config > Alert E-mail menu. Without configuring an SMTP server that will receive the email, the alert
email option does not appear in the GUI.

FortiGate I Student Guide 146


DO NOT REPRINT Logging & Monitoring

FORTINET

Another log monitoring option is the alert message console. The Alert Message Console is a GUI
widget that you can enable on the System dashboard. Here, instead of the alerts being emailed to
administrators like in Alert emails, they appear directly in the widget on the System page when you log
in to the FortiGate. You can configure the widget to set up the events you want to appear as alerts, the
number of alerts, and even the name of the widget itself. For example, you can have multiple alert
widgets on the dashboard with different names all displaying different types of alerts.

Once an alert appears in the Alert Message Console it remains until acknowledged. Once you confirm
the event did not impact anything, you acknowledge it, and it is removed from your list it no longer
appears as something that requires further attention.

FortiGate I Student Guide 147


DO NOT REPRINT Logging & Monitoring

FORTINET

Another method of monitoring logs is through an SNMP manager. In order to use this method, you
require the Management Information Base (MIB) file. A MIB is a text file that describes a list of SNMP
data objects that are used by the SNMP manager. These MIBs provide information the SNMP
manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate device
SNMP agent. They can be loaded into any SNMP software so that you can set up automatic queries
to the device in order to discover operational status. You can obtain CPU, memory levels, the cause
for the last spam detection, and more. A FortiGate device can support SNMP v1, v2 and v3.

You can obtain the MIB files either on the Support website or directly from the FortiGate GUI through
the System > Config > SNMP menu.

FortiGate I Student Guide 148


DO NOT REPRINT Logging & Monitoring

FORTINET

Setting up the necessary SNMP options is fairly straight forward from the GUI. Simply enable and
define the service as you would any other SNMP monitored device and then enable your protocol
options and methods of monitoring. What can be monitored with the different options is exactly the
same. SNMP v3 offers some additional security over the previous two versions of the protocol, like
traffic encryption and authentication.

FortiGate I Student Guide 149


DO NOT REPRINT Logging & Monitoring

FORTINET

In the GUI, under Log & Report > Log Config > Log Settings, you can enable different locations for log
storage. You can also configure the different kind of traffic you want to appear in the Local traffic log.
Finally, you can configure the GUI preferences. Resolving IPs to host names requires the FortiGate to
perform DNS lookups for all the IPs. If your DNS is not working or running slowly, this can impact your
ability to look through the logs as the requests will timeout.

FortiGate I Student Guide 150


DO NOT REPRINT Logging & Monitoring

FORTINET

Using the CLI to configure log settings provides you with more flexibility and options than the GUI.
From the CLI, you can configure up to three separate FortiAnalyzers and Syslog servers, options not
available in the GUI. There is also the ability to set up logging to Webtrends, a 3rd party service. The
information you require for configuring the log settings is dependent on the logging option you
configure: disk, FortiAnalyzer, FortiGuard, memory, Syslog, or Webtrends.

FortiGate I Student Guide 151


DO NOT REPRINT Logging & Monitoring

FORTINET

Firewall policies also have logging options you can configure. The policy setting determines if and
when a log message is generated for traffic passing through a particular firewall policy. The settings
under Log Settings in the GUI and the config log command in the CLI determine where the FortiGate
stores the log messages it creates.

FortiGate I Student Guide 152


DO NOT REPRINT Logging & Monitoring

FORTINET

Its important to remember that creating logs is not freeit does weigh on your system. The more
logs that get generated, the heavier the toll on your CPU and memory resources. Storing logs for a
period of time also requires disk space, as does accessing them. So before configuring logging, make
sure its worth the extra resources and that your system can handle the influx.

Also important to note is logging behavior with UTM profiles. UTM profiles create log events when
traffic is detected. Depending on the amount of traffic you have and logging settings that are enabled,
your traffic logs can easily become a problem that will ultimately impact the performance of your
firewall.

There is an option in the CLI that removes some of the information stored in the traffic log: set brief-
traffic-format enabled. By executing this command, you can free up resources on the firewall.

FortiGate I Student Guide 153


DO NOT REPRINT Logging & Monitoring

FORTINET

In configuring the Event log settings, remember that Event logs are not caused by traffic passing
through firewall policies. For example, VPNs going up and down or routing protocol activity are not
caused by traffic passing through a firewall policy. One exception might be the user log. This does not
record information about traffic through firewall policies directly, but it does record user logon/logoff
events on traffic that passes through policies.

Event logs provide all of the system information generated by the FortiGate device, such as
administrator logins, configuration changes made by administrators, user activity, and daily operations
of the device. So what you enable depends on what features you are implementing and what
information you need to get out of the logs. You can enable what events you want to log through the
Log & Report > Log Config > Log Settings menu.

FortiGate I Student Guide 154


DO NOT REPRINT Logging & Monitoring

FORTINET

There is also a daily log monitor section. This displays the number of logs generated over time as well
as the log type. This allows you to see where your FortiGate device is using most of its resources and
if any trends are occurring. You can drill down through these logs and obtain further information by
clicking any of the days.

FortiGate I Student Guide 155


DO NOT REPRINT Logging & Monitoring

FORTINET

Each function of the FortiGate device has an equivalent Monitor menu item in the GUI. This allows
you to take a view, at any given moment, how the feature is performing. The Security functions have a
monitor option like the rest, but you need to enable it from the CLI before it appears. With a lot of
security activity this could impact your CPU, so its disabled by default.

FortiGate I Student Guide 156


DO NOT REPRINT Logging & Monitoring

FORTINET

One example of a GUI monitor is the Security Profiles monitor, found in the GUI under Security
Profiles > Monitor. It has sub-sections for each security feature to highlight recent activity, such as AV
Monitor, Web Monitor, and Application Monitor to name a few. This gives you a snapshot of what is
happening with that particular option. Almost every menu has this option.

FortiGate I Student Guide 157


DO NOT REPRINT Logging & Monitoring

FORTINET

Another means of monitoring is through the widgets on the status page. Many can be customized to
show the same type of information in multiple ways. If you click the pencil icon in the upper right
corner of the widget, you can configure any of the available settings for that widget. You can add some
widgets to the same dashboard multiple times, with each instance displaying different information.

FortiGate I Student Guide 158


DO NOT REPRINT Logging & Monitoring

FORTINET

By default, there are a number of different dashboards available. Each one has a different name with a
different collection of widgets to provide different types of information. Each user has their own
dashboard setup and layout, so if one user deletes a dashboard and rearranges the widgets on the
Status page, it will not impact any of the other users. You can alter a users permissions to not allow
them to make changes to their dashboard and use this to restrict their access.

FortiGate I Student Guide 159


DO NOT REPRINT Logging & Monitoring

FORTINET

One other area you may want to monitor, purely for diagnostics, is the crash logs, available through
the CLI. The FortiGate is like a computer, with different processes that handle different things, like
DHCP or web filtering for example. Any time a process is closed for any reason, the crash log records
this as a crash. If there is an abnormal termination of a process, you can look at the crash logs and
find out the conditions that caused it. A normal and fairly common thing to see in the crash log are
entries for Scanunitd, which is the process responsible for virus scanning. Any time the definitions
package is updated, that process needs to close down in order to apply the new package. This is a
normal shutdown and appears with a status of zero, which indicates a normal shut down with no
abnormalities.

FortiGate I Student Guide 160


DO NOT REPRINT Logging & Monitoring

FORTINET

In this lesson, we covered log severity levels; storage locations; log types and subtypes; log structure
and behavior; log settings; viewing logs messages; and monitoring, reading, and interpreting log
messages.

FortiGate I Student Guide 161


DO NOT REPRINT Firewall Policies

FORTINET

In this lesson, we will show you how to pass traffic through FortiGate, and explain how that works. At its
core, FortiGate is a firewall, so almost everything that it does to your traffic is linked into your firewall rules.

FortiGate I Student Guide 162


DO NOT REPRINT Firewall Policies

FORTINET

After this lesson, you should be able to properly identify the different components used in a firewall policy.
Youll be able to configure firewall policies and arrange them to correctly match traffic.

FortiGate I Student Guide 163


DO NOT REPRINT Firewall Policies

FORTINET

Youll also be able to apply UTM and other features through the firewall policy, test your policies, and
monitor traffic passing through them.

FortiGate I Student Guide 164


DO NOT REPRINT Firewall Policies

FORTINET

To begin, lets talk about what firewall policies are.

Firewall policies define which traffic matches, and what FortiGate will do if it does.

Should the traffic be allowed? This is decided first based on simple criteria such as the source. Then, if the
policy itself does not block the traffic, FortiGate begins more computationally expensive UTM inspection,
such as application control and web-filtering, if youve chosen it in the policy. Those scans could block the
traffic if, for example, it contains a virus. Otherwise, the traffic is allowed.

Will NAT be applied? Authentication required? Firewall policies also determine that. Once processing is
finished, FortiGate forwards the packet towards its destination.

FortiGate I Student Guide 165


DO NOT REPRINT Firewall Policies

FORTINET

When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which
you can define using objects:
Ingress and egress interfaces
Source and destination, by IP address, device ID, or user
Network service(s) (that is, IP protocol and port number)
Schedule

Once FortiGate finds a matching policy, it applies its settings for packet processing. Is antivirus scanning
applied? Will source NAT be applied?

For example, if you want to block incoming FTP to all but a few FTP servers, you would define the
addresses of your FTP servers, and select those as the destination, and select FTP as the service. You
probably wouldnt specify a source (often any location on the Internet is allowed) nor schedule (usually
FTP servers are always available, day or night). Finally, you would set the Action setting to Accept.

This might be enough, but often, youll want more thorough security. Here, the policy also authenticates
the user, scans for viruses, limits the bandwidth consumption, and logs blocked connection attempts.

FortiGate I Student Guide 166


DO NOT REPRINT Firewall Policies

FORTINET

Firewall policies appear in an organized list. Its either organized into a section view, or global view.

Usually, it will appear in section view. Each section contains policies for that ingress-egress pair.

Alternatively, you can choose to view your policies as a single comprehensive list, by selecting Global
View at the top of the page.

Policy sequence numbers define the order in which rules are processed. Policy IDs are identifiers. By
default sequence numbers are displayed on the GUI. CLI commands, however, use policy ID: edit <ID>.
This may confuse the administrator in to modifying the wrong policy. To avoid such errors add the policy ID
to the GUI using the column settings.

FortiGate I Student Guide 167


DO NOT REPRINT Firewall Policies

FORTINET

In some cases, you wont have a choice of which view, though.

If you use multiple source/destination interfaces or the any interface, policies cannot be separated into
sections by interface pairs some would be triplets or more. So instead, policies are then always
displayed in a single list. It is ordered primarily by the policy sequence number.

To help you remember the use of each interface, you can give them aliases. For example, you could call
port1 WAN. This can help to make your list of policies easier to comprehend.

FortiGate I Student Guide 168


DO NOT REPRINT Firewall Policies

FORTINET

Remember that we mentioned that only the first matching policy applies?

Moving your policies into the correct position is important. It affects which traffic is blocked or allowed.

In the applicable interface pairs section, FortiGate will look for a matching policy, beginning at the top. So
usually, you should put more specific policies at the top. Otherwise, more general policies will match the
traffic first, and your more granular policies will never be applied.

Here, were moving a policy that only matches Windows SMB traffic above the more general accept
everything from everywhere policy. Otherwise, FortiGate would always apply the first matching policy
the accept everything policy and never reach the block SMB policy.

How does FortiGate determine if a packet matches a policy? Lets look at that next.

FortiGate I Student Guide 169


DO NOT REPRINT Firewall Policies

FORTINET

Each policy matches traffic and applies security by referring to objects such as addresses and profiles that
youve defined.

What about other firewall policy types? Do IPv6 policies exist? Yes. And they use slightly different objects
that are relevant to their type. In this lesson, were discussing IPv4 firewall policies and SSL/SSH
inspection. They are the most common use case.

FortiGate I Student Guide 170


DO NOT REPRINT Firewall Policies

FORTINET

To begin describing how FortiGate finds a policy for each packet, lets start with the interface pairs. We
showed them in section view.

Packets arrive on an ingress interface; routing determines the egress. Both interfaces must match the
policys interface criteria in order for it to be a successful match. In each policy, you must select both a
source and destination interface, even it is any.

So if a packet arrives on port4, but you only have policies for between port1 WAN ingress and port2 DMZ,
for example, the packet would not match your policies and therefore be dropped due to the implicit deny
policy at the end of the list, even if the packet did match the egress port of any.

Interfaces may be grouped into logical zones. For example, you could group port7 to port10 as a LAN
zone. This generally simplifies policy configuration, except that an interface in a zone cannot be referenced
individually. So if you must subdivide a zone, dont. Instead, select multiple source and destination
interfaces in the firewall policy.

FortiGate I Student Guide 171


DO NOT REPRINT Firewall Policies

FORTINET

The next match criteria that FortiGate will consider is the packets source.

In each firewall policy, you therefore must select a source address object. Optionally, you can refine your
definition of the source by also selecting a user, group and/or a specific device. If you organization allows
BYOD (that is, Bring Your Own Device), then a combination of all three provides a much more granular
match.

In earlier releases of FortiOS 5, sub-policies were used for authentication (also called identity) and device
identification. Also, it was either-or: you could not use both types in the same rule. In 5.2, you can now
use both user and device definitions together, in the same firewall policy.

FortiGate I Student Guide 172


DO NOT REPRINT Firewall Policies

FORTINET

Using Source Device Type causes the FortiGate to enable device identification on the source interface(s)
of that policy.

FortiGate I Student Guide 173


DO NOT REPRINT Firewall Policies

FORTINET

There are two device identification techniques: agentless and agent-based.


Agentless uses traffic from the device: the MAC address OUI, TCP fingerprint, and HTTP User-Agent:
header. Devices are indexed by their MAC address.
Agent-based uses FortiClient. FortiClient sends information to FortiGate, and the device tracked by its
FortiClient UID.

FortiGate I Student Guide 174


DO NOT REPRINT Firewall Policies

FORTINET

Device Definitions shows the list of detected devices. You can also define static entries.

Detected devices are saved to the FortiGates flash. Therefore on restart, the FortiGate knows devices
already identified, and does not have to re-categorize each device.

The user displayed in the device information is just a tag, it cannot be used as a means of identity for an
authentication policy.

FortiGate I Student Guide 175


DO NOT REPRINT Firewall Policies

FORTINET

The CLI command diag user device list shows a more detailed listing than User & Devices > Device >
Device Definitions, including the detection method.

FortiGate I Student Guide 176


DO NOT REPRINT Firewall Policies

FORTINET

FortiClient devices have a unique id which can be used as an index for the device. This is instead of the
MAC address, which may be problematic when a device has multiple MAC addresses (such as servers or
virtual machines), or where there is no Layer 2 visibility of that device.

FortiGate I Student Guide 177


DO NOT REPRINT Firewall Policies

FORTINET

FortiGate can control FortiClient settings via the profile and registration.

FortiGate I Student Guide 178


DO NOT REPRINT Firewall Policies

FORTINET

License Information on the FortiGate GUI dashboard shows the registered devices. Windows and Mac
FortiClient installers are also available from this dashboard widget.

FortiGate I Student Guide 179


DO NOT REPRINT Firewall Policies

FORTINET

Once a FortiClient registers itself with a FortiGate, youll be able to see its UID on the endpoint control
device list.

FortiGate I Student Guide 180


DO NOT REPRINT Firewall Policies

FORTINET

You may configure the default FortiClient profile or add additional profiles. New profiles applied to devices
or users override the default.

FortiGate I Student Guide 181


DO NOT REPRINT Firewall Policies

FORTINET

Once youve configured the settings, FortiGate will send them back to FortiClient.

FortiGate I Student Guide 182


DO NOT REPRINT Firewall Policies

FORTINET

FortiClient is the agent-based approach for source device type.

FortiGate I Student Guide 183


DO NOT REPRINT Firewall Policies

FORTINET

To reduce the total number of firewall policies in RAM, and simplify administration, you can group service
and address objects, then reference that group in the firewall policy, instead of selecting multiple objects
each time or making multiple policies.

You can also group virtual IPs.

FortiGate I Student Guide 184


DO NOT REPRINT Firewall Policies

FORTINET

Here, all three source selectors identify the user group, device type, and specific subnet. This would not
have been possible in previous firmware versions.

Remember, user and device are optional objects. They are used here so that the policy is more specific. If
you wanted the policy to match more traffic, you could leave them undefined.

FortiGate I Student Guide 185


DO NOT REPRINT Firewall Policies

FORTINET

In earlier releases of FortiOS 5, if traffic matched an identity sub-policy, by default, FortiGate simply
blocked traffic that failed authentication. It would not fall through to try the next authentication rule unless
you had explicitly enabled the option fall-through-unauthenticated.

But in this release, FortiGate uses the fall-through behavior by default.

FortiGate I Student Guide 186


DO NOT REPRINT Firewall Policies

FORTINET

Like the packets source, FortiGate also checks the destination address for a match.

Address objects may be a host name, IP subnet or range. If you enter an FQDN as the address object,
make sure that youve configured your FortiGate with DNS settings. FortiGate uses DNS to resolve those
host names to IP addresses, which are what actually appear in the IP header.

Geographic addresses, which are groups or ranges of addresses allocated to a country, may be selected
instead. These objects are updated via FortiGuard.

FortiGate I Student Guide 187


DO NOT REPRINT Firewall Policies

FORTINET

Schedules add a time element to the policy. For example, a policy allowing backup software may activate
at night, or a remote address may be allowed for testing purposes and a schedule provides a test window.

FortiGate I Student Guide 188


DO NOT REPRINT Firewall Policies

FORTINET

Another criterion that FortiGate uses to match policies is the packets service.

At the IP layer, protocol numbers (for TCP, UDP, SCTP, etc.) and source and destination ports together
define each network service. Generally, only a destination port (that is, the servers listening port) is
defined. Some legacy applications may use a specific source port, but in most modern applications, the
source port is randomly determined at transmission time, and therefore is not a reliable way to define the
service.

For example, the predefined service object named HTTP is TCP destination port 80; HTTPS is TCP
destination port 443. However, the source ports are ephemeral, and therefore not defined.

FortiGate I Student Guide 189


DO NOT REPRINT Firewall Policies

FORTINET

Weve just shown several component objects that can be re-used as you make policies. What if you want
to delete an object?

If its being used, you cant. First, you must reconfigure the objects that are currently using it. The GUI
provides a simple way to find out where in the FortiGates configuration an object is being referenced. See
the numbers in the Ref. column? They are the number of places where that object is being used. The
number is actually a link, so if you click it, you can see which objects use it.

FortiGate I Student Guide 190


DO NOT REPRINT Firewall Policies

FORTINET

Weve just shown how policies are matched. Lets look a little beyond that now, to slightly before policies,
and to the scans they can use, as well as packet egress.

What happens when a packet first arrives on a FortiGate network interface?

Step 1 is packet ingress.


If a Denial of Service sensor is selected in the policy, it takes effect. Because its applied so early, DoS
packets dont receive other scans, and therefore dont consume unnecessary CPU or RAM.
At the IP layer, the packets CRC is checked for a match with the CRC in the header to make sure that
the packet wasnt corrupted in transmission.
IPSec session-related packets are sent to either the kernel or hardware for payload decryption.
Destination NAT is applied before routing.
If this is a new session, or routing information has changed, FortiGate will make a routing lookup.

FortiGate I Student Guide 191


DO NOT REPRINT Firewall Policies

FORTINET

Step 2 is stateful inspection.


Is this traffic destined for the FortiGate itself, such as the administrative GUI, SSL VPN, authentication,
DNS quers, or FortiGuard?
Is this traffic that should be forwarded by a policys established session, or that should be checked for a
policy match?
Does the traffic require a session helper to open dynamic ports, rewrite addresses in application layer
headers, etc.?

FortiGate I Student Guide 192


DO NOT REPRINT Firewall Policies

FORTINET

Step 3 is content inspection. FortiGate applies the security profiles that you selected in the policy here.
There are two mains types of content inspection:
Flow-based
Proxy-based
The order of inspection is important. The next step applies only if traffic is not blocked by the previous step.

FortiGate I Student Guide 193


DO NOT REPRINT Firewall Policies

FORTINET

Step 4 is packet egress.


Should FortiGate route the packet to an IPsec VPN virtual interface, before it is rerouted to a physical
interface?
Should FortiGate apply source NAT?
Which interface should the packet depart from?

FortiGate I Student Guide 194


DO NOT REPRINT Firewall Policies

FORTINET

If you enable session starts, FortiGate will create a traffic log when the session begins. But remember that
increasing logging decreases performance. So use it only where necessary.

Once a firewall policy closes an IP session, if you have enabled logging in the policy, FortiGate will
generate traffic logs.

During the session, if a security profile detects a violation, FortiGate will record the attack log immediately.
To reduce the amount of log messages generated and improve performance, you can enable a session
table entry of dropped traffic. This option is in the CLI, and is called ses-denied-traffic.

If the GUI option session starts is not displayed, your FortiGate device does not have internal storage. This
option is in the CLI, regardless of internal storage, and is called set logtraffic-start enable.

FortiGate I Student Guide 195


DO NOT REPRINT Firewall Policies

FORTINET

Once the first packet assuming it is not dropped establishes an IP session, FortiGate enters it in its
session table. If subsequent packets are received before the session times out, hashing function lookups
up the applicable policy for scans or NAT that it should apply to incoming packets.

You can use the monitor section in order to determine how much traffic is matching each firewall policy.

FortiGate I Student Guide 196


DO NOT REPRINT Firewall Policies

FORTINET

The session table can also be viewed from the CLI.

Firewall performance of connections per session and maximum number of connections are indicated by
the session table. But keep in mind that if your FortiGate contains FortiASIC NP chips designed to
accelerate processing, without loading the CPU, this may not be completely accurate. The session table
reflects what is known to and processed by the CPU.

FortiGate I Student Guide 197


DO NOT REPRINT Firewall Policies

FORTINET

Since the session table has a finite amount of RAM that it can use on your FortiGate, adjusting the session
time to live (TTL) can improve performance. There are global default timers, session state timers, and
timers configurable in firewall objects.

FortiGate I Student Guide 198


DO NOT REPRINT Firewall Policies

FORTINET

In this example, you can see the session TTL, which reflects how long FortiGate can receive no packets
until it will remove the session from its table.

Proto_state for TCP is taken from its state machine, which well talk about next.

Traffic shaping manages your bandwidth. Traffic counters are the overall counters for the session, and
determine how much data was sent and received.

NAT actions are also tracked.

FortiGate I Student Guide 199


DO NOT REPRINT Firewall Policies

FORTINET

In the previous slide, remember that the session table contained a number that indicated the connections
current TCP state. These are the states of the TCP state machine. They are single digit values, but
proto_state is always shown as two digits. This is because when proxy based inspection is used, which is
discussed later, two connections are establish with the proxy: one to the client, and one to the server. If
there are too many connections in the SYN state for long periods of time, this indicates a SYN flood, which
you can mitigate with DoS policies.

UDP is a stateless protocol. So it doesnt technically have states like TCP. However, the session table
does use the state column to track unidirectional UDP as state 0, and bidirectional USP as state 1.

FortiGate I Student Guide 200


DO NOT REPRINT Firewall Policies

FORTINET

Before looking at the session table, first build a filter. To look at our test connection you can filter on dst
10.200.1.254 and dport 80.

FortiGate I Student Guide 201


DO NOT REPRINT Firewall Policies

FORTINET

Here we see the corresponding session table entry. Here you can see the routing and NAT actions that
apply to the traffic.

FortiGate I Student Guide 202


DO NOT REPRINT Firewall Policies

FORTINET

In addition to security scans, firewall policies also determine what network address (NAT) or port address
translation (PAT) to apply to each packet.

NAT and PAT, also known as NAPT, translate internal, typically private, IP addresses, to external, typically
public or Internet, IP addresses.

In FortiOS, NAT and traffic forwarding are configured in the same firewall policy. However, diagnostics
clearly show NAT and forwarding as separate actions. The NAT option in a firewall policy, and IP Pools,
are source NAT settings and objects. Virtual IPs are destination NAT objects.

FortiGate I Student Guide 203


DO NOT REPRINT Firewall Policies

FORTINET

The default source NAT option uses the egress interface address. This is a many-to-one NAT. In other
words, port address translation is used and connections are tracked using the original source address and
source port combinations, and allocated source port. This is the same behavior as the overload IP Pool
type, discussed later.

Optionally, you may select fixed port in which case the source port translation is disabled. With fixed port,
if two or more connections require the same source port for a single IP address, only one connection can
establish.

FortiGate I Student Guide 204


DO NOT REPRINT Firewall Policies

FORTINET

If you use an IP pool, the source address is translated to an address from that pool rather than the egress
interface address. The larger the number of addresses in the pool, the greater the number of connections
can be supported.

The default IP pool type is overload, here there is a many-to-one/few relationship and port translation is
used.

FortiGate I Student Guide 205


DO NOT REPRINT Firewall Policies

FORTINET

One-to-one differs in the sense that there is a single mapping of an internal address to external address.

Port address translation is not required in this case. See the circled example showing the same source
ports on ingress and egress?

Mappings are not fixed. They are allocated on a first-come first-serve basis. If there are no more
addresses available, a connection will be refused as shown in the debug flow.

FortiGate I Student Guide 206


DO NOT REPRINT Firewall Policies

FORTINET

This example uses a fixed port range IP pool.

The internal address range 10.0.1.10-10.0.1.11 maps to the external address range 10.200.1.7-10.200.1.8.
This configuration provides an explicit relationship between internal and external ranges, and disables port
address translation.

FortiGate I Student Guide 207


DO NOT REPRINT Firewall Policies

FORTINET

These two CLI outputs illustrate the behavior difference between the port block allocation type, and the
default overload type.

Using hping, a rogue client generates many SYN packets per second. In the first example, the port block
allocation type limits the client to 64 connections for that IP pool. Other users will not be impacted by the
rogue client.

In the second example, the overload type imposes no limits, and the rogue client uses many more
connections in the session table. Other users will now be impacted.

FortiGate I Student Guide 208


DO NOT REPRINT Firewall Policies

FORTINET

Virtual IPs (VIPs) are destination NAT objects. For sessions matching a VIP, the destination address is
translated: usually a public Internet address is translated to a servers private network address. Select
VIPs in the firewall policys destination address field.

The default VIP type is static NAT. This is a one-to-one mapping which applies for incoming and outgoing
connections. That is, an outgoing policy with NAT enabled would use the VIP address instead of the
egress interface address. This behavior, however, can be overridden by use of an IP pool.

The static NAT VIP can be restricted to forward only certain ports. For example, connections to the
external IP on port 8080 map to the internal IP on port 80.

From the CLI, you can select the NAT type to load-balance and server-load-balance. Plain load balancing
distributes connections from an external IP address to multiple internal addresses. The later builds on that
mechanism, using a virtual server and real servers, and provides session persistence and server
availability check mechanisms.

VIPs should be routable to the external facing (ingress) interface. FortiOS responds to ARP requests for
VIP, and IP Pool, objects. ARP responses are configurable.

FortiGate I Student Guide 209


DO NOT REPRINT Firewall Policies

FORTINET

In this example, connections to the VIP 200.200.200.222 are NATed to the internal host 10.10.10.10.
Because this is static NAT, all NATed outgoing connections from 10.10.10.10 will use the VIP address in
the packets destination field, not the egress interfaces address.

FortiGate I Student Guide 210


DO NOT REPRINT Firewall Policies

FORTINET

For feature completeness, you can use a central NAT table. This is disabled by default. To enable it from
the GUI, go to System > Config > Features. In the CLI, use:
conf sys global
set gui-central-nat-table enable
end
In this case, the source NAT action is defined in a central table. If no central NAT rule exists, then the
default action of destination interface address is used.

Central NAT rules also allow control over source port usage.

FortiGate I Student Guide 211


DO NOT REPRINT Firewall Policies

FORTINET

Some application layer protocols are not fully independent of the lower layers such as the network or
transport layer. If the session helper detects a such a pattern, it may make changes to the application
headers or create expected secondary connections.

A good example is where an application has both a control and a data/media channel, such as with FTP.
Firewalls will typically allow the control channel and rely on the session helpers to handle the dynamic
data/media transmission connections.

When more advanced application tracking and control is required, an Application Layer Gateway (ALG)
can be used. The VoIP profile is an example of an ALG.

FortiGate I Student Guide 212


DO NOT REPRINT Firewall Policies

FORTINET

In this example, the media recipient address in the SIP SDP payload is modified to reflected the NATed IP
address.

FortiGate I Student Guide 213


DO NOT REPRINT Firewall Policies

FORTINET

Traffic shaping (also called quality of service (QoS)) can be applied in firewall policy and used to manage
the bandwidth used by each service or application. FortiGate can count the packet rates of ingress and
egress to police traffic. Note that these apply equally to TCP and UDP, and UDP protocols may not
recover as gracefully from packet loss.

ToS/DSCP flags, if used, can map packets to a specific transmission queue. For additional information,
see the Traffic Shaping FortiOS Handbook.

FortiGate I Student Guide 214


DO NOT REPRINT Firewall Policies

FORTINET

Two types of traffic shapers can be configured: Shared and Per-IP.

A shared shaper applies a total bandwidth to all traffic using that shaper: The scope can be per-policy or
for all policies referencing that shaper.

FortiGate I Student Guide 215


DO NOT REPRINT Firewall Policies

FORTINET

FortiGates equipped with Network Processors (NP) offload packet handling from the CPU. For each new
IP session, the first packet always goes to the CPU. If the session can be offloaded to an available NP,
the kernel sends session information to the NP. All subsequent packets in that session are forwarded by
the NP and not the CPU, so their transmission is accelerated. When the last packet is sent or received,
such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU, which handles tear down.
Non-eligible sessions remain on the CPU. Typically, this includes policies that have a security profile
enabled. IP fragments are also non-eligible.

diagnose CLI commands, such as diag packet sniff and diag debug flow, run on the CPU. They will
not show packets handled by an NP. To ensure accurate output for these commands, you can temporarily
disable NPU offload in each firewall policy so that the packets are handled by the CPU and therefore
received by the troubleshooting command.

FortiGate I Student Guide 216


DO NOT REPRINT Firewall Policies

FORTINET

As a UTM, one of the most important features that a firewall policy can apply is security profiles such as
IPS and antivirus. These profiles inspect each packet in traffic flows where the session has already been
conditionally accepted by the firewall policy.

When inspecting traffic, FortiGate can use one of two methods: flow- or proxy-based. Different security
features are supported by each type.

FortiGate I Student Guide 217


DO NOT REPRINT Firewall Policies

FORTINET

In proxy-based scans, were typically meaning a transparent proxy. Its called transparent because at the
IP layer, FortiGate is not the destination address, yet FortiGate intercepts the traffic anyway.

In TCP connections, FortiGates proxy generates the SYN ACK to the client and completes the three-way
handshake with the client before creating a second, new connection to the server. If the payload is less
than the oversize limit, the proxy buffers transmitted files/email for inspection before continuing
transmission. The proxy analyzes and may change headers such as HTTP Host: and URI for web
filtering. If a security profile decides to block the connection, the proxy can send a replacement message to
the client.

This adds latency to the overall transmission speed.

FortiGate I Student Guide 218


DO NOT REPRINT Firewall Policies

FORTINET

Proxy options affect the content inspection proxy. Settings include port numbers, oversize file action and
threshold, and client comforting (where the proxy transmits packets slowly while it continues to buffer and
scan).

FortiGate I Student Guide 219


DO NOT REPRINT Firewall Policies

FORTINET

How are flow-based scans different?

There is no proxy. If you are familiar with the TCP flow analysis of Wireshark, then that is essentially what
the flow engine sees. Packets are buffered, analyzed, and forwarded as they are received. The same
signatures used for proxy-based techniques apply to flow-based, therefore the detection rate is potentially
the same. Original traffic is unaltered consequently advanced features which modify content, such as safe
search enforcement, are not supported.

FortiGate I Student Guide 220


DO NOT REPRINT Firewall Policies

FORTINET

A SSL/SSH inspection profile contains settings for decrypting these protocols, which is required in order to
scan their content. Otherwise, viruses could be transmitted via HTTPS or SMTPS, for example, without
detection.

For SSH, inspection allows the FortiGate to intercept connections and control protocol commands. For
example, using an SSH tunnel, a client could port forward any other protocol across an SSH connection.
Using an SSH profile, FortiGate can block the Port-Forward command.

FortiGate I Student Guide 221


DO NOT REPRINT Firewall Policies

FORTINET

When troubleshooting firewall policies, you need to understand how the traffic should flow.

Typically there are many firewall policies. What is the ingress/egress interface? What is actually happening
to the traffic/application? Is it slow? Is it failing to connect? These can help to define which
troubleshooting steps you need to take.

FortiGate I Student Guide 222


DO NOT REPRINT Firewall Policies

FORTINET

One of the most fundamental network debugging tools is packet capture, or sniffing.

The syntax of the CLI command is diag sniff packet interface filter level. The interface is the name of the
physical or logical interface; if your account has the access profile super_admin, you can specify the any
interface. The filters are similar to tcpdump on Linux. For level, you can choose from 1 to 6 depending
on your requirements.

The only output options are the payloads in ASCII and Hexadecimal format. To completely decode the
packet and view its content, save the output to a plain text file, convert it to .pcap format, then open it with
Wireshark.

FortiGate I Student Guide 223


DO NOT REPRINT Firewall Policies

FORTINET

Here are some general examples. Much more can be learnt by reading the man page for tcpdump.

FortiGate I Student Guide 224


DO NOT REPRINT Firewall Policies

FORTINET

If your model of FortiGate has internal storage, you can capture packets from the GUI. Looking at the
content of the packets can help you to see what is abnormal. The options in the GUI are the same as
those from the CLI. To run a trace, specify a source interface and a filter.

What is the main advantage over the CLI? You can download the output in a file format which can be read
by Wireshark, without having to use a conversion script.

Any packet capture filter should be very specific in order to avoid writing large amounts of data to disk
which will affect performance.

FortiGate I Student Guide 225


DO NOT REPRINT Firewall Policies

FORTINET

Before, we mentioned that a packet capture does not show why FortiGate may have dropped a packet.
This is the purpose of the packet flow.

This is an example of diag debug flow. The first lines enable it, and enable it to print to console. Next,
the filters define which IP address and port numbers to trace the flow fow; addr implies both source and
destination, and port 80 typically captures HTTP.

FortiGate I Student Guide 226


DO NOT REPRINT Firewall Policies

FORTINET

Here is output for the previous example, for the three way handshake.
Virtual domain root receives a packet: the protocol is TCP; destination port 80; source IP 10.0.1.10;
destination IP 10.200.1.1. The packet is received on interface port3.
FortiOS identifies this a new session because it does not match any entries in its current session table.
FortiOS performs a routing lookup, as this the first packet of the connection; gateway 10.200.1.254 (in
this case the destination) is found on interface port1.
For the firewall policy match, the interfaces are port3 to port1. The hashing function is used for the
policy lookup.
The connection matches policy ID 1 with source NAT enabled. The source address and port for all
packets in this connection will NAT to 10.200.1.1:39738.
The packet is sent to IPS module. In this case, the IPS security profile is enabled on the firewall policy.
Next, the reply (SYN/ACK) is received. This is identified as reply traffic for an existing connection. For
the first reply packet, a routing lookup occurs.
Next, the client send the ACK. This is identified as belonging to an existing connection.

FortiGate I Student Guide 227


DO NOT REPRINT Firewall Policies

FORTINET

The retransmission of SYN packets is a good indicator of the firewall blocking a connection. However, we
dont know for sure. We could look at the traffic logs, if logging was enabled for the deny policy. What else
could we use, though? The packet flow.

FortiGate I Student Guide 228


DO NOT REPRINT Firewall Policies

FORTINET

Combining debug flow and packet sniffer, we now see which firewall action is blocking this traffic.

FortiGate I Student Guide 229


DO NOT REPRINT Firewall Policies

FORTINET

To review, heres all the topics we covered in this lesson.

FortiGate I Student Guide 230


DO NOT REPRINT Firewall Authentication

FORTINET

In this lesson, we will show you how to use authentication on the firewall policies of a FortiGate.

Normal firewall policies involve separating devices based on the IP address or subnet involved.
Adding authentication to firewall policies, however, provides a mechanism to make decisions on not
just where the device is, but who is using the device.

FortiGate I Student Guide 231


DO NOT REPRINT Firewall Authentication

FORTINET

After completing this lesson, you should have a solid understanding of the mechanics of authentication
on a FortiGate as well as some practical skills configuring firewall authentication.

FortiGate I Student Guide 232


DO NOT REPRINT Firewall Authentication

FORTINET

Traditional firewalling grants network access by authenticating the source IP address only. This is
inadequate, as the firewall cannot determine who is using the device to which it is granting access.
This can pose a security risk.

Authentication allows action based on the user, not just the IP address. In this way, inspection rules
follow individuals across multiple devices.

FortiGate I Student Guide 233


DO NOT REPRINT Firewall Authentication

FORTINET

Not all available methods of authentication can be used for firewall authentication (for example,
certificate-based authentication cannot be used). You can, however, use local password
authentication, remote password authentication, and two-factor authentication. Two-factor
authentication is slightly different from the others, as it is enabled on top of an existing methodit
cannot be enabled without first configuring one of the other methods.

In this lesson, we will discuss all three available methods.

FortiGate I Student Guide 234


DO NOT REPRINT Firewall Authentication

FORTINET

The first and simplest method of authentication is Local Password Authentication. User account
information (user name and password) is stored locally on the FortiGate device, so there is no lookup
to an external server for user validation.

Local Password Authentication is the simplest method of authentication to configure, since you only
need access to the FortiGate. Other methods of authentication are more complex, as they involve
configuring the exchange of information between the FortiGate and a remote server as well as
configuring the various users and user groups on the server itself. Troubleshooting in those situations
becomes more complicated, as you need to examine both the FortiGate and external server. With
Local Password Authentication, you need only examine the FortiGate.

FortiGate I Student Guide 235


DO NOT REPRINT Firewall Authentication

FORTINET

The second method of authentication is remote server authentication (or server-based password
authentication). This includes any form of authentication where the final decision on user credentials is
made by an external servernot the FortiGate. This method is desirable when multiple FortiGate
devices need to authenticate the same users or user groups.

With remote server authentication, user information is sent from the FortiGate to a remote server. The
remote server then evaluates the information it receives and sends a response. The server response
is examined by FortiGate and consults its configuration to deal with the traffic. However, it is the
server not the FortiGate that has final authority over evaluating the user credentials.

With Remote Server Authentication, the FortiGate does not store all (or, in the case of some
configurations, any) of the user information locally.

FortiGate I Student Guide 236


DO NOT REPRINT Firewall Authentication

FORTINET

Multiple protocols are supported for remote user authentication, including POP3, RADIUS (includes
server authentication and the single sign on method, RSSO), LDAP, and TACACS+.

Single sign on (SSO) methods, such as FSSO, NTML, and RSSO, are also supported for remote user
authentication.

FortiGate I Student Guide 237


DO NOT REPRINT Firewall Authentication

FORTINET

With a FortiGate, you can implement Single Sign On (SSO) using FSSO and RSSO.

SSO allows a single login event to be used for all authentication and access situations. Without SSO,
if a user logs in to a Wi-Fi network, they will need to log in through a firewall policy separately when
they try to pass traffic. SSO links multiple authentication events to a single event.

FortiGate I Student Guide 238


DO NOT REPRINT Firewall Authentication

FORTINET

One remote server authentication protocol worth mentioning is POP3, as the login credentials the
remote server accepts is different from most other authentication protocols. Most other authentication
protocols user the user name. POP3 servers, however, authenticate users based on email address.
Some POP3 servers require the full email with domain (user@example.com), others require the suffix
only, while still others accept both formats. This is determined by the configuration of the server itself
and is not a setting on the FortiGate. You can only configure POP3 authentication though the CLI.

You can also use LDAP to validate with email, rather than the user name.

FortiGate I Student Guide 239


DO NOT REPRINT Firewall Authentication

FORTINET

The third, and final, method of authentication for firewalls which is really just an extension of an
existing authentication method is two-factor authentication.

Traditional user authentication requires your user name plus something you know, such as a
password. The weakness with this traditional method of authentication is that if someone obtains your
user name, they only need your password to compromise your account. Furthermore, since people
tend to use the same password across multiple accounts (some sites with more security vulnerabilities
than others), accounts are vulnerable to attack, regardless of password strength.

Two-factor authentication, on the other hand, requires something you know, such as a password, and
something you have, such as a token. This increases the complexity for an attacker to compromise an
account, as it puts less importance on often-vulnerable passwords. With this authentication method,
security is split between two different options: both a password and a key of some kind.

FortiGate I Student Guide 240


DO NOT REPRINT Firewall Authentication

FORTINET

One-time passwords are one such method you can use with Two-Factor Authentication as something
you have. FortiToken and FortiToken Mobile (hardware and software respectively) both generate
one-time passwords. The passwords for both FortiToken and FortiToken Mobile generate every 60
seconds.

You can deliver OTP through alternative methods, other than providing the end user with a token or
mobile app. For example, you can send an OTP through email or through an SMS phone message.

It is very important that FortiTokens are synchronized with the FortiGate. Otherwise FortiGate cannot
predict the correct string to use.

FortiGate I Student Guide 241


DO NOT REPRINT Firewall Authentication

FORTINET

Tokens use a specific algorithm to generate a one-time password. The algorithm consists of:

a seed, which is a randomly-generated number that does not change in time, and
the time, which is obtained from an internal, accurate, clock

Both seed and time go through an algorithm that generates a one-time password on the token. The
OTP has a short life span, usually measured in seconds (60 seconds for a FortiToken, possibly
more/less for other RSA key generators). Once the life span ends, for example after 60 seconds, a
new one generates.

With two-factor authentication using a token, the user must first log in with a static password followed
by the OTP (or code) generated by the token. A validation server (a FortiGate) receives the users
credentials and validates the static password first. The validation server then proceeds to validate the
OTP. It does so by re-generating the same OTP using the seed and system time (which is
synchronized with the one on the token) and comparing it with the one received from the user. If the
static password is valid, and the one-time password matches, the user is successfully authenticated.
Again, both the token and the validation server must use the same seed and have synchronized
system clocks. As such, it is crucial that you configure your FortiGates date/time properly or link it to
an NTP server.

FortiGate I Student Guide 242


DO NOT REPRINT Firewall Authentication

FORTINET

To use a FortiToken, you must first register it on a FortiGate device. Whether its a hardware or
software token, a serial number is used to provide the FortiGate with details on the initial seed value.
If you are using FortiToken Mobile, each FortiGate (and FortiGate VM) allows for two free activations.
More than this requires the purchase of activations codes for additional mobile tokens from Fortinet.

You cannot register FortiTokens on more than one FortiGate. A deployment like that requires the use
of a central FortiAuthenticator. In that case, the FortiTokens are registered on the FortiAuthenticator
and not the FortiGate. FortiGate uses FortiAuthenticator as its validation server, which allows the
same FortiToken to be used for access on multiple FortiGate devices.

FortiGate I Student Guide 243


DO NOT REPRINT Firewall Authentication

FORTINET

Not all types of authentication involve prompting the user to enter their login credentials. While active
authentication (used with LDAP, RADIUS, Local Password Authentication, and TACACS+) prompts
the user to manually enter credentials, passive authentication (used with FSSO, RSSO, and NTLM)
determines user information without ever asking the user to log in. Passive authentication, therefore,
occurs transparently for the user.

FortiGate I Student Guide 244


DO NOT REPRINT Firewall Authentication

FORTINET

Active authentication prompts the user based on:

the protocol of the traffic they use to try and pass through a firewall, and
the firewall policy itself

The policy must specify the authentication protocols allowed, such as HTTP/S, FTP, and Telnet. If the
policy that has authentication enabled does not allow at least one of the supported protocols for
obtaining user credentials, the user will not be able to authenticate.

Passive authentication determines the user identity behind the scenes and does not require any
specific services to be allowed within the policy.

FortiGate I Student Guide 245


DO NOT REPRINT Firewall Authentication

FORTINET

You can enable both active and passive authentication. If both active and passive authentication are
enabled and a users credentials can be determined through passive means, then the user will never
receive a login prompt, regardless of the order of any firewall policies. This is because there is no
need to prompt the user for active authentication credentials when passive authentication can
determine who they are. When active and passive authentication methods are combined, active
authentication is intended to be used as a backup only for when passive authentication fails.

No one method of authentication is considered more important than another. The first method that can
determine a user name for any traffic is the deciding factor. Ultimately that determines how the traffic
is handled.

FortiGate I Student Guide 246


DO NOT REPRINT Firewall Authentication

FORTINET

A firewall policy defines and matches traffic going from the source to the destination.

An IP address is required as part of the policy configuration for the source and destination. User, user
group, and device information can be enabled as well. If enabled, they become part of the source
definition for that policy. Accordingly, a source is comprised of source address(es)+source
user(s)/group(s)+source device(s).

FortiGate I Student Guide 247


DO NOT REPRINT Firewall Authentication

FORTINET

No service (with the exception of DNS) is allowed through the firewall policy prior to successful user
authentication. DNS is allowed because it is a base protocol and will most likely be required to initially
see proper authentication protocol traffic. Hostname resolution is almost always a requirement for any
protocol. However, the DNS service must still be defined as allowed within the policy in order for it to
pass.

In the following example, Policy #1 allows users to use external DNS servers on the other side of
port2 in order to resolve host names, prior to successful authentication. Therefore, the DNS traffic is
allowed through even before authentication happens. It is also allowed if authentication is
unsuccessful, as users need to be able to try to authenticate again. Any service that includes DNS
would function the same way, like the default ALL service.

Policy #2, on the other hand, never allows DNS traffic, even after successful authentication. The
HTTP service is TCP port 80 and does not include DNS (UDP port 53).

FortiGate I Student Guide 248


DO NOT REPRINT Firewall Authentication

FORTINET

In this example, assuming active authentication is used, any initial traffic from the 10.10.1.0/24 subnet
will not match policy #1. Policy 1 looks at the IP as well as the user information, and since the user
has not authenticated there is no match.

Next, a check is made against policy #2. There is a match and traffic is allowed with no need to
authenticate.

When only active authentication is used, if all possible policies that could match the source IP have
authentication enabled, then the user will receive a login prompt (assuming they use an acceptable
login protocol). In other words, if policy #2 also had authentication enabled, the users would receive
login prompts.

If passive authentication is used and it can successfully obtain user details, then traffic form
10.10.1.0/24 with users that belong to the guest-group will apply to policy #1 even though policy #2
does not have authentication enabled.

FortiGate I Student Guide 249


DO NOT REPRINT Firewall Authentication

FORTINET

If you want all users connecting to the network to authenticate through active authentication, you can
enable the captive portal. With captive portal, network interfaces perform authentication at the
interface levelregardless of the firewall policy that allows it or the port that it ultimately leaves by
(authentication being enabled or disabled on the policy is not a factor). Essentially, a captive portal is a
convenient way to authenticate web users on wired or Wi-Fi networks through an HTML form that
requests the users name and password. You can host a captive portal on a FortiGate device or an
external authentication server.

The captive portal setting must be enabled on the Ingress interface of the traffic. Captive portals are
not compatible with interfaces in DHCP mode.

FortiGate I Student Guide 250


DO NOT REPRINT Firewall Authentication

FORTINET

Using the previous example, with captive portal enabled on port 1 all traffic from behind port 1 would
receive a login prompt, not just the users in the 10.10.1.0/24 subnet or traffic that may be going
somewhere other then port 2.

Passive authentication never requires a captive portal, since it obtains user details differently. Only
active authentication methods can use the captive portal feature (depending on the configuration).

FortiGate I Student Guide 251


DO NOT REPRINT Firewall Authentication

FORTINET

A firewall policy can have the captive portal suppressed. When suppressed, traffic that matches the
source and destination are not presented with the captive portal page. The captive-portal-exempt
setting must be enabled in the CLI for each firewall policy and only applies to traffic that matches that
policy. The security-exempt-list CLI setting, however, applies those sources at all times, regardless of
the firewall policy settings.

Depending on the configuration, one option or the other usually results in simplifying your
configuration more. Use the option that best fits the requirements of the situation and results in less
confusion or ongoing maintenance.

You can create and configure security exempt lists only from the CLI. However, you can enable them
through the GUI settings.

FortiGate I Student Guide 252


DO NOT REPRINT Firewall Authentication

FORTINET

You can enable disclaimers to be used in conjunction with captive portal, if desired. Disclaimers are
not considered authentication or a captive portal, but the two tend to go hand-in-hand. With the
authentication and disclaimer setting, the disclaimer appears before the user authenticates and acts
as a reminder of the rules for the network. Under this setting, users must accept the terms in the
disclaimer in order to proceed with the authentication process.

Neither a security exemption list nor a captive portal exemption on a firewall can bypass a disclaimer.

FortiGate I Student Guide 253


DO NOT REPRINT Firewall Authentication

FORTINET

Any time FortiGate is required to jump into the traffic stream (with authentication pages or disclaimers
for example), you can modify the particulars of the block page through the GUI.

Editing HTML-related block message requires knowledge of HTML, to ensure proper positioning and
look of the page. The default layout is the Simple View, which hides most of the replacement
messages. Use Extended View to show all editable replacement messages.

FortiGate I Student Guide 254


DO NOT REPRINT Firewall Authentication

FORTINET

An authentication timeout ensures users do not authenticate and then stay in memory indefinitely. If
users stay in memory forever, it would eventually lead to memory exhaustion.

There are three options for timeout behavior:

IDLE Looks at the packets from the hosts IP. If there are no packets generated by the host device
in the configured timeframe then the user is logged out.
HARD Time is an absolute value. Regardless of the users behavior, the timer starts as soon as
the user authenticates and expires after the configured value.
NEW SESSION Even if traffic is being generated on existing communications channels, the
authentication expires if no new sessions are created through the firewall from the host device,
within the configured timeout.

Choose the type of timeout that best suits the needs of authentication in your environment.

FortiGate I Student Guide 255


DO NOT REPRINT Firewall Authentication

FORTINET

Weve mentioned users and user groups several times in this lesson. Now, well take a closer look at
how both users and user groups are used by FortiGate for firewall authentication. Before that,
however, well give a short refresher on how you create users and groups on an external server, which
is useful if Remote Password Authentication is used as a method of authentication.

FortiGate I Student Guide 256


DO NOT REPRINT Firewall Authentication

FORTINET

LDAP is a standard remote authentication protocol currently supported by the FortiGate device. The
behavior of LDAP is defined through multiple RFCs.

LDAP is an application protocol for distributed directory information services. It can also be viewed as
a database that contains user accounts, among other things. The structure of this database is similar
to a tree that contains entries (or objects) in each branch. Each of these objects has a unique
identifier, which is called the distinguished name (or DN). The objects also have attributes, and each
attribute has a name and one or more values. This structure is defined in what is called a directory
schema.

FortiGate I Student Guide 257


DO NOT REPRINT Firewall Authentication

FORTINET

The hierarchy of an LDAP schema is not required to hold any resemblance to the organization.
However, generally the name conventions used and the group structure match with the name of the
company and corporate hierarchy very closely.

FortiGate I Student Guide 258


DO NOT REPRINT Firewall Authentication

FORTINET

On the top, we have the root or DC. This is where an LDAP tree always starts, with any schema.

After that the groups are defined using C, OU, and/or O. The exact behavior and options used depend
on the schema and what exactly is being defined. At the end of the tree is the UID, which contains
specific details about a particular user.

The full path to find a user contains all of the information necessary in order to locate a user within the
tree structure. This means you will need the DN (somewhere to start), the group information (C, OU,
O), and the UID.

FortiGate I Student Guide 259


DO NOT REPRINT Firewall Authentication

FORTINET

What you enter for the LDAP configuration depends heavily on the servers schema and security
settings. Windows Active Directory is very common.

Common Name Identifier is the attribute name to look up in order to find the user name. Some
schemas will call this UID, Active Directory calls it sAMAccountName or sometimes cn.

Distinguished Name identifies the top of the tree to look in. Generally this will be a DC value.

The Bind Type setting will vary, depending on the security settings of the LDAP server. Normally,
this will need to be Regular, with the credentials being for a user, that is authorized perform LDAP
queries.

FortiGate I Student Guide 260


DO NOT REPRINT Firewall Authentication

FORTINET

To see if a users credentials can successfully authenticate or not, you must use the CLI or enable to
authentication on a firewall policy. The GUI will only test if the initial LDAP connection to the server is
successful or not.

Because the GUI only tests success/failure, either look at the server logs or run a packet sniff to see
both sides of the LDAP communications so you can find out exactly what is happening. Exact output
will vary depending the Hierarchy of the LDAP server that was queried.

diagnose test authserver can be used to test most (not all) methods of authentication.

FortiGate I Student Guide 261


DO NOT REPRINT Firewall Authentication

FORTINET

RADIUS doesnt have the same kind of behavior as LDAP, as there is no tree structure to consider.

Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent
from the FortiGate to the RADIUS server. Valid responses to this are Access-Accept and Access-
Reject (yes and no effectively).

If Two-Factor Authentication is enabled on the server, it will come back with an Access-Challenge
message, where it is essentially looking for more information. Any other response from the server is
not considered to be a valid response.

FortiGate I Student Guide 262


DO NOT REPRINT Firewall Authentication

FORTINET

RADIUS configuration on a FortiGate is straightforward.

The servers location needs to be defined along with the secret that was set up in order for the server
to allow remote queries. Backup servers (with separate secrets) can be defined in case the primary
server fails.

FortiGate I Student Guide 263


DO NOT REPRINT Firewall Authentication

FORTINET

Testing RADIUS is much the same as LDAP. The GUI can test the connection to the server, but not a
user login. Make sure that authentication is operational prior to implementing it on any of your firewall
policies.

Like LDAP, it reports success, failure, and group membership details depending on the servers
response. Deeper troubleshooting requires server access.

FortiGate I Student Guide 264


DO NOT REPRINT Firewall Authentication

FORTINET

Now that weve examined how to create users on the LDAP or RADIUS server, lets look at how to
create the firewall users and groups on the FortiGate. This is the first step to authentication: creating
firewall users and groups.

You can create firewall authentication users through the Users & Devices > User > User Definition
page of the FortiGate GUI. A wizards walks you through the creation process.

You are required to define the type of user (Local or Remote) and the user credentials. For remote
authentication, you must select the server to authenticate as well. There are other optional settings
available, such as adding contact information , enabling Two-Factor Authentication, or adding the user
to a User Group.

FortiGate I Student Guide 265


DO NOT REPRINT Firewall Authentication

FORTINET

Once youve made user accounts, you can assign firewall policies to them. But rather than assign
firewall policies to act on individual users, you can put users into groups with policies making
decisions based on the group itself. These groups are known as user groups. By assigning individual
users to the appropriate user groups, you can control access to network resources. You can define
both local and remote user groups on a FortiGate device. There are four user group types:

Firewall
Fortinet Single Sign On (FSSO)
Guest, and
RADIUS Single Sign On (RSSO)

The firewall user groups do not need to match any sort of group that may already exist on a server.
The firewall user groups exist solely to make configuration of firewall policies easier.

Note that most authentication types have the option to make decisions based on the individual user,
rather than just user groups.

FortiGate I Student Guide 266


DO NOT REPRINT Firewall Authentication

FORTINET

As mentioned, one of the four user group types is Guest. Guest groups are user groups that
exclusively contain temporary user accounts (the whole account, not just the password), and are most
commonly used in wireless networks. Guest accounts expire after a predetermined amount of time.

You can automatically create guest users on the fly, or manual create them through an admin user.
You can create special admin users that only have access to create and manage guest user accounts.

FortiGate I Student Guide 267


DO NOT REPRINT Firewall Authentication

FORTINET

You can configure user groups through the FortiGate GUI under User & Device > User > User Group.
You must specify the user group type, the local users that belong to the group, and the remote
authentication server(s) that contain the users that belong to the user group.

User groups simplify your configuration if you want to treat specific users in the same way. For
example, if you want to provide all Accountants with access to the same network resources. If you
want to treat all users differently, you would need to add all users to firewall policies separately.

FortiGate I Student Guide 268


DO NOT REPRINT Firewall Authentication

FORTINET

Once youve created firewall users and groups, you can move on to configuring the policies.

IP information is part of the source definition for a policy in combination with any configured user and
groups specified. Just because a user is in a group does not mean they can only be referenced by
using the group.

FortiGate I Student Guide 269


DO NOT REPRINT Firewall Authentication

FORTINET

After creating firewall policies, you can monitor access of your firewall users. To keep track of who is
authenticated through the firewall policies there is a User Monitor section in the GUI located under
User & Device > Monitor > Firewall.

The User Monitor screen displays who has authenticated through the firewall policies of your
FortiGate device at any given moment. It does not include administrators, because they are not
authenticating through firewall policies that allow traffic they are logging directly into the FortiGate.
This feature also allows you to de-authenticate a user or multiple users simultaneously.

FortiGate I Student Guide 270


DO NOT REPRINT Firewall Authentication

FORTINET

There are no events logged for successful or failed login attempts through a firewall policy.

Users that log in successfully show up in the monitor. Those that do not are prevented from passing
through the firewall.

Once a user is successfully logged in, all further logs generated from the host automatically begin to
contain their user information. Default reports and charts are set up so that the source adjusts to be
the user or the IP if there is no authentication.

You can find the list of possible log events that can show up in the Log & Report > Event Log > User
section in the Log Message Reference Guide on the doc.fortinet.com website.

FortiGate I Student Guide 271


DO NOT REPRINT Firewall Authentication

FORTINET

In this lesson, we discussed:

Authentication, what it is and how it works


Three methods of authentication, specifically Local Password Authentication, Remote Password
Authentication, and Two-Factor Authentication
The different authentication protocols
One-time passwords and tokens
Authentication types (active and passive)
Authentication policies
Captive Portal and disclaimers
Authentication timeout
Users/user groups, both in regards to an external LDAP or RADIUS server and through the
FortiGate, and
How to monitor firewall users

FortiGate I Student Guide 272


DO NOT REPRINT SSL VPN

FORTINET

In this lesson, we will show you how to use and configure SSL VPN. SSL VPNs are an easy way of
providing access to your private network for remote users.

FortiGate I Student Guide 273


DO NOT REPRINT SSL VPN

FORTINET

After completing this lesson, you should have these practical skills that you can use to configure an
SSL VPN for your organization.

FortiGate I Student Guide 274


DO NOT REPRINT SSL VPN

FORTINET

A virtual private network enables users to remotely and securely access private resources as if they
were locally connected.
It is generally used to transmit private information safely between LANs separated by an untrusted
public network such as the Internet, so it is not only implemented for providing access to mobile users,
but also for interconnecting geographically disperse networks across the Internet. The user data
travelling inside a VPN tunnel is encrypted, so it cannot be intercepted by unauthorized users. VPNs
also use security methods to ensure that only authorized users can establish the VPN and access the
private networks resources.

FortiGate I Student Guide 275


DO NOT REPRINT SSL VPN

FORTINET

The most common type of VPNs are SSL VPN and IPsec VPN.

SSL VPNs are commonly used to secure web transactions. Clients connect to a web portal and log in.
It is essentially meant to connect a PC to a private network. This approach is simple in that users only
need a regular web browser to connect and are not usually required to install any kind of special
software or go through a complex setup. They simply need to access an HTTPS web site and log in.
This makes SSL VPN an ideal solution for users who are either not technically skilled, or who need to
connect from public computers.

IPsec is also used to connect a PC to a private network. However, there are some important
differences. Firstly, SSL VPN access is through a web portal, whereas IPsec is not. Finally, IPsec is a
standard protocol supported by most vendors, so a VPN session can be established not only between
two FortiGate devices, but also between different vendor devices. By comparison, SSL VPN can only
be established between a client PC and an end device.

In this lesson, we are going to focus on SSL VPN.

FortiGate I Student Guide 276


DO NOT REPRINT SSL VPN

FORTINET

Web-only mode is used to connect using HTTPS to the FortiGate device from any browser. Once
connected, users need credentials in order to pass an authentication check. Once authenticated,
users are presented with a portal that contains possible resources for them to access. Different users
can have different portals with different resources and access permissions.

One of the widgets contains links to all or some of the resources available for the user to access.
Another widget allows users to type the URL or IP address of the server they want to reach. A Web-
only SSL VPN user makes use of these two widgets to access the internal network. The main
advantage of Web-only mode is that it is clientless. This means the user is not required to install any
client VPN software to obtain access. However, Web-only mode has two main disadvantages: First,
all interaction with the internal network must be done from the browser exclusively (through the web
portal). External network applications running on the users PC cannot send data across the VPN.
Second, a limited number of protocols are supported, such as HTTP/HTTPS, FTP, RDP, SMB/CIFS,
SSH, Telnet, VNC, Ping.

FortiGate I Student Guide 277


DO NOT REPRINT SSL VPN

FORTINET

Tunnel mode access begins in much the same way as Web-only mode. Users must connect to the
FortiGate through HTTPS and successfully authenticate. They are then presented with a web page
that has various options, including a widget to activate tunnel mode.

By clicking Connect, a tunnel is established between the PC and the FortiGate device. Inside the
tunnel, IP traffic is encapsulated over HTTPS and sent to the other side. The FortiGate device
receives the traffic and de-encapsulates the IP packets, forwarding them to the private network as if
they originated from the inside. The main advantage of Tunnel mode over Web-only mode is that,
once the VPN is established, any IP network application running on the client can send traffic across
the tunnel. The main disadvantage is that this requires the installation of a VPN software client, which
requires administrative privileges. If the VPN client is not installed when the user accesses the SSL
VPN web portal, the Tunnel Mode widget offers the option to download and install it.

FortiGate I Student Guide 278


DO NOT REPRINT SSL VPN

FORTINET

Tunnel mode can operate in two different ways: with and without Split Tunneling enabled.

When Split Tunneling is disabled, all IP traffic generated by the clients PC (including Internet traffic) is
routed across the SSL tunnel to the FortiGate. This sets up the FortiGate as the default gateway for
the host. You can use this method in order to apply UTM features to the traffic on those SSL VPN
clients or to monitor or restrict internet access. This adds more latency and bandwidth usage.

When Split Tunneling is enabled, only traffic destined for the private network(s) behind the FortiGate
gets routed across the tunnel.

FortiGate I Student Guide 279


DO NOT REPRINT SSL VPN

FORTINET

There are two methods to connect to an SSL VPN tunnel. The first method is through a browser. The
limitation is that the browser window or tab with the SSL VPN portal must remain open in order to
keep the tunnel up. The second method is through a standalone SSL VPN client. Using an SSL VPN
client means the browser is not necessary to maintain the tunnel, but it also means you have to install
an SSL VPN client.

When the SSL VPN client is installed, a virtual network adapter called fortissl is added to the users
PC. This virtual adapter dynamically receives an IP address from the FortiGate device each time a
new VPN is established. All packets sent by the client use this virtual IP address as the source
address.

FortiGate I Student Guide 280


DO NOT REPRINT SSL VPN

FORTINET

Because tunnel mode requires installing a virtual network adapter, which requires administrative level
access to accomplish, it is not always a feasible method to use. For those situations where tunnel
mode isnt practical and web-only mode isnt flexible enough, there is a web-only extension called port
forward mode.

Rather than use a virtual adapter to create a tunnel with an IP separate from the local IP, port forward
uses a Java applet to set up a local proxy that is accessed by connecting to the loopback address.

FortiGate I Student Guide 281


DO NOT REPRINT SSL VPN

FORTINET

Between web-only and tunnel mode, tunnel mode is the most versatile, as it supports any IP
application. However, it requires admin/root privileges to install a VPN client. You can get a direct
tunnel connection either through a browser or by using the standalone VPN client.

Web-only, on the other hand, is clientless, but does not support all the IP applications like tunnel
mode. You can connect only through a browserand only through one connected to the SSL VPN
portal. Port Forward (an extension of Web-only) supports some additional IP applications, but it
requires users to change the application configuration to send the IP traffic to a Java applet acting as
a local proxy.

The final decision about which mode to use depends on many factors, such as technical knowledge of
the users, type of network applications, and if admin access to the users PCs is possible or not.

FortiGate I Student Guide 282


DO NOT REPRINT SSL VPN

FORTINET

When users log into to their individual portal, there is an option that allows them to create their own
bookmarks (known as frequently used connections). An administrator must enable the user bookmark
option, and once enabled, users can create and modify their own bookmarks from the portal.

Administrators have the ability to view and delete bookmarks the remote user has added to their SSL
VPN login in the GUI under VPN > SSL > Personal Bookmarks. This allows administrators to monitor
and remove any unwanted bookmarks that do not meet with corporate policy

From the CLI of the FortiGate, administrators can create bookmarks for different users. These
bookmarks appear even if the user bookmark option is disabled in the portal, as that option only
effects the users ability to create and modify their own bookmarks.

FortiGate I Student Guide 283


DO NOT REPRINT SSL VPN

FORTINET

Depending on the type of bookmark an administrator wants to create, they may need to enter
additional information during configuration, such as URLs for websites, and folders for FTP sites to
name a few.

Only three types of bookmarks can be used if employing the Port Forwarding method (an extension
for web-only mode): citrix, portforward, and rdpnative. Citrix and RDP native are specific for that kind
of traffic. Portforward is a generic type of bookmark that you can customize to suit the traffic.

FortiGate I Student Guide 284


DO NOT REPRINT SSL VPN

FORTINET

Instead of just adding bookmarks on a per-user basis, administrators can also add bookmarks on a
per-portal basis. This allows bookmarks to appear for all users who log in to that particular portal.
These bookmarks use the exact same configuration options that personal bookmarks do, but can be
configured from the GUI, rather than the CLI. Users cannot modify administrator-added bookmarks,
whether they are created on a per-user or per-portal basis.

FortiGate I Student Guide 285


DO NOT REPRINT SSL VPN

FORTINET

To add flexibility to your SSL VPN deployment, you may consider configuring Realms. Realms are
custom login pages, usually for user groups, such as your Accounting team and your Sales team, but
can be for individual users as well. With realms, users and user groups can access different portals
based on the URL they enter. This is unlike a default deployment, where SSL VPN login is handled by
going directly to the FortiGates IP address. With different portals, you can customize each login page
separately as well as limit concurrent user logins separately.

Example of Realms on a FortiGate:


HTTPS://192.168.1.1
HTTPS://192.168.1.1/Accounting
HTTPS://192.168.1.1/TechnicalSupport
HTTPS://192.168.1.1/Sales

FortiGate I Student Guide 286


DO NOT REPRINT SSL VPN

FORTINET

Since SSL VPNs are methods for people outside your network to connect to resources inside your
network, you must take appropriate measures to ensure the safety and security of the information in
your network. There are multiple options and settings available to help secure SSL VPN access. In
this lesson, well cover client integrity checking and restricting host connection addresses.

FortiGate I Student Guide 287


DO NOT REPRINT SSL VPN

FORTINET

When a user connects to your network through SSL VPN, a portal is established between your
network and the user PC. The VPN session is secured natively in two ways: the connection is
encrypted and the user must log in with their credentials, such as a user name and password.
However, you can configure additional security checks to increase the security of the connection.

One method of increasing your security is through client integrity checking. Client integrity ensures, to
some extent, that the connecting computer is secure by checking whether specific security software,
such as antivirus or firewall software, is installed and running. This feature only supports Microsoft
Windows clients, as it accesses the Windows Security Center to perform its checks. Alternatively, you
can customize this feature to check the status of other applications by using their Globally Unique
Identifier (GUID). The GUID is a unique ID in the Windows Configuration Registry that identifies each
Windows application. Client Integrity can also check the current software and signature versions for
the antivirus and firewall applications.

FortiGate I Student Guide 288


DO NOT REPRINT SSL VPN

FORTINET

The Client Integrity check is performed when the VPN is still establishingjust after user
authentication has finished. If the required software is not running on the clients PC, the VPN
connection attempt is rejected even with valid user credentials.

Client Integrity is enabled per web portal and only by using CLI commands.

The list of recognized software along with the associated registry key value is available through the
CLI. Software is split into three categories: AntiVirus (av), Firewall(fw), and Custom. Custom is used
for customized or proprietary software that an organization may require. Administrators can only
configure these settings through the CLI.

The disadvantage of enabling Client Integrity checking is that it can result in a lot of administrative
overhead. First, all users must have their security software updated in order to successfully establish a
connection. Second, software updates can result in a change to the registry key values, which can
also prevent a user from successfully connecting. As such, administrators must have in depth
knowledge of the Windows operating system and subsequent registry behavior in order to properly
make extended use of, as well as maintain, this feature.

FortiGate I Student Guide 289


DO NOT REPRINT SSL VPN

FORTINET

The second method you can use to help secure SSL VPN access is restricting host connection
addresses. Setting up IP restriction rules can be very useful when considering proper security
configuration. Not all IPs need, or should be allowed, access to the login page. This method allows
you to set up rules to restrict access from specific IPs. One simple rule is to allow or disallow traffic
based on Geographic IP addresses.

The default logic allows all IPs to connect. From the CLI, you can configure the VPN SSL setting to
disallow specific IPs.

FortiGate I Student Guide 290


DO NOT REPRINT SSL VPN

FORTINET

To monitor remote user connections, you can view the SSL VPN Monitor table, accessible through the
GUI under VPN > Monitor > SSL VPN Monitor. This table shows all the SSL VPN users currently
connected to the FortiGate device. It displays the user names, IP addresses, and connection times.

In the table, a subsession row below a user means the user has brought up an SSL VPN tunnel. No
subsession row below the user means the user is only connected to the web portal page. Whether the
VPN tunnel is activated with the Web Portal widget or the standalone client, they appear the same
way in the SSL VPN Monitor table.

FortiGate I Student Guide 291


DO NOT REPRINT SSL VPN

FORTINET

When an SSL VPN is disconnected, either by the user or through the SSL VPN idle setting, all
associated sessions in the FortiGate session table are deleted. This prevents reuse of
authenticated SSL VPN sessions (not yet expired) after the initial user terminates the tunnel.

The SSL VPN user idle setting is not associated with the firewall authentication timeout
setting. It is a separate idle option specifically for SSL VPN users. A remote user is
considered idle when the FortiGate does not see any packets or activity from the user within
the configured timeout period.

FortiGate I Student Guide 292


DO NOT REPRINT SSL VPN

FORTINET

There are four mandatory steps that must be followed in order to configure SSL VPN. The fifth step is
optional and only necessary to allow access to internal resources.

Configuration does not need to be done strictly in this order. However there are several places where,
if certain options are not configured ahead of time, you are prevented from making further
configurations.

FortiGate I Student Guide 293


DO NOT REPRINT SSL VPN

FORTINET

The first step is to create the accounts and user groups for the SSL VPN clients. User and group
creation was previously covered in the Firewall Authentication module.

All the FortiGate authentications methods, with the exception of the Remote Password Authentication
using the FSSO protocol, can be used for SSL VPN authentication. This includes Local Password
Authentication and Remote Password Authentication (using the LDAP, RADIUS, TACACS+, and
POP3 protocols). Two-Factor Authentication, with or without FortiToken, is also supported.

FortiGate I Student Guide 294


DO NOT REPRINT SSL VPN

FORTINET

The second step is to configure the portal. A portal is simply a webpage that contains tools and
resource links for the users to access.

Options on the portal can be enabled or disabled to allow or deny access. Options such as tunnel
mode, links for downloading FortiClient, predefined bookmarks, and more. You can individually
configure and link each portal to a specific user group and/or user so they only have access to
required resources.

There are several different theme options that provide different color coding to the portals as well.

FortiGate I Student Guide 295


DO NOT REPRINT SSL VPN

FORTINET

This is a sample of an SSL VPN portal page after the user logs in.

It contains various widgets, based on the configuration of the portal. The Bookmarks and
Connection Tool widgets are for web-only mode. The Tunnel Mode widget activates tunnel mode
through the browser. The standalone client can link into that directly, though the user must have
access to a portal that contains the client.

FortiGate I Student Guide 296


DO NOT REPRINT SSL VPN

FORTINET

The third step to configuring SSL VPN is to configure the general settings. First, well talk about the
connection settings specifically, and then later, the tunnel mode client settings, and the authentication
portal mapping settings.

As with any other HTTPS web site, the SSL VPN portal presents a digital certificate when users are
connecting. By default, the presented certificated is self-signed, which triggers the browser to show a
certificate warning. To avoid the warning, you should use a digital certificate signed by a Certificate
Authority (CA) known to the browser. Alternatively, you can load the digital certificate into the browser
as a trusted authority. Certificates are covered in more detail in the Certificate Operations lesson.

By default, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can
change this timeout through Idle Logout settings in the GUI. Note that it is separate from the
authentication idle timeout discussed in the firewall authentication lesson.

Also by default, the port for the SSL VPN portal is 443, which means that users need to connect using
HTTPS to the IP address of the FortiGate device and to port 443 (which is also the standard port for
the administration HTTPS protocol).

FortiGate I Student Guide 297


DO NOT REPRINT SSL VPN

FORTINET

In a default configuration, the SSL VPN login portal and the administrator login for HTTPS both use
port 443.

This is convenient because users do not need to specify the port in their browser. For example,
https://www.example.com/ automatically uses port 443 in any browser. This is considered a valid
setup on the FortiGate because you generally dont access the SSL VPN login through every
interface. Likewise you generally dont enable administrative access on every interface of your
FortiGate. So even though the ports may overlap, the interfaces that each one uses to access may
not.

If SSL VPN and HTTPS admin access both use the same port, and are both enabled on the same
interface, only the SSL VPN login portal will appear. In order to have access to both on the same
interface, you need to change the port number for one of the services. This will effect the port number
for that service on all interfaces.

FortiGate I Student Guide 298


DO NOT REPRINT SSL VPN

FORTINET

Once you set up your SSL VPN connection settings, you can define your Tunnel Mode settings. When
users connect, the tunnel is assigned an IP address. You can choose to use the default range or
create your own range. The IP range determines how many users can connect concurrently.

DNS Servers will only be effective if DNS traffic is sent over the VPN tunnel. Generally this will only
be the case when split tunnel mode is disabled and all traffic is being sent from the client PC across
the tunnel.

FortiGate I Student Guide 299


DO NOT REPRINT SSL VPN

FORTINET

The last part of step three is to set up the authentication rules that map users to the appropriate portal
and realm. These settings allow different groups of users to access different portals and/or realms.

The default rule applies to the root realm and must be present, otherwise an error message appears
that prevents any setting changes from being saved.

In the above example, accountants and teachers only have access to their own realms. If they need
access to the root realm to see the student portal, you would need to add an additional authentication
rule.

FortiGate I Student Guide 300


DO NOT REPRINT SSL VPN

FORTINET

The fourth, and last, mandatory step to configure SSL VPN involves creating firewall policies for login.

SSL VPN traffic on the FortiGate uses a virtual interface called SSL.<vdom>. Each VDOM contains a
different virtual interface based on its name. By default, if VDOMs are not enabled then the device
operates with a single VDOM called root. VDOMs are covered in more detail in the FCNSP module on
Virtual Networking.

In order to activate and successfully log in to the SSL VPN portal, there must be a firewall policy that
goes from the SSL VPN interface to the interface that is listening for the SSL VPN login, that includes
all of the users/groups that can log in as the source.
If there are multiple interfaces listening for a login than all of them must be specified, either with
different policies or in the same policy. Without a policy like this, no login portal is presented to users.

FortiGate I Student Guide 301


DO NOT REPRINT SSL VPN

FORTINET

In this example, there are three different user groups that log in remotely: Teachers, Accountants, and
Students.

In order to enable authentication, you must create a firewall policy with the source interface as ssl.root
that includes those three groups for the source. That firewall policy will enable the login portal and
allow those groups to authenticate. It will also allow those groups to access resources and bookmarks
that are beyond the wan1 interface. Without a firewall policy that is SSL.<vdom> to the interface that
the user is trying to connect from, no login portal will be presented.

If there are resources behind other interfaces that tunnel mode users need access to, then you need
to create additional policies that allow traffic from ssl.root to exit those interfaces. If resources inside
are allowed to initiate traffic to hosts on the other side of the SSL Tunnel, then policies need to be in
place to allow that.

FortiGate I Student Guide 302


DO NOT REPRINT SSL VPN

FORTINET

As an optional step, you can create firewall policies for traffic to the internal network. Any traffic that
gets generated by the users of the SSL VPN exits from the ssl.<vdom> interface. This includes not
only tunnel mode traffic, but traffic generated by the widgets on the web portal page.

The firewall policy discussed in step four allows login and access to external resources. As such,
policies should be created to allow users access to resources inside the network.

FortiGate I Student Guide 303


DO NOT REPRINT SSL VPN

FORTINET

In this lesson, we discussed:

What SSL VPN is and how it operates


Differences of SSL VPN vs. IPsec VPN
Web-only mode, tunnel mode (including split tunneling), and port forwarding
Methods of connecting to SSL VPN tunnels
Portals, bookmarks and realms
Securing SSL VPN access through client integrity checking and restricting host connection access
Monitoring SSL VPN users
Configuring SSL VPN

FortiGate I Student Guide 304


DO NOT REPRINT Basic IPsec VPN

FORTINET

In this lesson, we will show you how to set up site-to-site IPsec VPN.

VPNs are heavily used in todays IT infrastructure to join private corporate networks across the Internet.
IPsec is an RFC standard. Whether you have FortiGate devices only or mix in another vendors devices,
the principles are essentially the same.

FortiGate I Student Guide 305


DO NOT REPRINT Basic IPsec VPN

FORTINET

After completing this lesson, you should have these practical skills that you can use to set up a simple
IPsec tunnel for a site-to-site VPN.

During this, we will explain how to choose between configuring a policy-based or route-based VPN. You
will also learn how to verify the status of each tunnel.

FortiGate I Student Guide 306


DO NOT REPRINT Basic IPsec VPN

FORTINET

A Virtual Private Network (VPN) allows people in remote places separated by the Internet to securely
access resources on your local network. For example, if workers are traveling or working from home,
you can use a VPN to give LAN access to them. You can also use a VPN to interconnect multiple
campuses.

There are multiple types of VPN: PPTP, L2TP, SSL VPN, and IPsec are popular choices.
PPTP is fast, but security is weak, and easily defeated.
IPsec requires a gateway or installation of client software. So it is more complicated to set up for
mobile users than SSL VPN, where they can simply utilize their web browser instead.
SSL VPN is designed for tunnels between a single client and a LAN, not between entire offices.
Because of this, many networks now use a combination of SSL VPN for mobile user access
and Ipsec or L2TP for tunnels between offices.

Often, tunnel is used as a synonym for VPN, although not all VPNs technically are tunnels, as we will
see in a minute.

FortiGate I Student Guide 307


DO NOT REPRINT Basic IPsec VPN

FORTINET

When should you use IPsec? What is it?

It is a vendor-neutral standard set of protocols used to join two physically distinct LANs, as if they were a
single logical LAN, despite being separated by the Internet.

In theory, RFC 2409 and 4305 do support null encryption that is, you can make VPNs which not
encrypt traffic. The RFCs also support null data integrity. But does that provide any advantages over
plain traffic? No. No one can trust traffic that may have had an attack injected by an attacker. Rarely do
people want data sent by an unknown person. Most people also want private network data, such as
credit card transactions and medical records, to remain private.

So in reality, regardless of vendor, IPsec VPNs almost always have settings for 3 important benefits:
Authentication, to verify the identity of at least the initiator (and sometimes also the
responder);
Data integrity, or HMAC, to prove that encapsulated data has not been tampered with as it
traverses a potentially hostile network;
Confidentiality, or encryption, to ensure that only the intended recipient can read the message.
And, of course VPNs have virtual routing and network settings to use when joined to the remote LAN.

FortiGate I Student Guide 308


DO NOT REPRINT Basic IPsec VPN

FORTINET

When we say the IPsec protocol, what layers & protocols are we talking about?

IPsec injects itself above the third layer: IP. Whats encapsulated? It depends on the mode. IPsec
can operate in two modes: transport mode, or tunnel mode.
Transport mode directly encapsulates what would usually be the fourth layer (TCP transport, for
example) and above.
Once the IPsec encapsulation is removed, there is no additional routing layer left. Thats why its also
called direct peer-to-peer or client-to-client. So this mode is not technically a tunnel, even though
many people use the word VPN and tunnel interchangeably. (Tunneling technically means
encapsulating an IP packet inside another IP packet.) Transport mode does not traverse NAT well
especially carrier-grade symmetric NAT and depending on the case, may require NAT Traversal,
ALG or hole punching, or may not work. This is because port numbers are inside the encrypted ESP
payload.
Tunnel mode is a true tunnel. Encapsulation first adds a second IP layer, then the original transport
layer (TCP, UDP, etc.). The second IP layer contains a private network that is routable on the remote
network. Once the IPsec packet reaches the remote LAN, and is unwrapped, the packet can
continue on its journey.

To fit an IPsec packet into the frame, when FortiGate applies ESP, one payload may be split in order to
fit into two packets. So you dont need to adjust frame MTU. But this does mean that you might need
more bandwidth for VPN traffic.

FortiGate I Student Guide 309


DO NOT REPRINT Basic IPsec VPN

FORTINET

Lets look at the 2 methods of encapsulation: Which should you choose? Why might some extra
bandwidth be needed? Why is NAT traversal necessary?

Blue underlined parts of each packet are additional bits that are required by ESP. It varies by transport
vs. tunnel mode.

Relative to a non-IPsec packet, notice that the green Layer 4 transport area of the frame is now shorter.
Remember, the 1500 byte default frame MTU has not changed. Payload length is variable, and filled with
padding. So this doesnt always matter. But if the additional ESP bits cause the packet payload to not fit,
then FortiGate must split the payload into multiple frames. IKE is in separate packets, too, and also
requires additional bits to be transmitted.

You are trading some bandwidth for:


Security and,
Routability (in the case of tunnel mode)

Notice that after you remove the VPN-related headers, a transport mode packet cant be transmitted any
further it has no second IP header inside. So its not routable.

Thats OK if the packet is decrypted at an endpoint such as the FortiGate itself (think of encrypted Syslog
tunnels, and some special cases such as multicast, GRE-IPSec and L2TP-IPSec for Windows/Android
clients), but not usually if there are more router hops until the packet reaches its destination. For those
purposes, youll need tunnel mode instead.

Notice, too, that TCP or UDP port numbers are inside the ESP payload. They will be encrypted. So NAT
cant rewrite them for port forwarding or port overloading.

FortiGate I Student Guide 310


DO NOT REPRINT Basic IPsec VPN

FORTINET

Because encapsulation styles and other settings vary, and any mismatches cause VPNs to fail, starting
with FortiOS 5.2, there are VPN templates.

You can use these to simplify VPN setup reducing the guesswork about what settings are compatible
between devices.

But sometimes you may need to create a tunnel manually, or pass it though a NAT device. So lets show
you how.

FortiGate I Student Guide 311


DO NOT REPRINT Basic IPsec VPN

FORTINET

If youre passing your VPN through NAT devices such as firewalls, it helps to know which protocols to
allow.

Really, IPsec means three separate protocols.


IKE, which is used to authenticate peers, exchange keys, and negotiate the encryption and
checksums that will be used; essentially, it is the control channel,
AH, which is the authentication header the checksums that verify the integrity of the data
ESP, which is the encapsulated security payload the encrypted payload, essentially, the data
channel
So if you need to pass IPsec traffic through another firewall, remember: allowing just 1 protocol or port
number is not enough.

Note that although the IPsec RFC mentions AH, it does not offer encryption, an important benefit. So it is
not used by FortiGate. As a result, you dont need to allow IP protocol 51.

To make a VPN, configure matching settings on both ends whether the VPN is between 2 FortiGates,
or between a FortiGate and FortiClient, or between a 3rd party device and a FortiGate. If the settings
dont match, tunnel setup will fail.

FortiGate I Student Guide 312


DO NOT REPRINT Basic IPsec VPN

FORTINET

Lets talk about how FortiGate starts an IPsec tunnel.

If youre creating a custom VPN tunnel, it will help you to understand which settings to use, and how
tunnels work.

FortiGate I Student Guide 313


DO NOT REPRINT Basic IPsec VPN

FORTINET

On FortiGate, there are two ways a packet can initiate an IPsec VPN: by matching a route, or by
matching a policy. (In our old documentation, route-based used to be called interface-based, and
policy-based used to be called tunnel-based.)

How do you know when to use policy-based or routed-based?

Generally, try to use route-based. It offers more flexibility and control. We can implement very complex
routing scenarios, such as where tunneled traffic is required to be routed with policy-based routing, or if
you require GRE-over-IPsec.

In comparison, policy-based VPNs must be used when the FortiGate is in transparent mode, or if the
other peer requires L2TP-over-IPsec.

FortiGate I Student Guide 314


DO NOT REPRINT Basic IPsec VPN

FORTINET

In addition to different limitations, how to configure them is different.


In a route-based VPN, FortiGate automatically adds a virtual interface with that name. Two firewall
policies with the action ACCEPT are usually required: one for sessions originating on the local
network, and another for sessions from the remote network. You also need to route the VPN traffic to
the virtual network interface. (Usually, youll use a static route.)
In a policy-based VPN, only one firewall policy with the action IPSEC is required. The policy is
bidirectional. By default, the GUI hides policy-based VPNs. To show policy-based VPN settings, use
the CLI setting set gui-policy-based-ipsec enable.

Both sides of your VPN dont need to be configured in the same route-based or policy-based
mode. You can configure one peer as routed-based, and the other as policy-based. But the Phase 1 and
2 settings must match.

FortiGate I Student Guide 315


DO NOT REPRINT Basic IPsec VPN

FORTINET

If you have a simple case like the site-to-site scenario in this lesson use the VPN wizard.

But if you need to tailor your VPN settings, you can still make a custom VPN.

When making a route-based VPN, one additional step is usually required: you must also create a route
to direct VPN traffic to the new virtual interface for IPsec. (If you use the wizard, though, this is done
automatically.)

FortiGate I Student Guide 316


DO NOT REPRINT Basic IPsec VPN

FORTINET

When the VPN wizard is completed, FortiGate automatically creates many of the required objects:
Addresses and address groups
Static routes
Policies
Phase 1 and Phase 2 settings
To immediately check the status of your tunnel, click Show Tunnel List. This can be your first test of
whether your VPN is working.

FortiGate I Student Guide 317


DO NOT REPRINT Basic IPsec VPN

FORTINET

How does FortiGate bring up a VPN?

Lets begin by talking about Internet Key Exchange also called IKE Phase I.

This is when each endpoint of the tunnel the initiator and the responder connect and begin to set up
the VPN.

When they first connect, the channel is not secure yet. An attacker in the middle could intercept
unencrypted keys. And both ends have no strong guarantee of each others identity, either. So how can
they exchange sensitive private keys?

They cant. First, both ends have to create a temporary secure channel. Theyll use this to protect strong
authentication, and negotiate the real keys for the real tunnel later. Lets show how this works.

FortiGate I Student Guide 318


DO NOT REPRINT Basic IPsec VPN

FORTINET

(slide uses animation)


This is Phase 1, where peers say hello and create an IKE SA that defines a temporary secure channel.
(click)
What is an SA?

A security association is simply the algorithms and parameters used to encrypt and authenticate data
between 2 points. Settings must agree. Otherwise the Phase 1 will fail. (Each side wouldnt be able to
decrypt or authenticate traffic from the other.) As you can see, which settings are used can be inflexible
what we call aggressive mode or somewhat flexible what we call main mode. Details are in the
advanced IPsec lesson.
(click)
In Phase 1, FortiGate IKE SAs are a secure channel that are used for:
The Diffie-Hellman keys that will be used by Phase 2, and
To build the final ESP tunnels.

FortiGate I Student Guide 319


DO NOT REPRINT Basic IPsec VPN

FORTINET

At the end of Phase I, FortiGate uses the Diffie-Hellman method. It uses the public key (that both
ends know) plus a mathematical factor called a nonce in order to generate a common private key.

This is crucial. With Diffie-Hellman, even if an attacker can listen in to the messages containing
the public keys, they cannot determine the secret key. This is why it works even with a weakly
authenticated IKE channel, where a user name and password and FortiToken have not been
exchanged, for example.

The new private key is used to calculate additional keys: for symmetric encryption and authentication.

FortiGate I Student Guide 320


DO NOT REPRINT Basic IPsec VPN

FORTINET

If your VPN must pass through a NAT device, as we mentioned, ESP encryption would normally prevent
the NAT device from being able to read and remap the port numbers inside.

To solve this, Phase I was extended. It added NAT traversal, also called NAT-T. When NAT-T is
enabled in both ends, peers can detect any NAT device along the path. If NAT is found, then:
Both Phase 2 and remaining Phase 1 packets change to UDP port 4500
FortiGate and client encapsulate ESP within UDP port 4500

So if you have two FortiGates that are behind, for example, an ISP modem that has NAT, you will
probably need to enable this setting.

FortiGate I Student Guide 321


DO NOT REPRINT Basic IPsec VPN

FORTINET

Once details such as dead peer detection, NAT, and symmetric keys have been determined, your
FortiGate is ready to establish the real SA that is, IPsec SA which defines the ESP channel that will
be used to encapsulate and transmit data through the VPN.

It does this via IKE Phase II.

There can be 1 tunnel for Phase I, but 2 or more tunnels for Phase II. Lets see how.

FortiGate I Student Guide 322


DO NOT REPRINT Basic IPsec VPN

FORTINET

Once Phase 1 has established a somewhat secure channel and private keys, Phase 2 begins.

Phase 2 negotiates security parameters for the IPsec SA not to be confused with the IKE SA. It is this
IPsec SA not IKE that ESP will use to transmit data between LANs.

IKE Phase 2 does not end once ESP begins. Phase 2 periodically renegotiates cryptography. This
maintains security. Also, if you enable Perfect Forward Secrecy, each time the Phase 2 session
key expires, FortiGate will use Diffie-Hellman to recalculate a new common secret key. So even if
the same encryption algorithms are selected each time, the ESP tunnel will be changing to use a
different private key, making it much harder for an attacker to crack the tunnel.

Each Phase 1 can have multiple Phase 2. When would this happen?

For example, you may want to use different encryption keys for each subnet whose traffic is crossing the
tunnel. How does FortiGate select which Phase 2 to use? The Quick Mode setting.

Additionally, most traffic is two-way traffic. So this means there are usually two tunnels, and two ESP
SAs: one for each direction.

FortiGate I Student Guide 323


DO NOT REPRINT Basic IPsec VPN

FORTINET

During Phase 2, we must configure a pair of settings called Quick Mode Selectors. They identify and
direct traffic to the appropriate Phase 2 if there are multiple.

In other words, it allows granular SAs.

Selectors behave similarly to a firewall policy. VPN traffic must match selectors in one of the Phase 2
SAs. If it does not, the traffic is dropped.

When configuring selectors, specify the source and destination IP subnet that will match each Phase
2. You can also specify the protocol number, and source and destination ports for the allowed traffic.
In point-to-point VPNs, such as when connecting a branch office FortiGate to headquarters
FortiGate, both sides configuration must mirror each other.

Quick mode selectors for dial-up VPNs are different, and details are in the advanced IPsec lesson.

FortiGate I Student Guide 324


DO NOT REPRINT Basic IPsec VPN

FORTINET

Once all settings are configured, each time that a host on your local LAN sends a packet where the
destination is on the remote LAN, FortiGate should automatically bring up the VPN tunnel. It should
remain available for some time, as long as the tunnel is being used.

FortiGate I Student Guide 325


DO NOT REPRINT Basic IPsec VPN

FORTINET

If you need detailed control of your VPN, such as for IKE version 2, you can still configure it manually.

FortiGate I Student Guide 326


DO NOT REPRINT Basic IPsec VPN

FORTINET

If you are configuring a custom VPN, you can start from the wizard. Click Custom VPN Tunnel (No
Template).

Configure the remote FortiGates WAN IP address, and indicate which network interface on this local
FortiGate is the gateway that leads to it. FortiGate will use this to connect to the other end.

If your peers use pre-shared keys for the initial (IKE) authentication, both peers must be configured with
the same pre-shared key. For Phase 1, choose which encryption and authentication to propose, and so
on. They should match, too. If peers cant agree on IKE security, even Phase 1 wont be established. So
if in doubt, make sure Phase 1 and Phase 2 settings on both FortiGates match.

FortiGate I Student Guide 327


DO NOT REPRINT Basic IPsec VPN

FORTINET

You already identified the other FortiGates WAN IP (the Remote Gateway), so now also indicate your
local FortiGates WAN IP. Remember: during IKE, each side must have some way to identify its peer so
that it can label the IKE SA.

Once Phase 1 completes, Phase 2 begins. This sets up the ESP tunnels that will be used for actual data
transfer. For each subnet on each end of the VPN, you can specify different levels of ESP security. For
example, connections to the Finance LAN might need larger key sizes and stronger authentication. To
do this, configure multiple Phase 2 entries. For simplicity, here, we show only one Phase 2: the Local
Address is our LAN, and the Remote Address is the remote LAN.

Remember that if traffic doesnt match an IPsec SA, the IPsec engine will drop the packet. Usually,
its more intuitive to filter traffic with firewall policies. So if you dont want to use SA filtering, you can just
set the quick mode selectors to be 0.0.0.0/0.

FortiGate I Student Guide 328


DO NOT REPRINT Basic IPsec VPN

FORTINET

If you used the wizard for everything, it would have created routes and policies suitable for a route-based
VPN. What if you, for example, have a FortiGate in transparent mode?

Remember, first, you must enable the GUI to show policy-based IPsec options. Configure your phases
as before, then create a policy. When policy-based VPN settings are visible, an additional Action
setting is available when you configure a policy. Choose IPsec. Then choose the policy-mode tunnel
settings.

If you enable Allow traffic to be initiated from the remote site, you only need to make one policy. It will
govern both directions.

FortiGate I Student Guide 329


DO NOT REPRINT Basic IPsec VPN

FORTINET

With a route-based VPN, firewall policies are different.


There are two policies usually, not one.
The interface doesnt match wan1; it matches the virtual interface, which in this example is named
HQ-to-Branch.

The VPN wizard is the easiest way to make these. If you did that, you can skip this step.

But if you want to manually set up a VPN, use these as examples.

FortiGate I Student Guide 330


DO NOT REPRINT Basic IPsec VPN

FORTINET

In route-based VPN, you need to route VPN traffic destined for the remote LAN to the IPsec interface. If
you used the wizard, this was created for you, automatically.

(In a policy-based VPN, traffic is routed to wan1 or another external interface instead. Since there is
usually a default route, which routes all non-local packets towards the Internet, thats why policy-based
VPNs can usually skip this step.)

To do this, usually youll add a static route.

FortiGate I Student Guide 331


DO NOT REPRINT Basic IPsec VPN

FORTINET

In the GUI, there is a tool to monitor the status of your IPsec VPNs. Through this tool, you can see how
much traffic has passed through each tunnel. You can also start and stop individual tunnels, and get
additional details.

If the tunnel is up, there will be a green arrow appearing next to its name. If it is down or not in use, then
a red arrow is displayed.

For example, here, simply by looking at the remote Gateway column, you can find a misconfiguration
problem: the IP should be an interface on the remote FortiGate, not a subnet IP. So it is impossible to
bring up.

FortiGate I Student Guide 332


DO NOT REPRINT Basic IPsec VPN

FORTINET

This example shows 3 different VPN tunnels: Client_VPN, Home_VPN, and Office_VPN.

The phase 1 Office_VPN appears twice because it has two separate phase 2 associated with the same
phase 1. The other VPNs have one Phase 2 per Phase 1.

For each phase 2, we can see the phase 1 name, key life remaining time, status and the quick mode
selectors.

FortiGate I Student Guide 333


DO NOT REPRINT Basic IPsec VPN

FORTINET

If your tunnel is not starting, it helps to know the expected behavior. This varies by type.

This outlines the steps. Depending on whether you are creating a route (interface-based) or policy-based
VPN, FortiGate will use a different mechanism.

One common mistake is to configure a policy-based VPN, but to set the action to ACCEPT and this
causes FortiGate to egress clear text packets, not encrypted ones.

Another common mistake is to route eggressing packets to the wrong port. Remember, route-based
VPNs must egress through the virtual interface, not the WAN.

FortiGate I Student Guide 334


DO NOT REPRINT Basic IPsec VPN

FORTINET

Like with any feature, IPsec uses some system resources. Requirements vary by the number of VPNs.

Strong cryptography involving large key sizes can increase resource usage noticeably. Many models of
FortiGate have specialized FortiASIC chips to increase IPsec cryptographic performance, so especially if
you have many tunnels simultaneously, check that your configuration offloads cryptography to these
chips where possible. In some cases, you may be able to offload incoming traffic to one ASIC, and
outgoing traffic to another ASIC.

Details are in the hardware acceleration lesson.

FortiGate I Student Guide 335


DO NOT REPRINT Basic IPsec VPN

FORTINET

To review, these are the topics weve talked about. We presented an overview of the IPsec technology,
which includes Internet Key Exchange, phase 1, phase 2, Diffie-Hellman and Quick Mode Selectors. We
also showed the difference between policy-based and route-based VPNs, and how to use the VPN
monitor.

FortiGate I Student Guide 336


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

In this lesson, we will show you how to use antivirus scanning on a FortiGate.

Since antivirus scanning is one of the features that, depending on your configuration
and chosen signature database, can use significant RAM, we will also show you how
to resolve conserve mode.

FortiGate I Student Guide 337


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

After completing this lesson, you should have these practical skills. Not only will you
be able to configure antivirus, but you should have a better understanding of how
virus scanning works, along with knowledge of some tools to help you optimize
memory usage on your FortiGate.

FortiGate I Student Guide 338


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

How old are viruses? In 1949, John Von Neumann gave lectures at the University of
Illinois about what he called self-replicating automata. On ARPANET, the precursor
to the Internet, the first virus, named Creeper, was detected in 1971.

Since then, malicious software has evolved into many types. Technically, although
we often refer to all malware as viruses, not every piece of unwanted software
behaves like a virus malware is not always self-replicating, and sometimes users
willingly install it. To include viruses, worms, Trojans, spyware and all others, we now
use the term malware.

Malware can be divided into 2 major types:


viruses, which infect the computer and spread on their own (generally via an exploit),
such as Flash ad banners whose binaries contain buffer overflow code
grayware which requires some kind of user interaction but convinces them that the
benefit outweighs the cost, such as browser toolbars that also track the users
activity and insert its own ads into web pages

FortiGate I Student Guide 339


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Within the category of viruses, there are 2 important subtypes:


Trojans such as Zeus, like the literary Trojan horse, trick users into letting down their
defenses and installing them, and then often use the network to spread via email or
instant message.
Worms, such as Conficker and Code Red, spread by connecting to open ports on
the network and exploiting misconfigurations or other vulnerabilities in those
daemons

A Trojan can infect the same host multiple times, but that happens when another
copy arrives from an external source. The local copy of the software does not try to
re-infect the computer.

Are all viruses malicious? By definition, yes. But some white hat hackers and
academics have written beneficial worm-like software. It spreads via the same
exploits, but then cleans infections and/or patches the host. For example, Creeper
was followed by Reaper, which removed Creeper from infected systems.

FortiGate I Student Guide 340


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Regardless of how the virus spreads, once installed, a virus is somehow malicious.

What makes it malicious? Its behavior. (This is one of the reasons, by the way, that
security analysts use sandboxing such as FortiSandbox to discover new viruses.
Looking at which C functions a virus contains, for example, cannot find all viruses.
Forensics lab must see which functions actually execute, and what the effects are.)

Most people are familiar with spyware, adware, and rootkits. Malware could also be:
Ransomware such as the CryptoLocker worm is fairly new. The software holds the
computer hostage, often encrypting critical user data with a password or secret key,
until the victim pays the extortionist.
Key loggers record key strokes and return them to a remote location including
sending administrator logins and personal email addresses for executives.
Mass mailers transform computers into open relay mail servers for the botnet, often
managed via a remote command and control, sending spam for hire. These are often
operated by organized crime syndicates.

FortiGate I Student Guide 341


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Just as viruses have evolved many vectors for spreading, they also have evolved
many techniques for evading antivirus engines and manual analysis.

Viruses can encrypt their payloads, or change the exact code. As a result, when
comparing a signature to the binary sample, the two therefore arent an exact, bit-by-
bit match. So in order to detect the virus, the engine must be able to either:
match flexibly, or
ignore the changeable parts of the code, and match only based on the polymorphic
or metamorphic engine.

FortiGate I Student Guide 342


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Now that you know some different ways that viruses spread and evade detection,
what are some methods that FortiGate uses to find and block them?

FortiGate I Student Guide 343


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

At the host level, a host-based antivirus software such as FortiClient helps. But host-
based antivirus cant be installed on routers. Guest Wi-Fi networks and ISP
customers also might not have antivirus software installed. So how can you protect
them? And how can you protect your own network from these botnets?

The solution is to implement antivirus in your network security on your FortiGate.

Just like viruses have many ways that they try to avoid detection, FortiGate has
many techniques that it can use to detect them. Lets explain each method.

FortiGate I Student Guide 344


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

The first, fastest, simplest way to detect malware is if it exactly matches a signature.
Grayware is not technically a virus; remember, it is often bundled with innocuous
software, but it does have unwanted side effects, so it is categorized as malware.
Often, grayware can be detected this way, with a simple FortiGuard Antivirus
signature.

But for the reasons we just described, viruses usually cannot be detected this way.

FortiGate I Student Guide 345


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

What is another way that FortiGate can use to detect viruses? It can look for
attributes that viruses usually have in other words, it can apply heuristics.

Heuristics are based on probability, so they increase the possibility of false positives,
but they also can detect zero-day viruses viruses that are new and unknown, and
therefore no signature exists yet. That is the tradeoff. If your network is a frequent
target for virus-writers, enabling heuristics may be worth the performance cost
because it can help you to detect a virus before the outbreak begins.

By default, when the antivirus scans heuristic engine detects a virus-like


characteristic, it will log the file as Suspicious but will not block it. Suspicious files
can be treated differently from a positive match with a virus or grayware signature:
you can choose whether to block or allow suspicious files.

When should you disable heuristic blocking vs. configure the antivirus scan to only
log detections?

Windows operating system updates often modify the registry. Viruses often do this,
too, however. So, for example, you might apply heuristics scans to Windows
updates, but block suspicious behavior in all other connections.

FortiGate I Student Guide 346


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Remember, if the antivirus scans heuristic engine finds a suspicious file, it may not
always be a virus. So you might want to configure a separate action for it, or a
separate policy where heuristics is disabled for connections that you know will trigger
false positives.

To configure the action that FortiGate will take if the scan finds a suspicious file, use
these CLI commands.

FortiGate I Student Guide 347


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

What if heuristics is too uncertain? What if you need a more sophisticated, more
certain way to detect malware, and to find zero-day viruses?

You can integrate your antivirus scans with FortiSandbox. For environments that
require more iron-clad certainty, FortiSandbox executes the file within a protected
environment, then examines the effects of the software to see if it is dangerous.

For example, lets say you have 2 files. Both alter the system registry, and are
therefore suspicious. One is a driver installation its behavior is normal but the
second file installs a virus that connects to a botnet command and control server.
Sandboxing would reveal the difference. Then, you can submit a sample of the new
virus to FortiGuard security researchers, and quickly receive and deploy a
FortiGuard Antivirus or IPS update to defend your network against this new threat.

FortiGate I Student Guide 348


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

In order for FortiGate to sandbox files, it must be able to send them to either a
FortiSandbox device or a FortiCloud sandboxing account.

What is the primary difference between the two?


FortiCloud has limits imposed on the amount of data that can be transmitted. Each
account has a quota.
FortiSandbox limitations vary by the models capabilities.

On FortiSandbox, you also must configure it to accept input from your FortiGate or
FortiMail.

FortiGate I Student Guide 349


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Whether you use FortiSandbox to discover new viruses, or one is discovered by your
own security team, the next step is to develop a signature to detect it so that your
FortiGates can begin to block it.

New viruses can be submitted to FortiGuards security research team manually or


automatically, via FortiSandbox or FortiCloud Sandbox.

If you want to submit a new virus manually, go to the FortiGuard web site. Upload the
file for scanning. If the virus does not currently exist in any of the FortiGuard
Antivirus databases, the web site will report it as being clean. You will then have
the option to submit the sample to FortiGuard analysts. They will develop a signature
for it, as well as engine modifications (if necessary), and this will be in the next
update that your FortiGate and FortiMail devices download from FortiGuard.

In addition to protecting your own network, this obviously also helps to ensure that
others networks wont be infected either. By being part of a united security
community, you can help to stop botnets from growing into large threats. This has
benefits for you, and not just your neighbors. If your neighbors arent infected, your
network wont need to spend as much CPU, RAM, and bandwidth on fighting spam,
worms, DDoS attacks, and other threats.

FortiGate I Student Guide 350


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Now that weve discussed the types of scans, lets talk about the engines that use
them. They dont behave the same way.

FortiGate has traditional proxies, which break up each session into particular states
which it analyzes, but it can also analyze traffic as a more continuous packet flow.

Lets discuss how to choose between those two types of engine.

FortiGate I Student Guide 351


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

One of the factors when choosing an antivirus engine is speed. Software that is
installed on endpoints such as FortiClient can usually schedule scans for later, pause
the current scan, or scan only with spare CPU cycles when the computer is idle. In
other words, time is not a factor.

But on a network device, this is not possible.

FortiGate must scan quickly to avoid a session or connection timeout. FortiGate will
allow up to 30 seconds for a scan to complete. If it takes longer then that, then a
process called a watchdog terminates the scan, and allows the traffic to pass. Also,
FortiGate creates an event log saying that scanunit crashed with a Signal 14. Its
not a real crash its not abnormal behavior exactly but because the scan is
terminated before completing. From the softwares perspective, thats technically a
crash, so the event log records it as one.

As you can see, speed is an important factor in network antivirus scans. With that in
mind, lets consider the two engines.

FortiGate I Student Guide 352


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Depending on the protocol, FortiGate may be able to use either:


an implicit proxy, or
an explicit proxy that is, a proxy that clients must indicate that they want to use.
Usually, youll use an implicit proxy. Clients to connect through the proxys IP, not to
it. As long traffic is routed through FortiGate, the proxy transparently intercepts that
traffic, without configuring the clients.

Each proxy parses that protocols commands. Traffic usually must arrive on the
expected port, and conform to the specification. (A proxy cannot scan a protocol that
it does not listen for, or understand.) For example, in an SMTP session, an SMTP
proxy knows each valid stage: the client uses the MAIL FROM: command to specify
the sender, RCPT TO: for the recipient, DATA for the message, etc. When scanning
for viruses, the SMTP proxy known the DATA command which is the part that may
contain a virus payload before it passes that data to a scanunitd child process.

Especially for larger files, this can add noticeable latency: FortiGate must buffer the
entire file (or wait until the oversize limit is reached) first before scanning. So if your
file limit is large, consider the setting Comfort Clients. While buffering the file, the
proxy will slowly retransmit some data until it can complete the buffer, and finish the
scan. This prevents a connection or session timeout. Whats the disadvantage? Very
small viruses in the first bytes could infect the client before the scan result is
available. Disable client comforting if very high security is required.

FortiGate I Student Guide 353


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

What is another way to reduce latency? Use the flow-based engine instead.

It doesnt analyze sessions in discrete protocol stages. The flow-based engine scans
the packets as a continuous stream, looking for viral payloads regardless of
surrounding protocol details. Depending on your model, some flow-based operations
may be performed by a specialized FortiASIC chip, further improving performance.

But flow-based scans cant support all features that proxy-based scans can.
The flow-based engine doesnt operate according to the rules of the protocol. This
means that even if the scan later detects a virus, the flow-based engine may have
already forwarded packets where it should have inserted a block message. So the
client may think it is a network error, and try again. Also, much like a proxy with client
comforting enabled, the flow-based engine forwards packets at the same time as
scanning the payload. The result? The client may already have received most of a
virus by the time that the scan drops the connection. Like with client comforting, if
your environment requires very high security, you may want to avoid this option.

Regardless of which engine you use, the scan techniques will give similar detection
rates. How can you choose between the scan engines? If performance is your top
priority, then flow-based is more appropriate. If security is your priority, proxy-based
with client comforting disabled is more appropriate.

FortiGate I Student Guide 354


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Both engines buffer up to your specified file size limit. The default is 10 MB. Its large
enough for most files except movies. If your FortiGate model has more RAM,
though, you may be able to increase this threshold.

Without a limit, very large files could exhaust scan memory. So this threshold
balances risk vs. performance. Is this tradeoff unique to FortiGate, or to a specific
model? No. Regardless of vendor or model, you must make a choice. This is due to
the difference between scans in theory, that have no limits, and scans on real-world
devices that have finite RAM. In order to detect 100% of malware regardless of file
size, a firewall would need infinitely large RAM something that no device has in the
real world.

Most viruses are very small. So percentage-wise unless many viruses are Trojans
appended to the very end of a large file changing this value doesnt impact security
very much. This table shows a typical tradeoff. You can see that even with a 5 MB
threshold, only 0.14% of spyware passes through. But after billions of packets,
several hosts may require disinfection.

FortiGate I Student Guide 355


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

So what is the recommended buffer limit? It varies by model and configuration.


Adjust oversize for your unique network for optimal performance. A smaller buffer
minimizes proxy latency and (for both engines) RAM usage, but that may allow
viruses may pass through undetected. With a buffer thats too large, clients may
notice transmission timeouts. Balance the two.

If you arent sure how large of a buffer you need, temporarily enable oversize-log to
see if this is frequent, and whether the large files are important to allow.

Files that are too large for the maximum buffer size cannot be completely scanned.
And the default is to allow files to pass. This is because large files are often
harmless, and many networks have antivirus software installed on endpoints, so this
minimizes unnecessary help desk calls. But if you require a very secure
environment, or if your endpoints have no antivirus software, you can change this
setting on a per-protocol basis so that FortiGate blocks oversized files.

If oversized files are blocked, then your endpoints are safe. You wont need the logs
about oversize files for forensics. So you may be able to improve performance
slightly by disabling oversize-log.

FortiGate I Student Guide 356


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Relatedly, large files are often compressed. From the scans perspective, this is light
encryption. It wont match signatures. So FortiGate must decompress the file in order
to scan it.

When decompressing, FortiGate must first identify the compression algorithm. Some
archive types can be correctly identified using only the header. Also, FortiGate must
check whether the file is password-protected. If the archive is protected with a
password, FortiGate cant decompress it, and therefore cant scan it.

FortiGate then decompresses files into RAM. Just like other large files, this buffer
has a maximum size: uncompress-oversize-limit. Increasing this limit may decrease
performance, but allows you to scan larger compressed files.

If an archive is nested for example, if an attacker is trying to circumvent your scans


by putting a ZIP file inside the ZIP file FortiGate will try to undo all layers of
compression. By default, FortiGate will attempt to uncompress and scan up to 12
layers deep, but you can configure it to scan up to 100 layers deep. Often, you
shouldnt increase this setting, though. It increases RAM usage, and if a file is
repeatedly compressed more than 12 times, it is almost always a virus anyway.

FortiGate I Student Guide 357


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Lets review briefly.

If the buffer is full, the antivirus scan has a simple behavior. FortiGate will, depending
on your setting, either block or pass the file.

Since FortiGate doesnt have the entire file, it would be impossible to determine
whether or not the file contains a virus.

FortiGate I Student Guide 358


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

If the file has been completely transmitted that is, FortiGate reaches the byte that
marks the end of the file (EoF) then FortiGate decompresses the file (if applicable)
and uses these scans, in this order.

The virus scan is first, because the results have high certainty and the computations
are fast. Heuristics, which are less certain, are applied last.

FortiGate I Student Guide 359


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

If you consider all of the settings together, this is the complete decision tree that
FortiGate uses for antivirus scans.

FortiGate I Student Guide 360


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

When an attacker releases a new virus into the wild, like with all antivirus software,
your FortiGate must be updated with a matching signature so that it can detect it.

Most organizations dont have the personnel to dedicate to writing antivirus


signatures, 24 hours a day, 7 days a week. Even if you do, it is usually beneficial to
share security knowledge and workload. A FortiGuard Antivirus service contract
provides your FortiGate with access to the latest signatures and detection engines
from Fortinets security research team.

FortiGate I Student Guide 361


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

You can update your FortiGates antivirus signatures and engines via either push,
pull, or both methods. (If temporary packet loss, for example, interferes with the push
method, also enabling pull as a backup method helps to ensure that your FortiGate
will not miss any updates.)

Regardless of which method you select, virus scanning must be enabled in at least
one firewall policy. Otherwise, FortiGate will not download any updates.

Alternatively, you can download packages from the Fortinet Technical Support web
site, and then manually upload them to your FortiGate.

FortiGate I Student Guide 362


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

diagnose autoupdate status shows your automatic update options, just like
System > Config > FortiGuard does on the GUI.

FortiGate I Student Guide 363


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Its worth noting that there is an additional feature to the FortiGuard Antivirus service:
when FortiGate detects connections of infected computers to a botnets command
and control servers sometimes this is an IRC channel, or sometimes this is a
darknet web server FortiGate can block those connections. The setting is in the
antivirus profile.

The FortiGuard security research team compiles and maintains a list of known botnet
command and control server IP addresses. FortiGate downloads this via FortiGuard
Antivirus and IPS updates.

FortiGate I Student Guide 364


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Multiple FortiGuard Antivirus databases exist. Support varies by FortiGate model.

All FortiGate devices have the regular database, which only contains signatures for
viruses that are in the wild that is, viruses detected in recent months or submitted
by Fortinet users and partners. It is the smallest database, and therefore results in
the fastest scans, but does not detect all known viruses.

Some models support the extended database, which detects viruses that have not
been detected for some time. Vulnerable platforms are still common, and/or these
viruses could be an issue later due to portable hard disks, periodic connectivity, and
other reasons.

The most powerful models and FortiClient support the extreme database. It is
intended for high security environments, and detects all known viruses, including for
legacy operating systems such as DOS, Windows3.x, Win95, Windows 98, and so
on.

FortiGate I Student Guide 365


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Via the CLI, you can choose which database your FortiGate will use.

FortiGate I Student Guide 366


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Once you have chosen an antivirus database, in order to use antivirus scans, youll
also need to configure an antivirus profile. These profiles contain settings for the
inspection mode (that is, the proxy or flow-based engines), and define what
FortiGate should do if it detects an infected file.

Proxy options also specify the proxies listening port numbers for various
unencrypted protocols. You can scan HTTP, for example, even if the connection
doesnt occur on the IANA standard TCP port 80.

But what about encrypted protocols? Encryption is a popular method for attackers to
circumvent security. So as you would expect, FortiGate can scan encrypted
protocols. But that isnt configured here.

FortiGate I Student Guide 367


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

For secure protocols (HTTPS, FTPS, etc.), the proxies are configured in a different
profile type: the so-called SSL inspection profiles.

Encrypted protocols can be inspected to a greater or lesser extent, depending on


what you select.
SSL Certificate inspection only validates certificate information, such as the issuing
CA. This type cannot inspect the contents of the traffic, which are inside the
encrypted payload.
Full SSL Inspection validates the certificate, but also decrypts the payloads for
antivirus scanning. Because this method uses an authorized man-in-the-middle
(MITM) attack, clients will detect the inspection. Users may need to either override
the SSL validation failure, or install your CA certificate.

Certificate-based inspection is described in detail in another lesson.

FortiGate I Student Guide 368


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Virus scanning statics can be found on the FortiGate dashboard, on the Advanced
Threat Protection Statistics widget.

If your FortiGate is submitting files for sandboxing, then it keeps statistics about the
number of files submitted, and the results of those scans. These statistics are
separate from files that are scanned locally on the FortiGate.

FortiGate I Student Guide 369


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

When the antivirus scan detects a virus, by default, it creates a log about what virus
was detected, and by which method. It also provides a link to more information on
the FortiGuard web site.

FortiGate I Student Guide 370


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

If the antivirus logs are empty, this doesnt mean your network has no outbreak.

Before, we showed how to pass a file if it is too large for scan buffers, is password-
encrypted, or has too many layers of nested compression. Logging can be disabled
for those. We also explained the flow-based engine, and client comforting by the
proxy-based engine. Even if FortiGate detected a virus and reset the connection,
some or all of the virus could have been transmitted before then. And when choosing
an antivirus database, we said that if you trade some security for better performance,
some viruses may pass through. We also explained zero-day exploits.

If any of that happens, how can you submit a sample of a suspected virus, or get
information on how to disinfect those hosts?

Visit the FortiGuard web site, http://www.fortiguard.com.

In the example here, this antivirus signature is only in the extended database for
FortiClient. What does this mean? Unless you have a FortiGate model that can use
the extreme database, and you have enabled it, your firewall would not have been
able to detect that specific virus. If you have vulnerable Android hosts, and
FortiClient was installed, they would have been safe. But if they were not protected,
you would need to apply the recommended action to disinfect them.

FortiGate I Student Guide 371


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

If your antivirus scans are not functioning as you expect, where should you begin
troubleshooting?

Verify that FortiGuard updates are enabled, and that you have selected antivirus
profiles in your firewall policies. Updates wont occur if there is no firewall policy that
uses them, and antivirus scans wont occur unless a firewall policy applies them.

If automatic updates are enabled, the next thing to examine is whether those
scheduled update requests are succeeding. For that, use the command diagnose
autoupdate version.

It shows details about the antivirus engine and databases, IPS engine and
definitions, geography-to-IP mappings database, and other features.
It also shows your FortiGuard contract status FortiGate wont be able to download
updates if its not authorized and when the last update was attempted, and
succeeded.

FortiGate I Student Guide 372


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Both manual and automatic updates to FortiGuard packages trigger FortiGate to


check if the version is newer. If the version available is equal to or less than the
version installed, then to prevent accidental downgrades, it will not apply the update.

To turn off the version check, you can use this command with the enable flag. If a
specific signature is causing false positives, you can use this command to
temporarily disable the version check, and revert the database. After you have
resolved the issue with Fortinet Technical Support, make sure to run this command
again but with the disable flag instead.

FortiGate I Student Guide 373


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

If your FortiGates RAM usage is high, the next thing to examine is the event log.
Look for messages about conserve mode. Conserve mode occurs when FortiGate
does not have enough RAM available to properly handle traffic.

UTM such as antivirus is not required to be enabled for conserve mode to occur, but
UTM inspection does increase memory usage beyond simple firewall policies. In
other words, conserve mode is more possible when antivirus or IPS is enabled. You
can determine whether antivirus is using much of the memory by running the
command diagnose sys top.

There are a few categories of RAM conservation. Lets show the difference.

FortiGate I Student Guide 374


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Kernel conservation mode is when FortiOS specifically does not have enough
memory available. Theres no single cause, but it could be processes
simultaneously opening too many files, too much information on the stack, etc.

System conservation mode indicates a lack of RAM for processes and daemons
such as miglogd. The threshold is whenever the overall memory usage reaches
about 80%. Once triggered, FortiGate will not exit this mode until memory has
dropped by 10% to approximately 70%.

Proxy conservation mode is when the transparent UTM proxy runs out of available
sockets. The maximum number of proxied connections varies by model.

In kernel conservation, the behavior is not configurable. It is a critical lack of RAM.


But behavior for system and proxy RAM conservation is configurable. Lets see the
settings that you can use.

FortiGate I Student Guide 375


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

av-fail-open is the CLI setting that controls FortiGates behavior while it is in system
conserve mode.

Depending on your configuration and traffic types, each option may be more or less
effective at freeing RAM.

FortiGate I Student Guide 376


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

If av-failopen-session is enabled, then FortiGate will act according to the av-


failopen setting. Otherwise, by default, it will block new sessions until RAM becomes
available.

FortiGate I Student Guide 377


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

During kernel conservation mode, FortiGate attempts to reclaim memory that is not
in use.

In an operating system, when a process releases memory, it is not immediately


reclaimed. There is a garbage collector memory daemon that periodically finds
unused pointers. As part of this process, FortiGate drops any sessions that the proxy
considers idle.

While FortiGate is in this type of conserve mode, all new sessions will pass through
the FortiGate without any UTM inspection, because the operating system does not
have enough memory to do so.

FortiGate I Student Guide 378


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

Because logging itself requires some RAM, depending on the type of conserve
mode, log messages may not always immediately appear. Kernel conserve mode
especially may not appear easily.

Creating a log entry takes up memory. While in conserve mode, your FortiGates
operating system is doing everything possible to prevent RAM usage from
increasing. Trying to create a log entry while conserve mode is active would be
counterproductive.

If your FortiGate is in one of the three conserve modes, how can you correct it?

FortiGate I Student Guide 379


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

This shows the shared memory diagnostic. It indicates what type of conserve mode
(if any) your FortiGate is in. It also provides a quick summary of how much shared
memory is being used on your FortiGate.

The antivirus database is one of the things on your FortiGate that uses shared
memory, so if this is very high, you can try to solve the problem by switching from the
extended signature database to the regular database, for example.

Notice that this command doesnt show kernel conserve mode, however. How can
you determine how much kernel memory is used?

FortiGate I Student Guide 380


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

diagnose firewall iprope state has a section right at the beginning with an entry for
av_break.

Normally, the av_break option will be pass/off. But if FortiGate is currently in kernel
conserve mode, this command will show av_break=pass/pass. If this is very
common, and youve checked your configuration, you may need to examine the
traffic levels and protocol types. Your network may have grown or changed in
important ways, and need a more powerful model capable of supporting the added
or changed traffic.

Much of the other output of this command is dictated by the settings for av-failopen
and av-failopen-session and will change based on the configured options.

FortiGate I Student Guide 381


DO NOT REPRINT Antivirus & Conserve Mode

FORTINET

To review what we discussed, here is a list. We showed:


Some different Malware terminology and what they meant
The different types of scanning that can be enabled on a FortiGate
Sandboxing and how that can be used.
Blocking botnet connection
The difference between proxy and flow based virus scanning
The different Antivirus databases
The behavior of oversized files
The order of operations within the virus scanning engine
How to handle an undetected piece of malware
Some details about virus scanning encrypted traffic
How to read virus detection logs
What conserve mode is
Some of the memory diagnostics that are available on a FortiGate

FortiGate I Student Guide 382


DO NOT REPRINT Explicit Proxy

FORTINET

In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.

FortiGate I Student Guide 383


DO NOT REPRINT Explicit Proxy

FORTINET

After completing this lesson, you should have these practical skills.

You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy.
Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want
an explicit proxy instead.

FortiGate I Student Guide 384


DO NOT REPRINT Explicit Proxy

FORTINET

A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available,
it forwards the request to the server on behalf of the client.

Two sessions are created: one from the client to the proxy, and another one from the proxy to the server.

How is this different from an implicit proxy, sometimes called a transparent proxy?

FortiGate I Student Guide 385


DO NOT REPRINT Explicit Proxy

FORTINET

An implicit proxy server does not require any configuration change on the clients. Clients continue to use
the web just like they would without a proxy.

Clients send requests to the web servers IP address and port number. The proxy intercepts the clients
requests transparently that is, at the IP layer, the destination address doesnt change.

Does this mean that implicit proxies dont require any configuration changes, anywhere? Not
necessarily.

Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is
already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if
clients traffic isnt currently routed through FortiGate, then you must reconfigure routing so that the
packets will be routed through FortiGate, where the implicit proxy can intercept.

FortiGate I Student Guide 386


DO NOT REPRINT Explicit Proxy

FORTINET

How is an explicit proxy different?

With explicit proxy servers, you must configure clients to send the requests to the proxys IP address, not
the web sites servers. But because clients are specifically sending web traffic to your FortiGate, though,
you shouldnt need to reconfigure any routers.

Methods vary by web browser or other HTTP client.

FortiGate I Student Guide 387


DO NOT REPRINT Explicit Proxy

FORTINET

How do you configure users web browsers to use an explicit web proxy?

In large networks, you wont configure the browser settings individually, on each computer; instead, for
example, you may use an Active Directory login script or roaming profile.

Alternatively, you can configure browsers to use an explicit proxy by installing PAC file, or using the web
proxy autodiscovery protocol (WAPD).

Lets look at each.

FortiGate I Student Guide 388


DO NOT REPRINT Explicit Proxy

FORTINET

With manual configuration, you must provide one proxys FQDN or IP address. It is limited to only one
proxy.

If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add
them to a list. For those destinations, the browser will send requests directly to the web servers.

FortiGate I Student Guide 389


DO NOT REPRINT Explicit Proxy

FORTINET

The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file
contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the
destination.

This method supports use of multiple proxy servers.

To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your
FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the
PAC files URL. Again, in larger networks, you usually wont do this individually; instead, you will use
your domain to define the PAC files URL.

FortiGate I Student Guide 390


DO NOT REPRINT Explicit Proxy

FORTINET

What does a PAC file contain?

A PAC file is a JavaScript. When browsers run it, determines whether the request will be proxied, and
what the addresses should be in packets, including in the URL and Host: header at the Layer 7 HTTP
layer.

In this example:
The PAC file allows any connection to example.com to bypass the proxy.
Connections to servers in the 10.0.0.0/24 subnet use the proxy named fastproxy.example.com
whose FQDN is resolved to an IP address by a DNS query at the time of the request, so it could be
separate for clients on the private vs. public network.
All other requests are made through proxy.example.com.

FortiGate I Student Guide 391


DO NOT REPRINT Explicit Proxy

FORTINET

Browsers can automatically discover the URL where the PAC files is located via the web proxy auto-
discovery protocol.

There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP
server.

Most browsers try the DHCP method first. If it fails, they try the DNS method.

FortiGate I Student Guide 392


DO NOT REPRINT Explicit Proxy

FORTINET

(slide contains animation)

With the DHCP method, the browser sends a DHCPINFORM request to the DHCP server. The DHCP
server replies with PAC files URL.

(click)

The browser downloads the PAC file.

FortiGate I Student Guide 393


DO NOT REPRINT Explicit Proxy

FORTINET

(slide contains animation)

The DNS method is very similar; differences are in the required PAC URL.

First, the browser queries the DNS server to resolve the FQDN wpad.<local-domain>.

(click)

The DNS server replies with the IP address of the web server (in this case, a FortiGate) where the
browser can download the PAC file. This method always uses TCP port 80 and the PAC file name
wpad.dat.

(click)

The browser downloads the PAC file, then accesses the web through the proxies indicated in the PAC
file.

FortiGate I Student Guide 394


DO NOT REPRINT Explicit Proxy

FORTINET

Usually, you will enable the proxy to cache responses from web servers.

A web cache stores responses from web servers so that the next time a client requests the same thing,
FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the
response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching
works in the next slides.

FortiGate I Student Guide 395


DO NOT REPRINT Explicit Proxy

FORTINET

(slide contains animation)

If youve enabled caching, when the client makes a request, the proxy checks first if the URL that the
client requested is already in memory.

(click)

If it is not, the proxy forwards the request to the server. When it responds, FortiGate stores the response
in memory that is, it adds content to its cache.

(click)

The proxy also forwards a copy of the content to the client.

FortiGate I Student Guide 396


DO NOT REPRINT Explicit Proxy

FORTINET

(slide contains animation)

If any client using FortiGates proxy requests the exact same URL

(click)

FortiGate will recognize it, and immediately forward a copy of that content from the cache to the client.
Unless the content on the server has changed, the proxy does not need to request content from the
server again, so from the clients perspective, each response after the initial request is faster.

Notice that because dynamic URLs are not exactly the same, and their content may be personalized for
each client, dynamic URLs are usually not cached.

FortiGate I Student Guide 397


DO NOT REPRINT Explicit Proxy

FORTINET

Given that cache consumes system resources, do you want all users to be able to use the cache?

You can configure FortiGates HTTP proxy to allow access only to authenticated users that belong to
specific user groups. Authentication can be either based on either source IP address or HTTP session
cookies.

How should you decide which to use?

IP-based authentication requires less RAM to remember the authenticated sessions. However, it should
only be used when each user has a different IP address from the perspective of the source address in
the IP header.

If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP
session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its
requests. The cookie identifies the users sessions. This method requires slightly more RAM because
FortiGate must remember all session cookies. However, it can even differentiate the same person using
multiple accounts multiple tabs in multiple browsers.

FortiGate I Student Guide 398


DO NOT REPRINT Explicit Proxy

FORTINET

What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP
session-based authentication?

If a user connects and the request doesnt have any associated authentication session, first FortiGate
replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and
remembers the authenticated state by storing a cookie.

If the same user makes more requests later, the browser automatically sends the same cookie again.
FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not
need to authenticate for every request only the first time.

FortiGate I Student Guide 399


DO NOT REPRINT Explicit Proxy

FORTINET

These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of
each step next.

FortiGate I Student Guide 400


DO NOT REPRINT Explicit Proxy

FORTINET

By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboards
Features widget, enable explicit proxy.

FortiGate I Student Guide 401


DO NOT REPRINT Explicit Proxy

FORTINET

Once explicit proxy settings are visible in the GUI, you can enable and configure them.

You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose
the default action that FortiGate will take if there is any traffic that doesnt match a proxy policy.

We will talk about the proxy policies later.

FortiGate I Student Guide 402


DO NOT REPRINT Explicit Proxy

FORTINET

After enabling the explicit web proxy globally, you must specify which on which interfaces the proxy will
listen for connections.

FortiGate I Student Guide 403


DO NOT REPRINT Explicit Proxy

FORTINET

The next step is to create explicit proxy policies to specify which traffic and users are allow to use the
proxy. Starting from FortiOS 5.2, policies for explicit proxy are configured in a different configuration
section than the regular firewall policies.

Proxy traffic can be inspected. We can do antivirus, web filtering, application control and IPS inspection.
Additionally, the use of web caching can be enabled or disabled per policy.

When the proxy traffic matches a proxy policy, the FortiGate take one of three possible actions: Accept
the traffic, deny it, or request authentication before accepting it.

FortiGate I Student Guide 404


DO NOT REPRINT Explicit Proxy

FORTINET

If you select authentication as the action, you will be presented with the option to add authentication
rules. These rules specify which users and users groups are allowed, and what kind of inspection is
going to be done over each of them.

FortiGate I Student Guide 405


DO NOT REPRINT Explicit Proxy

FORTINET

Authentication for the explicit proxy behaves differently than it usually does for firewall policies.

With the explicit proxy, FortiGate will not fall through to try the next authentication rule.
FortiGate always applies the first policy that matches all criteria: the source IP address, the destination
IP address, and the outgoing interface. It doesnt evaluate any policy after the first match, even if the
user failed to authenticate with the first rule.

Lets look at an example next.

FortiGate I Student Guide 406


DO NOT REPRINT Explicit Proxy

FORTINET

In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named
Student.

The second policy allows traffic without authentication only if the source address matches 10.0.0.0/8.

With this configuration, if traffic arrives from the 10.0.1.0/24 subnet, and that user has not authenticated
yet, then FortiGate prompts the user to authenticate. Traffic from that source IP address always matches
the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match.
So FortiGate never applies the second policy for that subnet only for the rest of 10.0.0.0/8.

FortiGate I Student Guide 407


DO NOT REPRINT Explicit Proxy

FORTINET

In the CLI, if you disable the setting strict-guest, then all users that do not belong to any user
group in the proxy policy will be treated as if they belong to a group named SSO_guest_user. In this
way, you can control their access even if the users cannot authenticate.

FortiGate I Student Guide 408


DO NOT REPRINT Explicit Proxy

FORTINET

Like with firewall policies, when creating proxy policies, you use firewall address objects to specify the
source and destination.

With HTTP, the destination may appear in both the IP headers destination field, and the HTTP headers
Host: field. They arent always the same. Usually, the Host: header is a FQDN, indicating possibly
an Apache virtual host; it is not usually an IP address. But at the IP layer, the destination field always
contains an IP address. So if you are matching by using the IP Range object, keep in mind which layer
you are matching, and the effects of NAT at both layers.

Are IP addresses and domain names the only way you can use to match traffic with a proxy rule? No.

One type of firewall address object can only be used in proxy policies: the URL pattern object type. The
proxy can match policies based on the requested URL (not only the destination IP address). URL
address objects are used for that purpose.

FortiGate I Student Guide 409


DO NOT REPRINT Explicit Proxy

FORTINET

In this example of the use of an URL Address object, the first proxy policy allows unrestricted access to
the URL update.microsoft.com. No authentication is required.

All other traffic would match the second policy, which enforces authentication when accessing any other
URL.

FortiGate I Student Guide 410


DO NOT REPRINT Explicit Proxy

FORTINET

If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file to
indicate the file name and listening port number.

As we explained before, the DNS method always assumes that the PAC file is located at:

http://<FortiGate_IP_Address>:80/wpad.dat

So if your clients use the DNS method, you must configure FortiGate to offer the PAC file named
wpad.dat, and to listen for requests for it on port 80.

FortiGate I Student Guide 411


DO NOT REPRINT Explicit Proxy

FORTINET

Also, you must check that the Local Domain Name setting is properly configured.

This indicates which requests that FortiGate will reply to; FortiGate will only reply if clients requests for
the WPAD file match the FortiGates own HTTP Host: header.

FortiGate I Student Guide 412


DO NOT REPRINT Explicit Proxy

FORTINET

Once the web proxy is working, you can monitor which users that are connected to it that is, the
proxys session table. You can do this from the GUI, or from the CLI by using the command:

diagnose wad user list

You can also remove all entries from the list of users that are currently
authenticated with the proxy.

FortiGate I Student Guide 413


DO NOT REPRINT Explicit Proxy

FORTINET

Here is a review of what we discussed.

We reviewed some explicit web proxy concepts. We also showed how to configure and monitor a
FortiGate that is acting as an explicit web proxy, and how to configure web browsers to use the proxy.
Depending on your situation, we explained that some configuration choices require more RAM, and
require specific FortiGate port numbers. Finally, we showed how to see which users are currently
authenticated with the explicit proxy.

FortiGate I Student Guide 414


DO NOT REPRINT Web Filtering

FORTINET

In this lesson, we will show you how to filter users access to web sites, which is one of the most
commonly used features employed by network administrators.

FortiGate I Student Guide 415


DO NOT REPRINT Web Filtering

FORTINET

After completing this lesson, you should have these practical skills. This will give you an understanding
of the various options that are available to manage and track web content.
Familiarity with website design and behavior, as well as the HTTP protocol are useful to understanding
this module.

FortiGate I Student Guide 416


DO NOT REPRINT Web Filtering

FORTINET

Web filtering is simply a means of controlling, or tracking, the websites people visit. There are many
reasons why a network administrator would want to do this: preserve employee productivity; prevent
network congestion where valuable bandwidth is used for non-business purposes; prevent loss or
exposure of confidential information; decrease exposure to web-based threats; limit legal liability when
employees access or download inappropriate or offensive material; prevent copyright infringement
caused by employees downloading or distributing copyrighted materials; prevent children from viewing
inappropriate material.

FortiGate I Student Guide 417


DO NOT REPRINT Web Filtering

FORTINET

Proxy-based web filtering is achieved using a transparent proxy intercepting traffic between the client
and server, and setting up a man-in-the-middle. Proxy-based provides he the most flexibility and
configuration options for inspecting web traffic because it intercepts at Layer 7, as such some features
are only available to you when using proxy-based inspection. Greater control comes at a cost, it is also
the most resource intensive in terms of memory and CPU usage, resulting in the slowest throughput.
That said, it is widely used and is a very strong solution on appropriately scaled systems.

FortiGate I Student Guide 418


DO NOT REPRINT Web Filtering

FORTINET

Flow-based web filtering is achieved by caching traffic intercepted traffic between the client and server,
analyzing the TCP flow: hence flow-based. It provides less flexibility and configuration options for
inspecting web traffic, when compared to proxy-based, because it intercepts at Layer 3 and works with
the Layer 4 data. It does not recover actual files, as the proxy does, so content cannot be sent to
scanunit.

FortiGate I Student Guide 419


DO NOT REPRINT Web Filtering

FORTINET

Rather than looking at the HTTP protocol, another option is to filter the DNS request that occur prior to
an HTTP Get request. This has the advantage of being very lightweight, but at a cost because it lacks
the precision of HTTP filtering. Every protocol will generate DNS requests in order to resolve a
hostname, therefore this kind of filtering will impact all of the higher level protocols that depend on DNS,
not just web traffic. For example, it could apply FortiGuard categories to DNS requests for FTP servers.
Very few web filtering features are possible beyond hostname filtering, due to the amount of data
available at the point of inspection.

FortiGate I Student Guide 420


DO NOT REPRINT Web Filtering

FORTINET

Inspection mode is set in the web filter profile. When changing mode, the options displayed will change
because they are dependent on the inspection mode. When a web filter profile using proxy inspection
mode is selected in your firewall policy, a proxy options profile must also be defined. The proxy options
profile defines proxy behaviors as well as the ports to be inspected for web or DNS traffic. HTTPS
inspection port numbers, and other settings related to the handling of SSL, are defined separately in the
SSL/SSH inspection profile.

FortiGate I Student Guide 421


DO NOT REPRINT Web Filtering

FORTINET

Lets summarize the different modes. Proxy-based caches traffic, so it can cause a noticeable delay
depending on the file size, oversize limit and connection speed. It does, however, support a greater
number of web filtering features. Flow-based has a much higher throughput rate, compared to proxy-
based, because it does not cache data so there is no transmission delay. DNS-based is very lightweight
because it handles only the nameserver lookup, but suffers from accuracy issues because it does not
see the full URL.

FortiGate I Student Guide 422


DO NOT REPRINT Web Filtering

FORTINET

DNS web filtering looks at the nameserver response which typically occurs when you connect to a
website. Proxy and flow-based web filtering booth look for the HTTP 200 response returned when you
successfully access the website. Handling the response, as opposed to the DNS request or HTTP Get,
confirms the site is present.

FortiGate I Student Guide 423


DO NOT REPRINT Web Filtering

FORTINET

Static URL filtering is enabled in the web filter profile. Entries in the URL filter list are checked against
the website that is visited. If a match is found, then the configured action is taken. If there is no match,
then the FortiGate will move on to the next check enabled.
Patterns set to the type Simple are exact text matches. Patterns set to the type Wildcard allow for
some flexibility in the text pattern by allowing wildcard characters and partial matching to occur. Patterns
set to the type Reg. Expression allows for the use of PCRE regular expressions to be used.

FortiGate I Student Guide 424


DO NOT REPRINT Web Filtering

FORTINET

When a user visits a website, the FortiGate looks at the URL list for a matching entry. In this example,
the website matches the 3rd entry (using same list as the previous slide). This entry is a simple type, so
the match must be an exact one. There is no option for a partial match with a simple pattern. In this
case the action is to block the website so the user is presented with a block page, rather than the
website they were expecting to see.

FortiGate I Student Guide 425


DO NOT REPRINT Web Filtering

FORTINET

Rather than block or allow websites individually like Static URL filtering, FortiGuard Category filtering
looks at the category that a website has been rated with. Action is taken based on that category, not the
URL itself.

FortiGuard Category filtering is a live service that requires a connection to the FortiGuard network and
active contract in order to operate. If the contract expires, there is a 7 day grace period to renew the
contract before services will be cut off. Rather than communicating to the FortiGuard network to receive
a websites category, larger FortiManager models can be used instead.

FortiGuard Category filtering and Static URL filtering have different lists of possible actions that can be
configured. The impact of selecting different actions will be covered later on.

FortiGate I Student Guide 426


DO NOT REPRINT Web Filtering

FORTINET

When a user visits a web site, you can use the FortiGuard live service to find out the category for the
URL and allow or block access by category. This is a great way to perform bulk URL filtering without
having to individually define each web site.

After the 7 day grace period the FortiGate will not be able to rate websites and every visit will be treated
as a rating error. In the event of a rating error for a website there are only 2 options, block or allow.

FortiGate I Student Guide 427


DO NOT REPRINT Web Filtering

FORTINET

FortiGuard category filtering is enabled in the GUI, through the Web Filter profile. Categories and sub-
categories are listed and can have the action to take defined individually. Actions are assigned through
right clicking the mouse and selecting from a menu.

If the feature is enabled and the unit does not have a valid contract then a warning will be displayed in
the GUI.

FortiGate I Student Guide 428


DO NOT REPRINT Web Filtering

FORTINET

The FortiGate can maintain a list of recent web site rating responses in memory, so if the URL is one
that the device already knows about it will not have to send back a rating request. Two ports are
available for the unit to query FortiGuard with, port 53 and port 8888. Port 53 is the default since this is
also the port number used for DNS which is almost guaranteed to be open. However, any kind of
inspection will reveal that this traffic is not DNS and prevent the service from working. In this case, you
can switch to the alternate port 8888, but this port is not guaranteed to be open in all networks so you
will need to check this before setting this up. Port 80 is an option for FortiGuard communications, but
only if you are using a FortiManager, rather than the FortiGuard network.

FortiGate I Student Guide 429


DO NOT REPRINT Web Filtering

FORTINET

Caching responses reduces the amount of time it takes to establish a rating for a website. Packets
operate on the scale of milliseconds at the fastest with Seconds, not being unusual. Memory checking is
orders of magnitude faster (nanoseconds).

This timeout defaults to 15 seconds but can be adjusted as high as 30 seconds if necessary.

FortiGate I Student Guide 430


DO NOT REPRINT Web Filtering

FORTINET

Web site categories are determined by both automatic and human methods. The FortiGuard team has
automatic web crawlers that look at various aspects of the website in order to come up with a rating.
There are also people who examine websites and look into rating requests in order to determine
categories.

FortiGate I Student Guide 431


DO NOT REPRINT Web Filtering

FORTINET

There is always the possibility for errors in rating, or a scenario where you simply do not agree with the
rating a site has been given. In this case, you can use the web portal to contact the FortiGuard filtering
team to submit a web site for a new rating, or to get it rated if it is not already in the database.

FortiGate I Student Guide 432


DO NOT REPRINT Web Filtering

FORTINET

The Warning action is only an option when using FortiGuard Category filtering and only with Proxy-
mode inspection. It is not available with Static URL filtering.

When someone visits a website that is in a Category with an action of warning, they are presented with a
page that warns them they may not wish to visit this website. They are given a choice to go to the
website anyway, or go back to the previous website.

FortiGate I Student Guide 433


DO NOT REPRINT Web Filtering

FORTINET

The Authenticate action is only an option when using FortiGuard Category filtering and only with Proxy-
mode inspection. It is not available with Static URL filtering.

The authentication action blocks all websites that are in that category, unless a successful passcode is
entered. This is not user authentication and putting in proper credential will not result in any kind of
login. The username/password pair is used in the same way a key is used to open a locked door.
Once this has been done successfully, access is allowed to that category for the amount of time that has
been configured. This will allow the user to visit any other websites that are in the same category for
however long has been configured. They will not be prompted again when visiting a second (or third)
website in the same category, so long as the timer has not expired.

FortiGate I Student Guide 434


DO NOT REPRINT Web Filtering

FORTINET

The Exempt action is only an option when using Static URL filtering. It is not available with FortiGuard
category filtering.

The exempt action is used in order to bypass issues that may be caused by other checks. Sometimes
FortiGuard category filtering is not granular enough, sometimes a file you need is being caught by virus
scanning. Exempt gives the ability to bypass one or more checks or all further checks.

FortiGate I Student Guide 435


DO NOT REPRINT Web Filtering

FORTINET

These actions are possible with FortiGuard Category filtering and Static URL filtering. Regardless of
which feature they are used with, the resulting action will be the same.

Allow Effectively defines the website as being trusted. Access to the site is permitted and no log
message is generated to record this.
Monitor Access to the website is permitted and a log message is generated to record the event
Block Prevents access to the website and displays a block page to the user instead.

Log message generation is subject to firewall policy, specifically the Logging Option setting.

FortiGate I Student Guide 436


DO NOT REPRINT Web Filtering

FORTINET

When using FortiGuard category filtering, one option to allow or block access to a website is to make a
web rating override and define the website to be in a category other then what FortiGuard puts it into.
Web ratings are only for hostnames, no URLs or wildcard characters are allowed.

Category filtering is not granular, like static URL filtering. If you have a category that is blocked (or
allowed) and you need to make an exception for a particular website, this is one option that is available
to you.

If the contract expires, and the 7 day grace period passes, web rating overrides will be not be effective.
All website categories will be still be considered rating errors.

FortiGate I Student Guide 437


DO NOT REPRINT Web Filtering

FORTINET

Since FortiGuard category filtering is not granular and performs actions based on the category the
websites are in there may be times when an exception needs to be made for a single website.

Rather than unblock a potentially unwanted category access can be provided an a site-by-site basis.
The reverse can also be true, with the majority of websites in a category being fine, but a single one
needs blocking.
Changing the category does not automatically result in a different action for the website. This will
depend on the settings within the Web Filter profile at the time the user is accessing that web site.

FortiGate I Student Guide 438


DO NOT REPRINT Web Filtering

FORTINET

Custom categories can be created and used in conjunction with web rating overrides. If the predefined
categories within FortiGuard are not suitable for the situation, additional customized categories can be
added.

These custom categories can be added and deleted as needed, so long as they are not in use. A
category is considered to be used if there are any Web rating overrides that have been configured to us
it. It will also be considered in use if there is an action associated with that category other than Allow in
any web filter profile.

FortiGate I Student Guide 439


DO NOT REPRINT Web Filtering

FORTINET

FortiGuard quota can be used to limit the time users spend on web sites, based on the categorization.
Quota cannot redirect you once the web site is loaded in the browser. For example, if you had 45
seconds left on your quota and you visited a web site, it would likely finish loading before 45 seconds
was done. You could then spend 20 minutes browsing the information you received. You could not get
blocked or notified until the next attempt to access another one of these web sites. The reason for this is
that the connection to the web site is not generally a live stream. Once you receive the information, the
connection is closed.

FortiGate I Student Guide 440


DO NOT REPRINT Web Filtering

FORTINET

Quotas are configured just below where you configure the Category actions in the Web filter profile.

There can be multiple quotas (timers) configured within this section. Each one can either be linked to a
single category, or multiple. If the quota applies to multiple categories then it is not that amount for each
individual category, the timer applies to all of the categories that are specified.

FortiGate I Student Guide 441


DO NOT REPRINT Web Filtering

FORTINET

Some Features on the FortiGate cant provide direct user feedback. FortiGuard quota wont provide any
feedback to the user until they exceed the quota they have been given, unless the Fortinet bar is
enabled.

The Fortinet Bar injects a Java applet which uses a communications port to talk to the FortiGate and get
additional information from features that would otherwise provide no direct user feedback.
FortiGuard quota provides a count down.
Other features that cant do block pages (IE: application control) will show block events in the top bar.

HTTPS pages are a lot more sensitive to injected data, so its not possible to reliably insert data, so the
Fortinet Bar is only available for HTTP websites.

FortiGate I Student Guide 442


DO NOT REPRINT Web Filtering

FORTINET

Enforcing safe search can be done for Google, Bing and Yahoo. Safe search is an option that some
search engines have in order to apply their filters to the search results that are displayed. This way even
if Safe Search is disabled in the browser, the FortiGate will make sure the query is subject to whatever
settings the service decides. All the FortiGate can do is ensure that it is enabled. It cannot dictate the
behavior of this, as this task is up to the search engine providers. It works by looking for the Safe
Search string when you submit a search. If it is not there, the FortiGate unit will modify the request to
include it. This way, even if it is not enabled locally in the browser, it gets applied to the request as it
passes through the FortiGate.

YouTube EDU filtering is also available. This is a service offered by YouTube to educational institutions.
When you create an account with them they provide you with an identifier. Unlike normal Safe Search,
this does not append the URL, but adds an HTTP header into the packets. This identifies your school to
YouTube when people visit. Within your YouTube EDU account, you can configure the filters and
settings in order to limit video access.

FortiGate I Student Guide 443


DO NOT REPRINT Web Filtering

FORTINET

There are several different components to web filtering, and when they are enabled, the inspection order
follows these steps.

The local static URL filter occurs first.

Second, FortiGuard category filtering determines a rating.

Finally advanced filters take place, like Safe search or removing Active X components.
After all the checks are done the information is handed off internally for virus scanning.

FortiGate I Student Guide 444


DO NOT REPRINT Web Filtering

FORTINET

Heres a look at the web filter profile. Up at the top you can enable FortiGuard and assign the actions to
the various web site categories.

If you scroll down towards the bottom you will find the more advanced options that can be enabled, like
Safe Search and Static URL filtering. Once you have enabled and saved the settings you require, you
will need to apply the profile to your firewall policy to activate the options.

FortiGate I Student Guide 445


DO NOT REPRINT Web Filtering

FORTINET

Web profile overrides change the rules that will be used to inspect traffic. Enabling them allows
authorized users to enter a passcode that will change the Web filter profile that inspects there traffic to
another profile. Proper configuration would mean this new profile had elevated access permissions and
allow additional websites. The new profile will be used to inspect ALL of their web traffic from that point
on, until the timer expires. Authentication must be enabled in order to use this. Once web profile
overrides are enabled, the FortiGuard block page will show an override link that users can select in order
to active this override.

Apply to Groups Select the user credentials that allow overrides.


Assign to Profile Which Web profile will be used, after a successful override.
Scope Who will be effected by the override.
Duration How long the override will last.

FortiGate I Student Guide 446


DO NOT REPRINT Web Filtering

FORTINET

How the FortiGate handles HTTPS traffic is decided based on the settings of the SSL Inspection profile
that is applied to the Firewall Policy. SSL Certificate Inspection reads only unencrypted data from the
hello message, whereas Full SSL Inspection will proxy SSL, allowing for full content inspection.

SSL and Certificates are covered in more detail in the Certificate Operations module.

FortiGate I Student Guide 447


DO NOT REPRINT Web Filtering

FORTINET

This is an example of the log message generated as a result of applying a web filter profile on a firewall
policy. Access details include information about the FortiGuard quota and category (if those are
enabled), which web filter profile was used to inspect the traffic, the URL and more details about the
event.

FortiGate I Student Guide 448


DO NOT REPRINT Web Filtering

FORTINET

You can also view the raw log data by selecting the Download Raw Log button at the top right of the
GUI. When the downloaded file is opened, it will be a plain text file in a syslog format.

FortiGate I Student Guide 449


DO NOT REPRINT Web Filtering

FORTINET

List of IPs to use for FortiGuard comes back from update server (FortiGuard Distribution Network or
FortiManager).

Weight Based on the difference in timezone between the FortiGate and this server (modified by
traffic)
RTT Return Trip Time
Flags D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
TZ Server timezone
Curr Lost current number of consecutive lost packets (in a row, resets to 0 when 1 packet
succeeds)
Total Lost total number of lost packets

List is a variable length, depending on the FortiGuard Distribution Network, but approximately 10 total
IPs is the average.

FortiGate I Student Guide 450


DO NOT REPRINT Web Filtering

FORTINET

Logs can be used to determine the decision made by the FortiGate but this depends on the configured
settings. The firewall policy may not be set to log or the action could be set to accept. In both of those
cases no log event will be generated to record the decision.

This diagnostic shows the full URL in the output. In order to have it fit some of the output was chopped
off from this page. The source of the request, the hostname, URL, user (if authentication is enabled), the
profile used to examine the URL can all be determined by reading the output.

FortiGate I Student Guide 451


DO NOT REPRINT Web Filtering

FORTINET

Here is a review of what we discussed. We showed:


An overview of web filtering functionality
Explained the different types and modes for web filtering
How static URL filtering works
How FortiGuard category filtering works
How to submit a website for rating
Different actions that can be associated with accessing a website
How to do a rating override and create a custom category
Applying a quota to a category
Introduced the Fortinet Bar
Showed how its possible to force safe search with some common websites
Explained the order of the checks involved with inspecting websites
Explained how to configure a web profile override
Finally we covered the basics of inspecting HTTPS traffic

FortiGate I Student Guide 452


DO NOT REPRINT Application Control

FORTINET

In this lesson, you will learn about how to control network applications beyond simply
blocking or allowing a port number.

FortiGate I Student Guide 453


DO NOT REPRINT Application Control

FORTINET

After completing this lesson, you should have these practical skills to apply application
control, keep it up-to-date, and monitor what applications are being used on your
network.

Lab exercises can help you to reinforce what youve learned.

FortiGate I Student Guide 454


DO NOT REPRINT Application Control

FORTINET

Application control detects applications often, ones that waste bandwidth and
allows you to monitor and/or block the traffic. Like other UTM inspection, to use
application control, you must first set it up.

Unlike other forms of UTM, such as web filtering or antivirus, application control isnt
applied by a proxy. It uses IPSEngine. So it doesnt operate by built-in protocol states.
It matches patterns in the entire byte stream of the packet.

By comparison, when applying web filtering and antivirus via HTTP proxy, the proxy
first parses HTTP and removes the protocol, and then scans only the payload inside.

Why does FortiGate use a flow-based scan for application control?

FortiGate I Student Guide 455


DO NOT REPRINT Application Control

FORTINET

Because proxies cant easily detect peer-to-peer applications.

When HTTP and other protocols were designed, they were designed to be easy to
trace. In that way, administrators could easily give access to single servers behind NAT
devices such as routers and, later, firewalls.

But when peer-to-peer applications were designed, they had to be able to work without
assistance or cooperation from the network administrators. In order to achieve this,
the designers made them skilled at bypassing firewalls, and incredibly hard to detect.
Port randomization, pinholes, and changing encryption patterns are some of the
techniques that P2P protocols use.

These techniques make them difficult to bock via firewall policy, and also make them difficult to proxy.

FortiGate I Student Guide 456


DO NOT REPRINT Application Control

FORTINET

Lets show how this works.

Here is a traditional, client-server architecture. There may be many clients of popular


sites, but often, such as with an office file server, its just between one client and one
server.

Traditional downloads use a defined protocol over a standard port number. Whether its
from a web or FTP site, the download is from a single IP address, to a single IP
address. So blocking this kind of traffic is easy: you only need one firewall policy.

But its more difficult for peer-to-peer downloads. Why?

FortiGate I Student Guide 457


DO NOT REPRINT Application Control

FORTINET

Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers.
Each peer delivers part of the file. Interestingly, where many clients is a disadvantage
for client-server architectures, it is an advantage for peer-to-peer: as the number of
peers increases to n, the file is delivered n times faster.

Because popularity increases the speed of delivery unlike traditional client-server


architecture, where popularity could effectively cause a denial of service attack on the
server some software, such as BitTorrent distributions of Linux, and games
distributing new patches, leverage this advantage. Even if each client has little
bandwidth, together, they can offer more bandwidth for the download than many
powerful servers.

Conversely, in order to download the file, this also means that the requesting peer can
consume much more bandwidth per second than it could from only a single server.
Even if there is only one peer on your network, it can consume unusually large
amounts. And because the protocols are usually evasive, and there will be many
sessions to many peers, they are difficult to completely block. In a DHCP LAN or guest
Wi-Fi, where the inside peer doesnt have a static IP address or even predictable
physical location, it can be extremely difficult to find and stop.

FortiGate I Student Guide 458


DO NOT REPRINT Application Control

FORTINET

So how does application control block these applications, and more? It scans packets
passing through the FortiGate, and looks for patterns.

A particular application, such as Google Talk, is identified by matching known patterns


to its transmission patterns. So obviously it can only be accurately identified if this
stream is unique somehow. Not every application behaves in a unique way. Many re-
use pre-existing, standard protocols and communications methods. For example,
many video games such as World of Warcraft now use the BitTorrent protocol to
distribute game patches.

Application control only scans the network traffic. Application control doesnt scan
software installed on the client; this would require software to be installed on the
endpoint, such as a FortiScan agent. So it wont detect software until it starts and
connects to the network.

Application control does not use FortiGates proxies. So unlike some other UTM profiles, you cant
switch between proxy- and flow-based inspection.

FortiGate I Student Guide 459


DO NOT REPRINT Application Control

FORTINET

Before you try to control applications, its important to understand how that works.

How does application control detect the newest applications, and changes to those application
protocols?

To do this, you can configure your FortiGate to automatically update its application control signature
database, in the same way that it polls FortiGuard for new IPS signatures.

The extended IPS signature package includes more application control signatures. So if you dont find
the ones you need initially, you can enable that option to download more.

FortiGate I Student Guide 460


DO NOT REPRINT Application Control

FORTINET

To view the signatures that your FortiGate has downloaded, click the View Application
Signatures link in the application control profile.

Remember, if you did not enable download of the extended IPS database, FortiGuard
may have more signatures available that you do not see in the GUI. To see those, visit
the FortiGuard web site.

FortiGate I Student Guide 461


DO NOT REPRINT Application Control

FORTINET

On the FortiGuard web site, you can read details about each signatures related
application. Lets look at an example.

This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in
the Collaboration category. The article mentions that Google Talk, like many instant
messengers now, uses the Jabber protocol. So if you block the application, the logs
may show the Jabber protocol, even though the application that the user has installed
is named Google Talk.

If there are any special requirements in order to scan or block the application, the
article provides some advice. But its always wise to search the Internet for more
information, and to make test policies and observe the behavior.

At the top of the page, youll also notice a risk rating

FortiGate I Student Guide 462


DO NOT REPRINT Application Control

FORTINET

When building an application control signature, FortiGuards security research team evaluates the
application and assigns a risk level. It is based on the types of security risk. The rating is Fortinet-
specific, and not related to CVSS or other external systems.

If you arent aware of specific software, this information can help you to decide if it would be wise to
block the software or not.

FortiGate I Student Guide 463


DO NOT REPRINT Application Control

FORTINET

If there are new applications that you need to control, and the latest update doesnt
have any definitions for them, you can ask FortiGuard to add them.

Remember, though, that not all applications can be uniquely defined. That is to say,
there must be something about the traffic that can be used to differentiate it from other
similar traffic: traffic that occurs on the same port, or via the same protocol.

FortiGate I Student Guide 464


DO NOT REPRINT Application Control

FORTINET

Once you have a signature, the next step is to define your settings to control it. Do this in an application
sensor.

Then, to apply your application control settings, select the profile in the firewall policy .

Like any other security profile, these settings are not global. FortiGate will only apply them to traffic
governed by the firewall policy where youve selected an application control profile. This allows granular
control.

FortiGate I Student Guide 465


DO NOT REPRINT Application Control

FORTINET

Did you see these two at the end of the list of categories? They are catch-all
categories:
All Other Known Applications
All Other Unknown Applications

All Other Known Applications matches traffic that can be identified, but that, in the
profile, you did not explicitly enable. This is because some categories are only directly
configurable through the CLI: the ones that are in the extended IPS database.

All Other Unknown Applications matches traffic that could not be identified. Application
control will create a log entry that says the traffic is an Unknown Application.
Depending on:
how many rare applications your users have
which IPS database you are using (remember, the default IPS database can identify
fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance.

FortiGate I Student Guide 466


DO NOT REPRINT Application Control

FORTINET

Once youve applied application control, FortiGate will start to scan packets for
matches. It will do this in a specific order.

There are two major sections to the application control profile:


Categories is at the top
Application Overrides below Categories

First, IPSEngine examines the traffic stream for a signature match. If youve configured
any overrides, application control considers those first. It looks for a matching override
starting at the top of the list, like firewall policies. If no matching override exists, then
application control applies the action that youve configured for applications in your
selected categories.

Multiple overrides for the same signature cannot be created.

FortiGate I Student Guide 467


DO NOT REPRINT Application Control

FORTINET

Both categories and overrides actions are configurable.

Allow Simply passes the traffic


Monitor Passes the traffic, but also records a log message
Block Drops the detected traffic without notifying the client, and records a log message
Reset Resets the TCP connection, and records a log message
Traffic Shaping Rate limits the application so that it doesnt deprive more important traffic of
bandwidth, and also record a log message

Which is the correct action to select? It depends on the application. If an application requires feedback to
prevent instability or other unwanted behavior, then you might use Reset instead of Block. If you need
to allow the application but prevent it from starving other applications of bandwidth, then traffic shaping
might be a good choice. Otherwise, the most efficient use of FortiGate resources to simply block.

FortiGate I Student Guide 468


DO NOT REPRINT Application Control

FORTINET

Order of scans is introduced in the firewall policies lesson. But here is a review of the third phase: where
application control occurs.

Application control is later than many of FortiGates other scans and actions, such as for VPN ingress
and DoS.

But within UTM, it is one of the first scans. So if traffic is blocked by application control, FortiGate never
does later scans like web filtering or antivirus, even if those profiles use flow-based inspection from
IPSEngine, just like application control. But if you have configured application control to allow the traffic
not block it or reset the TCP connection then FortiGate will proceed to the next scans: email filtering,
web filtering, and antivirus. Because each scan can have exemptions, this has some interesting effects.

FortiGate I Student Guide 469


DO NOT REPRINT Application Control

FORTINET

Here is an example of how several UTM features could work together, overlap, or as substitutes, on the
same traffic.

In this profile, application control (in general) blocks the categories Social.Media and Video/Audio. For
those applications, FortiGate responds with application controls HTTP block message. (Its slightly
different than web filterings HTTP block message.) But at the bottom of this profile, there are some
exceptions. Instead of blocking, application control applies traffic shaping to Facebook and YouTube.

After the application control scan is done, FortiGate begins other scans, such as web filtering. This, too,
could block Facebook and YouTube, but it would use its own message. Also, web filtering doesnt check
the list of application control overrides. So even if an application control override allows and rate
limits an app, web filtering could still block it.

Similarly, static URL filtering has its own Exempt action, which bypasses all subsequent security
checks. However, application control occurs before web filtering, so that web filtering exemption cant
bypass application control.

FortiGate I Student Guide 470


DO NOT REPRINT Application Control

FORTINET

For HTTP-based applications, application control can provide some feedback to the user about why their
application was blocked. This is called a block page, and its similar to the one you can configure for
URLs that you block via FortiGuard Web Filtering.

The block page says:


which signature detected the application (in this case, HTTP.Browser_Firefox)
the signatures category (Web.Others)
the URL that was specifically blocked (in this case, the index page of msn.com), since a web page
can be assembled from multiple URLs
the clients source IP (10.0.1.10)
the servers destination IP (23.101.196.141)
user name (if authentication is enabled)
the UUID of the policy governing the traffic
and the FortiGates host name

The last two pieces of information can help you to find which FortiGate blocked the page, even if you
have a large network with many FortiGates securing different segments.

FortiGate I Student Guide 471


DO NOT REPRINT Application Control

FORTINET

If an application is necessary, but you do need to prevent it from impacting bandwidth


for more sensitive streaming applications such as video conferencing, then instead of
blocking it entirely you can rate limit the application.

Shaping traffic via application control is very useful when you are trying to limit traffic
that uses the same TCP or UDP port numbers as a mission-critical application. Some
high-traffic web sites such as YouTube can be throttled in this way.

FortiGate I Student Guide 472


DO NOT REPRINT Application Control

FORTINET

Lets say that you have enabled application control because users have been
complaining that the network is slow. During peak times, you notice that there is no
bandwidth remaining. Application control with the Monitor action selected showed
that many users were using YouTube, and it correlated to periods of bandwidth
saturation.

How could you solve this?

With web filtering, you can see that www.youtube.com is often accessed, but it doesnt
analyze the function of each URL. And it cant apply traffic shaping.

Alternatively, since YouTube generates large volumes of traffic, you could use
application control signatures with a traffic shaping action. Lets examine the details of
how that could work.

FortiGate I Student Guide 21 473


DO NOT REPRINT Application Control

FORTINET

Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP
requests for:
the web page itself
Images
Scripts and style sheets
Video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages themselves
doesnt use much bandwidth. Mostly, the culprit is the video.

But since it is all transported via the same protocol (HTTPS), and the URLs contain dynamically
generated alphanumeric strings:
traditional firewall policies cant block or throttle it by port number/protocol, which are all the same
web filtering cannot apply traffic shaping

With application control, you can rate limit only the videos. This prevents users from saturating your
network bandwidth while still allowing them to access the other content on the site, such as for
comments or sharing links.

FortiGate I Student Guide 474


DO NOT REPRINT Application Control

FORTINET

At the bottom of the application sensor, there are more options that affect how application control
functions.

Deep Inspection of Cloud Applications does not enable SSL Inspection. Many applications are
switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection
profile. This includes many popular ones, such as Twitter. If the application is encrypted, and you
havent enabled SSL/SSH inspection, then application control wont be able to recognize the application.

If you choose to enable Allow and Log DNS Traffic, be aware that you should only do it for short
periods, such as during an investigation. Leaving this option enabled for long periods can impact
performance and cause premature disk failure. One log is created per packet. So depending on the
application, and how often it queries DNS servers, this can use significant system resources.

Replacement Messages for HTTP-based Applications allows you to replace blocked content with an
explanation for the users benefit. Application control can also link into the Fortinet Bar, if that has been
enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP
connection.

FortiGate I Student Guide 475


DO NOT REPRINT Application Control

FORTINET

If you have logging enabled, you can use it to discover which applications are being used on your
network, and details about them. Look in Log & Report > Security Log > Application Control.

In this example, application control detected a client attempting to access Facebook. The configured
action was to monitor the traffic. We know this because the Action indicates pass, so we know
FortiGate didnt block the traffic. But the action wasnt to simply allow the traffic without logging, either,
which we know because the log message exists.

To view details about the log message, click its entry. The application name is a link to the FortiGuard
encyclopedia web site. If you were unaware of the application, and dont know what type of risks it
presents, you could click the link to read more.

FortiGate I Student Guide 476


DO NOT REPRINT Application Control

FORTINET

If you look in the forward traffic log, where firewall policies record activity, youll also find a summary of
traffic where FortiGate applied application control. Again, this is because application control is applied by
a firewall policy.

To find which policy applied application control, you can use either the Policy ID or the Policy UUID
fields of this log message.

FortiGate I Student Guide 477


DO NOT REPRINT Application Control

FORTINET

To review, here is what we discussed. We discussed:


How application control identifies traffic
Why some traffic, especially peer-to-peer, is hard to block without application control
FortiGuards 5-point rating system for application control signatures
How to submit requests for additional applications
How to configure an application control sensor
When to shape traffic
Order of operations for the application control and IPSEngine processes
How to read logs to discover which applications have been detected, and which
action FortiGate applied

FortiGate I Student Guide 478