FortiGate Student Guide
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names
herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names
may be trademarks of their respective owners. Copyright © 2002 - 2014 Fortinet, Inc. All rights reserved.
Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may
be reproduced in any form or by any means or used to make any derivative such as translation,
transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States
Copyright Act of 1976.
Table of Contents

MODULE 1
  Lab 1: Initial Setup and Configuration
    Objectives
    Time to Complete
    Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices
    Exercise 2 Exploring the Command Line Interface
    Exercise 3 Restoring Configuration Files
    Exercise 4 Performing Configuration Backups
  Lab 2: Administrative Access
    Objectives
    Time to Complete
    Exercise 1 Profiles and Administrators
    Exercise 2 Restricting Administrator Access
MODULE 2
  Lab 1: Status Monitor and Event Log
    Objectives
    Time to Complete
    Exercise 1 Exploring the GUI Status Monitor
    Exercise 2 Event Log and Logging Options
  Lab 2: Remote Monitoring
    Objectives
    Time to Complete
    Exercise 1 Remote Syslog Logging and SNMP Monitoring
MODULE 3
  Lab 1: Firewall Policy
    Objectives
    Time to Complete
    Exercise 1 Creating Firewall Objects and Rules
    Exercise 2 Policy Action
    Exercise 3 Configuring Virtual IP Access
    Exercise 4 Configuring IP Pools
  Lab 2: Traffic Log
    Objectives
    Time to Complete
    Exercise 1 Enabling Traffic Logging
  Lab 3: Device Policies
    Objectives
    Time to Complete
    Exercise 1 Enabling Device Identification
MODULE 4
    Objectives
    Time to Complete
    Exercise 1 Identity-based Firewall Policy
MODULE 5
    Objectives
    Time to Complete
    Exercise 1 Configuring SSL VPN for Web Access
    Exercise 2 Configuring SSL VPN for Tunnel Mode
MODULE 6
    Objectives
    Time to Complete
    Exercise 1 Site to Site IPsec VPN
MODULE 7
    Objectives
    Time to Complete
    Exercise 1 Antivirus Testing
MODULE 8
    Objectives
    Time to Complete
    Exercise 1 Configuring FortiGuard AntiSpam
MODULE 9
  Lab 1: Web Filtering
MODULE 10
    Objectives
    Time to Complete
    Exercise 1 Creating an Application Control List
  Lab 2: Traffic Shaping
    Objectives
    Time to Complete
    Exercise 1 Limiting YouTube Traffic
  Lab 3: Selective Application Control
    Objectives
    Time to Complete
    Exercise 1 Block Wikipedia Editing
Europe/Middle East/Africa:
http://truelab.hatsize.com/syscheck/frankfurt/
Asia/Pacific:
http://truelab.hatsize.com/syscheck/singapore/
If your computer successfully connects to the virtual lab, the "Status" field will display "SUCCESS".
Continue to the next step.
If "FAILED" appears, read the messages to identify the problem. For help fixing problems, either click
the link for the troubleshooter or ask your trainer.
2. With the user name and password that your trainer provides, log into the URL for the virtual lab.
Either:
https://remotelabs.training.fortinet.com/
https://virtual.mclabs.com/
3. Select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.
4. Select a screen resolution for the virtual lab's Java applet, then click Open.
A list of virtual machines that exist in the virtual lab will appear. Your trainer can describe each of the
virtual machines in the lab.
From this page, you can access the console of any of your virtual devices by either clicking on the
device’s square, or selecting System > Open.
A new Java applet window should open within a few seconds. (By default, the web page uses Java to
connect to each VM's console. If this fails, you may need to change browser settings to allow Java to run
on this web site.) Depending on the virtual machine, the applet provides access to either the GUI or a
text-based CLI. Connections to Windows machines use a Remote Desktop-like GUI. The applet
should log in automatically, then display the Windows desktop. For most lab exercises, you will connect
to this VM.
Note: If your computer’s connection with the virtual Windows server times out or if you are
accidentally disconnected, you can regain access by returning to your browser and
opening the Java applet again.
When connecting to a VM, your browser will then open a display in a new window or tab.
International keyboards
If special characters in your preferred language don’t display correctly, keyboard mappings may not be
correct. To solve this, you can copy and paste between your computer and the Java applet. Alternatively,
you can use an on-screen keyboard. To do this, click the keyboard icon at the top of the applet window.
Topology
The network diagram below shows the configuration of your virtual environment.
Troubleshooting Tips
Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or WiFi. For best performance, use a stable
broadband connection such as a LAN.
Do not disable or block Java applets. On Mac OS X, since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On Windows,
if the Java applet is allowed and successfully downloads, but does not appear to launch, you can
open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and
change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java.
Prepare your computer's settings:
o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go
to sleep or hibernate
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message similar to
the one shown below, the VM is waiting for a response from the authentication server. Enter the
following command on the console to resend the request:
    execute update-now
Module 1
Lab 1: Initial Setup and Configuration
This first lab will provide an initial orientation to the CLI and administrative GUI and will guide the student
through the basic setup of a FortiGate. This lab will demonstrate how to properly back up and restore a
configuration file, as well as how to manage administrative access to a FortiGate unit.
If during the labs, particularly when reloading configuration files, you see a message similar to the one
shown below, go to the console and enter the CLI command execute update-now.
This message indicates that the FortiGate VM is waiting for a response from the authentication server.
The execute update-now command will resend the request and force a response.
Objectives
Distinguish between an encrypted and non-encrypted configuration file
Describe how to back up and restore configuration files
Recognize model and build information inside a configuration file
Time to Complete
Estimated: 15 minutes
    config system interface
        edit port3
            set ip 10.0.1.254/24
        next
    end
You have now configured the port3 interface with an IP address and device access settings. The
administrative protocols permitted on the interface are chosen with set allowaccess inside the same
edit port3 block.
4. Accept the FortiGate unit's self-signed certificate or security exemption if a security warning appears.
HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available
protocols include SSH, PING, SNMP, HTTP and Telnet; HTTP and Telnet send administrator credentials
in clear text and should not be enabled on interfaces facing untrusted networks.
Note: To access the FortiGate GUI using a standard web browser, cookies and
JavaScript must be enabled for proper rendering and display of the graphical user
interface.
The login page of the Student FortiGate device should now be displayed. Please do not log in at this
point. You will have the opportunity to explore the FortiGate unit’s GUI in a later exercise.
If you are not presented with a login page, check with your Instructor before proceeding.
5. Connect to the console of the Remote FortiGate device and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.
6. Enter the following CLI commands to set the port4 IP address and access control settings for your
device.
    config system interface
        edit port4
            set ip 10.200.3.1/24
        next
    end
7. Next, set up the route configuration by executing the following commands. The gateway and outgoing
device for the entry are set inside it (set gateway and set device) before end:
    config router static
        edit 0
        end
8. You can enter the following commands to check your configuration:
3. Confirm that the firmware build is the correct version for this class.
4. Type the following command to see a full list of accepted objects for the get command:
get ?
Note: The ? character is not displayed on the screen.
At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to scroll one
line at a time. Press <q> to exit.
Depending on objects and branches used with this command, there may be other sub-keywords and
additional parameters to enter.
5. Press the up arrow key to display the previous get system status command and try some of the
control key sequences that are summarized below.

    Previous command                 up arrow, or CTRL+P
    Next command                     down arrow, or CTRL+N
    Beginning of line                CTRL+A
    End of line                      CTRL+E
    Back one word                    CTRL+B
    Forward one word                 CTRL+F
    Delete current character         CTRL+D
    Clear screen                     CTRL+L
    Abort command and exit branch    CTRL+C
CTRL+C is context sensitive and in general aborts the current command and moves up to the previous
command branch level. If already at the root branch level, CTRL+C will force a logout of the current
session and another login will be required.
6. Type the following command and press the Tab key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a time each time the Tab
key is pressed.
7. Type the following command to see the entire list of execute commands:
execute ?
8. Enter the following CLI commands and compare the available keywords for each one:
    config ?
    show ?
config enters configuration mode for the branch that follows, while show displays the configuration of
that branch. The two keyword lists are otherwise the same, except that show also accepts
show full-configuration. By default, show displays only the settings that differ from the
factory-default configuration; show full-configuration displays every setting, including defaults.
9. Enter the CLI commands shown below to display the FortiGate unit’s internal interface configuration
settings and compare the output for each of them.
Only the characters shown in bold type face need to be typed, optionally followed by <tab>, to
complete the command key word. Use this technique to reduce the number of keystrokes to enter
information. CLI commands can be entered in an abbreviated form as long as enough characters are
entered to ensure the uniqueness of the command keyword.
2. Go to System > Dashboard > Status. Under System Information, click Restore.
3. Browse the Desktop and navigate to the Resources > Module1 > Student folder.
After restoring the configuration, the FortiGate will automatically reboot. The length of the boot
process is affected by how complex the configuration is. The more complicated the configuration,
the longer it will take to parse it and complete the boot process.
Most configurations take less than 1 minute to complete the reboot process.
4. Reconnect to the GUI on the student FortiGate device and verify the restored configuration.
Go to System > Network > Interface and check your network interfaces.
Go to Router > Static > Static Route and check your default route.
5. Next, perform the following steps on the student FortiGate to verify the DNS configuration settings for
the student and remote FortiGate devices. These DNS settings have been added to simplify access to
the lab devices.
Go to System > Network > DNS Server and review the student and remote DNS zones.
In the student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for the student
FortiGate device (10.0.1.254) and the Windows Server (10.0.1.10).
In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for the
Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
6. From a DOS command prompt on the virtual Windows Server, execute the following commands to
verify the DNS lookup functionality. DNS requests are being sent to port3, and recursive DNS requests
are allowed on this interface.
http://fgt.remote.lab
2. Go to System > Dashboard > Status and under System Information, click Backup.
3. Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the
encrypted configuration file to the Desktop with the filename student-initial-enc.conf. (You may need to
modify the web browser’s settings to prompt for the location to save files. For Firefox, go to Tools >
Options > General and select Always ask me where to save files.)
Caution: When backing up the FortiGate unit’s configuration, be sure to use a
naming convention that you understand and which identifies both the date and the
device information. Every time that you log in and make changes to your device
(even if the change seems minor or insignificant), you should ALWAYS make a
backup of the configuration file. This will always be the best form of protection
against problems.
4. Next, try restoring the encrypted configuration file. Browse the Desktop, navigate to the file
student-initial-enc.conf and click Restore.
This time you will need to enter the password fortinet as this file is encrypted.
5. Using WordPad or Notepad++, open the file student-initial.conf. In another instance of WordPad,
open the file student-initial-enc.conf and compare the details in both.
Note: In both the normal and encrypted configuration the top of the file
acts as a header, describing the firmware and model information this
configuration belongs to.
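As an added example (not part of the Fortinet guide), the following Python script reads that header before a restore and refuses files whose model or build do not match the running unit. The header layout assumed here is the FortiOS 5.0-era first line `#config-version=MODEL-major.minor-FW-buildNNN-yymmdd:opmode=..:vdom=..:user=..` followed by further `#` lines; the two sample files are constructed for the example, and the way it tells an encrypted file from a plaintext one (whether readable CLI text follows the header) is an assumption of this example, not a documented FortiOS format rule.

```python
import re
from typing import Dict, List, Optional, Tuple

# First line of a FortiGate backup, e.g.
#   #config-version=FGVM64-5.00-FW-build228-130612:opmode=0:vdom=0:user=admin
# Assumed layout (FortiOS 5.0-era): model-major.minor-FW-build<N>-<yymmdd>,
# then colon-separated key=value pairs.
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d{6})"
    r"(?P<rest>(?::[^:\s]+=[^:\s]*)*)\s*$"
)

# Constructed sample of a plaintext backup (not a real device's file).
PLAINTEXT_SAMPLE = (
    b"#config-version=FGVM64-5.00-FW-build228-130612:opmode=0:vdom=0:user=admin\n"
    b"#conf_file_ver=1234567890\n"
    b"#buildno=0228\n"
    b"#global_vdom=1\n"
    b"config system global\n"
    b'    set hostname "Student"\n'
    b"end\n"
)
# Constructed sample of an encrypted backup: same readable header, opaque body.
ENCRYPTED_SAMPLE = (
    PLAINTEXT_SAMPLE.split(b"config system global")[0]
    + bytes(range(0x80, 0x100))
)


def parse_config_header(first_line: str) -> Optional[Dict[str, str]]:
    """Return model/version/build/date plus the key=value pairs, or None."""
    m = HEADER_RE.match(first_line.strip())
    if not m:
        return None
    info = {k: m.group(k) for k in ("model", "version", "build", "date")}
    for pair in m.group("rest").lstrip(":").split(":"):
        if pair:
            key, _, value = pair.partition("=")
            info[key] = value
    return info


def split_backup(data: bytes) -> Tuple[List[str], bytes]:
    """Split a backup into its leading '#' header lines and the body."""
    lines = data.split(b"\n")
    header: List[str] = []
    while lines and lines[0].startswith(b"#"):
        header.append(lines.pop(0).decode("ascii", "replace"))
    return header, b"\n".join(lines)


def looks_plaintext(body: bytes) -> bool:
    """Assumption of this example: a plaintext body is ASCII CLI text that
    starts with 'config '; anything else is treated as an encrypted body."""
    try:
        return body.decode("ascii").lstrip().startswith("config ")
    except UnicodeDecodeError:
        return False


def check_restore(data: bytes, running_model: str, running_build: str) -> List[str]:
    """Problems that should stop an unattended restore; an empty list means go."""
    header, body = split_backup(data)
    info = parse_config_header(header[0]) if header else None
    if info is None:
        return ["no #config-version header: not a FortiGate backup"]
    problems: List[str] = []
    if info["model"] != running_model:
        problems.append(f"model mismatch: file {info['model']}, unit {running_model}")
    if int(info["build"]) != int(running_build):
        problems.append(f"build mismatch: file build {info['build']}, unit build {running_build}")
    if not looks_plaintext(body):
        problems.append("encrypted body: restore needs the backup password")
    return problems


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        hdr, _ = split_backup(sample)
        print(name, parse_config_header(hdr[0]), check_restore(sample, "FGVM64", "0228"))
```

The model and build in the header are compared with the values that get system status reports on the target unit, which is the check the exercise's "Recognize model and build information" objective is about; a mismatch is the usual cause of a restore that fails or silently drops settings.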
Objectives
Identify the steps to create a new administrative user
Recognize the options to restrict administrative access
Time to Complete
Estimated: 10 minutes
    Minimum Length:                8
    Must Contain:                  Enable
                                   1 Upper Case Letter
                                   1 Numerical Digit
    Enable Password Expiration:    Enable
                                   90 days
Once the settings have been modified, click Apply to save the changes.
2. Log out of the GUI, then log in again and you will be prompted to enter a new administrator password.
Enter a new password that meets the requirements configured above.
3. Next, go to System > Admin > Admin Profile and create a new Admin profile called
Security_Admin_Profile. Set Security Profile Configuration to Read-Write and set all other permissions
to Read Only.
Once the profile settings have been modified, click OK to save the changes.
4. Go to System > Admin > Administrators and click Create New to add a new Admin user called
Security_Admin. Set Admin Profile to the new profile you created in the previous step.
By doing this, you are limiting this administrator's access so that they will only be able to create and
modify security profiles; every other part of the configuration is read-only for them.
5. To view the configuration for administrative users and profiles, type the following CLI commands:
For convenience in the labs, the admin password will not be set in the configuration files used in the
subsequent modules.
Log in with the default username of admin (all lowercase) and no password.
2. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts Only. Set
Trusted Host #1 to the address 10.0.2.0/24. Click OK to save the changes.
Now, try connecting to the GUI of the Remote FortiGate device again. What is the result this time?
Because your connection arrives from the address 10.200.1.1 (the result of NAT on the Student FortiGate
device), which is not within 10.0.2.0/24, you should notice that you are no longer able to connect to the
device now that the connecting source IP is restricted by Trusted Hosts.
3. Attempt to ping the IP address 10.200.3.1. You should note that the ping no longer responds. This
type of access is also affected by the restriction on source IP which we have configured above.
4. Go to the console of the Remote FortiGate device and enter the following CLI commands to add
10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
    config system admin
        edit admin
            set trusthost2 10.200.0.0 255.255.0.0
        next
    end
5. Test the GUI and ping access again to the IP address 10.200.3.1. You should now be able to
connect to the GUI of the Remote device and ping it as well.
6. Go to System > Dashboard > Status and under System Information, click Details for Current
Administrator.
The administrators currently logged in to the FortiGate unit are displayed.
7. By default, an administrator has a maximum of three attempts to log in to their account before they are
locked out for 60 seconds. The attempt counter is kept per source IP address.
The number of login attempts and the lockout period can be configured through the CLI.
To help improve the overall password security, the maximum number of attempts can be decreased
(admin-lockout-threshold) and the lockout timer can be increased (admin-lockout-duration, in seconds)
using the following CLI commands:
    config system global
        set admin-lockout-threshold 2
    end
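As an added example, not FortiOS code, here is a small Python model of the two controls this lab configures: a trusted-host list checked against the packet source before any admin service answers, and a per-source-IP lockout counter with the default threshold of 3 attempts and duration of 60 seconds. The scenario values (the NATed source 10.200.1.1, trusted hosts 10.0.2.0/24 and 10.200.0.0/16, a threshold of 2) are the ones used in the exercise; the class and its method names are invented for the illustration.

```python
import ipaddress
from typing import Dict, List


class AdminAccessPolicy:
    """Toy model (not FortiOS code) of trusted hosts plus login lockout."""

    def __init__(self, trusthosts: List[str], lockout_threshold: int = 3,
                 lockout_duration: int = 60) -> None:
        # Defaults as stated in the lab: 3 attempts, 60 second lockout.
        self.trusthosts = [ipaddress.ip_network(h, strict=False) for h in trusthosts]
        self.threshold = lockout_threshold
        self.duration = lockout_duration
        self._failures: Dict[str, int] = {}        # failed attempts per source IP
        self._locked_until: Dict[str, float] = {}  # lockout expiry per source IP

    def source_permitted(self, src_ip: str) -> bool:
        """Trusted hosts apply to every admin service (GUI, SSH, ping): a
        source outside the list is dropped before authentication happens."""
        addr = ipaddress.ip_address(src_ip)
        return not self.trusthosts or any(addr in net for net in self.trusthosts)

    def attempt_login(self, src_ip: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt at time `now` (seconds):
        'dropped', 'locked', 'failed' or 'ok'."""
        if not self.source_permitted(src_ip):
            return "dropped"
        if self._locked_until.get(src_ip, 0.0) > now:
            return "locked"
        if password_ok:
            self._failures.pop(src_ip, None)
            return "ok"
        failures = self._failures.get(src_ip, 0) + 1
        if failures >= self.threshold:
            # The counter is per source IP, so one noisy host does not lock
            # out administrators connecting from elsewhere.
            self._failures.pop(src_ip, None)
            self._locked_until[src_ip] = now + self.duration
            return "locked"
        self._failures[src_ip] = failures
        return "failed"


def exercise_walkthrough() -> List[str]:
    """Replay steps 2 to 5: trusted host 10.0.2.0/24 only, then add 10.200.0.0/16."""
    results = []
    before = AdminAccessPolicy(["10.0.2.0/24"])
    # Traffic from the Windows server is NATed by the Student FortiGate to 10.200.1.1.
    results.append("gui-before:" + ("permitted" if before.source_permitted("10.200.1.1") else "dropped"))
    after = AdminAccessPolicy(["10.0.2.0/24", "10.200.0.0/16"])
    results.append("gui-after:" + ("permitted" if after.source_permitted("10.200.1.1") else "dropped"))
    return results


if __name__ == "__main__":
    print(exercise_walkthrough())
    policy = AdminAccessPolicy(["10.200.0.0/16"], lockout_threshold=2)
    for t, ok in ((0, False), (1, False), (30, True), (61, True)):
        print(t, policy.attempt_login("10.200.1.1", ok, now=t))
```

The lockout is deliberately keyed on the source address rather than the account: locking the account itself would let anyone who can reach the login page deny service to the real administrator by sending wrong passwords.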
Module 2
Lab 1: Status Monitor and Event Log
The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.
Objectives
Identify and properly enable logging of system events
Locate event logs for specific information
Time to Complete
Estimated: 10 minutes
If not already added, click the Sessions History widget from the pop-up window to add it to the
dashboard.
3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom
widget.
The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
4. The Alert Message Console widget displays recent system events, such as system restart and firmware
upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to view the
entire message list.
5. Go to System > Dashboard and select Add Dashboard. Enter any name of your choice for the new
dashboard and select the single column display.
6. Next add the Top Sessions widget on your new dashboard. Click the edit icon in the title bar of the Top
Sessions widget and observe the different ways in which top sessions can be reported. For example,
by top Destination Address, top Applications etc. You can also select to display the top sessions by
Source and Destination interfaces. Create your own customized Top Sessions widget and examine the
sessions that are listed.
7. Test the functionality of the refresh, page forward, and page back icons in this window. You may need
to generate some additional traffic in order to properly test these functions.
8. Click Dashboard and select Reset Dashboards to re-display the default dashboard.
    execute formatlogdisk
When prompted to continue, type "y" and wait for the system to reboot.
Once the system has restarted, check the log disk settings by executing the following command:
    get log disk setting
You should observe that the status is enabled.
5. Go to Firewall Objects > Address > Address, and create a new firewall address using the following
settings:
Name: fortinet
Type: FQDN
FQDN: www.fortinet.com
Leave the remaining settings at their defaults and click OK to save the changes.
6. Next go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.
Different types of log entries fall into different categories. Only enable logging for the activities that you
need to monitor. This avoids filling the logs with information you do not need and consuming
unnecessary system resources.
8. Go to Firewall Objects > Address > Address and create another firewall address entry. Go to Log &
Report > Event Log > System and review the log entries again.
Note that the entries are no longer visible for this activity. With this option deselected in the Event
Logging settings, you will no longer see entries in the log for Admin users logging on/off or making
changes to the unit’s configuration. Other types of log entries will still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.
Objectives
Enable monitoring of the FortiGate unit from a syslog server and an SNMP manager
Time to Complete
Estimated: 10 minutes
end
2. Repeat the above step from the CLI on the remote FortiGate device.
3. From the virtual Windows Server desktop launch the putty.exe application and open an SSH session to
the Linux host (10.200.1.254).
4. Run the following command to monitor the FortiGate syslog messages which are mapped to their
own file by the local6 facility.
    tail -f /var/log/fortinet
5. Leave the SSH window open and return to the student FortiGate device and generate some log entries
by doing the following:
Attempt to log in with invalid credentials
Make a minor configuration change
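The lines that appear in the tail window are FortiGate key=value records behind a standard syslog prefix. As an added example (not from the guide), the following Python script parses such lines and picks out the two things the previous step generates: bursts of failed administrator logins from one source, and configuration changes. The six log lines are constructed for the example in the FortiGate key=value style; the field names follow FortiGate event logs but the specific values, including the logid numbers, are not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# key=value or key="quoted value" pairs, as FortiGate writes them
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (not a real capture); the prefix is what syslog adds.
SAMPLE_LOG = """\
Jun 12 10:15:01 Student date=2014-06-12 time=10:15:01 devname=Student logid=0100032002 type=event subtype=system level=alert vd="root" user="admin" ui=https(10.0.1.10) srcip=10.0.1.10 action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"
Jun 12 10:15:07 Student date=2014-06-12 time=10:15:07 devname=Student logid=0100032002 type=event subtype=system level=alert vd="root" user="admin" ui=https(10.0.1.10) srcip=10.0.1.10 action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"
Jun 12 10:15:12 Student date=2014-06-12 time=10:15:12 devname=Student logid=0100032002 type=event subtype=system level=alert vd="root" user="admin" ui=https(10.0.1.10) srcip=10.0.1.10 action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"
Jun 12 10:15:40 Student date=2014-06-12 time=10:15:40 devname=Student logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=https(10.0.1.10) srcip=10.0.1.10 action=login status=success reason="none" msg="Administrator admin logged in successfully from https(10.0.1.10)"
Jun 12 10:16:02 Student date=2014-06-12 time=10:16:02 devname=Student logid=0100044547 type=event subtype=system level=information vd="root" user="admin" ui="GUI(10.0.1.10)" action="Edit" cfgpath="firewall.address" cfgobj="fortinet" cfgattr="fqdn[www.fortinet.com]" msg="Edit firewall.address fortinet"
Jun 12 10:20:00 Student date=2014-06-12 time=10:20:00 devname=Student logid=0100032002 type=event subtype=system level=alert vd="root" user="admin" ui=ssh(10.200.1.1) srcip=10.200.1.1 action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from ssh(10.200.1.1) because of invalid password"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one syslog line into a dict; quoted values are unquoted."""
    record: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        record[key] = value[1:-1] if value.startswith('"') else value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if "date=" in line]


def event_time(record: Dict[str, str]) -> datetime:
    return datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")


def failed_login_bursts(records: List[Dict[str, str]], threshold: int = 3,
                        window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, int]]:
    """(srcip, user, count) for sources with >= threshold failures inside one window."""
    by_source: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        if r.get("action") == "login" and r.get("status") == "failed":
            by_source[(r.get("srcip", "?"), r.get("user", "?"))].append(event_time(r))
    hits = []
    for (src, user), times in by_source.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, user, best))
    return hits


def config_changes(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(user, cfgpath, cfgobj, msg) for every configuration-change event."""
    return [(r["user"], r["cfgpath"], r.get("cfgobj", ""), r.get("msg", ""))
            for r in records if "cfgpath" in r]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("config changes:", config_changes(recs))
```

The burst detector counts per (source IP, user) over a sliding window, which mirrors the per-source lockout counter on the unit itself; the threshold of 3 in 60 seconds matches the default lockout described in Module 1, so a hit here is a source that would have been locked out.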
6. From the GUI on the Student FortiGate device, go System > Config > SNMP to enable SNMP
monitoring. Select Enable for the SNMP Agent then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password to
fortinet.
Click OK.
8. Go to System > Network > Interface and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first then click OK to save
the changes.
9. Leave the SSH window that is currently running the tail command open and run putty again to open
a new SSH connection to the Linux host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring options that the
device presents through SNMP:
To make it easier to view the information available, you may also append > snmp.test to the command
entered above. This will save the output to a file named 'snmp.test'. Enter the command view
snmp.test to view the output file.
Module 3
Lab 1: Firewall Policy
The aim of this lab is for students to work with firewall policies and examine the FortiGate unit behavior
when policies are re-ordered.
Objectives
Describe the various actions that can be set in a firewall policy
Demonstrate policy order
Time to Complete
Estimated: 20 minutes
3. The unrestricted port3-to-port1 policy will need to be temporarily disabled in the policy list. To do this, go
to Policy > Policy > Policy, right-click the unrestricted port3-to-port1 policy and select Status > Disable.
4. Next click Create New to add a new firewall policy to provide general Internet access from the internal
network. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH
(Hold down the CTRL-key to select multiple services.)
Action: ACCEPT
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Log Options: Enable Log all Sessions and select Generate Logs
when Session Starts
Comments: General Internet access
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall, therefore, a
firewall policy only needs to be created for the direction of the originating traffic.
Once the policy settings have been entered, click OK to save the changes.
5. From the virtual Windows Server desktop, open a web browser and connect to various external web
servers.
6. From the CLI, enter the following command to see the source NAT action.
2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows.
    ping -t 10.200.1.254
Provided you have not changed the rule ordering, the ping should still work: it matches the ACCEPT
policy, which sits above the DENY policy just created, so the DENY policy is never evaluated. This
demonstrates the behavior of policy ordering: the list is searched from the top and the first matching
policy decides. Leave this window open and perform the next step.
3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click any of the
column headings. Select Column Settings > ID. Move this column accordingly for easier viewing. By
default only the sequence number of the firewall policy is displayed in the GUI.
4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it
before the General Internet access policy.
5. Return to the Windows Server and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked and the replies appear as
“Request timed out”. Enter CTRL-C to end the ping command.
1. Go to Firewall Objects > Virtual IP > Virtual IP and click Create New to add a new virtual IP mapping
with the following details:
Name: VIP_WIN2K3
External Interface: port1
Type: Static NAT
External IP Address/Range: 10.200.1.200
Mapped IP Address/Range: 10.0.1.10
Once the virtual IP settings have been entered click OK to save the changes.
2. Next, create a new firewall policy to provide access to the web server. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port1
Source Address: all
Outgoing Interface: port3
Destination Address: VIP_WIN2K3
Schedule: always
Service: HTTP
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs
when Session Starts
Enable NAT: Disabled (default)
Comments: Public access to web server
Once the policy settings have been entered click OK to save the changes.
3. The firewall is stateful so any existing sessions will not use this new firewall policy until they time out or
are cleared. The sessions can be cleared individually from the session widget on the Status page or
from the CLI by executing the following:
http://10.200.1.200
If the virtual IP operation is successful a simple web page appears displaying the message “It
works!”.
5. From the CLI on the Student FortiGate device, check the destination NAT entries in the session
table by using the following command:
In this exercise, an IP address pool will be applied to a new policy, overriding the default source NAT
behavior in which outbound traffic is translated to the address of the outgoing interface (port1).
1. From the GUI on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool and create
a new IP pool using the following settings:
Name: WIN2K3_EXT_IP
External IP Range/Subnet: 10.200.1.100
Once the IP pool settings have been entered click OK to save the changes.
2. Go to Policy > Policy > Policy, and right-click the outgoing General Internet access policy. Select Copy
Policy then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet access policy and configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: WIN2K3
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs
when Session Starts
Enable NAT: Enabled
Use Dynamic IP Pool: WIN2K3_EXT_IP
Comments: Windows Server source NAT override
Once the Policy settings have been entered click OK to save the changes and verify that you have
enabled it.
4. The firewall does stateful inspection so any existing sessions will not use this new firewall policy until
they time out or are cleared. The sessions can be cleared individually from the session widget on the
status page or from the CLI by executing the following:
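As an added illustration of the behaviour exercised in this module (first-match policy order, the session table holding an existing flow to its original verdict and translation, the VIP's destination NAT, and the IP pool overriding the interface-address source NAT), here is a small Python model. It is not Fortinet code and does not stand in for the CLI command referred to above; the address objects, VIP and IP pool follow the lab, while the port1 address 10.200.1.1, the external client 10.200.3.10 and the Internet host 93.184.216.34 are assumed.

```python
"""First-match policy evaluation, the session table and NAT, as a toy model.

Added example for this lab, not Fortinet code. Address objects, the VIP and
the IP pool follow the lab; assumptions: port1 uses 10.200.1.1, the external
client is 10.200.3.10, 93.184.216.34 stands in for an Internet web server,
and the caller supplies the egress interface the routing lookup would pick.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ADDRESSES = {"all": ip_network("0.0.0.0/0"), "STUDENT_INTERNAL": ip_network("10.0.1.0/24"),
             "WIN2K3": ip_network("10.0.1.10/32"), "VIP_WIN2K3": ip_network("10.200.1.200/32")}
VIP_MAPPED = {"VIP_WIN2K3": "10.0.1.10"}     # VIP object -> mapped (real) address
INTERFACE_ADDR = {"port1": "10.200.1.1"}     # assumed
POOLS = {"WIN2K3_EXT_IP": "10.200.1.100"}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    services: frozenset          # "ALL" matches every service
    action: str                  # "accept" or "deny"
    nat: bool = False
    ippool: str = None           # IP pool name; None means the outgoing interface address

    def matches(self, srcintf, dstintf, src, dst, service):
        return (self.srcintf == srcintf and self.dstintf == dstintf
                and ip_address(src) in ADDRESSES[self.srcaddr]
                and ip_address(dst) in ADDRESSES[self.dstaddr]
                and ("ALL" in self.services or service in self.services))


@dataclass
class Firewall:
    policies: list
    sessions: dict = field(default_factory=dict)   # originating 5-tuple -> verdict

    def clear_sessions(self):        # same effect as clearing sessions from the Status page or CLI
        self.sessions.clear()

    def lookup(self, *pkt):
        """Top-to-bottom walk: the first match wins and nothing below it is checked."""
        return next((p for p in self.policies if p.matches(*pkt)), None)   # None: implicit deny

    def handle(self, srcintf, dstintf, src, dst, service):
        """Originating packet: session table first, the policy list only for a new flow."""
        key = (srcintf, dstintf, src, dst, service)
        if key in self.sessions:
            return self.sessions[key]
        p = self.lookup(*key)
        if p is None or p.action == "deny":
            return {"policy": p.name if p else "implicit deny", "action": "deny"}
        snat = (POOLS[p.ippool] if p.ippool else INTERFACE_ADDR[dstintf]) if p.nat else None
        verdict = {"policy": p.name, "action": "accept", "snat": snat,
                   "dnat": VIP_MAPPED.get(p.dstaddr, dst)}
        self.sessions[key] = verdict    # an accepted flow keeps this verdict until cleared
        return verdict

    def reply_allowed(self, src, dst):
        """Reply direction: matched against existing sessions only; no policy is needed."""
        return any(src == v["dnat"] and dst == (v["snat"] or k[2])
                   for k, v in self.sessions.items())


def lab_policies():
    f = frozenset
    return (Policy("General Internet access", "port3", "port1", "STUDENT_INTERNAL", "all",
                   f({"HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"}), "accept", nat=True),
            Policy("DENY ping", "port3", "port1", "STUDENT_INTERNAL", "all", f({"ALL_ICMP"}), "deny"),
            Policy("Public access to web server", "port1", "port3", "all", "VIP_WIN2K3", f({"HTTP"}), "accept"),
            Policy("Windows Server source NAT override", "port3", "port1", "WIN2K3", "all",
                   f({"ALL"}), "accept", nat=True, ippool="WIN2K3_EXT_IP"))


def demo():
    general, deny_ping, web_vip, override = lab_policies()
    fw = Firewall([general, deny_ping, web_vip])
    out = {}
    ping = ("port3", "port1", "10.0.1.10", "10.200.1.254", "ALL_ICMP")
    out["ping_deny_below"] = fw.lookup(*ping).name      # DENY below ACCEPT is never consulted
    fw.policies.remove(deny_ping)
    fw.policies.insert(0, deny_ping)                    # drag DENY above the ACCEPT policy
    out["ping_deny_above"] = fw.lookup(*ping).name
    v = fw.handle("port1", "port3", "10.200.3.10", "10.200.1.200", "HTTP")   # external client hits the VIP
    out["vip"] = (v["action"], v["dnat"], v["snat"])
    out["vip_reply"] = fw.reply_allowed("10.0.1.10", "10.200.3.10")          # web server's reply
    web = ("port3", "port1", "10.0.1.10", "93.184.216.34", "HTTP")
    out["snat_default"] = fw.handle(*web)["snat"]       # translated to port1's own address
    fw.policies.insert(0, override)                     # pasted above General Internet access
    out["snat_existing_session"] = fw.handle(*web)["snat"]   # old session keeps old translation
    fw.clear_sessions()
    out["snat_after_clear"] = fw.handle(*web)["snat"]   # new session uses the IP pool
    return out


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the verdicts. The model pins only accepted flows in the session table, and the reorder test deliberately uses a fresh lookup, which is what the lab shows for the continuous ping; the source NAT part shows the effect the lab warns about, where the flow started under the General Internet access policy keeps the interface address until the session is cleared.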
Objectives
Demonstrate how to enable traffic logging
Read and understand traffic log entries
Time to Complete
Estimated: 5 minutes
ping –t 10.200.1.254
Provided you have positioned the rule correctly, this traffic should be blocked and the pings will time out.
4. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic to
examine the log entries. You should observe violation traffic entries. These entries appear with red X
symbols under the column Security Action.
5. Edit the DENY policy. Change the Action setting to ACCEPT, and enable NAT by selecting the Enable
NAT checkbox. Once these policy settings have been entered click OK to save the changes.
From the Windows Server, you should observe that the ping now succeeds.
6. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic.
The log entries will no longer show violation traffic, but summaries of the ping traffic that passed.
Objectives
Demonstrate how to enable Device Identification
Configure Device Identification policies
Time to Complete
Estimated: 10 minutes
2. Edit the outgoing port3 to port2 firewall policy using the following settings:
Policy Type: Firewall
Policy Subtype: Device Identity
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port2
Enable NAT: Enabled. Select Use Destination Interface Address
3. Next click Create New under Configure Authentication Rules and create the following sub-policies:
Sub-policy 1:
Sub-policy 2:
Click OK.
4. Under Device Policy Options enable Prompt E-mail Collection Portal for all devices as follows:
Once you have configured all the above policy settings, click OK to save the changes.
5. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the sub-policy
list because this rule should only be matched if the device has not already been identified.
In this example, the first web traffic from the client matches the email captive portal rule. The
subsequent traffic matches the collected email device object as we now have this information.
Click OK.
7. Test the device policy on the Student FortiGate device. First execute the following CLI commands to
disable the email DNS check for the captive portal. (This step is required for the purposes of this lab.)
end
8. From your web browser, connect to: http://10.200.1.254
The portal should appear. Accept the conditions and enter your email address when prompted.
detection.
Perform the following show command to confirm that the device now appears in the configuration file.
Note that your device is still a member of the predefined groups and is now a member of the custom
group myDevGroup.
16. From a command prompt on the virtual Windows host, open an FTP connection to: 10.200.1.254
Once you have connected, close the FTP connection.
17. Now add a sub-policy to your firewall device policy blocking FTP.
Edit the device policy and create the following sub-policy:
Sub-policy 3:
Destination: LINUX_ETH1
Device: myDevGroup
Schedule: always
Service: FTP
Action: Deny
Log Violation Traffic: Enable
Click OK.
18. Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.
19. From your PC, test whether you can still open an FTP connection to ftp://10.200.1.254. With the deny
sub-policy now first in the list, the connection should be refused.
Module 4
Lab 1: User Authentication
The aim of this lab is to introduce students to user authentication management on the FortiGate unit.
Objectives
Create an identity-based policy
Manage user authentication
Time to Complete
Estimated: 20 minutes
3. When the device has rebooted review the user configuration for this lab.
Go to User & Device > User > User Definition to review the local user settings
Go to User & Device > User > User Group to review the user group configuration.
4. On the virtual Windows Server desktop, open a web browser and connect to a new web site.
At the login prompt, enter the following credentials:
Username: student
Password: F0rtinet
You should observe that after successful authentication, you are redirected to your destination web site.
5. From the GUI on the student FortiGate, go to Policy > Policy > Policy and review the outgoing port3 to
port1 firewall policy with authentication configured.
6. Next, from the Windows Server try to ping 10.200.1.254, and then open a putty.exe session and try to
connect to 10.200.1.254 via SSH. You should observe that both tests fail.
Even though there is an accept policy for this traffic further down the list, it is not applied. This highlights
an important behavior of identity-based policies: the service is a permission, not a selector. In this
example the identity policy matches all outgoing traffic from the source regardless of service; the service
list only decides what an authenticated user is then allowed to do.
Because the authentication policy already matched on the source IP, the FortiGate does not look for
another matching firewall policy. A policy has been found, and since SSH (and ICMP) is not one of its
allowed services, the traffic is dropped by that policy rather than handed on to the next one.
There are two ways to correct this. Either add ALL_ICMP and SSH to the identity policy rule for the
training user group, or move the regular policy above the identity policy so that it is matched first.
Using either of these options, make your configuration change and retest using ping or by
connecting through SSH. If using SSH, log in as root with the password: password.
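The difference between a service used as a selector and a service used as a permission, as an added Python model (not Fortinet code): policies are evaluated top to bottom, a regular policy falls through when the service does not match, and an identity policy, once matched on source, either permits the service for the user's group or drops the traffic without consulting the rest of the list. The policy names, the identity policy's service list and the table of already-authenticated hosts are assumptions.

```python
"""Identity-based policy: the service list is a permission, not a selector.

Added example for this lab, not Fortinet code. The address object, group
and interfaces follow the lab; the policy names, the identity policy's
service list and the table of already-authenticated hosts are assumptions.
"""
from ipaddress import ip_address, ip_network

ADDRESSES = {"all": ip_network("0.0.0.0/0"), "STUDENT_INTERNAL": ip_network("10.0.1.0/24")}

# Regular policy: every field, service included, is a selector.
REGULAR = {"kind": "regular", "name": "port3 to port1 ICMP/SSH", "srcaddr": "STUDENT_INTERNAL",
           "services": {"ALL_ICMP", "SSH"}, "action": "accept"}
# Identity policy: selected on source only; each rule lists what a group may then use.
IDENTITY = {"kind": "identity", "name": "port3 to port1 authentication", "srcaddr": "STUDENT_INTERNAL",
            "rules": [{"group": "training", "services": {"HTTP", "HTTPS", "DNS"}}]}

AUTHENTICATED = {"10.0.1.10": ("student", "training")}   # assumed: logged in via the web prompt


def evaluate(policies, src, service, authenticated=AUTHENTICATED):
    """First policy whose selectors match decides; nothing below it is consulted."""
    for p in policies:
        if ip_address(src) not in ADDRESSES[p["srcaddr"]]:
            continue
        if p["kind"] == "regular":
            if service not in p["services"] and "ALL" not in p["services"]:
                continue                         # service is a selector: keep walking the list
            return p["name"], p["action"]
        # identity policy: already matched on source; the service is now only a permission
        if src not in authenticated:
            return p["name"], "auth-required"    # unauthenticated host is sent to the login prompt
        _, group = authenticated[src]
        if any(r["group"] == group and service in r["services"] for r in p["rules"]):
            return p["name"], "accept"
        return p["name"], "deny"                 # matched but not permitted: no fall-through
    return "implicit deny", "deny"


def demo():
    out = {}
    lab = [IDENTITY, REGULAR]                    # lab order: identity policy above the regular one
    out["ssh_identity_first"] = evaluate(lab, "10.0.1.10", "SSH")
    out["http_identity_first"] = evaluate(lab, "10.0.1.10", "HTTP")
    out["ssh_regular_first"] = evaluate([REGULAR, IDENTITY], "10.0.1.10", "SSH")   # fix 1: reorder
    widened = dict(IDENTITY, rules=[{"group": "training",
                                     "services": {"HTTP", "HTTPS", "DNS", "SSH", "ALL_ICMP"}}])
    out["ssh_widened"] = evaluate([widened, REGULAR], "10.0.1.10", "SSH")          # fix 2: add services
    out["unauthenticated_http"] = evaluate(lab, "10.0.1.20", "HTTP")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both fixes from the text are exercised: moving the regular policy above lets SSH match it as a selector, while widening the training group's services keeps the identity policy first and permits SSH there.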
7. Go to User & Device > Monitor > Firewall to view the details of the authenticated user along with the
policy used to authenticate this user.
8. Next go to Log & Report > Event Log > User and locate the log messages for the firewall policy
authentication events. The details for the entry are displayed in the lower pane of the Event Log
window.
Notice that the user’s name “student” is now included in the log messages.
9. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate
unit with the following command:
Module 5
Lab 1: SSL VPN
The aim of this lab is for students to work with and manage user groups and portals for the SSL VPN.
Objectives
Configure and connect to an SSL VPN
Enable various authentication security options
Time to Complete
Estimated: 30 minutes
2. When the device has rebooted, review the SSL VPN configuration for this lab. Go to Policy >
Policy > Policy and examine the port1 to port3 policy for SSL VPN. Note from the policy list that this
policy has a sub-policy.
Edit this policy to view its components. The settings are configured as follows:
The policy subtype is SSL VPN which indicates further processing besides only accepting the traffic.
Under Configure SSL-VPN Authentication Rules, edit the first rule to view its contents. Notice that this
allows users in the training group to access the web-access SSL-VPN portal.
You will notice that this rule contains many settings including Group(s), User(s), Schedule, Service
and SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy.
3. To observe the effect of this policy you will now access the SSL VPN. On the virtual external Windows
XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL:
https://10.200.1.1.
Accept the security warnings for the self-signed certificate and log in using the following credentials:
Username: student
Password: F0rtinet
You should notice that you are able to log in; however, the web portal still has its default settings.
We will now configure the web-access portal that is selected in the SSL VPN policy. Log out and
return to the virtual Windows Server host.
4. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right hand corner, select
web-access to edit this portal. Verify that Include Bookmarks is selected and then in the table
shown, create the following bookmarks for the internal server.
Bookmark for HTTP:
Category: Test
Name: HTTP/HTTPS
Type: HTTP/HTTPS
Location: 10.0.1.10
Click OK.
Bookmark for RDP:
Category: Test
Name: RDP
Type: RDP
Location: 10.0.1.10
Click OK.
Modify the Portal Message with a message of your choice then click Apply to save all the changes.
5. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to:
https://10.200.1.1
You should now observe that you have two bookmarks listed.
6. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how the web
access functions.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL
VPN gateway: https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN
HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from
the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted only between the browser and the SSL VPN gateway. The hop
from the FortiGate's HTTP proxy to the final destination is plain HTTP, so the internal network between
the FortiGate and 10.0.1.10 must be trusted to carry that traffic in clear text.
7. Return to the virtual Windows Server device and from the GUI on the Student FortiGate device, go
to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection.
Note the User, Source IP and Begin Time.
8. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the “SSL
tunnel established” message.
9. From the external Windows XP host, log out of the SSL VPN connection. Return to the log and look
for the “SSL tunnel shutdown” message.
Group(s): training
Schedule: always
2. To observe the effect of this sub-policy you will now access the SSL VPN again. From the virtual
external Windows XP host desktop, open a web browser and access the SSL VPN by browsing to the
following URL:
https://10.200.1.1
When prompted, log in to the SSL VPN using the following credentials:
Username: student
Password: F0rtinet
3. What do you see when you login?
You should see the same portal as in the previous exercise. Why?
The training user group is associated with both sub-policies, so the first one that matches (the rule for the
web-access portal) is applied.
You could move the rule so that the rule for the full-access portal is first in the list however, this will end
up affecting all users in that group. Instead, edit the sub-rule created in step 1 above and set the user
group to training2.
Click OK to save the rule settings, then click OK again to save the policy changes.
4. In the web browser on the virtual remote Windows XP host, connect to the SSL VPN portal once again
using the URL: https://10.200.1.1. Note that you may need to clear the web browser’s cache if the
login window is not displayed.
This time, log in to the SSL VPN using the following credentials:
Username: student2
Password: F0rtinet2
You should now observe that the portal established is the full-access portal.
Note: If using the SSL VPN client available with FortiClient, you do not
need to log in via the portal.
5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes sent and
received incrementing.
6. On the virtual remote Windows host, open a DOS command prompt and perform the following:
ipconfig
Note down your assigned IP address for reference.
Note that the ‘fortissl’ adapter has an IP address. Where does this IP address come from? Display
the routing information by entering the following command:
route print
Note the low metric routes and observe that there is a route to 10.0.1.10. Where did this come from?
ping –t 10.0.1.10
7. From the GUI on the Student FortiGate device go to VPN > Monitor > SSL-VPN Monitor. The SSL-
VPN Monitor displays the client connections and the IP allocated to the tunnel connection.
8. In the firewall policy list, examine the Count field to see the packets and bytes per policy. You may
need to reposition this column accordingly for easier viewing.
Notice that there is traffic associated with the incoming rule from the ssl.<vdom name> interface. This
rule is created automatically. This traffic is the incoming traffic from your SSL VPN client.
9. Go VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access portal.
Within the Enable Tunnel Mode options, note the IP Pool used which refers to a firewall address object.
10. Go to Firewall Objects to look up that firewall address object. What are the values of that object?
The object defines an address range that matches your assigned address, so this is how IP addresses
are configured and assigned to SSL VPN clients.
HINT: In the policy list, look at the Destination address of the SSL VPN policy.
You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is where
the SSL VPN client route came from.
With this present configuration, the SSL VPN client is split tunneling. This means that only traffic to
the specific destination behind the firewall is tunneled, and all other traffic goes to the default
gateway.
What configuration change would you need to make to give the client a default route into the tunnel?
Disable split tunneling in the full-access portal. A default route is then pushed to the client, and all of its
traffic, not only traffic to the destinations listed in the policy, goes through the tunnel.
Module 6
Lab 1: IPSec VPN
The aim of this lab is for students to configure an IPSec VPN on the FortiGate device using both interface-
based and policy-based modes.
Objectives
Configure and implement interface and policy-based IPSec VPNs
Demonstrate the differences between interface and policy-based VPNs
Explain IPSec VPN configuration options
Time to Complete
Estimated: 30 minutes
2. Connect to the GUI on the Remote FortiGate device (10.200.3.1) and restore the following
configuration file: Resources\Module6\Remote\remote-ipsec.conf.
The Remote FortiGate device will reboot.
3. When the Student FortiGate device has rebooted, open a DOS command prompt from the virtual
Windows Server and run a continuous ping to the remote Windows XP host as follows:
ping -t 10.0.2.10
4. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and examine the
tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and the status is
currently up. This is the tunnel that is established to the Remote FortiGate device.
5. From the Student FortiGate device review the firewall policy port3remote. View the Count column so
that you can see the packets and bytes per policy.
Observe that the counter is incrementing for the port3remote policy.
Go to System > Network > Interface and note the blue arrow head associated with port1. If you expand
this you will be able to see the remote interface and the type for this interface which is set to Tunnel
Interface.
6. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase
2 IKE objects.
Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec Interface
Mode is selected.
show
The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall policy. How
is the traffic getting to this policy?
Traffic arrives at the FortiGate unit on the ingress interface. For new connections, a routing lookup is
performed to select the egress interface and gateway, and then there is a lookup in the firewall policy to
find a matching rule. It is the routing lookup that selects the egress, and therefore, the remote interface
is selected in this case. So a route is driving the traffic to the IPsec interface.
7. Go to Router > Monitor and view the current routing table. You will observe a static route to the
destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy-based VPN, which
we will review next.
Generally, the route-based VPN is the preferred approach; however, there are a few exceptions where
you would need to use the policy-based VPN. These will be discussed later.
8. Open a web browser on the Windows Server and connect to the GUI on the Remote FortiGate device.
9. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device.
You should observe a tunnel named student with the destination 10.200.1.1 and the Status is up.
This is the tunnel that is established to the Student FortiGate device.
10. Still on the Remote FortiGate device, go to System > Network > Interface and note there is no tunnel
sub-interface for port4.
11. Go to Router > Monitor and view the current routing table. You will observe that there is no route to the
10.0.2.0/24 destination, there is only a default route.
How is the traffic entering the tunnel then?
12. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from
port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24
(STUDENT_INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to
allow traffic inbound as well as outbound. We will look at these settings later.
On the Student FortiGate device, a static route was sending traffic to the IPSec interface. Here there is
no static route and the traffic is being sent to the tunnel using the policy subtype setting, hence policy-
based.
The IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it into the tunnel
student.
13. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPSec
configuration. Note the Phase 1 and Phase 2 IKE objects.
These settings can also be viewed through the CLI:
15. From the remote Windows XP host, attempt to run a continuous ping to: 10.0.1.10.
You should observe this ping fails. Can you identify why?
If the VPN is policy-based (tunnel mode), a single IPsec firewall policy allows and regulates both the
outgoing and the incoming traffic (the inbound permission seen in step 12). If the VPN is interface-based,
however, separate firewall policies are needed for the inbound and the outbound direction, each using the
IPsec interface as its incoming or outgoing interface.
On the Student FortiGate device we have only configured the outgoing policy (port3 to remote) and the
VPN is in interface mode. This is why the new incoming connection is dropped: there is no firewall policy
from the remote interface to port3 to allow it.
16. Return to the Student FortiGate device and add the missing firewall policy.
You should observe the ping now succeeds.
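To make the two steering mechanisms concrete, here is an added Python model (not Fortinet code) of both units: the Student side has a static route to 10.0.2.0/24 via the IPsec interface remote, so the routing lookup selects the tunnel before the policy lookup; the Remote side has only a default route and an IPsec-action policy that names the tunnel student. It also shows why the remote-initiated ping is dropped on the Student side until a policy from the remote interface to port3 exists. Interface, subnet and tunnel names follow the lab; the routing and policy model is simplified.

```python
"""Route-based versus policy-based IPsec: what steers traffic into the tunnel.

Added example for this lab, not Fortinet code. Subnets, interface and tunnel
names follow the lab: the Student FortiGate has port3 (10.0.1.0/24), port1
(WAN) and the IPsec interface "remote"; the Remote FortiGate has port6
(10.0.2.0/24), port4 (WAN) and the policy-based tunnel "student". The
policy and routing model is simplified.
"""
from ipaddress import ip_address, ip_network


def route_lookup(routes, dst):
    """Longest-prefix match; the egress may be a physical port or an IPsec interface."""
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def policy_match(p, srcintf, dstintf, src, dst):
    return (p["srcintf"] == srcintf and p["dstintf"] == dstintf
            and ip_address(src) in ip_network(p["srcaddr"])
            and ip_address(dst) in ip_network(p["dstaddr"]))


def forward(routes, policies, srcintf, src, dst):
    """Routing selects the egress interface first; only then is the policy list searched."""
    dstintf = route_lookup(routes, dst)
    for p in policies:
        if policy_match(p, srcintf, dstintf, src, dst):
            if p["action"] == "ipsec":           # policy-based: the policy itself names the tunnel
                return f"ipsec tunnel {p['tunnel']}"
            return f"{p['action']} via {dstintf}"
    return f"implicit deny ({srcintf} -> {dstintf})"


def policy_based_inbound(policies, src, dst):
    """Policy-based VPN: one IPsec policy with inbound enabled also admits remote-initiated traffic."""
    return any(p["action"] == "ipsec" and p.get("inbound")
               and ip_address(src) in ip_network(p["dstaddr"])
               and ip_address(dst) in ip_network(p["srcaddr"]) for p in policies)


STUDENT_ROUTES = [("0.0.0.0/0", "port1"), ("10.0.1.0/24", "port3"), ("10.0.2.0/24", "remote")]
STUDENT_POLICIES = [{"srcintf": "port3", "dstintf": "remote", "srcaddr": "10.0.1.0/24",
                     "dstaddr": "10.0.2.0/24", "action": "accept"}]      # port3 -> remote only
REMOTE_ROUTES = [("0.0.0.0/0", "port4"), ("10.0.2.0/24", "port6")]        # no route for 10.0.1.0/24
REMOTE_POLICIES = [{"srcintf": "port6", "dstintf": "port4", "srcaddr": "10.0.2.0/24",
                    "dstaddr": "10.0.1.0/24", "action": "ipsec", "tunnel": "student", "inbound": True}]


def demo():
    out = {}
    # Student side (route-based): the static route sends the packet to the "remote" interface.
    out["student_egress"] = route_lookup(STUDENT_ROUTES, "10.0.2.10")
    out["student_to_remote"] = forward(STUDENT_ROUTES, STUDENT_POLICIES, "port3", "10.0.1.10", "10.0.2.10")
    # Remote side (policy-based): only a default route; the IPsec policy picks the tunnel.
    out["remote_egress"] = route_lookup(REMOTE_ROUTES, "10.0.1.10")
    out["remote_to_student"] = forward(REMOTE_ROUTES, REMOTE_POLICIES, "port6", "10.0.2.10", "10.0.1.10")
    out["remote_inbound"] = policy_based_inbound(REMOTE_POLICIES, "10.0.1.10", "10.0.2.10")
    # A remote-initiated ping decrypted on the Student side arrives on "remote" and needs its own policy.
    out["ping_from_remote"] = forward(STUDENT_ROUTES, STUDENT_POLICIES, "remote", "10.0.2.10", "10.0.1.10")
    fixed = STUDENT_POLICIES + [{"srcintf": "remote", "dstintf": "port3", "srcaddr": "10.0.2.0/24",
                                 "dstaddr": "10.0.1.0/24", "action": "accept"}]
    out["ping_from_remote_fixed"] = forward(STUDENT_ROUTES, fixed, "remote", "10.0.2.10", "10.0.1.10")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last two entries reproduce step 15 and step 16: the same packet, the same route to port3, but no policy for the remote to port3 pair until it is added.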
Module 7
Lab 1: Antivirus Scanning
The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.
Objectives
Configure flow-based and proxy-based antivirus scanning
Test FortiGate antivirus scanning behavior
Time to Complete
Estimated: 30 minutes
2. When the FortiGate device has rebooted go to Security Profiles > AntiVirus > Profile and configure the
default profile as follows to enable AV scanning on HTTP:
Inspection Mode: Proxy
Virus Scan and Removal: Select HTTP and deselect all other settings
Once the inspection settings have been entered click Apply to save the changes.
3. Go to Policy > Policy > Policy and edit the port3 to port1 policy. Turn ON AntiVirus and ensure that the
default antivirus profile is selected.
Once the profile is enabled on the policy click OK to apply the changes.
4. Next go to Policy > Policy > Proxy Options and examine the default proxy options that are shown.
These settings determine how FortiOS handles each protocol. For example, which port numbers to use,
whether to use client comforting, block oversized emails and so on.
5. Go to System > Config > Replacement Message. From the top right-hand corner select Extended View
and under Security modify the Virus Block Page.
The HTML editor that is displayed allows you to see the changes as you are making them. If you do
not wish to use the standard block pages they can be edited and modified as the situation requires.
Click Save shown above the editor window to apply any changes.
6. From the virtual Windows Server host, launch a web browser and access the following web site:
http://eicar.org
7. On the Eicar web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand
corner of the page) and then click the Download link that appears on the left.
Download any of the EICAR sample files from the Download area using the standard HTTP
protocol.
The download attempt will be blocked by the FortiGate unit and a replacement message will be
displayed similar to the following (should also include any customization you made earlier):
The EICAR file is an industry-standard test file used to verify antivirus detection. It is not malicious:
antivirus engines detect it by signature alone, which makes it safe to use for this purpose. The file
consists of the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
8. The HTTP virus message is shown when infected files are blocked or have been quarantined. In the
message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the
detected virus.
9. From the GUI on Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
locate the antivirus event messages.
In order to view summary information of the AV activity, add the Advanced Threat Protection Statistics
widget to the Dashboard.
10. On the Eicar web page, click Download ANTI MALWARE TESTFILE and then click the Download link
that appears on the left. This time, select the eicar.com file from the HTTPS (SSL enabled protocol)
section of the Download area.
The download should succeed because SSL inspection has not been enabled: the FortiGate cannot
see the content of the encrypted session.
11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy > Policy >
SSL/SSH Inspection and under SSL Inspection Options, ensure the protocol HTTPS on port 443 is
enabled.
Click Apply.
12. Next, go to Policy > Policy > Policy and edit the policy port3 to port1. Under Security Profiles enable
SSL/SSH Inspection by setting this to ON. Click OK.
13. To ensure that there are no existing sessions prior to deep scanning the communication exchange,
connect to the CLI of the Student FortiGate unit and enter the following command:
15. Go to Security Profiles > Antivirus > Profile and change the Inspection Mode for the default Antivirus
Profile to Flow-based. Click Apply.
Try downloading the eicar.com file again. What happens now when the virus is detected?
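The following added Python model (not Fortinet code and not the FortiGate scanning engine) shows the general difference between the two modes using the EICAR string from step 7: a proxy-based scanner holds the whole object, so it can replace it with the block page, whereas a flow-based scanner forwards packets as they pass and can only stop the transfer once the signature completes, leaving the client with a truncated file. Chunk size, file size and the block-page text are assumptions.

```python
"""Proxy-based versus flow-based scanning of an HTTP download.

Added example, not Fortinet code and not the FortiGate engine: the
"scanner" is a substring match on the EICAR test string, and the "client"
is the list of chunks that would have been forwarded. Chunk size, file size
and the block-page text are assumptions; buffering limits and client
comforting are ignored.
"""
# Assembled at run time so the 68-byte test string is not stored verbatim in this file.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()
BLOCK_PAGE = b"<html>High security alert: virus detected (EICAR_Test_File)</html>"   # assumed text


def infected(data: bytes) -> bool:
    return EICAR in data


def proxy_scan(chunks):
    """Proxy mode: buffer the whole object, scan it, then send either the object or a replacement page."""
    body = b"".join(chunks)
    if infected(body):
        return {"verdict": "blocked", "delivered": [BLOCK_PAGE], "partial": False}
    return {"verdict": "clean", "delivered": [body], "partial": False}


def flow_scan(chunks, window=len(EICAR)):
    """Flow mode: forward each chunk as it passes, scanning a sliding window across chunk boundaries.
    Bytes already forwarded cannot be recalled, so the client is left with a truncated file."""
    delivered, tail = [], b""
    for chunk in chunks:
        if infected(tail + chunk):
            return {"verdict": "blocked", "delivered": delivered, "partial": bool(delivered)}
        delivered.append(chunk)
        tail = (tail + chunk)[-(window - 1):]     # keep enough to catch a signature split across chunks
    return {"verdict": "clean", "delivered": delivered, "partial": False}


def make_download(offset, size=4000, mtu=1460):
    """Constructed sample: filler bytes with the test string at `offset`, cut into MTU-sized chunks."""
    filler = b"A" * size
    body = filler[:offset] + EICAR + filler[offset + len(EICAR):]
    return [body[i:i + mtu] for i in range(0, len(body), mtu)]


def compare(chunks):
    """(verdict, client got a partial file?, bytes the client received) for each mode."""
    p, f = proxy_scan(chunks), flow_scan(chunks)
    return {"proxy": (p["verdict"], p["partial"], sum(map(len, p["delivered"]))),
            "flow": (f["verdict"], f["partial"], sum(map(len, f["delivered"])))}


def demo():
    return {"signature_in_third_chunk": compare(make_download(3000)),
            "signature_split_across_chunks": compare(make_download(1430)),
            "clean_file": compare([b"A" * 1460, b"A" * 1460])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The second case matters in practice: a flow scanner that only looked at each packet on its own would miss a signature straddling two packets, which is why the model keeps a tail of the previous chunk.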
Module 8
Lab 1: Email Filtering
The aim of this lab is for students to work with email filtering.
Objectives
Enable and use email filtering on a FortiGate unit
Modify inspection rules to blacklist or whitelist emails (using banned word, IP, email address etc.)
Read and interpret email log entries
Time to Complete
Estimated: 30 minutes
2. Once the FortiGate has rebooted, go to System > Config > Features. Under Security Features turn ON
Email Filtering. This step is required to enable the Email filtering feature on the FortiGate device. By
default, this is a hidden security feature. Click Apply to save the changes.
3. Next, go to Security Profiles > Email Filter > Profile and edit the default email filtering profile. Select
Enable Spam Detection and Filtering to enable it then click Apply. Configure the following settings:
SMTP Spam Action: Tagged
FortiGuard Spam Filtering: Enable IP Address Check
Enable URL Check
Once the changes to the email profile have been entered, click Apply to save the changes.
4. By default FortiGuard services are enabled. Go to System > Config > FortiGuard and check the status
of the service. (If you are using the hosted virtual lab environment you will need to change the service
port to UDP 8888).
5. Go to Policy > Policy > Policy and edit the port3 to port1 outgoing policy. Under Security Profiles, turn
ON Email Filter and ensure that the default email filter profile is selected.
In the steps that follow, you will generate and send test spam emails to your Microsoft Outlook
user@internal.lab inbox. In the classroom lab environment, you will initiate the spam generation using
a script called smtpmboxgen.pl which is provided in the Resources\Module8 folder. Details for using
this script will be provided in the steps that follow.
6. From the Windows server, open a command prompt and change directory to the C:\Documents and
Settings\Administrator\Desktop\Resources\Module8 folder as follows:
smtpmboxgen.pl
7. From your Microsoft Outlook mail client, check the email inbox to review the tagged spam. To view the
corresponding logging events, go to Log & Report > Traffic Log > Forward Traffic.
8. From the CLI on the Student FortiGate device, execute the following commands to enable Banned
Word Check in the default email filter profile:
edit "default"
set spam-bword-table 1
end
9. Next, run the commands below to review the banned words that have already been configured for you
in the configuration file being used for this lab.
show
Notice the use of both regular expression and wild cards in that list.
10. Go to Security Profiles > Email Filter > Profile again and this time modify the default email filtering
profile to set the SMTP Spam Action to Discard.
11. From your Microsoft Outlook mail client, generate a message to: test@gmail.com that will be caught by
the banned words that have been configured. For example, add the word “training” to the subject or
message body of your test email and attempt to send the message.
When you send the email the following message displays indicating the message was blocked:
Remember that some banned words apply only to the subject line, others apply only to the body and
others apply to both.
A banned word is scored only once per message. For example, if a banned word has a score of 10 and
occurs four times in the message body, it still contributes 10 to the message score, not 40.
12. Go to Log & Report > Security Log > Email Filter and check the email filtering log entries for this
event as well. To make it easier to view all email activity, add the column Dst Port and filter on port
25.
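How the banned word table scores a message, as an added Python example (not Fortinet code): each entry has a pattern type (wildcard or regexp), a scope (subject, body or all) and a score; an entry counts once per message regardless of how often the word occurs; and the total is compared against the profile threshold to choose the SMTP spam action. The entries, the threshold value of 10 and the test messages are assumed, not the lab's configuration.

```python
"""Banned-word scoring in an email filter profile.

Added example, not Fortinet code. The entry fields mirror the banned word
table used in this lab (pattern, pattern type wildcard or regexp, where it
applies: subject, body or all, and a score); the entries, the threshold of
10 and the test messages are assumptions, not the lab's configuration.
"""
import fnmatch
import re

BANNED = [
    {"pattern": "training", "pattern-type": "wildcard", "where": "all", "score": 10},
    {"pattern": "free*money", "pattern-type": "wildcard", "where": "subject", "score": 5},
    {"pattern": r"\b(viagra|cialis)\b", "pattern-type": "regexp", "where": "body", "score": 10},
]
THRESHOLD = 10      # assumed: a total at or above this marks the message as spam


def entry_matches(entry, text):
    """Regexp entries are searched as-is; wildcard entries match anywhere in the text, case-insensitively."""
    if entry["pattern-type"] == "regexp":
        return re.search(entry["pattern"], text, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(text.lower(), "*" + entry["pattern"].lower() + "*")


def score_message(subject, body, table=BANNED):
    """Each entry adds its score at most once per message, however many times the word occurs."""
    total, hits = 0, []
    for e in table:
        texts = {"subject": [subject], "body": [body], "all": [subject, body]}[e["where"]]
        if any(entry_matches(e, t) for t in texts):
            total += e["score"]
            hits.append(e["pattern"])
    return total, hits


def classify(subject, body, spam_action="discard"):
    """Apply the profile's SMTP spam action (tagged or discard) when the score reaches the threshold."""
    total, hits = score_message(subject, body)
    return (spam_action if total >= THRESHOLD else "deliver"), total, hits


def demo():
    return {
        # "training" in the subject and four times in the body still counts once: 10, not 50
        "repeated_word": classify("Re: training", "training training training training"),
        # free*money applies to the subject only, so a body hit does not score
        "body_hit_on_subject_rule": classify("Hello", "free money here"),
        # a single low-score hit stays below the threshold
        "below_threshold": classify("Free MONEY offer", "see attached"),
        # two different entries add up
        "two_entries": classify("Free money", "buy Viagra now", spam_action="tagged"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The scope handling is what the lab's reminder about subject-only and body-only words refers to, and the once-per-entry rule is why repeating a banned word does not push a message over the threshold on its own.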
Module 9
Lab 1: Web Filtering
The aim of this lab is for students to configure web filtering to block specific categories of web content. The
interaction of local categories and overrides will also be demonstrated.
Lab Objectives
Enable and use web filtering on a FortiGate device
Select the most effective method for blocking or allowing a web site
Read and interpret web filter log entries
Time to Complete
Estimated: 30 minutes
2. When the FortiGate device has rebooted go to System > Status and under License information check
the FortiGuard Services Web Filtering status to ensure that the license has been validated. A green
check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter > Profile and review the
settings of the default web filter profile.
4. Verify that the Inspection Mode is set to Proxy and enable FortiGuard Categories.
Under FortiGuard Categories right-click the web category Potentially Liable and select the action:
Authenticate.
Next, set Selected User Groups to the training user group and accept the default Warning Interval value
of 5 minutes.
8. Go to Policy > Policy > Policy and edit the outgoing port3 to port1 policy. Under Security Profiles, turn
on Web Filter and ensure that the default profile is selected.
Next, turn ON SSL/SSH Inspection under Proxy Options and ensure the default profile is selected.
9. From the CLI on the Student FortiGate device, check the low-level status information of the web
filtering service by entering the following command:
The command diag debug rating shows the list of FDS servers for web filtering that the FortiGate
unit is using to send requests. Rating requests are only sent to the server on the top of the list in normal
operation. Each server is probed for RTT every 2 minutes.
The diag debug rating flags indicate the server status as follows:
D indicates the server was found via the DNS lookup of the hostname. If the hostname
resolves to more than one IP address, all of them are flagged with 'D' and are used first for
INIT requests before falling back to the other servers.
I indicates the server to which the last INIT request was sent.
F signifies the server has not responded to requests and is considered to have failed.
T signifies the server is currently being timed (an RTT probe is in progress).
10. From a web browser on the virtual Windows Server, connect to a web site that is usually blocked by the
training policy and verify that the blocked message is displayed.
A FortiGuard replacement message should be displayed.
11. Go to System > Config > Replacement Message and under Security select FortiGuard Block Page and
change the text of the block message to customize it. Click Save located in the upper-right hand corner
of the edit pane to apply your changes.
12. Revisit the same web site and ensure that the customized FortiGuard Block Page Blocked message is
displayed.
You may need to clear your browser's cache or refresh the block page, as the browser might serve the
page from its local cache.
13. Next, in the web browser, attempt to connect to a web site category with an Authenticate action. For
example:
A Web Page Blocked message is displayed again, this time with a Proceed button.
14. Click Proceed to view the Web Filter Block Override page. Enter the username student and the
password F0rtinet and click Continue.
The web page should now be displayed.
15. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
locate the log messages related to the web filtering activity.
In the following step, you will configure an access quota for a couple of categories. Quotas allow
access to web resources for a specified length of time.
16. Go to Security Profiles > Web Filter > Profile and edit the default web filter profile.
17. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click Create New to
create new quotas. Select the categories (same as in Step 4) to be assigned quotas and set the quota
time value to 5 minutes.
Once you have altered the web filter profile, click OK then click Apply to save the profile settings.
18. From a web browser on the Windows Server, attempt to visit a blocked category web site again.
19. Click Proceed on the Web Page Blocked page. Authenticate on the Web Filter Block Override page
using the username student and the password F0rtinet and click Continue.
Once authenticated properly, the quota timer is initiated.
20. To view the quota timer value, enable the Security Profiles monitors through the CLI as follows:
end
then, go to Security Profiles > Monitor > FortiGuard Quota. If the FortiGuard Monitor is not displayed,
you may need to clear the web browser’s cache or refresh the page.
When the daily quota value is reached, the FortiGuard replacement message will be displayed again.
21. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
locate the log messages related to the web filtering activity.
22. Edit the default web filter profile, expand Quota on Categories with Monitor, Warning and Authenticate
Actions and delete the quotas on the selected categories. Click OK then click Apply to save the profile
settings.
23. Still in the web filter profile, set the inspection mode to Flow-based. A notification is displayed as follows:
24. Test the behavior of the flow based inspection by connecting to a web site that is usually blocked.
Check the log entry for this blocked request.
Module 10
Lab 1: Application Identification
The aim of this lab is for students to use the application control feature to properly identify a given
application.
Objectives
Configure application control in the student lab environment
Read and understand application control logs
Time to Complete
Estimated: 30 minutes
2. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control >
Application Sensor and review the default application control sensor. (Ensure you are selecting the
sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:
Application: Youtube
Application: Myspace
Check the Action setting for each filter. What are the expected actions of these sensors?
Traffic shaping is enabled for Youtube and these applications use a shared traffic shaper which is
capped at 1 Mbps. Connections to Myspace are blocked.
Before proceeding ensure both of these signatures are located at the top of the list. Click Apply to save
changes to the profile.
4. Go to Policy > Policy > Policy and edit the port3 > port1 policy. Ensure that Application Control is
turned ON and that the default Application Control sensor is selected. Click OK.
You will now test the application control configuration. From the virtual Windows Server, open a web
browser and connect to YouTube.com.
6. Next, enable the Security Profiles monitors through the CLI as follows:
end
then, check the Application monitor in Security Profiles > Monitor > Application Monitor. If the
Application Monitor is not displayed, you may need to clear the web browser’s cache or refresh the
page.
7. From the virtual Windows Server host, open a web browser and connect to Myspace.com.
You should observe that you cannot connect to this site.
8. Go to Security Profiles > Application Control > Application Sensor and edit the default sensor again.
Click Create New to add a new application filter and select Specify Applications.
9. In the search field shown above the Application Name column enter Facebook. From the results that
display, select Facebook from the Application Name column. A window displays with a description of
the application including popularity, and a reference link that you can click to obtain more rating
information from the FortiGuard Center.
Set Action to Block and ensure that this new signature is placed at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes.
Test that this site is now blocked. Go to Log & Report > Traffic Log > Forward Traffic and view the log
information to confirm that this action was correctly logged. The status of the connection should be
displayed as deny.
10. From the web browser, attempt to access the following web site:
http://proxite.us
On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click Go.
You should observe this does allow some connectivity to the site. What action can be taken to stop
this?
You can create a new rule in the sensor to block the Proxy category.
Objectives
Students will complete the following tasks:
Restrict YouTube video bandwidth
Time to Complete
Estimated: 10 minutes
2. Go to Policy > Policy > Policy and edit the outbound port3 > port1 firewall policy. Set Application
Control to ON and from the drop-down list select the monitor-p2p-and-media profile.
Click OK to save the policy settings.
3. From a web browser on the virtual Windows Server host, connect to a Youtube web site and stream a
random video. Go to Log & Report > Traffic Log > Forward Traffic and view the application control log
entries that are generated.
4. From the GUI on the Student FortiGate device go to Firewall Objects > Traffic Shaper > Shared and
create a new traffic shaper with the following details:
Name : YouTube
Maximum Bandwidth: 100
Note: The units are in kilobits per second. Take this into consideration
when setting values, as bandwidth is typically measured in
kilobytes, or even larger units.
5. Go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-and-
media application control profile from the drop-down list shown in the upper right-hand corner of the
window.
6. Next, edit the sensor: ID2 (Video/Audio). If the ID column is not visible, modify the column settings to
add it.
Scroll to the bottom of the window, and set Action to Traffic Shaping. Enable both Forward and
Reverse Direction Traffic Shaping and from the drop-down list, select the YouTube traffic shaper you
created in the previous step.
Once you have applied the YouTube shaper to both the normal and reverse direction for this signature,
click OK then click Apply.
7. Clear the web browser cache and re-open it. Connect to the YouTube web site again and stream
the same video. If you set the Shaper levels low enough the experience of playing the video will be
very different.
Note: Only shared shapers are allowed, so the maximum value here
would apply to everyone inside the network that was using the application
(YouTube videos in this case). Keep this in mind when using this option.
Objectives
Students will complete the following tasks:
Block user attempts to edit any Wikipedia article, while allowing read-only access to that website.
Time to Complete
Estimated: 10 minutes
1. Click on the Edit tab on the top of the page. This should open the Wikipedia editor feature that allows
any user to modify articles.
2. From GUI on the Student FortiGate device, go to Security Profiles > Application Control > Application
Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown
in the upper right-hand corner of the window.
3. Click Create New to add a new application filter and select Specify Applications.
4. In the search field shown above the Application Name column enter Wikipedia. From the results
displayed, select Wikipedia_Edit from the Application Name column.
Set Action to block and ensure that this new signature is placed at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes.
5. Clear the web browser’s cache and access a different Wikipedia article. You should still have access to
the Wikipedia document. Try to edit any article again. You should notice that this time you are not able
to edit the article.
Module Overview
Module Objectives
VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall
FortiGate Appliance Firewall
and more…
Unit Design
[Figure: FortiGate unit design. Layers: FortiOS, a specialized operating system; purpose-driven hardware; security and network-level services (Firewall, AV, Web Filter, IPS, …); automated update service. Features shown: Firewall, Antivirus, Intrusion prevention, Application control, Web filtering, Email filtering, Data leak prevention, VPN, WAN optimization, Traffic shaping, High availability, Virtual domains, Dynamic routing, Logging and reporting, Endpoint compliance, Wireless, Authentication.]
Fortinet Products
Modes of Operation
NAT, Transparent
OSI Model
Device Administration
Web GUI: HTTP, HTTPS
CLI: Console, SSH, Telnet, GUI Widget
Administrator Profiles
Administrative Users
• If logging in from the source IP is not possible, FortiGate will not respond to requests
for management traffic to its interfaces
Configuration Files
Model
Firmware Major Version
Interface IPs
• NGFW
» Next Generation Firewall
» Line Speed Inspection
• ATP
» Advanced Threat Protection
» Focuses on protecting PCs
• WF
» Web Filtering
• Full UTM
» All Inspection profile options are available in the GUI
Static Gateway
DHCP Logs
DNS Forwarding
• FortiGate units can forward (or not) DNS requests sent to its
interfaces
» Behavior on each interface is configured separately
• Allows direct control of the DNS
» GUI allows setting to Forward only
» CLI allows Forward, Recursive and Non-recursive behavior
• Step 1: Backup and store old configuration (Full config backup from CLI)
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
• Step 5: Double check everything
• Step 6: Upgrade
Maintainer Access
Console Port
FortiExplorer
Labs
(OPTIONAL)
• Lab 2: Administrative Access
» Ex 1: Profiles and Administrators
» Ex 2: Restricting Administrator Access
Module Overview
Module Objectives
[Figure: logging destinations of a FortiGate. Local logging: Memory, Hard drive. Remote logging: Syslog, SNMP, FortiAnalyzer, FortiManager, FortiCloud.]
FortiAnalyzer/FortiManager
Register
FortiAnalyzer/FortiManager: Comparison
FortiAnalyzer/FortiManager: Configuration
• Subscription service
» Long term log storage & reporting
» FortiGates include 1 month free trial
» Links to FortiCare user
» Read any documentation on the Website!!
• Traffic Log
» Forward (Traffic passed/blocked by Firewall policies)
» Local (Traffic aimed directly at, or created by the FortiGate device)
» Invalid (Log messages about packets considered invalid/malformed and dropped)
» Multicast (Log messages about Multicast traffic)
• Event Log
» System (System related events)
» User (Firewall authentication events)
» Router, VPN, WanOpt & Cache, Wifi
• Security Log
» By Security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
» Section is not created by default
• Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
» Traffic logs relate to packets to and through the device
» Event logs relate to any admin and system activity events on the device
» Security logs contain log messages related to profiles acting on traffic passing
through the device
• Most Security events consolidated into Forward Traffic log
» Less CPU intensive this way
» Exceptions: DLP, Intrusion Scanning (Security Log only)
• Additional log information can be obtained in some security profiles via
the CLI (Antivirus, Web Filter, Email)
» extended-utm-log [disable (default) | enable]
• New log options show up (CLI only, varies depending on profile type)
• Security event logs show up in Security Logs with more details
Log Generation

FW Policy Log Setting | AV, Web Filter, Email | extended-utm-log | Behavior
No Log              | Disabled | N/A      | No Forward Traffic or Security Logs
No Log              | Enabled  | Disabled | No Forward Traffic or Security Logs
Log Security Events | Enabled  | Disabled | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for packets causing a security event.
Log Security Events | Enabled  | Enabled  | Security log events appear in Security Log. Forward Traffic Log generated for packets causing a security event.
Log all Sessions    | Disabled | N/A      | Forward Traffic Log generated for every single packet.
Log all Sessions    | Enabled  | Disabled | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for every single packet.
Log all Sessions    | Enabled  | Enabled  | Security log events appear in Security Logs. Forward Traffic Log generated for every single packet.
• Log severity level indicated in the level field of the log message
» Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd=“root”
filteridx=0
» Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 …….
» Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"
» Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01
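The three log samples above are space-separated key=value fields in which a quoted value may itself contain spaces (user="test user", msg="Data Leak Prevention Testing Message"). A naive split on spaces breaks such records. The parser below is an added example, not FortiOS code; the two sample records are constructed from the fields shown above, and the severity ordering used by at_least is this example's own assumption.

```python
import re

# Constructed sample records, assembled from the header and body fields shown in the
# slides above (added example, not FortiOS code; "vd" uses straight quotes here).
SAMPLE_LOGS = [
    'date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp '
    'level=warning vd="root" filteridx=0 policyid=12345 identidx=67890 sessionid=312 '
    'epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 '
    'srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
    'srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 '
    'dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp '
    'wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" '
    'identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" '
    'url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block '
    'severity=0 infection="carrier end point filter"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces and
# backslash-escaped quotes) or a run of characters without spaces or quotes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

def parse_log_line(line):
    """Return the record as a dict. Quoted values are unquoted; everything stays a string."""
    record = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            record[key] = raw[1:-1].replace('\\"', '"')
        else:
            record[key] = raw
    return record

# Severity names as they appear in the level field, lowest to highest.
# The ordering is an assumption of this example, not taken from the slides.
SEVERITY = ["debug", "information", "notice", "warning", "error",
            "critical", "alert", "emergency"]

def at_least(record, level):
    """True when the record's level is at or above the given severity."""
    current = record.get("level")
    if current not in SEVERITY or level not in SEVERITY:
        return False
    return SEVERITY.index(current) >= SEVERITY.index(level)

def blocked_by_policy(records, policyid):
    """Records of one firewall policy whose action was block (the DLP body above is one)."""
    return [r for r in records
            if r.get("policyid") == str(policyid) and r.get("action") == "block"]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_log_line(line)
        print(rec.get("level", "-"), rec.get("srcip"), "->", rec.get("dstip"), rec.get("msg", ""))
```

Feed it lines read from a syslog receiver or from an exported log file one at a time; the body-only samples parse to records without a level field, which at_least treats as not matching, so a severity filter never silently promotes an incomplete record.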
Alert Email
• Configuring Alert email is not possible until an SMTP server has been
set up.
SNMP Monitoring
• Firewall Policy setting decides if a log message is generated or not
• ‘Log Settings’ options decide if/where any log messages get stored
Logging Monitor
Monitor
GUI Monitors
Labs
(OPTIONAL)
• Lab 2: Remote Monitoring
» Ex 1: Remote Syslog and SNMP Monitoring
Firewall Policies
Module Overview
Module Objectives
Step #1 - Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPSec connection check
4. Destination NAT
5. Routing
Firewall Policies
• Address
» Policy match based on IPs
• User Identity
» Policy match based on authentication information (user)
• Device Identity
» Policy match based on OS/Type
• Match is based on IP and port information in the packets
• FortiGate uses Services to determine the port number of accepted or denied traffic
• Default of ALL services available, applies to all ports and protocols
• Select a Service from predefined list on FortiGate unit or create a custom service
• Web Proxy Service also available if Incoming Interface is set to web-proxy
• Group Services and Web Proxy Service Group to simplify administration
• One-time
» happens only once
Groups
Accept Deny
Source IP address
Source port
[Figure: Firewall policy with NAT enabled. wan1 IP address: 200.200.200.200; internal side: 10.10.10.10, 10.10.10.1; destination server: 11.12.13.14. Packet before NAT: Source IP address 10.10.10.1, Source port 1025, Destination IP address 11.12.13.14, Destination Port 80. Packet after NAT on wan1: Source IP address 200.200.200.200, Source port 30912, Destination IP address 11.12.13.14, Destination Port 80.]
[Figure: Firewall policy with NAT + IP pool enabled. wan1 IP address: 200.200.200.200; wan1 IP pool: 200.200.200.2-200.200.200.10; internal side: 10.10.10.10, 10.10.10.1; destination server: 11.12.13.14. Packet before NAT: Source IP address 10.10.10.1, Source port 1025, Destination IP address 11.12.13.14, Destination Port 80. Packet after NAT on wan1: Source IP address 200.200.200.? (an address from the pool), Source port 30957, Destination IP address 11.12.13.14, Destination Port 80.]
[Figure: Firewall policy with NAT + IP pool enabled + fixed port. wan1 IP address: 200.200.200.200; wan1 IP pool: 200.200.200.201; internal side: 10.10.10.10, 10.10.10.1; destination server: 11.12.13.14. Packet before NAT: Source IP address 10.10.10.1, Source port 1025, Destination IP address 11.12.13.14, Destination Port 80. Packet after NAT on wan1: Source IP address 200.200.200.201, Source port 1025 (unchanged), Destination IP address 11.12.13.14, Destination Port 80.]
[Figure: inbound connection. Source IP address 11.12.13.14 on wan1; Destination IP address 200.200.200.222, Destination Port 80; host 10.10.10.10 on internal.]
[Figure: Virtual IP. Source IP address 11.12.13.14 on wan1; Destination IP address 200.200.200.200, Destination Port 80; the VIP translates the destination 200.200.200.200 -> 10.10.10.10 on internal.]
• Used to allow connections through a FortiGate using NAT firewall policies
» FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
» Used for (1) Server Redundancy and Load Balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.
» VIP Group: A group of Virtual IPs for ease-of-use
Session Helpers
[Figure: session helper opening the media port negotiated in the control session. Addresses shown: 172.16.1.1, 172.16.1.2 and 201.11.1.3; labels: “Media traffic to 172.16.1.2, port 12546” and “Media traffic to 201.11.1.3, port 12546”.]
Traffic Shaping
HTTP
FTP
IM
Traffic Shapers
[Figure: several shared traffic shapers, each defined by a Guaranteed Bandwidth and a Maximum Bandwidth.]
Traffic Shapers
[Figure: a single traffic shaper with its Guaranteed Bandwidth and Maximum Bandwidth.]
Threat Management
• Tracks the “Score” for all devices within that VDOM by assigning
a value to various UTM events
• Hard drive required to monitor “Score” (FortiAnalyzer, FortiManager or FortiCloud)
• Done via the ‘Threat History’ widget (or FortiAnalyzer, FortiCloud, Reports)
» Requires SSD on a non SOHO model (SOHO=2 digit model number, Med=3, Ent=4) or VM
» Widget Monitors Top N hosts (configurable in options, max 100)
» 3 configurable time periods, separate refresh options
» Drill down
Endpoint Control
[Figure: endpoint checks (Up to date? Disallowed software installed?) on hosts with the FortiClient (FC) agent and on agentless hosts, across DMZ and INTERNET segments.]
Identification Techniques
• Agentless
» TCP Fingerprinting
» MAC address vendor codes
» HTTP user agent
» Requires “direct” connectivity to FortiGate
• Agent Based
» Uses FortiClient
» Location & Infrastructure Independent
• Email Collection
» Used in conjunction with device type Collected Emails
» Collects an email to be associated with the device
» Emails are not verified; the domain is checked for DNS resolution
Object Usage
• Drag and drop policy order from GUI (must click on Seq. #)
Monitor
• “diag debug flow” is used to look at all the decisions the firewall is
making
» Advanced, Multi-step process to setup command
• “diag debug flow” is used to look at all the decisions the firewall is
making
diag deb flow show function enable
diag deb flow filter addr 4.2.2.2
diag deb flow filter proto 1
diag deb flow trace start 10
diag deb enable
Level 4
# diag sniff packet any 'host 4.2.2.2' 4
interfaces=[any]
filters=[host 4.2.2.2]
8.013631 lan in 192.168.100.110 -> 4.2.2.2: icmp: echo request
8.014093 dmz out 192.168.3.99 -> 4.2.2.2: icmp: echo request
8.036665 dmz in 4.2.2.2 -> 192.168.3.99: icmp: echo reply
8.036790 lan out 4.2.2.2 -> 192.168.100.110: icmp: echo reply
Level 6
# diag sniff packet lan 'host 4.2.2.2' 6
interfaces=[lan]
filters=[host 4.2.2.2]
3.258531 lan -- 192.168.100.110 -> 4.2.2.2: icmp: echo request
0x0000 0009 0f4d ebdb 1803 737b cc34 0800 4500 ...M....s{.4..E.
0x0010 003c 4711 0000 8001 c895 c0a8 646e 0402 .<G.........dn..
0x0020 0202 0800 4cef 0001 006c 6162 6364 6566 ....L....labcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi
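The verbosity-4 output above gives one summary line per packet; verbosity 6 adds a hex dump of the whole frame. Both are worth parsing when you save a sniffer capture to a file for later analysis. The code below is an added example, not a FortiOS tool: it parses the summary lines, reassembles the frame from the hex dump shown above (embedded as constructed input), decodes the Ethernet, IPv4 and ICMP headers, and verifies the IP and ICMP checksums, which confirms that the dump was transcribed intact. Function names and the dictionary keys are this example's own.

```python
import re
import struct
import ipaddress

# Constructed input: the verbosity-6 sniffer output shown above, copied as-is.
LEVEL6_DUMP = """\
3.258531 lan -- 192.168.100.110 -> 4.2.2.2: icmp: echo request
0x0000 0009 0f4d ebdb 1803 737b cc34 0800 4500 ...M....s{.4..E.
0x0010 003c 4711 0000 8001 c895 c0a8 646e 0402 .<G.........dn..
0x0020 0202 0800 4cef 0001 006c 6162 6364 6566 ....L....labcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi
"""

# timestamp, interface, direction (in / out / --), src -> dst: description
SUMMARY_RE = re.compile(r"^(\d+\.\d+) (\S+) (in|out|--) (\S+) -> (\S+): (.*)$")
HEXWORD = re.compile(r"^[0-9a-f]{4}$")

def parse_summary(line):
    """One summary line -> dict, or None for lines that are not packet summaries."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    ts, iface, direction, src, dst, desc = m.groups()
    return {"timestamp": float(ts), "interface": iface, "direction": direction,
            "src": src, "dst": dst, "description": desc}

def frame_from_dump(dump):
    """Reassemble the raw frame from the 0xNNNN lines: up to 8 16-bit words per line;
    the trailing ASCII column is skipped (assumed never to look like a 4-char hex word)."""
    data = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEXWORD.match(tok):
                break
            data += bytes.fromhex(tok)
    return bytes(data)

def checksum_valid(data):
    """RFC 1071 one's-complement sum over the data, checksum field included, is 0xFFFF when intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def mac(b):
    return ":".join("%02x" % x for x in b)

def decode_frame(frame):
    """Ethernet II + IPv4 (+ ICMP) header fields, with both checksums verified."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    payload = ip[ihl:total_len]
    info = {
        "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "dst_ip": str(ipaddress.ip_address(ip[16:20])),
        "ttl": ip[8], "proto": proto, "total_len": total_len,
        "ip_checksum_ok": checksum_valid(ip[:ihl]),
    }
    if proto == 1:   # ICMP: type, code, checksum, rest of header, then data
        info["icmp_type"], info["icmp_code"] = payload[0], payload[1]
        info["icmp_checksum_ok"] = checksum_valid(payload)
        info["icmp_payload"] = payload[8:]
    return info

if __name__ == "__main__":
    print(parse_summary(LEVEL6_DUMP.splitlines()[0]))
    print(decode_frame(frame_from_dump(LEVEL6_DUMP)))
```

A failed checksum on a frame captured this way usually means a transcription error in the dump rather than a bad packet on the wire, which is exactly why checking it before drawing conclusions from a pasted capture is worthwhile.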
Labs
(OPTIONAL)
• Lab 2: Traffic Log
» Ex 1: Enabling Traffic Logging
Firewall Authentication
Module Overview
Module Objectives
Authentication
• Identifies a person or other entity
• Once the person or entity has been identified, the network device applies the
right firewall policies and profiles to allow or deny the access to each network resource
[Figure: local authentication: (1) the user sends username and password to the FortiGate, (2) the FortiGate answers OK.]
[Figure: remote authentication: (1) the user sends username and password to the FortiGate, (2) the FortiGate forwards username and password to the Remote Server, (3) the server answers, (4) the FortiGate answers OK.]
[Figure: remote authentication server types: RADIUS, LDAP, TACACS+, Directory Services (Active Directory), Single Sign On, Radius Server. Example groups: Paris, Visitors.]
• User groups are assigned one of four group types: Firewall, Fortinet Single Sign On
(FSSO), Guest and Radius Single Sign On (RSSO)
• Firewall user groups provide access to firewall policies that require authentication
• FSSO and RSSO are used for Single Sign On Authentication
Authentication Rules
• Define who has to authenticate
» They also define other aspects of authentication, including services,
schedules, destination address, profiles, logging and traffic shaping
[Figure: components of an Authentication Rule: Users/Groups, Destination Address, Services, Schedules, Logging, Security Profiles, Traffic Shaping.]
Disclaimers
Authentication Timeout
[Figure: one-time password authentication. The OTP Generator and the Validation Server use the same algorithm, the same seed and the same time; the user supplies the static password + OTP; both sides keep time in sync with an accurate NTP source.]
Adding a FortiToken
LDAP Review
• The LDAP tree usually tends to match the hierarchy of the customer’s
organization
• The root represents the organization itself, as it is defined as Domain
Components (dc), such as:
» dc=example, dc=com
• Additional levels can include:
» c (country)
» ou (organizational unit)
» o (organization)
• User accounts or groups usually have element names such as ‘uid’
(user ID) or ‘cn’ (common name)
[Figure: LDAP tree. Root dc=example,dc=com; branches ou=hr (uid=abush) and ou=it (uid=apiquet, uid=jsmith). Entry for jsmith: uid: jsmith, email: jsmith@example.com, objectClass: inetOrgPerson.]
DN: uid=jsmith, ou=it, c=france, dc=example, dc=com
LDAP Configuration
• Name of the attribute that identifies each user
• Parent branch where all users are located
• Credentials for an LDAP administrator
Radius Overview
[Figure: the User authenticates to the FortiGate unit; the FortiGate sends an Access-Request to the Radius server, which answers with Access-Accept, Access-Reject or Access-Challenge.]
Radius Configuration
Users
• Select an external authentication server if the password is not stored locally
• Enable two-factor authentication
User Groups
Policy Configuration
User Monitor
• Output sample
Fortigate# diagnose test authserver ldap Lab jsmith fortinet
authenticate 'jsmith' against 'Lab' succeeded!
Group membership(s) -
CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
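The LDAP Configuration slide names three settings (the attribute that identifies each user, the parent branch that holds the users, and an administrator's credentials), and the diagnose output above shows what a successful lookup returns. The following is an added example, not FortiOS code and not a real LDAP client: it models the search-then-bind sequence those three settings drive, against a constructed in-memory directory shaped like the LDAP tree from the review slide, and formats the result like the diagnose output. The setting names, passwords and group DNs are this example's own assumptions.

```python
# Constructed in-memory directory following the tree in the LDAP review above
# (added example; not FortiOS code and not a real LDAP client). Passwords are made up.
DIRECTORY = {
    "cn=admin,dc=example,dc=com": {"userPassword": "admin-secret"},
    "uid=jsmith,ou=it,c=france,dc=example,dc=com": {
        "uid": "jsmith", "email": "jsmith@example.com", "objectClass": "inetOrgPerson",
        "userPassword": "fortinet",
        "memberOf": ["cn=SSLVPN,ou=groups,dc=example,dc=com",
                     "cn=it-staff,ou=groups,dc=example,dc=com"],
    },
    "uid=apiquet,ou=it,c=france,dc=example,dc=com": {
        "uid": "apiquet", "objectClass": "inetOrgPerson", "userPassword": "pw2", "memberOf": [],
    },
    "uid=abush,ou=hr,c=france,dc=example,dc=com": {
        "uid": "abush", "objectClass": "inetOrgPerson", "userPassword": "pw3", "memberOf": [],
    },
}

# The three settings from the LDAP Configuration slide (the key names are this example's own).
LDAP_SERVER = {
    "name": "Lab",
    "user_attribute": "uid",                        # attribute that identifies each user
    "base_dn": "ou=it,c=france,dc=example,dc=com",  # parent branch where all users are located
    "bind_dn": "cn=admin,dc=example,dc=com",        # credentials for an LDAP administrator
    "bind_password": "admin-secret",
}

def normalize_dn(dn):
    """Lower-case and strip the spaces around components and '=' so DNs compare reliably."""
    comps = []
    for comp in dn.split(","):
        attr, _, value = comp.partition("=")
        comps.append(attr.strip() + "=" + value.strip())
    return ",".join(comps).lower()

def simple_bind(dn, password):
    """Simulated LDAP simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry.get("userPassword") == password

def search(base_dn, attribute, value):
    """Subtree search under base_dn for entries whose attribute equals value."""
    base = normalize_dn(base_dn)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and entry.get(attribute) == value]

def authenticate(server, username, password):
    """Search-then-bind: bind as the administrator, locate the user's DN under the base DN,
    then bind as that user. Returns (ok, reason, group DNs)."""
    if not simple_bind(server["bind_dn"], server["bind_password"]):
        return False, "admin bind failed", []
    matches = search(server["base_dn"], server["user_attribute"], username)
    if not matches:
        return False, "user not found under base DN", []
    if len(matches) > 1:
        return False, "ambiguous user", []
    user_dn = matches[0]
    if not simple_bind(user_dn, password):
        return False, "wrong password", []
    return True, "ok", list(DIRECTORY[user_dn].get("memberOf", []))

def report(server, username, password):
    """Lines in the shape of the diagnose output shown above."""
    ok, reason, groups = authenticate(server, username, password)
    verdict = "succeeded!" if ok else "failed (%s)" % reason
    lines = ["authenticate '%s' against '%s' %s" % (username, server["name"], verdict)]
    if ok:
        lines.append("Group membership(s) -")
        lines.extend(groups)
    return lines

if __name__ == "__main__":
    print("\n".join(report(LDAP_SERVER, "jsmith", "fortinet")))
```

The "user not found under base DN" case is the one that most often looks like a wrong password in practice: abush exists, but the configured parent branch is ou=it, so the search never sees the ou=hr entry. Widening the base DN to dc=example,dc=com fixes it, at the cost of searching the whole tree.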
Labs
SSL VPN
Module Overview
• VPN definition
• SSL VPN vs. IPSec VPN
• Web-only mode
• Tunnel mode
• Port Forward mode
• Split-Tunneling
• Client Integrity Checking
• SSL VPN portal
• SSL VPN configuration
• Access modes comparison
• SSL VPN monitor
Module Objectives
FortiGate VPN
[Figure: SSL VPN tunnel mode between a client on the Internet and the internal network, through the FortiGate.]
• Using a browser:
» The SSL VPN web portal will display the status of the SSL VPN ActiveX control
» The SSL VPN portal must remain open for the tunnel to function
• Using the standalone FortiClient SSL VPN client:
» The client must remain running for the tunnel to function
• Either way, a new virtual network adapter called fortissl is created in
the client PC:
» The FortiGate assigns the adapter a virtual IP address from a pool of reserved
addresses
Configuration Steps
[Figure: SSL VPN login page with an additional Token Code field (two factor).]
• Web page displayed after the client has logged into the SSL VPN
• Includes widgets to access different SSL VPN functionalities (such
as bookmarks and connection tools)
• Software download option for Tunnel mode
[Figure: SSL VPN settings: Virtual IP addresses to be assigned to Tunnel mode users.]
• All three SSL VPN modes require a firewall policy for
authentication
» Tunnel mode requires additional policies to allow traffic to/from the
SSL VPN interface
Web-only user
Labs
IPSec VPN
Module Overview
Module Objectives
IPSec VPN
• Solves requirements for:
» Authentication (sender authenticated)
» Data Integrity (data has integrity)
» Data Confidentiality (data confidential)
Diffie-Hellman
• The shared secret key is then used to calculate keys for symmetric
encryption algorithms (such as 3DES, AES) and symmetric
authentication (HMACs)
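The Diffie-Hellman bullet above states the whole chain: an exchange that gives both peers the same shared secret, and symmetric keys for encryption and for HMAC authentication derived from it. The code below is an added example, not FortiOS or IKE code, that carries that chain through once: both peers' exponentiations, a check that the secrets agree, an HKDF-style derivation (RFC 5869 with HMAC-SHA256) of separate encryption and authentication keys, and an HMAC over a message that the other peer verifies. The modulus is the Mersenne prime 2^127 - 1 with generator 3, a demonstration group chosen so the code runs instantly; it is an assumption of this example and far too small for real use, where IKE uses its standard MODP groups.

```python
import hashlib
import hmac
import secrets

# Demonstration group only (added example, not FortiOS/IKE code): the Mersenne prime
# 2^127 - 1 is far too small for real use; IKE uses its standard MODP groups instead.
P = (1 << 127) - 1
G = 3   # assumed to generate a large subgroup of this demonstration group

def dh_keypair(p=P, g=G):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # 2 .. p-2
    return x, pow(g, x, p)

def dh_shared_secret(private, peer_public, p=P):
    """Shared secret; peer values outside (1, p-1) are rejected before use."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)

def derive_keys(shared, nonce_i, nonce_r):
    """HKDF-style (RFC 5869, HMAC-SHA256) extract-and-expand of the DH secret into
    separate keys for symmetric encryption and for HMAC authentication."""
    ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(nonce_i + nonce_r, ikm, hashlib.sha256).digest()   # extract; salt = both nonces

    def expand(info, length):
        out, block, counter = b"", b"", 1
        while len(out) < length:
            block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
            out += block
            counter += 1
        return out[:length]

    return {"enc": expand(b"encryption key", 32), "auth": expand(b"hmac key", 32)}

def mac_tag(auth_key, message):
    """Integrity tag a sender attaches to a message."""
    return hmac.new(auth_key, message, hashlib.sha256).digest()

def mac_verify(auth_key, message, tag):
    """Constant-time check of a received tag."""
    return hmac.compare_digest(mac_tag(auth_key, message), tag)

def run_exchange(message=b"ESP payload"):
    """Both peers' side of one exchange.
    Returns (keys agree, genuine tag accepted, tag rejected after tampering)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)   # exchanged in the clear
    keys_a = derive_keys(dh_shared_secret(a_priv, b_pub), nonce_a, nonce_b)
    keys_b = derive_keys(dh_shared_secret(b_priv, a_pub), nonce_a, nonce_b)
    tag = mac_tag(keys_a["auth"], message)
    return (keys_a == keys_b,
            mac_verify(keys_b["auth"], message, tag),
            not mac_verify(keys_b["auth"], message + b"x", tag))

if __name__ == "__main__":
    print(run_exchange())
```

Two design points carry over to the real protocol: the nonces enter the derivation so that a reused DH value still yields fresh keys, and the encryption and authentication keys come from separate expansions so that neither key reveals the other.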
Phase 1
Phase 2
Configuration
[Figure: IPSec VPN configuration: IP address at the remote site; IPSec Interface.]
[Figure: IPSec monitor: Status; Key life remaining time.]
Labs
Antivirus
Module Overview
• Terminology
• Heuristic Scanning
• Sandboxing
• Botnet Connections
• Proxy-Based scanning
• Flow-Based scanning
• Conserve mode
• Memory Diagnostics
and more…
Module Objectives
• Malware
» Umbrella term for software that makes unauthorized changes to a
computer
• Virus
» Infects the computer and spreads on its own
» User interaction is not required
o Behavior is modeled after a biological virus
o Size: very small
• Grayware
» User interaction is required for installation
» Often comes bundled with installation of free software
o Size: highly variable (usually small)
• Trojan
» Spread to other hosts
» Does not replicate on the same host (multiple infections still possible)
• Worm
» Spread to other hosts
» Replicates on the same host, repeatedly
• Encrypted
» Payload is encrypted
• Polymorphic
» Payload uses changing encryption with each infection
» Requires polymorphic engine as part of payload
• Metamorphic
» Rewrites payload with each infection
» Requires metamorphic engine as part of payload
• Spyware
» Tracks user website behavior
• Adware
» Automatically injects advertisements in order to generate revenue
• Ransomware
» Restricts user access and demands payment to remove
• Rootkit
» Obtains root admin access
• Keylogger
» Captures keystrokes
• Mass Mailer
» Sends out large volumes of emails
Antivirus
Heuristics scanning
[Figure: heuristic detection adds up virus-like attributes: virus-like attribute + virus-like attribute + virus-like attribute.]
• Pass
» Enable Heuristic scanning and pass detected files
• Block
» Enable Heuristic scanning and block detected files
• Disable
» Turn off Heuristic scanning
Grayware scanning
Sandboxing
• Helps detect Zero day vulnerabilities and provides data for the
FortiGuard AV analysts
Botnet Connections
Proxy-Based scanning
Type        | 1 MB   | 2 MB   | 3 MB   | 4 MB   | 5 MB   | 6 MB   | 7 MB   | 8 MB   | 9 MB   | 10 MB  | ∞
exploit     | 99.83% | 99.95% | 99.97% | 99.97% | 99.98% | 99.98% | 99.99% | 100%   | 100%   | 100%   | 100%
mass-mailer | 99.62% | 99.87% | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%
phish       | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%   | 100%
spyware     | 95.08% | 97.97% | 98.88% | 99.47% | 99.76% | 99.83% | 99.89% | 99.91% | 99.94% | 99.95% | 100%
trojan      | 97.52% | 99.24% | 99.62% | 99.80% | 99.88% | 99.93% | 99.95% | 99.97% | 99.98% | 99.98% | 100%
virus       | 98.27% | 99.37% | 99.63% | 99.80% | 99.88% | 99.93% | 99.95% | 99.97% | 99.98% | 99.99% | 100%
worm        | 99.02% | 99.65% | 99.74% | 99.86% | 99.89% | 99.92% | 99.94% | 99.94% | 99.95% | 99.96% | 100%
[Figure: proxy-based scanning flow. Is the file larger than the oversize limit? If not, it goes to the Virus Scan: Infected, block the file/Email; Clean, pass the file/Email.]
Flow-Based Scanning
• File is scanned on a packet-by-packet basis as it passes through the FortiGate unit
• Faster scanning, but lower accuracy rate
» Difficulty in catching virus variants
• Only available on certain models
• Non-proxy scanning
[Figure: flow-based scanning: the infected file/Email is blocked.]
• Identification of archive types can usually be done with just file header
information
• Proper decompression takes entire file
• Password protected archives cannot be decompressed
• Archive is unpacked and the contents are scanned
• Scanning inside nested archives is supported (default 12 layers)
Regular
Extended
Extreme
• Automatically
Antivirus Profiles
# diag hard sys slab
(Google ‘unix slab’ for more information)
slabinfo - version: 1.1 (SMP)
kmem_cache 108 108 216 6 6 1 0 : 252 126
tcp6_session 0 0 928 0 0 1 0 : 124 62
ip6_session 0 0 864 0 0 2 0 : 124 62
sctp_session 0 0 992 0 0 1 0 : 124 62
tcp_session 380 628 960 122 157 1 35 : 124 62
ip_session 414 600 928 130 150 1 20 : 124 62
ip6_mrt_cache 0 0 384 0 0 1 0 : 124 62
fib6_nodes 118 118 64 2 2 1 0 : 252 126
ip6_dst_cache 60 60 320 5 5 1 0 : 124 62
ndisc_cache 34 34 224 2 2 1 0 : 252 126
ip_mrt_cache 0 0 352 0 0 1 0 : 124 62
tcp_tw_bucket 384 510 224 30 30 1 0 : 252 126
tcp_bind_bucket 672 672 32 6 6 1 0 : 252 126
tcp_open_request 624 624 160 26 26 1 0 : 252 126
…
…
Labs
Email Filtering
Module Overview
Module Objectives
[Figure: mail delivery path, numbered steps 1 to 6, for the two MX configurations below.]
;; ANSWER SECTION:
example3.com 3600 IN MX 50 relay.example2.net
example3.com 3600 IN MX 100 mail.example3.com
;; ANSWER SECTION:
example3.com 3600 IN MX 50 mail.example3.com
example3.com 3600 IN MX 100 relay.example2.net
Spam Actions
Email Filtering
[Figure: email filtering decides for each message: SPAM?]
• The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service
• FortiGuard Antispam Service compares the hash received to hashes of known spam messages
[Figure: the message “Our online pharmacy offers great prices on all your prescription medications.” is hashed and the hash is sent for comparison.]
• Confirms that sending email domain from the reply-to field resolves to
an IP Address
» Domain the email gets sent to, should resolve to an IP
• Does NOT perform any kind of comparison to sender’s IP
Banned words
• FortiGate unit blocks email based on words or patterns in the message
• A weight is assigned to any banned words in the message
• If threshold is exceeded, the message is marked as spam
• Define using Wildcards and regular expressions
• Patterns only count towards total score once
[Figure: sample message “Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs.” Banned words: Drugs (Score=10), Pharmacy (Score=5), Prescription (Score=5). Threshold=18. Total: 10 + 5 + 5 = 20, so the message is marked as spam.]
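The banned-word scoring above is easy to get wrong in two places: a word that appears twice must count once, and wildcard entries must be matched differently from regular-expression entries. The following is an added example, not FortiOS code, that reproduces the worked figure (drugs 10, pharmacy 5, prescription 5, threshold 18) and adds one regular-expression entry of its own; the wildcard semantics ('*' matches any run of non-space characters, '?' one character) and the list layout are this example's assumptions.

```python
import re

# Constructed banned-word list reproducing the worked example above, plus one
# regular-expression entry (added example, not FortiOS code).
BANNED_WORDS = [
    {"pattern": "drugs",         "kind": "wildcard", "score": 10},
    {"pattern": "pharm*",        "kind": "wildcard", "score": 5},
    {"pattern": "prescription",  "kind": "wildcard", "score": 5},
    {"pattern": r"v[i1]agr[a4]", "kind": "regex",    "score": 8},
]
THRESHOLD = 18

MESSAGE = ("Let us fill all your prescription drugs. Visit our online pharmacy "
           "for great prices on prescription medications. We offer the widest "
           "selection of popular drugs.")

def wildcard_to_regex(pattern):
    """'*' matches any run of non-space characters, '?' one character; the match must
    start and end on a word boundary so 'drugs' does not fire on 'drugstore'."""
    parts = []
    for ch in pattern:
        parts.append(r"\S*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return r"\b" + "".join(parts) + r"\b"

def compile_entry(entry):
    if entry["kind"] == "wildcard":
        return re.compile(wildcard_to_regex(entry["pattern"]), re.IGNORECASE)
    return re.compile(entry["pattern"], re.IGNORECASE)

def score_message(text, banned=BANNED_WORDS):
    """Total score and the patterns that hit. Each pattern counts once, however often it occurs."""
    total, hits = 0, []
    for entry in banned:
        if compile_entry(entry).search(text):
            total += entry["score"]
            hits.append(entry["pattern"])
    return total, hits

def is_spam(text, threshold=THRESHOLD, banned=BANNED_WORDS):
    """Spam when the accumulated score exceeds the threshold. Returns (verdict, score, hits)."""
    total, hits = score_message(text, banned)
    return total > threshold, total, hits

if __name__ == "__main__":
    print(is_spam(MESSAGE))
```

Because each entry is checked with a single search and contributes once, the second "prescription" and the second "drugs" in the sample add nothing, which is what brings the total to 20 rather than 35.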
Cache
• Caching reduces FortiGuard requests; can improve performance
• Small % of system memory dedicated to cache
• Query results cached until TTL setting is reached
• Alternate port 8888 for access to FortiGuard servers
[Figure: cached query keys: IP address (10.10.10.1), URL (www.acme.com), Message checksum (x65Fsd34c).]
# config system fortiguard
#   set antispam-cache [enable|disable]
#   set antispam-cache-ttl (300 - 86400)
#   set antispam-cache-mpercent (1-15%)
# end
FortiGuard: Connectivity
Locale : english
License : Contract
Expiration : Mon Apr 28 16:00:00 2014
SSL Options
• If virus scan is enabled, the scan happens as the last email filter check
» Clear actions associated with the email DO NOT BYPASS the virus scan
• White-listed senders can still get infected with a virus
» Spam actions associated with the email DO NOT BYPASS the virus scan
• Unless the action is DISCARD
• Spam email passing through could also have a virus
• If a virus is found, the email is considered spam (even with a clear action)
» Spam Action – Tag: infection is removed and replaced with a TXT file containing the AV block message
» Spam Action – Discard: SMTP connection is blocked with a 5xx response
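The ordering rules above as an added decision procedure (example code, not FortiGate's): the spam checks run first, DISCARD is the only spam outcome that ends the session before the scan, and a virus found by the final scan makes the message spam even for a cleared or white-listed sender. The scanner, the block message text and the choice of 550 as the 5xx reply are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed signature check standing in for the antivirus engine: it only knows the
# well-known EICAR test-file marker.
def constructed_av_scan(data: bytes) -> bool:
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data

AV_BLOCK_MESSAGE = "Attachment removed: virus detected by antivirus scan"  # constructed text

@dataclass
class Verdict:
    delivered: bool                 # False when the SMTP session is rejected
    smtp_code: Optional[int]        # 5xx reply sent to the client when rejected
    attachments: List[str]          # attachment names as they reach the recipient
    tagged_spam: bool

def filter_email(spam_hit: bool, spam_action: str, attachments: Dict[str, bytes],
                 scan: Callable[[bytes], bool] = constructed_av_scan) -> Verdict:
    """Email filter checks with the virus scan as the final step.

    spam_hit is the outcome of the earlier spam checks (False for a white-listed sender);
    spam_action is the profile's action, "tag" or "discard". 550 is used here as the
    5xx reply; the slide does not state which code FortiGate sends.
    """
    if spam_action not in ("tag", "discard"):
        raise ValueError("spam_action must be 'tag' or 'discard'")
    # A DISCARD verdict ends the session before the scan; every other path still scans.
    if spam_hit and spam_action == "discard":
        return Verdict(False, 550, [], True)
    infected = [name for name, data in attachments.items() if scan(data)]
    if infected:
        # A virus makes the message spam even when the earlier checks cleared it
        if spam_action == "discard":
            return Verdict(False, 550, [], True)
        kept = [f"{name}.txt ({AV_BLOCK_MESSAGE})" if name in infected else name
                for name in attachments]
        return Verdict(True, None, kept, True)
    return Verdict(True, None, list(attachments), spam_hit)
```

The white-listed case is the one worth reading twice: `spam_hit=False` with an infected attachment still comes back tagged, with the attachment replaced, because the clear action never reaches past the scan.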
• Email Filter log entries appear in Traffic Log > Forward Traffic log by default
» Intended to be brief/summary only
Labs
Web Filtering
Module Overview
Module Objectives
(Diagram: client request for www.acme.com: DNS Request, DNS Response, TCP 3-Way Handshake, HTTP GET, HTTP 200)
• Proxy-Based
» Highly secure
» Traffic is cached
• Flow-Based
» High throughput
» No caching
» Not as secure
• DNS-Based
» Very lightweight
» Hostname and IP address filtering
» No advanced options, URL, and FortiGuard only
(Diagram: URL filter entries for www.mypage.com/index.html and www.mypage.com, each with an action of Block, Allow, Monitor or Exempt)
(Diagram: actions available for www.mypage.com: Allow, Block, Monitor, Warning, Authenticate)
(Diagram: quota applied to the "Games" category)
Rating Submissions
Rating Override (1 of 2)
(Diagram: www.acme.com rated under Sub-Category: Information and Computer Security)
Rating Override (2 of 2)
Local Categories
Authenticate Action
(Diagram: Authenticate action example showing Marketing and www.hackthissite.org)
• Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles
Web filter processing order:
  Web URL Filter: Exempt -> Display Page (all later checks skipped); Block -> Block Page; Allow -> next check
  FortiGuard Filter: Block -> Block Page; Allow -> next check
  Advanced Content Filter: Block -> Block Page; Allow -> next check
  Virus Scan: Block -> Block Page; Allow -> Display Page
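The four-stage order from the flow above, and the URL filter entries from the earlier diagram (exact page exempted, rest of the site blocked), as one added example (illustrative code, not FortiGate's): exempt skips every later stage, a block at any stage returns the block page, and allow hands the request to the next stage. The filter tables, the category actions, the banned phrase, the scanner and the first-match-wins rule for URL filter entries are all constructed assumptions for this example.

```python
from typing import Dict, List, Sequence, Tuple, Callable

# Constructed profile contents (assumptions, not a FortiGate configuration): a URL filter
# table, FortiGuard category ratings for a few hosts, category actions and a content filter.
URL_FILTER: Sequence[Tuple[str, str]] = (
    ("www.mypage.com/index.html", "exempt"),   # exact page exempted
    ("www.mypage.com", "block"),               # rest of the site blocked
)
FORTIGUARD_RATINGS: Dict[str, str] = {
    "www.acme.com": "Information and Computer Security",
    "games.example": "Games",
}
CATEGORY_ACTIONS: Dict[str, str] = {
    "Games": "block",
    "Information and Computer Security": "allow",
}
BANNED_CONTENT: Sequence[str] = ("lose weight fast",)   # constructed content-filter phrase

def constructed_virus_scan(body: str) -> bool:
    """Stand-in for the antivirus engine: knows only the EICAR test-file marker."""
    return "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in body

def host_of(url: str) -> str:
    return url.split("/", 1)[0].lower()

def url_filter_action(url: str, table=URL_FILTER) -> str:
    """First matching entry wins (assumption for this example); no match means allow."""
    for prefix, action in table:
        if url.lower().startswith(prefix.lower()):
            return action
    return "allow"

def web_filter(url: str, body: str,
               virus_scan: Callable[[str], bool] = constructed_virus_scan) -> Tuple[str, List[str]]:
    """Run the four stages in the slide's order; return (page shown, decision trail)."""
    trail: List[str] = []
    action = url_filter_action(url)
    trail.append(f"url-filter:{action}")
    if action == "exempt":
        return "display page", trail        # exempt: every later stage is skipped
    if action == "block":
        return "block page", trail
    category = FORTIGUARD_RATINGS.get(host_of(url), "Unrated")
    action = CATEGORY_ACTIONS.get(category, "allow")
    trail.append(f"fortiguard:{category}:{action}")
    if action == "block":
        return "block page", trail
    hit = next((phrase for phrase in BANNED_CONTENT if phrase in body.lower()), None)
    trail.append(f"content-filter:{'block' if hit else 'allow'}")
    if hit:
        return "block page", trail
    infected = virus_scan(body)
    trail.append(f"virus-scan:{'block' if infected else 'allow'}")
    return ("block page" if infected else "display page"), trail
```

The trail is the part to look at when a page is unexpectedly shown or blocked: an exempt URL entry produces a one-step trail, which is exactly why exempting a whole host in a URL filter also removes it from the virus scan.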
Labs
Application Control
Module Objectives
Application Control
Order of Operations
Implicit Rules
• Implicit 1
» Matches traffic against every possible application control signature
• Implicit 2
» Matches traffic that does not conform to any application control signature
• Logging for the implicit rules can be disabled from the CLI:
Behavior Identification
Instant Messenger (1 of 3)
Instant Messenger (2 of 3)
Instant Messenger (3 of 3)
Monitor
Traffic Shaping
• Allows for traffic shaping to apply to only SOME of the traffic passing through a profile/policy
• Only traffic matching an application control signature is shaped
• Can track application bandwidth usage and use traffic shaping to control heavy traffic applications
• Can use all normal traffic shaping options: Shared, Per-IP, Reverse
How it Works
Peer-to-Peer Detection (1 of 3)
Peer-to-Peer Detection (2 of 3)
• Peer-to-peer transfer
» 1 Client
» N Servers
Peer-to-Peer Detection (3 of 3)
Labs