Fortigate Lab Setup Guide1

FortiGate
Lab Setup Guide

for FortiGate 5.4.1
FortiGate Lab Setup Guide
for FortiGate 5.4.1
Last Updated: 27 October 2016
® ® ®
Fortinet , FortiGate , and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fort inet names herein may also be tradem arks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
INTRODUCTION ........................
.....................................
..........................
..........................
..........................
.........................
.................4
.....4
MATERIALS .........................
......................................
..........................
.........................
.........................
..........................
......................5
.........5
System Requirements....................... .......................... .......................... .......................... ........6
Network Topology ...................................................................................................................6
LOADING THE VMS ........................

......................................
..........................
.........................
..........................
........................8
...........8
CONFIGURING VMWARE VIRTUAL NETWORKING .........................

......................................
...................10
......10
CONFIGURING THE VMS .........................

......................................
..........................
..........................
..........................
...............13
..13
Linux ........................................................................................................................................13
Local-FortiGate .......................................................................................................................19
Local-Windows ........................................................................................................................21
FortiManager ...........................................................................................................................31
FortiAnalyzer ...........................................................................................................................33
Restoring the Local-FortiGate License and Initial Configuration ............................................33
Remote-FortiGate ...................................................................................................................33
Remote-Windows ....................................................................................................................34
TESTING ........................
......................................
..........................
.........................
..........................
..........................
..........................
.............36
36
CREATING SNAPSHOTS .........................

......................................
..........................
..........................
.........................
.................37
.....37
APPENDIX A: ADDITIONAL RESOURCES ..........................

.......................................
.........................
.................38
.....38
 Introduction
Introduction
This guide explains how to configure the lab for the following Fortinet training courses:
 FortiGate I 5.4.1 (NSE4 preparation)
 FortiGate II 5.4.1 (NSE4 preparation)
In this environment, the FortiManager is acting as a local FortiGuard server. It validates the FortiGate
licenses and replies to FortiGuard Web Filtering rating requests from FortiGate VMs. The
FortiManager is configured in closed network mode, providing FortiGuard services to local FortiGate
VMs, without requiring Internet access.
To administer this lab as designed, you will:
1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Each time there is a class, deploy a copy of all VMs for each student.
FortiGate Lab Setup Guide 4

 Materials
Materials
To build the virtual lab required for this class, you must purchase or download:
 1 VMware workstation installation per student
For hardware system requirements, see System
see System Requirements.
 2 FortiGate VM licenses
 1 FortiAnalyzer VM license (registered with the IP address 10.0.1.210)
 1 FortiManager VM license (registered with the IP address 10.0.1.241)
 4 FortiCare contracts (one for each VM)
 1 FortiGuard Web Filtering and IPS contract,
contract, bound to the first FortiGate VM
Note:
Note: One of the FortiGate VMs requires a valid FortiGuard Web Filtering and IPS
contract. This license will be installed on the Local-FortiGate. The other VMs do not
require a FortiGuard service contract.
 2 Windows Server 2012 VM

 1 Linux VM image (prebuilt image is provided by Fortinet Training)
 VM firmware image files (provided by Fortinet Training, or Fortinet Technical Support's web site):
o FortiGate 5.4.1
o FortiAnalyzer 5.4.0
o FortiManager 5.4.0
 1 Resources folder (prebuilt files are provided by Fortinet Training):
o Initial configuration files for each lab
o Solution configuration files for each lab
o Additional files required for the labs
 Software to install on the Windows VM:
o Mozilla Firefox 46.0.1 (https://www.mozilla.org/en-US/firefox/new/ )
o Mozilla Thunderbird 45.1.0 (https://www.mozilla.org/en-US/thunderbird/
https://www.mozilla.org/en-US/thunderbird/))
o PuTTY 0.67 (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html )
o ActivePerl 5.22.1.2201 (http://www.activestate.com/activeperl/downloads )
o Perl script for converting FortiGate sniffer output to Wireshark PCAP (packet capture)
capture)
format. File name: fgt2eth.pl
(http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=1
1186))
1186
o Windows Server
Server 2012 patch KB9089134
KB9089134 (installation file provided inside the Lab Setup
Guide ZIP package)
o Wireshark 2.0.3 (https://www.wireshark.org/download.html )

 Materials
o nikto 2.1.5 (http://www.cirt.net/nikto2

http://www.cirt.net/nikto2))
o Notepad++ 6.9.1 (https://notepad-plus-plus.org/download/v6.9.html )
o FileZilla Client 3.17.0.1 (https://filezilla-project.org/download.php
https://filezilla-project.org/download.php))
o Adobe Reader (https://get.adobe.com/reader/
https://get.adobe.com/reader/))
o Adobe Flash Player 17.0.0 (http://get.adobe.com/flashplayer/
http://get.adobe.com/flashplayer/))
o FortiClient 5.4.0 build 0780 (https://support.fortinet.com
https://support.fortinet.com)).
o Java 8 update 91
o GNU Wget 1.11.4 (http://gnuwin32.sourceforge.net/packages/wget.htm )
Some of these files are provided in the Lab Setup Guide ZIP package.
System Requirements
Each workstation running VMware Workstation requires:

 1 Ethernet interface
 8 GB RAM
 300 GB storage (hard disk, SAN, etc.)
Network Topology

 Materials
port2
10.200.1.241
FortiManager FortiAnalyzer
LOCAL-WINDOWS port1 port1
10.0.1.10 10.0.1.241 10.0.1.210
10.0.1.254/24 port3
port3 10.200.1.210
LOCAL-FORTIG ATE
port2 port1
10.200.2.1/24 10.200.1.1/24
LINUX
10.200.2.254 10.200.1.254
eth2 eth1
eth0
eth4 eth3
10.200.4.254 10.200.3.254
REMOTE-FORTIGATE
10.200.4.1/24 10.200.3.1/24
port5 port4
REMOTE-WINDOWS
10.0.2.10 port6
10.0.2.254/24

 Loading the VMs
Loading the VMs
The Lab Setup Guide ZIP package provides a prebuilt image of the Linux VM, which does not require
additional configuration; you only need to load it and deploy it. This guide provides the steps for
building the Linux image from scratch, in case you do not want to use the prebuilt image.
For the other VMs (Windows, FortiGates, and so on), you must load, configure, and save the OVF files
before you deploy them. Use standard VMware steps for the installation media, an ISO file, or Fortinet
OVF file.
Create Windows VMs
To create a Windows VMs on VMware Workstation 11:

1. Go to File > New Virtual Machine.
Machine.
2. Click Custom,
Custom, then click Next
3. Select Workstation 11 hardware compatibility.
compatibility.
4. Click Next, then
Next, then select Installer disk image file (ISO).
5. Click Next,
Next, then specify the VM name.
6. Accept all other default settings.
7. Click Finish to
Finish to build the VM.
Name the VM according to the diagram (Local-Windows and Remote-Windows).
Create FortiGate, FortiManager, and FortiAnalyzer VMs
To create FortiGate, FortiManager, and FortiAnalyzer VMs on VMware Workstation 11:

1. Go to File > Open.
Open.
2. Select the Open Virtualization Format file
Format file format.
3. Select the file name, such as FortiGate-VM.ovf .
Name the VM according to the diagram (Local-FortiGate, Remote-FortiGate, FortiAnalyzer,
FortiManager).
Install the prebuilt Linux image
To install the prebuilt Linux image on VMware Workstation 11:

4. Go to File > Open.
Open.
5. Select the Open Virtualization Format file
Format file format.
6. Select prebuild image: Linux.ovf .
Name the VM Linux.
Linux.

 Loading the VMs

 Configuring VMware Virtual Networking
Configuring VMware Virtual Networking
Once you've loaded the VMs, you must configure their virtual network adapters to make the lab's
required virtual network topology.
Inside each student’s virtual lab, t here are seven VMs.
The topology supports both HA and non-HA topology, which the students will switch between during
the labs by reconfiguring their VMs; no VMware reconfiguration is required.
The key to this flexible networking is the six LAN segments used in the current setup, plus the
predefined interfaces: vmnet0 and vmnet1.
 vmnet0 bridges the physical NIC which provides the default route to the Internet.
 vmnet1 is a host-only private network shared between the host and the guest systems.
By mapping the guest VM s’ virtual NICs to virtual LAN segments, you create the topology.
Configure VMWare Virtual Networking
1. Create one additional virtual NIC on each of your Windows VMs:

 Local-Windows: Add 1 more NIC (2 NICs total).
 Remote-Windows: Add 1 more NIC (2 NICs total).
2. Ensure that the prebuilt Linux VM has five NICs. If not, add the as many as needed to have five.
3. Create the LAN segments:
 Right-click the Local-Windows VM
Local-Windows VM and select Settings.
Settings.
 Select any of the two Network Adapters.
Adapters.
 Click LAN Segments.
Segments.
 Click Add as
Add as many times as needed to create the six LAN segments:


 Click OK twice to close the windows.
4. Map the LAN segments to each vNIC:

 For Local-Windows,
Local-Windows, edit the first network adapter, choose LAN Segment 3, then click OK. This
maps this interface to that LAN segment. Also edit the second network adapter and map this
to the default host-only network (VMnet1.
(VMnet1.)
 For the Remote-Windows, map the first network adapter to LAN Segment 6, and the second
second
to VMnet1.
 For both FortiGates (Local-FortiGate and Remote-FortiGate) map the first seven network
adapters in the following way:
Network Adapter LAN Segment
1 1
2 2
3 3
4 4
5 5
6 6
7 3

 For FortiManager VM,
VM, map these network adapters:
1 3

2 1
 For FortiAnalyzer, map these network adapters:
2 3
4 1
This actually maps FortiAnalyzer port1 to LAN3, as VMWare port2 corresponds to FortiAnalyzer port1.
It also maps port3 to LAN1, as VMWare port4 corresponds to FortiAnalyzer port3.
 For the Linux VM, map these network adapter:
1 VMnet0
2 1
3 2
4 4
5 5

 Configuring the VMs
Configuring the VMs
Before you deploy the VMs, you must first install the required software and files on your Windows VM.
You must also configure some initial settings on your Fortinet VMs so that they have network
connectivity, and load their VM license.
Note:
Note: The prebuilt VM is already configured. However, if you need to modify or
understand the configuration of the prebuilt VM, this section provides the necessary
details. The root password for the prebuilt VM is: password.
password .
Linux
Configure networking
1. From the network configuration tools, configure the interface IP addressing.

eth0 = LAN0 = Management network
eth1 = LAN1 = 10.200.1.254/24
eth2 = LAN2 = 10.200.2.254/24
eth3 = LAN4 = 10.200.3.254/24
eth4 = LAN5 = 10.200.4.254/24
2. Activate the network adaptors.
3. Enable routing and add iptables NAT policy:
vi /etc/sysctl.conf and set net.ipv4.ip_forward = 1

4. Enter the following command to reload the sysctl configuration:
sysctl -p /etc/sysctl.conf
5. Clear the existing iptables rules:
iptables –F
iptables –t nat –F
6. Add a single NAT rule to NAT all outing packets with the a ddress obtained by DHCP on eth0:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

7. Check that the NAT rule is there:
iptables –t nat –L
service iptables save

(or # /sbin/service iptables save.)

8. In order to be able to clone the image, edit the following files:
/etc/sysconfig/network-scripts/ifcfg-eth0
In each of these files, find a line that says HWADDR=mac-address-here and delete the whole
HWADDR line.
Install HTTP and FTP services
1. Enter the following commands:
yum install httpd
chkconfig --levels 345 httpd on
yum install vsftpd
chkconfig --levels 345 vsftpd on
touch /var/ftp/pub/test.text
Configure FTP service
1. Disable security-enhanced Linux (SELinux):
setenforce 0
2. Edit the file:
/etc/selinux/config
and change the SELINUX setting to disabled:
SELINUX=disabled
3. Create two VSFTPd configuration files based on the default one:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-222.conf
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-21.conf

4. Delete the default configuration file:
rm /etc/vsftpd/vsftpd.conf
5. Edit the configuration file vsftpd-222.conf and add the following lines at the end of the file:
port_enable=YES
port_promiscuous=YES
pasv_enable=NO
listen_port=222
listen_address=10.200.3.254
6. Edit the configuration file vsftpd-21.conf and add the following line at the end of the file:
listen_address=10.200.1.254
7. Restart the FTP server:
/sbin/service vsftpd restart
Configure Syslog
1. The syslog package should already be installed. Enable remote logging on the service:
vi /etc/sysconfig/syslog and add ‘-r’ to the SYSLOG OPTIONS
2. Add the following line to the syslog.conf :
local6.* /var/log/fortinet
3. Restart syslog:
/sbin/service syslog restart

4. Check the service is listening:
netstat –anp | grep 514

5. Configure SNMP-Utils:
yum install net-snmp-utils
Configuring email
1. Enter the following commands:
yum install dovecot postfix
yum remove sendmail

2. Edit /etc/dovecot.conf to have the line:

protocols = imap imaps pop3 pop3s

3. Make that change operational for the current session by running the command:
/sbin/service dovecot restart

4. Make that change operational after the next reboot by running the command:
chkconfig dovecot on
5. Edit the /etc/postfix/main.cf file using vi.
 Uncomment :
mydomain = domain.tld
and replace domain.tld with the domain training.lab:
mydomain = training.lab
 Uncomment:
myorigin = $mydomain
 Uncomment:
myhostname = host.domain.tld
replace host.domain.tld with the hostname linux.training.lab :
myhostname = linux.training.lab
 Uncomment :
mydestination = $myhostname, localhost.$mydomain, localhost,

$mydomain
 Comment (add a # at the beginning):
# mydestination = $myhostname, localhost.$mydomain, localhost,

$mydomain
 Uncomment:
mynetworks = 168.100.189.0/28
replace 168.100.189.0/28 with 10.0.0.0/8, 127.0.0.0/8
mynetworks = 10.0.0.0/8, 127.0.0.0/8
 Uncomment:
inet_interfaces = all
 Comment:
inet_interfaces = localhost line.

6. Restart the postfix service:
/sbin/service postfix restart

Configuring OpenSSL
1. From the /root directory:
mkdir ssl
cd ssl
mkdir certs
mkdir newcerts
mkdir requests
mkdir keys
touch index.txt
touch serial
echo ‘01’ > serial
cp /etc/pki/tls/openssl.cnf
2. Edit file /root/ssl/openssl.cnf and set:
dir = /root/ssl,
search for the [ v3_ca ] section and uncomment:
keyUsage = cRLSign, keyCertSign
Configure accounts
1. Open a terminal and type:
system-config-users
2. In the User Manager dialog
dialog box, click Add User and
and add the following accounts:
User Password
admin fortinet1
student fortinet1
FortiGate fortinet1
Download the EICAR file
1. From the Linux GUI open Mozilla Firefox browser.

2. Navigate to http://eicar.org.

3. Download the eicar.com antivirus test file.

4. Store the file in /var/ftp/pub.
Configure a webpage to upload files
1. Go to /var/www/html
to /var/www/html..
2. Right click and click Create Document > Empty File.
File.
3. Name it result.html .
4. Right click and select Open with "Text Editor".
Editor".
5. Copy and paste the html syntax as below:
<html>
<head>
<title> Result from upload </title>
</head>
<body>
File Upload Processed!
</body>
</html>
6. Click Save.
Save.
7. Click Close.
Close.
8. Still in /var/www/html,
in /var/www/html, right-click and selec Create Document >
Document > Empty File.
File.
9. Name it fileupload.html.
fileupload.html .
10. Right click and click Open with "Text Editor".
Editor" .
11. Copy and paste the html syntax as below:
<html>
<head>
<title> Test for file upload DLP Lab </title>
</head>
<body>
<font face='Comic Sans MS'>
<h1> DLP Upload Test Page</h1>

<h2>In order to test the DLP Sensor either upload a file

or type in the text to be blocked into the text area and press
submit, if the post would have been successful you will see a upload
processed page</h2><br>
<h4>File Upload</h4>
<form action='result.html' method='post'

enctype='multipart/form-data'>
<input type='file' name='TestFile'/><br>
<input type='submit' value='Submit the file'><br>
</form>
<h4>Text Input</h4>
<form action='result.html' method='post'

enctype='multipart/form-data'>
<input type='textarea' name='TestArea'/><br>
<input type='submit' value='Submit the

TextArea'><br>
</form>
</font>
</body>
</html>
12. Click Save.
Save.
13. Click Close.
Close.
Local-FortiGate
1. Start the Local-FortiGate VM

Local-FortiGate VM and open the VM console.
2. Enter:
exec formatlogdisk
This formats the virtual disk, which is required to store data such as local reports or logs. The
device will reboot after the format is complete.
3. Enter this configuration to configure the network interfaces:
config system interface
edit port1

set ip 10.200.1.1 255.255.255.0
set allowaccess http
next
edit port3
set ip 10.0.1.254 255.255.255.0
set allowaccess http
next
end
config router static
edit 1
set gateway 10.200.1.254
set device port1
next
end
config firewall policy
edit 1
set srcintf port3
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end

Local-Windows
The Local-Windows VM
Local-Windows VM is used as the student's network management computer in the lab. Students
will initiate most client network connections from it, and administer Fortinet VMs.
Perform Initial Setup
1. On this VM, verify that the correct local time and time zone is set, and that the screen has a
resolution of at least 1280x1024. (This ensures proper display of the FortiOS GUI.)
2. Change the administrator account password to password . (Disable password complexity check if
required.)
3. Configure the IPv4 network settings for LAN3:
 IP address: 10.0.1.10
 Netmask: 255.255.255.0
 Default gateway: 10.0.1.254
 DNS: 10.0.1.254
4. Configure the IPv6 network settings for LAN3:
 Obtain an IPv6 address automatically
 Obtain DNS server address automatically
5. Install the following software:
 Firefox
 PuTTY
 ActivePerl
 Nikto
 Thunderbird
 FileZilla
 Wireshark
 Adobe Reader
 Adobe Flash
 Notepad++
 Java
6. VMnet1 is your guest access network. When editing this network adapter, choose a unique
address. Do not configure a gateway.
7. Open Windows Firewall and disable Windows Firewall in all the network types.
Install AD, Web, and DNS Services
1. Open Server Manager and

and select Add roles and features.
features .
2. Click Next.
3. Select Role-based or feature-based installation.
4. Click Next.
5. Select the server with the IP address 10.0.1.10.
6. Click Next.

7. On the Server Roles screen,

Roles screen, select Active Directory Domain Services,
Services , DNS Server, and
Server, and Web
Server (ISS).
(ISS). Add all the features for those three roles.
8. Click Next.
9. Click Next until
Next until you get the Confirmation screen.
Confirmation screen.
10. Click Install.
Install. Wait until the installation finishes.
11. From the Server Manager, click
Manager, click the flag icon with the exclamation point and select Promote this
server to a domain controller :
12. Select Add a new forest.

forest .
13. Type trainingAD.training.lab
trainingAD.training.lab as
as the domain name.
14. Click Next.
15. Type any DSRM password and click Next.
16. Omit the DNS warning and click Next.
Next.
17. Accept all the remaining default val ues and click Next until
Next until you get the Prerequisites Check
screen.
18. Click Install.
Install. Wait until the installation finishes.
Create the Student User
1. Open Active Directory Users and Computer .

2. Expand the trainingAD.training.lab
trainingAD.training.lab tree.
tree.
3. Right click the Users container.
Users container. Select to New > User.
4. Create the user student for the class, with password password. Disable User must change
password at next logon and enable Password never expires.
Create the ADadmin User

trainingAD.training.lab tree.
tree.
3. Right click the Users container.
Users container. Select to New > User.
4. Create user ADadmin for the class, with password Training! . Disable User must change

password at next logon and enable Password never expires.
Create the Training Organizational Unit and

a nd Additional Users

2. Right-click trainingAD.training.lab
trainingAD.training.lab from
from the tree.
3. Select New >
New > Organizational Unit.
Unit.
4. Name the organizational unit Training.
Training.
5. Right-click Training from
Training from the tree and select New >
New > User .
6. Create the following user:
7. Type Training! as the password. Disable User must change password at next logon and
enable Password never expires.
expires .
8. Repeat the process to create another user in the Training organizational
Training organizational unit, but this time call the
user aduser2. Use the same password ( Training! ).
Create an Active Directory group

trainingAD.training.lab tree
tree and right click the Training container.
Training container.
3. Select New >
New > Group.
Group.
4. Create a new security group called AD-users.
5. Click OK.
OK.

6. Double-click the AD-user group

group from the right pane.
7. Select the Members tab
Members tab and add aduser1 and
aduser1 and aduser2.
aduser2.
8. Click OK.
OK.
Install Remote Desktop Services
1. Open the Server Manager.

2. Select Add roles and features.
3. Select Role-based or feature-based installation.
4. Select the server 10.0.1.10.
5. Select Remote Desktop Services. Click Next three times.
6. For the Role Service,
Service, select Remote Desktop Session Host. Click Next.
Next.

7. Confirm the installation and reboot the VM after the installation finishes.
Enable Remote Desktop Access to the Student User

2. Go to Active Directory Users and Computers > trainingAD.training.lab > Users.
3. Right-click the user student and
student and select Add to a group.
group .
4. Add the student user
student user to the Remote Desktop Users group.
Users group.
5. Go to the Start menu
Start menu and right-click This PC.
PC. Select Properties.
Properties.
6. Click Remote Settings.
7. Select Allow remote connections to this computer.
8. Clear the Allow connections only from computers running checkbox.
9. Click Apply.
Apply.
Configure Thunderbird
1. Open Mozilla Thunderbird and click the three bars icon in the upper right of the application.
2. Select Options >
Options > Account Settings.
Settings.
3. Select Outgoing Server (SMTP) and
(SMTP) and click Add. Configure
Add. Configure the following settings:
Setting Value
Server Name 10.200.1.254
Port 25

Connection security None
Authentication Method Password, transmitted insecurely
Username student
4. Click OK.
5. From the bottom of the left menu of the Account Settings dialog,
Settings dialog, click Account Actions >
Actions > Add
Mail Account.
Account.
6. Add the following account:
Your name admin
Email address admin@training.lab
Password fortinet1
7. Click Continue.
Continue.
8. Add the following incoming and outgoing server settings:
9. Click Done.
Done. Accept the certificate exception.
10. Select Account Actions >
Actions > Add Mail Account again
Account again to create a second user.
11. Add the second account:
Your name student
Email address student@training.lab
Password fortinet1
12. Click Continue.

Continue.
13. Add the following incoming and outgoi ng server settings:
14. Click Done.

Done.
Configure FileZilla
1. Open FileZilla.
2. Click on the upper left icon to open the site manager.

3. Add this site and name it F TPsite:

Host: 10.200.3.254
Port: 222
Protocol: FTP
Encryption: Use plain FTP
Logon type: Anonymous
Before saving the site, click on the Transfer Settings tab
Settings tab and select Active as
Active as the transfer
mode.
4. Add this second site and name it Linux:
Host: 10.200.1.254
Port: Leave it empty
Protocol: FTP
Encryption: Use plain FTP
Logon type: Anonymous
Before saving the site, click on the Transfer Settings tab
Settings tab and select Default as
Default as the transfer
mode.
Configure SMB file share
The Local-Window machine
Local-Window machine requires adding SMB file share.
To create share folder
1. Open File Explorer .

2. Go to C drive.
3. Create new folder with name of DLPshare.
DLPshare.
To add the file share
1. Go to Server Manager > File and Storage Services.

Services .
2. Click Shares.
Shares.
3. From the TASKS dropdown
TASKS dropdown menu, New Share.
Share.
A wizard opens.
4. Select SMB Share-Quick.
Share-Quick.
5. Click Next.
Next.
6. Select Type a custom path.
path .

7. Click Browse and
Browse and select dlpshare folder.
dlpshare folder.
8. Click Select Folder .
9. Click Next until
Next until you get to Permissions screen.
Permissions screen. On the Permissions screen,
Permissions screen, make sure
BUILTIN\Administrators have
BUILTIN\Administrators have full access.
10. Click Next.

Next.
11. Click Create.
Create.
12. Click Close on
Close on View Result screen.
screen.
Disable HSTS in Firefox
1. Open Firefox.
2. Open the about:config page.
3. Right click New -> Integer , add an item named test.currentTimeOffsetSeconds
test.currentTimeOffsetSeconds and
and value
11491200,
11491200, confirm.
4. Clear the cache.
Disable certificate pinning
1. Open Firefox.
2. Open the about:config page.
3. Search security.cert_pinning.enforcement_level
security.cert_pinning.enforcement_level..
4. Edit and change value to 0.
5. Clear the cache.
Create a Bookmark in PuTTY
1. Open PuTTY.
2. Complete the following:
Host Name (or IP address field) 10.0.1.254.

Saved Sessions LOCAL-FORTIGATE
3. Click Save.
Save.
4. Repeat steps 2 and 3 for the following VMs:
Host Name (or IP address field) 10.200.3.1
Saved Sessions REMOTE-FORTIGATE
Host Name (or IP address field) 10.0.1.210.
Saved Sessions FORTIANALYZER
Saved Sessions FORTIMANAGER
Saved Sessions LINUX
Install the CA certificates in Firefox
1. From Local-Windows,
Local-Windows, open Firefox and connect HTTP to Local-FortiGate.
Local-FortiGate .
2. Go to System > Certificates.
3. Select the certificate Fortinet_CA_SSL and click Download.
4. Click Open menu in
menu in Firefox and select Options.
Options.

5. Go to Advanced > Certificates and
Certificates and click View Certificates.
Certificates.
6. Select the Authorities tab
Authorities tab
7. Click Import and
Import and select the Fortinet_CA_SSL certificate.
8. Enable the three options:
 Trust this CA to identify websites.
 Trust this CA to identify email users.
 Trust this CA to identify software developers.
Click OK.
OK.
Install Additional Files
1. After that, copy the Resources folder

Resources folder that comes with the Lab Setup ZIP file to the desktop.
2. Copy the Perl script to convert FortiGate sniffer capture to PCAP to the Active Perl bin folder:
c:\Perl64\bin
3. Add shortcuts to the W indows task bar and desktop for the fol lowing applications: File Explorer,
Firefox, PuTTY, command prompt, Notepad++, Windows Remote Desktop Connection, and
FileZilla.
4. Add the following paths to t he Path System variable:
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPS\nikto-
2.1.5
C:\Program Files (x86)\GnuWin32\bin
C:\Users\Administrator\Desktop\Resources\FortiGate-I\Logging

C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPv6
5. Open Mozilla and add the following four bookmarks to the bookmarks toolbar:
 Local-FortiGate: http://10.0.1.254
 Remote-FortiGate: http://10.200.3.1
 FortiManager: https://10.0.1.241
 FortiAnalyzer: https://10.0.1.210
FortiManager
Even though FortiManager is not the focus of FortiAnalyzer and FortiGate courses, it is required for
the lab setup due to the use of closed network mode. More information about the FortiManager closed
network mode can be found in this document:
http://docs.fortinet.com/uploaded/files/2153/LicensingIsolatedFortiGates.pdf
Request closed network entitlement files
After you have purchased VM licenses and register ed them on https://support.fortinet.com

https://support.fortinet.com,, you must
request closed network entitlement files. These files are required for manually uploading FortiGate
license validation information to FortiManager in close network mode:
1. On the Fortinet Technical Support web site (https://support.fortinet.com/ ) create a ticket with
Fortinet Technical Support by going to Assistance > Create Ticket > Customer Service >
Submit Ticket.
Ticket.
2. Enter the Serial Number . Under Category,
Category, select CS Contact/License.
Contact/License.
3. In the Comment field,
Comment field, ask for an entitlement file for
file for your FortiGate VMs. Provide the serial
number and license number. If you don't remember them, you can find them in Asset > Manage
View Products > <Select product>.
product> .
Example:
Serial Number: FGVM010000024628
License Number: FGVM0035444
Note:
Note: Alternatively, as with registration, you can attach a spreadsheet that contains serial
and license numbers if you want to ask for entitlement files for two or more FortiGate VMs
at the same time. Fortinet Technical Support will provide one entitlement file that contains
validation information for all of your FortiGate VMs. All FortiGate VMs must be registered
with the same account;devices registered under different accounts cannot be combined
into the same entitlement file.
Within a day or two, you should receive an entitlement file from customer service.
Configure initial settings
1. Start the FortiManager and open the VM console. From the console make the following
changes:

edit port1
set ip 10.0.1.241 255.255.255.0
set allowaccess http https ssh ping telnet
next
end
2. Connect to the GUI from the Local-Windows VM and restore the FortiManager-initial.dat
file from the folder Resources/FortiManager/ .
3. Upload a valid FortiManager VM license.
Configure FortiManager as a local FDN server
1. Log into the FortiManager GUI and click FortiGuard > Advanced Settings.
Settings.
2. Clear the Disable Communication with FortiGuard Servers checkbox
Servers checkbox and click Apply.
Apply.
3. Click on Enable AntiVirus and IPS Update Service
4. Click the Enable AntiVirus and IPS Update Service for FortiGate dropdown
FortiGate dropdown and select the
checkbox under Download for OS 5.0.
5.0.
5. Select the checkboxes for Enable Web Filter Service and
Service and Enable Email Filter Service.
6. Click Apply.
Apply.
7. Wait until FortiManager has downloaded and synchronized all the service packages and updates.
This could take several hours.
8. Under FortiGuard > Advanced Settings, check
Settings, check that the status of Enable AntiVirus and IPS
Service,
Service, Enable Web Filter Service,
Service , and Enable Email Filter Service show
Service show synchronized.
9. Check the status of the downloads under FortiGuard > Query Server Management > Receive
Status.
10. Check the status of downloads under FortiGuard
FortiGuard > Package Management > Receive Status.
Status.
11. If the status under FortiGuard > Advanced Settings is
Settings is stuck in the Connected state, and not
changing to the Syncronized state,
Syncronized state, even after waiting a few hours,
hours, you can manually trigger the
update:
diagnose fmupdate fds-updatenow
diagnose fmupdate fgd-updatenow

12. After the packages and updates are s ynchronized, click FortiGuard > Advanced Settings and
Settings and
check Disable Communication with FortiGuard Servers.
Servers .
13. Click Apply.
Apply.
14. Go to FortiGuard > Advanced Settings > Upload Options for
Options for FortiGate/FortiMail > Service
License and upload both FortiGate entitlement files.
15. To verify the configuration, once you've configured other Fortinet VMs with an override to use
FortiManager as their local FDN server, you can reboot them or use their CLI commands to

force them to send a new VM license validation request to FortiManager. If validation succeeds,
the license status indicated on the dashboard should say Valid.
Valid.
FortiAnalyzer
1. Start FortiAnalyzer and
and open the VM console. From the console make the following changes:
edit port1
set ip 10.0.1.210 255.255.255.0
set allowaccess http https ssh ping telnet
next
end
2. Connect to the GUI from the Local-Windows VM
Local-Windows VM and restore the file from the folder
Resources/FortiAnalyzer/FortiAnalyzer-initial.dat .
3. Upload the FortiAnalyzer VM license.
Restoring the Local-FortiGate License and Initial Configuration
1. On the Local-Windows VM, open a web browser and connect to the FortiGate VM's GUI.
2. Upload the initial configuration file that's located in Resources/FortiGate-I/Introduction/local-
initial.conf .
3. After that, upload the VM license.
FortiGate should query FortiManager to validate its VM license and FortiGuard service contracts.
Remote-FortiGate
1. Start the Remote-Windows FortiGate VM and open the VM console.

2. Enter exec formatlogdisk to format the virtual disk, which is required to store data such as
local reports or logs. The device will reboot after the format is complete.
3. From the console, enter these commands:
edit port4
set ip 10.200.3.1 255.255.255.0
set allowaccess ping https ssh http fgfm

next
end
config router static
edit 1
set device port4
set gateway 10.200.3.254
next
end
4. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file
from the folder Resources/FortiGate-I/Introduction.
5. Upload the VM license for this unit.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are
required in this FortiGate.
Remote-Windows
Configure Initial Settings
1. On this VM, verify that the correct local time and time zone is set, and that the screen has a
resolution of at least 1280x1024 (this ensures proper display of the FortiOS GUI).
2. Configure the network settings for LAN6:
 IP address: 10.0.2.10
 Netmask: 255.255.255.0
 Default gateway: 10.0.2.254
 DNS: 10.0.2.254
3. VMnet1 is your guest access network. When editing this network adapter, chose a unique
address and do not configure a gateway on this adapter.
4. Open Windows Firewall and disable Windows Firewall in all the network types.
Install Microsoft patch for SSL VPN
For SSL VPN tunnel mode to work properly, It is required the installation of a Microsoft hotfix that
solves a Microsoft problem with the FortiSSL adapter. Follow these steps:
1. Execute this command from the Remote-Windows command prompt:
bcdedit -set testsigning on

2. After that, install th e hotfix file named:

Windows8.1-KB9089134-x64.exe
This file can be found compressed in the Lab Setup ZIP file.
If you get an error indicating that the hotfix has expired, change the Local-Windows system date to
April 1, 2015 and try the ins tallation again. After the installation, you can change it back to the ri ght
date.
Install additional software
1. Install the following software:

 Firefox
 PuTTY
 Wireshark
 Java
 Adobe Flash
 Notepad++
 FortiClient (install only the VPN module)
2. Add shortcuts to the W indows task bar and desktop for the fol lowing applications: File Explorer,
Firefox, PuTTY, command prompt, and FortiClient.

 Testing
Testing
Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual
network connections, test connectivity.
From Local-Windows server,
Local-Windows server, test connectivity to:
10.0.1.254 LAN3 STUDENT_port3
10.0.1.241 FortiManager
10.0.1.210 FortiAnalyzer
From Local-FortiGate,
Local-FortiGate, test connectivity to:
10.0.1.10 LAN3 Local-Windows server
10.200.1.254 LAN1 LINUX_eth1
10.200.2.254 LAN2 LINUX_eth2
4.2.2.2 To test IP Forwarding and NAT on your Linux VM.
From the Linux host,

Linux host, test connectivity to:
10.200.3.1 LAN4 REMOTE_port4
4.2.2.2 LAN0
From Remote-FortiGate,
Remote-FortiGate, test connectivity to:
10.0.2.10 LAN6 Remote-Windows server
10.200.3.254 LAN4 LINUX_eth1
10.200.4.254 LAN5 LINUX_eth2
From Remote-Windows,
Remote-Windows, test connectivity to:

 Creating snapshots
Creating snapshots
Once you have completed and tested your configuration, save a snapshot of each VM. These
snapshots are what you will deploy for each student in the class.
You can also re-deploy these snapshots to revert a student's VM if their configuration is not working
and they need to quickly restore it to a functional state.

 Appendix A: Additional Resources
Appendix A: Additional Resources
Training Services http://training.fortinet.com
Technical Documentation http://help.fortinet.com
Knowledge Base http://kb.fortinet.com
Forums https://forum.fortinet.com/
Customer Service & Support https://support.fortinet.com
FortiGuard Threat Research & Response http://www.fortiguard.com

Fortigate Lab Setup Guide1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fortigate Lab Setup Guide1

Uploaded by

Copyright:

Available Formats

FortiGate

Lab Setup Guide

System Requirements....................... .......................... .......................... .......................... ........6

Network Topology ...................................................................................................................6

LOADING THE VMS ........................

CONFIGURING VMWARE VIRTUAL NETWORKING .........................

CONFIGURING THE VMS .........................

Restoring the Local-FortiGate License and Initial Configuration ............................................33

CREATING SNAPSHOTS .........................

APPENDIX A: ADDITIONAL RESOURCES ..........................

FortiGate Lab Setup Guide 4

 2 Windows Server 2012 VM

FortiGate Lab Setup Guide 5

o nikto 2.1.5 (http://www.cirt.net/nikto2

Each workstation running VMware Workstation requires:

FortiGate Lab Setup Guide 6

FortiGate Lab Setup Guide 7

Loading the VMs

Create Windows VMs

To create a Windows VMs on VMware Workstation 11:

Create FortiGate, FortiManager, and FortiAnalyzer VMs

To create FortiGate, FortiManager, and FortiAnalyzer VMs on VMware Workstation 11:

Install the prebuilt Linux image

To install the prebuilt Linux image on VMware Workstation 11:

FortiGate Lab Setup Guide 8

FortiGate Lab Setup Guide 9

Configuring VMware Virtual Networking

Configure VMWare Virtual Networking

1. Create one additional virtual NIC on each of your Windows VMs:

FortiGate Lab Setup Guide 10

4. Map the LAN segments to each vNIC:

Network Adapter LAN Segment

Network Adapter LAN Segment

FortiGate Lab Setup Guide 11

 For FortiAnalyzer, map these network adapters:

Network Adapter LAN Segment

Network Adapter LAN Segment

FortiGate Lab Setup Guide 12

Configuring the VMs

1. From the network configuration tools, configure the interface IP addressing.

vi /etc/sysctl.conf and set net.ipv4.ip_forward = 1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

service iptables save

FortiGate Lab Setup Guide 13

(or # /sbin/service iptables save.)

Install HTTP and FTP services

1. Enter the following commands:

yum install httpd

chkconfig --levels 345 httpd on

yum install vsftpd

chkconfig --levels 345 vsftpd on

Configure FTP service

1. Disable security-enhanced Linux (SELinux):

FortiGate Lab Setup Guide 14

4. Delete the default configuration file:

/sbin/service vsftpd restart

vi /etc/sysconfig/syslog and add ‘-r’ to the SYSLOG OPTIONS

2. Add the following line to the syslog.conf :

/sbin/service syslog restart

netstat –anp | grep 514

yum install net-snmp-utils

1. Enter the following commands:

yum install dovecot postfix