Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Introduction
Materials
    Linux
    Local-FortiGate
    Local-Windows
    FortiManager
    FortiAnalyzer
    Remote-FortiGate
    Remote-Windows
Testing
Introduction
This guide explains how to configure the lab for the following Fortinet training courses:
FortiGate I 5.4.1 (NSE4 preparation)
FortiGate II 5.4.1 (NSE4 preparation)
In this environment, the FortiManager is acting as a local FortiGuard server. It validates the FortiGate
licenses and replies to FortiGuard Web Filtering rating requests from FortiGate VMs. The
FortiManager is configured in closed network mode, providing FortiGuard services to local FortiGate
VMs, without requiring Internet access.
To administer this lab as designed, you will:
1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Each time there is a class, deploy a copy of all VMs for each student.
Materials
To build the virtual lab required for this class, you must purchase or download:
1 VMware Workstation installation per student (for hardware system requirements, see System Requirements)
2 FortiGate VM licenses
1 FortiAnalyzer VM license (registered with the IP address 10.0.1.210)
1 FortiManager VM license (registered with the IP address 10.0.1.241)
4 FortiCare contracts (one for each VM)
1 FortiGuard Web Filtering and IPS contract, bound to the first FortiGate VM
Note: One of the FortiGate VMs requires a valid FortiGuard Web Filtering and IPS
contract. This license will be installed on the Local-FortiGate. The other VMs do not
require a FortiGuard service contract.
System Requirements
Network Topology
(Topology diagram. The addressing it shows is summarized here; LAN segment numbers are taken from
the adapter mappings and the Testing section.)
VM                 Interface   Address              LAN segment
Local-Windows      -           10.0.1.10            LAN3
Local-FortiGate    port3       10.0.1.254/24        LAN3
Local-FortiGate    port1       10.200.1.1/24        LAN1
Local-FortiGate    port2       10.200.2.1/24        LAN2
FortiManager       port1       10.0.1.241           LAN3
FortiManager       port2       10.200.1.241         LAN1
FortiAnalyzer      port1       10.0.1.210           LAN3
FortiAnalyzer      port3       10.200.1.210         LAN1
Linux              eth0        DHCP (VMnet0, Internet)
Linux              eth1        10.200.1.254         LAN1
Linux              eth2        10.200.2.254         LAN2
Linux              eth3        10.200.3.254         LAN4
Linux              eth4        10.200.4.254         LAN5
Remote-FortiGate   port4       10.200.3.1/24        LAN4
Remote-FortiGate   port5       10.200.4.1/24        LAN5
Remote-FortiGate   port6       10.0.2.254/24        LAN6
Remote-Windows     -           10.0.2.10            LAN6
The Lab Setup Guide ZIP package provides a prebuilt image of the Linux VM, which does not require
additional configuration; you only need to load it and deploy it. This guide also provides the steps for
building the Linux image from scratch, in case you do not want to use the prebuilt image.
For the other VMs (Windows, FortiGates, and so on), you must load, configure, and save the OVF files
before you deploy them. Use standard VMware steps for the installation media: an ISO file or a Fortinet
OVF file.
Once you have loaded the VMs, you must configure their virtual network adapters to build the lab's
required virtual network topology.
Inside each student's virtual lab, there are seven VMs.
The topology supports both HA and non-HA setups, which the students will switch between during
the labs by reconfiguring their VMs; no VMware reconfiguration is required.
The key to this flexible networking is the six LAN segments used in the current setup, plus the two
predefined virtual networks: vmnet0 and vmnet1.
vmnet0 bridges the physical NIC which provides the default route to the Internet.
vmnet1 is a host-only private network shared between the host and the guest systems.
By mapping the guest VMs' virtual NICs to the LAN segments, you create the topology.
Click Add as many times as needed to create the six LAN segments (1 through 6). Click OK twice to
close the windows.
For each FortiGate VM (Local-FortiGate and Remote-FortiGate), map these network adapters; VMware
adapter N corresponds to FortiGate portN:
Adapter   LAN segment
1         1
2         2
3         3
4         4
5         5
6         6
7         3
For the FortiManager VM, map these network adapters:
Adapter   LAN segment
1         3
2         1
For the FortiAnalyzer VM, map these network adapters:
Adapter   LAN segment
2         3
4         1
This maps FortiAnalyzer port1 to LAN3, because VMware adapter 2 corresponds to FortiAnalyzer port1.
It also maps port3 to LAN1, because VMware adapter 4 corresponds to FortiAnalyzer port3.
For the Linux VM, map these network adapters:
Adapter   Network
1         VMnet0
2         LAN segment 1
3         LAN segment 2
4         LAN segment 4
5         LAN segment 5
Before you deploy the VMs, you must first install the required software and files on your Windows VM.
You must also configure some initial settings on your Fortinet VMs so that they have network
connectivity, and load their VM license.
Note: The prebuilt Linux VM is already configured. However, if you need to modify or
understand the configuration of the prebuilt VM, this section provides the necessary
details. The root password for the prebuilt VM is: password.
Linux
Configure networking
Apply the kernel settings from /etc/sysctl.conf (this is where IP forwarding is enabled for the NAT
step below):
sysctl -p /etc/sysctl.conf
5. Clear the existing iptables rules:
iptables -F
iptables -t nat -F
6. Add a single NAT rule that NATs all outgoing packets to the address obtained by DHCP on eth0,
then verify the NAT table:
iptables -t nat -L
Edit the interface configuration files:
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/network-scripts/ifcfg-eth2
/etc/sysconfig/network-scripts/ifcfg-eth3
/etc/sysconfig/network-scripts/ifcfg-eth4
In each of these files, find the line that says HWADDR=mac-address-here and delete the whole
HWADDR line. Otherwise the interface configuration is tied to the MAC addresses of this particular
VM and no longer applies once you deploy copies for students, which get new MAC addresses.
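The networking steps above (IP forwarding, NAT on eth0, and the HWADDR-free ifcfg files) as one script. This is an added example and not part of the original guide: it assumes the Red Hat style ifcfg files the guide edits, writes them into a staging directory you pass in so you can inspect them before copying to /etc/sysconfig/network-scripts, and implements the eth0 NAT rule as iptables MASQUERADE, the usual choice when the outside address is assigned by DHCP.

```shell
#!/bin/sh
# Linux VM network build for the lab (added example, not from the guide).
# Addresses come from the lab topology; eth0 stays on DHCP (VMnet0 / Internet).

# Interface table: name:address:LAN segment (the segment is only a comment).
LAB_IFACES="eth1:10.200.1.254:LAN1
eth2:10.200.2.254:LAN2
eth3:10.200.3.254:LAN4
eth4:10.200.4.254:LAN5"

# Write ifcfg-eth0..eth4 into $1 (default /etc/sysconfig/network-scripts).
# No HWADDR line is written, so the files still apply after the VM is cloned
# and VMware assigns new MAC addresses.
write_ifcfg() {
    dir=${1:-/etc/sysconfig/network-scripts}
    mkdir -p "$dir"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$dir/ifcfg-eth0"
    echo "$LAB_IFACES" | while IFS=: read -r name addr segment; do
        printf 'DEVICE=%s\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=255.255.255.0\nONBOOT=yes\n# %s\n' \
            "$name" "$addr" "$segment" > "$dir/ifcfg-$name"
    done
}

# Delete every HWADDR= line from the ifcfg files in $1 (the manual step above),
# for images that were built with the MAC address recorded.
strip_hwaddr() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/ifcfg-eth*; do
        [ -f "$f" ] || continue
        grep -v '^HWADDR=' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Print the commands that turn the VM into a NAT gateway: enable forwarding
# (the guide persists it in /etc/sysctl.conf and runs sysctl -p), flush old
# rules, and masquerade everything leaving eth0 behind its DHCP address.
# Pipe into sh as root once the ifcfg files are in place.
nat_commands() {
    cat <<'EOF'
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -L -n -v
EOF
}

# Count HWADDR lines left in the ifcfg files under $1 (0 means none remain).
hwaddr_count() {
    cat "$1"/ifcfg-eth* | grep -c '^HWADDR=' || true
}

# Usage as root on the Linux VM:
#   write_ifcfg && strip_hwaddr && nat_commands | sh
```

Run `write_ifcfg /tmp/staging` first and diff the result against the live directory; MASQUERADE rather than SNAT is what keeps the rule valid when the DHCP lease on eth0 changes.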
Configure FTP
Create a file that students can download:
touch /var/ftp/pub/test.text
1. Disable SELinux on the running system:
setenforce 0
2. Edit the file:
/etc/selinux/config
and change the SELINUX setting to disabled, so that it stays off after a reboot:
SELINUX=disabled
Disabling SELinux is tolerable only because this is an isolated lab image; do not carry this step
over to a production host.
3. Create two VSFTPd configuration files based on the default one:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-222.conf
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-21.conf
rm /etc/vsftpd/vsftpd.conf
5. Edit the configuration file vsftpd-222.conf and add the following lines at the end of the file:
port_enable=YES
port_promiscuous=YES
pasv_enable=NO
listen_port=222
listen_address=10.200.3.254
This instance accepts only active-mode (PORT) transfers, on TCP port 222 of the LAN4 address.
port_promiscuous=YES turns off vsftpd's check that the PORT data connection goes back to the
address the control connection came from, so it also works when the client's PORT command carries
an address other than the one it connects from (for example, a private address behind NAT). That
check is what prevents FTP bounce, so keep this instance inside the lab.
6. Edit the configuration file vsftpd-21.conf and add the following line at the end of the file:
listen_address=10.200.1.254
7. Restart the FTP server:
Configure Syslog
1. The syslog package should already be installed. Enable remote logging on the service:
2. Add this line to the syslog configuration so that messages on the local6 facility are written to
/var/log/fortinet:
local6.* /var/log/fortinet
3. Restart syslog:
Configuring email
4. Enable the Dovecot IMAP/POP service at boot:
chkconfig dovecot on
5. Edit the /etc/postfix/main.cf file using vi.
Uncomment:
mydomain = domain.tld
and replace domain.tld with the domain training.lab:
mydomain = training.lab
Uncomment:
myorigin = $mydomain
Uncomment:
myhostname = host.domain.tld
and replace host.domain.tld with the hostname linux.training.lab:
myhostname = linux.training.lab
Uncomment:
mynetworks = 168.100.189.0/28
and replace 168.100.189.0/28 with 10.0.0.0/8, 127.0.0.0/8
(mynetworks lists the clients Postfix relays mail for; 10.0.0.0/8 covers every lab subnet, which is
fine in this closed lab but would make the host an open relay on a real network.)
Uncomment:
inet_interfaces = all
Comment:
Configuring OpenSSL
Create the CA working directory under /root:
mkdir ssl
cd ssl
mkdir certs
mkdir newcerts
mkdir requests
mkdir keys
touch index.txt
touch serial
Copy the default OpenSSL configuration into the ssl directory:
cp /etc/pki/tls/openssl.cnf
In the copy, set the CA directory:
dir = /root/ssl
then search for the [ v3_ca ] section and uncomment:
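A complete version of the CA setup above, added here as an example rather than taken from the guide. It creates the same directory layout, but instead of editing the copied /etc/pki/tls/openssl.cnf it writes a minimal config of its own (the section and file names in it are assumptions) with dir pointing at the CA root and basicConstraints CA:true in [ v3_ca ], then generates the CA and signs a certificate for linux.training.lab with openssl ca. The keys are written unencrypted because this is a throwaway lab CA.

```shell
#!/bin/sh
# Lab CA from the OpenSSL steps above (added example, not from the guide).

# Create the CA directory tree and the empty database files openssl ca expects.
# $1 is the CA root (the guide uses /root/ssl).
make_ca_layout() {
    root=${1:-/root/ssl}
    mkdir -p "$root/certs" "$root/newcerts" "$root/requests" "$root/keys"
    : > "$root/index.txt"        # certificate database, starts empty
    echo 01 > "$root/serial"     # next serial number to issue
    chmod 700 "$root/keys"       # the CA private key lives here
}

# Write a self-contained openssl.cnf: dir= points at the CA root and [ v3_ca ]
# marks the CA certificate as a CA. Assumed minimal config, not the stock file.
write_ca_config() {
    root=${1:-/root/ssl}
    cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir = $root
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/keys/cakey.pem
default_md = sha256
default_days = 365
policy = lab_policy
x509_extensions = server_cert

[ lab_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no

[ req_dn ]
CN = Training Lab CA

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Create the CA key and self-signed certificate, then issue a server
# certificate for $2 signed by the CA and verify the chain.
# Needs the openssl binary; returns 1 if it is not installed.
issue_server_cert() {
    root=${1:-/root/ssl}
    cn=${2:-linux.training.lab}
    command -v openssl >/dev/null 2>&1 || return 1
    cfg="$root/openssl.cnf"
    openssl req -new -x509 -config "$cfg" -nodes -newkey rsa:2048 -days 3650 \
        -keyout "$root/keys/cakey.pem" -out "$root/cacert.pem" >/dev/null 2>&1
    openssl req -new -config "$cfg" -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$root/keys/$cn.key" -out "$root/requests/$cn.csr" >/dev/null 2>&1
    openssl ca -batch -config "$cfg" \
        -in "$root/requests/$cn.csr" -out "$root/certs/$cn.pem" >/dev/null 2>&1
    # The issued certificate must validate against cacert.pem alone.
    openssl verify -CAfile "$root/cacert.pem" "$root/certs/$cn.pem" >/dev/null 2>&1
}

# Usage on the Linux VM:
#   make_ca_layout /root/ssl && write_ca_config /root/ssl \
#     && issue_server_cert /root/ssl linux.training.lab
```

index.txt and serial are what let openssl ca track issued certificates; the [ v3_ca ] extensions are the part the guide has you uncomment, since without CA:true browsers refuse to use the certificate as a root.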
Configure accounts
1. Open the User Manager:
system-config-users
2. In the User Manager dialog box, click Add User and add the following accounts:
User        Password
admin       fortinet1
student     fortinet1
FortiGate   fortinet1
Create the web pages
1. Go to /var/www/html.
2. Right-click and click Create Document > Empty File.
3. Name it result.html.
4. Right-click and select Open with "Text Editor".
5. Copy and paste the HTML below:
<html>
<head>
</head>
<body>
</body>
</html>
6. Click Save.
7. Click Close.
8. Still in /var/www/html, right-click and select Create Document > Empty File.
9. Name it fileupload.html.
10. Right-click and click Open with "Text Editor".
11. Copy and paste the HTML below (the form fields and their names are placeholders; the page only
needs a file-upload form and a text-input form):
<html>
<head>
</head>
<body>
<h4>File Upload</h4>
<!-- Field names are placeholders; both forms post back to this page -->
<form method="post" enctype="multipart/form-data">
<input type="file" name="upload">
<input type="submit" value="Upload">
</form>
<h4>Text Input</h4>
<form method="post">
<input type="text" name="text">
<input type="submit" value="Send">
</form>
</body>
</html>
12. Click Save.
13. Click Close.
Local-FortiGate
exec formatlogdisk
This formats the virtual disk, which is required to store data such as local reports or logs. The
device will reboot after the format is complete.
3. Enter this configuration to configure the network interfaces:
edit port1
next
edit port3
next
end
edit 1
next
end
edit 1
next
end
Local-Windows
The Local-Windows VM is used as the student's network management computer in the lab. Students
will initiate most client network connections from it, and administer the Fortinet VMs from it.
1. On this VM, verify that the correct local time and time zone are set, and that the screen has a
resolution of at least 1280x1024. (This ensures proper display of the FortiOS GUI.)
2. Change the administrator account password to password. (Disable the password complexity check if
required.)
3. Configure the IPv4 network settings for LAN3:
IP address: 10.0.1.10
Netmask: 255.255.255.0
Default gateway: 10.0.1.254
DNS: 10.0.1.254
4. Configure the IPv6 network settings for LAN3:
Obtain an IPv6 address automatically
Obtain DNS server address automatically
5. Install the following software:
Firefox
PuTTY
ActivePerl
Nikto
Thunderbird
FileZilla
Wireshark
Adobe Reader
Adobe Flash
Notepad++
Java
6. VMnet1 is your guest access network. When editing this network adapter, choose a unique
address. Do not configure a gateway.
7. Open Windows Firewall and disable it for all network types. (The VM is reachable only through the
lab's LAN segments and the host-only VMnet1, which is the only reason this is acceptable.)
7. Type Training! as the password. Disable User must change password at next logon and
enable Password never expires.
8. Repeat the process to create another user in the Training organizational unit, but this time call the
user aduser2. Use the same password (Training!).
8. Click OK.
7. Confirm the installation and reboot the VM after the installation finishes.
Configure Thunderbird
1. Open Mozilla Thunderbird and click the three bars icon in the upper right of the application.
2. Select Options > Account Settings.
3. Select Outgoing Server (SMTP) and click Add. Configure the following settings:
Setting     Value
Port        25
Username    student
4. Click OK.
5. From the bottom of the left menu of the Account Settings dialog, click Account Actions > Add
Mail Account.
6. Add the following account:
Password    fortinet1
7. Click Continue.
8. Add the following incoming and outgoing server settings:
9. Click Done. Accept the certificate exception.
10. Select Account Actions > Add Mail Account again to create a second user.
11. Add the second account:
Password    fortinet1
Configure FileZilla
1. Open FileZilla.
2. Click the upper left icon to open the site manager.
Configure the SMB share
The Local-Windows machine requires an SMB file share.
A wizard opens.
4. Select SMB Share - Quick.
5. Click Next.
6. Select Type a custom path.
7. Click Browse and select the dlpshare folder.
8. Click Select Folder.
9. Click Next until you get to the Permissions screen. On the Permissions screen, make sure
BUILTIN\Administrators have full access.
Shift the Firefox clock
1. Open Firefox.
2. Open the about:config page.
3. Right-click, select New > Integer, and add an item named test.currentTimeOffsetSeconds
with the value 11491200 (133 days); confirm. Firefox adds this offset to the time it uses when it
checks certificate validity periods.
4. Clear the cache.
Disable certificate pinning in Firefox
1. Open Firefox.
2. Open the about:config page.
3. Search for security.cert_pinning.enforcement_level.
4. Edit it and change the value to 0 (pin enforcement disabled). This lets sites that ship with public
key pins accept the FortiGate's inspection certificate; it also removes the protection the pins give,
so it belongs on the lab VM only.
5. Clear the cache.
Configure PuTTY
1. Open PuTTY.
2. Complete the following:
3. Click Save.
4. Repeat steps 2 and 3 for the following VMs:
Import the FortiGate CA certificate
1. From Local-Windows, open Firefox and connect over HTTP to Local-FortiGate.
2. Go to System > Certificates.
3. Select the certificate Fortinet_CA_SSL and click Download.
4. Click the Open menu in Firefox and select Options.
5. Go to Advanced > Certificates and click View Certificates.
6. Select the Authorities tab.
7. Click Import and select the Fortinet_CA_SSL certificate.
8. Enable the three options:
Trust this CA to identify websites.
Trust this CA to identify email users.
Trust this CA to identify software developers.
Click OK.
With this CA trusted, the certificates that Local-FortiGate generates during full SSL inspection are
accepted without a warning. Anyone holding that CA's private key can do the same to this browser,
which is another reason these VMs stay inside the lab.
c:\Perl64\bin
3. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer,
Firefox, PuTTY, command prompt, Notepad++, Windows Remote Desktop Connection, and
FileZilla.
4. Add the following paths to the Path System variable:
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPS\nikto-2.1.5
C:\Users\Administrator\Desktop\Resources\FortiGate-I\Logging
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPv6
5. Open Firefox and add the following four bookmarks to the bookmarks toolbar:
Local-FortiGate: http://10.0.1.254
Remote-FortiGate: http://10.200.3.1
FortiManager: https://10.0.1.241
FortiAnalyzer: https://10.0.1.210
FortiManager
Even though FortiManager is not the focus of the FortiAnalyzer and FortiGate courses, it is required for
the lab setup because of the use of closed network mode. More information about the FortiManager closed
network mode can be found in this document:
http://docs.fortinet.com/uploaded/files/2153/LicensingIsolatedFortiGates.pdf
Note: Alternatively, as with registration, you can attach a spreadsheet that contains serial
and license numbers if you want to ask for entitlement files for two or more FortiGate VMs
at the same time. Fortinet Technical Support will provide one entitlement file that contains
validation information for all of your FortiGate VMs. All FortiGate VMs must be registered
with the same account; devices registered under different accounts cannot be combined
into the same entitlement file.
Within a day or two, you should receive an entitlement file from customer service.
1. Start the FortiManager and open the VM console. From the console make the following
changes:
edit port1
next
end
2. Connect to the GUI from the Local-Windows VM and restore the FortiManager-initial.dat
file from the folder Resources/FortiManager/.
3. Upload a valid FortiManager VM license.
Configure FortiGuard services
1. Log into the FortiManager GUI and click FortiGuard > Advanced Settings.
2. Clear the Disable Communication with FortiGuard Servers checkbox and click Apply. (FortiManager
needs Internet access for this one-time download; once the packages are in place it serves the
FortiGates without it.)
3. Click Enable AntiVirus and IPS Update Service.
4. Click the Enable AntiVirus and IPS Update Service for FortiGate dropdown and select the
checkbox under Download for OS 5.0.
5. Select the checkboxes for Enable Web Filter Service and Enable Email Filter Service.
6. Click Apply.
7. Wait until FortiManager has downloaded and synchronized all the service packages and updates.
This could take several hours.
8. Under FortiGuard > Advanced Settings, check that the status of Enable AntiVirus and IPS
Service, Enable Web Filter Service, and Enable Email Filter Service shows Synchronized.
9. Check the status of the downloads under FortiGuard > Query Server Management > Receive
Status.
10. Check the status of downloads under FortiGuard > Package Management > Receive Status.
11. If the status under FortiGuard > Advanced Settings is stuck in the Connected state, and not
changing to the Synchronized state even after waiting a few hours, you can manually trigger the
update:
force them to send a new VM license validation request to FortiManager. If validation succeeds,
the license status indicated on the dashboard should say Valid.
FortiAnalyzer
1. Start FortiAnalyzer and open the VM console. From the console make the following changes:
edit port1
next
end
2. Connect to the GUI from the Local-Windows VM and restore the file from the folder
Resources/FortiAnalyzer/FortiAnalyzer-initial.dat.
3. Upload the FortiAnalyzer VM license.
Load the Local-FortiGate configuration and license
1. On the Local-Windows VM, open a web browser and connect to the Local-FortiGate VM's GUI.
2. Upload the initial configuration file that is located in
Resources/FortiGate-I/Introduction/local-initial.conf.
3. After that, upload the VM license.
FortiGate should query FortiManager to validate its VM license and FortiGuard service contracts.
Remote-FortiGate
edit port4
next
end
edit 1
next
end
4. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file
from the folder Resources/FortiGate-I/Introduction.
5. Upload the VM license for this unit.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are
required in this FortiGate.
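The interface, route and policy lines for the two FortiGates are not reproduced in the fragments above, so here is an added example (not the contents of local-initial.conf or remote-initial.conf, and not Fortinet's code) that prints FortiOS 5.4 CLI derived from the lab topology: the LAN-side port with management access, the ports toward the Linux router with a default route through Linux, and one NAT policy from the LAN port to the router-facing port. The allowaccess lists and the single permit-all policy are assumptions for a lab; pipe the output into ssh admin@<LAN address> of the unit to apply it.

```shell
#!/bin/sh
# FortiOS CLI for the lab FortiGates, generated from the topology addresses
# (added example; the set lines are assumptions, not the initial .conf files).
# Apply with:
#   fortigate_config local  | ssh admin@10.0.1.254   (Local-FortiGate, port3)
#   fortigate_config remote | ssh admin@10.0.2.254   (Remote-FortiGate, port6)

# Emit one "edit portN" block for config system interface.
# $1 port, $2 address, $3 mask, $4 allowaccess list
fg_interface() {
    printf '    edit "%s"\n        set ip %s %s\n        set allowaccess %s\n    next\n' \
        "$1" "$2" "$3" "$4"
}

# Print the full configuration for "local" or "remote".
# The LAN port (where the Windows VM sits) gets management access;
# the ports toward the Linux router answer ping only.
fortigate_config() {
    case "$1" in
        local)
            lan=port3; lan_ip=10.0.1.254
            wan=port1; wan_ip=10.200.1.1; gw=10.200.1.254
            wan2=port2; wan2_ip=10.200.2.1 ;;
        remote)
            lan=port6; lan_ip=10.0.2.254
            wan=port4; wan_ip=10.200.3.1; gw=10.200.3.254
            wan2=port5; wan2_ip=10.200.4.1 ;;
        *)
            echo "usage: fortigate_config local|remote" >&2; return 1 ;;
    esac
    echo "config system interface"
    fg_interface "$lan" "$lan_ip" 255.255.255.0 "ping https ssh http"
    fg_interface "$wan" "$wan_ip" 255.255.255.0 "ping"
    fg_interface "$wan2" "$wan2_ip" 255.255.255.0 "ping"
    echo "end"
    cat <<EOF
config router static
    edit 1
        set gateway $gw
        set device "$wan"
    next
end
config firewall policy
    edit 1
        set srcintf "$lan"
        set dstintf "$wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
EOF
}

# Number of addressed ports in a generated config (one "set ip" per port).
addressed_ports() {
    fortigate_config "$1" | grep -c '^        set ip '
}
```

Management access (https, ssh, http) is deliberately limited to the LAN-side port: the Linux "Internet" side should only answer ping, which is also all the Testing section needs.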
Remote-Windows
1. On this VM, verify that the correct local time and time zone are set, and that the screen has a
resolution of at least 1280x1024 (this ensures proper display of the FortiOS GUI).
2. Configure the network settings for LAN6:
IP address: 10.0.2.10
Netmask: 255.255.255.0
Default gateway: 10.0.2.254
DNS: 10.0.2.254
3. VMnet1 is your guest access network. When editing this network adapter, choose a unique
address and do not configure a gateway on this adapter.
4. Open Windows Firewall and disable it for all network types.
For SSL VPN tunnel mode to work properly, you must install a Microsoft hotfix that
solves a Microsoft problem with the FortiSSL adapter. Follow these steps:
1. Execute this command from the Remote-Windows command prompt:
Windows8.1-KB9089134-x64.exe
This file can be found compressed in the Lab Setup ZIP file.
If you get an error indicating that the hotfix has expired, change the VM's system date to
April 1, 2015 and try the installation again. After the installation, change it back to the right
date.
2. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer,
Firefox, PuTTY, command prompt, and FortiClient.
Testing
Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual
network connections, test connectivity (ping) as follows.
From the Local-Windows server, test connectivity to:
10.0.1.254     LAN3       Local-FortiGate port3
10.0.1.241     LAN3       FortiManager
10.0.1.210     LAN3       FortiAnalyzer
From Local-FortiGate, test connectivity to:
10.0.1.10      LAN3       Local-Windows server
10.200.1.254   LAN1       LINUX_eth1
10.200.2.254   LAN2       LINUX_eth2
10.0.1.241     LAN3       FortiManager
10.0.1.210     LAN3       FortiAnalyzer
4.2.2.2        Internet   Tests IP forwarding and NAT on your Linux VM
From Remote-FortiGate, test connectivity to:
10.0.2.10      LAN6       Remote-Windows server
10.200.3.254   LAN4       LINUX_eth3
10.200.4.254   LAN5       LINUX_eth4
10.200.1.241   LAN1       FortiManager port2 (routed through the Linux VM)
10.200.1.210   LAN1       FortiAnalyzer port3 (routed through the Linux VM)
From Remote-Windows, test connectivity to:
10.0.2.254     LAN6       Remote-FortiGate port6
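The connectivity tests above as an added shell script (not part of the guide) that pings every target in a table and reports which LAN segment failed, so a broken adapter mapping shows up as a named segment rather than a bare timeout. The tables are the guide's own lists for the two FortiGates; the script assumes it runs on a Linux host attached to the segment in question and that ping is allowed on the interfaces being tested (the FortiGates themselves use execute ping from their CLI).

```shell
#!/bin/sh
# Table-driven connectivity check for the lab (added example, not from the
# guide). Each row is "address:LAN segment:description".

# Targets listed in the Testing section, as seen from Local-FortiGate.
LOCAL_FGT_TARGETS="10.0.1.10:LAN3:Local-Windows
10.200.1.254:LAN1:Linux eth1
10.200.2.254:LAN2:Linux eth2
10.0.1.241:LAN3:FortiManager
10.0.1.210:LAN3:FortiAnalyzer
4.2.2.2:Internet:IP forwarding and NAT on the Linux VM"

# Targets as seen from Remote-FortiGate.
REMOTE_FGT_TARGETS="10.0.2.10:LAN6:Remote-Windows
10.200.3.254:LAN4:Linux eth3
10.200.4.254:LAN5:Linux eth4
10.200.1.241:LAN1:FortiManager port2
10.200.1.210:LAN1:FortiAnalyzer port3"

# One ICMP echo with a one-second timeout. Kept in its own function so the
# probe can be swapped (for a TCP check, say) without touching the loop.
probe() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# Probe every row of the table in $1, print one line per target, and return
# the number of unreachable targets so the caller can fail on any miss.
check_targets() {
    failed=0
    while IFS=: read -r addr segment desc; do
        [ -n "$addr" ] || continue
        if probe "$addr"; then
            printf 'OK    %-15s %-9s %s\n' "$addr" "$segment" "$desc"
        else
            printf 'FAIL  %-15s %-9s %s\n' "$addr" "$segment" "$desc"
            failed=$((failed + 1))
        fi
    done <<EOF
$1
EOF
    return "$failed"
}

# Usage, e.g. from the Linux VM after building the Local-FortiGate side:
#   check_targets "$LOCAL_FGT_TARGETS" || echo "some targets unreachable"
```

A FAIL on the 4.2.2.2 row with every LAN row OK points at the Linux VM's forwarding or MASQUERADE rule; a FAIL on a single LAN row points at that segment's adapter mapping.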
Creating snapshots
Once you have completed and tested your configuration, save a snapshot of each VM. These
snapshots are what you will deploy for each student in the class.
You can also re-deploy these snapshots to revert a student's VM if their configuration is not working
and they need to quickly restore it to a functional state.