
NSE Institute

Lesson Overview
High-Level Features
Objectives
• Identify platform design features of FortiGate
• Identify features of FortiGate in virtualized networks and the cloud

The Modern Context of Network Security
• Firewalls are more than gatekeepers on the network perimeter.
• Today's firewalls are designed in response to multi-faceted and multi-device environments with no identifiable perimeter:
  Mobile workforce
  Partners accessing your network services
  Public and private clouds
  Internet of Things (IoT)
  Bring your own device (BYOD)
• Firewalls are expected to perform different functions within a network.
  Different deployment modes:
  • Distributed enterprise firewall
  • Next-generation firewall
  • Internal segmentation firewall
  • Data center firewall
  DNS, DHCP, web filter, intrusion prevention system (IPS), and so on
Platform Design
Topology in the Cloud
• Deploy FortiGate in virtualized networks (FortiGate VM specifications):
  FortiGate VM: same features as the physical appliance except FortiASIC
  FortiGate VMX: subset of features for VMware NSX (east-west) data flows
  FortiGate Connector for Cisco ACI (north-south) data flows; integrates physical or virtual appliance
• Faster setup and teardown: SDN + VMs
Knowledge Check
1. What is a more accurate description of a modern firewall?
A. A device that inspects network traffic at an entry point to the Internet and within a simple, easily-defined network perimeter.
B. A multi-functional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points.

2. What solution, specific to Fortinet, enhances performance and reduces latency for specific features and traffic?
A. Specialized circuits called ASICs
B. Increased RAM and CPU power
Setup Decisions
Objectives
• Identify the factory defaults
• Select an operation mode
• Understand FortiGate’s relationship with FortiGuard and distinguish between
live queries and package updates
Modes of Operation
NAT mode:
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP
Transparent mode:
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or block
Factory Default Settings
• Port1 or internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port1 or internal interface
  Only on entry-level models that support DHCP server
• Default login:
  User: admin
  Password: (blank)
  Both are case sensitive
  Modify the default (blank) password
• Can access FortiGate on the CLI
  CLI Console widget and terminal emulator, such as PuTTY or Tera Term
FortiGuard Subscription Services
• Internet connection and contract required
• Provided by FortiGuard Distribution Network (FDN)
  Major data centers in North America, Asia, and Europe
• Or, from FDN through your FortiManager
• FortiGate prefers the data center in the nearest time zone, but will adjust by server load
• Package updates: FortiGuard Antivirus and IPS
  update.fortiguard.net
  TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering, DNS Filtering, and Antispam
  service.fortiguard.net
  Proprietary protocol on UDP port 53 or 8888
Knowledge Check
1. Which protocol does FortiGate use to download antivirus and IPS packages?
A. UDP
B. TCP

2. How does FortiGate check content for spam or malicious websites?
A. Live queries to FortiGuard over UDP
B. Local verification using the downloaded web filter database locally on FortiGate
Basic Administration
Objectives
• Manage administrator profiles
• Manage administrative users
• Define the configuration method for administrative users
• Control administrative access to the FortiGate GUI and CLI
• Manage specific aspects of the network interfaces
Administration Methods
CLI: Console, SSH, Telnet, GUI CLI widget
GUI: FortiExplorer, web browser (HTTP, HTTPS)
Basic CLI Commands
• Use the following commands to check the system status and list all or only non-default attribute values for an interface.
• Use <command> ? to list commands that you can use with it. For example, execute backup ?
• Use tree to list sub-commands under <command>.

What is the current status of FortiGate? get system status
What are all the attribute values for the system interface? get system interface
What are the non-default attribute values for the system interface? show system interface

Create an Administrative User
Fields on the New Administrator form: User Name; Type (Local User, Match a user on a remote server group, Match all users in a remote server group, Use public key infrastructure (PKI) group); Password and Confirm Password; Comments; Administrator Profile (super_admin); Email Address; SMS; Two-factor Authentication; Restrict login to trusted hosts; Restrict admin to guest account provisioning only.
Administrator Profiles: Permissions
System > Admin Profiles
Administrator Profiles: Hierarchy
super_admin: full global access
prof_admin: partial global access
custom profiles
Two-Factor Authentication
Password (one factor)
FortiToken (two factor)
Resetting a Lost Admin Password
User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case.

• All FortiGate models and some other Fortinet device types
• Only after a hard power cycle
  Soft cycle (reboot) does not work for security reasons.
• Only during the first 60 seconds after boot (varies by model)
  Tip: Copy the serial number into the terminal buffer, then paste.
• Only through the hardware console port
  Requires physical access for security reasons.
  If compliance or the risk of physical access requires it, the maintainer account can be disabled.

Administrative Access: Trusted Sources
Two-factor Authentication
Restrict login to trusted hosts: enabled
Trusted Host 1: 10.0.1.10/32
Trusted Host 2
Trusted Host 3

If admin1 attempts to log in to the FortiGate GUI from any IP other than 10.0.1.10, they receive this message. (Error message screenshot not recoverable from the scan.)
Administrative Access: Ports and Password
System > Settings > Administration Settings
• Port numbers are customizable.
• Using only secure access (SSH, HTTPS) is recommended.
• Default idle timeout is 5 minutes.
Administrative Access: Protocols
Network > Interfaces
• Enable acceptable management protocols on each interface independently:
  Separate IPv4 and IPv6
  IPv6 options hidden by default
• Also protocols where FortiGate is the destination IP:
  FortiTelemetry
  CAPWAP
  FMG-Access
  FTM
  RADIUS Accounting
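The administrative-access settings from the preceding slides (administrator profile, trusted hosts, custom ports and idle timeout, per-interface management protocols, and disabling the maintainer account) can all be applied from the CLI. The following is an added example written for this page, not Fortinet's own configuration: the administrator name admin1, the trusted host 10.0.1.10, the ports 8443 and 2222, and the interface names port1 and port2 are assumptions, and the option names follow the FortiOS 6.0 CLI as I recall them (confirm each with ? before use).

```fortios
# Added example: administrative access hardening (FortiOS 6.0 CLI syntax).
# Create admin1 with the built-in super_admin profile and restrict logins
# to one trusted host, so a login from any other source IP is rejected.
config system admin
    edit "admin1"
        set accprofile "super_admin"
        set password "use-a-long-passphrase-here"      # placeholder value
        set trusthost1 10.0.1.10 255.255.255.255
    next
end

# Custom management ports and the idle timeout (the default is 5 minutes).
# admin-maintainer disable removes the console-only password recovery path;
# the slide notes this only where compliance or physical-access risk requires it.
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
    set admintimeout 5
    set admin-maintainer disable
end

# Allow only secure management protocols, per interface: HTTPS, SSH and PING
# on the internal interface (port2), no management access on the WAN (port1).
config system interface
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "port1"
        unset allowaccess
    next
end
```

Trusted hosts are evaluated per administrator, so every administrator account that should be reachable only from management networks needs its own trusthost entries; the protocol list on the interface then decides which services answer at all.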

Features Hidden by Default
System > Feature Visibility
• By default, some features like IPv6 are hidden on the GUI.
  Hidden features are not disabled.
• In Feature Visibility, select to hide/show groups of features commonly used together.
Interface IPs
Network > Interfaces
• In NAT mode, interfaces cannot be used until they have an IP address:
  Manually assigned
  Automatic
  • DHCP
  • PPPoE
• Exceptions: dedicated to FortiSwitch and the One-Arm Sniffer

Interface Role Compared to Alias
Network > Interfaces > Edit Interface
• Role defines interface settings typically grouped together.
  Avoids accidental misconfiguration
  Four types:
  • WAN
  • LAN
  • DMZ
  • Undefined
  Not in list of policies
• Alias is a friendly descriptor for the interface.
  Policy & Objects > IPv4 Policy
  Used in list of policies to label interfaces by purpose
Static Gateway
Network > Interfaces
• Must be at least one default gateway
• If the interface is DHCP or PPPoE, the gateway can be added dynamically.
(Screenshot of the interface edit page: addressing mode, administrative access, Advanced Options; details not recoverable from the scan.)
Link Aggregation
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth.
  Increases redundancy for higher availability
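The interface slides above (IP assignment, role and alias, static default gateway, link aggregation) come together in one configuration. This is an added example written for this page, not the course's or Fortinet's own: the interface names port1 to port4, the addresses 203.0.113.2/24, 10.0.1.1/24 and 10.0.2.1/24 and the gateway 203.0.113.1 are constructed, and the option names follow the FortiOS 6.0 CLI as I recall them.

```fortios
# Added example: interface addressing, role/alias, default gateway and a LAG.
config system interface
    # WAN interface with a manually assigned address; no management access.
    # (With "set mode dhcp" and "set defaultgw enable" instead, the default
    # gateway would be learned from the ISP and the static route below is not needed.)
    edit "port1"
        set mode static
        set ip 203.0.113.2 255.255.255.0
        set role wan
        set alias "ISP-uplink"
    next
    # LAN interface: manual address; the alias is what the policy list shows.
    edit "port2"
        set mode static
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set alias "Office-LAN"
    next
    # Link aggregation: port3 and port4 become one logical channel.
    edit "lag1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set ip 10.0.2.1 255.255.255.0
        set role dmz
        set alias "Server-DMZ"
    next
end

# The mandatory default gateway for a statically addressed WAN interface.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "port1"
    next
end
```

Role only groups the settings the GUI shows for the interface and keeps the address out of the wrong role's defaults; the alias is the label that appears in the policy list, so a descriptive alias makes a mis-ordered or mis-targeted policy easier to spot during review.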
Knowledge Check
1. How do you restrict logins to FortiGate to be only from specific IP addresses?
A. Disable HTTPS access on the interface
B. Configure trusted host

2. As a best security practice when configuring administrative access to FortiGate, which protocol should be disabled?
A. Telnet
B. SSH

3. To access the maintainer account during a recovery, begin by:
A. Unplugging or turning off the device
B. Typing execute reboot on the CLI
Lesson Progress
Built-In Servers
Objectives
• Enable the DHCP service on FortiGate
• Enable the DNS service on FortiGate
• Understand the configuration possibilities and some of their implications
FortiGate as a DHCP Server
DHCP Server: IP Reservation
Network > Interfaces (DHCP Server: MAC Reservation + Access Control)
• Reservations reassign the IP address to the same host.
  To reserve, select an IP address or choose an existing DHCP lease.
  Identify the reservation as either:
  • Regular (over Ethernet)
  • Over IPsec
• FortiGate uses the host's MAC address to look up its IP address in the reservation table.
• Actions if MAC is unknown (Unknown MAC Addresses: Assign IP)
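The reservation table and the unknown-MAC action described above, as an added example that is not part of the original slides: the interface port2, the 10.0.1.0/24 addressing, the MAC addresses and the description are constructed, and the option names (reserved-address type/action, mac-acl-default-action) are the FortiOS 6.0 CLI names as I recall them.

```fortios
# Added example: DHCP server on port2 with one reservation, one blocked MAC,
# and an explicit decision for MAC addresses that are not in the table.
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.0.1.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.1.100
                set end-ip 10.0.1.200
            next
        end
        config reserved-address
            # Regular (Ethernet) reservation: this host always gets 10.0.1.50
            edit 1
                set type regular
                set mac 00:11:22:33:44:55
                set ip 10.0.1.50
                set action reserved
                set description "print-server"
            next
            # A known MAC that must never receive a lease
            edit 2
                set type regular
                set mac 00:11:22:33:44:66
                set action block
            next
        end
        # Unknown MAC addresses: "assign" hands out an address from the range
        # (the slide's Assign IP option); "block" turns the table into an allow-list.
        set mac-acl-default-action assign
    next
end
```

Switching mac-acl-default-action to block is the restrictive setting for a segment where every host is known, but it only raises the bar for an unmanaged device: a MAC address is trivially set by the client, so the table is an inventory control, not an authentication mechanism.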


FortiGate as a DNS Server
• Resolves DNS lookups from the internal network
  Enabled per interface
  Not appropriate for Internet service because of load, and therefore should not be public facing.
• One DNS database can be shared by all FortiGate interfaces.
  Can be separate per VDOM
• Resolution methods:
  Forward: relay requests to the next server (in DNS settings).
  Non-recursive: use the FortiGate DNS database only to try to resolve queries.
  Recursive: use the FortiGate DNS database first; relay unresolvable queries to the next server (in DNS settings).
DNS Forwarding
• Forwarding allows DNS control without the local FQDN database
• Sends query to the external DNS server
(Screenshot of the DNS service list with columns Interface, DNS Filter, View, TTL (seconds).)
Database: Configuration
• Add DNS zones
  Each zone has its own domain name (RFC 1034 and 1035)
• Add DNS entries to each zone
  Host name
  IP address it resolves to
  Types supported:
  • IPv4 address (A) or IPv6 address (AAAA)
  • Name server (NS)
  • Canonical name (CNAME)
  • Mail exchange (MX) server
  • IPv4 (PTR) or IPv6 (PTR)
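The DNS server slides above (per-interface service, the three resolution methods, a zone with its entries) as one configuration. This is an added example written for this page, not Fortinet's own: the zone corp.example.com, the host names, the addresses 10.0.1.20 and 2001:db8:1::20 and the interface port2 are constructed, and the option names follow the FortiOS 6.0 CLI as I recall them.

```fortios
# Added example: a local DNS zone and a recursive DNS service on the LAN only.
config system dns-database
    edit "corp"
        set domain "corp.example.com"
        set type master
        set view shadow              # answers for internal clients only
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "intranet"
                set ip 10.0.1.20
            next
            edit 2
                set type AAAA
                set hostname "intranet"
                set ipv6 2001:db8:1::20
            next
            edit 3
                set type CNAME
                set hostname "www"
                set canonical-name "intranet.corp.example.com"
            next
        end
    next
end

# Enable the service on the internal interface only (it is not meant to be
# public facing, as the slide warns). Modes:
#   recursive      - answer from the database first, relay the rest to the
#                    servers under config system dns
#   non-recursive  - answer from the database only
#   forward-only   - relay everything; no local database needed
config system dns-server
    edit "port2"
        set mode recursive
    next
end
```

Binding the service to the LAN interface is what keeps the load and the exposure off the Internet side; an open recursive resolver on a WAN interface would be usable for reflection traffic, which is the practical reason behind the slide's "should not be public facing" note.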
Knowledge Check
1. When configuring FortiGate as a DHCP server to restrict access by MAC address, what does the Assign IP option do?
A. Assign a specific IP address to a MAC address
B. Dynamically assign an IP to a MAC address

2. When configuring FortiGate as a DNS server, which resolution method uses the FortiGate DNS database only to try to resolve queries?
A. Non-recursive
B. Recursive
Lesson Progress
Fundamental Maintenance
Objectives
• Back up and restore system configuration files
• Understand the restore requirements for plain text and encrypted configuration files
• Identify the current firmware version
• Upgrade firmware
• Downgrade firmware
Configuration File Backup and Restore
(GUI: admin menu > Configuration > Backup / Restore / Revisions; System > Restore System Configuration)
• Configuration can be saved to an external device
  Optional encryption
  Can back up automatically
  • Upon logout
  • Not available on all models
• To restore a previous configuration, upload the file.
  Reboots FortiGate

Configuration File
Plain text
Header (format, model, firmware major version, build number; the model and version are unreadable in the scan):
#config-version=<model>-<firmware-version>-FW-build0076-180329:opmode=0:vdom=0:user=admin
#buildno=0076
#global_vdom=1
• Only non-default and important settings (smaller file size)
• Header shows device model and firmware

Encrypted
Header (model, firmware major version, build number; the model field is unreadable in the scan):
#FGBK|3|<model>|6|00|076
After the header the encrypted file is not readable.
• Restoring configuration
  Encrypted? Same device/model + build + password required.
  Unencrypted? Same model required.
Upgrade Firmware
System > Firmware
• The current firmware version can be viewed on the Dashboard or in System > Firmware (or on the CLI).
• If there is an updated firmware version, you will be notified.
• Firmware can be updated by clicking Upload Firmware or selecting the upgrade option in the notification icon drop-down list.
• Make sure you read the Release Notes to verify the upgrade path and other details.
Upgrade Firmware Process
1. Back up the configuration (full config backup on GUI or CLI).
2. Download a copy of the current firmware, in case reversion is needed.
3. Have physical access, or a terminal server connected to the local console, in case reversion is needed.
4. Read the Release Notes; they include the upgrade path and other useful information.
5. Perform the upgrade.
Downgrade Firmware Process
1. Get the pre-upgrade configuration file.
2. Download a copy of the current firmware, in case reversion is needed.
3. Have physical access, or a terminal server connected to the local console, in case reversion is needed.
4. Read the Release Notes. (Does the downgrade preserve the configuration?)
5. Downgrade the firmware.
6. If required, upload the configuration that matches the firmware version.
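The upgrade and downgrade checklists above, as the commands typed on the CLI side. This is an added example written for this page, not the course's own procedure: the TFTP server 10.0.1.5, the file names and the backup password are constructed, and the execute command forms are the FortiOS ones as I recall them (execute backup full-config, execute restore image, execute restore config).

```fortios
# Added example: CLI side of the upgrade/downgrade checklist.

# Step 1: full configuration backup to a TFTP server. The trailing password
# encrypts the file; restoring it later requires the same model, the same
# build and this password (an unencrypted backup needs only the same model).
execute backup full-config tftp fgt-before-upgrade.conf 10.0.1.5 BackupPassw0rd

# Step 2: record the running version and build number before changing anything,
# so the matching image can be downloaded for a possible reversion.
get system status

# Steps 3 and 4 need no command: have console access ready and read the
# Release Notes for the supported upgrade (or downgrade) path.

# Step 5: load the new image from the TFTP server; FortiGate reboots afterwards.
execute restore image tftp FGT_image.out 10.0.1.5

# Step 6 (downgrade only): if the configuration was not preserved across the
# downgrade, restore the backup that matches the firmware version now running.
execute restore config tftp fgt-before-upgrade.conf 10.0.1.5 BackupPassw0rd
```

Taking the backup with a password is the right default for a file that leaves the device, since the plain-text format contains every non-default setting, including credentials for configured services; the cost is the restore constraint the slide lists, so the password itself has to be kept where the recovery team can reach it.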
Knowledge Check
1. When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, you also must provide:
A. The password to decrypt the file
B. The private decryption key to decrypt the file

2. Which document should you consult to increase the chances of success before upgrading or downgrading firmware?
A. System Administration guide
B. Release Notes
Lesson Progress
FortiGate Within the Security Fabric
Objectives
• Define the Fortinet Security Fabric
• Identify why the Security Fabric is required
• Identify the Fortinet devices that participate in the Security Fabric, especially the
essential ones
• Understand how to configure the Security Fabric at a high level
What is the Fortinet Security Fabric?
• An enterprise solution that enables a holistic approach to network security, whereby the network landscape is visible through a single console and all network devices are integrated into a centrally managed and automated defence.
• The API allows for third-party device integration.
• The Security Fabric has these attributes:
  Broad
  Powerful
  Automated
(Diagram: Fortinet Security Fabric with Management, Endpoint, SIEM, SDN and Cloud components.)
Why a Security Fabric?
• Many administrators lack visibility of their network defences, making their networks more susceptible to undetected network infiltration.
• Network complexity and sophisticated malware (soon to be augmented by AI) necessitate a centralized and holistic approach to security.
(Diagram caption: The fact that this company has deployed security solutions from multiple vendors means that, in this example, the security admin has a limited ...)
Devices That Comprise the Security Fabric
• Core (must have):
  Two or more FortiGate devices + FortiAnalyzer
• Recommended (adds significant visibility or control):
  FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
• Extended (integrates with the fabric, but may not apply to everyone):
  Other Fortinet products and third-party products using the API
Service Integration
Security Fabric > Settings
• Central Management integration
• FortiMail integration
• FortiCache and FortiWeb integration
• FortiClient EMS requirement option
• Wireless integration using REST API
User Defined Automation
Security Fabric > Automation
Automation stitch
• Automation stitches help an admin to easily set up automation actions through predefined components.
Quarantine
• Automatically quarantine compromised hosts
• See compromised and quarantined hosts in the Security Fabric topology (Security Fabric > Physical Topology)
Notifications
• Output notifications in various ways such as iOS Push or on the GUI dashboard.
• Integrate with IFTTT and other cloud services
Fabric Connectors
Security Fabric > Fabric Connectors
• Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration.
  Allow you to integrate:
  • Application Centric Infrastructure (ACI)
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • VMware NSX
  • Nuage Virtualized Services Platform
How Do You Implement the Security Fabric?
(Diagram: an external (root) FortiGate logging to FortiAnalyzer, with internal segmentation firewalls (ISFW) in front of the Accounting, Marketing and Sales networks, connected through port11 and port12.)
How Do You Implement the Security Fabric? (Cont'd)
Root FortiGate (Security Fabric > Settings):
  FortiGate Telemetry: enabled
  Group name: Corporate
  Group password: set
  FortiTelemetry enabled interfaces: port10
  FortiAnalyzer Logging: enabled; IP address (unreadable in the scan); Test connectivity
Branch (downstream) FortiGate (Security Fabric > Settings):
  FortiGate Telemetry: enabled
  Group name: Corporate
  Connect to upstream FortiGate: enabled; FortiGate IP 192.168.1.1
  FortiTelemetry enabled interfaces: port1
  FortiAnalyzer Logging: settings pushed from the root FortiGate to downstream FortiGates; Encrypt log transmission
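The two Security Fabric > Settings screens above, expressed as CLI configuration for the root and the downstream FortiGate. This is an added example written for this page, not Fortinet's own: the group name Corporate and the upstream address 192.168.1.1 come from the slide, while the FortiAnalyzer address 192.0.2.10, the group password and the interface names port10 and port1 are assumptions, and the option names (config system csf, allowaccess fortitelemetry, config log fortianalyzer setting) are the FortiOS 6.0 CLI names as I recall them.

```fortios
# Added example: Security Fabric membership for a root and a downstream FortiGate.

# --- Root FortiGate ---
config system csf
    set status enable
    set group-name "Corporate"
    set group-password "use-a-long-passphrase-here"   # placeholder value
end
# FortiTelemetry has to be accepted on the interface that faces the
# downstream FortiGate, in addition to any management protocols already set.
config system interface
    edit "port10"
        append allowaccess fortitelemetry
    next
end
# FortiAnalyzer is part of the fabric core; the root FortiGate logs to it
# and its settings are pushed to the downstream devices.
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
    set enc-algorithm high          # encrypted log transmission
end

# --- Downstream (branch) FortiGate ---
config system csf
    set status enable
    set group-name "Corporate"
    set group-password "use-a-long-passphrase-here"   # must match the root
    set upstream-ip 192.168.1.1
end
config system interface
    edit "port1"
        append allowaccess fortitelemetry
    next
end
```

The group password is what authorizes a device to join the fabric, so it deserves the same handling as an administrator credential; the fabric interface on each side should be the one that actually carries the upstream link, since fortitelemetry is an accepted inbound service on whatever interface it is enabled on.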
Security Fabric Rating
• The security score helps you to identify the security issues in your network and to prioritize your tasks.
• Some security issues, named Easy Apply, can be resolved immediately.
Knowledge Check
1. What are the essential devices that are required by the Fortinet Security Fabric?
A. FortiAnalyzer, FortiManager and FortiGates
B. FortiAnalyzer and FortiGates

2. What was a strategy discussed in this section to contain network breaches?
A. Segment the network with multiple firewalls.
B. Implement stricter policies on the edge firewall.
Lesson Progress
• Identify key FortiGate features, services, and built-in servers
• Identify the differences between the two operating modes, and the relationship between FortiGate and FortiGuard
• Identify the factory defaults, basic network settings, and console ports
• Execute basic administration, such as creating administrative users and permissions
• Execute backup and restore tasks and discuss the requirements for restoring an encrypted configuration file
• Initiate an upgrade and downgrade of the firmware
• Identify the characteristics of the Fortinet Security Fabric, FortiGate's role in it, and the high-level installation