Virtual Lab Setup Guide FGT 6.2
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Feedback
Email: courseware@fortinet.com
7/3/2019
TABLE OF CONTENTS
Disclaimer
Change Log
Introduction
Upgrading from 6.0.0 to 6.2.0
Resources folder
Upgrading FortiGate devices to FortiOS 6.2.0
Restoring the FortiGates initial configuration
Creating Snapshots
Materials
Additional Files Required for the Labs
System Requirements
Network Topology
Loading the VMs in VMware Workstation
Loading the Windows Server 2012 VMs on VMware Workstation 12
Loading the Fortinet VMs on VMware Workstation 12
Loading the Prebuilt Linux Image
Loading the FIT VM
Configuring VMware Virtual Networking
Configuring the VMs
Local-FortiGate
Local-Windows
FortiManager
FortiAnalyzer
Restoring the Local-FortiGate Initial Configuration and License
Remote-FortiGate
Remote-Windows
ISFW
Testing
Creating Snapshots
Disclaimer
Fortinet only supports lab environments that are built to the specifications outlined in this guide. Any
modifications to, or deviations from, the environment described in this guide can impact the outcome of the
student lab exercises. Lab exercises are used as a way to reinforce learning, and knowledge obtained from
successfully performing these labs is essential for NSE certification preparation.
This guide explains how to configure the lab for the following Fortinet training courses:
1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Deploy a copy of all VMs for each student every time there is a class.
If you have already built the environment for the FortiGate Security and FortiGate Infrastructure courses, based
on the 6.0.0 firmware version, you can follow the instructions below to update the environment to the 6.2
firmware version.
If you have not already built the environment for the FortiGate Security and FortiGate Infrastructure courses,
based on the 6.0.0 firmware version, follow the instructions that start at Materials on page 11.
Resources folder
The Resources folder on the Local-Windows VM includes the initial configurations for each lab, for both courses.
You need to replace the current Resources folder on the Local-Windows VM with the Resources folder that
contains the FortiOS 6.2 configurations.
You will now upgrade the Local-FortiGate and Remote-FortiGate to FortiOS version 6.2.0.
Upgrade path
To upgrade the FortiGate device to 6.2.0, you must follow this upgrade path.
In the NSE4-6.2 course, the ISFW FGT-VM is also included. If you are teaching the NSE5 FortiAnalyzer 6.2 class, which
includes the ISFW FGT-VM, you can use the following instructions to upgrade that FGT-VM as well.
If you are not teaching the NSE5 FortiAnalyzer 6.0 class and do not have the ISFW FGT-VM,
follow the instructions for ISFW:
1. Continuing on the Local-Windows VM, open a new browser tab and log in to the FortiGate GUI.
2. Click System > Firmware.
3. In the Upload Firmware section, click Browse.
4. Click Downloads and select the VM firmware image file for FortiGate 6.0.2.
5. Click Open.
6. Click Backup config and upgrade.
7. Click Continue.
8. Click Cancel.
9. Repeat steps 2 to 8 for each firmware version listed in the upgrade path, on each FortiGate VM, until the
FortiGates are upgraded to 6.2.0.
10. Once the firmware is upgraded, delete the VM firmware image file for FortiGate 6.2.0 from the Downloads folder
and the Recycle Bin.
At this stage, you are ready to restore the Local-FortiGate, Remote-FortiGate and ISFW initial configuration.
5. Click OK.
6. Click OK to reboot.
Creating Snapshots
Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what
you will deploy for each student in the class.
You can also redeploy these snapshots to revert a student's VM, if their configuration is not working and they
need to quickly restore it to a functional state.
To build the virtual lab required for this class, you must purchase or download:
Resource | Information
1 VMware Workstation installation per student | For hardware system requirements, see System Requirements on page 13.
1 FIT VM image | Prebuilt image is provided by Fortinet Training. The image is provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.
FortiGate 6.2.0, FortiAnalyzer 6.2.0, FortiManager 6.2.0 | After purchase, you can download the files from Fortinet Support (www.support.fortinet.com) by logging in with supplied credentials.
1 Resources folder that includes: | Prebuilt files are provided by Fortinet Training. The files are provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.
PuTTY 0.70 | Local-Windows, Remote-Windows
Wireshark 2.4.2 | Local-Windows, Remote-Windows
Adobe Reader 11.0.10 | Local-Windows, Remote-Windows
Java 8 Update 151 | Local-Windows, Remote-Windows
• 1 Ethernet interface
• 15 GB RAM
• 400 GB storage (hard disk, SAN, etc.)
Network Topology
This section outlines how to load the VMs in VMware Workstation, including the Windows VMs, Fortinet VMs
(FortiGate, FortiManager, and FortiAnalyzer), and the Linux VM.
The following procedure outlines how to create Windows VMs on VMware Workstation 12.
The following procedure outlines how to load the Fortinet VMs on VMware Workstation 12:
• Local-FortiGate
• Remote-FortiGate
• ISFW
• FortiManager
• FortiAnalyzer
• Remote-FortiGate
• ISFW
• FortiManager
• FortiAnalyzer
The following procedure outlines how to load the prebuilt Ubuntu 16.04 Linux image on VMware Workstation 12.
The FIT (Firewall Inspection Tester) VM includes a traffic generation tool. The VM generates web browsing
traffic, application control, botnet IP hits, malware URLs, and malware downloads.
The following procedure outlines how to load the FIT VM image on VMware Workstation 12.
Once you've loaded the VMs, you must configure their virtual network adapters to make the lab's required virtual
network topology.
The following VMs should be inside each student’s virtual lab environment:
• Local-Windows
• Remote-Windows
• ISFW
• Local-FortiGate
• Remote-FortiGate
• Linux
• FortiAnalyzer
• FortiManager
• FIT (traffic generator)
The topology supports both HA and non-HA topology, which the students will switch between during the labs by
reconfiguring their VMs; no VMware reconfiguration is required.
The key to this flexible networking is the six LAN segments used in the current setup, plus the predefined
interfaces: vmnet0 and vmnet1.
• vmnet0 bridges the physical NIC which provides the default route to the Internet.
• vmnet1 is a host-only private network shared between the host and the guest systems.
By mapping the guest VMs’ virtual NICs to virtual LAN segments, you create the topology.
1 (first) LAN3
1 LAN6
• For both FortiGate VMs (Local-FortiGate and Remote-FortiGate), map the first seven network adapters:
1 LAN1
2 LAN2
3 LAN3
4 LAN4
5 LAN5
6 LAN6
7 LAN3
1 LAN3
3 LAN7
1 LAN3
2 LAN1
1 LAN3
3 LAN1
1 VMnet0
2 LAN1
3 LAN2
4 LAN4
5 LAN5
1 LAN3
2 LAN7
Before you deploy the VMs, you must first install the required software and files on your Windows VM. You must
also configure some initial settings on your Fortinet VMs so that they have network connectivity, and load their
VM license.
The following procedure outlines how to configure the network interfaces on Local-FortiGate.
exec formatlogdisk
This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots
after the format is complete.
The Local-Windows VM is used as the student's network management computer in the lab. Students will
initiate most client network connections from it, and administer Fortinet VMs.
IP address 10.0.1.10
Netmask 255.255.255.0
DNS 10.0.1.254
• Firefox
• PuTTY
• ActivePerl
• Thunderbird
• FileZilla
• Wireshark
• Adobe Reader
• Adobe Flash
• Notepad++
• Java
6. VMnet1 is your guest access network. When editing this network adapter, choose a unique address. Do not
configure a gateway.
7. Open Windows Firewall and disable Windows Firewall in all the network types.
You may need to disable password complexity requirements for Active Directory users.
See In a Domain Environment, for an Active Directory Domain Server for the
procedure.
6. In the Password and Confirm password fields, type Training! as the password.
7. Disable User must change password at next logon and enable Password never expires.
8. Click Next.
9. Click Finish.
10. Repeat the process to create the following users in the Training organizational unit (same settings and
password):
• aduser2
Field Value
7. Click OK.
6. Click Apply.
7. Click OK.
The group policy updates successfully. You can now switch users to test access to the aduser1 session within
the Local-Windows VM.
It is advised to personalize the desktop for aduser1 and aduser2 with a different
color than the administrator session. This helps confirm that students are working in
the right session.
6. In the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, browse to the software folder,
and open webserver.pfx.
7. In the Password field, type fortinet.
8. From the Select Certificate Store drop-down menu, select Web Hosting:
9. Click OK.
The imported certificate appears in the Server Certificates list.
4. Click Next.
5. Click Place all certificates in the following store and click Browse.
7. Click Next.
8. Click Finish.
A successful import notification is displayed:
9. Click OK.
To configure FileZilla
1. Open FileZilla.
2. Click on the upper left icon to open the site manager.
3. Click New Site to add a new site.
4. Name the new site FTPsite and configure as follows:
Field Value
Host 10.200.3.254
Port 222
5. Click the Transfer Settings tab, and select Active as the transfer mode.
6. Click OK.
7. Click New Site to create a new site and name it Linux.
Field Value
Host 10.200.1.254
8. Click the Transfer Settings tab, and select Default as the transfer mode.
9. Click OK.
Setting Value
Setting Value
Port 25
Username student
6. Click OK.
Password @fortinet1
4. Click Continue.
5. Add the following incoming and outgoing server settings:
6. Click Done.
7. If prompted, accept the certificate exception.
8. Select Account Actions > Add Mail Account again to create a second user:
Password password
9. Click Continue.
10. Add the following incoming and outgoing server settings:
To create a folder
1. Open File Explorer.
2. Go to the C: drive.
3. Create a new folder named DLPshare.
A wizard opens.
3. Click Save.
4. Repeat steps 2 and 3 for the following VMs:
c:\Perl64\bin
2. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer, Firefox, PuTTY,
command prompt, Notepad++, Windows Remote Desktop Connection, and FileZilla.
3. Open Mozilla and add the following four bookmarks to the bookmarks toolbar:
• Local-FortiGate: http://10.0.1.254
• Remote-FortiGate: http://10.200.3.1
• ISFW: http://10.0.1.200
• FortiManager: https://10.0.1.241
• FortiAnalyzer: https://10.0.1.210
Even though FortiManager is not the focus of the FortiGate courses, it is required for the lab setup due to the use
of closed network mode. More information about the FortiManager closed network mode can be found in this
document:
https://docs.fortinet.com/
Example:
Alternatively, as with registration, you can attach a spreadsheet that contains serial
and license numbers if you want to ask for entitlement files for two or more FortiGate
VMs at the same time. Fortinet Technical Support will provide one entitlement file that
contains validation information for all of your FortiGate VMs. All FortiGate VMs must
be registered with the same account; devices registered under different accounts
cannot be combined into the same entitlement file.
Within a day or two, you should receive an entitlement file from customer service.
3. Connect to the GUI from the Local-Windows VM and restore the FMG-initial.dat file from the folder
Resources/Initial-Configuration.
4. Upload a valid FortiManager VM license.
6. Click Apply.
7. Wait until FortiManager has downloaded and synchronized all the service packages and updates. This could take
several hours.
8. Check the status of the updates through the following CLI commands:
# diagnose fmupdate update-status fds
# diagnose fmupdate update-status fgd
Once complete, the upullStat should say Synced. Note that it will sync after every package
FortiManager downloads, so you can run these commands multiple times to verify the status. It should take
several hours to complete.
If you do not see any progress in the downloads, for example, the UpullStat
remains in the Connected state, you can manually trigger the update through the
following commands:
# diagnose fmupdate updatenow fds
# diagnose fmupdate updatenow fgd
9. Once complete, the file size for web filtering (FURL) and email filter (SPAM00x) under Query Server
Management > Receive Status should be approximately as they appear in this screenshot:
10. After the FortiGuard packages and updates are synchronized, click Advanced Settings and turn off Enable
Communication with FortiGuard Server.
11. Click Apply.
The following procedure outlines how to configure the FortiAnalyzer system settings.
3. Connect to the GUI from the Local-Windows VM and restore the file from the folder
Resources/Initial-Configuration/FAZ-initial.dat
Field Value
Gateway 10.200.1.254
Interface port3
At this stage, you are ready to restore the Local-FortiGate initial configuration and license.
If the license status does not appear as Valid, run the following command:
# execute update-now
The following procedure outlines how to configure the network interfaces on Remote-FortiGate.
This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots
after the format is complete.
4. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file from the folder
Resources/Initial-Configuration.
5. Upload the VM license for this device.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are required in
this FortiGate.
If the license status does not appear as Valid, run the following command:
# execute update-now
Windows8.1-KB9089134-x64.exe
This file is in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute (the software
folder).
If you get an error indicating that the hotfix has expired, change the Local-Windows system date to April 1,
2015 and try the installation again. After the installation, you can change it back to the right date.
• Firefox
• PuTTY
• Wireshark
• Java
• Adobe Flash
• Notepad++
• FortiClient (install only the VPN module)
Once installed, add shortcuts to the Windows task bar and desktop for the following applications:
• File Explorer
• Firefox
• PuTTY
• command prompt
• FortiClient
The following procedure outlines how to configure the network interfaces on ISFW.
exec formatlogdisk
This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots
after the format is complete.
5. Connect to the GUI from the Local-Windows VM and upload the ISFW-initial.conf file from the folder
Resources/Initial-Configuration.
6. Upload the VM license for this device.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are required in
this FortiGate.
If the license status does not appear as Valid, run the following command:
# execute update-now
Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual network
connections, test connectivity.
10.0.1.241 FortiManager
10.0.1.200 ISFW
10.0.1.210 FortiAnalyzer
10.0.1.20 FIT
10.0.1.241 FortiManager
10.0.1.200 ISFW
10.0.1.210 FortiAnalyzer
4.2.2.2 LAN0
10.200.1.241 FortiManager
10.200.1.210 FortiAnalyzer
10.0.1.20 FIT
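A scripted version of the connectivity test for the Local-Windows VM, added here as an example and not part of the Fortinet guide: it opens a TCP connection to each management GUI from the bookmark list and pings the hosts in the first test table. That the first table is the Local-Windows test set, and the 2-second timeout, are assumptions.

```powershell
# Added example (not from the Fortinet guide): run on Local-Windows before
# taking snapshots. Addresses are the guide's own; the pairing of the first
# test table with Local-Windows and the 2 s timeout are assumptions.
$TimeoutMs = 2000

# Management GUIs exactly as bookmarked in the guide.
$Guis = [ordered]@{
    'Local-FortiGate'  = 'http://10.0.1.254'
    'Remote-FortiGate' = 'http://10.200.3.1'
    'ISFW'             = 'http://10.0.1.200'
    'FortiManager'     = 'https://10.0.1.241'
    'FortiAnalyzer'    = 'https://10.0.1.210'
}
# Hosts from the first test table, expected to answer ICMP echo.
$PingTargets = [ordered]@{
    'FortiManager'  = '10.0.1.241'
    'ISFW'          = '10.0.1.200'
    'FortiAnalyzer' = '10.0.1.210'
    'FIT'           = '10.0.1.20'
}

function Test-TcpPort([string]$Address, [int]$Port) {
    # Plain TcpClient with a bounded wait, so a dead segment fails fast.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the port refused the connection
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = @()
foreach ($name in $Guis.Keys) {
    $uri = [System.Uri]$Guis[$name]    # Uri.Port resolves to 80 or 443 from the scheme
    $results += [pscustomobject]@{ VM = $name; Check = "tcp/$($uri.Port)"
        Target = $uri.Host; Ok = (Test-TcpPort $uri.Host $uri.Port) }
}
foreach ($name in $PingTargets.Keys) {
    $ip = $PingTargets[$name]
    $results += [pscustomobject]@{ VM = $name; Check = 'icmp'
        Target = $ip; Ok = (Test-Connection -ComputerName $ip -Count 2 -Quiet) }
}

$results | Format-Table VM, Check, Target, Ok -AutoSize
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("Fix before snapshotting: " + (($failed | ForEach-Object { "$($_.VM) $($_.Check)" }) -join ', '))
    exit 1
}
```

A non-zero exit code means at least one VM is on the wrong LAN segment, is powered off, or has not had its initial configuration restored.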
Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what
you will deploy for each student in the class.
You can also re-deploy these snapshots to revert a student's VM if their configuration is not working and they
need to quickly restore it to a functional state.