Virtual Lab Setup Guide

for FortiGate 6.2


Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

7/3/2019

TABLE OF CONTENTS

Disclaimer 4
Change Log 5
Introduction 6
Upgrading from 6.0.0 to 6.2.0 7
Resources folder 7
Upgrading FortiGate devices to FortiOS 6.2.0 7
Restoring the FortiGates initial configuration 8
Creating Snapshots 10
Materials 11
Additional Files Required for the Labs 11
System Requirements 13
Network Topology 13
Loading the VMs in VMware Workstation 14
Loading the Windows Server 2012 VMs on VMware Workstation 12 14
Loading the Fortinet VMs on VMware Workstation 12 14
Loading the Prebuilt Linux Image 15
Loading the FIT VM 15
Configuring VMware Virtual Networking 16
Configuring the VMs 19
Local-FortiGate 20
Local-Windows 21
FortiManager 37
FortiAnalyzer 40
Restoring the Local-FortiGate Initial Configuration and License 41
Remote-FortiGate 42
Remote-Windows 43
ISFW 45
Testing 47
Creating Snapshots 49

Disclaimer

Fortinet only supports lab environments that are built to the specifications outlined in this guide. Any
modifications to, or deviations from, the environment described in this guide can impact the outcome of the
student lab exercises. Lab exercises are used as a way to reinforce learning, and knowledge obtained from
successfully performing these labs is essential for NSE certification preparation.

Fortinet Technologies Inc.

Change Log

This section includes updates to this guide.

At this time, there are no updates.

Introduction

This guide explains how to configure the lab for the following Fortinet training courses:

• FortiGate Security 6.2 (NSE 4 preparation)
• FortiGate Infrastructure 6.2 (NSE 4 preparation)

In this environment, FortiManager is acting as a local FortiGuard server. It validates the FortiGate licenses and
replies to FortiGuard Web Filtering rating requests from FortiGate VMs. The FortiManager is configured in
closed network mode, providing FortiGuard services to local FortiGate VMs, without requiring Internet access.

To administer this lab as designed, you will:

1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Deploy a copy of all VMs for each student every time there is a class.

Upgrading from 6.0.0 to 6.2.0

If you have already built the environment for the FortiGate Security and FortiGate Infrastructure courses, based
on the 6.0.0 firmware version, you can follow the instructions below to update the environment to the 6.2
firmware version.

If you have not already built the environment for the FortiGate Security and FortiGate Infrastructure courses,
based on the 6.0.0 firmware version, follow the instructions that start at Materials on page 11.

Resources folder

The Resources folder on the Local-Windows VM includes the initial configurations for each lab, for both courses.
You need to replace the current Resources folder on the Local-Windows VM with the Resources folder that
contains the FortiOS 6.2 configurations.

To replace the Resources folder on Local-Windows


1. Log in to the Local-Windows VM.
2. Delete the Resources folder located on the desktop.
3. Delete the Resources folder from Recycle Bin.
4. From the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, copy the Resources folder to
the desktop.

Upgrading FortiGate devices to FortiOS 6.2.0

You will now upgrade the Local-FortiGate and Remote-FortiGate to FortiOS version 6.2.0.

Upgrade path
To upgrade the FortiGate device to 6.2.0, follow this upgrade path:

6.0.0 > 6.0.2 > 6.0.4 > 6.2.0

To download the FortiGate VM firmware images


1. From the Local-Windows VM, open a new browser tab and log in to the Fortinet Support site
(www.support.fortinet.com).
2. Download the VM firmware image file for each firmware version included in the upgrade path.

To upgrade FortiGate VMs to FortiOS 6.2.0


Use the following steps to upgrade Remote-FortiGate and Local-FortiGate.

The NSE4-6.2 course also includes the ISFW FGT-VM. If you are teaching the NSE5 FortiAnalyzer 6.2 class, which
includes the ISFW FGT-VM, you can use the following instructions to upgrade that FGT-VM as well.

If you are not teaching the NSE5 FortiAnalyzer 6.0 class and do not have the ISFW FGT-VM, follow the
instructions for ISFW:

• Licenses: Materials on page 11
• Topology: Network Topology on page 13
• VMware Virtual Networking: Configuring VMware Virtual Networking on page 16
• Configuring ISFW: ISFW on page 45

1. Continuing on the Local-Windows VM, open a new browser tab and log in to the FortiGate GUI.
2. Click System > Firmware.
3. In the Upload Firmware section, click Browse.
4. Click Downloads and select the VM firmware image file for FortiGate 6.0.2.
5. Click Open.
6. Click Backup config and upgrade.
7. Click Continue.
8. Click Cancel.
9. Repeat steps 2 to 8 for each firmware version listed in the upgrade path, on each FortiGate VM, until the
FortiGates are upgraded to 6.2.0.
10. Once the firmware is upgraded, delete the VM firmware image file for FortiGate 6.2.0 from the Downloads folder
and the Recycle Bin.

Restoring the FortiGates initial configuration

At this stage, you are ready to restore the Local-FortiGate, Remote-FortiGate and ISFW initial configuration.

To restore the Remote-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the
user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > Initial-Configuration > remote-intial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > Initial-Configuration > local-intial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the ISFW-FortiGate configuration file


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.200 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > Initial-Configuration > ISFW-initial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Creating Snapshots

Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what
you will deploy for each student in the class.

You can also redeploy these snapshots to revert a student's VM, if their configuration is not working and they
need to quickly restore it to a functional state.

Materials

To build the virtual lab required for this class, you must purchase or download:

Resource | Information
1 VMware Workstation installation per student | For hardware system requirements, see System Requirements on page 13
3 FortiGate VM licenses | For Local-FortiGate, Remote-FortiGate, ISFW
1 FortiAnalyzer VM license | Must be registered with the IP address 10.0.1.210
1 FortiManager VM license | Must be registered with the IP address 10.0.1.241
3 FortiGuard Web Filtering, antivirus, and IPS contract | For Local-FortiGate, Remote-FortiGate, ISFW
3 Security Rating contracts | For Local-FortiGate, Remote-FortiGate, and ISFW
2 Windows Server 2012 VMs | For Local-Windows and Remote-Windows
1 Ubuntu Linux VM image | Prebuilt image is provided by Fortinet Training. The image is provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.
1 FIT VM image | Prebuilt image is provided by Fortinet Training. The image is provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.
VM firmware image files for FortiGate 6.2.0, FortiAnalyzer 6.2.0, and FortiManager 6.2.0 | After purchase, you can download the files from Fortinet Support (www.support.fortinet.com) by logging in with supplied credentials.
1 Resources folder that includes the initial configuration for each lab | Prebuilt files are provided by Fortinet Training. The files are provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.

Additional Files Required for the Labs

The following software is also required on the Windows VMs.

The executables are provided in the software sub-folder in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the
NSE Institute.

Virtual Machine | Software
Local-Windows, Remote-Windows | Mozilla Firefox 56.0.1
Local-Windows, Remote-Windows | PuTTY 0.70
Local-Windows, Remote-Windows | ActivePerl 5.24.2
Local-Windows, Remote-Windows | fgt2eth.pl: Perl script for converting FortiGate sniffer output to Wireshark PCAP (packet capture) format
Local-Windows, Remote-Windows | Windows Server 2012 patch KB9089134
Local-Windows, Remote-Windows | Wireshark 2.4.2
Local-Windows, Remote-Windows | Notepad++ 7.5.1
Local-Windows, Remote-Windows | Adobe Reader 11.0.10
Local-Windows, Remote-Windows | Adobe Flash Player 27.0.0.170
Local-Windows, Remote-Windows | Java 8 Update 151
Local-Windows | FileZilla Client 3.28.0
Local-Windows | Mozilla Thunderbird 52.4.0
Remote-Windows | FortiClient 6.0.5 build 0209

System Requirements

Each workstation running VMware Workstation requires:

• 1 Ethernet interface
• 15 GB RAM
• 400 GB storage (hard disk, SAN, etc.)

Network Topology

Loading the VMs in VMware Workstation

This section outlines how to load the VMs in VMware Workstation, including the Windows VMs, Fortinet VMs
(FortiGate, FortiManager, and FortiAnalyzer), and the Linux VM.

The Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute provides prebuilt images of the Linux VM and
FIT VM, which do not require additional configuration. You only need to load them and deploy them.

Loading the Windows Server 2012 VMs on VMware Workstation 12

The following procedure outlines how to create Windows VMs on VMware Workstation 12.

To create the Windows VMs on VMware Workstation 12


1. Click File > New Virtual Machine.
2. Click Custom (advanced), and then click Next.
3. From the Hardware compatibility drop-down list, select Workstation 12.x, and click Next.
4. Select Installer disk image file (iso), browse to your Windows Server 2012 image file, and click Next.
5. In the Virtual machine name field, type the VM name according to the network topology diagram (i.e.
Local-Windows and Remote-Windows).
6. Accept all other default settings.
7. Click Finish to build the VM.

Loading the Fortinet VMs on VMware Workstation 12

The following procedure outlines how to load the Fortinet VMs on VMware Workstation 12:

• Local-FortiGate
• Remote-FortiGate
• ISFW
• FortiManager
• FortiAnalyzer

To create the Fortinet VMs on VMware Workstation 12


1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the file name FortiGate-VM.ovf.
4. Name the VM Local-FortiGate.
5. Repeat for each VM, naming the VMs according to the network topology diagram.
   • Remote-FortiGate
   • ISFW
   • FortiManager
   • FortiAnalyzer

Loading the Prebuilt Linux Image

The following procedure outlines how to load the prebuilt Ubuntu 16.04 Linux image on VMware Workstation 12.

To load the prebuilt Linux image


1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the prebuilt image: Linux.ovf.
4. Name the VM Linux.

Loading the FIT VM

The FIT (Firewall Inspection Tester) VM includes a traffic generation tool. The VM generates web browsing
traffic, application control, botnet IP hits, malware URLs, and malware downloads.

The following procedure outlines how to load the FIT VM image on VMware Workstation 12.

To load the FIT VM image


1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the prebuilt image: FIT.ovf.
4. Name the VM FIT.

Configuring VMware Virtual Networking

Once you've loaded the VMs, you must configure their virtual network adapters to make the lab's required virtual
network topology.

The following VMs should be inside each student’s virtual lab environment:

• Local-Windows
• Remote-Windows
• ISFW
• Local-FortiGate
• Remote-FortiGate
• Linux
• FortiAnalyzer
• FortiManager
• FIT (traffic generator)

The topology supports both HA and non-HA topology, which the students will switch between during the labs by
reconfiguring their VMs; no VMware reconfiguration is required.

The key to this flexible networking is the six LAN segments used in the current setup, plus the predefined
interfaces: vmnet0 and vmnet1.

• vmnet0 bridges the physical NIC which provides the default route to the Internet.
• vmnet1 is a host-only private network shared between the host and the guest systems.

By mapping the guest VMs’ virtual NICs to virtual LAN segments, you create the topology.

To configure VMware virtual networking

1. Create one additional virtual NIC on each of your Windows VMs:
   • Local-Windows: Add 1 more NIC (2 NICs total).
   • Remote-Windows: Add 1 more NIC (2 NICs total).
2. Ensure that the prebuilt Linux VM has five NICs. If not, add as many as needed to have five.
3. Create the LAN segments:
   a. Right-click the Local-Windows VM and select Settings.
   b. Select either of the two Network Adapters.
   c. Click LAN Segments.
   d. Click Add as many times as needed to create the seven LAN segments.
   e. Click OK twice to close the windows.
4. Map the LAN segments to each vNIC:
   • For the Local-Windows VM, map these network adapters:

     Network Adapter | LAN Segment
     1 (first) | LAN3
     2 | Custom: VMnet1 (Host-only)

   • For the Remote-Windows VM, map these network adapters:

     Network Adapter | LAN Segment
     1 | LAN6
     2 | Custom: VMnet1 (Host-only)

   • For both FortiGate VMs (Local-FortiGate and Remote-FortiGate), map the first seven network adapters:

     Network Adapter | LAN Segment
     1 | LAN1
     2 | LAN2
     3 | LAN3
     4 | LAN4
     5 | LAN5
     6 | LAN6
     7 | LAN3

   • For the ISFW VM, map these network adapters:

     Network Adapter | LAN Segment
     1 | LAN3
     3 | LAN7

   • For the FortiManager VM, map these network adapters:

     Network Adapter | LAN Segment
     1 | LAN3
     2 | LAN1

   • For the FortiAnalyzer VM, map these network adapters:

     Network Adapter | LAN Segment
     1 | LAN3
     3 | LAN1

   • For the Linux VM, map these network adapters:

     Network Adapter | LAN Segment
     1 | VMnet0
     2 | LAN1
     3 | LAN2
     4 | LAN4
     5 | LAN5

   • For the FIT VM, map these network adapters:

     Network Adapter | LAN Segment
     1 | LAN3
     2 | LAN7

Configuring the VMs

Before you deploy the VMs, you must first install the required software and files on your Windows VM. You must
also configure some initial settings on your Fortinet VMs so that they have network connectivity, and load their
VM license.

The prebuilt Linux VM provided with the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute is already
configured. The root password for the prebuilt VM is: password.

The prebuilt FIT VM provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute is already
configured.

Local-FortiGate

The following procedure outlines how to configure the network interfaces on Local-FortiGate.

To configure network interfaces on Local-FortiGate


1. Start the Local-FortiGate VM and open the VM console.
2. Log in as admin, and leave the password field empty.
3. Enter:

exec formatlogdisk

This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots
after the format is complete.

4. Enter this configuration to configure the network interfaces:

config system interface
    edit port1
        set ip 10.200.1.1 255.255.255.0
        set allowaccess http
    next
    edit port2
        set ip 10.200.2.1 255.255.255.0
        set allowaccess http
    next
    edit port3
        set ip 10.0.1.254 255.255.255.0
        set allowaccess http
    next
end
config router static
    edit 1
        set gateway 10.200.1.254
        set device port1
    next
end
config firewall policy
    edit 1
        set srcintf port3
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end
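
An added example, not part of the Fortinet guide: a small Python parser for the config/edit/set/next/end blocks above that lists interfaces whose allowaccess includes a cleartext management protocol and policies that accept any source, destination and service. The function names and the CLEARTEXT_ACCESS set are assumptions of this example, the sample text is constructed from the configuration above, and nested config blocks are not handled.

```python
import shlex

# Constructed sample: the interface and policy settings from the Local-FortiGate
# procedure above (the static route is left out because it is not audited here).
LAB_CONFIG = """\
config system interface
    edit port1
        set ip 10.200.1.1 255.255.255.0
        set allowaccess http
    next
    edit port2
        set ip 10.200.2.1 255.255.255.0
        set allowaccess http
    next
    edit port3
        set ip 10.0.1.254 255.255.255.0
        set allowaccess http
    next
end
config firewall policy
    edit 1
        set srcintf port3
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end
"""

# Assumption of this example: management protocols treated as cleartext.
CLEARTEXT_ACCESS = {"http", "telnet"}


def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into
    {section: {entry: {setting: [values]}}}. Nested config blocks are not handled."""
    sections = {}
    section = entry = None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config" and args:
            section = " ".join(args)
            sections.setdefault(section, {})
            entry = None
        elif cmd == "edit" and args and section is not None:
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif cmd == "set" and args and entry is not None:
            sections[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = entry = None
    return sections


def audit(sections):
    """Return (object, finding) pairs for settings to review before reuse outside a lab."""
    findings = []
    for name, cfg in sections.get("system interface", {}).items():
        weak = sorted(CLEARTEXT_ACCESS & set(cfg.get("allowaccess", [])))
        if weak:
            findings.append((name, "cleartext management access: " + ", ".join(weak)))
    for pid, cfg in sections.get("firewall policy", {}).items():
        wide_open = (cfg.get("action") == ["accept"]
                     and cfg.get("srcaddr") == ["all"]
                     and cfg.get("dstaddr") == ["all"]
                     and cfg.get("service") == ["ALL"])
        if wide_open:
            findings.append(("policy " + pid, "accepts any source, destination and service"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(parse_fortios(LAB_CONFIG)):
        print(f"{obj}: {finding}")
```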

Local-Windows

The Local-Windows VM is used as the student's network management computer in the lab. Students will
initiate most client network connections from it, and administer Fortinet VMs.

To copy the Resources folder to Local-Windows


1. From the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, copy the Resources folder to
the desktop.

To perform initial setup


1. On this VM, verify that the correct local time and time zone is set, and that the screen has a resolution of at least
1280x1024. (This ensures proper display of the FortiOS GUI.)
2. Change the administrator account password to password. (Disable password complexity check if required.)
3. Configure the IPv4 network settings for LAN3:

   IP address | 10.0.1.10
   Netmask | 255.255.255.0
   Default gateway | 10.0.1.254
   DNS | 10.0.1.254

4. Configure the IPv6 network settings for LAN3:
   • Obtain an IPv6 address automatically
   • Obtain DNS server address automatically
5. Install the following software:

   All software applications are located in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute
   (in the software folder).

   • Firefox
   • PuTTY
   • ActivePerl
   • Thunderbird
   • FileZilla
   • Wireshark
   • Adobe Reader
   • Adobe Flash
   • Notepad++
   • Java

6. VMnet1 is your guest access network. When editing this network adapter, choose a unique address. Do not
configure a gateway.
7. Open Windows Firewall and disable Windows Firewall in all the network types.

To install AD, Web, and DNS Services


1. Open Server Manager and select Add roles and features.
2. Click Next.
3. Select Role-based or feature-based installation.
4. Click Next.
5. Select the server with the IP address 10.0.1.10.
6. Click Next.
7. On the Server Roles screen, select Active Directory Domain Services, DNS Server, and Web Server
(IIS).
8. Add all the features for those three roles.
9. Click Next.
10. Click Next until you get the Confirmation screen.
11. Click Install and wait until the installation finishes.
12. From the Server Manager, click the flag icon with the exclamation point and select Promote this server to a
domain controller.
13. Select Add a new forest.
14. Type trainingAD.training.lab as the domain name.
15. Click Next.
16. Type any DSRM password and click Next.
17. Ignore the DNS warning and click Next.
18. Accept all the remaining default values and click Next until you get the Prerequisites Check screen.
19. Click Install, and wait until the installation finishes.

Creating users in Active Directory


The following procedure outlines how to create two Active Directory users in the Users container: Student and
ADadmin.

You may need to disable password complexity requirements for Active Directory users.
See In a Domain Environment, for an Active Directory Domain Server for the
procedure.

To create the student user


1. Open Server Manager.
2. Click Tools.
3. Open Active Directory Users and Computers.
4. Expand the trainingAD.training.lab tree.
5. Right-click the Users container.
6. Select New > User.
7. In the First name and User logon name fields, type student and then click Next.
8. In the Password and Confirm password fields, type password.
9. Disable User must change password at next logon and enable Password never expires.
10. Click Next.
11. Click Finish.

To create the ADadmin user


1. Continuing in Active Directory Users and Computers and the trainingAD.training.lab tree, right-click the
Users container.
2. Select New > User.
3. In the First name and User logon name fields, type ADadmin and then click Next.
4. In the Password and Confirm password fields, type Training!
5. Disable User must change password at next logon and enable Password never expires.
6. Click Next.
7. Click Finish.

To create the Training Organizational Unit and additional users


1. Continuing in Active Directory Users and Computers, right-click trainingAD.training.lab from the tree.
2. Select New > Organizational Unit.
3. In the Name field, type Training.
4. Right-click Training from the tree and select New > User.
5. Create the following user and click Next.
6. In the Password and Confirm password fields, type Training! as the password.
7. Disable User must change password at next logon and enable Password never expires.
8. Click Next.
9. Click Finish.
10. Repeat the process to create the following users in the Training organizational unit (same settings and
password):
l aduser2

To create an Active Directory group


1. Open Active Directory Users and Computers.
2. Expand the trainingAD.training.lab tree, and right-click the Training container.
3. Select New > Group.
4. Complete the following and click OK:

   Field | Value
   Group name | AD-users
   Group scope | Global
   Group type | Security

5. Double-click the AD-users group from the right pane.
6. Select the Members tab and add aduser1 and aduser2.
7. Click OK.

To enable Remote Desktop access for the student user


1. On the Local-Windows desktop, click the Start menu.
2. Right-click This PC and select Properties.
3. Click Remote settings.
4. Select Allow remote connections to this computer.
5. Clear the Allow connections only from computers running Remote Desktop with Network Level
Authentication checkbox.
6. Click Apply.
7. Click OK.

To allow AD users to log in locally to the Win-Server


1. On the Local-Windows desktop, click the Start menu.
2. Search for gpmc.msc and open the Group Policy Management tool.
3. Expand Forest: trainingAD.training.lab > Domains > trainingAD.training.lab > Group Policy Objects.
4. Right-click Default Domain Controllers Policy, and then click Edit.
5. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
6. Click User Rights Assignment.
7. In the main pane, right-click Allow log on locally and then click Properties.
   The Allow log on locally Properties dialog box appears.
8. In the Security Policy Setting tab, click Add User or Group.
9. Click Browse.
10. Enter aduser1, and then click Check Names.
    aduser1 appears with its full AD domain description.
11. Click OK.
12. Click OK.
13. Click OK.
14. Repeat steps 7-13 for aduser2.

To force the group policy update


1. In the Local-Windows VM, open the Command Prompt tool (cmd).
2. Enter the following command and press Enter:
   gpupdate /force

The group policy updates successfully. You can now switch users to test access to the aduser1 session within
the Local-Windows VM.

It is advised to personalize the desktop for the aduser1 and aduser2 with a different
color than the administrator session. This will help to confirm students are working in
the right session.

To configure Internet Information Services (IIS)


1. Open Server Manager.
2. Click Tools > Internet Information Services (IIS) Manager.
3. In the Connections pane, select the root node and double-click Server Certificates.
4. In the Actions pane, click Import.
   The Import Certificate dialog box appears.
5. In the Certificate file (.pfx) field, click the ... icon.
6. In the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, browse to the software folder,
   and open webserver.pfx.
7. In the Password field, type fortinet.
8. From the Select Certificate Store drop-down menu, select Web Hosting.
9. Click OK.
   The imported certificate appears in the Server Certificates list.
10. In the Connections pane, expand the root node.
11. Click Sites > Default Web Site.
12. In the Actions pane, click Bindings.
    The Site Bindings dialog box appears.
13. Click Add.
14. From the Type drop-down menu, select https.
15. From the SSL certificate drop-down menu, select 10.200.1.200.
16. Click OK.
    A caution prompt appears.
17. Click OK.
18. Click Close.
19. Close the Internet Information Services (IIS) Manager.

You will install the root certificate in the next procedure.

Install the Training CA certificate in Windows


1. In the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, browse to the software folder,
   and double-click Training.crt to open the file.
   The Certificate dialog box appears.
2. Click Install Certificate.
3. Click Local Machine.
4. Click Next.
5. Click Place all certificates in the following store and click Browse.
6. Click Trusted Root Certification Authorities and click OK.
7. Click Next.
8. Click Finish.
   A successful import notification is displayed.
9. Click OK.

To configure FileZilla
1. Open FileZilla.
2. Click on the upper left icon to open the site manager.
3. Click New Site to add a new site.
4. Name the new site FTPsite and configure as follows:

   Field | Value
   Host | 10.200.3.254
   Port | 222
   Protocol | FTP - File Transfer Protocol
   Encryption | Only use plain FTP
   Logon type | Anonymous

5. Click the Transfer Settings tab, and select Active as the transfer mode.
6. Click OK.
7. Click New Site to create a new site and name it Linux.

   Field | Value
   Host | 10.200.1.254
   Port | <leave it empty>
   Protocol | FTP - File Transfer Protocol
   Encryption | Use explicit FTP over TLS if available
   Logon type | Anonymous

8. Click the Transfer Settings tab, and select Default as the transfer mode.
9. Click OK.

To configure Thunderbird outgoing server settings


1. From the Local-Windows desktop, open Mozilla Thunderbird.
2. Click the three bars icon in the upper right of the application.
3. Click Options > Account Settings.
4. Click Outgoing Server (SMTP) and click Add.
5. Configure the following settings:

   Setting | Value
   Server Name | 10.200.1.254
   Port | 25
   Connection security | None
   Authentication Method | Password, transmitted insecurely
   Username | student

6. Click OK.

To configure Thunderbird mail accounts


1. Still in Mozilla Thunderbird, click Options > Account Settings.
2. From the bottom of the left menu, click Account Actions > Add Mail Account.
3. Add the following account:

   Your name | admin
   Email address | admin@training.lab
   Password | @fortinet1

4. Click Continue.
5. Add the following incoming and outgoing server settings:

6. Click Done.
7. If prompted, accept the certificate exception.
8. Select Account Actions > Add Mail Account again to create a second user:

   Your name | student
   Email address | student@training.lab
   Password | password

9. Click Continue.
10. Add the following incoming and outgoing server settings:

11. Click Done.
12. Click OK.

Configuring SMB file share


The Local-Windows machine requires an SMB file share.

To create a folder
1. Open File Explorer.
2. Go to the C drive.
3. Create a new folder named DLPshare.

To add the file share


1. Open Server Manager.
2. From the left pane, click File and Storage Services.
3. Click Shares.
4. From the TASKS drop-down menu, select New Share.
   A wizard opens.
5. Select SMB Share - Quick and click Next.
6. Select Type a custom path and click Browse.
7. Select the dlpshare folder you created in the C drive and click Select Folder.
8. Click Next until you get to the Permissions screen (see the left menu options).
9. On the Permissions screen, make sure BUILTIN\Administrators has full control.
10. Click Next.
11. Click Create.
12. Click Close.

To disable HSTS in Firefox


1. Open Firefox.
2. In the URL field, type about:config.
3. Click I accept the risk! if prompted.
4. Right-click and select New > Integer.
5. Add an item named test.currentTimeOffsetSeconds and enter the value 11491200.
6. Confirm your time.
7. Clear the cache.

To disable certificate pinning


1. Open Firefox.
2. In the URL field, type about:config.
3. Click I accept the risk! if prompted.
4. In the Search field, type security.cert_pinning.enforcement_level.
5. Edit the setting and change value to 0.
6. Clear the cache.

To create bookmarks in PuTTY


1. Open PuTTY.
2. Complete the following:

   Host Name (or IP address) field | Saved Sessions
   10.0.1.254 | LOCAL-FORTIGATE

3. Click Save.
4. Repeat steps 2 and 3 for the following VMs:

   Host Name (or IP address) field | Saved Sessions
   10.200.3.1 | REMOTE-FORTIGATE
   10.0.1.200 | ISFW
   10.0.1.210 | FORTIANALYZER
   10.0.1.241 | FORTIMANAGER
   10.0.1.254 | LINUX
   10.0.1.20 | FIT

To install additional files


1. From the Resources folder that you copied to your Local-Windows desktop, copy the Perl script fgt2eth.pl to
convert FortiGate sniffer capture to PCAP to the Active Perl bin folder:

c:\Perl64\bin

2. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer, Firefox, PuTTY,
command prompt, Notepad++, Windows Remote Desktop Connection, and FileZilla.
3. Open Mozilla and add the following four bookmarks to the bookmarks toolbar:
- Local-FortiGate: http://10.0.1.254
- Remote-FortiGate: http://10.200.3.1
- ISFW: http://10.0.1.200
- FortiManager: https://10.0.1.241
- FortiAnalyzer: https://10.0.1.210

FortiManager

Even though FortiManager is not the focus of the FortiGate courses, it is required for the lab setup due to the use
of closed network mode. More information about the FortiManager closed network mode can be found in this
document:

https://docs.fortinet.com/

Requesting Closed Network Entitlement Files


After you have purchased VM licenses and registered them on https://support.fortinet.com, you must request
closed network entitlement files. These files are required for manually uploading FortiGate license validation
information to FortiManager in closed network mode.

To request closed network entitlement files


1. On the Fortinet Technical Support website (https://support.fortinet.com/), create a ticket with Fortinet Technical
Support by going to Assistance > Create Ticket > Customer Service > Submit Ticket.
2. Enter the Serial Number.
3. Under Category, select CS Contact/License.
4. In the Comment field, ask for an entitlement file for your FortiGate VMs and provide the serial numbers and
license numbers.
If you don't remember them, you can find them in Asset > Manage View Products > <Select product>.

Example:

Serial Number: FGVM010000024628

License Number: FGVM0035444

Alternatively, as with registration, you can attach a spreadsheet that contains serial
and license numbers if you want to ask for entitlement files for two or more FortiGate
VMs at the same time. Fortinet Technical Support will provide one entitlement file that
contains validation information for all of your FortiGate VMs. All FortiGate VMs must
be registered with the same account; devices registered under different accounts
cannot be combined into the same entitlement file.

Within a day or two, you should receive an entitlement file from customer service.

To configure the FortiManager initial settings


1. Start the FortiManager and open the VM console.
2. From the console make the following changes:

config system interface
    edit port1
        set ip 10.0.1.241 255.255.255.0
        set allowaccess http https ssh ping telnet
    next
end


3. Connect to the GUI from the Local-Windows VM and restore the FMG-initial.dat file from the folder
Resources/Initial-Configuration.
4. Upload a valid FortiManager VM license.

To configure FortiManager as a local FDN server


1. Log into the FortiManager GUI and click FortiGuard.
2. From the left menu, click Settings.
3. Turn on Enable Communication with FortiGuard Server and click Apply.
4. Turn on Enable AntiVirus and IPS Service and enable FortiGate 6.2.
5. Turn on the following services:
- Enable Web Filter Service
- Enable Email Filter Service

6. Click Apply.
7. Wait until FortiManager has downloaded and synchronized all the service packages and updates. This could take
several hours.
8. Check the status of the updates through the following CLI commands:
# diagnose fmupdate update-status fds
# diagnose fmupdate update-status fgd
Once complete, the upullStat should say Synced. Note that it will sync after every package
FortiManager downloads, so you can run these commands multiple times to verify the status. It should take
several hours to complete.

If you do not see any progress in the downloads, for example, the UpullStat
remains in the Connected state, you can manually trigger the update through the
following commands:
# diagnose fmupdate updatenow fds
# diagnose fmupdate updatenow fgd


9. Once complete, the file size for web filtering (FURL) and email filter (SPAM00x) under Query Server
Management > Receive Status should be approximately as they appear in this screenshot:

10. After the FortiGuard packages and updates are synchronized, click Advanced Settings and turn off Enable
Communication with FortiGuard Server.
11. Click Apply.

To upload the entitlement files to FortiManager


1. Log into the FortiManager GUI and click FortiGuard.
2. From the left menu, click Advanced Settings.
3. From the Upload Options for FortiGate/FortiMail section, click Upload for Service License.

4. Upload the following, one at a time:
- Both FortiGate entitlement files
Click Apply after each file upload.

FortiAnalyzer

The following procedure outlines how to configure the FortiAnalyzer system settings.

To configure the FortiAnalyzer initial settings


1. Start FortiAnalyzer and open the VM console.
2. From the console make the following changes:

config system interface
    edit port1
        set ip 10.0.1.210 255.255.255.0
        set allowaccess http https ssh ping telnet
    next
end

3. Connect to the GUI from the Local-Windows VM and restore the file from the folder

Resources/Initial-Configuration/FAZ-initial.dat

4. Upload the FortiAnalyzer VM license.

Field Value

Destination IP/Mask 0.0.0.0/0.0.0.0

Gateway 10.200.1.254

Interface port3

Restoring the Local-FortiGate Initial Configuration and License

At this stage, you are ready to restore the Local-FortiGate initial configuration and license.

To restore the Local-FortiGate initial configuration and license


1. On the Local-Windows VM, open a web browser and connect to the FortiGate VM's GUI.
2. Upload local-initial.conf from Resources/Initial-Configuration.
3. After that, upload the VM license.
FortiGate should query FortiManager to validate its VM license and FortiGuard service contracts.

If the license status does not appear as Valid, run the following command:
# execute update-now

Remote-FortiGate

The following procedure outlines how to configure the network interfaces on Remote-FortiGate.

To configure network interfaces on Remote-FortiGate


1. Start the Remote-FortiGate VM and open the VM console.
2. Log in as admin, and leave the password field empty.
3. Enter:
exec formatlogdisk

This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots
after the format is complete.

4. Enter this configuration to configure the network interfaces:

config system interface
    edit port4
        set ip 10.200.3.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
    next
end
config router static
    edit 1
        set device port4
        set gateway 10.200.3.254
    next
end

5. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file from the folder
Resources/Initial-Configuration.
6. Upload the VM license for this device.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are required in
this FortiGate.

If the license status does not appear as Valid, run the following command:
# execute update-now

Remote-Windows

To configure initial settings


1. On this VM, verify that the correct local time and time zone are set, and that the screen has a resolution of at least
1280x1024 (this ensures proper display of the FortiOS GUI).
2. Configure the network settings for LAN6:
- IP address: 10.0.2.10
- Netmask: 255.255.255.0
- Default gateway: 10.0.2.254
- DNS: 10.0.2.254
3. VMnet1 is your guest access network. When editing this network adapter, choose a unique address and do not
configure a gateway on this adapter.
4. Open Windows Firewall and disable Windows Firewall in all the network types.

Installing the Microsoft patch for SSL VPN


For SSL VPN tunnel mode to work properly, you must install a Microsoft hotfix that solves a
Microsoft problem with the FortiSSL adapter.

To install the Microsoft patch for SSL VPN


1. Execute this command from the Remote-Windows command prompt:

bcdedit -set testsigning on

2. After that, install the hotfix file named:

Windows8.1-KB9089134-x64.exe

This file is in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute (the software
folder).

If you get an error indicating that the hotfix has expired, change the Local-Windows system date to April 1,
2015 and try the installation again. After the installation, you can change it back to the right date.

Installing Additional Software


You must install the following software:

All software applications are located in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute,
in the software folder.


- Firefox
- PuTTY
- Wireshark
- Java
- Adobe Flash
- Notepad++
- FortiClient (install only the VPN module)

Once installed, add shortcuts to the Windows task bar and desktop for the following applications:

- File Explorer
- Firefox
- PuTTY
- command prompt
- FortiClient

ISFW

The following procedure outlines how to configure the network interfaces on ISFW.

To configure network interfaces on ISFW


1. Start the ISFW VM and open the VM console.
2. Log in as admin, and leave the password field empty.
3. Enter:

exec formatlogdisk

This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots
after the format is complete.

4. Enter this configuration to configure the network interfaces:

config system interface
    edit port1
        set ip 10.0.1.200 255.255.255.0
        set allowaccess http
    next
    edit port3
        set ip 10.0.3.254 255.255.255.0
        set allowaccess http
    next
end
config router static
    edit 1
        set gateway 10.0.1.254
        set device port1
    next
end
config firewall policy
    edit 1
        set srcintf port3
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end

5. Connect to the GUI from the Local-Windows VM and upload the ISFW-initial.conf file from the folder
Resources/Initial-Configuration.
6. Upload the VM license for this device.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are required in
this FortiGate.


If the license status does not appear as Valid, run the following command:
# execute update-now
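
The interface and static-route blocks in this guide only work when each route's gateway lies inside the subnet of the interface it points at. The Python check below is an added example, not part of the Fortinet guide: it parses flat config/edit/set text and reports off-link gateways. The function names are assumptions of this example, and the sample input is constructed with a deliberately mistyped first octet.

```python
import ipaddress

def parse_config(text):
    """Parse flat FortiOS config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = line.split() or [""]
        if tok[0] == "config":
            section = " ".join(tok[1:])
            cfg.setdefault(section, {})
        elif tok[0] == "edit" and section is not None and len(tok) > 1:
            entry = cfg[section].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None and len(tok) > 2:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = entry = None
    return cfg

def off_link_gateways(text):
    """Return one finding per static route whose gateway is outside its device's subnet."""
    cfg, nets, findings = parse_config(text), {}, []
    for port, s in cfg.get("system interface", {}).items():
        if "ip" in s:  # "set ip <address> <netmask>"
            nets[port] = ipaddress.ip_interface("/".join(s["ip"])).network
    for rid, s in cfg.get("router static", {}).items():
        dev, gw = s.get("device", [""])[0], s.get("gateway", [""])[0]
        if dev in nets and gw and ipaddress.ip_address(gw) not in nets[dev]:
            findings.append(f"route {rid}: gateway {gw} is not in {dev} subnet {nets[dev]}")
    return findings

# Constructed sample in the style of the lab's interface and route blocks;
# the port1 address has a deliberately mistyped first octet.
SAMPLE = """
config system interface
    edit port1
        set ip 1.0.1.200 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 10.0.1.254
        set device port1
    next
end
"""
if __name__ == "__main__":
    print(off_link_gateways(SAMPLE))
```

Running the same check over the text pasted into each VM console before the Testing section catches addressing typos that would otherwise only show up as failed pings.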

Testing

Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual network
connections, test connectivity.

From Local-Windows server, test connectivity to:

10.0.1.254 LAN3 Local-FortiGate_port3

10.0.1.241 FortiManager

10.0.1.200 ISFW

10.0.1.210 FortiAnalyzer

10.0.1.20 FIT

From Local-FortiGate, test connectivity to:

10.0.1.10 LAN3 Local-Windows

10.200.1.254 LAN1 LINUX_eth1

10.200.2.254 LAN2 LINUX_eth2

10.0.1.241 FortiManager

10.0.1.200 ISFW

10.0.1.210 FortiAnalyzer

4.2.2.2 To test IP forwarding and NAT on your Linux VM

10.0.1.20 LAN3 FIT

From the ISFW, test connectivity to:

10.0.1.254 LAN3 Local-FortiGate_port3

10.0.3.20 LAN7 FIT

From the Linux host, test connectivity to:

10.200.1.1 LAN1 Local-FortiGate_port1

10.200.2.1 LAN2 Local-FortiGate_port2

10.200.3.1 LAN4 Remote-FortiGate_port4

10.200.4.1 LAN5 Remote-FortiGate_port5

4.2.2.2 LAN0


From Remote-FortiGate, test connectivity to:

10.0.2.10 LAN6 Remote-Windows server

10.200.3.254 LAN4 LINUX_eth3

10.200.4.254 LAN5 LINUX_eth4

10.200.1.241 FortiManager

10.200.1.210 FortiAnalyzer

From Remote-Windows, test connectivity to:

10.0.2.254 LAN6 Remote-FortiGate_port6

From FortiAnalyzer, test connectivity to:

10.0.1.20 FIT

10.0.1.254 LAN3 Local-FortiGate_port3

10.200.1.254 LAN1 LINUX_eth1

Creating Snapshots

Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what
you will deploy for each student in the class.

You can also re-deploy these snapshots to revert a student's VM if their configuration is not working and they
need to quickly restore it to a functional state.

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
