
Lab 1 Initial Setup


Tasks
In this lab, you will complete the following tasks:
Exercise 1 Connecting to the Command Line Interface (CLI)
Exercise 2 Connecting to the FortiGate Web Config
Exercise 3 Configuring Network Connectivity
Exercise 4 Exploring the CLI
Exercise 5 Configuring Global System Settings
Exercise 6 Configuring Administrative Users

Exercise 1 Connecting to the Command Line Interface (CLI)


This exercise details the initial orientation of the CLI. When setting up a new
FortiGate unit, establishing the connection to the CLI is generally the first step,
even if most of the configuration changes are performed in Web Config.
With the CLI, verify correct administrator access, confirm the installed FortiOS
firmware version, and set some basic parameters to permit access to Web Config
for the rest of the system configuration.
Access the console command line interface (CLI) using the RS-232 serial port on
the FortiGate unit. Some models use a DB9-F and others use an RJ45-style
connector. A serial cable is used to connect the PC to the FortiGate console port.
A CLI administrative session can also be accessed remotely using SSH, Telnet, or
through a Java console applet during a Web Config administrative session.

Course 201-v4.0 Administration, Content Inspection and Basic VPN Access
01-4000-0201-20090501 55

Check Device Connections


1 Plug the Internet connection into the wan1 port on the FortiGate unit. Verify
that the wan1 LED indicator on the front of the device is green.

Note: In the classroom lab environment, all addresses used are private addresses as
outlined in RFC1918. The wan1 Internet subnet is actually a private address subnet
and cannot be used in a real-world situation.

2 Connect the PC's network cable into the internal interface (ports 1 through 6)
of the FortiGate unit and make sure the corresponding internal LED indicator is
green.
The FortiGate unit's built-in DHCP server will assign addresses to the devices
connected to these ports as required. The factory default subnet assignment of
192.168.1.0/24 will be used.

Note: The internal interface on a FortiGate unit is a multi-port switching hub port with
auto-MDX sensing so either a straight or cross-over cable can be used.

Log in to the CLI


3 Use a serial cable to connect the PC serial port to the FortiGate console port
that is located on the back of the device. If the PC is not equipped with a serial
port, you can use a USB to serial adapter to connect the PC to the FortiGate
device.
4 Start a terminal emulation program on the PC, such as Windows
HyperTerminal or TeraTerm. The serial connection settings required are:
• 9600 bps
• 8 bit data
• no parity
• 1 stop bit
• no flow control
5 At the FortiGate CLI login prompt, log in with username admin (all lowercase)
and an empty password.
6 Reset the FortiGate device to factory defaults by typing the following
command:
exec factoryreset
When asked to continue, type Y, press enter, and wait for the reset to
complete.
7 Log in to the CLI once again and type the following command to display status
information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build,
operational mode, and additional settings.

8 Type the following command to see a full list of accepted keywords:


get ?
Depending on the keyword used with this command, there may be other
sub-keywords and additional parameters to enter.

Note: The ? character is not displayed on the screen.

9 Press the Up arrow key to redisplay the previous get system status
command and try some of the control key sequences that are summarized
below.

Previous command               Up arrow, CTRL+P
Next command                   Down arrow, CTRL+N
Beginning of line              CTRL+A
End of line                    CTRL+E
Back one word                  CTRL+B
Forward one word               CTRL+F
Delete current character       CTRL+D
Abort command and exit branch  CTRL+C

CTRL+C is context sensitive and in general, aborts the current command and
moves up to the previous command branch level. If you are already at the root
branch level, CTRL+C will force a logout of the current session and another
login will be required.
10 Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a
time each time the <tab> key is pressed.
11 Type the following command to see the entire list of execute commands:
execute ?
Similar to the get command, keywords may have sub-keywords or require
that additional parameters be entered. The FortiGate CLI is hierarchical and all
execute commands can only be invoked when at the top level.
12 Enter the following CLI commands and compare the available keywords for
each one:
config ?
show ?
These two commands are closely related.
config begins the configuration mode while show displays the configuration.
The only difference is show full-configuration. The default behavior of
the show command is to only display the differences from the factory-default
configuration.

13 Enter the following CLI commands to display the FortiGate unit's internal
interface configuration settings and compare the output for each of them:
show system interface internal
show full-configuration system interface internal
Only the characters shown in bold typeface need to be typed, optionally
followed by <tab>, to complete the command keyword. Use this technique
when you use the CLI to reduce the number of keystrokes to enter information.
CLI commands can be entered in an abbreviated form as long as enough
characters are entered to ensure the uniqueness of the command keyword.
Parameters, however, must be fully typed out. For example, when specifying
the interface name internal, it cannot be abbreviated to int or inter.

Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or the
[Enter] key to scroll one line at a time. Press q to exit.

14 Enter the CLI command below to display the factory set IP address of the
FortiGate's internal interface.

show system interface internal

The internal interface's IP address is 192.168.1.99. You will use this address
later for HTTP administrative access to the FortiGate device.


Exercise 2 Connecting to the FortiGate Web Config


This exercise introduces the FortiGate Web Config. To access Web Config using
a standard Web browser, such as Firefox (1.0 or later) or Microsoft Internet
Explorer (6.0 or later), enable Cookies and Javascript for proper rendering and
display of the graphical user interface.

Caution: If you are using your own laptop or PC for the following exercise, make sure
to record your original PC network settings before proceeding.

1 Set the PC IP settings to DHCP. The FortiGate device will assign the PC an
address in the range of 192.168.1.110 to 192.168.1.210.
2 Verify the PC settings using the ipconfig command from the Windows
command prompt. The default gateway corresponds to the Internal Interface
IP address of the FortiGate unit (192.168.1.99).
3 Open a web browser and type the following address to access the FortiGate
Web Config interface.
https://192.168.1.99
Accept the self-signed certificate when the security alert appears.
HTTPS is the recommended protocol for administrative access to the
FortiGate UTM devices. Other available protocols include SSH, ping, SNMP,
HTTP, and Telnet.
4 At the login screen, enter the username of admin (all lowercase), leave the
password blank, and click Login.
5 The first window displayed after a successful login is the System Dashboard.
Before continuing with the rest of the initial configuration, explore the System
Dashboard page and find the following information:

Current Firmware Version
Date and Time
Serial Number
Operational Mode

Other system details found on the System Dashboard include the current CPU
and memory usage, number of active sessions, recent content inspection
statistics, administrative users, and FortiGuard Services status.

6 Before proceeding to the next exercise, ensure that the FortiGate unit is
running the correct version of FortiOS firmware required for this class (FortiOS
4.0).

Note: If you are not running the correct version, click Update for Firmware version and
browse to the firmware file available from the Fortinet Support site with a valid service
contract.

Exercise 3 Configuring Network Connectivity


In this exercise, the FortiGate unit's wan1 interface settings are configured using
one of the following addressing modes: DHCP, Manual (Static IP), or PPPoE.
Complete the steps for the configuration that applies only to your Internet setup.
If your network setup supports DHCP, complete the section Configuring the
wan1 Interface Using DHCP.
If you are using static IP addresses, complete the section Configuring the
wan1 Interface Using Static Assignments.
If your setup supports PPPoE, complete the section Configuring the wan1
Interface Using PPPoE.

Configuring the wan1 Interface Using DHCP


If your Internet setup (ISP or other) supports DHCP, perform the steps below to
configure the wan1 interface.

1 In the Web Config, go to System > Network. From the Interface tab, click Edit
for the wan1 interface.
On the Edit Interface page, configure the following settings:

Addressing mode                        DHCP
Distance                               5
Retrieve default gateway from server   Enable
Administrative access                  HTTPS: Enable

Click Apply.
2 Wait a few seconds for the wan1 interface to acquire an address from the
ISP's DHCP server before continuing.

Note: Configuration changes get saved to the non-volatile flash memory when clicking
OK in Web Config or when next or end is entered on the CLI. No explicit save
command is required.
For CLI configuration only, this behavior can be changed to require an explicit save or
to revert after a set period if an explicit save is not performed.
config system global
set cfg-save <automatic/manual/revert>
set cfg-revert-timeout <600> (in seconds, only when cfg-save is revert)

3 After a few seconds, click the Status: link to refresh and view the acquired
DHCP address assignment details.

Configuring the wan1 Interface Using Static Assignments


If you are using static IP assignments for your Internet setup, complete the steps
below for your wan1 network configuration.

1 In Web Config, go to System > Network. From the Interface tab, click Edit
for the wan1 interface.
On the Edit Interface page, configure the following settings:

Addressing mode         Manual
IP/Netmask              Enter the IP address and Netmask (given by a
                        network administrator) using the format IP/Netmask.
                        For example: 192.168.20.20/255.255.255.0
Administrative access   HTTPS: Enable

Click Apply.
2 Click the Options tab to open Networking Options. In the Primary DNS Server
field, enter the IP address of the DNS Server given by a network administrator.
If a second DNS server is available, enter its IP address in the Secondary DNS
Server field.
Click Apply.
3 Go to the Router> Static> Static Route tab to configure a static route entry for
the default gateway.
Click Create New. The New Static Route window opens.
For the wan1 device, set Gateway to the IP address of the default gateway
device given by a network administrator.
Leave the Destination/IP Mask settings at the default setting
0.0.0.0/0.0.0.0.
Click OK.


Configuring the wan1 interface using PPPoE


If your Internet setup supports PPPoE, perform the steps below to configure your
wan1 interface.

1 In Web Config, go to System > Network. From the Interface tab, click Edit
for the wan1 interface.
On the Edit Interface page, configure the following settings:

Addressing mode                        PPPoE
Username                               Enter your username (given to you by your ISP).
Password                               Enter your password (given to you by your ISP).
Retrieve default gateway from server   Enable (only if your ISP supports this option)
Override internal DNS                  Enable (only if your ISP supports this option)
Administrative access                  HTTPS: Enable

Click Apply.
2 Click the Options tab to open Networking Options. In the Primary DNS Server
field, enter the IP address of the DNS Server given by a network administrator.
If a second DNS server is available, enter its IP address in the Secondary DNS
Server field.
Click Apply.
3 Go to the Router> Static> Static Route tab to configure a static route entry for
the default gateway.
Click Create New. The New Static Route window opens.
For the wan1 device, set Gateway to the IP address of the default gateway
device given by a network administrator.
Click OK.


All users, irrespective of the type of addressing used (DHCP, Static, or
PPPoE) should continue with the following steps.

Viewing System Settings For wan1


1 From the CLI, type the following commands to view the interface settings for
wan1:

Note: Depending on how long it has been since the last command was entered in
the CLI, another login may be required.

config system interface
edit wan1
get
end
In the displayed output, note the same DHCP parameters that were viewed for
the wan1 interface in the previous step.
2 Type the nslookup command to verify the Fortinet web site address so it can
be successfully pinged. For example,
exec ping 208.70.202.225

Configuring the wan2 Interface


To secure the wan2 interface from accidental usage, remove the IP address
and administratively disable this port. The IP address can only be unset from
the CLI.
3 In the CLI console, enter the commands below to disable and clear the IP
address of the wan2 interface:
config system interface
edit wan2
set status down
unset ip
end
4 In Web Config, go to System > Network. From the Interface tab, note that the
interface list will now display wan2 with an IP address of 0.0.0.0/0.0.0.0
and a disabled status icon (red dot with down-arrow). A display refresh may be
needed to see the new status information.

Viewing the Configuration of the Built-in DHCP Server


The FortiGate unit runs a DHCP server configured for the internal interface.
5 Go to System > DHCP. From the Service tab, expand Internal, then expand
Servers.
Click the Edit icon and view the settings for internal_dhcp_server
(predefined).

Note: The DHCP leases are preserved even when the FortiGate unit is re-booted. To
clear all DHCP leases, disable and then re-enable the specific DHCP server.

Click Cancel to exit.

Viewing DHCP Address Leases


6 Click the Address Leases tab and locate the entry for the PC in the displayed
list.
As new PCs are connected to the trusted internal subnet, a list of the DHCP
address leases is displayed.


Exercise 4 Exploring the CLI


In this exercise, you will review the network configuration from the CLI and be
introduced to some additional commands.

1 To view the equivalent CLI configuration of the FortiGate interfaces, type the
following command:
show system interface
2 To see verbose settings, type the command:
show full-configuration
3 To view additional parameters for all interfaces, type the command:
get system interface
Compare the get command output with the output from the show command.
The information from each is similar: get displays all settings and values,
while show gives the syntax for the configuration.

The FortiGate CLI is hierarchical, which means that some commands are only
applicable at a certain level or context. The next step demonstrates the
hierarchy when modifying the wan1 interface to add additional administrative
access to assist with troubleshooting during initial deployment. Once the
system is operational, ping access may be removed to avoid simple ICMP
scans.

Note: The set command is not additive. The existing parameters must be re-entered
and the new parameter must be added.

4 To add SSH access on the wan1 interface, enter the following CLI commands:
config system interface
edit wan1
set allowaccess https ping ssh
next
end

5 Verify the changes by typing the following command:


show system interface wan1
6 Display the configuration of the DHCP server that provides IP addresses to the
PCs connected to the internal interface with the following commands:
show system dhcp server
show full-configuration system dhcp server
get system dhcp server


7 To inspect the DHCP leases in the CLI for the addresses distributed by the
internal interface DHCP server, type:
exec dhcp lease-list
Other available DHCP CLI commands are listed below. Please do not run
these commands at this time.
To clear all DHCP leases:
exec dhcp lease-clear
To refresh a DHCP lease:
exec interface dhcpclient-renew <interface name>


Exercise 5 Configuring Global System Settings


In this exercise, you will set up the DNS server IP, system time, and a hostname.
You will also modify the global settings for administrative time-outs and Web
Admin port access.

Configuring DNS Settings


SOHO models, such as the FortiGate-100A and lower, can be configured to
automatically use the acquired DNS server address, as well as perform local DNS
forwarding.
1 In Web Config, go to System > Network. On the Options tab, modify the DNS
settings:

Use the following DNS server address   Primary DNS Server: 4.2.2.1
                                       Leave the Secondary DNS Server setting as is.
Enable DNS forwarding from internal    (default)

Note: For FortiGate-200 models and higher, the Primary DNS and Secondary DNS
servers can only be configured manually. The factory defaults are set to Fortinet-
maintained DNS forwarders 65.39.139.53 and 65.39.139.63 respectively.

Click Apply.
2 Compare the output for the DNS CLI commands:
show system dns
get system dns
The output should correspond to the changes made in Step 1.

Configuring Time Settings


For logging purposes, as well as to optimize FortiGuard updates, the FortiGate
unit will be set to the correct timezone and NTP server synchronization will be
enabled. Use a local NTP server or the factory default NTP server
(pool.ntp.org).
3 Go to System > Status. On the Status tab, click the Change link for System
Time in the System Information pane.
In the Time Settings window, set the time zone and enable NTP server
synchronization. By default, pool.ntp.org will be used. (The NTP server
IP address or FQDN can be used.) Enable Automatically adjust clock for
daylight savings if required in your area.
Click OK.
4 Display the current system time from the CLI by typing the following command:
execute time
Question: How can you set the system time manually?
Answer: Type exec time ? to view the syntax.
5 Verify that the date setting is correct by typing the following CLI command:
exec date

Configuring the Hostname


Perform the following steps to configure the hostname for the FortiGate unit.
6 Go to System> Status. In the System Information pane, click the Change link
for Host Name and change the FortiGate hostname to a name of your choice.
Click OK.
At the next login, the new hostname will appear in the browser title bar.
7 View the CLI equivalent commands for all the system settings configured in the
above steps by typing the following command:
show system global

Configuring Idle Timeout for Web Config


For the purpose of avoiding Web Config timeouts during the lab exercises,
increase the idle timeout to the maximum value.
8 Go to System > Admin and select the Settings tab. Increase the Idle Timeout
parameter listed under Timeout Settings to 480.
Leave all other settings unchanged.
Click Apply to save the changes.


Exercise 6 Configuring Administrative Users


In this exercise, you will configure administrative users with a new administration
profile and login.

1 Go to System > Admin. View the current administrator users from the
Administrators tab.
The factory default Trusted Hosts setting of 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0
allows connection from any host address.


2 The factory default password for the admin account is empty. Click Change
Password so the admin user can access the Edit Password window and
set the new password to fortinet.
To save the changes, click OK.
3 Log out of Web Config by clicking the Logout icon or closing the web browser.
4 Log back in to Web Config using the new admin password you just created.
5 To enhance administrative security, create a new administrator account that
will be used for day-to-day administration of the FortiGate device and will
restrict the source IP connection with Trusted Hosts.
Go to System > Admin. From the Administrators tab, click Create New.
Create a new administrator with the following settings:

Administrator     admin1
Type              Regular
Password          fortinet
Trusted Host #1   192.168.1.0/24
Admin Profile     super_admin

Click OK to save the changes.

Note: Ping requests to this device are also restricted by the trusted host setting of the
administrator account.


6 Go to System >Admin. On the Admin Profile tab, click Create New to create a
new access profile with only read-write access to the content inspection
functions in the New Admin Profile window. Limiting access only to the areas
affecting content inspection helps to eliminate accidental errors that could
adversely affect connectivity.
Configure the new access profile using the following settings. You will have to
expand the sections to access all of the settings.

[Screenshot: New Admin Profile access control table listing System Configuration,
Network Configuration, Admin Users, FortiGuard Update, Maintenance, Router
Configuration, Firewall Configuration and the remaining profile sections, each with
access-level radio buttons]

Click OK.

Note: You can customize the FortiGate interface to show, hide, and arrange widgets,
menus, and items according to your specific requirements when you click the
Customize link at the bottom of the New Admin Profile window. This customizable
feature lets you present various graphical user interface configurations to fulfill different
administrator roles.


7 Go to System > Admin. On the Administrators tab, click Create New to create
a new administrative account that uses the new content-control access profile.
Configure the new administrator account using the following settings:

Administrator     cadmin
Type              Regular
Password          123456
Trusted Host #1   192.168.1.0/24
Admin Profile     content-control

Click OK.
8 To view the CLI configuration for Administrative Users and Profiles, type the
following commands:
show system admin
show system accprofile
9 Test the new administrative access login. Log out of the current Web Config
session and log in again as cadmin (password: 123456).
Try to access areas which you have set to Read Only. For example, go to
System > Network > Interface. You will only be able to view data and not edit or
save.
The Trusted Host setting configured for admin1 and cadmin will only allow
access to PCs connected to the internal 192.168.1.0/24 subnet even if the
correct password is entered.
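The allowaccess setting from Exercise 4 (step 4) and the Trusted Host settings from this exercise can both be audited offline against the output of the show commands above. The following Python script is an added example and is not part of the Fortinet course material; its sample show dump, the interface names and the account names are constructed for the example.

```python
import shlex

# Constructed sample in the format the FortiGate CLI "show" commands print.
# "show" lists only settings that differ from the factory default, so the
# "admin" entry below, which has no trusthost lines, is still at the default
# (reachable from any host).
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "wan1"
        set allowaccess https ping ssh telnet
        set ip 192.168.20.20 255.255.255.0
    next
    edit "internal"
        set allowaccess https ping ssh
        set ip 192.168.1.99 255.255.255.0
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "admin1"
        set trusthost1 192.168.1.0 255.255.255.0
        set accprofile "super_admin"
    next
end
"""

# Management protocols that carry credentials in cleartext.
CLEARTEXT_MGMT = {"telnet", "http"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]   # factory default trusthost value


def parse_show(text):
    """Parse config/edit/set/next/end output into {section: {entry: {key: values}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)          # handles quoted names such as edit "wan1"
        if not words:
            continue
        keyword = words[0]
        if keyword == "config":
            section = " ".join(words[1:])
            sections.setdefault(section, {})
        elif keyword == "edit" and section is not None:
            entry = words[1]
            sections[section].setdefault(entry, {})
        elif keyword == "set" and entry is not None:
            sections[section][entry][words[1]] = words[2:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section, entry = None, None
    return sections


def audit_interfaces(sections, wan_names=("wan1", "wan2")):
    """Flag WAN interfaces whose allowaccess exposes cleartext or ICMP management."""
    findings = []
    for name, settings in sections.get("system interface", {}).items():
        if name not in wan_names:
            continue
        access = set(settings.get("allowaccess", []))
        for proto in sorted(access & CLEARTEXT_MGMT):
            findings.append((name, "cleartext management protocol: " + proto))
        if "ping" in access:
            findings.append((name, "ping enabled; remove once deployment is stable"))
    return findings


def audit_admins(sections):
    """Flag administrators whose trusted hosts still allow any source address."""
    findings = []
    for name, settings in sections.get("system admin", {}).items():
        restricted = [v for k, v in settings.items()
                      if k.startswith("trusthost") and v != ANY_HOST]
        if not restricted:
            findings.append((name, "trusted hosts allow any source address"))
    return findings


def allowaccess_command(sections, name, remove):
    """Build the complete 'set allowaccess' line with the given protocols dropped.

    'set' replaces the whole list rather than adding to it, so every protocol
    that should remain has to be re-entered; this derives that list from the
    current configuration.
    """
    current = sections["system interface"][name].get("allowaccess", [])
    keep = [p for p in current if p not in set(remove)]
    return "set allowaccess " + " ".join(keep)


if __name__ == "__main__":
    cfg = parse_show(SAMPLE_SHOW_OUTPUT)
    for item, why in audit_interfaces(cfg) + audit_admins(cfg):
        print(f"{item}: {why}")
    # Correction for wan1 that keeps https and ssh: "set allowaccess https ssh"
    print(allowaccess_command(cfg, "wan1", {"telnet", "ping"}))
```

The same parser works on a saved backup such as the one taken at the end of Lab 2, since the backup file uses the same config/edit/set hierarchy.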


Lab 2 Fortinet Subscription Services

Tasks
In this lab, you will complete the following tasks:
Exercise 1 Enabling FortiGuard Services and Updates

Exercise 1 Enabling FortiGuard Services and Updates


In this exercise, you will configure access to the FortiGuard Distribution Network
(FDN) along with which FortiGuard Services are available based on the
FortiGuard subscription entitlement.

Note: You can only complete this exercise if the FortiGate unit has already been
registered on the Fortinet Support web site (https://support.fortinet.com).

1 Log in to Web Config as admin (password: fortinet).
2 Go to System > Maintenance. On the FortiGuard tab, check the details about
the FortiGuard licensing entitlement for the FortiGate unit.
Question: What is the antivirus definition version, expiry, and last update attempt
for your FortiGate unit?
If only the version field is showing, the FortiGate unit firmware was upgraded
recently and there have been no further update attempts.
Note: In the classroom environment, the FortiGate unit is behind a NAT device. Port
forwarding must be configured on the NAT device, otherwise the Push Update feature
will not work. See the on-line help for more information on how to configure Push
Updates.

3 On the FortiGuard tab, expand Web Filtering and AntiSpam Options and edit
the following FortiGuard services settings:

Enable Web Filter   enable
Enable Cache TTL    1800 seconds (30 minutes)
Enable AntiSpam     enable
Enable Cache TTL    900 seconds (15 minutes)
Port Selection      53 (default)

Click Test Availability to establish connectivity between the FortiGate unit and
the FDN server.


The display will update to show the FortiGuard Web Filtering and AntiSpam
subscription information. Ensure that the FortiGate unit has a valid subscription
before proceeding.
Note: By default, FortiGuard uses UDP/53, because this port is almost always open for
DNS traffic. If there is another IPS device on the network that is decoding DNS data on
port 53, the FortiGuard request/response may trigger an alert, as the data is encrypted.
Change to UDP/8888 for FortiGuard communication and ensure upstream devices
permit this traffic to pass.

4 Expand AntiVirus and IPS Options and click Update Now to force the FortiGate
unit to obtain the latest AV and IPS definitions. This action sends a request to
an FDN server. After 3 to 5 minutes, if properly entitled and depending on
Internet congestion, the FortiGate unit will receive and install updated
definitions.
Wait a few minutes and click the FortiGuard menu tab again and check for the
new updates. Today's date should appear next to the Update link for both AV
and IPS Definitions.
The AV and IPS signature databases can also be updated either individually or
together through the CLI using the following commands:
exec update-av    Update AV engine/definitions
exec update-ips   Update IPS engine/definitions
exec update-now   Update now
Note: Antivirus and IPS updates can also be set to be pushed automatically to the
FortiGate unit. To allow push updates, expand AntiVirus and IPS Options and enable
Allow Push Update and set the update schedule required, for example, every 4 hours.

Note: The update-now function is only for updating Antivirus and IPS definitions and
not for upgrading the system firmware!

5 View the CLI settings by entering the following commands in a CLI session:
show system autoupdate schedule
show system fortiguard
Compare the output with:
get system autoupdate schedule
get system fortiguard


Note: The defined FortiGuard autoupdate interval was set to 4 hours through Web
Config but the CLI (show system autoupdate schedule) shows 4:60. This means
that the additional minutes interval will be randomly picked from 0 to 59 minutes. This
helps to spread out the request load on the FortiGuard server. An exact hour and
minute interval can be set through the CLI as illustrated in this example:
userX # config system autoupdate schedule
(schedule) # set time ?
<hh:mm>    hour and minute (hh: 0-23, mm: 0-59 or 60=random)
(schedule) # set time 4:0
(schedule) # end
Verify the change with:
show system autoupdate schedule

6 Before proceeding to the next lab, perform a complete backup of the FortiGate
configuration.
Go to System > Maintenance. On the Backup & Restore tab, click Backup.
Save the backup to your PC with the following name:
Lab2_fgt_system.conf


Lab 3 Logging and Monitoring


Tasks
In this lab, you will complete the following tasks:
Exercise 1 Exploring Web Config Monitoring
Exercise 2 Configuring System Event Logging
Exercise 3 Exploring the FortiAnalyzer Interface
Exercise 4 Configuring Email Alerts
Exercise 5 SNMP Set-up (Optional)

Exercise 1 Exploring Web Config Monitoring


You have already examined the System Information and License Information
sections of the System Dashboard. This exercise gives you a brief tour of the
status information presented in other areas of the Dashboard.

1 Log in to Web Config as admin. Go to System > Status to view the System
Dashboard.
There are several areas that provide summary information and clickable icons
or links that provide additional information through a pop-up window or a new
information window.
2 Locate the System Resources pane on the System Dashboard. Check the
CPU Usage and Memory Usage status dials.
3 Hover the mouse pointer over the System Resources title bar and click History.
A pop-up window appears showing a trace of past CPU Usage, Memory
Usage, Session, Network Utilization, Virus, and Intrusion History.


In the System Resource History graph window, the time interval represented
by each horizontal grid square can be selected from the pull-down menu to the
right of Time Interval. The refresh rate of this window is automatically set to
1/20th of the time interval.

Click Close to return to the System > Status tab.


4 The Alert Message Console pane displays the five most recent critical system
events, such as system restart and firmware upgrade.
Hover over the Alert Message Console title bar and click the History icon to
view a pop-up window that displays the entire message list.

[Figure: Alert Message Console pane]

5 Session and content inspection statistics are shown in the Statistics pane.
Since there will have been little or no traffic through the FortiGate unit and no
content inspection configured, the Content Archive and Attack Log statistics
will be uninteresting at this time.


The Reset link in the top-right of the Statistics box will clear the current
statistics counts.

[Figure: Statistics pane (Since 2009-03-03 09:41:15). Content Archive: HTTP 0 URLs visited; HTTPS 0 URLs visited; Email 0 emails sent, 0 emails received; FTP 0 URLs visited, 0 files uploaded, 0 files downloaded; IM 0 file transfers, 0 chat sessions, 0 messages. Attack Log: AV 0 viruses caught; IPS 0 attacks detected; Spam 0 spams detected; Web 0 URLs blocked; DLP 0 data loss detected. Each row has a Details link.]

6 There will already be a number of sessions recorded by the FortiGate unit. The
Top Sessions pane is not displayed by default. Add it by clicking Add Content>
Top Sessions. Click the Details link to display more information about the
sessions.
Test the function of the various icons in this screen. There are icons for screen
refresh, page forward and back, column display filters, as well as clear
session.

Question: Can you identify the Web Admin sessions in the Session table display?
(Hint: Look for the TCP sessions from the PC IP address to the IP address of the
Internal interface of the FortiGate unit.)
Question: For what are the majority of port 53 sessions? (Hint: Remember that
FortiGuard Services are enabled.)


Exercise 2 Configuring System Event Logging


In this exercise, you will configure system event logging, as well as the destination
where the FortiGate unit will send the log messages.
You will enable logging to memory and to the FortiAnalyzer device which will
archive the log messages and later generate reports. If the FortiGate unit has a
hard disk, set local log message archiving.

1 Go to Log&Report > Log Config. From the Log Setting tab, expand Remote
Logging and enable FortiAnalyzer.
Apply the following settings:

Minimum log level Information
Static IP Address 209.87.230.134

For initial testing purposes, the log level is set to the lowest and most verbose
level, Information. In real deployments, the level would more likely be set to
Warning or Notification.
Automatic discovery of a FortiAnalyzer unit with FortiDiscovery Protocol (FDP)
is only applicable when the FortiGate unit and the FortiAnalyzer unit are on the
same broadcast domain (subnet). This would be a rare situation in an actual
network but appropriate for a FortiGate 5000 chassis when a FortiAnalyzer
blade is used.
2 While still on the Log Settings tab, enable and expand the Memory option and
verify that the Minimum log level is set to Information.
Click Apply.
3 In the Remote Logging section, click Test Connectivity to register with the
FortiAnalyzer device. A pop-up window displays to indicate a successful
connection and registration process.
The FortiAnalyzer unit being used is configured to automatically accept and
register all new FortiGate device connections. Alternate settings are to register
only (and ignore logging messages) or ignore (manual registration).
In an actual scenario, there would be additional configuration required at the
FortiAnalyzer end to permit the necessary connection for manual device
registration.
Click Close to exit from the FortiAnalyzer Connection Summary window.
4 On the Event Log tab, click Enable and select all events.
Click Apply to save the changes.
You can display the CLI settings for the logging destinations with the following
commands:
get log <destination> setting
get log <destination> filter
Substitute fortianalyzer or memory for the destination above.

Note: There are different logging capabilities, depending on the destination. The
keywords may also differ.


5 Test the logging setup with some simulated log messages sent to the logging
destinations using the following CLI command:
diagnose log test
6 Go to Log&Report > Log Access. On the Memory tab, select the Log Type pull-
down menu to view the different log message types. Select each log type one
at a time and check the Memory tab for the test messages.


Exercise 3 Exploring the FortiAnalyzer Interface

1 Connect to the FortiAnalyzer device Web Config by typing the following
address in a web browser:
https://209.87.230.134
Accept the self-signed certificate messages when they are displayed.
Log in with the username student and the password fortinet.
After a successful login, the FortiAnalyzer Dashboard displays.
2 From the FortiAnalyzer Web Config, go to Log > Browse. On the Log Browser
tab, expand No Group and expand the FortiGate device name to verify that log
messages are being received by the FortiAnalyzer unit. FortiGate device
names are configured as HostName_SerialNumber.
3 Expand a traffic category and the name of the log file will display. Click Display
to display the log file.
The log message view is pre-formatted to show selected items in columns. The
messages are color-coded according to severity level.
4 Explore the log message display features in the Log Browser. To show the
original unformatted log message that was sent by the FortiGate unit, click
Raw in the Log Browser window. To change the log type, click the change link
to modify the log view selection.
5 Go to Log > Log Viewer. Click the Historical tab.
Select the device name from the Devices drop-down menu. Select the log
type.
Click OK.
From this window you can specify the number of entries to display on a page,
manage column settings, and display information in its original unformatted
state.
6 Log out of the FortiAnalyzer device.


Exercise 4 Configuring Email Alerts


In this exercise, you will configure the FortiGate unit to send alert mail to a test
mail account. This exercise can only be completed if you have an online
email account with which you can test.

1 In Web Config on the FortiGate unit, go to Log&Report > Log Config. Select
the Alert E-mail tab and use the following settings to complete the Alert E-mail
configuration:

SMTP server <Your online email account server name or IP>
Email from <Your email address>
Email to <Your email address>
Authentication Set to enable if your server requires authentication.
SMTP user <Your email address>
Password <Your email account password>
Interval Time 1 minute
Send alert mail for the following Intrusion and Virus detected

Click Apply to save the settings.


2 Click Test Connectivity. Test messages will be sent to the email account.
3 Open an email client application and confirm that the test messages have
been received.

Alert emails can be sent based on selected event categories or simply on a log
message threshold level. If a threshold level is used, the CLI contains
additional interval hold-off timers for log levels above the selected threshold
level.
Check the following CLI commands for the Alert E-mail configuration:
show system alertemail
show alertemail setting

Note: If the FortiGate unit collects more than one log message before an interval is
reached, it combines the messages and sends out one alert email.


Exercise 5 SNMP Set-up (Optional)


You enable SNMPv1 and SNMPv2c on the FortiGate unit to permit monitoring and
statistics-gathering by a remote SNMP server. This is not used in the lab
scenario but this exercise provides the basic configuration steps for SNMP
setup on the FortiGate device.

1 Go to System > Config. On the SNMP v1/v2c tab, enable SNMP Agent. Enter a
description and location. For contact, use your online email address. Click
Apply to save the changes.
2 Click Create New to add a new community called 201 training. Accept the
default settings and click OK.
• SNMP connections can be restricted to certain IP addresses with the Hosts
setting.
• Either SNMP v1 or v2c queries and traps can be enabled separately with
default or customized ports.
• SNMP trap selection can be selected.
3 Enable SNMP access on the interfaces facing the network management
station by typing the following commands in the CLI:
config system interface
edit internal
set allowaccess ping http https ssh snmp
next
end
4 View the CLI configuration for the SNMP settings:
show (full-configuration) system snmp sysinfo
show (full-configuration) system snmp community 1
Note that the CPU, memory, and hard-disk trap thresholds can be set in the
CLI.
5 Locate the FortiGate MIB and Trap file and open the MIB file with a simple text
editor to view the contents.

Note: The FortiGate MIB file is available from the Fortinet Technical Support web site
at https://support.fortinet.com. A registered login ID is required for access.

Use of an SNMP MIB view application is beyond the scope of this course. If one
is available and configured, try to access the FortiGate unit with SNMP and
view some MIB objects. You must enable SNMP administrative access on the
FortiGate interface.
The following applications can be downloaded for testing purposes:
Getif (http://www.wtcs.org/snmp4tpc/getif.htm)
AdRem SNMP Manager (http://www.adremsoft.com/snmpman)


Lab 4 Firewall Policies


Tasks
In this lab, you will complete the following tasks:
Exercise 1 Creating Firewall Policy Objects
Exercise 2 Configuring Firewall Policies
Exercise 3 Testing Firewall Policies
Exercise 4 Configuring Virtual IP Access
Exercise 5 Debug Flow

Exercise 1 Creating Firewall Policy Objects


In this exercise, you will create the firewall policy objects needed to configure
firewall policies.
The general access scenario in this exercise requires the following:

Connectivity wan1: Internet


Source Interface internal
Source Addresses 192.168.1.0/24
Service Types web application
Schedule 8 a.m.- 8 p.m. (Internet only)
Content Inspection std-pp

You will use these parameter objects when you create firewall policies to restrict
the source address to the Internal subnet and the traffic types to HTTP, HTTPS,
and DNS. You will configure a recurring schedule that enables a firewall policy
only during standard office hours.
Content Inspection will be configured in a protection profile. In this lab, the std-pp
protection profile will be used as a place holder. In subsequent labs, the protection
profile will be expanded to suit other scenarios.


1 Create an address object for the internal subnet IP range.
In Web Config, go to Firewall > Address. On the Address tab, click Create
New. Use the settings below to configure the new address object:

Address Name all-dept
Type Subnet/IP Range
Subnet/IP Range 192.168.1.0/24
Interface Any

Click OK to save.
2 Perform the step below to create a new service group. Service groups can be
used to simplify the firewall policy creation process.
Go to Firewall > Service. On the Group tab, click Create New and add a group
called web with the services shown below.
To select the services for the web group, use the arrows (→ or ←) to move
them between the Available Services and Members lists:

Group Name Members


web DNS, HTTP, HTTPS, PING

Click OK to save the change.

Note: By default, SOHO models provide a DNS forwarding server on the Internal
interface. You can view the DNS forwarder configuration in System > Network >
Options.

3 Go to Firewall > Schedule. On the Recurring tab, click Create New to create a
new recurring schedule.
Use the following parameters:

Name office_hours
Day Monday to Friday
Start Hour: 08
Minute: 00
Stop Hour: 20
Minute: 00

Click OK.

Note: When using schedules, make sure that the system time is at the correct local
setting. From the CLI type the exec time command or click System > Status in Web
Config and view the System Information area.


4 In this step you will create a new protection profile called std-pp for the
standard department access policies. This will be a placeholder for now; you
will create the new policy but will not modify the settings until a later lab.
Go to Firewall > Protection Profile. On the Protection Profile tab, click Create
New and enter std-pp as the profile name. Type an optional descriptive
comment and click OK.
5 To see the CLI configuration for previous steps, type the following CLI
commands:

Address objects show firewall address
Service Groups show firewall service group
Recurring Schedule show firewall schedule recurring office_hours
Protection Profile show firewall profile std-pp


Exercise 2 Configuring Firewall Policies


In this exercise, you will configure various firewall policies using the parameter
objects created in the previous exercise.
When creating firewall policies, keep in mind that the FortiGate device is a stateful
firewall; therefore, a firewall policy only needs to be created for the direction of the
originating traffic.
1 Go to Firewall > Policy. On the Policy tab, expand the internal→wan1
interface list. For the default policy, click Edit to view the factory settings.
Click Cancel to return to the Policy tab.
2 Disable this unrestricted policy by unchecking the internal→wan1 policy in the
Status column.

Note: It is useful to keep the default internal→wan1 policy available for testing
purposes since it will allow all traffic types from any address to any address to pass
through the FortiGate device.

3 Create a new firewall policy that will be used to provide general Internet
access.
On the Policy tab, click Create New and configure the following settings:

Source Interface / Zone internal
Source Address all-dept
Destination Interface / Zone wan1
Destination Address all
Schedule office_hours
Service web
Action ACCEPT
NAT Enable
Protection Profile Enable and select std-pp
Log Allowed Traffic Enable
Comments General Internet access

Click OK after entering all the parameters.

This new internal→wan1 policy will be identified on the Policy tab with the
values of all-dept / all / office_hours / web / std-pp / ACCEPT.


4 Create a policy for an IP range used by a specific group of users, in this
scenario, the support department. You will create these new firewall objects
on-the-fly using the Web Config firewall policy helpers (see the objects that
have [Create New...] in the description).
On the Policy tab, click Create New to create the support department Internet
access policy using the following settings:

Source Interface / Zone internal
Source Address Select [Create New...]
Address Name: support-dept
Type: Subnet/IP Range
Subnet/IP Range: 192.168.1.110-192.168.1.210
Interface: Any
Destination Interface / Zone wan1
Destination Address all
Schedule office_hours
Service web
Action ACCEPT
NAT Enable
Protection Profile Enable and select [Create New...]
Profile Name: support-pp
Log Allowed Traffic Enable
Comments Support Internet access

Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of support-dept / all / office_hours / web / support-pp / ACCEPT.

5 Click Move To to place this new internal→wan1 policy above the
general Internet access policy (all-dept / all / office_hours / web / std-pp /
ACCEPT).
In the Move Policy window, click Before and type the Policy ID of the (all-dept
/ all / office_hours / web / std-pp / ACCEPT) policy and click OK.


6 Create a policy allowing Internet access during a specific time period using the
settings below:

Source Interface / Zone internal
Source Address support-dept
Destination Interface / Zone wan1
Destination Address all
Schedule Under Recurring, click [Create New...]
Name: lunch_time
Day: Mon-Fri
Start Hour: 11 Minute: 45
Stop Hour: 13 Minute: 15
Service web
Action ACCEPT
NAT Enable
Protection Profile std-pp
Log Allowed Traffic Enable
Comments Support lunch-time Internet access

Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of support-dept / all / lunch_time / web / std-pp / ACCEPT.

7 Use the Move To icon to insert this new internal→wan1 policy above the
previous policy that was created for office hours web access (support-dept /
all / office_hours / web / support-pp / ACCEPT).
The firewall policy ordering should appear as follows:

[Figure: internal→wan1 policy list, top to bottom: support-dept / all / lunch_time / web / std-pp / ACCEPT; support-dept / all / office_hours / web / support-pp / ACCEPT; all-dept / all / office_hours / web / std-pp / ACCEPT.]


8 View the CLI configuration for the firewall policies created above:
show firewall policy
View the CLI configuration for a single firewall policy:
show firewall policy <ID>
Obtain the ID number of the policy from the show firewall policy output
used above.

Important Points For Firewall Policy Configuration


Policies are organized according to the direction of traffic from the originator of
a request to the receiver of the request. Return traffic is automatically allowed
back through due to the stateful nature of the FortiGate device.
Policies are matched to traffic in the order they appear in the policy list rather
than by ID number.
Policies should go from most exclusive to most inclusive so that the proper
policies are matched. Matching is done over Source, Destination, Schedule,
and Service settings.
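To make the ordering rule concrete, here is a small first-match policy evaluator, written as an added example for this lab; it is not FortiGate code and does not model the FortiOS engine. It encodes the address objects, the web service group and the office_hours and lunch_time schedules from Exercise 1, plus the internal→wan1 list in the order the lab leaves it. The policy IDs and the destination address 203.0.113.10 are assumed values, not taken from the lab. The function first_match_is_order_sensitive shows the same support-dept packet landing on a different policy, and therefore a different protection profile, once the general all-dept policy is moved to the top of the list.

```python
"""First-match evaluation of the internal->wan1 policy list built in this lab.
Added illustration only: this is not FortiGate code and FortiOS does much more
(session table, NAT, content inspection); it isolates the ordering rule."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network, summarize_address_range

# Address objects from Exercise 1 plus the built-in "all".
ADDRESSES = {
    "all": [ip_network("0.0.0.0/0")],
    "all-dept": [ip_network("192.168.1.0/24")],
    "support-dept": list(summarize_address_range(
        ip_address("192.168.1.110"), ip_address("192.168.1.210"))),
}

# Service objects: the "web" group (DNS, HTTP, HTTPS, PING) and the built-in ANY.
# Entries are (protocol, destination port); a port of None matches any port.
SERVICES = {
    "web": {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443), ("icmp", None)},
    "ANY": None,
}

# Recurring schedules as (weekdays, start, stop); Monday is weekday 0.
SCHEDULES = {
    "always": None,
    "office_hours": (range(0, 5), time(8, 0), time(20, 0)),
    "lunch_time": (range(0, 5), time(11, 45), time(13, 15)),
}


@dataclass(frozen=True)
class Policy:
    id: int            # assumed IDs; the lab text does not state the real ones
    src: str
    dst: str
    schedule: str
    service: str
    action: str
    profile: str = ""


# The internal->wan1 list, top to bottom, as the lab leaves it after Exercise 3.
LAB_POLICIES = [
    Policy(5, "support-dept", "all", "lunch_time", "web", "ACCEPT", "std-pp"),
    Policy(4, "support-dept", "all", "office_hours", "web", "ACCEPT", "support-pp"),
    Policy(2, "all-dept", "all", "office_hours", "web", "ACCEPT", "std-pp"),
    Policy(6, "all", "all", "always", "ANY", "DENY"),
]


def _addr_match(name, addr):
    return any(addr in net for net in ADDRESSES[name])


def _service_match(name, proto, port):
    allowed = SERVICES[name]
    return allowed is None or (proto, port) in allowed or (proto, None) in allowed


def _schedule_active(name, when):
    rule = SCHEDULES[name]
    if rule is None:
        return True
    days, start, stop = rule
    return when.weekday() in days and start <= when.time() < stop


def match_policy(src, dst, proto, port, when, policies=LAB_POLICIES):
    """Return the first policy, in list order (not ID order), that matches an
    originating packet, or None if the list is exhausted.  `when` is a
    "YYYY-MM-DD HH:MM" string.  Only the originating direction is checked:
    the stateful session lets the reply back without a second policy."""
    s, d = ip_address(src), ip_address(dst)
    t = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for p in policies:
        if (_addr_match(p.src, s) and _addr_match(p.dst, d)
                and _service_match(p.service, proto, port)
                and _schedule_active(p.schedule, t)):
            return p
    return None


def first_match_is_order_sensitive():
    """Same packet, two list orders: with the narrower support-dept policy on
    top it gets support-pp; with the general all-dept policy moved to the top
    it silently gets std-pp instead.  Returns (id, profile) for both orders."""
    # Constructed packet: a support PC browsing on a Wednesday afternoon.
    packet = ("192.168.1.150", "203.0.113.10", "tcp", 80, "2009-03-04 14:00")
    good = match_policy(*packet)
    reordered = [LAB_POLICIES[2]] + LAB_POLICIES[:2] + LAB_POLICIES[3:]
    bad = match_policy(*packet, policies=reordered)
    return good.id, good.profile, bad.id, bad.profile


if __name__ == "__main__":
    print(first_match_is_order_sensitive())  # (4, 'support-pp', 2, 'std-pp')
```

A packet that reaches the end of the list without matching an ACCEPT policy lands on the explicit DENY at the bottom, which is exactly what the auditing policy in Exercise 3 logs; outside office hours or on a non-web port every internal→wan1 packet ends up there.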


Exercise 3 Testing Firewall Policies


In this exercise, you will test some of the new firewall policies and track sessions.
To complete the firewall list, you will add an explicit DENY policy for auditing
purposes to periodically monitor unauthorized traffic that does not match the other
firewall policies.

1 In Web Config, create new DENY firewall policies that will be used to monitor
illegal traffic.
Go to Firewall > Policy. On the Policy tab, click Create New. Use the following
settings:
Source Interface / Zone internal
Source Address Name all
Destination Interface / Zone wan1
Destination Address Name all
Schedule always
Service ANY
Action DENY
Log Violation Traffic Enable
Comment Monitor illegal traffic
Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of all / all / always / ANY / / DENY.

Ensure that the DENY policy appears at the bottom of the internal→wan1
policy list.

Note: A firewall policy with traffic logging enabled for ANY (unrestricted) service types
must be used with caution as a significant number of logging messages can be
generated which can impose an unexpected processing load on the FortiGate unit. This
may in turn affect overall throughput and performance of the FortiGate device. Only use
this type of policy for auditing purposes for limited periods of time.

Test the Web Access Policies


2 Open a web browser and browse to a valid web site.
3 Go to System > Status. In the Top Sessions pane, click the Details link to view
the session details to verify which firewall policy was used. If this pane is not
visible, click Add Content > Top Sessions. Look for the PC address and HTTP
port (TCP/80), then check the policy ID column. You may need to click the
Refresh icon; the higher numbers in the list represent newer sessions. Use the
column filters to reduce the number of session entries displayed to TCP only.

Note: Be mindful of testing the firewall policy schedule outside of the specified hours.


Test the Firewall Policies to Log Unauthorized Traffic


4 Browse to the Fortinet web site on port 8080. For example:
http://www.fortinet.com:8080
5 At a DOS command prompt, type the following Telnet command to attempt a
connection to a sample server:
telnet 192.168.11.99 1234

Note: Microsoft Vista no longer has Telnet by default.

6 Check the traffic log at Log&Report > Log Access. Select the Remote tab and
set Log Type to Traffic Log to see evidence of the FortiGate action.
Look for 8080/TCP sessions with Sent and Received bytes equal to 0.
7 Click Column Settings. Add the Detailed Information column and note the
subtype, policyid, and status fields in the log messages.

Disable the DENY Policy


8 **IMPORTANT** Before proceeding to the next lab, go to Firewall > Policy and
disable the DENY policy by unchecking the policy in the Status column of the
firewall policy list.
Deny policies should only be used for periodic traffic auditing purposes.


Exercise 4 Configuring Virtual IP Access


In this exercise, you will create a virtual IP that uses port forwarding to make the
Fortinet web server appear as if it was on the local subnet and not on a non-
standard port.

1 Create a web server virtual IP with port mapping.
Go to Firewall > Virtual IP. On the Virtual IP tab, click Create New and
configure the virtual IP settings below.
Use nslookup to verify the address for www.fortinet.com.

Name special-web
External Interface internal
Type Static NAT
External IP Address 192.168.1.209
Mapped IP Address 208.70.202.225 (for example)
Port Forwarding Enable
Protocol TCP
External Service Port 8088
Map to Port 80

Click OK to save the changes.


2 To view the VIP settings through the CLI, enter the following command:
show firewall vip
3 Add a new firewall policy to provide a guest PC access to the web server with
the following settings in Web Config:

Source Interface / Zone internal
Source Address Name all-dept
Destination Interface / Zone wan1
Destination Address Name special-web
Schedule office_hours
Service ANY
Action ACCEPT
NAT Enable
Protection Profile Enable and select support-pp
Log Allowed Traffic Enable
Comment Guest PC access to web server

Note: The Service setting for this policy is ANY. Due to the VIP port mapping, only the
configured ports will be allowed so it is unnecessary to further restrict traffic with the
Service setting.

Click OK.
This new internal→wan1 policy will be identified on the Policy tab as all-dept /
special-web / office_hours / ANY / support-pp / ACCEPT.


4 Position this policy at the top of the internal→wan1 list as it has a narrower
scope compared to the other policies.

Note: This guest PC would need to be further secured by limiting the user
access to only the web browser and removing administrative access and the
ability to run other programs. These additional measures are operating-system
dependent.

5 In a new web browser window, access the following URL:
http://192.168.1.209:8088
6 If the special-web virtual IP is working, the Fortinet web page displays.
7 Try to access the following URL using the regular HTTP port of 80:
http://192.168.1.209
There should be no response.
8 To view the source and destination NAT mappings, enter the following CLI
command:
get system session list


Exercise 5 Debug Flow


In this exercise, you will clear the session table and use debug flow commands
to trace the establishment of a new HTTP session.

1 From the CLI, execute the command diag sys session clear. If you are
connecting using SSH or Telnet, you will be required to log in again.
2 Execute the CLI commands shown below to configure the Debug Flow to trace
the route selection and session establishment for an HTTP connection to
www.fortinet.com. Use nslookup to confirm the address for
www.fortinet.com.

Enter the following commands:

diag debug enable
diag debug flow filter addr 203.160.224.97
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100

3 From a web browser connect to http://www.fortinet.com. Observe the
Debug Flow trace. Depending on the FortiGate model being used, the output
displayed may vary slightly.

SYN packet received.
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

SYN sent and a new session is allocated.
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"

Lookup for next-hop gateway address.
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"

Source NAT, lookup next available port.
id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"

Matched firewall policy. Check to see which policy this session matches.
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"

Apply source NAT.
id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

SYN ACK received.
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Found existing session ID. Identified as the reply direction.
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action.
id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Lookup for next-hop gateway address for reply traffic.
id=20085 trace_id=210 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.3.221 via port5"

ACK received.
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction.
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT.
id=20085 trace_id=211 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from client.
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction.
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT.
id=20085 trace_id=212 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from server.
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Match existing session in reply direction.
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action.
id=20085 trace_id=213 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

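The trace above is verbose because every function along the packet path prints a record. As an added example (not Fortinet code), the following Python parser groups the records by trace_id, re-joins records the console wrapped across lines, and extracts the session id, direction, matched policy, NAT translation and next hop for each packet. The function nat_is_symmetric then checks the point the trace illustrates: the DNAT applied in the reply direction is the exact inverse of the SNAT applied in the original direction. The embedded sample is a constructed copy of the records shown in this exercise, with two of them wrapped the way the console wraps them.

```python
"""Parser for FortiGate "diag debug flow" records, added as an example for this
exercise (not Fortinet code).  It reduces the per-function records to one
summary per packet (trace_id) and checks that the DNAT applied to reply packets
exactly undoes the SNAT applied to the originating packets."""
import re
from collections import OrderedDict

RECORD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value; msg is quoted
PACKET_RE = re.compile(r'received a packet\(proto=(\d+),\s*'
                       r'([\d.]+:\d+)->([\d.]+:\d+)\) from (\w+)\.')
NEW_SESSION_RE = re.compile(r'allocate a new session-([0-9a-f]+)')
OLD_SESSION_RE = re.compile(r'existing session, id-([0-9a-f]+), (original|reply) direction')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
NAT_RE = re.compile(r'^(SNAT|DNAT) (\S+)->(\S+)$')
ROUTE_RE = re.compile(r'find a route: gw-([\d.]+) via (\w+)')


def parse_records(text):
    """Yield one dict per record.  The console wraps long records over several
    lines, so a line that does not start with 'id=' is glued to the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("id=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    for rec in records:
        fields = {k: v.strip('"') for k, v in RECORD_RE.findall(rec)}
        fields["trace_id"] = int(fields["trace_id"])
        yield fields


def summarize(text):
    """Return {trace_id: summary}: packet tuple, inbound interface, session id,
    direction, matched policy, NAT translation and next hop for each packet."""
    packets = OrderedDict()
    for rec in parse_records(text):
        pkt = packets.setdefault(rec["trace_id"], {})
        msg = rec.get("msg", "")
        m = PACKET_RE.search(msg)
        if m:
            pkt.update(proto=int(m.group(1)), src=m.group(2), dst=m.group(3), iface=m.group(4))
            continue
        m = NEW_SESSION_RE.search(msg)
        if m:
            pkt.update(session=m.group(1), direction="original")
            continue
        m = OLD_SESSION_RE.search(msg)
        if m:
            pkt.update(session=m.group(1), direction=m.group(2))
            continue
        m = POLICY_RE.search(msg)
        if m:
            pkt["policy"] = int(m.group(1))
            continue
        m = NAT_RE.match(msg)
        if m:
            pkt["nat"] = (m.group(1), m.group(2), m.group(3))   # (kind, before, after)
            continue
        m = ROUTE_RE.search(msg)
        if m:
            pkt["gateway"] = (m.group(1), m.group(2))
    return packets


def nat_is_symmetric(packets):
    """True when, per session, every reply packet's DNAT b:p->a:q undoes the
    originating packets' SNAT a->b:p, where a:q is the original source."""
    snat = {}
    for pkt in packets.values():
        if pkt.get("direction") == "original" and pkt.get("nat", ("",))[0] == "SNAT":
            snat[pkt["session"]] = (pkt["src"], pkt["nat"][2])      # (a:q, b:p)
    for pkt in packets.values():
        if pkt.get("direction") == "reply":
            kind, before, after = pkt.get("nat", (None, None, None))
            orig_src, translated = snat.get(pkt.get("session"), (None, None))
            if kind != "DNAT" or before != translated or after != orig_src:
                return False
    return True


# Constructed sample: the records from this exercise (packets 209, 210 and 213),
# two of them wrapped the way the console wraps them.
SAMPLE_TRACE = """\
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"
id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=209 func=__ip_session_run_tuple
line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"
id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"
id=20085 trace_id=210 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.3.221 via port5"
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply
direction"
id=20085 trace_id=213 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"
"""

if __name__ == "__main__":
    for tid, pkt in summarize(SAMPLE_TRACE).items():
        print(tid, pkt)
```

Run against a real capture, the per-packet summary makes it easy to spot the common failure modes this exercise is meant to teach: a packet that never reaches "Allowed by Policy" (no matching policy, so it fell through to a deny), a route lookup to the wrong gateway, or reply packets whose DNAT does not undo the original SNAT.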

Lab 5 SSL and IPSec VPN


Tasks
In this lab, you will complete the following tasks:
Configuring SSL VPN for Full Access (Web Portal and Tunnel Mode)
Configuring a Basic Gateway-to-Gateway VPN

Exercise 1 Configuring SSL VPN for Full Access (Web Portal and Tunnel Mode)

In this exercise, you will configure an SSL VPN to allow both web portal access
and tunnel mode access to public web sites. You will create an SSL VPN on the
internal network interface and configure policies to allow traffic to the Internet from
the SSL VPN gateway.

Configuring the SSL VPN


1 Enable the SSL VPN service. Go to VPN > SSL. On the Config tab, configure
the following settings:

Enable SSL-VPN enable
Tunnel IP Range 172.16.1.1-172.16.1.1

Leave all the other settings at default.
Click Apply.
2 Configure authentication for an internal user to access the SSL VPN gateway
service. Go to User > Local and click Create New. Add a new user with the
User Name testssl and Password 123456.
Click OK.


3 Create a new user group and include the new local user in it. Go to User >
User Group and click Create New. Configure the following settings:

Name sslvpn
Type SSL VPN
Members testssl
Portal full-access

Click OK.
4 Create a new firewall policy to allow access to the SSL VPN and authenticate
the user. Go to Firewall > Policy. Click Create New and configure the following
settings:

Source Interface        internal
Source Address          all
Destination Interface   wan1
Destination Address     all
Service                 ANY
Action                  SSL-VPN
NAT                     enable

5 Click ADD and configure the following settings:

User Authentication Method   Local
Available User Groups        move sslvpn to Selected User Groups
Schedule                     always

6 Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of all / all / always / ANY // SSL-VPN.
7 Move this policy to the top of the internal→wan1 policy list.

Testing the SSL VPN connection


8 Connect to the SSL VPN gateway on the internal interface by typing the
following address in the web browser:
https://192.168.1.99:10443/
Click Yes to the first-time Security Alert. The default address is the internal IP
address and port 10443.

Note: By default, the SSL VPN gateway listens on port 10443. In an actual deployment,
use port 443, as this port is typically open on firewalls, allowing easy remote access
using SSL. This can be changed by going to System > Admin > Settings and changing
the Web Admin HTTPS service from 443 to a different port number (for example, 8443).
Then, change the SSL VPN login port from 10443 to 443.

9 When prompted, log in as the testssl user with the password 123456. On
successful authentication you are logged in to the SSL web portal.


If the connection fails, check the following:


• The user testssl is in the sslvpn user group.
• The sslvpn user group is associated with the internal→wan1 SSL VPN policy.
• The SSL VPN policy is at the top of the policy list for internal→wan1.
Re-enter the password in User > Local configuration if the connection still fails.

Creating Bookmarks
10 On the portal page, create a new bookmark to a public site on the Internet.
Click the Add button to add the following bookmark:

Name          Fortinet
Type          HTTP/HTTPS
Location      http://www.fortinet.com
Description   Optional

Click OK.
11 Click the newly created bookmark in the Bookmarks widget. A new window
displays the selected web site.
Note the URL of the web site in the web browser address bar:
https://192.168.1.99:10443/proxy/http/www.fortinet.com
The first part of the address, https://192.168.1.99:10443, is the
encrypted link to the FortiGate SSL VPN gateway.
The second part of the address, /proxy/http, is the instruction to use the
SSL VPN HTTP proxy.
The final part of the address, /www.fortinet.com, is the destination of the
connection from the HTTP proxy.
In this example, the connection is encrypted up to the SSL VPN gateway. The
connection to the final destination from the HTTP proxy is unencrypted.

Testing the SSL VPN Tunnel


12 Examine the PC's current routing table by typing the following command from a
DOS command prompt:
route print
Note that the current default gateway is 192.168.1.99.

Active Routes:
Network Destination    Netmask    Gateway         Interface        Metric
0.0.0.0                0.0.0.0    192.168.1.99    192.168.1.xxx    10

13 If this is the first time the SSL VPN tunnel is being used on the PC, install the
plug-in for the browser. Click the link that appears in the Tunnel Mode widget.
Make sure that the SSL VPN gateway address, https://192.168.1.99, is
listed in the web browser as a trusted site for the installation of the plug-in.
14 Click the Connect button. When the tunnel is active, the local interface fortissl
will be listed as UP. Look again at the routing table through the DOS prompt
and note that the default gateway is now 172.16.1.1, which is the local
tunnel endpoint. Because split tunnelling is not enabled, a default route is
displayed for the tunnel interface.

Note: Split tunneling is a computer networking concept which allows a VPN
user to access a public network, for example, the Internet, and a local LAN or
WAN at the same time, using the same physical network connection. This
connection service is usually facilitated through a program such as a VPN
client software application.

For example, suppose a user connected to a corporate network using a
remote access VPN software client and a hotel wireless network. The user
with split tunneling enabled is able to connect to file servers, database servers,
mail servers, and other servers on the corporate network through the VPN
connection. In contrast, when the user connects to Internet resources, for
example, web sites and FTP sites, the connection request doesn't go through
the VPN link but rather through the wireless connection and out the gateway
provided by the hotel network.

15 Connect to the www.fortiguardcenter.com web site in a new browser
window without being connected through Tunnel Mode.
Note that the connection fails when tunnel mode is active.
In addition to the SSL VPN policy, additional objects must be created to allow
access from the ssl.root interface, which is the source of all SSL VPN tunnel
traffic.
16 Reconnect to the FortiGuard Center. You may need to clear the web browser's
cache.
17 To observe the cause of the configuration problem, connect to the CLI and run
the packet sniffer command with the following filter, and observe the output while
trying to load the web page:
diag sniffer packet any "port 80" 4
If DNS forwarding is not used on the FortiGate and DNS queries are forwarded
from the PC to external DNS servers, test using the server's IP address. Use
the nslookup command to get the IP address of the server before testing in
this case.

TCP SYN packets should be observed incoming on the ssl.root interface. The
ssl.root interface represents the clients from the SSL VPN tunnel. To allow
these packets, this session must be accepted by creating a policy from the
ssl.root interface to the wan1 interface. A route back to the SSL VPN client
must also be defined, both to satisfy the reverse path forwarding (RPF) check and
to allow new sessions to be established.
18 Log out of the SSL VPN by clicking Logout in the upper right corner of the
window.


19 Create a static route for the SSL VPN tunnel client IP. Go to Router > Static >
Static Route and click Create New. Configure the following settings:

Destination IP/Mask   172.16.1.0/24
Device                ssl.root

Leave the remaining default settings and click OK.
20 Create a new firewall policy from the ssl.root interface, this time using a regular
Accept action.

Source Interface        ssl.root
Source Address          all
Destination Interface   wan1
Destination Address     all
Schedule                always
Service                 ANY
Action                  Accept
NAT                     enable

Click OK.
This new ssl.root→wan1 policy will be identified on the Policy tab with the
values of all / all / always / ANY // ACCEPT.
21 Log back into the SSL VPN gateway and activate the SSL VPN tunnel by
clicking Connect. From the DOS prompt, confirm that the default route is now
the tunnel endpoint (172.16.1.1).
22 Connect directly to www.fortiguardcenter.com through the web browser
once again. The connection should be successful.
23 Run the packet sniffer command again to verify that the traffic from the ssl.root
interface is now permitted.
24 Before continuing, disable the two policies created in this exercise:
• internal→wan1: all / all / always / ANY // SSL-VPN
• ssl.root→wan1: all / all / always / ANY // ACCEPT
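The failure that step 17 diagnoses, and the two fixes in steps 19 and 20, worked through as an added Python example that is not part of the course material: a small model of the forwarding decision for a tunnel client packet arriving on ssl.root, with a strict reverse-path check followed by first-match policy lookup. The default route, the public destination address and the strict RPF behaviour are assumptions; the interface names, tunnel address and policies come from the exercise.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dest: str      # destination prefix, e.g. "172.16.1.0/24"
    device: str    # outgoing interface


@dataclass
class Policy:
    src_intf: str
    dst_intf: str
    action: str    # "ACCEPT", "SSL-VPN" or "DENY"


def lookup_route(routes, ip):
    """Longest-prefix match over the routing table; None when nothing matches."""
    best = None
    for r in routes:
        net = ip_network(r.dest)
        if ip_address(ip) in net and (best is None or net.prefixlen > ip_network(best.dest).prefixlen):
            best = r
    return best


def rpf_check(routes, src_ip, ingress_intf):
    """Strict reverse-path check (assumed): the route back to the source must use the ingress interface."""
    back = lookup_route(routes, src_ip)
    return back is not None and back.device == ingress_intf


def first_match(policies, src_intf, dst_intf):
    """Policies are evaluated top-down; the first interface-pair match wins."""
    for p in policies:
        if p.src_intf == src_intf and p.dst_intf == dst_intf:
            return p
    return None


def forward_decision(routes, policies, src_ip, dst_ip, ingress_intf):
    """Return a short verdict string for one packet."""
    if not rpf_check(routes, src_ip, ingress_intf):
        return "drop: reverse path check failed"
    egress = lookup_route(routes, dst_ip)
    if egress is None:
        return "drop: no route to destination"
    pol = first_match(policies, ingress_intf, egress.device)
    if pol is None or pol.action != "ACCEPT":
        return f"drop: no ACCEPT policy {ingress_intf}->{egress.device}"
    return f"accept: forwarded out {egress.device}"


# Lab values: tunnel client address 172.16.1.1, tunnel interface ssl.root.
# The default route and the public destination address are constructed.
CLIENT = "172.16.1.1"
PUBLIC_DST = "203.0.113.10"
DEFAULT_ROUTE = Route("0.0.0.0/0", "wan1")
TUNNEL_ROUTE = Route("172.16.1.0/24", "ssl.root")       # added in step 19
SSLVPN_POLICY = Policy("internal", "wan1", "SSL-VPN")   # created in step 4
TUNNEL_POLICY = Policy("ssl.root", "wan1", "ACCEPT")    # added in step 20


def lab_walkthrough():
    """Forwarding decision for the tunnel client at each stage of the exercise."""
    stages = {
        "step 15 (no route, no policy)": ([DEFAULT_ROUTE], [SSLVPN_POLICY]),
        "after step 19 (route only)": ([DEFAULT_ROUTE, TUNNEL_ROUTE], [SSLVPN_POLICY]),
        "after step 20 (route and policy)": ([DEFAULT_ROUTE, TUNNEL_ROUTE], [SSLVPN_POLICY, TUNNEL_POLICY]),
    }
    return {name: forward_decision(r, p, CLIENT, PUBLIC_DST, "ssl.root")
            for name, (r, p) in stages.items()}


if __name__ == "__main__":
    for stage, verdict in lab_walkthrough().items():
        print(f"{stage}: {verdict}")
```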


Exercise 2 Configuring a Basic Gateway-to-Gateway VPN


In this exercise, you will set up a basic gateway-to-gateway IPSec VPN between
the local FortiGate and a FortiGate hosted in a Fortinet remote lab. This
connection will provide secured access for users connecting across the Internet to
a server in another location.

Network diagram: student computer 192.168.1.110/24 and FortiGate internal interface 192.168.1.99/24 on the internal subnet; remote FortiGate 209.87.230.135 and web server 192.168.3.1/24 on the external subnet.

Creating Firewall Addresses


In the following steps, you will create address objects for the internal and
remote subnets. You will use the objects later to configure the firewall policies.
1 Log in to Web Config as admin with the password fortinet.
2 Go to Firewall > Address. Click Create New and configure the following
address objects:

Name        internal_subnet
Type        Subnet/IP Range
Subnet      192.168.1.0/24
Interface   internal

Click OK.
3 Click Create New again and create a second address object as follows:

Name        remote_subnet
Type        Subnet/IP Range
Subnet      192.168.3.0/24
Interface   wan1

Click OK.


Configuring Phase 1 Parameters


The phase 1 parameters define the ends of the IPSec tunnel and are used to
authenticate the parties involved in the IPSec transaction and to set up a secure
channel between the computers to enable the key exchange.
4 Go to VPN > IPsec > AutoKey (IKE). Click Create Phase 1 and configure the
following settings:

Name                    site2site_p1
Remote Gateway          Static IP Address
IP Address              209.87.230.135
Local Interface         wan1
Mode                    Aggressive
Authentication Method   Preshared Key
Preshared Key           123456
All Other Settings      default

Click Advanced and check Enable IPsec Interface Mode. Click OK.

Configuring Phase 2 Parameters


The phase 2 parameters are used to negotiate the IPSec security associations to
set up the IPSec tunnel.
5 Click Create Phase 2 and configure the following settings:

Name      site2site_p2
Phase 1   site2site_p1

Click Advanced and set the following under Quick Mode Selector:

Source Address        192.168.1.0/24
Destination Address   192.168.3.0/24

Leave the other defaults as is.
Click OK.
6 Create a new route by going to the Router > Static > Static Route tab.
7 Click Create New to open the New Static Route window and set the following:

Destination IP/Mask   192.168.3.0/24
Device                site2site_p1
Distance              10 (default)

Click OK.


Configuring Firewall Policies


8 Go to Firewall > Policy. Click Create New and configure the following settings:

Source Interface/Zone        internal
Source Address               internal_subnet
Destination Interface/Zone   site2site_p1
Destination Address          remote_subnet
Service                      ANY
Action                       Accept
NAT                          enable
Protection Profile           support-pp

Click OK.
This new internal→site2site_p1 policy will be identified on the Policy tab with the
values of internal_subnet / remote_subnet / always / ANY / support-pp /
ENCRYPT.
9 Create another policy with these settings:

Source Interface/Zone        site2site_p1
Source Address               remote_subnet
Destination Interface/Zone   internal
Destination Address          internal_subnet
Service                      ANY
Action                       Accept
NAT                          enable
Protection Profile           support-pp

Click OK.


Testing VPN Connectivity


The remote FortiGate is protecting a web server at an external location. This web
server is hosting a sample page that will help illustrate that a secure IPSec
connection has been made.
10 In a web browser, type the following address to access the test page:
http://192.168.3.1
The Training Test Server page should display if the secure IPSec connection to
the test server has been created.

Display Information About the IPSec VPN Connection


You can view basic information about the IPSec connection from the IPsec tab in
Web Config.
11 Go to User > Monitor > IPsec.
Note the information regarding the connection, such as:
• Phase 1 name
• Type of IPSec connection
• Remote gateway IP address
• Remote port
• Source and destination proxy IDs (if used)
• Tunnel status (the tunnel can be enabled or disabled from this field)
12 You can view additional information from the CLI by typing the following
command:
diagnose vpn tunnel list


Displayed information includes:
• Phase 1 name and remote gateway
• IPSec traffic statistics in packets and bytes
• Dead Peer Detection and NAT traversal status
• Source and destination proxy IDs
• Inbound and outbound SA information
Debug information, such as errors, can be viewed from the CLI by typing the
following commands:
diag debug enable
diag debug app ike 1

To disable debugging once this exercise is complete, type the following CLI
command:
diag debug app ike 0

LESSON 6 Authentication

Lab 6 Authentication
Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Firewall Policy Authentication
• Exercise 2 Adding User Disclaimers and Redirecting URLs

Exercise 1 Firewall Policy Authentication


In this exercise, the current firewall policy for Internet web access is limited to
working hours between 8 a.m. and 8 p.m. For access outside of these hours, the
authorized employee will have to pass a login authentication.
You will add authorized users for after-hours Internet web access, as well as a
new policy with authentication enabled to implement this requirement.

1 In Web Config, go to User > Local. On the Local tab, click Create New. Enter
the User Name test with the Password 123456 for the authorized user.
Click OK.
2 Create a user group that includes the authorized user.
Go to User > User Group. On the User Group tab, click Create New and create
a group with the following settings:

Name      night-access
Type      Firewall
Members   Select test from the Available Users/Groups list and use the right
          arrow to move it to the Members list.

Click OK to save the changes.


3 Create a new internal→wan1 firewall policy for after-hours Internet web
access. Instead of making a new schedule object for the after-hours period,
you will position the policy appropriately in the firewall policy list.
Go to Firewall > Policy. From the internal→wan1 policy list, click the Insert Policy
before icon on the DENY policy. This will position the new policy before the
DENY policy at the end of the list.


Configure the new policy with the following settings. Remember to click Add
to enable settings in the New Authentication Rule window.

Source Interface/Zone          internal
Source Address Name            all-dept
Destination Interface/Zone     wan1
Destination Address Name       all
Schedule                       always
Service                        web
Action                         ACCEPT
NAT                            Enable
Log Allowed Traffic            Enable
Protection Profile             Enable, select std-pp
Enable identity-based policy   Enable
Comments                       After-hours Internet web access

Click OK.
This new internal→wan1 policy is identified on the Policy tab with the values
of all-dept / all / always / web / std-pp / ACCEPT.

Note: As an alternative, arrange the policy position using the move icon to specify its
position before or after another policy.

4 Next, enable Authentication Keepalive for the web traffic firewall policies using
the following CLI commands:
config system global
set auth-keepalive enable
end

Note: Authentication Keepalive extends the time of the session when traffic is
present. In this mode, it acts as an idle timer rather than a hard timeout.
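The ordering rule from step 3 (an identity-based policy placed just before the DENY, instead of a separate after-hours schedule object), worked through as an added Python example that is not part of the course material: a first-match model of the internal→wan1 policy list. The address objects, the student PC and destination addresses, and the rule that an unauthenticated user who hits an identity-based policy is prompted to log in are assumptions; the policies, schedule hours and group name come from the exercise.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class Schedule:
    name: str
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def active(self, now):
        """Recurring daily window; the defaults cover the whole day ('always')."""
        return self.start <= now <= self.end


@dataclass
class Policy:
    src_intf: str
    src_addr: str
    dst_intf: str
    dst_addr: str
    schedule: Schedule
    service: str
    action: str
    user_groups: tuple = ()   # non-empty marks an identity-based policy
    enabled: bool = True


# Constructed firewall address objects; "all" matches any address.
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "all-dept": ["192.168.1.0/24"],
}


def addr_match(name, ip):
    return any(ip_address(ip) in ip_network(net) for net in ADDRESSES[name])


def evaluate(policies, pkt, now, authenticated_groups=()):
    """First-match lookup down the policy list.

    Returns the matching policy's action, "AUTH-REQUIRED" when an identity-based
    policy matches but the user is not authenticated into one of its groups
    (assumed behaviour: the FortiGate prompts for login), or "DENY" when no
    policy matches (implicit deny at the end of the list).
    """
    for p in policies:
        if not p.enabled or not p.schedule.active(now):
            continue
        if p.src_intf != pkt["src_intf"] or p.dst_intf != pkt["dst_intf"]:
            continue
        if p.service not in ("ANY", pkt["service"]):
            continue
        if not addr_match(p.src_addr, pkt["src_ip"]) or not addr_match(p.dst_addr, pkt["dst_ip"]):
            continue
        if p.user_groups and not set(p.user_groups) & set(authenticated_groups):
            return "AUTH-REQUIRED"
        return p.action
    return "DENY"


ALWAYS = Schedule("always")
OFFICE_HOURS = Schedule("office_hours", time(8, 0), time(20, 0))

# internal->wan1 list as it stands after step 3: the office-hours web policy,
# the new after-hours policy inserted just before the DENY, then the DENY.
# Only the policies this exercise names are modelled.
OFFICE_WEB = Policy("internal", "all-dept", "wan1", "all", OFFICE_HOURS, "web", "ACCEPT")
NIGHT_WEB = Policy("internal", "all-dept", "wan1", "all", ALWAYS, "web", "ACCEPT",
                   user_groups=("night-access",))
DENY_ALL = Policy("internal", "all", "wan1", "all", ALWAYS, "ANY", "DENY")
POLICIES = [OFFICE_WEB, NIGHT_WEB, DENY_ALL]

# Constructed web request from the student PC to a public address.
WEB_REQUEST = {"src_intf": "internal", "src_ip": "192.168.1.110",
               "dst_intf": "wan1", "dst_ip": "203.0.113.10", "service": "web"}


if __name__ == "__main__":
    print("14:00, not logged in:", evaluate(POLICIES, WEB_REQUEST, time(14, 0)))
    print("22:00, not logged in:", evaluate(POLICIES, WEB_REQUEST, time(22, 0)))
    print("22:00, user test in night-access:",
          evaluate(POLICIES, WEB_REQUEST, time(22, 0), ("night-access",)))
    # Moving the identity-based policy to the top would make daytime browsing prompt too.
    print("14:00 with after-hours policy moved to the top:",
          evaluate([NIGHT_WEB, OFFICE_WEB, DENY_ALL], WEB_REQUEST, time(14, 0)))
```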


Test the Authentication Policy for Web Traffic


Before proceeding with the testing, disable the following internal→wan1
policies by unchecking the Status box in the Firewall > Policy list:
• all-dept / all / office_hours / web / std-pp / ACCEPT
• support-dept / all / office_hours / web / support-pp / ACCEPT

Note: Be mindful of testing the firewall policy schedule outside of the specified hours.

5 In a new web browser window, attempt to access a new web site.


At the login prompt, enter the username test and the password 123456. Click
Continue.
6 Click the logout link in the Authentication Keepalive window and attempt to
browse to another web site.
7 When prompted to authenticate, enter an incorrect user name or password.
8 In Web Config, go to Log&Report > Log Access. Click the Memory tab and set
the Log Type to Event Log.
Locate event log messages for the firewall policy authentication events. Note
the log message level used for this type of event.
9 Re-connect to the web site and this time enter the correct credentials.
10 From the CLI, view the IP addresses and users which have successfully
authenticated to the FortiGate unit with the following CLI command:
diagnose firewall iprope authuser
Clear all authenticated sessions (be careful with this command on a live
system!) with the following CLI command:
diagnose firewall iprope resetauth

Test Authentication on FTP Traffic


11 Modify the web service to include FTP.
Go to Firewall > Policy. Click any instance of the web link in the Service
column.
Select FTP from the Available Services list and click → to move it to the
Members list.
Click OK.
12 Clear all authenticated sessions using the following CLI command:
diagnose firewall iprope resetauth
13 Use an FTP client and access any anonymous FTP site on the Internet. (For a
list of anonymous FTP sites, browse to http://www.ftp-sites.org.)
The first login prompt that appears is from the FortiGate unit and is required for
firewall authentication. Enter the username test and the password 123456.
Once successfully authenticated, reconnect to the same FTP server and this
time log in as anonymous, since authentication to the FTP server has already
been completed.

Note: There is no authentication keepalive window for FTP or Telnet authenticated
sessions. The idle timeout for authenticated sessions is the system global AUTH
timeout (System > Admin > Settings).


Exercise 2 Adding User Disclaimers and Redirecting URLs


In this exercise, you will add user disclaimer messages to Internet-bound policies
and then redirect sessions to a specified URL.

1 In Web Config, go to Firewall > Policy. Re-enable and edit the internal→wan1
office hours web policy (all-dept / all / office_hours / web / std-pp / ACCEPT)
and modify the following settings:

User Authentication Disclaimer   Enable
Redirect URL                     http://192.168.3.1/test.html

Click OK.
2 Clear all authenticated sessions using the following CLI command:
diagnose firewall iprope resetauth
3 In a new web browser window, access a web site. When the first user
disclaimer message appears, click Yes, I agree.
An authentication keep-alive page opens. Click the new window link. This
directs you to the redirect URL specified in the firewall policy created in Step 1,
http://192.168.3.1/test.html.
4 In Web Config, go to System > Config. On the Replacement Messages tab,
expand Authentication and click Edit to modify the Disclaimer Page. Replace
the text the network access provider with your name.
You can also change the Declined disclaimer page message.
Click OK.
5 Go to Firewall > Policy and edit the internal→wan1 web access policy (all-
dept / all / always / web // ACCEPT) to enable the User Authentication
Disclaimer.
6 Disable the policy you created in step 1.
7 Clear the authenticated sessions before each test with the following CLI
command:
diagnose firewall iprope resetauth
8 When prompted by the authentication login page, log in as the user test with
the password 123456.
An authentication keep-alive page opens. Click the new window link. This
directs you to the redirect URL specified in the firewall policy created in Step 1,
http://192.168.3.1/test.html.
9 Browse to a web page and make sure that authentication is required for the
disclaimer and the optional redirect URL.
10 Re-enable the policy you created in step 1.

Note: When the system global auth-keepalive is enabled, the end user will
always see the keepalive window displayed.

11 Examine the following CLI commands for the Users, User Groups, and for one
of the authentication firewall policies:
show user local
show user group
show firewall policy <id>

LESSON 7 Antivirus

Lab 7 Antivirus Scanning


Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Configuring Global Antivirus Settings
• Exercise 2 Configuring a Protection Profile
• Exercise 3 Testing Protection Profile Settings for HTTP/FTP AV Scanning

Exercise 1 Configuring Global Antivirus Settings


In this exercise, you will explore global antivirus settings, which include:
• Ensuring that antivirus definitions are updated properly by the FortiGuard
Distribution Network
• Enabling file pattern blocking
• Enabling Grayware scanning
• Setting up file quarantine with the FortiAnalyzer device
• Enabling antivirus scanning for web proxy servers
• Customizing antivirus replacement messages

FDN Updates
1 Confirm that the FortiGate AntiVirus Engine and Definition versions are up-to-
date. Go to the Fortinet FortiGuard Center web page at the following URL:
www.fortiguardcenter.com
Click the Antivirus link located under FortiGuard Services and view the Current
AV Database version shown in the Update Center area. Note the current
update version.
2 From Web Config, go to System > Maintenance. Click the FortiGuard tab to
view the AV version information for the FortiGate device.
You can also access this information from the License Information pane on the
System Dashboard by clicking System > Status.
The equivalent CLI commands are:
get system status
diagnose autoupdate versions
3 If required, update the AV definition versions.
Go to System > Maintenance. On the FortiGuard tab, expand Antivirus and
IPS Options. Click Update Now.

Note: The update may take several minutes to complete, so in the meantime, continue
with the lab.

Use the equivalent CLI commands to invoke an FDN check and AV/IPS
update:
exec update-av
exec update-now

File Pattern
To help slow the spread of viruses and prevent unauthorized programs from
being installed, in the classroom scenario all *.exe files will be blocked from
being downloaded from the web or an FTP site, as well as from all email
attachments.
4 In Web Config, go to UTM > AntiVirus. On the File Filter tab, click Edit
for builtin-patterns. Expand File Patterns and enable blocking for the *.exe
file pattern.
Click OK.


Grayware Scanning
Scanning for malicious grayware-type installers is turned off in factory-default
settings.
5 Go to UTM > AntiVirus > Grayware tab. Enable all category groups.

Note: When you enable any Grayware category, the change is applied immediately
and the interface refreshes.

6 Expand the category groups to view the details.

Quarantine
File quarantine is available if the FortiGate unit model has an internal hard disk or
if a FortiAnalyzer device is available.
7 Go to UTM > AntiVirus > Config. In the Quarantine Configuration window,
make sure the FortiAnalyzer is enabled.
8 Configure the quarantine settings as follows:

Quarantine Infected Files     enable all protocols
Quarantine Suspicious Files   enable all protocols
Quarantine Blocked Files      none
Age Limit                     168 hours (7 days)
Max Filesize to Quarantine    50MB

Click Apply.

Replacement Messages
Replacement messages are substituted for the infected file when the FortiGate
antivirus engine detects a virus.
9 Go to System > Config. On the Replacement Messages tab, expand HTTP,
then FTP. Click Edit to view the default virus and file block messages for
HTTP and FTP.

Alternately, display the same Replacement Messages in the CLI with the
following commands:
show system replacemsg http [http-virus/http-block/...]
show system replacemsg ftp [ftp-dl-infected/ftp-dl-blocked/...]

Note: Some replacement messages are stored in raw HTML code. Make sure that the
correct syntax is used and preserve the existing HTML tags. An external HTML editor
can be used to create the replacement message and then copy and paste the resulting
HTML code into the FortiGate Replacement Message configuration.

Exercise 2 Configuring a Protection Profile


In this exercise, you will set the antivirus options in a protection profile and apply
them to firewall policies. In the lab "Firewall Policies", you created an empty
placeholder protection profile called std-pp to use with the firewall policies.

In this exercise, you will configure the std-pp protection profile to:
• Enable antivirus scanning of all supported protocols with file quarantine to
capture samples of the infected files.
• Enable file pattern blocking to prevent certain file types from being
downloaded or emailed.
• Prevent email fragmentation, as this opens a vulnerability for entry of
infected email attachments.
• Enable client comforting to prevent client time-outs due to the slow Internet
connection in combination with the buffering by the FortiGate antivirus
scanner.
• Enable oversize file blocking to block large downloaded files that cannot be
scanned and to impose a size limit on email attachments to ease the load
on the mail server.
• Use replacement messages for FTP and SMTP.

1 Go to Firewall > Protection Profile. On the Protection Profile tab, click Edit
for the std-pp protection profile.
Expand the Anti-Virus options and apply the following settings:

Function                          Setting                                              Protocol
Virus Scan                        enable                                               all protocols
File Filter                       enable and select built-in patterns from the         all protocols
                                  Option drop-down list
Quarantine                        enable                                               all protocols
Pass Fragmented Emails            disable                                              IMAP, POP3, SMTP
Comfort Clients                   enable; Interval: 2 s; Amount: 48 bytes              HTTP, FTP
Oversized File/Email              Action: block; Threshold: 12MB                       HTTP, FTP
Oversized File/Email              Action: block; Threshold: 2MB                        IMAP, POP3, SMTP, IM
Add signature to outgoing emails  enable; type a message to appear on outgoing         SMTP
                                  email, for example [Student scanned]


2 Expand the Data Leak Prevention Sensor options and configure the following
settings:

Display content meta-information on the system dashboard   enable for all protocols
Data Leak Prevention Sensor                                 enable Content_Archive
Archive SPAMed emails to FortiAnalyzer/FortiGuard           leave disabled

3 Expand the Logging options. Enable logging for all antivirus events for firewall
policies using the std-pp protection profile by setting the following:

Viruses                  enable
Blocked Files            enable
Oversize Files/Emails    enable

Click OK.
4 Repeat the steps to make the same changes to the support-pp profile.
5 To permit the use of replacement messages for FTP, you must disable the
splicing function. You can only do this through the CLI.
Type the following command and note the separate set commands per protocol:
show firewall profile std-pp
Type the following commands to modify the FTP settings, omitting splice from the
parameter list:
config firewall profile
edit std-pp
set ftp block clientcomfort oversize quarantine scan
end


Exercise 3 Testing Protection Profile Settings for HTTP/FTP AV Scanning

In this exercise, you will test the std-pp protection profile settings by downloading
several virus samples (rendered inert) with HTTP and FTP downloads from the
classroom server.

Virus Scan
1 In a web browser, type the following address:
http://192.168.3.1
2 On the sample page displayed, click the AV tab. Click the Virus Samples link
and click the following files to attempt to download them:
• Adware/BDsr/bdsrhook.dl_
• Spyware/Iwon/i1srchas.dl_
• Toolbar/SBsoft.G/webdlg32.dl_
These files are not real viruses, but they will trigger a virus or grayware
signature and will be stopped by the FortiGate unit.
Check that the HTTP Virus replacement message displays when the files that
are infected or blocked have been quarantined. In the message that is
displayed, there is a link to the Fortinet Virus Encyclopedia that provides
information about the detected virus.
3 Go to UTM > AntiVirus > Quarantine Files tab. The files that have been
quarantined are listed.

Note: There may be policies in place from previous exercises that could allow the files
to be downloaded. If the above steps do not work, go to the firewall policies and ensure
that the following policies are disabled:
• all-dept / special-web / office_hours / ANY / support-pp / ACCEPT
• all / all / always / ANY // ACCEPT

4 Use an FTP client and log into the following site:
192.168.3.1/pub/samples
When prompted, log in as anonymous with the password guest.
Set the file transfer to binary mode and download one of the files listed in Step
2.
The virus sample is detected over FTP and a custom replacement message is
displayed.

Note: If you use Windows Explorer as an FTP client to copy a virus sample from the
class FTP server, the result will be an empty file of the same name. Right-click the
copied file to view its properties and check the file size. Windows Explorer created a
file with the name of the target file but with a size of 0 bytes because the actual file
transfer was blocked by the FortiGate unit.

5 In a web browser, type the following address:
http://192.168.3.1


6 Click the AV tab. Select Virus Samples and click Eicar_test_file. Try to
download the following EICAR samples:
• eicar.exe
• eicar1.exe.gz
• eicar1.exe.zip
• eicar2.exe.zip
• eicar3.exe.bz2
The HTTP File Block replacement message should display for the eicar.exe
file because all *.exe files are blocked with File Pattern Block.
The file eicar2.exe.zip will pass because it is password protected and the AV
engine cannot open the file.

Note: Even if a compressed file is password protected and cannot be opened, the AV
engine can still check the file checksums in the compression header against the worm
checksums in the signature file.

File Pattern
7 Go to UTM > AntiVirus > File Filter tab. Click Edit for the builtin-patterns list.
Click Create New, set Filter type to File Name Pattern, and enter eicar.exe as
the Pattern. Select Allow from the Action drop-down list and verify that
Enable is selected. Click OK.
8 Expand File Patterns and use the Move To icon to change the order in the list
so eicar.exe is above the existing *.exe entry. Click OK.
The list is evaluated from the top and the first matching entry decides, so the
new allow entry only takes effect if it sits above the *.exe block entry.
9 From the browser, access the Virus Samples again and try to download the
eicar.exe file.

Note: Even though a file is permitted by file pattern matching, it is still AV
scanned, so the eicar.exe download is still blocked, this time by the virus scan
rather than by its name.

File Oversize
10 In a web browser, type the following address:
http://192.168.3.1/files
11 Attempt to download the file called big.file.
An HTTP File Oversize replacement message will display.
12 Download big.file.zip.
This file download should be successful.
Question: Was this file scanned?
Answer: No. The big.file.zip file is smaller than the oversize limit, so it is not
rejected as oversized. When the file is extracted, however, it is greater than the
uncompressed size limit, so the file is passed unscanned. Content that exceeds the
uncompressed size limit therefore reaches the client without any virus scan; treat
the limit as a gap in scanning coverage, not as a protection.
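To see the whole decision chain from steps 6 to 12 in one place, the following Python script (an added example, not part of this course and not FortiOS code) simulates it: an ordered file-pattern list evaluated top-down, the oversize limit, bounded unpacking against an uncompressed-size limit, and a signature scan for the public EICAR test string. The file names mirror the lab's samples, but the file contents, the limits (64 KiB on the wire, 256 KiB unpacked), the rule tuples and the verdict labels are all constructed for this demo; the password-protected eicar2.exe.zip case is represented only by the encrypted-entry check, because the standard library cannot write encrypted archives.

```python
"""Simulation of the FortiGate antivirus decision chain exercised in this lab.
Added illustration only; limits, rule syntax and verdict labels are assumptions."""
import bz2
import fnmatch
import gzip
import io
import zipfile
import zlib

# The public EICAR test string, assembled at runtime so that this source file
# itself is not quarantined by a desktop scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE!$H+H*")


def file_pattern_action(name, rules):
    """Top-down, first-match evaluation like the FortiGate File Filter list.
    rules is an ordered list of (glob, "allow" | "block")."""
    for glob, action in rules:
        if fnmatch.fnmatchcase(name.lower(), glob.lower()):
            return action
    return "allow"  # no entry matched: the name does not filter the file


def inflate_bounded(name, blob, limit):
    """Unpack blob without ever producing more than limit bytes of output.
    Returns (payload, None) on success or (None, reason) when not scannable."""
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
            if any(i.flag_bits & 0x1 for i in infos):
                return None, "encrypted"    # password protected, cannot be opened
            if sum(i.file_size for i in infos) > limit:
                return None, "too_big"      # decided from the headers, nothing inflated
            return b"".join(zf.read(i) for i in infos), None
    if name.endswith(".gz"):
        dec = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    elif name.endswith(".bz2"):
        dec = bz2.BZ2Decompressor()
    else:
        return blob, None                   # not compressed
    out = dec.decompress(blob, limit + 1)   # max_length caps the inflation
    if len(out) > limit:
        return None, "too_big"
    if not dec.eof:
        return None, "truncated"
    return out, None


def scan(name, blob, rules, oversize_limit, uncompressed_limit):
    """Verdict for one downloaded file, in the order the lab observes the checks."""
    if file_pattern_action(name, rules) == "block":
        return "blocked:file-pattern"           # HTTP File Block message
    if len(blob) > oversize_limit:
        return "blocked:oversize"               # HTTP File Oversize message
    payload, reason = inflate_bounded(name, blob, uncompressed_limit)
    if payload is None:
        return "passed-unscanned:" + reason     # the big.file.zip case
    if EICAR in payload:
        return "blocked:virus"                  # allowed by name, still scanned
    return "passed:clean"


def build_samples():
    """Constructed stand-ins for the lab's download set (not the real files)."""
    def zipped(entry, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(entry, data)
        return buf.getvalue()
    big = b"\0" * (1 << 20)  # 1 MiB of zeros: a few KiB once compressed
    return {
        "eicar.exe": EICAR,
        "eicar1.exe.gz": gzip.compress(EICAR),
        "eicar1.exe.zip": zipped("eicar1.exe", EICAR),
        "eicar3.exe.bz2": bz2.compress(EICAR),
        "big.file": big,
        "big.file.zip": zipped("big.file", big),
    }


# Assumed limits, small enough for the demo.
LIMITS = dict(oversize_limit=64 * 1024, uncompressed_limit=256 * 1024)
BUILTIN = [("*.exe", "block")]                            # lab's builtin-patterns list
REORDERED = [("eicar.exe", "allow"), ("*.exe", "block")]  # ordering after step 8


def run_lab(rules=BUILTIN):
    """Replay every download in the exercise against the given pattern list."""
    return {name: scan(name, blob, rules, **LIMITS)
            for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in run_lab().items():
        print(f"{name:16} {verdict}")
    print("eicar.exe after step 8:", run_lab(REORDERED)["eicar.exe"])
```

Two details matter in practice: the archive size is taken from the zip headers, and the gzip and bzip2 paths use the decompressor's max_length argument, so an inflated file never occupies more than the limit plus one byte in memory; and the "passed-unscanned" verdicts are exactly the downloads a user would receive with no inspection at all.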


Logging and Alerts


13 Go to Log&Report > Log Access. On the Memory tab, set the Log Type to
AntiVirus Log.
14 Click Column Settings. Select Service from the Available Fields list and click →
to move it to the Show these fields in this order list. Click OK.
15 Click the Memory tab to view the Antivirus event messages.
16 Go to Log&Report > Content Archive to view the content archive messages.
Find the entries for the HTTP download attempts (on the Web tab) and FTP
download attempts (on the FTP tab). Click Raw to show the entire content
archive message.

Note: The content archive messages are actually retrieved from the FortiAnalyzer log.
There is a hidden connection between the FortiGate unit and the FortiAnalyzer
device.

17 Check the email account for alert messages from the class mail server.
Several email alerts generated by virus detections in the previous steps should
be received. Compare the text of the alert emails with the log messages
viewed previously.

Quarantine
Now that AV scanning has been tested, check the quarantined file display.
18 Go to UTM > AntiVirus > Quarantine Files tab. View the list of quarantined files.
19 Connect to the FortiAnalyzer device by typing the following address in a web
browser:
http://209.87.230.134
Log in with the username student and the password fortinet.
20 Go to Quarantine > Repository.
Select the device name from the Show pull-down menu to only show files from
the FortiGate unit. Set the Timeframe to last 1 day.
Download one of the quarantined files from the FortiAnalyzer device by
selecting a file and clicking the download icon.
Question: Why was the download blocked by the FortiGate unit?
Answer: The HTTP session to the FortiAnalyzer from the PC is still being
scanned by the FortiGate, so the download attempt of the virus sample from the
FortiAnalyzer quarantine repository is detected and blocked.
21 Re-connect to the FortiAnalyzer using HTTPS by typing the following address
in a web browser:
https://209.87.230.134
22 Try to download a quarantined file from the quarantine repository. Note that the
file has been downloaded. The HTTPS session is encrypted end to end between
the PC and the FortiAnalyzer, so the protection profile's HTTP/FTP antivirus
scanning never sees the file content; an encrypted channel is the simplest way for
content to bypass this kind of inspection.
23 Go to Quarantine > Repository. Delete the sample from quarantine after
downloading it by clicking Delete in the Repository list.


Lab 8 Web Filtering


Tasks
In this lab, you will complete the following tasks:
Exercise 1 Configuring Local Web URL and Content Filtering
Exercise 2 Testing Web Category Filtering

Exercise 1 Configuring Local Web URL and Content Filtering

In this exercise, you will configure web URL and content filtering for the
support-pp profile.
1 Log in to Web Config as the admin user. Go to Firewall > Protection Profile
and edit the support-pp protection profile. Expand Web Filtering and enable
the following for HTTP:

Web Content Block           enable, Threshold = 10 (default)
Web Content Exempt          enable
Web URL Filter              enable for HTTP and HTTPS
Web Resume Download Block   enable

Leave script filters such as ActiveX, Cookie, and Java Applet disabled.
2 Expand Logging and enable the following Web Filtering messages:
Content Block   enable
URL Filter      enable

Click OK to save the changes.


3 To create a new URL filter list, go to UTM > Web Filter > URL Filter tab. Click
Create New and enter the name URL-list.
Click OK.


4 Under the Comments box, click Create New and set the following:

URL      ^.*$
Type     Regex
Action   Block
Enable   enable

Note: ^.*$ means: anchor at the beginning of the line (^), match any character (.)
zero or more times (*), up to the end of the line ($). Every URL satisfies this
expression, so the entry blocks all web access; anything that must stay reachable has
to be allowed or exempted by an entry placed above it. There are many references on
the web for regular expressions or Perl compatible regular expressions, for example,
http://perldoc.perl.org or http://www.regexlib.com/CheatSheet.aspx.

Click OK.
5 Go to Firewall > Protection Profile. Edit the support-pp profile and expand
Web Filtering.
Select the new URL-list filter from the drop-down list.
Click OK.
6 Go to Firewall > Policy. On the Policy tab, ensure that the internal→wan1 web
policy all-dept / all / office_hours / web / std-pp / ACCEPT is enabled. Click
Edit and set the following:

Protection Profile                support-pp
Authentication                    disable
User Authentication Disclaimer    disable

Click OK.
Place this policy at the top of the internal→wan1 list. Policies are matched from
the top down, so a policy further down would never see this traffic.
7 Open a new web browser window and test that all websites are now blocked.
The HTTP URL block replacement message is displayed.

Note: Web browser caching may interfere with web filtering. If the web site is not
blocked, clear the cache in the web browser and try again.

8 Go to System > Config. On the Replacement Messages tab, expand HTTP.
Edit the URL block message and add a custom message.
9 Go to UTM > Web Filter > URL Filter tab and edit the URL-list filter. Click
Create New and add the following filter:

URL      www.fortinet.com
Type     Simple
Action   Allow
Enable   enable

Click OK to save the changes.
10 Position the www.fortinet.com entry above the global blocking URL entry
in the filter list. Test access to this site.

11 Connect to the www.fortinet.com web page.
12 From the www.fortinet.com web page, pick three words to add to a Web
Content Block List. Identify the phrase in which one of the words occurs.

Note: Ensure that the words you select do not appear as part of the graphics or flash
movies on this web page. For example, you can choose technology, program, or partner.

Word 1: ________
Word 2: ________
Word 3: ________
Phrase: ________

13 Go to UTM > Web Filter > Web Content Block tab. Click Create New. Enter the
name content-list for the new web content block list and click OK.
On the Web Content Block tab, click Create New and add Word 1 to the
content block list as follows:

Pattern        Word 1 (from step 12)
Pattern Type   Wildcard
Language       Western
Score          5
Enable         Checked

Click OK.
14 Go to Firewall > Protection Profile and edit the support-pp profile. Expand
Web Filtering and verify that Web Content Block for HTTP is enabled.
Select content-list from the drop-down list and set the Threshold to 5.
Click OK to save the changes.
15 Reload the www.fortinet.com web page to test that this page is blocked
and that the banned word block replacement message is displayed.
If the page appears, empty the cache on the browser and try again.
16 Go to Log&Report > Log Access. On the Memory tab, set Log Type to Web
Filter Log. Check the log messages for the web content block and note the
banned word that appears in the parentheses of the log message, for example,
(security).
17 Go to UTM > Web Filter > Web Content Block tab. Click Edit for
content-list and disable the Word 1 pattern before continuing.

18 Add Word 2 to the web content block list as follows:

Pattern        enter Word 2 using the form /word/i
Pattern Type   Regular Expression
Language       Western
Score          5
Enable         Checked

The regular expression /word/i matches Word 2 in any combination of upper- and
lowercase letters; the trailing i flag makes the match case-insensitive.


19 Clear the cache in the web browser and reload the www.fortinet.com web
page to test that the page is blocked and the replacement message is
displayed. View the log messages again to determine which banned word
caused the web content block event.
20 Go to UTM > Web Filter > Web Content Exempt tab. Click Create New and
create a new exempt list named content-exempt.
On the Web Content Exempt tab, click Create New to add the phrase chosen
earlier as a wildcard pattern type and enable it.
Click OK.
21 Go to Firewall > Protection Profile. Edit the support-pp profile and edit the
Web Filtering settings. Enable Web Content Exempt for HTTP and select
content-exempt from the drop-down list.
Click OK.
22 Test the access to www.fortinet.com.

Note: A URL cache replacement message may be displayed because of a side-effect
of the Comfort Client feature. To clear the URL cache, add a random letter (a to z) or
number (0 to 9) to the end of the URL in the browser address bar to get a "404" page
not found error. Then correct the URL and press CTRL-R to reload the browser.

You should now be able to access the web page because of the exempt phrase.
23 Add Word 3 to the web content block list with a score of 5 and test. The page
should still pass. Even though the threshold has been reached, the page is passed
because the exempt list is tested before the block list.
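The ordering rules exercised in steps 4 to 23 (first-match URL filter, content scoring against a threshold, exempt list evaluated first) can be replayed without a FortiGate. The following Python script is an added example, not part of this course and not FortiOS code. Its assumptions: a Simple URL entry matches its URL and every path beneath it, a Wildcard content pattern is case-sensitive (the lab uses /word/i for case-insensitive matching), each matching content pattern adds its score once, and the page text standing in for www.fortinet.com is constructed.

```python
"""Simulation of the URL filter list and web content block/exempt scoring
from this lab. Added illustration only; matching semantics are assumptions."""
import re


def _strip_scheme(url):
    return re.sub(r"^[a-z]+://", "", url.strip().lower())


def _wildcard(p):
    """Translate a FortiGate-style wildcard (* and ?) into a regex fragment."""
    return ".*".join(re.escape(s).replace(r"\?", ".") for s in p.split("*"))


def url_filter(url, entries):
    """Ordered URL filter: the first enabled entry that matches decides.
    entries: (pattern, "simple" | "wildcard" | "regex", action, enabled).
    Returns the action ("allow", "block", "exempt") or None when nothing matches."""
    u = _strip_scheme(url)
    for pattern, kind, action, enabled in entries:
        if not enabled:
            continue
        p = pattern.lower()
        if kind == "simple":
            hit = u == p or u.startswith(p + "/")   # assumption: URL and everything under it
        elif kind == "wildcard":
            hit = re.fullmatch(_wildcard(p), u) is not None
        else:                                        # regex, e.g. ^.*$
            hit = re.search(pattern, u) is not None
        if hit:
            return action
    return None


def content_pattern(pattern, kind):
    """Compile a Web Content Block/Exempt pattern.
    Regular Expression entries use the /body/flags form shown in the lab."""
    if kind == "regex":
        m = re.fullmatch(r"/(.*)/([a-z]*)", pattern)
        body, flags = m.groups() if m else (pattern, "")
        return re.compile(body, re.IGNORECASE if "i" in flags else 0)
    return re.compile(_wildcard(pattern))            # wildcard: substring search


def content_block(page_text, block_list, exempt_list, threshold):
    """Return (decision, score) for a page. The exempt list is evaluated first,
    as step 23 observes; otherwise scores are summed against the threshold."""
    for pattern, kind, enabled in exempt_list:
        if enabled and content_pattern(pattern, kind).search(page_text):
            return "exempt", 0
    score = 0
    for pattern, kind, points, enabled in block_list:
        if enabled and content_pattern(pattern, kind).search(page_text):
            score += points                          # assumption: one hit per pattern
    return ("block" if score >= threshold else "pass"), score


# Constructed page text standing in for www.fortinet.com: it contains the three
# example words from step 12 and the phrase holding one of them.
PAGE = "Fortinet delivers security technology to partners through its partner program."

GLOBAL_BLOCK = ("^.*$", "regex", "block", True)
ALLOW_FORTINET = ("www.fortinet.com", "simple", "allow", True)


def walk_through():
    """Replay the lab's filter changes and collect each step's outcome."""
    results = {}
    # steps 4-7: the regex entry alone blocks everything
    results["step7"] = url_filter("http://www.fortinet.com/", [GLOBAL_BLOCK])
    # steps 9-10: the allow entry only works when it sits above the global block
    ordered = [ALLOW_FORTINET, GLOBAL_BLOCK]
    results["step10_fortinet"] = url_filter("http://www.fortinet.com/products", ordered)
    results["step10_other"] = url_filter("http://www.example.org/", ordered)
    results["step10_misordered"] = url_filter("http://www.fortinet.com/", ordered[::-1])
    # steps 13-15: Word 1 scores 5; the default threshold 10 passes, threshold 5 blocks
    word1 = [("technology", "wildcard", 5, True)]
    results["threshold10"] = content_block(PAGE, word1, [], 10)
    results["threshold5"] = content_block(PAGE, word1, [], 5)
    # step 18: a case-sensitive wildcard misses "program", /Program/i hits it
    results["wildcard_case"] = content_block(PAGE, [("Program", "wildcard", 5, True)], [], 5)
    results["regex_i"] = content_block(PAGE, [("/Program/i", "regex", 5, True)], [], 5)
    # steps 20-23: the exempt phrase wins even with all three words scoring
    words = word1 + [("/program/i", "regex", 5, True), ("partner", "wildcard", 5, True)]
    exempt = [("partner program", "wildcard", True)]
    results["exempt"] = content_block(PAGE, words, exempt, 5)
    results["no_exempt"] = content_block(PAGE, words, [], 5)
    return results


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step:18} {outcome}")
```

Note that the Simple match is anchored: www.fortinet.com.evil.example does not inherit the allow entry, because the comparison is against the whole host plus a path separator, not a prefix. A wildcard or loosely written regex allow entry would not give that guarantee.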


Exercise 2 Testing Web Category Filtering


In this exercise, you will examine FortiGuard web category filtering and the
interaction of local categories and overrides.

1 Log in to Web Config as admin. Go to System > Maintenance and ensure
that the FortiGuard Web Filtering service is still valid on the FortiGuard
tab.
2 Expand Web Filtering and Antispam Options and examine the cache settings
for web filter (1800 seconds). A cached rating is reused for that long, so a
rating change may take up to 30 minutes to become visible.
3 Go to Firewall > Protection Profile and edit the std-pp protection profile.
Expand Web Filtering and set the following for HTTP and HTTPS:

Enable FortiGuard Web Filtering       enable
Rate Images by URL                    enable
Strict Blocking                       enable
Rate URLs by domain and IP address    enable

Category                              Action
Potentially Liable                    Block and Log
Controversial                         Block and Log
Potentially Non-productive            Block and Log
Potentially Bandwidth Consuming       Block and Log
Potential Security Violating          Block and Log
General Interest                      Block and Log
Business Oriented                     Block and Log
Others                                Block and Log
Unrated                               Block and Log

Click OK to save the changes.

4 Go to Firewall > Policy and edit the internal→wan1 (all-dept / all /
office_hours / web / support-pp / ACCEPT) policy. Set the Protection Profile
to std-pp to test the web category filtering.
Click OK.
5 Try to connect to a few different web sites. The FortiGuard web filtering URL
block message should be displayed.

Note: Clicking the link next to To have the rating of this web page re-evaluated will
redirect you to a URL Rating Request website.

6 Go to System > Config to configure a custom replacement message. On the
Replacement Messages tab, expand FortiGuard Web Filtering and edit the
URL block message.


Local Categories
7 Go to UTM > Web Filter. On the Local Categories tab, add a new local
category called Local-1 and click Add.
8 On the Local Ratings tab, click Create New to create new website entries for
some of the web sites visited previously that were blocked.
Enter the URL. Expand Local Categories in the Category Rating table and
enable the rating box for Local-1.
Click OK.
9 Go to Firewall> Protection Profile. Edit the std-pp protection profile and
expand Web Filtering. Expand Local Categories in the category table. Enable
the Local-1 category and set to Allow. Enable Log.
Click OK to save the changes.
10 Try to visit the URLs that are now in the local category. Verify that other web
sites not found in the local category are still blocked.

Note: Some parts of an allowed web page may be blocked if off-site URLs are used
that are not in the allowed category.

Override a Blocked URL

There are two ways to override a URL blocked by FortiGuard Web Filtering:
• Set Action = Exempt in the URL Filter
• Set FortiGuard Web Filter Overrides

Set to Exempt in the URL Filter

11 Go to UTM > Web Filter > URL Filter tab and edit URL-list. Click Create New
and add a new filter with the following parameters:

URL      Type the URL of a web site
Type     Simple
Action   Exempt
Enable   Checked

Important: Disable all other URL filter entries except for this new entry.
Click OK.
12 Go to Firewall > Protection Profile. Edit the std-pp profile and expand Web
Filtering. Enable Web URL Filter for HTTP and HTTPS and select URL-list
from the drop-down menu.
Click OK.
13 Attempt to access one of the exempted URLs. The page loads: an Exempt
entry in the URL filter passes the request without applying the remaining web
filtering checks, including the FortiGuard category rating, so reserve it for
sites you explicitly trust.


Set FortiGuard Web Filter Override


14 Go to User > User Group. Click Create New and configure a new user group
with the following settings:

Name                     web-override
Type                     Firewall
Members (Local users)    test

15 Expand FortiGuard Web Filtering Override and enable Allow to create
FortiGuard Web Filtering overrides. Set the following:

Override Scope           IP
Override Type            Domain
Off-site URL             Deny
Override Time            Constant/15 minutes
Permission Granted For   std-pp

Click OK.
16 Go to Firewall > Protection Profile. Edit the std-pp protection profile. Expand
Web Filtering and enable FortiGuard Web Filtering Overrides for HTTP and
HTTPS.
Enable Allow Override for all categories.
Click OK.

Note: Do not use a web proxy, otherwise the Web Category Override web page will not
work.

17 Try to visit a blocked category website. This time the blocked page
replacement message will have an Override link.
Click the Override link to view a Web Filter Block Override. Enter the User
name test and the password 123456.
Note that other fields are greyed out as they are set by the override user group.
After completing the required fields that will grant access to the desired
website, click Continue.
18 Go to UTM > Web Filter. Select the Override tab and click Edit to view
the User Overrides web filter override list. Note the Expiry Date column of the
dynamically added entries.
19 Go to Log&Report > Log Access. On the Memory tab, set the Log Type to Web
Filter Log.
Check the log messages related to category blocking. Scroll or page down to
locate the log messages from the URL and content filtering performed earlier in
this lab.
