Course 201-v4.0 Administration, Content Inspection and Basic VPN Access
01-4000-0201-20090501 55
Connecting to the Command Line Interface (CLI)
Note: In the classroom lab environment, all addresses used are private addresses as
outlined in RFC1918. The wan1 Internet subnet is actually a private address subnet
and cannot be used in a real-world situation.
2 Connect the PC's network cable into the internal interface (ports 1 through 6)
of the FortiGate unit and make sure the corresponding internal LED indicator is
green.
The FortiGate unit's built-in DHCP server will assign addresses to the devices
connected to these ports as required. The factory default subnet assignment of
192.168.1.0/24 will be used.
Note: The internal interface on a FortiGate unit is a multi-port switching hub port with
auto-MDX sensing so either a straight or cross-over cable can be used.
7 Log in to the CLI once again and type the following command to display status
information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build,
operational mode, and additional settings.
9 Press the Up arrow key to redisplay the previous get system status
command and try some of the control key sequences that are summarized
below.
CTRL+C is context sensitive and in general, aborts the current command and
moves up to the previous command branch level. If you are already at the root
branch level, CTRL+C will force a logout of the current session and another
login will be required.
10 Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a
time each time the <tab> key is pressed.
11 Type the following command to see the entire list of execute commands:
execute ?
Similar to the get command, keywords may have sub-keywords or require
that additional parameters be entered. The FortiGate CLI is hierarchical and all
execute commands can only be invoked when at the top level.
12 Enter the following CLI commands and compare the available keywords for
each one:
config ?
show ?
These two commands are closely related.
config begins the configuration mode while show displays the configuration.
The only difference is show full-configuration. The default behavior of
the show command is to only display the differences from the factory-default
configuration.
13 Enter the following CLI commands to display the FortiGate unit's internal
interface configuration settings and compare the output for each of them:
show system interface internal
show full-configuration system interface internal
Only the characters shown in bold typeface need to be typed, optionally
followed by <tab>, to complete the command keyword. Use this technique
when you use the CLI to reduce the number of keystrokes to enter information.
CLI commands can be entered in an abbreviated form as long as enough
characters are entered to ensure the uniqueness of the command keyword.
Parameters, however, must be fully typed out. For example, when specifying
the interface name internal, it cannot be abbreviated to int or inter.
Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or the
[Enter] key to scroll one line at a time. Press q to exit.
14 Enter the CLI command below to display the factory set IP address of the
FortiGate's internal interface.
The internal interface's IP address is 192.168.1.99. You will use this address
later for HTTP administrative access to the FortiGate device.
Caution: If you are using your own laptop or PC for the following exercise, make sure
to record your original PC network settings before proceeding.
1 Set the PC IP settings to DHCP. The FortiGate device will assign the PC an
address in the range of 192.168.1.110 to 192.168.1.210.
2 Verify the PC settings using the ipconfig command from the Windows
command prompt. The default gateway corresponds to the Internal Interface
IP address of the FortiGate unit (192.168.1.99).
3 Open a web browser and type the following address to access the FortiGate
Web Config interface.
https://192.168.1.99
Accept the self-signed certificate when the security alert appears.
HTTPS is the recommended protocol for administrative access to the
FortiGate UTM devices. Other available protocols include SSH, ping, SNMP,
HTTP, and Telnet.
4 At the login screen, enter the username of admin (all lowercase), leave the
password blank, and click Login.
5 The first window displayed after a successful login is the System Dashboard.
Before continuing with the rest of the initial configuration, explore the System
Dashboard page and find the following information:
Other system details found on the System Dashboard include the current CPU
and memory usage, number of active sessions, recent content inspection
statistics, administrative users, and FortiGuard Services status.
6 Before proceeding to the next exercise, ensure that the FortiGate unit is
running the correct version of FortiOS firmware required for this class (FortiOS
4.0).
Note: If you are not running the correct version, click Update for Firmware version and
browse to the firmware file available from the Fortinet Support site with a valid service
contract.
Configuring Network Connectivity
1 In the Web Config, go to System > Network. From the Interface tab, click Edit
for the wan1 interface.
On the Edit Interface page, configure the following settings:
Click Apply.
2 Wait a few seconds for the wan1 interface to acquire an address from the
ISP's DHCP server before continuing.
Note: Configuration changes get saved to the non-volatile flash memory when clicking
OK in Web Config or when next or end is entered on the CLI. No explicit save
command is required.
For CLI configuration only, this behavior can be changed to require an explicit save or
to revert after a set period if an explicit save is not performed.
config system global
set cfg-save <automatic/manual/revert>
set cfg-revert-timeout <600> (in seconds, only when cfg-save is revert)
3 After a few seconds, click the Status: link to refresh and view the acquired
DHCP address assignment details.
1 In Web Config, go to System > Network. From the Interface tab, click Edit
for the wan1 interface.
On the Edit Interface page, configure the following settings:
Click Apply.
2 Click the Options tab to open Networking Options. In the Primary DNS Server
field, enter the IP address of the DNS Server given by a network administrator.
If a second DNS server is available, enter its IP address in the Secondary DNS
Server field.
Click Apply.
3 Go to the Router > Static > Static Route tab to configure a static route entry for
the default gateway.
Click Create New. The New Static Route window opens.
For the wan1 device, set Gateway to the IP address of the default gateway
device given by a network administrator.
Leave the Destination/IP Mask settings at the default setting
0.0.0.0/0.0.0.0.
Click OK.
Note: Depending on how long it has been since the last command has been entered in
the CLI, another log in may be required.
Note: The DHCP leases are preserved even when the FortiGate unit is rebooted. To
clear all DHCP leases, disable and then re-enable the specific DHCP server.
1 To view the equivalent CLI configuration of the FortiGate interfaces, type the
following command:
show system interface
2 To see verbose settings, type the command:
show full-configuration
3 To view additional parameters for all interfaces, type the command:
get system interface
Compare the get command output with the output from the show command.
The information from each is similar: get displays all settings and values,
while show gives the syntax for the configuration.
The FortiGate CLI is hierarchical, which means that some commands are only
applicable at a certain level or context. The next step demonstrates the
hierarchy when modifying the wan1 interface to add additional administrative
access to assist with troubleshooting during initial deployment. Once the
system is operational, ping access may be removed to avoid simple ICMP
scans.
Note: The set command is not additive. The existing parameters must be re-entered
and the new parameter must be added.
4 To add SSH access on the wan1 interface, enter the following CLI commands:
config system interface
edit wan1
set allowaccess https ping ssh
next
end
Exploring the CLI
7 To inspect the DHCP leases in the CLI for the addresses distributed by the
internal interface DHCP server, type:
exec dhcp lease-list
Other available DHCP CLI commands are listed below. Please do not run
these commands at this time.
To clear all DHCP leases:
exec dhcp lease-clear
Use the following DNS server address:
Primary DNS Server: 4.2.2.1
Leave the Secondary DNS Server setting as is.
Enable DNS forwarding from internal (default)
Note: For FortiGate-200 models and higher, the Primary DNS and Secondary DNS
servers can only be configured manually. The factory defaults are set to Fortinet
maintained DNS forwarders 65.39.139.53 and 65.39.139.63 respectively.
Click Apply.
2 Compare the output for the DNS CLI commands:
show system dns
get system dns
The output should correspond to the changes made in Step 1.
exec date
Configuring Administrative Users
Administrator: admin1
Type: Regular
Password: fortinet
Trusted Host #1: 192.168.1.0/24
Admin Profile: super_admin
Note: Ping requests to this device are also restricted by the trusted host setting of the
administrator account.
6 Go to System > Admin. On the Admin Profile tab, click Create New to create a
new access profile with only read-write access to the content inspection
functions in the New Admin Profile window. Limiting access only to the areas
affecting content inspection helps to eliminate accidental errors that could
adversely affect connectivity.
Configure the new access profile using the following settings. You will have to
expand the sections to access all of the settings.
Click OK.
Note: You can customize the FortiGate interface to show, hide, and arrange widgets,
menus, and items according to your specific requirements when you click the
Customize link at the bottom of the New Admin Profile window. This customizable
feature lets you present various graphical user interface configurations to fulfill different
administrator roles.
Click OK.
8 To view the CLI configuration for Administrative Users and Profiles, type the
following commands:
show system admin
show system accprofile
9 Test the new administrative access login. Log out of the current Web Config
session and log in again as cadmin (password: 123456).
Try to access areas which you have set to Read Only. For example, go to
System > Network > Interface. You will only be able to view data and not edit or
save.
The Trusted Host setting configured for admin1 and cadmin will only allow
access to PCs connected to the internal 192.168.1.0/24 subnet even if the
correct password is entered.
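The two admin-access controls exercised in these labs, the interface allowaccess list (which set replaces rather than extends, as noted in the CLI exercise above) and the administrator's trusted host, as an added Python example that is not part of the course material or any Fortinet tool. It parses a constructed sample in the edit/set layout of show system interface and show system admin output, builds the complete set allowaccess line needed to add a protocol, flags interfaces still accepting cleartext (HTTP, Telnet) logins, and checks whether a login would pass both controls; the sample values are constructed, not captured from a unit.

```python
import ipaddress
import re

# Constructed sample of FortiOS 4.0 "show" output (not captured from a real
# unit): the lab's interfaces after the allowaccess steps, plus the admin
# accounts with the trusted host used in the lab.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess https ping ssh
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping http https ssh snmp telnet
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "admin1"
        set trusthost1 192.168.1.0 255.255.255.0
        set accprofile "super_admin"
    next
end
"""

_EDIT = re.compile(r'^edit\s+"?([^"\s]+)"?$')
_SET = re.compile(r'^set\s+(\S+)\s+(.*)$')
CLEARTEXT = {"http", "telnet"}  # admin protocols that expose credentials on the wire


def parse_fortios_config(text):
    """Parse 'config X / edit Y / set K V / next / end' blocks into
    {section: {entry: {key: [values]}}}; quotes around values are dropped."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            tree.setdefault(section, {})
        elif section is not None and (m := _EDIT.match(line)):
            entry = m.group(1)
            tree[section].setdefault(entry, {})
        elif entry is not None and (m := _SET.match(line)):
            tree[section][entry][m.group(1)] = [v.strip('"') for v in m.group(2).split()]
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return tree


def allowaccess(tree, iface):
    """Protocols currently enabled for administrative access on an interface."""
    return set(tree.get("system interface", {}).get(iface, {}).get("allowaccess", []))


def allowaccess_command(tree, iface, add):
    """'set allowaccess' replaces the whole list, so the command that adds a
    protocol must repeat every protocol already enabled. Returns the CLI lines."""
    protocols = sorted(allowaccess(tree, iface) | set(add))
    return ["config system interface", f"edit {iface}",
            "set allowaccess " + " ".join(protocols), "next", "end"]


def cleartext_exposure(tree):
    """Interfaces that still accept HTTP or Telnet administrative logins."""
    found = {}
    for name in tree.get("system interface", {}):
        weak = sorted(allowaccess(tree, name) & CLEARTEXT)
        if weak:
            found[name] = weak
    return found


def trusted_hosts(tree, admin):
    """The admin's trusthostN entries as ip_network objects (empty = unrestricted)."""
    nets = []
    for key, val in tree.get("system admin", {}).get(admin, {}).items():
        if key.startswith("trusthost") and len(val) == 2:
            nets.append(ipaddress.ip_network(f"{val[0]}/{val[1]}", strict=False))
    return nets


def admin_login_allowed(tree, admin, iface, protocol, src_ip):
    """A login succeeds only if the interface allows the protocol AND the source
    falls inside one of the admin's trusted hosts (no trusthost = any source)."""
    if protocol not in allowaccess(tree, iface):
        return False
    nets = trusted_hosts(tree, admin)
    return not nets or any(ipaddress.ip_address(src_ip) in net for net in nets)
```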
Note: You can only complete this exercise if the FortiGate unit has already been
registered on the Fortinet Support web site (https://support.fortinet.com).
3 On the FortiGuard tab, expand Web Filtering and AntiSpam Options and edit
the following FortiGuard services settings:
Click Test Availability to establish connectivity between the FortiGate unit and
the FDN server.
Enabling FortiGuard Services and Updates
The display will update to show the FortiGuard Web Filtering and AntiSpam
subscription information. Ensure that the FortiGate unit has a valid subscription
before proceeding.
Note: By default, FortiGuard uses UDP/53, because this port is almost always open for
DNS traffic. If there is another IPS device on the network that is decoding DNS data on
port 53, the FortiGuard request/response may trigger an alert, as the data is encrypted.
Change to UDP/8888 for FortiGuard communication and ensure upstream devices
permit this traffic to pass.
4 Expand AntiVirus and IPS Options and click Update Now to force the FortiGate
unit to obtain the latest AV and IPS definitions. This action sends a request to
an FDN server. After 3 to 5 minutes, if properly entitled and depending on
Internet congestion, the FortiGate unit will receive and install updated
definitions.
Wait a few minutes and click the FortiGuard menu tab again and check for the
new updates. Today's date should appear next to the Update link for both AV
and IPS Definitions.
The AV and IPS signature databases can also be updated either individually or
together through the CLI using the following commands:
exec update-av    Update AV engine/definitions
exec update-ips   Update IPS engine/definitions
exec update-now   Update now
Note: Antivirus and IPS updates can also be set to be pushed automatically to the
FortiGate unit. To allow push updates, expand AntiVirus and IPS Options and enable
Allow Push Update and set the update schedule required, for example, every 4 hours.
Note: The update-now function is only for updating Antivirus and IPS definitions and
not for upgrading the system firmware!
5 View the CLI settings by entering the following commands in a CLI session:
show system autoupdate schedule
show system fortiguard
Compare the output with:
get system autoupdate schedule
get system fortiguard
Note: The defined FortiGuard autoupdate interval was set to 4 hours through Web
Config but the CLI (show system autoupdate schedule) shows 4:60. This means
that the additional minutes interval will be randomly picked from 0 to 59 minutes. This
helps to spread out the request load on the FortiGuard server. An exact hour and
minute interval can be set through the CLI as illustrated in this example:
userX # config system autoupdate schedule
(schedule) # set time ?
<hh:mm>    hour and minute (hh: 0-23, mm: 0-59 or 60=random)
(schedule) # set time 4:0
(schedule) # end
Verify the change with:
show system autoupdate schedule
6 Before proceeding to the next lab, perform a complete backup of the FortiGate
configuration.
Go to System > Maintenance. On the Backup & Restore tab, click Backup.
Save the backup to your PC with the following name:
Lab2_fgt_system.conf
Exploring Web Config Monitoring
In the System Resource History graph window, the time interval represented
by each horizontal grid square can be selected from the pull-down menu to the
right of Time Interval. The refresh rate of this window is automatically set to
1/20th of the time interval.
5 Session and content inspection statistics are shown in the Statistics pane.
Since there will have been little or no traffic through the FortiGate unit and no
content inspection configured, the Content Archive and Attack Log statistics
will be uninteresting at this time.
The Reset link in the top-right of the Statistics box will clear the current
statistics counts.
Content Archive
HTTP    0 URLs visited [Details]
HTTPS   0 URLs visited [Details]
Email   0 emails sent [Details]
        0 emails received
FTP     0 URLs visited
        0 files uploaded
        0 files downloaded
IM      0 file transfers
        0 chat sessions
        0 messages
Attack Log
AV      0 viruses caught [Details]
IPS     0 attacks detected [Details]
Spam    0 spams detected [Details]
Web     0 URLs blocked [Details]
DLP     0 Data loss detected [Details]
6 There will already be a number of sessions recorded by the FortiGate unit. The
Top Sessions pane is not displayed by default. Add it by clicking Add Content >
Top Sessions. Click the Details link to display more information about the
sessions.
Test the function of the various icons in this screen. There are icons for screen
refresh, page forward and back, column display filters, as well as clear
session.
Question: Can you identify the Web Admin sessions in the Session table display?
(Hint: Look for the TCP sessions from the PC IP address to the IP address of the
Internal interface of the FortiGate unit.)
Question: For what are the majority of port 53 sessions? (Hint: Remember that
FortiGuard Services are enabled.)
1 Go to Log&Report > Log Config. From the Log Setting tab, expand Remote
Logging and enable FortiAnalyzer.
Apply the following settings:
For initial testing purposes, the log level is set to the lowest and most verbose
level, Information. In real deployments, the level would more likely be set to
Warning or Notification.
Automatic discovery of a FortiAnalyzer unit with FortiDiscovery Protocol (FDP)
is only applicable when the FortiGate unit and the FortiAnalyzer unit are on the
same broadcast domain (subnet). This would be a rare situation in an actual
network but appropriate for a FortiGate 5000 chassis when a FortiAnalyzer
blade is used.
2 While still on the Log Settings tab, enable and expand the Memory option and
verify that the Minimum log level is set to Information.
Click Apply.
3 In the Remote Logging section, click Test Connectivity to register with the
FortiAnalyzer device. A pop-up window displays to indicate a successful
connection and registration process.
The FortiAnalyzer unit being used is configured to automatically accept and
register all new FortiGate device connections. Alternate settings are to register
only (and ignore logging messages) or ignore (manual registration).
In an actual scenario, there would be additional configuration required at the
FortiAnalyzer end to permit the necessary connection for manual device
registration.
Click Close to exit from the FortiAnalyzer Connection Summary window.
4 On the Event Log tab, click Enable and select all events.
Click Apply to save the changes.
You can display the CLI settings for the logging destinations with the following
commands:
get log <destination> setting
get log <destination> filter
Substitute fortianalyzer or memory for the destination above.
Note: There are different logging capabilities, depending on the destination. The
keywords may also differ.
5 Test the logging setup with some simulated log messages sent to the logging
destinations using the following CLI command:
diagnose log test
6 Go to Log&Report > Log Access. On the Memory tab, select the Log Type pull-
down menu to view the different log message types. Select each log type one
at a time and check the Memory tab for the test messages.
Exploring the FortiAnalyzer Interface
Alert emails can be sent based on selected event categories or simply on a log
message threshold level. If a threshold level is used, the CLI contains
additional interval hold-off timers for log levels above the selected threshold
level.
Check the following CLI commands for the Alert E-mail configuration:
show system alertemail
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is
reached, it combines the messages and sends out one alert email.
1 Go to System > Config. On the SNMP v1/v2c tab, enable SNMP Agent. Enter a
description and location. For contact, use your online email address. Click
Apply to save the changes.
2 Click Create New to add a new community called 201 training. Accept the
default settings and click OK.
• SNMP connections can be restricted to certain IP addresses with the Hosts
setting.
• Either SNMP v1 or v2c queries and traps can be enabled separately with
default or customized ports.
• SNMP trap selection can be selected.
3 Enable SNMP access on the interfaces facing the network management
station by typing the following commands in the CLI:
config system interface
edit internal
set allowaccess ping http https ssh snmp
next
end
4 View the CLI configuration for the SNMP settings:
show (full-configuration) system snmp sysinfo
show (full-configuration) system snmp community 1
Note that the CPU, memory, and hard-disk trap thresholds can be set in the
CLI.
5 Locate the FortiGate MIB and Trap file and open the MIB file with a simple text
editor to view the contents.
Note: The FortiGate MIB file is available from the Fortinet Technical Support web site
at https://support.fortinet.com. A registered login ID is required for access.
Use of a SNMP MIB view application is beyond the scope of this course. If one
is available and configured, try to access the FortiGate unit with SNMP and
view some MIB objects. You must enable SNMP administrative access on the
FortiGate interface.
The following applications can be downloaded for testing purposes:
Getif (http://www.wtcs.org/snmp4tpc/getif.htm)
You will use these parameter objects when you create firewall policies to restrict
the source address to the Internal subnet and the traffic types to HTTP, HTTPS,
and DNS. You will configure a recurring schedule that enables a firewall policy
only during standard office hours.
Content Inspection will be configured in a protection profile. In this lab, the std-pp
protection profile will be used as a placeholder. In subsequent labs, the protection
profile will be expanded to suit other scenarios.
Creating Firewall Policy Objects
Click OK to save.
2 Perform the step below to create a new service group. Service groups can be
used to simplify the firewall policy creation process.
Go to Firewall > Service. On the Group tab, click Create New and add a group
called web with the services shown below.
To select the services for the web group, use the arrows (→ or ←) to move
them between the Available Services and Members lists:
Note: By default, SOHO models provide a DNS forwarding server on the Internal
interface. You can view the DNS forwarder configuration in System > Network >
Options.
Name office_hours
Day Monday to Friday
Start Hour: 08
Minute: 00
Stop Hour: 20
Minute: 00
Click OK.
Note: When using schedules, make sure that the system time is at the correct local
setting. From the CLI type the exec time command or click System > Status in Web
4 In this step you will create a new protection profile called std-pp for the
standard department access policies. This will be a placeholder for now; you
will create the new policy but will not modify the settings until a later lab.
Go to Firewall > Protection Profile. On the Protection Profile tab, click Create
New and enter std-pp as the profile name. Type an optional descriptive
comment and click OK.
5 To see the CLI configuration for previous steps, type the following CLI
commands:
Configuring Firewall Policies
Note: It is useful to keep the default internal→wan1 policy available for testing
purposes since it will allow all traffic types from any address to any address to pass
through the FortiGate device.
3 Create a new firewall policy that will be used to provide general Internet
access.
On the Policy tab, click Create New and configure the following settings:
Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of support-dept | all | office_hours | web | support-pp | ACCEPT.
6 Create a policy allowing Internet access during a specific time period using the
settings below:
Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of support-dept | all | lunch_time | web | std-pp | ACCEPT.
7 Use the Move To icon to insert this new internal→wan1 policy above the
previous policy that was created for office hours web access (support-dept |
all | office_hours | web | support-pp | ACCEPT).
The firewall policy ordering should appear as follows:
[Screenshot: internal→wan1 policy list]
8 View the CLI configuration for the firewall policies created above:
show firewall policy
View the CLI configuration for a single firewall policy:
show firewall policy <ID>
Obtain the ID number of the policy from the show firewall policy output
used above.
Testing Firewall Policies
1 In Web Config, create new DENY firewall policies that will be used to monitor
illegal traffic.
Go to Firewall > Policy. On the Policy tab, click Create New. Use the following
settings:
Source Interface / Zone: internal
Source Address Name: all
Destination Interface / Zone: wan1
Destination Address Name: all
Schedule: always
Service: ANY
Action: DENY
Log Violation Traffic: Enable
Comment: Monitor illegal traffic
Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of all | all | always | ANY | | DENY.
Ensure that the DENY policy appears at the bottom of the internal→wan1
policy list.
Note: A firewall policy with traffic logging enabled for ANY (unrestricted) service types
must be used with caution as a significant number of logging messages can be
generated which can impose an unexpected processing load on the FortiGate unit. This
may in turn affect overall throughput and performance of the FortiGate device. Only use
this type of policy for auditing purposes for limited periods of time.
Note: Be mindful of testing the firewall policy schedule outside of the specified hours.
6 Check the traffic log at Log&Report > Log Access. Select the Remote tab and
set Log Type to Traffic Log to see evidence of the FortiGate action.
Look for 8080/TCP sessions with Sent and Received bytes equal to 0.
7 Click Column Settings. Add the Detailed Information column and note the
subtype, policyid, and status fields in the log messages.
Configuring Virtual IP Access
Name special-web
External Interface internal
Type Static NAT
External IP Address 192.168.1.209
Mapped IP Address 208.70.202.225 (for example)
Port Forwarding Enable
Protocol TCP
External Service Port 8088
Map to Port 80
Service setting.
Click OK.
This new internal→wan1 policy will be identified on the Policy tab as all-dept |
special-web | office_hours | ANY | support-pp | ACCEPT.
4 Position this policy at the top of the internal→wan1 list as it has a narrower
scope compared to the other policies.
Note: This guest PC would need to be further secured by limiting the user
access to only the web browser and removing administrative access and the
ability to run other programs. These additional measures are operating-system
dependent.
Debug Flow
1 From the CLI, execute the command diag sys session clear. If you are
connecting using SSH or Telnet, you will be required to log in again.
2 Execute the CLI commands shown below to configure the Debug Flow to trace
the route selection and session establishment for an HTTP connection to
www.fortinet.com. Use nslookup to confirm the address for
www.fortinet.com.
3 From a web browser connect to http://www.fortinet.com. Observe the
Debug Flow trace. Depending on the FortiGate model being used, the output
displayed may vary slightly.
Matched firewall policy. Check to see which policy this session matches.
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
ACK received.
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
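Reading a Debug Flow trace by hand gets tedious once more than one session is in flight, so here is an added Python example (not from the course or from Fortinet) that parses the key=value line format shown above, pulls the protocol and 5-tuple out of the "received a packet" message, groups lines by trace_id, and reports each flow's verdict and matched policy. The trace lines are constructed for this example in the format above, reusing the lab's addresses; the denied flow and the session-allocation line are made up here.

```python
import re

# Constructed trace lines in the Debug Flow format shown above (not captured
# from a real unit). Addresses reuse the ones in the lab output; the denied
# flow and the session-allocation line are made up here for illustration.
SAMPLE_TRACE = """\
id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
id=20085 trace_id=211 func=resolve_ip_tuple line=2880 msg="allocate a new session-0000012a"
id=20085 trace_id=211 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1488->203.160.224.97:8080) from port5."
id=20085 trace_id=212 func=fw_forward_handler line=326 msg="Denied by forward policy check"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TUPLE = re.compile(r'proto=(\d+),\s*([\d.]+):(\d+)->([\d.]+):(\d+)\)\s*from\s+(\w+)')
_POLICY = re.compile(r'Allowed by Policy-(\d+)')


def parse_trace_line(line):
    """Split one 'key=value key="quoted value"' trace line into a dict."""
    fields = {}
    for key, val in _KV.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def packet_tuple(msg):
    """Extract proto and the 5-tuple from a 'received a packet(...)' message."""
    m = _TUPLE.search(msg)
    if not m:
        return None
    proto, sip, sport, dip, dport, iface = m.groups()
    return {"proto": int(proto), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "in_iface": iface}


def summarize_flows(text):
    """Group trace lines by trace_id and record, per flow, the packet tuple,
    the matched policy (when allowed), the verdict and the functions seen."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_trace_line(line)
        flow = flows.setdefault(f["trace_id"], {"tuple": None, "policy": None,
                                                "verdict": "unknown", "events": []})
        flow["events"].append(f.get("func", "?"))
        msg = f.get("msg", "")
        if (t := packet_tuple(msg)):
            flow["tuple"] = t
        if (m := _POLICY.search(msg)):
            flow["policy"] = int(m.group(1))
            flow["verdict"] = "allowed"
        elif msg.startswith("Denied"):
            flow["verdict"] = "denied"
    return flows


def denied_flows(text):
    """'src:sport->dst:dport' for every flow the trace shows being denied."""
    out = []
    for flow in summarize_flows(text).values():
        t = flow["tuple"]
        if flow["verdict"] == "denied" and t:
            out.append(f"{t['src']}:{t['sport']}->{t['dst']}:{t['dport']}")
    return out
```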
In this exercise, you will configure an SSL VPN to allow both web portal access
and tunnel mode access to public web sites. You will create an SSL VPN on the
internal network interface and configure policies to allow traffic to the Internet from
the SSL VPN gateway.
Configuring SSL VPN for Full Access (Web Portal and Tunnel Mode)
3 Create a new user group and include the new local user in it. Go to User >
User Group and click Create New. Configure the following settings:
Name sslvpn
Type SSL VPN
Members testssl
Portal full-access
Click OK.
4 Create a new firewall policy to allow access to the SSL VPN and authenticate
the user. Go to Firewall > Policy. Click Create New and configure the following
settings:
6 Click OK.
This new internal→wan1 policy will be identified on the Policy tab with the
values of all | all | always | ANY | | SSL-VPN.
7 Move this policy to the top of the internal→wan1 policy list.
9 When prompted, log in as the testssl user with the password 123456. On
successful authentication you are logged in to the SSL web portal.
Creating Bookmarks
10 On the portal page, create a new bookmark to a public site on the Internet.
Click the Add button to add the following bookmark:
Name Fortinet
Type HTTP/HTTPS
Location http://www.fortinet.com
Description Optional
Click OK.
11 Click the newly created bookmark in the Bookmarks widget. A new window
displays the selected web site.
Note the URL of the web site in the web browser address bar:
https://192.168.1.99:10443/proxy/http/www.fortinet.com
The first part of the address, https://192.168.1.99:10443, is the
encrypted link to the FortiGate SSL VPN gateway.
The second part of the address, /proxy/http, is the instruction to use the
SSL VPN HTTP proxy.
The final part of the address, /www.fortinet.com, is the destination of the
connection from the HTTP proxy.
In this example, the connection is encrypted up to the SSL VPN gateway. The
connection to the final destination from the HTTP proxy is unencrypted.
13 If this is the first time the SSL VPN tunnel is being used on the PC, install the
plug-in for the browser. Click the link that appears in the Tunnel Mode widget.
Make sure that the SSL VPN gateway address, https://192.168.1.99, is
listed in the web browser as a trusted site for the installation of the plug-in.
14 Click the Connect button. When the tunnel is active, the local interface fortissl
will be listed as UP. Look again at the routing table through the DOS prompt
and note that the default gateway is now 172.16.1.1, which is the local
tunnel endpoint. Because split tunnelling is not enabled, a default route is
displayed for the tunnel interface.
TCP SYN packets should be observed incoming to the ssl.root interface. The
ssl.root interface represents the clients from the SSL VPN tunnel. To allow
these packets, this session must be accepted by creating a policy from the
ssl.root interface to the wan1 interface. We also need to define a route back to
the SSL VPN client, both for the RPF check and for new session establishment.
18 Log out of the SSL VPN by clicking Logout in the upper right corner of the
window.
19 Create a static route for the SSL VPN tunnel client IP. Go to Router > Static >
Static Route and click Create New. Configure the following settings:
Destination IP/Mask 172.16.1.0/24
Device ssl.root
Leave the remaining default settings and click OK.
20 Create a new firewall policy from the ssl.root interface, this time using a regular
Accept action.
Click OK.
This new ssl.root→wan1 policy will be identified on the Policy tab with the
values of all / all / always / ANY / / ACCEPT.
21 Log back into the SSL VPN gateway and activate the SSL VPN tunnel by
clicking Connect. From the DOS prompt, confirm that the default route is now
the tunnel endpoint (172.16.1.1).
22 Connect directly to www.fortiguardcenter.com through the web browser
once again. The connection should be successful.
23 Run the packet sniffer command again to verify that the traffic from the ssl.root
interface is now permitted.
24 Before continuing, disable the two policies created in this exercise:
• internal→wan1: all / all / always / ANY / / SSL-VPN
• ssl.root→wan1: all / all / always / ANY / / ACCEPT
Configuring a Basic Gateway-to-Gateway VPN
Click OK.
3 Click Create New again and create a second address object as follows:
Name site2site_p1
Remote Gateway Static IP Address
IP Address 209.87.230.135
Local Interface wan1
Mode Aggressive
Authentication Method Preshared Key
Preshared Key 123456
All Other Settings default
Click Advanced and check Enable IPsec Interface Mode. Click OK.
Name site2site_p2
Phase 1 site2site_p1
Click Advanced and set the following under Quick Mode Selector.
Source Interface/Zone internal
Source Address internal_subnet
Destination Interface/Zone site2site_p1
Destination Address remote_subnet
Service ANY
Action Accept
NAT enable
Protection Profile support-pp
Click OK.
This new internal→site2site policy will be identified on the Policy tab with the
values of internal_subnet / remote_subnet / always / ANY / support-pp /
ENCRYPT.
9 Create another policy with these settings:
Source Interface/Zone site2site_p1
Source Address remote_subnet
Destination Interface/Zone internal
Destination Address internal_subnet
Service ANY
Action Accept
NAT enable
Protection Profile support-pp
Click OK.
To disable debugging once this exercise is complete, type the following CLI
command:
diag debug app ike 0
LESSON 6
Authentication
Firewall Policy Authentication
Lab 6 Authentication
Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Firewall Policy Authentication
• Exercise 2 Adding User Disclaimers and Redirecting URLs
1 In Web Config, go to User > Local. On the Local tab, click Create New. Enter
the User Name test with the Password 123456 for the authorized user.
Click OK.
2 Create a user group that includes the authorized user.
Go to User > User Group. On the User Group tab, click Create New and create
a group with the following settings:
Name night-access
Type Firewall
Members Select test from the Available Users/Groups list and use the right
arrow to move it to the Members list.
Configure the new policy with the following settings. Remember to click Add
to enable settings in the New Authentication Rule window.
Click OK.
This new internal→wan1 policy is identified on the Policy tab with the values
of all-dept / all / always / web / std-pp / ACCEPT.
Note: As an alternative, arrange the policy position using the move icon to specify its
position before or after another policy.
4 Next, enable Authentication Keepalive for the web traffic firewall policies using
the following CLI commands:
config system global
    set auth-keepalive enable
end
Note: Authentication Keepalive extends the time of the session when traffic is
present. In this mode, it acts as an idle timer rather than a hard timeout.
Note: Be mindful of testing the firewall policy schedule outside of the specified hours.
The first login prompt that appears is from the FortiGate unit and is required for
firewall authentication. Enter the username test and the password 123456.
Once successfully authenticated, reconnect to the same FTP server and this
time, log in as anonymous since authentication to the FTP server has already
been completed.
sessions. The idle timeout for authenticated sessions is the system global AUTH
timeout (System > Admin > Settings).
1 In Web Config go to Firewall > Policy. Re-enable and edit the internal→wan1
office hours web policy (all-dept / all / office_hours / web / std-pp / ACCEPT)
and modify the following settings:
Click OK.
2 Clear all authenticated sessions using the following CLI command:
diagnose firewall iprope reset auth
3 In a new web browser window, access a web site. When the first user
disclaimer message appears, click Yes, I agree.
An authentication keep-alive page opens . Click the new window link. This
directs you to the redirect URL specified in the firewall policy created in Step 1,
http://192.168.3.1/test.html.
4 In Web Config, go to System > Config. On the Replacement Messages tab,
expand Authentication and click Edit to modify the Disclaimer Page. Replace
the text the network access provider with your name.
You can also change the Declined disclaimer page message.
Click OK.
5 Go to Firewall > Policy and edit the internal→wan1 web access policy
(all-dept / all / always / web / / ACCEPT) to enable the User Authentication
Disclaimer.
6 Disable the policy you created in step 1.
7 Clear the authenticated sessions before each test with the following CLI
command:
diagnose firewall iprope reset auth
8 When prompted by the authentication login page, log in as the user test with
the password 123456.
An authentication keep-alive page opens. Click the new window link. This
directs you to the redirect URL specified in the firewall policy created in Step 1,
http://192.168.3.1/test.html.
9 Browse to a web page and make sure that authentication is required for the
disclaimer and the optional redirect URL.
10 Re-enable the policy you created in step 1.
Note: When the system global auth-keepalive is enabled, the end user will
always see the keepalive window displayed.
11 Examine the following CLI commands for the Users, User Groups, and for one
of the authentication firewall policies:
show user local
show user group
show firewall policy <id>
Configuring Global Antivirus Settings
FDN Updates
1 Confirm that the FortiGate AntiVirus Engine and Definition versions are up-to-
date. Go to the Fortinet FortiGuard Center web page at the following URL:
www.fortiguardcenter.com
Click the Antivirus link located under FortiGuard Services and view the Current
AV Database version shown in the Update Center area. Note the current
update version.
2 From Web Config, go to System > Maintenance. Click the FortiGuard tab to
view the AV version information for the FortiGate Device.
You can also access this information from the License Information pane on the
System Dashboard by clicking System > Status.
The equivalent CLI commands are:
get system status
diagnose autoupdate versions
3 If required, update the AV definition versions.
Go to System > Maintenance. On the FortiGuard tab, expand Antivirus and
IPS Options. Click Update Now.
Note: The update may take several minutes to complete so in the meantime, continue
with the lab.
Use the equivalent CLI commands to invoke an FDN check and AV/IPS
update:
exec update-av
exec update-now
File Pattern
To help slow the spread of viruses and keep unauthorized program
applications from being installed, in the classroom scenario all *.exe files will
be blocked from being downloaded from the web or an FTP site, as well as from
email attachments.
4 In Web Config, go to UTM > AntiVirus. On the File Filter tab, click Edit
for builtin-patterns. Expand File Patterns and enable blocking for the *.exe
file pattern.
Click OK.
Grayware Scanning
Scanning for malicious grayware-type installers is turned off in factory-default
settings.
5 Go to UTM > AntiVirus > Grayware tab. Enable all category groups.
Note: When you enable any Grayware category, the change is applied immediately
and the interface refreshes.
Quarantine
File quarantine is available if the FortiGate unit model has an internal hard disk or
if a FortiAnalyzer device is available.
7 Go to UTM > AntiVirus > Config. In the Quarantine Configuration window,
make sure the FortiAnalyzer is enabled.
8 Configure the quarantine settings as follows:
Click Apply.
Replacement Messages
Replacement messages are substituted for the infected file when the FortiGate
antivirus engine detects a virus.
9 Go to System > Config. On the Replacement Messages tab, expand HTTP,
then FTP. Click Edit to view the default virus and file block messages for
HTTP and FTP.
Alternately, display the same Replacement Messages in the CLI with the
following commands:
show system replacemsg http [http-virus/http-block/...]
show system replacemsg ftp [ftp-dl-infected/ftp-dl-blocked/...]
Note: Some replacement messages are stored in raw HTML code. Make sure that the
correct syntax is used and preserve the existing HTML tags. An external HTML editor
can be used to create the replacement message and then copy and paste the resulting
HTML code into the FortiGate Replacement Message configuration.
Configuring a Protection Profile
In this exercise, you will configure the std-pp protection profile to:
• Enable antivirus scanning of all supported protocols with file quarantine to
capture samples of the infected files.
• Enable file pattern blocking to prevent certain file types from being
downloaded or emailed.
• Prevent email fragmentation, as this opens a vulnerability for entry of
infected email attachments.
• Enable client comforting to prevent client time-outs due to the slow Internet
connection in combination with the buffering by the FortiGate antivirus
scanner.
• Enable Oversize file blocking to block large downloaded files that cannot be
scanned and to impose a size limit on email attachments to ease the load
on the mail server.
• Use replacement messages for FTP and SMTP.
2 Expand the Data Leak Prevention Sensor options and configure the following
settings:
3 Expand the Logging options. Enable logging for all antivirus events for firewall
policies using the std-pp protection profile by setting the following:
Viruses enable
Blocked Files enable
Oversize Files/Emails enable
Click OK.
4 Repeat the steps to make the same changes to the support-pp profile.
5 To permit the use of replacement messages for FTP, you must disable the
splicing function. You can only do this through the CLI.
Type the following command and note the separate commands per protocol:
show firewall profile std-pp
Type the following command to modify the FTP settings, omitting splice from the
set parameters:
config firewall profile
    edit std-pp
        set ftp block clientcomfort oversize quarantine scan
end
Testing Protection Profile Settings for HTTP/FTP AV Scanning
Virus Scan
1 In a web browser, type the following address:
http://192.168.3.1
2 On the sample page displayed, click the AV tab. Click the Virus Samples link
and click the following files to attempt to download them:
• Adware/BDsr/bdsrhook.dl_
• Spyware/Iwon/i1srchas.dl_
• Toolbar/SBsoft.G/webdlg32.dl_
These files are not real viruses but they will trigger a virus or grayware
signature and will be stopped by the FortiGate unit.
Check that the HTTP Virus replacement message displays when the files that
are infected or blocked have been quarantined. In the message that is
displayed, there is a link to the Fortinet Virus Encyclopedia that provides
information about the detected virus.
3 Go to UTM > AntiVirus > Quarantine Files tab. The files that have been
quarantined are listed.
Note: There may be policies in place from previous exercises that could allow the files
to be downloaded. If the above steps do not work, go to the firewall policies and ensure
that the following policies are disabled:
all-dept / special-web / office_hours / ANY / support-pp / ACCEPT
and
all / all / always / ANY / / ACCEPT
The virus sample is detected over FTP and a custom replacement message is
displayed.
Note: If you use Windows Explorer as an FTP client to copy a virus sample from the
class FTP server, the result will be an empty file of the same name. Right-click the
copied file to view its properties and check the file size. Windows Explorer created a
file with the name of the target file but with a size of 0 bytes because the actual file
transfer was blocked by the FortiGate unit.
6 Click the AV tab. Select Virus Samples and click Eicar_test_file. Try to
download the following EICAR samples:
• eicar.exe
• eicar1.exe.gz
• eicar1.exe.zip
• eicar2.exe.zip
• eicar3.exe.bz2
The HTTP File Block replacement message should display for the eicar.exe
file because all *. exe files are blocked with File Pattern Block.
The file eicar2.exe.zip will pass because it is password protected and the AV
engine cannot open the file.
Note: Even if a compressed file is password protected and cannot be opened, the AV
engine can still check the file checksums in the compression header against the worm
checksums in the signature file.
File Pattern
7 Go to UTM > AntiVirus > File Filter tab. Click Edit for the builtin-
patterns list.
Click Create New, set Filter type to File Name Pattern, and enter eicar.exe as
the Pattern. Select Allow from the Action drop-down list and verify that
Enable is selected. Click OK.
8 Expand File Patterns and use the Move To icon to change the order in the list
so eicar.exe is above the existing *.exe entry. Click OK.
9 From the browser, access the Virus Samples again and try to download the
eicar.exe file.
Note: Even though a file is permitted with file pattern matching, it will still be AV
scanned to detect a virus.
File Oversize
10 In a web browser, type the following address:
http://192.168.3.1/files
11 Attempt to download the file called big.file.
An HTTP File Oversize replacement message will display.
12 Download big.file.zip.
This file download should be successful.
Question: Was this file scanned?
Answer: The big.file.zip file is smaller than the oversize limit. When the file is
extracted, however, it is greater than the uncompressed size limit so the file is
passed unscanned.
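An added example, not from the course, that models the order of checks observed in steps 6 to 12: the file pattern list is evaluated first-match (so the eicar.exe allow entry placed above *.exe matters), then the oversize limit, then the uncompressed size limit that lets big.file.zip through unscanned. The size limits, the file names and the sample archives are constructed; an allow pattern still leads to a scan, as the note under step 9 says.

```python
import fnmatch
import gzip
import io
import struct
import zipfile

# File pattern list in the order the lab leaves it after step 8: the eicar.exe
# allow entry sits above the *.exe block entry, and the first match wins.
FILE_PATTERNS = [
    {"pattern": "eicar.exe", "action": "allow", "enable": True},
    {"pattern": "*.exe", "action": "block", "enable": True},
]
# Constructed limits; the lab's real values live in the protection profile.
OVERSIZE_LIMIT = 10 * 1024         # bytes of the file as transferred
UNCOMPRESSED_LIMIT = 50 * 1024     # bytes after extraction


def file_pattern_action(filename, patterns):
    """Action of the first enabled pattern matching the file name, else None."""
    for entry in patterns:
        if entry["enable"] and fnmatch.fnmatch(filename.lower(), entry["pattern"].lower()):
            return entry["action"]
    return None


def uncompressed_size(filename, data):
    """Size of the content after extraction, read from the archive headers;
    None when the archive cannot be read at all."""
    name = filename.lower()
    try:
        if name.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return sum(info.file_size for info in zf.infolist())
        if name.endswith(".gz"):
            return struct.unpack("<I", data[-4:])[0]   # gzip ISIZE trailer field
    except (zipfile.BadZipFile, struct.error):
        return None
    return len(data)


def av_decision(filename, data, patterns=FILE_PATTERNS,
                oversize_limit=OVERSIZE_LIMIT, uncompressed_limit=UNCOMPRESSED_LIMIT):
    """Order of checks as the lab observes them: file pattern block, then
    oversize, then the uncompressed size limit; anything else is scanned
    (an allow pattern does not skip the scan)."""
    if file_pattern_action(filename, patterns) == "block":
        return "blocked: file pattern"
    if len(data) > oversize_limit:
        return "blocked: oversize"
    size = uncompressed_size(filename, data)
    if size is not None and size > uncompressed_limit:
        return "passed unscanned: uncompressed size limit"
    return "scanned"


def make_zip(member_name, payload):
    """Build an in-memory deflated zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples standing in for big.file and big.file.zip from the lab.
BIG_FILE = b"\0" * (UNCOMPRESSED_LIMIT + 1024)   # larger than both limits
BIG_FILE_ZIP = make_zip("big.file", BIG_FILE)    # tiny on the wire, large once extracted
BIG_FILE_GZ = gzip.compress(BIG_FILE)

if __name__ == "__main__":
    for name, data in [("setup.exe", b"MZ"), ("eicar.exe", b"constructed sample"),
                       ("big.file", BIG_FILE), ("big.file.zip", BIG_FILE_ZIP)]:
        print(name, "->", av_decision(name, data))
```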
Note: The content archive messages are actually from the FortiAnalyzer log.
There is a hidden connection between the FortiGate unit and the FortiAnalyzer
device.
17 Check the email account for alert messages from the class mail server.
Several email alerts generated by virus detections in the previous steps should
be received. Compare the text of the alert emails with the log messages
viewed previously.
Quarantine
Now that AV scanning has been tested, check the quarantined file display.
18 Go to UTM > AntiVirus > Quarantine Files tab. View the list of quarantined files.
19 Connect to the FortiAnalyzer device by typing the following address in a web
browser:
http://209.87.230.134
Log in with the username student and the password fortinet.
20 Go to Quarantine > Repository.
Select the device name from the Show pull-down menu to only show files from
the FortiGate unit. Set the Timeframe to last 1 day.
Download one of the quarantined files from the FortiAnalyzer device by
selecting a file and clicking the download icon.
Question: Why was the download blocked by the FortiGate unit?
Answer: The HTTP session to the FortiAnalyzer from the PC is still being
scanned by the FortiGate so the download attempt of the virus sample from the
FortiAnalyzer quarantine repository is detected and blocked.
21 Re-connect to the FortiAnalyzer using HTTPS by typing the following address
in a web browser:
https://209.87.230.134
22 Try to download a quarantined file from the quarantine repository. Note that the
file has been downloaded.
23 Go to Quarantine > Repository. Delete the sample from quarantine after
downloading it by clicking Delete in the Repository list.
Leave script filters such as ActiveX, Cookie, and Java Applet disabled.
2 Expand Logging and enable the following Web Filtering messages:
Content Block enable
URL Filter enable
Configuring Local Web URL and Content Filtering
4 Under the Comments box, click Create New and set the following:
URL ^.*$
Type Regex
Action Block
Enable enable
Note: ^.*$ means "at the beginning of the line" (^) match any single character (.)
repeated any number of times (*) until the end of the line ($). There are many
references on the web for Regular Expressions or Perl compatible regular expressions,
for example, http://perldoc.perl.org or http://www.regexlib.com/CheatSheet.aspx.
Click OK.
5 Go to Firewall > Protection Profile. Edit the support-pp profile and expand
Web Filtering.
Select the new URL-list filter from the drop-down list.
Click OK.
6 Go to Firewall > Policy. On the Policy tab, ensure that the internal→wan1 web
policy all-dept / all / office_hours / web / std-pp / ACCEPT is enabled. Click
Edit and set the following:
Click OK.
Place this policy at the top of the internal→wan1 list.
7 Open a new web browser window and test that all websites are now blocked.
The HTTP URL block replacement message is displayed.
Note: Web browser caching may interfere with web filtering. If the web site is not
blocked, clear the cache in the web browser and try again.
11 Connect to the www.fortinet.com web page.
12 From the www.fortinet.com web page, pick three words to add to a Web
Content Block List. Identify the phrase in which one of the words occurs.
Note: Ensure that the words you select do not appear as part of the graphics or flash
movies on this web page. For example, you can choose technology, program, or partner.
Word 1
Word2
Word3
Phrase
13 Go to UTM > Web Filter > Web Content Block tab. Click Create New. Enter the
name content-list for the new web content block list and click OK.
On the Web Content Block tab, click Create New and add Word 1 to the
content block list as follows:
Click OK.
14 Go to Firewall > Protection Profile and edit the support-pp profile. Expand
Web Filtering and verify that Web Content Block for HTTP is enabled.
Select content-list from the drop-down list and set the Threshold to 5.
Click OK to save the changes.
15 Reload the www.fortinet.com web page to test that this page is blocked
and that the banned word block replacement message is displayed.
If the page appears, empty the cache on the browser and try again.
16 Go to Log&Report > Log Access. On the Memory tab, set Log Type to Web
Filter Log. Check the log messages for the web content block and note the
banned word that appears in the parentheses of the log message, for example,
(security).
17 Go to UTM > Web Filter > Web Content Block tab. Click Edit for
content-list and disable the Word 1 pattern before continuing.
Pattern Type Regular Expression
Language Western
Score 5
Enable Checked
19 Clear the cache in the web browser and reload the www.fortinet.com web
page to test that the page is blocked and the replacement message is
displayed. View the log messages again to determine which banned word
caused the web content block event.
20 Go to UTM > Web Filter > Web Content Exempt tab. Click Create New and
create a new exempt list named content-exempt.
On the Web Content Exempt tab, click Create New to add the phrase chosen
earlier as a wildcard pattern type and enable it.
Click OK.
21 Go to Firewall > Protection Profile. Edit the support-pp profile and edit the
Web Filtering settings. Enable HTTP and select content-exempt from the
drop-down list.
Click OK.
22 Test the access to www.fortinet.com.
Note: A URL cache replacement message may be displayed because of a side-effect
of the Comfort Client feature. To clear the URL cache, add a random letter (a to z) or
number (0 to 9) to the end of the URL in the browser address bar to get a "404" page
not found error. Then correct the URL and press CTRL-R to reload the browser.
You should now be able to access the web page because of the exempt phrase.
23 Add Word 3 to the web content block list with a score of 5 and test. The page
should still pass. Even if the threshold has been reached the page is passed
because the exempt phrase is tested first.
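An added example, not from the course, that models the web URL filter entry from step 4 (the ^.*$ regex) and the content block scoring from steps 13 to 23: the exempt list is tested before any scores are added, and the block decision uses the score 5 / threshold 5 values set in the lab. The page text is constructed, and counting each pattern's score once per page is an assumption.

```python
import re

# Constructed stand-in for the www.fortinet.com page text used in the lab.
SAMPLE_PAGE = """Our technology partners deliver a security program for every network.
Technology partners join the program to support customers worldwide."""

# Web content block list (UTM > Web Filter > Web Content Block), as set in
# steps 13 and 18: pattern, pattern type, score, enable flag.
CONTENT_LIST = [
    {"pattern": "technology", "type": "regex", "score": 5, "enable": True},   # Word 1
    {"pattern": "program", "type": "wildcard", "score": 5, "enable": True},   # Word 2
]
# Web content exempt list (step 20): the phrase in which Word 1 occurs.
EXEMPT_LIST = [{"pattern": "technology partners", "type": "wildcard", "enable": True}]
THRESHOLD = 5  # protection profile Web Content Block threshold (step 14)

# Web URL filter entry from step 4: the regex ^.*$ matches every URL.
URL_FILTER = [{"url": "^.*$", "type": "regex", "action": "block", "enable": True}]


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern (* = any run, ? = one character) into a regex."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


def compile_entry(entry):
    """Compile a block or exempt entry; matching is case-insensitive."""
    if entry["type"] == "regex":
        return re.compile(entry["pattern"], re.IGNORECASE)
    return re.compile(wildcard_to_regex(entry["pattern"]), re.IGNORECASE)


def url_filter_action(url, entries):
    """Action of the first enabled URL filter entry that matches (None if none)."""
    for entry in entries:
        if not entry["enable"]:
            continue
        pattern = entry["url"] if entry["type"] == "regex" else wildcard_to_regex(entry["url"])
        if re.search(pattern, url):
            return entry["action"]
    return None


def content_filter_decision(page_text, content_list, exempt_list, threshold):
    """Return ('pass' or 'block', score). The exempt list is tested first: a
    match passes the page whatever the score, which is what step 23 shows.
    Assumption: each pattern's score is counted once per page."""
    for entry in exempt_list:
        if entry["enable"] and compile_entry(entry).search(page_text):
            return "pass", 0
    score = sum(entry["score"] for entry in content_list
                if entry["enable"] and compile_entry(entry).search(page_text))
    return ("block" if score >= threshold else "pass"), score


if __name__ == "__main__":
    print(url_filter_action("http://www.fortinet.com/", URL_FILTER))
    print(content_filter_decision(SAMPLE_PAGE, CONTENT_LIST, [], THRESHOLD))
    print(content_filter_decision(SAMPLE_PAGE, CONTENT_LIST, EXEMPT_LIST, THRESHOLD))
```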
Testing Web Category Filtering
Note: Clicking the link next to To have the rating of this web page re-evaluated will
redirect you to a URL Rating Request website.
Local Categories
7 Go to UTM > Web Filter. On the Local Categories tab, add a new local
category called Local-1 and click Add.
8 On the Local Ratings tab, click Create New to create new website entries for
some of the web sites visited previously that were blocked .
Enter the URL. Expand Local Categories in the Category Rating table and
enable the rating box for Local-1.
Click OK.
9 Go to Firewall > Protection Profile. Edit the std-pp protection profile and
expand Web Filtering. Expand Local Categories in the category table. Enable
the Local-1 category and set to Allow. Enable Log.
Click OK to save the changes.
10 Try to visit the URLs that are now in the local category. Verify that other web
sites not found in the local category are still blocked.
Note: Some parts of an allowed web page may be blocked if off-site URLs are used
that are not in the allowed category.
Important: Disable all other URL filter entries except for this new entry.
Click OK.
12 Go to Firewall > Protection Profile. Edit the std-pp profile and expand Web
Filtering. Enable Web URL Filter for HTTP and HTTPS and select URL-list
from the drop-down menu.
Click OK.
13 Attempt to access one of the exempted URLs.
Name web-override
Type Firewall
Members (Local users) test
Override Scope IP
Override Type Domain
Off-site URL Deny
Override Time Constant/15 minutes
Permission Granted For std-pp
Click OK.
16 Go to Firewall > Protection Profile. Edit the std-pp protection profile. Expand
Web Filtering and enable FortiGuard Web Filtering Overrides for HTTP and
HTTPS.
Enable Allow Override for all categories.
Click OK.
Note: Do not use a web proxy, otherwise the Web Category Override web page will not
work.
17 Try to visit a blocked category website. This time the blocked page
replacement message will have an Override link.
Click the Override link to view a Web Filter Block Override. Enter the User
name test and the password 123456.
Note that other fields are greyed out as they are set by the override user group.
After completing the required fields that will grant access to the desired
website, click Continue.
18 Go to UTM > Web Filter. Select the Override tab and click Edit to view
the User Overrides web filter override list. Note the Expiry Date column of the
dynamically added entries.
19 Go to Log&Report > Log Access. On the Memory tab, set the Log Type to Web
Filter Log.
Check the log messages related to category blocking. Scroll or page down to
locate the log messages from the URL and content filtering performed earlier in
this lab.