
Index: 1.0
Use Case: Fortifying the Enterprise Network (NGFW)
Objective Title: Description
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fortifying the Enterprise Network (NGFW)


Digital innovation has transformed enterprise networks, adding breakthrough capabilities to
achieve business outcomes, while unintentionally exposing them to new vulnerabilities. With
the rapid proliferation of mobile computing, multi-cloud deployment, and shadow IT, attack
surfaces have dramatically expanded, adding complexity and making enterprise networks
vulnerable to sophisticated attacks.
FortiGate NGFWs enable security-driven networking and consolidate industry-leading security
capabilities such as intrusion prevention system (IPS), web filtering, secure sockets layer (SSL)
inspection, and automated threat protection. FortiGate NGFWs are powered by artificial
intelligence (AI)-driven FortiGuard Labs and deliver proactive threat protection with
high-performance inspection of both clear-text and encrypted traffic (including the latest TLS
version, TLS 1.3) to stay ahead of the rapidly expanding threat landscape.
FortiGate NGFWs inspect traffic as it enters and leaves the network. These inspections happen
at an unparalleled speed, scale, and performance and prevent everything from ransomware to
DDoS attacks, without degrading user experience or creating costly downtime. As an integral
part of the Fortinet Security Fabric, FortiGate NGFWs can communicate within the
comprehensive Fortinet security portfolio as well as third-party security solutions in a
multivendor environment. To increase the speed of operations and response, they share threat
intelligence, and improve security posture and automated workflow. Fortinet NGFWs meet the
performance needs of highly scalable, hybrid IT architectures, enabling organizations to reduce
complexity and manage security risks.
Index: 1.0 (a)
Use Case: Fortifying the Enterprise Network (NGFW)
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Note: Unless otherwise indicated all username/passwords for the various web consoles are:

Username: admin Password: Fortinet1!


Index: 1.0 (b)
Use Case: Fortifying the Enterprise Network (NGFW)
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda

Lab 1.0: Introduction


Lab 2.0: NGFW Profile-based Inspection
Lab 2.1: Intrusion Prevention System 10 minutes
Lab 2.2: Per Policy Inspection Modes 5 minutes
Lab 2.3: AntiVirus CDR & Threat Feeds 20 minutes
Lab 2.4: Automation Stitches 15 minutes
Lab 2.5: ADVPN 30 minutes
Lab 3.0: NGFW Policy-based Inspection
Lab 3.1: Blocking Specific Applications 10 minutes
Lab 4.0: Conclusion

Time to Complete: 90 minutes


Index: 2.0
Use Case: NGFW Profile-based Inspection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
The Fortinet FortiGate NGFW has two NGFW modes: Profile-based and Policy-based.
Profile-based mode is the traditional mode, where you create a security profile (antivirus,
web filter, and so on) and then apply the profile to a firewall policy.
In the following set of exercises, we will explore a FortiGate (FGT-EDGE) configured in
Profile-based Inspection and configure various UTM security profiles to protect the network
against an attacker and their various attempts to breach the network.

Important
Upon clicking the Continue button, the FGT-EDGE device in the lab will receive a configuration
and reboot. It may take a minute before the device is ready.
Index: 2.1
Use Case: Intrusion Prevention System
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
Fortinet delivers IPS technology with the industry-validated and recognized FortiGate platform.
FortiGate Security Processor Units (SPU) provide unparalleled performance along with
FortiGuard Labs industry-leading threat intelligence creating an IPS solution with proven
success in protecting from known and zero-day threats.
In this lab exercise, you will configure a custom IPS sensor, enable IPS inspection on a firewall
policy, and verify its effectiveness against an RDP Brute Force attack.
Time to Complete: 10 minutes
Index: 2.1 (a)
Use Case: Intrusion Prevention System
Objective Title: Configure IPS Sensor
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
Acme Corp uses a Windows Server for Remote Desktop access to their network. While this is
not considered a best practice, it is vital to their business and needs to be open from the
internet.
Using the Malware Server, located on the internet, a hacker performs a port scan and
discovers that port TCP/3389 is open on the IP address 100.65.0.10 (the FGT-EDGE external IP).
Without valid credentials for the server, they attempt a brute-force attack to gain access.

Goal
For this objective, we will be working on the root FortiGate (FGT-EDGE). To access the
FGT-EDGE, return to the Lab’s main page (Lab Activity Tab) and click FGT-EDGE from the sidebar
menu and then use the HTTPS option.
Use the following credentials:
Username: admin Password: Fortinet1!

Using the Security Profiles > Intrusion Prevention section, you will need to enable and
customize a rate-based IPS signature to block a Microsoft RDP brute force attack and
quarantine the attacker’s IP address.

Success
To successfully complete this objective, you will need to edit the IPS sensor profile named
‘default’ and enable the correct rate-based IPS signature.
The signature should quarantine (block) the attacker's source IP address for 10 minutes once
the attacker's RDP brute force attempts trigger it 3 times within 120 seconds.

----------------------- Hint 1 Section -----------------------


Hint: 1 Points: 2

Hint Text:

Hint
1. Go to Security Profiles > Intrusion Prevention
2. Edit the ‘default’ IPS sensor

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 2

Hint Text:

Hint
1. In the IPS profile ‘default’ click Create New in the IPS Signatures and Filters section.
2. Select the following settings:

• Type: Signature

• Action: Quarantine

• Quarantine Duration: 10 minutes

• Packet Logging: Disabled

• Status: Enable

• Rate-based settings: Specify

• Threshold: 3

• Duration (seconds): 120

• Track By: Source IP

3. In the search field, enter ‘RDP’ and click the search icon
4. Find and select the ‘MS.RDP.Connection.Brute.Force’ signature from the list of results
and click the Add Selected button to the left of the search field.

5. Click OK to save the filter to the IPS profile


6. Drag the new ‘MS.RDP.Connection.Brute.Force’ filter to the top of the list

7. Click OK again to save the changes to the IPS profile
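The rate-based settings above (threshold 3, duration 120 seconds, track by source IP, quarantine for 10 minutes) are easier to reason about with a small model of what the sensor counts. The following is an added example, not FortiOS code and not part of the original lab: it records signature hits per source IP in a sliding 120-second window, quarantines the source on the third hit, and resets every later connection from that address until the quarantine expires. The two IP addresses (the lab does not state the Malware Server's address, so 203.0.113.10 stands in), the event layout, and the sliding-window counting are assumptions for the demonstration; FortiOS's exact counting may differ.

```python
"""Added example (not FortiOS code): the semantics of a rate-based IPS
signature tracked by source IP, as configured in this lab: 3 hits within
120 seconds quarantine the source for 10 minutes. The sliding-window
counting and the event layout are assumptions for the demonstration."""
from collections import defaultdict, deque

# Constructed sample IPs; the lab does not state the Malware Server's address.
ATTACKER = "203.0.113.10"   # stands in for the Malware Server
SLOW = "198.51.100.5"       # a second source that stays under the rate


class RateBasedSignature:
    def __init__(self, name, threshold=3, duration=120, quarantine=600):
        self.name = name
        self.threshold = threshold      # hits needed inside the window
        self.duration = duration        # window length in seconds
        self.quarantine = quarantine    # ban length in seconds
        self.hits = defaultdict(deque)  # src -> timestamps of signature hits
        self.banned_until = {}          # src -> time the ban expires

    def is_banned(self, src, now):
        until = self.banned_until.get(src)
        if until is None:
            return False
        if now >= until:                # ban expired: release the address
            del self.banned_until[src]
            return False
        return True

    def observe(self, ts, src, matched):
        """Return the verdict for one connection from src at time ts."""
        if self.is_banned(src, ts):
            return "reset"              # quarantined: all traffic from src is reset
        if not matched:
            return "pass"               # the signature did not match this packet
        window = self.hits[src]
        window.append(ts)
        while ts - window[0] > self.duration:
            window.popleft()            # drop hits older than the window
        if len(window) >= self.threshold:
            self.banned_until[src] = ts + self.quarantine
            window.clear()
            return "quarantine"         # threshold reached: ban the source IP
        return "pass"                   # under the rate: no action yet


# Constructed events: (seconds, source IP, did MS.RDP.Connection.Brute.Force match)
EVENTS = [
    (0,   ATTACKER, True),   # attempt 1
    (0,   SLOW,     True),
    (30,  ATTACKER, True),   # attempt 2
    (60,  ATTACKER, True),   # attempt 3 -> quarantine for 600 s
    (70,  ATTACKER, False),  # unrelated traffic while banned -> reset
    (90,  ATTACKER, True),   # attempt 4 -> reset
    (100, SLOW,     True),
    (250, SLOW,     True),   # only 1 hit inside the last 120 s -> no action
    (700, ATTACKER, True),   # ban expired at t=660; counting starts over
]


def run(events, **settings):
    """Feed the events through one sensor and return the verdict per event."""
    sig = RateBasedSignature("MS.RDP.Connection.Brute.Force", **settings)
    return [sig.observe(ts, src, matched) for ts, src, matched in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS)):
        print(f"t={event[0]:>3}s {event[1]:<14} matched={event[2]!s:<5} -> {verdict}")
```

Two things the model makes visible: a quarantine is tied to the source IP, not to RDP, so the unrelated connection at t=70 is reset as well (an attacker behind a shared NAT address would take every other user of that address down with them), and the window is what makes the rate a rate: the slow source lands three hits but never three inside 120 seconds, so it is never banned unless the duration is raised.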


Index: 2.1 (b)
Use Case: Intrusion Prevention System
Objective Title: Apply IPS sensor to Firewall Policy
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
Now that you have configured the IPS sensor, it will need to be assigned to a Firewall Policy in
the FortiGate to take action against the attack.

Goal
Apply the configured IPS profile to the appropriate Firewall Policy.

Success
To successfully complete this objective, you will need to apply the IPS sensor profile ‘default’ to
the inbound traffic policy to the RDP server.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Go to Policy & Objects > Firewall Policy.
2. Edit the ‘RDP_Server’ policy.
3. Enable the IPS sensor and choose the ‘default’ IPS profile.
4. Click OK to save the policy.
Index: 2.1 (c)
Use Case: Intrusion Prevention System
Objective Title: Execute RDP Brute Force Attack
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Intentionally repeating login attempts with different credentials in a short period of time is
considered a brute force attack. In this exercise, you will mimic a malicious actor by initiating a
brute force attack against the RDP service on the Acme Corp system. The tool used in this
exercise will connect to the external IP of FGT-EDGE on port TCP/3389 and use a random
username and password combination in an attempt to gain access to the system.

Tasks
1. Return to the Lab’s main page (Lab Activity Tab) and click Malware Server from the sidebar
menu and then use the RDP option.

Use the following credentials:


Username: david Password: Fortinet1!

2. Click on the Remmina icon located on the icon bar to the left.

3. Double-click the RDP_BruteForce_Attack to simulate the attack.


4. If asked for credentials, just click OK
5. When the connection has failed to connect to the RDP server, click Close.
Repeat the connection attempt two more times.
6. After 3 failed connections, the FGT-EDGE IPS sensor will trigger the
‘MS.RDP.Connection.Brute.Force’ rule and quarantine the Malware Server IP address
and reset any connections from this IP address for the next 10 minutes.
7. Close both the Brute_Force_Attack window and the Remmina Remote Desktop Client
window.
Index: 2.1 (d)
Use Case: Intrusion Prevention System
Objective Title: Verify Results
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background

In this exercise, we will explore the FortiGate to verify that the attacker was quarantined, learn
how to release a banned address, and find out where to look for additional details on triggered
IPS events.

Tasks

1. Return to the FGT-EDGE device


2. Go to Dashboard > Users & Devices
3. The Quarantine widget will show 1 Total for blocked users/devices with the Source of
IPS
4. Click anywhere in the Quarantine widget to expand the view to full screen
5. Expand the Banned IP section to find the IP of the Malware Server and the length of
time remaining for the ban.

Note: We have set the block duration to only 10 minutes. A firewall admin could
permanently block this IP address after further investigation.

6. Click on the Remove All button at the top to remove the IP address from the Banned IP
list as we need the Malware Server for our next lab exercise.
7. Click OK to remove the entry.
8. Go to Log & Report > Intrusion Prevention
9. Double-click the IPS log entry
10. Verify the log details carefully such as Source, Destination, Action and Attack Name

Stop and Think

Which of the following would deny the attacker RDP access to the Windows Server? (Select all
that apply)

----------------------- Hint 1 Section -----------------------


Hint: 1 Points: 1

Hint Text:

Hint

Application Control sensor set to block ‘Unknown’ applications will not block an RDP Brute
Force attack.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 1

Hint Text:

Hint

FortiGuard AntiVirus protects against the latest viruses, spyware, malware, and other
content-level threats.

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Correct Answer:

B, C

Answer Key:
✘ 1. App control profile set to block UNKNOWN applications only applied on the RDP server
firewall policy.
✔ 2. IPv4 Policy with action Deny and source address as the IP address of the Malware server
and destination address matching the RDP server virtual IP placed at the top of the firewall
policy list.
✔ 3. IPS sensor with rate-based MS.RDP.Connection.Brute.Force signature action set to
‘Block’ applied on the RDP server firewall policy
✘ 4. Antivirus profile set to block viruses applied on the RDP server firewall policy.
Index: 2.2
Use Case: Per Policy Inspection Modes
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
Most of the FortiGate NGFW UTM features (AV, web filtering, email filtering, etc.) can work in
either Flow mode or Proxy mode. FortiOS default inspection mode is Flow-based. All default
and newly created UTM profiles are configured in Flow-based inspection.
As of FortiOS 6.2, choosing the desired inspection mode (Flow vs Proxy) was made available per
IPv4 Policy (now called Firewall Policy in FortiOS 6.4). The default inspection mode for a new
Firewall Policy is Flow-based as well.
In FortiOS 6.4, you can set the inspection mode for each UTM profile where both Flow and
Proxy inspection modes are available. When creating or modifying Firewall Policies, only the
UTM profiles that match the inspection mode of the Firewall Policy will be visible.
Over the next few lab objectives (Objective 2.3 and 2.4), we will be working with UTM profiles
that require Proxy-based inspection features. In this lab exercise, you will change the
inspection mode for an existing Firewall Policy.
Time to Complete: 5 minutes
Index: 2.2 (a)
Use Case: Per Policy Inspection Modes
Objective Title: Change Inspection Mode on Firewall Policy
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
Most of the FortiGate NGFW UTM features (AV, web filtering, email filtering, etc.) can work in
either Flow mode or Proxy mode. FortiOS default inspection mode is Flow based.

Goal
Change the Inspection Mode from Flow-based to Proxy-based.

Success
To successfully complete this objective, you will need to apply Proxy-based inspection to
internet traffic outbound via the Internet policy, and inbound via the Mail_Server policy.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Navigate to Policy & Objects > Firewall Policy
2. Edit the ‘Internet’ policy
3. Change the Inspection Mode to Proxy-based

4. Click OK to save the policy.


5. Do the same for the Mail_Server policy
Index: 2.3
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
Cybercriminals are relentless. Just because one method of attack fails doesn’t mean they’ll
simply give up. Since the brute force RDP method was unsuccessful, they may try a more
personal or direct approach.
It is often trivial to guess or acquire valid email addresses of corporate employees. Let’s assume
that an attacker has obtained the email address of Bob (bob@acmecorp.net) through one of his
personal contacts. If you remember, Bob is a client sitting at a Windows workstation. Let’s see
how you can defend Bob against another type of attack.
In this lab exercise, you’ll enable the Fortinet Content Disarm and Reconstruction (CDR) and
Virus Outbreak Prevention features on the FGT-EDGE device. Once enabled, you’ll simulate an
attack and verify the FortiGate is successful in stopping this type of targeted attack.
Time to Complete: 20 minutes
Index: 2.3 (a)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Verify Attacker Files
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
This exercise is optional and may be skipped.

Tasks
Let’s verify the malicious files that the attacker will use in the next round of targeted attacks.
1. Return to the Malware Server tab
2. Open the ‘Malicious Files’ folder on the Desktop.
There are 2 files in this folder as follows:
• Registration Instructions PDF file:
Open this file to review the contents.
Move the mouse cursor over the link provided in the file. This is just to illustrate that
there is a phishing website link.
An attacker could send this file to bob@acmecorp.net (Windows Server 2012 R2)
attached to a phishing email and ask Bob to register on this link while providing his
personal information.
• ZHVO Application:
This MS-DOS application is a brand new zero-day malware sample that has not been
detected yet by the FortiGuard threat intelligence and is unknown to the FortiGate
Anti-Virus signature database.
Note: For the following lab exercises, focus only on the ‘Registration Instructions’ PDF file for
Objective 2.3a through 2.3e. In Objective 2.3f through 2.3i, you will use the ‘zhvo’ malware
sample.
Index: 2.3 (b)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Configure CDR AntiVirus
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
Advanced threats are constantly evolving to find ways around traditional signature-based and
reputation-based prevention measures. The Fortinet Content Disarm & Reconstruction (CDR)
service processes incoming files, disassembles them, and strips active content from the file in
real time to deliver a flat, sanitized copy to the end user. CDR can fortify your zero-day file
protection strategy by proactively removing potentially malicious content (macros, hyperlinks,
JavaScript, embedded files) from supported Microsoft Office and PDF files passing through the
FortiGate. Because CDR rebuilds the file, it requires proxy-based inspection on the firewall
policy, which is why the inspection mode was changed in Objective 2.2.

Goal

For this objective, we will be working on the FGT-EDGE to enable the Content Disarm and
Reconstruction (CDR) feature to sanitize and remove the phishing website link in the
‘Registration Instructions’ PDF file attachment before Bob receives it by email from the
attacker.

Success

To successfully complete this objective, you will need to enable Content Disarm and
Reconstruction in the ‘default’ antivirus profile.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint

1. On the FGT-EDGE, go to Security Profiles > AntiVirus


2. Edit the ‘default’ profile
3. Enable Content Disarm and Reconstruction
4. Click OK to save the profile.
Index: 2.3 (c)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Apply AntiVirus profile
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
Now that you have the AntiVirus profile configured, it has to be assigned to the correct Firewall
Policy on FGT-EDGE to take action against an attack.

Goal
Using the Policy & Objects > Firewall Policy section, apply the configured AntiVirus profile to
appropriate firewall policy.

Success
To successfully complete this objective, you will need to apply AntiVirus profile ‘default’ and
‘custom-deep-inspection’ SSL inspection profile to the ‘Mail_Server’ Firewall Policy.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Go to Policy & Objects > Firewall Policy
2. Edit ‘Mail_Server’ policy
3. Enable AntiVirus and select the profile ‘default’
4. Change the SSL Inspection profile to ‘custom-deep-inspection’
5. Click OK to save the policy
Index: 2.3 (d)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Send the Malicious File
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
Malicious actors use a social engineering technique called phishing: they disguise themselves
as a trustworthy entity in the hope of luring their target to a fake but legitimate-looking
website, where the user is directed to provide personal information such as usernames,
passwords, credit card details, and other data.
In this exercise, we will mimic a malicious actor by sending an email to Bob with an attachment
that contains a link to a phishing website.

Tasks
1. Go to the Malware Server tab.

2. Open Mozilla Thunderbird email client using the icon.


3. Click the Write tab located at the top of the screen to compose a new email.
4. In the email To field, type Bob’s email address bob@acmecorp.net.
5. In the email Subject field, type the text ‘Register Now’.
6. Click the Attach icon in the top right corner and attach the ‘Registration
Instructions.pdf’ file by browsing to the Malicious Files folder on the desktop.
7. Send the email by clicking the Send button in the top left corner.
Index: 2.3 (e)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Verify Results
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
In this exercise, we will play the role of Bob downloading his email and verifying that the
phishing link has been removed from the PDF attachment.

Tasks
1. Return to the Lab Activity tab and access Bob’s workstation by clicking on Bob link, and then use
the RDP option.

2. Open Mozilla Thunderbird email client with the icon on the desktop
3. If there are no messages already in the Inbox, click the Get Messages button located in
the top left corner.
4. Open the email with the subject you entered in the previous exercise, ‘Register Now’.
5. Click to open the ‘Registration Instructions.pdf’ file attached to the email.
6. Read it carefully and scroll down to the second page to view the sanitized/reconstructed
content.
7. Click the hyperlink embedded under the word ‘here’ in the PDF. Originally, it resolved
to a phishing website.
You will find the malicious web link has been removed. The PDF has been successfully
sanitized and disarmed by the Fortinet CDR anti-virus feature on FGT-EDGE.
8. Close both Mozilla Thunderbird and the PDF file.

Stop and Think


Which of the following can be disarmed by the CDR feature of FortiOS? (Select all that
apply)

----------------------- Hint 1 Section -----------------------


Hint: 1 Points: 1

Hint Text:

Hint
Verify the 'default' AntiVirus profile configuration as follows:
1. Go to the FGT-EDGE device.
2. Click the CLI console (>_) symbol located at the top right.
3. Type the following commands:
config antivirus profile
edit default
4. Once in the ‘default’ AntiVirus profile, verify the CDR configuration and answer the question.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 1

Hint Text:

Hint
config antivirus profile
edit default
config content-disarm
show full

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Correct Answer:

A, B, C, D, E

Answer Key:
✔ 1. Stripping of macros in Microsoft Office documents.
✔ 2. Stripping of hyperlinks in Microsoft Office documents.
✔ 3. Stripping of JavaScript code in PDF documents.
✔ 4. Stripping of actions that execute JavaScript code in PDF documents.
✔ 5. Stripping of embedded files in PDF documents.
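The answer key above lists the content classes CDR strips; the hint's `show full` under `config content-disarm` lists the per-class options. To make both concrete, here is an added example, not FortiOS code and not part of the lab: a detector that finds those content classes in a PDF (link annotations, JavaScript actions and code, embedded files, launch and remote-go-to actions) and in an OOXML package (a VBA project, external hyperlink and linked-object relationships), and maps each finding to the content-disarm option that governs it. The sample PDF and the docx builder are constructed stand-ins, and the option names are given as I recall them from the FortiOS CLI; confirm them against the output of `show full` on your own device. This reports what a `detect-only` run would log; the reconstruction step itself is not modelled.

```python
"""Added example (not FortiOS code): a detector for the active content that
CDR strips, run over constructed PDF and OOXML samples. It maps each finding
to the FortiOS content-disarm option that governs it (option names as I
recall them from the CLI; confirm with 'show full' as in the hint above)."""
import io
import re
import zipfile

# PDF name keys that mark active content -> content-disarm option.
PDF_MARKERS = {
    rb"/S\s*/JavaScript\b": "pdf-act-java",   # an action that runs JavaScript
    rb"/JS\b": "pdf-javacode",                # the JavaScript code itself
    rb"/EmbeddedFile\b": "pdf-embedfile",
    rb"/URI\b": "pdf-hyperlink",
    rb"/S\s*/Launch\b": "pdf-act-launch",
    rb"/S\s*/GoToR\b": "pdf-act-gotor",
}


def scan_pdf(data):
    """Return {option: occurrences} for the active content found in a PDF."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    found = {}
    for pattern, option in PDF_MARKERS.items():
        n = len(re.findall(pattern, data))
        if n:
            found[option] = found.get(option, 0) + n
    return found


def scan_ooxml(data):
    """Return {option: occurrences} for macros and external links in a docx/xlsx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.lower().endswith("vbaproject.bin"):   # VBA macro storage
                found["office-macro"] = found.get("office-macro", 0) + 1
            if name.endswith(".rels"):
                for rel in re.findall(rb"<Relationship\b[^>]*>", pkg.read(name)):
                    if b'TargetMode="External"' not in rel:
                        continue
                    opt = "office-hylink" if b"/hyperlink" in rel else "office-linked"
                    found[opt] = found.get(opt, 0) + 1
    return found


# Constructed PDF: a link annotation to a phishing URL, a JavaScript
# OpenAction and an embedded file. Minimal; not a reader-valid PDF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 200 90]
   /A << /S /URI /URI (http://phish.example/register) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL('http://phish.example/')) >> endobj
6 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


def build_docx(macro, hyperlink):
    """Constructed minimal OOXML package with an optional VBA project and hyperlink."""
    rels = [b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if hyperlink:
        rels.append(b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    b'officeDocument/2006/relationships/hyperlink" Target="%s" '
                    b'TargetMode="External"/>' % hyperlink.encode())
    rels.append(b"</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", b"\n".join(rels))
        if macro:
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    print(scan_ooxml(build_docx(True, "http://phish.example/register")))
```

The two scanners look in different places because the formats differ: in a PDF the active content is keyed by object names inside the file body, while in an OOXML document macros live in a separate `vbaProject.bin` part and hyperlinks are declared as external relationships in the `.rels` parts rather than in the visible text. That is also why the lab's PDF came back with the link under ‘here’ gone: the annotation's `/URI` action was removed, not the word itself.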
Index: 2.3 (f)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Configure External Connector
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
External Block List (Threat Feed) – File Hashes
Threat feed connectors support a list of file hashes and can be used to strengthen the Virus
Outbreak Prevention service. This feature allows users to incorporate external third-party
dynamic Malware hash block lists into their FortiGate AntiVirus scanning by specifying a URI to
an external server.

Goal
For this objective, we will be working on the FGT-EDGE. Using the Security Fabric > External
Connectors section, create a Malware Hash Threat Feed to import a malware hash list from an
external server into the FGT-EDGE AntiVirus signature database.

Success
To successfully complete this objective, you will need to create a new Malware Hash Threat
Feed to import a list of malware hashes from ‘hashfile.txt’ which resides on an external web
server (HTTP) with IP address 100.65.0.254.
This web server does not require HTTP basic authentication and any changes made to the
external list should be imported every 1 minute.
Once the External Connector is configured, you will need to make sure that the connector is in
Up/Green state by clicking on the refresh icon.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint
1. Go to Security Fabric > External Connectors section
2. Click Create New
3. Scroll down to Threat Feeds section
4. Click on the Malware Hash icon

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 2

Hint Text:

Hint
1. Configure the connector settings as follows:

• Name: External Malware Threat Feed

• URI of external resource: http://100.65.0.254/hashfile.txt


Note: ‘hashfile.txt’ is a test file that contains the list of manually entered hash
values and is located on an external server. A network security admin can add
multiple hash entries to this list and it will automatically update the FortiGate
AntiVirus signature database after each refresh interval. For example, if a brand
new zero-day malware sample unknown to the FortiGate NGFW AntiVirus
signature database has been detected by a security expert, the file hash of that
zero-day malware can be easily incorporated into the FortiGate AntiVirus
signature database.

• HTTP basic authentication: Disable


• Refresh Rate: 1
• Status: Enable

2. Click OK to save the settings


3. Initially, the connector will be in a down status (red)
4. Click on the refresh button a few times until the status changes to green

5. Once the connector is up, right-click the Fabric connector and choose View Entries to
see the list of hashes that have been successfully downloaded from the external server
into the FortiGate AntiVirus database.
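To make concrete what the connector pulls from http://100.65.0.254/hashfile.txt and how the AntiVirus engine uses it in Objective 2.3 (i), here is an added example, not FortiOS code and not a file from the lab: it renders a hash list from sample files, validates it the way a connector must, and scans files against it by hash. The sample bytes are constructed stand-ins for the ZHVO file, and the line format (one hex digest per line, an optional description after a space, ‘#’ comment lines) is stated from my reading of the FortiOS threat feed documentation; check it against your FortiOS version before relying on it.

```python
"""Added example (not FortiOS code): building and consuming a Malware Hash
threat feed like hashfile.txt, then scanning files against it the way Virus
Outbreak Prevention does, by hash. The file contents below are constructed
stand-ins; the one-hash-per-line format (hash, then an optional description,
'#' comments) is the feed format as I understand it from the FortiOS docs."""
import hashlib

# Constructed stand-in for the lab's 'ZHVO' sample; not real malware.
ZHVO_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00 constructed ZHVO lab stand-in"
OTHER_SAMPLE = b"#!/bin/sh\necho constructed dropper stand-in\n"

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length -> algorithm


def feed_line(data, description="", algo="sha256"):
    """One feed entry: <hex digest> <description>."""
    return f"{hashlib.new(algo, data).hexdigest()} {description}".rstrip()


def build_feed(samples):
    """Render a hashfile.txt from (bytes, description, algo) tuples."""
    lines = ["# hashfile.txt: constructed malware hash block list"]
    lines += [feed_line(d, desc, algo) for d, desc, algo in samples]
    return "\n".join(lines) + "\n"


def parse_feed(text):
    """Validate the list the way a connector must: one MD5/SHA1/SHA256 per line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, desc = line.partition(" ")
        digest = digest.lower()
        algo = HASH_ALGOS.get(len(digest))
        bad_chars = set(digest) - set("0123456789abcdef")
        if algo is None or bad_chars:
            raise ValueError(f"line {lineno}: not an MD5/SHA1/SHA256 hex digest: {digest!r}")
        entries[digest] = (algo, desc.strip())
    return entries


def scan(data, entries):
    """Return ('blocked', description) if any digest of data is listed, else ('passed', '')."""
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in entries:
            return "blocked", entries[digest][1]
    return "passed", ""


FEED_TEXT = build_feed([
    (ZHVO_SAMPLE, "zhvo zero-day sample", "sha256"),
    (OTHER_SAMPLE, "dropper script", "md5"),
])
ENTRIES = parse_feed(FEED_TEXT)

if __name__ == "__main__":
    print(FEED_TEXT)
    print(scan(ZHVO_SAMPLE, ENTRIES))            # blocked by the sha256 entry
    print(scan(OTHER_SAMPLE, ENTRIES))           # blocked by the md5 entry
    # A hash list only matches exact copies: one changed byte evades it.
    print(scan(ZHVO_SAMPLE + b"\x00", ENTRIES))  # passed
```

The last scan shows the limit of a hash block list: a single changed byte gives a different digest, so the list only stops exact copies of a known sample. Prefer SHA256 entries when you publish a list; MD5 is accepted for compatibility but is collision-prone. The parser rejects malformed lines loudly rather than skipping them, because a feed that silently loses entries looks exactly like a feed that is working.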
Index: 2.3 (g)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Configure AntiVirus profile
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
Now that you have successfully configured and connected the External Connector Malware
Hash Threat Feed, the FGT-EDGE AntiVirus engine needs to use it during the scanning of files.

Goal
Using the Security Profiles > AntiVirus section, enable the use of the External Malware Block
List.

Success
To successfully complete this objective, you will need to correctly edit the AntiVirus profile
named ‘default’ and apply the threat feed.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Go to Security Profiles > AntiVirus
2. Edit the ‘default’ profile
3. In the Virus Outbreak Prevention section, select the following:

• Use FortiGuard outbreak prevention database: Enable

• Use external malware block list: Enable


4. Click OK
Index: 2.3 (h)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Apply AntiVirus profile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
Now that you have the AntiVirus profile configured to use the threat feed, it has to be assigned
to the correct Firewall Policy on FGT-EDGE to take action against an attack.

Goal
Using the Policy & Objects > Firewall Policy section, apply the configured AntiVirus profile to
appropriate firewall policy.

Success
To successfully complete this objective, you will need to apply AntiVirus profile ‘default’ and
‘custom-deep-inspection’ SSL inspection profile to the ‘Internet’ Firewall Policy.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint
1. Go to Policy & Objects > Firewall Policy
2. Edit ‘Internet ’ policy
3. Enable AntiVirus and select the profile ‘default’
4. Change the SSL Inspection profile to ‘custom-deep-inspection’
5. Click OK to save the policy
Index: 2.3 (i)
Use Case: AntiVirus CDR & Threat Feeds
Objective Title: Download Malware Sample
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
The FortiOS Virus Outbreak Prevention (VOB) service, a sub-service of the AntiVirus engine, can
use external threat feeds to identify known file hashes and automate the process of updating
the signature databases to stop threats.
In this exercise, we will see the VOB service in action as it blocks a file matching a hash in your
Malware Hash threat feed.

Tasks
1. Go to Bob’s workstation tab.
2. Open a browser using the icon on the desktop.
3. Use the browser bookmark to download the ‘Malware Test’ file.
4. You will be presented with a High Security Alert block page and the download will fail.

5. The file has been blocked because we incorporated the malware hash matching the ‘ZHVO’
sample into the FGT-EDGE AntiVirus scanning service using the Threat Feed connector.
6. Close the browser
Index: 2.4
Use Case: Automation Stitches
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
Administrators can define automated workflows, called Automation Stitches, which use if/then
logic to make FortiOS respond to an event in a pre-defined fashion. In brief, an admin creates
a 'stitch' that defines which 'actions' to take when a given 'trigger' fires. Because this
workflow is part of the Security Fabric, automation stitches are configured on the Security
Fabric root FortiGate and replicated to all downstream FortiGate devices.
Time to Complete: 15 minutes
Index: 2.4 (a)
Use Case: Automation Stitches
Objective Title: Create Automation Stitch
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
So far, all the methods used by the attacker have failed and they have been unable to gain
access to Bob’s workstation. Let’s look at one last common attack vector to see how we can
continue to protect the Acme Corp employees and their assets.
Cybercriminals will often drop USB sticks containing malicious code in the hope that employees
will insert them into their corporate devices. In our case, the inserted USB stick installed a
malicious .BAT file which, once executed, accesses a remote website and downloads content.

Goal
For this objective, we will be working on the FGT-EDGE. Use the Security Fabric > Automation
section to create an Automation Stitch that should ban a compromised host’s IP automatically
to stop it from further propagating the threat.

Success
To successfully complete this exercise, you will need to create a new Automation Stitch using
the necessary trigger and action according to the objective requirements.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint
1. Go to Security Fabric > Automation
2. Click Create New to create a new Automation Stitch
3. Make the following changes:

• Name: Compromised Host

• Status: Enabled

• FortiGate: All FortiGates

4. Click the Add Trigger card


5. In the slide out menu, click the Create button in the upper right corner.
6. Click the Compromised Host card
7. Make the following changes and click OK

• Name: Compromised Host

• Threat level threshold: High

8. Select the newly created entry and click Apply


9. Click the Add Action card
10. In the slide out menu, click the Create button in the upper right corner.
11. Click the IP Ban card
12. Make the following changes and click OK

• Name: IP Ban
13. Select the newly created entry and click Apply
14. Click OK to save the Automation Stitch
Index: 2.4 (b)
Use Case: Automation Stitches
Objective Title: Configure Web Filter Profile
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
In the Fortinet Security Fabric, the FortiAnalyzer Indicators of Compromise (IOC) service can
identify a Compromised Host through a variety of methods. One of the most common causes
would be if the host visited a website blocked by the FortiGate Web Filter. When FortiAnalyzer
determines a host has been compromised, it sends a notice to the root FortiGate where the
Automation Stitch can take automated action.
Now that you have the Automation Stitch configured, we need to apply a Web Filter profile to
the correct firewall policy in order for the FortiGate to detect malicious web traffic.

Goal
Using the Policy & Objects > Firewall Policy section, apply a Web Filter profile to the
appropriate Firewall Policy.

Success
To successfully complete this objective, you will need to apply the Web Filter profile named
‘default’ to internet bound traffic.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Go to Policy & Objects > Firewall Policy
2. Edit the ‘Internet’ policy
3. Enable the Web Filter and choose the ‘default’ profile
4. Click OK to save the policy
Index: 2.4 (c)
Use Case: Automation Stitches
Objective Title: Execute Malicious BAT file
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
Bob was unaware of the malicious code installed on his workstation. One day, Bob
inadvertently executed the file.
In this exercise, we will mimic Bob executing the file.

Tasks
1. Go to Bob’s workstation tab.
2. Open the Command Prompt using the icon on the desktop.
3. Type hello and hit the Enter key in the Command Prompt window to execute the BAT
file.
The BAT file will attempt to connect to a number of websites that FortiGuard has
flagged as Malicious Websites which FGT-EDGE will block access to.

Stop and Think


How is a Compromised Host identified in the Security Fabric? (Select the best answer)

----------------------- Hint 1 Section -----------------------


Hint: 1 Points: 1

Hint Text:

Hint
Compromised host detection is independent of FortiClient installation.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 0

Hint Text:

Hint
This is a service offered by FortiAnalyzer. FortiAnalyzer identifies compromised hosts by checking the
logs of each end user against its threat database. When a threat match is found, a threat score is given
to the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end
user and gives its verdict.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Correct Answer:

FortiAnalyzer analyzes the traffic logs, identifies the compromised host via the Indicator of
Compromise (IOC) license service, and sends the verdict to the root FortiGate in the Security
Fabric.

Answer Key:
✘ 1. The root FortiGate in the Security Fabric identifies the compromised host itself
✔ 2. FortiAnalyzer analyzes the traffic logs, identifies the compromised host via the Indicator
of Compromise (IOC) license service and sends the verdict to the root FortiGate in the Security
Fabric.
✘ 3. FortiClient installed on the host machine identifies and sends the Compromised Host
verdict to the root FortiGate in the Security Fabric.
✘ 4. Device Detection enabled on the local interface identifies the compromised host and
sends the information to the root FortiGate.
Index: 2.4 (d)
Use Case: Automation Stitches
Objective Title: Verify Results
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
Automation removes the need for manual intervention by a security admin to detect threats
inside the network. As a security admin, there’s nothing we need to do other than wait
approximately 1-2 minutes while FGT-EDGE handles the threat via the Automation Stitch.
In this exercise, we will verify the action taken by the Automation Stitch configured on the
FGT-EDGE.

Tasks
1. On the FGT-EDGE, go to Log & Report > Web Filter
2. You will see 12 blocked events from Bob’s workstation with IP address 172.16.20.51.
This validates that the FortiGate blocked access to these websites because they were
identified within the Malicious Websites and Phishing categories.
3. Go to Log & Report > Events
4. Click the System Events card
5. You will find one recent event with the Log Description of ‘Automation stitch triggered’
and the Message of ‘stitch:Compromised Host is triggered.’
This event indicates the Web Filter logs were sent to the FortiAnalyzer which
determined the host to be compromised. FortiAnalyzer then sent the ‘Compromised
host detected’ alert back to the root FortiGate in the Security Fabric which triggered the
Automation Stitch you configured in the previous exercises.
Note: It may take a minute or two for the logs to be sent to FortiAnalyzer and the alert
to come back to FortiGate.
6. Go to the Dashboard > Users & Devices
7. In the Quarantine widget, one system will be listed.
8. Click anywhere in the Quarantine widget to expand the results to the full screen.
9. Go to Bob’s workstation tab
10. Open a browser and try browsing to any website (e.g. google.com) to verify the host has
been banned from accessing the internet.
11. Go back to the FGT-EDGE tab
12. In the Quarantine widget, click the Remove All button to remove the IP Ban for Bob’s
workstation.
Index: 2.5
Use Case: ADVPN
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Introduced with FortiOS 5.4, Auto Discovery VPN (ADVPN) is an IPsec technology that allows
traditional hub-and-spoke VPN spokes to establish dynamic, on-demand, direct tunnels
between each other to avoid routing through the topology's hub device. The primary advantage
is that it provides full meshing capabilities to a standard hub-and-spoke topology. This greatly
reduces the provisioning effort for full spoke-to-spoke low delay reachability and addresses the
scalability issues associated with very large fully meshed VPN networks.
If a customer's head office and branch offices all have two or more internet connections, they
can build a dual-hub ADVPN network. Combined with SD-WAN technology, the customer can
load-balance traffic to other offices on multiple dynamic tunnels, control specific traffic using
specific connections, or choose better performance connections dynamically.

In the following objective, you will configure some basic BGP settings and then deploy a simple
one hub and two spoke IPsec VPN topology using the VPN Wizard which includes the necessary
ADVPN settings. Once the topology is built, you will establish the shortcut tunnel, learn how to
manually tear down the tunnels, and configure the required settings to auto-flush tunnels after
a period of inactivity.
Time to Complete: 30 minutes
Index: 2.5 (a)
Use Case: ADVPN
Objective Title: Configure BGP
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

ADVPN requires an internal routing protocol to establish peer connections and route traffic
between the two spokes without affecting routing for any other spoke. FortiGate ADVPN
supports BGP, OSPF and RIP as the routing protocol. In this lab, you will use BGP as the routing
protocol across the hub and spoke topology.
Before building the VPN topology, a few BGP settings must be configured. In particular, you will
need to assign a Local AS and Router ID for the hub and each spoke. To simplify expanding this
topology to many more sites, you will also use a Neighbor Group at the hub rather than
statically defining each spoke neighbor.

Tasks

Configure BGP Settings on FGT-EDGE:


1. On FGT-EDGE, go to Network > BGP

2. In the Local AS field, enter 65400

3. In the Router ID field, enter 0.0.0.101

4. Under Neighbor Groups, click Create New

5. Enter the following settings:


• Name: Branch-Peers
• Remote AS: 65400
• Activate IPv4: Enable
• Route reflector client: Enable
• Capability: route refresh: Enable

6. Click OK

7. Click Apply to save the BGP settings.

Configure BGP Settings on FGT-BR1:


1. On the Lab Activity Tab, access FGT-BR1, choose the HTTPS option and login with the
standard credentials:

Username: admin Password: Fortinet1!

2. Go to Network > BGP

3. In the Local AS field, enter 65400

4. In the Router ID field, enter 0.0.0.111


5. Click Apply to save the BGP settings.

Configure BGP Settings on FGT-BR2:


1. On the Lab Activity Tab, access FGT-BR2, choose the HTTPS option and login with the
standard credentials:

Username: admin Password: Fortinet1!

2. Go to Network > BGP

3. In the Local AS field, enter 65400

4. In the Router ID field, enter 0.0.0.112

5. Click Apply to save the BGP settings.

Stop and Think


When configuring BGP for ADVPN, why does the AS need to be the same for the hub and all
spokes?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. There is no loopback interface to ensure neighbor adjacency
✘ 2. When using ADVPN with BGP, it must be configured as eBGP
✔ 3. When using ADVPN with BGP, it must be configured as iBGP
✘ 4. The lab is wrong. All AS assignments must be different.
Index: 2.5 (b)
Use Case: ADVPN
Objective Title: Build IPsec Hub & Spoke VPN
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

The IPsec VPN Wizard, by default, includes the necessary components to utilize ADVPN when
choosing the Hub-and-Spoke template type. In this exercise, you will use the VPN Wizard to
build the VPN topology on FGT-EDGE, FGT-BR1, and FGT-BR2.

Tasks

Configure VPN on FGT-EDGE with the IPsec Wizard:


1. On FGT-EDGE, navigate to VPN > IPsec Wizard.

2. On the VPN Setup page, use the following settings:


• Name: Branches
• Template type: Hub-and-Spoke
• Role: Hub

3. Click Next >

4. On the Authentication page, use the following settings:


• Incoming Interface: ISP1 (port6)
• Authentication Method: Pre-shared Key
• Pre-shared key: Fortinet1!
5. Click Next >

6. On the Tunnel Interface page, use the following settings:


• Tunnel IP: 10.10.1.101
• Remote IP/netmask: 10.10.1.1/24

7. Click Next >

8. On the Policy & Routing page, use the following settings:


• Local AS: 65400
• Local interface: LAN
• Local subnets (click the + button to add more subnets):
i. 10.10.30.0/29
ii. 10.10.30.8/29
iii. 172.16.10.0/24
iv. 172.16.20.0/24
v. 172.16.99.0/24
vi. 172.16.100.0/24
• Spoke type: Range
• Spoke range prefix: 10.10.1.0/24
• Spoke neighbor group: Branch-Peers
9. Click Next >

10. Click Create

11. Under the Spoke Easy Configuration Key, click the Generate Easy Configuration Key
button.

12. Create two spoke entries:


• Spoke #1 tunnel IP: 10.10.1.111
• Spoke #2 tunnel IP: 10.10.1.112

13. Click the Generate Easy Configuration Key button


14. Copy the key from each device into a blank text file

15. Click Close

Configure VPN on FGT-BR1 with the IPsec Wizard:


1. On FGT-BR1, navigate to VPN > IPsec Wizard

2. On the VPN Setup page, enter the following settings:


• Name: Hub
• Template type: Hub-and-Spoke
• Role: Spoke
• Easy configuration key: Enter the key you copied in Step #12 on the previous
exercise for 10.10.1.111 and click Apply
3. Click Next >

4. On the Authentication page, enter the following settings:


• Pre-shared key: Fortinet1!

5. Click Next >

6. On the Tunnel Interface page, verify the following settings:


• Tunnel IP: 10.10.1.111
• Remote IP/netmask: 10.10.1.101/24

7. Click Next >

8. On the Policy & Routing page, enter the following settings:


• Local AS: 65400
• Local interface: Branch 1 (port4)
• Local subnets: 172.20.1.0/24
9. Click Next >

10. On the Review Settings page, click Create.

Configure VPN on FGT-BR2 with the IPsec Wizard:


Note: No screenshots are provided for these steps, but the configuration for FGT-BR2 is
virtually identical to FGT-BR1 except for a few IP addresses in steps 6 and 8 and the Local
Interface in step 8.

1. On FGT-BR2, navigate to VPN > IPsec Wizard

2. On the VPN Setup page, enter the following settings:


• Name: Hub
• Template type: Hub-and-Spoke
• Role: Spoke
• Easy configuration key: Enter the key you copied in Step #12 on the previous
exercise for 10.10.1.112 and click Apply

3. Click Next >

4. On the Authentication page, enter the following settings:


• Pre-shared key: Fortinet1!

5. Click Next >

6. On the Tunnel Interface page, verify the following settings:


• Tunnel IP: 10.10.1.112
• Remote IP/netmask: 10.10.1.101/24

7. Click Next >

8. On the Policy & Routing page, enter the following settings:


• Local AS: 65400
• Local interface: Branch 2 (port4)
• Local subnets: 172.20.2.0/24

9. Click Next >

10. On the Review Settings page, click Create.
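The CLI equivalent of the BGP settings entered in the Network > BGP page (objective 2.5 (a)) and on the wizard's Policy & Routing page above, added here as an illustration; it is not taken from the lab guide or from the wizard's generated output. AS numbers, router IDs, tunnel IPs and subnets are the lab's own values; the neighbor and network entries on the spoke are what the wizard creates for you and are shown only so the iBGP pairing is visible. The comments explain why the Stop and Think question in 2.5 (a) is answered by "iBGP":

```fortios
# Hub (FGT-EDGE). Added example, not the lab's configuration export.
config router bgp
    # Hub and spokes share AS 65400, so every session is iBGP. An iBGP speaker
    # does not re-advertise a route learned from one iBGP peer to another iBGP
    # peer, so the hub must be a route reflector for BR1 to learn BR2's subnet.
    set as 65400
    set router-id 0.0.0.101
    config neighbor-group
        edit "Branch-Peers"
            set remote-as 65400
            set activate enable
            set route-reflector-client enable
            set capability-route-refresh enable
        next
    end
    # "Spoke type: Range / Spoke range prefix": any peer whose tunnel IP falls
    # inside 10.10.1.0/24 joins Branch-Peers, so adding a spoke needs no
    # per-neighbor entry on the hub.
    config neighbor-range
        edit 1
            set prefix 10.10.1.0/24
            set neighbor-group "Branch-Peers"
        next
    end
    # The wizard's "Local subnets" list becomes the hub's BGP network statements.
    config network
        edit 1
            set prefix 10.10.30.0/29
        next
        edit 2
            set prefix 10.10.30.8/29
        next
        edit 3
            set prefix 172.16.10.0/24
        next
        edit 4
            set prefix 172.16.20.0/24
        next
        edit 5
            set prefix 172.16.99.0/24
        next
        edit 6
            set prefix 172.16.100.0/24
        next
    end
end

# Spoke (FGT-BR1). Same AS, its own router ID, a single neighbor at the hub's
# tunnel IP, and its branch subnet advertised.
config router bgp
    set as 65400
    set router-id 0.0.0.111
    config neighbor
        edit "10.10.1.101"
            set remote-as 65400
            set activate enable
        next
    end
    config network
        edit 1
            set prefix 172.20.1.0/24
        next
    end
end
```

Because the spoke's neighbor is the hub's tunnel IP rather than a public address, the BGP session only comes up once the IPsec tunnel is established; if the Routing widget in 2.5 (c) shows no BGP routes, check the IPsec widget first.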

Stop and Think


True or False – You can add additional spoke entries to the Hub configuration and obtain their
Easy Configuration Key after completing the VPN Wizard.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✔ 1. True
✘ 2. False
Index: 2.5 (c)
Use Case: ADVPN
Objective Title: Explore, Build & Flush Shortcut Tunnel
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

In a traditional hub-and-spoke VPN topology, all traffic from one spoke to another travels
entirely through the hub. In an ADVPN configuration, the first packet is sent through the Hub at
which point the Hub coordinates with each Spoke to build the shortcut tunnel and update the
dynamic routing table for each spoke allowing them to communicate directly.
In this exercise, you will use ICMP traffic from a host at Branch_1 to a host at Branch_2 to
trigger the ADVPN shortcut tunnel creation, monitor the packet flow, and finally tear down the
shortcut tunnel manually.
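The mechanism described above is driven by two phase1-interface settings: the hub is the "sender" that offers shortcuts, and each spoke is the "receiver" that accepts them. The fragment below is an added illustration of those keys only; it is not the wizard's generated configuration from this lab. The hub's tunnel name and incoming interface are the lab's values; the spoke's WAN interface and the hub's public address are placeholders in angle brackets because the lab guide does not state them, and the remaining phase1 settings (proposals, DPD, and so on) are left to the wizard.

```fortios
# Hub (FGT-EDGE): added example, not the lab's configuration export.
# "auto-discovery-sender": when spoke-to-spoke traffic crosses this tunnel,
# the hub sends each spoke the other's gateway so they negotiate a shortcut.
config vpn ipsec phase1-interface
    edit "Branches"
        set type dynamic
        set interface "port6"
        set peertype any
        set auto-discovery-sender enable
        set psksecret <pre-shared key>
    next
end

# Spoke (FGT-BR1 / FGT-BR2): "auto-discovery-receiver" accepts the hub's
# shortcut offer and builds the child tunnel, named Hub_0 after the parent
# phase1 "Hub". The parent tunnel stays up for traffic to the hub's subnets.
config vpn ipsec phase1-interface
    edit "Hub"
        set interface "<spoke WAN interface>"
        set remote-gw <hub public IP>
        set auto-discovery-receiver enable
        set psksecret <pre-shared key>
    next
end
```

The sniffer output in the tasks below shows the consequence of this split: the first exchange is visible on the parent interface (Hub) while the shortcut is negotiated, and everything after it appears on Hub_0.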

Tasks

Explore the BGP and VPN Configurations:


1. On FGT-EDGE, navigate to Dashboard > Network

2. Click the IPsec widget to view all tunnels

3. You will see two tunnels are built.

4. Go to Dashboard > Network

5. Click the Routing widget

6. Notice there are two routes with the Type of BGP: one for each Branch network.
7. On FGT-BR1 and FGT-BR2, explore the same dashboard information.

FGT-BR1:

FGT-BR2:
Prepare a Sniffer to Watch the ADVPN Shortcut Tunnel Being Built:
1. On FGT-EDGE, click the >_ button in the upper-right corner to open a CLI window

2. Type the following command and hit Enter to enable the sniffer:

diagnose sniffer packet any 'host 172.20.1.52 and host 172.20.2.53 and icmp' 4

3. Repeat steps 1 and 2 on both FGT-BR1 and FGT-BR2

Initiate Traffic to Trigger the ADVPN Shortcut Tunnel Creation:


1. On the Lab Activity Tab, access Carol and choose the RDP option.

2. Launch a Command Prompt window

3. Type the following command:

ping 172.20.2.53 -n 8

4. Return to FGT-EDGE

5. In the CLI window, you will see 4 entries like the following:
6. Return to FGT-BR1

7. In the CLI window, you will see several ICMP request and reply packets. Notice packets 2
and 3 are using the Hub interface and then all remaining packets use Hub_0 which is the
ADVPN shortcut tunnel.

8. Return to FGT-BR2

9. In the CLI window, you will also see several ICMP request and reply packets. Because
this was the receiving firewall, packets 1 and 4 used the Hub interface and all remaining
packets used the Hub_0 interface.
View and Flush the ADVPN Shortcut Tunnels from the CLI:
1. Return to FGT-BR1

2. In the CLI window, use the CTRL-C keyboard combination to stop the existing sniffer

3. There are two ways to view the existing VPN tunnels at the CLI. Type both commands to
view their differences:

diagnose vpn tunnel list


diagnose vpn ike gateway list

4. The ADVPN shortcut tunnel is indicated by the _0 at the end of its name, based on the
Phase 2 Selector being used. In this lab, because the primary IPsec tunnels’ Phase 2
Selectors on the Branch FortiGate devices are called Hub, the ADVPN shortcut tunnel
will be called Hub_0.

5. Minimize the CLI window by clicking the _ icon in the upper-right corner of the CLI
window.

6. Go to Dashboard > Network

7. Click anywhere in the IPsec widget to view additional details for all IPsec tunnels.

8. Notice the new ADVPN shortcut tunnel, identified by the _0 at the end of the tunnel
name. This widget also shows the Remote Gateway and Phase 2 Selectors used by the
shortcut tunnel.
9. Maximize the CLI window by clicking the green box labeled CLI Console (1) in the
lower-right corner of the GUI. If you closed the CLI console rather than minimizing it,
launch a new CLI window by clicking the >_ icon in the upper-right corner of the GUI.

10. Bringing down the phase2 interface of the shortcut tunnel does not destroy the tunnel;
it must be properly flushed. To flush the existing ADVPN shortcut tunnel, the following
command can be run from either spoke FortiGate for the shortcut tunnel. For the
purposes of this lab, run this command from the FGT-BR1 CLI window.

diagnose vpn ike gateway flush name Hub_0

11. View the VPN tunnels again with commands listed in step 3 or step 6. Notice the Hub_0
tunnel no longer exists.

12. Return to FGT-BR2

13. Go to Dashboard > Network and click on the IPsec widget.

14. Because the shortcut tunnel was flushed from FGT-BR1, the shortcut tunnel no longer
exists on FGT-BR2.

Stop and Think


How many ADVPN shortcut tunnels are supported in FortiOS on FortiGate?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Answer Key:
✔ 1. Based on the max value of phase2 tunnels specific to the FortiGate model
✘ 2. 512
✘ 3. Unlimited
✘ 4. 10
Index: 2.5 (d)
Use Case: ADVPN
Objective Title: ADVPN Timeouts
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

By default, ADVPN shortcut tunnels are not automatically torn down after a period of inactivity.
This can cause the network to ultimately create a full mesh topology. To avoid this, you must
enable an idle timeout interval. The default value is 15 minutes but can be adjusted to as little
as 5 minutes and as long as 30 days.
In this exercise, you will configure the idle timeout to 5 minutes, flush the VPN tunnels,
re-establish the shortcut tunnel and validate the shortcut tunnel automatically terminates.

Tasks

Set an Idle Timeout for the Shortcut Tunnels:


1. Return to FGT-BR1

2. In the CLI window, make the following configuration changes:

config vpn ipsec phase1-interface
    edit Hub
        set idle-timeout enable
        set idle-timeoutinterval 5
    next
end

3. Repeat this for FGT-BR2

Note: This setting only takes effect for new tunnels being established. Any existing tunnels, and
subsequent shortcut tunnels, will not retroactively adopt this setting. Therefore, parent tunnels
must also be flushed and re-built.

4. On both FGT-BR1 and FGT-BR2, run the following command from the CLI:

diagnose vpn ike gateway flush name Hub


5. The VPN from the Spoke to the Hub will automatically start back up again. To verify, run
the following command as well from the CLI:

diagnose vpn ike gateway list

Initiate Traffic Again to Establish the Shortcut Tunnel Between FGT-BR1 and FGT-BR2:
1. Return to Carol

2. From the Command Prompt, run the ping command again:

ping 172.20.2.53 -n 8

3. Return to FGT-BR1 and navigate to Dashboard > Network

4. Click on the IPsec widget

5. Notice the Hub_0 tunnel has been built again.

Note: The idle-timeoutinterval setting applies not only to the primary VPN but also to all ADVPN
shortcut tunnels that are established. This means that if traffic to the Datacenter, via the Hub
VPN, is idle for 5 minutes, that tunnel will also be torn down.

To avoid having shortcut tunnels being torn down if the parent tunnel is down, there is a
default setting to keep shortcut tunnels active. This only applies to phase1-interface
configurations with auto-discovery-receiver value enabled. Below is the configuration for this
setting:

config vpn ipsec phase1-interface
    edit "Hub"
        set auto-discovery-receiver enable
        set auto-discovery-shortcuts independent
    next
end

To automatically tear down the shortcut tunnel if the parent tunnel is down, change the value
to dependent.

Validate the Shortcut Tunnel Automatically Terminates After 5 Minutes of Inactivity:
1. On FGT-BR1, navigate to Log & Report > System.
2. Click on the VPN Events card.

3. Once 5 minutes have passed since the shortcut tunnel was established, you will see the
Hub_0 tunnel status change with the two actions phase2-down and tunnel-down like
seen in the screenshot below.
Index: 2.5 (e)
Use Case: ADVPN
Objective Title: Learn More About ADVPN with SD-WAN
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Learn More About ADVPN with SD-WAN

If you would like to learn more about using ADVPN combined with SD-WAN, ask your instructor about
the Constructing a Secure SD-WAN Architecture workshop offered by the Fast Track Program.
As organizations transition to a digital business model, their network topologies are significantly
impacted. The adoption of cloud services, the virtualization of the traditional network, and an
increasingly mobile workforce accessing applications in the cloud are accelerating advancements in wide
area networking technologies. The traditional wide area network (WAN) is struggling to keep up because
it relies on a static infrastructure of devices that simply can't accommodate shifting, and often
temporary resource allocation and workloads.
Participants who attend this workshop will learn how to:

• Apply software-defined networking (SDN) to wide area networks in an enterprise environment

• Implement application control and traffic shaping over SD-WAN

• Use FortiManager to enable unified policy across multiple enterprise branches

• Configure virtualized products supporting WAN aggregation while gaining hands-on experience

• Combine the redundancy of SD-WAN with the full mesh capabilities of ADVPN for a highly
dynamic enterprise WAN solution.
Index: 3.0
Use Case: NGFW Policy-based Inspection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
The Fortinet FortiGate NGFW has two inspection modes: Profile-based and Policy-based.
Policy-based NGFW mode allows administrators to add applications and web filter categories
directly to a Security Policy without having to first create and configure an Application Control
or Web Filter profile.
When Policy-based NGFW mode is enabled, the FortiGate will automatically be configured to
use Central NAT and Flow-based inspection security profiles. These two modes combine to
make administrating a FortiGate simple and easy while providing high performance.
In the following set of exercises, we will explore a FortiGate (FGT-EDGE) configured in
Policy-based NGFW mode and configure policies to protect end users and enforce company
policies.

Important
Upon clicking the Continue button, the FGT-EDGE device in the lab will receive a configuration
and reboot. It may take a minute before the device is ready.
Index: 3.1
Use Case: Blocking Specific Applications
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow
traffic from a specific user or user group, both Security and SSL Inspection & Authentication
policies must be configured. A default SSL Inspection & Authentication policy with the
certificate-inspection SSL Inspection profile is preconfigured. Traffic will match the SSL
Inspection & Authentication policy first. If the traffic is allowed, packets are sent to the IPS
engine for application, URL category, user, and user group matching, and then, if enabled, UTM
inspection (antivirus, IPS, DLP, and email filter) is performed.
In this lab objective, we will explore a FortiGate (FGT-EDGE) configured for Policy-based
Inspection and block access for applications that do not meet Acme Corp’s internet policies.
Time to Complete: 10 minutes
Index: 3.1 (a)
Use Case: Blocking Specific Applications
Objective Title: Verify NGFW Mode
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
NGFW Mode is a per VDOM setting. This means administrators can operate individual VDOMs
on their FortiGate in either NGFW Policy-based or Profile-based mode. If the VDOM feature is
not enabled, the entire FortiGate is set to the mode selected.

Goal
For this objective, we will be working on the FGT-EDGE to verify that FGT-EDGE is set to operate in
NGFW Policy-based mode.
User: admin Password: Fortinet1!

Success
In order to successfully complete this objective, you will need to go to System > Settings
section and verify that NGFW Mode is set to Policy-based.
Note: Do not make any changes here. Otherwise, it will affect the next lab objectives.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Go to System > Settings
2. Scroll down and verify the selected NGFW Mode is Policy-based
3. Click Apply, if necessary, to save any changes.
Index: 3.1 (b)
Use Case: Blocking Specific Applications
Objective Title: Configure SSL/SSH Inspection Profile
Points: 5
----------------------- Objective Section -----------------------
Objective Text:

Background
As more and more organizations turn to secure web based applications, the use of
SSL-encryption is becoming more common. Encrypting this legitimate web application traffic
can have the undesirable side effect of masking the attempts of cybercriminals as they launch
attacks against this infrastructure. Secure Socket Layer (SSL) Inspection can help combat this
threat.

Goal
Enable SSL Deep Packet Inspection to inspect encrypted network traffic.

Success
To successfully complete this objective, you'll need to enable SSL Inspection on HTTPS, SMTPS,
POP3S and IMAPS ports using the 'custom-deep-inspection' SSL/SSH inspection profile.
After you have configured the SSL/SSH Inspection profile, go to Policy & Objects > SSL
Inspection & Authentication. Edit the LAN-WAN policy to verify that the correct SSL
Inspection profile, ‘custom-deep-inspection’, has been applied for encrypted network traffic
inspection.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 1

Hint Text:

Hint
1. Go to Security Profiles > SSL/SSH Inspection
2. Edit the ‘custom-deep-inspection’ profile
----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 1

Hint Text:

Hint
1. In the Protocol Port Mappings section, enable the following options:

• HTTPS

• SMTPS

• POP3S

• IMAPS
2. Click OK to save the changes
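The CLI equivalent of the two hints above, added here as an illustration rather than taken from the lab's configuration. Each Protocol Port Mapping toggle in the GUI corresponds to a per-protocol status inside the profile; the port numbers shown are the standard defaults for each protocol (an assumption, since the lab guide does not list them), and the policy ID of the LAN-WAN policy is a placeholder:

```fortios
# Added example, not the lab's configuration export.
# "certificate-inspection" (the profile the default policy uses) only reads
# the server certificate and SNI; "deep-inspection" decrypts and re-encrypts
# the session so antivirus, IPS and web filtering can see the payload.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
    next
end

# Attach the profile to the SSL Inspection & Authentication policy that carries
# LAN-to-Internet traffic (ID is a placeholder; check it in the GUI first).
config firewall policy
    edit <LAN-WAN policy ID>
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
```

Deep inspection re-signs server certificates with the FortiGate's CA, so clients that do not trust that CA will see certificate warnings for every HTTPS site; the lab workstations are prepared for this, but in production the CA must be distributed to endpoints before the profile is applied.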
Index: 3.1 (c)
Use Case: Blocking Specific Applications
Objective Title: Configure NGFW Policy to Block Applications
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
In the NGFW Policy-based mode, you can add applications and web filtering categories directly
to a policy without having to first create and configure Application Control or Web Filter
profiles.

Goal
Configure a new security policy to block Twitter and YouTube applications only.

Success
To successfully complete this objective, you will have to create a new ‘LAN’ – ‘Internet’ Security
Policy to block applications Twitter and YouTube.
Note: After you have configured the Security Policy to block Twitter and YouTube, mouse over
the Name column. Once the mouse pointer changes into a multi-directional pointer, click and
drag ‘Block Applications’ policy above ‘Internet’ policy to place it at the top of the policy list as
shown in the screenshot below.

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:
Hint
1. Go to Policy & Objects > Security Policy
2. Click Create New
3. Enter the following information:

• Name: Blocked Applications

• Incoming Interface: LAN

• Outgoing Interface: Internet

• Source: all

• Destination: all

• Schedule: Always

• Service: App Default

• Application: Twitter and YouTube (Choose applications one at a time as shown
below and click Close)

• URL Category: Leave blank

• Action: Deny
4. Click OK to save the policy
5. Mouse over the Name column. Once the mouse cursor changes to a multi-directional
pointer, click and drag the policy above the ‘Internet’ policy to place it at the top of the
list.
Index: 3.1 (d)
Use Case: Blocking Specific Applications
Objective Title: Verify Results
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

In this exercise, you will test the previously configured policy to verify traffic to Twitter and
YouTube has been correctly blocked.

Tasks

1. Go to Bob’s workstation tab


2. Open a web browser
3. Right-click on the Twitter bookmark and open in a new tab
4. Right-click on the YouTube bookmark and open in a new tab
5. Right-click on the LinkedIn bookmark and open in a new tab
6. You will see that only access to LinkedIn is allowed. Twitter and YouTube have both
been blocked.
Index: 4.0
Use Case: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Review
After completing this Fast Track module, you should now:
1. Understand the benefits of FortiGate NGFW.
2. Be able to configure and leverage NGFW and automation capabilities of FortiGate in
your environment.
3. Extend these new skills to other Fortinet solutions.
Index: 4.0 (a)
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the Fortinet NGFW Fast Track Hands On Lab Training

Thank you for participating! We hope that you found this training of value.

To learn more about what the FortiGate can do, we encourage you to enroll in the
NSE 4 courses and pursue your FortiGate certification. For more information, go
to https://training.fortinet.com/
