
FortiADC-D Advanced Workshop

version 4.4.0
Q1 2016 EMEA SE Meeting
Rafael Gracioli – CSE

© Copyright Fortinet Inc. All rights reserved.


Initial Configuration
Package Contents

https://www.dropbox.com/s/7wvbie3t0fsq3ar/FortiADC-D-Advanced-Workshop-v2.0.2.1-package.zip?dl=0

§ FortiADC-VM compressed image
§ FortiGate-VM compressed image
§ Certificates folder package
§ Workstations
»  fad-ws-client
»  fad-ws-server
§ Auxiliary tools:
»  Putty – SSH/Telnet terminal
»  WinSCP – File Transfer
»  VMware Player installation
»  3CDaemon – FTP/TFTP/Syslog server
»  DVWA vm
»  VNC Viewer

Prerequisites

§  A computer with at least 4GB RAM, running:
»  64bit version of Windows XP, 7, 8.x
»  Mac OS X *
§  VMs memory could be reduced to 1024MB
§  Enable Hardware VT technology configuration in your computer's BIOS (mostly in HP laptops)
§  Administrator privileges on your computer: be able to add/remove routes, disable/enable firewall, etc.
§  Firefox Web browser
§  VMware Player (6 or later) or VMware WorkStation (10 or later) for Windows / VMware Fusion (6.0.5 or later) for Mac
§  SSH/Telnet Terminal
§  VNC Viewer

VM Management Network

§  The VM network we will be using should be on the same subnet as the VMware interface vmnet8 (VMware default NAT network).
§  In this document, the vmnet8 network is 10.8.2.0/24. Open a cmd and check your vmnet8 subnet using: ipconfig

VM Management Network Customized

§  To customize vmnet8, open a cmd as Administrator
§  Then go to C:\Program Files (x86)\VMware\VMware Player
§  Execute the following commands:
vnetlib.exe -- stop nat
vnetlib.exe -- stop dhcp
vnetlib.exe -- set vnet vmnet8 mask 255.255.255.0
vnetlib.exe -- set vnet vmnet8 addr 10.8.2.0
vnetlib.exe -- set adapter vmnet8 addr 10.8.2.1
vnetlib.exe -- set nat vmnet8 internalipaddr 10.8.2.2
vnetlib.exe -- update dhcp vmnet8
vnetlib.exe -- update nat vmnet8
vnetlib.exe -- update adapter vmnet8
vnetlib.exe -- start dhcp
vnetlib.exe -- start nat

FortiADC VM Installation

§ Use the VM supplied in the workshop package or download the FortiADC VM template from Support - https://support.fortinet.com/Download/FirmwareImages.aspx
§ For the HA lab, generate 2x VM eval licenses in MyFortinet
§ For the SSL Forward Proxy lab, generate an eval license for FGT-VM

LAN Segments

§  Start the FortiADC VM: VMWare Player -> Open Virtual Machine -> select
“fortiadc-vm-64-hw7.ovf” file
§  In VMware Player, press Ctrl+d to enter Virtual Machine Settings
»  Select a Network Adapter
»  Click on LAN Segments
»  Click add to create the following LAN segments:
§  Clients
§  Servers
§  Heartbeat
§  Data
§  decrypt
§  encrypt

Network Adapters

§  Connect "Network Adapter" to NAT; it will be port1 on FortiADC
§  Connect "Network Adapter 2" to LAN Segment Clients; it will be port2
§  Connect "Network Adapter 3" to LAN Segment Servers; it will be port3

FortiADC Initial Configuration

§ Configure FortiADC management interface (port1)


config system interface
edit port1
set ip 10.8.2.118/24
next
end

§ Configure default gateway

config route static
edit 1
set gateway 10.8.2.2
next
end

FortiADC Initial Configuration

Verification

§ Ping port1
§ From terminal, SSH to FortiADC
§ Open FortiADC GUI
§ Save initial config: System -> Maintenance -> Backup and Restore -> Backup

Network Design

§  "fad-ws-client" - one Linux VM instance acting as clients


§  "fad-ws-server" - one Linux VM instance acting as servers
§  FortiADC in the middle
§  No NAT between clients and servers

Network diagram (recovered from the slide, text rendering):

  clients .1 .2 .3 ---- port2 (.254) [FortiADC] port3 (.254) ---- servers .1 .2 .3
           1.1.1.0/24 (Clients LAN segment)       2.2.2.0/24 (Servers LAN segment)

VM Environment

FortiADC Interfaces

§ Configure FortiADC client interface (port2)


config system interface
edit port2
set ip 1.1.1.254/24
set allowaccess https ping ssh
next
end

§ Configure FortiADC server interface (port3)


config system interface
edit port3
set ip 2.2.2.254/24
set allowaccess https ping ssh
next
end

Client and Server Configuration

1.  Start fad-ws-client and fad-ws-server VMs - IMPORTANT: if asked, choose "I
moved it" to preserve network interfaces
2.  Management IPs:
»  fad-ws-client: 10.8.2.105
»  fad-ws-server: 10.8.2.106
3.  user: root
password: workshop
4.  Connect network interfaces as follows:
»  fad-ws-client eth0 (Network Adapter 1) on NAT
»  fad-ws-client eth1 (Network Adapter 2) on LAN Segment "Clients"
»  fad-ws-server eth0 (Network Adapter 1) on NAT
»  fad-ws-server eth1 (Network Adapter 2) on LAN Segment "Servers"

Initial Setup Verification

§  From terminal, open SSH to clients and servers


§  Check interface configuration with “ifconfig”
§  Ping FortiADC interfaces
§  Check FortiADC status
# get system status
# get system interface <port#>
# diagnose hardware get deviceinfo nic-detail <port#>
# get router info routing-table all
§  Open FortiADC GUI and check interfaces
§  Save initial config: System -> Maintenance -> Backup and Restore -> Backup
Initial Setup Verification

§ System Status:
FortiADC-VM # get system status
Version: FortiADC-VM v4.4.0,build0480,160113
VM Registration: Trial License is in use.(Expire in 14 days 23 hours 57 mins)
VM License File: Trial License.
VM Resources: 1 CPU/1 allowed, 1619 MB RAM/2048 MB allowed, 29 GB Disk/1024 GB allowed
Serial-Number: FADV0000000TRIAL
WAF Signature DB: 00001.00001
IP Reputation DB: 00001.00020
Bootloader version: n/a
Log disk: Capacity 29 GB, Used 56 MB ( 0.19%), Free 29 GB
Hostname: FortiADC-VM
HA configured mode: standalone
HA effective mode: Standalone
Distribution: International
Uptime: 0 days 0 hours 2 minutes
Last reboot: Fri Jan 29 07:59:41 PST 2016
System time: Fri Jan 29 08:02:24 PST 2016
Statistics table: synced with config

Initial Setup Verification

Interface Configuration
FortiADC-VM # get system interface port2
type : physical
mode : static
vdom : root
redundant-master :
ip : 1.1.1.254/24
ip6 : ::/0
allowaccess : https ping ssh
mtu : 1500
speed : auto
status : up
mac-addr : 00:0c:29:24:aa:32
secondary-ip : disable
ha-node-secondary-ip : disable

Initial Setup Verification

Interface Status
FortiADC-VM # diagnose hardware get deviceinfo nic-detail port2
(...)
Speed: 10000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: off
MDI-X: Unknown
Supports Wake-on: uag
Wake-on: d
Link detected: yes
(...)

Initial Setup Verification

Routing Table

FortiADC-VM # get router info routing-table all

Codes: K - kernel route, C - connected, S - static, O - OSPF, P - PPPoE
       > - selected route, * - FIB route

C>* 1.1.1.0/24 is directly connected, port2
C>* 2.2.2.0/24 is directly connected, port3
C>* 169.254.0.0/16 is directly connected, haport0
C>* 10.8.2.0/24 is directly connected, port1
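The verification slides above ask you to eyeball `get system status` and `get router info routing-table all`. The following is an added Python example (not part of the workshop package or of FortiADC) that parses both outputs so the same checks can be repeated after every lab, e.g. by pasting the CLI output into a file. The sample outputs are copied from the slides; the expected connected-route table, the `v4.4.0` version prefix and the one-day trial-license warning threshold are assumptions chosen to match this workshop.

```python
import re

# Constructed sample: copied from the workshop's 'get system status' slide.
STATUS_OUTPUT = """\
FortiADC-VM # get system status
Version: FortiADC-VM v4.4.0,build0480,160113
VM Registration: Trial License is in use.(Expire in 14 days 23 hours 57 mins)
VM License File: Trial License.
VM Resources: 1 CPU/1 allowed, 1619 MB RAM/2048 MB allowed, 29 GB Disk/1024 GB allowed
Serial-Number: FADV0000000TRIAL
Hostname: FortiADC-VM
HA configured mode: standalone
HA effective mode: Standalone
Uptime: 0 days 0 hours 2 minutes
"""

# Constructed sample: copied from the workshop's routing-table slide.
ROUTING_OUTPUT = """\
FortiADC-VM # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, O - OSPF, P - PPPoE
       > - selected route, * - FIB route

C>* 1.1.1.0/24 is directly connected, port2
C>* 2.2.2.0/24 is directly connected, port3
C>* 169.254.0.0/16 is directly connected, haport0
C>* 10.8.2.0/24 is directly connected, port1
"""

# Assumption: the connected networks this lab expects, and the port each must sit on.
EXPECTED_CONNECTED = {"1.1.1.0/24": "port2", "2.2.2.0/24": "port3", "10.8.2.0/24": "port1"}

LICENSE_RE = re.compile(r"Expire in (\d+) days? (\d+) hours? (\d+) mins?")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<selected>>?)(?P<fib>\*?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$"
)


def parse_status(text):
    """Turn 'Key: value' lines of 'get system status' into a dict (prompt line is skipped)."""
    status = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def trial_license_minutes_left(status):
    """Minutes until the trial license expires, or None if the field is absent."""
    match = LICENSE_RE.search(status.get("VM Registration", ""))
    if not match:
        return None
    days, hours, mins = (int(x) for x in match.groups())
    return days * 1440 + hours * 60 + mins


def parse_routes(text):
    """Parse routing-table rows; the interface is the token after the last comma."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_RE.match(line)
        if not match:
            continue  # prompt, legend and blank lines
        routes.append({
            "code": match["code"],
            "selected": match["selected"] == ">",
            "fib": match["fib"] == "*",
            "prefix": match["prefix"],
            "interface": match["rest"].rsplit(",", 1)[-1].strip(),
        })
    return routes


def check_lab(status_text, routing_text, expected=EXPECTED_CONNECTED, version_prefix="v4.4.0"):
    """Return a list of problems; an empty list means the initial setup matches the slides."""
    problems = []
    status = parse_status(status_text)
    if version_prefix not in status.get("Version", ""):
        problems.append(f"unexpected version: {status.get('Version', '<missing>')}")
    minutes = trial_license_minutes_left(status)
    if minutes is None:
        problems.append("could not read trial license expiry from 'VM Registration'")
    elif minutes < 1440:  # assumption: warn when less than one day remains
        problems.append(f"trial license expires in {minutes} minutes")
    routes = {r["prefix"]: r for r in parse_routes(routing_text)}
    for prefix, iface in expected.items():
        route = routes.get(prefix)
        if route is None:
            problems.append(f"{prefix}: no connected route (interface down or IP not set?)")
        elif route["interface"] != iface:
            problems.append(f"{prefix}: on {route['interface']}, expected {iface}")
        elif not (route["selected"] and route["fib"]):
            problems.append(f"{prefix}: present but not selected/in FIB")
    return problems


if __name__ == "__main__":
    print(check_lab(STATUS_OUTPUT, ROUTING_OUTPUT) or "lab setup OK")
```

Running the script against the slide output prints `lab setup OK`; removing the `2.2.2.0/24` row (for example, because port3 was left on the wrong LAN segment) yields a single problem line naming that prefix. The license check is worth keeping, since the `get system status` slide shows a 15-day trial and the HA lab needs two licenses that expire independently.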

Initial Setup Verification

Interfaces – GUI

Initial Setup

End of Initial Setup

§ Execute a configuration backup
§ Keep it, as it will be needed in the labs
