FortiGate Infrastructure Lab Guide for FortiOS 6.2

© FORTINET

Fortinet Training: http://www.fortinet.com/training
Fortinet Document Library: http://docs.fortinet.com
Fortinet Knowledge Base: http://kb.fortinet.com
Fortinet Forums: https://forum.fortinet.com
Fortinet Support: https://support.fortinet.com
FortiGuard Labs: http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE): https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback Email: courseware@fortinet.com

6/18/2019

TABLE OF CONTENTS

Virtual Lab Basics
  Network Topology ... 7
  Lab Environment ... 7
  Remote Access Test ... 8
  Logging In ... 9
  Disconnections and Timeouts
  Screen Resolution
  Sending Special Keys
  Student Tools ... 13
  Troubleshooting Tips ... 13
Lab 1: Routing ... 16
  Exercise 1: Configuring Route Failover ... 17
    Verify the Routing Configuration
    Configure a Second Default Route
    Configure the Firewall Policies
    View the Routing Table
    Configure Link Health Monitors
    Test the Route Failover
    Restore the Routing Table
  Exercise 2: Equal Cost Multipath and Policy Routing ... 27
    Configure Administrative Distance
    Change the ECMP Load Balancing Method
    Verify Traffic Routing
    Configure Priority
    Verify ECMP
    Configure Policy Route for HTTPS Traffic
    Verify the Policy Route
Lab 2: SD-WAN Configuration
  Exercise 1: Configuring SD-WAN
    Remove Interface References
    Configure SD-WAN Load Balancing
    Create a Static Route for the SD-WAN Interface
    Create a Firewall Policy for SD-WAN Load Balancing ... 40
    Verify SD-WAN Load Balancing Configuration ... 41
  Exercise 2: SD-WAN Rule ... 43
    Configure SD-WAN Rules ... 43
    Verify SD-WAN Rules
Lab 3: VDOM Configuration
  Exercise 1: Creating VDOMs and VDOM Objects ... 48
    Create a VDOM ... 48
    Create a Per-VDOM Administrator ... 49
    Move an Interface to a Different VDOM ... 50
    Add DNS Service to an Interface
    Test the Per-VDOM Administrator Account ... 52
    Execute Per-VDOM CLI Commands
  Exercise 2: Configure an Inter-VDOM Link ... 55
    Create an Inter-VDOM Link ... 55
    Configure Routing Between VDOMs ... 56
    Configure Firewall Policies for Inter-VDOM Traffic ... 58
    Test the Inter-VDOM Link ... 60
Lab 4: Transparent Mode Configuration
  Exercise 1: Creating a Transparent Mode VDOM ... 63
    Create a Transparent Mode VDOM ... 63
    Moving an Interface to a Different VDOM ... 64
  Exercise 2: Creating an Inter-VDOM Link ... 66
    Create an Inter-VDOM Link ... 66
    Create Firewall Policies ... 67
    Route Inter-VDOM Traffic ... 70
    Test the Transparent Mode VDOM ... 70
Lab 5: Site-to-Site IPsec VPN Configuration ... 73
  Exercise 1: Configuring Route-Based IPsec VPN ... 75
    Create a VPN Using the VPN Wizard ... 75
    Review the Objects Created by the VPN Wizard
    Review the VPN Configuration on Remote-FortiGate ... 79
  Exercise 2: Testing and Monitoring the VPN ... 80
    Test the VPN ... 80
  Exercise 3: Configuring an IPsec VPN Between Two FortiGate Devices ... 82
    Prerequisites ... 82
    Create Phases 1 and 2 on Local-FortiGate ... 83
    Create a Static Route for a Route-Based VPN on Local-FortiGate ... 84
    Create an Interface Zone on Local-FortiGate ... 84
    Create Firewall Policies for VPN Traffic on Local-FortiGate ... 85
    Review the VPN Configuration on Remote-FortiGate
    Test the IPsec VPN ... 87
  Exercise 4: Configuring a Backup IPsec VPN ... 88
    Configure a Backup VPN on Local-FortiGate ... 88
    Review the Backup VPN Configuration on Remote-FortiGate ... 89
    Test the VPN Redundancy
Lab 6: Fortinet Single Sign-On (FSSO) Configuration ... 91
  Exercise 1: Configuring FSSO Collector Agent-Based Polling Mode ... 92
    Install the FSSO Collector Agent ... 92
    Configure the FSSO Collector Agent ... 94
    Configure SSO on FortiGate ... 98
    Assign Polled FSSO Users to a Firewall Policy ... 100
    Test FSSO ... 101
Lab 7: High Availability (HA) ... 105
  Lab HA Topology ... 105
  Exercise 1: Configuring HA ... 108
    Configure HA Settings on Local-FortiGate ... 108
    Configure HA Settings on Remote-FortiGate ... 109
    Observe and Verify the HA Synchronization Status ... 109
    Verify FortiGate Roles in a HA Cluster ... 110
    View Session Statistics ... 111
  Exercise 2: Triggering an HA Failover ... 112
    Trigger Failover by Rebooting the Primary FortiGate ... 112
    Verify the HA Failover and FortiGate Roles ... 113
    Trigger an HA Failover by Resetting the HA Uptime ... 114
    Observe HA Failover Using Diagnostic Commands ... 114
  Exercise 3: Configuring the HA Management Interface ... 116
    Access the Secondary FortiGate through the Primary FortiGate CLI ... 116
    Set Up a Management Interface ... 117
    Configure and Access the Primary FortiGate Using the Management Interface ... 117
    Configure and Access the Secondary FortiGate Using the Management Interface ... 118
    Disconnect FortiGate From the Cluster ... 119
    Restore the Remote-FortiGate Configuration ... 120
Lab 8: Web Proxy Configuration
  Exercise 1: Configuring an Explicit Web Proxy ... 123
    Show the Explicit Web Proxy Settings ... 123
    Enable Explicit Web Proxy ... 123
    Create an Authentication Scheme ... 123
    Create an Authentication Rule ... 124
    Create a Proxy Policy ... 125
    Configure Firefox for Explicit Web Proxy ... 126
    Test the Explicit Web Proxy Configuration ... 128
    List the Active Explicit Web Proxy Users ... 129
    List Explicit Web Proxy Sessions
  Exercise 2: Configuring the Transparent Web Proxy
    Disable the Explicit Web Proxy in Firefox
    Redirect the Traffic to the Transparent Web Proxy
    Create the Proxy Policies
    Testing the Transparent Web Proxy
    List Transparent Web Proxy Sessions
Lab 9: Diagnostics Performance
  Exercise 1: Knowing What is Happening Now
    Run Diagnostic Commands
  Exercise 2: Troubleshooting a Connectivity Problem
    Identify the Problem
    Use the Sniffer
    Use the Debug Flow Tool
    Fix the Problem
    Test the Fix

Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your classroom, then ignore this section. This section applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

[Figure: network topology diagram]

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted on remote data centers that allow each student to have their own training lab environment or point of delivery (PoD).

FortiGate Infrastructure 6.2 Lab Guide, page 7. Fortinet Technologies Inc.

Remote Access Test

Before starting any course, check if your computer can connect to the remote data center successfully. The remote access test fully verifies if your network connection and your web browser can support a reliable connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test
1. From a browser, access the following URL: https://use.cloudshare.com/test.ave
   If your computer connects successfully to the virtual lab, you will see the message All tests passed!
   [Figure: Remote Access Tests]
2. Inside the Speed Test box, click Run.
   The speed test begins.
   Once complete, you will get an estimate for your bandwidth and latency. If those estimations are not within the recommended values, you will get an error message.
   [Figure: Remote Access Tests]

Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a link and a passphrase.

To log in to the remote lab
1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.
4. Click Register and Login.
   Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
5. To open a VM from the dashboard, do one of the following:
   + From the top navigation bar, click a VM's tab.
     [Figure: dashboard top navigation bar with Virtual Machines tabs]
   + From the box of the VM you want to open, click View VM.
     [Figure: VM box with the View VM button]
   Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a Fortinet VM.

For most lab exercises, you will connect to a jumpbox VM, which could be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.
Disconnections and Timeouts

If your computer's connection to the VM times out or closes, to regain access, return to the window or tab that contains the list of VMs for your session, and reopen the VM. If that fails, see Troubleshooting Tips on page 13.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size. To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also change the color depth.

[Figure: HTML5 client Resolution drop-down list]

Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key.

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard.

[Figure: Virtual Keyboard panel]

Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance.

[Figure: student tool icons]

Troubleshooting Tips

+ Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
+ Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
+ For best performance, use a stable broadband connection, such as a LAN.
+ You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and general performance.
  [Figure: connectivity test in the lab dashboard]
+ If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
+ If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset.
  [Figure: VM action menu with Reset]
+ If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action menu, and select Revert.
  [Figure: VM action menu with Revert]

During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the following example appears:

[Figure: License Files dialog with OK and Cancel buttons]

To expedite the response, enter the following command in the CLI:

    execute update-now

Lab 1: Routing

In this lab, you will configure the router settings, and try scenarios to learn how FortiGate makes routing decisions.

Objectives
+ Route traffic based on the destination IP address, as well as other criteria
+ Balance traffic among multiple paths
+ Implement route failover
+ Implement policy routing
+ Diagnose a routing problem

Time to Complete
Estimated: 50 minutes

Prerequisites

Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
   [Figure: admin menu on FortiGate VM64 6.2.0 build0866 (GA) showing Configuration > Restore, Change Password, Revisions and Logout]
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Routing > local-routing.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.
Exercise 1: Configuring Route Failover

In the lab network, Local-FortiGate has two interfaces connected to the Internet: port1 and port2. During this exercise, you will configure the port1 connection as the primary Internet link, and the port2 connection as the backup Internet link. Local-FortiGate should use the port2 connection only if the port1 connection is down.

To achieve this objective, you will configure two default routes with different administrative distances, as well as configure two link health monitors.

Verify the Routing Configuration

First, you'll verify the existing routing configuration on Local-FortiGate.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:
+ View the existing static route configuration on Local-FortiGate
+ Enable the Distance and Priority columns on the static route configuration page
+ Make note of the Distance and Priority values of the existing default route
If you require assistance, or to verify your work, use the step-by-step instructions that follow. After you complete the challenge, see Configure a Second Default Route on page 18.

To verify the routing configuration
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Click Network > Static Routes.
   [Figure: static route table showing destination 0.0.0.0/0, gateway 10.200.1.254, interface port1]
4. Right-click any of the columns to open the context-sensitive menu.
5. In the Available Columns section, select Distance and Priority, and then click Apply.
   [Figure: column menu with Best Fit All Columns, Reset Table, and the Destination, Gateway IP, Interface, Status, Comments, Distance and Priority columns]
   The Distance and Priority columns display.
   [Figure: static route table with the Distance and Priority columns shown]
   Note that, by default, static routes have a Distance value of 10, and a Priority value of 0.

Configure a Second Default Route

You will create a second default route using the port2 interface. To make sure this second default route remains inactive, you will assign it a higher distance.

Take the Expert Challenge!
+ On the Local-FortiGate GUI, configure a second default route using port2
+ Assign it a Distance of 20, and Priority of 5
If you require assistance, or to verify your work, use the step-by-step instructions that follow. After you complete the challenge, see Configure the Firewall Policies on page 19.

To configure a second default route
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:
   Field                      Value
   Gateway                    10.200.2.254
   Interface                  port2
   Administrative Distance    20
4. Click the plus (+) icon to expand the Advanced Options section.
5. In the Priority field, enter a value of 5.
   [Figure: New Static Route dialog with Destination 0.0.0.0/0, Interface port2, Gateway Address 10.200.2.254, Administrative Distance 20, Priority 5]
6. Click OK.
   A second default route is added.
   [Figure: static route table listing both default routes with their Distance and Priority values]

Configure the Firewall Policies

You will modify the existing Full_Access firewall policy to log all sessions. You will also create a second firewall policy to allow traffic through the secondary interface.

Take the Expert Challenge!
+ Continuing on the Local-FortiGate, enable logging for all sessions in the existing Full_Access firewall policy
+ Create a second firewall policy named Backup_Access
+ Configure the Backup_Access policy to allow traffic from port3 to port2 with NAT enabled
+ Enable logging on the Backup_Access policy for all sessions
If you require assistance, or to verify your work, use the step-by-step instructions that follow. After you complete the challenge, see View the Routing Table on page 21.

To configure the firewall policies
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Double-click the existing Full_Access policy to edit it.
3. Enable logging for All Sessions.
   [Figure: Logging Options with All Sessions selected, Generate Logs when Session Starts, Capture Packets, Comments, Enable this policy]
   All Sessions logging ensures that all traffic is logged, and not just sessions inspected by security profiles. This will assist in verifying traffic routing using the Forward Traffic logs.
4. Click OK.
5. Click Create New.
6. Configure a second firewall policy with the following settings:
   Field                 Value
   Name                  Backup_Access
   Incoming Interface    port3
   Outgoing Interface    port2
   Source                LOCAL_SUBNET
   Destination           all
   Schedule              always
   Service               ALL
   Action                Accept
   NAT                   enabled
7. Enable logging for All Sessions.
8. Click OK.

View the Routing Table

The Local-FortiGate configuration now has two default routes with different distances. You will view the routing table to see which one is active.

To view the routing table
1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following command to confirm the list of active routes in the routing table:
   Note that the second default route is not listed.
4. Enter the following CLI command to list both active and inactive routes:
   Confirm that the second default route is listed as inactive.

Stop and think!
Why is the port2 default route inactive?
The port2 default route has a higher administrative distance than the port1 default route. When two or more routes to the same destination have different distances, the lower distance route is always active.

6. Leave the PuTTY session open.

Configure Link Health Monitors

You will configure two link health monitors to monitor the status of both the port1 and port2 routes.

To configure link health monitoring
1. Continuing on the LOCAL-FORTIGATE PuTTY session, enter the following CLI commands to create a link health monitor for port1 on Local-FortiGate:

       set server 4.2.2.1
       set gateway-ip 10.200.1.254
       set protocol ping

2. Configure another link health monitor for port2.
3. Leave your PuTTY session open.

Test the Route Failover

First, you will access various websites and use the Forward Traffic logs to verify that the port1 route is being used. Next, you will force a failover by reconfiguring the port1 link health monitor to ping an invalid IP address. You will then generate some more traffic, and use the Forward Traffic logs to verify that the port2 route is being used.

To confirm the port1 route is primary
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and then click Log & Report > Forward Traffic.
2. Right-click any of the columns to open the context-sensitive menu.
3. In the Available Columns section, select Destination Interface.
   [Figure: Forward Traffic log column menu with Destination Interface selected]
4. Scroll down in the context-sensitive menu and click Apply.
   The Destination Interface column is displayed.
5. Open a few new tabs in the web browser, and visit a few websites:
   + http://www.pearsonvue.com/fortinet
   + http://cve.mitre.org
   + http://www.eicar.org
6. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report > Forward Traffic.
7. Click the refresh icon.
   [Figure: Forward Traffic log with Date/Time, Source, Destination and Result columns]
8. Locate the relevant log entries for the three websites you accessed, and verify that their Destination Interface indicates port1.
   [Figure: Forward Traffic log entries matched by the Full_Access policy with Destination Interface port1]
   This verifies that the port1 route is currently active and in use.

To force the failover
1. Return to the open LOCAL-FORTIGATE PuTTY session, and enter the following CLI commands to modify the port1 link monitor:

       config system link-monitor
           set server 10.200.1.13
       end

2. Wait a few seconds.
   Because 10.200.1.13 is a non-existent host in the lab network, the link health monitor will not receive any replies. Because of this, the link health monitor will assume that the port1 Internet connection is down, and remove the corresponding route from the routing table.
3. Leave your PuTTY session open.

To verify the route change
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report > System Events.
   Verify that the Local-FortiGate detected the link monitor failure and removed the corresponding port1 route.
   [Figure: System Events log showing the link monitor failure]
2. Click Monitor > Routing Monitor.
3.
   Verify that the port2 route is active in the routing table.
   [Figure: Routing Monitor listing the static default route via 10.200.2.254 on port2 and the connected routes for 10.0.1.0/24 on port3, 10.200.1.0/24 on port1 and 10.200.2.0/24 on port2]

To verify traffic logs
1. Continuing on the Local-Windows VM, open a few new tabs in the web browser, and visit a few websites:
   + http://www.pearsonvue.com/fortinet
   + http://cve.mitre.org
   + http://www.eicar.org
2. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report > Forward Traffic.
3. Locate the relevant log entries for the three websites you accessed, and verify that their Destination Interface indicates port2.
   [Figure: Forward Traffic log entries matched by the Backup_Access policy with Destination Interface port2]
   This verifies that the Local-FortiGate is using the port2 default route.

Restore the Routing Table

Before starting the next exercise, you will restore the port1 link health monitor's server configuration with a valid host address, which will restore the port1 default route as the active route in the routing table.

To restore the port1 health monitor configuration
1. Return to the open LOCAL-FORTIGATE PuTTY session, and enter the following CLI commands:

       config system link-monitor
           set server 4.2.2.1
       end

2. Close the PuTTY session.

To verify the routing table
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Monitor > Routing Monitor.
2.
   Verify that the port2 route is removed, and the port1 route is active.
   [Figure: Routing Monitor listing the static default route on port1 and the connected routes]
3. Close the browser.

Exercise 2: Equal Cost Multipath and Policy Routing

In this exercise, you'll configure equal cost multipath (ECMP) routing on the Local-FortiGate to balance the Internet traffic between port1 and port2. After that, you'll configure a policy route to route HTTPS traffic through port1 only.

Configure Administrative Distance

To establish ECMP, first you will configure multiple static routes with the same administrative distance.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:
+ Change the port2 static route administrative Distance to 10
+ Verify that both port1 and port2 default routes are active in the routing table
If you require assistance, or to verify your work, use the step-by-step instructions that follow. After you complete the challenge, see Change the ECMP Load Balancing Method on page 28.

To configure administrative distance
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Click Network > Static Routes.
3. Double-click the port2 static route to edit it.
4. Change the Administrative Distance to 10.
   [Figure: Edit Static Route dialog for port2 with Gateway Address 10.200.2.254 and Administrative Distance 10]
5. Click OK.

To verify the routing table
1. Continuing on the Local-FortiGate GUI, click Monitor > Routing Monitor.
2.
   Verify that both default routes are now active:
   [Figure: Routing Monitor listing two static default routes, via 10.200.1.254 on port1 and via 10.200.2.254 on port2, plus the connected routes]

Change the ECMP Load Balancing Method

By default, the ECMP load balancing method is based on source IP. This works well when there are multiple clients generating traffic. In the lab network, because you have only one client (Local-Windows), the source IP method will not balance any traffic to the second route. Only one route will always be used. For this reason, you will change the load balancing method to use both source and destination IP. Using this method, as long as the traffic goes to multiple destination IP addresses, FortiGate will balance the traffic across both routes.

To modify the ECMP load balancing method
1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Enter the following CLI commands to change the ECMP load-balancing method:
4. Leave the PuTTY session open.

Verify Traffic Routing

You will generate some HTTP traffic and verify traffic routing using the Forward Traffic logs.

Take the Expert Challenge!
+ On Local-Windows, open a few new browser tabs and generate some HTTP traffic
+ Verify the traffic routing on Local-FortiGate using the Forward Traffic logs
+ Identify why all the outgoing packets are still being routed through port1
If you require assistance, or to verify your work, use the step-by-step instructions that follow. After you complete the challenge, see Configure Priority on page 28.

To verify traffic routing
1.
   On the Local-Windows VM, open new tabs in the web browser, and visit a few websites:
   + http://www.pearsonvue.com/fortinet
   + http://cve.mitre.org
   + http://www.eicar.org
2. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Log & Report > Forward Traffic.
3. Identify the Destination Interface in the relevant log entries for the websites you accessed.
   [Figure: Forward Traffic log entries with Destination Interface port1]

Stop and think!
Why are all the outgoing packets still being routed through port1?
The port2 route is not being used because it was configured with a higher priority value than the port1 route (see Configure a Second Default Route on page 18). When two routes to the same destination have the same administrative distance, both remain active. However, if the priorities are different, the route with the lowest priority value is used. So, to achieve ECMP with static routes, the distance and priority values must be the same for both routes.

Configure Priority

You will change the priority value for the port2 route to match the port1 route.

Take the Expert Challenge!
On Local-FortiGate, modify the static routing configuration so both default routes are eligible for ECMP.
If you require assistance, or to verify your work, use the step-by-step instructions that follow. After you complete the challenge, see Verify ECMP on page 30.

To configure priority
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Double-click the port2 default route to edit it.
3. Click the plus (+) icon to expand the Advanced Options section.
4. Change the Priority value to 0.
5. Click OK.

Verify ECMP

Now that both port1 and port2 routes share the same distance and priority values, they are eligible for ECMP. First, you will verify the routing table, and then verify traffic routing using the Forward Traffic logs.
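The selection rules that the two Stop and think boxes describe (a route withdrawn by a link monitor is ignored, the lowest administrative distance wins, then the lowest priority value, and only routes that tie on both are installed together for ECMP), together with the source-IP versus source-and-destination load balancing methods, can be exercised with the following Python model. It is an added example, not code from the lab guide or from FortiOS. The route values are the lab's; the client address 10.0.1.10 and the 192.0.2.x destinations are constructed, and the CRC32 hash used to pick an ECMP member is an illustrative assumption, not FortiGate's real hashing.

```python
"""Model of the static-route selection rules described in this lab.

Added example, not code from the lab guide or from FortiOS. The CRC32 hash
that picks an ECMP member is an assumption for illustration only.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    destination: str      # e.g. "0.0.0.0/0"
    gateway: str
    interface: str
    distance: int = 10    # FortiGate default for static routes
    priority: int = 0     # FortiGate default
    up: bool = True       # False once a link monitor has withdrawn the route


def lab_routes(port2_distance=20, port2_priority=5, port1_up=True):
    """The lab's two default routes; port2's values follow the exercise steps."""
    return [
        StaticRoute("0.0.0.0/0", "10.200.1.254", "port1", 10, 0, port1_up),
        StaticRoute("0.0.0.0/0", "10.200.2.254", "port2",
                    port2_distance, port2_priority),
    ]


def active_routes(routes, destination="0.0.0.0/0"):
    """Routes installed for `destination`; more than one result means ECMP."""
    cands = [r for r in routes if r.destination == destination and r.up]
    if not cands:
        return []
    best_distance = min(r.distance for r in cands)      # lowest distance wins
    cands = [r for r in cands if r.distance == best_distance]
    best_priority = min(r.priority for r in cands)      # then lowest priority
    return [r for r in cands if r.priority == best_priority]


def pick_ecmp_route(active, src_ip, dst_ip, mode="source-ip-based"):
    """Choose one active route for a flow.

    mode is "source-ip-based" (hash on the source only, the default the lab
    describes) or "source-dest-ip-based" (hash on source and destination).
    """
    if not active:
        raise ValueError("no active route")
    if len(active) == 1:
        return active[0]
    key = src_ip if mode == "source-ip-based" else f"{src_ip}|{dst_ip}"
    ordered = sorted(active, key=lambda r: r.interface)
    return ordered[zlib.crc32(key.encode()) % len(ordered)]   # assumed hash


def egress_interfaces(routes, src_ip, dst_ips, mode):
    """Interfaces a single client ends up using across several destinations."""
    active = active_routes(routes)
    return {pick_ecmp_route(active, src_ip, d, mode).interface for d in dst_ips}


SAMPLE_CLIENT = "10.0.1.10"                                   # constructed
SAMPLE_DESTINATIONS = [f"192.0.2.{i}" for i in range(1, 33)]  # constructed


if __name__ == "__main__":
    cases = [("distance 20 / priority 5", lab_routes()),
             ("distance 10 / priority 5", lab_routes(10, 5)),
             ("distance 10 / priority 0", lab_routes(10, 0)),
             ("port1 withdrawn by link monitor", lab_routes(port1_up=False))]
    for label, routes in cases:
        print(label, "->", [r.interface for r in active_routes(routes)])
    both = lab_routes(10, 0)
    for mode in ("source-ip-based", "source-dest-ip-based"):
        print(mode, "->", sorted(egress_interfaces(
            both, SAMPLE_CLIENT, SAMPLE_DESTINATIONS, mode)))
```

Running the script reproduces the lab's observations in order: with distance 20 only port1 is installed; with equal distance but priority 5 on port2 the port1 route still wins; with both at 0 both are installed, yet a single client hashed on source IP alone keeps landing on one interface, and only the source-and-destination method spreads its flows across port1 and port2.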
To verify the routing table
1. Return to the open LOCAL-FORTIGATE PuTTY session, and enter the following CLI commands on the Local-FortiGate:

To configure the CLI sniffer
1. Continuing on the LOCAL-FORTIGATE PuTTY session, enter the following CLI commands:

       diagnose sniffer packet any "tcp[13]&2==2 and port 80" 4

   The filter 'tcp[13]&2==2' matches packets with the SYN flag on, so the output will show all SYN packets to port 80 (HTTP).
2. Leave the PuTTY window open in the background.

To verify ECMP routing
1. On the Local-Windows VM, open new tabs in the web browser, and visit a few websites:
   + http://www.pearsonvue.com/fortinet/
   + http://cve.mitre.org
   + http://www.eicar.org
2. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
3. Analyze the sniffer output.
   The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load balancing all Internet traffic across both routes.
4. Leave the PuTTY session open.

Configure Policy Route for HTTPS Traffic

You will force all HTTPS traffic to egress through port1 using a policy route. All other traffic should remain unaffected and balanced between port1 and port2. To implement this, you will configure a policy route.
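Both sniffer checks in this exercise, the ECMP check above and the HTTPS check that follows, rely on the filter tcp[13]&2==2. The Python below, added here and not part of the lab guide or of FortiOS, shows what that expression tests on a raw TCP header and then tallies client SYNs per egress interface, which is what the lab asks you to do by reading the sniffer output. The TCP headers and the interface-tagged capture are constructed for the example; they are not output from the lab FortiGate.

```python
"""What the sniffer filter tcp[13]&2==2 tests, and a per-interface SYN tally.

Added example, not part of the Fortinet lab guide. Byte 13 of the TCP header
is the flags byte and bit 0x02 is SYN; that is all the BPF expression checks.
All packets below are constructed.
"""
import struct

# Flag bits of the TCP flags byte (tcp[13])
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(src_port, dst_port, flags):
    """Return a minimal 20-byte TCP header (no options) with the given flags."""
    data_offset = 5 << 4                      # header length: 5 x 32-bit words
    return struct.pack("!HHIIBBHHH",
                       src_port, dst_port,
                       0, 0,                  # sequence and ack numbers
                       data_offset, flags,
                       65535, 0, 0)           # window, checksum, urgent pointer


def flag_names(header):
    """Decode tcp[13] into flag names, e.g. ['SYN', 'ACK']."""
    bits = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)]
    return [name for name, bit in bits if header[13] & bit]


def matches_filter(header, port):
    """Same test as the BPF filter "tcp[13]&2==2 and port <port>".

    'port N' matches either direction and tcp[13]&2==2 is also true for a
    SYN/ACK reply, so a capture on 'any' may show both halves of a handshake;
    the port positions tell them apart.
    """
    src_port, dst_port = struct.unpack("!HH", header[:4])
    return (header[13] & SYN) == SYN and port in (src_port, dst_port)


def is_client_syn(header, port):
    """True only for the handshake opener: SYN set, ACK clear, sent to port."""
    _, dst_port = struct.unpack("!HH", header[:4])
    return (header[13] & (SYN | ACK)) == SYN and dst_port == port


def count_syn_by_interface(capture, port):
    """Tally client SYNs per egress interface, as the lab does by eye."""
    counts = {}
    for iface, header in capture:
        if is_client_syn(header, port):
            counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed capture: (egress interface, TCP header) pairs, standing in for
# a 'diagnose sniffer packet any' run while a client opened a few HTTP sites.
SAMPLE_CAPTURE = [
    ("port1", build_tcp_header(50001, 80, SYN)),
    ("port1", build_tcp_header(80, 50001, SYN | ACK)),   # reply, not a new flow
    ("port2", build_tcp_header(50002, 80, SYN)),
    ("port2", build_tcp_header(50003, 80, SYN)),
    ("port1", build_tcp_header(50004, 443, SYN)),        # HTTPS, not port 80
    ("port2", build_tcp_header(50002, 80, ACK)),         # data segment, no SYN
]


if __name__ == "__main__":
    for iface, hdr in SAMPLE_CAPTURE:
        print(iface, flag_names(hdr), "matches port-80 filter:",
              matches_filter(hdr, 80))
    print("client SYNs to port 80 by interface:",
          count_syn_by_interface(SAMPLE_CAPTURE, 80))
    print("client SYNs to port 443 by interface:",
          count_syn_by_interface(SAMPLE_CAPTURE, 443))
```

The tally over the constructed capture lands port-80 SYNs on both port1 and port2, the picture the lab expects once ECMP is working, while the only port-443 SYN egresses port1, the picture the policy route is meant to produce. The SYN/ACK line shows why a raw count of filter matches can overstate the number of new connections.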
Configure the following settings: an Ware Protocol Top Incoming interface port Source addrass>IP/Netmask 10.0.1.0/24 Destination Address > IP/Netmask 0.0.0.010 Source Ports From 1 to 65535 Destination Ports From 443 to 443, Action Forward Traffic (Outgoing Interface and portt Gateway Address 10.200.1.254 The policy route should look lke the following example: Nev foanaraia Protea HEB 2c scr |r | sony Ironing iertice | gor) x TwectService Bt oo] BMask| ow ‘ctor BERBER 80 Pocy aire Ourgdinginterace © | perth - Statue EEE © oes Ls 4. Click OK. 32 FortiGate Infrastructure 6.2 Lab Guide Fortinet Technologies Inc. DO NQT. BEBRINT: an Poiy Routing Vert the Pl Rute © FORTINET Verify the Policy Route First, you will verify the routing table, and then verify policy routing by generating HTTPS traffic and viewing the CLI sniffer output. To verify the policy route table ‘14 Continuing on the Local-FortiGate GUI, click Monitor > Routing Monitor. 2. Click Policy 2 Fetesh || @ Rowe oon] @ Ven ]| © Te eto Gateray P races. Dance wi te conan 102001254 iw pont 0 ‘ te conn 2254 rd 0 0 fcoineces 00.00 ono Boos 0 0 Jconectd 10200 024 ooo i pont a 0 fconecis o2mn200 can moe a 0 3. Verify thatthe policy route is added tothe policy rout table, & Retesh] | @ Rowe Loomw| © Vew | Search @) Sack meme Fre owe e Destraton Garay Pee ston fen —eOyaeee SaaS mmpeel —OOOWODDN_vaaonaN «Tor © Fase To verify policy routing for HTTPS traffic 41, Retum to the open LOCAL-FORTIGATE PUTTY session, and enter the following CL! commands on Local FortiGate: diag: enifte: Ne: and port 443" 4 ket any *t: ‘As before, this sniffer filter matches packets with the SYN flag on, but this time for port 443 (HTTPS). Leave the PUTTY window open in the background 2. Onthe Local-Windows VM, open new tabs in the web browser, and then visit afew HTTPS websites: + htips:/imww-fortiguard.com + https://supporfortinet.com 3. Return to the LOCAL-FORTIGATE PUTTY session, and then press Ctrl+C to stop the sniffer. 
4. Analyze the sniffer output:

[Screenshot: sniffer output, 10.0.1.254 - PuTTY]

The SYN packets are egressing port1 only. This verifies that Local-FortiGate is applying the policy route for HTTPS traffic.

To verify non-HTTPS traffic routing
1. Continuing on your LOCAL-FORTIGATE PuTTY session, enter the following CLI command:

diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4

2. On the Local-Windows VM, open new tabs in the web browser, and visit a few HTTP websites:
+ http://www.pearsonvue.com/fortinet/
+ http://cve.mitre.org
+ http://www.eicar.org
3. Return to the open PuTTY session, and press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output:

[Screenshot: sniffer output, 10.0.1.254 - PuTTY]

HTTP (port 80) traffic remains unaffected by the policy route, and is still load balanced across both the port1 and port2 routes.

Stop and think!
The Local-FortiGate configuration still has the two link health monitors for port1 and port2. Do they also enable routing failover for ECMP scenarios?

Yes. If Local-FortiGate detects a problem in any of the routes, the link monitor will remove the corresponding route, and all Internet traffic will be routed through the remaining route.

5. Close the PuTTY session and browser.

Lab 2: SD-WAN Configuration

In this lab, you will configure SD-WAN on Local-FortiGate.

Objectives
+ Configure SD-WAN load balancing
+ Configure routes and firewall policies for SD-WAN
+ Configure SD-WAN rules for an Internet service
+ Verify SD-WAN load balancing

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

[Screenshot: admin menu, Configuration > Restore]

3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > SDWAN > local-sdwan.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring SD-WAN

In this exercise, you will configure SD-WAN using the port1 and port2 interfaces on Local-FortiGate.

Remove Interface References

Before you can add port1 and port2 as SD-WAN member interfaces, you must remove all configuration elements referencing the two interfaces.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), remove all firewall policies and routes referencing port1 and port2.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Configure SD-WAN Load Balancing on page 38.

To remove interface references
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Click Network > Static Routes.
3. Select the port1 default route, and then click Delete.

[Screenshot: Static Routes]

4. Click OK.
5. Click Policy & Objects > IPv4 Policy.
6. Select the Full_Access policy, and then click Delete.

[Screenshot: IPv4 Policy]

Configure SD-WAN Load Balancing

You will configure SD-WAN load balancing for all Internet traffic between port1 and port2.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254), complete the following:
+ Configure SD-WAN members with the following configuration:
  + port1 with Gateway 10.200.1.254
  + port2 with Gateway 10.200.2.254
+ Edit SD-WAN Rules to use Source-Destination IP as the load-balancing method.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Create a Static Route for the SD-WAN Interface on page 40.

To configure SD-WAN load balancing
1. Continuing on the Local-FortiGate GUI, click Network > SD-WAN.
2. Set Status to Enable.
3. In the SD-WAN Interface Members section, click the + sign to add the first interface.

[Screenshot: SD-WAN Interface Members]

4. Configure the following settings:

Field        Value
Interface    port1
Gateway      10.200.1.254
Status       Enable

5. In the SD-WAN Interface Members section, click the + sign again to add the second interface.
6. Configure the following settings:

Field        Value
Interface    port2
Gateway      10.200.2.254
Status       Enable

The SD-WAN configuration should look like the following example:

[Screenshot: SD-WAN configuration with the port1 and port2 members]

7. Click Apply.
8. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
9. At the login prompt, enter the user name admin and password password.
10. Use the following commands to set Load Balancing Algorithm to Source-Destination IP:

config system virtual-wan-link
    set load-balance-mode source-dest-ip-based
end

11. Do not close the PuTTY window.

Create a Static Route for the SD-WAN Interface

You will create a default route using the sd-wan virtual interface.
Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254), configure a default route using the sd-wan interface.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Create a Firewall Policy for SD-WAN Load Balancing on page 40.

To create a static route for SD-WAN
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field                      Value
Destination                Subnet 0.0.0.0/0.0.0.0
Interface                  SD-WAN
Administrative Distance    10

4. Click OK.

Create a Firewall Policy for SD-WAN Load Balancing

You will create the firewall policy to allow Internet traffic to pass from port3 to the sd-wan interface.

To create a firewall policy for SD-WAN load balancing
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field                 Value
Name                  SDWAN_Access
Incoming Interface    port3
Outgoing Interface    SD-WAN
Source                LOCAL_SUBNET
Destination           all
Schedule              always
Service               ALL
Action                Accept
NAT                   Enable

4. Click OK.

Verify the SD-WAN Load Balancing Configuration

First, you will review the Local-FortiGate routing table to examine the routes installed for SD-WAN. Then, you will use the CLI packet capture tool to verify whether or not FortiGate is load balancing HTTP traffic between the SD-WAN member interfaces.

To review the routing table
1. Continuing on the PuTTY window, enter the following command to confirm the list of active routes in the routing table:

get router info routing-table all

2. Verify that both default routes for port1 and port2 have the same distance value and are active in the routing table.
Note: After you create a static route for the SD-WAN interface, FortiGate automatically adds individual routes, with the same distance value, for all member interfaces. This ensures all routes will be active in the routing table, which makes them eligible for load balancing.

To verify the SD-WAN load balancing configuration
1. Continuing on the LOCAL-FORTIGATE PuTTY session, enter the following CLI command:

diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4

2. On the Local-Windows VM, open new tabs in the web browser, and visit a few websites:
+ http://www.pearsonvue.com/fortinet/
+ http://cve.mitre.org
+ http://www.eicar.org
3. Return to the open LOCAL-FORTIGATE PuTTY session, and press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output.

[Screenshot: sniffer output]

The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load balancing all Internet traffic across the SD-WAN member interfaces.

5. Close the PuTTY session and your browser.

Exercise 2: SD-WAN Rule

In this exercise, you will create SD-WAN rules on Local-FortiGate to route specific traffic to a specific interface.

Configure SD-WAN Rules

You will configure two SD-WAN rules: one for all the traffic going out from port2, and another rule to route traffic for the Fortinet.ICMP Internet service to port1.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254), configure SD-WAN rules to match the following traffic:
+ Rule 1: all Source Address, Fortinet.ICMP Internet Service, Outgoing Interfaces Strategy Manual, and Interface preference port1
+ Rule 2: all Source Address, all Destination Address, Outgoing Interfaces Strategy Manual, and Interface preference port2
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see To verify SD-WAN rules on page 44.

To create SD-WAN rules
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Click Network > SD-WAN Rules.
3. Click Create New.
4. Configure the following settings:

Field                   Value
Name                    Fortinet_ICMP_Rule
Source address          all
Internet Service        Fortinet.ICMP
Strategy                Manual
Interface preference    port1

To select the Internet service, click Internet Service and then, in the top search bar, type Fortinet to see all the Internet services related to Fortinet. Find the Internet service Fortinet.ICMP and click it to select it.

[Screenshot: Internet Service selection]

5. Click OK.
6. Click Create New to create another rule.
7. Configure the following settings:

Field                   Value
Name                    All_Access_Rule
Source address          all
Destination Address     all
Strategy                Manual
Interface preference    port2

8. Click OK.

Verify SD-WAN Rules

You will use the CLI packet capture tool to verify how the SD-WAN rules route ICMP traffic to a Fortinet IP address and all other traffic.

To verify SD-WAN rules
1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the username admin and password password.
3. Enter the following command to run the packet capture:

diagnose sniffer packet any "icmp" 4

4. On the Local-Windows VM, open a command prompt window, and then run the following command to ping 4.2.2.2:

ping 4.2.2.2

5. Analyze the sniffer output on the PuTTY session:

[Screenshot: ping and sniffer output]

The ICMP packets are going out from port2 only. You can run the test again with another IP, 4.2.2.1, and you will see the same behavior. This verifies that all the traffic is going out through port2 only, as you specified in the rule.

6. Continuing on the command prompt window, run the following command to ping a Fortinet service IP:

[Screenshot: ping and sniffer output]

This verifies that the traffic is matching Fortinet_ICMP_Rule and is going out through port1.

7. Close the PuTTY session, command prompt window, and your browser.

Lab 3: VDOM Configuration

In this lab, you will create one VDOM and configure an inter-VDOM link.

Objectives
+ Use VDOMs to split a FortiGate device into multiple virtual devices
+ Create an administrative account and limit access to one VDOM
+ Route traffic between VDOMs by using inter-VDOM links

Time to Complete
Estimated: 25 minutes

Topology

The goal of the lab is to create the following topology. You will use VDOMs to logically split Local-FortiGate into two virtual firewalls: the root VDOM and the customer VDOM. Both VDOMs are running in NAT mode. So, all Internet traffic coming from Local-Windows must pass through the customer VDOM first, and then the root VDOM.

[Diagram: Local-Windows, Local-FortiGate customer VDOM, Local-FortiGate root VDOM, Linux server]

Prerequisites

Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

[Screenshot: admin menu, Configuration > Restore]

3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > VDOM > local-vdom1.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.
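The sniffer-based checks in Labs 1 and 2 (ECMP, the HTTPS policy route, SD-WAN load balancing and the ICMP SD-WAN rule) all come down to reading which interface each outbound packet left on. The following Python is an added example, not part of the lab guide or of FortiOS: it parses verbosity-4 diagnose sniffer packet output, tallies egress interfaces for client SYNs and ICMP echo requests, and reimplements the tcp[13]&2==2 flag test. The capture is constructed, and the 10.200.1.1 and 10.200.2.1 source addresses are assumed port1/port2 addresses.

```python
import re
import struct
from collections import Counter, defaultdict

TCP_SYN = 0x02  # the bit tested by the lab's BPF filter tcp[13]&2==2
TCP_ACK = 0x10


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header with no options; byte 13 carries the flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def is_syn(tcp_header: bytes) -> bool:
    """Python equivalent of the BPF test tcp[13]&2==2 used by the lab sniffer filter."""
    return len(tcp_header) >= 14 and (tcp_header[13] & TCP_SYN) == TCP_SYN


# One verbosity-4 sniffer line:
#   <timestamp> <interface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <details>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)
FLAG_RE = re.compile(r"\b(syn|ack|fin|rst|psh)\b")


def parse_sniffer(text: str) -> list:
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        rec["flags"] = set(FLAG_RE.findall(rec["rest"]))
        records.append(rec)
    return records


def outbound_syn_tally(records: list) -> dict:
    """Map destination port -> Counter of egress interfaces for client SYNs.

    tcp[13]&2==2 also matches SYN-ACKs, so replies are filtered out here; only the
    FortiGate's own forwarding decision (direction 'out', SYN without ACK) is counted."""
    tally = defaultdict(Counter)
    for r in records:
        if r["dir"] == "out" and "syn" in r["flags"] and "ack" not in r["flags"]:
            tally[r["dport"]][r["iface"]] += 1
    return dict(tally)


def egress_interfaces(tally: dict, dport: int) -> list:
    """Sorted list of interfaces that carried outbound SYNs to dport."""
    return sorted(tally.get(dport, Counter()))


def icmp_echo_egress(records: list, dst: str) -> list:
    """Interfaces on which ICMP echo requests to dst left the FortiGate (SD-WAN rule check)."""
    return sorted({r["iface"] for r in records
                   if r["dir"] == "out" and r["dst"] == dst and "echo request" in r["rest"]})


def check_routing(tally: dict, expected: dict) -> dict:
    """expected maps dport -> set of interfaces; True where the observed set matches exactly."""
    return {port: set(egress_interfaces(tally, port)) == set(ifaces)
            for port, ifaces in expected.items()}


# Constructed sample capture (not taken from a real FortiGate). 10.0.1.10 is Local-Windows;
# 10.200.1.1 and 10.200.2.1 are assumed to be the port1/port2 addresses used for SNAT.
SAMPLE = """\
interfaces=[any]
filters=[tcp[13]&2==2 and (port 80 or port 443) or icmp]
1.102233 port3 in 10.0.1.10.50001 -> 93.184.216.34.80: syn 1000
1.102301 port1 out 10.200.1.1.50001 -> 93.184.216.34.80: syn 1000
1.140110 port1 in 93.184.216.34.80 -> 10.200.1.1.50001: syn 2000 ack 1001
1.140180 port3 out 93.184.216.34.80 -> 10.0.1.10.50001: syn 2000 ack 1001
2.004400 port3 in 10.0.1.10.50002 -> 198.51.100.7.80: syn 3000
2.004466 port2 out 10.200.2.1.50002 -> 198.51.100.7.80: syn 3000
3.300100 port3 in 10.0.1.10.50003 -> 203.0.113.9.443: syn 4000
3.300170 port1 out 10.200.1.1.50003 -> 203.0.113.9.443: syn 4000
3.900100 port3 in 10.0.1.10.50004 -> 198.51.100.7.443: syn 5000
3.900170 port1 out 10.200.1.1.50004 -> 198.51.100.7.443: syn 5000
4.500000 port3 in 10.0.1.10 -> 4.2.2.2: icmp: echo request
4.500055 port2 out 10.200.2.1 -> 4.2.2.2: icmp: echo request
"""


if __name__ == "__main__":
    records = parse_sniffer(SAMPLE)
    tally = outbound_syn_tally(records)
    # Lab 1 after the policy route: HTTP still ECMP across port1/port2, HTTPS pinned to port1.
    print(check_routing(tally, {80: {"port1", "port2"}, 443: {"port1"}}))
    # Lab 2 SD-WAN rule: pings to 4.2.2.2 should leave on port2 only.
    print(icmp_echo_egress(records, "4.2.2.2"))
```

To use it on a real capture, paste the PuTTY output into SAMPLE (or read it from a file) and compare the tally against the interfaces each exercise expects.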
Exercise 1: Creating VDOMs and VDOM Objects

In this exercise, you will add a new VDOM. Then, you will create an inter-VDOM link between the VDOM you added and the root VDOM. You will also create an administrator account that will have access to only one VDOM.

Note: The configuration file for this exercise already has VDOMs enabled. You will use only multi-vdom mode in this exercise.

Create a VDOM

A FortiGate with VDOMs enabled always includes a root VDOM. Administrators can create additional VDOMs to split the physical FortiGate into multiple virtual firewalls. In the next steps, you will add a second VDOM.

To create a VDOM
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.

You will notice that the FortiGate menu has changed. This is because VDOMs are enabled. There is now a drop-down list at the top of the menu. In the drop-down list, you can select the global settings or the VDOM-specific settings for the root VDOM. The default setting is Global.

2. Click System > VDOM.
3. Click Create New.
4. Configure the following VDOM settings:

Field             Value
Virtual Domain    customer
NGFW Mode         Profile-based

5. Click OK.

Notice that the drop-down list at the top of the menu shows a third option: the VDOM-specific settings for customer.

[Screenshot: VDOM drop-down list]

Create a Per-VDOM Administrator

You will create an administrator account that has access to only the customer VDOM.

To create a per-VDOM administrator
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and click Global > System > Administrators.
2. Click Create New > Administrator.
3. Configure the following settings:

Field                    Value
User Name                customer-admin
Type                     Local User
Password                 fortinet
Confirm Password         fortinet
Administrator Profile    prof_admin
Virtual Domains          customer

4. Remove root from the Virtual Domains list to restrict the new administrator's access to customer.

[Screenshot: New Administrator]

5. Click OK.

Move an Interface to a Different VDOM

The account customer-admin will be able to log in only through an interface in the customer VDOM. So, move the port3 interface, which connects to the internal network, to the customer VDOM.

To move an interface to a different VDOM
1. Continuing on the Local-FortiGate GUI, click Global > Network > Interfaces.
2. Edit port3.
3. In the Virtual Domain drop-down list, select customer.

[Screenshot: Edit Interface, Virtual Domain set to customer]

4. Click OK.

Add DNS service to an Interface

For Local-Windows, the DNS server is port3. First, you will enable the DNS database in the Feature Visibility section. Then, you will add DNS service to port3.

To enable the DNS database
1. Continuing on the Local-FortiGate GUI, at the top of the menu, from the drop-down list, select the customer VDOM.
2. Click System > Feature Visibility.
3. In the Additional Features section, turn on the DNS Database switch.

[Screenshot: Feature Visibility, DNS Database enabled]

4. Click Apply.

To add DNS service to an interface
1. Continuing on the Local-FortiGate GUI, in the customer VDOM, click Network > DNS Servers.
2. Under DNS Service on Interface, click Create New, and then configure the following settings:

Field        Value
Interface    port3
Mode         Forward to System DNS

3. Click OK.
4. Log out of the Local-FortiGate GUI.

[Screenshot: admin menu, Logout]

Test the Per-VDOM Administrator Account

To see what access is available to the customer-admin account, try logging in to the Local-FortiGate GUI as customer-admin.

To test the per-VDOM administrator account
1. Log in again to the Local-FortiGate GUI, but this time use the administrator name customer-admin with the password fortinet.
2. View the GUI and examine what the VDOM administrator is allowed to control.

Because the customer-admin administrator can access only the customer VDOM, the GUI does not display the Global configuration settings or the VDOM-specific settings for the root VDOM.

3. Log out of the Local-FortiGate GUI, and log in again with the user name admin and password password, which has access to the global settings and all VDOMs.

Stop and think!
Why is the dashboard different between the two login sessions?
Logging in with the admin account gives you full access to both the root VDOM and the FortiGate system resources. Logging in with the customer-admin account provides access only to the customer VDOM, and does not provide access to the system resource details.

Execute Per-VDOM CLI Commands

After you enable VDOMs, the structure of the GUI menu and the tree structure of the CLI change. In this exercise, you will examine the differences in the CLI for VDOMs.

To execute per-VDOM CLI commands
1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the username admin and password password.
3. Try to run the following command to list the routing table:

get router info routing-table all

Did the CLI reject the command? To run this command when VDOMs are enabled, you must specify the VDOM first, so that FortiGate knows which VDOM's routing table to display.

4. To enter the customer VDOM context, type the following commands:

config vdom
edit customer

Note: Be careful when typing VDOM names with the edit command. VDOM names are case sensitive, and the edit command can both modify and create VDOMs. For example, if you enter edit Root, you will not enter the pre-existing root VDOM. Instead, you will create and enter a new VDOM named Root.

5. Now that you've specified the VDOM, try looking at the routing table again:

get router info routing-table all

The command works now. The information displayed in the routing table is specific to the customer VDOM. Remember that each VDOM has its own routing table.

6. Go to the root VDOM context:

edit root

7. Enter the command for listing the routing table:

get router info routing-table all

This time, the information displayed in the routing table belongs to the root VDOM.
You will observe that this table is different from the one for the customer VDOM.

8. Close the PuTTY session.

Exercise 2: Configure an Inter-VDOM Link

In this exercise, you will route traffic between two VDOMs using an inter-VDOM link.

Create an Inter-VDOM Link

You will create an inter-VDOM link to route traffic between two VDOMs.

To create an inter-VDOM link
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the Global VDOM, click Network > Interfaces.
3. Click Create New, and then select VDOM Link.
4. In the Name field, type vlink.
5. In the Interface 0 (vlink0) section, configure the following settings:

Field                    Value
Virtual Domain           root
IP/Network Mask          10.10.100.1/30
Administrative Access    HTTPS, PING, SSH

6. In the Interface 1 (vlink1) section, configure the following settings:

Field                    Value
Virtual Domain           customer
IP/Network Mask          10.10.100.2/30
Administrative Access    HTTPS, PING, SSH

[Screenshot: New VDOM Link, vlink0 and vlink1 settings]

7. Click OK.

After creating the inter-VDOM link, notice the two inter-VDOM sub-interfaces added within the root and customer VDOMs (expand vlink). These interfaces are named vlink0 and vlink1. You can use them to route traffic between the two VDOMs.
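The two static routes added in the next section, and the path a packet takes across the link once they exist, as an added example that is not part of the lab guide or of FortiOS: each VDOM gets its own longest-prefix-match table (then distance, then priority, the order Lab 1 explained), and a packet from Local-Windows is walked through customer and then root. The customer VDOM's default-route gateway is assumed to be 10.10.100.1, the root-side address of the /30; the other addresses are the lab's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None   # None for a directly connected network
    distance: int = 10              # FortiGate default for static routes
    priority: int = 0


@dataclass
class Hop:
    vdom: str
    interface: str
    gateway: Optional[str]


def _rank(r: Route) -> tuple:
    """Higher is better: longest prefix, then lowest distance, then lowest priority value."""
    return (r.prefix.prefixlen, -r.distance, -r.priority)


class RoutingTable:
    """One table per VDOM, as 'get router info routing-table all' showed in Exercise 1."""

    def __init__(self, vdom: str):
        self.vdom = vdom
        self.routes: List[Route] = []

    def add(self, prefix: str, interface: str, gateway: Optional[str] = None,
            distance: int = 10, priority: int = 0) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, gateway, distance, priority))

    def lookup(self, dst: str) -> List[Route]:
        """Best routes for dst. More than one route comes back only when prefix length,
        distance and priority all tie, which is the ECMP condition from Lab 1."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return []
        best = max(_rank(r) for r in matches)
        return [r for r in matches if _rank(r) == best]


# The customer side of the link (vlink1) leads into root and vice versa.
VLINK_PEER = {"vlink1": "root", "vlink0": "customer"}


def build_vdoms(root_has_internal_route: bool = True) -> Dict[str, RoutingTable]:
    """Routing tables of the two VDOMs after the 'Configure Routing Between VDOMs' steps."""
    customer = RoutingTable("customer")
    customer.add("10.0.1.0/24", "port3")                 # connected: Local-Windows LAN
    customer.add("10.10.100.0/30", "vlink1")             # connected: inter-VDOM link
    customer.add("0.0.0.0/0", "vlink1", "10.10.100.1")   # default route; gateway assumed (vlink0's address)

    root = RoutingTable("root")
    root.add("10.10.100.0/30", "vlink0")                 # connected: inter-VDOM link
    root.add("10.200.1.0/24", "port1")                   # connected: link to the Linux server
    root.add("0.0.0.0/0", "port1", "10.200.1.254")       # default route via the Linux server
    if root_has_internal_route:
        root.add("10.0.1.0/24", "vlink0", "10.10.100.2")  # route back to the internal network
    return {"customer": customer, "root": root}


def trace_path(vdoms: Dict[str, RoutingTable], entry_vdom: str, dst: str) -> List[Hop]:
    """Follow one packet from VDOM to VDOM until it leaves on a physical interface.

    The walk is bounded by the number of VDOMs, so two tables that point at each
    other end after a few hops instead of looping."""
    hops: List[Hop] = []
    vdom = entry_vdom
    for _ in range(len(vdoms) + 1):
        best = vdoms[vdom].lookup(dst)
        if not best:
            break                               # no route: dropped in this VDOM
        route = best[0]
        hops.append(Hop(vdom, route.interface, route.gateway))
        if route.interface not in VLINK_PEER:
            break                               # left the FortiGate on a physical interface
        vdom = VLINK_PEER[route.interface]      # crossed the inter-VDOM link
    return hops


if __name__ == "__main__":
    vdoms = build_vdoms()
    for hop in trace_path(vdoms, "customer", "4.2.2.2"):
        print(f"{hop.vdom:8} -> {hop.interface:6} via {hop.gateway}")
    # Without the 10.0.1.0/24 route in root, traffic for Local-Windows matches root's
    # default route and is sent out port1 instead of back across vlink0.
    print([h.interface for h in trace_path(build_vdoms(False), "root", "10.0.1.10")])
```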
[Screenshot: Interfaces list showing vlink0 (10.10.100.1, root) and vlink1 (10.10.100.2, customer)]

Configure Routing Between VDOMs

You will add static routes to both VDOMs to route traffic between them. The objective is to have Internet traffic from Local-Windows cross the customer VDOM first and then the root VDOM, before the traffic goes to the Linux server and the Internet.

To configure routing between VDOMs
1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, select the customer VDOM.

[Screenshot: VDOM drop-down list, customer selected]

2. Click Network > Static Routes.
3. Click Create New to specify a default route for the customer VDOM.
4. Add the following route:

Field          Value
Destination    Subnet 0.0.0.0/0.0.0.0
Gateway        10.10.10…
Interface      vlink1

5. Click OK.

Now, you will specify a route for the root VDOM to the internal network.

6. In the VDOM drop-down list, select root.

[Screenshot: VDOM drop-down list, root selected]

7. Click Network > Static Routes.
8. Click Create New.
9. Configure the following route:

Field          Value
Destination    Subnet 10.0.1.0/24
Gateway        10.10.100.2
Interface      vlink0

10. Click OK.

Configure Firewall Policies for Inter-VDOM Traffic

You will create firewall policies to allow Internet traffic to pass through the customer and root VDOMs.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), configure the appropriate firewall policies to allow traffic to flow freely across the inter-VDOM link. This will require two firewall policies: one from port3 to vlink1, and one from vlink0 to port1.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Test the Inter-VDOM Link on page 60.

To configure firewall policies for inter-VDOM traffic from port3 to vlink1
1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, click customer.

[Screenshot: VDOM drop-down list, customer selected]

2. Click Policy & Objects > IPv4 Policy.
3. Click Create New.
4. Configure the following firewall policy to allow traffic to pass from port3 to vlink1:

Field                 Value
Name                  Internet
Incoming Interface    port3
Outgoing Interface    vlink1
Source                all
Destination           all
Schedule              always
Service               ALL
Action                ACCEPT
NAT                   Enable

5. Click OK.

To configure firewall policies for inter-VDOM traffic from vlink0 to port1
1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, click root.
2. Click Policy & Objects > IPv4 Policy.
3. Click Create New.
4. Configure the following policy:

Field                 Value
Name                  Internet
Incoming Interface    vlink0
Outgoing Interface    port1
Source                all
Destination           all
Schedule              always
Service               ALL
Action                ACCEPT
NAT                   Enable

5. Click OK.

Test the Inter-VDOM Link

Now, you will test your configuration to confirm that Internet traffic is being routed through the two VDOMs and the inter-VDOM link.

To test the inter-VDOM link
1. Continuing on the Local-Windows VM, open a few browser tabs, and visit a few external HTTP websites, such as:
+ http://www.pearsonvue.com/fortinet/
+ http://cve.mitre.org
+ http://www.eicar.org

Traffic should be flowing through both VDOMs now.

2. Open a command prompt window, and then run a traceroute command to an Internet public IP address:

tracert -d 4.2.2.2

3. Check the output.

The first hop IP address is 10.0.1.254, which is port3 in the customer VDOM. The second hop IP address is 10.10.100.2, which is the inter-VDOM link in the root VDOM. The third hop IP address is 10.200.1.254, which is the Linux server.

4. Close the command prompt and your browser.

Lab 4: Transparent Mode Configuration

In this lab, you will create a transparent mode VDOM. You will also configure an inter-VDOM link, this time between a transparent mode VDOM and a NAT mode VDOM.

Objectives
+ Configure a transparent mode VDOM
+ Configure an inter-VDOM link

Time to Complete
Estimated: 20 minutes

Lab Topology

The goal of this lab is to create the following topology. You will use VDOMs to logically split Local-FortiGate into two virtual firewalls: the root VDOM and the inspect VDOM. The root VDOM is in NAT mode. The inspect VDOM is in transparent mode and will be inspecting the traffic for virus protection. So, all Internet traffic coming from Local-Windows must pass through the root VDOM first, and then the inspect VDOM.

[Diagram: Local-Windows, Local-FortiGate root VDOM (10.200.1.1/24), Local-FortiGate inspect VDOM, 10.200.1.254/24]

Prerequisites

Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

[Screenshot: admin menu, Configuration > Restore]

3. Ensure the Scope is set to Global, click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Layer2 > local-layer-2.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Creating a Transparent Mode VDOM

The configuration file for this exercise already has VDOMs enabled. In this exercise, you need to create a transparent mode VDOM called inspect and then move an interface to the inspect VDOM.

Create a Transparent Mode VDOM

You will create a new VDOM, and then change its operation mode to transparent.

To create a transparent mode VDOM
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.

The configuration that you restored at the beginning of this lab has VDOMs enabled. For this reason, you will see a drop-down list at the top of the menu. It provides access to the global settings and to each VDOM's specific settings.

2. In the drop-down list, select Global.
3. Click System > VDOM, and then click Create New.
4. Configure the following settings:

Field             Value
Virtual Domain    inspect
NGFW Mode         Profile-based

[Screenshot: New Virtual Domain]

5. Click OK.
6. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
7. At the login prompt, enter the username admin and password password.
8. Enter the following commands to change the inspect VDOM operation mode from the default NAT mode to transparent mode:

config vdom
edit inspect
config system settings
set opmode transparent
set manageip 10.2…/28
end

Stop and think!
What is that 10.2… IP address for?
It is the management IP address for the transparent mode VDOM. Interfaces that belong to a transparent mode VDOM do not have IP addresses, but the VDOM itself has one. You can use this IP address for administrative access to the device and this VDOM.
9. Close the PuTTY session.

Moving an Interface to a Different VDOM
You will move the interface port1 to the inspect VDOM.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), move the port1 interface to the inspect VDOM.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

To move an interface to a different VDOM
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, select the Global VDOM, and then click Network > Interfaces.
2. Edit port1.
3. In the Virtual Domain drop-down list, select inspect.
[Screenshot: Edit Interface dialog for port1 (Type: Physical Interface, Link Status: Up) with Virtual Domain set to inspect]
4. Click OK.

Exercise 2: Creating an Inter-VDOM Link
In this exercise, you will create an inter-VDOM link. Then, you will create the firewall policies that allow Internet access across both VDOMs. Finally, you will configure and test antivirus inspection in the inspect VDOM.

Create an Inter-VDOM Link
Create the inter-VDOM link for routing traffic from the root VDOM to the Internet through the inspect VDOM.

To create an inter-VDOM link
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Select the Global VDOM, and then click Network > Interfaces.
3. Click Create New, and then select VDOM Link.
4. In the Name field, type vlink.
5. In the Interface 0 (vlink0) section, configure the following settings:
Field                  Value
Virtual Domain         root
IP/Network Mask        10.200.1.1/24
Administrative Access  HTTPS, PING, SSH
6. In the Interface 1 (vlink1) section, configure the following settings:
Field                  Value
Virtual Domain         inspect
Administrative Access  HTTPS, PING, SSH
7. Click OK.
The Interfaces page displays the updated configuration.
8. Review the inter-VDOM link interfaces you just created (expand vlink).
Note that vlink0 and vlink1 are logical interfaces that you can use to route traffic between the root and inspect VDOMs. An IP address is configurable only on the NAT mode VDOM interface.

Create firewall policies
You will create firewall policies to allow Internet traffic to pass through both VDOMs. You will also enable antivirus inspection in the inspect VDOM.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:
• Create two firewall policies to allow Internet traffic to pass through both VDOMs. One policy will be from vlink1 to port1 and the other will be from port3 to vlink0.
• In the inspect VDOM, enable the default antivirus inspection profile on the firewall policy.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Route Inter-VDOM traffic on page 70.

To create a firewall policy on the inspect VDOM
1. Continuing on the Local-FortiGate GUI, from the VDOM drop-down list, select inspect.
[Screenshot: VDOM drop-down list with inspect selected]
2. Click Policy & Objects > IPv4 Policy.
3. Click Create New.
4. Configure the following settings:
Field               Value
Name                Inspected_Internet
Incoming Interface  vlink1
Outgoing Interface  port1
Source              all
Destination         all
Schedule            always
Service             ALL
Action              ACCEPT
5. In the Security Profiles section, turn on the AntiVirus switch, and then, in the antivirus profile drop-down list, select g-default.
[Screenshot: Security Profiles section with AntiVirus enabled and g-default selected]
6. Click OK.

To create a firewall policy on the root VDOM
1. Continuing on the Local-FortiGate GUI, from the VDOM drop-down list, select root.
2. Click Policy & Objects > IPv4 Policy, and then click Create New.
3. Configure the following settings:
Field               Value
Name                Internet
Incoming Interface  port3
Outgoing Interface  vlink0
Source              all
Destination         all
Schedule            always
Service             ALL
Action              ACCEPT
4. In the Firewall/Network Options section, turn on the NAT switch.
5. In the Logging Options section, turn on the Log Allowed Traffic switch, and then select All Sessions.
[Screenshot: Logging Options section with Log Allowed Traffic set to All Sessions]
6. Click OK.

Route Inter-VDOM traffic
To route traffic from Local-Windows to the inspect VDOM, you must create a default route in the root VDOM.

To route inter-VDOM traffic
1. Continuing on the Local-FortiGate GUI and in the root VDOM, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:
Field            Value
Destination      Subnet 0.0.0.0/0.0.0.0
Gateway Address  10.200.1.254
Interface        vlink0
4. Click OK.

Test the Transparent Mode VDOM
You will use the traceroute command to confirm that Internet traffic is crossing the inter-VDOM link. Then, you will try to download a virus to confirm that antivirus inspection in the inspect VDOM is working.

To test the transparent mode VDOM
1. Continuing on the Local-Windows VM, open a command prompt window.
2. Run the following traceroute to verify that your first two hops are 10.0.1.254 and 10.200.1.254:
tracert -d 4.2.2.2
Stop and think!
You will observe that the first hop IP address is 10.0.1.254, which is port3 in the root VDOM. The second hop IP address is 10.200.1.254, which is the Linux server. Why isn't the traceroute showing any IP address belonging to the inspect VDOM?
A transparent VDOM does not route packets like a NAT VDOM. Instead, it forwards frames based on the destination MAC addresses, as a LAN Layer 2 switch does. A traceroute shows the IP addresses of all the routers along a path to a destination. The inspect VDOM is not acting as a router, but as a Layer 2 switch.
3. Close the command prompt.
4. Open a new browser tab and visit the www.eicar.org website.
5. Click Download ANTI MALWARE TESTFILE, and then click Download.
[Screenshot: the eicar.org download page]
6. Select the option to download the eicar.com file using HTTP.

Review log files on the root VDOM
1. Continuing on the Local-FortiGate GUI, click Log & Report > Forward Traffic.
2. Locate a log entry for the www.eicar.org website.
3. Click one of the entries to view more details.
Stop and think!
Why do the log entries indicate that the traffic was permitted?
Remember that the root VDOM is the unrestricted Internet side of the inter-VDOM link. In the next steps, you will review the logs for the inspect VDOM.

Review log files on the inspect VDOM
1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, select inspect.
2.
Click Log & Report > Forward Traffic, and then click one of the log entries.
3. Click the Security tab, and then click Show Matching Logs.
[Screenshot: log details with the Security tab selected]
You should see that the item was blocked by the antivirus policy.

Lab 5: Site-to-Site IPsec VPN Configuration
In this lab, you will configure a point-to-point IPsec VPN between two FortiGate devices. You will also configure redundant VPN tunnels with failover capability between the two FortiGate devices.

Objectives
• Deploy a site-to-site VPN between two FortiGate devices
• Monitor VPN tunnels
• Configure redundant VPNs between two FortiGate devices

Time to Complete
Estimated: 50 minutes

Prerequisites
Before beginning this lab, you must restore a configuration file to Remote-FortiGate and Local-FortiGate. Make sure to restore the correct configuration on each FortiGate using the following steps. Failure to restore the correct configuration on each FortiGate will prevent you from doing the lab exercise.

To restore the Remote-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
[Screenshot: admin menu with System, Backup, Configuration > Restore, Revisions, Change Password and Logout]
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Route-based-IPSEC > remote-rvp.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
[Screenshot: admin menu]
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Route-based-IPSEC > local-svp.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring Route-Based IPsec VPN
During this lab, you will configure an IPsec tunnel between Local-FortiGate and Remote-FortiGate for communication between the Local-Windows VM and the Remote-Windows VM.

Create a VPN Using the VPN Wizard
Now, you will configure Local-FortiGate using the VPN wizard, which creates the IPsec VPN in route-based mode.

To create a VPN using the VPN wizard
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Click VPN > IPsec Tunnels.
3. Click Create New.
4. [Settings for this step are not legible in the source]
5. Click Next.
6. Configure the following settings:
Field                  Value
Remote Device          IP Address
IP Address             10.200.3.1
Outgoing Interface     port1
Authentication Method  Pre-shared Key
Pre-shared Key         fortinet
7. Click Next.
8. Configure the following settings:
Field            Value
Local Interface  port3
Local Subnets    10.0.1.0/24
Remote Subnets   10.0.2.0/24
9. Click Create.
You should see the following screen:
[Screenshot: VPN Creation Wizard, "The VPN has been set up". Summary of Created Objects: Phase 1 Interface ToRemote; Local Address Group ToRemote_local; Remote Address Group ToRemote_remote; Phase 2 Interface ToRemote; Static Route 3; Blackhole Route 4; Local to Remote Policy vpn_ToRemote_local (2); Remote to Local Policy vpn_ToRemote_remote (4); buttons Add Another and Show Tunnel List]
10. Click Show Tunnel List.
You will see the VPN you just created.
[Screenshot: IPsec Tunnels list showing the ToRemote tunnel]

Review the Objects Created by the VPN Wizard
Now, you will review the objects that were created by the VPN wizard.

To review the objects created by the VPN wizard
1. Continuing on the Local-FortiGate GUI, click VPN > IPsec Tunnels.
2. Select the VPN you just created, and then click Edit.
Notice the quick mode selectors that the wizard configured for you.
[Screenshot: Phase 2 Selectors configured by the wizard for ToRemote]
You will need this information to configure the other FortiGate. The quick mode selectors on both sides must mirror each other. In other words, the Local Address on one side must match the Remote Address on the other side.
3. Click Cancel.
4. Click Network > Interfaces.
5. Click the plus (+) icon that appears beside port1.
You will see a new virtual interface named ToRemote (matching the phase 1 name).
[Screenshot: Interfaces list with the ToRemote tunnel interface shown under port1]
Stop and think!
What does this virtual interface tell us about the VPN created by the wizard? Is it route based?
The wizard created the VPN using a route-based configuration. FortiGate automatically adds an IPsec virtual interface for each VPN configured as route based. Route-based VPN is also known as interface-based VPN.
A route-based VPN requires firewall policies and at least one route to the remote network. As you will see, the wizard has created all of these additional objects for you.
6. Click Policy & Objects > Addresses, and then click the + icon to expand Address and Address Group.
Observe two new firewall address objects: ToRemote_local_subnet_1 and ToRemote_remote_subnet_1.
[Screenshot: Addresses list including ToRemote_local_subnet_1 and ToRemote_remote_subnet_1]
7. Click Policy & Objects > IPv4 Policy.
Observe the two new firewall policies: one from port3 to ToRemote and another from ToRemote to port3. You will see that the Action in both cases is ACCEPT.
[Screenshot: IPv4 Policy list showing vpn_ToRemote_local and vpn_ToRemote_remote, both with Action ACCEPT]
8. Click Network > Static Routes, and then click the + icon to expand IPv4 to view the static route added by the wizard.
[Screenshot: Static Routes list with the wizard's route to ToRemote and the blackhole route]
Stop and think!
Why did the IPsec wizard add a second route using the blackhole interface?
FortiGate drops all packets routed to the blackhole interface. The IPsec wizard added two static routes: one to the IPsec virtual interface, with a distance of 10, and one to the blackhole interface, with a distance of 254. The route with the lowest distance, the one to the IPsec virtual interface, takes precedence. However, if the VPN is down, the route to the blackhole interface becomes active, even though it was originally the higher-distance route. So, traffic destined to the VPN is now routed to the blackhole interface and dropped. The route to the blackhole interface prevents FortiGate from sending VPN traffic to the default route while the VPN is down. The route to the blackhole interface also prevents FortiGate from creating unnecessary sessions in the session table.

Review the VPN Configuration on Remote-FortiGate
For the purposes of this lab, Remote-FortiGate is preconfigured for you. This configuration was included in the configuration file you uploaded at the beginning of this lab. You can review this configuration by completing the steps that follow.

To review the Remote-FortiGate configuration
1. Continuing on the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI with the user name admin and password password.
2. To review the VPN configuration, click VPN > IPsec Tunnels, and review ToLocal.
3. To review the static route for the route-based VPN, click Network > Static Routes, and review ToLocal.
4. To review the interface, click Network > Interfaces, and then click the plus (+) icon that appears beside port4. You will see a new virtual interface named ToLocal (matching the phase 1 name).
5. To review the firewall policies for VPN traffic on Remote-FortiGate, click Policy & Objects > IPv4 Policy, and review vpn_ToLocal_local and vpn_ToLocal_remote.

Exercise 2: Testing and Monitoring the VPN
You have finished the configuration on both FortiGate devices. Now, you will test the VPN.
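The pair of wizard routes explained in Exercise 1 (distance 10 via ToRemote, distance 254 to the blackhole interface) can be modelled in a few lines of Python. This is an added example, not FortiOS code or part of the lab guide; it assumes a default route out port1 via 10.200.1.254 (taken from the earlier lab topology) and models a down IPsec interface by leaving its route out of the active table, which is how FortiOS treats a static route whose device is down.

```python
"""Model of FortiGate static route selection with the wizard's blackhole route.

Constructed example, not FortiOS code. It reproduces the two routes the IPsec
wizard added for 10.0.2.0/24 (ToRemote, distance 10; blackhole, distance 254)
and shows where VPN-bound traffic goes when the tunnel is down, with and
without the blackhole route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str            # destination prefix, e.g. "10.0.2.0/24"
    device: str         # outgoing interface; "blackhole" means drop the packet
    distance: int       # administrative distance; lower wins among equal prefixes
    gateway: str = ""   # next hop; empty for point-to-point and blackhole routes


# Routes as on the lab's Local-FortiGate. The default route's interface and
# gateway (port1 via 10.200.1.254) are assumptions taken from the lab topology.
LAB_ROUTES = [
    StaticRoute("0.0.0.0/0", "port1", 10, "10.200.1.254"),
    StaticRoute("10.0.2.0/24", "ToRemote", 10),      # IPsec virtual interface
    StaticRoute("10.0.2.0/24", "blackhole", 254),    # wizard's backup route
]


def active_routes(routes, interfaces_up):
    """Routes FortiOS can install: the device must be up. A blackhole route
    has no device, so it is always installable."""
    return [r for r in routes
            if r.device == "blackhole" or r.device in interfaces_up]


def lookup(routes, interfaces_up, dst_ip):
    """Pick the route for dst_ip: longest prefix first, then lowest distance.
    Returns None when no active route matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in active_routes(routes, interfaces_up)
                  if ip in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance))


def egress(routes, interfaces_up, dst_ip):
    """Interface a packet to dst_ip leaves on, or "dropped" when the blackhole
    route wins or nothing matches."""
    route = lookup(routes, interfaces_up, dst_ip)
    if route is None or route.device == "blackhole":
        return "dropped"
    return route.device


def without_blackhole(routes):
    """The same routing table with the wizard's backup route removed."""
    return [r for r in routes if r.device != "blackhole"]


if __name__ == "__main__":
    tunnel_up = {"port1", "port3", "ToRemote"}
    tunnel_down = {"port1", "port3"}
    print("tunnel up,   10.0.2.10 ->", egress(LAB_ROUTES, tunnel_up, "10.0.2.10"))
    print("tunnel down, 10.0.2.10 ->", egress(LAB_ROUTES, tunnel_down, "10.0.2.10"))
    print("tunnel down, no blackhole, 10.0.2.10 ->",
          egress(without_blackhole(LAB_ROUTES), tunnel_down, "10.0.2.10"))
    print("tunnel down, 4.2.2.2 ->", egress(LAB_ROUTES, tunnel_down, "4.2.2.2"))
```

The third case is the one the blackhole route exists to prevent: with the backup route removed, traffic for 10.0.2.0/24 follows the default route out port1 while the tunnel is down, instead of being dropped.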
Test the VPN
Now, you will test the VPN.

To test the VPN
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. Click Monitor > IPsec Monitor.
Notice that the VPN is currently down.
3. Right-click the VPN, click Bring Up, and then select All Phase 2 Selectors.
[Screenshot: IPsec Monitor showing the tunnel with the Bring Up context menu]
The Name column of the VPN contains a green up arrow, indicating that the tunnel is up.
Stop and think!
Do I always have to bring up the tunnel manually after creating it?
No. In the current configuration, the tunnel will stay down until you either bring it up manually, or there is traffic that should be routed through the tunnel. Because you are not generating traffic between 10.0.1.0/24 and 10.0.2.0/24 yet, the tunnel is still down. If you had generated the required traffic while the tunnel was down, it would have come up automatically.
4. On the Local-Windows VM, open a command prompt window, and then run the following command to ping Remote-Windows:
ping 10.0.2.10
The ping should work.
5. Close the command prompt window.
6. Return to the Local-FortiGate GUI, and then click Monitor > IPsec Monitor.
7. Click Refresh to refresh the screen.
You will notice that the counters for Incoming Data and Outgoing Data have increased. This indicates that the traffic between 10.0.1.10 and 10.0.2.10 is successfully being encrypted and routed through the tunnel.

Exercise 3: Configuring an IPsec VPN Between Two FortiGate Devices
In this exercise, you will configure one VPN for redundancy between Local-FortiGate and Remote-FortiGate.

Prerequisites
Before beginning this lab, you must restore a configuration file on Remote-FortiGate and Local-FortiGate. Make sure to restore the correct configuration on each FortiGate using the following steps. Failure to restore the correct configuration on each FortiGate will prevent you from doing the lab exercise.

To restore the Remote-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
[Screenshot: admin menu]
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Site-to-Site-IPsec > Redundant IPsec VPN > remote-redundant-VPN.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
