
Index: 1.0
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Endpoints are frequently the target of initial compromise or attacks. Fortinet strengthens
endpoint security through integrated visibility, control, and proactive defense. With the ability
to discover, monitor, and assess endpoint risks, you can ensure endpoint compliance, mitigate
risks, and reduce exposure.

In this Fast Track, we will explore controlling endpoints using Fortinet Advanced Endpoint
Protection tools in mixed Windows & Linux environments and see first-hand how these
solutions integrate with the Fortinet Security Fabric to protect your company’s critical assets.

The products included in the Security Operation Solutions are:

• FortiClient: Fabric connected agent protecting and monitoring endpoints
• FortiClient EMS: Central management of all FortiClient protected endpoints
• FortiEDR: Next-Gen endpoint security solution and automated EDR
• FortiGate: High threat protection performance with automated visibility to stop attacks

Note: For all objectives, click Continue then select the next available objective from the list to
proceed.
Index: 1.0 (a)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Welcome to the Advanced Endpoint Workshop

Network Topology
Index: 1.0 (b)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
This Fast Track focuses on FortiClient EMS and FortiEDR.
FortiClient EMS is the central manager for FortiClient protected endpoints. As an advanced
Endpoint Protection Platform (EPP), FortiClient is available on Windows, Mac, Linux, iOS,
Android and Chromebook devices and is designed to integrate with the Fortinet Security Fabric
providing visibility, compliance control, vulnerability management and protection using
pattern-based anti-malware, behavior-based exploit protection, web-filtering, application
firewall and secure remote access.
FortiEDR (formerly enSilo) is an Endpoint Detection & Response (EDR) solution offering certified
next-gen AV, automated EDR, forensics, threat hunting and virtual patching capabilities in a
single, lightweight agent. Compliant with regulations such as PCI DSS and HIPAA, FortiEDR
features multi-tenant management in cloud, on-premise and hybrid environments.

FortiClient EMS

Topic                                                      Time
Lab 2.0: FortiClient EMS & Fortinet Security Fabric        15 Minutes
Lab 2.1: Customizing the FortiClient Installer             15 Minutes
Lab 2.2: Dynamic Access Control with Endpoint Tagging      30 Minutes

FortiEDR

Topic                                                      Time
Lab 3.1: EDR Architecture and Deployment                   10 Minutes
Lab 3.2: EDR Advanced Protection                           25 Minutes
Lab 3.3: EDR Events, Forensics, and Reporting              25 Minutes
Index: 2.0
Use Case: FortiClient EMS & Security Fabric
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

FortiClient EMS & Security Fabric

Endpoint Protection provides security measures that prevent threats, mitigate risks, reduce
exposure, and ensure endpoint compliance. An additional key function of FortiClient EMS is to
strengthen the Security Fabric by providing information about the endpoints to the FortiGates.
FortiClient EMS can pull machine and user information from Active Directory, which can
then be used by the FortiGate policies.

In the following objectives of this use case, you will establish the communication between EMS,
Active Directory, and Security Fabric.

Objectives
• Connect FortiClient EMS to Active Directory.

• Integrate FortiClient EMS into the Security Fabric.

Time to Complete
Estimated: 10 minutes
Index: 2.0 (a)
Use Case: FortiClient EMS & Security Fabric
Objective Title: Integrating FortiClient EMS with Active Directory
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Integrate FortiClient EMS with Active Directory


Endpoints can be manually imported from an AD server. You can import and synchronize information
about computer accounts with an LDAP or LDAPS service. You can add endpoints by identifying
endpoints that are part of an AD domain server. Once EMS knows about the domain, you will assign it to
the default policy that will be applied to any FortiClient registering to EMS. This includes the features to
be enabled on the endpoint and the Security Fabric telemetry details.

Add Domain
1. From the Lab Activity: Endpoint tab, access FortiClient EMS using the HTTPS option.
Note: Unless otherwise indicated, all usernames and passwords for the various admin consoles
are:
Username: admin Password: Fortinet1!
2. Navigate to Endpoints > Domains > Add a domain.
3. Use the following information:

• IP address/Hostname: 172.16.100.10

• Port: 389

• Bind type: Regular

• Username: admin

• Password: Fortinet1!
Note: The common practice is to observe the distinguished name (DN) of a domain
when there is more than one forest in the network. In the above, it was possible to
obtain the value automatically as there is only one domain, but in case manual
entry is required, the DN is acmecorp.net
4. Click Test
5. Click Save once the successful message appears.
Note: While the domain information is being synced in EMS, it may take up to a minute to
complete. Wait for the synchronization process to complete. You may need to reload
Manage Domains page by clicking on Refresh on the top right if acmecorp.net does not
appear in Endpoints > Domains.

Assign User Group/Users to Endpoint Policy

1. Click Endpoint Policy > Manage Policies.


2. Click Default_ policy and click Edit.

3. In the Endpoint Groups field, click Edit.


4. Expand acmecorp.net > Users and click Domain Users.
Note: FortiClient EMS v6.4 supports endpoint management based on AD user/user groups
5. Click Save.
6. In the Users field, select the following users:

• alice
• bob

• carol

• david
Note: EMS provides granular control in assigning endpoint policies to specific AD
users/user groups.
7. In the Telemetry Server List field, Select FortiGate-Edge from the drop-down menu.

8. Click Save.

Stop & Think


(True or False) FortiGate also has the capability to provide a complete management and
telemetry solution to FortiClient endpoints.
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint 1:
FortiGate was the only device to manage FortiClient until EMS became available.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Answer
False
FortiGate provides the required telemetry service to extend visibility, control vulnerabilities
and quarantine compromised endpoints.

Answer Key:
✘ 1. True
✔ 2. False
Index: 2.0 (b)
Use Case: FortiClient EMS & Security Fabric
Objective Title: Integrating FortiClient EMS with Security Fabric
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Integrate FortiClient EMS with Security Fabric


Although the endpoints in this lab environment reside behind the ISFW FortiGate, EMS and
Security Fabric initial configurations need to be completed in the Security Fabric Root device
(FortiGate-Edge) of the Security Fabric group.

Configure Fabric Connector


1. From the Lab Activity: Endpoint tab, access FGT-EDGE using the HTTPS option.
Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors


3. Click Create New
4. Click FortiClient EMS and use the following information:

• Type: FortiClient EMS

• Name: FortiClient-EMS

• IP/Domain: 172.16.100.125

• HTTPS port: 443

• Synchronize firewall addresses: Leave it set to enabled by default


5. Click OK
Note: A ‘Verify EMS Server Certificate’ window should come up. The FortiGate needs to be
authorized on the EMS server which you will do after this exercise.
6. Click OK

7. Click Security Fabric > Fabric Connectors.


Note: FortiClient-EMS connector was automatically created based on the information you
just provided in the Settings section. Notice that this connector has a red arrow pointing
downward, which means that it is not communicating properly to its destination.

Authorize FortiGate-Edge Fabric Device on EMS Server


1. From the web browser, access the FortiClient EMS using the web console.
2. A Fabric Device Authorization Requests window for FortiGate-Edge should pop up. Click
Authorize
CAUTION: Press F5 to refresh the browser window and wait for a few seconds in case the Fabric
Device Authorization Requests window doesn’t show up.

Authorize EMS Server Certificate on Root FortiGate-Edge


1. From the web browser, access the FGT-EDGE using the web console.
2. Click Security Fabric > Fabric Connectors
3. Click FortiClient EMS and click Edit

4. In the FortiClient EMS Status section (right-hand side), click Authorize


5. In the Verify EMS Server Certificate window, click Accept

6. Click OK
Note: FortiClient EMS Fabric Connector should have a successful up connection status.
Authorize FortiGate-ISFW Fabric Device on EMS Server
1. From the web browser, access the FortiClient EMS using the web console.
2. A Fabric Device Authorization Requests window for FortiGate-ISFW should pop up. Click
Authorize
CAUTION: Press F5 to refresh the browser window and wait for a few seconds in case the Fabric
Device Authorization Requests window doesn’t show up.

3. Click Administration > Fabric Devices


Note: Both FortiGates should show up as authorized.
Index: 2.3
Use Case: Customizing the FortiClient Installer
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Customizing the FortiClient Installer

To facilitate the installation of FortiClient on the endpoints, EMS allows the creation of custom
FortiClient deployment packages with pre-configured parameters needed for an endpoint to
register with EMS and connect to FortiGate as part of the Security Fabric group. These
installation packages, however, are only for Windows and Mac OS operating systems.
You can install FortiClient (Linux) on Ubuntu, CentOS, and RedHat operating systems. In the
interest of time, FortiClient (Linux) has already been installed for you on the Ubuntu
workstation.
In this exercise, you will create an installation package and install FortiClient on the Windows
workstation.

Objectives
• Create a deployment package.

• Install FortiClient from EMS deployment package.

Time to Complete
Estimated: 15 minutes
Index: 2.3 (a)
Use Case: Customizing the FortiClient Installer
Objective Title: Creating Deployment Package
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create Deployment Package


In this objective, you will create a FortiClient installer and pre-configure the parameters needed for an
endpoint to register with EMS and connect to FortiGate as part of the Security Fabric group.

1. From the web browser, access the FortiClient EMS using the web console.
2. Click Manage Installers > Deployment Packages.
3. Click + Add.
4. Under Version section, select Installer Type as Choose an official release.
5. Leave the release and patch at 6.4 and 6.4.0 respectively.

7. Click Next.
8. Under General section, type the Name as FCT-Installer
Note: Make sure the name is typed in the exact same manner as shown below in the
screenshot.

9. Click Next.
10. Under Advanced section, tick the checkbox:

• Enable automatic registration


• Enable desktop shortcut
• Enable Endpoint Profile and choose Default endpoint profile from the drop-down
list.
11. Click Next.
12. Under Telemetry section, tick the checkbox Enable Telemetry connection to Security and
choose FortiGate-Edge as the Telemetry Server List.

13. Click Finish.

Stop & Think


(True or False) When you enable and configure Installer ID in the FortiClient Installer
deployment package, FortiClient EMS automatically groups endpoints according to installer
ID group assignment rules?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 4

Hint Text:

Hint 1:
You can configure a FortiClient installer with an installer ID, then deploy this installer to the
desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient
EMS places them in the desired group. For example, consider you want all endpoints located in
your company's headquarters to be placed in the same endpoint group.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:
Answer

True

Answer Key:
✔ 1. True
✘ 2. False
Index: 2.3 (b)
Use Case: Customizing the FortiClient Installer
Objective Title: Installing FortiClient
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Install FortiClient
In most companies, new machines connect to the corporate network on a regular basis. In this
exercise, we have a Windows machine that was recently joined to the domain and requires
further steps to meet the company’s compliance policy. To that end, we will install FortiClient
on this workstation via the install package we created in the previous objective.

1. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.
Username: ACMECORP/alice Password: Fortinet1!

2. Open a web browser on the desktop and, using the FCT-Installer bookmark, browse to
https://172.16.100.125:10443/installers/FCT-Installer
3. Click Continue to this website (not recommended) to get past the certificate warning page.
4. The installer folder should be displayed. Select FortiClientSetup_6.4.0_x64.exe

5. Pay attention to the bottom right corner of the browser to see that the file is being
downloaded.
Note: Click Keep and allow the download if you see a browser pop-up warning that the file
might be harmful.

6. When you get confirmation that the file has been downloaded, the installer should be saved
in the Downloads folder. Go ahead and start the installer.
7. Once the installer starts, go ahead and close (or minimize) the browser.
8. Follow the wizard process by ticking the checkbox Yes, I have read and accept the License
Agreement.
9. Click Next.
10. Leave the default directory specified and click Next.
11. Click Install and wait for a few moments while the installation completes.
12. When the installer wizard is done, click Finish.
Note: Pay attention to the FortiClient notification on the taskbar. FortiClient will attempt to
register to EMS and connect to the Security Fabric as per the pre-configuration settings
customized in the package. It will continue to obtain and update all required signatures and
may take a few minutes. The process to update the signatures will be required for an
upcoming exercise.

13. Open the FortiClient console by double clicking the FortiClient icon on the Desktop.
Note: Wait for a few minutes to allow FortiClient to be fully synchronized with EMS. The
endpoint should now be compliant and the console should look like the following:
Verify Endpoint Registration

1. From the web browser, access FortiClient EMS using the web console.

2. Click Dashboard > FortiClient Status.


Note: The console page will show information with regards to the current status of
managed endpoints. You can look into the Endpoint widget to see the number of machines
that are online or offline, as well as how many are managed or unmanaged.

3. For more details, go ahead and click on the number inside the bubble to observe additional
information about these endpoints. Hover the mouse on the green icons to view the status
of EMS management synchronization and FortiTelemetry connection status.

Note: Alice’s avatar may not be visible but will eventually sync up on the next sync cycle.
Index: 2.4
Use Case: Dynamic Endpoint Grouping/Tagging
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Dynamic Endpoint Grouping/Tagging

As part of the Security Fabric, you can now configure categorization rules on EMS to
dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint
groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint
groups when host compliance or other events happen. You can combine the endpoint groups
with FortiGate firewall policies to provide dynamic access control based on endpoint status.
You can dynamically group endpoints by OS type, OS version, certificate, logged in domain,
files, running applications/processes, registry keys, and more. When a FortiClient endpoint
registers to EMS, EMS dynamically groups the endpoint based on the compliance verification
rules.
You can selectively block, allow, or present a captive portal to endpoint groups based on their
real-time compliance statuses.

In this use case, you will create verification rules to apply tags to the endpoints, and then pull
those tags into the FortiGate via an EMS connector. You will then apply the tags to the firewalls
and demonstrate the changes in access as the tags on the endpoint change.

Objectives
• Create Compliance Verification Rules and Tags

• Dynamically control user access

Time to Complete
Estimated: 25 minutes
Index: 2.4.1
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Dynamic Access Control Based on AD Group Membership

A feature introduced in EMS version 6.2 is the ability to tag endpoints based on the
Active Directory user group membership of the logged in user. EMS considers the endpoint as
satisfying the rule if the logged in user belongs to the selected AD group. You can also use the
NOT option to indicate that the rule requires that the logged in user does not belong to
certain AD groups.
As these conditions change, EMS updates the tags on the Endpoints and passes that
information on to the FortiGates, which can then dynamically control access to the endpoints
via the firewall policies.
In this use case, you will create verification rules to apply tags to the endpoints, and then pull
those tags into the FortiGate via an EMS connector. You will then apply the tags to the firewalls
and demonstrate the changes in access as the tags on the endpoint change.

Objectives
• Create Compliance Verification Rules and Tags

• Setup FortiClient EMS Fabric Connector

• Dynamically control user access

Time to Complete
Estimated: 15 minutes
Index: 2.4.1 (a)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Creating Compliance Verification Rules and Tags
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Create Compliance Verification Rules and Tags

EMS tags the endpoints based on Compliance Verification Rules. Let’s have a look at an existing
rule, and then create a few more.

Verify an Existing Compliance Rule


1. From the web browser, access FortiClient EMS using the web console.
2. Click Compliance Verification > Compliance Verification Rules.
3. Select the Trusted_Windows_PC rule and click Edit.
Note: This rule will apply a tag named Trusted_PC_TAG to a device, if that device has a
Windows OS and is being managed by EMS.

4. Click Cancel to close this rule.


Create New Rule
Alice works in the Sales department of AcmeCorp, and is therefore a member of the Sales group
in Active Directory. In a previous task, you configured EMS to retrieve domain information from
AcmeCorp’s Active Directory. Let’s make use of that information by creating a rule that will tag
devices based on the AD group membership of the user who is logged onto that device.
1. Click +Add and use the following information:

• Name: Sales_User

• Tag Endpoint As: Sales_User_Tag (Press Enter)


Note: You must press enter after entering the name of a new tag, otherwise it will
not be created.

2. Click +Add Rule and use the following information:

• OS: Windows

• Rule Type: AD Group

• AD Group: Sales
Note: Take a moment to explore the different rule types with which you can apply
tags to devices.
3. Click Save.
4. Click Save.

Verify Tagged Devices/Users


EMS will compare these rules with information from endpoints and then apply the associated
tags.
1. Click Compliance Verification > Host Tag Monitor.
Note: Please wait for 1-2 minutes if the following tags don’t appear. You should see Alice’s
endpoint machine tagged with the Sales_User_Tag and Trusted_PC_Tag.
Index: 2.4.1 (b)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Applying Tags to Firewall Policies
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Apply Tags to Firewall policies


EMS tags are pulled by the FortiGate and automatically kept in sync with the EMS server. They
are converted into read-only dynamic firewall addresses that can be used in firewall policies,
routing, and so on. You will now use the EMS tags to dynamically control access via the firewall policies.

1. From the Lab Activity: Endpoint tab, access FGT-ISFW using the HTTPS option.

Username: admin Password: Fortinet1!

2. Click Policy & Objects > Firewall Policy.

3. Expand Sales Network (port2) -> EDGE_ISFW Network (port4) section.


4. Select the To Marketing Network policy and click Edit.
5. Click Source
6. Click FCTEMS0000110975_Sales_User_Tag
7. Click Close and click OK
Note: You are giving sales users access to the marketing network.
8. Repeat the steps above and add the FCTEMS0000110975_Trusted_PC_Tag to the To HR
Network policy.
Index: 2.4.1 (c)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Verifying Dynamic Access Control
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Verify Dynamic Access


Verify Network Access Before Tag Enforcement
Let’s see what access Alice has in the network. To test this, you are simply going to use Putty to
establish a connection to hosts in the remote networks.
1. From the web browser, access Alice machine using the web console.

2. If you have not been logged in automatically, log in as the user alice with password Fortinet1!

3. Open the Putty application by double clicking on the Putty shortcut on the Desktop.
4. Select HR from the Saved Sessions area, and click on the Load button.

5. Click Open
Note: The Putty window should open, and you should see the login prompt. This tells you
that the application was able to access the destination host in the HR network and establish
a connection. So Alice has access to the HR network.

6. Close the Putty windows to end the session.


7. Repeat the above steps for the Marketing and Sales networks.
Note: You should see that Alice also has access to the Marketing and Sales networks.

Disconnect FortiClient
1. Open the FortiClient console, and click Disconnect.

2. When asked if you are sure you want to disconnect, select Yes.
3. Open Putty from the Desktop. Select Sales from the Saved Sessions area, click Load and click
Open

Note: The Putty window should open, and you should see the login prompt. This tells you
that the application was able to access the destination host in the Sales network and
establish a connection. So Alice has access to the Sales network, which makes sense as Alice
is in the Sales AD group.

4. Repeat the steps above for the HR network.

Note: Although a Putty window opens, it does not display the login prompt. This tells us
that the application does not have access to the HR network anymore and therefore cannot
establish a connection. If you remember, the HR policy is for Trusted_PC_TAG, and trusted
PCs are those that are managed by EMS. So Alice should not be able to access the HR
network while disconnected from EMS. As you can see, the firewall policies can dynamically
control access based on the tags that EMS applies to the endpoints. You have also seen that
these tags can be based on a large number of conditions, providing fine-grained access control
of the endpoints.

5. Repeat the steps above for the Marketing network.

Note: Although a Putty window opens, it does not display the login prompt. This tells us
that the application does not have access to the Marketing network and therefore cannot
establish a connection.

Re-Connect FortiClient

1. Open FortiClient console on Alice’s machine.

2. Click Fabric Telemetry

3. Enter EMS IP: 172.16.100.125

4. Click Connect
Index: 2.4.2
Use Case: Identity Compliance
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Identity Compliance

EMS can now dynamically group endpoints based on their user identity. An end user can
provide their user identity in FortiClient for the following social network accounts:
• LinkedIn
• Google
• Salesforce
• User Input
When the end user selects User Input, they can specify personal information, including their
avatar, name, phone number, and email address. If they select another option, FortiClient reads
their avatar, name, phone number, and email address from the corresponding account.
FortiClient displays this information and sends it via Telemetry to EMS. EMS uses this
information to apply applicable host verification tags on endpoints. If the endpoint user doesn't
supply these parameters, the endpoint is considered non-compliant.

In this use case, you will enable user identity settings and create a user identity based tag through a
compliance verification rule. You will then apply the tag to the firewall policy and demonstrate
the changes in access as the tags on the endpoint change.

Objectives
• Enable user identity settings

• Configure compliance verification rule and tag

• Dynamically control user access

Time to Complete
Estimated: 10 minutes
Index: 2.4.2 (a)
Use Case: Identity Compliance
Objective Title: Enabling User Identity Settings
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Enable User Identity Settings

In this exercise, you will enable user identity settings for the default endpoint profile.

1. From the web browser, access FortiClient EMS using the web console.

2. Click Endpoint Profiles > Manage Profiles.


3. Click Default and click Edit.
4. Click System Settings.
5. Scroll down to the User Identity Settings section and under Allow Users to Specify Identity
Using, enable the following:
• Manually Enter User Details: Toggle on
• LinkedIn: Toggle on
Note: You will not test this social login in the lab. This is just to illustrate that users
can also provide their social login to identify themselves.
• Notify Users to Submit User Identity Information: Toggle on
Note: EMS can also be configured to allow end users to specify their user identity in
FortiClient using social network accounts such as LinkedIn, Google and Salesforce.
6. Click Save.
Index: 2.4.2 (b)
Use Case: Identity Compliance
Objective Title: Creating Compliance Verification Rules and Tags
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Create Compliance Verification Rules and Tags

EMS tags the endpoints based on Compliance Verification Rules. You will create a user identity
based compliance rule.

Create Rule

1. Click Compliance Verification > Compliance Verification Rules.


2. Click + Add and use the following information:
• Name: User_Identity
• Tag Endpoint As: User_Specified_Tag and press Enter
Note: Press Enter to save the tag.

3. Click + Add Rule and use the following information:


• OS: Windows
• Rule Type: User Identity and click + icon
Note: Click + icon to save the Rule Type
• User Identity: User Specified
4. Click Save.

5. Click Save.
Index: 2.4.2 (c)
Use Case: Identity Compliance
Objective Title: Submitting User Information
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Submit User Information

Let’s verify what level of network access Alice’s Windows machine has in the network and
how the user identity based tag modifies it.

1. From the web browser, access Alice machine using the web console.

2. Open web browser and click CNN bookmark.


Note: You will find out that Alice’s PC does not have internet access.
3. Open the FortiClient console on the desktop in case it is closed.
4. On the FortiClient console, you will see a User Profile pop-up.
Note: If you don’t see the user profile pop-up yet, wait for a few minutes for FortiClient to
receive the configuration update from the EMS server. Once the pop-up appears, there are two
available options to provide user identity as a result of the two different user identity settings
(Manual and LinkedIn) enabled in FortiClient EMS previously.
5. Choose User Specified and enter the following user information:
• Full Name: Alice Nelson
• Email: alice@acmecorp.net
• Phone: 9876543210
Note: Do not hit Submit yet.
6. Click Add Picture > Choose File > Select Alice_Nelson.jpg from Desktop.
7. Click Use Picture.
8. Click Submit.
9. Click Alice’s avatar in the FortiClient console to view the user information submitted
through the above steps.

Verify Host Tag Monitor

1. From the web browser, access FortiClient EMS using the web console.

2. Click Compliance Verification > Host Tag Monitor


Note: Please wait for 1-2 minutes if the tag doesn’t appear as shown in the screenshot
below. You should see that Alice’s machine is successfully tagged with the User_Specified_Tag
based on the user identity compliance verification rule configured previously. Alice’s avatar
may not be visible right away but will synchronize to EMS in the next sync cycle.
Index: 2.4.2 (d)
Use Case: Identity Compliance
Objective Title: Applying Identity Tag to Firewall Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Apply Tag to Firewall Policy


As per AcmeCorp’s internet policy, access to external websites should only be granted to users
who have successfully submitted their identity information.
You will now use the EMS tag to dynamically control access via the firewall policy.

Apply Tag to Firewall Policy


1. From the web browser, access FGT-ISFW using the web console.

2. Click Policy & Objects > Firewall Policy

3. Click +Create New and use the following information:

• Name: To Internet
• Incoming Interface: Sales Network (port2)
• Outgoing Interface: EDGE_ISFW Network (port4)
• Source: FCTEMS0000101980_User_Specified_Tag
Note: EMS tags are imported into the FortiGate as firewall address objects. In case
the above EMS tags don’t show up in the source address list, please wait for 1-2
minutes and press F5 to refresh the browser tab.
• Destination: all
• Schedule: always
• Service: ALL
• Action: ACCEPT
4. Click OK

Verify Dynamic Access Control


1. From the web browser, access Alice machine using the web console.

2. Open web browser and click CNN bookmark.

Note: You will find out that Alice’s PC has been granted access to external websites after
you applied the EMS tag to firewall policy.
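The rule, tag and policy flow used in this use case and in the AD-group use case (2.4.1), as an added Python model that is not Fortinet's or the lab's own code: it evaluates the lab's three verification rules, derives the FortiGate's dynamic address objects from the resulting tags, and shows Alice's access changing as she disconnects, reconnects and submits her identity. The EMS_ID prefix, the "Managed" rule type name and the assumption that a disconnected endpoint keeps no tags are constructed to match the behaviour observed in the lab.

```python
"""Added model (not Fortinet code) of EMS tag rules, the FortiGate's dynamic
address objects built from them, and policy decisions as endpoint state changes."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

EMS_ID = "FCTEMS0000110975"  # constructed, in the lab's address-name style

@dataclass
class Endpoint:
    name: str
    os: str
    ad_groups: Set[str]
    connected: bool = True          # FortiClient telemetry reaching EMS
    identity: Optional[str] = None  # "User Specified", "LinkedIn", ... or None

@dataclass
class Condition:
    rule_type: str        # "OS", "AD Group", "Managed" or "User Identity"
    value: str = ""
    negate: bool = False  # the rule's NOT option

    def matches(self, ep: Endpoint) -> bool:
        if self.rule_type == "OS":
            hit = ep.os == self.value
        elif self.rule_type == "AD Group":
            hit = self.value in ep.ad_groups
        elif self.rule_type == "Managed":
            hit = ep.connected
        elif self.rule_type == "User Identity":
            hit = ep.identity == self.value
        else:
            raise ValueError(f"unsupported rule type: {self.rule_type}")
        return hit != self.negate

@dataclass
class VerificationRule:
    name: str
    tag: str
    conditions: List[Condition]

    def satisfied_by(self, ep: Endpoint) -> bool:
        return all(c.matches(ep) for c in self.conditions)  # every condition must match

def evaluate_tags(rules: List[VerificationRule], ep: Endpoint) -> Set[str]:
    """Tags EMS would list in Host Tag Monitor; assumption: no telemetry, no tags."""
    return {r.tag for r in rules if r.satisfied_by(ep)} if ep.connected else set()

def dynamic_addresses(rules: List[VerificationRule], endpoints: List[Endpoint]):
    """FortiGate view: one read-only address object per tag and its member endpoints."""
    addrs: Dict[str, Set[str]] = {f"{EMS_ID}_{r.tag}": set() for r in rules}
    for ep in endpoints:
        for tag in evaluate_tags(rules, ep):
            addrs[f"{EMS_ID}_{tag}"].add(ep.name)
    return addrs

@dataclass
class Policy:
    name: str
    source: str       # dynamic address name, or "all"
    destination: str  # lab network name: "HR", "Marketing" or "Internet"
    action: str = "ACCEPT"

def lookup(policies: List[Policy], addrs: Dict[str, Set[str]], ep: Endpoint, dst: str) -> str:
    """First matching policy wins; no match falls through to the implicit deny."""
    for p in policies:
        src_ok = p.source == "all" or ep.name in addrs.get(p.source, set())
        if src_ok and p.destination == dst:
            return p.action
    return "DENY"

# The three rules and the three tag-based FGT-ISFW policies built in the lab.
RULES = [
    VerificationRule("Trusted_Windows_PC", "Trusted_PC_Tag",
                     [Condition("OS", "Windows"), Condition("Managed")]),
    VerificationRule("Sales_User", "Sales_User_Tag",
                     [Condition("OS", "Windows"), Condition("AD Group", "Sales")]),
    VerificationRule("User_Identity", "User_Specified_Tag",
                     [Condition("OS", "Windows"),
                      Condition("User Identity", "User Specified")]),
]
POLICIES = [
    Policy("To HR Network", f"{EMS_ID}_Trusted_PC_Tag", "HR"),
    Policy("To Marketing Network", f"{EMS_ID}_Sales_User_Tag", "Marketing"),
    Policy("To Internet", f"{EMS_ID}_User_Specified_Tag", "Internet"),
]

def access_matrix(ep: Endpoint) -> Dict[str, str]:
    addrs = dynamic_addresses(RULES, [ep])
    return {d: lookup(POLICIES, addrs, ep, d) for d in ("HR", "Marketing", "Internet")}

def lab_walkthrough() -> Dict[str, Dict[str, str]]:
    """Alice's access at each stage of the lab (constructed endpoint)."""
    alice = Endpoint("Alice-PC", "Windows", {"Domain Users", "Sales"})
    stages = {"connected": access_matrix(alice)}
    alice.connected = False                                   # FortiClient > Disconnect
    stages["disconnected"] = access_matrix(alice)
    alice.connected, alice.identity = True, "User Specified"  # reconnect, submit identity
    stages["identity_submitted"] = access_matrix(alice)
    return stages
```

Adding a rule with `negate=True` models the NOT option; an endpoint running Linux or with no Sales membership gets only the tags whose every condition it meets.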

Stop & Think


Out of the following, what are the different Compliance Verification Rule types supported by
FortiClient EMS? (Select all that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2
Hint Text:

Hint 1:

In the EMS console, click Compliance Verification > Compliance Verification Rules > + Add > +
Add Rule > Rule Type

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:
Answer:

All options are correct

Rule types by supported OS, with each description (the description column is cut off at the right margin in the source):

AntiVirus (Windows, macOS, Linux)
From the AV Software dropdown list, select the desired conditions. You
Software installed and running and that the AV signature is up-to-date. You can a
endpoint does not have AV software installed or running or that the AV
FortiClient AV and third-party AV software that registers to the Window
Windows Security Center of the status of its signatures. FortiClient que
third party AV software is installed and if the software reports signature
The endpoint must satisfy all configured conditions to satisfy this rule.
Only FortiClient 6.2.2+ endpoints support this rule type.

Certificate (Windows, macOS, Linux)
In the Subject CN and Issuer CN fields, enter the certificate subject and
that the rule requires that a certain certificate is not present for the endp
The endpoint must satisfy all conditions to satisfy this rule. For example
certificate B, and NOT certificate C, then the endpoint must have both c

OS Version (Windows, macOS, Linux, iOS, Android)
From the OS Version field, select the OS version. If the rule is configure
as satisfying the rule if it has one of the configured OS versions installe

Registry Key (Windows)
In the Registry Key field, enter the registry key or registry data value. E
to indicate a registry data value. You can also use the NOT option to in
data value is not present on the endpoint.
The endpoint must satisfy all configured conditions to satisfy this rule. F
key A, registry key B, and NOT registry key C, then the endpoint must h

Windows Security (Windows)
From the Windows Security dropdown list, select the desired conditions
Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard,
NOT option for the rule to require that the endpoint have Windows Defe
Application Guard, and/or Windows firewall disabled.
The endpoint must satisfy all configured conditions to satisfy this rule.
Only FortiClient 6.2.2+ endpoints support this rule type.

Answer Key:
✔ 1. Certificate
✔ 2. AntiVirus Software
✔ 3. OS Version
✔ 4. Windows Security
✔ 5. Registry Key
Index: 3.0
Use Case: FortiEDR - Advanced Protection
Objective Title: FortiEDR - Advanced Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

FortiEDR – Advanced Protection

The security team at ACME Corp must enhance its existing endpoint security solution to
prevent malware infections and data loss.
Using FortiEDR, the SOC team will find and remediate possible threats on these new users’
laptops, particularly those working in more secure areas such as accounting and finance,
without impacting critical business services.
This enhanced endpoint protection use case will include the following exercises:

• Overview of backend EDR infrastructure

• Deploying FortiEDR collector on a workstation

• Using the virtual patching feature to contain vulnerable software until it can be patched
during a scheduled upgrade (maintenance window).

• Examining malware missed by first-generation signature-based anti-virus

• Configuring pre- and post-execution scanning policies

• Event and forensics analysis of malware, PUPs (potentially unwanted programs), and
suspicious programs

• Creating exceptions, generating reports, and archiving events.

Time to Complete: 60 minutes


Index: 3.1
Use Case: Architecture and Deployment
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Before installing FortiEDR collectors on each endpoint, ACMEcorp's security
administrators must verify that the backend EDR components (core, manager, and
threat repository) are set up correctly and communicate with each other.
Once the FortiEDR backend infrastructure has been verified, the security admins will install
endpoint collectors on workstations, add them to the associated collector groups in
inventory, and then assign the appropriate policies and playbooks.

Objectives
• Overview of backend EDR infrastructure

• Deploy the EDR collector on a victim PC

Time to Complete
Estimated: 10 minutes
Index: 3.1 (a)
Use Case: Architecture and Deployment
Objective Title: Architecture and Overview
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
This objective introduces the FortiEDR solution components required to stop malicious threats.
This exercise provides additional context for future objectives.

The FortiEDR solution has several components, all of which work together to protect endpoints
at scale.

• FortiEDR Collector – a lean agent that runs on each endpoint (Windows, macOS, Linux)

• FortiEDR Core – the security policy enforcer; it determines whether an endpoint
connection request is legitimate or should be blocked.

• FortiEDR Aggregator – collects data from the collectors and passes it to the FortiEDR
Central Manager

• FortiEDR Central Manager – the central web server and backend server for viewing
and analyzing events

• FortiEDR Threat Hunting Repository – allows admins to search for and delete malware
across any of the devices.

Tasks

1. From the Lab Activity: Endpoint tab, access FortiEDR using the HTTPS option.

User name: admin Password: Fortinet1!

2. Click Dashboard. Locate the System Components widget and note the components listed
there.
Stop and Think
Key questions to ask before installing collector agents on the endpoints in your environment:

1. How are endpoints in an environment best grouped (roles, geography, departments,
etc.), and which groups might need more security controls at the application level?

2. Once an admin establishes security groupings, what types of different program
execution policies might be needed to protect those endpoints from known malicious
content and vulnerable applications?
Index: 3.1 (b)
Use Case: Architecture and Deployment
Objective Title: Deployment
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

Endpoint deployment/provisioning

1. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.

Username: ACMECORP/alice Password: Fortinet1!

2. Open the install folder on the desktop and double-click FortiEDRCollectorInstaller.

Note: The exact version might be different from the picture above.

3. Go through the install wizard. Use the default settings and click Next.
4. Leave the path set to the default, c:\program files\Fortinet\FortiEDR, and click Next.

5. Use the following collector configuration and click Install:

• Aggregator Address: 172.16.100.133

• Port: 8081

• Registration password: Fortinet1!

6. Click Yes.
7. Click Close.

8. Once installed, the FortiEDR icon should be visible in the system tray at the bottom
right of the taskbar.

9. Optional: Open a Windows command prompt and type netstat -an 10 (the trailing 10
redisplays the output every 10 seconds).

Note: There should be an established connection to 172.16.100.132 on port 555 [FortiEDR
core] and one to 172.16.100.133 on port 8081 [FortiEDR aggregator]. If either is missing,
check that the aggregator address and registration password were entered correctly.

10. From the web browser, access FortiEDR using the web console.

11. Click Dashboard. Note the green bar in the upper right, indicating that the collector is
running on the Windows 2016 (Alice) victim machine.

12. Click Inventory > Collectors to show all collectors.

Note: To avoid changing menus, you can click the green "running" bar on the dashboard
instead.

13. Make sure that the newly added endpoint (Alice) has:

• been added to the Default Collector Group, and

• a state of "running" (in green)

14. Click Security Settings > Security Policies.

15. Note that all policies are in simulation mode by default (simulation only alerts on
malicious activity; it does not block). Keep these settings for the next malware analysis
exercise.

Note: Policies toggled on (green button) are in prevention mode. Prevention mode not only
alerts on malicious activity but also actively blocks files classified as malicious or
suspicious.
Note: Policies are always in either simulation or prevention mode. However, the rules
under each policy can be disabled on a case-by-case basis.

16. Once a policy is selected, the Default Collector Group appears on the right-hand side, as
shown below.

17. Click Communication Control > Policies and do the following:

18. Check the Default Communication Control Policy.

19. Set the Fortinet policy toggle to prevention (green).

20. Click Assign Collector Group.

21. After clicking Assign Collector Group, note that the Default Collector Group box is now
set to Assigned.

22. On the right-hand side of the Policies Settings page, check that the collectors in the
Default Collector Group (which include the Alice victim PC) are assigned to the Default
Communication Control Policy.
Success

Now that the Alice victim PC has a FortiEDR collector installed and has been added to the
correct collector groups, FortiEDR can detect malicious software that runs on the machine.

Stop and Think


How might the following endpoint collector group categories work in an enterprise
environment?

• Default collector group (default group for newly installed collectors)

• High-security collector group (used by EDR playbooks to isolate infected systems for
forensic analysis)

• Working groups (temporarily in simulation mode during early deployment)

• Simulation group (used for troubleshooting, for a short period)

Question:

A user calls the help desk and cannot print. What can be done by the help desk to see if
FortiEDR is impacting the printing process?
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint

The user needs to be put in a group that doesn't restrict them but simulates the restrictions,
so that the help desk can look at what events are being generated.
This will help determine which communication control rule might be preventing the print job.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

Simulation (Notification Only): FortiEDR only issues an alert for connections that violate a
rule in a FortiEDR security policy. In simulation mode, FortiEDR does not secure
communications. FortiEDR comes pre-configured in simulation mode; this mode is useful for
troubleshooting, but it provides no protection until it is switched to prevention mode.

Answer Key:
✔ 1. Simulation group
✘ 2. High security group
✘ 3. Printing security group
Index: 3.2
Use Case: Advanced Protection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

ACMEcorp’s security admins must reduce their attack surface by stopping advanced
malware and virtually patching healthcare and point of sale workstations until the next
scheduled maintenance.
Because threat actors target users with custom malware, ACMEcorp’s endpoint
protection solution must detect malware without relying only on legacy signature-based
solutions that depend on hashes, as would be the case with first-generation endpoint
products. ACMEcorp must also defuse critical vulnerabilities in older and unpatched
workstations in a way that does not disrupt business continuity.
Security admins at ACMEcorp would like to stop all advanced malware from initially
executing on endpoint clients. For the files allowed to run, the ACMEcorp security team
would like to inspect, record, and block malicious behaviors.

Objectives

• Analyze modified malware

• Create pre-execution security policies

• Virtually patch low-reputation and vulnerable applications

• Apply post-execution (exfiltration prevention and ransomware prevention) security
policies to catch malware that is allowed to run.

Time to Complete
Estimated: 25 minutes
Index: 3.2 (a)
Use Case: Advanced Protection
Objective Title: Malware Analysis
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Because threat actors target executives with custom malware, ACMEcorp’s endpoint protection
solution must detect malware without relying only on legacy signature-based solutions that
depend on hashes, as would be the case with first-generation endpoint products.

Tasks

To demonstrate how FortiEDR's pre- and post-execution rules detect modified malware, we will
append characters to a known malicious file to change its hash and confirm that the hash-based
signature no longer matches in ClamWin (a first-generation open source antivirus tool) or at
VirusTotal (a cloud-based multi-engine scanning service).

After modifying the executable, we will use PE Studio to find suspicious artifacts and compare
the modified executable (with the new hash, due to the appended string) to the original
malware.

Note: Manually typing the following commands is optional, as there is a Windows batch file,
signature-change.bat, on the desktop that runs through the commands below with comments, as
well as a signature-change.txt file that is copy/paste friendly.

Be sure to set the pre-execution policy to simulation to allow signature-change.bat to run
correctly.

1. In FortiEDR, toggle the security policies back to simulation (Security Settings > Security
Policies > Execution Prevention).
Note: For good measure, confirm that the security policies are assigned to the collector group
as demonstrated below (check the policy, click Assign Collector Group, and then assign it to
the right collector group, Default Collector Group).

Note: The side Collector Group Assignment window does not appear unless you check a box or
expand the policy. When set to simulation mode, FortiEDR still detects the malware but does
not block it on the client (FortiEDR collector). After this exercise, you should see the
corresponding events in the FortiEDR manager.

2. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.
3. On Alice, open the Windows command prompt (CMD) and enter the command

cd c:\program files (x86)\clamwin\bin

4. Next, enter the following command

sigtool.exe --sha1 c:\reports\tpsreport.exe > c:\programdata\.clamwin\db\tpsreport.hdb

Note: sigtool.exe is included with ClamWin. It prints a hash-based signature for the known
malicious file in ClamAV's hash:size:name format, and the redirect saves that line as a
signature database. Long options take two dashes (--sha1), not one.

5. Next, enter the following command to scan the directory using the newly generated
signature (again, the --database option takes two dashes, as seen in the output
example)

clamscan.exe --database="c:\programdata\.clamwin\db\tpsreport.hdb" c:\reports

6. Type the following command to examine the hash of the file using certutil (note: single
dash, not double dash; with no algorithm argument, certutil prints the SHA1 hash)

certutil -hashfile c:\reports\tpsreport.exe

7. Enter the following command to change directory to c:\reports

cd c:\reports

8. Now make a copy of TPSreport.exe by entering the following command

copy TPSreport.exe TPSreport-fasttrack.exe

9. Append the string "fasttrack" to the newly named file by entering the following command
(cmd's echo writes the quotes and a trailing CRLF as well, so 13 bytes are appended)

echo "fasttrack" >> TPSreport-fasttrack.exe

10. Enter the following two commands and note the different SHA1 hash

certutil -hashfile TPSreport.exe

certutil -hashfile TPSreport-fasttrack.exe

Note: The modified file is no longer matched by the hash signature: the signature records
the exact file size and digest, and appending even one byte changes both. The following
commands show ClamAV reporting no infection for the copy.

cd c:\program files (x86)\clamwin\bin

clamscan.exe --database="c:\programdata\.clamwin\db\tpsreport.hdb" c:\reports


11. Open Frhed (a hex editor located on the Alice victim machine desktop).

12. Click File > Open (or use the shortcut Ctrl-O).

13. Open the file c:\reports\TPSreport-fasttrack.exe and note the "fasttrack" string at the
end of the file.

Note: The FortiEDR pre-execution rules sometimes prevent opening this file in a hex editor.
If so, return to FortiEDR and set the Execution Prevention policy to simulation mode to
complete this exercise.
Note: A simple modification like this might not thwart all commercial scanners that use
non-signature-based detection, such as file heuristics or static analysis. The next steps
demonstrate how one might look inside a file to find questionable components.
14. Click and open PE Studio (icon on the Windows desktop).

15. Click File > Open and enter c:\reports\TPSreport-fasttrack.exe

Note: The FortiEDR pre-execution rules sometimes prevent opening this file in PE Studio. If
so, return to FortiEDR and set the Execution Prevention policy to simulation mode to
complete this exercise.
Note: Wait about a minute for PE Studio to inspect the code and find the malicious artifacts.
After some time, items in the left panel will turn red.

16. Click Indicators on the left and note the blacklisted items inside the file (levels 1, 2, 3).

17. Click Imports on the left panel and note the blacklisted items (x).
18. Click Strings on the left panel and note the blacklisted strings (x).

19. OPTIONAL: Now open PE Studio again (new instance).

20. OPTIONAL: Open c:\reports\TPSreport.exe and compare it with
c:\reports\TPSreport-fasttrack.exe side by side, similar to the layout below.
Note: Simply appending a few characters to the end of the file may evade some
signature-based antivirus engines registered with VirusTotal, even though PE Studio clearly
shows the same malicious-looking components inside. The appended bytes sit past the last
section as an overlay, which is itself an artifact a static analyzer can flag.

Note: If there is a delay with PE Studio connecting to VirusTotal, manually search for the
hashes on www.virustotal.com. PE Studio depends on open access to the free VirusTotal API,
which sometimes times out with excessive use.
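The steps above show the effect by hand. The following Python script, added here as an illustration and not part of the lab or of any Fortinet or ClamAV tool, reproduces it offline: it builds a minimal, parseable (not loadable) PE image as a constructed stand-in for tpsreport.exe, writes a digest:size:name signature in the same shape as the sigtool --sha1 output, appends the 13 bytes that cmd.exe's echo "fasttrack" >> file actually writes, and then shows that the hash signature no longer matches while a structure-aware check (hashing only the section bodies, and reporting bytes past the last section as an overlay) still ties the copy to the original. The PE builder, the field layout and the overlay logic are this example's own; the assumption about the signature format is that it records both digest and file size, as sigtool prints it.

```python
"""Hash-signature evasion vs. structure-aware inspection (constructed example).

Builds a tiny parseable PE image, signs it the way `sigtool --sha1` does
(digest:size:name), appends what `echo "fasttrack" >> file` writes under cmd.exe,
and shows that the hash signature misses while the code section is unchanged
and the appended bytes are visible as an overlay past the last section.
"""
import hashlib
import struct

PE_OFFSET = 0x40      # where the "PE\0\0" signature lands in the constructed file
FILE_ALIGN = 0x200    # raw data alignment used for the single section


def build_minimal_pe(code: bytes) -> bytes:
    """Return a minimal PE32 image with one .text section containing `code`.
    Only the fields a static parser reads are populated; it is NOT loadable.
    This is a constructed stand-in for the lab's tpsreport.exe."""
    opt_size = 0x60
    # COFF header: Machine(i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zero
    headers_len = PE_OFFSET + 4 + len(coff) + opt_size + 40
    raw_ptr = -(-headers_len // FILE_ALIGN) * FILE_ALIGN     # round up to alignment
    raw_size = -(-len(code) // FILE_ALIGN) * FILE_ALIGN
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", PE_OFFSET)).ljust(PE_OFFSET, b"\0")
    image = dos + b"PE\0\0" + coff + optional + section
    return image.ljust(raw_ptr, b"\0") + code.ljust(raw_size, b"\0")


def sections(image: bytes) -> list:
    """Parse the section table; returns [(name, raw_offset, raw_size), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode(), rptr, rsize))
    return out


def overlay(image: bytes) -> bytes:
    """Bytes past the end of the last section's raw data (what PE Studio calls
    the overlay). Empty for a clean build, non-empty after an append."""
    end = max((ptr + size for _, ptr, size in sections(image)), default=0)
    return image[end:]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hash_signature(data: bytes, name: str) -> str:
    """Same shape as `sigtool --sha1 <file>` prints: digest:size:name."""
    return f"{sha1_hex(data)}:{len(data)}:{name}"


def hash_signature_matches(signature: str, data: bytes) -> bool:
    """A hash signature matches only on identical size AND digest."""
    digest, size, _name = signature.split(":", 2)
    return int(size) == len(data) and digest == sha1_hex(data)


def section_hash(image: bytes) -> str:
    """SHA-1 over the section bodies only, ignoring headers and overlay, so an
    appended tail does not change it."""
    h = hashlib.sha1()
    for _, ptr, size in sections(image):
        h.update(image[ptr:ptr + size])
    return h.hexdigest()


# cmd.exe's `echo "fasttrack" >> file` appends the quotes and a CRLF as well.
CMD_ECHO_APPEND = b'"fasttrack"\r\n'


def demo() -> dict:
    original = build_minimal_pe(b"\x90" * 32 + b"\xc3")  # constructed "malware" body
    modified = original + CMD_ECHO_APPEND
    sig = hash_signature(original, "tpsreport")
    return {
        "hash_matches_original": hash_signature_matches(sig, original),
        "hash_matches_modified": hash_signature_matches(sig, modified),
        "sections_unchanged": section_hash(original) == section_hash(modified),
        "overlay": overlay(modified),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The section-only hash is the simplest form of the idea behind structural and fuzzy hashing: match on the parts of the file that carry the behaviour, not on the whole byte stream. It is still defeated by changes inside a section, which is why the PE Studio indicators (imports, strings, anomalies) and FortiEDR's behavioural rules matter more than any single digest.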

Stop and Think


In your environment, ask yourself two key questions:

• What defenses are in place if threat actors sent your company’s executives custom
made malware?

• Which lines of defense (firewalls, secure email gateways, desktop AV) might depend on
signature-based protection in detecting malware?

The limitations of signature-based solutions compel security admins to think more carefully
about pre- and post-execution policies on protected endpoints. Using FortiEDR, we can prevent
malicious files from executing, or allow them to execute and safely record their interactions
with the operating system and other files.

Question:
Which of the following artifacts might be helpful when initially analyzing malware with a tool
like PE Studio (choose all that apply)?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint 1

Malicious software often attempts to hide its intents in order to evade early detection and
static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies
and other valuable indicators.

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer

Malicious software often attempts to hide its intents in order to evade early detection and
static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies
and other valuable indicators.

Answer Key:
✔ 1. suspicious patterns
✔ 2. unexpected metadata
✔ 3. anomalies
Index: 3.2 (b)
Use Case: Advanced Protection
Objective Title: Pre-Exec Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Security admins at ACMEcorp would like to stop all malware from initially executing on
endpoint clients. The following steps will create a pre-execution security policy that prevents
malware from damaging a computer.
Rules included in this policy include:

• Detecting malicious files

• Privilege escalation exploit detection

• Suspicious drivers

• Suspicious file detection

• Suspicious script execution

• Unconfirmed file detection

Tasks

Create a pre-execution security policy


1. From the web browser, access FortiEDR using the web console.

2. In FortiEDR, click Security Settings > Security Policies and confirm policies are in prevention
mode (simulation mode was just for testing purposes in the previous exercise).
Note: All Execution Prevention rules are set to block (except for those grayed out)

3. On the right-hand side, note that Default Collector Group is in the Execution Prevention
policy

4. From the web browser, access Alice machine using the web console and open Explorer

5. In Explorer, open c:\reports\, then right-click on TPSreport-fasttrack.exe

6. Optional: If you toggle the pre-execution policy to simulation and set the post-execution
policies to prevention, you should see the following ransomware message and then a popup
from the FortiEDR collector stopping the files from actually being encrypted. Otherwise,
this message is suppressed.
7. At the bottom right-hand side, you should see the following popup, indicating that FortiEDR
has blocked the malicious process.

Note: If this file runs multiple times, the popup shows a different PID (process ID) each
time, indicating that FortiEDR allowed it to start each time and stopped the malicious
activity under the post-execution policy. While FortiEDR stops malware in both pre- and
post-execution, in some environments we may still want to allow users to open suspicious
files and then check for malicious activity afterward.

8. Close all popups (if applicable).

9. From the web browser, access FortiEDR using the web console.

10. Click Event Viewer and confirm that FortiEDR labeled the event as suspicious and stopped
the files from being renamed.
Stop and Think
How might FortiEDR pre-execution rules better protect users than legacy signature-based
antivirus solutions or sandbox solutions that first detonate malware in a virtual machine?

Question:

How might malware creators ensure that their files remain undetected in some VM sandboxed
environments?

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer

Malware creators look for the following clues that their software is being run in a virtualized
environment and not by their targeted users:
• MAC OUI

• Low CPU count / low RAM

• Screen resolution

• Recent file count, desktop file count

• Few applications, active windows, or processes

• Malware researcher tools

Answer Key:
✔ 1. MAC OUI known hypervisors (VMware etc)
✔ 2. Low CPU core count / low RAM
✔ 3. Screen resolution
✔ 4. Recent file count / Desktop file count
✔ 5. Few applications, active windows, or processes
✔ 6. Check for malware researcher tools (wireshark, procmon, sysmon, python.exe, etc)
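The clues in the answer above are exactly what a defender should check on an analysis VM before trusting that it looks like a real user's desk. The following Python script, added as an illustration and not part of the lab or of FortiEDR, reads the corresponding values on a Windows host (MAC OUI via uuid.getnode, CPU count, RAM via GlobalMemoryStatusEx, screen size via GetSystemMetrics, the Recent and Desktop folder counts, and the process list via tasklist) and scores them against the list. The OUI table, the tool names and the thresholds are this example's own choices, not values from FortiEDR; the two embedded profiles are constructed so the scoring can be exercised on any OS.

```python
"""Sandbox/VM fingerprint self-check (constructed example).

`collect_profile()` reads the live values on a Windows host; `score_profile()`
is pure, so the same scoring runs over the constructed profiles on any OS.
"""
import os
import platform
import subprocess
import uuid

# OUI prefixes (first three MAC bytes) registered to common hypervisors.
HYPERVISOR_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "00:1c:14": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}
# Process names that mark an analyst's box; python.exe is listed on purpose,
# so running this script from a stock Python install trips the tell.
ANALYST_TOOLS = {
    "wireshark.exe", "procmon.exe", "procmon64.exe", "sysmon.exe", "sysmon64.exe",
    "procexp.exe", "procexp64.exe", "x64dbg.exe", "ida64.exe", "fiddler.exe", "python.exe",
}


def collect_profile() -> dict:
    """Windows-only: gather the values via ctypes, os and tasklist."""
    import ctypes

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                    ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                    ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                    ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                    ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

    mem = MEMORYSTATUSEX()
    mem.dwLength = ctypes.sizeof(mem)
    ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(mem))
    user32 = ctypes.windll.user32
    recent = os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Recent")
    desktop = os.path.join(os.environ.get("USERPROFILE", ""), "Desktop")
    csv = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    procs = [line.split('","')[0].strip('"').lower() for line in csv.splitlines() if line]
    node = uuid.getnode()  # 48-bit MAC of one interface as an integer
    return {
        "mac": ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8)),
        "cpus": os.cpu_count() or 0,
        "ram_gb": mem.ullTotalPhys / 2 ** 30,
        "screen": (user32.GetSystemMetrics(0), user32.GetSystemMetrics(1)),  # SM_CXSCREEN/SM_CYSCREEN
        "recent_files": len(os.listdir(recent)) if os.path.isdir(recent) else 0,
        "desktop_files": len(os.listdir(desktop)) if os.path.isdir(desktop) else 0,
        "processes": procs,
    }


def score_profile(p: dict) -> list:
    """Return the sandbox tells a profile trips. Thresholds are this example's
    own choices, not values taken from FortiEDR or from the lab."""
    tells = []
    oui = p["mac"].lower()[:8]
    if oui in HYPERVISOR_OUIS:
        tells.append("mac_oui:" + HYPERVISOR_OUIS[oui])
    if p["cpus"] < 2:
        tells.append("low_cpu_count")
    if p["ram_gb"] < 4:
        tells.append("low_ram")
    if p["screen"][0] < 1024 or p["screen"][1] < 768:
        tells.append("small_screen")
    if p["recent_files"] < 10:
        tells.append("few_recent_files")
    if p["desktop_files"] < 3:
        tells.append("empty_desktop")
    if len(p["processes"]) < 40:
        tells.append("few_processes")
    found = sorted(ANALYST_TOOLS & set(p["processes"]))
    if found:
        tells.append("analyst_tools:" + ",".join(found))
    return tells


# Constructed profiles: a bare analysis VM and a lived-in user workstation.
BARE_VM = {"mac": "00:0C:29:4E:11:AA", "cpus": 1, "ram_gb": 2.0, "screen": (800, 600),
           "recent_files": 0, "desktop_files": 1,
           "processes": ["system", "explorer.exe", "wireshark.exe", "procmon64.exe"]}
WORKSTATION = {"mac": "3c:97:0e:12:34:56", "cpus": 8, "ram_gb": 16.0, "screen": (1920, 1080),
               "recent_files": 57, "desktop_files": 14,
               "processes": [f"app{i}.exe" for i in range(60)] + ["explorer.exe"]}


if __name__ == "__main__":
    profile = collect_profile() if platform.system() == "Windows" else BARE_VM
    print(score_profile(profile) or ["no sandbox tells found"])
```

Run it on a detonation or lab VM and treat each reported tell as a hardening task: more cores and RAM, a realistic resolution, seeded Recent and Desktop folders, a longer-lived process population, and monitoring tools renamed or driven from outside the guest. The values it reads are the cheap, user-mode checks; malware that goes further (CPUID hypervisor bits, timing, registry keys left by guest tools) needs the same treatment with a longer list.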
Index: 3.2 (c)
Use Case: Advanced Protection
Objective Title: Virtual Patching
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiEDR rates installed applications by the Common Vulnerability Scoring System (CVSS)
scores of their published CVEs, mapped to the National Vulnerability Database (NVD) severity
ratings (Unknown, Low, Medium, High, Critical). This gives a quick view of how exposed each
application version on an endpoint is.

As older and unpatched workstations come online, security admins at ACMEcorp must reduce
their attack surfaces and maintain business continuity. Mission-critical applications, such as
point of sale and healthcare workstations, cannot be interrupted before the next patch
maintenance window.

Tasks

Virtually Patch Endpoints Running Vulnerable or Low-reputation Software.


1. From the web browser, access FortiEDR using the web console.

2. Click Inventory > Collectors

3. Ensure that the Alice victim PC is in Default Collector Group

4. From the web browser, access Alice machine using the web console.

5. Next, open the install folder on the desktop and install the 2013 version of Opera (already
downloaded from https://ftp.opera.com/ftp/pub/opera/desktop/). Click the Opera exe file
(v15) and click Accept and Install.
6. On the Alice victim PC, open Opera. You should be able to surf the web with no
problems.

Note: the start-up page this version displays is a 404 (not found), but other pages work.

7. Confirm that the Opera version is v15.0 (circa 2013): in the upper left-hand corner, pull
down the Opera menu and select About Opera.
Note: In the background, Opera runs an updater to upgrade from version 15, so if you
close this browser and re-open it, you may see a version other than 15.0.

8. From the web browser, access FortiEDR using the web console.

9. Click Communication Control > Applications.

10. Under Applications, note that the FortiEDR collector has registered Opera version 15.0.

Note: If you do not see the Opera Internet Browser, make sure that the applications view is
set to All in the upper left of the display. If the wrong application filter is on, you will
only see a subset of applications.
11. From the web browser, access the Alice machine using the web console and close the
Opera browser.

12. In the files folder on the desktop, right-click the v42 version of Opera, select Run as
administrator, and then click Accept and Upgrade.
13. Once Opera opens again, confirm that the version number has been upgraded to 42.0
(Menu > About Opera).
Note: On the desktop is a modified O icon that indicates Opera has gone from version 15
to version 42.0. Now that v42.0 has been opened, the FortiEDR collector registers it as a
new application.
14. From the web browser, access FortiEDR using the web console.

15. Go to Communication Control > Applications and note the updated version (42) as well as
the previous older version (15).

Note: Version 42.0 will not show up in Communication Control until the new version of Opera
has been executed on the Alice victim host. Be sure to open it on the endpoint before going
to Communication Control > Applications.

Note: If neither Opera version is showing up in Communication Control, confirm that the
All Applications option is selected in the top left.

16. Check the checkbox for version 15 of Opera Internet Browser.

17. Click Modify Action.

18. Under Modify Action (for Opera v15), pull down the menu for Default Communication
Control Policy and select Deny.

19. Click Save.

Note: On the right-hand side of the screen (in Application Details), the Default Communication
Control Policy was set to Allow. By saving this Deny action, FortiEDR prevents the older (v15)
version from connecting to the Internet but allows later (more secure) versions to function as
expected. The application itself still runs locally; only its network access is cut. This
reduces the attack surface of systems that cannot afford downtime for software patches (point
of sale, OT, kiosks, etc.).

Success
Your Opera browser (v42) should now communicate with the Internet. Any other workstation in
this collector group and policy would be unable to reach the Internet with Opera v15.

Stop and Think


Many departments in your environment cannot tolerate downtime associated with patch
updates. If there is a critical vulnerability in an application, Communications Control reduces
risk until the next maintenance window.

Question:

Which of the following issues could NOT be addressed with FortiEDR’s Communication Control?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 0

Hint Text:

Hint 1

Communication Control allows or denies applications from communicating to other hosts.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 0
Hint Text:

Hint 2

Applications that are “virtually patched” still can run locally.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

A user playing an offline game – Communications control allows programs to safely run locally,
just not communicate with other hosts until allowed by policy.
All of the other scenarios listed would be stopped by FortiEDR communication control policies.

Answer Key:
✘ 1. users running outdated versions of a program with known vulnerabilities
✘ 2. a user installs an open source program, but company policy prohibits because of the risk
of outbound communication
✘ 3. A user in finance installing an insecure file sharing program
✔ 4. A user is playing offline games during a meeting
Index: 3.2 (d)
Use Case: Advanced Protection
Objective Title: Post-Exec Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

The post-execution policies (Exfiltration Prevention and Ransomware Prevention) give security
admins an additional safety net for detecting highly advanced malware: the collector records
host-level details of a program's behavior after it has been allowed to run, such as suspicious
file encryption and data leaks.

The ACMEcorp security team would like to inspect and block malicious behaviors on files
allowed to execute.

Tasks

In this lab, instead of stopping malware before it runs, pre-execution policies will log only, and
the post-execution security policy will catch malicious files.

Configure Post Execution Security Policy


1. From the web browser, access FortiEDR using the web console.

2. Click Security Settings > Security Policies


3. Set the Execution Prevention policy to Simulation (toggled to gray, not green).

4. When prompted by the Policies Mode Change box, select Set to Simulation.

5. Look to the right-hand side and ensure that the Default Collector Group is attached to
these policies.
6. From the web browser, access Alice machine using the web console.

7. Open File Explorer to c:\reports

8. Right-click the TPSreport-fasttrack.exe file and select Run as administrator.

9. Clear the popup windows (malware alert and FortiEDR alerts).

10. From the web browser, access FortiEDR using the web console.

11. In the Event Viewer, confirm that TPSreport-fasttrack.exe was tagged as suspicious and
that its malicious activity was blocked by the post-execution policy (pre-execution is in
simulation, so the file was allowed to start).

12. On the right-hand side, confirm that the file was classified post-execution as ransomware.
13. From the web browser, access Alice machine using the web console and open File Explorer.

14. In File Explorer, go to c:\reports

15. Double-click the dynamiccode64.exe file. (The resulting event will be analyzed in the next exercise.)

Stop and Think


By recording what files do, how might we identify APT (advanced persistent threats) that move
laterally in a network?
Index: 3.3
Use Case: Events, Forensics, and Reports
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

PUPs (potentially unwanted programs) pose potential problems to security-conscious
organizations.
Acme Corp admins will use FortiEDR to inspect raw events and gather more information
on how PUPs communicate with local files and remote hosts. This information will
then help analyze and classify potentially malicious events.
Once Acme Corp's security admins make a decision, they will generate reports that
document their choices and, in some cases, create exceptions for executables, which
allow certain processes to execute without creating future events.

Objectives

• Install PUPs on a victim machine.

• Analyze events generated by installed programs

• Forensically analyze what executed programs have done

• Create exceptions, reports, and archiving handled events.

Time to Complete
Estimated: 25 minutes
Index: 3.3 (a)
Use Case: Events, Forensics, and Reports
Objective Title: PUPs and Suspicious Files
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Tasks

The files in this exercise are not technically malware, but they may pose risks to
security-conscious enterprises: they may communicate with hosts in other countries or serve as
a platform for other potentially unwanted programs.

1. From the web browser, access Alice machine using the web console.

2. Open the install folder on the desktop and right-click the DriverEasy_Setup.exe file.

3. Select Run as administrator.

• Language: English

4. Click Install Now. (Note the FortiEDR popup message saying it was blocked.)
5. Close both the installation screen and the FortiEDR alert message.

Note: There may be several popup alerts, one per PID, as the program tries to start multiple
times.

6. In the install folder on the desktop, right-click the SteamSetup.exe file and run it as
administrator.

7. Run through the install wizard screens:

• Welcome screen

• Language: English

• Install location: c:\program files\steam

8. When the FortiEDR popup appears, click Got It, then click Finish on the Steam wizard.

9. Let Steam update (or cancel).

10. Once Steam updates and opens, close it (close button in the upper right-hand corner).
Stop and Think
Netsh, which DriverEasy makes use of, is a built-in Windows command-line scripting utility that
displays or modifies the network configuration of the computer it runs on. Steam is a
gaming platform safely used by millions of home users.

Why might these be problematic on computers in an enterprise environment?

Question:

Which of the following tools might be a problem for users in enterprise environments?

----------------------- Answer Section -----------------------

Answer: checkbox
Answer Text:

Answer

All of the tools below are generally considered questionable for most enterprise users
(excluding appropriate IT and security employees)

• Netcat

• Wireshark

• Nmap

• Nessus

• IRC

Answer Key:
✔ 1. nc (netcat)
✔ 2. wireshark
✔ 3. nmap
✔ 4. nessus
✔ 5. irc
Index: 3.3 (b)
Use Case: Events, Forensics, and Reports
Objective Title: Event Analysis
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

1. From the web browser, access FortiEDR using the web console.

2. Click the Event Viewer module at the top of the screen.

Note: You should see the alerts generated by the previous exercise. These non-archived
alerts are aggregated by process, and one alert can comprise multiple raw events.

3. Click each alert and note the Device on which the event was detected.

4. Find and click the endpoint device (Alice) to see the alerts associated with it.
• DriverEasy.exe classified as Inconclusive
• SteamService.exe classified as PUP

Note: Your classifications may be slightly different, as FortiEDR needs additional
context to label a file as PUP or malicious.
5. On the right side of the EDR GUI in the CLASSIFICATION DETAILS pane, click the triangle ( )
in the Triggered Rules window next to the Unconfirmed Executable to expand it for more
details.

Note: The Exfiltration Prevention engine triggered the Unconfirmed Executable –
Executable File Failed Verification rule for the DriverEasy.exe process. The rule's details link
this behaviour to MITRE ATT&CK techniques such as Credential Dumping and Input Capture.

The FortiEDR solution indicates the rule that triggered an event and detailed information about
the rule (a description of the rule, the MITRE techniques and possible remediation steps). This
information helps bridge knowledge gaps and helps SOC admins quickly remediate and
resolve issues.

6. At the bottom left corner of the screen, click the triangle ( ) in the ADVANCED DATA pane
to expand it and show the Event Graph and Geo Location data related to the highlighted event.
Note: Geo Location may not be shown in some cases.

This graph shows the point at which FortiEDR blocked the DriverEasy.exe process and all the
steps leading up to it. This event in particular included:

• Chrome.exe created the process DriverEasy_Setup.exe


• DriverEasy_Setup.exe created the process DriverEasy_Setup.tmp
• DriverEasy_Setup.tmp created the process DriverEasy.exe
• DriverEasy.exe attempted to make a connection to 172.217.1.110 but was blocked.

Note: the yellow bug icon on the card for the connection attempt shows which rule was
broken at which step. These icons change based on the classification of the event.

7. If Geo Location is in the ADVANCED DATA pane, click it.

8. On this screen you may see an attempted connection to an IP address. For example, the IP
address 172.217.1.110 belongs to Google in the United States.
9. Click the triangle ( ) next to ADVANCED DATA to minimize the pane once again.
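
The Event Graph above is FortiEDR drawing the ancestry of the blocked process from its raw events. The following added example (not FortiEDR code) reconstructs the same thing from a constructed set of raw events that mirrors the DriverEasy chain: it groups blocked raw events into one alert per process, walks parent PIDs to rebuild the chrome.exe -> DriverEasy.exe chain, and picks out the first rule violation and the blocked destinations. The field names (pid, ppid, action, blocked), the PIDs and the SteamService.exe destination are assumptions, not FortiEDR's export format.

```python
"""Reconstruct an Event Viewer alert and its Event Graph chain from raw events.

Added example, not FortiEDR code. RAW_EVENTS is constructed to mirror the lab's
DriverEasy chain; the field names and PIDs are assumptions.
"""
from collections import defaultdict

# Constructed raw events for device Alice, in the order they were received.
RAW_EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 900, "process": "chrome.exe",
     "action": "process_create", "target": "DriverEasy_Setup.exe", "blocked": False},
    {"id": 2, "pid": 3100, "ppid": 1200, "process": "DriverEasy_Setup.exe",
     "action": "process_create", "target": "DriverEasy_Setup.tmp", "blocked": False},
    {"id": 3, "pid": 3140, "ppid": 3100, "process": "DriverEasy_Setup.tmp",
     "action": "process_create", "target": "DriverEasy.exe", "blocked": False},
    {"id": 4, "pid": 3188, "ppid": 3140, "process": "DriverEasy.exe",
     "action": "wmi_access", "target": "winmgmt", "blocked": True},
    {"id": 5, "pid": 3188, "ppid": 3140, "process": "DriverEasy.exe",
     "action": "connect", "target": "172.217.1.110:443", "blocked": True},
    {"id": 6, "pid": 4000, "ppid": 900, "process": "SteamService.exe",
     "action": "connect", "target": "203.0.113.20:443", "blocked": True},  # constructed address
]


def process_table(events):
    """pid -> (process name, parent pid), from the first event that mentions each pid."""
    table = {}
    for ev in events:
        table.setdefault(ev["pid"], (ev["process"], ev["ppid"]))
    return table


def process_chain(events, pid):
    """Ancestry of `pid`, root first: the left-to-right steps of the Event Graph / Stacks View."""
    table = process_table(events)
    chain, seen = [], set()
    while pid in table and pid not in seen:   # stop at an unknown parent or a pid cycle
        seen.add(pid)
        name, pid = table[pid]
        chain.append(name)
    return chain[::-1]


def aggregate_alerts(events):
    """One alert per (process, pid) holding the ids of its blocked raw events, the way the
    Event Viewer aggregates them; unblocked creation events are context, not alerts."""
    alerts = defaultdict(list)
    for ev in events:
        if ev["blocked"]:
            alerts[(ev["process"], ev["pid"])].append(ev["id"])
    return dict(alerts)


def first_violation(events, pid):
    """The raw event at which a rule first fired for `pid`: the red dot in Stacks View."""
    return next((ev for ev in events if ev["pid"] == pid and ev["blocked"]), None)


def blocked_destinations(events, pid):
    """Remote endpoints `pid` was stopped from reaching (the Destinations field of a report)."""
    return [ev["target"] for ev in events
            if ev["pid"] == pid and ev["blocked"] and ev["action"] == "connect"]


def describe_alert(events, process, pid):
    """Flatten one alert into the fields a report export lists."""
    violation = first_violation(events, pid)
    return {
        "process": process,
        "chain": " -> ".join(process_chain(events, pid)),
        "raw_event_ids": aggregate_alerts(events).get((process, pid), []),
        "first_violation": violation["action"] if violation else None,
        "destinations": blocked_destinations(events, pid),
    }


if __name__ == "__main__":
    for process, pid in aggregate_alerts(RAW_EVENTS):
        print(describe_alert(RAW_EVENTS, process, pid))
```

Chrome.exe stops the chain only because its parent (pid 900) never appears in the raw events; on a real collector the chain would continue up to explorer.exe or the session's logon process.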

Stop & Think

Events in FortiEDR can be organized by either processes or devices, depending on which view is
selected. When might each view help investigate security events?

(Note: Some events may not need immediate attention, yet a SOC admin might click on them to
get more information before moving on to another event. This can lead to a mixture of read
and unread events within the Event Viewer. Clicking the filter at the top of the list ( )
allows you to hide some events, including the Read events.

If multiple admins are using the system, the read/unread status is local to the individual admin
and not system-wide. The upcoming objective will demonstrate how to use the Handled and
Archive statuses, which are system-wide flags.)

Question: When does an Alert or Device change its status from Unread to Read? (Pick one)
----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. Once any event within the alert has been read
✔ 2. Once all events within the alert have been read
✘ 3. When the alert has been flagged as Handled
✘ 4. After you exit from the FortiEDR Manager GUI
Index: 3.3 (c)
Use Case: Events, Forensics, and Reports
Objective Title: Forensics
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

1. From the web browser, access FortiEDR using the web console.
2. Click Event Viewer.

3. Now, click the triangle ( ) for the DriverEasy.exe event to dive into the Raw Event Details
screen.

4. You will see the raw events, each with its own ID.

5. At the bottom of the screen, click the triangle ( ) to expand the ADVANCED DATA pane
showing the Event Graph and Geo Location information (if visible).
6. Click each raw event to view its details more closely. Notice how FortiEDR
blocked multiple events, including:

• Access to the WMI service

• An attempt to connect to the internet

• A connection to the IP address (172.217.3.142 in the example screenshot)


7. Click the back button ( ) to return to the Events List.

8. Click the checkbox ( ) for the DriverEasy.exe event and then click the Forensics button
Note: You will be in the Flow Analyzer View, similar to the Event Graph available from the
Event Viewer tool.

9. Click the Stacks View icon ( ) in the upper right corner of the screen.

Note: There is a lot of detailed information about the event available here in Forensics
under the Stacks View. Each of the steps leading up to the event will be listed and can be
clicked.

Start with the first PARENT PROCESS CREATION step and work your way to the right.
Pieces of information useful for deciding whether the event is safe or malicious include:

• Source Process

• Company

• Target

• Executable File Name

• Certificate

• Hash

Note: In the last raw event, you’ll notice the red dot ( ) on the top line for the executable
DriverEasy.exe. This dot indicates where the rule was violated that created the event.
On the far right, click the three vertical dots icon ( ) next to the violating process's hash.

10. Select VirusTotal


11. This will open a new tab in the browser to the VirusTotal.com website for the entry
matching the hash.

Note: VirusTotal does not provide a definitive answer regarding the safety of a hash.
However, it is a reputable source that helps you make an educated decision when combined with
additional context.

12. Close the VirusTotal browser tab.

13. Return to the Event Viewer by clicking the tab at the top of the screen.
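
The Stacks View's Certificate and Hash fields, and the rule name Executable File Failed Verification, both come down to two checks you can repeat off the console: does the binary carry an Authenticode signature block at all, and what does its whole-file SHA-256 resolve to. The added example below (not FortiEDR code) builds two tiny PE32+ images in memory (constructed stand-ins, not the DriverEasy binaries), locates the certificate table through the PE security data directory, computes the SHA-256 and forms the public VirusTotal URL for it, which is the same lookup the three-dots menu performs. The `build_minimal_pe` helper is an assumption for the sake of a runnable example; on a real file you would pass `open(path, "rb").read()` instead.

```python
"""Hash and signature-presence checks behind the Stacks View Certificate/Hash fields.

Added example, not FortiEDR code. The PE images are constructed in memory.
"""
from __future__ import annotations

import hashlib
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (file offset, size) of the certificate table; (0, 0) means no signature block.
    Unlike the other data directories, this entry holds a raw file offset, not an RVA."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20              # after the signature and the COFF file header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic == PE32_MAGIC:
        dirs = opt_hdr + 96                  # PE32: directories start 96 bytes into the optional header
    elif magic == PE32PLUS_MAGIC:
        dirs = opt_hdr + 112                 # PE32+: 112 bytes in
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)


def has_authenticode(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE block is present. Presence is not validity: an expired,
    revoked or untrusted signature also fails verification and needs a real verifier
    (signtool verify /pa, Get-AuthenticodeSignature) to judge."""
    offset, size = security_directory(data)
    return size > 0 and offset + size <= len(data)


def certificate_type(data: bytes) -> int | None:
    """wCertificateType of the first WIN_CERTIFICATE entry (0x0002 = PKCS#7 SignedData)."""
    if not has_authenticode(data):
        return None
    offset, _ = security_directory(data)
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type


def sha256_hex(data: bytes) -> str:
    """Whole-file SHA-256, the hash VirusTotal indexes. It differs from the Authenticode
    hash, which skips the checksum field, the security directory entry and the cert table."""
    return hashlib.sha256(data).hexdigest()


def virustotal_url(sha256: str) -> str:
    """Public VirusTotal page for a file hash."""
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def build_minimal_pe(cert_size: int = 0) -> bytes:
    """Constructed PE32+ image with no sections; cert_size > 0 appends a dummy
    WIN_CERTIFICATE at file offset 0x200 and points the security directory at it."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\x00" * 110        # fields before the directories
    dirs = [(0, 0)] * 16
    if cert_size:
        dirs[SECURITY_DIR_INDEX] = (0x200, cert_size)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    image = (dos + b"PE\0\0" + coff + opt).ljust(0x200, b"\x00")
    if cert_size:
        image += struct.pack("<IHH", cert_size, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        image += b"\x00" * (cert_size - 8)                          # placeholder PKCS#7 body
    return image


if __name__ == "__main__":
    for label, image in (("unsigned", build_minimal_pe()), ("signed", build_minimal_pe(64))):
        digest = sha256_hex(image)
        print(f"{label:8} authenticode={has_authenticode(image)} "
              f"type={certificate_type(image)} sha256={digest}")
        print("   ", virustotal_url(digest))
```

An unsigned binary is the trivial way to fail verification; a signed one can still fail, so treat `has_authenticode` as a triage filter and let the console's Certificate field (or a real signature verifier) make the final call.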

Stop & Think

Question: You have loaded an event to the Forensics tab and now want to add another event
for comparison. What is the best way to do this? Feel free to try this in your environment.
Hint – As part of the process, look for this icon
----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. You can only view one event at a time in the Forensics tab
✔ 2. Go to the Event Viewer tab, select the second event and click the Forensics button to
load it into the Forensics tab
✘ 3. Go to the Event View tab and choose both events then click the Forensics tab
✘ 4. Click Add in the Forensics tab
Index: 3.3 (d)
Use Case: Events, Forensics, and Reports
Objective Title: Exceptions, Reports, and Archiving
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Tasks

1. On the Event Viewer page, find and click the alert for device Alice.
2. Click the checkbox on the left for the DriverEasy.exe event
3. At the top of the screen, choose the Export pull-down menu and select PDF

Note: In the above example, only the events in view are exported to PDF. In many
environments, auditors may require PDF exports of all events, including archived ones.
4. A pop-up window shows the report being generated. Once it is finished, click the
Download link to save a copy of the report.
5. At the bottom of the browser, click the saved PDF file to preview the report.
6. In the report, we have the most pertinent information about the event, including the ID,
which can be used to help locate the event later if we ever need to review it again:

• ID

• Device

• Process

• Classification

• Destinations

• Received

• Action

• Policies and Rules

7. Close the browser tab for the report to return to the FortiEDR interface.
8. Click the Close button to close the pop-up window
9. Click the DriverEasy.exe event so that it expands, and you can see the User, Certificate, full
Process Path, and the number of Raw data items.

10. Click the Create Exception icon ( ) to the left of the User field.

11. In the pop-up window, create the new exception with the following values, then click the
Create Exception button.

• All groups

• All destinations

• Expand Advanced and select Current Path


12. Click the DriverEasy.exe event again and click the Handle Event button at the top of the
screen.

Note: Clicking the little flag next to each event also handles events.
13. A pop-up window will display. Set the following fields and click the Save and Handled
button.
• Set the Classification to Safe

• Check the Archive When Handled checkbox

14. The archived event now disappears from the Events List.
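
The exception created in step 11 is scoped by three choices: collector groups, destinations and process path. The added example below (not FortiEDR code) models those three choices and shows what each scope silently suppresses by running constructed events through three exceptions: one that is open on every axis, the lab's own (all groups, all destinations, Current Path) and one that also pins the group and destination range. The install paths, group names, device names and IP addresses are assumptions, and the matching logic is modelled on the dialog's options rather than on FortiEDR's internals.

```python
"""Compare what differently scoped exceptions suppress.

Added example, not FortiEDR code. Paths, groups, devices and addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSTALLED_PATH = r"C:\Program Files (x86)\Easeware\DriverEasy\DriverEasy.exe"   # assumed
TEMP_PATH = r"C:\Users\alice\AppData\Local\Temp\DriverEasy.exe"                # assumed


@dataclass(frozen=True)
class Event:
    event_id: int
    device: str
    collector_group: str
    process_path: str
    destination: str            # IP the process tried to reach


@dataclass(frozen=True)
class EdrException:
    collector_groups: frozenset[str] | None   # None = all groups
    destinations: tuple[str, ...] | None      # None = all destinations, else CIDR ranges
    process_path: str | None                  # None = any path, else the Current Path option

    def matches(self, ev: Event) -> bool:
        """True when this exception would stop `ev` from raising a future event."""
        if self.collector_groups is not None and ev.collector_group not in self.collector_groups:
            return False
        if self.destinations is not None and not any(
                ip_address(ev.destination) in ip_network(net) for net in self.destinations):
            return False
        # Windows paths are case-insensitive, so compare case-folded.
        if self.process_path is not None and ev.process_path.lower() != self.process_path.lower():
            return False
        return True


def suppressed(exc: EdrException, events: list[Event]) -> list[int]:
    """Ids of the events `exc` would silence."""
    return [ev.event_id for ev in events if exc.matches(ev)]


# Constructed events: the lab's own, plus the cases a too-wide exception would hide.
EVENTS = [
    Event(101, "Alice", "Workstations", INSTALLED_PATH, "172.217.1.110"),  # the lab's event
    Event(102, "Alice", "Workstations", INSTALLED_PATH, "203.0.113.5"),    # same binary, new host
    Event(103, "Alice", "Workstations", TEMP_PATH, "203.0.113.5"),         # a copy dropped in %TEMP%
    Event(104, "Bob", "Servers", INSTALLED_PATH, "172.217.1.110"),         # same binary on a server
]

EVERYWHERE = EdrException(None, None, None)                 # all groups, all destinations, any path
LAB = EdrException(None, None, INSTALLED_PATH)              # what step 11 creates
NARROW = EdrException(frozenset({"Workstations"}), ("172.217.0.0/16",), INSTALLED_PATH)


if __name__ == "__main__":
    for name, exc in (("everywhere", EVERYWHERE), ("lab", LAB), ("narrow", NARROW)):
        print(f"{name:10} suppresses {suppressed(exc, EVENTS)}")
```

Selecting Current Path is what keeps event 103 visible: a renamed copy of the same binary running from a user-writable folder still raises an event. Pinning the destination range and group in addition keeps events 102 and 104 visible too, at the cost of a new exception if the vendor legitimately changes its update servers.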

Stop & Think

Question: What is the best practice for creating exceptions?


----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer Key:
✘ 1. Apply exception to as many paths or destinations as possible, but make sure they cover
as few users as possible
✘ 2. Always file a ticket with Fortinet before creating an exception
✔ 3. Apply exceptions to a minimal number of destinations and paths
✘ 4. Create exceptions for as many events as possible to prevent productivity inhibitors
Index: 4.0
Use Case: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Review

After completing this Fast Track module, you should now understand how:
1. FortiClient EMS protects the endpoint and integrates into the Fortinet Security Fabric for
increased visibility and control of the network.
2. FortiEDR provides endpoint protection for pre and post infection scenarios with extensive event
monitoring, alerting and forensic investigation capabilities.
Index: 4.0 (a)
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the

Proactive Advanced Endpoint Protection,
Visibility and Control for Critical Assets
Hands-On Lab

Thank You

To get more information on this or other Fortinet solutions, please consider
looking at Fortinet's NSE training.

Please take a moment to complete our short survey located in the web portal tab above.
