Labs FGI 5.2.8 v1.00
FortiGate I
Student Guide
for FortiGate 5.2.8
[Lab topology diagram: Internet, AD/DNS/DHCP server, SMTP (userX@training.lab), FortiAnalyzer, login student/fortinet; the figure also shows the addresses .1, .254 and .249 and the wan2 interface]
Objectives
Configure FortiGate network interfaces and a default route for administrative access via your lab
network, such as with web browser, Telnet or SSH client
Distinguish between encrypted and non-encrypted configuration backups
Back up and restore configuration files
Find the FortiGate model and FortiOS firmware build information inside a configuration file
Tasks
In this lab, the following tasks will be completed:
Exercise 1: Accessing the Command Line Interface (CLI)
Exercise 2: Accessing FortiGate Web Config
Exercise 3: Configuring Network Connectivity
Exercise 4: Exploring the CLI
Exercise 5: Configuring Global System Settings
Exercise 6: Performing Configuration Backup
Time to complete
Estimated: 45 minutes
This shows all words that the CLI will accept next after the get command. When the --More-- prompt
appears in the CLI, press the spacebar to continue scrolling, press Enter to scroll one line at a time,
or press Q to exit.
Depending on objects and branches used with this command, there may be other sub-keywords and
additional parameters to enter.
Press the Up arrow key to display the previous get system status command, and try some of the
control key sequences summarized below.
Previous command: Up arrow or CTRL+P
Next command: Down arrow or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Abort command and exit branch: CTRL+C
CTRL+C is context sensitive and in general, aborts the current command and moves up to the previous
command branch level. If already at the root branch level, CTRL+C will force a logout of the current
session and another login will be required.
Module 1 Lab 1: Initial Setup and Configuration
Enter the command:
execute ?
This lists all words that the CLI will accept next after the execute command.
Type:
execute
then press the Tab key 3 times.
The first time you press the Tab key, notice that the CLI adds the next word in the command. It is the
first word in the list from the previous step. Each time that you press the Tab key after that, notice that
the CLI replaces that word with the next possible word in the list, in alphabetical order, until you press
the spacebar key. This indicates that you have selected that word, and are ready to enter the next word
(if any).
Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
These two commands are closely related: config enters configuration mode, while show displays the
configuration. The difference between show and show full-configuration is that, by default, show
displays only the settings that differ from the factory-default configuration, whereas show
full-configuration displays every setting.
Enter the following CLI commands to display the FortiGate unit’s internal interface configuration settings
and compare the output for each of them:
show system interface internal
show full-configuration system interface internal
Only the characters shown in bold need to be typed, optionally followed by <tab>, to complete the
command keyword. Use this technique to reduce the number of keystrokes needed to enter commands.
CLI commands can be entered in abbreviated form as long as enough characters are entered to make
the command keyword unique.
Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to
scroll one line at a time. Press <q> to exit.
Enter the CLI command below to display the factory set IP address of the FortiGate’s internal interface.
show system interface internal
The internal interface’s IP address is 192.168.1.99. This address will be used later for HTTP
administrative access to the FortiGate device.
Connect to the GUI on the FortiGate, go to System > Dashboard > Status and, under System
Information, click Backup.
Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the encrypted
configuration file to the Desktop with the filename student-initial-enc.conf.
Caution: When backing up the FortiGate unit's configuration, be sure to use a naming convention
that you understand and which identifies both the date and the device. Every time that you log in
and make changes to your device (even if the change seems minor or insignificant), you should
ALWAYS make a backup of the configuration file. This is always the best protection against
problems.
On the FortiGate, go to System > Dashboard > Status and, under System Information, click Backup.
Click Backup and save the configuration file to the Desktop with the filename student-initial.conf.
Using WordPad, open the file student-initial.conf. In another instance of WordPad, open the file
student-initial-enc.conf and compare the contents of both.
Next, try restoring the encrypted configuration file. Browse the Desktop, navigate to the file
student-initial-enc.conf and click Restore.
This time you will need to enter the password fortinet, as this file is encrypted.
Administrative Access
In this lab, you will create and modify administrative access permissions.
Objectives
Create a new administrative user
Restrict administrative access
Time to Complete
Estimated: 10 minutes
On the Student VM, open a browser and log in to the Student FortiGate's GUI:
https://192.168.1.99
Go to System > Admin > Settings and select Enable Password Policy.
Configure these settings:
Minimum Length: 8
Must Contain: Enable
1 Upper Case Letter
1 Numerical Digit
Enable Password Expiration: Enable (90 days)
On the Student VM, open a browser and go to the Remote FortiGate's GUI:
https://192.168.1.99
Log in as the admin account.
Go to System > Admin > Administrators. Edit the admin account and enable the setting Restrict this
Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.10.10.0/24.
Click OK to save the changes.
Try connecting to the GUI of the Remote FortiGate again. What is the result this time?
Because you are connecting from the 192.168.1.110 address (because of DHCP on the
Student FortiGate) you should notice that you can't connect any more since you restricted
logins to specific source IP addresses in Trusted Hosts.
Attempt to ping 192.168.1.99. You should notice that FortiGate also doesn't respond to ping
anymore. This is also blocked by the restriction on source IP.
Open the console of the Remote FortiGate device. Enter the following CLI commands to add
192.168.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
conf sys admin
edit admin
set trusthost2 192.168.0.0/16
end
Try to ping the Remote FortiGate and access its GUI again. Access should be restored.
Go to System > Dashboard > Status. In the System Information widget, in the Current Administrator
row, click the [Details] link.
The GUI should display a list of administrators currently logged in to the FortiGate.
By default, each source IP address can attempt to log in up to 3 times. If they fail 3 times, they are
locked out for 60 seconds.
To help improve the overall password security, use the CLI to decrease the maximum number of
attempts and increase the lockout timer:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
In this lab, you will work with FortiGate's event log and monitoring.
Objectives
Enable logging of system events
Locate event logs for specific information
Tasks
In this lab, you will complete the following tasks:
Exercise 1 Using the GUI's Status Monitor
Exercise 2 Event Log & Logging Options
Time to Complete
Estimated: 35 minutes
Close the widget list window. Widgets can be removed from the page simply by clicking the X in the
upper left corner of each one.
Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom
widget.
A line chart appears in a new custom System Resource History widget showing a trace of
CPU, memory and sessions over the past hour.
The refresh rate of this window is automatically set to 1/20 of the time period (interval)
configured.
The Alert Message Console widget displays recent system events, such as system restart and
firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to
view the entire message list.
Note: If there are no alerts, you can reboot the FortiGate in order to generate one. To do so, connect
to the CLI and use the command exe reboot.
At the top of the dashboard, click Dashboard and select Add Dashboard.
Enter any name of your choice for the new dashboard and select the single column display.
The new dashboard will show up as a selectable menu option on the right-hand side.
Test the functionality of the refresh, page forward, and page back icons in this window. You may need
to generate some additional traffic in order to properly test these functions.
Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.
In Web Config, go to System > Config > Advanced and configure email service with the following details:
SMTP server: 192.168.3.1
Authentication: None
Log out of the GUI, then log in again.
Go to Log&Report > Log Config > Alert E-mail and configure email alerts with the following
details:
Email from: fgt-userX@training.lab
Email to: userX@training.lab
Alert emails can be sent based on selected event categories or simply on a log message
severity level. Only one of these options can be enabled at a time.
Still in the Alert E-mail window, enable Send alert email for the following and configure the
settings below:
Interval Time: 1 minute
Send alert email for the following Select all
Click Apply to save the settings.
Log in to the CLI once again and type the following command:
diagnose log alertmail test
Log out of the web GUI of the FortiGate, then log in again.
Open the email client application Outlook Express and confirm that the test messages have
been received.
If a severity level is used, the CLI contains additional interval hold-off timers for log levels above
the selected severity level.
To view the Alert E-mail settings that were just configured, enter the following commands in
the CLI:
show system email-server
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached,
it combines the messages and sends out one alert email.
Remote Monitoring
The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate unit’s
behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to reduce
resource usage. For example, while the GUI widgets provide useful displays of your system information, they
also carry a significant resource cost and should be used sparingly.
Objectives
Enable remote monitoring by FortiAnalyzer, syslog and SNMP servers
Tasks
In this lab, you will complete the following tasks:
Exercise 1 Enabling Logging to a FortiAnalyzer device
Exercise 2 Enabling Logging to a syslog device
Exercise 3 Enabling SNMP Monitoring
Time to Complete
Estimated: 10 minutes
From the CLI on the FortiGate, enter the following commands to set up logging to the syslog server:
config log syslogd setting
set status enable
set server 192.168.1.110
end
Check that your Windows XP VM has the IP address 192.168.1.110; if not, change the syslog server
address in the FortiGate configuration to your VM's IP address.
Additional options can be set, such as the syslog facility.
On your Windows XP VM, start the 3CDaemon application in order to start the syslog server.
To generate a few log messages, log out of the web UI by clicking the logout button in the right-hand
corner.
On your Windows XP VM, check in the 3CDaemon application whether you have received logs.
Then configure the IP address of the FortiGate, 192.168.1.99, and click Advanced to configure the read
community: training.
Then browse the MIB of the FortiGate, select an OID, set Operations to Get and click Go.
Firewall Policies
Objectives
Configure firewall policies in FortiOS
Configure source match options available in FortiOS firewall policies
Apply different firewall object types of Address, Service and Schedule
Configure firewall policy logging options
Configure NAT
Configure Source NAT settings using Overload IP Pools
Configure Destination NAT settings using Virtual IPs
Configure firewall policies based on device types
Reorder firewall policies
Use CLI commands to review your configuration and perform status checks
Time to Complete
Estimated: 40 minutes
[Lab topology diagram: Internet, AD/DNS/DHCP server at 192.168.3.1, SMTP (userX@training.lab), the .254 address and the VMX host]
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows XP VM. Modify the name of the
configuration file to identify it as being created before Module 3.
In Web Config, go to Policy & Objects > Objects > Addresses and create a new address object with the
following details:
Name Student_Internal
Type IP/Netmask
Subnet/IP Range: 192.168.1.0/24
Interface: internal
The unrestricted internal wan1 policy will need to be temporarily disabled in the policy list. To do
this, go to Policy & Objects > Policy > IPv4, right-click the unrestricted Internal wan1 policy and select
Disable.
Next click Create New to add a new firewall policy to provide general Internet access from the internal
network. Configure the following settings:
Incoming Interface internal
Source Address Student_Internal
Outgoing Interface wan1
Destination Address all
Schedule always
Service http, https, DNS, ping, SSH
Action ACCEPT
Logging options Enabled (Log all Sessions)
Firewall / Network Options
NAT Enabled
Use Outgoing Interface Address Enabled
Comments General Internet access
Leave the other fields unchanged.
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore,
a firewall policy only needs to be created for the direction of the originating traffic.
From the Windows XP VM, open a web browser and connect to various external web servers.
From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
identify the log entries for your Internet browsing traffic.
With the current settings you should have many 0 byte log messages with action start. These
are the session start logs.
When sessions close you will have a separate log entry for the amount of data sent and received
Logging session starts generates twice the amount of log messages. This option should only be
used when this level of detail is absolutely necessary.
In Web Config, go to Policy & Objects > Policy > IPv4 and right-click any of the column headings.
Select Column Settings > Count to display a packet and byte count for each rule in the policy
list. Move this column as needed for easier viewing.
Note that FortiGate is applying a new source address: that of the destination interface wan1
(192.168.3.10X).
Use the same steps you performed earlier to create a second firewall policy. Configure the following
settings:
Incoming Interface internal
Source Address Student_Internal
Outgoing Interface wan1
Destination Address Click Create and configure the following:
Category: Address
Name: ADServer
IP/Netmask: 192.168.3.1/255.255.255.255
Schedule always
Service ping
Action DENY
Log Violation Traffic Enabled
From the Windows XP VM, open a DOS command prompt and ping the ADServer as follows.
ping 192.168.3.1 -t
Because you have not changed the rule ordering, the ping should still work: it matches the
ACCEPT policy and not the DENY policy just created. This demonstrates the behavior of policy
ordering: the second policy was never checked because the traffic matched the first.
From the GUI, go to Policy & Objects > Policy > IPv4 and right-click any of the column headings. Select
Column Settings > ID. Move this column accordingly for easier viewing. By default only the sequence
number of the firewall policy is displayed in the GUI.
Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it
before the General Internet access policy.
Return to the Windows XP VM and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked.
From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic
and identify the log entries for your Ping traffic.
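The ordering behaviour seen in the ping test can be reproduced with the following Python model, added here as an illustration and not FortiOS code. The address and service objects and the two policies mirror this exercise; the Packet and Policy classes and the evaluate() function are assumptions made for the example.

```python
"""Added model of FortiGate first-match policy evaluation (not FortiOS code).
The address and service objects and the two policies mirror this exercise; the
Packet/Policy classes and evaluate() are assumptions made for the example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Firewall address objects used in the lab (constructed to match the exercise).
ADDRESSES = {
    "all": [ip_network("0.0.0.0/0")],
    "Student_Internal": [ip_network("192.168.1.0/24")],
    "ADServer": [ip_network("192.168.3.1/32")],
}

# Service objects: (protocol, destination port); None = no port (ICMP).
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "DNS": ("udp", 53),
    "ping": ("icmp", None),
    "SSH": ("tcp", 22),
}


@dataclass
class Policy:
    seq: int              # position in the policy list; 1 is evaluated first
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    services: List[str]
    action: str           # "accept" or "deny"


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def addr_matches(obj_name: str, ip: str) -> bool:
    return any(ip_address(ip) in net for net in ADDRESSES[obj_name])


def service_matches(names: List[str], proto: str, dport: Optional[int]) -> bool:
    for name in names:
        if name == "ALL":
            return True
        svc_proto, svc_port = SERVICES[name]
        if svc_proto == proto and (svc_port is None or svc_port == dport):
            return True
    return False


def evaluate(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Walk the list in sequence order; the first full match wins and no later
    policy is consulted. None means the implicit deny at the end of the list."""
    for pol in sorted(policies, key=lambda p: p.seq):
        if (pol.srcintf == pkt.srcintf and pol.dstintf == pkt.dstintf
                and addr_matches(pol.srcaddr, pkt.src)
                and addr_matches(pol.dstaddr, pkt.dst)
                and service_matches(pol.services, pkt.proto, pkt.dport)):
            return pol
    return None


def decision(policies: List[Policy], pkt: Packet) -> str:
    pol = evaluate(policies, pkt)
    return pol.action if pol else "deny (implicit)"


# The two policies as created: general access at seq 1, DENY ping to ADServer at seq 2.
GENERAL = Policy(1, "internal", "wan1", "Student_Internal", "all",
                 ["http", "https", "DNS", "ping", "SSH"], "accept")
DENY_PING = Policy(2, "internal", "wan1", "Student_Internal", "ADServer", ["ping"], "deny")

# Constructed traffic: the lab's ping from the Windows XP VM, plus an HTTP request.
PING_AD = Packet("internal", "wan1", "192.168.1.110", "192.168.3.1", "icmp")
HTTP_OUT = Packet("internal", "wan1", "192.168.1.110", "203.0.113.10", "tcp", 80)


def before_reorder() -> str:
    """DENY sits below ACCEPT: the ping matches the first policy and is allowed."""
    return decision([GENERAL, DENY_PING], PING_AD)


def after_reorder() -> str:
    """Dragging DENY above the general policy swaps their sequence numbers."""
    return decision([replace(GENERAL, seq=2), replace(DENY_PING, seq=1)], PING_AD)


if __name__ == "__main__":
    print("ping ADServer, DENY below ACCEPT:", before_reorder())
    print("ping ADServer, DENY above ACCEPT:", after_reorder())
    print("HTTP to the Internet:", decision([GENERAL, DENY_PING], HTTP_OUT))
```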
In this exercise, a virtual IP address will be configured to allow connections from internal to the Fortinet Training
web server located at 192.168.3.1.
Go to Policy & Objects > Objects > Virtual IPs and create a new virtual IP mapping with the following
details:
Name vip_to_webserver
External Interface internal
Type Static NAT
External IP Address 192.168.1.1
Mapped IP Address 192.168.3.1
Port Forwarding Disabled (default)
Click OK to save the changes.
To view the VIP settings, enter the following command in the CLI:
show firewall vip
In Web Config, create a new firewall policy to provide a guest PC access to the web server with the
following details:
Incoming Interface internal
Source Address all
Outgoing Interface wan1
Destination Address vip_to_webserver
Schedule always
Service HTTP, HTTPS
Action ACCEPT
Logging options Enabled (Log all Sessions)
Enable NAT Enabled
Use Destination Interface Address Enabled
Comments Windows VM access to WebServer
The firewall is stateful so any existing sessions will not use this new firewall policy until they time out or
are cleared. The sessions can be cleared individually from the session widget on the Status page or
from the CLI by executing the following:
diag sys session clear
Move this policy to the top of the policy list.
Open a web browser window on the Windows VM and access the following URL:
http://192.168.1.1/
If the virtual IP operation is successful, the Fortinet Training Server web page is displayed.
To view the source and destination NAT mappings, enter the following CLI command:
get system session list | grep 192.168.1.1:80
Sample Output:
FWF60C3G11002343 # get system session list | grep 192.168.1.1:80
tcp 3596 192.168.1.110:4528 192.168.3.101:33084 192.168.1.1:80 192.168.3.1:80
tcp 3596 192.168.1.110:4529 192.168.3.101:12605 192.168.1.1:80 192.168.3.1:80
tcp 3596 192.168.1.110:4527 192.168.3.101:24867 192.168.1.1:80 192.168.3.1:80
Note that the outgoing connections from the Windows XP VM are now being NATed with the VIP address
as opposed to the firewall address. This is a behavior of the source NAT (SNAT) VIP. That is, when
you enable SNAT on a policy, a VIP static NAT takes priority over the destination interface IP address.
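To pick the NAT mappings out of this output programmatically, here is an added Python parser (not FortiGate code) for the session list format shown above. It assumes the column order PROTO, EXPIRE, SOURCE, SOURCE-NAT, DESTINATION, DESTINATION-NAT and a "-" marker in the NAT columns for sessions with no translation; the sample input is constructed from the three rows above plus one non-NAT row.

```python
"""Added parser for the NAT columns of FortiOS 'get system session list' output.
Not FortiGate code. Column order follows the sample output in the lab; the '-'
marker meaning 'no NAT applied' is an assumption made for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Session:
    proto: str
    expire: int
    src: Endpoint
    src_nat: Optional[Endpoint]
    dst: Endpoint
    dst_nat: Optional[Endpoint]

    def snat_applied(self) -> bool:
        return self.src_nat is not None and self.src_nat != self.src

    def dnat_applied(self) -> bool:
        return self.dst_nat is not None and self.dst_nat != self.dst


def parse_endpoint(token: str) -> Optional[Endpoint]:
    """'192.168.1.1:80' -> ('192.168.1.1', 80); '-' -> None (no NAT applied)."""
    if token == "-":
        return None
    host, _, port = token.rpartition(":")
    return host, int(port)


def parse_session_list(text: str) -> List[Session]:
    """Skip the CLI prompt echo and the column header; parse each session row."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[1].isdigit():
            continue  # prompt line, header, blank or truncated row
        proto, expire, src, snat, dst, dnat = fields
        sessions.append(Session(proto, int(expire), parse_endpoint(src),
                                parse_endpoint(snat), parse_endpoint(dst),
                                parse_endpoint(dnat)))
    return sessions


def vip_sessions(sessions: List[Session], vip: str, mapped: str) -> List[Session]:
    """Sessions whose destination was translated from the VIP to its mapped address."""
    return [s for s in sessions
            if s.dnat_applied() and s.dst[0] == vip and s.dst_nat[0] == mapped]


# Constructed sample: the prompt echo and three rows from the lab output, plus one
# non-NAT row (SSH to the FortiGate itself) to exercise the '-' handling.
SAMPLE = """\
FWF60C3G11002343 # get system session list | grep 192.168.1.1:80
tcp 3596 192.168.1.110:4528 192.168.3.101:33084 192.168.1.1:80 192.168.3.1:80
tcp 3596 192.168.1.110:4529 192.168.3.101:12605 192.168.1.1:80 192.168.3.1:80
tcp 3596 192.168.1.110:4527 192.168.3.101:24867 192.168.1.1:80 192.168.3.1:80
tcp 3599 192.168.1.110:4600 - 192.168.1.99:22 -
"""


def summarize(text: str = SAMPLE) -> dict:
    sessions = parse_session_list(text)
    via_vip = vip_sessions(sessions, "192.168.1.1", "192.168.3.1")
    return {
        "total": len(sessions),
        "via_vip": len(via_vip),
        # Source addresses the web server actually sees for the VIP sessions.
        "snat_sources": sorted({s.src_nat[0] for s in via_vip}),
        "no_nat": [s.dst for s in sessions
                   if not s.snat_applied() and not s.dnat_applied()],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```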
User Authentication
In this lab, you will learn how to authenticate users with FortiGate.
Objectives
Create an authentication policy
Manage user authentication
Track user login events
Monitor active users
Enable the captive portal
Exempt some users from the captive portal
Time to Complete
Estimated: 20 minutes
Note: Student_False has the IP 192.168.250.250/32, so it does not match the IP of the Win-Student VM.
On the Student FortiGate's GUI, go to User & Device > Monitor > Firewall. De-authenticate your user
session.
Open a web browser and connect to a new web site.
FortiGate should not prompt you to login, but show a disclaimer instead.
Look at the firewall policies in the CLI. You should find that the second policy with the captive
portal is suppressed.
config firewall policy
show
end
This means that even though internal has captive portal enabled for all traffic that is behind it,
any traffic that matches the second firewall policy will not receive the captive portal to
authenticate.
Unset the captive portal on the interface.
SSL VPN
In this lab, you will manage user groups and portals for the SSL VPN.
Objectives
Configure and connect to an SSL VPN
Enable authentication security
Configure firewall policies for access to private network resources
Time to Complete
Estimated: 30 minutes
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows XP VM. Modify the name of the
configuration file to identify it as being created before Module 5.
In the Web Config go to System > Config >Features and click on Show More. Select: Multiple Security
Profiles, SSL-VPN Realms and SSL-VPN Personal Bookmark Management.
Click Apply.
Authentication must be configured for an internal user to access the SSL VPN gateway. Go to User &
Device > User > User Definition and create a new entry with the following details:
Local User Enable Next
Username SSL_User
Password ssl_pw
Next
Next
Enable Create
Go to User & Device > User > User Group and create a new user group with the following details:
Name: SSLVPN
Type: Firewall
Members: SSL_User
Go to VPN > SSL > Settings and set the following settings:
Listen on Interface(s) internal
Login on Port 8443
Restrict Access Allow access from any host
IP Ranges SSLVPN_TUNNEL_ADDR1
Authentication/Portal Mapping
All Other Users/Groups web-access
Click Apply.
Return to the VPN SSL web page and click to log out of the SSL VPN connection.
In this exercise, an SSL VPN Tunnel Mode connection with split tunneling will be configured on the
FortiGate device.
With split tunneling enabled, traffic for networks behind the FortiGate unit is passed through the VPN
while other traffic follows its normal route.
In Web Config, go to Policy & Objects > Objects > Addresses and create a new entry:
Name: Web_server
Type: IP/Netmask
Subnet / IP Range: 192.168.3.1
In Web Config, go to VPN > SSL > Portals and select the full-access portal.
Configure it as follows:
Go to VPN > SSL > Settings and Edit the Authentication/Portal Mapping and change the SSL-VPN
Portal to full-access:
Click OK and Apply.
To view the routing table of the device before Tunnel Mode is initiated, enter the following command in the
DOS Command Prompt on the Windows XP VM:
C:\>route print
Sample output is:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.110 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.110 192.168.1.110 10
192.168.1.110 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.110 192.168.1.110 10
192.168.251.0 255.255.255.0 192.168.251.11 192.168.251.11 10
192.168.251.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.251.255 255.255.255.255 192.168.251.11 192.168.251.11 10
224.0.0.0 240.0.0.0 192.168.1.110 192.168.1.110 10
224.0.0.0 240.0.0.0 192.168.251.11 192.168.251.11 10
255.255.255.255 255.255.255.255 192.168.1.110 192.168.1.110 1
255.255.255.255 255.255.255.255 192.168.251.11 192.168.251.11 1
Default Gateway: 192.168.1.99
===========================================================================
Persistent Routes:
None
In the web browser, connect to the portal at the following address:
https://192.168.1.99:8443
When prompted, log in as SSL_User with the password of ssl_pw.
The first time Tunnel Mode is used on the device, a plug-in will need to be installed. Click the link
presented in the message to download and install the plug-in.
IPSec VPN
Objectives
In this lab, IPSec VPNs will be configured to neighboring students.
First, each student will configure a route-based VPN to one of their neighbors and a policy-based VPN to the
other neighbor.
Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Route-based and Policy based IPSec VPN Configuration
Timing
Estimated time to complete this lab: 30 minutes
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows VM. Modify the name of the
configuration file to identify it as being created before Module 6.
Go to System > Config > Features, click on the Show More button, and enable Policy-based IPSec
VPN.
Edit the internal interface, change the IP address to 192.168.X0.254 and change the range of the
DHCP Server to 192.168.X0.10 to 192.168.X0.110, then click OK.
Execute an ipconfig /release and an ipconfig /renew in a DOS prompt window.
Connect to the FortiGate with the new IP address: https://192.168.X0.254
Verify that you can ping your two direct neighbors from the FortiGate with the following CLI commands:
exec ping 192.168.3.10(X-1)
exec ping 192.168.3.10(X+1)
Route-based IPsec VPN configuration
Go to VPN > IPsec > Tunnels and create a new Phase 1 named VPN-User(X-1) and choose Custom
VPN Tunnel (No Template). Configure it as follows:
Name : VPN-User(X-1)
Enable IPsec Interface Mode Enabled
Under Network
Remote Gateway Static IP Address
IP Address 192.168.3.10(X-1)
Interface wan1
Under Authentication
Method Pre-shared Key
Pre-shared Key Fortinet
Version 1
Mode Main
Under Phase 1 Proposal
Encryption AES256
Authentication SHA1
Diffie-Hellman Group 5
Under Phase 2 Selectors
Name : VPN-User(X-1)-P2
Enable IPsec Interface Mode Enabled
Policy 2:
Incoming Interface VPN-User(X-1)
Source Address Net-User(X-1)
Outgoing Interface internal
Destination Address all
Schedule always
Service ALL
Action ACCEPT
Logging options Enabled (Log all Sessions)
Enable NAT Disabled
Antivirus
Objectives
In this exercise, global antivirus settings will be explored including:
• Accessing the FortiGuard Distribution Network
• Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services
• Setting up file quarantine
• Enabling antivirus scanning for web proxy server
• Customizing antivirus replacement messages
Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Enabling FortiGuard Subscription Services and Updates
• Exercise 2 Configuring Global Antivirus Settings
• Exercise 3 Testing Virus Scanning for HTTP
• Exercise 4 Inspecting HTTPS Traffic
Timing
Estimated time to complete this lab: 30 minutes
Go to Policy & Objects > Policy > IPv4 and edit the internal wan1 policy to enable UTM using
the Standard antivirus profile.
Replacement messages are substituted for the infected file when the FortiGate antivirus engine
detects a virus.
Go to System > Config > Replacement Message. Click on Extended view, Go to Security and
edit the text of the default Virus Block Page.
The same Replacement Messages can be displayed using the following commands in the CLI:
show full system replacemsg utm virus-html
Note: Some replacement messages are stored in raw HTML code. Make sure that the correct
syntax is used and preserve the existing HTML tags. An external HTML editor can be used to
create the replacement message and then copy and paste the resulting HTML code into the
FortiGate replacement message text window.
The Eicar file is an industry-standard used to test antivirus detection. The file contains the
following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The HTTP virus message is shown when infected files are blocked or have been quarantined.
In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view
information about the detected virus.
In Web Config, go to Log&Report > Traffic Log > Forward Traffic and locate the antivirus event
messages.
In Web Config, go to Log&Report > Security Log > Antivirus and locate the antivirus event messages.
Go to Security Profiles > Monitor > AV Monitor to view details of the log event.
Note: There may be policies in place from previous exercises that could allow the files to be
downloaded. If the above steps do not work, go to the firewall policies and ensure that all other
policies other than the default are disabled.
Note: If there is no UTM Monitor folder, go to System > Admin > Settings and verify that UTM
Monitor is selected in Display Options on GUI.
To ensure that there are no existing sessions prior to deep scanning the communication exchange,
connect to the CLI of the FortiGate unit and enter the command:
diag sys session clear
Return to the Eicar web page and attempt to download the eicar.com file from the Download area using
the SSL-enabled (https) section.
Note: You may be prompted to accept a security warning to accept the digital certificate from
the Eicar web site.
This time, the download will be blocked by the FortiGate unit and the replacement message
will be displayed.
In Web Config, edit the internal wan1 policy to disable UTM.
Objectives
Time to Complete
Estimated: 15 minutes
Click OK.
2. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:
3. While browsing different web sites, type the following CLI command to check the list of active web
proxy users:
Tip: In the case of explicit web proxy, for each connection to a web site, two sessions are
created with the FortiGate: one from the client to the proxy, and another one from the
proxy to the server.
6. Disable explicit proxy on the interface internal, delete the explicit proxy policy, disable the
explicit proxy in System > Network > Explicit Proxy and disable the proxy in Mozilla Firefox.
Web Filtering
Objectives
In this lab, web filtering will be configured to block specific categories of web content. The interaction of
local categories and overrides will also be demonstrated.
Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Testing Web Category Filtering
• Exercise 2 Configuring Web Filtering Authentication
• Exercise 3 Configuring Web Filtering Quotas
Timing
Estimated time to complete this lab: 40 minutes
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane
create a backup of the device configuration to a location on the Windows XP VM. Modify the
name of the configuration file to identify it as being created before Module 9.
In Web Config, go to Security Profiles > Web Filter > Profile and create a new web filter profile
called Category_Test. (Click Create New in the upper right-hand corner of the Edit Web
Filter Profile window.)
In the Edit Web Filter Profile window, set the Inspection Mode to Proxy and enable the following
FortiGuard web categories with an action of Block.
Local Categories
Potentially Liable
Adult/Mature Content
Bandwidth Consuming
Security Risk
General Interest - Personal
General Interest - Business
Unrated
Click OK
In the CLI, enter the following commands to enable Extended UTM logs in order to have more
details on the logs for Web Filtering:
config webfilter profile
edit Category_Test
set log-all-url enable
end
config system global
set gui-webfilter enable
end
Go to Policy & Object > Policy > IPv4 and edit the internal wan1 policy to enable UTM. Enable
web filtering using the Category_Test profile.
In a web browser connect to a web site. A Web Page Blocked window should be displayed.
In Web Config, go to System > Config > Replacement Message. Select the Extended View and
Expand FortiGuard Web Filtering and edit the FortiGuard Block Page to customize the text of
the message.
Revisit the web site and ensure that the customized FortiGuard Block Page message is
displayed.
Web filtering can be configured to prompt the user for authentication before accessing a web resource. A
warning page is displayed where the user must enter their credentials before proceeding to the web
page.
In Web Config, go to User & Device > User > User Definition. Create a new user called
Override_User with a password of fortinet.
Go to User & Device > User > User Group and create a new user group with the following
details:
Name web-override
Type Firewall
Members Select Override_User created in step 1
Go to Security Profiles > Web Filter > Profile and edit the Category_Test profile.
Select all the categories and use Change Action for Selected Categories to set the action to
Authenticate.
Select the web-override user group from Available User Groups and move it to Selected User
Groups.
In the web browser, attempt to connect to a blocked category web site. A Web Page Blocked
message is displayed again, this time with a Proceed button.
Enter the user name of Override_User and the password of fortinet and click Continue.
The blocked web page should be displayed.
Note: The Web Filter Block Override web page may not function properly when flow-based
web filtering is used instead of proxy-based filtering.
In Web Config, go to Log&Report > Traffic Log > Forward Traffic and locate the log messages
related to the web filtering activity.
In Web Config, go to Log&Report > Security Log > Web Filter and locate the log messages
related to the web filtering activity.
In addition to using category and classification blocks and overrides, an access quota can be assigned
by category, category group, or classification.
Quotas allow access to web resources for a specified length of time. The quotas are calculated
separately for each user based on the authentication credentials provided and are reset every day at
midnight.
In Web Config, go to Security Profiles > Web Filter > Profile.
Edit the Category_Test profile. Expand Quota on Categories and click Create New to create
new quotas. Select the categories to be assigned quotas and set the quota time value to 5
minutes.
In the web browser, attempt to visit a blocked category web site again. Click the Proceed link
on the Web Page Blocked page. Authenticate on the Web Filter Block Override page using the
Override_User credentials.
Note: The Web Category Override web page may not function properly when flow-based
web filtering is used instead of proxy-based filtering.
Once authenticated properly, the quota timer is initiated. Go to Security Profiles > Monitor >
FortiGuard Quota to display the current quota timer value.
When the daily quota value is reached, the FortiGuard replacement message is displayed
again.
In Web Config, go to Log&Report > Security Log > Web Filter and locate the log messages
related to the web filtering activity.
In Web Config, edit the Category_Test profile, expand Quota on Categories and delete the
quotas on the selected categories.
Still in this web filter profile, set the Inspection Mode to Flow-based. A notification is displayed as follows:
Test the behavior of flow-based inspection by connecting to a web site that is usually
blocked. Check the log entry for this request.
Edit the internal wan1 policy to disable UTM.
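The exercise above combines three behaviours that are easy to confuse when watching only the browser: the category action (Block, Monitor or Authenticate), the authentication override that only members of the selected user group may use, and the per-user category quota that resets at midnight. The following model, added here as an example and not taken from the student guide or from FortiOS, replays the lab steps so the decision at each step can be traced. The profile, users, categories and timestamps are constructed; a real FortiGate accounts quota time with its own timer, which record_usage() stands in for.

```python
"""Model of the web filter decisions this lab exercises: a category action
of block, monitor or authenticate; the authentication override, which only
members of the selected firewall user group can use; and per-user category
quotas that reset at midnight.

Added example, not from the student guide and not FortiOS code. The
profile, users, categories and timestamps below are constructed; real
FortiGate quota accounting is driven by the unit's own timer, which
record_usage() stands in for here.
"""
from datetime import datetime

BLOCK, MONITOR, AUTHENTICATE = "block", "monitor", "authenticate"


class WebFilterProfile:
    def __init__(self, category_actions, users, groups, auth_groups, quotas):
        self.category_actions = category_actions  # category -> action
        self.users = users                        # user name -> password
        self.groups = groups                      # group name -> set of user names
        self.auth_groups = auth_groups            # groups allowed to override (Selected User Groups)
        self.quotas = quotas                      # category -> seconds allowed per day
        self._used = {}                           # (user, category) -> (date, seconds used)

    def used_today(self, user, category, now):
        day, seconds = self._used.get((user, category), (None, 0))
        # Quotas are kept per user and per category and reset at midnight:
        # usage recorded on another day does not count.
        return seconds if day == now.date() else 0

    def _override_user(self, credentials):
        """Return the user name if the credentials are valid AND the user is a
        member of one of the override groups, otherwise None."""
        if credentials is None:
            return None
        user, password = credentials
        if self.users.get(user) != password:
            return None
        if any(user in self.groups.get(g, set()) for g in self.auth_groups):
            return user
        return None

    def decide(self, category, now, credentials=None):
        action = self.category_actions.get(category, MONITOR)
        if action == BLOCK:
            return "blocked"              # plain FortiGuard block page
        if action == AUTHENTICATE:
            user = self._override_user(credentials)
            if user is None:
                return "authenticate"     # block page with the Proceed button
            limit = self.quotas.get(category)
            if limit is not None and self.used_today(user, category, now) >= limit:
                return "quota-exhausted"  # block page is shown again
            return "passthrough"
        return "allowed"                  # monitor: allowed and logged

    def record_usage(self, user, category, now, seconds):
        """Account browsing time against the user's daily quota for the category."""
        total = self.used_today(user, category, now) + seconds
        self._used[(user, category)] = (now.date(), total)
        return total


def lab_scenario():
    """Replay the lab: categories set to Authenticate with the web-override
    group, a 5 minute quota on Potentially Liable, then the next day."""
    profile = WebFilterProfile(
        category_actions={"Potentially Liable": AUTHENTICATE,
                          "Adult/Mature Content": AUTHENTICATE,
                          "Unrated": BLOCK},
        users={"Override_User": "fortinet", "student": "fortinet"},
        groups={"web-override": {"Override_User"}},
        auth_groups=["web-override"],
        quotas={"Potentially Liable": 5 * 60},
    )
    t = datetime(2016, 3, 1, 10, 0)
    good, other = ("Override_User", "fortinet"), ("student", "fortinet")
    steps = [
        profile.decide("Unrated", t),                    # blocked
        profile.decide("Potentially Liable", t),         # authenticate (no credentials yet)
        profile.decide("Potentially Liable", t, other),  # authenticate (valid user, not in web-override)
        profile.decide("Potentially Liable", t, good),   # passthrough
    ]
    profile.record_usage("Override_User", "Potentially Liable", t, 5 * 60)
    steps += [
        profile.decide("Potentially Liable", t, good),           # quota-exhausted
        profile.decide("Adult/Mature Content", t, good),         # passthrough: no quota on this category
        profile.decide("Potentially Liable", datetime(2016, 3, 2, 0, 1), good),  # passthrough: midnight reset
    ]
    return steps


if __name__ == "__main__":
    for step in lab_scenario():
        print(step)
```

Two points the model makes visible: a valid firewall user who is not in the selected group is still shown the authentication page, and a quota exhausted on one category does not affect a second category that has no quota.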
Application Control
Objectives
In this lab, access to specific applications will be blocked using
the application control on the FortiGate unit.
Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Creating an Application Control List
• Exercise 2 Testing Application Control
Timing
Estimated time to complete this lab: 15 minutes
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane
create a backup of the device configuration. Modify the name of the configuration file to identify
it as being created before Module 10.
In Web Config, go to Security Profiles > Application Control > Application Sensor and create a
new application control sensor called App_Control_Lab. (Click Create New in the upper
right-hand corner of Web Config.)
In Application Overrides, click Add Signatures, type youtube in the search window, select all
the signatures and click Use Selected Signatures:
Then change the action for these signatures to Traffic Shaping, select the Shared-1M-pipe
shaper and click Apply.
Go to Policy & Object > Policy > IPv4 and edit the internal wan1 firewall policy to enable
UTM. Enable application control using the App_Control_Lab sensor.
On the Windows XP VM, launch a web browser and access the following web site:
http://www.youtube.com
On the YouTube web site, attempt to play a random video.
In Web Config, go to Log&Report > Traffic Log > Forward Traffic, locate the log entry for the
application control action and verify that the traffic shaper is applied:
In Web Config, go to Security Profiles > Application Control > Application Sensor and edit the
App_Control_Lab sensor. Set the action for the YouTube application filter to Block.
In the web browser, access the following web site and attempt to play a video once again:
http://www.youtube.com
View the details of the log entry for this action in Log&Report > Traffic Log > Forward
Traffic:
View the details of the Application monitor in Security Profiles > Monitor:
In Web Config, go to Security Profiles > Application Control > Application Sensor and create a
new Application Control Sensor called App_Control_Lab2. (Click Create New in the upper
right-hand corner of Web Config.)
Create a filter in the App_Control_Lab2 sensor with the following details:
Sensor Type: Filter based
Category: Proxy
Action: Block
Go to Policy & Object > Policy > IPv4 and edit the internal wan1 firewall policy to use the
App_Control_Lab2 sensor.
Return to the web browser and attempt to access the following web site (a web proxy used by
some users to bypass URL filtering systems):
http://proxite.us
On the proxy web site, enter the URL of a site to visit for example www.psg.fr and click Go.
In Log&Report > Traffic Log > Forward Traffic, locate the log entries for the blocked proxy
actions:
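Several steps in these two labs ask you to locate the relevant entries in the Forward Traffic and Web Filter logs and to verify what happened (the category block, the authenticated override, the quota block, the shaper applied to YouTube, the blocked proxy application). FortiOS writes each log entry as one line of key=value pairs, so the same small parser serves all of those checks. The script below is an added example, not part of the student guide and not Fortinet code. Its SAMPLE_LOGS lines are constructed for illustration: the field names (type, subtype, eventtype, action, catdesc, user, app, appcat, utmaction, shapersentname) follow the FortiOS key=value format, but the timestamps, addresses, log IDs, messages and the proxy application name are made up.

```python
"""Triage FortiGate key=value log lines from this lab's web filter and
application control exercises.

Added example, not part of the student guide and not Fortinet code. The
SAMPLE_LOGS lines are constructed: field names follow the FortiOS log
format, but timestamps, addresses, log IDs, messages and the proxy
application name are made up.
"""
import re
from collections import Counter

# One key=value pair: the value is either double-quoted (spaces and \" allowed)
# or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = r"""
date=2016-03-01 time=10:12:01 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=1 srcip=10.0.1.10 dstip=203.0.113.20 hostname="example.org" url="/" action=blocked catdesc="Potentially Liable" msg="URL belongs to a denied category in policy"
date=2016-03-01 time=10:13:44 logid=0316013057 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=1 user="Override_User" group="web-override" srcip=10.0.1.10 dstip=203.0.113.20 hostname="example.org" url="/" action=passthrough catdesc="Potentially Liable" msg="URL belongs to a category with override"
date=2016-03-01 time=10:19:20 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=1 user="Override_User" srcip=10.0.1.10 dstip=203.0.113.20 hostname="example.org" url="/" action=blocked catdesc="Potentially Liable" msg="Daily quota exhausted"
date=2016-03-01 time=11:02:09 logid=0000000013 type=traffic subtype=forward level=notice vd="root" policyid=1 srcip=10.0.1.10 dstip=203.0.113.50 service="HTTP" app="YouTube" appcat="Video/Audio" utmaction=allow shapersentname="Shared-1M-pipe" sentbyte=4210 rcvdbyte=90113
date=2016-03-01 time=11:07:31 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=warning vd="root" policyid=1 srcip=10.0.1.10 dstip=203.0.113.50 service="HTTP" app="YouTube" appcat="Video/Audio" action=block
date=2016-03-01 time=11:15:05 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=warning vd="root" policyid=1 srcip=10.0.1.10 dstip=203.0.113.70 service="HTTP" app="Proxy.Example" appcat="Proxy" action=block
"""


def parse_log_line(line):
    """Split one FortiOS log line into a dict; quotes around values are removed."""
    record = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def parse_logs(text):
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def webfilter_actions(records):
    """Count web filter events by (action, category): the initial block, the
    authenticated override (passthrough) and the quota block are distinct."""
    return Counter((r["action"], r.get("catdesc", ""))
                   for r in records
                   if r.get("type") == "utm" and r.get("subtype") == "webfilter")


def override_users(records):
    """Users who got through the authentication override."""
    return sorted({r["user"] for r in records
                   if r.get("subtype") == "webfilter"
                   and r.get("action") == "passthrough" and "user" in r})


def shaped_apps(records, shaper):
    """Applications whose forward-traffic sessions carried the named shaper
    (FortiOS records it in shapersentname / shaperrcvdname)."""
    return sorted({r.get("app", "") for r in records
                   if r.get("type") == "traffic"
                   and shaper in (r.get("shapersentname"), r.get("shaperrcvdname"))})


def blocked_apps(records):
    """Application control blocks grouped by application category."""
    grouped = {}
    for r in records:
        if r.get("subtype") == "app-ctrl" and r.get("action") == "block":
            grouped.setdefault(r.get("appcat", ""), set()).add(r.get("app", ""))
    return {cat: sorted(apps) for cat, apps in grouped.items()}


def triage(text):
    """Run every check over a block of log text and return the findings."""
    records = parse_logs(text)
    return {
        "records": len(records),
        "webfilter": webfilter_actions(records),
        "override_users": override_users(records),
        "shaped_by_Shared-1M-pipe": shaped_apps(records, "Shared-1M-pipe"),
        "blocked_apps": blocked_apps(records),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOGS).items():
        print(f"{name}: {value}")
```

To use it on the lab unit, export the Forward Traffic and Web Filter logs (or capture them on the FortiAnalyzer) and feed the text to triage() instead of SAMPLE_LOGS. The shaper check looks at traffic log entries, not UTM entries, because that is where FortiOS reports the shaper name; the override check requires both action=passthrough and a user field, so a block that merely carries a user name (the quota block in the third sample line) is not counted as a successful override.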
View the details of the Application monitor in Security Profiles > Monitor:
Go to Policy & Object > Policy > IPv4 and edit the internal wan1 firewall policy to disable UTM.
In the CLI, enter the following command to reset the configuration to the factory default. This
erases the running configuration and reboots the unit; the backups taken at the start of each
module are the only way to recover the lab configuration:
execute factoryreset