
Module 1 Lab 1: Initial Setup and Configuration

FortiGate Multi-Threat Security Systems I


Administration, Content Inspection and SSL VPN

Student Lab Guide


Course 201 (5.0.4) v1.05

FortiGate I
Student Guide
for FortiGate 5.2.8

FortiGate I Student Guide 1


Table of Contents
.............................................................................................................................. 4
Lab 1: Initial Setup and Configuration .................................................................................. 4
Exercise 1 Accessing the Command Line Interface (CLI) ....................................................................... 5
Exercise 2 Accessing FortiGate Web Config ........................................................................................... 7
Exercise 3 Configuring Network Connectivity .......................................................................................... 8
Exercise 4 Exploring the CLI.................................................................................................................... 9
Exercise 5 Configuring Global System Settings .................................................................................... 10
Exercise 6 Performing Configuration Backup ........................................................................................ 11
Lab 2: Administrative Access ............................................................................................. 12
Exercise 1 Administrators, Passwords, and Permissions ...................................................................... 13
Exercise 2 Restricting Administrator Access ......................................................................................... 14
............................................................................................................................ 16
Lab 1: Status Monitor and Event Log ................................................................................. 16
Exercise 1 Using the GUI's Status Monitor ............................................................................................ 17
Exercise 2 Event Log & Logging Options .............................................................................................. 20
Exercise 3 Configuring Email Alerts ...................................................................................................... 21
Lab 2: Remote Monitoring ................................................................................................... 22
Exercise 1 Enabling Logging to a FortiAnalyzer device ........................................................................ 23
Exercise 2 Enabling Logging to a Syslog (optional) .............................................................................. 24
Exercise 3 SNMP Monitoring ................................................................................................................. 25
............................................................................................................................ 27
Lab 1: Firewall Policies ........................................................................................................ 27
Exercise 1 Creating Firewall Policy Objects .......................................................................................... 28
Exercise 2 Policy Actions ....................................................................................................................... 30
Exercise 3 Access through Virtual IPs ................................................................................................... 32
Exercise 4 Dynamic NAT with IP Pools ................................................................................................. 34
Exercise 5 Device Identification ............................................................................................................. 35
............................................................................................................................ 36
Lab 1: User Authentication .................................................................................................. 36
Exercise 1 Authentication via a Firewall Policy...................................................................................... 37
Exercise 2 Captive Portals ..................................................................................................................... 38
............................................................................................................................ 39
Lab 1: SSL VPN .................................................................................................................... 39
Exercise 1 Configuring SSL VPN for Web Access ................................................................................ 40
Exercise 2 Configuring SSL VPN Tunnel Mode with Split Tunneling .................................................... 44
............................................................................................................................ 46
Lab 1: IPSec VPN ................................................................................................................. 47
Exercise 1 Route-based and Policy-based IPSec VPN Configuration .................................................. 48
............................................................................................................................ 52
Lab 1: Antivirus .................................................................................................................... 52
Exercise 1 Enabling FortiGuard Subscription Services and Updates.................................................... 53
Exercise 2 Configuring Global Antivirus Settings .................................................................................. 55
Exercise 3 Testing Virus Scanning for HTTP ........................................................................................ 56
Exercise 4 Inspecting HTTPS Traffic ..................................................................................................... 58

............................................................................................................................ 59
Lab 1: Explicit Web Proxy.................................................................................................... 59
Exercise 1 Configuring the Explicit Web Proxy...................................................................................... 60
............................................................................................................................ 63
Lab 1: Web Filtering ............................................................................................................. 63
Exercise 1 Testing Web Category Filtering ........................................................................................... 64
Exercise 2 Configuring Web Filtering Authentication ............................................................................ 66
Exercise 3 Configuring Web Filtering Quotas ........................................................................................ 68
.......................................................................................................................... 70
Lab 1: Application Control................................................................................................... 70
Exercise 1 Creating an Application Control List ..................................................................................... 71
Exercise 2 Testing Application Control .................................................................................................. 72
Exercise 3 Creating an Application Control Filter .................................................................................. 74

Lab topology diagram (not reproduced): Internet; AD/DNS/DHCP server (.1; SMTP mailbox userX@training.lab); FortiAnalyzer (.249; login student/fortinet); a .254 address on the same network; each student FortiGate has wan1 at .101, .102, ... .120 (wan2 unused), a console connection, and an internal interface facing the student VM (VM1 .11, VM2 .12, ... VM20 .20).


Initial Setup and Configuration


This lab provides an initial orientation to FortiGate's administrative GUI and CLI and, if necessary, guides
you through basic setup. It also shows how to properly back up and restore a configuration file.

Objectives
• Configure FortiGate network interfaces and a default route for administrative access via your lab
network, such as with a web browser, Telnet or SSH client
• Distinguish between encrypted vs. non-encrypted configuration backups
• Back up and restore configuration files
• Find the FortiGate model and FortiOS firmware build information inside a configuration file

Tasks
In this lab, the following tasks will be completed:
• Exercise 1: Accessing the Command Line Interface (CLI)
• Exercise 2: Accessing FortiGate Web Config
• Exercise 3: Configuring Network Connectivity
• Exercise 4: Exploring the CLI
• Exercise 5: Configuring Global System Settings
• Exercise 6: Performing Configuration Backup

Time to complete
Estimated: 45 minutes

Accessing the Command Line Interface (CLI)
From your PC, open an RDP connection to your Windows XP VM at 192.168.251.X (where X is your user
number) with the following credentials:
User: userX
Password: fortinetX
Domain: TRAININGAD
Start a PuTTY session by double-clicking the shortcut Console FortigateX (where X is your user
number).
At the FortiGate CLI login prompt, log in with username of admin (all lowercase). The default password
on the device is blank.
Reset the FortiGate device to factory defaults by typing the following command:
exec factoryreset
When asked to continue, type Y, press <enter>, and wait for the reset to complete.
Log in to the CLI once again and type the following command to display status information about the
FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional
settings.
Confirm that the firmware build on the FortiGate unit is v5.2.8 build0727, the required version for this
course.
Type the following command to see a full list of accepted objects for the get command:
get ?
Note: The ? character is not displayed on the screen.

This shows all words that the CLI will accept next after the get command. When the --More-- prompt
appears in the CLI, either press the spacebar key to continue scrolling, press the Enter key to scroll
one line at a time, or press the Q key to exit.
Depending on objects and branches used with this command, there may be other sub-keywords and
additional parameters to enter.
Press the Up arrow key to display the previous get system status command and try some of the control
key sequences that are summarized below.
Previous command: Up arrow or CTRL+P
Next command: Down arrow or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Abort command and exit branch: CTRL+C
CTRL+C is context sensitive and in general, aborts the current command and moves up to the previous
command branch level. If already at the root branch level, CTRL+C will force a logout of the current
session and another login will be required.
Enter the command:
execute ?
This lists all words that the CLI will accept next after the execute command.
Type:
execute
then press the Tab key 3 times.
The first time you press the Tab key, notice that the CLI adds the next word in the command. It is the
first word in the list from the previous step. Each time that you press the Tab key after that, notice that
the CLI replaces that word with the next possible word in the list, in alphabetical order, until you press
the spacebar key. This indicates that you have selected that word, and are ready to enter the next word
(if any).
Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
These two commands are closely related.
config enters configuration mode, while show displays the configuration. The only difference lies
between show and show full-configuration: by default, show displays only the settings that differ
from the factory-default configuration, whereas show full-configuration displays every setting.
Enter the following CLI commands to display the FortiGate unit’s internal interface configuration settings
and compare the output for each of them:
show system interface internal
show full-configuration system interface internal
Only the leading characters of each keyword (shown in bold in the printed guide) need to be typed,
optionally followed by <tab>, to complete the command keyword. Use this technique to reduce the number
of keystrokes needed. CLI commands can be entered in abbreviated form as long as enough characters are
entered to make the command keyword unique.
Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to
scroll one line at a time. Press <q> to exit.
Enter the CLI command below to display the factory set IP address of the FortiGate’s internal interface.
show system interface internal
The internal interface’s IP address is 192.168.1.99. This address will be used later for HTTP
administrative access to the FortiGate device.

Accessing FortiGate Web Config
To access Web Config using a standard web browser (Mozilla Firefox), ensure that cookies and JavaScript are
enabled so that the graphical user interface renders and displays correctly.
Ensure that the IP addressing mode on the PC is set to DHCP (Obtain an IP address automatically).
The FortiGate device will assign the PC an address in the range of 192.168.1.110 to
192.168.1.210.
Verify the PC settings using the ipconfig command from the Windows command prompt. The default
gateway corresponds to the IP address of the internal interface on the FortiGate unit (192.168.1.99).
Open a web browser and type the following address to access the FortiGate Web Config interface.
https://192.168.1.99
Accept the self-signed certificate or security exemption if a security alert appears.
HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available
protocols include SSH, ping, SNMP, HTTP, and Telnet.
At the login screen, enter the username of admin and leave the password blank. Click Login.
The Dashboard is displayed after a successful login. Before continuing with the rest of the initial
configuration, explore the Dashboard page and find the following information:
Current Firmware Version _______________________________
Date and Time _______________________________
Serial Number _______________________________
Operation Mode _______________________________
Other system details found on the Dashboard include the current CPU, memory and disk (if present)
usage, alert messages, number of administrative users, features enabled and FortiGuard Services
status.
To avoid Web Config timeouts during the lab exercises, increase the idle timeout. Go to System >
Admin > Settings. Increase the Idle Timeout to 60 minutes.
Leave all other settings unchanged.
Click Apply to save the changes.
Before proceeding to the next exercise, ensure that the FortiGate unit is running the correct version of
FortiOS firmware (FortiOS version 5.2.8).
Note: If you are not running the correct version, click Update next to Firmware Version on the Dashboard
and browse to the firmware file, which is available from the Fortinet Support site with a valid service
contract or on the server http://192.168.3.1/files/Firmware.

Configuring Network Connectivity
The FortiGate unit’s wan1 interface settings must be configured using DHCP.

Configure the wan1 Interface Using DHCP


In the Web Config, go to System > Network > Interface. Select the wan1 interface and click Edit.
On the page, configure the following settings:
Addressing mode: DHCP
Distance: 5
Retrieve default gateway from server: enabled
Administrative access: HTTPS, HTTP, PING
Click OK.
In a Windows command prompt window, use the nslookup command to look up the IP address of a web site. For
example:
nslookup www.fortigate.com
Ping the IP address returned by that command using the following command in the CLI:
exec ping <IP_address_of_web_site>
To secure the wan2 interface from accidental usage, remove the IP address and administratively
disable this port.
In Web Config, go to System > Network > Interface, edit the wan2 interface, set the IP address to
0.0.0.0/0.0.0.0, disable all the management services, set the administrative status to down and
click OK.
Note that the interface list will now display wan2 with an IP/Netmask of 0.0.0.0/0.0.0.0 and a
disabled status icon. A display refresh may be needed to see the new status information.
Perform an ipconfig /renew on the Windows XP VM.
The FortiGate unit runs a DHCP server configured for the internal interface. To view the configuration
of the built-in DHCP server, go to System > Network > Interface. Select the internal interface and click
Edit, or double-click the entry, to view the settings for the pre-defined DHCP server in the
DHCP Server section.
Note: The DHCP leases are preserved even when the FortiGate unit is re-booted. To clear all DHCP
leases, disable and then re-enable the specific DHCP server.
Click Cancel to exit.
To view the DHCP address leases, go to System > Monitor > DHCP Monitor and locate the entry for
the PC in the displayed list.
As the Windows XP VM is connected to the trusted internal subnet, a list of all the DHCP address
leases that have been assigned will be displayed.

Exploring the CLI
To view the configuration of the FortiGate interfaces through the CLI, type the following command:
show system interface
To see verbose settings, type the following command:
show full-configuration
To view additional parameters for all interfaces, type the following command:
get system interface
Compare the get command output with the output from the show command. The information from
each is similar: get displays all settings and values, while show gives the syntax for the configuration.
The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain
level or context. To demonstrate the hierarchy, modify the wan1 interface to add additional
administrative access to assist with troubleshooting during initial deployment.
To add SSH access on the wan1 interface, type the following CLI commands:
config system interface
edit wan1
set allowaccess https ping ssh
end
Note: The set command is not additive. The existing parameters must be re-entered along with
the new parameter being added.
Verify the changes by typing the following command:
show system interface wan1
Display the configuration of the DHCP server that provides IP addresses to the
PCs connected to the internal interface with the following commands:
show system dhcp server
show full-configuration system dhcp server
get system dhcp server
To inspect the DHCP leases in the CLI for the addresses distributed by the internal interface DHCP
server, type the following command:
exec dhcp lease-list
Other available DHCP CLI commands are listed below. Please do not run these commands at this
time.
DHCP leases can be cleared with the following command:
exec dhcp lease-clear

Configuring Global System Settings
In Web Config, go to System > Network > DNS. Select Specify and modify the following DNS Settings:
Primary DNS Server 192.168.3.1
Secondary DNS Server 8.8.8.8
Click Apply.
Compare the output for the following DNS CLI commands:
show system dns
get system dns
The output should correspond to the DNS changes just made in the GUI.
For logging purposes, as well as to optimize FortiGuard updates, the FortiGate unit should be set to
the correct time zone and NTP server synchronization should be enabled.
Go to System > Dashboard > Status. In the System Information widget, click the [Change] link for
System Time.
Select the appropriate Time Zone – GMT+1:00 Brussels, Copenhagen, Madrid, Paris
Enable Synchronize with NTP Server. By default, Use FortiGuard Servers will be used, or a local
NTP server can be used if available.
Click OK.
Display the current system time from the CLI by typing the following command:
execute time
Type exec time ? to view the syntax to set the system time manually.
Verify that the date setting is correct by typing the following CLI command:
exec date
In the System Information widget, click the [Change] link for Host Name and change the hostname of
the FortiGate unit to FGTUSERX. (where X is your user number)
Click OK.
The new hostname will appear in the browser title bar at the next login or when the page is refreshed.
View the CLI equivalent commands for all the system settings configured in the above steps by typing
the following command:
show system global

Performing Configuration Backup

Connect to the GUI on the FortiGate, go to System > Dashboard > Status and, under System
Information, click Backup.

Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the encrypted
configuration file to the Desktop with the filename student-initial-enc.conf.

Caution: When backing up the FortiGate unit’s configuration, be sure to use a naming convention
that you understand and which identifies both the date and the device information. Every time that
you log in and make changes to your device (even if the change seems minor or insignificant), you
should ALWAYS make a backup of the configuration file. This will always be the best form of
protection against problems.
Back on the FortiGate, go to System > Dashboard > Status and, under System Information, click Backup.

Click Backup (without selecting Encrypt configuration file this time) and save the configuration file
to the Desktop with the filename student-initial.conf.
Using WordPad, open the file student-initial.conf. In another instance of WordPad, open the file
student-initial-enc.conf and compare the details in both.
Next, try restoring the encrypted configuration file. Browse the Desktop, navigate to the file
student-initial-enc.conf and click Restore.
This time you will need to enter the password fortinet, as this file is encrypted.
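As an added example (not part of the Fortinet lab guide), the following Python script does by code what the objectives above ask you to do by hand: it reads the first line of a backup to pull out the model, FortiOS version and build, tells a readable plaintext backup apart from one that is encrypted, and looks up a setting such as the hostname. The `#config-version=...` header layout and the sample file contents are assumptions constructed for this example, not copied from a real device.

```python
import re

# Constructed first lines of a plaintext FortiGate backup. The header layout
# "#config-version=<model>-<major.minor>-FW-build<n>-<date>:opt=val:..." is an
# assumption about FortiOS 5.2 backups; all values are invented for this example.
SAMPLE_PLAINTEXT = b"""#config-version=FGT60D-5.02-FW-build727-160421:opmode=0:vdom=0:user=admin
#conf_file_ver=1234567890
#buildno=0727
#global_vdom=1
config system global
    set hostname "FGTUSER1"
    set timezone 28
    set admin-lockout-threshold 2
    set admin-lockout-duration 100
end
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess https ping ssh
    next
end
"""

# Constructed stand-in for an encrypted backup: arbitrary bytes that are not
# valid text, so nothing about the real encrypted file format is assumed here.
SAMPLE_ENCRYPTED = bytes([0x8A, 0x17, 0xFE, 0xFF, 0x03, 0xC1, 0x9D, 0x42]) * 8

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<version>\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d+)(?::(?P<opts>.*))?$"
)


def parse_config_header(data):
    """Return model, version, build, date and the ':key=value' options from
    the first line of a backup, or None when that line is not a config header."""
    first_line = data.split(b"\n", 1)[0].decode("ascii", errors="replace").strip()
    match = HEADER_RE.match(first_line)
    if match is None:
        return None
    info = {k: v for k, v in match.groupdict().items() if k != "opts"}
    for item in (match.group("opts") or "").split(":"):
        if "=" in item:
            key, value = item.split("=", 1)
            info[key] = value
    return info


def is_plaintext_config(data):
    """A backup you can read and diff is UTF-8 text containing the mandatory
    'config system global' block; anything else is treated as encrypted
    (or simply not a FortiGate configuration)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return "config system global" in text


def get_setting(data, block, key):
    """Find 'set <key> <value>' inside a flat 'config <block> ... end' section
    such as 'system global'; returns None if absent. Nested edit/next
    sections are not handled, which is enough for the global block."""
    if not is_plaintext_config(data):
        return None
    in_block = False
    prefix = f"set {key} "
    for line in data.decode("utf-8").splitlines():
        stripped = line.strip()
        if stripped == f"config {block}":
            in_block = True
        elif in_block and stripped == "end":
            break
        elif in_block and stripped.startswith(prefix):
            return stripped[len(prefix):].strip().strip('"')
    return None


def describe_backup(data):
    """One-line summary of the facts the lab asks you to find in the file."""
    header = parse_config_header(data)
    kind = "plaintext" if is_plaintext_config(data) else "encrypted/unreadable"
    if header is None:
        return f"{kind} backup, no config-version header found"
    return (f"{kind} backup from {header['model']} running FortiOS "
            f"{header['version']} build {header['build']}, saved by {header.get('user', '?')}")


if __name__ == "__main__":
    print(describe_backup(SAMPLE_PLAINTEXT))
    print(describe_backup(SAMPLE_ENCRYPTED))
    print("hostname:", get_setting(SAMPLE_PLAINTEXT, "system global", "hostname"))
```

To run it against your own student-initial.conf, read the file with `open(path, "rb").read()` and pass the bytes to `describe_backup`.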



Module 1 Lab 2: Administrative Access

Administrative Access

In this lab, you will create and modify administrative access permissions.

Objectives
• Create a new administrative user
• Restrict administrative access

Time to Complete
Estimated: 10 minutes

Administrators, Passwords, and Permissions

On the Student VM, open a browser and log in to the Student FortiGate's GUI:
https://192.168.1.99
Go to System > Admin > Settings and select Enable Password Policy.
Configure these settings:
Minimum Length: 8
Must Contain: enabled, with 1 Upper Case Letter and 1 Numerical Digit
Enable Password Expiration: enabled, 90 days

Click Apply to save the changes.


Log out of the GUI.
Log in again.
Due to the password policy that you just configured, FortiGate should prompt you to enter a new
administrator password. Enter a new password that meets the requirements: FortinetX
Go to System > Admin > Admin Profile. Create a new profile called Security_Admin_Profile. Set
Security Profile Configuration to Read-Write, but set all other permissions to Read Only.

Click OK to save the changes.

Go to System > Admin > Administrators. Click Create New to add a new administrator account that is
named Security_Admin, password FortinetX.
In Admin Profile, select the profile created in the previous step. This limits that administrator’s access:
they will only be able to modify and create security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot include characters such
as < > ( ) # " in an administrator account name or password. Spaces are allowed, but not as the first
or last character. To enter spaces in a name or password via the CLI, you must enclose each in
straight quotes ( ' ).
Caution: For convenience in the lab, you will not set the password of the account named admin.
However, in real networks, you should always set administrator passwords, make them strong, and
change them often.
Click OK to save the changes.
Go to System > Dashboard > Status. In the System Information widget, enter the following commands to
view the configuration for administrator accounts and profiles:
show system admin
show system accprofile
Log out of the admin account's GUI session.
Log in as Security_Admin with its password.
Test this administrator’s access: try to create or modify settings on the Student FortiGate that are not
allowed by that account's profile.
You should see that this account can only configure security profiles.
Log out as Security_Admin, then Log back in as admin.
Delete the Security_Admin account.

Restricting Administrator Access

On the Student VM, open a browser and go to the Remote FortiGate's GUI:
https://192.168.1.99
Log in as the admin account.
Go to System > Admin > Administrators. Edit the admin account and enable the setting Restrict this
Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.10.10.0/24.
Click OK to save the changes.
Try connecting to the GUI of the Remote FortiGate again. What is the result this time?
Because you are connecting from the 192.168.1.110 address (because of DHCP on the
Student FortiGate) you should notice that you can't connect any more since you restricted
logins to specific source IP addresses in Trusted Hosts.
Attempt to ping 192.168.1.99. You should notice that FortiGate also doesn't respond to ping
anymore. This is also blocked by the restriction on source IP.
Open the console of the Remote FortiGate device. Enter the following CLI commands to add
192.168.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
conf sys admin
edit admin
set trusthost2 192.168.0.0/16
end
Try to ping the Remote FortiGate and access its GUI again. Access should be restored.
Go to System > Dashboard > Status. In the System Information widget, in the Current Administrator
row, click the [Details] link.
The GUI should display a list of administrators currently logged in to the FortiGate.
By default, each source IP address can attempt to log in up to 3 times. If they fail 3 times, they are
locked out for 60 seconds.
To help improve the overall password security, use the CLI to decrease the maximum number of
attempts and increase the lockout timer:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
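An added example, not from the lab guide, that models what the trusted-host and lockout settings in this exercise do: it parses constructed `show system admin` output, evaluates candidate source addresses against the trusthost networks (which is why 192.168.1.110 was blocked until 192.168.0.0/16 was added), applies the equivalent of the `set trusthost2` CLI change, and simulates admin-lockout-threshold / admin-lockout-duration per source address. The sample output and the lockout model are assumptions made for illustration, not FortiOS code.

```python
import ipaddress
import re

# Constructed 'show system admin' output as it might look after the first
# trusthost step of the lab (only trusthost1 set); not captured from a device.
SHOW_SYSTEM_ADMIN = """\
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "Security_Admin"
        set accprofile "Security_Admin_Profile"
        set vdom "root"
    next
end
"""

TRUSTHOST_RE = re.compile(r"^\s*set trusthost(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def to_network(spec):
    """Accept '192.168.0.0/16' (CLI shorthand) or '192.168.0.0 255.255.0.0'
    (show output form) and return an ip_network."""
    return ipaddress.ip_network(spec.strip().replace(" ", "/"), strict=False)


def parse_trusted_hosts(show_output):
    """Map each administrator name to {trusthost index: network}."""
    hosts = {}
    current = None
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.startswith('edit "') and stripped.endswith('"'):
            current = stripped[6:-1]
            hosts[current] = {}
        elif stripped == "next":
            current = None
        elif current is not None:
            m = TRUSTHOST_RE.match(line)
            if m:
                index, ip, mask = m.groups()
                hosts[current][int(index)] = to_network(f"{ip} {mask}" if mask else ip)
    return hosts


def set_trusthost(hosts, admin, index, spec):
    """Equivalent of: config system admin / edit <admin> / set trusthost<index> <spec>."""
    hosts.setdefault(admin, {})[index] = to_network(spec)


def is_login_allowed(hosts, admin, src_ip):
    """No trusthost configured means any source is accepted; otherwise the
    source must fall inside one of the networks. The same rule is what made
    both the GUI and ping stop answering in the lab."""
    nets = hosts.get(admin)
    if nets is None:
        return False  # unknown administrator
    if not nets:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets.values())


class LockoutTracker:
    """Simplified per-source model of admin-lockout-threshold and
    admin-lockout-duration (defaults 3 attempts / 60 seconds)."""

    def __init__(self, threshold=3, duration=60):
        self.threshold = threshold  # failures before lockout
        self.duration = duration    # lockout length in seconds
        self.failures = {}
        self.locked_until = {}

    def attempt(self, src, now, password_ok):
        if self.locked_until.get(src, 0) > now:
            return "locked"
        if password_ok:
            self.failures[src] = 0
            return "ok"
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.threshold:
            self.locked_until[src] = now + self.duration
            self.failures[src] = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    hosts = parse_trusted_hosts(SHOW_SYSTEM_ADMIN)
    print("192.168.1.110 before:", is_login_allowed(hosts, "admin", "192.168.1.110"))
    set_trusthost(hosts, "admin", 2, "192.168.0.0/16")
    print("192.168.1.110 after: ", is_login_allowed(hosts, "admin", "192.168.1.110"))
```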



Module 2 Lab 1: Status Monitor and Event Log

Status Monitor and Event Log

In this lab, you will work with FortiGate’s event log and monitoring.

Objectives
• Enable logging of system events
• Locate event logs for specific information

Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Using the GUI's Status Monitor
• Exercise 2 Event Log & Logging Options

Time to Complete
Estimated: 35 minutes

Using the GUI's Status Monitor
On the Windows VM, open a web browser. Go to the internal IP address of the FortiGate named Student,
and log in as admin:
https://192.168.1.99/
Go to System > Dashboard > Status and locate the System Resources widget.
This widget provides a snapshot overview of the overall resource utilization on the FortiGate.
Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets
available to add to the dashboard.

Close the widget list window. Widgets can be removed from the page simply by clicking the X in the upper
left corner of each one.
Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom
widget.

Configure these settings:


Custom Widget Name: System Resource History
View Type: Historical
Time Period: Last 60 minutes

A line chart appears in a new custom System Resource History widget showing a trace of
CPU, memory and sessions over the past hour.
The refresh rate of this window is automatically set to 1/20 of the time period (interval)
configured.
The Alert Message Console widget displays recent system events, such as system restart and
firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to
view the entire message list.

Note: If there are no alerts you can reboot the FortiGate in order to see one. To do so, connect to
the CLI and use the command exe reboot

At the top of the dashboard, click Dashboard and select Add Dashboard.

Enter any name of your choice for the new dashboard and select the single column display.

The new dashboard will show up as a selectable menu option on the right hand side.


Test the functionality of the refresh, page forward, and page back icons in this window. You may need
to generate some additional traffic in order to properly test these functions.
Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.


Event Log & Logging Options


From the Student FortiGate CLI, check the overall status of the FortiGate:
get system status
Verify the Log hard disk status: it should be Available.
Log out of the GUI. When logging back in, use an incorrect password once and then use the correct
password to log back in again.
Go to Log & Report > Event Log > System and examine the log to find the invalid password event.
Go to Policy & Objects > Objects > Address, and create a new firewall address using the following
settings:
Name: Fortinet_website
Type: FQDN
FQDN: www.fortinet.com
Leave the remaining settings at their defaults and click OK to save the changes.
Next go to Log & Report > Event Log > System and review the log entries.
Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.
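An added example (not from the guide) that parses FortiOS-style key=value event log lines in Python, the same kind of search you just did in the GUI for the invalid-password event and the address-object change. The sample lines are constructed and modelled on the log format; their dates, user, addresses and field values are invented, not captured from a device.

```python
import re

# Matches key=value pairs where the value is either "quoted, may contain spaces"
# or a bare token; this is the shape of FortiOS text logs.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r"^(\w+)\((.*)\)$")  # e.g. https(192.168.1.110)

# Constructed sample event log (invented values, modelled on the FortiOS format).
SAMPLE_EVENT_LOG = """\
date=2016-05-10 time=09:12:31 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(192.168.1.110)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(192.168.1.110) because of invalid password"
date=2016-05-10 time=09:12:40 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(192.168.1.110)" action="login" status="success" reason="none" msg="Administrator admin logged in successfully from https(192.168.1.110)"
date=2016-05-10 time=09:15:02 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.168.1.110)" action="Add" cfgpath="firewall.address" cfgobj="Fortinet_website" cfgattr="type[fqdn]fqdn[www.fortinet.com]" msg="Add firewall.address Fortinet_website"
date=2016-05-10 time=09:20:17 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(10.10.10.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(10.10.10.7) because of invalid password"
"""


def parse_log_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_event_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def split_ui(ui):
    """'https(192.168.1.110)' -> ('https', '192.168.1.110')."""
    m = UI_RE.match(ui)
    return (m.group(1), m.group(2)) if m else (ui, "")


def failed_logins(events):
    """Administrator login failures with the protocol and source address split out."""
    out = []
    for e in events:
        if e.get("action") == "login" and e.get("status") == "failed":
            proto, src = split_ui(e.get("ui", ""))
            out.append({"time": f'{e["date"]} {e["time"]}', "user": e.get("user"),
                        "proto": proto, "src": src, "reason": e.get("reason")})
    return out


def failures_by_source(events):
    """Count login failures per source address, the view you want when
    deciding whether a source is a typo or something to investigate."""
    counts = {}
    for f in failed_logins(events):
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


def config_changes(events):
    """(action, cfgpath, cfgobj) for every configuration-change event."""
    return [(e.get("action"), e["cfgpath"], e.get("cfgobj")) for e in events if "cfgpath" in e]


if __name__ == "__main__":
    events = parse_event_log(SAMPLE_EVENT_LOG)
    for f in failed_logins(events):
        print(f"{f['time']} {f['user']} via {f['proto']} from {f['src']}: {f['reason']}")
    print("failures by source:", failures_by_source(events))
    print("config changes:", config_changes(events))
```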

Configuring Email Alerts
In this exercise, the FortiGate unit will be configured to send alert email messages to a mail account.

In Web Config, go to System > Config > Advanced and configure email service with the following details:
SMTP server: 192.168.3.1
Authentication: None
Log out of the GUI, then log in again.
Go to Log&Report > Log Config > Alert E-mail and configure email alerts with the following
details:
Email from: fgt-userX@training.lab
Email to: userX@training.lab
Alert emails can be sent based on selected event categories or simply on a log message
severity level. Only one of these options can be enabled at a time.
Still in the Alert E-mail window, enable Send alert email for the following and configure the
settings below:
Interval Time: 1 minute
Send alert email for the following Select all
Click Apply to save the settings.
Log in to the CLI once again and type the following command:
diagnose log alertmail test
Log out of the web GUI of the FortiGate, then log in again.
Open the email client application Outlook Express and confirm that the test messages have
been received.
If a severity level is used, the CLI contains additional interval hold-off timers for log levels above
the selected severity level.
To view the Alert E-mail settings that were just configured, enter the following commands in
the CLI:
show system email-server
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached,
it combines the messages and sends out one alert email.



Module 2 Lab 2: Remote Monitoring

Remote Monitoring
The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate unit’s
behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to reduce
resource usage. For example, while the GUI widgets provide useful displays of your system information, they
also carry a significant resource cost and should be used sparingly.

Objectives
• Enabling remote monitoring by FortiAnalyzer, Syslog and SNMP servers

Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Enabling Logging to a FortiAnalyzer device
• Exercise 2 Enabling Logging to a syslog device
• Exercise 3 Enabling SNMP Monitoring

Time to Complete
Estimated: 10 minutes

Enabling Logging to a FortiAnalyzer device
The FortiAnalyzer server in your lab environment has been pre-configured.
In the Web UI, go to Log&Report > Log Config > Log Settings and confirm that the default logging location
and display are set to Disk.
Enable Send Logs to FortiAnalyzer/FortiManager.
Enter the IP address of the FortiAnalyzer: 192.168.3.249
Select the Upload Option: realtime
Click Apply.
Stay in Log&Report > Log Config > Log Settings. Click Test Connectivity to verify the connection status
to the FortiAnalyzer device. A green checkmark should be displayed for the connection.

In the web browser, access a few random websites to generate traffic.


Access the FortiAnalyzer device:
http://192.168.3.249
Log in with the username of student and password of fortinet.
In FortiAnalyzer Web UI,
Confirm that the ADOM is set to LabFormation.
Go to the FortiView tab, then in the left menu go to Log View.
Locate log entries for your FortiGate device based on the device name assigned.

Enabling Logging to a Syslog Server (optional)

From the FortiGate CLI, enter the following commands to set up logging to the syslog server:
config log syslogd setting
set status enable
set server 192.168.1.110
end
Check that your Windows XP VM has the IP address 192.168.1.110; if not, change the syslog server
address in the FortiGate configuration to your VM's address.
Additional options, such as the syslog facility, can be set under the same config node. Note that
standard syslog is sent over UDP port 514 in clear text, with no authentication of the sender, so on a
production network the collector should sit on a trusted management segment.
On your Windows XP VM, start the 3CDaemon application to start the syslog server.
To generate a few log messages, log out of the web UI by clicking the logout button in the top right
corner.
On your Windows XP VM, check in the 3CDaemon application that you have received logs.

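The following Python script is an added example and not part of the Fortinet lab guide. It parses FortiOS key=value log records of the kind forwarded to the syslog server above (and displayed in the Event Log exercise earlier in this module) and counts failed administrator logins per source address, which is the event you generated by entering a wrong password. The sample records are constructed for illustration: the timestamps, device serial number and logid values are placeholders, and the exact field names on your unit should be checked against the records 3CDaemon received.

```python
import re
from collections import Counter

# One FortiOS log record is a run of key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PRI_RE = re.compile(r'^<\d{1,3}>')   # RFC 3164 priority tag prepended by the syslog transport


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, with surrounding quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(PRI_RE.sub("", line.strip())):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_failed_admin_login(fields):
    """System event with action=login and status=failed, as written for a bad admin password."""
    return (fields.get("type") == "event" and fields.get("subtype") == "system"
            and fields.get("action") == "login" and fields.get("status") == "failed")


def failed_logins_by_source(lines, threshold=3):
    """Return {(user, srcip): count} for every source with at least `threshold` failures."""
    counts = Counter()
    for raw in lines:
        f = parse_fortios_log(raw)
        if is_failed_admin_login(f):
            counts[(f.get("user", "?"), f.get("srcip", "?"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample records in the FortiOS 5.x event-log layout. Timestamps, serial
# numbers and logids are illustrative placeholders, not captured from a real unit.
_FAIL = ('<37>date=2015-06-01 time=10:00:{sec:02d} devname=FG-USER1 devid=FGT60C0000000001 '
         'logid=0100032002 type=event subtype=system level=alert vd="root" '
         'logdesc="Admin login failed" user="admin" ui=https({src}) method=https '
         'srcip={src} dstip=192.168.1.99 action=login status=failed reason="passwd_invalid" '
         'msg="Administrator admin login failed from https({src}) because of invalid password"')
SAMPLE_LINES = [
    _FAIL.format(sec=1, src="192.168.1.110"),
    _FAIL.format(sec=2, src="192.168.1.110"),
    _FAIL.format(sec=3, src="192.168.1.110"),
    '<38>date=2015-06-01 time=10:00:09 devname=FG-USER1 devid=FGT60C0000000001 '
    'logid=0100032001 type=event subtype=system level=information vd="root" '
    'logdesc="Admin login successful" user="admin" ui=https(192.168.1.110) method=https '
    'srcip=192.168.1.110 dstip=192.168.1.99 action=login status=success '
    'msg="Administrator admin logged in successfully from https(192.168.1.110)"',
    _FAIL.format(sec=30, src="192.168.1.50"),
    '<38>date=2015-06-01 time=10:01:00 devname=FG-USER1 devid=FGT60C0000000001 '
    'logid=0100044547 type=event subtype=system level=information vd="root" '
    'logdesc="Object attribute configured" user="admin" ui=GUI(192.168.1.110) '
    'action=Add cfgtid=123 cfgpath="firewall.address" cfgobj="Fortinet_website" '
    'cfgattr="type[fqdn]fqdn[www.fortinet.com]" msg="Add firewall.address Fortinet_website"',
]

if __name__ == "__main__":
    for (user, src), n in failed_logins_by_source(SAMPLE_LINES).items():
        print(f"{n} failed admin logins for {user!r} from {src}")
```

The threshold is deliberately a parameter: a single failed login is what you produced by hand in the Event Log exercise, while three or more from one source in a short window is the pattern worth alerting on from a collector.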
SNMP Monitoring
From the GUI, go to System > Config > SNMP to enable SNMP monitoring.
Select Enable for the SNMP Agent.
Click Apply.
Create a new SNMP v1/v2c community:
Community Name: training
Hosts / Interface: 192.168.1.110 / internal
Click OK.
The community name is the only credential in SNMP v1/v2c and it crosses the network in clear text, so
restrict the Hosts entry to the management station rather than leaving it open.
Go to System > Network > Interface, edit the internal interface and add SNMP to the Administrative
Access.
From the GUI, go to System > Config > SNMP and download the FortiGate MIB file.
On your Windows XP VM, start the iReasoning MIB Browser application and load the Fortinet MIBs.
Then set the IP address of the FortiGate to 192.168.1.99 and click Advanced to set the Read
community to training.


Then browse the FortiGate MIB, select an OID, set Operations to Get and click Go.

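The following Python script is an added example and not part of the Fortinet lab guide. It builds the same SNMPv2c GetRequest the MIB browser sends when you click Go, byte by byte in BER, and parses the first varbind out of a GetResponse, so you can see exactly what crosses the wire: the community string "training" is a plain OCTET STRING in the datagram, which is why the Hosts restriction above matters. The FortiGate address 192.168.1.99 and community "training" are the lab values; sysDescr.0 (1.3.6.1.2.1.1.1.0) is used as the OID, and the response parsed in the test is constructed locally rather than captured from a unit.

```python
import socket


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_integer(value):
    """INTEGER as minimal two's complement (128 needs a leading 0x00 so it stays positive)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv2c GetRequest for a single OID; the community rides as a plain OCTET STRING."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                  # SEQUENCE { OID, NULL }
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(0x30, varbind))                                 # GetRequest-PDU
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


def community_is_visible(packet, community):
    """True when the community string can be read straight out of the datagram (always, for v1/v2c)."""
    return community.encode() in packet


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def first_varbind(packet):
    """Walk a GetResponse and return (value_tag, value_bytes) of its first varbind."""
    _, msg, _ = read_tlv(packet, 0)           # SNMP message SEQUENCE
    _, _, p = read_tlv(msg, 0)                # version
    _, _, p = read_tlv(msg, p)                # community
    _, pdu, _ = read_tlv(msg, p)              # GetResponse-PDU (0xA2)
    p = 0
    for _ in range(3):                        # request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    _, vb, _ = read_tlv(varbinds, 0)
    _, _, p = read_tlv(vb, 0)                 # OID
    tag, value, _ = read_tlv(vb, p)
    return tag, value


def snmp_get(host, community, oid, timeout=2.0):
    """Send the request to UDP/161 and parse the first varbind of the reply (needs the lab network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        return first_varbind(s.recv(4096))


if __name__ == "__main__":
    # Lab values: FortiGate internal address and the read community from this exercise.
    pkt = build_get_request("training", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex(), community_is_visible(pkt, "training"))
    print(snmp_get("192.168.1.99", "training", "1.3.6.1.2.1.1.1.0"))
```

Running the script against the lab FortiGate and capturing the exchange with a sniffer shows the community string in both the request and the reply; SNMPv3 with authPriv is the answer in production, and the FortiGate SNMP page offers it next to the v1/v2c community you created here.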
Module 3 Lab 1: Firewall Policies

Firewall Policies

Objectives
• Configure firewall policies in FortiOS
• Configure source match options available in FortiOS firewall policies
• Apply different firewall object types of Address, Service and Schedule
• Configure firewall policy logging options
• Configure NAT
• Configure Source NAT settings using Overload IP Pools
• Configure Destination NAT settings using Virtual IPs
• Configure firewall policies based on device types
• Reorder firewall policies
• Use CLI commands to review your configuration and perform status checks

Time to Complete
Estimated: 40 minutes

Lab topology (diagram): Internet reached through the 192.168.3.0/24 segment (.254); AD/DNS/DHCP and
SMTP server 192.168.3.1 (userX@training.lab); FortiGate wan1 192.168.3.10X with IP pool External_IP
(192.168.3.20X); FortiGate internal 192.168.1.99 with VIP vip_to_webserver (192.168.1.1); Windows XP VM
192.168.1.110 (assigned by DHCP).

Creating Firewall Policy Objects

Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows XP VM. Modify the name of the
configuration file to identify it as being created before Module 3.
In Web Config, go to Policy & Objects > Objects > Addresses and create a new address object with the
following details:
Name Student_Internal
Type IP/Netmask
Subnet/IP Range: 192.168.1.0/24
Interface: internal
The unrestricted internal → wan1 policy will need to be temporarily disabled in the policy list. To do
this, go to Policy & Objects > Policy > IPv4, right-click the unrestricted internal → wan1 policy and select
Disable.
Next click Create New to add a new firewall policy to provide general Internet access from the internal
network. Configure the following settings:
Incoming Interface internal
Source Address Student_Internal
Outgoing Interface wan1
Destination Address all
Schedule always
Service http, https, DNS, ping, SSH
Action ACCEPT
Logging options Enabled (Log all Sessions)
Firewall / Network Options
NAT Enabled
Use Outgoing Interface Address Enabled
Comments General Internet access
Leave the other fields unchanged.
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore
a firewall policy only needs to be created for the direction of the originating traffic.
From the Windows XP VM, open a web browser and connect to various external web servers.
From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and
identify the log entries for your Internet browsing traffic.
With the current settings you should have many 0 byte log messages with action start. These are the
session start logs. When a session closes, a separate log entry records the amount of data sent and
received. Logging session starts doubles the number of log messages, so this option should only be used
when that level of detail is absolutely necessary.
In Web Config, go to Policy & Objects > Policy > IPv4 and right-click any of the column headings.
Select Column Settings > Count to display a packet and bytes count for each rule in the policy
list display. Move this column accordingly for easier viewing

From the CLI, enter the following command to see the source NAT action.
get system session list

FG-USER1 # get system session list


PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3593 192.168.1.110:1688 192.168.3.101:62104 66.171.121.34:80 -
tcp 3593 192.168.1.110:1690 192.168.3.101:62106 66.171.121.34:80 -
tcp 3593 192.168.1.110:1692 192.168.3.101:62108 66.171.121.34:80 -
udp 175 192.168.1.110:1144 192.168.3.101:61560 192.168.3.1:53 -
tcp 3594 192.168.1.110:1697 192.168.3.101:62113 173.194.67.100:80 -
udp 176 192.168.3.101:1029 - 192.168.3.251:514 -
tcp 3593 192.168.1.110:1693 192.168.3.101:62109 173.194.34.41:80 -
tcp 3593 192.168.1.110:1687 192.168.3.101:62103 66.171.121.34:80 -
tcp 3593 192.168.1.110:1689 192.168.3.101:62105 66.171.121.34:80 -

Note that FortiGate is applying a new source address, that of the destination interface wan1
(192.168.3.10X). The udp row to port 514 has no SOURCE-NAT entry because it is syslog traffic
originated by the FortiGate itself, so no firewall policy (and no NAT) applies to it.

Policy Actions

Use the same steps you performed earlier to create a second firewall policy. Configure the following
settings:
Incoming Interface internal
Source Address Student_Internal
Outgoing Interface wan1
Destination Address Click Create and configure a new address:
Category: Address
Name: ADServer
IP/Netmask: 192.168.3.1/255.255.255.255
Schedule always
Service ping
Action DENY
Log Violation Traffic Enabled

From the Windows XP VM, open a DOS command prompt and ping the ADServer as follows.
ping 192.168.3.1 -t
Because you have not changed the rule ordering, the ping should still work: it matches the ACCEPT
policy, not the DENY policy just created. This demonstrates the behavior of policy ordering. The second
policy was never checked because the traffic matched the first.
From the GUI, go to Policy & Objects > Policy > IPv4 and right-click any of the column headings. Select
Column Settings > ID. Move this column accordingly for easier viewing. By default only the sequence
number of the firewall policy is displayed in the GUI.
Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it
before the General Internet access policy

Return to the Windows XP VM and examine the DOS command prompt window still running the
continuous ping. You should observe that this traffic is now blocked.
From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic
and identify the log entries for your Ping traffic.

With the current settings you should have one entry for the ping traffic that was allowed, followed by
many 0 byte log messages for the violation traffic.
To stop your logs filling up with 0 byte log messages, you can enable the following setting from the CLI.
It creates a session table entry for denied traffic, so subsequent packets belonging to that session are
dropped by the session entry instead of being evaluated, and logged, by the policy again:
config system settings
set ses-denied-traffic enable
end
This setting reduces the number of log entries caused by the violation traffic. Notice how the time
between log entries increases.
After confirming the effect, disable the option again:
config system settings
set ses-denied-traffic disable
end

Access through Virtual IPs

In this exercise, a virtual IP address will be configured to allow connections from the internal network
to the Fortinet Training web server located at 192.168.3.1.
Go to Policy & Objects > Objects > Virtual IPs and create a new virtual IP mapping with the following
details:
Name vip_to_webserver
External Interface internal
Type Static NAT
External IP Address 192.168.1.1
Mapped IP Address 192.168.3.1
Port Forwarding Disabled (default)
Click OK to save the changes.
To view the VIP settings, enter the following command in the CLI:
show firewall vip
In Web Config create a new firewall policy to provide a guest PC access to the web server with the
following details
Incoming Interface internal
Source Address all
Outgoing Interface wan1
Destination Address vip_to_webserver
Schedule always
Service HTTP, HTTPS
Action ACCEPT
Logging options Enabled (Log all Sessions)
Enable NAT Enabled
Use Destination Interface Address Enabled
Comments Windows VM access to WebServer

The firewall is stateful so any existing sessions will not use this new firewall policy until they time out or
are cleared. The sessions can be cleared individually from the session widget on the Status page or
from the CLI by executing the following:
diag sys session clear
Move this policy to the top of the policy list
Open a web browser window on the Windows VM and access the following URL:
http://192.168.1.1/
If the virtual IP operation is successful, the Fortinet Training Server web page is displayed
To view the source and destination NAT mappings, enter the following CLI command:
get system session list | grep 192.168.1.1:80
Sample Output:
FWF60C3G11002343 # get system session list | grep 192.168.1.1:80
tcp 3596 192.168.1.110:4528 192.168.3.101:33084 192.168.1.1:80 192.168.3.1:80
tcp 3596 192.168.1.110:4529 192.168.3.101:12605 192.168.1.1:80 192.168.3.1:80
tcp 3596 192.168.1.110:4527 192.168.3.101:24867 192.168.1.1:80 192.168.3.1:80

In the output, the SOURCE-NAT column shows the wan1 address (192.168.3.10X) and the DESTINATION-NAT
column shows the VIP's mapped address 192.168.3.1:80: the policy's NAT setting translates the source,
while the VIP translates the destination from 192.168.1.1 to the real server. Note also that a static
NAT VIP is bidirectional: when a policy with NAT enabled carries traffic originated by the mapped host
itself, the VIP's external address takes priority over the outgoing interface address as the source.

Dynamic NAT with IP Pools
Currently, all traffic generated from the Windows XP VM through the Student FortiGate device has a translated
source IP address of wan1 (192.168.3.10X).
The network address translation occurs because NAT is enabled in the firewall policy that was created in
Exercise 1.
In this exercise, an IP address pool will be created so that outgoing traffic generated from the Windows VM will
have source NAT applied using the IP address specified in the pool.
In Web Config , go to Policy & Objects > Objects > IP Pool and create a new IP pool with the following
details:
Name External_IP
Type Overload
External IP Range 192.168.3.20X - 192.168.3.20X
Go to Policy & Objects > Policy > IPv4 and right-click the outgoing General Internet Access policy
(the internal → wan1 policy using the source address Student_Internal).
Select Copy Policy, then right-click the same policy again and select Paste > Before.
Select the new copy of the General Internet Access policy and configure these settings:
Incoming Interface internal
Source Address Student_Internal
Outgoing Interface wan1
Destination Address all
Schedule always
Service http, https, DNS, ping, SSH
Action ACCEPT
Logging options Enabled (Log all Sessions)
Enable NAT Enabled
Use Dynamic IP Pool External_IP
Comments Windows VM source NAT override
Click OK to save the changes. Verify that you have enabled it.
FortiGate does stateful inspection, so any existing sessions will not use this new firewall policy until
they time out or you clear them from the session table. You can do this either individually from the
session widget on the dashboard, or from the CLI. The filter below limits the clear to sessions from the
Windows VM; without a filter, diag sys session clear removes every session on the unit:
diag sys session filter src 192.168.1.110
diag sys session clear
From the Windows VM, open a DOS Command Prompt and ping the 8.8.8.8. This will generate
a new session.
From the CLI and enter the following command to verify the source NAT IP address:
get system session list | grep 192.168.3.20X
Sample output:
FWF60C3G11002343 # get system session list | grep 192.168.3.201
icmp 27 192.168.1.110:768 192.168.3.201:6284 8.8.8.8:8 -
As indicated in the session list, a new entry for ICMP traffic is generated and the source NAT IP
address is 192.168.3.20X.
Device Identification
Disable all outgoing policies except for the General Internet Access policy.
From the Windows XP VM, run a continuous ping to 192.168.3.1.
Edit the outgoing General Internet access policy. Select Source Device Type and choose a type that
will not match your Windows test VM, such as Linux PC. Click OK.
FortiGate will notify you that this action enables device identification on the source interface. Click
OK to accept this change.
Return to the continuous ping. You should observe that this traffic is blocked. Try browsing the Internet
and confirm that the firewall blocks this traffic.
Go to your Forward Traffic log. You should observe that there are no log entries. This is because
the traffic matches the implicit deny policy, and logging is not enabled on it by default.
Edit the implicit deny policy and enable log violation traffic. Return to the Forward Traffic log and confirm
there are logging entries for the denied traffic.
Edit the outgoing general Internet access policy and change the Source Device Type to Windows PC
to match your Windows host.
Return to the continuous ping started earlier. You should observe that this traffic is allowed. Try browsing
the Internet and confirm that the firewall allows this traffic.
Go to User & Device > Device > Device Definition and review the details of your detected host device.
This is a dynamic device list. FortiGate may update its list of devices and cache them to the flash disk
to speed up detection. List the detected devices from the CLI:
diag user device list
Clear the device from the CLI and then verify that it's removed:
diag user device clear
diag user device list
From the Windows XP, visit a few web sites. This will generate traffic so that device identification can
detect the host. Usually, it will use the HTTP User-Agent: header.
Display the device list again, and look for the internal host.
diag user device list
Perform a show from the CLI to confirm there are no devices in the configuration file.
show user device
From the GUI, go to User & Device > Device > Device Definition. Edit your device from the device list.
Add an alias called myDevice. This creates a static device in the configuration file.
Click OK to save the change.
Perform the following show command to confirm that the device now appears in the configuration file
as a permanent device.
show user device
Go to User & Device > Device > Device Group. Note that your device is already a member of
several predefined device groups.
Click Create New and add a new device group called myDevGroup. Add myDevice to the
Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the
custom group myDevGroup.
Return to the outgoing general internet access policy and configure it to use your permanent
device or static device group. Check that your traffic is unaffected by this change.
Module 4 Lab 1: User Authentication

User Authentication

In this lab, you will learn how to authenticate users with FortiGate.

Objectives
• Create an authentication policy
• Manage user authentication
• Track user login events
• Monitor active users
• Enable the captive portal
• Exempt some users from the captive portal

Time to Complete
Estimated: 20 minutes

Authentication via a Firewall Policy
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows VM.
Modify the name of the configuration file to identify it as being created before Module 4.
Go to User & Device> User > User Definition and create a new local user called Auth_Sample with a
password of auth_pw.
Go to User & Device > User > User Group and create a new group that includes the new sample user
with the following details:
Name Auth_Users
Type Firewall
Members Select the Auth_Sample user from the
Available Users Group list and use the
right arrow to move it to the Members list
Confirm that the user is properly configured by using the CLI command
diag test auth local Auth_Users Auth_Sample auth_pw
Go to Policy & Objects > Policy > IPv4 and edit the General Internet Access policy (unrestricted
internal → wan1 policy) with the following details:
Source User(s) Auth_Users
Destination Address all
Schedule always
Service ALL
Action ACCEPT
Log Enabled (Log all Sessions)
Click OK to save the changes to the policy
On the Win-Student server, open a web browser. Connect to a new web site. At the login prompt, enter
the following credentials:
Username Auth_Sample
Password auth_pw
You should observe that after successful authentication, FortiGate redirects your browser to the web
site that you requested.
On the Student FortiGate, go to User & Device > Monitor > Firewall to view the details of the
authenticated user along with some details about their IP address, how much traffic they have
sent, what method of authentication was used and so on.
If you right-click the columns at the top, you can find more information that can be added to the
display.
From the CLI, view the IP addresses and users which have successfully authenticated to the
FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful when using this command on a FortiGate in a real network. It will clear all
authenticated users.

Captive Portals
Note: Verify that you are not authenticated through the FortiGate before you begin. Use either the
User Monitor in the GUI or the CLI command from the previous exercise to de-authenticate.
On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4.
Edit the second policy (which does not have authentication enabled and is slightly greyed out currently)
and enable it.
You can go into the policy select Enable this policy at the bottom and then apply the change, or right
click the Seq # and select Enable.
On the Windows desktop, open a web browser and connect to a new web site
You should observe that, unlike before, FortiGate does not ask you to authenticate, yet you can still
access the web site even though the first policy has authentication enabled.
This illustrates how authentication interacts with firewall policies. The source of the first policy is
your IP address AND any user in the Auth_Users group. You have not authenticated yet, so your traffic
does not match the source of that policy. The second policy matches all IPs and has no authentication
option enabled, so it matches your traffic and allows the connection through.
Since FortiGate found a policy match with just the source IP, it does not force a login.
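The following Python model is an added example and not part of the Fortinet lab guide. It reproduces the first-match evaluation behind two observations in this guide: the policy-ordering exercise in Module 3, where the DENY policy for ping to 192.168.3.1 only takes effect once it sits above the General Internet access policy (and a Source Device Type that does not match falls through to the implicit deny), and the authentication behaviour described just above, where a policy that requires the Auth_Users group is skipped for an unauthenticated user and a later policy without authentication lets the traffic through, while with no such later policy the user is challenged. Policy and object names follow the lab; the destination 203.0.113.10 is a documentation address standing in for "a new web site", and the Flow and Policy structures are this example's own simplification of what FortiOS matches on.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list                 # CIDR strings; "all" matches any address
    dstaddr: list
    services: set                 # service names; "ALL" matches any service
    action: str                   # "accept" or "deny"
    groups: set = field(default_factory=set)    # Source User(s) groups; empty = no auth needed
    devices: set = field(default_factory=set)   # Source Device Type; empty = any device
    enabled: bool = True


@dataclass
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    service: str
    user_groups: set = field(default_factory=set)   # groups of the authenticated user, if any
    device: str = "unknown"


def _addr_match(addrs, ip):
    return "all" in addrs or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(a, strict=False) for a in addrs)


def _base_match(p, f):
    """Everything except the user requirement: interfaces, addresses, service, device type."""
    return (p.enabled and p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and _addr_match(p.srcaddr, f.src) and _addr_match(p.dstaddr, f.dst)
            and ("ALL" in p.services or f.service in p.services)
            and (not p.devices or f.device in p.devices))


def evaluate(policies, flow):
    """First match wins, top to bottom. A policy that matches on everything except the user
    group is remembered; if a later policy matches without authentication the traffic is allowed
    silently, otherwise the user is challenged. No match at all is the implicit deny."""
    pending_auth = None
    for p in policies:
        if not _base_match(p, flow):
            continue
        if p.groups and not (p.groups & flow.user_groups):
            pending_auth = pending_auth or p.name
            continue
        return p.action, p.name
    if pending_auth:
        return "authenticate", pending_auth
    return "deny", "implicit"


# Module 3: General Internet access policy and the DENY policy for ping to the AD server.
GENERAL = Policy("General Internet access", "internal", "wan1", ["192.168.1.0/24"], ["all"],
                 {"http", "https", "DNS", "ping", "SSH"}, "accept")
BLOCK_AD = Policy("Deny ping to ADServer", "internal", "wan1", ["192.168.1.0/24"],
                  ["192.168.3.1/32"], {"ping"}, "deny")
PING_AD = Flow("internal", "wan1", "192.168.1.110", "192.168.3.1", "ping")


def ordering_demo():
    """Same two policies in both orders: the DENY only acts once it sits above the ACCEPT."""
    return evaluate([GENERAL, BLOCK_AD], PING_AD), evaluate([BLOCK_AD, GENERAL], PING_AD)


# Module 4: the first policy requires Auth_Users, the second matches any source without auth.
AUTH_POLICY = Policy("General Internet access", "internal", "wan1", ["192.168.1.0/24"], ["all"],
                     {"ALL"}, "accept", groups={"Auth_Users"})
OPEN_POLICY = Policy("Unrestricted internal to wan1", "internal", "wan1", ["all"], ["all"],
                     {"ALL"}, "accept")
WEB = Flow("internal", "wan1", "192.168.1.110", "203.0.113.10", "http")


def auth_demo():
    """(both policies, not logged in), (auth policy alone, not logged in), (both, logged in)."""
    logged_in = Flow("internal", "wan1", "192.168.1.110", "203.0.113.10", "http",
                     user_groups={"Auth_Users"})
    return (evaluate([AUTH_POLICY, OPEN_POLICY], WEB),
            evaluate([AUTH_POLICY], WEB),
            evaluate([AUTH_POLICY, OPEN_POLICY], logged_in))


def device_demo():
    """Source Device Type set to Linux PC: a Windows host falls through to the implicit deny."""
    linux_only = Policy("General Internet access", "internal", "wan1", ["192.168.1.0/24"],
                        ["all"], {"ALL"}, "accept", devices={"Linux PC"})
    win = Flow("internal", "wan1", "192.168.1.110", "192.168.3.1", "ping", device="Windows PC")
    return evaluate([linux_only], win)


if __name__ == "__main__":
    print(ordering_demo(), auth_demo(), device_demo())
```

The practical lesson the model makes explicit: a broad policy placed below an authentication policy silently removes the login requirement for everything it matches, so review what sits underneath any policy that carries Source User(s) before relying on it.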
On the Student FortiGate's GUI, go to System > Network > Interfaces and edit the internal interface.
Set the Security Mode to Captive Portal and click OK to save the change
Open a web browser and connect to a new web site
FortiGate should prompt you to log in. Use the same credentials as the previous exercise.
Note: If you are not prompted to log in, make sure you are not still authenticated (see the note at the
start of this exercise).
On the Student FortiGate's GUI, go to Policy & Objects > Objects > Addresses
Right-click the Student_Internal object and choose Clone. Rename the clone Student_False.
Edit the Student_False object and set Subnet / IP Range to 192.168.250.250/32.
Go to Policy & Objects > Policy > IPv4. Edit the first firewall policy. Change the source to Student_False
and the group to Auth_Users.

Note: Student_False has the IP 192.168.250.250/32 so it does not match the IP of the Win-
Student VM.
On the Student FortiGate's GUI, go to User & Device > Monitor > Firewall. De-authenticate your user
session.
Open a web browser and connect to a new web site.
FortiGate should not prompt you to login, but show a disclaimer instead.
Look at the firewall policies in the CLI. You should find that the second policy with the captive
portal is suppressed.
config firewall policy
show
end
This means that even though internal has captive portal enabled for all traffic that is behind it,
any traffic that matches the second firewall policy will not receive the captive portal to
authenticate.
Unset the captive portal on the interface.

Module 5 Lab 1: SSL VPN

SSL VPN

In this lab, you will manage user groups and portals for the SSL VPN.

Objectives
• Configure and connect to an SSL VPN
• Enable authentication security
• Configure firewall policies for access to private network resources

Time to Complete
Estimated: 30 minutes

Configuring SSL VPN for Web Access

Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows XP VM. Modify the name of the
configuration file to identify it as being created before Module 5.
In the Web Config go to System > Config >Features and click on Show More. Select: Multiple Security
Profiles, SSL-VPN Realms and SSL-VPN Personal Bookmark Management.
Click Apply.
Authentication must be configured for an internal user to access the SSL VPN gateway. Go to User &
Device > User > User Definition and create a new entry with the following details:
Local User: Enable, then click Next
Username: SSL_User
Password: ssl_pw
Click Next on the remaining pages, leave Enable selected and click Create.
Go to User & Device > User > User Group and create a new user group with the following details:
Name: SSLVPN
Type: Firewall
Members: SSL_User
Go to VPN > SSL > Settings and set the following setting
Listen on Interface(s) internal
Login on Port 8443
Restrict Access Allow access from any host
IP Ranges SSLVPN_TUNNEL_ADDR1
Authentication/PortalMapping
All Other Users/Groups web-access

Click Apply

Go to VPN > SSL > Portals and edit the web-access portal. Review its settings.

Click Create new under Predefined Bookmarks


Add a new bookmark with the following details:
Category Intranet
Name Fortinet Training Server
Type HTTP/HTTPS
Location 192.168.3.1
Description: Intranet
SSO Disabled

Click OK and click Apply

A firewall policy is needed to allow access to the SSL VPN and authenticate the user. Go to Policy &
Objects> Policy > IPv4 and create a new policy with the following details:
Incoming Interface ssl.root
Source Address SSLVPN_TUNNEL_ADDR1
Source User(s) SSLVPN
Outgoing Interface wan1
Destination Address All
Service HTTP/HTTPS
NAT Disable
Logging Options Disable
Click OK to save the policy.
On the Windows VM, open a web browser and type the following address to connect to the SSL VPN
portal:
https://192.168.1.99:8443
Confirm any security exemptions or alerts that may be displayed.
Note : The SSL VPN gateway listens to port 8443. In an actual deployment, port 443 is
recommended as this port is typically open on firewalls to allow easy remote access using SSL. The
port can be changed by going to System > Admin > Settings and editing the Web Admin HTTPS
service from port 443 to a different port number (for example, 8443). Afterwards, edit the SSL VPN
login port from 8443 to 443.
When prompted, log in as SSL_User with the password of ssl_pw. The SSL VPN portal page will be
displayed.

If the connection fails, verify the following:


• SSL_User is a member of the SSLVPN user group.
• The SSLVPN user group is associated with the ssl.root → wan1 SSL VPN policy.
• Re-enter a new password for SSL_User in Web Config.
Click the created bookmark link. A new browser window displays the web site.
Note the URL of the web site in the browser address bar:
https://192.168.1.99:8443/proxy/http/192.168.3.1/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway:
https://192.168.1.99:8443...
The second part of the address is the instruction to use the SSL VPN HTTP proxy:
.../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy:
.../192.168.3.1/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection to the final
destination from the HTTP proxy is unencrypted.
In Web Config, go to VPN > Monitor > SSL-VPN Monitor and locate the details of the SSL VPN
connection.

Return to the VPN SSL web page and click to log out of the SSL VPN connection.

Configuring SSL VPN Tunnel Mode with Split Tunneling

In this exercise, an SSL VPN Tunnel Mode connection with split tunneling will be configured on the
FortiGate device.
With split tunneling enabled, traffic for networks behind the FortiGate unit is passed through the VPN
while other traffic follows its normal route.
In Web Config go to Policy & Objects > Objects > Addresses and create a new entry:
Name: Web_server
Type: IP/Netmask
Subnet / IP Range: 192.168.3.1/32
In Web Config, go to VPN > SSL > Portals and select the full-access portal.
Configure it as follows: enable Tunnel Mode, enable Split Tunneling and set the Routing Address to
Web_server. Note the difference between the two address objects involved:
Web_server: the destination that is routed through the tunnel (the split-tunnel routing address)
SSLVPN_TUNNEL_ADDR1: the pool of IP addresses FortiGate assigns to connecting clients

Note: In the Tunnel Mode widget, note that the default IP range of SSLVPN_TUNNEL_ADDR1 has
been used. A custom IP address pool can be created if required in the Policy & Objects > Objects
> Addresses section.
Note: the Routing Address configured in the SSL-VPN portal is overridden by the destination address of
the firewall policy, so the policy must be narrowed as well.
Go to Policy & Objects > Policy > IPv4, edit the SSL VPN policy (ssl.root → wan1), change the Destination
Address from all to Web_server and enable NAT.

Go to VPN > SSL > Settings and Edit the Authentication/Portal Mapping and change the SSL-VPN
Portal to full-access:
Click Ok and Apply
To view the routing table of the Windows XP VM before Tunnel Mode is initiated, enter the following
command in a DOS Command Prompt:
C:\>route print
Sample output is:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.110 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.110 192.168.1.110 10
192.168.1.110 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.110 192.168.1.110 10
192.168.251.0 255.255.255.0 192.168.251.11 192.168.251.11 10
192.168.251.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.251.255 255.255.255.255 192.168.251.11 192.168.251.11 10
224.0.0.0 240.0.0.0 192.168.1.110 192.168.1.110 10
224.0.0.0 240.0.0.0 192.168.251.11 192.168.251.11 10
255.255.255.255 255.255.255.255 192.168.1.110 192.168.1.110 1
255.255.255.255 255.255.255.255 192.168.251.11 192.168.251.11 1
Default Gateway: 192.168.1.99
===========================================================================
Persistent Routes:
None
In the web browser, connect to the portal at the following address:
https://192.168.1.99:8443
When prompted, log in as SSL_User with the password of ssl_pw.
The first time Tunnel Mode is used on the device, a plug in will need to be installed. Click the link
presented in the message to download and install the plugin.

When the plugin is correctly installed, restart the web browser.
In the web browser, connect to the portal once again at the following address:
https://192.168.1.99:8443
When prompted, log in as SSL_User with the password of ssl_pw.
From the Tunnel Mode widget click Connect to initiate the tunnel mode connection.
The fortissl virtual interface will receive an IP address from the FortiGate device. The assigned IP
should be in the 10.212.134.[200-210] range.
Note: The IP addresses allocated to client PCs can be defined in the SSL VPN portal definition.
To view the routing table after Tunnel Mode has been initiated, enter the following command in a DOS
Command Prompt on the Windows XP VM:
C:\>route print
Sample output
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.110 10
10.212.134.200 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.212.134.200 10.212.134.200 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.110 192.168.1.110 10
192.168.1.99 255.255.255.255 192.168.1.110 192.168.1.110 1
192.168.1.110 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.110 192.168.1.110 10
192.168.3.1 255.255.255.255 10.212.134.200 10.212.134.200 1
192.168.251.0 255.255.255.0 192.168.251.11 192.168.251.11 10
192.168.251.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.251.255 255.255.255.255 192.168.251.11 192.168.251.11 10
224.0.0.0 240.0.0.0 10.212.134.200 10.212.134.200 50
224.0.0.0 240.0.0.0 192.168.1.110 192.168.1.110 10
224.0.0.0 240.0.0.0 192.168.251.11 192.168.251.11 10
255.255.255.255 255.255.255.255 10.212.134.200 10.212.134.200 1
Default Gateway: 192.168.1.99
Note the differences now that the SSL tunnel mode is fully established between the Windows VM and
FortiGate unit.
A new entry for the host at the IP address of 192.168.3.1 has been added to the routing table
with a metric of 1 pointing to the fortissl IP address of 10.212.134.200. This indicates that
only traffic to the 192.168.3.1 address is being sent over the SSL VPN.
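The routing-table check described above can be automated. The following script is an added example (not part of the lab and not Fortinet tooling): it parses the lab's own sample route print table, reports which unicast destinations leave through the fortissl address 10.212.134.200, and classifies the client as split-tunnel or full-tunnel from whether the default route points into the tunnel.

```python
"""Parse a Windows `route print` table and report what an SSL VPN
tunnel-mode client actually sends through the fortissl interface.

Added example for the lab above; not Fortinet tooling.  The sample
table is the lab's own `route print` output from the Windows XP VM
after Tunnel Mode came up (tunnel address 10.212.134.200).
"""
import ipaddress
from typing import Dict, List

ROUTE_PRINT_SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.99   192.168.1.110      10
   10.212.134.200  255.255.255.255        127.0.0.1       127.0.0.1      50
   10.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.110   192.168.1.110      10
     192.168.1.99  255.255.255.255    192.168.1.110   192.168.1.110       1
    192.168.1.110  255.255.255.255        127.0.0.1       127.0.0.1      10
    192.168.1.255  255.255.255.255    192.168.1.110   192.168.1.110      10
      192.168.3.1  255.255.255.255   10.212.134.200  10.212.134.200       1
    192.168.251.0    255.255.255.0   192.168.251.11  192.168.251.11      10
   192.168.251.11  255.255.255.255        127.0.0.1       127.0.0.1      10
  192.168.251.255  255.255.255.255   192.168.251.11  192.168.251.11      10
        224.0.0.0        240.0.0.0   10.212.134.200  10.212.134.200      50
        224.0.0.0        240.0.0.0    192.168.1.110   192.168.1.110      10
        224.0.0.0        240.0.0.0   192.168.251.11  192.168.251.11      10
  255.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       1
Default Gateway:     192.168.1.99
"""

Route = Dict[str, object]


def parse_routes(text: str) -> List[Route]:
    """One dict per route line (dest network, gateway, interface, metric).

    A route line is exactly five fields: destination, netmask, gateway,
    interface, metric.  Headers and the 'Default Gateway:' trailer have
    a different field count and are skipped; anything that does not
    parse as addresses is skipped too.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            dest = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            routes.append({
                "dest": dest,
                "gateway": ipaddress.ip_address(fields[2]),
                "iface": ipaddress.ip_address(fields[3]),
                "metric": int(fields[4]),
            })
        except ValueError:
            continue
    return routes


def tunnel_destinations(routes: List[Route], tunnel_ip: str) -> List[str]:
    """Unicast destinations whose route leaves via the tunnel address.

    Windows installs multicast (224.0.0.0/4), limited-broadcast and
    x.x.x.255/32 directed-broadcast entries on every interface; they say
    nothing about which networks the VPN protects, so they are dropped.
    """
    tunnel = ipaddress.ip_address(tunnel_ip)
    protected = []
    for r in routes:
        net = r["dest"]
        if r["iface"] != tunnel or net.is_multicast:
            continue
        if net.prefixlen == 32 and int(net.network_address) & 0xFF == 0xFF:
            continue
        protected.append(str(net))
    return protected


def tunnel_mode(routes: List[Route], tunnel_ip: str) -> str:
    """'full' if the default route points into the tunnel, 'split' if
    only specific destinations do, 'none' if nothing is routed through it."""
    tunnel = ipaddress.ip_address(tunnel_ip)
    if any(r["dest"].prefixlen == 0 and r["iface"] == tunnel for r in routes):
        return "full"
    return "split" if tunnel_destinations(routes, tunnel_ip) else "none"


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_SAMPLE)
    print("mode:", tunnel_mode(table, "10.212.134.200"))
    print("via tunnel:", tunnel_destinations(table, "10.212.134.200"))
```

On the lab table the result is a split tunnel protecting only 192.168.3.1/32, which matches the explanation above; a portal that tunnels all traffic would instead show the 0.0.0.0 route on the fortissl address.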
In the web browser on the Windows VM, connect to the Training portal web site once again to
test the connection:
http://192.168.3.1
In Web Config, go to VPN > Monitor > SSL-VPN Monitor and locate the details of the SSL VPN
connection.
In Web Config, disable the firewall policies created in this lab.

Module 6 Lab 1: IPSec VPN

IPSec VPN

Objectives
In this lab, IPSec VPNs will be configured to neighboring students' FortiGate units.
Each student will configure a route-based VPN to one of their neighbors and a policy-based VPN to the
other neighbor.

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Route-based and Policy-based IPSec VPN Configuration

Timing
Estimated time to complete this lab: 30 minutes

Route-based and Policy-based IPSec VPN Configuration

Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration to a location on the Windows VM. Modify the name of the
configuration file to identify it as being created before Module 6.
Go to System > Config > Features, click on the Show More button, and enable Policy-based IPSec
VPN.
Edit the internal interface, change its IP address to 192.168.X0.254 and change the range of the
DHCP server to 192.168.X0.10 - 192.168.X0.110, then click OK.
Execute an ipconfig /release and an ipconfig /renew in a DOS prompt window.
Connect to the FortiGate with the new IP address: https://192.168.X0.254
Verify that you can ping your two direct neighbors from the FortiGate with the following CLI commands:
exec ping 192.168.3.10(X-1)
exec ping 192.168.3.10(X+1)
The Route-based IPSEC VPN configuration
Go to VPN > IPsec > Tunnels and create a new Phase 1 named VPN-User(X-1) and choose Custom
VPN Tunnel (No Template). Configure it as follows:
Name VPN-User(X-1)
Enable IPsec Interface Mode Enabled
Under Network
Remote Gateway Static IP Address
IP Address 192.168.3.10(X-1)
Interface wan1
Under Authentication
Method Pre-shared Key
Pre-shared Key Fortinet
Version 1
Mode Main
Under Phase 1 Proposal
Encryption AES256
Authentication SHA1
Diffie-Hellman Group 5
Under Phase 2 Selectors
Name : VPN-User(X-1)-P2
Enable IPsec Interface Mode Enabled

Click advanced… and set the following:
Under Phase 2 Proposal
Encryption AES256
Authentication SHA1
DH Group 5
Autokey Keep Alive Enabled
Auto-negotiate Enabled
Leave the other fields at their default values.
Go to System >Network > Routing and create a new static route:
Destination IP/Mask 192.168.(X-1)0.0/24
Device VPN-User(X-1)
Go to Policy & Objects > Policy > IPv4 and create two new policies as follows:
Policy 1:
Incoming Interface internal
Source Address all
Outgoing Interface VPN-User(X-1)
Destination Address Net-User(X-1) (click Create New and define this address object as 192.168.(X-1)0.0/24)
Schedule always
Service ALL
Action ACCEPT
Logging options Enabled (Log all Sessions)
Enable NAT Disabled

Policy 2:
Incoming Interface VPN-User(X-1)
Source Address Net-User(X-1)
Outgoing Interface internal
Destination Address all
Schedule always
Service ALL
Action ACCEPT
Logging options Enabled (Log all Sessions)
Enable NAT Disabled

Go to VPN > IPsec > Tunnels and create a new Phase 1 named VPN-User(X+1) and choose Custom
VPN Tunnel (No Template). Configure it as follows:
Name VPN-User(X+1)
Enable IPsec Interface Mode disabled
Under Network
Remote Gateway Static IP Address
IP Address 192.168.3.10(X+1)
Interface wan1
Under Authentication
Method Pre-shared Key
Pre-shared Key Fortinet
Version 1
Mode Main
Under Phase 1 Proposal
Encryption AES256
Authentication SHA1
Diffie-Hellman Group 5
Under Phase 2 Selectors
Name : VPN-User(X+1)-P2
Enable IPsec Interface Mode Enabled
Click advanced… and set the following:
Under Phase 2 Proposal
Encryption AES256
Authentication SHA1
DH Group 5
Autokey Keep Alive Enabled
Auto-negotiate Enabled
Leave the other fields at their default values.
Go to Policy & Objects > Policy > IPv4 and create a new policy as follows:
Local Interface internal
Source address all
Outgoing VPN Interface wan1
Action IPsec
Destination Address Net-User(X+1) (click Create New and define this address object as 192.168.(X+1)0.0/24)
Schedule Always
Service All
VPN Tunnel Use Existing: VPN-User(X+1)

Allow traffic to be initiated from the remote site Enabled
Logging options Enabled (Log all Sessions)
Move this policy to the top of the internal → wan1 policy section.
Go to VPN > Monitor > IPsec Monitor, click Bring Up and verify the tunnels go up.
From a DOS prompt, try to ping the remote PCs:
C:\>ping 192.168.(X-1)0.10
C:\>ping 192.168.(X+1)0.10

Module 7 Lab 1: Antivirus

Antivirus
Objectives
In this exercise, global antivirus settings will be explored including:
• Accessing the FortiGuard Distribution Network
• Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services
• Setting up file quarantine
• Enabling antivirus scanning for web proxy server
• Customizing antivirus replacement messages

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Enabling FortiGuard Subscription Services and Updates
• Exercise 2 Configuring Global Antivirus Settings
• Exercise 3 Testing Virus Scanning for HTTP
• Exercise 4 Inspecting HTTPS Traffic

Timing
Estimated time to complete this lab: 30 minutes

Enabling FortiGuard Subscription Services and Updates
Log in to Web Config and go to System > Dashboard > Status. In the System Information pane create
a backup of the device configuration. Modify the name of the configuration file to identify it as being
created before Module 7.
In Web Config go to System > Config > FortiGuard to verify the details of the FortiGuard Subscription
Services licensing for the Student FortiGate unit.
What is the antivirus definition version, expiry, and last update attempt for the FortiGate unit?
AV Engine Version: _________________
AV Definitions: _________________
If only the version field is showing, the FortiGate unit firmware was upgraded recently and there
have been no further update attempts.
Back in System > Config > FortiGuard, expand AntiVirus and IPS Options and enable a scheduled
update for every four hours.
Still in the AntiVirus and IPS Options window, click Update Now to force the FortiGate unit to obtain the
latest antivirus and IPS definitions. If properly entitled and depending on Internet congestion, the
FortiGate unit will receive and install the updated definitions after 3 to 5 minutes.
After a few minutes, return to System > Config > FortiGuard and check for the new updates. Today’s
date should appear next to the version number for both AV and IPS Definitions.
The AV and IPS signature databases can also be updated either individually or together
through the CLI using the following commands:
exec update-av Update AV engine/definitions
exec update-ips Update IPS engine/definitions
exec update-now Update all engines/databases
Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate
unit. To allow push updates, expand AntiVirus and IPS Options and enable Allow Push
Updates.
In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must
be configured on the NAT device, otherwise push updates will not work.
Note: The update-now command will update antivirus and IPS definitions only. It will not
upgrade the system firmware.
To view the update settings, enter the following CLI commands on the FortiGate unit:
get system autoupdate schedule
The defined FortiGuard autoupdate interval was set to 4 hours through Web Config
but the CLI shows 4:60. This means that the additional minutes interval will be
randomly picked from 0 to 59 minutes to spread out the request load on the FortiGuard
server. An exact hour and minute interval can be set through the CLI using the
following commands:
config system autoupdate schedule
set time 4:0
end
Verify the change with the following CLI command:
show system autoupdate schedule

In the FortiGuard Subscription Services window, expand Web Filtering and Email Filtering Options.
Configure the settings with the following details:
Enable Web filter cache Enabled / TTL: 1800 seconds (30 minutes)
Enable antispam cache Enabled / TTL: 900 seconds (15 minutes)
Port Selection Use Alternate Port (8888)
By default, FortiGuard uses UDP/53 since this port is often left open for DNS traffic. If there is
another IPS device on the network that is decoding DNS data on port 53, the FortiGuard
request/response may trigger an alert as the data is encrypted. In this scenario, change to the
alternate port of 8888 and ensure that any upstream devices will permit this traffic to pass.
Note: The status of FortiGuard Web Filtering may show as unreachable until a web filter profile
is applied to a firewall policy.

Configuring Global Antivirus Settings
Display the default quarantine settings for the FortiGate device by entering the following command in
the CLI:
get antivirus quarantine
File quarantine is available if the FortiGate unit model has an internal hard disk or if a
FortiAnalyzer device is available. The default destination for the quarantine is Disk.
Note: If using a FortiGate device without a hard disk, enable quarantine to the online FortiAnalyzer device.
For example:
config antivirus quarantine
set destination FortiAnalyzer
end
In Web Config, go to System > Config > Features, click on the Show More button, and enable
Multiple Security Profiles in order to be able to create new security profiles.
Go to Security Profiles > AntiVirus > Profile and create a new profile called Standard with the
following details (Click Create New in the upper right-hand corner of the Edit AntiVirus
Profile window):
Inspection Mode Proxy
Detect Viruses Block
Detect Connections to Botnet C&C Servers Block
Protocol Virus Scan and Block>HTTP enabled
Click OK
In the CLI, enter the following commands:
config system global
set gui-antivirus enable
set gui-utm-monitors enable
end
Go to Policy & Object > Policy > IPv4 and edit the internal → wan1 policy to enable UTM using
the Standard antivirus profile.
Replacement messages are substituted for the infected file when the FortiGate antivirus engine
detects a virus.
Go to System > Config > Replacement Message. Click on Extended view, Go to Security and
edit the text of the default Virus Block Page.
The same Replacement Messages can be displayed using the following commands in the CLI:
show full system replacemsg utm virus-html
Note: Some replacement messages are stored in raw HTML code. Make sure that the correct
syntax is used and preserve the existing HTML tags. An external HTML editor can be used to
create the replacement message and then copy and paste the resulting HTML code into the
FortiGate replacement message text window.


Testing Virus Scanning for HTTP


On the Windows XP VM, launch a web browser and access the following web site:
http://eicar.org
On the Eicar web page, click Download Anti Malware Test File and download the eicar.com file from
the Download area using the standard protocol http section.
The download attempt will be blocked by the FortiGate unit and the following replacement
message will be displayed:

The Eicar file is an industry-standard file used to test antivirus detection. The file contains the
following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The HTTP virus message is shown when infected files are blocked or have been quarantined.
In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view
information about the detected virus.

In Web Config, go to Log&Report > Traffic Log > Forward Traffic and locate the antivirus event
messages.


In Web Config, go to Log&Report > Security Log > Antivirus and locate the antivirus event messages.

Go to Security Profiles > Monitor > AV Monitor to view details of the log event.

Note: There may be policies in place from previous exercises that could allow the files to be
downloaded. If the above steps do not work, go to the firewall policies and ensure that all
policies other than the default are disabled.
Note: If there is no UTM Monitor folder, go to System > Admin > Settings and verify that UTM
Monitor is selected in Display Options on GUI.

Inspecting HTTPS Traffic
In the previous exercise, the Eicar test file was downloaded over HTTP and blocked. In this exercise,
the Eicar test file will be downloaded again, this time over HTTPS.
On the Windows XP VM, launch a web browser and access the following web site once again:
http://eicar.org
On the Eicar web page, click Download Anti Malware Test File and download the eicar.com file from
the Download area using the secure SSL enabled protocol https section.
The download should be successful.
In order to inspect HTTP over SSL, go to Policy > Policy > Policy, edit the internal → wan1 policy
and enable SSL Inspection. This enables inspection of SSL-encrypted traffic on the FortiGate
unit.

To ensure that there are no existing sessions prior to deep scanning the communication exchange,
connect to the CLI of the FortiGate unit and enter the command:
diag sys session clear
Return to the Eicar web page and attempt to download the eicar.com file from the Download area using
the secure SSL enabled protocol https section.
Note: You may be prompted to accept a security warning to accept the digital certificate from
the Eicar web site.
This time, the download will be blocked by the FortiGate unit and the replacement message
will be displayed.
In Web Config, edit the internal → wan1 policy to disable UTM.

Module 8 Lab 1: Explicit Web Proxy

Explicit Web Proxy


In this lab, you will learn how to configure FortiGate to be an explicit web proxy.

Objectives

• Configure a FortiGate as an explicit web proxy

Time to Complete
Estimated: 15 minutes

Configuring the Explicit Web Proxy
On the Windows VM, open a web browser. Go to the GUI of the FortiGate, and log in as admin.
Go to System > Dashboard > Status. In the Features widget, enable Explicit Proxy. Click Apply.
Go to System > Network > Explicit Proxy and enable HTTP / HTTPS web proxy and click Apply.
Go to System > Network > Interfaces and edit Internal. Enable the option Enable Explicit Web Proxy.
Click OK.
Go to Policy & Objects > Policy > Explicit Proxy. Click Create New. Add this explicit proxy policy:
Explicit Proxy Type Web
Source Address All
Outgoing Interface wan1
Destination Address All
Action AUTHENTICATE
Add this authentication rule
Source User(s) Auth_Sample
Schedule always
Click OK to save it.
Open Mozilla Firefox. Click the Open menu icon on the top right corner. Select Options:

Go to the Advanced > Network tab and click Settings:


1. Select manual proxy configuration and enter:

HTTP Proxy 192.168.X0.254
Port 8080
Enable the option Use this proxy server for all protocols.
Additionally, add the subnet 192.168.0.0/16 to the No Proxy for list. This list contains the names, IP
addresses and subnet of web sites that will be exempted from using the proxy:

Click OK.


2. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:

User Name Auth_Sample
Password auth_pw
After that, you should have Internet access through the explicit web proxy.

3. While browsing different web sites, type the following CLI command to check the list of active web
proxy users:

# diagnose wad user list


You can also check this list from the GUI, by going to User & Device > Monitor > Firewall.
4. Type these CLI commands to list some web proxy sessions:

diagnose sys session filter clear

diagnose sys session filter dport 8080

diagnose sys session list


You can also use the grep command to display only the source and destination IP addresses and
ports for each session:

diagnose sys session list | grep hook=pre


Why is the source IP address of all those sessions 192.168.1.110?
Why is the destination IP address of all those sessions 192.168.1.99?
Why don't we see any public IP address listed in those sessions?
5. While browsing an HTTP site, type these other commands to list another set of proxy sessions:

diagnose sys session filter clear

diagnose sys session filter dport 80

diagnose sys session list | grep hook=out


Why is the source IP address of all these sessions 192.168.3.10X?

Why don’t we see the IP address of Windows XP VM (192.168.1.110)?

Tip: In the case of explicit web proxy, for each connection to a web site, two sessions are
created with the FortiGate: one from the client to the proxy, and another one from the
proxy to the server.

6. Disable explicit proxy on the interface Internal, delete the explicit proxy policy, disable the
explicit proxy in System > Network > Explicit Proxy and disable the proxy in Mozilla Firefox.

Module 9 Lab 1: Web Filtering

Web Filtering

Objectives
In this lab, web filtering will be configured to block specific categories of web content. The interaction of
local categories and overrides will also be demonstrated.

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Testing Web Category Filtering
• Exercise 2 Configuring Web Filtering Authentication
• Exercise 3 Configuring Web Filtering Quotas

Timing
Estimated time to complete this lab: 40 minutes


Testing Web Category Filtering

Log in to Web Config and go to System > Dashboard > Status. In the System Information pane
create a backup of the device configuration to a location on the Windows XP VM. Modify the
name of the configuration file to identify it as being created before Module 9.
In Web Config, go to Security Profiles > Web Filter > Profile and create a new web filter profile
called Category_Test. (Click Create New in the upper right-hand corner of the Edit Web
Filter Profile window)
In the Edit Web Filter Profile window, set the Inspection Mode to Proxy and enable the following
FortiGuard web categories with an action of Block.
• Local Categories
• Potentially Liable
• Adult/Mature Content
• Bandwidth Consuming
• Security Risk
• General Interest - Personal
• General Interest - Business
• Unrated
Click OK
In the CLI, enter the following commands to enable Extended UTM logs in order to have more
details on the logs for Web Filtering:
config webfilter profile
edit Category_Test
set log-all-url enable
end
config system global
set gui-webfilter enable
end
Go to Policy & Object > Policy > IPv4 and edit the internal → wan1 policy to enable UTM. Enable
web filtering using the Category_Test profile.
In a web browser connect to a web site. A Web Page Blocked window should be displayed.

In Web Config, go to System > Config > Replacement Message. Select the Extended View and
Expand FortiGuard Web Filtering and edit the FortiGuard Block Page to customize the text of
the message.


Revisit the web site and ensure that the customized FortiGuard Block Page message is
displayed.


Configuring Web Filtering Authentication

Web filtering can be configured to prompt users for authentication before accessing a web resource. A
warning page is displayed where the user must enter their credentials before proceeding to the web
page.
In Web Config, go to User & Device > User > User Definition. Create a new user called
Override_User with a password of fortinet.
Go to User & Device > User > User Group and create a new user group with the following
details:
Name web-override
Type Firewall
Members Select Override_User created in step 1
Go to Security Profiles > Web Filter > Profile and edit the Category_Test profile.
Select all the categories and set the Change Action for Selected Categories setting to
Authenticate.
Select the web-override user group from Available User Groups and move it to Selected User
Groups.

In the web browser, attempt to connect to a blocked category web site. A Web Page Blocked
message is displayed again, this time with a Proceed button.

Click Proceed to view the Web Filter Block Override page.


Enter the user name of Override_User and the password of fortinet and click Continue.
The blocked web page should be displayed.
Note: The Web Filter Block Override web page may not function properly when flow-based
web filtering is used instead of proxy-based filtering.
In Web Config, go to Log&Report > Traffic Log > Forward Traffic and locate the log messages
related to the web filtering activity.
In Web Config, go to Log&Report > Security Log > Web Filter and locate the log messages
related to the web filtering activity.


Configuring Web Filtering Quotas

In addition to using category and classification blocks and overrides, an access quota can be assigned
by category, category group, or classification.
Quotas allow access to web resources for a specified length of time. The quotas are calculated
separately for each user based on the authentication credentials provided and are reset every day at
midnight.
In Web Config, go to Security Profiles > Web Filter > Profile.
Edit the Category_Test profile. Expand Quota on Categories and click Create New to create
new quotas. Select the categories to be assigned quotas and select the quota time value to 5
minutes.

In the web browser, attempt to visit a blocked category web site again. Click the Proceed link
on the Web Page Blocked page. Authenticate on the Web Filter Block Override page using the
Override_User credentials.
Note: The Web Category Override web page may not function properly when flow-based
web filtering is used instead of proxy-based filtering.
Once authenticated properly, the quota timer is initiated. Go to Security Profiles > Monitor >
FortiGuard Quota to display the current quota timer value.

When the daily quota value is reached the FortiGuard replacement message will be displayed
again.
In Web Config, go to Log&Report > Security Log > Web Filter and locate the log messages
related to the web filtering activity.
In Web Config, Edit the profile Category_Test, expand Quota on Categories and delete the
quotas on the selected categories.
Still in this web filter profile, select flow-based. A notification is displayed as follows:

Click OK and then Apply.



Test the behavior of the flow based inspection by connecting to a web site that is usually
blocked. Check the log entry for this request.
Edit the internal → wan1 policy to disable UTM.

Module 10 Lab 1: Application Control

Application Control

Objectives
In this lab, access to specific applications will be blocked using
the application control on the FortiGate unit.
Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Creating an Application Control List
• Exercise 2 Testing Application Control

Timing
Estimated time to complete this lab: 15 minutes


Creating an Application Control List

Log in to Web Config and go to System > Dashboard > Status. In the System Information pane
create a backup of the device configuration. Modify the name of the configuration file to identify
it as being created before Module 10.
In Web Config, go to Security Profiles > Application Control > Application Sensor and create a
new application control sensor called App_Control_Lab. (Click Create New in the upper
right-hand corner of Web Config)
Under Application Overrides, click Add Signature, type youtube in the search window, select all the
signatures and click Use Selected Signatures:

Then change the action for these signatures to Traffic Shaping with the Shared-1M-pipe shaper and click
Apply.

Go to Policy & Object > Policy > IPv4 and edit the internal → wan1 firewall policy to enable
UTM. Enable application control using the App_Control_Lab sensor.


Testing Application Control

On the Windows XP VM, launch a web browser and access the following web site:
http://www.youtube.com
On the YouTube web site, attempt to play a random video.
In Web Config, go to Log&Report > Traffic Log > Forward Traffic, locate the log entry for the
application control action and verify that the traffic shaper is applied:

In Web Config, go to Security Profiles > Application Control > Application Sensor and edit the
App_Control_Lab sensor. Set the action for the YouTube application filter to Block.

In the web browser, access the following web site and attempt to play a video once again:
http://www.youtube.com


View the details of the log entry for this action in the Log & Report > Traffic Log > Forward
Traffic:

View the details of the Application monitor in Security Profiles > Monitor :


Creating an Application Control Filter

In Web Config, go to Security Profiles > Application Control > Application Sensor and create a
new Application Control Sensor called App_Control_Lab2. (Click Create New in the upper
right-hand corner of Web Config)
Create a second filter in the App_Control_Lab2 sensor with the following details:
Sensor Type: Filter based
Category proxy
Action: Block

Go to Policy > Policy > Policy and edit the internal → wan1 firewall policy to use the App_Control_Lab2
sensor.
Return to the web browser and attempt to access the following web site (a web proxy used by
some users to bypass URL filtering systems):
http://proxite.us
On the proxy web site, enter the URL of a site to visit, for example www.psg.fr, and click Go.


In Log&Report > Traffic Log > Forward Traffic, locate the log entries for the blocked proxy
actions:

View the details of the Application monitor in Security Profiles > Monitor :

Go to Policy > Policy > Policy and edit the internal → wan1 firewall policy to disable UTM.
In the CLI, enter the following command to reset the configuration to the factory default:
execute factoryreset
