FortiGate Multi-Threat Security Systems I

Administration, Content Inspection and SSL VPN
Course 201

www.fortinet.com

FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and SSL VPN
Student Guide v4.1 for FortiOS 4.0 MR2
Course 201
01-4200-0201-20100430

© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction ... 1
    Course Overview ... 3
        Course Objectives ... 3
        Prerequisites ... 3
        Who Should Attend ... 3
        Certification ... 4
        Self-Paced Training Course ... 4
        Course Evaluation (for Self-Paced Training Students) ... 4

Lesson 1 - Overview and System Setup ... 7
    Unified Threat Management ... 7
    The Fortinet Solution ... 8
        FortiGate Appliance ... 8
        FortiGuard ... 10
        FortiManager ... 10
        FortiAnalyzer ... 11
        FortiMail ... 11
        FortiClient ... 11
        FortiWeb ... 12
        FortiDB ... 12
        FortiScan ... 12
        FortiSwitch ... 12
        FortiCarrier ... 12
    Firewall Basics ... 13
        Types of Firewalls ... 15
        Network Address Translation ... 17
    FortiGate Capabilities ... 18
        Firewall ... 18
        Unified Threat Management ... 18
        WAN Optimization ... 19
        Endpoint Control ... 19
        Virtual Domains ... 19
        Traffic Shaping ... 19
        Secure VPN ... 20
        High Availability ... 20
        Logging ... 20
        User Authentication ... 20

Course 201-v4.1 Administration, Content Inspection and SSL VPN 01-4200-0201-20100604


    FortiGate Unit Components ... 21
        CPU ... 21
        FortiASIC Content Processor ... 21
        DRAM ... 21
        Flash Memory ... 21
        Hard Drive ... 21
        Network Interface Ports ... 21
        Serial Console Port ... 21
        USB Port ... 21
        Wireless ... 21
        Module Slot Bays ... 22
        PC Card Slot ... 22
        FortiGate Unit Front View ... 23
        FortiGate Unit Back View ... 24
    FortiGate Operating Modes ... 25
        NAT/Route Mode ... 25
        Transparent Mode ... 26
    Device Administration ... 27
        Web Config ... 27
        Command Line Interface ... 37
        Administrators ... 48
        DHCP ... 54
        Interface Addressing ... 57
        DNS ... 61
        Configuration Backup and Restore ... 62
        Firmware Upgrades ... 64
        Disk Usage ... 65
    Lab 1 - Initial Setup ... 66

Lesson 2 - Logging and Alerts ... 81
    Logging Levels ... 81
        Emergency ... 81
        Alert ... 81
        Critical ... 81
        Error ... 81
        Warning ... 82
        Notification ... 82
        Information ... 82
        Debug ... 82
    Log Storage ... 83
        Local Logging ... 83
        Remote Logging ... 85
        FortiGuard Analysis Service ... 86
        FortiAnalyzer ... 87


    Log Types ... 88
        Event Log ... 88
        Traffic Log ... 88
        Attack Log ... 88
        AntiVirus Log ... 88
        Web Filter Log ... 88
        Email Filter Log ... 88
        DLP Log ... 89
        Application Control Log ... 89
        Network Scan Log ... 89
    Generating Logs ... 90
    Viewing Log Files ... 93
        Log Display Formats ... 94
    Logging to a FortiAnalyzer Device ... 97
        FortiAnalyzer Device List ... 98
        Viewing FortiAnalyzer Logs ... 100
        Browsing Log Files ... 103
        Searching the Logs ... 104
    Logging to Multiple FortiAnalyzer Units or Syslog Servers ... 106
    Content Archiving ... 107
        Viewing Content Archives ... 109
    Alert Email ... 110
    SNMP ... 111
        Configuring an Interface for SNMP Access ... 114
    Reporting ... 115
        Report Layout ... 115
    Lab 2 - Logging and Monitoring ... 117

Lesson 3 - Firewall Policies ... 125
    Policy Matching ... 126
        Firewall Policy List ... 127


    Firewall Policy Elements ... 131
        Firewall Addresses ... 133
        Firewall Schedules ... 138
        Firewall Services ... 145
        Firewall Actions ... 151
        Logging Traffic ... 155
        Network Address Translation ... 156
        Identity-Based Policies ... 164
        Threat Management ... 166
        Traffic Shaping ... 187
        Virtual IPs ... 197
        Load Balancing ... 203
        DoS Policy List ... 213
        Sniffer Policy List ... 214
    Firewall Suggested Practices ... 215
        General ... 215
        Policies ... 215
        NAT ... 215
    Lab 3 - Firewall Policies ... 217

Lesson 4 - Authentication ... 233
    Authentication Methods ... 234
        Local Users ... 234
        Remote Users ... 234
    Authenticated Operations ... 236
        Firewall Authentication ... 236
        SSL VPN Authentication ... 239
        IPSec Authentication ... 240
        Administrator Authentication ... 242
    Users ... 243
    User Groups ... 245
        Firewall User Group ... 246
        Directory Service User Group ... 248
    Identity-Based Policies ... 250
        Authentication Rules ... 251
    Monitoring Firewall Authentication ... 253
    Lab 4 - Authentication ... 254


Lesson 5 - SSL VPN ... 261
    FortiGate VPN ... 261
        SSL VPN ... 261
        IPsec VPN ... 262
    SSL VPN ... 263
        Operating Modes ... 263
        Web-Only Mode ... 263
        Tunnel Mode ... 264
    User Groups ... 265
    Portals ... 267
        Web-Access Portal ... 267
        Tunnel-Access Portal ... 269
        Full-Access Portal ... 270
    Enabling SSL VPN ... 271
    SSL VPN Firewall Policies ... 273
        Web-Only Mode Firewall Policies ... 273
        Tunnel Mode Firewall Policies ... 276
    Connecting to the SSL VPN ... 278
        Web Portal Page ... 278
    Lab 5 - SSL VPN ... 279

Lesson 6 - FortiGuard Subscription Services ... 287
    FortiGuard Distribution Network ... 287
        Connecting to the FortiGuard Servers ... 289
    FortiGuard Antivirus Service ... 290
    FortiGuard Intrusion Prevention System Service ... 291
    FortiGuard Web Filtering Service ... 292
    FortiGuard Antispam Service ... 293
    FortiGuard Vulnerability Management Service ... 294
    FortiGuard Subscription Services Licensing ... 295
    Updating Antivirus and IPS Services ... 296
        Scheduled Updates ... 297
        Override Server ... 297
        Push Updates ... 297
        Manual Updates ... 299
    Web Filtering and Antispam Options ... 301
        Port Selection ... 301
        Caching ... 301


    Configuring FortiGuard Subscription Services Using the CLI ... 303
    FortiGuard Center ... 304
    Lab 6 - Fortinet Subscription Services ... 305

Lesson 7 - Threat Management ... 311
    Content Scanning Techniques ... 311
        Flow-Based Scanning ... 311
        File-Based Scanning ... 312
    Threat Management Architectural Components ... 313
        Proxies ... 313
        IPS Engine ... 314
        Scanunit Daemon ... 314
        URLFilter Daemon ... 315
        Update Daemon ... 315

Lesson 8 - Antivirus ... 319
    Virus Types ... 319
        Virus ... 319
        Trojan ... 319
        Worm ... 319
    Antivirus Elements ... 320
        File Size ... 320
        File Pattern ... 320
        Virus Scan ... 320
        File Type ... 320
        Grayware ... 321
        Heuristics ... 321
    File Filters ... 322
        File Filter Actions ... 322
        Defining File Filters ... 323
    Virus Databases ... 329
        Regular Virus Database ... 329
        Extended Virus Database ... 329
        Flow-Based Virus Scanning ... 330
        Updating the Antivirus Definitions ... 331
    Grayware ... 332
        Grayware Categories ... 332
    Heuristics ... 336
    Quarantine ... 337
        Quarantine Options ... 337
        Quarantined Files List ... 339
        Quarantine Virus Senders ... 340

    Antivirus Profiles ... 342
        Enabling Antivirus Profiles in Firewall Policies ... 344
    Antivirus Suggested Practices ... 345
    Lab 7 - Antivirus Scanning ... 346

Lesson 9 - Email Filtering ... 351
    Email Filtering Actions ... 352
        Tag ... 352
        Discard ... 352
    Email Filtering Methods ... 353
        IP Address Check ... 353
        URL Check ... 353
        Email Checksum Check ... 353
        Black/White List ... 353
        HELO DNS Lookup ... 353
        Return E-mail DNS Check ... 353
        Banned Word ... 354
        Multipurpose Internet Mail Extensions (MIME) Headers Check ... 354
    FortiGuard Email Filters ... 356
        Global Filters ... 356
        Customized Filters ... 357
    Banned Word ... 358
        Defining Banned Word Lists ... 358
    IP Address Filtering ... 365
        Defining IP Address Lists ... 365
    Email Address Filtering ... 369
        Defining Email Address Filters ... 369
    Multipurpose Internet Mail Extensions (MIME) Headers Check ... 373
    DNS Blackhole List and Open Relay Database List ... 374
    Email Filter Profiles ... 375
        Enabling Email Filter Profiles in Firewall Policies ... 379
    FortiMail Email Filtering ... 380

Lesson 10 - Web Filtering ... 383
    Web Filtering Elements ... 383
    URL Filter ... 384
        Defining URL Filter Lists ... 384
    FortiGuard Web Filter ... 388
        FortiGuard Web Filtering Categories ... 389
        FortiGuard Web Filtering Classes ... 391
        FortiGuard Web Filtering Overrides ... 392

    Web Filtering Overrides
        Administrative Overrides
        Override Rules
        Web Filtering Override Page
        User Overrides
        Web Filtering Authentication Page
        Local Ratings
        Local Categories
    Web Content Filter
        Defining Web Content Filters Lists
    Web Filter Profiles
        Advanced Filtering Settings
        Enabling Web Filter Profiles in Firewall Policies
    Lab 8 - Web Filtering

Lesson 11 - Data Leak Prevention
    Monitored Data Types
    Data Leak Prevention Rules
        Regular Rules
        Compound Rules
        Rule Processing
        Rule Priority
    Data Leak Prevention Sensors
        Data Leak Prevention Sensor Actions
    Enabling Data Leak Prevention in Firewall Policies
    Data Leak Prevention Logging
    Data Leak Prevention Suggested Practices
    Lab 9 - Data Leak Prevention

Lesson 12 - Application Control
    Application Types
    Application Control Lists
        Defining Application Control Lists
    Enabling Application Control in a Firewall Policy
    Application Control Logging
    Lab 10 - Application Control

Lesson 13 - Endpoint Control
    Endpoint Network Access Control
        Endpoint NAC Profiles
        Application Sensors
        Enabling Endpoint NAC in Firewall Policies
    Monitoring Endpoints
    Vulnerability Scanning
        Assets

Introduction

Course Overview

This course provides an introduction to the configuration and administration of FortiGate Unified Threat Management (UTM) appliances. Through a variety of hands-on labs, students will learn about the most common features of the FortiGate unit. Students will gain a solid understanding of how to integrate the FortiGate unit into an existing environment and the operational maintenance involved to ensure optimal performance and full protection of corporate assets.

Course Objectives

Upon completion of this course, students will be able to:
• Use Web Config and the CLI to complete the following administration and maintenance tasks for FortiGate devices:
  • Configure system and network settings.
  • Create administrative accounts.
  • Perform system backups.
  • Manage firmware to ensure availability and reliability.
  • Verify device performance and operational status.
  • Monitor system alerts.
  • Update FortiGuard Subscription Services.
• Construct firewall policies with schedules, source and service type restrictions.
• Apply firewall policy options for authentication, IP pool, virtual IP address, and traffic shaping.
• Enable FortiGate threat management features in policies including antivirus, web filtering, email filtering, data leak prevention and application control.
• Understand the differences between operating a FortiGate unit in NAT/Route and Transparent modes.
• Implement logging and monitoring features of the FortiGate device using a FortiAnalyzer appliance for content archiving and unauthorized traffic logging.

Prerequisites

The following is required to attend this course:
• Introductory-level network security experience
• Basic understanding of core network security and firewall concepts

Who Should Attend

This introductory-level course is intended for anyone who is responsible for the day-to-day administration and management of a FortiGate unit.

Certification

This course helps to prepare students for the following certification exams:
• Fortinet Certified Network Security Associate (FCNSA)
• Fortinet Certified Network Security Professional (FCNSP)

Self-Paced Training Course

Course 201 - Administration, Content Inspection and SSL VPN is available as a 2-day instructor-led course (public class or private on-site session) or as a self-paced training course. If this training is being taken as self-paced, the following are required to perform the hands-on exercises included in this Student Guide:
• A PC or laptop running Microsoft Windows 2000/XP/2003/Vista/7. The PC or laptop used for the exercises in the Student Guide requires a serial port to connect the FortiGate unit to the computer. If the computer does not include a serial port, a USB to Serial adaptor can be purchased from a local computer supply store.
• A FortiGate unit. This course is designed to be used with a Small Office/Home Office (SOHO) level FortiGate model (FortiGate 80 Series or lower). The FortiGate must be running FortiOS version 4.0 MR2 of the firmware.
• A FortiGuard Subscription Services license. Each new FortiGate unit comes with a free 30-day license to access FortiGuard Subscription Service updates. If beyond the initial 30-day trial time limit, a license to access FortiGuard Subscription Services is required to complete some of the exercises in the course.
• Internet connection. An Internet connection is required.
• Remote access to the FortiAnalyzer unit at the following address: http://209.87.230.134

Course Evaluation (for Self-Paced Training Students)

Once this training has been concluded, please complete the course survey. The comments provided will help to guide development of future versions of this course. To access the survey, type the following URL in a web browser: http://campus.training.fortinet.com. Click Student Survey in the Quick Links pane on the left hand side of the web page.


Lesson 1 - Overview and System Setup

Maintaining a secure network environment using existing network security technologies is a significant challenge due to a number of reasons:
• Increasingly sophisticated and rapidly evolving cyber threats evade one or more standalone security technologies.
• The costs and complexities associated with managing an increasingly distributed network with no clear perimeter add strain to already taxed resources.
• Most standalone network security offerings generally consist of single-purpose security software deployed onto PC-based hardware platforms, and provide basic network security functions like firewall and VPN services. These standalone network security products, however, fail to provide the comprehensive security, network deployment flexibility and the performance necessary to combat complex network-level and content-level security threats. The performance and processing power required to provide complete content level protection is difficult to achieve without purpose-built hardware.

Unified Threat Management

In order to solve the security problems for businesses and service providers, the Unified Threat Management (UTM) market has emerged. UTM devices incorporate firewall, intrusion prevention, antivirus and more in a single device. Many vendors have attempted to provide UTM capabilities by cobbling together existing firewall and VPN offerings with antivirus and intrusion detection and/or prevention technologies from other vendors. Others have simply relabeled their existing network security products, which offer limited threat management capabilities across different technology areas.

In order to address the challenges faced by the modern organization, an effective UTM solution must deliver a network security platform comprised of robust and fully integrated security and networking functions, all without impairing the performance of the network. Protection must be provided against the next generation of threats and offer centralized management from a single console.

The Fortinet Solution

Fortinet is a leading worldwide provider of Unified Threat Management network security solutions. Fortinet UTM solutions are built from the ground up offering truly integrated hardware, software and services for the best security and performance possible. Fortinet UTM solutions enable customers to cost-effectively defend against current and next generation network and application layer threats without slowing down their networks.

Fortinet supplies a comprehensive UTM solution comprised of the FortiGate network security platform, the FortiGuard security subscription services and an integrated suite of management, reporting and analysis products.

FortiGate Appliance

The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities including:
• Application-level services such as virus protection, intrusion prevention, web content filtering, email filtering, data leak prevention, application control, as well as IM, P2P, and VoIP filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL VPN, and traffic shaping
• Management services such as user authentication, logging, reporting, administration profiles, secure administrative access, and SNMP

The FortiGate relies on the dedicated Fortinet Global Threat Research Team that researches and develops protection against known and unknown security threats, which results in continuous updates for antivirus, intrusion prevention, web filtering and antispam services. This dynamic protection forms the basis of the FortiGuard Subscription Services.

FortiGate platforms incorporate sophisticated networking features, such as high availability for maximum network uptime and virtual domain capabilities to separate various networks requiring different security policies. All FortiGate appliances include a proprietary technology platform, which includes the proprietary FortiASIC processor specifically designed for accelerating certain security functions. Also part of the FortiGate technology platform is FortiOS, a proprietary operating system that provides the foundation for all security functions.

FortiGate Network Security Product Portfolio

From the FortiGate 30 series for small businesses and branch offices to the FortiGate 5000 series for large enterprises and service providers.

[Figure: FortiGate network security product portfolio, arranged from SOHO and Branch Office through Medium Enterprise and Large Enterprise to Service Provider. Models shown include the FortiGate 30B / FortiWifi 30B, 50B / FortiWifi 50B, 51B, 60B / FortiWifi 60B, 80C / 82C / FortiWifi 80CM, 110C, 111C, 200A, 224B, 300A, 310B, 311B, 620B, 800, 1000 series, 1240B, 3016B, 3600A, 3810A and the 5000 series (5140). Callouts: High availability, VLAN support; Integrated logging; Gigabit Ethernet; Redundant power supply, Gigabit performance, High port density.]

FortiGate Solutions for the Small Office/Home Office (SOHO) and Branch Office

The FortiGate 30B series, 50B series, 51B, 60B series, 80C series along with the 100C and 111C devices are all-in-one, network-based security solutions designed to protect smaller deployments from network level and content level threats. These models include all of the key security services provided by other FortiGate models, with integrated enterprise firewall, VPN, antivirus / antispyware, intrusion prevention, web filtering and email filtering functionality.

FortiGate Solutions for Medium-Sized Enterprises

The FortiGate enterprise series, which includes the FortiGate 200A to the FortiGate 800 models, meets enterprise-class requirements for network level and content level threat protection. Units in the FortiGate enterprise series meet the requirements for mission critical enterprise applications, including redundant, hot-swappable power supplies and fans to minimize single-point failures, and also support active/active redundant fail-over for uninterrupted service.

FortiGate Solutions for Large-Sized Enterprises and Service Providers

The Fortinet network security solution for large enterprises and service providers includes the FortiGate 1000 series of devices to the FortiGate 5000 series. These high performance units are designed to meet the most stringent requirements for performance and reliability. The high capacity, performance, reliability and easy management of FortiGate units make them natural choices as the cornerstone of a service provider's managed service offerings.

FortiGuard

FortiGuard Subscription Services extend the value of the initial investment in Fortinet by providing customers with dynamic updates to antivirus, intrusion prevention, spam filtering, web filtering and traffic-shaping services. FortiGuard Subscription Services are continuously updated by the 24x7x365 Global Threat Research Team possessing in-depth expertise in content and network level attacks. The FortiGuard network has data centers around the world located in secure, high-availability locations that automatically deliver updates to the Fortinet security platforms. With the FortiGuard Subscription Services enabled, customers can rest assured that their Fortinet security platforms are performing optimally and protecting their corporate assets with the latest security technology.

FortiManager

To complement the FortiGate product line, Fortinet also offers FortiManager appliances which enable customers to manage all Fortinet products from a centralized console. It minimizes the administrative effort required to deploy, configure, and maintain the full range of network protection services provided by Fortinet products.

FortiAnalyzer

For centralized analysis and reporting, Fortinet offers FortiAnalyzer appliances for forensics, traffic analysis, archiving and graphical reporting functions. The FortiAnalyzer unit is a dedicated hardware solution that securely aggregates and analyzes log data from FortiGate security appliances. It provides network administrators with a comprehensive view of network usage and security information, including traffic, event, virus, attack, content filtering, and email filtering data. FortiAnalyzer units accept and process a full range of log records provided by FortiGate systems. FortiAnalyzer appliances minimize the effort required to monitor and maintain acceptable use policies, to identify attack patterns and prosecute attackers, and to comply with governmental regulations regarding privacy and disclosure of security breaches. FortiAnalyzer devices also provide advanced security management functions such as quarantine archiving, event correlation, vulnerability assessments, and content archiving, supporting the needs of enterprises and service providers responsible for discovering and addressing vulnerabilities across dispersed FortiGate systems.

FortiMail

With the worldwide volume of spam now significantly increasing daily, corporate email servers and users alike are becoming increasingly overwhelmed. Spam email results in wasted corporate resources and decreased employee productivity. In addition, increasingly sophisticated content level threats now commonly use email applications as a mode of attack. This can be illustrated by the dramatic rise in phishing attacks, signaling a change in strategy for spammers looking to profit from unsuspecting users. For complete email security that includes content archiving and the highest levels of antispam and antivirus capabilities, Fortinet offers FortiMail specialized email security appliances. Fortinet FortiMail is a family of high-performance, multi-layered email security platforms that remove unwanted spam, provide maximum protection for blended email-related threats and facilitate regulatory compliance. The FortiMail device can provide full messaging server functionality when configured in Server Mode.

FortiClient

For endpoint security, Fortinet provides FortiClient software, a product that provides unified endpoint security for desktops, laptops and mobile devices. PC desktop and laptop devices have allowed users to access enterprise applications and mission critical data both in the office and on the road. Unfortunately, these devices are exposed to blended threats such as viruses, spyware and worms. As well, users accessing inappropriate and dangerous web content jeopardize device integrity, negatively impact productivity and violate corporate content access guidelines. While security technologies, such as antivirus agents, are available to protect devices from certain threats, such methods fall short of comprehensively protecting against blended threats and do not enforce content access guidelines. FortiClient provides unified security agent features for personal computers including personal firewall, IPSec VPN, antivirus, antispam and web content filtering. FortiClient's protection agent is powered by FortiGuard Subscription Services to ensure devices are comprehensively protected against today's blended threats.

FortiWeb

FortiWeb devices protect, balance, and accelerate Web applications, databases, and the information exchanged between them. FortiWeb devices protect web-based applications, improve the security of confidential information and aid in legislative and PCI compliance. FortiWeb goes beyond traditional web application firewalls to provide XML security enforcement, application acceleration, and server load balancing.

FortiDB

FortiDB devices provide a comprehensive solution to secure databases and applications such as ERP, CRM, SCM and custom applications, addressing vulnerability management, Database Activity Monitoring (DAM), auditing and compliance as well as change control.

FortiScan

FortiScan devices integrate endpoint vulnerability management, industry and federal compliance, patch management, remediation, auditing and reporting into a single, unified appliance. A FortiScan device can be used to identify security vulnerabilities and find compliance exposures on hosts, servers and throughout the network.

FortiSwitch

FortiSwitch devices meet the growing needs of high-speed interconnected applications driven by server virtualization, data center consolidation, and parallel and cloud computing applications. With FortiSwitch hardware at the core, network operators can build wire speed, scalable, resilient, ultra-low latency fabrics with the simplicity and robustness of standard Ethernet. Multi-path traffic switching and Dynamic Congestion Avoidance features on the device switch data flows to the lowest latency path, avoiding congestion while maintaining full Ethernet compliance.

FortiCarrier

FortiCarrier devices extend the integrated security concept to protect critical applications across a service provider's IP network. Features such as a GTP firewall, secure MMS with scanning of all interfaces, data loss prevention, and an SIP/IMS signaling firewall assure service providers of the security, privacy, and quality of service that are critical to their businesses.

Firewall Basics

A firewall is a hardware-based network device or software running on a computer that actively inspects and controls the flow of traffic between computer networks of different trust levels. Examples include the Internet, which is an untrusted zone, and an internal network, which is a zone with a higher level of trust. Firewalls control the flow of traffic between two or more networks, keeping unauthorized users or malicious traffic from accessing a network. As network traffic passes through the firewall, the firewall either allows or denies passage based on a set of rules configured on the device. The rules may be defined by the firewall administrator or the default rules may apply.

[Figure: Internet (untrusted network) - Firewall - Trusted corporate network]

The area situated between the Internet and a trusted internal network is often referred to as a demilitarized zone (DMZ) or perimeter network. Normally, this is where firewalls are positioned, but some larger organizations may also place firewalls between different parts of their own network that require different levels of security.

In basic terms, a firewall's main function is to keep information from leaking out (for example, confidential business information) and leaking in (for example, viruses, spyware, or spam), allowing good information through but blocking intrusions. Depending on the sophistication of the firewall, it can provide rudimentary or advanced protection. For example, a firewall might permit all traffic of a specified type (such as HTTP) and deny all other services or requests. Or, it might be configured to deny all traffic types except incoming (also referred to as ingress) traffic from a specified network address or address range.

Firewalls can enforce an organization's security policies by filtering outgoing (also referred to as egress) traffic to ensure that it complies with usage policies. Incoming traffic is similarly inspected and matched against the firewall's policies to allow or deny access, and to apply advanced filtering options and other security settings configured in the policy.

Entry-level software firewalls for personal computers are widely available or even built into the operating system to protect an individual computer when it accesses an external network. Firewalls designed for businesses can be more extensively customized in various ways. They can perform more involved operations, such as filtering spam and spyware, preventing intrusions into the network and allowing administrators to monitor traffic. High-end enterprise products can also create virtual private networks, allow management for multiple firewalls, support sophisticated authentication or access management systems, and allow for load balancing and failover.

Some common firewall features include:
• Blocking unwanted incoming traffic based on source or destination IP addresses.
• Blocking outgoing network traffic based on source or destination IP addresses. This can be an advantage for organizations that, for example, may want to prevent employees from accessing inappropriate web sites from workplace computers.
• Blocking network traffic based on content. For example, the firewall can screen network traffic for unacceptable content such as files that contain viruses or unacceptable spam email.
• Performing authentication to verify the identity of the users or processes. By authenticating users, the firewall has additional information it can work with to filter packets. Identifying the user can permit the firewall to allow the user to access some services but not others.
• Allowing connections to an internal network. For example, telecommuters and traveling salespeople can use a VPN to connect to the corporate network.
• Reporting on network traffic and firewall activities. Administrators might use this reporting information to know what the firewall is doing, who tried to break into the network, who tried to access inappropriate material on the Internet and so forth.

Types of Firewalls

Firewalls fall into different categories including:
• Packet filter firewall
• Stateful firewall
• Application layer (or proxy-based) firewall

Packet Filter Firewall

Data that is transmitted across a TCP/IP network is broken down into small chunks called packets. Packet filter firewalls act by inspecting incoming and outgoing packets. If a packet matches the packet filter's set of rules, the packet filter may allow the packet, drop (silently discard) the packet or reject it (with an error response). The packets are filtered based only on information contained in the packet headers, for example, the source and destination IP address, port number and protocol. No connection state information is maintained with this type of packet filtering.

Stateful Firewall

A stateful firewall is a form of packet filtering that does more than just examine the headers of a packet to determine source and destination information. It also looks at the contents of the packet to determine the state of each connection that is created, and holds attributes of each connection in a state table in memory from the start to the end of the connection. These attributes may include details such as the IP addresses and ports involved in the connection and the sequence numbers of the packets passing through the connection. When a packet is received by the firewall, it will compare the information reported in the packet header with the state of its associated session stored in memory in the state table. If the information matches what is in memory, the desired action is taken and the packet is allowed to pass the firewall. If the two do not match, the packet is dropped. Once the session has ended, its entry in the state table is discarded and the ports closed off until a connection to the specific port is requested. This allows an added layer of protection from the threat of port scanning.

When stateful filtering is used, packets are only forwarded if they belong to a connection that has already been established and tracked in a state table, instead of checking the packet against the firewall's established rule set each time a packet is received. Since more intensive checking is performed at the time of setup of the connection, all packets for that session that are delivered after the initial setup are processed quickly since they belong to an existing pre-screened session. Stateful firewalls provide added efficiency in terms of packet inspection since they only need to check the state table.
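To make the state-table behaviour concrete, here is a small Python simulation (an added example, not FortiGate code or anything from this guide): the rule set is consulted only for connection-setup packets, accepted sessions are recorded in a state table keyed by the 5-tuple, and later packets are forwarded only when they match a tracked session, so an unsolicited probe such as a port-scan packet is dropped. The rules, addresses and ports are constructed sample values.

```python
"""Minimal stateful packet filter simulation (added example; not FortiGate code).

Rule lookup (the slow, stateless path) happens once, when a connection is set
up; afterwards packets in either direction are matched against the state table
only. Packets with no tracked session and no setup flag are dropped, which is
what defeats a bare port-scan probe. All values below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True for a TCP connection-setup packet


@dataclass
class Rule:
    action: str              # "allow", "drop" or "reject"
    proto: str
    dst_port: Optional[int]  # None matches any destination port
    direction: str           # "egress" (internal -> external) or "ingress"


ConnKey = Tuple[str, int, str, int, str]  # 5-tuple state-table key


class StatefulFirewall:
    def __init__(self, rules: List[Rule], internal_prefix: str):
        self.rules = rules
        self.internal_prefix = internal_prefix        # e.g. "10.0.0."
        self.state_table: Dict[ConnKey, str] = {}     # key -> "ESTABLISHED"
        self.log: List[str] = []

    def _direction(self, pkt: Packet) -> str:
        return "egress" if pkt.src_ip.startswith(self.internal_prefix) else "ingress"

    def _match_rules(self, pkt: Packet) -> str:
        # Stateless check on header fields only; first matching rule wins,
        # and anything unmatched is dropped (default deny).
        d = self._direction(pkt)
        for r in self.rules:
            if r.direction == d and r.proto == pkt.proto and r.dst_port in (None, pkt.dst_port):
                return r.action
        return "drop"

    @staticmethod
    def _key(pkt: Packet) -> ConnKey:
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reverse_key(pkt: Packet) -> ConnKey:
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def process(self, pkt: Packet) -> str:
        # Fast path: the packet belongs to a tracked session (either direction).
        if self._key(pkt) in self.state_table or self._reverse_key(pkt) in self.state_table:
            return "allow"
        # Only a connection-setup packet may create a new state-table entry.
        if not pkt.syn:
            self.log.append(f"drop: no session for {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return "drop"
        action = self._match_rules(pkt)
        if action == "allow":
            self.state_table[self._key(pkt)] = "ESTABLISHED"
        else:
            self.log.append(f"{action}: rule denied {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}")
        return action

    def close(self, pkt: Packet) -> None:
        # Session ended: discard its entry so later packets need a new setup.
        self.state_table.pop(self._key(pkt), None)
        self.state_table.pop(self._reverse_key(pkt), None)


def demo() -> dict:
    fw = StatefulFirewall(
        rules=[Rule("allow", "tcp", 80, "egress"), Rule("allow", "tcp", 443, "egress")],
        internal_prefix="10.0.0.",
    )
    client_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True)
    server_reply = Packet("203.0.113.10", 80, "10.0.0.5", 51000)
    scan_probe = Packet("198.51.100.7", 40000, "10.0.0.5", 22)   # unsolicited inbound
    results = {
        "client_syn": fw.process(client_syn),       # rule match -> allow, entry created
        "server_reply": fw.process(server_reply),   # reverse key tracked -> allow
        "scan_probe": fw.process(scan_probe),       # no session, no setup -> drop
        "ssh_egress": fw.process(Packet("10.0.0.5", 51001, "203.0.113.10", 22, syn=True)),
    }
    fw.close(client_syn)
    results["reply_after_close"] = fw.process(server_reply)  # entry gone -> drop
    results["entries"] = len(fw.state_table)
    return results
```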

Application Layer (or Proxy-Based) Firewall

Some firewalls can serve proxy server functions. A proxy stands between the protected and unprotected network. With a proxy firewall, traffic never flows directly between the networks. Instead, the proxy repackages requests and responses, modifying traffic as it passes through the gateway, as dictated by its rule set. In the case of a proxy firewall, the firewall is the endpoint of the incoming and outgoing connection: all external connections leading into the proxy terminate at the proxy, not the internal host. The proxy repackages the messages into new packets that are allowed into the internal network. The proxy also terminates internal traffic that is headed out to the Internet and repackages it in a new packet with the source IP address of the proxy. This effectively eliminates IP routing between the networks. No internal host is directly accessible from the external network and no external host is directly accessible by an internal host. Proxy-based firewalls work at the application layer of the TCP/IP protocol stack, inspecting the contents of the traffic and blocking inappropriate content, such as certain web sites, viruses, attempts to exploit client software vulnerabilities, and so forth.

Network Address Translation

Network Address Translation (NAT) is a method of mapping one or more private, reserved IP addresses to one or more public IP addresses. Using NAT allows a network to maintain public IP addresses separately from private IP addresses and allows a single device to act as an agent between a public network and a private network. Typically, the NAT device has a public IP address that can be seen by external hosts. Computers on the local network use a completely different set of IP addresses. When traffic goes out, the internal IP address is removed and replaced with the public IP address of the NAT device. When replies come back to the NAT device, it determines which internal computer the response belongs to and routes it to its proper destination.

NAT provides additional security on the network by effectively hiding the entire internal network from the outside world by using only one address for the entire network. Using NAT conserves IP addresses since a single unique IP address can be used to represent an entire group of computers. As a result, organizations can use their own internal IP addressing schemes, using a specific block of IP addresses that are never recognized or routed on the Internet, with a single IP address provided by their Service Provider.

Static NAT

Static NAT is a type of NAT in which a private IP address is mapped to a public, static IP address, where the public address is always the same IP address. This allows an internal host, such as a web server, to have an unregistered (private) IP address and still be reachable over the Internet. This method of mapping an unregistered IP address to a registered IP address on a one-to-one basis is particularly useful when a device needs to be accessible from outside the network.

Dynamic NAT

Dynamic NAT is one form of NAT in which a private IP address is mapped to a public IP address drawn from a pool of registered public IP addresses. Typically, the NAT device will maintain a table of registered IP addresses. When a private IP address requests access to the Internet, the device will choose an IP address from the table that is not being used at the time by another private IP address. Dynamic NAT helps to secure a network as it masks the internal configuration of a private network and makes it difficult for someone outside the network to monitor individual usage patterns. Another advantage of dynamic NAT is that it allows a private network to use private IP addresses that are invalid on the Internet but useful as internal addresses.
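The static and dynamic NAT behaviour described above, as an added Python simulation (not FortiGate code or anything from this guide): a translation table maps a private address either to a fixed public address (static NAT) or to an address taken from a pool (dynamic NAT), replies are routed back to the owning internal host, a reply with no mapping is dropped, and releasing a mapping returns its public address to the pool. It models one-to-one address mapping only, not port translation, and all addresses are constructed sample values.

```python
"""Static and dynamic NAT simulation (added example; not FortiGate code).

Outbound packets get their private source replaced by a public address; inbound
packets are matched against the translation table and forwarded to the internal
host that owns the public address. An inbound packet with no mapping is dropped,
which is how NAT masks the internal network. Addresses are constructed samples.
"""
from typing import Dict, List, Optional, Tuple


class NatDevice:
    def __init__(self, public_pool: List[str], static_map: Dict[str, str]):
        self.free_pool = list(public_pool)                  # unused pool addresses
        self.static_map = dict(static_map)                  # private -> fixed public
        self.dynamic_map: Dict[str, str] = {}               # private -> pool public
        self.public_to_private: Dict[str, str] = {v: k for k, v in static_map.items()}
        self.dropped: List[str] = []                        # audit trail of drops

    def outbound(self, src_private: str, dst_public: str) -> Optional[Tuple[str, str]]:
        """Translate an outgoing packet; returns (public_src, dst) or None if dropped."""
        if src_private in self.static_map:                  # static NAT: always same address
            return self.static_map[src_private], dst_public
        if src_private not in self.dynamic_map:             # dynamic NAT: take a free address
            if not self.free_pool:
                self.dropped.append(f"pool exhausted for {src_private}")
                return None
            public = self.free_pool.pop(0)
            self.dynamic_map[src_private] = public
            self.public_to_private[public] = src_private
        return self.dynamic_map[src_private], dst_public

    def inbound(self, src_public: str, dst_public: str) -> Optional[Tuple[str, str]]:
        """Route a packet arriving at a public address back to the internal owner."""
        private = self.public_to_private.get(dst_public)
        if private is None:                                 # nothing maps to it: hidden
            self.dropped.append(f"no mapping for {dst_public}")
            return None
        return src_public, private

    def release(self, src_private: str) -> None:
        """End of session: return a dynamic mapping's public address to the pool."""
        public = self.dynamic_map.pop(src_private, None)
        if public is not None:
            del self.public_to_private[public]
            self.free_pool.append(public)


def demo() -> dict:
    nat = NatDevice(public_pool=["203.0.113.10", "203.0.113.11"],
                    static_map={"192.168.1.80": "203.0.113.80"})   # internal web server
    out1 = nat.outbound("192.168.1.10", "198.51.100.5")
    out2 = nat.outbound("192.168.1.11", "198.51.100.5")
    out3 = nat.outbound("192.168.1.12", "198.51.100.5")      # pool exhausted -> None
    reply = nat.inbound("198.51.100.5", "203.0.113.10")       # back to 192.168.1.10
    web = nat.inbound("198.51.100.9", "203.0.113.80")         # static map -> web server
    nat.release("192.168.1.11")                               # that session has ended
    stray = nat.inbound("198.51.100.9", "203.0.113.11")       # mapping gone -> None
    out4 = nat.outbound("192.168.1.12", "198.51.100.5")       # reuses the freed address
    return {"out1": out1, "out2": out2, "out3": out3, "reply": reply, "web": web,
            "stray": stray, "out4": out4, "dropped": list(nat.dropped)}
```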

FortiGate Capabilities
FortiGate devices include a comprehensive array of security and networking capabilities.

Firewall
A FortiGate unit uses firewall policies to dictate whether traffic will be allowed or denied access to the network. Traffic will not be able to pass through the FortiGate unit unless it matches the policy rules exactly. The FortiGate unit uses UTM profiles to dictate which type of content inspection will be performed on traffic passing through the firewall.

Unified Threat Management

Antivirus
The FortiGate unit uses a combination of techniques to provide real-time protection against virus attacks, worms and spyware. These techniques include signature blocking, heuristics, file recognition, and more.

Web Filtering
The FortiGate unit, in conjunction with the FortiGuard Web Filtering Service, offers a solution to control access to inappropriate web sites that may expose businesses to potentially liable material, jeopardize network security and consume valuable bandwidth. The FortiGuard Web Filtering database is a URL database with over 60 million rated web sites and 76 web content categories.

Email Filtering
The FortiGate unit delivers reliable and high performance features to detect, tag, and block spam messages and their malicious attachments, including IP address checks, DNSBL, ORDBL, black/white list, banned word check, checksum checks, URL checks and more.

Intrusion Prevention
The FortiGate Intrusion Prevention System matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect the network from known attacks. The FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures. An organization can create custom signatures to customize the Intrusion Prevention System on the FortiGate unit for diverse network environments. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, quarantine, or clear suspicious packets or sessions.

Application Control
Application Control detects network traffic based on the applications generating the traffic. Based on FortiGate Intrusion Prevention protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit, for instance, Instant Messaging (IM), Peer-to-Peer (P2P), and VoIP.

Data Leak Prevention
Data Leak Prevention (DLP) protects sensitive information from being transmitted over web, email, or file transfer protocols. Rules and compound rules are defined to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP Sensors which can be enabled in firewall protection profiles. Actions in response to detected data leakage include:
• Log leakage
• Block sending of the data
• Content archiving
• Ban user from using this protocol
• Add user to the banned user list

WAN Optimization
FortiGate WAN optimization can be used to improve performance and security across a WAN by applying a number of related techniques, including protocol and application-based data compression and optimization, data deduplication (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunneling, and SSL acceleration.

Traffic Shaping
Traffic shaping controls the bandwidth available and the priority of traffic processed by a firewall policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for an employee's computer.

Endpoint Control
Endpoint control can be used to block or monitor applications on the client computer, including enforcement of the use of FortiClient End Point Security software. Clients can be monitored to ensure they have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. A database of end point applications to allow, block or monitor is available on the FortiGate device. Endpoint client computers can also be scanned to help determine if the computers are vulnerable to attacks.

Virtual Domains
Virtual Domains (VDOMs) enable a FortiGate unit to function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. A single FortiGate unit can then be flexible enough to serve multiple departments of an organization, separate organizations, or be the basis for a service provider's managed security service. Using VDOMs can also simplify administration of complex configurations because administrators do not have to manage as many routes or firewall policies at one time.

Secure VPN
The built-in SSL and IPSec VPN capabilities of the FortiGate unit can ensure the confidentiality and integrity of data transmitted over the Internet. The FortiGate unit provides enhanced authentication in addition to encrypting and securing information sent from a web browser to a web server. Customized SSL VPN web portal configurations can be created which have a different look and feel, as well as different types of web portal functionality.

User Authentication
A FortiGate unit can control access to network resources by defining lists of authorized users. User authentication can be performed locally on the FortiGate unit, or through the use of external authentication servers and digital certificates. Supported external server types for authentication include RADIUS, LDAP, Directory Services, and TACACS+.

High Availability
FortiGate High Availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. FortiGate HA is implemented by configuring two or more FortiGate units to operate as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewall, VPN, IPS, virus scanning, web filtering, and spam filtering services.

Logging
A FortiGate unit provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.

FortiGate Unit Components
A FortiGate unit, depending on the model, may include some of the following components:

CPU
Depending on the model of FortiGate device, a 300 MHz to 1.8 GHz Intel processor is included. Some higher-end models may include dual processors.

DRAM
The FortiGate unit can include from 64MB to 1GB of DRAM.

Flash Memory
The FortiGate unit can include from 32MB to 64MB of flash memory to store firmware images on the device.

Hard Drive
Some FortiGate devices include a hard drive that can be used for storing logs, archiving content and quarantines, as well as enabling the WAN optimization mechanisms on certain FortiGate models.

FortiASIC Content Processor
This custom-designed processor augments the capabilities of the unit by offloading some of the intensive processing activities, such as antivirus scanning, from the CPU. The FortiASIC processor includes an engine for antivirus signature scanning, accelerating cryptographic operations, processing firewall policies and accelerating packet traffic for applications such as VoIP and HTTPS.

Network Interface Ports
The FortiGate unit includes a collection of interface connections to connect the device to various networks, such as an internal network, a DMZ network or a WAN network. Some high-end enterprise models may include Small Form-factor Pluggable (SFP) and XFP (a 10Gbps version of SFP) network interfaces.

Serial Console Port
The FortiGate unit includes a serial console port to allow access to a management computer.

USB Port
A USB port is included on the FortiGate device for use with any FAT16 formatted USB drive or an external modem.

Wireless
Some FortiGate devices, such as the FortiWifi 30, 50, 60 and 80C, are WiFi enabled and will enable wireless connections between host computers and the FortiGate unit.

Module Slot Bays
Some high-end models of FortiGate device include slot bays for Advanced Mezzanine Cards (AMC), and in chassis-based systems the FortiGate is a blade card that is installed within a chassis.

PC Card Slot
Some models of FortiGate devices integrate a PC card slot (also called PCMCIA) for additional expansion using a Type II PC card.

FortiGate Unit Front View
Each model of a FortiGate unit may look different. Similar indicators will be available on most FortiGate units. The example device illustrated below is the FortiGate 51B, which is commonly used in classroom configurations.

Power LED: This indicator will display green when the FortiGate unit is powered on.

Status LED: This indicator will flash green when the FortiGate unit is starting up and will be off when the FortiGate unit is running normally, or when the device is shut off.

Alarm: The Alarm indicator will display red when a major error has occurred and will display amber when a minor error has occurred.

WAN1 and WAN2 interface LEDs: There are indicators for each of the wan interfaces on the FortiGate unit. The indicator will display green when the correct cable is in use and the connected equipment has power. This indicator will flash green when there is network activity on the interface and will be off when there is no link established on the interface.

Internal interface LEDs: There are indicators for each internal interface on the FortiGate unit. The indicator will display green when the correct cable is in use and the connected equipment has power. This indicator will flash green when there is network activity on the interface and will be off when there is no link established on the interface.

The modem indicator will be red when the modem is in use and connected.

FortiGate Unit Back View
Each model of FortiGate unit may look different. Similar interface connections will be available on most FortiGate units. The example device illustrated below is the FortiGate 51B, which is commonly used in classroom configurations.

Power: Plug the power adaptor connection here.

Console: This RJ-45 interface connects the FortiGate unit to the management computer using the supplied DB-9 serial cable.

USB: These optional USB connections can be used for a serial modem (serial to USB adapter required), or for USB drives.

WAN1 and WAN2: A straight-through Ethernet cable connects the wan1 interface to the Internet (public switch, router or modem). The wan2 connection offers an optional redundant connection to the Internet.

Internal: Ethernet cables connect the FortiGate unit to computers on an internal network. Internal interfaces are MDI/MDIX auto-sensing; therefore, both straight-through and cross-over cables will work.

FortiGate Operating Modes
A FortiGate unit can operate in two different modes depending on the configuration of the network and the needs of the organization.

NAT/Route Mode
NAT/Route Mode is the default configuration on the FortiGate unit. In NAT/Route Mode, the unit functions as a firewall. All of its interfaces are on different subnets. Each interface that is connected to a network must be configured with a private IP address that is valid for that network. In NAT/Route Mode, each FortiGate unit is visible to the network that it is connected to. Firewall policies control communications through the FortiGate unit. In its default NAT/Route Mode configuration, no traffic can pass through the FortiGate unit until firewall policies are put in place to allow network traffic to pass.

In NAT/Route Mode, firewall policies can operate in NAT Mode or in Route Mode. In NAT Mode, the FortiGate unit performs network address translation before IP packets are sent to the destination network. In Route Mode, no translation takes place. An organization would typically use NAT/Route Mode when the FortiGate unit is deployed as a gateway between private and public networks.

[Figure: NAT/Route Mode topology. Internal, DMZ and WAN1 interfaces on different subnets, connected through the FortiGate unit to an Internet router. NAT mode policies control traffic between internal and external networks; routing policies control traffic between internal networks.]

Transparent Mode
In Transparent Mode, the unit functions as a firewall. All of its interfaces are on the same subnet. In Transparent Mode, the FortiGate unit is invisible to the network. Configure a management IP address so that configuration changes can be made. Connect network segments to the FortiGate unit to allow the device to control traffic between these network segments. In its default Transparent Mode configuration, no traffic can pass through the FortiGate unit until firewall policies are added.

Transparent Mode on the FortiGate unit would typically be used on a private network behind an existing firewall or behind a router. This type of configuration is used when an organization wishes to make use of the features of the FortiGate without altering the IP infrastructure of the network.

[Figure: Transparent Mode topology. The FortiGate unit sits between an internal hub or switch and the router that is the gateway to the public network (WAN1 to the Internet), with all interfaces on the same subnet.]

Device Administration
Administration tasks on the FortiGate unit can be performed from either a graphical user interface (Web Config) or a command line interface (CLI).

Web Config
Web Config can be used to configure most FortiGate settings and to monitor the status of the FortiGate unit using HTTP or a secure HTTPS connection from any computer running a web browser. Web Config consists of a menu and web pages. When a menu item is selected, such as System, it expands to reveal a submenu. When one of the submenu items is selected, the associated page is displayed.

Configuration changes made using Web Config are effective immediately without resetting the firewall or interrupting service. Once satisfied with a configuration, it can be backed up. The saved configuration can be restored at any time.

To connect to the Web Config interface, the following are required:
• A computer with an Ethernet connection
• A display monitor with a resolution of at least 1280x1024
• A supported web browser such as Microsoft Internet Explorer (version 8 or higher) or Firefox (version 3.5 or higher)
• Ethernet cables (since internal interfaces are MDI/MDIX auto-sensing, straight-through or crossover cables will work)

System Dashboard
The system dashboard, displayed under System > Dashboard > Status, uses widgets to display important information about the FortiGate device. A default dashboard displays core widgets. Elements can be moved around on the Status page, or click Widget to remove, replace or add additional items to the dashboard.

Web Config Menu
The left-hand navigation menu displayed in Web Config provides access to configuration options for all major features of the FortiGate unit.

System: Configure system facilities, such as network interfaces, virtual domains, DHCP services, High Availability (HA), system time, and set system options.

Router: Configure FortiGate static and dynamic routing.

Firewall: Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.

UTM: Configure antivirus, web filtering, email filtering, IPS, data leak prevention and application control.

VPN: Configure IPSec, SSL, and PPTP virtual private networking.

User: Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP, and Windows AD.

WAN Opt. & Cache: Configure WAN Optimization rules and caching. This menu item is only available on devices containing an internal hard drive supporting WAN Optimization.

Endpoint: Configure FortiClient settings for endpoints. Configure software application detection on endpoints. Monitor the list of known endpoints.

Log&Report: View log messages and reports. Configure logging and alert email.

Default System Dashboard Widgets

System Information
The System Information widget on the Status tab displays information regarding the FortiGate unit, including firmware versions and operating mode.

License Information
The License Information widget displays the current status of service contracts, versions of antivirus and IPS definitions, available services and more.

CLI Console
The Status tab displays a CLI Console where commands can be entered without leaving Web Config.

Unit Operation
The Unit Operation widget displays which interfaces are currently in use, along with links to reboot, restart, and reset the FortiGate device.

System Resources
The System Resources widget displays the current CPU and memory usage.

Alert Message Console
The Alert Message Console displays important system warnings.

Log and Archive Statistics
The Log and Archive Statistics widget displays summary logging and archive information.

Top Sessions
Top Sessions displays the IP addresses that have the most sessions open on the FortiGate unit.

Add Widgets
Click Widget to display the additional dashboard elements.

Add Dashboards
Click Dashboard to add additional dashboard pages or to rename, delete or reset existing dashboard pages. Once a new dashboard page has been added, widgets can be added to the web page.

Online Help
Online help can be accessed from anywhere in Web Config by clicking the Online Help icon. The Help window that is displayed is context sensitive.


Searching Help
It is also possible to search the Help index by clicking Show Navigation in the Help window and clicking the Contents, Index or Search tabs.

Command Line Interface
The FortiGate Command Line Interface (CLI) can be accessed by connecting a management computer serial port to the FortiGate serial console connector. The CLI supports the same configuration and monitoring functionality as Web Config. In addition, the CLI can be used for advanced configuration options that are not available from Web Config. The CLI Console widget on the dashboard can be used to access the command line interface directly in Web Config. Telnet or a secure SSH connection can also be used to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.

The following is required to use the CLI:
• A computer with an available COM port
• A null modem cable, such as the RJ-45 to DB9 serial cable provided with the FortiGate unit, to connect the FortiGate console port to a communications port on the computer
• Terminal emulation software such as HyperTerminal for Windows or PuTTY

A CLI administrative session can also be accessed remotely using SSH or Telnet.

Logging in to the CLI
The following settings must be configured in the terminal emulation software to connect to the CLI:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

The administrator wishing to make changes to the FortiGate device through the CLI must enter appropriate login credentials, including a user name and password. The default login name on the FortiGate unit is admin with a blank password.

The command line prompt changes to the # character once the administrator has completed a successful login.

CLI Command Structure
The structure of the CLI commands allows an administrator to modify any of the settings within the FortiGate unit from the command line. The command structure includes the following components:
• Commands
• Objects
• Tables
• Sub-commands
• Fields and values

Commands
Commands are at the top level of the CLI command structure and indicate an action that the FortiGate unit should perform on a part of the configuration or a host on the network. Once logged in as an administrator, type ? at the # prompt to view the available commands.

Note: The ? character that is typed is not displayed in the command line.

The FortiGate CLI uses the following commands:

config
Configures CLI objects, such as the firewall, the router, and antivirus protection. For example: config system admin

get
Displays system status information. get can also be used within a config command to display the settings for that command, or use get with a full path to display the settings for a particular object. For example: get hardware status

show
Displays the FortiGate unit configuration. By default, only changes to the default configuration are displayed. Use show full-configuration to display the complete configuration. Use show within a config command to display the configuration of that command. For example: show branch

execute
Runs static commands to reset the FortiGate unit to factory defaults or to back up or restore a FortiGate configuration file. The execute commands are available only from the root level. For example: execute factoryreset

diagnose
Commands in the diagnose branch are used to debug the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information. For example: diagnose branch

exit
Exits the CLI.

Objects
The next level of the FortiGate CLI command structure is based on configurable objects. For each of the commands at the top level, there are objects that can be associated with it. Objects contain tables and/or fields. To view the objects associated with a command, type the command followed by the ? character. In this example, all objects related to the config command are displayed.

The objects vary depending on the command that is entered and include the following:

application: Configures application control.
antivirus: Scans services for viruses and grayware, optionally providing quarantine of infected files.
dlp: Configures Data Leak Prevention (DLP).
endpoint-control: Configures parts of the Endpoint NAC feature.
firewall: Controls connections between interfaces according to policies based on IP addresses and type of service, and applies protection profiles.
gui: Controls preferences for the web-based manager, CLI console, and topology viewer.
imp2p: Controls user access to Internet Messaging and Peer-to-Peer applications.
ips: Configures the Intrusion Prevention System.
log: Configures logging.
netscan: Configures the Endpoint network vulnerability scanner.
report: Configures SQL reports.
router: Moves packets from one network segment to another towards a network destination, based on packet headers.
spamfilter: Filters email based on MIME headers, a banned word list, email and IP addresses.
system: Configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains, and administrators.
user: Authenticates users to use firewall policies or VPNs.
voip: Configures VoIP profiles for firewall policies.
vpn: Provides Virtual Private Network access through the FortiGate unit.
wanopt: Configures FortiGate WAN optimization.
web-proxy: Configures the FortiGate web proxy.
webfilter: Blocks or passes web traffic based on a banned word list, URL filters, and FortiGuard-Web category filtering.

Objects are containers for more specific lower level items that are each in the form of a table. For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. Table entries consist of keywords that can be set to particular values (or parameters). Entries in the table can be added, deleted or edited.

Note: There may be other CLI objects that are model-specific and, therefore, only available on certain FortiGate models.

Tables
The next level of the command structure is the table. The table allows the modification of an object's fields and values. The available tables will be different depending on the object being modified. When entering a table, the command prompt changes to identify the table. In this example, the administrator is editing the FortiGate unit interface table. To exit a table, enter the end command.

Sub-commands
Sub-commands are commands that are available only when nested within the scope of another command and affect fields and their values. In this example, the edit sub-command is entered to modify the port field.

Fields and Values
The final components of the CLI command structure are the fields and values. The parameters are the actual items that are being edited through the CLI. Each table could have a collection of fields, any of which can be modified through the CLI. The fields and values available for modification will be different depending on the table that is being edited. In this example, the vdom called root is being assigned the value of 172.20.110.251 255.255.255.0 in the port1 table.

Once the desired parameters are set, type end to go back to the table level. Alternately, to configure other parameters, type next to display the next parameter. By default, when end or next is entered, the parameters are written to the configuration file. These changes are not lost should a system reboot occur. Modifying the cfg-save parameter can change the behavior so that changes are not automatically saved. If this option is used, all changes must be saved manually before exiting the CLI by entering exe cfg save at the root level.

CLI Basics
There are shortcuts and options available to simplify using CLI commands.

Command Help
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list of the objects available for that command and a description of each.
• Type a command followed by an object and press the question mark (?) key to display a list of branches available for that command/object combination, along with a description of each option.

Command Completion
• Use the tab key or the question mark (?) key to complete commands.
• Type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.
• After completing the first word of a command, press the space bar and then the tab key to scroll through the objects available at the current cursor position.
• Press the tab key at any prompt to scroll through the options available for that prompt.

Recalling Commands
Recall previously entered commands by using the up and down arrow keys to scroll through the commands previously entered.

Editing Commands
Use the left and right arrow keys to move the cursor back and forth in a recalled command. Use the Backspace and Delete keys and the control keys listed below to edit the command.

Key combination: Function
CTRL+A: Beginning of line
CTRL+E: End of line
CTRL+B: Back one character
CTRL+F: Forward one character
CTRL+D: Delete current character
CTRL+P: Previous command
CTRL+N: Next command
CTRL+C: Abort the command
CTRL+C: Exit the CLI if used at the root prompt

Command Abbreviation
Abbreviate commands, objects, and branches to the smallest number of nonambiguous characters. For example, the command get system status can be abbreviated to g sy st.

Line Continuation
To break a long command over multiple lines, use a \ character at the end of each line.

IP Address Formats
Enter an IP address and subnet using either dotted decimal or slash-bit format. For example, type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.

See the FortiGate CLI Reference Guide for more details on using the CLI.
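As an added illustration (not part of the course material and not Fortinet code), the Python below models the command, object, table, sub-command and field hierarchy, the abbreviation rule, the backslash line continuation and the two IP address formats described in the preceding sections: it expands abbreviated commands against a constructed command tree, rejects ambiguous abbreviations, parses a config/edit/set/next/end block, and normalizes a slash-bit address to the dotted-decimal form the configuration file displays. The command tree and the sample configuration are constructed assumptions that reuse the example values from this chapter.

```python
import ipaddress
import re
import shlex

# Constructed subset of the tree the ? key reveals (command -> objects -> branches).
# Keywords come from this chapter; the tree is an illustration, not the real FortiOS grammar.
COMMAND_TREE = {
    "config": {"system": ["interface", "admin", "global"], "spamfilter": ["profile"],
               "firewall": ["policy", "address", "vip", "ippool"], "router": ["static"]},
    "get": {"system": ["status", "interface"], "hardware": ["status"]},
    "show": {"system": ["interface", "admin"], "full-configuration": []},
    "execute": {"factoryreset": [], "cfg": ["save"]},
    "diagnose": {"debug": [], "sys": []}, "exit": {},
}


def expand_word(word, choices):
    """Expand one abbreviated keyword to the unique choice it prefixes ('sy' -> 'system')."""
    if word in choices:
        return word
    matches = sorted(c for c in choices if c.startswith(word))
    if not matches:
        raise ValueError(f"unknown keyword {word!r}")
    if len(matches) > 1:
        raise ValueError(f"ambiguous abbreviation {word!r}: {', '.join(matches)}")
    return matches[0]


def expand_command(line):
    """Expand a command line level by level, e.g. 'g sy st' -> 'get system status'."""
    out, level = [], COMMAND_TREE
    for word in line.split():
        if not level:                       # past the known depth: values are kept verbatim
            out.append(word)
            continue
        full = expand_word(word, list(level))
        out.append(full)
        level = level[full] if isinstance(level, dict) else []
    return " ".join(out)


def normalize_ip(value):
    """Accept 'A.B.C.D M.M.M.M' or 'A.B.C.D/n'; return the dotted-decimal 'address netmask' form."""
    iface = ipaddress.ip_interface("/".join(value.split()))
    return f"{iface.ip} {iface.network.netmask}"


def parse_config(text):
    """Parse config/edit/set/next/end lines into nested dicts; a trailing backslash continues a line."""
    joined = re.sub(r"\\\n\s*", " ", text)
    root = {}
    stack, kinds = [root], []           # stack[-1] is the container being edited; kinds tracks open blocks
    for raw in joined.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)
        keyword, args = parts[0], parts[1:]
        if keyword == "config":         # enter an object/table such as "system interface"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
            kinds.append("config")
        elif keyword == "edit":         # enter (or create) a table entry
            stack.append(stack[-1].setdefault(args[0], {}))
            kinds.append("edit")
        elif keyword == "set":          # assign a field; ip is stored in dotted decimal
            field, values = args[0], args[1:]
            if field == "ip":
                stack[-1][field] = normalize_ip(" ".join(values))
            else:
                stack[-1][field] = values[0] if len(values) == 1 else values
        elif keyword == "next":         # leave the entry, stay in the table
            if not kinds or kinds[-1] != "edit":
                raise ValueError("'next' outside an edit entry")
            stack.pop()
            kinds.pop()
        elif keyword == "end":          # leave an unfinished entry (if any) and the table
            if "config" not in kinds:
                raise ValueError("'end' without an open config block")
            while kinds.pop() != "config":
                stack.pop()
            stack.pop()
        else:
            raise ValueError(f"unsupported keyword {keyword!r}")
    if kinds:
        raise ValueError(f"unterminated {kinds[-1]} block")
    return root


# Constructed sample using this chapter's example values (port1 in the root vdom).
SAMPLE_CONFIG = """config system interface
    edit "port1"
        set vdom "root"
        set ip 172.20.110.251/24
        set allowaccess ping https \\
            ssh
    next
end
"""
```

Running parse_config(SAMPLE_CONFIG) yields port1 with vdom root, the ip normalized to 172.20.110.251 255.255.255.0, and allowaccess as the three values joined across the continued line.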

Administrators
Administrators are responsible for the firewall's configuration and operation. The system's factory default configuration has one administrative account called admin. The admin account has full read/write control of the FortiGate unit's configuration. It can, however, be assigned to additional administrative users. After connecting to Web Config or the CLI, additional administrators can be configured. Once they are added, administrators are given various levels of access to different parts of the FortiGate unit configuration using an admin profile.

Admin Profiles
Admin profiles define the permissions assigned to administrators. Multiple admin profiles can be created and assigned to administrators to restrict them to specific tasks. To view the list of available admin profiles on the FortiGate unit, go to System > Admin > Admin Profile.

The factory default system administrator account called admin uses an admin profile called super_admin. This is a special profile which cannot be viewed or changed. Any administrator assigned to the super_admin profile has full access to the FortiGate unit configuration in all VDOMs, and in addition, they can:
• Enable VDOM configuration
• Create VDOMs
• Configure VDOMs
• Assign regular administrators to VDOMs
• Configure global options

Users assigned to the super_admin profile:
• Can delete other users assigned the super_admin profile and/or change the configured authentication method, password, or admin profile, only if the other users are not logged in.
• Can delete the default admin account only if another user with the super_admin profile is logged in and the default admin user is not.

The default super_admin_read_only profile can be assigned to any administrator and allows them to view all the configuration settings on the FortiGate unit but not make any modifications.

The default prof_admin profile can also be assigned to any administrator and allows the same access as the super_admin profile, but is tied to a specific VDOM. This profile can be edited to remove any permissions that the administrator should not have.

To view or modify any other admin profiles in the list (other than super_admin), select the profile and click Edit or double-click the entry.

New admin profiles can be defined by clicking Create New on the Admin Profile List page. Complete the parameters of the admin profile as needed.

Profile Name      The name assigned to the profile will be used to identify the profile on the New Administrator page.
Access Control    Select None, Read Only or Read-Write for each of the configuration settings listed.

Administrative Users
An identity must be created for each administrative user assigned to the FortiGate unit. The administrator will log into the FortiGate unit with the credentials defined. To view the list of available administrators on the FortiGate unit, go to System > Admin > Administrators. The default admin user will be displayed in the list. The default admin user cannot be renamed. By default, admin has no password; however, the password can and should be modified for the account immediately after initial login to Web Config or CLI. The maximum password length is 32 characters.

To view or modify any administrator in the list (other than admin), select them and click Edit or double-click the entry. To modify the password for any administrator in the list, select them and click Change Password.

New administrators can be defined by clicking Create New on the Administrators List page. Complete the parameters of the administrator as needed.

Administrator     The name assigned to the administrator that will be used to log into the FortiGate unit.
Type              Select the authentication type used by the administrator. Select Regular to authenticate with the Password entered, Remote to authenticate using an entry in an LDAP, RADIUS or TACACS+ server, or PKI to authenticate using a digital certificate.
Password          Enter the password used by the administrator to log in using Regular authentication. The password entered must conform to the rules identified in Admin Settings.
Trusted Hosts     Administrators will only be able to log into FortiGate devices from the hosts identified. Click + to add more Trusted Hosts fields.
Admin Profile     Select the Admin Profile from the list to define the permissions (or rights) assigned to the administrator.

Admin Settings
Settings related to administrator access are defined in System > Admin > Settings.

Web Administration Ports    Define the ports used for administrative access to Web Config.
Password Policy             Define the policy settings to be enforced when administrator passwords are created.
Timeout Settings            Administrators will be forced to reauthenticate after a certain period of inactivity as defined by this value.
Display Settings            Define the language for the interface and the number of entries displayed for administrators. Enable IPv6 Support on GUI to display fields required when using IPv6.

DHCP
The FortiGate unit can operate as a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses to PCs on the network. A range of IP addresses is defined on the FortiGate unit, and these addresses are leased to PCs as needed. The PC must be set to Obtain an IP address automatically to receive the IP address from the FortiGate device.

A DHCP server called internal is available by default on the FortiGate unit. Multiple DHCP servers can be created on the FortiGate unit. To view the list of available DHCP servers on a FortiGate unit, go to System > DHCP Server > Service. To view the parameters of the internal DHCP server, select the server and click Edit or double-click the entry.

The parameters of the internal DHCP server are displayed.

Address Leases
Administrators can view the list of addresses that have been leased to PCs on the network. Go to System > DHCP Server > Address Leases.

Interface Addressing
One of the first tasks in setting up a FortiGate device to operate in the network is to configure the network interfaces. The number of physical interfaces on a FortiGate unit varies per model. On the FortiGate 51B for example, there are five interfaces. The interfaces are named wan1, wan2, internal1, internal2 and internal3.

The FortiGate interfaces can be configured using either Web Config or the CLI command config system interface. A FortiGate interface can be configured with a static IP address or acquire its IP address from a DHCP or PPPoE server. The interfaces on a FortiGate unit can support multiple IP addresses, each with independent administrative access settings, for example, HTTPS, ping, and SSH.

Administrative access is configured per interface and can include the following protocols:
• HTTPS
• PING
• HTTP
• SSH
• SNMP
• Telnet

Manual
In Web Config, configure a manual (or static) IP address on the Interface tab in System > Network. Select Manual as the Addressing mode. The IP address and subnet information are entered in the IP/Netmask field. Note that an IP address can only be assigned on the same subnet as the network to which the interface connects. The same is true for any assigned secondary IP addresses.

DHCP
No configuration information is required on the FortiGate unit for interfaces that are configured to use DHCP. When DHCP is selected, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and optionally the DNS server addresses and default gateway address that the DHCP server provides.

If Retrieve default gateway from server is selected, the gateway (next hop) retrieved by the interface will be set as the default gateway for the FortiGate device. This will override any other configured default gateways.

If Override internal DNS is selected, the DNS servers retrieved by the interface will become the FortiGate device's preferred DNS servers. This will override any DNS entries configured in the system.

PPPoE
If PPPoE is configured for the interface, the FortiGate unit automatically broadcasts a PPPoE request. PPPoE requires a username and password. In addition, PPPoE unnumbered configurations require an IP address in the Unnumbered IP field. If the ISP has assigned a block of IP addresses, use one of them. Otherwise, this IP address can be the same as another interface or it can be any IP address.

DNS
Several FortiGate functions make use of DNS, including alert email and URL blocking. The IP addresses of the DNS servers to which the FortiGate unit connects must be specified. DNS server IP addresses are usually supplied by the ISP.

Configure SOHO-level FortiGate models to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode.

FortiGate SOHO models can provide DNS forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to configured DNS server addresses or ones that the FortiGate unit obtained automatically.

Configuration Backup and Restore
The configuration of the FortiGate device can be saved to a file. The configuration file can then be used to revert the device to the state saved in the file. Go to the System Information widget at System > Dashboard > Status to backup and restore configuration files.

Backups are performed manually by clicking the Backup link in the System Information widget. Indicate the location for the backup, either to the hard drive of the management PC, to a remote FortiManager device or to a USB disk. To protect the contents of the backup, select the option to encrypt the configuration file and enter a password to decrypt the file. If the password used to encrypt the configuration file is forgotten, the configuration file can no longer be used.

To revert the FortiGate device to the configuration saved in the file, click the Restore link in the System Information widget. Locate the configuration file and enter the password if the file was encrypted.

Firmware Upgrades
Firmware upgrades can be applied through Web Config, CLI, or automatically through the FortiGuard Management Service. To upgrade the firmware through Web Config or CLI, the firmware file must be obtained from Fortinet Support.

In Web Config, the firmware file can be applied from the System Information widget in System > Dashboard > Status. Click the Update link and browse to the location of the firmware file obtained from Fortinet. Alternately, apply the update from System > Maintenance > Firmware.

Disk Usage
An administrator can track the capacity of a FortiGate device hard disk through System > Maintenance > Disk.

Lab 1 Initial Setup

Objectives
This lab will guide the student through the basic setup of the FortiGate unit and provide an initial orientation to the CLI and Web Config.

Note: In the classroom lab environment, all addresses used are private addresses as outlined in RFC1918. The wan1 Internet subnet is actually a private address subnet and cannot be used in a real-world situation.

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Connecting the FortiGate unit
• Exercise 2 Accessing the Command Line Interface (CLI)
• Exercise 3 Accessing FortiGate Web Config
• Exercise 4 Configuring Network Connectivity
• Exercise 5 Exploring the CLI
• Exercise 6 Configuring Global System Settings
• Exercise 7 Configuring Administrative Users

Timing
Estimated time to complete this lab: 55 minutes

Exercise 1 Connecting the FortiGate unit
1 Plug the Internet connection into the wan1 port on the FortiGate unit. Verify that the WAN1 LED indicators on the front of the device (Link/Activity and 10/100) are green.
2 Connect the PC's network cable into the internal1 interface of the FortiGate unit and make sure the corresponding INTERNAL LED indicators are green. The FortiGate unit's built-in DHCP server will assign addresses to the devices connected to these ports as required. The factory default subnet assignment of 192.168.1.0/24 will be used.

Note: The internal interface on a FortiGate unit is a multi-port switching hub port with auto-MDX sensing so either a straight or cross-over cable can be used.

Exercise 2 Accessing the Command Line Interface (CLI)
1 When setting up a new FortiGate unit, establishing the connection to the CLI is generally the first step, even if many of the configuration changes are performed in Web Config. Use a serial cable to connect the serial port on the PC to the FortiGate console port that is located on the back of the device. If the PC is not equipped with a serial port, a USB to serial adapter (purchased separately) can be used to connect the PC to the FortiGate device.
2 Start a terminal emulation program on the PC to connect to the FortiGate unit (such as Windows HyperTerminal or TeraTerm). The serial connection settings required are:
• 9600 bps
• 8 bit data
• no parity
• 1 stop bit
• no flow control
3 At the FortiGate CLI login prompt, log in with username of admin (all lowercase). The default password on the device is blank; press <enter>.
4 Reset the FortiGate device to factory defaults by typing the following command:
    exec factoryreset
When asked to continue, type Y, and wait for the reset to complete.
5 Log in to the CLI once again and type the following command to display status information about the FortiGate unit:
    get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings. Confirm that the firmware build on the FortiGate unit is 4.00 MR2, the required version for this course.
6 Type the following command to see a full list of accepted objects for the get command:
    get ?
Note: The ? character is not displayed on the screen. Depending on objects and branches used with this command, there may be other sub-keywords and additional parameters to enter.

7 Press the up arrow key to display the previous get system status command and try some of the control key sequences that are summarized below.

Previous command                  up arrow or CTRL+P
Next command                      down arrow or CTRL+N
Beginning of line                 CTRL+A
End of line                       CTRL+E
Back one word                     CTRL+B
Forward one word                  CTRL+F
Delete current character          CTRL+D
Abort command and exit branch     CTRL+C

CTRL+C is context sensitive and in general, aborts the current command and moves up to the previous command branch level. If already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.

Note: Log back into the CLI if the admin login timeout has elapsed.

8 Type the following command and press the <tab> key 2 or 3 times.
    execute <tab>
The command displays the list of available system utility commands one at a time each time the <tab> key is pressed.
9 Type the following command to see the entire list of execute commands:
    execute ?
10 Enter the following CLI commands and compare the available keywords for each one:
    config ?
    show ?
These two commands are closely related: config begins the configuration mode while show displays the configuration. The only difference is show full-configuration. The default behavior of the show command is to only display the differences from the factory-default configuration.

11 Enter the following CLI commands to display the FortiGate unit's internal interface configuration settings and compare the output for each of them:
    show system interface internal
    show full-configuration system interface internal
Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to scroll one line at a time. Press <q> to exit.
12 Enter the CLI command below to display the factory set IP address of the FortiGate's internal interface. Only the characters shown in bold type face need to be typed, optionally followed by <tab>, to complete the command key word. CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword. Use this technique to reduce the number of keystrokes to enter information.
    show system interface internal
The internal interface's IP address is 192.168.1.99. This address will be used later for HTTP administrative access to the FortiGate device.

Exercise 3 Accessing FortiGate Web Config
To access Web Config using a standard Web browser, ensure that cookies and Javascript are enabled for proper rendering and display of the graphical user interface. HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available protocols include SSH, HTTP, ping, SNMP, and Telnet.

Caution: If using a personal laptop or PC for the following exercise, make sure to record the original PC network settings before proceeding.

1 Ensure that the IP addressing mode on the PC is set to DHCP (Obtain an IP address automatically). The FortiGate device will assign the PC an address in the range of 192.168.1.110 to 192.168.1.210.
2 Verify the PC settings using the ipconfig command from the Windows command prompt. The default gateway corresponds to the IP address of the internal interface on the FortiGate unit (192.168.1.99).
3 Open a web browser and type the following address to access the FortiGate Web Config interface.
    https://192.168.1.99
Accept the self-signed certificate or security exemption if a security alert appears.
4 At the login screen, enter the username of admin and leave the password blank. Click Login.
5 The Dashboard is displayed after a successful login. Before continuing with the rest of the initial configuration, explore the Dashboard page and find the following information:

• Current Firmware Version
• Date and Time
• Serial Number
• Operation Mode
Other system details found on the Dashboard include the current CPU and memory usage, number of active sessions, number of administrative users, alert messages, and FortiGuard Services status.
6 To avoid Web Config timeouts during the lab exercises, increase the idle timeout. Go to System > Admin > Settings. Increase the Idle Timeout to 60 minutes. Leave all other settings unchanged. Click Apply to save the changes.
7 Before proceeding to the next exercise, ensure that the FortiGate unit is running the correct version of FortiOS firmware (FortiOS version 4.0 MR2).
Note: If the unit is not running the correct version, click Update for Firmware version on the Dashboard and browse to the firmware file available from the Fortinet Support site with a valid service contract.

Exercise 4 Configuring Network Connectivity
The FortiGate unit's wan1 interface settings must be configured using one of the following addressing modes: DHCP, Manual (Static IP), or PPPoE. Complete the steps for the configuration that applies to the Internet setup on the computer being used to complete the exercise.
• If the network setup supports DHCP, complete the section Configuring the wan1 Interface Using DHCP.
• If using static IP addresses, complete the section Configuring the wan1 Interface Using Manual Assignments.
• If using PPPoE, complete the section Configuring the wan1 Interface Using PPPoE.

Configuring the wan1 Interface Using DHCP
If the Internet setup (ISP or other) being used on the student computer uses DHCP, complete the steps below for the wan1 network configuration.
1 In Web Config, go to the System > Network > Interface tab. Select the wan1 interface and click Edit. On the Edit Interface page, configure the following settings:
    Addressing mode                        DHCP
    Distance                               5
    Retrieve default gateway from server   Enable
    Administrative access                  HTTPS
Click OK.
2 Wait a few seconds for the wan1 interface to acquire an address from the ISP's DHCP server before continuing.
3 After a few seconds, the acquired DHCP address assignment will be displayed in the IP/Netmask column on the Interface page. Continue at step 4.

Note: Configuration changes get saved to the non-volatile flash memory when clicking OK in Web Config or when next or end is entered on the CLI. No explicit save command is required. For CLI configuration only, this behavior can be changed to require an explicit save or to revert after a set period if an explicit save is not performed:
    config system global
        set cfg-save <automatic/manual/revert>
        set cfg-revert-timeout <600>   (in seconds, only when cfg-save is revert)

Configuring the wan1 Interface Using Manual Assignments
If the Internet setup on the student PC uses manual IP assignments, perform the steps below to configure the wan1 interface.
1 In Web Config, go to System > Network > Interface. Select the wan1 interface and click Edit. On the Edit Interface page, configure the following settings:
    Addressing mode          Manual
    IP/Netmask               Enter the IP address and netmask (as provided by a network administrator). For example: 192.168.20.20/255.255.255.0
    Administrative access    HTTPS
Click OK.
2 Click the Options tab to open Networking Options. In the Primary DNS Server field, enter the IP address of the DNS server given by the network administrator. If a second DNS server is available, enter its IP address in the Secondary DNS Server field. Click Apply.

3 Go to Router > Static > Static Route and click Create New to define a new static route entry for the default gateway. In the New Static Route window, leave the Destination/IP Mask settings at the default setting 0.0.0.0/0.0.0.0. Select the wan1 device from the list and enter the IP address for Gateway as the default gateway device as provided by a network administrator. Leave the distance to the default of 10. Click OK. Continue at step 4.

Configuring the wan1 Interface Using PPPoE
If the Internet setup on the student PC uses PPPoE, perform the steps below to configure the wan1 interface.
1 In Web Config, go to System > Network > Interface. Select the wan1 interface and click Edit. On the Edit Interface page, configure the following settings:
    Addressing mode                        PPPoE
    Username                               Enter the username provided by the ISP.
    Password                               Enter the password provided by the ISP.
    Retrieve default gateway from server   Enable only if the ISP supports this option
    Override internal DNS                  Enable only if the ISP supports this option
    Administrative access                  HTTPS
Click OK.
2 Go to System > Network > Options. In the Primary DNS Server field, enter the IP address of the DNS Server as provided by a network administrator. If a second DNS server is available, enter its IP address in the Secondary DNS Server field. Leave the Dead Gateway Detection values at their default. Click Apply.
3 Go to the Router > Static > Static Route tab to configure a new static route entry for the default gateway. In the New Static Route window, leave the Destination/IP Mask settings at the default setting 0.0.0.0/0.0.0.0. Select the wan1 device from the list and enter the IP address for Gateway as the default gateway device as provided by a network administrator. Leave the distance to the default of 10. Click OK. Continue at step 4.

All users, irrespective of the type of addressing used (DHCP, Manual, or PPPoE), should continue with the following steps.
4 From the CLI, type the following commands to view the interface settings for wan1:
    config system interface
    edit wan1
    get
    end
In the displayed output, note the same DHCP parameters that were viewed for the wan1 interface in the previous step.
Note: Depending on how long it has been since the last command has been entered in the CLI, another login may be required.
5 In a DOS command prompt window use the nslookup command to verify the IP address of a web site. For example:
    nslookup www.fortinet.com
6 Ping the IP address displayed through the command above using the following command in the CLI:
    exec ping <IP_address_of_web_site>
7 To secure the wan2 interface from accidental usage, remove the IP address and administratively disable this port. The IP address can only be unset from the CLI. In the CLI, enter the following commands to disable and clear the IP address of the wan2 interface:
    config system interface
    edit wan2
    set status down
    end
8 In Web Config, go to System > Network > Interface. Note that the interface list will now display wan2 with an IP/Netmask of 0.0.0.0/0.0.0.0 and a disabled status icon (red dot). A display refresh may be needed to see the new status information.
9 The FortiGate unit runs a DHCP server configured for the internal interface. To view the configuration of the built-in DHCP server go to System > DHCP Server > Service. Select the internal DHCP server and click Edit or double-click the entry to view the settings for the pre-defined DHCP server. Click Cancel to exit.
10 To view the DHCP address leases, go to System > DHCP Server > Address Leases and locate the entry for the PC in the displayed list. As new PCs are connected to the trusted internal subnet, a list of all the DHCP address leases that have been assigned will be displayed.
Note: The DHCP leases are preserved even when the FortiGate unit is re-booted. To clear all DHCP leases, disable and then re-enable the specific DHCP server.

Exercise 5 Exploring the CLI
1 To view the configuration of the FortiGate interfaces through the CLI, type the following command:
    show system interface
2 To see verbose settings, type the following command:
    show full-configuration
3 To view additional parameters for all interfaces, type the following command:
    get system interface
Compare the get command output with the output from the show command. The information from each is similar: get displays all settings and values, while show gives the syntax for the configuration.
4 The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain level or context. To demonstrate the hierarchy, modify the wan1 interface to add additional administrative access to assist with troubleshooting during initial deployment. To add SSH access on the wan1 interface, type the following CLI commands:
    config system interface
    edit wan1
    set allowaccess https ping ssh
    next
    end
Note: The set command is not additive. The existing parameters must be re-entered along with the new parameter being added.
5 Verify the changes by typing the following command:
    show system interface wan1
6 Display the configuration of the DHCP server that provides IP addresses to the PCs connected to the internal interface with the following commands:
    show system dhcp server
or
    show full system dhcp server
    get system dhcp server
7 To inspect the DHCP leases in the CLI for the addresses distributed by the internal interface DHCP server, type the following command:
    exec dhcp lease-list
Other available DHCP CLI commands are listed below. Please do not run these commands at this time.
DHCP leases can be cleared with the following command:
    exec dhcp lease-clear
DHCP leases can be refreshed with the following command:
    exec interface dhcpclient-renew <interface name>
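Two behaviours in this exercise and in Exercise 2 step 10 are easy to misread from the CLI alone: show prints only the attributes that differ from the factory defaults, and set replaces an attribute's entire value list rather than appending to it. The following Python script is an added example written for this guide, not Fortinet code and not the FortiGate's real configuration parser; the factory-default text it parses is constructed for the example, with only the wan1/wan2 names and the allowaccess and status settings taken from the lab. It models a config/edit/set/next/end block as nested dictionaries, replays the lab's two changes, and renders what show would print afterwards.

```python
"""Model FortiOS-style CLI configuration blocks as nested dicts.

Added example, not Fortinet code. FACTORY_DEFAULT below is a constructed
stand-in for a real unit's default configuration.
"""
import shlex


def parse_config(text):
    """Parse config/edit/set/unset/next/end lines into nested dicts.

    A `config` table maps entry names (from `edit`) to attribute dicts;
    each `set key v1 v2 ...` stores the list [v1, v2, ...] under key.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if cmd in ("config", "edit"):
            child = cur.setdefault(" ".join(args), {})
            stack.append(child)
        elif cmd == "set":
            cur[args[0]] = args[1:]          # the whole value list is replaced
        elif cmd == "unset":
            cur.pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError("unknown CLI keyword: " + cmd)
    return root


def apply_set(entry, key, *values):
    """The CLI `set` keyword: new values replace, never merge with, old ones."""
    entry[key] = list(values)
    return entry[key]


def diff_from_defaults(running, defaults):
    """What `show` prints: only attributes that differ from the full config."""
    out = {}
    for name, value in running.items():
        if isinstance(value, dict):
            sub = diff_from_defaults(value, defaults.get(name, {}))
            if sub:
                out[name] = sub
        elif defaults.get(name) != value:
            out[name] = value
    return out


def render(tree, depth=0):
    """Emit nested dicts back in CLI syntax (config/edit alternate by depth)."""
    pad, lines = "    " * depth, []
    for name, value in tree.items():
        if isinstance(value, dict):
            opener, closer = ("config", "end") if depth % 2 == 0 else ("edit", "next")
            lines.append(f"{pad}{opener} {name}")
            lines.extend(render(value, depth + 1))
            lines.append(f"{pad}{closer}")
        else:
            lines.append(f"{pad}set {name} {' '.join(value)}")
    return lines


# Constructed factory-default fragment (assumption: both WAN ports default to
# DHCP mode with HTTPS and ping access).
FACTORY_DEFAULT = """
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess https ping
        set status up
    next
    edit "wan2"
        set mode dhcp
        set allowaccess https ping
        set status up
    next
end
"""


def lab_changes():
    """Replay Exercise 4 step 7 and Exercise 5 step 4; return the `show` view."""
    running = parse_config(FACTORY_DEFAULT)
    apply_set(running["system interface"]["wan1"], "allowaccess", "https", "ping", "ssh")
    apply_set(running["system interface"]["wan2"], "status", "down")
    return diff_from_defaults(running, parse_config(FACTORY_DEFAULT))


def forgotten_reentry():
    """The mistake the note warns about: `set allowaccess ssh` alone drops https and ping."""
    running = parse_config(FACTORY_DEFAULT)
    return apply_set(running["system interface"]["wan1"], "allowaccess", "ssh")


if __name__ == "__main__":
    print("\n".join(render(lab_changes())))
    print("after `set allowaccess ssh` only:", forgotten_reentry())
```

Running the script prints only the two changed attributes in config/edit/set form, which is exactly why show output is short on a fresh unit, while forgotten_reentry() returns ['ssh'] to show how a non-additive set silently removes HTTPS access from the interface.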

Exercise 6 Configuring Global System Settings
1 In Web Config, go to System > Network > Options. Modify the following DNS Settings:
    Primary DNS Server
    Secondary DNS Server
Click Apply.
Note: For FortiGate 200A models and higher, the Primary DNS and Secondary DNS servers can only be configured manually. The factory defaults are set to Fortinet-maintained DNS forwarders 208.91.112.53 and 208.91.112.52 respectively.
2 Compare the output for the following DNS CLI commands:
    show system dns
    get system dns
The output should correspond to the changes made in Step 1.
3 For logging purposes, as well as to optimize FortiGuard updates, the FortiGate unit should be set to the correct time zone and NTP server synchronization should be enabled. Go to System > Dashboard > Status. In the System Information widget, click the [Change] link for System Time. Select the appropriate Time Zone. Enable Automatically adjust clock for daylight savings changes if required in the local area. Enable Synchronize with NTP Server. By default, pool.ntp.org will be used; leave it as the default server address, or a local NTP server can be used if available. Click OK.
4 Display the current system time from the CLI by typing the following command:
    execute time
Type exec time ? to view the syntax to set the system time manually.
5 Verify that the date setting is correct by typing the following CLI command:
    exec date
6 In the System Information widget, click the [Change] link for Host Name and change the hostname of the FortiGate unit to UserX. (In a classroom environment, assign to X the student number as dictated by the instructor. In a self-paced environment, assign to X a random value. For example, User2.) Click OK. The new hostname will appear in the browser title bar at the next login or when the page is refreshed.
7 View the CLI equivalent commands for all the system settings configured in the above steps by typing the following command:
    show system global

Exercise 7 Configuring Administrative Users
1 Go to System > Admin > Administrators to view the list of current administrators. Click to select the default admin administrator and click Edit or double-click the entry in the list. The factory default Trusted Host setting of 0.0.0.0/0 allows connections from any host address. Click Cancel to close the Edit Administrator page.
2 Click to select the default admin administrator and click Change Password. The factory default password for the admin account is empty; set the password to fortinet. To save the changes, click OK.
3 Log back into Web Config using the new admin password.
4 To enhance administrative security, create a new administrator account that will be used for day-to-day administration of the FortiGate device and restrict the source IP connection with Trusted Hosts. Go to System > Admin > Administrators. Click Create New to assign a new administrator with the following settings:
    Administrator     admin1
    Type              Regular
    Password          fortinet
    Trusted Host #1   192.168.1.0/24
    Admin Profile     super_admin
Click OK to save the changes.
Note: Ping requests to this device are also restricted by the trusted host setting of the administrator account.

5 Go to System > Admin > Admin Profile. Click Create New to define a new admin profile called content-control as in the New Admin Profile window illustrated below. Limiting access only to the areas affecting content inspection helps to eliminate accidental errors that could adversely affect connectivity. Click OK.

6 Go to System > Admin > Administrators and create a new administrative account that uses the new content-control admin profile. Configure the new administrator account using the following settings:
Administrator: cadmin
Type: Regular
Password: 123456
Trusted Host #1: 192.168.1.0/24
Admin Profile: content-control
Click OK.

7 To view the CLI configuration for administrative users and profiles, type the following commands:
show system admin
show system accprofile

8 Test the new administrative access login by logging out of the current Web Config session and logging in again as the new cadmin user. Try to access areas set to read only, for example, go to System > Network > Interface. The data will be able to be viewed but not edited. The Trusted Host setting configured for admin1 and cadmin will only allow access to PCs connected to the internal 192.168.1.0/24 subnet, even if the correct password is entered.
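The two controls exercised above, the Trusted Host source check and the read-only admin profile, can be modelled as a small access check. The following Python is an added illustration, not FortiGate code: the administrator table mirrors the accounts created in this exercise, while the per-area permissions of the content-control profile (utm, log, network, firewall) are assumptions chosen for the example.

```python
import hmac
import ipaddress

# Constructed administrator table mirroring the accounts created in Exercise 7
# (illustration only; this is not how the FortiGate stores its configuration).
ADMINS = {
    "admin":  {"password": "fortinet", "trusted_hosts": ["0.0.0.0/0"],     "profile": "super_admin"},
    "admin1": {"password": "fortinet", "trusted_hosts": ["192.168.1.0/24"], "profile": "super_admin"},
    "cadmin": {"password": "123456",   "trusted_hosts": ["192.168.1.0/24"], "profile": "content-control"},
}

# Hypothetical access level per Web Config area: "rw" (read-write), "ro" (read-only), "none".
# The exercise only states that content-control is read-only outside content inspection;
# the area names and exact levels below are assumptions for the example.
PROFILES = {
    "super_admin":     {"*": "rw"},
    "content-control": {"utm": "rw", "log": "ro", "network": "ro", "firewall": "none"},
}


def source_is_trusted(admin_name, src_ip):
    """A login (or a ping, per the note above) is accepted only from a trusted host network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in ADMINS[admin_name]["trusted_hosts"])


def login(admin_name, password, src_ip):
    """Trusted hosts are evaluated before the password, so an untrusted source is refused
    even when the credentials are correct, which is what step 8 demonstrates."""
    account = ADMINS.get(admin_name)
    if account is None or not source_is_trusted(admin_name, src_ip):
        return "denied: untrusted host"
    if not hmac.compare_digest(account["password"], password):
        return "denied: bad password"
    return "ok"


def can(admin_name, area, action):
    """action is 'read' or 'write'; a read-only area can be viewed but not edited."""
    perms = PROFILES[ADMINS[admin_name]["profile"]]
    level = perms.get(area, perms.get("*", "none"))
    if action == "read":
        return level in ("ro", "rw")
    return level == "rw"
```

The 0.0.0.0/0 entry left on the built-in admin account is the reason step 1 of the exercise points it out: with that trusted host, only the password stands between any source address and full administrative access.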

LESSON 2 Logging and Alerts


Lesson 2 Logging and Alerts

Logging is a key element of maintaining a FortiGate unit in a network. Logging allows an administrator to track down and pinpoint problems efficiently by monitoring the many facets of network and Internet traffic. In addition to being able to identify problems, logging lets an administrator monitor normal events, such as allowed traffic, typical traffic patterns (regular protocols that pass through the network), and traffic volume, as well as establish network behavior baselines. This type of network information can tell an administrator at a glance whether or not the FortiGate device is functioning correctly and can help identify any configuration changes that are necessary for optimal operation.

Logging Levels
All log messages have severity or priority levels. In the following example of a log message, the priority level is notification, which in this example indicates that the admin user has added a new firewall policy. This indicates the occurrence of a normal event.

2007-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"

The administrator should define at what severity level the FortiGate unit will record logs when the logging location is configured. The minimum logging level is selected from the drop-down list for each enabled log type. All messages at and above the minimum log level selected will be logged. For example, if the Error level is selected, the unit logs Error, Critical, Alert, and Emergency level messages.

Emergency
Event logs, specifically administrative events, can generate an emergency severity level. This level indicates the system has become unstable.

Alert
Attack logs are the only logs that generate an alert severity level. This level indicates that immediate action is required.

Critical
This level is generated by event, antivirus, and spam filter logs and indicates that functionality is affected.

Error
This level is generated by event and spam filter logs and indicates that an error condition exists and functionality could be affected.

Warning
This level is generated by event and antivirus logs and indicates that functionality could be affected.

Notification
This level is generated by traffic and web filter logs and indicates information about normal events.

Information
This level is generated by content archive, event, and spam filter logs and indicates general information about system operations.

Debug
This level is primarily used as a technical or customer support function on an as-directed basis only.
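To make the level ordering concrete, the following Python parses FortiGate log lines in the key=value format shown above and applies the minimum-log-level rule. It is an added example, not part of the course material or of FortiOS: the first sample line is the one printed above, the other three are constructed (their log_id values are placeholders), and the numeric ranks are only the order the lesson lists the eight levels in, not FortiOS codes.

```python
import re

# The eight FortiGate levels from most to least severe. The rank numbers are constructed
# for ordering only; they are not the numeric codes FortiOS uses internally.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "information", "debug"]
RANK = {name: index for index, name in enumerate(SEVERITY)}

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample log lines. The first is the example from the lesson, the rest are constructed.
SAMPLE_LOGS = [
    '2007-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root '
    'user=admin ui=GUI(192.168.96.1) seq=3 '
    'msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2007-01-11 14:24:02 log_id=0000000000 type=event subtype=system pri=critical vd=root '
    'msg="constructed sample: functionality affected"',
    '2007-01-11 14:24:10 log_id=0000000000 type=event subtype=system pri=error vd=root '
    'msg="constructed sample: error condition exists"',
    '2007-01-11 14:24:15 log_id=0000000000 type=traffic subtype=allowed pri=information vd=root '
    'msg="constructed sample: general information"',
]


def parse_log(line):
    """Parse one log line into a dict. The leading date and time carry no key."""
    date, time, rest = line.split(" ", 2)
    fields = {"date": date, "time": time}
    for key, value in FIELD_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def passes_min_level(entry, minimum):
    """True when the entry's pri is at or above the configured minimum log level."""
    return RANK[entry["pri"]] <= RANK[minimum]


def filter_logs(lines, minimum):
    """Keep only the lines a destination with this minimum log level would record."""
    return [entry for entry in map(parse_log, lines) if passes_min_level(entry, minimum)]
```

With the minimum set to error, only the critical and error samples survive; setting it to debug records everything, which is the trade-off the Minimum log level list exposes for each destination.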

Log Storage
FortiGate logs can be stored in various locations depending on the type and frequency of the logs to save. FortiGate logs can be stored in the following locations:
• System memory
• Local hard disk
• Syslog
• FortiGuard Analysis Service
• FortiAnalyzer appliance

Local Logging
Local logs are stored and viewed on the FortiGate device. Local logs are displayed under Log&Report > Log Access. Select the log type to be viewed. Local logs can also be read from the CLI using the execute log display command if a log filter has been defined.

Memory
When logging to memory is enabled, recent log entries are stored for most log types except for Traffic and Content, mainly due to their frequency and large file size. When the system has reached its capacity for log messages, the FortiGate unit overwrites the oldest messages. Memory is volatile, that is, if the FortiGate unit is reset or loses power, log entries captured to memory will be lost. Memory logs can be backed up to an FTP server using the execute backup command. The logging level required can be selected from the Minimum log level list. IPS Packet Archives can be enabled for memory logs.

Disk
If the FortiGate unit includes a hard disk, logging to that disk can be enabled. All log types are supported when logging to hard disk except for Content logs. SQL Logging is enabled by selecting the log type from the list. The logging level required can be selected from the Minimum log level list. Log rolling settings can identify when information will be written to a new log file, either when a maximum size is reached or at a scheduled time. The administrator should specify how the FortiGate unit handles new logs when the hard disk becomes full. In this case, the older logs can be overwritten, or the device can stop logging information altogether. IPS Packet Archives can be enabled for memory logs.

DLP Archive can be enabled when logging to the hard disk. Content archiving provides a method of simultaneously logging and archiving copies of content transmitted over the network, such as email and web pages. Content logs include information such as the senders, recipients, and the content of messages and files. If full content archiving is enabled, FortiGate units can also archive a copy of the associated file or message with the content log message. The archiving of information is triggered by Data Leak Prevention sensors. If the DLP sensor is configured to archive data when triggered and DLP Archive is enabled on the FortiGate, information will be archived to the local hard disk on the FortiGate unit.

Remote Logging
Remote logs include information forwarded from the FortiGate unit to an external storage mechanism.

Syslog
A Syslog server is a remote computer running software used to collect log messages forwarded over an IP network. Administrators commonly use Syslog servers for logging purposes because computers on a variety of operating systems can run Syslog software, including Linux, Unix, and Windows systems. The IP address or FQDN of the Syslog server must be identified where the information is to be forwarded. Usually, communication with the Syslog server takes place on port 514 but any port number can be used. The logging level required can be selected from the Minimum log level list. The Facility value is used as a way of determining which process of the computer created the message and can be used to distinguish between different classes of syslog messages. On the FortiGate unit, the Facility can be used to identify the source of the log message. The FortiGate reports the Facility at a default value of local7, but any value can be selected from the list. When logging to a Syslog server there are two different log file formats available, either Comma Separated Values (CSV) or normal. The CSV format contains commas, whereas the normal format contains spaces.
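The facility and severity described above are what a syslog receiver reads out of the PRI header of each datagram: PRI = facility code x 8 + severity code, with local7 being code 23. The following Python is an added example (not FortiOS code) that builds such a datagram from a parsed FortiGate log record in either the normal or the CSV layout. Two assumptions are made: FortiGate's notification and information levels are mapped to the syslog notice (5) and informational (6) codes, and the CSV and normal layouts are simplified renderings of the key=value pairs rather than the exact byte layout FortiOS writes. The sample record is the log message from the Logging Levels section.

```python
import socket

# Syslog facility codes (RFC 3164 numbering). FortiGate's default facility is local7 (23).
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6, "news": 7,
    "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# FortiGate pri names on the syslog severity scale. Assumption: "notification" is syslog
# notice (5) and "information" is informational (6); the other names match directly.
SEVERITY_CODES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                  "warning": 4, "notification": 5, "information": 6, "debug": 7}

# The lesson's sample log message as parsed fields (dict order is the field order).
SAMPLE_FIELDS = {
    "date": "2007-01-11", "time": "14:23:37", "log_id": "0104032126", "type": "event",
    "subtype": "admin", "pri": "notification", "vd": "root", "user": "admin",
    "ui": "GUI(192.168.96.1)", "seq": "3",
    "msg": "User admin added new firewall policy 3 from GUI(192.168.96.1)",
}


def encode_pri(facility, severity):
    """PRI value carried in the <N> header: facility * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    """Recover (facility name, severity name) from a PRI value, as a receiver would."""
    facility_code, severity_code = divmod(pri, 8)
    facility = next(name for name, code in FACILITY_CODES.items() if code == facility_code)
    severity = next(name for name, code in SEVERITY_CODES.items() if code == severity_code)
    return facility, severity


def format_fields(fields, csv=False):
    """Render key=value pairs space separated (normal) or comma separated (CSV).
    Simplified layout: values containing spaces are double-quoted in normal format; in
    CSV any value containing a comma, space or quote is quoted with doubled inner quotes."""
    parts = []
    for key, value in fields.items():
        if csv:
            if any(ch in value for ch in ', "'):
                value = '"' + value.replace('"', '""') + '"'
        elif " " in value:
            value = f'"{value}"'
        parts.append(f"{key}={value}")
    return ",".join(parts) if csv else " ".join(parts)


def build_syslog_datagram(fields, facility="local7", csv=False):
    """Prefix the record with its PRI header; ready to send as one UDP datagram."""
    pri = encode_pri(facility, fields["pri"])
    return f"<{pri}>{format_fields(fields, csv)}".encode("utf-8")


def send_datagram(datagram, server, port=514):
    """Send one datagram to a syslog server (UDP, port 514 by default, as in the text)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (server, port))
```

A receiver that splits incoming PRI values with divmod(pri, 8) can route FortiGate records by facility, which is why changing the facility from local7 matters when several devices share one collector: it is the only field in the header that says which source the line belongs to.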

FortiGuard Analysis Service
FortiGuard Analysis Service is a subscription-based service that provides a web-based logging and reporting solution. An active license for this service must be available for the service to be enabled.


FortiAnalyzer
A FortiGate unit can be configured to send log messages to a FortiAnalyzer device on the local network or over the Internet. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools, and data storage. The IP Address of the FortiAnalyzer device must be identified. Click Test Connectivity to ensure that a connection to the FortiAnalyzer device is available. To conserve bandwidth over the network, FortiGate units equipped with a hard drive can buffer log information locally and upload to the FortiAnalyzer device at a scheduled time. Enable Buffer to hard disk and upload and set the time for the transfer. IPS Packet Archives can be enabled for FortiAnalyzer logs. The administrator should specify how the FortiGate unit handles new logs when the hard disk on the FortiAnalyzer becomes full. In this case, the older logs can be overwritten, or the device can stop logging information altogether.

Further details regarding logging to a FortiAnalyzer device are provided in the Logging to a FortiAnalyzer Device section of this lesson.



Log Types
A FortiGate system can log a wide range of system activity including overall network traffic, attack incidents, and general system events.

Event Log
The Event Log records management and activity events including configuration changes, admin logins, or high availability and VPN events.

Traffic Log
The Traffic log records any traffic between a source and destination interface. These interfaces must be correctly classified in the FortiAnalyzer device so that it can identify if the session is incoming or outgoing, internal or external. Traffic logs are only generated when the session table entry expires. This is because the log message also includes the amount of data sent and received. This is not the case for violation traffic as no session entry is created and a log message is generated immediately indicating 0 bytes were transmitted and received.
Note: Any denied traffic on a FortiGate device is implicit and not logged. Therefore, to log violation traffic, a deny and log rule is required. Also, in order to log connections to closed ports, set the global variable set loglocaldeny enable.

Attack Log
The Attack log records attacks that are detected and prevented by the FortiGate unit. The FortiGate unit will log attack signatures and attack anomalies. Packet logging can also be enabled through the IPS settings (CLI or Web Config). This feature provides administrators with the ability to analyze packets for forensics and false positive detection.

AntiVirus Log
The Antivirus log records virus incidents within the proxies. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.

Web Filter Log
The Web Filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs. The logs contain the URLs and optionally the user name who requested the resource if user authentication is enabled.

Email Filter Log
The Email Filter log records detected spam and blocks email address patterns and content in SMTP, IMAP, and POP3 traffic.


DLP Log
The Data Leak Prevention log records data that matches pre-defined sensitive patterns as it passes through the FortiGate unit. The data patterns can also be blocked.

Application Control Log
Application Control logs include any activities triggered by the application control features on the FortiGate device.

Network Scan Log
Network Scan logs include the information gathered by running a vulnerability assessment against client computers on the network.


Generating Logs
Depending on the information required to record, logging can be enabled in various locations in Web Config including:
• UTM profiles and sensors
• Event log
• Firewall policy

UTM Profiles and Sensors
Threat management logging is enabled within UTM profiles for antivirus, web filtering, email filtering, and VoIP filtering and in sensors for IPS and DLP.


Event Log
FortiGate unit events to be logged are enabled from the Event Log list.

If the CLI is used to disable certain event logs for a destination, the Event Log option display check boxes are greyed out.


Firewall Policy
Traffic logging can be enabled for individual firewall policies. Logging traffic per firewall policy is more granular and better suited for troubleshooting.

When traffic logging is enabled on a majority of firewall policies, consideration must be made for the CPU and network utilization of the logging operation. Local hard disk traffic logging on heavily used systems can be CPU intensive and should be avoided whenever possible. Remote devices such as FortiAnalyzer units or SysLog should be used instead.


Viewing Log Files
Log Access displays options for viewing log files stored locally in memory or on the hard disk. A Log Access display window is available for each log type available and provides options for viewing log messages, such as search and filtering options, including selecting the log type to view. The columns that appear in Log Access reflect the content found in the log file. The bottom portion of the Log Access page includes navigational features to help move through the log messages and locate specific information, for example, going to the next page, previous page, last, or first page. A number can also be entered to jump ahead to a particular page of log messages, for example, entering the number 5 displays the fifth page.


Log Display Formats
Log messages can be viewed in Formatted view or Raw view.

Formatted View
Formatted View presents logs information in a columnar format. Column Settings allows the log information columns that are displayed to be added or removed (for example, Date, Time, Source etc.). Filters allow only the log messages that fit a specified filter criteria to be viewed. For example, to view all log messages for a specific date range, the Date filter can be used.

Select the log type from the Log&Report > Log Access menu including:
• Application Control
• DLP
• Email Filter
• Attack
• Web Filter
• Antivirus
• Event
• Traffic
• Network Scan


Columns can be added or removed from the log display by clicking Column Settings.

Select the fields to be displayed from the Available fields list and click to move the field to the Show list. Click Move Up and Move Down to change the order of the fields in the list. Fields will be displayed in Formatted View in the order they are shown in the list. To remove a field from the columns displayed, select it in the Show list and click to move it back to the Available fields list. In addition, filters can be used to display only the log messages that fit a specified filter criteria. For example, to view all log messages for a specific date range, use the Date filter. Click Filter to edit the filters for the column.


Raw View
When log messages display in raw view, the log message displays as it is saved in the log file.


Logging to a FortiAnalyzer Device
A FortiGate device can be configured to send log messages to a FortiAnalyzer unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools, and data storage. Logging to the FortiAnalyzer unit is enabled in the FortiGate device by either specifying the FortiAnalyzer device’s IP address or enabling Automatic Discovery. FortiGate units running FortiOS version 3.0 or greater use the Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate administrator selects Automatic Discovery, the FortiGate unit uses HELO packets to locate FortiAnalyzer units on the network within the same subnet. If FDP has been enabled for its interface to that subnet, the FortiAnalyzer unit will respond. Once the FortiGate unit discovers a FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer and begins sending log data. Depending on its configuration, the FortiAnalyzer unit may then automatically register the device and save its data, add the device but ignore its data, or ignore the device entirely. The connection status of the FortiAnalyzer device will be identified in the FortiAnalyzer Connection Summary window.

The Syslog protocol (UDP port 514) is used by default by the FortiGate unit to transport log messages to the FortiAnalyzer unit. TCP port 514 (OFTP) is used to transfer the content archive and to remotely view the log files and reports. If logging data is traversing a public network, an IPSec tunnel can be used to secure the communication between the FortiGate and the FortiAnalyzer devices. The FortiGate unit can send all log message types, as well as quarantine files, to a FortiAnalyzer unit for storage. Log files stored on a FortiAnalyzer unit can also be uploaded to an FTP server for archival purposes. The transfer of log data between the FortiGate unit and the FortiAnalyzer can be secured using IPSec.


FortiAnalyzer Device List
The device list displays devices allowed to connect to the FortiAnalyzer unit and their connection permissions. It may also display unregistered devices attempting to connect. Connection attempts occur when a device sends traffic to the FortiAnalyzer unit before it has been added to the device list on the unit. How a connection attempt is handled depends on the type of the device attempting to connect, the selections made in the Unregistered Device Options window, and whether or not the maximum number of devices has been reached on the FortiAnalyzer unit. FortiAnalyzer units will either ignore the connection attempt, or automatically add the device to the device list. An administrator may choose to block connection attempts from devices that they do not want to add to the device list, since connection attempts must be reconsidered with each attempt.

Secure connections are enabled and configured between the FortiAnalyzer unit and the device(s) being monitored through the CLI. The secure tunnel must be configured on both ends of the tunnel, including the FortiAnalyzer unit and the device; the FortiAnalyzer unit cannot create a secure tunnel without being configured first. Secure connections cannot be configured with FortiMail units, FortiClient installations, or syslog devices. The Secure column in the Device List identifies when secure connections are enabled. If secure connections are enabled, the closed lock icon will appear.

Device Registration
The FortiAnalyzer device list can display both registered and unregistered devices. A device will not be able to use most of the FortiAnalyzer unit's features until the device is registered, either manually or automatically. Manually adding a device to the device list configures connections from the device but does not automatically establish a connection. The device must be configured to send traffic to the FortiAnalyzer unit to establish a connection. Depending on the settings in Unregistered Device Options, the FortiAnalyzer unit handles connection attempts from unregistered or unrecognized devices in one of these ways:
• Ignore the connection and only allow connections from manually added devices.
• Allow the connection, add as an unregistered device, but do not keep the device's log data. This option will add devices automatically, but will not keep data until manually registered.
• Allow the connection, add as an unregistered device, and keep a specified amount of the device's log data.
• If the device is a known type, allow the connection, add as a registered device, and keep a specified amount of the device's log data. If the device is an unknown type, allow the connection, add as an unregistered device, and keep a specified amount of the device's log data.

Viewing FortiAnalyzer Logs
The FortiAnalyzer Log Viewer displays logs for devices that were added to the device list, as well as the FortiAnalyzer unit itself, focusing on specific log types and time frames. Select the log type to be viewed by selecting it from Log & Archive > Log Access. Select the devices to be displayed in the log list from the Show list.

Historical
The Historical tab displays all log messages for the selected log type whose time stamps are within the specified time frame. Select the Timeframe for the list to be displayed, either Anytime, Last 1 Hour, Last 1 Day, Last 7 days, or Last Month.

Select the columns to be displayed by clicking Column Settings. Identify the columns to display in the list by selecting the column and moving it from the Available Fields list to the Display Fields list.

Real-time
An up-to-the-minute display of the log messages received by the FortiAnalyzer unit can be displayed by clicking Realtime Log. The display refreshes every few seconds, and contains only the most current entries.

Display Options
Click the Display Options link at the bottom of the window to choose either Raw or Formatted view or to resolve host names and services.

Raw View
Raw view displays log messages exactly as they appear in the log file.

Formatted view
Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages for rapid visual comparison. When displaying log messages in formatted view, the log messages can be displayed and arranged and/or filtered by column contents. The log view can be customized by hiding, displaying and arranging columns and/or by filtering columns, refining the view to include only those log messages and fields that are required for display. When viewing log messages in formatted view, columns can be filtered to display only those log messages that do or do not contain the specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. When viewing real-time logs, the time column cannot be filtered on (by definition of the real-time aspect, only current logs are displayed).

Browsing Log Files
Log Browse enables the administrator to see all stored log files for all devices and the FortiAnalyzer itself. In this window, view the log information, download log files to the hard disk, or delete unneeded files. A device's log files can be imported. For example, if older log files from a device are available, these logs can be imported into the FortiAnalyzer unit in order to generate reports on older data. This can be useful when restoring data or loading log data for temporary use. Logs can be imported in normal log, compressed log (.log.gz) or comma separated value format. In addition, a log file can be downloaded to save it as a backup or for use outside the FortiAnalyzer unit. The download consists of either the entire log file, or a partial log file, as selected by the current log view filter settings.

Device log file size and consumption of the FortiAnalyzer disk space can be controlled by configuring log rolling and/or scheduled uploads to a server. As the FortiAnalyzer unit receives new log items, it verifies whether the log file has exceeded its file size limit. If the file size is not exceeded, the FortiAnalyzer unit checks to see if it is time to roll the log file. When a log file reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit saves the log file with an incremental number, and starts a new log file with the same name. If log uploading has been enabled, choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.
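The rolling and upload rules in the previous paragraph form a small state machine (size check first, schedule second, incremental numbering, retry of failed uploads at the next schedule). The following Python is an added model of that behaviour, not FortiAnalyzer code; file contents are held in memory instead of on disk, the upload callback standing in for the FTP push, and the entries and file name are constructed.

```python
class LogRoller:
    """Constructed model of log rolling with scheduled uploads (not FortiAnalyzer code)."""

    def __init__(self, name, max_bytes, roll_at_hour, upload=None, delete_after_upload=False):
        self.name = name
        self.max_bytes = max_bytes          # size limit that triggers a roll
        self.roll_at_hour = roll_at_hour    # scheduled roll time (hour of day)
        self.upload = upload                # callable(filename, lines) -> bool, e.g. an FTP push
        self.delete_after_upload = delete_after_upload
        self.active = []                    # entries in the current log file
        self.rolled = {}                    # "name.N" -> entries still held on disk
        self.pending_upload = []            # rolled files whose upload has not succeeded yet
        self.counter = 0
        self.last_scheduled_roll = None

    def _size(self):
        return sum(len(line) + 1 for line in self.active)   # +1 for the newline

    def receive(self, line, hour):
        """Store a new log item, then check the size limit first and the schedule second."""
        self.active.append(line)
        if self._size() > self.max_bytes:
            self._roll()
        elif hour == self.roll_at_hour and self.last_scheduled_roll != hour:
            self.last_scheduled_roll = hour
            self._roll()

    def _roll(self):
        if not self.active:
            return
        self.counter += 1
        rolled_name = f"{self.name}.{self.counter}"   # incremental number, same base name
        self.rolled[rolled_name] = self.active
        self.active = []                              # new file under the original name
        self.pending_upload.append(rolled_name)
        self._try_upload(rolled_name)

    def _try_upload(self, rolled_name):
        if self.upload is None:
            return False
        if not self.upload(rolled_name, self.rolled[rolled_name]):
            return False                    # e.g. FTP server unavailable: keep it for next schedule
        self.pending_upload.remove(rolled_name)
        if self.delete_after_upload:
            del self.rolled[rolled_name]    # free the disk space used by the rolled file
        return True

    def run_scheduled_upload(self):
        """Retry every rolled file whose earlier upload failed; return the ones that succeeded."""
        return [name for name in list(self.pending_upload) if self._try_upload(name)]


def demo():
    """Constructed scenario: the first upload fails, later ones succeed."""
    attempts = []

    def flaky_upload(name, lines):
        attempts.append(name)
        return len(attempts) != 1

    roller = LogRoller("tlog.log", max_bytes=50, roll_at_hour=2,
                       upload=flaky_upload, delete_after_upload=True)
    for i in range(4):                      # 21 bytes each: the third entry pushes the file over 50
        roller.receive(f"constructed entry {i:02d}", hour=1)
    pending_before = list(roller.pending_upload)
    roller.receive("constructed entry 04", hour=2)   # scheduled roll at 02:00
    retried = roller.run_scheduled_upload()
    return {"attempts": attempts, "pending_before_schedule": pending_before,
            "retried": retried, "pending_after": list(roller.pending_upload),
            "rolled_files": roller.counter, "on_disk": sorted(roller.rolled)}
```

In the scenario, tlog.log.1 is rolled on size, its upload fails and it stays on disk; tlog.log.2 is rolled on schedule and uploaded at once; the scheduled retry then clears tlog.log.1, leaving nothing on disk because delete-after-upload is set.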

Searching the Logs
The device log files can be searched for matching text using two search types.

Quick Search
Quick Search finds results more quickly if the search terms are relatively simple and only need to search indexed log fields. Indexed log fields are those that appear with a filter icon when browsing the logs in column view; unindexed log fields do not contain a filter icon for the column or do not appear in column view, but do appear in the raw log view. Quick Search keywords cannot contain special characters such as single quotes ('), double quotes ("), or question marks (?), and may only contain a wild card character (*) as the last character of a keyword (logi*). Quick Searches can be performed quickly by entering the search value in the search field on the Log Display page.

Quick Searches can also be performed by clicking Advanced Search, entering the criteria as needed and clicking Quick Search.

Full Search
Full Search can be used if the search terms are more complex, and require the use of special characters, regular expressions or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search.
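The practical difference between the two search types is what they can see and what they accept. The following Python is an added example (not FortiAnalyzer code) that enforces the Quick Search keyword rules above, searches indexed fields only, and contrasts it with a regular-expression Full Search over every field. The entries are constructed; which fields count as indexed, and the whole-value matching rule for Quick Search, are assumptions made for the example.

```python
import re

# Assumed set of indexed fields (the ones that would show a filter icon in column view).
INDEXED_FIELDS = ("date", "time", "type", "subtype", "pri", "user", "srcip")

# Constructed log entries; "msg" is treated as an unindexed field here.
ENTRIES = [
    {"date": "2007-01-11", "time": "14:20:01", "type": "event", "subtype": "login",
     "pri": "information", "user": "admin", "srcip": "192.168.96.1",
     "msg": "constructed: admin logged in from GUI"},
    {"date": "2007-01-11", "time": "14:21:30", "type": "event", "subtype": "login",
     "pri": "information", "user": "cadmin", "srcip": "192.168.1.20",
     "msg": "constructed: cadmin logged in from GUI"},
    {"date": "2007-01-11", "time": "14:22:45", "type": "event", "subtype": "logout",
     "pri": "information", "user": "cadmin", "srcip": "192.168.1.20",
     "msg": "constructed: cadmin logged out"},
    {"date": "2007-01-11", "time": "14:23:37", "type": "event", "subtype": "admin",
     "pri": "notification", "user": "admin", "srcip": "192.168.96.1",
     "msg": "User admin added new firewall policy 3 from GUI(192.168.96.1)"},
]


def validate_quick_keyword(keyword):
    """Quick Search rules: no quotes or question marks, and * only as the last character."""
    if not keyword or any(ch in keyword for ch in "'\"?"):
        return False
    return "*" not in keyword[:-1]


def quick_search(entries, keyword):
    """Search indexed fields only: whole-value match, or prefix match for a trailing *.
    (Whole-value matching is an assumption about how the index behaves.)"""
    if not validate_quick_keyword(keyword):
        raise ValueError(f"keyword not allowed in Quick Search: {keyword!r}")
    if keyword.endswith("*"):
        prefix = keyword[:-1].lower()
        matches = lambda value: value.lower().startswith(prefix)
    else:
        word = keyword.lower()
        matches = lambda value: value.lower() == word
    return [e for e in entries if any(matches(e[f]) for f in INDEXED_FIELDS if f in e)]


def full_search(entries, pattern):
    """Regular-expression search over every field, indexed or not: complete, but slower."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if any(rx.search(value) for value in e.values())]
```

The keyword policy appears in the example where a practitioner would otherwise trip over it: "policy" finds nothing in Quick Search because it only occurs in the unindexed msg field, while the Full Search pattern policy \d+ locates the firewall policy change immediately.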

Logging to Multiple FortiAnalyzer Units or Syslog Servers
FortiGate devices can support up to three FortiAnalyzer and/or Syslog servers for logging. This allows for load balancing of log traffic in busy network environments. For example, all Event logs can be sent to FortiAnalyzer1, all Web filter logs to FortiAnalyzer2, and Traffic logs to FortiAnalyzer3. Logging to multiple destinations must be configured using the CLI. (For more information, see the FortiGate CLI Reference Guide.)

Content Archiving
Content archiving provides a method of simultaneously logging and archiving copies of content transmitted over the network, such as email and web pages. Content logs include information such as the senders, recipients, and the content of messages and files. If full content archiving is enabled, FortiGate units can also archive a copy of the associated file or message with the content log message. Both FortiGate content archive logs and their associated copies of files or messages can be stored and viewed remotely on a FortiAnalyzer unit, leveraging its large storage capacity for large media files that can be common with multimedia content. Content archive data is needed to generate many of the reports available on the FortiAnalyzer device. Content archiving may also be required by corporate policy and/or to ensure regulatory compliance.

When content archives are received by the FortiAnalyzer unit, data filtering similar to other log files can be used to track and locate specific email or instant messages, or to examine the contents of archived files. Full content archives are those which contain both the summary and a hyperlink to the associated archived file or message. Summary content archives are those which contain only a log message consisting of summary metadata. Whether each content archive will be full or summary varies by whether the device is configured to send full content archives, whether the content satisfies content archiving requirements, and whether the FortiAnalyzer unit has the copy of the file or message associated with the summary log message. For example, if the FortiAnalyzer unit has a full content archive for an email message, the Subject log field of the email content archive contains a link that enables that email message to be viewed. If the FortiAnalyzer unit has only a content archive summary, the Subject field does not contain a link.

Content archiving is enabled through DLP rules. Rules are added to a DLP sensor, which is then applied within a protection profile. At least one of the threat management functions, such as antivirus scanning, web filtering, and spam filtering for the relevant protocol, should be enabled to use the full content archiving features for that protocol. Content meta-information for HTTP, HTTPS, FTP, SMTP, POP3, IMAP, and IM traffic can be displayed on the System Dashboard, or the full content archive can be sent to a FortiAnalyzer device. Archiving through Data Leak Prevention is examined in further detail in Lesson 11 - Data Leak Prevention.

Viewing Content Archives
All archived logs stored on a FortiAnalyzer unit can be viewed from Log & Archive > Archive Access in FortiAnalyzer Web Config. The content archive logs can be viewed in Raw or Formatted view.

Alert Email
Alert emails enable the FortiGate unit to send notifications to an email address upon detection of a message meeting a defined event type or security level. For example, an alert email can be configured to send notifications for critical events such as an HA member leaving the cluster.

The FortiGate unit uses the SMTP server name to connect to the mail server, so configure at least one DNS server when configuring alert email. Up to three recipients can be specified per mail server, and the email body is base64 encoded.

SNMP
Simple Network Management Protocol (SNMP) enables administrators to manage hardware on a network, including servers, workstations, routers, switches, and other network devices. An SNMP-managed network is made up of three main components: managed devices, agents, and SNMP managers. An SNMP manager is a computer running an application that can read the incoming traps from the agent and track the information.

Configure the hardware or FortiGate SNMP agent to report system information and to send traps (alarms or event messages) to SNMP managers. Using an SNMP manager, access SNMP traps and data from any FortiGate interface configured for SNMP management access. The FortiGate SNMP implementation is read-only: SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, compile the Fortinet proprietary Management Information Bases (MIBs), as well as the Fortinet-supported standard MIBs (available from the Fortinet Support site), into the SNMP manager.

SNMP is configured through System > Config > SNMP v1/v2c. Enable the SNMP agent option and enter information for the Description, Location, and Contact.

SNMP Communities
Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. SNMP communities can be configured to have different SNMP queries and traps, and they can be configured to monitor the FortiGate unit for different sets of SNMP events. Up to eight SNMP managers per community can be added.

SNMP Traps
The FortiGate agent can send traps to SNMP managers added to SNMP communities. To receive traps, load and compile the Fortinet 3.0 MIB into the SNMP manager. All traps include the trap message, as well as the FortiGate unit serial number and hostname. Available traps include:
• CPU overusage
• Memory low
• Log disk space low
• HA cluster status changed
• HA heartbeat failure
• HA member up
• HA member down
• Interface IP changed
• Virus detected
• Oversize file/email detected
• Fragmented email detected
• IPS Signature
• IPS Anomaly
• VPN tunnel up
• VPN tunnel down
• FortiAnalyzer disconnection

Configuring an Interface for SNMP Access
One or more interfaces must be configured on the FortiGate unit to accept SNMP connections before a remote SNMP manager will be able to connect to the FortiGate agent. Go to System > Network > Interface and edit the applicable interface. Click to enable SNMP in the Administrative Access section of the web page.

Reporting
Reports provide an easy way to analyze and view the information from logs. A report is a collection of log information which is then displayed in the report in the form of text, graphs and tables. An administrator can create reports based on log information that has been accumulated over a period of time.

Logs are the basis of all FortiAnalyzer reports. Logs must be collected or uploaded before a report can be generated. After logs are collected or uploaded, the report can be defined. FortiAnalyzer reports provide flexible options, offering a choice to compile a report layout based on variables (which can be reused) or based on specific information. Reports can be scheduled for compilation, or can be set to be created on demand.

Reports are only available when logging to a FortiAnalyzer device. Reports cannot be created for devices that are of an unknown type, such as generic Syslog devices, nor for devices that are not registered with the FortiAnalyzer unit.

Report Layout
In FortiAnalyzer Web Config, go to Report > Config > Report to configure and define the layout of the report. Define when reports are to be created by modifying the Schedule settings.

Click Add to select components, such as charts or graphics, that are to be included on the report.

Lab 2 Logging and Monitoring

Objectives
In this exercise, system event logging will be configured.

Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Exploring Web Config Monitoring
• Exercise 2 Configuring System Event Logging
• Exercise 3 Exploring the FortiAnalyzer Interface
• Exercise 4 Configuring Email Alerts (Optional)

Timing
Estimated time to complete this lab: 35 minutes

Exercise 1 Exploring Web Config Monitoring
1 Log in to Web Config on the FortiGate unit as admin. Go to System > Dashboard > Status.
2 Locate the System Resources widget. Verify the CPU Usage and Memory Usage status dials.
3 Hover the mouse pointer over the System Resources title bar and click History.

4 A pop-up window appears showing a trace of past CPU usage, memory usage, session, network utilization, virus, and intrusion history. In the System Resource History graph window, the time interval represented by each horizontal grid square can be selected from the pull-down menu to the right of Time Interval. The refresh rate of this window is automatically set to 1/20th of the time interval. Click Close.
5 The Alert Message Console widget displays recent critical system events, such as system restart and firmware upgrade. Hover over the Alert Message Console title bar and click the History icon to view a pop-up window that displays the entire message list. Click Close.
6 Log and DLP archive statistics are shown in the Log and Archive Statistics widget. Since there will have been little or no traffic through the FortiGate unit and no content inspection configured, the DLP Archive and Log statistics will be uninteresting at this time.

The Reset link in the top-right of the Statistics box will clear the current statistics counts.
7 There will already be a number of sessions recorded by the FortiGate unit. Click the Details link on the Top Sessions widget to display more information about the sessions, or click each graphical bar representing sessions per IP address. Identify the Web Admin sessions in the Session table display by looking for the TCP sessions from the PC IP address to the IP address of the internal interface of the FortiGate unit. Test the function of the various icons in this window. There are icons for display refresh, page forward and back, column display filters, as well as clear session. Click Return to re-display the graphical view of the Top Sessions widget.
8 Some widgets are not displayed by default. Add them to the dashboard by clicking Widgets and selecting from the pop-up window.

Exercise 2 Configuring System Event Logging
1 Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving and click to enable FortiAnalyzer. Apply the following settings:
IP Address: 209.87.230.134
Minimum log level: Information
Note: Depending on the location of the class, the instructor may direct students to a FortiAnalyzer unit at a different address.
Click Apply to save the changes.
2 In Remote Logging & Archiving, click Test Connectivity to register with the FortiAnalyzer device. A pop-up window displays to indicate a successful connection and registration process. The FortiAnalyzer unit being used is configured to automatically accept and register all new FortiGate device connections. Alternate settings are to register only (and ignore logging messages) or ignore (manual registration). In an actual scenario, there would be additional configuration required at the FortiAnalyzer end to permit the necessary connection for manual device registration. Automatic discovery of a FortiAnalyzer unit with the Fortinet Discovery Protocol is only applicable when the FortiGate unit and the FortiAnalyzer unit are on the same broadcast domain (subnet). This would be a rare situation in an actual network, but appropriate for a FortiGate 5000 series chassis when a FortiAnalyzer blade is used. Click Close to exit from the FortiAnalyzer Connection Summary window.
3 While still in the Log Settings window, expand Local Logging & Archiving and confirm that Disk logging is enabled and that the Minimum log level is set to Information. If using a FortiGate device without a local hard drive, enable Memory logging instead. Click Apply.
4 On the Log&Report > Log Config > Event Log page, click Enable and select all events.
Note: There are different logging capabilities, depending on the destination. The keywords may also differ. The CLI settings for the logging destinations can be displayed with the following commands:
get log <destination> setting
get log <destination> filter
Substitute <destination> with either fortianalyzer, disk or memory. For initial testing purposes, the log level is set to the lowest and most verbose level, Information. In actual deployments, the level would more likely be set to Warning or Notification.

5 Test the logging setup with some simulated log messages sent to the logging destinations using the following CLI command:
diagnose log test
6 Go to Log&Report > Log Access. Select each log type from the Log Access menu item one at a time. Click Disk from the Log Access pages to view the entries for the test messages. The log message view is pre-formatted to show selected items in columns. The messages are color-coded according to severity level. Click the Change Display Options link and click Raw to view the log entries in raw format.

Exercise 3 Exploring the FortiAnalyzer Interface
1 Connect to a FortiAnalyzer by typing the following address in a web browser:
https://209.87.230.134
Note: Depending on the location of the class, the instructor may direct students to a FortiAnalyzer unit at a different address.
Accept the self-signed certificate messages if they are displayed. Log in with the username student and the password fortinet. After a successful login, the FortiAnalyzer Dashboard displays.
2 In the FortiAnalyzer Web Config, go to Log&Archive > Log Browse > Log Browse. In the Log Browse window, expand No Group and expand the name of the student FortiGate device to verify that log messages are being received by the FortiAnalyzer unit. FortiGate device names are displayed as HostName(SerialNumber).
3 Expand a category in the list. Click Show Log File Names and the names of the log files will display. Select one of the log files and click Display ( ) to show the log entries in the file.
4 Explore the log message display features in the Log Browse window.
5 Log out of the FortiAnalyzer device.

Exercise 4 Configuring Email Alerts (Optional)
This exercise can only be completed if an online email account is available to test with.

Alert emails can be sent based on selected event categories or simply on a log message threshold level. If a threshold level is used, the CLI contains additional interval hold-off timers for log levels above the selected threshold level.
1 The FortiGate unit will be configured to send alert mail to a test mail account. In Web Config on the FortiGate unit, go to Log&Report > Log Config > Alert Email and use the following settings to complete the Alert E-mail configuration:
SMTP server: Type the name or IP address of an online email account server.
Email from: Type the sender's email address.
Email to: Type the destination email address.
Authentication: Enable if the email server requires authentication and enter the sender's email address and account password.
Interval Time: 1 minute
Send alert mail for the following: Select Intrusion detected and Virus detected.
Send alert email for logs based on severity: Enable and select the Alert level from the minimum log level list.
Click Apply to save the settings.
2 Click Test Connectivity. Test messages will be sent to the email account.
3 Open the email client application and confirm that the test messages have been received. Check the following CLI commands for the Alert Email configuration:
show system alertemail
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached, it combines the messages and sends out one alert email.
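As an added illustration of the alert selection and interval behaviour described in this exercise (example code, not from the course and not FortiOS code), the following Python model selects log messages either by event category or by severity threshold, then combines every qualifying message collected within one interval into a single alert email. The LogMessage and AlertEmail types, the severity table and the sample log lines are constructed for this example; the unit's real hold-off timers and mail formatting are not reproduced.

```python
"""Constructed model of alert email selection and interval batching.
Not FortiOS code; level names follow the severities named in the guide."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Severity order, most severe first (emergency = 0 ... debug = 7).
LEVELS = ("emergency", "alert", "critical", "error",
          "warning", "notification", "information", "debug")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class LogMessage:
    ts: int          # seconds since an arbitrary start (constructed)
    level: str
    category: str    # e.g. "virus", "ips", "event"
    text: str


@dataclass(frozen=True)
class AlertEmail:
    sent_at: int     # end of the interval in which the messages were collected
    messages: tuple  # LogMessage objects combined into this one email


def qualifies(msg: LogMessage, categories: Set[str], min_level: str) -> bool:
    """Alert on a message if its category is selected OR it is at least as severe as min_level."""
    if msg.level not in RANK:
        raise ValueError(f"unknown log level: {msg.level}")
    return msg.category in categories or RANK[msg.level] <= RANK[min_level]


def batch_alerts(messages: Iterable[LogMessage], categories: Set[str],
                 min_level: str, interval: int) -> List[AlertEmail]:
    """Combine all qualifying messages seen within one interval into one email.

    The interval starts with the first qualifying message; the next qualifying
    message at or beyond `interval` seconds later closes the batch and opens a new one.
    """
    if interval <= 0:
        raise ValueError("interval must be positive")
    emails: List[AlertEmail] = []
    pending: List[LogMessage] = []
    window_start = None
    for msg in sorted(messages, key=lambda m: m.ts):
        if not qualifies(msg, categories, min_level):
            continue
        if window_start is None:
            window_start = msg.ts
        elif msg.ts - window_start >= interval:
            emails.append(AlertEmail(window_start + interval, tuple(pending)))
            pending, window_start = [], msg.ts
        pending.append(msg)
    if pending:
        emails.append(AlertEmail(window_start + interval, tuple(pending)))
    return emails


# Constructed sample log stream (not real FortiGate log output).
SAMPLE_LOGS = [
    LogMessage(0, "warning", "virus", "virus detected in HTTP download"),
    LogMessage(10, "notification", "ips", "IPS signature matched"),
    LogMessage(30, "information", "event", "admin login"),           # below threshold, not selected
    LogMessage(70, "alert", "event", "HA member left the cluster"),  # severity alone qualifies
    LogMessage(200, "warning", "event", "interface link down"),      # below threshold, not selected
]
SELECTED_CATEGORIES = {"virus", "ips"}   # "Intrusion detected" and "Virus detected"
MIN_LEVEL = "alert"                      # severity threshold from the exercise
INTERVAL = 60                            # Interval Time: 1 minute

if __name__ == "__main__":
    for mail in batch_alerts(SAMPLE_LOGS, SELECTED_CATEGORIES, MIN_LEVEL, INTERVAL):
        print(f"email at t={mail.sent_at}s with {len(mail.messages)} message(s)")
```

With the sample stream the virus and IPS messages at t=0 and t=10 are combined into one email, the HA alert at t=70 opens a second interval and goes out on its own, and the two messages below the threshold are never mailed.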

LESSON 3 Firewall Policies

www.fortinet.com


Lesson 3 Firewall Policies
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet and compares the content to determine if the information contained conforms to a policy that is in place. For a packet to be connected through the FortiGate unit, the source address, destination address, and service of the packet must match the firewall policy. The policy can also direct the firewall to require authentication before the connection is allowed.

ACCEPT policies accept communication sessions. An accept policy can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy. DENY policies deny communication sessions. IPSEC and SSLVPN policies apply a tunnel mode IPSec VPN or SSL VPN and may optionally apply NAT and allow traffic for one or both directions.

Each policy can be configured to route connections or apply Network Address Translation (NAT) to translate source and destination IP addresses and ports. IP pools can be used in conjunction with dynamic NAT when the firewall translates source addresses.

Threat management elements such as antivirus, intrusion prevention, web filtering, email filtering, data leak protection and application control are enabled in firewall policies to apply protection to traffic passing through the firewall. In addition, traffic shaping and endpoint control can be enabled in firewall policies as needed. Traffic logging can be enabled for a firewall policy so the FortiGate unit will log all connections that use this policy. Firewall policies can also be used to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.

Policy Matching
When the FortiGate unit receives a connection attempt on an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt. The FortiGate unit starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped. If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain.

Arrange policies in the policy list from more specific to more general. General policies are policies that can accept connections from multiple source and destination addresses or from address ranges. General policies can also accept connections from multiple service ports or have schedules that mean the policy can be matched over a wide range of times and dates. Policies that are exceptions to general policies should be added to the policy list above the general policies. The default policy, for instance, is a very general policy because it matches all connection attempts. No policy below the default policy will ever be matched, so exceptions to that policy are added to the policy list above the default policy.

For example, a general policy may allow all users on the internal network to access all services on the Internet. To block access to specific services, such as FTP servers on the Internet, add a policy that denies FTP connections above the general policy. The deny policy blocks FTP connections. Connection attempts for all other kinds of services do not match the FTP policy but do match the general policy. Therefore, the firewall still accepts all connections from the internal network to the Internet other than FTP connections.
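The matching rules just described, as an added Python model (example code, not FortiOS code and not from the course): a policy list is selected per interface pair and searched top-down for the first policy whose source address, destination address, service and schedule all match, with an implicit deny when nothing matches. The Policy and Packet types, the hour-window stand-in for a schedule and the sample addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed for this example. It also adds a check the text implies but does not spell out: a report of policies that can never be reached because an earlier, more general policy already covers everything they could match.

```python
"""Constructed first-match policy evaluator modelled on the matching rules in
the guide.  Not FortiOS code; the types and sample data are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY_SERVICE = ("any", 0)


@dataclass(frozen=True)
class Packet:
    src_intf: str
    dst_intf: str
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    hour: int = 12  # hour of day the attempt was received (0-23)


@dataclass(frozen=True)
class Policy:
    policy_id: int              # stable ID, independent of list position
    src_intf: str
    dst_intf: str
    src_addr: str               # CIDR; "0.0.0.0/0" plays the role of the "all" address
    dst_addr: str
    services: tuple             # (proto, dport) pairs, or ANY_SERVICE
    action: str                 # "accept" or "deny"
    hours: tuple = (0, 24)      # schedule stand-in: active for hours [start, stop)
    comment: str = ""


def service_matches(policy: Policy, pkt: Packet) -> bool:
    return ANY_SERVICE in policy.services or (pkt.proto, pkt.dport) in policy.services


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    """Source, destination, service and schedule must all match."""
    return (ip_address(pkt.src) in ip_network(policy.src_addr)
            and ip_address(pkt.dst) in ip_network(policy.dst_addr)
            and service_matches(policy, pkt)
            and policy.hours[0] <= pkt.hour < policy.hours[1])


def match_policy(policy_list: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Take the list for the packet's interface pair and return the first match, top-down."""
    for policy in policy_list:
        if (policy.src_intf, policy.dst_intf) != (pkt.src_intf, pkt.dst_intf):
            continue
        if policy_matches(policy, pkt):
            return policy
    return None


def decide(policy_list: List[Policy], pkt: Packet) -> str:
    matched = match_policy(policy_list, pkt)
    return matched.action if matched else "deny"   # implicit deny when nothing matches


def _covers(general: Policy, specific: Policy) -> bool:
    """True when every packet `specific` could match would already match `general`."""
    same_pair = (general.src_intf, general.dst_intf) == (specific.src_intf, specific.dst_intf)
    nets = (ip_network(specific.src_addr).subnet_of(ip_network(general.src_addr))
            and ip_network(specific.dst_addr).subnet_of(ip_network(general.dst_addr)))
    svcs = ANY_SERVICE in general.services or set(specific.services) <= set(general.services)
    hours = general.hours[0] <= specific.hours[0] and specific.hours[1] <= general.hours[1]
    return same_pair and nets and svcs and hours


def find_shadowed(policy_list: List[Policy]) -> List[int]:
    """IDs of policies that can never be reached because an earlier policy covers them."""
    shadowed = []
    for i, later in enumerate(policy_list):
        if any(_covers(earlier, later) for earlier in policy_list[:i]):
            shadowed.append(later.policy_id)
    return shadowed


# Constructed sample list for the FTP example: the exception sits above the general policy.
DENY_FTP = Policy(2, "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0",
                  (("tcp", 21),), "deny", comment="block FTP to the Internet")
ALLOW_ALL = Policy(1, "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0",
                   (ANY_SERVICE,), "accept", comment="general Internet access")
POLICY_LIST = [DENY_FTP, ALLOW_ALL]

FTP_ATTEMPT = Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 21)
HTTP_ATTEMPT = Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 80)

if __name__ == "__main__":
    print(decide(POLICY_LIST, FTP_ATTEMPT))                    # deny
    print(decide(POLICY_LIST, HTTP_ATTEMPT))                   # accept
    print(decide(list(reversed(POLICY_LIST)), FTP_ATTEMPT))    # accept: the exception is shadowed
    print(find_shadowed(list(reversed(POLICY_LIST))))          # [2]
```

Reversing the two policies reproduces the ordering mistake the text warns about: the FTP deny policy still exists, but it sits below a policy that matches everything, so it is never evaluated and find_shadowed reports it.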

Firewall Policy List
The firewall policy list displays firewall policies in their order of matching precedence for each source and destination interface pair. Firewall policy order affects policy matching. Policies can be added, edited, deleted, and re-ordered in the policy list. Two default policies are included on the FortiGate device: an Allow policy allowing all traffic, and an implicit Deny policy which blocks all traffic.

Section View
Selecting Section View in Web Config will display firewall policies organized by Source and Destination interfaces.

Global View
Selecting Global View will list all firewall policies in order according to a sequence number, not grouped by interface. When policies are re-ordered, the sequence number changes in consequence. The Policy ID value is independent of the sequence number. If a firewall policy is created with a source or destination interface of ANY, only the Global View will be available in Web Config.

Column Settings
Some columns of information may not be displayed by default. Use the Column Settings options to add or remove table columns from the displayed list. Select the item to display from the Available fields list and click ( ) to move it to the Show these fields in this order list. Reorder the items in the Show these fields in this order list by selecting the item and clicking Move Up or Move Down. For example, if the Count field is added to the column settings, the number of packets and bytes that match a firewall policy can be displayed.

Filtering Columns
Click Filter ( ) to edit the column filters, which allow the policy list to be filtered or sorted according to the criteria specified. Filters are useful for reducing the number of entries that are displayed on the list. Filters can be added for one column or for multiple columns. Different filter styles are available depending on the type of information displayed in individual columns. In all cases, filters are configured by specifying what to filter on and whether to display information that matches the filter or, by selecting NOT, information that does not match the filter. Filter configuration is maintained after leaving Web Config, after logging out of Web Config, or after rebooting the FortiGate unit.

Reordering Policies
A policy can be moved within the list to influence the order in which policies are evaluated. When more than one policy has been defined for the same interface pair, the policy that is first in the list is evaluated first. Select a policy and click Move ( ) to change the order of policies in the list. Alternately, when creating a new policy, click Insert ( ) to create the new policy in the list before the selected policy. Moving a policy in the list does not change its policy ID number.

The ordering of firewall encryption policies is important to ensure that they take effect as expected. For example, firewall encryption policies must be evaluated before regular firewall policies.

The policy ordering can also be changed using the CLI move command from the firewall policy table. For example:
config firewall policy
  move X before Y
end

Firewall Policy Elements
Multiple elements are included in the creation of a firewall policy. Each element is configured separately, then combined with others to create the final policy. Elements used in the creation of a firewall policy include:
• Addresses
• Schedules
• Services
• Action
• Network Address Translation
• Identity-Based Policies
• Threat Management Options
• Traffic Shaping
• Endpoint Network Access Control
• Allowed Traffic Logging
• Virtual IPs
• Load Balancing
Multiple policies can be enabled on the FortiGate device to scan traffic passing through the interfaces on the device.

Click Create New ( ) in the Policy List to create a new firewall policy, or select an existing policy and click Edit ( ) to modify or view the policy. Alternately, click Insert ( ) to create a new policy in the list before the currently selected policy.

Note: The Comments field is very useful to complete when working with firewall policies, as important details can be documented about the firewall policy which may be referred to in the future.

Firewall Addresses
Firewall addresses are added to the Source and Destination Address fields of firewall policies to match the source or destination IP addresses of packets that are received by the FortiGate unit.

Multiple addresses can be added on the FortiGate device and the appropriate address can be selected when creating the policy.

To view the list of available addresses on the FortiGate unit, go to Firewall > Address > Address.

To view or modify any individual addresses in the list, select the address from the list and click Edit ( ) or double-click the entry. The FortiGate unit comes configured with a default All address which represents any IP address on the network. This is required in order to reach all addresses on the Internet.

New firewall addresses can be defined by clicking Create New ( ) on the Address List page, or by selecting [Create New...] from the Source Address and Destination Address drop-down list on the New Policy page. Complete the parameters of the firewall address as needed.

Address Name: The name assigned to the address will be used to identify the address on the New Policy page. Addresses must have unique names to avoid confusion in firewall policies.

Type: Subnet/IP Range or FQDN. Addresses can be identified by Subnet/IP Range or FQDN. If using Subnet/IP Range, enter the firewall IP address and subnet mask. If using an IP address range, separate the addresses at each end of the range by a hyphen, for example 192.168.110.100-192.168.110.120 or 192.168.110.[100-120]. To represent all addresses on the subnet, use the * wildcard, for example 192.168.110.*. If using FQDN, enter the fully qualified domain name, for example www.fortinet.com or acme.com.

Interface: Select the interface or zone with which the IP address will be associated. Alternately, Any can be selected to associate the IP address with the interface/zone when the policy is created.
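The address notations listed under Type, as an added Python parser (example code, not from the course and not FortiOS code): each definition is turned into a membership test so that a packet's IP can be checked against a subnet given with a mask or as CIDR, a hyphenated or bracketed range, a last-octet wildcard, a single host, or an FQDN. The FirewallAddress type, the parse_address and load_addresses functions and the sample address table are constructed for this example; the "all" entry is written as 0.0.0.0 with a 0.0.0.0 mask, the usual way a match-everything address is expressed, and FQDN entries are compared by name only because the resolution happens on the unit.

```python
"""Constructed parser for the firewall address notations described above.
Not FortiOS code; the FirewallAddress type is an assumption of this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict

_OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
_MASK_RE = re.compile(rf"^({_OCTETS})\s+({_OCTETS})$")                    # ip mask
_RANGE_RE = re.compile(rf"^({_OCTETS})-({_OCTETS})$")                      # ip-ip
_BRACKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")
_WILDCARD_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\*$")
_FQDN_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


@dataclass(frozen=True)
class FirewallAddress:
    name: str
    kind: str                          # "subnet", "range" or "fqdn"
    matches: Callable[[str], bool]     # IP string (or host name for fqdn) -> bool


def _subnet(name: str, network: ipaddress.IPv4Network) -> FirewallAddress:
    return FirewallAddress(name, "subnet", lambda ip: ipaddress.ip_address(ip) in network)


def _range(name: str, low: ipaddress.IPv4Address, high: ipaddress.IPv4Address) -> FirewallAddress:
    if low > high:
        raise ValueError(f"{name}: range start {low} is above range end {high}")
    return FirewallAddress(name, "range", lambda ip: low <= ipaddress.ip_address(ip) <= high)


def parse_address(name: str, text: str) -> FirewallAddress:
    """Turn one address definition into a membership test."""
    text = text.strip()
    m = _MASK_RE.match(text)                       # "192.168.110.0 255.255.255.0"
    if m:
        return _subnet(name, ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    if "/" in text:                                # "192.168.110.0/24"
        return _subnet(name, ipaddress.ip_network(text, strict=False))
    m = _RANGE_RE.match(text)                      # "192.168.110.100-192.168.110.120"
    if m:
        return _range(name, ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    m = _BRACKET_RE.match(text)                    # "192.168.110.[100-120]"
    if m:
        prefix = m.group(1)
        return _range(name, ipaddress.ip_address(f"{prefix}.{m.group(2)}"),
                      ipaddress.ip_address(f"{prefix}.{m.group(3)}"))
    m = _WILDCARD_RE.match(text)                   # "192.168.110.*" covers the whole /24
    if m:
        return _subnet(name, ipaddress.ip_network(f"{m.group(1)}.0/24"))
    try:                                           # a single host becomes a /32
        return _subnet(name, ipaddress.ip_network(text))
    except ValueError:
        pass
    if _FQDN_RE.match(text):                       # "www.fortinet.com"
        # The unit resolves an FQDN itself; this model only compares host names.
        return FirewallAddress(name, "fqdn", lambda host: host.lower() == text.lower())
    raise ValueError(f"{name}: unrecognised address syntax {text!r}")


def load_addresses(definitions: Dict[str, str]) -> Dict[str, FirewallAddress]:
    """Parse a name -> definition table into a name -> FirewallAddress table."""
    return {name: parse_address(name, text) for name, text in definitions.items()}


# Constructed sample address table in the notations the guide describes.
SAMPLE_ADDRESSES = {
    "all": "0.0.0.0 0.0.0.0",
    "lan_subnet": "192.168.110.0 255.255.255.0",
    "lan_cidr": "192.168.110.0/24",
    "pc_range": "192.168.110.100-192.168.110.120",
    "pc_range_short": "192.168.110.[100-120]",
    "lan_wildcard": "192.168.110.*",
    "fortinet_web": "www.fortinet.com",
}

if __name__ == "__main__":
    for addr in load_addresses(SAMPLE_ADDRESSES).values():
        print(f"{addr.name:15} {addr.kind:7} matches 192.168.110.110: {addr.matches('192.168.110.110')}")
```

A reversed range (end below start) and an incomplete dotted quad are rejected with ValueError rather than silently matching nothing, which is the failure mode to guard against when address definitions are loaded from a configuration file.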

Address Groups
Related addresses can be organized into address groups to simplify policy creation and management. For example, after adding three addresses and configuring them in an address group, configure a single policy using all three addresses. Multiple address groups can be added on the FortiGate device and the appropriate address group can be selected when creating the policy. To view the list of available address groups on the FortiGate unit, go to Firewall > Address > Group.

To view or modify any individual groups in the list, select the group and click Edit ( ) or double-click the entry.

New firewall address groups can be defined by clicking Create New ( ) on the Address Group List page, or by selecting [Multiple...] from the Source Address and Destination Address drop-down list on the New Policy page. Complete the parameters of the firewall address group as needed.

Group Name: The name assigned to the group will be used to identify the address group on the New Policy page.

Available Addresses: The list of available firewall addresses is displayed. Select an address and click ( ) to move the address from the Available Addresses list to the Members list.

Members: The list of addresses in the group is displayed. Select an address and click ( ) to remove the address from the Members list and move it back to the Available Addresses list.

If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.

Firewall Schedules
Schedules are used to control when policies are active.

One-Time Schedule
One-time schedules are used to activate a policy for a specified period of time. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times and a one-time schedule can be added to block access to the Internet during a holiday period. Multiple one-time schedules can be added on the FortiGate device and the appropriate schedule can be selected when creating a policy.

To view the list of available one-time schedules on the FortiGate unit, go to Firewall > Schedule > One-time.

To view or modify any one-time schedules in the list, select the schedule and click Edit ( ) or double-click the entry.

New one-time schedules can be defined by clicking Create New ( ) on the One-time Schedule List page, or by selecting [Create New...] from the Schedule drop-down list on the New Policy page. Complete the parameters of the one-time schedule as needed.

Name: The name assigned to the one-time schedule will be used to identify the schedule on the New Policy page.

Start: Select the start date and time for the one-time schedule.

Stop: Select the end date and time for the one-time schedule.

Recurring Schedules
Recurring schedules are used to activate policies at specified times of the day or on specified days of the week. For example, game play can be prevented during working hours by creating a recurring schedule. Multiple recurring schedules can be added on the FortiGate device and the appropriate schedule can be selected when creating a policy. To view the list of available recurring schedules on a FortiGate unit, go to Firewall > Schedule > Recurring.

To view or modify any recurring schedules in the list, select the schedule and click Edit ( ) or double-click the entry.

New recurring schedules can be defined by clicking Create New ( ) on the Recurring Schedule List page, or by selecting [Create New...] from the Schedule drop-down list on the New Policy page. Complete the parameters of the recurring schedule as needed.

Name: The name assigned to the recurring schedule will be used to identify the schedule on the New Policy page.

Day of the Week: Select the days affected by the recurring schedule.

Start: Select the daily start time for the recurring schedule.

Stop: Select the daily end time for the recurring schedule.

Schedule Groups
Related schedules can be organized into groups to simplify policy creation and management. For example, after adding multiple schedules and configuring them in a schedule group, configure a single policy using all the selected schedules. Multiple schedule groups can be added on the FortiGate device and the appropriate group can be selected when creating a policy. To view the list of available schedule groups on the FortiGate unit, go to Firewall > Schedule > Group.

To view or modify any individual groups in the list, select the group and click Edit ( ) or double-click the entry.

New schedule groups can be defined by clicking Create New ( ) on the Schedule Group List page. Complete the parameters of the schedule group as needed.

Group Name: The name assigned to the group will be used to identify the schedule group on the New Policy page.

Available Schedules: The list of available firewall schedules is displayed. Select a schedule and click ( ) to move the schedule from the Available Schedules list to the Members list.

Members: The list of schedules in the group is displayed. Select a schedule and click ( ) to remove the schedule from the Members list and move it back to the Available Schedules list.

If a schedule group is included in a policy, it cannot be deleted unless it is first removed from the policy.

Firewall Services
The Service list is used to determine the types of communication accepted or denied by the firewall. Services control the opening and closing of ports.

Predefined Services

Certain services are predefined on the FortiGate unit and can be easily added to a policy by selecting from the list. To view the list of predefined services, go to Firewall > Service > Predefined. These services can be added to a policy by selecting them from the Service drop-down list on the New Policy page, or can be added to service groups.

Custom Services

A custom service can be created for any type of communication that is not in the predefined list. Multiple custom services can be added on the FortiGate device and the appropriate service can be selected when creating a policy.

To view the list of available custom services on the FortiGate unit, go to Firewall > Service > Custom. To view or modify any custom services in the list, select the service and click Edit or double-click the entry.

New services can be defined by clicking Create New on the Custom Services List page, or by selecting [Create New...] from the Service drop-down list on the New Policy page. Complete the parameters of the custom service as needed.

Name: The name assigned to the custom service will be used to identify the service on the New Policy page.
Protocol Type: Select TCP/UDP/SCTP, ICMP or IP as the protocol for the service.
• If TCP/UDP/SCTP is selected, indicate the Source Port and Destination Port number range.
• If ICMP is selected, indicate the Type and Code values.
• If IP is selected, indicate the Protocol Number value.

Service Groups

To make it easier to add and manage policies, groups of services can be created and a single policy can be used to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. A service group cannot be added to another service group. Multiple service groups can be added on the FortiGate device and the appropriate group can be selected when creating a policy.

To view the list of available service groups on the FortiGate unit, go to Firewall > Service > Group. To view or modify any individual groups in the list, select the group and click Edit or double-click the entry.

New service groups can be defined by clicking Create New on the Service Group List page or by selecting [Multiple...] from the Service drop-down list on the New Policy page. Complete the parameters of the service group as needed.

Group Name: The name assigned to the group will be used to identify the service group on the New Policy page.
Available Services: The list of available services is displayed. Select a service and click the arrow button to move the service from the Available Services list to the Members list.
Members: The list of services in the group is displayed. Select a service and click the arrow button to remove the service from the Members list and move it back to the Available Services list.

If a service group is included in a policy, it cannot be deleted unless it is first removed from the policy.
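The following is an added example, not code from the course or from FortiOS, that models how the schedule and service elements described in the preceding pages combine when a policy is matched: a custom service matches on port ranges, ICMP type/code or an IP protocol number according to its Protocol Type; a service group matches if any member matches and refuses to contain another group; a recurring schedule is active on its selected days between its Start and Stop times; and policy lookup returns the first policy whose service and schedule both match. All class and function names, the sample services and schedules, and the fall-through deny for unmatched traffic are assumptions made for this example.

```python
"""Toy model of firewall policy elements: custom services, service groups,
recurring schedules, schedule groups and first-match policy lookup.
Added illustration; not FortiOS code. Names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence, Set, Tuple, Union


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "sctp", "icmp" or "ip"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    ip_proto: int = -1         # raw IP protocol number when proto == "ip"


@dataclass(frozen=True)
class CustomService:
    """One entry from Firewall > Service > Custom."""
    name: str
    protocol_type: str         # "TCP/UDP/SCTP", "ICMP" or "IP"
    src_ports: Tuple[int, int] = (1, 65535)   # inclusive range, TCP/UDP/SCTP only
    dst_ports: Tuple[int, int] = (1, 65535)
    icmp_type: Optional[int] = None           # None = any
    icmp_code: Optional[int] = None
    protocol_number: Optional[int] = None     # IP only

    def matches(self, pkt: Packet) -> bool:
        if self.protocol_type == "TCP/UDP/SCTP":
            return (pkt.proto in ("tcp", "udp", "sctp")
                    and self.src_ports[0] <= pkt.src_port <= self.src_ports[1]
                    and self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1])
        if self.protocol_type == "ICMP":
            return (pkt.proto == "icmp"
                    and (self.icmp_type is None or pkt.icmp_type == self.icmp_type)
                    and (self.icmp_code is None or pkt.icmp_code == self.icmp_code))
        if self.protocol_type == "IP":
            return pkt.proto == "ip" and pkt.ip_proto == self.protocol_number
        raise ValueError(f"unknown protocol type {self.protocol_type!r}")


class ServiceGroup:
    """Firewall > Service > Group: predefined or custom services in any
    combination, but never another group (the page states groups cannot nest)."""
    def __init__(self, name: str, members: Sequence[CustomService]):
        if any(isinstance(m, ServiceGroup) for m in members):
            raise ValueError("a service group cannot contain another service group")
        self.name, self.members = name, list(members)

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)


@dataclass(frozen=True)
class RecurringSchedule:
    """Firewall > Schedule > Recurring: days of the week plus daily Start/Stop.
    Assumption for this example: the window does not cross midnight."""
    name: str
    days: Set[int]             # datetime.weekday(): 0 = Monday ... 6 = Sunday
    start: time
    stop: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.stop


class ScheduleGroup:
    def __init__(self, name: str, members: Sequence[RecurringSchedule]):
        self.name, self.members = name, list(members)

    def active(self, now: datetime) -> bool:
        return any(m.active(now) for m in self.members)


@dataclass(frozen=True)
class Policy:
    name: str
    service: Union[CustomService, ServiceGroup]
    schedule: Union[RecurringSchedule, ScheduleGroup]
    action: str                # "accept" or "deny"


def lookup(policies: Sequence[Policy], pkt: Packet, now: datetime) -> Tuple[str, str]:
    """Return (policy name, action) for the first policy whose service and
    schedule both match. Falling through to deny is this example's assumption."""
    for p in policies:
        if p.service.matches(pkt) and p.schedule.active(now):
            return p.name, p.action
    return "implicit", "deny"


# Constructed sample objects (not from the page).
HTTP = CustomService("HTTP", "TCP/UDP/SCTP", dst_ports=(80, 80))
HTTPS = CustomService("HTTPS", "TCP/UDP/SCTP", dst_ports=(443, 443))
PING = CustomService("PING", "ICMP", icmp_type=8, icmp_code=0)
GRE = CustomService("GRE", "IP", protocol_number=47)
WEB = ServiceGroup("Web", [HTTP, HTTPS])
BUSINESS_HOURS = RecurringSchedule("BusinessHours", {0, 1, 2, 3, 4}, time(8, 0), time(18, 0))
ALWAYS = RecurringSchedule("always", set(range(7)), time(0, 0), time.max)

POLICIES = [
    Policy("allow-web", WEB, BUSINESS_HOURS, "accept"),
    Policy("allow-ping", PING, ALWAYS, "accept"),
    Policy("allow-gre", GRE, ALWAYS, "accept"),
]

if __name__ == "__main__":
    print(lookup(POLICIES, Packet("tcp", 40000, 443), datetime(2010, 6, 7, 10, 0)))
```

Because a TCP/UDP/SCTP service matches all three transports, the Web group above also matches a UDP datagram to port 80; a custom service that should only cover TCP needs the narrower predefined entry or a separate definition.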

Firewall Actions

The firewall action identifies the response to make when the policy matches a connection attempt. Packet handling actions can be Accept, Deny, SSL-VPN or IPSec, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying threat management features such as virus scanning to be applied to packets in the session. If the initial packet matches the firewall policy, the FortiGate unit performs the configured action and any other configured options on all packets in the session.

Accept: A policy action of Accept permits communication sessions.

Deny: A policy action of Deny blocks communication sessions, and may optionally log the denied traffic.

SSL VPN: A policy action of SSL-VPN configures an SSL VPN firewall encryption policy to accept SSL VPN traffic. This action is available only after an SSL VPN user group has been added. Policies with an SSL-VPN action can also include settings for NAT and identity-based policies. SSL VPN will be covered in further detail in Lesson 6 - SSL VPN.

IPSec: A policy action of IPSec applies a firewall encryption policy to process packets in policy-based IPSec VPNs. Tunnel options must be identified when assigning an action of IPSec for the policy. In addition, threat management features such as virus scanning can be specified to be applied to packets in the session, as well as traffic shaping. IPSec VPN is covered in further detail in Course 301 - Secure Network Deployment and IPSec VPN.

Logging Traffic

Enable Log Allowed Traffic for Accept, SSL-VPN or IPSec policies, or Log Violation Traffic for Deny policies, to record messages to the traffic log whenever the policy processes a connection. Logging will be performed based on the configuration defined in Log&Report > Log Config > Log Settings. Additional details regarding logging are provided in Lesson 2 - Logging and Alerts.

Network Address Translation

Network Address Translation (NAT) of the source address and port of packets accepted by the policy can be enabled as part of the firewall policy.

No NAT: If no address translation of the source address is to be performed by the FortiGate unit for this policy, enable No NAT.

Enable NAT: Click Enable NAT when address translation is necessary. In this example, the IP address of the client on the internal network is translated from 10.10.10.1 to 192.168.12.2.

Dynamic IP Pool: When Enable NAT is selected in the firewall policy and an IP pool has been defined, the option to enable Dynamic IP Pool becomes available. Enable Dynamic IP Pool, and select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool. An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added. An IP pool can only be associated with an interface. IP pools cannot be used when using zones. In this example, the IP address of the client on the internal network is translated from 10.10.10.1 to an address within the 172.16.12.2 - 172.16.12.12 range.

Multiple IP pools can be added on the FortiGate device and the appropriate pool can be selected when creating a policy. To view the list of available IP pools on the FortiGate unit, go to Firewall > Virtual IP > IP Pool. To view or modify any individual pool in the list, select the pool and click Edit or double-click the entry.

New IP pools can be defined by clicking Create New on the IP Pool List page or by selecting [Create...] from the Dynamic IP Pool drop-down list on the New Policy page. Complete the parameters of the IP pool as needed.

Name: The name assigned to the IP Pool will be used to identify the pool when Dynamic IP Pool is enabled on the New Policy page.
IP Range/Subnet: Define the IP address range and subnet for the IP pool.

Central NAT Table

Central NAT Table allows the manual creation of NAT rules and NAT mappings. These rules will allow the administrator to control port translation instead of allowing the system to assign them randomly. These NAT rules can be used in firewall policies by selecting the Use Central NAT Table option. Multiple NAT rules can be added on the FortiGate device.

To view the list of available NAT rules on the FortiGate unit, go to Firewall > Policy > Central NAT Table. To view or modify any individual NAT rules in the list, select the table and click Edit or double-click the entry.

New NAT rules can be defined by clicking Create New on the NAT Table List page. Complete the parameters of the NAT rule as needed.

Source Address: Select the source IP address from the list, or click [Create New] to define a new source IP address. A group of source addresses can be defined by clicking Multiple.
Translated Address: Select a dynamic IP pool from the list or click [Create New] to define a new dynamic IP pool. A group of multiple translated addresses can be defined by clicking Multiple.
Original Port: Enter the port that the address is coming from.
Translated Port: Enter the translated port number.

Fixed Port

When NAT is enabled in the firewall policy, the option to enable Fixed Port becomes available. Some applications do not function correctly if the source port is translated. Enable Fixed Port to prevent NAT from translating the source port. If Dynamic IP Pool is not enabled, a policy with Fixed Port enabled can only allow one connection to that service at a time. In most cases, if Fixed Port is enabled, Dynamic IP Pool is also enabled. Fixed port NAT can only be enabled through the CLI.

In this example, the IP address of the client on the internal network is translated from 10.10.10.1 to an address within the 172.16.12.2 - 172.16.12.12 range, but the source port of 1025 is not translated.
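The following is an added example, not code from the course or from FortiOS, that models the source NAT options from the preceding pages (Enable NAT, Dynamic IP Pool and Fixed Port) as a small binding allocator, using the same addresses as the page's examples. It shows why Fixed Port without a pool permits only one connection per service at a time, and why an IP pool of 11 addresses lifts that to 11: with the source port pinned, the only remaining freedom is the translated address. The class names, the allocation order, the ephemeral port range, and the server address 203.0.113.10 are assumptions made for this example.

```python
"""Toy source NAT allocator: interface-address NAT, Dynamic IP Pool, Fixed Port.
Added illustration; not FortiOS code. Names and allocation order are assumptions."""
import ipaddress
import itertools
import random
from typing import Dict, List, Optional, Tuple

# A binding is keyed on the translated 4-tuple, so two sessions to the same
# service can never share a translated address and port.
Key = Tuple[str, int, str, int]          # (xlate addr, xlate port, dst addr, dst port)


class IpPool:
    """Firewall > Virtual IP > IP Pool: one address or a contiguous range."""
    def __init__(self, name: str, start: str, end: str):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if hi < lo:
            raise ValueError("pool end precedes pool start")
        self.name = name
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]


class SourceNat:
    def __init__(self, interface_ip: str, pool: Optional[IpPool] = None,
                 fixed_port: bool = False, seed: int = 0):
        self.interface_ip = interface_ip
        self.pool = pool                 # None = translate to the interface address
        self.fixed_port = fixed_port
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.bindings: Dict[Key, Tuple[str, int]] = {}   # translated -> original (src, port)

    def translate(self, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Pick a translated (address, port) for a new session, or None if none is free."""
        addrs = list(self.pool.addresses) if self.pool else [self.interface_ip]
        self.rng.shuffle(addrs)          # page: a pool address is selected at random
        for addr in addrs:
            if self.fixed_port:
                ports = iter([sport])    # the source port must survive untouched
            else:
                # Assumption: keep the original port when free, else take an ephemeral one.
                ports = itertools.chain([sport], range(1024, 65536))
            for port in ports:
                key = (addr, port, dst, dport)
                if key not in self.bindings:
                    self.bindings[key] = (src, sport)
                    return addr, port
        return None                      # Fixed Port without a pool: one session per service

    def release(self, addr: str, port: int, dst: str, dport: int) -> None:
        self.bindings.pop((addr, port, dst, dport), None)


# Constructed scenario mirroring the page's client addresses (not FortiOS output).
WEB = ("203.0.113.10", 80)               # documentation-range server address, assumed


def demo() -> Dict[str, object]:
    plain = SourceNat("192.168.12.2", fixed_port=True)
    first = plain.translate("10.10.10.1", 1025, *WEB)
    second = plain.translate("10.10.10.2", 1025, *WEB)      # same port, same service
    pooled = SourceNat("192.168.12.2", IpPool("pool1", "172.16.12.2", "172.16.12.12"),
                       fixed_port=True)
    with_pool: List[Optional[Tuple[str, int]]] = [
        pooled.translate(f"10.10.10.{i}", 1025, *WEB) for i in range(1, 12)]
    return {"plain_first": first, "plain_second": second, "pooled": with_pool}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the conflict is per destination service: with Fixed Port and no pool, a second client using source port 1025 toward a different server or port still gets a binding, which is the behaviour the page describes as "one connection to that service at a time".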

Destination Network Address Translation

Destination Network Address Translation (DNAT) accepts packets from an external network that are intended for a specific destination IP address, translates the destination address of the packets to a mapped IP address on another hidden network, and then forwards the packets through the FortiGate unit to the hidden destination network.

Identity-Based Policies

Identity-based policies can be enabled to configure firewall policies to require authentication. If identity-based policies are enabled in a firewall policy, network users must send traffic involving a supported firewall authentication protocol to trigger the firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the firewall policy.

Authentication rules must be defined to specify the user group details identifying users who will be forced to authenticate. Identity-based policies will be examined in further detail in Lesson 6 - Authentication.

Disclaimers

Enabling Disclaimer and Redirect URL displays the Authentication Disclaimer page (a replacement message) that the user must accept to connect to the destination. If you enter a URL in the Redirect URL field, the user is redirected to that URL after authenticating and/or accepting the user authentication disclaimer. The disclaimer option is available when Identity-based Policy is enabled.

Threat Management

The threat management capabilities of the FortiGate unit are enabled in the firewall policy. UTM elements that apply different protection settings are preconfigured, then selected when the policy is created. The types and levels of protection for different firewall policies can be customized; for example, traffic between trusted internal addresses can use moderate protection, and traffic between internal and external addresses can use strict protection.

Threat management attributes available in firewall policies include:
• Protocol Options
• Antivirus
• IPS
• Web Filtering
• Email Filtering
• Data Leak Prevention
• Application Control
• VoIP

Enabling UTM in the New Policy window will allow the selection of the threat management elements.


Protocol Options

Protocol options include settings related to proxy operations. A Protocol Options List can be selected when UTM is enabled in a firewall policy. To enable the attributes contained in a Protocol Options List within the policy, select the list from the Protocol Options drop-down list, or click [Create New...] to define a new list. Click Edit to modify a selected Protocol Options List from the Policy page.

Multiple Protocol Options Lists can be added on the FortiGate device and the appropriate list can be selected when creating a policy. To view the list of available Protocol Options Lists on the FortiGate unit, go to Firewall > Policy > Protocol Options. To view or modify any individual Protocol Options Lists, select the list and click Edit or double-click the entry.

New Protocol Options Lists can be defined by clicking Create New on the Protocol Options List page or by selecting [Create New...] from the Protocol Options drop-down list on the New Policy page. Complete the parameters of the protocol options as needed.

Name: The name assigned to the Protocol Options list will be used to identify the list on the New Policy page.
Enable Oversized File Log: Select to enable logging of oversized files.
Enable Invalid Certificate Log: Select to enable logging of invalid certificates.

Expand each protocol to view the attributes specific to that protocol.

HTTP

Expand HTTP to set the attributes affecting HTTP traffic.

Port: Identify the port to which the protocol options will be applied when scanning HTTP traffic.
Comfort Clients: Client comforting helps to prevent client application timeouts while files are being buffered for scanning by the FortiGate unit.
• Interval is the time in seconds before client comforting starts after the download has begun. It is also the time between subsequent intervals.
• Amount is the number of bytes sent at each interval.
Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using HTTP, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.

Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard menu.
Enable Chunked Bypass: Select to enable the chunked bypass setting.

HTTPS

Expand HTTPS to set the attributes affecting secured HTTP traffic.

Port: Identify the port to which the protocol options will be applied when scanning HTTPS traffic.
Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard menu.
Allow Invalid SSL Certificate: Enable to allow expired or invalid digital certificates to be accepted.

FTP

Expand FTP to set the attributes affecting FTP traffic.

Port: Identify the port to which the protocol options will be applied when scanning FTP traffic.
Comfort Clients: Client comforting helps to prevent client application timeouts while files are being buffered for scanning by the FortiGate.
• Interval is the time in seconds before client comforting starts after the download has begun. It is also the time between subsequent intervals.
• Amount is the number of bytes sent at each interval.
Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using FTP, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.
Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard.

IMAP

Expand IMAP to set the attributes affecting IMAP traffic.

Port: Identify the port to which the protocol options will be applied when scanning IMAP traffic.
Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using IMAP, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.
Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard.
Allow Fragmented Messages: Enable to allow fragmented email messages.

POP3

Expand POP3 to set the attributes affecting POP3 traffic.

Port: Identify the port to which the protocol options will be applied when scanning POP3 traffic.
Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using POP3, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.
Monitor Content Information for Dashboard: Enable to view the activity of the protocol from the Dashboard.
Allow Fragmented Messages: Enable to allow fragmented email messages to be passed.

SMTP

Expand SMTP to set the attributes affecting SMTP traffic.

Port: Identify the port to which the protocol options will be applied when scanning SMTP traffic.
Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using SMTP, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.
Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard.
Allow Fragmented Messages: Enable to allow fragmented email messages to be passed.
Append Email Signatures: Enable if a signature is to be appended by the FortiGate unit to any email transferred using SMTP.
Email Signature Text: Type the text of the email signature to be appended using SMTP. This text field becomes available when the Append Email Signature option is enabled.

IM

Expand IM to set the attributes affecting instant messaging traffic.

Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using IM, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.
Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard.

NNTP

Expand NNTP to set the attributes affecting NNTP traffic.

Port: Identify the port to which the protocol options will be applied when scanning NNTP traffic.
Oversize File/Email: Define the action to be taken on any oversize files or emails being transferred using NNTP, either Pass or Block.
• Threshold defines the size of the file or email to trigger the action.
Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard.

Antivirus

Click Enable Antivirus to enforce the attributes contained in an antivirus profile within the policy. Select the antivirus profile from the drop-down list, or click [Create New...] to define a new profile. Click Edit to modify a selected antivirus profile from the Policy page. Creating an antivirus profile is described in detail in Lesson 8 - Antivirus.

IPS Filtering

Click Enable IPS to enforce the rules contained in an IPS sensor within the policy. Select the IPS sensor from the drop-down list, or click [Create New...] to define a new IPS sensor. Click Edit to modify a selected IPS sensor from the Policy page. Creating an IPS sensor is described in detail in Course 301 - Secure Network Deployment and IPSec VPN.

Web Filtering

Click Enable Web Filter to enforce the attributes contained in a web filter profile within the policy. Select the web filter profile from the drop-down list, or click [Create New...] to define a new web filter profile. Click Edit to modify a selected web filter profile from the Policy page. Creating a web filter profile is described in detail in Lesson 10 - Web Filtering.

Email Filtering

Click Enable Email Filter to enforce the attributes contained in an email filter profile within the policy. Select the email filter profile from the drop-down list, or click [Create New...] to define a new email filter profile. Click Edit to modify a selected email filter profile from the Policy page. Creating an email filter profile is described in detail in Lesson 9 - Email Filtering.

DLP Filtering

Click Enable DLP Sensor to enforce the rules contained in a DLP sensor within the policy. Select the DLP sensor from the drop-down list, or click [Create New...] to define a new DLP sensor. Click Edit to modify a selected DLP sensor from the Policy page. When a DLP sensor is enabled, a Protocol Options list must be selected. Creating a DLP sensor is described in detail in Lesson 11 - Data Leak Prevention.

Application Control

Click Enable Application Control to enforce attributes contained in an application control list within the policy. Select the application control list from the drop-down list, or click [Create New...] to define a new application control list. Click Edit to modify a selected application control list from the Policy page. Creating an application control list is described in detail in Lesson 12 - Application Control.

VoIP

Click Enable VoIP to enforce attributes contained in a VoIP profile within the policy. Select the VoIP profile from the drop-down list, or click [Create New...] to define a new VoIP profile. Click Edit to modify a selected VoIP profile from the Policy page.

Traffic Shaping

Traffic shaping controls the available bandwidth and the priority of traffic processed by a policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for an employee's computer. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits, and priority queue adjustment to assist packets in achieving the guaranteed rate. Traffic shaping does not increase the total amount of bandwidth available but is used to improve the quality of bandwidth-intensive and sensitive traffic.

Traffic shaping is available for Accept, IPSEC, and SSL-VPN policies and is also available for all supported services. Click to enable Traffic Shaping on the policy. Select a traffic shaper from the drop-down list or click [Create New...] to define a new traffic shaper. Click Edit to modify a selected traffic shaper from the Policy page. If traffic shaping is to be applied to traffic passing in the reverse direction, enable Reverse Direction Traffic Shaping and select a traffic shaper from the list.

Traffic Shapers

Traffic shapers help to ensure that traffic may consume bandwidth at least at the guaranteed rate by assigning a greater priority queue if the guarantee is not being met. Also, it ensures that traffic cannot consume bandwidth greater than the maximum at any given instant in time. Flows greater than the maximum rate are subject to traffic policing.

After packet acceptance, the FortiGate unit classifies traffic and may apply traffic policing at additional points during processing. It may also apply additional QoS techniques, such as prioritization and traffic shaping, sometimes used instead with differentiated services. Packets may or may not use a priority queue directly or indirectly derived from the Type of Service (ToS) byte in the packet's IP header.

For traffic passing through the FortiGate unit, the method used is determined by the priority queue and whether traffic shaping is enabled. If traffic shaping is not enabled in the firewall policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS byte in its header with the values configured on the FortiGate unit. If traffic shaping is enabled in the firewall policy, the FortiGate unit may instead or also subject packets to traffic policing, or priority queue increase in an effort to meet bandwidth guarantees configured in the firewall policy.

For traffic types originating on or terminating at the FortiGate unit, such as administrative access to the FortiGate unit through HTTPS or SSH, or IPSec tunnel negotiations, firewall policies do not apply, and therefore FortiGate units do not apply traffic shaping. Such traffic also uses the highest priority queue, queue 0. Exceptions to this rule include traffic types that, while technically originated by the FortiGate unit, are connections related to a session governed by a firewall policy. For example, if the administrator has enabled scanning by FortiGuard Antivirus, traffic from the sender technically terminates at the FortiGate proxy that scans that traffic type; the FortiGate unit initiates a second connection that transmits scanned content to its destination. Because the second connection's traffic is technically originating from the FortiGate proxy and therefore the FortiGate unit itself, it uses the highest priority queue, queue 0. However, this connection is logically associated with through traffic, and is therefore subject to possible bandwidth enforcement and guarantees in its governing firewall policy. In this way, it behaves partly like other through traffic.

Packet rates specified for Maximum Bandwidth or Guaranteed Bandwidth are: rate = amount / time (where rate is expressed in kilobytes per second (KB/s)). Burst size at any given instant cannot exceed the amount configured in Maximum Bandwidth. Packets deduct from the amount of bandwidth available to subsequent packets and available bandwidth regenerates at a fixed rate. As a result, bandwidth available to a given packet may be less than the configured rate, down to a minimum of 0 KB/s.

Rate calculation and behavior can alternatively be described using the token bucket metaphor, where:
• A traffic flow has an associated bucket, which represents burst size bounds, and is the size of the configured bandwidth limit.
• The bucket receives tokens, which represent available bandwidth, at the fixed configured rate.
• As time passes, tokens are added to the bucket, up to the capacity of the bucket; excess tokens are discarded.
• When a packet arrives, the packet must deduct bandwidth tokens from the bucket equal to its packet size in order to egress.
• Packets cannot egress if there are insufficient tokens to pay for their egress; these non-conformant packets are dropped.

Bursts are not redistributed over a longer interval, so bursts are propagated rather than smoothed, although their peak size is limited. Maximum burst size is the capacity of the bucket (the configured bandwidth limit); actual size varies by the current number of tokens in the bucket, which may be less than bucket capacity, due to deductions from previous packets and the fixed rate at which tokens accumulate. A depleted bucket refills at the rate of the configured bandwidth limit. Bursts cannot borrow tokens from other time intervals; the available bandwidth at a given moment may be less than bucket capacity, but the limit on the total amount per time interval is ensured. By limiting traffic peaks and token regeneration in this way, total bandwidth use during each interval of one second is at most the integral of the configured rate. Packets in excess are dropped.

Traffic Shaping Considerations

Traffic shaping will by definition attempt to normalize traffic peaks/bursts and can be configured to prioritize certain flows over others. There is a physical limitation to the amount of data which can be buffered and for how long. Once these thresholds have been surpassed, frames and packets will be dropped and sessions will be affected. Incorrect traffic shaping configurations may actually further degrade certain network flows, since the excessive discarding of packets can create additional overhead at the upper layers, which may be attempting to recover from these errors.

A basic traffic shaping example would be to prioritize certain traffic flows at the detriment of other traffic which can be discarded. Performance and stability are sacrificed on traffic X to increase or guarantee performance and stability for traffic Y. If applying bandwidth limitations to certain flows, the fact that these sessions can be limited and, therefore, negatively impacted must be accepted.

Traffic shaping is enforced for traffic which may flow in either direction. A session, which may be set up by an internal host to an external one through an internal → external policy, will have traffic shaping applied even if the data stream is then coming from external to internal. If traffic shaping is not applied to a policy, the policy is set to high priority by default.

To make traffic shaping work efficiently, be sure to observe the following rules:
• Enable traffic shaping on all firewall policies.
• Distribute firewall policies over all three priority queues (low, medium, and high).
• Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.

Traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic shaping is not effective during extremely high-traffic situations where the traffic is exceeding the FortiGate unit's capacity. Packets must be received by the FortiGate unit before they are subject to traffic shaping. If the FortiGate unit cannot process all of the traffic it receives, dropped packets, delays, and latency are likely to occur. To ensure that traffic shaping is working at its best, verify that the interface Ethernet statistics are clean of errors, collisions, or buffer overruns. If these are not clean, the FortiGate settings may require adjusting.

Shared Traffic Shapers
Shared traffic shapers will apply the Guaranteed and Maximum Bandwidth values defined between all IP addresses affected by the policy. In effect, the settings are shared between all IP addresses. Multiple shared traffic shapers can be added on the FortiGate device and the appropriate shared traffic shapers can be selected when creating a policy.

To view the list of available shared traffic shapers on the FortiGate unit, go to Firewall > Traffic Shaper > Shared. To view or modify any shared traffic shapers in the list, select the traffic shaper and click Edit or double-click the entry.

New shared traffic shapers can be defined by clicking Create New on the Shared Traffic Shaper List page, or by selecting [Create New...] from the Traffic Shaping drop-down list on the New Policy page. Complete the parameters of the shared traffic shaper as needed.

Name: The name assigned to the shared traffic shaper will be used to identify the traffic shaper on the New Policy page.
Apply Shaper: Select Per Policy or For All Policies Using This Shaper.
Maximum Bandwidth: Identify the amount of bandwidth available for selected network traffic (in Kbytes/sec).
Guaranteed Bandwidth: Identify the guaranteed amount of bandwidth available for selected network traffic (in Kbytes/sec).
Traffic Priority: Select a traffic priority of High, Medium, or Low. Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority. The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

The bandwidth available for traffic controlled by a policy is used for both control and data sessions and is used for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal to external FTP policy and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy.

The guaranteed and maximum bandwidth available for a policy is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communications sessions using the same policy, all of these communications sessions must share the available bandwidth for the policy.

Bandwidth availability is not shared between multiple instances of using the same service if these multiple instances are controlled by different policies. For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.

Per-IP Traffic Shapers
Per-IP traffic shapers will apply the Guaranteed and Maximum Bandwidth values defined to all IP addresses affected by the policy. In effect, every IP address will receive the total of the bandwidth values indicated. Per-IP traffic shapers will override shared traffic shapers. Multiple per-IP traffic shapers can be added on the FortiGate device and the appropriate per-IP traffic shapers can be selected when creating a policy.

Click to enable Per-IP Traffic Shaping on the policy and select a per-IP traffic shaper from the list, or click [Create New...] to define a new Traffic Shaper. Click Edit to modify the selected per-IP traffic shaper on the Policy page.

To view the list of available per-IP traffic shapers on the FortiGate unit, go to Firewall > Traffic Shaper > Per-IP. To view or modify any per-IP traffic shapers in the list, select the traffic shaper and click Edit or double-click the entry.

New per-IP traffic shapers can be defined by clicking Create New on the Per-IP Traffic Shaper List page, or by selecting [Create New...] from the Per-IP Traffic Shaping drop-down list on the New Policy page. Complete the parameters of the per-IP traffic shaper as needed.

Name: The name assigned to the per-IP traffic shaper will be used to identify the traffic shaper on the New Policy page.
Maximum Bandwidth: The amount of bandwidth available for selected network traffic (in Kbytes/sec) is limited to this value.
Guaranteed Bandwidth: The guaranteed amount of bandwidth available for selected network traffic (in Kbytes/sec) is defined by this value.

Virtual IPs
Virtual IPs can be used to allow connections through a FortiGate unit using network address translation firewall policies. A virtual IP can be a single IP address or an IP address range bound to a FortiGate unit interface. When an IP address or IP address range is bound to a FortiGate unit interface using a virtual IP, the interface responds to ARP requests for the bound IP address or IP address range.

Virtual IPs use Proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. For example, add a virtual IP to an external FortiGate unit interface so that the external interface can respond to connection requests for users who are actually connecting to a server on the DMZ or internal network.

A virtual IP's external IP address can be a single IP address or an IP address range, and is bound to a FortiGate unit interface. When you bind the virtual IP's external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address or IP address range.

To implement the translation configured in the virtual IP or IP pool, it must be added to a NAT firewall policy. To add a firewall policy that maps addresses on an external network to an internal network, add an external to internal firewall policy and add the virtual IP to the destination address field of the policy.

For example, if the computer hosting a web server is located on the internal network, it might have a private IP address such as 10.10.10.42. To get packets from the Internet to the web server, there must be an external address for the web server on the Internet. Add a virtual IP to the firewall that maps the external IP address of the web server on the Internet to the actual address of the web server on the internal network. To allow connections from the Internet to the web server, add an external to internal firewall policy and set the Destination Address to the virtual IP. You add the virtual IP to a NAT firewall policy to actually implement the mapping configured in the virtual IP.

When virtual IPs are used, the FortiGate unit receives packets from a client. After the FortiGate unit translates the network addresses, there is no reference to the client computer's network. The addresses in the packets are remapped and forwarded to the server on the private network. The server has no indication that another network exists. The client computer's address does not appear in the packets the server receives. As far as the server can tell, all the communication is coming directly from the FortiGate unit.

When the server answers the client computer, the procedure works the same way but in the other direction. The server sends its response packets and the FortiGate unit receives them at its internal interface. This time, the firewall session table entry is used to determine what the destination address will be translated to. Virtual IPs also translate the source IP address or addresses of return packets from the source address on the hidden network to be the same as the destination address of the originating packets. After the FortiGate unit translates the network addresses, there is no reference to the server computer's network. The server computer's address does not appear in the packets the client receives. The client has no indication that the server's private network exists.

Virtual IP ranges can be of almost any size and can translate addresses to different subnets. Different kinds of virtual IPs can be created, each of which can be used for a different DNAT variation. In addition to binding the IP address or IP address range to the interface, the virtual IP also contains all of the information required to map the IP address or IP address range from the interface that receives the packets to the interface connected to the same network as the actual IP address or IP address range. Port mapping maps a range of external port numbers to a range of internal port numbers.

Virtual IP ranges have the following restrictions:
• The mapped IP cannot include 0.0.0.0 or 255.255.255.255.
• The mapped IP range must not include any interface IP addresses.
• The external IP cannot be 0.0.0.0 if the virtual IP type is static NAT and is mapped to a range of IP addresses. Therefore, only load balance virtual IPs and static NAT virtual IPs mapped to a single IP address support an external IP of 0.0.0.0.
• The external IP range cannot include any interface IP addresses.
• The virtual IP name cannot be the same as any address name or address group name.
• No duplicate entries or overlapping ranges are permitted.
• When port forwarding, the external port must not be set so that its range exceeds 65535. The number of ports in these two ranges must be equal. For example, an internal range of 20 ports mapped from external port 65530 is invalid as the last port in the range would be 65550.
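The restrictions listed above, as an added pre-flight check that is not part of the course or of FortiOS (the unit enforces them itself; this is useful when generating VIP definitions elsewhere). The interface addresses, VIP names and the 203.0.113.0/24 external addresses are constructed sample values; the overlap check is assumed to apply only between VIPs that do not use port forwarding, since the page does not say how port-distinguished entries are treated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

IPRange = Tuple[int, int]   # inclusive range of IPv4 addresses as integers


@dataclass
class VirtualIP:
    name: str
    vip_type: str              # "static-nat" or "load-balance"
    ext_start: str             # external IP address, or start of the range
    ext_end: str               # equal to ext_start for a single address
    mapped_start: str
    mapped_end: str
    port_forward: bool = False
    ext_port_start: int = 0
    ext_port_end: int = 0
    mapped_port_start: int = 0
    mapped_port_end: int = 0


def _rng(start: str, end: str) -> IPRange:
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if a > b:
        raise ValueError(f"range {start}-{end} is reversed")
    return a, b


def _contains(r: IPRange, ip: str) -> bool:
    return r[0] <= int(ipaddress.IPv4Address(ip)) <= r[1]


def _overlaps(r1: IPRange, r2: IPRange) -> bool:
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def validate_vip(vip: VirtualIP, interface_ips: Iterable[str],
                 existing: Iterable[VirtualIP], address_names: Set[str]) -> List[str]:
    """Return the restrictions the VIP violates; an empty list means it is acceptable."""
    errors: List[str] = []
    ext = _rng(vip.ext_start, vip.ext_end)
    mapped = _rng(vip.mapped_start, vip.mapped_end)

    for reserved in ("0.0.0.0", "255.255.255.255"):
        if _contains(mapped, reserved):
            errors.append(f"mapped range includes {reserved}")
    for ip in interface_ips:
        if _contains(mapped, ip):
            errors.append(f"mapped range includes interface address {ip}")
        if _contains(ext, ip):
            errors.append(f"external range includes interface address {ip}")

    if ext == (0, 0):   # external IP 0.0.0.0: interface address assigned dynamically
        single_mapped = mapped[0] == mapped[1]
        if not (vip.vip_type == "load-balance"
                or (vip.vip_type == "static-nat" and single_mapped)):
            errors.append("external IP 0.0.0.0 is only allowed for load balance VIPs "
                          "or static NAT VIPs mapped to a single IP address")

    if vip.name in address_names:
        errors.append(f"name {vip.name!r} clashes with an address or address group")
    for other in existing:
        if other.name == vip.name:
            errors.append(f"duplicate VIP name {vip.name!r}")
        # Assumption: port-forwarding VIPs may share an external address.
        if (not vip.port_forward and not other.port_forward
                and _overlaps(ext, _rng(other.ext_start, other.ext_end))):
            errors.append(f"external range overlaps VIP {other.name!r}")

    if vip.port_forward:
        ext_ports = vip.ext_port_end - vip.ext_port_start + 1
        mapped_ports = vip.mapped_port_end - vip.mapped_port_start + 1
        if vip.ext_port_end > 65535:
            errors.append(f"external port range ends at {vip.ext_port_end}, beyond 65535")
        if ext_ports != mapped_ports:
            errors.append(f"external range has {ext_ports} ports but mapped range has {mapped_ports}")
    return errors


if __name__ == "__main__":
    # Constructed sample: the page's internal web server, published on 203.0.113.10.
    iface = ["203.0.113.1", "10.10.10.1"]
    web = VirtualIP("web-server", "static-nat", "203.0.113.10", "203.0.113.10",
                    "10.10.10.42", "10.10.10.42")
    print("web-server:", validate_vip(web, iface, [], {"all-dept"}) or "ok")
    # The page's invalid example: 20 ports mapped from external port 65530.
    pf = VirtualIP("pf", "static-nat", "203.0.113.30", "203.0.113.30", "10.10.10.50",
                   "10.10.10.50", True, 65530, 65549, 8000, 8019)
    print("pf:", validate_vip(pf, iface, [web], set()))
```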

Virtual IP Mappings
Multiple virtual IP mappings can be added on the FortiGate device and the appropriate mapping can be selected when creating a policy. To view the list of available Virtual IP Mappings on the FortiGate unit, go to Firewall > Virtual IP > Virtual IP. To view or modify any virtual IP mappings in the list, select the mapping entry and click Edit or double-click the entry.

New virtual IP mappings can be defined by clicking Create New on the Virtual IP Mappings list page, or by selecting [Create New...] from the drop-down list on the New Policy page. Complete the parameters of the virtual IP mapping as needed.

Name: The name assigned to the Virtual IP Mapping will be used to identify the mapping on the New Policy page.
External Interface: Select the external interface for the mapping.
Type: Static NAT is the only type available for the Virtual IP Mapping.
External IP Address/Range: Enter the IP address or IP address range to be used for the mapping.
Mapped IP Address/Range: Enter the IP address or IP address range that the external IP address is to be mapped to.
Port Forwarding: Enable if port forwarding is to be performed.

Virtual IP Groups
Multiple virtual IPs can be organized into a group to simplify the firewall policy list. For example, instead of having five identical policies for five different but related virtual IPs located on the same network interface, combine the five virtual IPs into a single virtual IP group, which is used by a single firewall policy. Firewall policies using VIP groups are matched by comparing both the member VIP IP address(es) and port number(s). Multiple virtual IP groups can be added on the FortiGate device and the appropriate group can be selected when creating a policy.

To view the list of available virtual IP groups on the FortiGate unit, go to Firewall > Virtual IP > VIP Group. To view or modify any individual groups in the list, select the group and click Edit or double-click the entry.

New virtual IP groups can be defined by clicking Create New on the Virtual IP Group List page or by selecting [Multiple...] from the Destination Address drop-down list on the New Policy page. Complete the parameters of the virtual IP group as needed.

Group Name: The name assigned to the group will be used to identify the virtual IP group on the New Policy page.
Interface: Select the interface to which the virtual IP group will be bound.
Available VIPs: The list of available virtual IPs is displayed. Select a virtual IP and click the arrow to move it from the Available VIPs list to the Members list.
Members: The list of virtual IPs in the group is displayed. Select a virtual IP and click the arrow to remove the virtual IP from the Members list and move it back to the Available VIPs list.

Load Balancing
[Figure: an Internet user connecting through a FortiGate unit, over a LAN/WAN, to a cluster of three real servers]

FortiGate load balancing intercepts incoming traffic and shares it across available servers. By doing so, the FortiGate unit enables multiple servers to respond as if they were a single device or server, allowing more simultaneous requests to be handled. Virtual servers are configured on the FortiGate unit (load balancer) and bound to a cluster of real servers. The FortiGate unit schedules requests to the different servers and makes the parallel services of the cluster appear as a virtual service on a single IP address. The real servers may be interconnected by high-speed LAN or by a geographically dispersed WAN. The topology of the cluster is transparent to end users, and the users interact with the system as if it were only a single virtual server.

Because the load is distributed across multiple servers, the service being provided can be highly available. If one of the servers breaks down, the load can still be handled by the other servers. If the load increases substantially, more servers can be added behind the FortiGate unit in order to cope with the increased load. Server load balancing requires that at least one real server be configured, but up to eight can be used. Up to eight real servers can be bound to one virtual server.

Server Load Balancing is a dynamic, one-to-many NAT mapping. In this scenario, an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm, for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.

Load Balancing Methods
Load balancing methods include:

Static: When static load balancing is used, traffic load is spread evenly across all servers, and all servers are treated as equals regardless of response time or number of connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.
Round Robin: When round robin load balancing is used, requests are redirected to the next server. Dead servers or non-responsive servers are avoided.
Weighted: When weighted load balancing is used, servers with a higher weight value will receive a larger percentage of connections. Set the server weight when adding a server.
First Alive: When first alive load balancing is used, requests are always directed to the first alive real server.
Least Round Trip Time: When least RTT load balancing is used, requests are always directed to the server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no ping monitors are defined.
Least Session: When least session load balancing is used, requests are always directed to the server that has the least number of current connections.

Persistence
Persistence is the process of ensuring that a user is connected to the same server every time they make a request within the boundaries of a single session. Depending on the type of protocol selected for the virtual server, the following persistence options are available:

None: No persistence option is selected.
HTTP Cookie: When HTTP Cookie is selected, persistence time is equal to the cookie age. Cookie ages are set in the CLI using config firewall vip. No additional server is required.
SSL Session ID: When SSL Session ID is selected, persistence time is equal to the SSL session's. SSL session states are set in the CLI using config firewall vip. A separate server is required.

Virtual Servers
Configure a virtual server's external IP address and bind it to a FortiGate unit interface. When the virtual server's external IP address is bound to an interface on the FortiGate unit, the network interface responds to ARP requests for the bound IP address by default. Multiple virtual servers can be added on the FortiGate device and the appropriate virtual server can be selected when creating a policy.

To view the list of available virtual servers on the FortiGate unit, go to Firewall > Load Balance > Virtual Server. To view or modify any individual virtual servers in the list, select the server and click Edit.

New virtual servers can be defined by clicking Create New on the Virtual Server List page. Complete the parameters of the virtual server as needed.

Name: The name assigned to the virtual server will be used to identify it on the New Policy page.
Type: Select the type of server to be created, either HTTP, TCP, UDP or IP.
Interface: Select the interface to which the virtual server will be bound.
Virtual Server IP: Enter the IP address of the virtual server.
Virtual Server Port: Enter the port used on the virtual server.
Load Balance Method: Select the load balance method to be used for this virtual server.
Persistence: Select the persistence option for this virtual server.

HTTP Multiplexing: Enable if HTTP requests and responses are to be multiplexed over a single TCP connection.
Health Check: The list of available health check monitors is displayed. Select a health check monitor and click the arrow to move the monitor from the Available list to the Selected list. Click the arrow to remove a health check monitor from the Selected list and move it back to the Available list.

Real Servers
Real servers must be configured and bound to a virtual server. Multiple real servers can be added on the FortiGate device. To view the list of available real servers on the FortiGate unit, go to Firewall > Load Balance > Real Server and expand the name of the virtual server. To view or modify any individual real servers in the list, select the real server and click Edit or double-click the entry.

New real servers can be defined by clicking Create New on the Real Server List page. Complete the parameters of the real server as needed.

Virtual Server: Select the name of the virtual server that this real server will be bound to.
IP Address: Enter the IP address of the real server.
Port: Enter the port number of the real server.
Weight: Assign a weight value to the real server.
Maximum Connections: Enter the maximum number of connections allowed by the real server.
Mode: Select the mode, either Active, Standby or Disabled.

Health Check Monitors
To determine a virtual server's connectivity status, a health check monitor must be configured for use when polling. Multiple health check monitors can be added on the FortiGate device. To view the list of available monitors on the FortiGate unit, go to Firewall > Load Balance > Health Check Monitor. The health check monitors are displayed on the Monitor page. To view or modify any individual health check monitors in the list, expand the type of monitor, select the health check monitor and click Edit or double-click the entry.

New health check monitors can be defined by clicking Create New on the Health Check Monitors List page. Complete the parameters of the monitor as needed.

Name: Enter a name for the health check monitor.
Type: Select the type of monitor, either TCP, HTTP, or PING.
Port: Enter the port number of the health check monitor.
Interval: A health check occurs every number of seconds indicated by the interval.
Timeout: If a reply is not received within the timeout period, it will attempt a health check again.
Retry: Enter the number of retry attempts that should be made.
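The load balancing methods and persistence options described under Load Balancing Methods, together with the retry behaviour of the health check monitors above, as an added model that is not part of the course or of FortiOS. Assumptions labelled in the code: the weighted method is implemented as smooth weighted round robin (the page only states the proportional outcome), the static method is not modelled, a server is marked dead once the initial check and all Retry retries have failed, and the server names and weights are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealServer:
    name: str
    weight: int = 1
    rtt_ms: float = 0.0        # round trip time; 0 when no Ping monitor is defined
    sessions: int = 0          # current connections
    alive: bool = True
    _cw: int = 0               # running weight used by the weighted method


class HealthMonitor:
    """Tracks one real server's health. Assumption: the server is marked dead
    when the initial check and all `retry` retries fail, and alive again on
    the first reply received within the timeout."""

    def __init__(self, retry: int) -> None:
        self.retry = retry
        self.failures = 0

    def record(self, server: RealServer, replied_within_timeout: bool) -> bool:
        if replied_within_timeout:
            self.failures = 0
            server.alive = True
        else:
            self.failures += 1
            if self.failures > self.retry:   # initial attempt + retry retries
                server.alive = False
        return server.alive


class VirtualServer:
    """Chooses a real server for each new request using one of the page's methods."""

    def __init__(self, servers: List[RealServer], method: str = "round-robin",
                 persistence: Optional[str] = None) -> None:
        self.servers = servers
        self.method = method
        self.persistence = persistence            # None or "http-cookie"
        self._last = -1                           # index of the last round-robin pick
        self._sticky: Dict[str, RealServer] = {}  # cookie -> server while persisted

    def pick(self, cookie: Optional[str] = None) -> Optional[RealServer]:
        # Persistence overrides the balancing method for a known session.
        if self.persistence and cookie in self._sticky and self._sticky[cookie].alive:
            chosen = self._sticky[cookie]
        else:
            alive = [s for s in self.servers if s.alive]   # dead servers avoided
            if not alive:
                return None
            chosen = self._select(alive)
            if self.persistence and cookie is not None:
                self._sticky[cookie] = chosen
        chosen.sessions += 1
        return chosen

    def _select(self, alive: List[RealServer]) -> RealServer:
        if self.method == "first-alive":
            return alive[0]
        if self.method == "round-robin":
            n = len(self.servers)
            for step in range(1, n + 1):            # next alive server in list order
                idx = (self._last + step) % n
                if self.servers[idx].alive:
                    self._last = idx
                    return self.servers[idx]
        if self.method == "weighted":
            # Smooth weighted round robin (assumed algorithm): over one cycle of
            # total-weight picks each server is chosen weight times.
            total = sum(s.weight for s in alive)
            for s in alive:
                s._cw += s.weight
            chosen = max(alive, key=lambda s: s._cw)
            chosen._cw -= total
            return chosen
        if self.method == "least-session":
            return min(alive, key=lambda s: s.sessions)
        if self.method == "least-rtt":
            return min(alive, key=lambda s: s.rtt_ms)   # all 0 -> first server
        raise ValueError(f"unknown load balance method {self.method!r}")


def release(server: RealServer) -> None:
    """Close one session on the server (keeps least-session accounting honest)."""
    server.sessions = max(0, server.sessions - 1)


if __name__ == "__main__":
    a, b, c = RealServer("A"), RealServer("B"), RealServer("C")   # constructed
    monitor = HealthMonitor(retry=2)
    for reply in (False, False, False):      # three missed replies: B goes dead
        monitor.record(b, reply)
    vs = VirtualServer([a, b, c], "round-robin")
    print([vs.pick().name for _ in range(4)])   # B is skipped
```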

Monitors
The Load Balance Monitor List displays the status of virtual and real servers and presents an option to start or stop the servers.

DoS Policy List
DoS policies are used to apply DoS sensors to network traffic based on the FortiGate unit interface the traffic is leaving or entering the network on. DoS policies are examined in detail in Course 301 - Secure Network Deployment and IPSec VPN.

Sniffer Policy List
Sniffer policies can configure a FortiGate unit interface to operate as a one-arm IPS appliance by sniffing packets for attacks without actually receiving and otherwise processing the traffic. One-arm IPS is examined in further detail in Course 301 - Secure Network Deployment and IPSec VPN.

Firewall Suggested Practices
Fortinet suggests the following practices related to maintaining the firewall:

General
The settings for a firewall policy should be as specific as possible. Use subnets or specific IP addresses for source and destination addresses and use individual services or service groups. Use a 32-bit subnet mask when creating a single host address, for example, 255.255.255.255. Use the external IP of 0.0.0.0 when creating a VIP for a FortiGate unit where the external interface IP address is dynamically assigned. Traffic shaping bandwidth management is in kilobytes; multiply by eight to calculate the kilobits.

Policies
Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting at the top of the policy list. For example, a very general policy matches all connection attempts. When creating exceptions to a general policy, add them to the policy list above the general policy. If all policies are removed from the firewall, there are no policy matches and all connections are dropped.

NAT
For security purposes, NAT mode is preferred because all the internal or DMZ networks can have secure private addresses. NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone. Do not enable source NAT for inbound traffic unless it is required by an application. If, for example, NAT is enabled for inbound SMTP traffic, the SMTP server might act as an open relay.

The FortiGate unit can send all log message types, as well as quarantine files, to a FortiAnalyzer unit for storage. Log files stored on a FortiAnalyzer unit can be uploaded to an FTP server for archival purposes. The Syslog protocol (UDP port 514) is used by default by the FortiGate unit to transport log messages to the FortiAnalyzer unit. TCP port 514 (OFTP) is used for the transfer of the content archive and the remote viewing of log files and reports. If logging data is traversing a public network, an IPSec tunnel can be used to secure the communication between the FortiGate and the FortiAnalyzer devices.

FortiGate units running FortiOS version 3.0 or greater can use Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate administrator selects Automatic Discovery, the FortiGate unit uses HELO packets to locate FortiAnalyzer units on the network within the same subnet. If FDP has been enabled for its interface to that subnet, the FortiAnalyzer unit will respond. Once the FortiGate unit discovers a FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer and begins sending log data. Depending on its configuration, the FortiAnalyzer unit may then automatically register the device and save its data, add the device but ignore its data, or ignore the device entirely.

FortiGate devices can support up to three FortiAnalyzer devices and/or syslog servers for logging. This allows load balancing of log traffic in busy network environments. (Logging to multiple destinations is configured using the CLI.)

Lab 3 Firewall Policies

Objectives
In this lab, firewall policy objects will be created and a new policy will be configured and tested.

Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Creating Firewall Policy Objects
• Exercise 2 Creating Firewall Policies
• Exercise 3 Testing Firewall Policies
• Exercise 4 Configuring Virtual IP Access
• Exercise 5 Debug Flow

Timing
Estimated time to complete this lab: 45 minutes

Exercise 1 Creating Firewall Policy Objects
1 In Web Config, go to Firewall > Address > Address. Click Create New and configure a new address object for the internal subnet IP using the following settings:
Address Name: all-dept
Type: Subnet/IP Range
Subnet/IP Range: 192.168.1.0/24
Interface: Any
Click OK to save.

2 Go to Firewall > Service > Group. Click Create New to configure a new group with the services shown below. To select the services for the web group, click the arrow buttons to move them between the Available Services and Members lists:
Group Name: web
Members: DNS, HTTP, HTTPS, PING
Click OK to save the change.

3 Go to Firewall > Schedule > Recurring. Click Create New to configure a new recurring schedule using the following parameters:
Name: office_hours
Day: Monday to Friday
Start: Hour: 08 Minute: 00
Stop: Hour: 20 Minute: 00
Click OK.

Note: When using schedules, make sure that the system time is at the correct local setting. From the CLI, type the exec time command, or go to System > Dashboard > Status in Web Config and view the System Information widget.

Exercise 2 Creating Firewall Policies
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore, a firewall policy only needs to be created for the direction of the originating traffic.

1 Go to Firewall > Policy > Policy and expand the internal → wan1 interface list. Select the default policy and click Edit (or double-click the entry) to view the factory settings. Click Cancel to return to the Policy List.

2 Disable this unrestricted policy by unchecking the internal → wan1 policy in the Status column.

Note: It is useful to keep the default internal → wan1 policy available for testing purposes since it will allow all traffic types from any address to any address to pass through the FortiGate device.

3 Create a new firewall policy that will be used to provide general Internet access. Go to Firewall > Policy > Policy. Click Create New and configure the following settings:
Source Interface/Zone: internal
Source Address: all-dept
Destination Interface/Zone: wan1
Destination Address: all
Schedule: office_hours
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Comments: General Internet access
Click OK after entering all the parameters.

This new all-dept policy will be displayed in the section view of the Policy List under internal → wan1.

4 Create a policy for an IP range used by a specific group of users, in this scenario the support department. On the Policy List, click Create New to create the support department Internet access policy using the following settings:
Source Interface / Zone: internal
Source Address: Select [Create New...]
    Address Name: support-dept
    Type: Subnet/IP Range
    Subnet/IP Range: 192.168.1.110-192.168.1.210
    Interface: Any
Destination Interface / Zone: wan1
Destination Address: all
Schedule: office_hours
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Comments: Support Internet access
Click OK. This new support-dept policy will be displayed in the section view of the Policy List under internal → wan1.

5 Select the support-dept policy created in step 4 and click Move to place this policy above the all-dept general Internet access policy created in step 3. In the Move Policy window, click Before, type the Policy ID of the general Internet policy and click OK. The re-ordered policy list will be displayed.

6 Create a policy allowing Internet access during a specific time period using the settings below:

    Source Interface/Zone: internal
    Source Address: support-dept
    Destination Interface/Zone: wan1
    Destination Address: all
    Schedule: Under Recurring, click [Create New...]
        Name: lunch_time
        Day: Mon-Fri
        Start: Hour 11, Minute 45
        Stop: Hour 13, Minute 15
    Service: web
    Action: ACCEPT
    Log Allowed Traffic: Enabled
    Enable NAT: Enabled
    Comments: Support lunch time Internet access

Click OK. This new support-dept lunch time policy will be displayed in the section view of the Policy List under internal → wan1.

7 Use Move to place the support-dept lunch time policy above the support-dept office hours policy. The section view of the firewall Policy List should appear as follows:

8 View the CLI configuration for the firewall policies created above:

    show firewall policy

View the CLI configuration for a single firewall policy:

    show firewall policy <ID>

Obtain the ID number of the policy from the show firewall policy output used above.

Important Points For Firewall Policy Configuration

• Policies are organized according to the direction of traffic from the originator of a request to the receiver of the request. Return traffic is automatically allowed back through due to the stateful nature of the FortiGate device.
• Policies are matched to traffic in the order they appear in the policy list rather than by ID number. Matching is based on Source, Destination, Schedule, and Service settings.
• Policies should be listed from most exclusive to most inclusive so that the proper policies are matched.
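The following is an added example, not part of the course material or FortiOS, that models the first-match behaviour described in the points above using the three policies built in this exercise. It shows why step 5 and step 7 matter: with the list in the order the exercise arrives at, a support PC at lunch time hits the lunch_time policy, while the same flow evaluated in policy ID order would hit the general all-dept policy first. The policy IDs, the address behind all-dept (assumed to be 192.168.1.0/24) and the port set behind the web service (assumed to be HTTP and HTTPS) are assumptions; the support-dept range and the two schedules are the ones from the exercise.

```python
"""Added example: first-match evaluation of an ordered policy list with
recurring schedules, modelled on the policies built in Exercise 2.
Not FortiOS code; policy ids, the all-dept subnet and the port set
behind the 'web' service are assumptions for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Schedule:
    days: FrozenSet[int]   # datetime.weekday() values, 0 = Monday
    start: time
    stop: time

    def is_active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.stop


@dataclass(frozen=True)
class Policy:
    id: int
    name: str
    srcintf: str
    dstintf: str
    src_lo: IPv4Address      # source address object, as an inclusive range
    src_hi: IPv4Address
    service: FrozenSet[int]  # destination TCP ports covered by the service
    schedule: Schedule
    action: str              # "ACCEPT" or "DENY"


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: IPv4Address
    dport: int
    when: datetime


MON_FRI = frozenset(range(5))
OFFICE_HOURS = Schedule(MON_FRI, time(8, 0), time(20, 0))    # from the exercise
LUNCH_TIME = Schedule(MON_FRI, time(11, 45), time(13, 15))   # from the exercise
WEB = frozenset({80, 443})  # assumption: the lab's 'web' service = HTTP + HTTPS


def make_policy(pid: int, name: str, lo: str, hi: str, sched: Schedule) -> Policy:
    return Policy(pid, name, "internal", "wan1", ip_address(lo), ip_address(hi),
                  WEB, sched, "ACCEPT")


# Policy ids are assumed; support-dept is the range used in step 4,
# all-dept is assumed to be the whole 192.168.1.0/24 subnet.
ALL_DEPT = make_policy(2, "General Internet access", "192.168.1.0", "192.168.1.255", OFFICE_HOURS)
SUPPORT = make_policy(3, "Support Internet access", "192.168.1.110", "192.168.1.210", OFFICE_HOURS)
SUPPORT_LUNCH = make_policy(4, "Support lunch time Internet access",
                            "192.168.1.110", "192.168.1.210", LUNCH_TIME)

# The list order the exercise arrives at after steps 5 and 7: most exclusive first.
EXERCISE_ORDER: List[Policy] = [SUPPORT_LUNCH, SUPPORT, ALL_DEPT]
# Ordered by id instead; this is the order the FortiGate does NOT use for matching.
ID_ORDER: List[Policy] = sorted(EXERCISE_ORDER, key=lambda p: p.id)


def matches(p: Policy, f: Flow) -> bool:
    """Interfaces, source address, service and schedule must all match."""
    return (p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and p.src_lo <= f.src <= p.src_hi
            and f.dport in p.service
            and p.schedule.is_active(f.when))


def first_match(policies: List[Policy], flow: Flow) -> Optional[int]:
    """Return the id of the first matching policy in list order, or None
    when nothing matches (the implicit deny at the end of the list)."""
    for p in policies:
        if matches(p, flow):
            return p.id
    return None


def web_flow(src: str, when: datetime, dport: int = 80) -> Flow:
    return Flow("internal", "wan1", ip_address(src), dport, when)


if __name__ == "__main__":
    noon = datetime(2010, 6, 2, 12, 0)   # a Wednesday, inside lunch_time
    print(first_match(EXERCISE_ORDER, web_flow("192.168.1.110", noon)))  # 4
    print(first_match(ID_ORDER, web_flow("192.168.1.110", noon)))        # 2
```

The evaluator stops at the first policy whose interfaces, source range, service and schedule all match, exactly as the points above describe, and returns None outside every schedule, which corresponds to the implicit deny at the bottom of the list.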

Exercise 3 Testing Firewall Policies

1 Open a web browser and browse to a valid web site.

2 Go to System > Dashboard > Status. In the Top Sessions pane, click the bar on the chart for the student IP address to view the session details. (If this widget is not visible, click Widget > Top Sessions.) Use the column filters to reduce the number of session entries displayed to TCP only. Locate the IP address for the student computer and HTTP port (TCP/80) and check the policy ID column.

3 Check the traffic log at Log&Report > Log Access > Traffic to see evidence of the FortiGate action, including the ID of the policy being used.

4 Change the action for the policies to Deny and ensure that Log Violation Traffic is enabled.

5 Visit another web site. Access should be denied.

6 Return to the traffic log at Log&Report > Log Access > Traffic to see evidence of the traffic violation.

Note: Be mindful of testing the firewall policy schedule outside of the specified hours.

7 Set the policy actions back to Accept.

8 **IMPORTANT** Before proceeding to the next exercise, go to Firewall > Policy > Policy and re-enable the unrestricted policy by checking the policy in the Status column of the firewall Policy List.

Exercise 4 Configuring Virtual IP Access

1 A virtual IP that uses port forwarding will be created to make the Fortinet web server appear as if it was on the local subnet and not on a non-standard port. Go to Firewall > Virtual IP > Virtual IP. Click Create New and configure the virtual IP mapping as shown below.

    Name: special-web
    External Interface: internal
    Type: Static NAT
    External IP Address: 192.168.1.209
    Mapped IP Address: Enter the IP address of www.fortinet.com. Use nslookup to verify the address for www.fortinet.com.
    Port Forwarding: Enable
    Protocol: TCP
    External Service Port: 8088
    Map to Port: 80

Click OK to save the changes.

2 To view the VIP settings through the CLI, enter the following command:

    show firewall vip

3 Create a new firewall policy to provide a guest PC access to the web server with the following settings:

    Source Interface/Zone: internal
    Source Address Name: all-dept
    Destination Interface/Zone: wan1
    Destination Address Name: special-web
    Schedule: office_hours
    Service: ANY
    Action: ACCEPT
    Log Allowed Traffic: Enabled
    Enable NAT: Enabled
    Comment: Guest PC access to web server

Click OK.

Note: The Service setting for this policy is ANY. Due to the VIP port mapping, only the configured ports will be allowed, so it is unnecessary to further restrict traffic with the Service setting.

4 Position this all-dept policy at the top of the internal → wan1 list as it has a narrower scope compared to the other policies.

5 In a new web browser window, access the following URL: http://192.168.1.209:8088 If the special-web virtual IP operation is successful, the Fortinet web page displays.

6 Try to access the following URL using the regular HTTP port of 80: http://192.168.1.209 There should be no response.

7 To view the source and destination NAT mappings, enter the following CLI command:

    get system session list

Note: This guest PC would need to be further secured by limiting the user access to only the web browser and removing administrative access and the ability to run other programs. These additional measures are operating-system dependent.

Exercise 5 Debug Flow

1 From the CLI, type the following command to clear the session table:

    diag sys session clear

If connecting to the CLI using SSH or Telnet, a log in will be required.

2 Type the CLI commands shown below to configure the debug flow to trace the route selection and session establishment for an HTTP connection to www.fortinet.com. Use nslookup to confirm the address for www.fortinet.com. Enter the following commands:

    diag debug enable
    diag debug flow filter addr <IP address of www.fortinet.com>
    diag debug flow show console enable
    diag debug flow show function-name enable
    diag debug flow trace start 100

3 From a web browser connect to the following URL and observe the debug flow trace: http://www.fortinet.com Depending on the FortiGate model being used, the output displayed may vary slightly.

SYN packet received:
    id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

SYN sent and a new session is allocated:
    id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"

Lookup for next-hop gateway address:
    id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"

Source NAT, lookup next available port:
    id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"

Matched firewall policy. Check to see which policy this session matches:
    id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"

Apply source NAT:
    id=36870 trace_id=1 func=__ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"

SYN ACK received:
    id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."

Found existing session ID. Identified as the reply direction:
    id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"

Apply destination NAT to inverse source NAT action:
    id=36870 trace_id=2 func=__ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"

Lookup for next-hop gateway address for reply traffic:
    id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"

ACK received:
    id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

Match existing session in the original direction:
    id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"

Apply source NAT:
    id=36870 trace_id=3 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"

Receive data from client:
    id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

Match existing session in the original direction:
    id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"

Apply source NAT:
    id=36870 trace_id=4 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"

Receive data from server:
    id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."

Match existing session in reply direction:
    id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"

Apply destination NAT to inverse source NAT action:
    id=36870 trace_id=5 func=ip_session_run_all_tuple line=4390 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"

4 Enter the following command to disable the debug flow trace:

    diag debug flow trace stop

5 Disable the special-web policy.
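Reading a debug flow trace by hand becomes tedious once more than a handful of packets are captured, so here is an added example (not Fortinet code) of a small parser for the trace format shown in this exercise. It groups the lines by trace_id, pulls out the received packet, the session lookup and its direction, the matched policy, the route and the NAT applied, and then checks the property the annotations above describe: every reply-direction DNAT must undo the original-direction SNAT. The sample input is a subset of the trace lines from this exercise, reformatted one line per message; the function names and the summary layout are the example's own.

```python
"""Added example: a parser for the 'diag debug flow' trace format used in
this exercise. Not Fortinet code; SAMPLE_TRACE is a subset of the lines
shown above, reformatted one message per line."""
import re
from typing import Dict

LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.:]+)->([\d.:]+)\) from (\S+)\.')
NEW_SESS_RE = re.compile(r'allocate a new session-([0-9a-f]+)')
OLD_SESS_RE = re.compile(r'Find an existing session, id-([0-9a-f]+), (original|reply) direction')
ROUTE_RE = re.compile(r'find a route: gw-([\d.]+) via (\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
NAT_RE = re.compile(r'^(SNAT|DNAT) ([\d.:]+)->([\d.:]+)$')

SAMPLE_TRACE = """\
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"
id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"
id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"
id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"
id=36870 trace_id=1 func=__ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
id=36870 trace_id=2 func=__ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"
id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"
id=36870 trace_id=3 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"
"""


def parse_trace(text: str) -> Dict[int, dict]:
    """Group the trace lines by trace_id (one per packet) into a summary dict."""
    traces: Dict[int, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt, blank line or anything else that is not a flow message
        trace_id, msg = int(m.group(2)), m.group(5)
        t = traces.setdefault(trace_id, {"packet": None, "session": None, "direction": None,
                                         "route": None, "policy": None, "snat": None, "dnat": None})
        if pkt := PKT_RE.search(msg):
            t["packet"] = {"proto": int(pkt.group(1)), "src": pkt.group(2),
                           "dst": pkt.group(3), "ingress": pkt.group(4)}
        elif s := NEW_SESS_RE.search(msg):
            t["session"], t["direction"] = s.group(1), "new"
        elif s := OLD_SESS_RE.search(msg):
            t["session"], t["direction"] = s.group(1), s.group(2)
        elif r := ROUTE_RE.search(msg):
            t["route"] = {"gw": r.group(1), "egress": r.group(2)}
        elif p := POLICY_RE.search(msg):
            t["policy"] = int(p.group(1))
        elif n := NAT_RE.match(msg):
            t[n.group(1).lower()] = (n.group(2), n.group(3))  # (before, after)
    return traces


def nat_is_consistent(traces: Dict[int, dict]) -> bool:
    """Every reply-direction DNAT must undo the original-direction SNAT:
    the DNAT input is the SNAT result, and the DNAT target host is the SNAT input."""
    snat = next((t["snat"] for t in traces.values() if t["snat"]), None)
    replies = [t for t in traces.values() if t["direction"] == "reply"]
    if snat is None or not replies:
        return False
    for t in replies:
        if t["dnat"] is None:
            return False
        before, after = t["dnat"]
        if before != snat[1] or after.split(":")[0] != snat[0]:
            return False
    return True


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    for tid, t in sorted(summary.items()):
        print(tid, t["direction"], t["session"], t["policy"], t["snat"] or t["dnat"])
    print(nat_is_consistent(summary))  # True
```

Only the first packet of a session carries the policy decision, so a trace_id with direction "original" or "reply" and no policy is expected; that is what "Find an existing session" means in the trace. The consistency check is the kind of assertion worth scripting when a NAT problem is suspected, since a mismatch between the SNAT and the reply DNAT is visible directly in these two message types.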


LESSON 4 Authentication


Lesson 4 Authentication

The computer network should only be used by those who are authorized to do so; therefore there must be a measure in place to detect and exclude any unauthorized access. On a FortiGate unit, access to network resources can be controlled by defining lists of authorized users, called user groups. To use a particular resource, the user must belong to one of the user groups that is allowed access and correctly provide credentials to prove his or her identity if asked to do so.

When user authentication is enabled, the user is presented with a request for authentication when trying to access the protected resource. The way in which the request is presented to the user depends on the method of access to that resource. The FortiGate unit can be configured to prompt for credentials during the following operations:

• When a user attempts to access a resource through an interface with a firewall policy with the Action set to ACCEPT.
• When a user attempts remote access to a private network using an SSL VPN connection.
• When a remote user attempts remote access to a private network through an IPSec VPN dialup group.
• When an administrator attempts to log into the Web Config or CLI interface.

Authentication Methods

Depending on the service requiring authentication, different mechanisms can be configured to prompt the user for credentials. If using authentication servers, the servers must be configured before configuring FortiGate users or user groups that require them.

Local Users

A local user is a user configured on a FortiGate unit. The FortiGate unit stores the user names and passwords of the users and uses them to authenticate users. This method enables access only to selected employees.

Remote Users

In an enterprise environment, it might be more convenient to use the same system that provides authentication for local area network access, email, and other services. Users who access the corporate network from home or while traveling could use the same user name and password that they use at the office. To use external authentication servers, configure them before configuring users and user groups.

The FortiGate unit can be configured to work with external authentication servers in two different ways:

• Add the authentication server to a user group. Anyone in the server's database is a member of the user group. This is a simple way to provide access to the corporate VPN for all employees, for example. Individual users do not need to be configured on the FortiGate unit.
• Specify the authentication server instead of a password. The user name must exist on both the FortiGate unit and the authentication server. User names that exist only on the authentication server cannot authenticate on the FortiGate unit.

These two uses of an authentication server cannot be combined in the same user group. If adding the server to the user group, adding individual users with authentication to that server is redundant.

RADIUS

Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. Using RADIUS authentication, the FortiGate unit forwards the user's credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the connection is refused by the FortiGate unit.

LDAP

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain databases of user names, passwords, email addresses, and other information. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.

If a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.

TACACS+

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol used to communicate with an authentication server. TACACS+ allows a client to accept a username and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default port for a TACACS+ server is 49.

Directory Services

A Directory stores information about network objects, such as users, systems and services. On networks that use Windows Active Directory (AD) or Novell eDirectory servers for authentication, FortiGate units can transparently authenticate users without asking them for their user name and password. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network and the FortiGate unit configured to retrieve information from the supported Directory.

Public-Key Infrastructure

Public Key Infrastructure (PKI) authentication utilizes digital certificates for authentication. For certificate authentication, customized certificates will be installed on the FortiGate unit and the end users can also have customized certificates installed on their browsers. For certificate authentication, no username or password are necessary.

Authenticated Operations

Firewall Authentication

When a firewall policy is created, the option to require authentication can be enabled. This option requires that the firewall Action setting be ACCEPT or SSL-VPN and that an identity-based policy be configured for the allowed group. When authentication is enabled in a firewall policy, network users must respond to a firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the firewall policy.

Protocol Support

When authentication is enabled for a firewall policy, the authentication challenge is issued for any of the four protocols (depending on the connection protocol):

• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet

The selections made in the Protocol Support list of the Authentication Settings window control which protocols support the authentication challenge. The administrator can restrict which of these supported authentication protocols may be used to authenticate by including only one of them in the firewall service selected in the authentication rules of the identity-based policy. Depending on which of these supported protocols are included in the selected firewall services group and which of those enabled protocols the network user uses to trigger the authentication challenge, the authentication style will be either certificate-based or user name and password-based.

For example, if HTTPS certificate-based authentication is required before allowing SMTP and POP3 traffic, the SMTP, POP3 and HTTPS services must be selected in the firewall policy. Prior to using either POP3 or SMTP, the network user would send traffic using the HTTPS service, which the FortiGate unit matches to an authentication rule that includes SMTP, POP3 and HTTPS, and which the FortiGate unit would use to verify the network user's certificate. Upon successful certificate-based authentication, the network user would then be able to access his or her email.

The style of the authentication method varies by the authentication protocol. If HTTP, FTP or Telnet is selected, user name and password-based authentication occurs: the FortiGate unit prompts network users to input their firewall user name and password. If HTTPS is selected, certificate-based authentication (HTTPS or HTTP redirected to HTTPS only) occurs: customized certificates must be installed on the FortiGate unit and on the browsers of network users. Otherwise, users will see a warning message and have to accept a default FortiGate certificate.

For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), customized certificates must be installed on the FortiGate unit and the users can also have customized certificates installed on their browsers.

In most cases, it is important to ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit's authentication challenge.

Firewall Authentication on Non-Standard Ports

By default, when a communication session is accepted by an identity-based firewall policy the user must authenticate with the firewall before being able to communicate through the FortiGate unit. By default, users can only authenticate with a communication session that uses the standard FTP, HTTP, HTTPS, or Telnet TCP ports (21, 80, 443, and 23 respectively). The following commands are used if firewall users need to authenticate with the FortiGate unit and if non-standard ports for FTP, HTTP, HTTPS, or Telnet sessions are being used:

    config user setting
        config auth-ports
            edit <auth_port_table_id_int>
                set port <port_integer>
                set type { ftp | http | https | telnet }
            end
        end
    end

Where <auth_port_table_id_int> is any integer and <port_integer> is the non-standard TCP authentication port number.

For each protocol, use this command to add additional non-standard authentication ports. The standard authentication port is still valid and cannot be changed; adding non-standard authentication ports does not change the standard authentication port. If the FortiGate unit is operating with virtual domains enabled, each VDOM has a different non-standard authentication port configuration.

This example illustrates firewall authentication on a non-standard port of 8080.

    diagnose sys session list

Sample output:

    session info: proto=6 proto_state=05 expire=107 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    ha_id=0 hakey=46703
    policy_dir=0 tunnel=/
    user=test group=Firewall_User
    state=may_dirty authed rem
    statistic(bytes/packets/allow_err): org=30202/629/1 reply=1727262/1201/1 tuples=2
    orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=192.168.182.88/10.0.0.23
    hook=post dir=org act=snat 10.0.0.23:3597->192.168.182.88:8080(192.168.177.108:42639)
    hook=pre dir=reply act=dnat 192.168.182.88:8080->192.168.177.108:42639(10.0.0.23:3597)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 policy_id=1 auth_info=1 chk_client_info=0 vd=0
    serial=00156a95 tos=ff/ff app=0
    dd_type=0 dd_rule_id=0

SSL VPN Authentication

Remote users must be authenticated before they can request services and/or access network resources through an SSL VPN web portal. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS, LDAP and TACACS+ to authenticate remote clients.

When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on user name, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.

Strong authentication can be used to verify the identities of SSL VPN user group members. The accounts for individual users and user groups containing those users have to be created prior to configuring strong authentication, and a firewall encryption policy has to be created to permit access by that user group. If password protection will be provided through a RADIUS, LDAP or TACACS+ server, the FortiGate unit must be configured to forward authentication requests to the appropriate server. In the case of certificate authentication, the required certificates must be installed.

IPSec Authentication

The FortiClient application can establish an IPSec tunnel with a FortiGate unit configured to act as a dialup server. The client must have an account on the FortiGate unit and be a member of the dialup user group. The FortiGate dialup server compares the local ID specified at each dialup client to the FortiGate user-account user name. The dialup-client preshared key is compared to a FortiGate user-account password. The IPSec tunnel is established if authentication is successful and the IPSec firewall policy associated with the tunnel permits access. When the FortiGate unit acts as a dialup server, it does not identify the client using the phase 1 remote gateway address. Access can be permitted only to remote peers or dialup clients that have pre-shared keys and/or peer IDs configured in user accounts on the FortiGate unit.

Whether certificates or pre-shared keys are used to authenticate the FortiGate unit, remote peers or clients can be required to have a particular peer ID. This adds another piece of information that is required to gain access to the VPN. A peer ID is not required for a remote peer or client that uses a pre-shared key and has a static IP address. If two VPN peers (or a FortiGate unit and a dialup client) are required to accept reciprocal connections based on peer IDs, enable the exchange of their identifiers when defining the phase 1 parameters.

When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the DN of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.

The options for authentication of an IPSec connection include:

• Permit access only for remote peers or clients who use certificates that are recognized. This is available only if the FortiGate unit authenticates using certificates.
• Permit access only for remote peers or clients that have a certain peer identifier (local ID) value configured. This is available with both certificate and preshared key authentication.
• Permit access to remote peers or dialup clients who each have a unique peer ID and a unique preshared key. Each peer or client must have a user account on the FortiGate unit.
• Permit access to remote peers or dialup clients who each have a unique preshared key. Each peer or client must have a user account on the FortiGate unit.

More than one FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a preshared key and assume the same identifier.

Extended Authentication

Extended Authentication (XAuth) increases security by requiring authentication of the user of the remote dialup client in a separate exchange at the end of phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS and LDAP to authenticate dialup clients. A FortiGate unit can be configured to function either as an XAuth server or an XAuth client.

A FortiGate unit can act as an XAuth server for dialup clients. When the phase 1 negotiation completes, the FortiGate unit challenges the user for a user name and password. It then forwards the user's credentials to an external RADIUS or LDAP server for verification.

The FortiGate unit can also be configured as an XAuth client, with its own user name and password. If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth server, might require a user name and password, which the FortiGate unit provides when challenged.

Administrator Authentication

Administrators can be authenticated using a password stored on the FortiGate unit, a RADIUS, LDAP, or TACACS+ server, or digital certificates. The RADIUS server authenticates users and authorizes access to internal network resources based on the access profile of the user. To authenticate an administrator with an LDAP or TACACS+ server, the server must be created, included in a user group, and associated with the administrator with the user group. Users authenticated with the PKI-based certificate are permitted access to internal network resources based on the user group they belong to and the associated access profile.

Trusted Hosts

Setting trusted hosts for administrators increases the security of the network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets specified. The administrator can even restrict access to a single IP address if defined with only one trusted host IP address with a netmask of 255.255.255.255.

When trusted hosts are set for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If even one administrator is left unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts defined apply both to the web-based manager and to the CLI when accessed through telnet or SSH. CLI access through the console connector is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If one of the trusted host addresses is set to a non-zero address, the other 0.0.0.0/0 entries will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0. However, this configuration is less secure.
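The two rules above (a non-zero entry causes the remaining 0.0.0.0/0 slots to be ignored, and a single unrestricted administrator makes the unit answer from anywhere) are easy to get wrong when reviewing a configuration, so here is an added example, not FortiOS code, that models them over a constructed administrator table. The administrator names and addresses are made up; the address/netmask notation is the form used in the text.

```python
"""Added example: the trusted-host rules described above, applied to a
constructed administrator table. Not FortiOS code; the administrator
names and addresses are made up for the demonstration."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List

WILDCARD = ip_network("0.0.0.0/0.0.0.0")   # factory default for every trusted-host slot


def effective_trusted_hosts(entries: List[str]) -> List[IPv4Network]:
    """Apply the rule from the text: once any slot holds a non-zero address,
    the remaining 0.0.0.0/0 slots are ignored; only all-wildcard slots mean 'anywhere'."""
    nets = [ip_network(e, strict=False) for e in entries]   # accepts 'address/netmask' form
    specific = [n for n in nets if n != WILDCARD]
    return specific if specific else [WILDCARD]


def admin_accepts(entries: List[str], src: str) -> bool:
    """Would this administrator's trusted hosts let a login attempt from src through?"""
    return any(ip_address(src) in n for n in effective_trusted_hosts(entries))


def unrestricted_admins(admins: Dict[str, List[str]]) -> List[str]:
    """Administrators whose trusted hosts are still the wildcard: each one
    makes the unit answer administrative connections from any host."""
    return [name for name, th in admins.items() if effective_trusted_hosts(th) == [WILDCARD]]


def unit_responds(admins: Dict[str, List[str]], src: str) -> bool:
    """The unit answers an administrative connection from src only if at
    least one administrator's trusted hosts cover it."""
    return any(admin_accepts(th, src) for th in admins.values())


# Constructed example table: three trusted-host slots per administrator,
# written as address/netmask the way the Web Config shows them.
ADMINS = {
    "admin":    ["192.168.1.99/255.255.255.255",   # a single management PC
                 "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0"],
    "helpdesk": ["192.168.1.0/255.255.255.0",      # the internal subnet
                 "10.0.0.0/255.0.0.0", "0.0.0.0/0.0.0.0"],
}


if __name__ == "__main__":
    print(unrestricted_admins(ADMINS))                      # []
    print(unit_responds(ADMINS, "203.0.113.7"))             # False: no administrator trusts it
    print(admin_accepts(ADMINS["admin"], "192.168.1.100"))  # False: leftover 0.0.0.0/0 is ignored
```

The unrestricted_admins check is the one to run first when auditing a unit: one administrator still at the default wildcard is enough to make every other administrator's trusted-host list irrelevant for the question of whether the unit listens at all.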

LDAP. A user group defined on a Microsoft Active Directory or Novell eDirectory server To view the list of users available on the FortiGate unit. To view or modify any individual users in the User List. Course 201-v4. or TACACS+ server A user account with a digital certificate stored on the FortiGate unit A RADIUS. Users can access resources that require authentication only if they are members of an allowed user group. go to User > Local > Local.Authentication Users Users A user is an identity configured on the FortiGate unit or on an external authentication server. or TACACS+ server. Content Inspection and SSL VPN 01-4200-0201-20100604 243 . select them and click Edit ( ) or double-click the entry. LDAP. All user identities stored on the server will be able to authenticate. An identity can be: • • • • • A local user account with a user name and password stored on the FortiGate unit A local user account with a password stored on an external RADIUS.1 Administration.

New users can be added by clicking Create New on the User List page. Complete the parameters of the user as needed.

    User Name: Assign a name to the user. Click Disable to preserve the user entry in the list but prevent them from authenticating.
    Password: Enable if the user is to authenticate using a password stored on the FortiGate unit. Type the password that will be used for user authentication.
    Match user on LDAP server: Enable if the user is to authenticate using a password stored on a remote LDAP server. When enabled, select the preconfigured LDAP server from the list.
    Match user on RADIUS server: Enable if the user is to authenticate using a password stored on a remote RADIUS server. When enabled, select the preconfigured RADIUS server from the list.
    Match user on TACACS+ server: Enable if the user is to authenticate using a password stored on a remote TACACS+ server. When enabled, select the preconfigured TACACS+ server from the list.

Note: LDAP, RADIUS and TACACS+ servers can be configured by going to User > Remote and providing the information required for identifying the server.

In most cases, the FortiGate unit authenticates users by requesting their user name and password. The FortiGate unit checks local user accounts first. If a match is not found, the FortiGate unit checks the RADIUS, LDAP and TACACS+ servers that belong to the user group. Authentication succeeds when a matching user name and password are found.

User Groups

User groups have users or authentication servers as members. An administrator will need to determine the number and membership of user groups appropriate to the authentication requirements of the organization. Firewall policies and SSL VPNs allow access to user groups, not to individual users.

User groups are assigned one of two types:
• Firewall
• Directory Service

To view the list of available user groups on the FortiGate unit, go to User > User Group > User Group. Expand each user group type in the list to view the member groups.

The FortiGate unit will check user authentication based on a top-to-bottom scan of the user groups listed in identity-based policies. Authentication succeeds when a matching user name and password are found.

Firewall User Group

A firewall user group provides access to a firewall policy that requires authentication and lists the user group as one of the allowed groups. The FortiGate unit requests the group member's user name and password when the user attempts to access the resource that the policy protects.

A firewall user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user's VPN client is configured with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit.

Expand Firewall in the User Group List to view the member groups. To view or modify any individual firewall user groups in the list, select them and click Edit or double-click the entry.

New firewall user groups can be added by clicking Create New on the list page. Complete the parameters of the firewall user group as needed.

Name: Assign a name to the firewall user group. The name will be used to identify the firewall user group when the Authentication Rule is created.
Type: Click to enable Firewall.
Allow SSL-VPN Access: Enable to allow members of the Firewall group to access an SSL VPN. When enabled, select the level of access, either full-access, tunnel-access or web-access.
Available Users/Groups: The list of available users and user groups is displayed. Select a user or group and click the right arrow to move them from the Available Users/Groups list to the Members list.
Members: The list of members in the group is displayed. Select a user or user group and click the left arrow to remove them from the Members list and move them back to the Available Users/Groups list.

Directory Service User Group

Select this type of group to require Directory Service authentication. The FortiGate unit can be configured to allow access to members of Directory Service user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers to enable Directory Service authentication.

A Directory Service user group provides access to an identity-based policy that requires Directory Service type authentication and lists the user group as one of the allowed groups. For a Directory Service user group, the Directory Service server authenticates users when they log on to the network. The FortiGate unit receives the user's name and IP address from the FSAE collector agent. The members of the user group are Directory Service users or groups that are selected from a list that the FortiGate unit receives from the configured Directory Service server.

Expand Directory Service in the User Group List to view the member groups. To view or modify any individual Directory Service user groups in the list, select them and click Edit or double-click the entry.

New Directory Service user groups can be added by clicking Create New on the list page. Complete the parameters of the Directory Service user group as needed.

Name: Assign a name to the Directory Service user group. The name will be used to identify the Directory Service user group when the Authentication Rule is created.
Type: Click to enable Directory Service.
Available Users/Groups: The list of available users and user groups is displayed. Select a user or group and click the right arrow to move them from the Available Users/Groups list to the Members list.
Members: The list of members in the group is displayed. Select a user or user group and click the left arrow to remove them from the Members list and move them back to the Available Users/Groups list.

Identity-Based Policies

Identity-based policies enforce authentication options for firewall policies with an Action set to ACCEPT or SSL-VPN. Identity-based policies are optional for ACCEPT policies, but will be enforced in SSL-VPN policies.

Authentication Rules

Authentication Rules define aspects of the authentication being enforced, including the user groups affected by the policy, the services to which the policy will apply, as well as the schedule, threat management, traffic shaping and logging options. When identity-based policies are enabled, threat management elements are defined in the authentication rules.

In the Policy window with Identity-Based Policy enabled, click Add to define the Authentication Rules. An Implicit_Deny authentication rule is added by default to the list of rules.

Including User Groups

Any identity-based policy must reference the groups that are to require authentication, such as:
• Firewall user groups defined locally on the FortiGate unit as well as on any connected LDAP, RADIUS or TACACS+ servers
• Any Directory Service groups authenticating using Fortinet Server Authentication Extensions (FSAE)
• Any Directory Service groups authenticating using NTLM

This option is enabled by default.

Monitoring Firewall Authentication

A list of users currently authenticated using firewall authentication can be viewed through the User Monitor. Go to User > Monitor > Firewall to display the list of users authenticated by the FortiGate unit. For each authenticated user the list includes:
• The authenticated user's name
• The user group of the authenticated user
• How long the user has been authenticated
• How long until the user's session times out
• The authenticated user's source IP address
• The amount of traffic through the FortiGate unit caused by the user (traffic volume)

An administrator can sort and filter the information on the authentication monitor according to any of the columns in the monitor. From the list, all currently authenticated users can be de-authenticated, or single users can be selected to de-authenticate. To permanently stop a user from re-authenticating, disable the user account (in User > Local > Local) and then use the monitor list to immediately end the user's current session.

Lab 4 Authentication

Objectives
In this lab, a new policy to implement user authorization will be added for after-hours Internet web access. User disclaimer messages will also be added to the Internet-bound policies and sessions will be redirected to a specified URL.

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Creating an Identity-Based Firewall Policy
• Exercise 2 Testing the Firewall Policy For Web Traffic
• Exercise 3 Adding User Disclaimers and Redirecting URLs

Timing
Estimated time to complete this lab: 20 minutes

Exercise 1 Creating an Identity-Based Firewall Policy

1 In Web Config, go to User > User > User. Click Create New and enter a user name and password. Click OK.

2 Go to User > User Group > User Group. Click Create New and create a group that includes the authorized user with the following settings:
Name: auth-user
Type: Firewall
Members: Select the user created in step 1 from the Available Users Group list and use the right arrow to move it to the Members list.
Click OK to save the changes.

3 Go to Firewall > Policy > Policy and configure a new policy with the following settings:
Source Interface / Zone: internal
Source Address Name: all-dept
Destination Interface / Zone: wan1
Destination Address Name: all
Schedule: always
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Enable Identity Based Policy: Enabled
Comment: After-hours Internet web access

Click Add to create an Authentication Rule. Move auth-user to the Selected User Groups List. Move ANY to the Selected Services List. Click OK.

4 Move this new all-dept policy to the top of the internal to wan1 policy list.

5 Enable Authentication Keep-alive for the web traffic firewall policies using the CLI commands below.

    config system global
        set auth-keepalive enable
    end

Note: Authentication keepalive extends the time of the session when traffic is present. In this mode it acts as an idle timer rather than a hard timeout.

Exercise 2 Testing the Firewall Policy For Web Traffic

1 In a new web browser window, attempt to access a new web site. At the login prompt, enter the username and password of the user created in Exercise 1.

2 In the Authentication Keepalive window, click the Logout link and attempt to browse to another web site.

3 When prompted to authenticate, enter an incorrect user name or password.

4 In the Web Config, go to Log&Report > Log Access > Event. Locate event log messages for the firewall policy authentication events. Click the entry in the list to view the details. Note the log message level used for this type of event.

5 Clear all authenticated sessions (be careful with this command on a live system!) with the following CLI command:

    diagnose firewall iprope resetauth

6 Re-connect to the web site, only this time enter the correct credentials.

7 From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following CLI command:

    diagnose firewall iprope authuser

Exercise 3 Adding User Disclaimers and Redirecting URLs

1 In Web Config go to Firewall > Policy > Policy and edit the authenticating all-dept policy by modifying the following settings:
Enable Disclaimer and Redirect URL: Enable
Redirect URL: Enter the URL of a web page to be redirected to.
Click OK.

2 Clear all authenticated sessions using the CLI command:

    diagnose firewall iprope resetauth

3 In a new web browser window, access a web site. When prompted by the authentication login page, log in as the user created in Exercise 1. When the first user disclaimer message appears, click Yes, I agree. After logging in, an authentication keep-alive page opens. Click the new window link. This directs the user to the redirect URL specified in the firewall policy edited in Step 1.

4 Go to System > Config > Replacement Message. Expand Authentication and click Edit to modify the Disclaimer Page. Replace the text "the network access provider" with the student name. Click OK.

5 Clear the authenticated sessions before each test with the following CLI command:

    diagnose firewall iprope resetauth

6 Browse to a web page and note the change to the replacement message.

7 Examine the following CLI commands for the users, user groups, and for one of the authentication firewall policies:

    show user local
    show user group
    show firewall policy <id>

8 Go to Firewall > Policy > Policy and disable all the internal to wan1 policies except for the default all policy.
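The Lab 4 configuration built through Web Config above (Exercise 1's user, group, identity-based policy and keepalive setting, plus Exercise 3's disclaimer and redirect URL) expressed in FortiOS 4.0-era CLI, as an added example that is not part of the course guide. The user name, password, policy ID and redirect URL are constructed placeholders, the all-dept address object is assumed to exist already, and option names should be checked with ? on the unit.

```fortios
# Added example, not from the course guide: Lab 4 as FortiOS CLI.
# Constructed values are marked; verify option names with "?" on your unit.

# Exercise 1, step 1: the local user (name and password are placeholders)
config user local
    edit "student1"
        set type password
        set passwd "ChangeMe-Lab4"
        set status enable
    next
end

# Exercise 1, step 2: the firewall user group the policy will reference
config user group
    edit "auth-user"
        set group-type firewall
        set member "student1"
    next
end

# Exercise 1, step 3: internal -> wan1 policy with an identity-based rule.
# With identity-based enabled, schedule, service and logging are set per
# authentication rule; the Implicit_Deny rule is added automatically.
config firewall policy
    edit 5                                  # constructed policy ID
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all-dept"              # address object assumed to exist
        set dstaddr "all"
        set action accept
        set nat enable
        set comments "After-hours Internet web access"
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "auth-user"
                set schedule "always"
                set service "ANY"
                set logtraffic enable
            next
        end
        # Exercise 3, step 1: disclaimer and redirect (placeholder URL)
        set disclaimer enable
        set redirect-url "http://intranet.example.com/welcome"
    next
end

# Exercise 1, step 5: treat the authentication timeout as an idle timer
config system global
    set auth-keepalive enable
end
```

After applying it, the lab's own "show firewall policy <id>" and "diagnose firewall iprope authuser" commands can be used to confirm the rule and the authenticated users.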

LESSON 5 SSL VPN


FortiGate VPN

A Virtual Private Network (VPN) is a way to use a public network, such as the Internet, to provide remote offices or individual users with secure access to private networks. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices. Similarly, telecommuters can use VPN clients to access private data resources securely from a remote location.

The FortiGate unit supports SSL and IPSec VPN technologies. Each combines encryption and VPN gateway functions to create private communication channels over the Internet, which helps to defray physical network costs and enables an administrator to define and deploy network access and firewall policies using a single management tool. With the FortiGate unit's built-in VPN capabilities, small home offices, medium-sized businesses, enterprises, and service providers can ensure the confidentiality and integrity of data transmitted over the Internet. The FortiGate unit provides enhanced authentication, strong encryption, and restricted access to company network resources and services.

An organization has the freedom to use either of the VPN technologies; however, one may be better suited to their requirements.

SSL VPN

SSL VPNs are a good choice for roaming users who depend on a wide variety of thin-client computers to access enterprise applications and/or company resources from a remote location. SSL is typically used for secure web transactions. SSL forms a connection between two end points such as a remote client and an enterprise network. After a secure HTTP link has been established between the web browser and web server, application data is transmitted directly between selected client and server applications through the tunnel. Transactions involving three (or more) parties are not supported because traffic only passes between client and server applications.

In addition, SSL supports sign-on to a web portal front-end, from which a number of different enterprise applications may be accessed. The Fortinet implementation enables a specific port to be assigned for users to log in to the web portal and to customize the login page, if desired. SSL VPNs support simple client/user authentication processes (including X.509 digital certificates).

When the SSL VPN feature is used, all client traffic is encrypted and sent to the SSL VPN. This includes both traffic intended for the private network and Internet traffic that is normally sent unencrypted. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks.

To access server-side applications with SSL VPN, the remote user must have a web browser and, if Telnet/VNC/RDP are used, the Sun Java Runtime Environment (JRE) must be enabled. Tunnel-mode client computers must also have ActiveX (IE) or Java Platform enabled.

Web-only mode provides remote users with access to server applications from any thin-client computer equipped with a web browser. Tunnel mode gives remote users the ability to connect to the internal network from laptop computers, as well as airport kiosks, Internet cafes, and hotels. Access to SSL VPN applications is controlled through user groups. SSL VPNs provide secure access to certain applications. The amount of security that can be applied to users is limited.

IPsec VPN

FortiGate units support Internet Protocol Security (IPSec), a framework for the secure exchange of packets at the IP layer, to authenticate and encrypt traffic. FortiGate units implement the Encapsulated Security Payload (ESP) protocol in tunnel mode. IP packets are encapsulated by the VPN client and server software running on the hosts. The encrypted packets look like ordinary packets that can be routed through any IP network. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. As an option, manual keys can be specified.

IPSec VPNs are a good choice for site-to-site connections where appliance-based firewalls are used to provide network protection and company-sanctioned client computers are issued to users. IPSec is well suited to network-based legacy applications that are not web-based. As a layer 3 technology, IPSec creates a secure tunnel between two host devices. IPSec supports multiple connections to the same VPN tunnel (a number of remote VPN devices effectively become part of the same network). Access to the network resources on a corporate IPSec VPN can be enabled for specific IPSec peers and/or clients. IPSec VPNs provide secure network access only. Dedicated IPSec VPN software must be installed on all IPSec VPN peers and clients and the software has to be configured with compatible settings.

Because FortiGate units support industry standard IPSec VPN technologies, an IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients. The FortiGate IPSec VPN feature is compatible with the VPN client feature of the FortiClient Host Security application. A FortiGate unit can act as a policy server, enabling FortiClient users to download and apply VPN settings automatically.

SSL VPN Operating Modes

The operating mode of the SSL VPN to be used depends on the number and type of applications installed on the remote computer. The following modes of SSL VPN operation are only supported on FortiGate units running in NAT/Route mode:
• Web-only mode
• Tunnel mode

When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on user name, password, and authentication domain. A successful login determines the access rights of remote users according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode.

Web-Only Mode

Web-only mode is for thin, remote clients equipped with only a web browser. It provides remote users with a fast and efficient way to access server applications from any thin client computer equipped with a web browser, and offers true clientless network access using any web browser that has built-in SSL encryption and the Sun Java Runtime Environment. Support for SSL VPN web-only mode is built into the FortiOS operating system. The feature comprises an SSL daemon, running on the FortiGate unit, and a web portal which provides users with access to network services and resources including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, and RDP.

When the FortiGate unit provides services in web-only mode, a secure web connection between the remote client and the FortiGate unit is established using the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal. In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit. The user group settings determine which server applications can be accessed. SSL encryption is used to ensure traffic confidentiality. Configuring the FortiGate unit involves enabling SSL VPN, setting up an appropriate policy and selecting web-only mode access in the user group settings.

Web browsers offer different SSL security capabilities. The FortiGate unit supports a range of cipher suites for negotiating SSL communications with a variety of web browsers. The web browser must, at a minimum, support a 64-bit cipher length. The FortiGate unit offers an SSL version 2 option through the CLI, to support older browsers, if required.

The remote client computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003/Vista/7, Linux, or UNIX operating system
• Internet Explorer, Firefox or any other supported browser, with Java, JavaScript, and Accept Cookies enabled
• If Telnet/VNC or RDP are used, a Sun Java Runtime Environment 1.4 (or later)

Tunnel Mode

Tunnel mode is used for remote computers that run a variety of client and server applications. Where users have complete administrative rights over their computers and use a variety of applications, tunnel mode allows remote clients to access the local internal network as if they were connected to the network directly. If the applications on the client computers used within a user community vary greatly, deploy a dedicated SSL VPN client to any remote client through the web browser. Tunnel mode offers remote users the freedom to connect to the internal network using the traditional means of web-based access from laptop computers, as well as from airport kiosks, hotel business centers, and Internet cafés.

In tunnel mode, remote clients connect to the FortiGate unit and the web portal login page using a web browser. The FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as members of a user group. After successful authentication, the FortiGate unit redirects the web browser to the web portal home page. The user can then download the SSL VPN client (available as an ActiveX, Java or stand-alone application) and install it using controls provided through the web portal. After the user installs the SSL VPN client software, they can initiate a VPN tunnel with the FortiGate unit whenever the SSL connection is open.

In tunnel mode, a secure SSL connection is established initially for the FortiGate unit to download the SSL VPN client software to the web browser. When the user initiates a VPN connection with the FortiGate unit through the SSL VPN client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses. The client uses the assigned IP address as its source address for the duration of the connection. After the tunnel has been established, the user can access the network behind the FortiGate unit. The SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between the web browser and the FortiGate unit. The firewall policy and threat management profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely. Split tunneling is also available, which ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. This conserves bandwidth and alleviates bottlenecks.

Configuring the FortiGate unit to establish a tunnel with remote clients involves enabling SSL VPN, setting up an appropriate policy and selecting tunnel-mode access in the user group settings.

The remote computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003/Vista/7, Linux or Macintosh
• Microsoft Internet Explorer with ActiveX enabled or another supported web browser with Java enabled

User Groups

User groups provide access to firewall policies that require SSL VPN access. The FortiGate unit requests the user name and password when the user accesses the SSL VPN web portal. Local user accounts, or users with accounts in remote LDAP, RADIUS or TACACS+ servers, can be members of a user group. If all accounts in a remote server are to be added to the user group, add the server itself to the group.

User groups whose members will have access to the SSL VPN will have Allow SSL-VPN Access enabled, along with the type of portal to be presented to those users. The user group settings include the choice of portals to be used by user group members.

To view the list of user groups available on the FortiGate unit, go to User > User Group > User Group and expand Firewall. To view or modify any individual user groups in the User Group List, select the group and click Edit or double-click the entry.

New user groups can be added to the list by clicking Create New on the User Group List page. Complete the parameters of the user group as needed.

Name: Assign a name to the user group. The name of the user group will be used to identify the group when the Authentication Rules are specified in an SSL VPN policy.
Type: Select the type of user group to be created. In this scenario, enable Firewall.
Allow SSL-VPN Access: Enable to allow members of the user group to access the SSL-VPN. When enabled, select the portal type that will be accessible by members of the user group.
• Web-access will allow access to Web-Only Mode portals only.
• Tunnel-access will allow access to Tunnel Mode portals only.
• Full-access will allow access to both portal modes.
Available Users/Groups: The list of available users and user groups is displayed. Select a user or group and click the right arrow to move them from the Available Users/Groups list to the Members list.
Members: The list of members in the group is displayed. Select a user or user group and click the left arrow to remove them from the Members list and move them back to the Available Users/Groups list.

Portals

A portal is the web page that is displayed when a member of a user group logs into the SSL VPN. The FortiGate unit includes the following pre-defined portal types:
• Web-Access
• Tunnel-Access
• Full-Access

The portal displays a collection of widgets which allow access to functionality on the portal.

Web-Access Portal

The Web-Access portal allows members of a user group to access a Web-Only Mode SSL VPN. Bookmarks are hyperlinks to frequently accessed web pages or server applications that can be used to start any session from the home page. Click a bookmarked link on the portal page to access a web site. The FortiGate unit forwards the client requests to servers on the Internet or internal network.

Users can click Add to create new bookmarks or Edit to modify existing bookmarks.

Name: The name entered will be used as the link on the Web-Access Portal.
Type: Identify the type of link, for either web pages or web applications.
Location: Identify the destination of the link.
Description: Enter a description to provide descriptive information regarding the bookmarked link.
SSO: Define whether single sign-on capabilities will be Disabled, Automatic or Static.

Tunnel-Access Portal

The Tunnel-Access Portal allows access to a Tunnel-Only Mode SSL VPN. Click Connect to create the tunnel to the destination IP address identified in the Tunnel Mode policy. A link is presented to allow users to download a stand-alone application used to create the Tunnel Mode link to the destination IP address. The application is downloaded to the local hard drive and must be manually installed.

Full-Access Portal

The Full-Access Portal combines the functionality of the Web-Access and Tunnel-Access Portals.

Enabling SSL VPN

The process of enabling SSL VPNs on the FortiGate unit is similar for both operating modes. Go to VPN > SSL > Config to enable SSL VPN connections and set the basic options needed to support SSL VPN configurations.

Enable SSL-VPN: Click to enable SSL VPNs on the FortiGate unit.
IP Pools: IP Pools allow a range of IP addresses to be reserved for remote SSL VPN clients. Click [Edit] to select an IP address range. A pre-defined IP address range called SSLVPN_TUNNEL_ADDR1 can be used, or a custom addressing range can be defined through Firewall > Address > Address. If configuring a tunnel mode SSL VPN, IP Pools must be defined. Web Mode SSL VPNs do not require IP Pools to be defined. After the FortiGate unit authenticates a request for a tunnel-mode connection, the SSL VPN client connects to the FortiGate unit and is assigned an IP address from this range. The FortiGate unit uses the assigned address to communicate with the SSL VPN client.

Server Certificate: Choose the certificate that will be presented to the client initiating the SSL VPN session. By default, the FortiGate unit will use a self-signed certificate, which will produce security warnings in most browsing software. If the SSL VPN will be publicly available, it is good practice to use a certificate signed by a recognized certificate authority. Certificates and CRLs can be imported onto the FortiGate unit through System > Certificates.
Require Client Certificate: Enable if mutual authentication is required between the client and server. This setting will require a client certificate to complete authentication. Before enabling, ensure that the required certificates have been installed on the client.
Encryption Key Algorithm: Select the level of encryption used for SSL VPN connections. Keep in mind that if a higher level of encryption is chosen than the web browser supports, the client will not be able to establish a connection.
Idle Timeout: The value specified controls how long the connection can remain idle before the system forces the remote user to log in again.
Advanced: Expand Advanced to define the WINS or DNS servers that are made available to the SSL VPN clients. Up to two DNS servers and two WINS servers can be specified.

SSL VPN Firewall Policies

All SSL VPNs require at least one SSL VPN firewall policy. The firewall policy specifies the originating IP address of a packet (Source Address) and the destination address(es) of the intended recipient(s) or network(s) (Destination Address).

Web-Only Mode Firewall Policies

A firewall policy for Web-Only Mode requires selecting appropriate Source and Destination Addresses, selecting an Action of SSL VPN and an appropriate identity-based policy.
• For the Source Address, select the predefined address of ALL.
• For the Destination Address, select the IP address or addresses that remote clients need to access. The Destination Address may correspond to an entire private network behind a FortiGate unit, a range of private IP addresses or the private IP address of a server or host.

Go to Firewall > Policy > Policy to define the attributes of the Web-Only Mode SSL VPN policy.

Source Interface/Zone: Select the source interface for the policy.
Source Address: Specify the originating IP address of the SSL VPN connection.
Destination Interface/Zone: Select the destination interface for the policy.
Destination Address: Specify the destination address(es) of the intended recipient(s) or network(s) for the SSL VPN connection.

Action: Select SSL VPN.

SSL Client Certificate Restrictive: Enable if the client certificate accepted must be of a certain cipher strength. When enabled, select the cipher strength from the drop-down list.

Identity Based Policy: Identity Based Policy is automatically enabled when the Action of SSL VPN is selected. Click Add to define an Authentication Rule. Select a User Group with Allow SSL VPN Access enabled.

Authentication Rules

Authentication Rules define the authentication options and other parameters for users affected by the SSL VPN policy.

User Group: Select the user group that requires access to the SSL VPN and click to move it to the Selected User Groups list.

Service: Select the services accessible by allowed users through the SSL VPN and click to move the Services to the Selected Services list.

Schedule: Select the schedule the allowed users will be bound by.

Log Allowed Traffic: Click to enable logging of traffic by allowed users.

UTM: Click to enable the UTM elements required for traffic through the web-only mode VPN. Select the appropriate profile or sensor from the list for any enabled UTM elements.

Tunnel Mode Firewall Policies

A firewall policy for Tunnel Mode requires selecting an appropriate Source Interface and Source and Destination Addresses. Go to Firewall > Policy > Policy to define the attributes of the Tunnel Mode SSL VPN policy.

• For the Source Interface, note that SSL VPN Tunnel Mode policies use a virtual interface, called sslvpn tunnel interface. This interface appears in the firewall policy interface lists and static route interface lists and allows remote user access to additional networks.
• For the Source Address, identify the range of IP addresses that can be connected to the FortiGate unit. A default IP address range called SSLVPN_TUNNEL_ADDR1 is available, and can be edited if necessary through Firewall > Address > Address.
• For the Destination Address, select the IP address or addresses that remote clients need to access. The Destination Address may correspond to an entire private network behind a FortiGate unit, a range of private IP addresses or the private IP address of a server or host.

Source Interface/Zone: Select sslvpn tunnel interface. This interface is available by default on the FortiGate unit.

Source Address: Select SSLVPN_TUNNEL_ADDR1. This address range is available by default on the FortiGate unit. It corresponds to the range of IP addresses permitted to set up SSL VPN connections.

Destination Interface/Zone: Select the destination interface for the policy.

Destination Address: Select the IP addresses that represent the local network, servers or hosts to which IP packets may be delivered.

Schedule: Select the schedule the allowed users will be bound by.

Service: Select the services accessible by allowed users through the VPN.

Action: For tunnel mode SSL VPN, the Action of ACCEPT is selected.

Log Allowed Traffic: Click to enable logging of traffic by allowed users.

NAT: Click to select if NAT is used.

Enable Identity Based Policy: Identity Based Policy can be enabled when the Action of ACCEPT is selected. Click Add to define an Authentication Rule. Select a User Group with Allow SSL VPN Access enabled.

UTM: Click to enable the UTM elements required for traffic through the tunnel mode VPN. Select the appropriate profile or sensor from the list for any enabled UTM elements.

Traffic Shaping: Enable if traffic shaping is required on the tunnel mode traffic. Select the required traffic shaper from the list.

Per-IP Traffic Shaping: Enable if per-IP traffic shaping is required on the tunnel mode traffic. Select the required per-IP traffic shaper from the list.

Enable Endpoint NAC: Enable if Endpoint Control is applied to tunnel mode traffic.

Connecting to the SSL VPN

Connect to the FortiGate SSL VPN Portal home page by entering the following address in the web browser:

https://<FortiGate_IP_address>:10443

Optionally, a different TCP port number can be specified for users to access the portal login page by modifying the SSLVPN Login Port under System > Admin > Settings. If port 443 is being used for another purpose, ensure that this does not conflict with the port used for administrative connections to the FortiGate unit through Web Config.

Web Portal Page

The portal page that is displayed after logging in will depend on the type selected in the user group settings. Web-Access Portals will present the list of bookmarks that can be clicked to access web sites. Tunnel-Access Portals will present the widgets to connect to the tunnel. Full-Access Portals will present the widgets for both Web-Access and Tunnel-Access portals.

Lab 5 SSL VPN

Objectives

In this lab, an SSL VPN will be configured to allow both web-only mode and tunnel mode access to public web sites.

Tasks

In this lab, the following tasks will be completed:
• Configuring SSL VPN for Full Access

Timing

Estimated time to complete this lab: 25 minutes

Exercise 1 Configuring SSL VPN for Full Access

1 Go to VPN > SSL > Config. Configure the following settings to enable the SSL VPN service:
Enable SSL-VPN: Enable
IP Pools: Click [Edit] and add SSLVPN_TUNNEL_ADDR1 to the Selected list. Click OK.
Leave all the other settings at default. Click Apply.

2 Configure authentication for an internal user to access the SSL VPN gateway service. Go to User > User > User. Click Create New and add a new user with the User Name of Test SSL and Password of 123456. Click OK.

3 Create a new user group that includes the new local user. Go to User > User Group > User Group and click Create New. Configure the following settings:
Name: SSLVPN
Type: Firewall
Allow SSL-VPN Access: Enable and select the full-access portal from the list.
Available Users/Groups: Move the Test SSL user from the Available Users/Groups list to the Members list.
Click OK.

4 Create a new firewall policy to allow access to the SSL VPN and authenticate the user. Go to Firewall > Policy > Policy. Click Create New to configure a policy with the following settings:
Source Interface: internal
Source Address: all
Destination Interface: wan1
Destination Address: all
Action: SSL-VPN
SSL Client Certificate Restrictive: Disabled
Click Add to configure a new identity-based policy with the following settings:
Available User Groups: Move SSLVPN from the Available User Groups list to the Selected User Groups list.
Service: Move ANY from the Available Services list to the Selected Services list.
Schedule: always
Log Allowed Traffic: Enabled
Click OK.

5 Move this SSLVPN policy to the top of the internal to wan1 policy list.

6 Test the SSL VPN by connecting to the portal by typing the following address in the web browser:
https://192.168.1.99:10443/
Confirm the first-time Security Alert that is displayed.

Note: By default, the SSL VPN gateway listens to port 10443. In an actual deployment, use port 443 as this port is typically open on Firewalls allowing easy remote access using SSL. This can be changed by going to System > Admin > Settings and changing the Web Admin HTTPS service from 443 to a different port number (for example, 8443). Then, change the SSL VPN login port from 10443 to 443.

7 When prompted, log in as the Test SSL user with the password of 123456. If the connection fails, check the following:
• The Test SSL user is a member of the SSLVPN user group.
• The SSLVPN user group is associated with the internal to wan1 policy.
• The SSL VPN policy is at the top of the policy list for internal to wan1.
If after performing these checks the connection still fails, try re-entering the password in the local user configuration.

8 On the portal page, click Add to create a new bookmark with the following details:
Name: Fortinet
Type: HTTP/HTTPS
Location: http://www.fortinet.com
Description: Optional
SSO: Disabled
Click OK.

9 Click the newly created bookmark. A new window displays the selected web site. Note the URL of the web site in the web browser address bar:
https://192.168.1.99:10443/proxy/http/www.fortinet.com
The first part of the address, https://192.168.1.99:10443, is the encrypted link to the FortiGate SSL VPN gateway. The second part of the address, /proxy/http, is the instruction to use the SSL VPN HTTP proxy. The final part of the address, /www.fortinet.com, is the destination of the connection from the HTTP proxy. In this example, the connection is encrypted up to the SSL VPN gateway. The connection to the final destination from the HTTP proxy is unencrypted.

10 Examine the PC's current routing table by typing the following command from a DOS command prompt:
route print
Note that the current default gateway is 192.168.1.99, for example:
Active Routes:
Network Destination: 0.0.0.0
Netmask: 0.0.0.0
Gateway: 192.168.1.99
Interface: 192.168.1.xxx
Metric: 10

11 If this is the first time an SSL VPN tunnel is used on the PC, install the Fortinet SSL VPN Client plug-in for the browser. Click the Click here to download and install it link that appears in the Tunnel Mode widget. Download the client software to the PC desktop and close the web browser.

12 Run the installation application for the client software from the PC desktop.

13 Reopen the web browser and enter the address of the VPN portal:
https://192.168.1.99:10443/

14 Click the Connect button in the Tunnel Mode widget. When the tunnel is active, the local interface fortissl will be listed as UP. Return to the routing table through the DOS prompt and note that the default gateway is now 10.0.0.1, which is the local tunnel endpoint. Because split tunnelling is not enabled, a default route is displayed for the tunnel interface.

Note: Split tunneling is a computer networking concept which allows a VPN user to access a public network, for example, the Internet, and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application. For example, a user connects to a corporate network using a remote access VPN software client and a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers, and other servers on the corporate network through the VPN connection. In contrast, when the user connects to Internet resources, web sites and FTP sites, for example, the connection request doesn't go through the VPN link but rather through the wireless connection and out the gateway provided by the hotel network.
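The routing-table check made by eye in steps 10 and 14 can also be scripted. The following is an added example, not part of the Fortinet course: it parses Windows route print output and reports whether the preferred default route points at the LAN gateway or at the tunnel endpoint. Both dumps are constructed; only the addresses 192.168.1.99 and 10.0.0.1 come from the lab.

```python
"""Classify a Windows 'route print' dump as LAN-default or tunnel-default.

Added example, not part of the Fortinet course material. Parses the
'Active Routes:' section of route print output, finds every 0.0.0.0/0
entry and reports which gateway wins (lowest metric). Before the tunnel is
up the default gateway is the LAN router (192.168.1.99); with tunnel mode
active and no split tunneling it is the tunnel endpoint (10.0.0.1). Both
dumps below are constructed; only the addresses come from the lab.
"""
import re
from dataclasses import dataclass
from typing import List

TUNNEL_ENDPOINT = "10.0.0.1"      # local tunnel endpoint named in the lab


@dataclass
class Route:
    destination: str
    netmask: str
    gateway: str          # IPv4 address or "On-link"
    interface: str
    metric: int


# One row of the IPv4 'Active Routes' table as printed by route print.
ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+|On-link)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_active_routes(dump: str) -> List[Route]:
    """Return the rows between 'Active Routes:' and 'Persistent Routes:'."""
    routes, in_table = [], False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_table = True
            continue
        if stripped.startswith("Persistent Routes:"):
            break
        if not in_table:
            continue
        match = ROUTE_ROW.match(line)
        if match:
            dst, mask, gw, iface, metric = match.groups()
            routes.append(Route(dst, mask, gw, iface, int(metric)))
    return routes


def default_gateways(routes: List[Route]) -> List[str]:
    """Gateways of all default routes, best (lowest metric) first."""
    defaults = [r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]
    return [r.gateway for r in sorted(defaults, key=lambda r: r.metric)]


def tunnel_state(dump: str, tunnel_endpoint: str = TUNNEL_ENDPOINT) -> str:
    """'tunnel' when the preferred default route points at the tunnel endpoint
    (full tunnel), 'lan' when it still points at the LAN gateway, 'none' if
    no default route is present."""
    gateways = default_gateways(parse_active_routes(dump))
    if not gateways:
        return "none"
    return "tunnel" if gateways[0] == tunnel_endpoint else "lan"


# Constructed dump, before the SSL VPN tunnel is connected (step 10).
BEFORE_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.99    192.168.1.50     10
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    266
===========================================================================
Persistent Routes:
  None
"""

# Constructed dump with the tunnel up and no split tunneling (step 14): a
# second, better-metric default route now points at the tunnel endpoint.
AFTER_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.1      1
          0.0.0.0          0.0.0.0     192.168.1.99    192.168.1.50     10
         10.0.0.0    255.255.255.0         On-link         10.0.0.1    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    266
===========================================================================
Persistent Routes:
  None
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE_TUNNEL), ("after", AFTER_TUNNEL)):
        print(label, tunnel_state(dump), default_gateways(parse_active_routes(dump)))
```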

15 Open a new web browser window and attempt to connect to the following web site:
www.fortiguard.com
Note that the connection fails when tunnel mode is active.

If not using DNS forwarding on the FortiGate and DNS queries are forwarded from the PC to external DNS servers, test using the server's IP address. Use the nslookup command to get the IP address of the server before testing in this case.

16 To observe the cause of the configuration problem, run a packet sniffer command in the CLI with the following filter and observe the output while trying to reload the webpage:
diag sniffer packet any "port 80" 4
TCP SYN packets should be observed incoming to the ssl.root interface. The ssl.root interface represents the clients from the SSL VPN tunnel. In addition to the SSL VPN policy, additional objects must be created to allow access from the ssl.root interface, which is the source of all SSL VPN tunnel traffic. To allow these packets, this session must be accepted by creating a policy from the ssl.root interface to the wan1 interface. We also need to define a route back to the SSL VPN client for both RPF criteria and new session establishment.

17 Logout of the SSL VPN portal by clicking Logout.

18 Create a static route for the SSL VPN tunnel client IP address. In Web Config, go to Router > Static > Static Route and click Create New. Configure the static route with the following settings:
Destination IP/Mask: 10.0.0.1/24
Device: ssl.root
Leave the remaining default settings and click OK.

19 Create a new firewall policy from the sslvpn tunnel interface, this time using a regular Accept action.
Source Interface: sslvpn tunnel interface
Source Address: all
Destination Interface: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Click OK.

This new ssl.root to wan1 policy will be displayed in the Policy list.

20 Log back into the SSL VPN portal and click Connect to activate the SSL VPN tunnel.

21 From the DOS prompt, confirm that the default route is now the tunnel endpoint (10.0.0.1).

22 Connect directly to the following web site through the web browser:
www.fortiguard.com
The connection should be successful.

23 Run the packet sniffer command once again to verify that the traffic from the ssl.root interface is now permitted.

24 Disable the two SSL policies created in this lab.

LESSON 6 FortiGuard Subscription Services

www.fortinet.com


Lesson 6 FortiGuard Subscription Services

FortiGuard Subscription Services provide continuously updated security solutions to Fortinet security device users, including antivirus, intrusion prevention, as well as web and email filtering. FortiGuard Subscription Services are continuously updated to provide up-to-date protection from new and emerging threats before they can harm corporate resources or infect end-user computing devices. With the FortiGuard Subscription Services enabled, administrators can ensure that their FortiGate, FortiMail, and FortiClient installations are performing optimally and are protecting their corporate assets with the latest security technology.

Subscription services are delivered through the FortiGuard Distribution Network. Delivery methods include push, pull, or customized delivery frequency that can be configured based on the requirements of the organization: set it up once and updates arrive automatically. This system ensures that devices are updated to provide high levels of detection for both known and unknown threats.

FortiGuard Distribution Network

The FortiGuard Distribution Network delivers updates to FortiGate, FortiMail, and FortiClient products from secure, high availability data centers in locations worldwide. Worldwide coverage of FortiGuard services is provided by FortiGuard Service Points. Fortinet adds new Service Points as required. When a FortiGate unit connects to the FortiGuard Distribution Network, it is connecting to the closest FortiGuard Service Point. If the Service Point becomes unreachable for any reason, the FortiGate unit contacts another Service Point and information is available within seconds. By default, the FortiGate unit communicates with the Service Point using UDP on port 53.

Alternately, the UDP port used for Service Point communication can be switched to port 8888 through Web Config. The FortiGuard Service Point hostname can not be changed through Web Config. If the default FortiGuard Service Point hostname must be changed, use the system fortiguard hostname CLI command.

If the FortiGate unit is unable to connect to the FortiGuard Distribution Network, check the configuration. For example, routes may need to be added to the FortiGate routing table of the network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet.

fortiguard. www.net server.com is in the Search Engine category). The next available FortiGuard server returns the response to the query. All other servers are listed by weight.net. in what category is www. The service. The top servers on the list have the best round-trip time. The FortiGuard Server returns the response to the query (for example.net FortiGuard Server 1 DNS FortiGuard Server 2 FortiGate The FortiGate unit submits a DNS A Record lookup for service.FortiGuard Subscription Services FortiGuard Distribution Network Connecting to the FortiGuard Servers The following steps illustrate the process used by the FortiGate unit to locate and connect to the FortiGuard servers to submit a query.fortiguard. If no response is obtained from the first server within 2 seconds.com?).net to the FortiGate unit. The FortiGate unit submits a query to the FortiGuard Server (for example. The weight is equal to the time zone difference between the FortiGate unit and the FortiGuard servers multiplied by 10.google. license check and server list request to the service.google. The server list is initially ordered by weight.fortiguard.1 Administration. service.net server returns the service status and server list information to the FortiGate unit. the next FortiGuard Server in the server list is contacted. The server list can be viewed in the CLI using the following command: diag debug rating Course 201-v4.fortiguard. Content Inspection and SSL VPN 01-4200-0201-20100604 289 . The FortiGate unit submits an INIT message.fortiguard. The DNS server returns the IP address for service.

FortiGuard Antivirus Service

The FortiGuard Antivirus Service keeps FortiGate, FortiMail and FortiClient devices fully up-to-date with the latest antivirus defenses against network-based threats. The FortiGuard Antivirus Service prevents both new and evolving virus, spyware, and malware threats and vulnerabilities from gaining access to the network, applications, or data assets. Fortinet collaborates with the world's leading threat monitoring organizations to advise and learn of new vulnerability discoveries. Updates to the FortiGate and FortiMail devices and FortiClient installations are fully automated to ensure protection against the latest content level threats. Signature updates are continually updated through the FortiGuard Antivirus Service.

The following steps illustrate how new threats and vulnerabilities are addressed through the service:
1 Fortinet engineers identify a new virus threat.
2 An antivirus signature is developed and tested by Fortinet engineers.
3 The antivirus signature database is uploaded to the FortiGuard Distribution Network.
4 The FortiGuard Antivirus Service automatically pushes the update to FortiGate/FortiClient/FortiMail devices, which are dynamically updated.
5 When the cyber attack is launched, the FortiGate/FortiClient/FortiMail units block the attack.

Lesson 8 - Antivirus of this course will discuss antivirus filtering in further detail.

FortiGuard Intrusion Prevention System Service

The FortiGuard Intrusion Prevention System (IPS) Service arms FortiGate customers with the latest defenses against stealthy, malicious, and suspicious network-level threats. Fortinet works with organizations worldwide to isolate the latest application and OS vulnerabilities to prevent both new and yet unknown threats and vulnerabilities from gaining access to network, applications, or data assets. The FortiGuard IPS Service includes a library of over 4000 IPS signatures and the latest anomaly inspection, deep packet inspection, full content inspection, and activity inspection engines. Policies allow full control of all attack detection methods to provide flexibility to the organization. The FortiGuard IPS Service also supports behavior-based heuristics, adding valuable recognition capabilities beyond simply matching content against known signatures.

The 301 - Secured Network Deployment and IPSec VPN course discusses the Intrusion Prevention System in further detail.

FortiGuard Web Filtering Service

Surfing the Internet has become a critical part of conducting business and often a requirement for government and educational institutions. However, inappropriate Internet usage has led to lower productivity, legal liability, inappropriate use of company resources, harassment, and human resource issues. The FortiGuard Web Filtering Service is a hosted service designed to provide Web URL filtering for schools, libraries, government agencies, and enterprise businesses of all sizes. The FortiGuard Web Filtering Service provides policy-based access control for over 77 web content categories, over 60 million rated web sites, and more than two billion web pages. The FortiGuard Web Filtering Service has been developed to attain CIPA Compliance with HR4577. The FortiGuard Web Filtering Service delivers updates through the FortiGuard Distribution Network to regulate web activities to meet different usage policies and compliance requirements.

When a user requests access to a web page, the request is sent to the web site and a rating request is made simultaneously to the FortiGuard Web Filtering Service. If the rating for the web page is cached in the FortiGate unit, it is immediately compared with the policy for the user. When the rating response is received by the FortiGate unit, it is compared to the policy rules. If the policy allows the page, the web site response is passed to the user. Otherwise, a user-definable blocked message is sent to the user and the event is logged in the content filtering log.

Lesson 10 - Web Filtering of this course will discuss web filtering in further detail.

FortiGuard Antispam Service

With the heavy and growing reliance on email for business communications, the ability to keep email servers running smoothly and spam free is becoming more critical than ever. Unsolicited email (spam) has created tremendous pressure on the communication infrastructure. Some side effects include wasteful email server build-out, downtime, unknowing transport of spyware, greyware, intrusions, or even embedded viruses. If legitimate email becomes falsely classified as spam it can be equally disastrous for a corporation, as critical communications can become impaired.

The FortiGuard Antispam Service delivers antispam signature updates for FortiGate, FortiMail, and FortiClient customers to help reduce the amount of spam at the network perimeter. The FortiGuard Antispam Service is automated by Fortinet to provide constant monitoring and dynamic updates. A dedicated team of engineers and analysts monitor global spam activities and analyze the latest spam techniques to provide comprehensive protection against spam. To increase detection rates, the FortiGuard Antispam Service deploys dual scan technology to quickly identify, tag, or block obvious spam messages. The FortiGuard Antispam Service uses an IP address black list compiled from email captured by spam probes located around the world along with other spam filtering tools. Spam probes are decoy email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address list.

Lesson 9 - Email Filtering of this course will discuss email filtering in further detail.

FortiGuard Vulnerability Management Service

The FortiGuard Vulnerability Management Service provides periodic delivery of signatures to aid in the detection of vulnerabilities in an organization's network due to flaws in software or faulty application configuration. Used in conjunction with the vulnerability scanning capabilities of the FortiAnalyzer device, the FortiGuard Vulnerability Management Service can enable the detection and removal of risks while providing up to date information to mitigate those risks. Core to this solution is the ever expanding vulnerability database, delivered through the FortiGuard Distribution Network. For more information on the FortiGuard Vulnerability Management Service, visit: http://www.fortiguard.com.

FortiGuard Subscription Services Licensing

FortiGate units come with a free 30-day trial license for the FortiGuard Subscription Services. To renew the FortiGuard license after the free trial, contact Fortinet Technical Support.

The License Information pane in System > Dashboard > Status in Web Config displays the status of the support contract and FortiGuard subscriptions for the FortiGate device. The FortiGate unit updates the license information status indicators automatically by connecting to the FortiGuard network. FortiGuard subscription status indicators are green for OK, grey if the FortiGate unit cannot connect to the FortiGuard network, and yellow if the license has expired.

Updating Antivirus and IPS Services

FortiGuard update information is displayed in Web Config at System > Maintenance > FortiGuard. Subscription services that are properly registered and are receiving updates are identified with a green check mark. Services that are not valid or expired are identified with a red X. To receive scheduled updates to the antivirus and IPS definitions, the FortiGate unit must be able to connect to the FortiGuard Distribution Network using HTTPS on port 443.

Scheduled Updates

On the System > Maintenance > FortiGuard page, expand AntiVirus and IPS Options. The Schedule Update options include the ability to check for updates to the antivirus and IPS definitions at the following times:
• Hourly: Specify the number of hours and minutes between each update request.
• Daily: Specify the time of day to check for updates.
• Weekly: Specify the day of the week and the time of day to check for updates.

Push Updates

The FortiGuard Distribution Network can push antivirus and IPS updates to FortiGate units to provide the fastest possible response to critical situations. The FortiGate unit must be registered before it can receive push updates. When a FortiGate unit is configured to allow push updates, it sends a SETUP message to the FortiGuard Distribution Network. The next time new antivirus or IPS definitions are released, the FortiGuard Distribution Network notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FortiGuard Distribution Network. On average the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates.

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. Enabling push updates is not recommended as the only method for obtaining updates. The FortiGate unit might not receive the push notification. Also, when the FortiGate unit receives a push notification it makes only one attempt to connect to the FortiGuard Distribution Network and download updates.

The SETUP message that the FortiGate unit sends when push updates are enabled includes the IP address of the FortiGate interface to which the FortiGuard Distribution Network connects. The interface used for push updates is the interface configured in the default route of the static routing table. The FortiGuard Distribution Network must be able to connect to this IP address for the FortiGate unit to be able to receive push update messages. The FortiGate unit sends the SETUP message if the IP address of this interface is changed manually or if the interface addressing mode has been set to DHCP or PPPoE and the DHCP or PPPoE server changes the IP address. If redundant connections to the Internet are available, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to the other Internet connection.

Override Server

If the organization provides updates to the FortiGuard Subscription Services using their own FortiGuard server (for example, through a FortiManager device) or if a connection to the FortiGuard Distribution Network can not be made, the Use override server address option may be used. When enabled, enter the IP address or domain name of the server to be used, for example, the IP address of a FortiManager configured to provide FortiGuard services.

If the FortiGate device is operating in Transparent mode and the management IP address is changed, the FortiGate unit also sends the SETUP message to notify the FortiGuard Distribution Network of the address change.

Push updates might be unavailable if:
• The FortiGate unit has not been registered.
• There is a NAT device installed between the FortiGate unit and the FortiGuard Distribution Network (see the section Push Updates Through a NAT Device in this lesson).
• The FortiGate unit connects to the Internet using a proxy server. If the FortiGate unit must connect to the Internet through a proxy server, use the config system autoupdate tunneling command to allow the FortiGate unit to connect or tunnel to the FortiGuard Distribution Network using the proxy server.

Push Updates Through a NAT Device

If the FortiGuard Distribution Network can only connect to the FortiGate unit through a NAT device, port forwarding must be configured on the NAT device and port forwarding information must be added to the push update configuration. The FortiGate unit can only receive update messages on UDP port 9443.

In the example below, the FortiGate unit is configured to allow push updates. The override push IP address is configured for 172.16.1.1 using UDP port 12443. This tells the FortiGuard Server to send updates to that address and port. Push updates will be sent by the FortiGuard Server to 172.16.1.1 using port 12443 as configured. The NAT device will then map this IP address to 10.10.10.1 port 9443. The update is received by the FortiGate unit.

[Diagram: FortiGate (Allow Push Update; Use Override Push IP 172.16.1.1; Port udp 12443) behind a NAT Device (Destination NAT: 172.16.1.1 udp port 12443 maps to 10.10.10.1 udp port 9443), reached across the Internet by the FortiGuard Server]

Manual Updates

The FortiGuard antivirus and IPS definitions can be updated manually at any time if a connection to the Fortinet Distribution Network is available. Click Update Now in the Antivirus and IPS Options to force a manual update of the antivirus and IPS definitions.

If a connection to the Fortinet Distribution Network is not available from the FortiGate device, the latest definition files can be downloaded from another computer and copied to the computer used to connect to Web Config. Click the [Update] link for either the Antivirus or IPS Definitions, then click Browse to locate the antivirus or IPS definition files.

Web Filtering and Antispam Options

FortiGuard Web Filtering and Antispam Options are configured at System > Maintenance > FortiGuard.

Port Selection

FortiGuard services are reachable over port 53. An alternate port of 8888 can be used. Click Test Availability to verify that FortiGuard Services are available through either the default or the alternate port.

Caching

Caching is available for web filtering and antispam. Caching is strongly recommended as it improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses a small percentage of the FortiGate system memory.

When the cache is full, the least recently used IP address or URL is deleted. A Time To Live (TTL) setting controls the number of seconds web filter and antispam query results are stored in the cache before the server is contacted again.
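The two cache behaviours just described, a per-result TTL and eviction of the least recently used entry once the cache is full, as an added example. This is illustrative code written for this page, not FortiOS code; the capacity, the 1800 second TTL and the sample rating table are constructed for the demonstration, and the server callback stands in for the FortiGuard rating query.

```python
"""Added example (not FortiOS code): a URL/IP rating cache with a TTL on each
stored result and eviction of the least recently used entry when full.
Capacity, TTL and the sample ratings below are constructed for illustration."""
import time
from collections import OrderedDict


class RatingCache:
    """Stores query results keyed by URL or IP; expired or evicted keys go
    back to the server callback on the next lookup."""

    def __init__(self, capacity, ttl_seconds, clock=time.monotonic):
        self.capacity = capacity
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = OrderedDict()   # key -> (rating, expires_at); least recently used first
        self.server_queries = 0         # how often the server had to be asked

    def lookup(self, key, query_server):
        """Return (rating, served_from_cache)."""
        now = self.clock()
        cached = self._entries.get(key)
        if cached is not None:
            rating, expires_at = cached
            if now < expires_at:
                self._entries.move_to_end(key)      # mark as most recently used
                return rating, True
            del self._entries[key]                  # TTL elapsed: ask the server again
        rating = query_server(key)
        self.server_queries += 1
        if len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)       # evict the least recently used entry
        self._entries[key] = (rating, now + self.ttl)
        return rating, False


class FakeClock:
    """Deterministic clock so the TTL behaviour can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed rating table standing in for the FortiGuard server.
SAMPLE_RATINGS = {
    "www.example.com": "business",
    "malware.example.net": "malicious",
    "news.example.org": "news",
}


def fake_server(key):
    return SAMPLE_RATINGS.get(key, "unrated")


def demo_lru():
    """Capacity 2: the third distinct URL evicts the entry used least recently."""
    cache = RatingCache(capacity=2, ttl_seconds=1800, clock=FakeClock())
    hits = []
    hits.append(cache.lookup("www.example.com", fake_server)[1])      # miss
    hits.append(cache.lookup("malware.example.net", fake_server)[1])  # miss, cache now full
    hits.append(cache.lookup("www.example.com", fake_server)[1])      # hit; malware.example.net is now LRU
    hits.append(cache.lookup("news.example.org", fake_server)[1])     # miss; evicts malware.example.net
    hits.append(cache.lookup("malware.example.net", fake_server)[1])  # miss again: it was evicted
    return hits, cache.server_queries


def demo_ttl():
    """TTL 1800 s: a result is reused until 1800 s after it was stored, then refreshed."""
    clock = FakeClock()
    cache = RatingCache(capacity=16, ttl_seconds=1800, clock=clock)
    hits = []
    hits.append(cache.lookup("www.example.com", fake_server)[1])   # miss at t=0
    clock.advance(1799)
    hits.append(cache.lookup("www.example.com", fake_server)[1])   # hit at t=1799
    clock.advance(2)
    hits.append(cache.lookup("www.example.com", fake_server)[1])   # miss at t=1801, refreshed
    return hits, cache.server_queries


if __name__ == "__main__":
    print(demo_lru())   # ([False, False, True, False, False], 4)
    print(demo_ttl())   # ([False, True, False], 2)
```

A cache hit does not renew the expiry in this model: the TTL counts from the moment the result was stored, which is the conservative reading of "stored in the cache before contacting the server again". A longer TTL reduces server queries but also lengthens the time a rating that changed on the server (a site newly classified as malicious, say) keeps being served from the cache.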

Configuring FortiGuard Subscription Services Using the CLI

The CLI can also be used to configure communications with the FortiGuard Distribution Network for FortiGuard Services. By default, FortiGate units connect to the FDN using a set of default connection settings. These settings can be overridden to use IP addresses and port numbers other than the defaults. For example, a FortiManager unit can be used as a local FortiGuard Distribution Server: service updates are downloaded to the FortiManager device, and those updates are redistributed to the FortiGate units.

The following CLI command can be used to view the configuration options for the FortiGuard Services:

    config system fortiguard

FortiGuard Center

The FortiGuard Center is a comprehensive on-line resource providing a rich security knowledge base and technical resources including:
• Spyware, virus, intrusion prevention, web content filtering, and antispam attack library
• Vulnerability encyclopedia which provides detailed descriptions of popular operating systems and applications
• Virus, spam, spyware, and dangerous Web URL Submission Service

The Fortinet FortiGuard Center is where to find timely threat and vulnerability information, as well as other online resources provided by Fortinet's Global Threat Response Team. The FortiGuard Center is updated around-the-clock as new information becomes available. The FortiGuard Center is accessed at the following address: http://www.FortiGuard.com

Lab 6 Fortinet Subscription Services

Objectives

In this exercise, access to the FortiGuard Distribution Network will be configured and services updated.

Tasks

In this lab, the following task will be completed:
• Exercise 1 Enabling FortiGuard Services and Updates

Timing

Estimated time to complete this lab: 10 minutes

Exercise 1 Enabling FortiGuard Services and Updates

Note: This exercise can only be completed if the FortiGate unit has already been registered on the Fortinet Support web site (https://support.fortinet.com).

Note: In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must be configured on the NAT device, otherwise the Push Update feature will not work.

1 In Web Config, go to System > Maintenance > FortiGuard to verify the details of the FortiGuard licensing entitlement for the FortiGate unit. What is the antivirus definition version, expiry, and last update attempt for the FortiGate unit? If only the version field is showing, the FortiGate unit firmware was upgraded recently and there have been no further update attempts.

2 On the FortiGuard Distribution Network page, expand Antivirus and IPS Options and enable a scheduled update for every four hours. Click Apply.

3 Return to the AntiVirus and IPS Options and click Update Now to force the FortiGate unit to obtain the latest antivirus and IPS definitions. This action sends a request to an FDN server. After 3 to 5 minutes, if properly entitled and depending on Internet congestion, the FortiGate unit will receive and install updated definitions. Wait a few minutes, return to System > Maintenance > FortiGuard and check for the new updates. Today's date should appear next to the [Update] link for both AV and IPS Definitions.

The AV and IPS signature databases can also be updated either individually or together through the CLI using the following commands:

    exec update-av     Update AV engine/definitions
    exec update-ips    Update IPS engine/definitions

    exec update-now    Update now

Note: The update-now command is only for updating antivirus and IPS definitions and not for upgrading the system firmware.

Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate unit. To allow push updates, expand AntiVirus and IPS Options, enable Allow Push Update and set the update schedule required.

4 View the CLI settings by entering the following commands in the CLI:

    get system autoupdate schedule
    get system fortiguard

The FortiGuard autoupdate interval was set to 4 hours through Web Config but the CLI shows 4:60. This means that the additional minutes interval will be randomly picked from 0 to 59 minutes, which helps to spread out the request load on the FortiGuard server. An exact hour and minute interval can be set through the CLI as illustrated in this example:

    config system autoupdate schedule
        set time 4:0
    end

Verify the change with:

    show system autoupdate schedule

5 On the FortiGuard Distribution Network page, expand Web Filtering and Email Filtering Options and configure the following FortiGuard service settings:

    Web Filter Cache       Enabled
    Web Filter Cache TTL   1800 seconds (30 minutes)
    Antispam Cache         Enable
    Antispam Cache TTL     900 seconds (15 minutes)
    Port Selection         53 (default)

Click Apply.

Note: By default, FortiGuard uses UDP/53, because this port is almost always open for DNS traffic. If there is another IPS device on the network that is decoding DNS data on port 53, the FortiGuard request/response may trigger an alert, as the data is encrypted. Change to UDP/8888 for FortiGuard communication and ensure upstream devices permit this traffic to pass.

6 Confirm that the FortiGuard Services are reachable by expanding Web Filtering and Email Filtering Options once again and clicking Test Availability to establish connectivity between the FortiGate unit and the FDN server.

7 Before proceeding to the next lab, save the changes to the FortiGate configuration. Go to System > Dashboard > Status and in the System Information widget click the Backup link. Save the file to the local hard disk and change the backup file name to reflect that this backup was created at the end of this lab.


LESSON 7 Threat Management


Lesson 7 Threat Management

The FortiGate unit controls communications and protects network content from vulnerabilities and malicious security threats through the integration of technologies which are normally found in separate products. Threat management features on the FortiGate unit include the following:
• Antivirus
• Intrusion prevention
• Web filtering
• Email filtering
• Data leak prevention
• Application control
• VoIP filtering

Content Scanning Techniques

Two prevailing techniques are used by security software vendors to inspect data in hopes of identifying and blocking malicious content as it enters the organization. These techniques include:
• Flow-based scanning
• File-based scanning

Flow-Based Scanning

Flow-based scanning is a technique where data is inspected as it enters the organization at a packet-by-packet level. This technique uses signatures to match the data being received; if data in the flow matches an existing signature, the data is deemed to be malicious and the transfer is cancelled. Hackers, aware of the operation of flow-based scanners, will deliberately compress or archive their malicious files and content to evade these scanners. Once the file is received by a browser, the file is decompressed for display or execution.

Flow-based scanning vendors may defend the method by claiming that it is easy to write signatures to match the compressed or uncompressed files. This can pose some scalability issues in that the number of signatures developed by the vendor to catch the original and mutant viruses can increase significantly. The signature database will in turn grow to the point where system performance is affected. Some viruses are considered to be polymorphic, meaning they are programmed to mutate themselves by randomizing the use of different algorithms and keying information to create multiple permutations of a virus. Flow-based scanners, with their reliance on static signatures, are at best guessing the contents of the file, increasing the likelihood of false positives and potentially blocking legitimate file traffic. Flow-based techniques do offer marginal performance gains, but these gains are often negated by having to match the stream of data against a large and ever swelling database of virus variants. The performance gains are also weighed against the price of lower detection rates. Flow-based scanning can be enabled on certain specific FortiGate devices through the CLI.

File-Based Scanning

The FortiGate device uses an alternate technique where files are reassembled before application-aware proxy methods are used for file analysis. As data is transferred between the hosts, the FortiGate system intercepts the file fragments as they are delivered to the client who requested the file download. Once all the fragments have been received, the FortiGate unit reassembles the complete file for analysis. If the file is found to be compressed, an unpacker is called upon to expose the true contents of the file. If the file is encrypted, the FortiGate unit emulates the file execution to decrypt the data to the point where the contents are exposed and can be accurately analyzed for threats. The final exposed data is subject to application-specific scanning. This approach allows the FortiGate unit to counteract evasion techniques by unpacking and decrypting files prior to inspection.

By using emulation routines, the FortiGate unit requires just one signature to detect any variation of a polymorphic virus, removing the need to manage a collection of signatures for each permutation of the virus. Only the signature of the exposed file needs to be checked. Using deep-file analysis and proxy-based application engines, the FortiGate unit subjects files to multiple layers of content, protocol and heuristic analysis, allowing the system to detect even the most sophisticated polymorphic content. Fortinet's solution provides protection beyond wild list viruses to include heuristic analysis and file emulation techniques to dynamically detect polymorphic viruses and new threat variants, designed to best capture and thwart any threat. By going the extra length to unpack and decrypt files, the FortiGate method delivers higher detection and accuracy rates, a claim that cannot be made by stream-based vendors. The FortiGate unit's file-based scanning technique has proven to be very effective, and monthly testing by an independent third-party organization (ICSA) shows a 100% capture rate for active viruses on the Internet.

Threat Management Architectural Components

The architectural components involved in threat management on the FortiGate unit include the following:
• Proxies
  • Application proxies
  • SSL proxy
  • Web proxy
  • SSL VPN proxy
• IPS engine
• Scanunit daemon
• URL filter daemon
• Update daemon

Proxies

Application Proxies

Each protocol that can be inspected has a dedicated transparent proxy in the FortiOS architecture. This proxy sits between the client and the server, intercepting all connections (requests and responses). Tasks performed by the application proxies include:

Making Decisions

The proxy, in cooperation with the inspection daemons (antivirus, antispam or web filtering), is responsible for making the decision to buffer, pass or block data passing through the FortiGate based on the policies in place.

Buffering Files

When a client connects to a server and makes a request, it expects to receive data in response. The proxy for certain protocols will buffer the server's response before flushing it to the client. While buffering and flushing, the proxy sends no information to the client and server. A problem arises if the server response is large, or the proxy to server or proxy to client connection is slow, since the buffering or flushing stage can take a relatively long time. This delay can be longer than the minimum timeout dictated by the application protocol. As well, some clients do not follow standards and may close a connection before the minimum timeout interval has elapsed. The client therefore closes the connection without receiving a response.

Splicing is a technique that keeps the client from timing out and closing the connection. This feature sends some of the server's response to the client while buffering it. The final part is withheld from the client while the proxy inspects it. If the response is clean, the final part is sent; if the inspection daemon identifies this portion as infected, the client and server connections are closed after sending any appropriate error responses or replacement message. Depending on the details of the application protocol, the client either discards the incomplete response or accepts the substituted infection notification. Splicing is used for FTP uploads, or for email protocols such as SMTP, POP and IMAP.

To avoid timeouts on HTTP and FTP uploads, a similar technique called client comforting can be used. Client comforting can be fine tuned by configuring the following parameters:
• Interval: time in seconds before client comforting starts after the download or upload has begun. It is also the time between subsequent intervals.
• Amount: number of bytes sent at each interval.

Logging Content, Replacement Messages and File Size Calculations

The proxies are also responsible for logging content, displaying replacement messages when a specific action has been triggered, calculating the file size and taking the corresponding action when oversized file limits are put in place.

SSL Proxy

To provide antivirus, antispam and web filtering inspection on SSL encrypted data streams, an SSL proxy has been introduced. The SSL proxy is used to decrypt and re-encrypt data streams before feeding them to the standard application proxies.

Web Proxy

The FortiGate device can be configured to operate as an explicit web proxy for HTTP and HTTPS sessions through the use of an internal web proxy.

SSL VPN Proxy

The SSL VPN Proxy provides the ability to establish secure connections between remote clients and the FortiGate unit through an SSL VPN. When the connection is established, the FortiGate unit provides access to selected services and network resources through a web portal.

IPS Engine

The IPS engine is responsible for examining traffic and comparing it against known and customized intrusion signatures. The IPS engine and signature database on the FortiGate unit are updated automatically through the FortiGuard Distribution Network.

Scanunit Daemon

The scanunit daemon is responsible for much of the functionality of the threat management system. The scanunit daemon performs the first level of parsing on data arriving at the FortiGate unit. The scanunit daemon will decompress or unpack files received by the FortiGate unit and will examine the files to determine their final uncompressed size. This information is returned to the proxies to allow them to determine if the file is over the size limits in place. If file pattern filtering has been configured on the FortiGate unit, the scanunit daemon will be responsible for checking if the patterns exist. The scanunit will also examine data to determine if any banned words have been used or if any banned ActiveX and Java applets have been used. The antivirus engine is invoked by the daemon to perform scanning on the data and communicate the result of the scan back to the proxies. Based on this result, the proxies will decide which action to take.
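The splicing and client comforting behaviour described above, as an added example that is not part of the course material or FortiOS code. It simulates a proxy receiving a server response in timed chunks: splice_download forwards everything except the last hold bytes and withholds that tail until the buffered file is scanned; comfort_download buffers the whole response and trickles amount bytes to the client every interval seconds. The chunk timings, sizes, the marker string and the scan function are all constructed for the demonstration; the point it makes visible is how many bytes have already reached the client when an infected verdict arrives.

```python
"""Added example (not FortiOS code): a simulation of splicing and client
comforting.  Timings, chunk sizes, the marker and the scan function are
constructed for illustration."""

# Constructed stand-in for a virus signature (not a real malware sample).
VIRUS_MARKER = b"CONSTRUCTED-VIRUS-MARKER"


def signature_scan(data):
    """True if the fully buffered response contains the constructed marker."""
    return VIRUS_MARKER in data


# Constructed server responses: (seconds since the request, bytes received).
CHUNKS_INFECTED = [
    (0, b"HTTP-BODY-PART-1|"),
    (5, b"HTTP-BODY-PART-2|"),
    (12, b"CONSTRUCTED-VIRUS-MARKER|"),
]
CHUNKS_CLEAN = [
    (0, b"HTTP-BODY-PART-1|"),
    (5, b"HTTP-BODY-PART-2|"),
    (12, b"HARMLESS-TRAILER-DATA---|"),
]


def _finish(buffered, to_client, sent, scan, replacement):
    """Scan the complete response; forward the withheld part only if it is clean."""
    leaked = bytes(to_client)            # already on the wire; cannot be recalled
    if scan(bytes(buffered)):
        to_client += replacement         # replacement message, then both connections close
        return {"verdict": "infected", "to_client": bytes(to_client), "leaked": leaked}
    to_client += buffered[sent:]
    return {"verdict": "clean", "to_client": bytes(to_client), "leaked": leaked}


def splice_download(chunks, hold, scan=signature_scan, replacement=b"[blocked]"):
    """Forward all but the last `hold` bytes as they arrive; hold the tail for the verdict."""
    buffered, to_client, sent = bytearray(), bytearray(), 0
    for _arrival, data in chunks:
        buffered += data
        forwardable = max(len(buffered) - hold, sent)
        to_client += buffered[sent:forwardable]
        sent = forwardable
    return _finish(buffered, to_client, sent, scan, replacement)


def comfort_download(chunks, interval, amount, scan=signature_scan, replacement=b"[blocked]"):
    """Buffer the response; every `interval` seconds send `amount` buffered bytes."""
    buffered, to_client, sent = bytearray(), bytearray(), 0
    next_comfort = interval                  # first trickle `interval` s after the start
    for arrival, data in chunks:
        while next_comfort <= arrival:       # comfort deadlines that passed while waiting
            piece = buffered[sent:sent + amount]
            to_client += piece
            sent += len(piece)
            next_comfort += interval
        buffered += data
    return _finish(buffered, to_client, sent, scan, replacement)


if __name__ == "__main__":
    for label, chunks in (("infected", CHUNKS_INFECTED), ("clean", CHUNKS_CLEAN)):
        s = splice_download(chunks, hold=16)
        c = comfort_download(chunks, interval=10, amount=8)
        print(label, "splice leaked", len(s["leaked"]), "bytes ->", s["verdict"])
        print(label, "comfort leaked", len(c["leaked"]), "bytes ->", c["verdict"])
```

With the constructed 59 byte infected response, splicing with a 16 byte hold has already delivered 43 bytes when the verdict arrives, and comforting with interval 10 and amount 8 has delivered 8. Neither technique can take those bytes back; the replacement message only tells a well-behaved client to discard what it received. When tuning interval and amount, the product of amount and the number of intervals that elapse during a transfer is the upper bound on what a client sees of a file that is later blocked.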

When file quarantine is configured, the scanunit will determine if the file matches the quarantine requirements. The file checksum values will be calculated and compared to the values for known viruses. When a virus is detected, the update daemon will report its existence back to the FortiGuard Service in order to maintain the active and extended virus database contents. The antispam engine is also invoked by the daemon to perform various filtering techniques depending on the mail protocol used.

URLFilter Daemon

The URLFilter Daemon will query the FortiGuard service for URL ratings on behalf of the proxy and will calculate and forward the appropriate action as described in the protection profile.

Update Daemon

The update daemon will query for, and download, signature and engine updates.


LESSON 8 Antivirus


Lesson 8 Antivirus

The antivirus capabilities of the FortiGate unit detect and eliminate viruses, worms, trojans, and other threats from content as it passes through the FortiGate unit. The FortiGate unit scans incoming and outgoing email attachments (SMTP, POP3, IMAP) and all FTP and HTTP traffic, including web-based email, in real-time, without degrading web performance. Antivirus gateways close the vulnerability window by stopping viruses, trojans, spyware and worms before they enter the network. The FortiGate unit uses virus definitions to detect and remove viruses.

Virus Types

A computer virus infects a computer without the permission or knowledge of the user. While the term virus is used generically to define any infectious software, threats can vary.

Virus

A true virus is a self-replicating piece of programming code spread through the network when executable code is passed to another computer by a user on the infected computer. The user unknowingly sends the data over the network or the Internet, or carries it on a removable device such as a CD, DVD, or USB drive. Viruses are usually malicious, and can cause a variety of damage to the infected computer such as deleting data, reformatting the hard drive or passing control of the computer to a hacker.

Trojan

An application contains a trojan when it unloads hidden programs, scripts, or any number of commands without the user's knowledge or consent. Trojans often appear to perform a desirable function, but in fact perform undisclosed malicious functions, such as allowing unauthorized access to the host machine. Malicious trojans conceal and install applications on an affected computer. A trojan is not really a virus, since the code is not self-replicating.

Worm

A worm is a self-replicating computer program that exploits network weaknesses to send copies of itself to other computers on the network without any user intervention. Unlike a virus, worms do not need to attach themselves to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Antivirus Elements

The antivirus elements work in sequence to provide an efficient method of scanning incoming files. These elements work together to offer the network strong virus protection. Some elements have specific functions: the virus scan, for example, uses virus definitions to detect known viruses, while heuristics is used to cover any new, previously unknown, virus threats. The FortiGate unit performs antivirus processing in the following order:
• File size
• File pattern
• Virus scan
• File type
• Grayware
• Heuristics

The antivirus scan starts from the least resource-intensive element and proceeds to the most resource-intensive element. If a file fails any of the elements of the antivirus scan, it is stopped and a replacement message is sent to the end user. No other levels of protection are applied, saving system resources for other processing operations. For example, if the file fakefile.exe is recognized as a blocked pattern, the grayware and heuristic scans will not be performed, as the file has already been found to be a threat and has been dealt with. To ensure that the system is providing the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard Subscription Services.

File Size

The size of a file will be checked against preset thresholds and the file will be blocked if it is outside the allowed range. This check is performed first, as further checks against the file will not be necessary on oversized files. File size checks are enabled through Protocol Options.

File Pattern

Once the full file is received, the FortiGate unit verifies the file against the file pattern filter. File filters should be configured to block all files that are a potential threat and to prevent active computer virus attacks. If the file is a blocked pattern, .exe for example, there is no need to use further system resources on the file at this time. If the file is not a blocked pattern or type, the next level of protection is applied.

Virus Scan

If the file is passed by the file pattern filter, a virus scan will be applied to it. The virus definitions are kept up to date through the FortiGuard Subscription Services. If a virus is found, the FortiGate unit will send the end user a replacement message and the file will be deleted or quarantined; no further scans are performed.

File Type

In addition to file pattern checking, the FortiGate unit can be configured to analyze the file and determine its type, regardless of the file name. A list of predefined types is available on the FortiGate unit.

Grayware

Once past the file pattern filter, file type filter and the virus scan, the incoming file will be checked for grayware. Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends.

Heuristics

After an incoming file has passed the grayware scan, it is subjected to a heuristics scan. The FortiGate heuristic engine performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
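The ordered, short-circuiting sequence of the six antivirus elements, as an added example that is not part of the course material or FortiOS code. Each element is a small function in the order the text gives, and scan_file stops at the first element that blocks the file, so the result also records which elements actually ran. The size limit, the blocked patterns and types, the SHA-256 "signatures" standing in for definition-based virus and grayware detection, the magic-byte type sniffing and the two heuristic rules are all constructed for the demonstration and are far simpler than the real engine.

```python
"""Added example (not FortiOS code): the six antivirus elements run in the
order the text gives, cheapest first, stopping at the first that blocks.
Thresholds, patterns, hash "signatures" and heuristic rules are constructed."""
import fnmatch
import hashlib

MAX_FILE_SIZE = 1024                      # bytes; constructed oversize limit
BLOCKED_PATTERNS = ["*.exe", "*.bat", "*.scr"]
BLOCKED_TYPES = {"elf"}                   # file-type filter, independent of the name

# Hash-based stand-ins for definition-based detection (constructed samples).
VIRUS_SAMPLE = b"constructed-virus-sample-not-real-malware"
GRAYWARE_SAMPLE = b"constructed-adware-installer-not-real-software"
VIRUS_SIGNATURES = {hashlib.sha256(VIRUS_SAMPLE).hexdigest()}
GRAYWARE_SIGNATURES = {hashlib.sha256(GRAYWARE_SAMPLE).hexdigest()}

MAGIC = [(b"MZ", "exe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip"),
         (b"\x1f\x8b", "gzip"), (b"GIF8", "gif"), (b"\x89PNG", "png")]


def sniff_type(data):
    """Determine the type from leading bytes, regardless of the file name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def stage_file_size(name, data):
    return len(data) > MAX_FILE_SIZE


def stage_file_pattern(name, data):
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in BLOCKED_PATTERNS)


def stage_virus_scan(name, data):
    return hashlib.sha256(data).hexdigest() in VIRUS_SIGNATURES


def stage_file_type(name, data):
    return sniff_type(data) in BLOCKED_TYPES


def stage_grayware(name, data):
    return hashlib.sha256(data).hexdigest() in GRAYWARE_SIGNATURES


def stage_heuristics(name, data):
    """Toy rules: an executable header behind a document extension, or script
    content that decodes and executes itself at load time."""
    ext = name.lower().rsplit(".", 1)[-1]
    looks_executable = sniff_type(data) in ("exe", "elf")
    return (looks_executable and ext in ("txt", "doc", "pdf", "jpg")) or \
           (b"eval(" in data and b"unescape(" in data)


# Least to most resource-intensive, in the order the text gives.
PIPELINE = [("file size", stage_file_size), ("file pattern", stage_file_pattern),
            ("virus scan", stage_virus_scan), ("file type", stage_file_type),
            ("grayware", stage_grayware), ("heuristics", stage_heuristics)]


def scan_file(name, data):
    """Run the elements in order; stop at the first one that blocks the file."""
    stages_run = []
    for stage, check in PIPELINE:
        stages_run.append(stage)
        if check(name, data):
            return {"action": "block", "stage": stage, "stages_run": stages_run}
    return {"action": "pass", "stage": None, "stages_run": stages_run}


if __name__ == "__main__":
    samples = [("fakefile.exe", b"MZ\x90\x00"), ("huge.bin", b"A" * 2000),
               ("payload.bin", VIRUS_SAMPLE), ("tool.bin", b"\x7fELF\x02\x01\x01"),
               ("toolbar.bin", GRAYWARE_SAMPLE), ("invoice.txt", b"MZ\x90\x00\x03"),
               ("report.pdf", b"%PDF-1.4 hello")]
    for name, data in samples:
        print(name, scan_file(name, data))
```

The fakefile.exe case from the text stops after two elements; only a file that survives everything else reaches the heuristic rules, which is where the renamed executable invoice.txt is caught because the type sniffing ignores the name. Note the consequence of the ordering for the two checks that look at content: the file type filter only runs on files the definition-based scan did not already recognise, so a blocked type that is also a known sample is reported as a virus hit rather than a type block.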

File Filters

File filters are configured to block files that are a potential threat and to prevent active computer virus attacks. Files can be blocked by name, extension, or any other pattern. In addition to the built-in patterns provided by default on the FortiGate unit, customized file patterns can be added to the File Pattern List. File pattern entries are not case sensitive. For example, adding *.exe to the File Pattern List will block any files ending in .exe. In addition to file pattern checking, the FortiGate unit can analyze a file and determine its type, regardless of the file name. The list of types available to filter against is pre-configured on the FortiGate unit.

If both File Filter and Virus Scan are enabled, the FortiGate unit will block files that match the enabled file filters and will not pass those files along to be scanned for viruses. When a file is blocked by the file filter, the FortiGate unit writes a message to the virus log and sends an alert email message if configured to do so.

File Filter Actions

The FortiGate unit can apply one of the following actions to files that match a configured pattern or type. Files are compared to enabled file patterns from top to bottom.

Block

If the file filter action is set to Block, the file will be stopped and a replacement message will be sent to the user. If a file does not match any specified patterns, it is passed along to antivirus scanning. In effect, files are allowed if not explicitly blocked.

Allow

If the file filter action is set to Allow, a matching file will be allowed to pass and the next antivirus action will be performed. Using the Allow action, the default behavior can be reversed, with all files being blocked unless explicitly passed. Simply enter all the file patterns to be passed with the Allow attribute. At the end of the list, an all-inclusive wildcard (*.*) can be added with a Block action. Files that were allowed continue to antivirus scanning, while files not matching any allowed patterns are blocked by the wildcard at the end.

Defining File Filters

Multiple File Filter Lists can be added on the FortiGate device and the appropriate list can be selected within individual antivirus profiles. To view the list of file filters currently available on the FortiGate unit, go to UTM > Antivirus > File Filter. To view or modify any individual file filter, click to select the filter from the list and click Edit, or double-click the entry.

New file filters can be defined by clicking Create New on the File Filter List page and assigning a name for the filter. Click OK. New File Patterns or File Types can then be defined.

File Pattern Filtering

File patterns can be up to 80 characters long. The maximum number of file patterns in a list is 5000. A pre-defined File Pattern List called built-in patterns contains common file patterns to block. To view these patterns, click to select the built-in pattern list and click Edit, or double-click the entry. Click the arrow to expand the File Patterns list. To enable the blocking of a pattern in this list, click the checkbox for the name of the pattern and click Enable.

To create a new file pattern filter, click Create New and define the parameters of the file pattern filter as needed.

    Filter Type    Select File Name Pattern.
    Pattern        Type the pattern to filter against.
    Action         Select Allow or Block.
    Enable         Click to enable the filter.

File Type Filtering

To filter based on a file type, click Create New and define the parameters of the filter, selecting a file type from the pre-defined list.

    Filter Type    Select File Type.
    File Type      Select the File Type to be filtered from the list.
    Action         Select Allow or Block.
    Enable         Click to enable the filter.

Only supported file types can be used in the filter. File types available for selection include:

    File Type                     Values
    Archive                       arj, bzip, bzip2, cab, gzip, lzh, rar, tar, zip
    Batch File                    bat
    Common Console Document       msc
    Encoded Data                  base64, binhex, mime, uue
    Executable                    elf, exe
    HTML Application              hta
    HTML File                     html
    Java Application Descriptor   jad
    Java Compiled Bytecode        cod
    Javascript File               javascript
    Microsoft Office              msoffice
    Packer                        aspack, fsg, petite, upx
    Palm OS Application           prc
    Symbian Installer             sis
    System File
    Windows Help File             hlp
    activemime                    activemime
    Images                        bmp, gif, jpeg, png, tiff
    Ignored Filetype              ignored
    Unknown Filetype              unknown

The Ignored Filetype is used for traffic that the FortiGate unit typically does not scan, including streaming audio and video. The Unknown Filetype is used for any file type that is not listed in the table.
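Evaluation of an ordered file filter list, covering the File Filter Actions section above (top-to-bottom matching, Allow and Block, the reversal with a trailing *.* Block entry, case-insensitive patterns) and the file type filtering just described (a type entry matches the type the scanner determined, whatever the name). This is an added example, not the course material's or FortiOS's own code. The two lists, the file names and the type strings passed in are constructed; the type is taken as already determined by the scanner rather than sniffed here.

```python
"""Added example (not FortiOS code): ordered file filter evaluation with
Allow/Block actions and file type entries.  Lists and inputs are constructed."""
import fnmatch


def filter_entry(kind, value, action, enabled=True):
    return {"kind": kind, "value": value, "action": action, "enabled": enabled}


def evaluate_file_filter(filename, file_type, filters):
    """Return (action, index) for the first enabled entry that matches, or
    ("allow", None) when nothing matches and the file goes on to antivirus scanning."""
    name = filename.lower()
    for index, entry in enumerate(filters):
        if not entry["enabled"]:
            continue                                  # listed but not enabled: skipped
        if entry["kind"] == "pattern":
            matched = fnmatch.fnmatchcase(name, entry["value"].lower())
        elif entry["kind"] == "type":
            matched = file_type == entry["value"]     # name plays no part
        else:
            raise ValueError("unknown filter kind: %r" % entry["kind"])
        if matched:
            return entry["action"], index
    return "allow", None


# Default behaviour: files are allowed unless explicitly blocked.
BLOCK_LIST = [
    filter_entry("pattern", "*.exe", "block"),
    filter_entry("pattern", "*.bat", "block", enabled=False),   # present but disabled
    filter_entry("type", "elf", "block"),                       # type match, any name
]

# Reversed behaviour: only listed patterns/types pass; the trailing *.* blocks the rest.
ALLOW_LIST = [
    filter_entry("pattern", "*.pdf", "allow"),
    filter_entry("type", "msoffice", "allow"),
    filter_entry("pattern", "*.*", "block"),
]


def demo():
    cases = [
        ("Setup.EXE", "exe", BLOCK_LIST),        # blocked by *.exe, case-insensitively
        ("script.bat", "unknown", BLOCK_LIST),   # the *.bat entry is disabled: allowed
        ("photo.jpg", "elf", BLOCK_LIST),        # type filter ignores the misleading name
        ("notes.txt", "unknown", BLOCK_LIST),    # no match: allowed, continues to AV scan
        ("report.pdf", "unknown", ALLOW_LIST),   # explicitly allowed
        ("budget.xls", "msoffice", ALLOW_LIST),  # allowed by type
        ("tool.exe", "exe", ALLOW_LIST),         # caught by the trailing *.* block
    ]
    return [(name, evaluate_file_filter(name, ftype, lst)) for name, ftype, lst in cases]


if __name__ == "__main__":
    for name, verdict in demo():
        print(name, verdict)
```

Order is everything in the reversed list: moving the *.* Block entry above the Allow entries blocks every file, because the first match wins. One property of this simulation worth checking against the device rather than assuming: fnmatch only matches *.* to names that contain a dot, so a name without an extension would fall through to the default allow here; whether the FortiGate wildcard behaves the same way is not stated on this page.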

Virus Databases

The FortiGate unit uses virus definitions to detect threats as content passes through the FortiGate unit. The virus definitions on the FortiGate unit are refreshed every time the FortiGate unit receives an update from the FortiGuard Server. A valid FortiGuard Subscription Services license is required to receive antivirus definition updates once the initial one-month trial period has expired. Three different virus databases can be enabled on the FortiGate unit. To view the database information, go to UTM > Antivirus > Virus Database.

Regular Virus Database

The Regular Virus Database includes the most commonly seen viruses on the network. These viruses are referred to as being "in the wild" since FortiGuard Subscription Services has detected recent activity for the viruses. This database is usually adequate for virus filtering on most networks.

Extended Virus Database

The Extended Virus Database is used in enhanced security environments, since it contains viruses which are displaying current activity plus "zoo" viruses, for which FortiGuard Subscription Services has not detected any recent activity but which have been found in the past.

Flow-Based Virus Scanning

Flow-based virus scanning provides an alternative to the file-based scanning methods traditionally used on the FortiGate unit. With flow-based scanning, files are scanned for viruses as they are read by the device, improving performance over file-based virus scanning but with a lower catch rate.

Flow-based virus scanning is available on certain specific device models and is enabled through the CLI using the following commands:

    config antivirus settings
        set default-db flow-based
    end

Updating the Antivirus Definitions

Usually the antivirus definitions are updated automatically through the FortiGuard Subscription Services. The antivirus definitions can also be updated manually by clicking Update Now in the Antivirus and IPS Options. Go to System > Maintenance > FortiGuard to view the details of the antivirus definitions currently in use on the FortiGate unit. A valid FortiGuard Subscription Services license is required to receive antivirus definition updates once the initial one-month trial period has expired.

See Lesson 6 - FortiGuard Subscription Services for further details on updating antivirus definitions.

Grayware

The FortiGate unit scans for known grayware executable programs. Grayware detection is enabled through the Virus Database list. All Grayware categories are filtered on when Grayware Detection is enabled. The list is refreshed whenever the FortiGate unit receives a virus update package.

Grayware Categories

Grayware filtering is applied to a variety of program types.

Adware
Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used. This advertising content may take many forms, but is typically in the form of browser pop-up advertisements. Under most circumstances a user is not aware of the adware component being installed on the local machine; it may be surreptitiously installed along with a desired piece of software or as an upgrade for additional functionality in one's web browsing software. There can be a fine line between Adware and Spyware, as often adware contains a spyware component.

Browser Helper Objects
Browser Helper Objects (BHO) are supplementary applications or plug-ins designed to add additional capabilities to a web browser. An operating BHO can be undetectable to a user during regular browser use and can control the behavior of Internet Explorer. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information. BHOs can be used for malicious purposes: they can capture search results, change the default web page, install software without user knowledge, display advertisements, and so forth.

Dialers
Dialers can be used to make unwanted calls through a user's modem or Internet connection. In the event that a dialer is installed, a user may discover unexpected toll charges on their phone bill, as dialers allow others to use the PC modem to call premium numbers or make long distance calls.

Downloaders
Downloaders are malicious applications that retrieve files, such as advertising and dial software, from a remote location. Typically the files are for local installation. A downloader application is under most circumstances stealthily installed without user consent, knowledge, or educated consent. There are also times when a downloader will be installed during the installation of a desired program. One of the signs that a downloader is operating on a host is the detection of a spurious connection attempt by a personal firewall. Under many circumstances this connection is initiated by an unrecognized application.

Games
Games are computer programs that are intended for computer users' pastime. Games are usually joke or nuisance games that could be blocked from network users. Many corporate environments have policies prohibiting the possession of such software.

Hacker Tools
Hacker tools are typically used for security auditing and analysis. They do, however, have an alternative purpose: such tools are also used to subvert existing network and host security. Hacker tools can also be downloaded to crack server password files, or overwhelm network servers.

Hijackers
These are applications that manipulate the web browser or other settings to change the user's favorite or bookmarked sites, start pages, or menu options. Some hijackers have the ability to manipulate DNS settings to reroute DNS requests to a malicious DNS server. As with most forms of spyware, a hijacker is typically installed without the user's knowledge.

Jokes
These are applications typically received by email. The intent of joke software is to cause the user confusion and/or distress. Jokes will often cause undesired visual effects on the user's display. Some jokes alter the look of the display by changing color schemes or backgrounds. Others will open a large number of Internet browser windows, or display inappropriate content on the screen. Joke programs can include custom cursors and programs that appear to affect the system. Jokes have been reported that analyze the host system, seemingly scanning for viruses. Once finished, the joke may inform the user that a selection of randomly selected files are viruses.

Keyloggers
Keyloggers are applications that log input to the computer through the keyboard and/or mouse. Under most circumstances, keylogger applications are operating in an obscured manner. The keylogger may record the information locally for later retrieval. Alternatively, some keyloggers will transmit data to a third party in a remote location. These applications can be used to capture passwords, record instant messaging conversations, send email and so forth. Keylogging applications under many circumstances are downloaded and installed purposefully by a malicious user.

Misc
These applications or components are uncategorized due to multiple functionalities, or otherwise non-malicious behavior. These applications may also qualify as Grayware.

NMT
These are applications that could be used for malicious purposes. They may function as applications that alter network settings, disrupt network security, or possibly cause other forms of network disruption. These applications could also be used for legitimate purposes or in-house research such as risk management amplitude tests.

P2P
These are applications that are installed to perform file exchanges. P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files. Some P2Ps are being used as an entry point for viruses.

Plugins
These are applications that are aimed to add additional programs or features to an existing application in an attempt to control, record, and send browsing preferences or other information back to an external destination.

Remote Access Tools
Remote Access Tools (RAT) allow outside users to remotely change and monitor a computer or network.

Spyware
Spyware typically refers to the component of an adware that is responsible for tracking a user's activities. Typically, the activities the author of the spyware is interested in are those performed online. The spyware component will usually report online activities to a central server. This network can then compile a profile of the user's activities. Targeted advertising can then be displayed based on the user's online habits. Under rare circumstances the spyware can be particularly malicious in that it can report very detailed activities to a third party. This may include personally identifiable data.

Toolbars
Toolbars are applications installed into a user's Internet browser. Under most circumstances Toolbars are not hidden from plain view. Toolbars are often installed to augment the capabilities of Internet browsing software, often allowing easier or faster access to content. This may take the form of offering such things as a search box, or perhaps buttons allowing access to often-visited web sites. Toolbars are offered by many legitimate companies for harmless reasons. Toolbars can however be used to cause undesired browser behavior. Some toolbars work with adware. Still others, like BHOs, may re-direct search results, or send personally identifying data or user browsing habits to a third party.

Heuristics

After an incoming file has passed the first three antivirus elements, it is subjected to a heuristics inspection. The FortiGate heuristic engine performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.

Quarantine

FortiGate units with a local disk can quarantine blocked and infected files. FortiGate units without a local disk can quarantine blocked and infected files to a FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can be retrieved for viewing. The Quarantined File List displays the file name and status information about the file that has been quarantined. Also, specific files can be submitted and file patterns added to the AutoSubmit list for automatic uploading to Fortinet for further analysis.

Quarantine Options

Go to UTM > Antivirus > Quarantine to configure the quarantine options. Infected, suspicious and blocked files can be quarantined based on their protocol. When quarantining to a local disk, define the attributes for the quarantined files.

Quarantine Infected Files     Select the protocols to be filtered for infected files.
Quarantine Suspicious Files   Select the protocols to be filtered for suspicious files.
Quarantine Blocked Files      Select the protocols to be filtered for blocked files.
Quarantine To                 Select the destination for the Quarantined Files, either the hard disk on the FortiGate unit or a FortiAnalyzer device.
Max Filesize to Quarantine    The file quarantine will be limited to the size defined here. Files beyond this limit will not be able to be quarantined.

Disk Age Limit                Quarantine files will be kept on the disk for the time limit defined.
Low Disk Space                When disk space becomes limited, older files can be overwritten or new files can be dropped.
Enable AutoSubmit             Enable to allow the FortiGate unit to submit suspicious files to FortiGuard Subscription Services for further analysis.

When quarantining to a FortiAnalyzer device, only the following attribute needs to be defined:

Max Filesize to Quarantine    The file quarantine will be limited to the size defined here. Files beyond this limit will not be able to be quarantined.

Quarantined Files List

The Quarantined Files list displays information about each file quarantined as a result of virus infection or file blocking. The list can be sorted by file name, date, service, status, duplicate count, or time to live (TTL). The list can also be filtered to view only Quarantined Files with a specific status or from a specific service. To view the Quarantined Files list, go to Log&Report > Archive Access > Quarantine.

Quarantine Virus Senders

Clients sending viruses can also be quarantined based on their source IP address or interface. In the antivirus profile, enable Quarantine Virus Sender (to Banned User List).

Banned User List

The Banned User list displays all quarantined users and can be used by the administrator to selectively release users from quarantine. Depending on the quarantine settings, the user's quarantine might apply only to particular traffic, such as traffic to the victim of an IPS attack. Optionally, quarantine can be configured to expire after a selected time period. To view the Banned User List, go to User > Monitor > Banned User.

Antivirus Profiles

Antivirus operations to be applied to network traffic are defined through antivirus profiles. The antivirus profiles are in turn enabled within firewall policies; any traffic being examined by the policy will have the antivirus operations applied to it.

To view the list of antivirus profiles on the FortiGate unit, go to UTM > Antivirus > Profile. To view or modify an antivirus profile, select it in the list and click Edit, or double-click the entry.

New antivirus profiles can be defined by clicking Create New on the Antivirus Profile List. Define the parameters of the profile.

Name                      Enter a name for the antivirus profile.
Virus Scan                Identify the protocols to be scanned for viruses. Click Logging if virus activity is to be logged.
File Filter               Identify the protocols to be scanned for file filter matching. The File Filter List to be used within this antivirus profile is selected from the Options column. Click Logging if file filter matching activity is to be logged.
Quarantine                Identify the protocols to be scanned for quarantine matching. Click Logging if quarantine activity is to be logged.
Quarantine Virus Sender   Check to add the sender of a virus to the Banned User List. The user's source IP address or the interface of the incoming virus can be used as the basis for the quarantine. The length of time for the quarantine can be defined as a period of minutes or indefinitely.

Enabling Antivirus Profiles in Firewall Policies

The antivirus profile used to enable the antivirus elements is identified when a firewall policy is created. Any traffic passing through the firewall when the policy is in use will be filtered based on the elements identified in the antivirus profile.

Click to enable UTM filtering in the policy. Click to enable Antivirus filtering and select the name of the antivirus profile. A Protocol Options list must be selected when Antivirus is enabled. Click Edit to modify the attributes of the antivirus profile directly from the New Policy window.

Antivirus Suggested Practices

Oversize Threshold
To optimize memory utilization, configure the FortiGate unit to buffer one to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver. The FortiGate unit sends a replacement message for an oversized file or email attachment to the HTTP or email proxy client. Administrators can block oversized files by selecting block for Oversized File/Email in the Protocol Options window. Consider reducing the Oversize Threshold memory settings if the FortiGate unit shows persistently high memory usage. This is particularly important if the FortiGate unit is frequently entering conserve mode. Consider lowering thresholds on some protocols (for example, mail protocols and HTTP), leaving a higher threshold on FTP.

File Pattern Checking
Blocking based upon file patterns can improve the overall performance of the FortiGate unit by avoiding the need to scan the file.

Note: Use of the file filters can adversely affect the ability of individual proxies to perform early detection of streaming media and bypass buffering of files. If streaming media needs to be passed, disable file filters to ensure that the streaming media is not buffered.

Scanning (General)
To optimize performance, avoid scanning files twice. This is of particular importance with email. Where possible, scan email either as it arrives at the mail server or as it is retrieved by the client, rather than on both occasions.

Quarantine
Use quarantine if false positives are anticipated and there is a need to be able to release files to end users or conduct further antivirus analysis/submission.

Content Archive
Full content archiving can place great demands on storage capacity and on the network used to transmit the data. Consider using summary-level content archiving and/or use content archiving selectively unless transaction archiving is required for auditing purposes. If full archiving for all traffic is required, make sure that any remote logging device is located in close proximity to the FortiGate unit, using a dedicated network interface on the FortiGate device.

Lab 7 Antivirus Scanning

Objectives
In this exercise, global antivirus settings will be explored including:
• Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services.
• Enabling file pattern blocking.
• Enabling Grayware scanning.
• Setting up file quarantine with the FortiAnalyzer device.
• Customizing antivirus replacement messages.
• Enabling antivirus scanning for web proxy server.

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Configuring Global Antivirus Settings
• Exercise 2 Configuring an Antivirus Profile
• Exercise 3 Testing Antivirus Scanning for HTTP

Timing
Estimated time to complete this lab: 20 minutes

Exercise 1 Configuring Global Antivirus Settings

1 Confirm that the FortiGate Antivirus Database versions are up-to-date. Go to the FortiGuard Center web page at the following address: www.fortiguard.com
  Locate and note the current database version shown in the Update Center pane of the FortiGuard Center web page.

2 From Web Config, go to System > Maintenance > FortiGuard. Locate the AV Definitions version information for the FortiGate unit. This information can also be accessed from the License Information widget at System > Dashboard > Status. The equivalent CLI commands are:
    get system status
    diagnose autoupdate versions

3 If required, update the AV definition versions by going to System > Maintenance > FortiGuard. Expand Antivirus and IPS Options. Click Update Now.
  Note: The update may take several minutes to complete. In the meantime, continue with the lab.

  The equivalent CLI commands to invoke an FDN check and AV/IPS update are as follows:
    exec update-av
    exec update-now

4 To help slow the spread of potentially malicious viruses and unauthorized program applications from being installed, go to UTM > AntiVirus > File Filter. Select the builtin-patterns list and click Edit or double-click the entry in the list. Expand File Patterns and select the *.exe and *.com file patterns. Click Enable. Click OK.
  All *.exe and *.com files will be blocked from being downloaded from the web, by FTP, as well as all email attachments.

5 Go to UTM > AntiVirus > Virus Database. Enable Grayware Detection to scan for malicious grayware-type installers. Click Apply.

6 File quarantine is available if the FortiGate unit model has an internal hard disk or if a FortiAnalyzer device is available. Go to UTM > AntiVirus > Quarantine and enable quarantine to Disk. (If using a FortiGate device without a hard disk, enable quarantine to the online FortiAnalyzer device.) Configure the quarantine settings as follows:
    Quarantine Infected Files     enable all protocols
    Quarantine Suspicious Files   enable all protocols
    Quarantine Blocked Files      enable all protocols
    Max Filesize to Quarantine    50 MB
    Disk Age Limit                168 hours (7 days)
    Low Disk Space                Overwrite oldest file
  Click Apply.

7 Replacement messages are substituted for the infected file when the FortiGate antivirus engine detects a virus. Go to System > Config > Replacement Message. Expand HTTP. In Web Config, click Edit to view the default Virus message and File block messages for HTTP. Alternately, display the same Replacement Messages in the CLI with the following command:
    show system replacemsg http [http-virus/http-block/...]
  Note: Some replacement messages are stored in raw HTML code. An external HTML editor can be used to create the replacement message and then copy and paste the resulting HTML code into the FortiGate replacement message text windows. Make sure that the correct syntax is used and preserve the existing HTML tags.

Exercise 2 Configuring an Antivirus Profile

1 Go to UTM > Antivirus > Profile. Click Create New and assign the following settings to the profile:
    Name          Standard
    Virus Scan    Enable all protocols and Logging.
    File Filter   Enable all protocols and Logging. Select builtin-patterns from the Options drop-down list.
    Quarantine    Enable all protocols.
  Click OK.

2 Go to Firewall > Policy > Policy. Modify the default policy to enable UTM. Enable Antivirus and select the Standard antivirus profile. A Protocol Options list must be selected when Antivirus is enabled; select the default list. Click OK.

Exercise 3 Testing Antivirus Scanning for HTTP

1 In a web browser, type the following address: http://eicar.org

2 On the page presented, click the Anti-Malware Test File link and attempt to download the eicar.com file. This file does not contain a real virus but will trigger a virus or grayware signature and will be stopped by the FortiGate unit. The HTTP Virus message is shown when the files that are infected or blocked have been quarantined. In the message that is displayed, there is a link to the Fortinet Virus Encyclopedia that provides information about the detected virus.
  Note: There may be policies in place from previous exercises that could allow the files to be downloaded. If the above steps do not work, go to the firewall policies and ensure that all policies other than the default are disabled.

3 Go to Log&Report > Archive Access > Quarantine. The files that have been quarantined will be listed.

4 Go to Log&Report > Log Access > Antivirus. Click Disk to view the Antivirus event messages.

LESSON 9 Email Filtering

www.fortinet.com


Lesson 9 Email Filtering

Email filtering can be configured to manage unsolicited commercial email by detecting spam email messages and identifying spam transmissions from known or suspected spam servers.

To judge an email message as spam is quite subjective. Most people easily agree on some email messages as being spam, such as Viagra ads and Nigerian scam messages. Some may include all advertisements and newsletters as spam; others may consider newsletters as legitimate email.

FortiGuard uses the industry standard's definition of spam as Unsolicited Bulk Email (UBE). Unsolicited means that the recipient has not granted verifiable permission for the message to be sent and the sender has no discernible relationship with all or some of the recipients. Bulk means the message is sent as part of a larger collection of messages, all having substantively identical content. A message is considered spam if it is both unsolicited and bulk. Unsolicited email can be normal email, such as first contact enquiries, job enquiries, and sales enquiries. Bulk email can be normal email, such as subscriber newsletters, customer communications and discussion lists. The message content is generally irrelevant in determining whether a message is spam, though most are commercial in nature.

Generally, an email message is considered to be spam if:
• The recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients.
• The recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.

FortiGuard uses spam probes located around the world to attract spam email. This information is continuously updated to ensure accurate spammer lists and improves spam detection rates.

Email Filtering Actions

The FortiGate unit can either tag or discard email that it determines to be spam. Each email filter passes the email to the next filter if no matches or problems are found. Any email filter action can be logged to the event log.

Tag
Tagging affixes a custom word or phrase to the subject line, or a MIME header and value into the body, of email identified as spam. To affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including the tag, to UTF-8 by default. This improves the display for some email clients that cannot properly display subject lines that use more than one encoding.

Discard
Discarding immediately drops the connection. For SMTP, if virus scanning is enabled, spam email can only be discarded. If virus scanning is not enabled, SMTP spam can be either tagged or discarded.

Email Filtering Methods

The FortiGate unit will filter email based on a variety of methods.

IP Address Check
FortiGuard provides a spam IP address blacklist. The FortiGuard service extracts the SMTP mail server source address and sends the IP address to a FortiGuard server to see if this IP address matches the list of known spammers. If the IP address is found, FortiGuard terminates the session. If FortiGuard does not find a match, the mail server sends the email to the recipient. Fortinet keeps the FortiGuard IP blacklist up-to-date as new spam sources are found.

URL Check
FortiGuard Subscription Services provides a spam URL blacklist. Spam messages often contain URL links to advertisements (also called spamvertizing). The FortiGuard service checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard server to see if any are listed. If a URL match is found, the email is marked as spam and the action selected in the email filter profile is taken. If FortiGuard does not find a match, the mail server sends the email to the recipient. Fortinet keeps the FortiGuard URLs up-to-date as new spam sources are found.

Email Checksum Check
FortiGuard Subscription Services provides an email message checksum blacklist. This filtering method calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is on the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response.

Black/White List
The Black/White list can check incoming IP and email addresses against the configured spam filter IP and Email Address List (SMTP only). An administrator can add to and edit IP and email addresses in the list and can configure the action to take as spam, clear, or reject for each IP address. The filter checks each IP address in sequence. An IP address can be placed anywhere in the list.

HELO DNS Lookup
An administrator can enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address, the FortiGate unit terminates the session.

Return E-mail DNS Check
An administrator can enable or disable checking the incoming email return address domain against the registered IP address in the Domain Name Server. If the return address domain name does not match the IP address, the email is marked as spam and the action selected in the email filter profile is taken. The logic of this check is that if a domain is capable of sending mail it should be capable of receiving mail routed by DNS records.

Banned Word
Spam can be controlled by blocking email messages containing specific words or patterns. If enabled in the email filter profile, the FortiGate unit searches for words or patterns in email messages. If matches are found, the values assigned to the words are totalled. If a threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter. Perl regular expressions or wildcards can be used when adding banned word patterns to the list. The language to scan against must be defined, as well as whether to search the email body, subject, or both, and the action to take for each word.

DNS Blackhole List and Open Relay Database List
An administrator can enable or disable checking email traffic against configured DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers. Some vendors publish a list of IP addresses that users may want to avoid because of suspicious spamming activities. Add or remove DNSBL and ORDBL servers the organization subscribes to from the list, and configure the action to take as spam or reject for email identified as spam from each server. The FortiGate unit compares the IP address or domain name of the sender to any database lists configured, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

Multipurpose Internet Mail Extensions (MIME) Headers Check
An administrator can enable or disable checking source Multipurpose Internet Mail Extensions (MIME) headers against the configured spam filter MIME header list. MIME headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content-Type: text/html
• Content-Type: image/jpg

The first part of the MIME header is called the header key. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.

Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. MIME header filtering is enabled within each email filter profile. MIME headers can be added or edited with the option of using wildcards and regular expressions, and the action for each MIME header must be configured as spam or clear. The FortiGate unit compares the MIME header key-value pair of incoming email to the list pairs in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

Some spammers use unsecured third-party SMTP servers to send unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs.

Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. Please check with the service being used to confirm the correct domain name for connecting to the server.

FortiGuard Email Filters

Fortinet takes a comprehensive and multi-layer approach and uses a number of filtering techniques to detect and filter spam. FortiGuard collects spam samples through the Fortinet global spam trap network and spam sample submissions received from customers and partners. A dedicated service team of engineers and analysts is committed to respond to and resolve any false positive report and other issues in 24 hours, monitor and analyze the latest spam techniques, continuously update the FortiIP and FortiSig databases, and research and design new spam filters.

Global Filters

FortiGuard Subscription Services provides databases to be used as global filters. FortiIP is a sender IP reputation database while FortiSig are spam signature databases. These global filters are constantly updated and enable the FortiGate, FortiClient and FortiMail products to detect and filter the most prevalent spam on the Internet.

FortiIP Sender IP Reputation Database

Most spam is presently sent from mis-configured or virus-infected hosts. FortiGuard maintains a global IP reputation database where the reputation of each IP is built and maintained based on multiple properties relating to this IP address gathered from various sources. The properties of an IP address include its Who-is information, its service provider, geographical location, whether it is an open relay or hijacked host, etc. One of the key properties used to maintain the reputation is the email volume from this sender as gathered from the FortiGuard service network. By comparing a sender's recent email volume with its historical pattern, FortiGuard updates each IP's reputation in real time and provides a highly effective sender IP address filter.

FortiSig1

The FortiSig1 spam signature database contains spamvertised URLs. About 90% of spam has one or more URLs in the message body. These URLs are links to spammers' web sites promoting their products and services. In phishing spam, these URLs direct one to a fake bank or other financial institution's web site preying for private financial information. The URLs are extracted from the spam samples and go through rigorous QA processing before they are injected into the FortiSig database. The URLs are then subject to a continuous aging process where obsolete ones are promptly removed.

FortiSig2

The FortiSig2 spam signature database contains spamvertised email addresses. Most spam messages have an email address in the message body that prompts one to contact the spammers. This database is similar to the spamvertised URLs database. By extracting these email addresses from the spam samples, these spamvertised email addresses provide another powerful global filter to identify and filter spam.

FortiSig3

The FortiSig3 spam signature database contains spam object checksums. Using a proprietary algorithm, objects in spam are identified and a fuzzy checksum is calculated from each object. The object can be part of the message body or an attachment. The checksum is then added into the FortiSig database, providing another highly effective global filter with virtually no false positives.

FortiRule

This global filter uses dynamically updated heuristic rules to identify spam, exploiting various attributes in the spam message header, MIME header, body, and attachments. With manually crafted heuristic rules for specific spam attacks, FortiRule further increases the catch rate with virtually no false positives.

Customized Filters

Various customized spam filters are provided to complement the email filtering solution on the FortiGate, FortiClient and FortiMail devices. These customized filters range from banned word filters, local white and black lists of sender email addresses, and heuristic rules, to techniques such as Bayesian training available with FortiMail units.

Banned Word

Spam can be controlled by blocking email messages containing specific words or patterns. If enabled in the email filter profile, the FortiGate unit searches for words or patterns in email messages. If matches are found, the values assigned to the words are totalled. If a user-defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter. Perl regular expressions or wildcards can be used to add banned word patterns to the list.

Banned words can be one word or a phrase up to 127 characters long. For a single word, the FortiGate unit blocks all email containing the word. For a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.

Defining Banned Word Lists

Multiple Banned Word Lists can be added on the FortiGate device and the appropriate list can be selected for each email filter profile. To view the list of banned word filters currently available on the FortiGate unit, go to UTM > Email Filter > Banned Word. To view or modify any individual Banned Word List, select it from the list and click Edit, or double-click the entry.

New Banned Word Lists can be defined by clicking Create New and assigning a name for the list. Click OK and define the parameters of the banned word as needed.

Click Create New to define new banned words to appear in the list.

Pattern: Type the banned word pattern to filter against.
Pattern Type: Select a pattern type, either Wildcard or Regular Expression.
Language: Select the language the banned word is filtered against.
Where: Identify which part of the message will be scanned for the banned word, either the Body of the message, the Subject line, or Both.
Score: The score value of each banned word appearing in the message is added, and if the total is greater than the threshold value set in the email filter profile, the message is processed according to the Spam Action. The score for a pattern is applied only once even if it appears in the message multiple times.
Enable: Click to enable the banned word list.
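The scoring rule described above, as an added Python example that is not part of the course material: a small model of a Banned Word List (constructed entries; the field names are mine) that translates Wildcard entries into regular expressions, honours the Where setting, counts each pattern's score once, and compares the total to the profile threshold.

```python
import re

# Constructed Banned Word List entries (not from the course). Keys mirror the
# fields on the Banned Word page: pattern, pattern type, where, score, enable.
BANNED_WORDS = [
    {"pattern": "free money",    "type": "wildcard", "where": "both",    "score": 10},
    {"pattern": "cheap*offer",   "type": "wildcard", "where": "subject", "score": 5},
    {"pattern": r"cl[a4]im now", "type": "regexp",   "where": "body",    "score": 3},
    {"pattern": "disabled word", "type": "wildcard", "where": "both",    "score": 99,
     "enable": False},
]


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern into a regular expression:
    '*' stands for zero or more characters and '?' for any one character;
    every other character is matched literally (so '.' gets escaped)."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


def compile_entry(entry: dict):
    """Regular Expression entries are used as written (case sensitive, as the
    course states for the antispam filters); Wildcard entries are translated.
    Wildcard entries are treated as case sensitive too (assumption)."""
    if entry["type"] == "wildcard":
        return re.compile(wildcard_to_regex(entry["pattern"]))
    return re.compile(entry["pattern"])


def banned_word_score(subject: str, body: str, entries: list) -> tuple:
    """Return (total score, list of patterns that matched).

    The score of a pattern is added once even if it occurs several times,
    and only the message parts selected by 'where' are searched."""
    total, hits = 0, []
    for entry in entries:
        if not entry.get("enable", True):
            continue
        parts = []
        if entry["where"] in ("subject", "both"):
            parts.append(subject)
        if entry["where"] in ("body", "both"):
            parts.append(body)
        regex = compile_entry(entry)
        if any(regex.search(part) for part in parts):
            total += entry["score"]          # counted once per pattern
            hits.append(entry["pattern"])
    return total, hits


def classify(subject: str, body: str, entries: list, threshold: int) -> str:
    """'spam' when the total is greater than the profile threshold, otherwise
    'clear' (the message is then passed to the next filter)."""
    total, _ = banned_word_score(subject, body, entries)
    return "spam" if total > threshold else "clear"


if __name__ == "__main__":
    # Constructed message: 'free money' appears twice but scores only once.
    subject = "Get a cheap summer offer today"
    body = "free money! free money! cl4im now"
    print(banned_word_score(subject, body, BANNED_WORDS))       # (18, [...])
    print(classify(subject, body, BANNED_WORDS, threshold=15))  # spam
```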

Edit the Banned Words List at any time to add new words or edit or disable any entries in the list.

Using Perl Regular Expressions

The Email Address List, MIME headers list, and Banned Word List entries can include wildcards or Perl regular expressions.

Regular Expressions and Wildcard Match Pattern

A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.

In Perl regular expressions, the period (.) refers to any single character. It is similar to the question mark (?) in a wildcard match pattern. As a result:

• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.

To match a special character such as (.) and (*), use the escape character (\). For example:

• To match fortinet.com, the regular expression should be fortinet\.com.

In Perl regular expressions, (*) means match 0 or more times of the character before it, not 0 or more times of any character. For example:

• forti*.com matches fortiiii.com but does not match fortinet.com.

To match any character 0 or more times, use (.*) where (.) means any character and the (*) means 0 or more times. As a result, the wildcard match pattern forti*.com should therefore be fort.*\.com.

Word Boundary

In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression test not only matches the word test but also any word that contains test such as atest, mytest, testimony, atestb, and so on. The notation \b specifies the word boundary. To match exactly the word test, the expression should be \btest\b.

Case Sensitivity

Regular expression pattern matching is case sensitive in the web and antispam filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language regardless of case.

Perl Regular Expression Formats

The following table describes some of the Perl regular expression formats.

Expression      Matches
abc             Matches "abc" (the exact character sequence, but anywhere in the string)
^abc            "abc" at the beginning of the string
abc$            "abc" at the end of the string
a|b             Either of "a" and "b"
^abc|abc$       The string "abc" at the beginning or at the end of the string
ab{2,4}c        "a" followed by two, three or four "b"s followed by a "c"
ab{2,}c         "a" followed by at least two "b"s followed by a "c"
ab*c            "a" followed by any number (zero or more) of "b"s followed by a "c"
ab+c            "a" followed by one or more "b"s followed by a "c"
ab?c            "a" followed by an optional "b" followed by a "c", that is, either "abc" or "ac"
a.c             "a" followed by any single character (not a new line) followed by a "c"
a\.c            "a.c" exactly
[abc]           Any one of "a", "b" and "c"
[Aa]bc          Either of "Abc" and "abc"
[abc]+          Any (nonempty) string of "a"s, "b"s and "c"s (such as a, abba, acbabcacaa)
[^abc]+         Any (nonempty) string which does not contain any of "a", "b", and "c" (such as "defg")
\d\d            Any two decimal digits, such as 42; same as \d{2}
/i              Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case
\w+             A "word": a nonempty sequence of alphanumeric characters and lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk        The strings "100" and "mk" optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b           "abc" when followed by a word boundary (for example, in abc! but not in abcd)
perl\B          "perl" when not followed by a word boundary (for example, in perlert but not in perl stuff)
\x              Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts
/x              Used to add regular expressions within other text. If the first character in a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between '/' will be taken as a regular expression, and anything after the second '/' will be parsed as a list of regular expression options ('i', 'x', etc). An error occurs if the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression

.*v.*g.!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i 364 Course 201-v4. To block purposely misspelled words use this format: /^.) /try it for free/i /student loans/i /you’re already approved/i /special[\+\-\*=<>\.\.*r.Banned Word Mail Filtering Examples To block any word in a phrase use this format: /block|any|word/ Spammers often insert other characters between the letters of a word to fool spam blocking software.*i.!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i To block common spam phrases use this format: (These phrases are some examples of common phrases found in spam messages.*a.*$/i /cr[eéèêë][\+\\*=<>\.1 Administration.*o..\. Content Inspection and SSL VPN 01-4200-0201-20100604 .

IP Address Filtering

The FortiGate unit uses both an IP Address List and an Email Address List to filter incoming email. When performing an IP address check, the FortiGate unit compares the IP address of the message's sender to the IP Address List in sequence. If a match is found, the action associated with the IP address is taken. If no match is found, the message is passed to the next enabled spam filter.

Defining IP Address Lists

Multiple IP Address Lists can be added on the FortiGate device and the appropriate list can be selected for each email filter profile. To view the list of IP Address Lists currently available on the FortiGate unit, go to UTM > Email Filter > IP Address. To view or modify any individual IP Address List, select the list and click Edit, or double-click the entry.

New IP Address Lists can be defined by clicking Create New on the IP Address List page and assigning a name for the list. Click OK and define the parameters of the IP address as needed.

Click Create New to add a new IP address entry to the list.

IP/Netmask: Type the IP address and netmask to filter against. IP addresses and netmask can be entered in the following formats:
• x.x.x.x, for example, 62.128.69.100
• x.x.x.x/x.x.x.x, for example, 62.128.69.100/255.255.255.0
• x.x.x.x/x, for example, 62.128.69.100/24
Action: Select the action to be taken when an email message is received from the IP address being filtered. The message can be Marked as Spam, Marked as Clear or Marked as Rejected.
Enable: Click to enable the IP Address List.

Edit the IP Address List at any time to add new addresses or edit or disable any entries in the list.

IP Trust

If the FortiGate unit sits behind a company's Mail Transfer Units (MTU), it may be unnecessary to check email IP addresses because they are internal and trusted. The only IP addresses that need to be checked are those from outside of the company. In some cases, external IP addresses may be added to the IP trust table if it is known that they are not sources of spam. Use the iptrust command from the CLI to add an entry to a list of trusted IP addresses.
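The sequential IP Address List check together with the IP trust table, as an added Python example that is not part of the course: it accepts the three address formats listed for the IP/Netmask field, returns the action of the first matching enabled entry, and skips the check for addresses in a trusted range (the list entries and trusted ranges are constructed).

```python
import ipaddress

# Constructed IP Address List (not from the course). Entries are evaluated in
# sequence; the first enabled match decides. Actions: spam, clear, reject.
IP_LIST = [
    {"ip": "62.128.69.100",             "action": "clear"},
    {"ip": "62.128.69.100/24",          "action": "spam"},
    {"ip": "203.0.113.0/255.255.255.0", "action": "reject"},
    {"ip": "198.51.100.0/24",           "action": "reject", "enable": False},
]

# Constructed IP trust table: ranges behind the company's own mail relays whose
# addresses are internal and trusted, so they are not checked at all.
IP_TRUST = ["10.0.0.0/8", "192.168.0.0/16"]


def parse_ip_entry(text: str):
    """Accept x.x.x.x, x.x.x.x/x.x.x.x and x.x.x.x/x.

    A host bit set inside the network part (62.128.69.100/24) is allowed,
    hence strict=False; a bare address becomes a /32 network."""
    return ipaddress.ip_network(text, strict=False)


def check_sender_ip(sender_ip: str, ip_list=IP_LIST, trusted=IP_TRUST) -> str:
    """Return the action for the sender address, 'trusted' when the address is
    in the IP trust table, or 'next' when no entry matches (the message then
    goes to the next enabled spam filter)."""
    address = ipaddress.ip_address(sender_ip)
    if any(address in parse_ip_entry(net) for net in trusted):
        return "trusted"
    for entry in ip_list:
        if not entry.get("enable", True):
            continue
        if address in parse_ip_entry(entry["ip"]):
            return entry["action"]       # first match in sequence wins
    return "next"


if __name__ == "__main__":
    for ip in ("62.128.69.100", "62.128.69.7", "203.0.113.9", "198.51.100.1", "10.1.2.3"):
        print(ip, "->", check_sender_ip(ip))
```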

Email Address Filtering

When performing an email check, the FortiGate unit compares the email address of the message's sender to the Email Address List in sequence. If a match is found, the action associated with the email address is taken. If no match is found, the message is passed to the next enabled antispam filter.

Defining Email Address Filters

Multiple Email Address Lists can be added on the FortiGate device and the appropriate list can be selected for each email filter profile. To view the Email Address Lists currently available on the FortiGate unit, go to UTM > Email Filter > E-mail Address. To view or modify any individual Email Address List, select the list and click Edit, or double-click the entry.

New Email Address Lists can be defined by clicking Create New on the Email Address List page and assigning a name. Click OK. Click Create New to add a new email address to the list.

Define the parameters of the email address as needed.

E-mail Address: Type the email address to filter against.
Pattern Type: Select Wildcard or Regular Expression.
Action: Select Mark as Spam or Mark as Clear.
Enable: Click to enable the email address filter.

Edit the Email Address List at any time to add new addresses or edit or disable any entries in the list.

Multipurpose Internet Mail Extensions (MIME) Headers Check

An administrator can enable or disable checking source Multipurpose Internet Mail Extensions (MIME) headers against the configured spam filter MIME header list. MIME headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:

• X-mailer: outgluck
• X-Distribution: bulk
• Content_Type: text/html
• Content_Type: image/jpg

The first part of the MIME header is called the header key, or just header. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.

Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. MIME headers check can only be configured using the config spamfilter mheader command in the CLI. Add to and edit MIME headers, with the option of using wildcards and regular expressions. Also, configure the action for each MIME header as spam or clear. The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter. Mark the email as spam or clear for each header configured.
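The MIME header check as an added Python example (not course code, and not the config spamfilter mheader syntax): a constructed header list whose entries are compared in sequence against the parsed headers of a raw message, with wildcard or regular expression matching on the value and the first match deciding spam or clear.

```python
import fnmatch
import re
from email import message_from_string

# Constructed MIME header list (field names chosen here, not the CLI keywords).
# Entries are compared in sequence; the first matching key/value pair decides.
MHEADER_LIST = [
    {"key": "X-Mailer",       "value": "outgluck*",   "type": "wildcard", "action": "spam"},
    {"key": "X-Distribution", "value": "bulk",        "type": "wildcard", "action": "spam"},
    {"key": "Content-Type",   "value": r"^text/html", "type": "regexp",   "action": "clear"},
]


def header_value_matches(value: str, entry: dict) -> bool:
    """Wildcard entries must match the whole header value ('*' and '?' as on
    the course's wildcard page); regular expression entries are searched."""
    value = value.strip()
    if entry["type"] == "wildcard":
        return fnmatch.fnmatchcase(value, entry["value"])
    return re.search(entry["value"], value) is not None


def check_mime_headers(raw_message: str, entries=MHEADER_LIST) -> str:
    """Return the action of the first entry whose key/value pair is present in
    the message headers, or 'next' when nothing matches (the message then goes
    on to the next spam filter). Header names compare case-insensitively."""
    msg = message_from_string(raw_message)
    for entry in entries:
        for value in msg.get_all(entry["key"], []):
            if header_value_matches(str(value), entry):
                return entry["action"]
    return "next"


# Constructed sample messages (only the headers matter here).
BULK_MAIL = (
    "From: offers@example.test\r\n"
    "X-Mailer: outgluck 2.1\r\n"
    "X-Distribution: bulk\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>buy now</html>\r\n"
)
NEWSLETTER = (
    "From: news@example.test\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>hello</html>\r\n"
)
BLANK_HEADER = (
    "From: someone@example.test\r\n"
    "X-Distribution: \r\n"            # blank value, as spammers sometimes send
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hi\r\n"
)

if __name__ == "__main__":
    for name, raw in (("bulk", BULK_MAIL), ("newsletter", NEWSLETTER), ("blank", BLANK_HEADER)):
        print(name, "->", check_mime_headers(raw))
```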

DNS Blackhole List and Open Relay Database List

An administrator can enable or disable checking email traffic against configured DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers. DNSBL and ORDBL configuration can only be changed using the config spamfilter dnsbl command in the CLI. Add or remove DNSBL and ORDBL servers the organization subscribes to from the list and configure the action to take as spam or reject for email identified as spam from each server (SMTP only). The FortiGate unit compares the IP address or domain name of the sender to any database lists configured, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

Some spammers use unsecured third-party SMTP servers to send unsolicited bulk email. Some vendors publish a list of IP addresses that users may want to avoid because of suspicious spamming activities. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs.

Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. Please check with the service being used to confirm the correct domain name for connecting to the server.

Email Filter Profiles

Email filtering operations are defined through email filter profiles. The email filter profiles are in turn enabled within firewall policies; any traffic being examined by the policy will have the email filtering operations applied to it. To view the list of email filter profiles on the FortiGate unit, go to UTM > Email Filter > Profile. To view or modify any email filter profile in the list, select the item and click Edit, or double-click the entry.

New email filter profiles can be defined by clicking Create New on the Email Filter Profile List page. Define the parameters of the profile.

IP Address Check: Identify the protocols to be scanned for FortiGuard IP address checks.
URL Check: Identify the protocols to be scanned for FortiGuard URL checks.
Email Checksum Check: Identify the protocols to be scanned for FortiGuard email checksums.
Spam Submission: Identify the protocols from which spam will be submitted to FortiGuard for examination.
IP Address BWL Check: Identify the protocols to be scanned for IP addresses as well as the name of the Black/White list to be used.
HELO DNS Lookup: Enable to look up the source domain name for SMTP mail messages.
E-Mail Address BWL Check: Identify the protocols to be scanned for email addresses as well as the name of the Email Address List to be used.
Return E-Mail DNS Check: Enable to check that the domain specified in the reply-to or from address has an A or MX record.

Banned Word Check: Identify the protocols to be scanned for banned words as well as the name of the Banned Words List to be used.
Spam Action: Identify the spam action to be taken on SMTP messages that match a configured filter, either Tagged or Discarded.
Tag Location: Identify where the tag will be added to filtered email messages, either the Subject or MIME (the message body).
Tag Format: Type the tag that will be inserted into the email message when filtered.
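The two DNS-based checks in this lesson, the DNSBL/ORDBL lookup from the previous pages and the Return E-Mail DNS Check in the profile fields above, as one added Python example that is not part of the course: the resolver is passed in so the code runs offline against a constructed answer table, and the standard-library default handles A records only (MX lookups need a DNS library such as dnspython, which is an assumption of mine, not something the course states).

```python
import socket


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Name queried in a DNSBL zone: the sender's IPv4 octets reversed, under
    the zone name (the usual DNSBL convention, RFC 5782)."""
    return ".".join(reversed(sender_ip.split("."))) + "." + zone


def lookup_stdlib(name: str, rtype: str) -> list:
    """Default resolver using only the standard library: A records via
    gethostbyname; MX is reported as absent (use dnspython for MX, assumption)."""
    if rtype != "A":
        return []
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def check_dnsbl(sender_ip: str, servers: list, lookup=lookup_stdlib) -> str:
    """servers: [{"server": zone, "action": "spam" | "reject"}, ...], checked in
    sequence. Any A answer means the address is listed; the first listing wins.
    Returns 'next' when no server lists the address."""
    for entry in servers:
        if lookup(dnsbl_query_name(sender_ip, entry["server"]), "A"):
            return entry["action"]
    return "next"


def check_return_address(address: str, lookup=lookup_stdlib) -> bool:
    """Return E-Mail DNS Check: the domain of the From or Reply-To address must
    have an A or an MX record."""
    domain = address.rpartition("@")[2].strip().lower()
    return bool(domain) and bool(lookup(domain, "A") or lookup(domain, "MX"))


# Constructed DNS answers so the example runs offline (not real zones).
FAKE_DNS = {
    ("100.69.128.62.dnsbl.example", "A"): ["127.0.0.2"],   # listed by the DNSBL
    ("7.100.51.198.ordbl.example", "A"): ["127.0.0.3"],    # listed as open relay
    ("mail.example.test", "MX"): ["10 mx.example.test"],
    ("example.test", "A"): ["192.0.2.10"],
}


def fake_lookup(name: str, rtype: str) -> list:
    return FAKE_DNS.get((name, rtype), [])


# Constructed server list, in the order the FortiGate would consult them.
SERVERS = [
    {"server": "dnsbl.example", "action": "reject"},
    {"server": "ordbl.example", "action": "spam"},
]

if __name__ == "__main__":
    for ip in ("62.128.69.100", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", check_dnsbl(ip, SERVERS, fake_lookup))
    print(check_return_address("user@mail.example.test", fake_lookup))  # True (MX)
    print(check_return_address("user@nxdomain.example", fake_lookup))   # False
```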

Email Filtering Logging

Logging for email filtering can be enabled within the email filter profile.

Enabling Email Filter Profiles in Firewall Policies

The email filter profile used to enable the email filtering elements is identified when a firewall policy is created. Click to enable UTM filtering in the policy. Click to enable Email Filter and select the name of the email filter profile. Click Edit to modify the attributes of the email filter profile directly from the New Policy window. When email filtering is enabled in the policy, a Protocol Options list must be selected. Any traffic passing through the firewall when the policy is in use will be filtered based on the elements identified in the email filter profile.

FortiMail Email Filtering

The FortiMail unit is an integrated hardware and software solution that provides powerful logging and reporting, antispam, antivirus, and email archiving capabilities to incoming and outgoing email traffic. The FortiMail unit has an enhanced set of features for detecting and blocking spam messages and malicious attachments. The FortiMail unit is able to operate as a stand-alone email filtering system, or as the second layer of Fortinet's multilayered email filtering solution, to screen both incoming and outgoing email. The FortiMail unit employs additional sophisticated antispam technologies that are not available through the FortiGate unit.

FortiMail email filtering techniques for incoming email include:

• Forged IP scanning
• Graylist scanning
• DNSBL scanning
• Deep header scanning
• SURBL scanning
• Bayesian scanning
• Heuristic scanning
• Image spam scanning
• PDF scanning
• Locally-administered black/white lists
• Banned word scanning
• Dictionary scanning
• Sender reputation

The following table compares some of the differentiating features between a FortiMail and a FortiGate unit:

Feature                     FortiMail   FortiGate
Wildlist Virus Protection   Yes         Yes
Legacy Virus Protection     Yes         No
Advanced Spam Filtering     Yes         Limited
Email Quarantine            Yes         No
Email Archiving             Yes         Yes, if using a FortiAnalyzer unit
Email Routing               Yes         No

LESSON 10
Web Filtering

www.fortinet.com


Lesson 10 Web Filtering

FortiGate Web Filtering processes all web content against known malicious URLs to block inappropriate material and malicious scripts including Java applets, cookies, and ActiveX scripts entering the network. FortiGuard Web Filtering works dynamically with FortiGate systems, providing automated updates with any newly categorized content in 78 categories. Fortinet categorizes more than 40 million domains and billions of web pages to ensure its customers steer clear of malware on the Internet. FortiGuard services are also user-customizable to allow corporate network URL additions to prevent access to additional undesirable sites including phishing-target websites.

Web Filtering Elements

The three main sections of the web filtering function, namely Web Content Filter, URL Filter, and FortiGuard Web Filter, interact with each other in such a way as to provide maximum control and protection for Internet users. The FortiGate unit performs web filtering processing in the following order:

• URL Filtering (Exempt/Block/Allow)
• FortiGuard Web Filtering
• Web Content Exempt
• Web Content Block
• Script Filter

After these web filtering steps have been completed, antivirus scanning is performed. A Web Exempt List match will terminate any further checking including antivirus scanning. An allow match exits the URL Filter List and the other web filters are processed.
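The processing order and the two URL Filter exit rules described above, as an added Python example that is not course code: a constructed rule set is applied step by step, an Exempt match stops everything including antivirus scanning, a Block stops the request, an Allow leaves the URL Filter but still goes through the FortiGuard category and content checks, and antivirus runs at the end. The URL Filter here matches hosts exactly and Web Content Exempt is taken to skip only the Web Content Block step; both simplifications are mine.

```python
from urllib.parse import urlsplit

# Constructed rules (not from the course); hostnames use reserved example domains.
RULES = {
    # URL Filter: the first matching entry decides; actions exempt / block / allow.
    "url_filter": [
        {"host": "downloads.trusted.example", "action": "exempt"},
        {"host": "blocked.example",           "action": "block"},
        {"host": "www.example.com",           "action": "allow"},
    ],
    # FortiGuard Web Filtering: the rating of a host and the action per category.
    "ratings": {"www.example.com": "Hacking", "news.example.net": "News and Media"},
    "category_actions": {"Hacking": "block", "News and Media": "allow"},
    # Web Content Exempt / Web Content Block patterns (plain substrings here).
    "content_exempt": ["security advisory"],
    "content_block": ["buy cheap meds"],
    # Script Filter: active content is stripped from the page (assumption).
    "script_filter": True,
}


def host_of(url: str) -> str:
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def web_filter(url: str, page: str, rules=RULES) -> dict:
    """Apply the web filtering steps in the order the course lists them and
    report the verdict, the step that decided it and whether antivirus runs."""
    host, text = host_of(url), page.lower()
    result = {"verdict": "allow", "decided_by": None, "antivirus": True,
              "scripts_removed": False}
    # 1. URL Filter (Exempt / Block / Allow)
    for entry in rules["url_filter"]:
        if entry["host"] == host:
            if entry["action"] == "exempt":
                # Exempt terminates all further checking, antivirus included.
                result.update(decided_by="url_filter:exempt", antivirus=False)
                return result
            if entry["action"] == "block":
                # Blocked: nothing is fetched, so there is nothing to scan.
                result.update(verdict="block", decided_by="url_filter:block",
                              antivirus=False)
                return result
            break   # allow: leave the URL Filter; the other filters still run
    # 2. FortiGuard Web Filtering (category rating of the host)
    category = rules["ratings"].get(host, "Unrated")
    if rules["category_actions"].get(category) == "block":
        result.update(verdict="block", decided_by="fortiguard:" + category,
                      antivirus=False)
        return result
    # 3./4. Web Content Exempt, then Web Content Block
    exempt = any(p in text for p in rules["content_exempt"])
    if not exempt and any(p in text for p in rules["content_block"]):
        result.update(verdict="block", decided_by="content_block", antivirus=False)
        return result
    # 5. Script Filter
    if rules["script_filter"] and ("<script" in text or "<applet" in text):
        result["scripts_removed"] = True
    # 6. Antivirus scanning follows for everything that reached this point.
    return result


if __name__ == "__main__":
    print(web_filter("http://downloads.trusted.example/tool.zip", ""))
    print(web_filter("http://www.example.com/index.html", "hello"))
    print(web_filter("http://news.example.net/", "Buy Cheap Meds today"))
```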

URL Filter

Access to specific URLs can be allowed or blocked by adding them to the URL Filter list. Patterns can be added using text, regular expressions or wildcard characters to allow or block URLs. If the FortiGate unit blocks web pages matching any specified URLs or patterns, a replacement message is displayed in its place. The URL Filter List can have up to 5000 entries.

Defining URL Filter Lists

Multiple URL Filter Lists can be added on the FortiGate device and an appropriate filter can be selected within individual web filter profiles. To view the list of URL filters currently available on the FortiGate unit, go to UTM > Web Filter > URL Filter. To view or modify any individual URL filter, select the filter from the list and click Edit, or double-click the entry.

New URL Filter Lists can be defined by clicking Create New on the URL Filter page and assigning a name for the filter. Click OK.


Click Create New to define the parameters of the URL filter.

URL: Type the URL of the web site to be filtered.
Type: Select the type of pattern to filter against, either Simple, Regex or Wildcard.
Action: Select Allow or Block.
Enable: Click to enable the filter.

Type the top-level URL or IP address to control access to all pages on that web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.

Enter a top-level URL followed by the path and filename to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls the news page on this web site.

To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, etc.

Access to all URLs that match patterns created can be controlled using text along with regular expressions or wildcard characters. For example, example.* matches example.com, example.org, and example.net.

URLs with an action set to Exempt are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted website, add the URL of this website to the URL Filter List with an action set to Exempt so the FortiGate unit does not apply virus scanning to files downloaded from this URL.
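The URL matching rules in the paragraphs above (top-level URL, single page, suffix that covers every host ending in it, Regex and Wildcard patterns) as an added Python example, not course code. Simple suffix entries are matched at a label boundary here, so example.com covers mail.example.com but not notexample.com; that boundary is my choice, the course says only that the URL must end with the pattern.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed URL Filter List (not the course's); the hosts and pages are the
# examples quoted on this page plus reserved example domains.
URL_FILTER = [
    {"url": "www.example.com/news.html",       "type": "simple",   "action": "block"},
    {"url": "www.example.com",                 "type": "simple",   "action": "allow"},
    {"url": "example.com",                     "type": "simple",   "action": "block"},
    {"url": "192.168.144.155",                 "type": "simple",   "action": "exempt"},
    {"url": "example.*",                       "type": "wildcard", "action": "block"},
    {"url": r"^cdn\.example\.net/.+\.exe$",    "type": "regex",    "action": "block"},
]


def split_url(url: str) -> tuple:
    """Return (host, path) with the scheme removed and the host lower-cased."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def simple_match(pattern: str, host: str, path: str) -> bool:
    """Simple entries: 'host' covers every page on that host and on hosts below
    it (example.com covers mail.example.com, label boundary assumed);
    'host/path' covers exactly that one page on that host."""
    p_host, _, p_path = pattern.lower().partition("/")
    if p_path:
        return host == p_host and path == "/" + p_path
    return host == p_host or host.endswith("." + p_host)


def entry_matches(entry: dict, url: str) -> bool:
    host, path = split_url(url)
    if entry["type"] == "simple":
        return simple_match(entry["url"], host, path)
    target = host + path          # patterns apply to the URL without its scheme
    if entry["type"] == "wildcard":
        return fnmatch.fnmatchcase(target, entry["url"])   # whole-string match
    return re.search(entry["url"], target) is not None


def url_filter_action(url: str, entries=URL_FILTER):
    """Action of the first enabled matching entry, or None when nothing matches
    (the request then continues to the other web filters)."""
    for entry in entries:
        if entry.get("enable", True) and entry_matches(entry, url):
            return entry["action"]
    return None


if __name__ == "__main__":
    for url in ("http://www.example.com/news.html", "http://mail.example.com/inbox",
                "http://notexample.com/", "http://example.org/",
                "http://cdn.example.net/files/setup.exe"):
        print(url, "->", url_filter_action(url))
```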

FortiGate URL blocking supports standard regular expressions (see Using Perl Regular Expressions in Lesson 9 - Email Filtering).


FortiGuard Web Filter
FortiGuard Web Filtering is a managed web filtering solution that sorts hundreds of millions of web pages into a wide range of categories administrators can allow, block, log, or override. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point to first determine the category of a requested web page and then follows the firewall policy configured for that user or interface. FortiGuard Web Filtering includes millions of individually rated web sites. Pages are sorted and rated into 78 categories. Categories may be added to or updated as the Internet evolves. To make configuration simpler, administrators can also choose to allow, block, log, or override entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. FortiGuard Web Filtering ratings are performed by a combination of methods including text analysis, exploitation of the Web structure, and human raters. Users can notify the FortiGuard Web Filtering Service if they feel a web page is not categorized correctly. FortiGuard Web Filtering will rate new sites quickly, as required.


FortiGuard Web Filtering Categories
FortiGuard Web Filtering Categories are based upon the web content viewing suitability of three major groups of customers: enterprises, schools, and home/families. They also take into account customer requirements for Internet management. The categories are defined to be easily manageable and patterned to industry standards. Each category contains websites or web pages that have been assigned based on their dominant web content. A website or web page is categorized into a specific, likely to be blocked category according to its content. When a website contains elements in different categories, web pages on the site are separately categorized.

Groups and their categories:

Potentially Liable: Drug Abuse, Folklore, Hacking, Illegal or Unethical, Marijuana, Occult, Phishing, Plagiarism, Proxy Avoidance, Racism and Hate, Violence, Web Translation, Child Abuse
Controversial: Abortion, Adult Materials, Advocacy Organizations, Alcohol, Extremist Groups, Gambling, Lingerie and Swimsuit, Nudity and Risque, Pornography, Sex Education, Sports Hunting and War Games, Tasteless, Tobacco, Weapons
Potentially Non-Productive: Advertising, Brokerage and Trading, Digital Postcards, Freeware and Software Downloads, Games, Instant Messaging, Newsgroups and Message Boards, Web Chat, Web-based Email
Potentially Bandwidth Consuming: Internet Radio and TV, Internet Telephony, Multimedia Download, Peer-to-Peer File Sharing, File Sharing and Storage
Potential Security Risks: Spyware and Malware
General Interest: Arts and Entertainment, Child Education, Culture, Education, Finance and Banking, General Organizations, Health and Wellness, Homosexuality, Job Search, Medicine, News and Media, Personal Vehicles, Personal Websites and Blogs, Political Organizations, Real Estate, Reference, Religion, Restaurant and Dining, Search Engines and Portals, Shopping and Auction, Society and Lifestyles, Sports, Travel
Business Oriented: Armed Forces, Business, Government and Legal Organizations, Information Technology, Information and Computer Security, Web-based Application
Others: Content Servers, Dynamic Content, Miscellaneous, Secure Websites, Web Hosting, Domain Parking, Unrated

Course 201-v4.1 Administration, Content Inspection and SSL VPN 01-4200-0201-20100604

FortiGuard Web Filtering Categories are acted on in a web filter profile. Expand FortiGuard Web Filtering, and identify the action to apply to specific categories or classifications.

FortiGuard Web Filtering Classes
In addition to categorizing web page content into categories, the FortiGuard Web Filtering Service further classifies the web pages based on media types or sources. Similar to categorization, this classification enables customers to further refine the web access management. Customers will have the capability to block offensive materials, such as pornographic images, by preventing the finding of such materials in the first place.

Class and Description

Cached Contents: Web pages that are stored or cached in a second website, generally a search engine website.

Image Search: Websites providing a search of images or photos, or the results of image or photo searches.

Audio Search: Websites providing a search of audio clips or the results of audio searches.

Video Search: Websites providing a search of video clips or the results of video searches.

Multimedia Search: Websites providing a mixed search of images, photos, audio, and video materials or the results of such searches.

Spam URL: Websites or web pages whose URLs are found in spam emails. These web pages often advertise sex sites, single clubs, and other potentially nuisance or offensive materials.

Unclassified: This class includes all other web pages that do not fall into one of the above classes, including regular web searches and others.

FortiGuard Web Filtering Overrides
FortiGuard Web Filtering Overrides can be used when access is required to web sites that would be blocked by FortiGuard web filtering. On the web filter profile web page, expand FortiGuard Web Filtering Overrides and click the protocols that web filtering overrides are to be applied to (HTTP or HTTPS). A protocol must be selected or the options will be inaccessible.

Override Scope
The scope defines who may use the override rule. Select one of the following choices from the list:
• User
• User Group
• IP
• Profile
• Ask

Override Type
The type defines the level of access to sites where an override has been applied. Select one of the following choices from the list:
• Directory
• Exact Domain
• Categories
• Ask

Off-site URLs
This option defines whether the override web page will display the images and other contents from the blocked offsite URLs. Select one of the following:
• Allow
• Deny
• Ask

Override Time
Specifies when the override rule will end.

User Group
If User Group has been specified in Override Scope, select the user group in the Available column and move that group to the Selected column.

Web Filtering Overrides
Users may require access to web sites that are blocked by a firewall policy. In these cases, an administrator can allow an override of the block for a specified period of time. When a user attempts to access a blocked site, if override is enabled, a link appears on the block page directing the user to an authentication form. The user must provide a correct user name and password or the web site remains blocked. Authentication is based on user groups and can be performed for local, RADIUS, and LDAP users. An administrator can give the user the ability to override a web site that would have been blocked by a firewall policy. When a user attempts to access a blocked site for which the override option is enabled, the FortiGuard override page will be displayed.

Administrative Overrides
Administrative overrides are defined by an administrator to allow access to blocked web sites based on directory, domain name, or category. These overrides are backed up with the main configuration and managed by the FortiManager system. Administrative overrides are not cleaned up when they expire, and these override entries can be reused by extending their expiry dates. Administrative overrides can be created using both the CLI and Web Config. To view the overrides, or to add Override Rules, go to UTM > Web Filter > Override.

Select Administrative Overrides from the list and click Edit ( ) or double-click the entry.


Override Rules
Override Rules allow access to blocked web sites based on a directory, domain name, or category. On the Administrative Overrides page, click Create New to configure the new rule.

Directory and Exact Domain Rules
Directory and domain rules allow the URL or domain name of a website to be used as the basis of the override rule.

Type: Select Directory or Exact Domain.

URL: Type the URL or domain name of the website.

Scope: Select the user or user group who may use the rule, either User, User Group, IP or IPv6.

User/User Group/IP/IPv6: When a Scope of User is selected, enter the username. When a Scope of User Group is selected, choose the user group name from the list. When a Scope of IP is selected, type the IP address. When a Scope of IPv6 is selected, type the v6 IP address.

Off-site URLs: This option defines whether the override web page will display the images and other content from blocked offsite URLs. Select Allow or Block.

Date and Time: Specify when the override rules will end using the displayed time options.

Category Rules
Category Rules allow an override based on FortiGuard Categories.

Type: Select Categories from the Type drop-down list.

Categories: Click in the Override column to enable the Categories and Classifications to be overridden. Select the appropriate category to be overridden.

Classifications: Select the appropriate classifications to be overridden.

Scope: Select User, User Group, IP or IPv6.

User/User Group/IP/IPv6: When a Scope of User is selected, enter the username. When a Scope of User Group is selected, choose the user group name from the list. When a Scope of IP is selected, type the IP address. When a Scope of IPv6 is selected, type the v6 IP address.

Off-site URLs: Select Allow or Block.

Date and Time: Specify when the override rules will end using the displayed time options.

Web Filtering Override Page
When an Override Rule match is found, users are presented with the Web Page Blocked page.

Web Filtering Authentication Page
If the Override Scope is User or User Group, the following FortiGuard Web Filter Block Override authentication page is displayed to the user. When required, the user must provide a correct user name and password to access the web page. Authentication is based on user groups and can be performed for local, RADIUS, and LDAP users.

User Overrides
Entries are added to the user override list when a user authenticates to enable a user override. User overrides are not backed up as part of the FortiGate unit configuration, and are purged when they expire. An administrator can view and delete user overrides. To view the user overrides, select User Overrides and click Edit ( ) or double-click the entry.

Local Ratings
Local Ratings override the rating or classification applied to a URL by the FortiGuard Web Filtering Service. This allows an administrator to assign any URL to a different category, which will appear in reports as Local Category. To view the local ratings configured on the FortiGate device, go to UTM > Web Filter > Local Ratings.

To assign a URL a different rating, click Create New.

URL: Type the URL of the web site that will be assigned a new local rating.

Category Rating: Click the category that the URL will be reassigned to.

Classifications: Alternately, click the classification that the URL will be reassigned to.

Local Categories
Local Categories can be created for applying Local Ratings. Go to UTM > Web Filter > Local Categories. Type the name of the Local Category and click Create New. Administrator-created categories will appear in the Local Ratings window, allowing ratings to be applied.

The new Local Category will be displayed in the New Local Rating window by expanding the Local Categories item.
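The decision path that the Overrides and Local Ratings sections describe (rate the URL, let a Local Rating win over the FortiGuard rating, apply the profile's per-category action, then let an unexpired administrative override rule with a matching Scope and Type grant access) can be modelled in a few lines. The following Python is an added example written for this guide, not FortiOS code and not a statement of the unit's internal matching order; the host names, ratings, user names, IP addresses and expiry times are constructed sample data, and the Profile and Ask scopes are left out. Note that an expired override stays in the list, as the Administrative Overrides section says, but no longer grants access.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample of FortiGuard ratings. On a real unit these come from the
# FortiGuard Web Filtering Service; the host names here are made up.
FORTIGUARD_RATINGS = {
    "www.news.example": "News and Media",
    "games.example": "Games",
    "intranet.example": None,          # no rating returned -> treated as Unrated
}

# Local Ratings (UTM > Web Filter > Local Ratings). A Local Rating takes
# precedence over the FortiGuard rating and reports as the Local Category name.
LOCAL_RATINGS = {
    "games.example": "Local-1",
}

# Per-category action as set under FortiGuard Web Filtering in the profile.
PROFILE_ACTIONS = {
    "Games": "block",
    "News and Media": "block",
    "Local-1": "allow",
    "Unrated": "block",
}

# Administrative override rules (UTM > Web Filter > Override). "who" holds the
# user name or the IP address depending on the Scope; "expires" is the rule's
# Date and Time. Sample values are constructed.
OVERRIDE_RULES = [
    {"scope": "ip", "who": "10.1.1.50", "type": "exact_domain",
     "url": "intranet.example", "expires": datetime(2010, 6, 4, 12, 0)},
    {"scope": "user", "who": "alice", "type": "directory",
     "url": "www.news.example/archive", "expires": datetime(2010, 6, 4, 12, 0)},
]

# Two sample clock values used by the demonstration and tests.
BEFORE_EXPIRY = datetime(2010, 6, 4, 9, 0)
AFTER_EXPIRY = datetime(2010, 6, 4, 13, 0)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def rate(url):
    """Rating used for the decision: a Local Rating wins over FortiGuard."""
    host = host_of(url)
    if host in LOCAL_RATINGS:
        return LOCAL_RATINGS[host]
    return FORTIGUARD_RATINGS.get(host) or "Unrated"


def override_applies(rule, url, client_ip, user, now):
    """True if this administrative override grants access to url for this client."""
    if now >= rule["expires"]:          # expired entries stay listed but are inactive
        return False
    if rule["scope"] == "ip" and client_ip != rule["who"]:
        return False
    if rule["scope"] == "user" and user != rule["who"]:
        return False
    host, path = host_of(url), urlsplit(url).path
    if rule["type"] == "exact_domain":
        return host == rule["url"]
    if rule["type"] == "directory":     # host plus a leading directory of the path
        rule_host, _, rule_dir = rule["url"].partition("/")
        return host == rule_host and path.startswith("/" + rule_dir)
    if rule["type"] == "categories":
        return rate(url) in rule["categories"]
    return False


def decide(url, client_ip, user, now):
    """Return 'allow', 'block' or 'allow (override)' for one request."""
    action = PROFILE_ACTIONS.get(rate(url), "allow")
    if action == "block" and any(
            override_applies(r, url, client_ip, user, now) for r in OVERRIDE_RULES):
        return "allow (override)"
    return action


if __name__ == "__main__":
    for url, ip, user, now in [
            ("http://games.example/play", "10.1.1.7", None, BEFORE_EXPIRY),
            ("http://intranet.example/", "10.1.1.50", None, BEFORE_EXPIRY),
            ("http://intranet.example/", "10.1.1.50", None, AFTER_EXPIRY),
            ("http://www.news.example/archive/2010", "10.1.1.7", "alice", BEFORE_EXPIRY)]:
        print(url, rate(url), decide(url, ip, user, now))
```

Running the block shows the games site passing because its Local Rating maps to the allowed Local-1 category, the intranet host passing for the one IP address while the rule is live and being blocked once the expiry has passed, and the directory rule allowing only the named user and only under the stated path.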

Web Content Filter
Web content can be controlled by blocking specific words or patterns. With a Web Content Filter enabled in a web filter profile, every requested web page is checked against the content filter. The score value of each pattern appearing on the page is added and if the total is greater than the threshold value set in the profile, the page is blocked. The score for a pattern is applied only once, even if it appears on the page multiple times. Perl regular expressions or wildcards can be used to add banned word patterns to the list. Web content patterns can be one word or a text string of up to 80 characters long. The maximum number of patterns in the list is 5000.

Defining Web Content Filter Lists
Multiple Web Content Filter Lists can be added on the FortiGate device and the most appropriate list can be selected within individual web filter profiles. To view the Web Content Filter Lists currently available on the FortiGate unit, go to UTM > Web Filter > Web Content Filter. To view or modify any individual Web Content Filter List, click to select the filter and click Edit ( ) or double-click the entry.

New Web Content Filter Lists can be defined by clicking Create New and assigning a name for the filter. Click OK.

Click Create New and define the parameters of the Web Content Filter.

Pattern: Type the pattern for the filter.

Pattern Type: Select the type of pattern used, either Wildcard or Regular Expression.

Action: Select Block or Exempt.
• If the action is set to Block and the pattern defined in the Web Content Filter appears on a web page, the page will be blocked.
• If the action is set to Exempt, the page will not be blocked even if the Web Content Filter would otherwise block it.

Score: Enter the value for the rating score.

Enable: Click to enable the Web Content Filter.
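The scoring rule described above (each matching Block pattern adds its score once, Exempt patterns are tested first, the page is blocked when the total reaches the profile threshold) is easy to get wrong when writing patterns, so here is an added Python model of it; this is example code written for this guide, not FortiOS code. It accepts the /pattern/flags form of regular expression used in Lab 8 and treats Wildcard entries as whole, case-insensitive words, which is an assumption of the model. The comparison is written as "greater than or equal" because Exercise 1 of the lab blocks a page with a single score-5 pattern against a threshold of 5; the pattern list and page text are constructed sample data.

```python
import re


def compile_pattern(entry):
    """Compile one Web Content Filter entry into a regular expression.

    Regular Expression entries may be written as /pattern/flags (e.g. /Word/i,
    as in Lab 8). Wildcard entries use * and ?; this model matches them as
    whole words without regard to case (an assumption, not documented
    FortiOS behaviour)."""
    pattern = entry["pattern"]
    if entry["pattern_type"] == "regex":
        m = re.fullmatch(r"/(.*)/([a-z]*)", pattern)
        if m:
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            return re.compile(m.group(1), flags)
        return re.compile(pattern)
    if entry["pattern_type"] == "wildcard":
        rx = re.escape(pattern).replace(r"\*", r"\S*").replace(r"\?", r"\S")
        return re.compile(r"(?<!\S)" + rx + r"(?!\S)", re.IGNORECASE)
    raise ValueError("unknown pattern type: %s" % entry["pattern_type"])


def score_page(content_filter, page_text):
    """Return (decision, total_score) for one requested page.

    Exempt entries are tested first: a matching Exempt pattern lets the page
    through regardless of score. Otherwise every enabled Block entry found
    anywhere on the page adds its score exactly once, and the page is blocked
    when the total reaches the threshold set in the web filter profile."""
    entries = [e for e in content_filter["entries"] if e.get("enable", True)]
    for e in entries:
        if e["action"] == "exempt" and compile_pattern(e).search(page_text):
            return "allow", 0
    total = 0
    for e in entries:
        if e["action"] == "block" and compile_pattern(e).search(page_text):
            total += e["score"]         # counted once, however often it appears
    if total >= content_filter["threshold"]:
        return "block", total
    return "allow", total


def with_exempt(content_filter, phrase):
    """Copy of content_filter with an Exempt regular-expression phrase added."""
    return {
        "threshold": content_filter["threshold"],
        "entries": content_filter["entries"] + [
            {"action": "exempt", "pattern": phrase, "pattern_type": "regex"}],
    }


# Constructed sample list mirroring the lab: Word 1 as a Wildcard entry,
# Word 2 in the /Word/i form, threshold 5.
SAMPLE_FILTER = {
    "threshold": 5,
    "entries": [
        {"action": "block", "pattern": "technology", "pattern_type": "wildcard", "score": 5},
        {"action": "block", "pattern": "/program/i", "pattern_type": "regex", "score": 5},
    ],
}
# Constructed page text; "Technology" occurs twice but scores only once.
SAMPLE_PAGE = "Fortinet Technology overview. Partner Program. Technology again."


if __name__ == "__main__":
    print(score_page(SAMPLE_FILTER, SAMPLE_PAGE))
    print(score_page(with_exempt(SAMPLE_FILTER, "Partner Program"), SAMPLE_PAGE))
```

The first call reports a block with a total of 10 (two distinct patterns, each counted once); the second reports allow with a total of 0 because the Exempt phrase short-circuits scoring, which is the behaviour Exercise 1 step 22 asks you to observe.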

Web Filter Profiles
Web filtering operations are defined through web filter profiles. The web filter profiles are in turn enabled within firewall policies; any traffic being examined by the policy will have the web filtering operations applied to it. To view the list of web filter profiles on the FortiGate unit, go to UTM > Web Filter > Profile. To view or modify any web filter profile in the list, select the profile and click Edit ( ) or double-click the entry.

To create a new web filter profile, click Create New on the Web Filter Profile List page and define the parameters of the profile.

Name: The name entered will be used to identify the web filter profile when enabling web filtering within a policy.

Web Content Filter: Identify the protocols to be scanned for web content. The Web Content Filter to be used within this web filter profile is selected from the Option column. Click Logging if Web Content Filtering activity is to be logged.

Web URL Filter: Identify the protocols to be scanned for web URL matching. The Web URL Filter to be used within this web filter profile is selected from the Option column. Click Logging if web URL filtering activity is to be logged.

Safe Search: Select the search engine to be used.

FortiGuard Web Filtering: Identify the protocols to be scanned for FortiGuard Web Filtering. Click the blue arrow to define the categories to Allow, Block and Log. When Allow is enabled, quota values can be defined for the category. Click in the appropriate column to allow overrides of categories. Click Logging if FortiGuard Web Filtering activity is to be logged.

FortiGuard Web Filtering Overrides: Identify the protocols to be scanned for FortiGuard Web Filtering Overrides.

Advanced Filtering Settings
Advanced settings are configured in the web filter profile. Expand Advanced Filter and enable the filtering options for the required protocols and enable logging if necessary.

ActiveX Filter: Enable to block ActiveX applications. Enable logging if required.

Cookie Filter: Enable to block web browser cookies. Enable logging if required.

Java Applet Filter: Enable to block Java applications. Enable logging if required.

Web Resume Download Block: Enable to force file downloads to always begin again from the beginning when web downloads are interrupted.

Block Invalid URLs: Enable to block URLs that are improperly formed, for example when they contain unsupported encoding formats.

HTTP Post Action: Select the post action from the dropdown list.

Allow Websites When a Rating Error Occurs: When enabled for HTTP or HTTPS, the FortiGate unit will allow users to access websites that returned an error when queried for a rating from FortiGuard Subscription Services.

Strict Blocking: When enabled for HTTP and HTTPS, web site access is disallowed if any classification or category matches the block rating or lists. When disabled, web site access is allowed if any classification or category matches the allowed list.

Rate URLs by Domain and IP Address: When enabled for HTTP and HTTPS, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.

Block HTTP Redirects by Rating: When enabled for HTTP or HTTPS, this option applies the rating of the original web site to redirections. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering as the initial web page could have a different rating than the destination web page of the redirect.

Rate Images by URL: Blocks images that have been rated by FortiGuard Subscription Services. Blocked images are replaced on the originating web pages with blanks. Rated image types are GIF, JPEG, PNG, BMP, and TIFF.

Provide Details for Blocked HTTP 4xx and 5xx Errors: When enabled for HTTP, the FortiGate unit will replace 4xx and 5xx HTTP errors with its own internal pages.

Daily log of remaining quota: Enable to generate a daily log entry with remaining quota values.

Enabling Web Filter Profiles in Firewall Policies
The web filter profile used to enable the web filtering elements is identified when a firewall policy is created. Click to enable UTM filtering in the policy. Click to enable the web filter and select the name of the web filter profile. When Web Filter is enabled, a Protocol Options list must be selected. Click Edit ( ) to modify the attributes of the web filter profile directly from the New Policy window. Any traffic passing through the firewall when the policy is in use will be filtered based on the elements identified in the web filter profile.

Lab 8 Web Filtering

Objectives
In this lab, web and content filtering will be configured. The interaction of local categories and overrides will also be examined.

Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Configuring Local Web URL and Content Filtering
• Exercise 2 Testing Web Category Filtering
• Exercise 3 Web Filtering Overrides

Timing
Estimated time to complete this lab: 35 minutes

Exercise 1 Configuring Local Web URL and Content Filtering
1 Log in to Web Config as the admin user. To create a new URL filter, go to UTM > Web Filter > URL Filter. Click Create New and enter the name URL_List. Click OK.
2 In the URL_List window, click Create New to define the following attributes for the URL filter.
URL: ^.*$
Type: Regex
Action: Block
Enable: enable
Note: ^.*$ means "at the beginning of the line" (^) match any single character (.) followed by the same preceding match (*) until the end of the line ($). There are many references on the web for Regular Expressions or Perl compatible regular expressions, for example, http://perldoc.perl.org or http://www.regexlib.com/CheatSheet.aspx.
Click OK.
3 Go to UTM > Web Filter > Profile. Click Create New and enter the name URL_Profile. Enable HTTP, HTTPS, and Logging for Web URL Filter. Select the URL filter called URL_List from the Options list. Click OK.
4 Go to Firewall > Policy > Policy. Select the default internal -> wan1 policy and click Edit ( ) or double-click the entry.

5 Click to enable UTM. Enable Web Filter and select the URL_Profile web filter profile. When Web Filter is enabled, a Protocol Options list must be selected. Select the default list and click OK.
6 Open a new web browser window and browse to a random web site. Note that all web sites are now blocked and that the URL Filter Block Replacement Message is displayed. If the web site is not blocked, clear the cache in the web browser and try again. Note: Web browser caching may interfere with web filtering.
7 Go to System > Config > Replacement Message. Expand HTTP. Edit the URL block message and add a custom message.
8 Go to UTM > Web Filter > URL Filter. Click to select the URL_List filter and click Edit ( ) or double-click the entry.
9 Click Create New and add the following filter:
URL: www.fortinet.com
Type: Simple
Action: Allow
Enable: enable
Click OK to save the changes.
10 In the URL filter list, click to select the new www.fortinet.com entry and click Move To ( ) to place this entry above the global blocking URL entry in the list.
11 Test access to www.fortinet.com.
12 On the www.fortinet.com web page, pick three words to add to a web content filter and a phrase in which one of the words occurs. For example, choose technology, program, or partner. Note: Ensure that the words selected do not appear as part of the graphics or flash movies on this web page.
Word 1:
Word 2:
Word 3:
Phrase:
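Steps 2, 9 and 10 above depend on the URL filter list being read top to bottom with the first matching entry deciding, which is why the www.fortinet.com allow entry has to be moved above the ^.*$ block entry. The following Python is an added example written for this guide, not FortiOS code: it models that ordering so the effect of Move To can be checked without a unit. Regex entries are applied to the whole URL string; Simple entries are compared with the host name, which is an assumption of the model and not a description of the unit's own Simple matching rules.

```python
import re
from urllib.parse import urlsplit


def entry_matches(entry, url):
    """Match one URL filter entry against a requested URL.

    Regex entries are searched against the full URL string (so ^.*$ matches
    every request, as in step 2). Simple entries are compared with the host
    name; that comparison is this model's assumption."""
    if entry["type"] == "regex":
        return re.search(entry["url"], url) is not None
    if entry["type"] == "simple":
        host = (urlsplit(url).hostname or "").lower()
        return host == entry["url"].lower()
    raise ValueError("unknown URL filter type: %s" % entry["type"])


def url_filter_action(url_filter, url):
    """Walk the list top to bottom; the first enabled matching entry decides.

    Returns 'allow', 'block', or None when no entry matched (the URL filter
    then leaves the request to the other web filter components)."""
    for entry in url_filter:
        if entry.get("enable", True) and entry_matches(entry, url):
            return entry["action"]
    return None


# Constructed entries matching the lab: the global block from step 2 and the
# allow entry added in step 9.
BLOCK_ALL = {"url": "^.*$", "type": "regex", "action": "block"}
ALLOW_FORTINET = {"url": "www.fortinet.com", "type": "simple", "action": "allow"}

URL_LIST_BEFORE_MOVE = [BLOCK_ALL, ALLOW_FORTINET]   # order after step 9
URL_LIST_AFTER_MOVE = [ALLOW_FORTINET, BLOCK_ALL]    # order after Move To in step 10


if __name__ == "__main__":
    for name, lst in [("before move", URL_LIST_BEFORE_MOVE), ("after move", URL_LIST_AFTER_MOVE)]:
        print(name, url_filter_action(lst, "http://www.fortinet.com/"),
              url_filter_action(lst, "http://www.example.com/"))
```

Before the move every request, www.fortinet.com included, hits the ^.*$ entry first and is blocked; after the move www.fortinet.com is allowed while other sites still fall through to the block entry.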

13 Go to UTM > Web Filter > Web Content Filter. Click Create New. Enter the name Content_Filter and click OK. On the Content_Filter page, click Create New and add Word 1 to the content pattern list as follows:
Action: Block
Pattern: <Word 1>
Pattern Type: Wildcard
Language: Western
Score: 5
Enable: enabled
Click OK.
14 Go to UTM > Web Filter > Profile and edit URL_Profile. Enable HTTP and Logging for Web Content Filter. Select the Content_Filter from the Options list. Set the Threshold to 5. Click OK to save the changes.
15 Reload www.fortinet.com to test that this page is blocked and that the Banned Word Block Replacement Message is displayed. (If the page appears, clear the cache on the browser and try again.)
16 Go to Log&Report > Log Access > Web Filter. Check the Disk log messages for the web content block entry.
17 Go to UTM > Web Filter > Web Content Filter. Click to select Content_Filter and click Edit ( ). Click to select the Word 1 pattern and click Disable ( ) before continuing.
18 Click Create New to add Word 2 to the web content filter list as follows:
Action: Block
Pattern: Type Word 2 using the form: /Word/i
Pattern Type: Regular Expression
Language: Western
Score: 5
Enable: enabled
The regular expression /word/i is used to accept any combination of upper- and lowercase letters. Click OK to save the changes.
19 Clear the cache in the web browser and reload the www.fortinet.com web page to test that the page is blocked and the replacement message is displayed. View the log messages again to locate the entry for the web content block event.

20 Go to UTM > Web Filter > Web Content Filter. Click to select Content_Filter and click Edit ( ). Click Create New to add an exempt pattern to the web content filter list as follows:
Action: Exempt
Pattern: Type the phrase chosen earlier.
Pattern Type: Regular Expression
Language: Western
Enable: enabled
Click OK.
21 Test the access to www.fortinet.com. The web page should be displayed because of the exempt phrase.
22 Add Word 3 to the web content filter list with a score of 5 and test. The page should still pass even if the threshold has been reached since the exempt phrase is tested first.

Exercise 2 Testing Web Category Filtering
1 Go to UTM > Web Filter > Profile. Click Create New and configure a new web filter profile called Category_Test.
2 Expand FortiGuard Web Filtering. Click to enable HTTP, HTTPS and Logging and enable category blocking and logging as follows:
Potentially Liable: Block and Log
Controversial: Block and Log
Potentially Non-productive: Block and Log
Potentially Bandwidth Consuming: Block and Log
Potential Security Violating: Block and Log
General Interest: Block and Log
Business Oriented: Block and Log
Others: Block and Log
Unrated: Block and Log
3 Expand Advanced Filter and enable the settings as follows:
Rate Images by URL: enable for HTTP
Strict Blocking: enable for HTTP and HTTPS
Rate URLs by Domain and IP Address: enable for HTTP and HTTPS
Click OK to save the changes.
4 Go to Firewall > Policy > Policy and edit the default internal -> wan1 policy. Change the web filter profile to Category_Test. Click OK.
5 Try to connect to a few different web sites. The FortiGuard Web Filtering Block Message should be displayed.

6 Go to System > Config > Replacement Message to configure a custom replacement message. Expand FortiGuard Web Filtering and edit the URL block message. Click OK.
7 Go to UTM > Web Filter > Local Categories. Enter a new Local Category name of Local-1 and click Create New.
8 Go to UTM > Web Filter > Local Ratings. Click Create New to create new entries for some of the web sites visited previously that were blocked. Enter the URL of a web site. Expand Local Categories in the Category Rating table and enable the rating for Local-1. Click OK.
9 Go to UTM > Web Filter > Profile. Edit the Category_Test profile and expand FortiGuard Web Filtering. Expand Local Categories in the category table. Click to enable the Local-1 category and set to Allow. Click to enable Log. Click OK to save the changes.
10 Try to visit a URL in the local category. Verify that other web sites not found in the local category are still blocked. Note: Some parts of an allowed web page may be blocked if off-site URLs are used that are not in the allowed category.

Exercise 3 Web Filtering Overrides
1 Go to User > User Group > User Group. Click Create New and configure a new user group with the following settings:
Name: web-override
Type: Firewall
Members: Enter the User Name of the sample user created in the Authentication lab.
Click OK.
2 Go to UTM > Web Filter > Profile and edit the Category_Test profile. Expand FortiGuard Web Filtering and enable Allow Override for all categories.
3 Expand FortiGuard Web Filtering Overrides and enable HTTP and HTTPS. Set the following:
Override Scope: IP
Override Type: Exact Domain
Off-site URL: Deny
Override Time: Constant/15 minutes
User Group: web-override
Click OK. Note: Do not use a web proxy, otherwise the Web Category Override web page will not work.

4 Try to visit a blocked category website. This time the blocked page replacement message will have an Override link. Click the Override link to view a Web Filter Block Override. Enter the user name and the password of a sample user created in Lab 5 - Authentication. Note that other fields are grayed out as they are set by the override user group. After completing the required fields that will grant access to the desired website, click Continue.
5 Go to UTM > Web Filter > Override. Click to select User Overrides and click Edit ( ) (or double-click the entry) to view the web filter override list. Note the Expiry Date column of the dynamically added entries.
6 Go to Log&Report > Log Access > Web Filter. Locate the log messages related to category blocking. Scroll or page down to locate the log messages from the URL and content filtering performed earlier in this lab.
7 Disable the web filter profile in the firewall policy.


LESSON 11 Data Leak Prevention

Lesson 11 Data Leak Prevention

An organization's data requires protection, not only from illegitimate access from the outside, but also from careless handling by those on the inside. Organizations process large amounts of information that can often be classified as sensitive, either from a business or legal point of view. Sensitive information could include personal information such as health data or credit card information, or confidential and proprietary information held by the organization such as product designs, release schedules and other intellectual property. Users might not be aware of the value of the data they could potentially be disclosing, or how it could be used by another party who would receive the data. The impact of sensitive data leaving the organization could be severe, including harm to their reputation, violation of regulatory requirements and potential legal action.

Possible data leak points in the organization could include employee email, instant messaging, blogs, personal webmail and wiki entries. The risk can increase in email exchange as the number of participants increases. Participants in the exchange might not remember that earlier in a conversation thread sensitive information was being discussed, or a user could forward or add a participant who should not have access to sensitive information.

Protecting the organization against the loss of important information through data leakage will require a solution to perform the following:
• Monitor and audit the possible locations where data may be leaking.
• Restrict the channels through which the leak may be occurring.
• Detect and block any data leaks as they occur.

The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving the network. An administrator can define sensitive data patterns, and data matching these patterns will be blocked and/or logged when passing through the FortiGate unit. Although the primary use of the DLP feature is to stop sensitive data from leaving the network, it can also be used to prevent unwanted data from entering the network. The DLP system is configured by creating individual rules, combining the rules into sensors, and then assigning a sensor to a firewall policy.

Monitored Data Types
The FortiGate Unit's Data Leak Prevention features build on the threat management capabilities of the proxies and the scanunit. A variety of file types can be monitored including:
• Text, including HTML and email content
• Plaintext contents of PDF files
• Pre-2007 Microsoft Word files
• Microsoft Office 2007 files
The file option settings within each DLP rule will define whether the rule applies to files within an archive.

Data Leak Prevention Rules
Rules are the core element of the Data Leak Prevention feature. Rules can define the types of data to look for, for example credit card numbers, cookies, or URLs. Rules also describe where to look for this data, for example file types or transaction types, in addition to where the data is originating from, or being requested. There are some built-in DLP regular rules available to help illustrate how rules could be used to address certain data leak issues using known patterns, for example strings.

Regular Rules
A regular rule contains a single parameter used to define data to be protected. Multiple regular rules can be added on the FortiGate device, and combined to create compound rules or added directly to a DLP sensor. To view the list of DLP regular rules currently available on the FortiGate unit, go to UTM > Data Leak Prevention > Rule. To view or modify any individual regular rule, click to select the rule from the list and click Edit ( ) or double-click the entry.

New DLP regular rules can be defined by clicking Create New on the DLP Rules List page. Assign a name for the rule, select the protocol and define the parameter by selecting the rule and defining the rule criteria. A variety of rule types are available for use in regular rules.

Email Rules
Email rules are used to scan SMTP, IMAP and POP3 traffic and contain criteria common to mail messages.

HTTP Rules
HTTP rules contain criteria common to HTTP POST and GET traffic.

HTTPS Rules

HTTPS rules contain a single criterion which is always enabled.

FTP Rules

FTP rules contain criteria common to FTP PUT and GET traffic.

NNTP Rules

NNTP rules contain criteria common to NNTP traffic.

Instant Messaging Rules

Instant messaging rules contain criteria common to AIM, ICQ, MSN and Yahoo! instant messaging traffic.

Compound Rules

DLP regular rules can be combined into compound rules that can be included in sensors. Compound rules allow an administrator to group individual rules to specify far more detailed activation conditions. Each included rule is configured with a single attribute, but every attribute must be present before the rule is activated.

If regular rules are specified directly in a sensor, traffic matching any single rule will trigger the configured action. If the rules are first combined into a compound rule and then specified in a sensor, every rule in the compound rule must match the traffic to trigger the configured action. Individual regular rules in a sensor are linked with an implicit OR condition, while rules within a compound rule are linked with an implicit AND condition.

There are some built-in compound rules available to help illustrate how compound rules could be used to address certain data leak issues. To view the list of DLP compound rules currently available on the FortiGate unit, go to UTM > Data Leak Prevention > Compound. To view or modify any individual compound rule, click to select the rule from the list and click Edit or double-click the entry.

New DLP compound rules can be defined by clicking Create New on the DLP Rules List page. Assign a name for the compound rule, then select the protocol and the regular rules to be included. For each protocol selected, select the individual regular rules to be included in the compound rule. Click the add icon to add an additional regular rule to the compound rule. Click the remove icon to remove a regular rule from the compound rule.

Rule Processing

When a DLP rule is configured, traffic passes through the proxies as usual. DLP rules differ from other types of rules on the FortiGate unit in that it is not the first rule matched which determines the behavior; instead the proxy and scanunit work together to match as many of the rules as possible. Some of the rules are matched in the proxies (for example URL, hostname, server, user, and user group), while others are matched in the scanunit (for example attachment text, file text, binary patterns, attachment size, encrypted, HTTP header, cookie content, CGI parameters, sender, receiver, subject, body, attachment type and file type).

• Traffic coming into the FortiGate unit along the network connection passes through the proxy. The headers in the data are examined and some DLP rules may be matched. No action is taken at this point.
• The files associated with that session are sent to the scanunit for scanning and archiving (if required).
• The results are sent back to the proxy and the final action is determined once all the DLP rules have been matched.

Rule Priority

If multiple DLP rules are matched, all the rules are combined to determine the resulting action. The order of the rules is not important. Some actions, such as Block, will affect the current request; others, such as Ban or Quarantine, will affect future requests. The order of priority for the rules is as follows:

1 If archive is selected, it will always be performed.
2 Exempt overrides all other actions.
3 Ban and quarantine. Actions in this grouping will be simultaneously applied. The actions are listed in order from most restrictive to least restrictive:
• Quarantine interface
• Quarantine IP
• Ban IP
• Ban user
• Ban sender
4 Block
5 None
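The following model, added here as an example and not Fortinet code, shows how a sensor combines its entries (regular rules ORed, compound rule members ANDed) and then resolves the matched actions in the priority order above. The rule names follow the lab in this lesson; the simplified Visa/Mastercard pattern, the size and file-type checks and the transactions are all constructed for the example, not the built-in rule definitions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# One proxied request as the proxy/scanunit see it: protocol, file name,
# transfer size and body text. Constructed attribute names, not FortiOS fields.
Transaction = Dict[str, object]


@dataclass
class RegularRule:
    """A regular rule: one protocol and a single criterion."""
    name: str
    protocol: str
    criterion: Callable[[Transaction], bool]

    def matches(self, tx: Transaction) -> bool:
        return tx.get("protocol") == self.protocol and bool(self.criterion(tx))


@dataclass
class CompoundRule:
    """A compound rule: every member rule must match (implicit AND)."""
    name: str
    rules: List[RegularRule]

    def matches(self, tx: Transaction) -> bool:
        return all(r.matches(tx) for r in self.rules)


@dataclass
class SensorEntry:
    member: Union[RegularRule, CompoundRule]
    action: str            # none, block, exempt, ban-sender, ban-user, ban-ip, quarantine-ip, quarantine-interface
    archive: str = "none"  # none, summary, full


# Ban/quarantine actions, most restrictive first, as listed in the course text.
BAN_QUARANTINE = ["quarantine-interface", "quarantine-ip", "ban-ip", "ban-user", "ban-sender"]


def evaluate(entries: List[SensorEntry], tx: Transaction) -> dict:
    """Apply one sensor to a transaction and resolve the resulting action.

    Sensor entries are ORed: every entry whose member matches contributes its
    action. The contributed actions are then combined by priority:
    archive always happens if any matched entry asked for it; exempt overrides
    everything; all matched ban/quarantine actions are applied together (they
    affect future requests); then block (current request); then none.
    """
    matched = [e for e in entries if e.member.matches(tx)]
    actions = {e.action for e in matched}
    result = {
        "matched": [e.member.name for e in matched],
        "archive": any(e.archive != "none" for e in matched),
        "enforce": [],  # ban/quarantine actions to apply, most restrictive first
    }
    if "exempt" in actions:
        result["action"] = "exempt"
        return result
    result["enforce"] = [a for a in BAN_QUARANTINE if a in actions]
    if result["enforce"]:
        result["action"] = result["enforce"][0]
    elif "block" in actions:
        result["action"] = "block"
    else:
        result["action"] = "none"
    return result


# Constructed stand-ins for the lab's rules. CARD_RE is a deliberately simple
# Visa (4 + 15 digits) / Mastercard (51-55 + 14 digits) pattern for this example.
CARD_RE = re.compile(r"\b(?:4\d{15}|5[1-5]\d{14})\b")
visa_mc = RegularRule("HTTP-Visa-Mastercard", "http",
                      lambda tx: bool(CARD_RE.search(str(tx.get("body", "")))))
big_file = RegularRule("Big_File", "http", lambda tx: int(tx.get("size_kb", 0)) >= 1000)
mp3 = RegularRule("MP3", "http", lambda tx: str(tx.get("filename", "")).lower().endswith(".mp3"))
mp3_compound = CompoundRule("MP3_Compound", [big_file, mp3])

# Sensor as built in the lab: two entries, both Block with Full archive.
SENSITIVE_DATA = [
    SensorEntry(visa_mc, "block", "full"),
    SensorEntry(mp3_compound, "block", "full"),
]

# Constructed transactions.
SMALL_MP3 = {"protocol": "http", "filename": "song.mp3", "size_kb": 500, "body": ""}
BIG_MP3 = {"protocol": "http", "filename": "big.mp3", "size_kb": 2000, "body": ""}
CARD_POST = {"protocol": "http", "filename": "", "size_kb": 1,
             "body": "card 4111111111111111 exp 12/12"}  # well-known Visa test number

if __name__ == "__main__":
    for tx in (SMALL_MP3, BIG_MP3, CARD_POST):
        print(tx["filename"] or "post", evaluate(SENSITIVE_DATA, tx))
```

A small MP3 matches only one member of the compound rule, so the sensor takes no action; the 2000 KB MP3 satisfies both members and is blocked.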

Data Leak Prevention Sensors

DLP sensors are simply collections of DLP regular and compound rules. Create a new DLP sensor and configure it to include the regular and compound rules required to protect the traffic leaving the network. There are some built-in sensors available to help illustrate how sensors could be used to address certain data leak issues.

To view the list of DLP sensors currently available on the FortiGate unit, go to UTM > Data Leak Prevention > Sensor. To view or modify any individual sensor, click to select the sensor from the list and click Edit or double-click the entry.

New DLP sensors can be defined by clicking Create New on the Sensor List page and assigning a name for the sensor. Click OK.

Click Create New to define the attributes of the sensor.

Member Type: Select Rule to choose from a list of regular rules available on the FortiGate unit, or select Compound Rule to choose from a list of the compound rules.
Action: Select the action to be taken when any individual regular rule, or all the regular rules in the compound rule, are triggered.
Archive: Select the archive level for data triggering the sensor, including no archiving, Summary Only or Full.
Severity: Select the severity level.
Expires: Certain actions will allow the definition of an expiry period to define how long users will be banned or the time data is kept in quarantine when these options are enabled.

Data Leak Prevention Sensor Actions

The action to be taken against traffic matching the configured DLP regular rule or DLP compound rule is defined during the sensor creation process.

None: This prevents the DLP rule from taking any action on network traffic. Other matching rules in the same sensor and other sensors may still operate on matching traffic.
Block: This action prevents the traffic matching the rule from being delivered.
Exempt: This action prevents any DLP sensors from taking action on matching traffic. This action overrides any other action from any matching sensors.
Ban: This action will block all traffic using the protocol that triggered the rule if the user is authenticated. If the user is not authenticated, all traffic using the protocol that triggered the rule will be blocked.
Ban Sender: This action will add the sender of matching email/IM messages to the Banned User list. This action is available only for IM and email protocols.
Quarantine IP address: This action is a more restrictive approach and will block access to the network from any IP address that sends traffic matching a sensor with this action.
Quarantine Interface: This action will block access to the network from any client on the interface that sends traffic matching a sensor with this action.

Any ban or quarantine action will place an entry in the Banned User list. To view the Banned User list, go to User > Monitor > Banned User. If an entry is listed in the Application Protocol column of the Banned User list, the item has had a ban action applied. If the protocol is not listed, then a quarantine action has been applied, because a quarantine applies to all protocols, not just the ones mentioned.

Note: DLP for instant messaging (IM) requires that application control be enabled, since application detection is performed before handing off to the IM proxy. Due to data latency issues, however, only file transfers performed through instant messaging will be subject to DLP filtering, not the content of the messages exchanged. The text of IM messages can be archived. To indicate that text should also be archived, be sure to add a DLP rule which specifies transfer size >=0 and then select the Archive option when applying this rule to the DLP sensor.

Enabling Data Leak Prevention in Firewall Policies

The DLP sensor used to define the data leak rules is identified when the firewall policy is created. Any traffic passing through the firewall when the policy is in use will be filtered based on the rules identified in the sensor. Click to enable UTM filtering in the policy and enable DLP Sensor. Select the name of the sensor to be used from the list. Click Edit to modify the attributes of the DLP sensor directly from the New Policy window.

Data Leak Prevention Logging

Logging DLP actions is enabled when the sensor is created. Any DLP-triggered log entries will be displayed in Log&Report > Log Access > DLP.

Data Leak Prevention Suggested Practices

Specific rules related to HTTP posts can be created. Use DLP to block posts selectively based on their content, but if the requirement is to block all HTTP posts, a better solution is to use application control or the Post Block option in a protection profile.

In the File Options for a DLP rule, it is preferable to scan the text of a file rather than the archive if possible.

A complete DLP solution may include other components such as application control to limit access to some communication channels such as instant messaging or peer-to-peer communications.

Lab 9 Data Leak Prevention

Objectives

In this lab, the DLP features of the FortiGate unit will be tested to block the transmission of sensitive data outside the network. Users who attempt to send sensitive data outside the network will be banned from sending further email.

Tasks

In this lab, the following tasks will be completed:
• Exercise 1 Blocking Encrypted Files
• Exercise 2 Blocking Leakage of Credit Card Information
• Exercise 3 Blocking Oversize Files by Type
• Exercise 4 DLP Banning and Quarantining

Timing

Estimated time to complete this lab: 40 minutes

Exercise 1 Blocking Encrypted Files

1 Download a copy of the dlp-test-encrypt.zip file from Fortinet Online Campus at the following location: http://campus.training.fortinet.com. Click Class Descriptions, then the 201 - FortiGate I tab to access the file. Save the file to a location on the local PC.

2 In the Web Config, go to UTM > Data Leak Prevention > Rule. Create a new DLP rule called Block_Encrypted_Rule with the following details:
Protocol: HTTP
HTTP POST: enabled
Rule: File is encrypted
Click OK.

3 Go to UTM > Data Leak Prevention > Sensor. Create a new DLP Sensor called Block_Encrypted. Enable logging and click Create New to define a new rule with the following details:
Action: Block
Archive: disable
Severity: 1 (Lowest)
Member Type: Rule
Enable Block_Encrypted_Rule. Click OK.

4 Edit the default internal wan1 policy. Enable UTM and DLP Sensor. Select the Block_Encrypted DLP sensor. When DLP Sensor is enabled, a Protocol Options list must be defined. Select the default list. Click OK.

5 Using a web-based file transfer tool (for example, www.yousendit.com or www.sendspace.com) attempt to send the dlp-test-encrypt.zip file to an email address. The DLP block replacement message should be presented.

6 Locate the DLP log entry for this action.

7 Change the extension on the file name to *.txt and attempt to send the file again. The file should still be blocked.

Exercise 2 Blocking Leakage of Credit Card Information

1 Go to UTM > Data Leak Prevention > Rule and locate the built-in DLP rule called HTTP-Visa-Mastercard. This rule has been designed to block any HTTP transfer that contains a Visa or Mastercard number in the message body. Edit the rule and note the regular expression used to identify the credit card number. Enable HTTP GET. Enable the file option Scan archive contents. Click OK.

2 Go to UTM > Data Leak Prevention > Sensor and create a new DLP sensor called Sensitive_Data. Enable logging and create a new rule with the following details:
Action: Block
Archive: Full
Severity: 1 (Lowest)
Member Type: Rule
Enable HTTP-Visa-Mastercard. Click OK.

3 Go to Firewall > Policy > Policy and edit the default internal wan1 policy. Enable DLP sensor and select the Sensitive_Data sensor from the list. Disable any other UTM elements that are enabled from previous exercises and click OK.

4 Test the ability to download a file called creditcards.xlsx containing credit card numbers from the Fortinet Online Campus at the following location: http://campus.training.fortinet.com. Click Class Descriptions, then the 201 - FortiGate I tab to access the file. The DLP block replacement message should be presented when the file download is attempted.

5 Locate the full archived entry of the file on the FortiAnalyzer unit.

6 Locate the DLP log entry for this action.

Exercise 3 Blocking Oversize Files by Type

An alternate use of DLP is to control bandwidth usage by limiting the size of files of certain file types. In this exercise compound rules will be used.

1 Go to UTM > Data Leak Prevention > Rule and create a new DLP rule called Big_File with the following details:
Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rule: Transfer Size >= 1000KB
Click OK.

2 Go to UTM > AntiVirus > File Filter and create a new file filter called No_MP3 to block files with a file name pattern of *.mp3.

3 Create a second DLP rule called MP3 with the following details:
Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rule: File type is found in No_MP3
Click OK.

4 Go to UTM > Data Leak Prevention > Compound and create a compound rule called MP3_Compound with the following details:
Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rules: Big_File, MP3
Click OK.

5 Edit the Sensitive_Data sensor to include the compound rule:
Action: Block
Archive: Full
Severity: 1
Member Type: Compound rule
Enable the MP3_Compound compound rule. Click OK.

6 Attempt to download the file called big.mp3 from Fortinet Online Campus at the following location: http://campus.training.fortinet.com. Click Class Descriptions, then the 201 - FortiGate I tab to access the file. The DLP block replacement message should be presented when the file download is attempted.

7 Locate the full archived entry of the file on the FortiAnalyzer unit.

8 Locate the DLP log entry for this action.

Exercise 4 DLP Banning and Quarantining

1 Edit the DLP sensor called Sensitive_Data and change the action for the HTTP-VISA-MASTERCARD rule to Ban. Set the expiry to 5 minutes.

2 Attempt to download the creditcard.xlsx file once again. The user should be banned.

3 Go to User > Monitor > Banned User and locate the ban entry in the list. By looking at the user ban list, how can an administrator tell whether the entry is a ban entry and not a quarantine entry?

4 Click Clear to remove the ban entry.

5 Modify the Sensitive_Data sensor to change the action for the No_Big_MP3 rule to Quarantine IP address.

6 Attempt to download the big.mp3 file once again. The user should be quarantined. Check the banned user list once again and locate the user entry. Note that the Application Protocol column is empty, indicating that the user is quarantined.

7 Disable the Sensitive_Data DLP sensor in the default internal wan1 policy.


LESSON 12 Application Control


Lesson 12 Application Control

Application Control is used to detect and take actions on network traffic based on the applications generating the traffic. Application Control can log and manage the behavior of application traffic passing through the FortiGate unit. Using FortiGate Intrusion Prevention protocol decoders, Application Control can regulate the behavior of applications with a fine level of granularity, including:
• Performing actions such as blocking, passing, traffic shaping and adding user controls.
• Blocking certain commands, for example blocking the PUT command for FTP.
• Blocking file transfers for instant messaging.
• Archiving content for instant messaging.
• Inspecting files for malicious content within instant messaging protocols.

Proprietary pattern matching technologies allow the Application Control feature to detect application traffic even if contained within other protocols, for example in the case of HTTP tunneling. This allows for the detection of application traffic within another protocol. Since Application Control detects based on protocols, traffic running on nonstandard ports can be easily monitored, for example HTTP traffic passing through ports other than the default port of 80. Reporting can be configured to log and display traffic based on ports, protocols or applications configured by the user.

Application Types

Application Control on the FortiGate unit supports over 100 applications, grouped into 18 categories.

Instant Messaging: Includes IM (Instant Messaging) software and online chatting applications. Examples: AIM, MSN, Yahoo.
Peer-to-Peer: Includes P2P (Peer to Peer) applications and associated P2P protocols, which can establish a P2P network to provide fast data sharing. Examples: BitTorrent, Edonkey, Gnutella, Kazaa.
Voice over IP: Includes voice communication software using VoIP technologies (e.g. SIP, H.323, etc.), which can deliver voice over the network. Examples: Skype, H.323, H.245, SIP, MGCP, Net2phone.
File Transfer: Includes file transfer applications and associated protocols, which enable two or more people to exchange files over the network. Examples: FTP, RapidShare, YouSendIt.
Video/Audio Streaming: Includes streaming video/audio applications and associated protocols, which can provide online video/audio. Examples: iTunes, PPStream, Peercast, Quicktime, RealPlayer.
Internet Proxy: Includes proxy software and websites, which can make indirect network connections to other networks and bypass the firewall policy. Examples: Ghostsurf, Hamachi, Tor, Ultrasurf.
Remote Access Connection: Includes remote management software and associated protocols, which can be used to log in and operate remote machines. Examples: Gotomypc, PCAnywhere, RDP, VNC, SSH, Telnet, Teamviewer, Netmeeting, Webex.
Games: Includes network and Internet games. Examples: KnightOnline, Second.Life, WorldofWarcraft.
Web Browser Toolbar: Includes third-party toolbars adding functionality and ease-of-use options to web browsers. Examples: Alexa.Toolbar, Google.Toolbar, Yahoo.Toolbar.
Database: Includes database applications. Examples: DB2, MSSQL, MySQL, Oracle, Postgres, Sybase.
Web-based Mail: Includes email services intended to be primarily accessed through web browsers. Examples: Gmail, Hotmail, Yahoo.Webmail.
Web: Includes web sites and browser-based applications. Examples: Amazon, Ebay, Facebook, Google, Myspace, Wikipedia.
Protocol Command: Includes specific commands of some protocols. Examples: AIM.Request, AIM.Command, FTP.Command, HTTP.Method, MSN.Command.
Internet Protocol: Includes protocols used for communicating data across a network. Examples: ICMP, IGMP, IPv6, RSVP.
Network Services: Includes application layer protocols over TCP or UDP. Examples: HTTP, IMAP, L2TP, LDAP, MSRPC, POP3, RADIUS, SMTP, SSL.
Enterprise Applications: Includes enterprise applications used in the daily work of a company. Examples: IBM.Lotus.Notes, IBM.MQ, MS.Weboffice, Salesforce.CRM.
System Update: Includes the self-upgrade function of a particular software or system, which could be automatic or scheduled. Examples: Adobe.Update, Apple.MacOS.Update, Microsoft.Update, McAfee.Update, TrendMicro.Update.
Network Backup: Includes backup software and network backup applications. Examples: Rsync, IBM.Tivoli.Storage.Manager.

To view the entire list of applications that can be managed through FortiGate Application Control, go to UTM > Application Control > Application List. Columns can be filtered to help limit the display of applications in the list. Click Filter for a specific column and edit the filters as needed.

Application Control Lists

The Application Control Lists define the applications that will be subject to inspection as well as settings for each of the applications. For each application, the administrator can specify whether to pass or block the application traffic and enable logging of the application traffic. Depending on the application, specific commands normally allowed by the application can be blocked.

Defining Application Control Lists

Multiple Application Control Lists can be added on the FortiGate device and the appropriate list can be selected within a firewall policy. To view the Application Control Lists currently available on the FortiGate unit, go to UTM > Application Control > Application Control List. To view or modify any individual Application Control List, click to select the list and click Edit or double-click the entry.

New Application Control Lists can be created by clicking Create New on the Application Control List page and assigning a name for the list. Click OK.

Click Create New to define a new application entry in the list.

Category: Select the Application Category from the list. Based on the category selected, a list of Applications will be displayed.
Application: Select the required Application from the list.
Action: Select Block or Pass for the Application selected.
Options: Click to enable Logging of activity for this application entry if required. Click to enable Packet Log for this application entry if required. Click to enable Session TTL and indicate the time value.

Note: Depending on the Application and Action selected, different parameters may become available for configuration. For example, when certain applications are set with an Action of Pass, traffic shaping parameters may become available for configuration.

Enabling Application Control in a Firewall Policy

The Application Control List used to enable the Application Control elements is identified when a firewall policy is created. Any traffic passing through the firewall when the policy is in use will be filtered based upon the elements identified in the Application Control List. Click to enable UTM filtering in the policy. Click to enable Application Control and select the name of the Application Control List, or select [Create New...] to define a new list. Click Edit to modify the attributes of the Application Control List directly from the New Profile window.

Application Control Logging

Logging Application Control actions is enabled when the Application Control List is defined. Any Application Control-triggered log entries will be displayed in Log&Report > Log Access > Application Control.

Lab 10 Application Control

Objectives

In this lab, access to specific applications will be blocked using the Application Control features on the FortiGate unit.

Tasks

In this lab, the following tasks will be completed:
• Exercise 1 Creating an Application Control List
• Exercise 2 Testing Application Control

Timing

Estimated time to complete this lab: 10 minutes

Exercise 1 Creating an Application Control List

1 In Web Config, go to UTM > Application Control > Application Control List. Create a new Application Control List called App_Control_Lab. Click OK.

2 Create new application entries in the App_Control_Lab list as follows:
Category: media
Application: YouTube.Download
Action: Pass
Logging: Enabled

Category: web
Application: Myspace
Action: Block
Logging: Enabled

3 Go to Firewall > Policy > Policy and edit the default policy. Enable UTM and Application Control. Select the App_Control_Lab control list. Click OK.

Exercise 2 Testing Application Control

1 In a web browser, attempt to play a video on youtube.com.

2 Go to Log&Report > Log Access > Application Control and locate the log entry for this action. Double-click the entry to view the details of the log entry.

3 In a web browser, go to myspace.com.

4 Locate the log entry for this action in the Application Control log.

5 Edit the App_Control_Lab Application Control List and set the action for youtube.com to Block.

6 In a web browser, attempt to play a video on youtube.com once again.

7 Locate the log entry for this action in the Application Control log. Double-click the entry to view the details of the log entry.

LESSON 13 Endpoint Control


Lesson 13 Endpoint Control

The FortiGate unit can monitor client computers on the network to ensure their compliance to corporate standards for installed software. The device can detect software running on the client computer, including FortiClient, and display the status for administrators. This feature can also be used to enforce the use of FortiClient or other antivirus applications on the host computer.

Endpoint Network Access Control

Endpoint Network Access Control (NAC) can be enabled in the firewall policy to enforce compliance of client software running on the host computer.

Application Sensors

Application sensors describe the applications to be allowed, denied or monitored through FortiGate Endpoint NAC. Applications available for use within the sensors are predefined on the FortiGate device. Each application is assigned to one of 37 categories. To view the list of predefined applications available on the FortiGate device, go to Endpoint > NAC > Application Database. Columns can be filtered to help limit the display of applications in the list. Click Filter for a specific column and edit the filters as needed.

Defining Application Sensors

An application sensor defines the application to be detected and the action to be taken. Actions can include allowing the application, denying the application or monitoring the application through the logs. Multiple application sensors can be added on the FortiGate device and the appropriate sensor can be selected when creating the Endpoint NAC profile. There are some built-in sensors available to help illustrate how sensors could be used to control application use on client computers.

To view the list of available application sensors, go to Endpoint > NAC > Application Sensor. To view or modify any application sensor in the list, select the sensor and click Edit or double-click the entry.

New application sensors can be defined by clicking Create New on the Application Sensor List page or by selecting [Create New...] from the Application Detection List drop-down list on the New Endpoint NAC Profile page. Assign a name for the list. Click OK and define the parameters of the application sensor.

Name: The name assigned to the application sensor will be used to identify the sensor on the Endpoint NAC Profile page.
Other Applications: Select how any applications not specified in the application sensor will be handled, either Allow, Deny or Monitor.

Multiple application entries can be added to the sensor by clicking Create New on the Application Entry List page and defining the parameters and status of the application as well as the action to be taken.

Category: Select the Category for the application entry. Categories are assigned by Fortinet and can be viewed in the Application Database.
Vendor: Select the Vendor for the application entry. Vendors are assigned by Fortinet and can be viewed in the Application Database.
Application: Select the Application for the application entry. Applications can be viewed in the Application Database.
Status: Select the state for the selected application, including Installed, Running, Not Installed or Not Running.
Action: Select the action to be taken when the selected application, in the selected state, is detected, either Allow, Deny or Monitor.

To view or modify any application entry, select the entry and click Edit or double-click the entry.

FortiClient Compliance

The use of FortiClient Endpoint Security can be enforced on the network through Endpoint NAC. This will ensure that clients have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. The FortiGate unit retrieves FortiClient software and antivirus updates from FortiGuard servers. If the FortiGate unit contains a hard disk drive, these files are cached to more efficiently serve downloads to multiple end points. Go to Endpoint > NAC > FortiClient to see the software and antivirus signature versions that the Endpoint NAC will enforce.

Endpoint NAC Profiles

Endpoint NAC operations are defined through endpoint NAC profiles. The endpoint NAC profiles are in turn enabled within firewall policies; any traffic being examined by such a policy will have the endpoint NAC operations applied to it. Some predefined endpoint NAC profiles are available on the FortiGate device. To view the details or modify the attributes of the predefined profiles, go to Endpoint > NAC > Profile. Click to select the profile in the list and click Edit, or double-click the entry.

To create a new endpoint NAC profile, click Create New and define the parameters of the profile.

Name: The name assigned to the endpoint NAC profile will be used to identify the profile on the New Policy page.

Endpoint NAC Checks for FortiClient: Select the action to be taken on hosts without FortiClient installed or enabled. Hosts can be notified to install FortiClient, or they can be quarantined.

Additional Host Checks: Hosts running FortiClient can also be quarantined if any of the additional checks fail: antivirus scanning is not enabled, antivirus definitions are not up to date, or the firewall is not enabled. The host can also be quarantined based on the outcome of the application sensor check; the sensor to be used is selected from the list.
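The application sensor settings and the profile checks above describe a decision procedure that the FortiGate unit applies per host. The following Python model, added here as an illustration and not taken from the course guide or from FortiOS, spells that procedure out so the interaction between the four application states, the Other Applications default and the quarantine checks can be tested. All class and field names, the version-comparison rule and the sample host reports are assumptions; only the decision rules come from the text of the two pages (the sensor page above and this profile page).

```python
"""Added example, not from the course guide: a model of how an endpoint NAC
profile combines the FortiClient checks with an application sensor to reach a
decision for one host.  Field names and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW, DENY, MONITOR = "Allow", "Deny", "Monitor"
INSTALLED, NOT_INSTALLED = "Installed", "Not Installed"
RUNNING, NOT_RUNNING = "Running", "Not Running"
NOTIFY, QUARANTINE = "notify", "quarantine"

@dataclass
class AppEntry:                 # one row of the Application Entry List
    vendor: str
    category: str
    application: str
    status: str                 # INSTALLED, NOT_INSTALLED, RUNNING or NOT_RUNNING
    action: str                 # ALLOW, DENY or MONITOR

@dataclass
class AppSensor:
    name: str
    entries: List[AppEntry]
    other_applications: str = ALLOW    # action for applications with no entry

@dataclass
class NacProfile:
    name: str
    no_forticlient_action: str = NOTIFY    # NOTIFY or QUARANTINE
    quarantine_if_av_disabled: bool = True
    quarantine_if_av_outdated: bool = True
    quarantine_if_firewall_disabled: bool = True
    quarantine_on_sensor_match: bool = True
    sensor: Optional[AppSensor] = None

@dataclass
class HostReport:               # what FortiClient reports for one endpoint (assumed fields)
    ip: str
    forticlient_installed: bool = False
    forticlient_enabled: bool = False
    av_enabled: bool = False
    av_signature: str = "0.0"
    firewall_enabled: bool = False
    applications: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)  # app -> (installed, running)

def _version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def app_states(installed: bool, running: bool) -> Set[str]:
    """Translate an installed/running pair into the sensor's status vocabulary."""
    return {INSTALLED if installed else NOT_INSTALLED,
            RUNNING if installed and running else NOT_RUNNING}

def evaluate_sensor(sensor: AppSensor, host: HostReport) -> List[Tuple[str, str]]:
    """(application, action) findings.  Each entry is tested against the host's state
    for that application, so a Not Installed / Deny entry enforces a required
    application; reported applications with no entry get the Other Applications action."""
    findings, listed = [], set()
    for e in sensor.entries:
        listed.add(e.application)
        installed, running = host.applications.get(e.application, (False, False))
        if e.status in app_states(installed, running):
            findings.append((e.application, e.action))
    for app, (installed, running) in host.applications.items():
        if app not in listed and (installed or running):
            findings.append((app, sensor.other_applications))
    return findings

def evaluate_host(profile: NacProfile, host: HostReport,
                  enforced_av_signature: str) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is "allow", NOTIFY or QUARANTINE.
    enforced_av_signature is the version listed at Endpoint > NAC > FortiClient."""
    if not (host.forticlient_installed and host.forticlient_enabled):
        return profile.no_forticlient_action, ["FortiClient not installed or not enabled"]
    reasons: List[str] = []
    if profile.quarantine_if_av_disabled and not host.av_enabled:
        reasons.append("antivirus scanning not enabled")
    if (profile.quarantine_if_av_outdated
            and _version(host.av_signature) < _version(enforced_av_signature)):
        reasons.append(f"antivirus definitions {host.av_signature} older than {enforced_av_signature}")
    if profile.quarantine_if_firewall_disabled and not host.firewall_enabled:
        reasons.append("firewall not enabled")
    if profile.sensor is not None:
        for app, action in evaluate_sensor(profile.sensor, host):
            if action == DENY and profile.quarantine_on_sensor_match:
                reasons.append(f"application sensor '{profile.sensor.name}' denies {app}")
            elif action == MONITOR:     # Monitor records the application; it never blocks
                reasons.append(f"monitor: {app}")
    blocking = [r for r in reasons if not r.startswith("monitor:")]
    return (QUARANTINE if blocking else "allow"), reasons

# Constructed sample configuration and host reports (not real Application Database data).
SENSOR = AppSensor("corp-sensor", [
    AppEntry("Example P2P Vendor", "P2P", "ExampleTorrent", RUNNING, DENY),
    AppEntry("Example VoIP Vendor", "VoIP", "ExampleVoIP", INSTALLED, MONITOR),
    AppEntry("Example Corp", "Security", "CorpAgent", NOT_INSTALLED, DENY),  # required app
])
PROFILE = NacProfile("corp-nac", sensor=SENSOR)
ENFORCED_AV = "12.105"
OK = {"CorpAgent": (True, True)}
HOSTS = [
    HostReport("10.0.0.11", True, True, True, "12.105", True, {**OK, "Firefox": (True, True)}),
    HostReport("10.0.0.12"),                                               # no FortiClient
    HostReport("10.0.0.13", True, True, True, "12.099", True, dict(OK)),   # stale signatures
    HostReport("10.0.0.14", True, True, True, "12.105", True, {**OK, "ExampleTorrent": (True, True)}),
    HostReport("10.0.0.15", True, True, True, "12.105", True, {**OK, "ExampleVoIP": (True, False)}),
    HostReport("10.0.0.16", True, True, True, "12.105", True),             # required app missing
]

def decisions() -> Dict[str, str]:
    return {h.ip: evaluate_host(PROFILE, h, ENFORCED_AV)[0] for h in HOSTS}

if __name__ == "__main__":
    for h in HOSTS:
        print(h.ip, *evaluate_host(PROFILE, h, ENFORCED_AV))
```

Two points the model makes visible: a Monitor match never changes the verdict, it only leaves a record, so a sensor whose Other Applications action is Monitor is an inventory tool rather than a control; and an entry with status Not Installed and action Deny turns the sensor into a required-software check, which is how a corporate agent can be enforced alongside the FortiClient checks.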

Enabling Endpoint NAC in Firewall Policies

The endpoint NAC profile used to enable the endpoint NAC elements is identified when a firewall policy is created. Any traffic passing through the firewall when the policy is in use will be filtered based on the elements identified in the endpoint NAC profile. Click to enable Endpoint NAC, then select an appropriate endpoint NAC profile from the list. Click Edit to modify the attributes of the endpoint NAC profile directly from the New Policy window.

Vulnerability Scanning

A vulnerability scan can help determine whether an organization's client computers are vulnerable to attack. The FortiGuard Vulnerability Management Service provides a database of common vulnerabilities for which to scan. This database is kept up to date through a subscription service to ensure that new vulnerabilities are added to the database as they are discovered, allowing hosts to be scanned for the most current security risks. Scans are performed against configured hosts and the information is summarized for review by an administrator.

Assets

Before the FortiGate unit can scan for vulnerabilities, an administrator must identify the client computers to be included in the scan. The client computers can be identified using a specific IP address or a range of IP addresses. The FortiGate unit can also search an IP range to automatically discover assets to be added to the scan. To view the list of assets to be scanned for vulnerabilities, go to Endpoint > Network Vulnerability Scan > Asset. To view or modify any assets in the list, select the asset and click Edit, or double-click the entry.

Asset Discovery

Client computers can be added to the Asset List by using the Asset Discovery mechanism. New assets can be defined by clicking Create New on the Asset List page. To discover a specific host computer, select Host from the Type list and identify the IP address of the client computer. To discover hosts within a range of IP addresses, select Range from the Type list and identify a range of IP addresses to search. Click Asset Discover Only. Once added to the Asset List, client computers can be scanned regularly based on the schedule settings.

Vulnerability Scan

Any host computer displayed in the Asset List can be scanned regularly based on the schedule settings that have been defined. If authentication is used on the client computer, the administrator username and password must be defined. Because this credential is kept in the FortiGate configuration, use a dedicated scanning account with only the privileges the scan needs rather than a shared domain administrator account.

Assets can also be scanned without adding them to the Asset List. To scan a client computer without adding it to the Asset List, go to Endpoint > Network Vulnerability Scan > Asset, click Create New on the Asset List page, identify a host or a range of IP addresses, and click Vulnerability Scan.

Manual or scheduled scans can be performed on any client computers on the Asset List for which Enable Scan is enabled. Go to Endpoint > Network Vulnerability Scan > Scan to define the scan options.

Scan Mode: Select the type of scan to be performed: Quick, Standard or Full.

Schedule: Select whether scans are to be triggered manually or based on a schedule. When Schedule is selected, the timing settings are displayed.
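The Assets, Asset Discovery and Vulnerability Scan pages above define one workflow: build an Asset List from Host and Range entries, optionally discover live hosts inside a range, attach credentials, and let Enable Scan plus the schedule decide what is scanned. The Python model below is an added illustration of that workflow, not code from the course guide or from FortiOS. Its class names, the range syntax, the schedule fields and the sample addresses are assumptions; the live-host probe is injected as a function over a constructed set of addresses so the example runs offline, and it says nothing about what Quick, Standard and Full actually test, which the page does not specify.

```python
"""Added example, not from the course guide: a model of the vulnerability
scanner's Asset List.  It expands Host and Range entries, adds discovered hosts
without duplicates, keeps a one-off Vulnerability Scan target off the list, and
selects the enabled assets that a schedule makes due.  Names are assumptions."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

QUICK, STANDARD, FULL = "Quick", "Standard", "Full"
MAX_RANGE = 65536   # refuse ranges larger than a /16: a typo should not become a sweep

@dataclass(frozen=True)
class Credential:
    """Administrator credential for authenticated scans.  It lives in the unit's
    configuration, so use a dedicated scan account, not a shared admin one."""
    username: str
    password: str

@dataclass
class Asset:
    kind: str                      # "Host" or "Range"
    target: str                    # "10.0.0.5" or "10.0.0.1-10.0.0.20"
    enable_scan: bool = True
    credential: Optional[Credential] = None

    def addresses(self) -> List[ipaddress.IPv4Address]:
        """Expand the entry into the individual addresses it covers."""
        if self.kind == "Host":
            return [ipaddress.ip_address(self.target)]
        if self.kind != "Range":
            raise ValueError(f"unknown asset type {self.kind!r}")
        lo, hi = (ipaddress.ip_address(p.strip()) for p in self.target.split("-", 1))
        if hi < lo or int(hi) - int(lo) >= MAX_RANGE:
            raise ValueError(f"bad range {self.target!r}")
        return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]

@dataclass
class Schedule:
    """Scan timing: manual, or recurring at a given hour (weekday None = daily)."""
    mode: str = "manual"           # "manual" or "schedule"
    hour: int = 2
    weekday: Optional[int] = None  # 0 = Monday

    def due(self, now: datetime) -> bool:
        if self.mode != "schedule":
            return False
        return now.hour == self.hour and self.weekday in (None, now.weekday())

Target = Tuple[str, str, Optional[Credential]]   # (address, scan mode, credential)

class AssetList:
    def __init__(self) -> None:
        self._assets: Dict[Tuple[str, str], Asset] = {}

    def add(self, asset: Asset) -> bool:
        """Create New on the Asset List page; returns False for a duplicate entry."""
        key = (asset.kind, asset.target)
        if key in self._assets:
            return False
        self._assets[key] = asset
        return True

    def discover(self, rng: Asset, probe: Callable[[ipaddress.IPv4Address], bool]) -> List[Asset]:
        """Asset Discover Only: probe each address in the range and add the responding
        ones as Host entries.  probe() is injected so this runs offline; on the unit
        the discovery scan itself plays that role."""
        added = []
        for ip in rng.addresses():
            if probe(ip):
                host = Asset("Host", str(ip), credential=rng.credential)
                if self.add(host):
                    added.append(host)
        return added

    def assets(self) -> List[Asset]:
        return list(self._assets.values())

    def targets(self, mode: str, schedule: Schedule, now: datetime, manual: bool = False) -> List[Target]:
        """Addresses to scan now: enabled assets only, and only when the scan was
        started manually or the schedule makes it due."""
        if not (manual or schedule.due(now)):
            return []
        return [(str(ip), mode, a.credential)
                for a in self._assets.values() if a.enable_scan for ip in a.addresses()]

def scan_without_adding(asset: Asset, mode: str = STANDARD) -> List[Target]:
    """Vulnerability Scan from the New Asset page: scan once, keep nothing on the list."""
    return [(str(ip), mode, asset.credential) for ip in asset.addresses()]

# Constructed sample: three responding hosts in 192.0.2.0/28, one already listed.
LIVE = {ipaddress.ip_address(a) for a in ("192.0.2.3", "192.0.2.7", "192.0.2.9")}
def fake_probe(ip: ipaddress.IPv4Address) -> bool:
    return ip in LIVE

def build_sample() -> AssetList:
    al = AssetList()
    al.add(Asset("Host", "192.0.2.7", credential=Credential("scan-svc", "example-only")))
    al.add(Asset("Host", "192.0.2.50", enable_scan=False))      # listed but not scanned
    al.discover(Asset("Range", "192.0.2.1-192.0.2.14"), fake_probe)
    return al

if __name__ == "__main__":
    al = build_sample()
    print([a.target for a in al.assets()])
    print(al.targets(QUICK, Schedule("schedule", hour=2), datetime(2010, 6, 7, 2, 0)))
```

The range guard and the duplicate check are the two places where a real deployment goes wrong: a mistyped range turns a scheduled Quick scan into a large sweep, and re-running discovery without deduplication scans the same hosts twice per cycle.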

Monitoring Endpoints

Administrators can monitor the compliance of client computers through the endpoint monitor. To view the endpoint monitor, go to Endpoint > Monitor > Endpoint Monitor. Select the type of client to be displayed from the View list: compliant client computers, non-compliant client computers, or both can be displayed on the monitor list. Columns can be filtered to help limit the display of clients in the list. Click Filter for a specific column and edit the filters as needed.

www.fortinet.com
