Вы находитесь на странице: 1из 224

FortiGate Multi-Threat Security Systems

Administration, Content Inspection and VPNs


Student Training Guide
Course 201

FortiGate Multi-Threat Security Systems


Administration, Content Inspection and VPNs
Student Training Guide
Course 201
Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuardAntivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS,
FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.

Course 201 Administration, Content Inspection and VPNs

MODULE 1:
Introduction to Fortinet Unified Threat Management .................................................................................. 1

MODULE 2:
Logging and Monitoring ................................................................................................................................. 17

MODULE 3:
Firewall Policies ............................................................................................................................................... 30

MODULE 4:
Local User Authentication ............................................................................................................................. 50

MODULE 5:
SSL VPN ............................................................................................................................................................ 59

MODULE 6:
IPSec VPN ......................................................................................................................................................... 71

MODULE 7:
Antivirus ............................................................................................................................................................ 82

MODULE 8:
Email Filtering .................................................................................................................................................. 93

01-50003-0201-20131018-D

Course 201 Administration, Content Inspection and VPNs

MODULE 9:
Web Filtering .................................................................................................................................................. 105

MODULE 10:
Application Control ....................................................................................................................................... 120

01-50003-0201-20131018-D

ii

Course 201 - Administration, Content Inspection and VPNs

Introduction

FortiGate Multi-Threat Security


Systems I
Module 1: Introduction to Fortinet Unified Threat Management

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module, participants will be able to:
Identify the major features of the FortiGate Unified Threat Management appliance
Modify administrative access restrictions on an interface
Create and manage administrative users
Create and manage administrator access profiles
Backup and restore configuration files
Create a DHCP server on a FortiGate device interface
Upgrade or downgrade a FortiGate units firmware

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Traditional Network Security Solutions

VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall

Many single purpose systems needed to


cope with a variety of threats

FortiGate Integrated Network Security Platform

FortiGate Appliance

VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall
and more

One device provides a comprehensive


security and networking solution

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Unit Design

FortiGuard Subscription Services

Firewall

AV

Web
Filter

IPS

FortiOS
Hardware

Security
Automated
and network-level
update
service
services
Specialized
operating
system
Purpose-driven
hardware
5

FortiGate Unit Capabilities

1
1
1
1

Application
control
WAN
Intrusion
Data
Antivirus
optimization
leak
prevention
prevention
Secure
VPN
Email
filtering
High
availability
Firewall
Endpoint
compliance
Dynamic
routing
Wireless
Logging
Authentication
and
reporting
Traffic
shaping
Virtual
Web
filtering
domains

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Fortinet Products
Network Security
FortiGate appliances
High-end, mid-range and
desktop models

Network Access
Wireless: FortiWiFi, FortiAP
Switching: FortiSwitch
End-point and mobility:
FortiClient
User Identity:
FortiAuthenticator, FortiToken

Infrastructure Security
Application and Content Delivery:
FortiADC
DDos Mitigation: FortiDDos
Advanced Threat Protection
Voice and Video: FortiVoice,
FortiCamera, FortiRecorder

Application Security
FortiMail, FortiWeb, FortiDB
FortiCache

Management
FortiManager, FortiAnalyzer,
FortiCloud

FortiGuard Subscription Services


Global Update service for AV/IPS (update.fortiguard.com)
Global Live service for FortiGuard WF/AS (service.fortiguard.net)
FortiGate unit will prefer servers nearby
Calculates server distance based on time zones

Major server centers in North America as well as Asia and Europe


Nearest servers are preferred but will adjust based on server load

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Device Factory Defaults


port1 or internal interface will have an IP of 192.168.1.99
port1 or internal interface will have a DHCP server set up and
enabled (on devices that support DHCP Servers)
Default login will always be:
user: admin
password: (blank)
Usernames and passwords are BOTH case sensitive

Device Administration

Web GUI

CLI

10

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Admin Profiles

11

Profile Permissions

Read
System Configuration
Network Configuration
Firewall Configuration
UTM Configuration
VPN Configuration
etc.

Read-Write

Admin
Profile

12

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Administrators

Full access

super_admin
profile

Custom access

Full access within


a single virtual
domain

custom
profile

prof_admin
profile

13

Administrator Trusted Hosts

14

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Two Factor Authentication

Username and Password (one factor)


+
FortiToken (two factor)

15

Administrator Two Factor Authentication

16

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Device Configuration

Device configuration settings can be saved to


an external file
Optional encryption
The file can be restored to rollback device to a
previous configuration

17

Per VDOM Configuration File

18

01-50003-0201-20131018-D

Course 201 - Administration, Content Inspection and VPNs

Introduction

Interface IPs
Every used interface on the
unit must have an IP
assigned (in NAT mode)
using one of three methods:
Manual IP, DHCP assigned,
PPPoE

19

Static Gateway
There must be at least one default gateway
If an interface is DHCP or PPPoE, then a gateway can be added
to the routing dynamically

20

01-50003-0201-20131018-D

10

Course 201 - Administration, Content Inspection and VPNs

Introduction

DHCP Server Setup

21

DHCP Server IP Reservation


IP address reserved and always assigned to the same DHCP host
Select an IP address or choose an existing DHCP lease to add to the reserved list
Identify the IP address reservation as either DHCP over Ethernet or DHCP over
IPSec

MAC address of the DHCP host is used to look up the IP address in


the IP reservation table
Found in the Advanced settings of the DHCP server, on the interface

22

01-50003-0201-20131018-D

11

Course 201 - Administration, Content Inspection and VPNs

Introduction

DHCP - Activity

23

FortiGate as a DNS Server


Resolve DNS lookups from an internal network
Methods to set up DNS for each interface:
Forward-only: DNS requests sent to the DNS servers configured for the unit
Non-recursive: DNS requests resolved using a FortiGate DNS database and
unresolved DNS requests are dropped
Recursive: DNS requests will be resolved using a FortiGate DNS database and
any unresolved DNS requests will be relayed to DNS servers configured for the
unit

One DNS database can be shared by all the FortiGate interfaces


If VDOMs are enabled, a DNS database needs be created in each VDOM

24

01-50003-0201-20131018-D

12

Course 201 - Administration, Content Inspection and VPNs

Introduction

DNS Forwarding
FortiGate units can forward (or not) DNS requests sent to its
interfaces
Behavior on each interface is configured separately

Allows direct control of the DNS


GUI allows setting to Forward only
CLI allows Forward, Recursive and Non-recursive behavior

25

DNS Database Configuration


DNS zones need to be added when configuring the DNS database
Each zone has its own domain name
Zone format defined by RFC 1034 and1035

DNS entries are added to each zone


An entry includes a hostname and the IP address it resolves to
Each entry also specifies the type of DNS entry

IPv4 address (A) or an IPv6 address (AAAA)


name server (NS)
canonical name (CNAME)
mail exchange (MX) name
IPv4 (PTR) or IPv6 (PTR)

26

01-50003-0201-20131018-D

13

Course 201 - Administration, Content Inspection and VPNs

Introduction

Firmware Upgrade Steps

Step 1: Backup and store old configuration (Full config backup from CLI)
Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade
27

Firmware Downgrade Steps

Step 1: Locate pre-upgrade configuration file


Step 2: Have copy of old firmware available
Step 3: Have disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
Step 5: Double check everything
Step 6: Downgrade (all settings except those needed for access are lost)
Step 7: Restore pre-upgrade configuration

28

01-50003-0201-20131018-D

14

Course 201 - Administration, Content Inspection and VPNs

Introduction

Maintainer Access
Available on all FortiGate devices and some non-FortiGate devices
Only available through the console port
Highly secure (requires physical access)

Only open after a HARD boot


About 30 seconds (varies by model, by approximately 1 minute)
Highly secure (soft boot does not activate user)
User: maintainer
Password: bcpb<serial number>

All letters in serial number MUST BE uppercase

Can be disabled in the CLI if physical security is a risk


config sys global
set admin-maintainer disable
end
29

Console Port
Depending on the FortiGate model, console port
access is provided in the following ways:
Serial port (older models)
Standard null model cable will work for console port access

RJ-45 port
RJ-45-serial cable is required for access

USB 2 port
Requires FortiExplorer to connect

Each devices ships with proper console cables

30

01-50003-0201-20131018-D

15

Course 201 - Administration, Content Inspection and VPNs

Introduction

Labs
Lab 1: Initial Setup and Configuration
Ex 1: Configuring Network Interfaces
Ex 2: Exploring the Command Line Interface
Ex 3: Restoring Configuration Files
Ex 4: Performing Configuration Backups

(OPTIONAL)
Lab 2: Administrative Access
Ex 1: Profiles and Administrators
Ex 2: Restricting Administrator Access

31

Classroom Lab Topology

32

01-50003-0201-20131018-D

16

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

FortiGate Multi-Threat Security


Systems I
Module 2: Logging and Monitoring

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018

Module Objectives
By the end of this module participants will be able to:
Define the storage location for log information
Enable logging for different FortiGate unit events
View and search logs
Monitor log activity
Understand RAW log output
Customize widgets on the dashboard
Describe when (and where) a FortiGate device creates log events based on the
configuration

01-50003-0201-20131018-D

17

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Logging and Monitoring

Logging and monitoring are key


elements in maintaining devices
on the network
Monitor network and Internet traffic
Track down and pinpoint problems
Establish baselines
3

Logging Severity Levels


Administrators define the severity level at which the FortiGate unit
records log information
All messages at, or above, the minimum severity level will be logged
Emergency = System unstable
Alert = Immediate action required
Critical = Functionality affected
Error = Error exists that can affect functionality
Warning = Functionality could be affected
Notification = Info about normal events
Information = General system information (default)
Debug = Debug log messages

01-50003-0201-20131018-D

18

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Log Storage Locations

Memory and
Hard drive

Syslog

SNMP

Local logging
Remote logging
5

Log Types and Subtypes


Traffic Log
Forward (Traffic passed/blocked by Firewall policies)
Local (Traffic aimed directly at, or created by FortiGate device)
Invalid (Packets considered invalid/malformed and dropped)

Event Log
System (System related events)
Router, VPN, User, WanOpt & Cache, Wifi

Security Log
Antivirus, Web Filter, Intrusion Protection, etc.
Not created by default

01-50003-0201-20131018-D

19

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Log Structure and Behavior


Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
Traffic logs relate to packets to and through the device
Event logs relate to any admin and system activity events on the device
Security logs contain log messages related to profiles acting on traffic passing
through the device

Security events consolidated into Forward Traffic log


Less CPU intensive this way
Exceptions: DLP, Intrusion Scanning (Security Log only)

Additional log information can be obtained in some security profiles via


the CLI (Antivirus, Web Filter, Email, Application Control)
extended-utm-log [disable (default) | enabled]
New log options show up (CLI only, varies depending on profile type)
Security event logs show up in Security Logs with more details
7

Traffic Log Log Generation


Policy Log
Setting

AV,Web Filter, Email or


App Control

No Log

Disabled

N/A

No Forward Traffic or Security Logs

No Log

Enabled

Disabled

No Forward Traffic or Security Logs

No Log

Enabled

Enabled

No Forward Traffic or Security Logs

extended-utm-log

Behavior

Log Security Events

Disabled

N/A

Log Security Events

Enabled

Disabled

Security log events appear in Forward Traffic Log.


Forward Traffic Log generated for packets causing a
security event.

No Forward Traffic or Security Logs.

Log Security Events

Enabled

Enabled

Security log events appear in Security Log.


Forward Traffic Log generated for packets causing a
security event.

Log all Sessions

Disabled

N/A

Forward Traffic Log generated for every single packet.

Log all Sessions

Enabled

Disabled

Security log events appear in Forward Traffic Log


Forward Traffic log generated for every single packet

Log all Sessions

Enabled

Enabled

Security log events appear in Security Logs.


Forward Traffic Log generated for every single packet.

01-50003-0201-20131018-D

20

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Viewing Log Messages

Log Viewer Filtering


Use Filter Settings to customize the display of log messages to
show specific information in log messages
Reduce the number of log entries that are displayed
Easily locate specific information

10

01-50003-0201-20131018-D

21

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Log Severity Level


Log severity level indicated in the level field of the log message
date=2013-09-10 time=13:00:30 logid=0100032001
type=event subtype=system level=information
vd="root" user="admin" ui=http(10.0.1.10)
action=login status=success reason=none
profile="super_admin" msg="Administrator admin
logged in successfully from http(10.0.1.10)"

information = normal event

11

Viewing Log Messages (Raw)


Fields in each log message are arranged into two groups:
Log header (common to all log messages)
date=2013-09-10 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root

Log body (varies per log entry type)


srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

12

01-50003-0201-20131018-D

22

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Viewing Log Messages (Raw)


Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd=root
filteridx=0

Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 .

type and subtype fields = log file that message is recorded in

13

Viewing Log Messages (Raw)


Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"

policyid = id number of firewall policy matching the session

14

01-50003-0201-20131018-D

23

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Viewing Log Messages (Raw)


Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01

status = action taken by the FortiGate unit


15

Alert Email

Send notification to email address upon


detection of defined event
Identify SMTP server name
Configure at least one DNS server
Up to three recipients per mail server
16

01-50003-0201-20131018-D

24

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

SNMP
SNMP agent

Managed device

Fortinet MIB

SNMP manager

Traps received by agent sent to SNMP manager


Configure FortiGate unit interface for SNMP access
Compile and load Fortinet-supplied MIBs into SNMP
manager
Create SNMP communities to allow connection from
FortiGate unit to SNMP manager
17

Event Logging

18

01-50003-0201-20131018-D

25

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Event Log

19

Monitor

20

01-50003-0201-20131018-D

26

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Monitor
Monitor sub-menus found in CLI for all main function menus
User-friendly display of monitored information
View activity of a specific feature being monitored
Various settings are found under config system global
gui-antivirus

gui-ap-profile

gui-application-control

gui-central-nat-table

gui-certificates

gui-client-reputation

gui-dlp

gui-dns-database

gui-dynamic-profile-display

gui-dynamic-routing

gui-endpoint-control

gui-explicit-proxy

gui-ipsec-manual-key

gui-implicit-policy

gui-ips

gui-icap

gui-ipv6

gui-lines-per-page

gui-load-balance

gui-local-in-policy

gui-multicast-policy

gui-multiple-utm-profiles

gui-object-tags

gui-policy-interface-pairs-view

gui-replacement-message-groups

gui-spamfilter

gui-sslvpn-personal-bookmarks

gui-sslvpn-realms

gui-utm-monitors

gui-voip-profile

gui-vpn

gui-vulnerability-scan

gui-wanopt-cache

gui-webfilter

gui-wireless-controller

gui-wireless-opensecurity

21

Monitor
Example: Security Profiles Monitor
Includes all security features
AV Monitor
Recent and top virus activity

Web Monitor
Top blocked FortiGuard categories

Application Monitor
Most used applications

Intrusion Monitor
Recent attacks

FortiGuard Quota
Per user list of quota usage
22

01-50003-0201-20131018-D

27

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Status Page Custom Widgets


Many widgets can have their settings altered to display different
information
The same widget can be added multiple times to the same dashboard showing
different information

23

Labs
Lab 1: Status Monitor and Event Log
Ex 1: Exploring the GUI Status Monitor
Ex 2: Event Log and Logging Options

(OPTIONAL)
Lab 2: Remote Monitoring
Ex 1: Remote Syslog and SNMP Monitoring

24

01-50003-0201-20131018-D

28

Course 201 - Administration, Content Inspection and VPNs

Logging and Monitoring

Classroom Lab Topology

25

01-50003-0201-20131018-D

29

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

FortiGate Multi-Threat Security


Systems I
Module 3: Firewall Policies

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Identify the components used in a firewall policy
Create firewall objects
Create address based firewall policies
Create device identity-based firewall policies
Manage the ordering of different firewall policies
Monitor traffic through policies
Create central NAT rules
Enable client reputation

01-50003-0201-20131018-D

30

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Firewall Policies
Incoming and outgoing interfaces
Source and destination IP addresses
Services
Schedules

Action = ACCEPT

Authentication

Threat
Management

Traffic
Shaping

Logging

Firewall policies include the


instructions used by the FortiGate
device to determine what to do with a
connection request
Packet analyzed, content compared to
policy, action performed

Types of Policies

Address
Policy match based on IPs

User Identity
Policy match based on authentication information (user)

Device Identity
Policy match based on OS/Type

01-50003-0201-20131018-D

31

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Firewall Actions

Traffic matches a policy


Policy Action
Accept

Deny

Traffic does not match a Policy

Deny
5

Firewall Policy Elements - Address Subtype

01-50003-0201-20131018-D

32

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Firewall Policy Elements User Identity Subtype

Firewall Policy Elements - Device Identity Subtype

OS identity device based on packet behavior and details


MAC address (Forti-Device only), DHCP VCI, TCP SYN Fingerprint, HTTP
UserAgent
Identification rules updated with FortiGuard definitions
8

01-50003-0201-20131018-D

33

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Device Identification (Bring your own Device)


Device detection is dependent on it being enabled in the interface
In the GUI, you will be prompted when you create a device identification policy
Enable directly through the CLI
config system interface
edit "port1"
set device-identification (enable|disable*)
set device-user-identification (enable*|disable)
end

Per-VDOM settings on what to detect


config system network-visibility

Global setting of the device types FortiOS detects is hardcoded

Device Identification Manual Device Entry


Devices can be manually identified in the config
config user device
edit me
set mac-address
set type type name
set user user name

end

Once the device is created it can be added to a device group


config user device-group

10

01-50003-0201-20131018-D

34

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Device Identification Captive Portal


Captive Portal options:
Email collection (attach an email to the device)
Currently, Authentication and Device identification are not compatible

FortiClient download (force FortiClient install)


Portal to identify OS through HTTP user agent

11

Device Identification Email Collection


Email Collection
Used in conjunction with device type Collected Emails
Collects an email to be associated with the device
Email are not verified, domain is checked for DNS resolution

12

01-50003-0201-20131018-D

35

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Device Identification Email Portal


config sys setting
set email-portal-check-dns [enable|disable]

13

Device Identification Device List


User & Devices > Device > Device
diag user device list

14

01-50003-0201-20131018-D

36

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Firewall Address Objects


The FortiGate device compares the source and destination address in
the packet to the policies on the device
Default of ALL addresses available

Addresses in policies configured with:


Name for display in policy list
IP address and mask
FQDN if desired (DNS used to resolve)

Use Country to create addresses based on geographical location


Create address groups to simplify administration

15

Firewall Interfaces

Incoming
Interface

Outgoing
Interface

Select Incoming Interface to identify the interface or zone on which


packets are received
Select an individual interface or ANY to match all interfaces as the source

Select Outgoing Interface to identify the interface or zone to which


packets are forwarded
Select an individual interface or ANY to match all interfaces as the source

16

01-50003-0201-20131018-D

37

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Firewall Service Objects

Packet
Protocol and Port

Firewall Policy

Protocol and Port

FortiGate unit uses Services to determine the types of communication accepted or denied
Default of ALL services available
Select a Service from predefined list on FortiGate unit or create a custom service
Web Proxy Service also available if Incoming Interface is set to web-proxy
Group Services and Web Proxy Service Group to simplify administration

17

Traffic Logging

Accept

Log All Sessions

Deny

Log Violation Traffic

18

01-50003-0201-20131018-D

38

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Network Address Translation (Source NAT)

Firewall policy
with NAT enabled
wan1 IP address: 200.200.200.200

11.12.13.14

wan1
200.200.200.200

Source IP address:
200.200.200.200
Source port: 30912

internal

10.10.10.1
Source IP address:
10.10.10.1
Source port: 1025

Destination IP address:
11.12.13.14
Destination Port: 80

Destination IP address:
11.12.13.14
Destination Port: 80
19

NAT Dynamic IP Pool (Source Nat)

Firewall policy
with NAT + IP pool enabled
wan1 IP pool: 200.200.200.2-200.200.200.10

11.12.13.14

wan1
200.200.200.200

internal

10.10.10.1
Source IP address:
10.10.10.1
Source port: 1025

Source IP address:
200.200.200.?
Source port: 30957
Destination IP address:
11.12.13.14
Destination Port: 80

Destination IP address:
11.12.13.14
Destination Port: 80
20

01-50003-0201-20131018-D

39

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Central NAT Table


Disabled in the GUI (default)
config system global
set gui-central-nat-table enable
end

21

Traffic Shaping
Traffic shaping controls which policies
have higher priority when large
amounts of data is passing through
the FortiGate unit
Normalize traffic bursts by prioritizing
certain flows over others
HTTP
FTP
IM

22

01-50003-0201-20131018-D

40

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Source NAT IP Address and Port


Session table identifies IP and port with NAT applied

23

Fixed Port (Source NAT)

Firewall policy
with NAT + IP pool enabled + fixed port (CLI only)
wan1 IP pool: 200.200.200.201

11.12.13.14

wan1
200.200.200.200

internal

Source IP address:
200.200.200.201
Source port: 1025

10.10.10.1
Source IP address:
10.10.10.1
Source port: 1025

Destination IP address:
11.12.13.14
Destination Port: 80

Destination IP address:
11.12.13.14
Destination Port: 80
24

01-50003-0201-20131018-D

41

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Virtual IPs (Destination NAT)

Firewall policy
with destination address virtual IP + Static NAT
wan1 IP address: 200.200.200.200

11.12.13.14

wan1

Source IP address:
11.12.13.14

internal

10.10.10.10

Destination IP address:
200.200.200.222
Destination Port: 80
VIP translates destination
200.200.200.222 -> 10.10.10.10

25

Virtual IPs (Destination NAT)

Firewall policy
with destination address virtual IP + Static NAT
wan1 IP address: 200.200.200.200

11.12.13.14

wan1

Used to allow connections through a FortiGate


using NAT firewall policies
Source IP address:

internal

10.10.10.10

11.12.13.14

FortiGate unit can respond to ARP requests on a


Destination
IP address:
network for a server that
is installed
on another
200.200.200.200
network
Destination Port: 80
Used for (1) Server Redundancy and Load Balancing;
(2) IPSec VPN site-to-site with identical subnets at
VIP translates destination
both sites;
200.200.200.200
-> etc.
10.10.10.10
VIP Group: A group of Virtual IPs for ease-of-use

26

01-50003-0201-20131018-D

42

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Local-In Firewall Policies


Policies designed for traffic that is localized to the FortiGate unit
Central management
Update announcement
NetBIOS forward

Destination address of firewall policies for local-in traffic is limited to the


FortiGate interface IP and secondary IP addresses
Can create local-in firewall policies for IPv4 and IPv6 (CLI Only)

27

Threat Management

28

01-50003-0201-20131018-D

43

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Threat Management Client Reputation


Disabled in the GUI (default)
config system global
set gui-client-reputation enable
end

Hard drive required for Reputation Score (FortiAnalyzer, FortiManager or FortiCloud)


29

Proxy Options - File Size


Firewall Policy
Enable Security Profile
Proxy Options
Oversize File/Email
Pass or Block
+
Threshold

File size is checked against


preset thresholds (configured
in the CLI : config
firewall profileprotocol-options)

If larger than threshold (default


10 MB) and action set to
block, then file is rejected
If larger than threshold and
action set to allow,
uncompressed file must fit
within memory buffer
If not, by default no further
scanning operations
performed

30

01-50003-0201-20131018-D

44

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Traffic Shapers
Shared Traffic Shaper

Per-IP Traffic Shaper

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

31

Traffic Shapers
Shared Traffic Shaper

Per-IP Traffic Shaper

Guaranteed Bandwidth
Maximum Bandwidth

Guaranteed Bandwidth
Maximum Bandwidth

Traffic shapers apply Guaranteed Bandwidth


and Maximum Bandwidth
values to addresses
Guaranteed Bandwidth
Maximum Bandwidth
affected by policy
Share values between all IP address affected by the
policy
Bandwidth
Values applied toGuaranteed
each IP
address affected by the
Maximum Bandwidth
policy

32

01-50003-0201-20131018-D

45

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

DoS Policies
DoS policies identify network traffic
that does not fit known or common
patterns of behavior
If determined to be an attack,
action in DoS sensor is taken
DoS policies applied before firewall
policies
If traffic passes DoS sensor, it
continues to firewall policies

DoS Policy

Firewall Policy

33

Endpoint Control

?
Up to date ?
Disallowed software
installed ?
34

01-50003-0201-20131018-D

46

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Firewall Object Usage


Allows for faster changes to settings
The Reference column allows administrators to determine where
the object is being used
Navigate directly to the appropriate edit page

35

Object Tagging
Simplifies firewall policy object management
Useful for administering multiple VDOMs
Easier to find and access specific firewall policies within specific VDOMs

Available for firewall policies, address objects, IPS predefined


signatures and application entries/filters
Objects can provide useful organizational information

36

01-50003-0201-20131018-D

47

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Monitor
View policy usage by active sessions, bytes or packets
Policy > Monitor > Policy Monitor

37

Labs
Lab 1: Firewall Policy
Ex 1: Creating Firewall Objects and Rules
Ex 2: Policy Action
Ex 3: Configuring Virtual IP Access
Ex 4: Configuring IP Pools

(OPTIONAL)
Lab 2: Traffic Log
Ex 1: Enabling Traffic Logging

Lab 3: Device Policies


Ex 1: Enabling Device Identification

38

01-50003-0201-20131018-D

48

Course 201 - Administration, Content Inspection and VPNs

Firewall Policies

Classroom Lab Topology

39

01-50003-0201-20131018-D

49

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

FortiGate Multi-Threat Security


Systems I
Module 4 Local User Authentication

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Describe the authentication mechanisms available through the FortiGate device
Create local users and user groups
Monitor active users
Check authentication log entries
Configure user disclaimers
Describe two-Factor authentication
Create identity-based policies to enable local user authentication

01-50003-0201-20131018-D

50

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

Authentication
The identity of users and host computersA
A
must be established to ensure that only A
A
A
authorized parties can access the network
The FortiGate unit provides network access
control and applies authentication to users
of firewall policies and VPN clients

Local User Authentication


Local user authentication is based on usernames and passwords
stored locally on the FortiGate unit
An administrator creates local user accounts on the FortiGate device
For each account, a user name and password is stored
Two-factor authentication can be enabled on a per user basis

01-50003-0201-20131018-D

51

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

User Authentication via Remote Server


The FortiGate unit must be configured to access the external servers
used to authenticate the users
Administrators can create an account for the user locally and specify
the server to verify the password or
Administrators can add the authentication server to a user group
All users in that server become members of the group

User Authentication via Remote Server

RADIUS

LDAP

Digital
certificates

Directory
Services

TACACS+

Remote Users
6

01-50003-0201-20131018-D

52

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

User Groups

Paris

Firewall
User Group

Active
Directory

Visitors

Guest User Group

Directory Service
User Group

User groups are assigned one of four group types: Firewall, Fortinet Single Sign on
(FSSO), Guest and Radius Single Sign on (RSSO)
Firewall user groups provide access to firewall policies that require authentication
Directory Service user groups used to allow single sign on for Active Directory or Novell
eDirectory users
7

Identity-Based Policies
Identity-based policies are
enabled to require firewall
authentication
Authentication rules identify the
users and user groups that will
be forced to authenticate
Also defines other aspects of
authentication, including services,
schedules, UTM, logging and
traffic shaping

Policy
Enable Identity Based Policy

Authentication Rule
User/Group
Services
Schedules
Logging
Threat management
Traffic Shaping

01-50003-0201-20131018-D

53

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

Disclaimers
Displays the Terms and
Disclaimer Agreement page
before the user authenticates
User must accept the
disclaimer to proceed with the
authentication process
Once authenticated, the user
is directed to the original
destination

Policy
Enable Disclaimer

Authentication Timeout

Timeout values specify how long an


authenticated connection can be idle
before the user must authenticate again
User Authentication Timeout controls
the firewall authentication timer
Default value is 5 minutes
SSL VPN Idle Timeout controls the
SSL VPN user authentication timer
Default value 300 seconds (5
minutes)

10

01-50003-0201-20131018-D

54

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

Password Policy
Minimum Length:

8 to 64 characters

Must Contain:

Uppercase letters
Lowercase letters
Numerical digits
Non-alphanumeric characters

Password Expiration:

X days

Apply to:

Administrators
IPSec Preshared Key

Set a password policy to enforce higher standards for both the length and complexity
of passwords
Policies can be applied to administrator password and IPSec VPN preshared keys
11

Two-Factor Authentication
A one-time password can be delivered to the user through various
methods:
FortiToken: Every 60 seconds, the token generates a 6-digit code based on a
unique serial number, seed and GMT time
Email: The one-time password is sent to users configured email address after
successful password authentication
SMS phone message: The one-time password sent through email to the users
SMS provider. The email address pattern varies by provider.

12

01-50003-0201-20131018-D

55

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

Two-Factor Authentication

13

Policy Configuration

14

01-50003-0201-20131018-D

56

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

User Monitor

Displays logged in users, groups, policy ID being


used, time left before inactivity timeout, IP, the
amount of traffic sent by user, and the
authentication method
Also used to terminate authentication sessions

15

Labs
Lab 1: User Authentication
Ex 1: Identity-based Firewall Policy

16

01-50003-0201-20131018-D

57

Course 201 - Administration, Content Inspection and VPNs

Local User Authentication

Classroom Lab Topology

17

01-50003-0201-20131018-D

58

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

FortiGate Multi-Threat Security


Systems I
Module 5: SSLVPN

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Identify the VPN technologies available on the FortiGate device
Configure the SSL VPN operating modes
Define user restrictions
Setup SSL VPN portals
Customize logins
Configure firewall policies and authentication rules for SSL VPNs

01-50003-0201-20131018-D

59

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

Virtual Private Networks (VPN)


Secure tunnel over an unsecured network
Used when there is the need to transmit private data over a public
network
PC based, suitable for use when traveling

FortiGate VPN
SSL VPN
Typically used to secure
web transactions
HTTPS link created to
securely transmit
application data between
client and server
Client signs on through
secure web page (SSL
VPN portal) on the
FortiGate device

IPSec VPN
VPN

Well suited for networkbased legacy applications


Secure tunnel created
between two host devices
IPSec VPN can be
configured between
FortiGate unit and most
third-party IPSec VPN
devices or clients

01-50003-0201-20131018-D

60

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

SSL VPN Web-Only Mode


1. Connection of remote user to SSL VPN portal
(HTTPS Web Site)
2. Tunnel created
3. User authentication
4. Portal Web page presented
5. Click bookmark to access resource

SSL VPN Tunnel Mode


1. Connection of remote user to SSL VPN Portal
(HTTPS Web Site)
2. Tunnel created
3. Authenticate
4. Portal Web page presented
5. Access Resources

01-50003-0201-20131018-D

61

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

User Groups
Web mode and tunnel mode both require a firewall policy for
authentication
Tunnel mode requires additional policies to allow internal network
access
Mode(s) user has access to is determined by authentication policy
Determines the portal page users are presented

Authentication

Username and Password (one factor)


+
FortiToken (two factor)

01-50003-0201-20131018-D

62

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

SSL VPN Server Certificate


Certificate presented to client initiating SSL VPN session
FortiGate device uses a self-signed certificate by default

User certificates issued by trusted Certificate Authority to avoid web


browser security warnings
9

Encryption Key Algorithm


Level of encryption used for SSL VPN connections
High, Default, Low

The default setting is RC4 (128 bits) and higher


If set to High, SSL VPN connections with clients that cannot meet this
standard will fail

10

01-50003-0201-20131018-D

63

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

Web Portal Interface


Web page displayed when client logs into SSL VPN
Includes widgets to access functionality on the portal (such as
bookmarks and connection tools)
Software download option for tunnel mode
Default SSL VPN web portal page is accessible on port 4443:
https://<FortiGate IP address>:4443

11

Full-Access Web Portal Interface

12

01-50003-0201-20131018-D

64

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

Tunnel Mode Split-Tunneling


Only traffic destined for the tunnel IP range network will be routed over
the SSL VPN
If access to another inside network is desired, the client will need to
create a static route pointing to their own SSL VPN interface
Associated firewall policies must exist

13

Client Integrity Checking


SSL VPN gateway checks client system
Detects client protection applications (for example, antivirus and
personal firewall)
Determines state of applications (active/inactive, current version
number and signature updates)
Examples include: Cisco Network Admission Control (NAC), MS
Network Access Protection (NAP), Trusted Computing Groups
(TCG) Trusted Network Connect

14

01-50003-0201-20131018-D

65

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

Client Host Checking


Relies on external vendors to ensure client integrity (not
implemented by all SSL VPN vendors)
Requires administrators to determine appropriate version/signature
versions and policy
Easily outdated, limiting the protection provided

Checks to see if required software is installed on the connecting


PC, otherwise connection is refused
CLI only
config vpn ssl web portal
edit (portal name)
set host-check [av|av-fw|custom|fw]
set host-check-interval [# seconds]
end
15

SSL VPN Tunnel Mode Connection


A new network connection called fortissl is created
The connection obtains a virtual IP address
This virtual adapter becomes the preferred default route if split tunneling is
disabled

The web portal page will display the status of the SSL VPN client
ActiveX control
The portal web page must remain open for the tunnel to function
FortiGate needs to have route to added for Tunnel IP addresses

16

01-50003-0201-20131018-D

66

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

SSL VPN Client Port Forward


Port Forward mode extends applications supported by Web
Application Mode
Application Types (some examples):
PortForward: for generic port forward application
Citrix: for Citrix server web interface access
RDPNative: for Microsoft Windows native RDP client over port forward
etc.

17

Custom Login
Allows creation of additional login URLs
Adds another layer of user separation
May be necessary for a seamless migration from other platforms
Example:
https://x.x.x.x/Students:<port>
https://x.x.x.x/Teachers:<port>

18

01-50003-0201-20131018-D

67

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

SSL-VPN Policy De-Authentication


Firewall policy authentication session is associated with SSL VPN
tunnel session
Forces expiration of firewall policy authentication session when
associated SSL VPN tunnel session is ended by user
Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a
different user after the initial user terminates their SSL VPN tunnel session

19

SSL VPN Access Modes

Web Mode

Tunnel Mode

Port Forward Mode

No client software
required (web browser
only)

Uses FortiGate-specific
client downloaded to PC
(ActiveX or Java applet)

Java applet works as a


local proxy to intercept
specific TCP port traffic
then encrypt in SSL

Reverse proxy rewriting


of HTTP, HTTPS, FTP,
SAMBA (CIFS)

Requires admin/root
privilege to install layer3 tunnel adaptor

Java applets for RDP,


VNC, TELNET, SSH

Downloaded to client PC
and installed without
admin/root privileges
Client App must point to
Java applet

20

01-50003-0201-20131018-D

68

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

Configuration
Step 1: Configure the Settings
IP Pool, Certificate, Port,
VPN > SSL > Config

Step 2: Configure your Portals for user access


Web or Tunnel mode access, bookmarks,
VPN > SSL > Portal
Custom URL(s) if nessecary

Step 3: Decide Split Tunneling or not


In Portal Config

Step 4: Setup Firewall VPN policy for access

21

Configuration

22

01-50003-0201-20131018-D

69

Course 201 - Administration, Content Inspection and VPNs

SSL VPN

Labs
Lab 1: SSL VPN
Ex 1: Configuring SSL VPN for Web Access
Ex 2: Configuring SSL VPN for Tunnel Mode

23

Classroom Lab Topology

24

01-50003-0201-20131018-D

70

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

FortiGate Multi-Threat Security


Systems I
Module 6: IPSec VPN

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Define the protocols used as part of an IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify the FortiGate unit IPSec VPN modes
Deploy a site-to-site VPN
Identify the differences between Interface and Policy mode VPNs
Configure IPSec VPN on the FortiGate unit

01-50003-0201-20131018-D

71

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

IPSec VPN

Private network

Data
confidential

Data has
integrity

Sender
authenticated
3

IPSec VPN
IPSec is a set of standard protocols and services used to encrypt data so
that it cannot be read or tampered with as it travels across a network
Provides:
Authentication of the sender
Confidentiality of data
Proof that data has not been tampered with

01-50003-0201-20131018-D

72

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

IPSec VPN
IPSec VPN operates at the network layer (layer 3)
Encryption occurs transparently to the upper layers
Applications do not need to be designed to use IPSec

IPSec VPN can protect upper layer protocols (such as TCP) but
the complexity and overhead of the exchange is increased
For example, IPSec cannot depend on TCP to manage reliability and
fragmentation

Internet Key Exchange


Internet Key Exchange (IKE) allows the parties involved in a
transaction to set up their Security Associations
Phase 1 authenticates the parties involved and sets up a secure
channel to enable the key exchange
Phase 2 negotiates the IPSec parameters to define an IPSec tunnel

01-50003-0201-20131018-D

73

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

Phase 1
IKE Phase 1 performs the following:
Authenticates and protects the parties involved in the IPSec transaction
Can use pre-exchanged keys or digital certificates

Negotiates a matching SA policy between the computers to protect the


exchange
Performs a Diffie-Hellman exchange
The keys derived from this exchange are used in Phase 2

Sets up a secure channel to negotiate Phase 2 parameters

Defining Phase 1 Parameters

KB IDs:
11657
13574
8

01-50003-0201-20131018-D

74

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

Phase 2
IKE Phase 2 performs the following:
Negotiates IPSec SA parameters
Protected by existing IKE SA

Renegotiates IPSec SAs regularly to ensure security


Optionally, additional Diffie-Hellman exchange may be performed

Defining Phase 2 Parameters

10

01-50003-0201-20131018-D

75

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

Interface Mode
Creates a virtual IPSec network interface that applies encryption
or decryption as needed to any traffic that it carries
Also known as Route-Based

Create two firewall policies between the virtual IPSec interface and
the interface that connects to the private network
The firewall policy action is ACCEPT
Needs static routes over VPN tunnels
Required if dynamic routing, GRE over IPSec or altering of
incoming subnet is needed

11

Policy Mode
Easy to configure, single internal external firewall policy
supports bi-directional traffic
Also known as tunnel based

Policy action is IPSec, Phase1 tunnel selected


IPSec policies should be located first in your policy list
Vulnerable to errors in quickmodes or policies
Order of policies is very important

12

01-50003-0201-20131018-D

76

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

Policy Versus Interface Mode

Policy
Mode

Less configuration involved


Dependent on policy order for proper operation
Less granular control then Interface

Interface
Mode

Required for GRE over IPSec


Required if manipulation of packet source IPs is
necessary
Required to have FortiGate unit participate in
dynamic routing communication over the IPSec
connection
More control

13

Overlapping Subnets
Site-to-site route-based VPN configurations sometimes experience a
problem where private subnet addresses at each end of the
connection are the same
After a tunnel is established, hosts on each side can communicate with
hosts on other side using the mapped IP addresses
Use NAT with IP Pool

Interface mode can NAT both the incoming and outgoing traffic
Policy mode can only NAT outgoing traffic

14

01-50003-0201-20131018-D

77

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

IPSec Topologies (Site-to-Site)


Headquarters

Site-to-site

Branch office

15

IPSec VPN Monitor


Monitor activity on IPSec VPN tunnels
Stop and start tunnels
Display address, proxy IDs, timeout information

Green arrow indicates that the negotiations were successful and


tunnel is UP
Red arrow means tunnel is DOWN or not in use

16

01-50003-0201-20131018-D

78

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

IPSec VPN Monitor

17

Configuration
Step 1: Configure Phase 1
Choose interface to listen for connections
Choose remote location
Choose advanced options (DH Group, XAUTH, ..)

Step 2: Configure Phase 2


Possibility for multiple Phase 2s on a single Phase 1 tunnel

Step 3: Create Firewall VPN policy(s)


May need more than 1 policy to allow all the access required

18

01-50003-0201-20131018-D

79

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

Configuration

19

Labs
Lab 1: IPSec VPN
Ex 1: Site to Site IPSec VPN

20

01-50003-0201-20131018-D

80

Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

Classroom Lab Topology

21

01-50003-0201-20131018-D

81

Course 201 - Administration, Content Inspection and VPNs

Antivirus

FortiGate Multi-Threat Security


Systems I
Module 7: Antivirus

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Identify conserve mode conditions and AV system behavior
Define the virus scanning techniques used on the FortiGate unit
Differentiate between file-based and flow-based virus scanning
Configure virus scanning
Define firewall policies using antivirus profiles
Update FortiGuard Services
Identify which protocols can be scanned
Set up grayware and heuristic scanning
Submit unknown virus samples to Fortinet

01-50003-0201-20131018-D

82

Course 201 - Administration, Content Inspection and VPNs

Antivirus

Conserve Mode
What is conserve mode?
System self protection measure when facing local resource exhaustion
When entering conserve mode the FortiGate unit activates protection measures in
order to recover memory space
Once enough memory is recovered, the system leaves the conserve mode state
and releases the protection measures

Two types: regular and kernel


Search conserve mode at: http://kb.fortinet.com
KB Article IDs: FD33103, 11076, 10209

Conserve Mode
Regular conserve mode is depletion of shared memory
Used mainly by proxies (to store the buffered data) but also by buffers (logging,
quarantining)

Impact (configurable)
Established sessions remain unchanged
New sessions are not inspected
Fail-open action applies to stream and proxy-based inspection

01-50003-0201-20131018-D

83

Course 201 - Administration, Content Inspection and VPNs

Antivirus

AV Fail-Open
There are currently two conditions that can cause the FortiGate unit to
operate in AV fail-open mode:
The system is low on memory and has entered conserve mode
The individual proxy pool is full (no free connections are available)

With the first condition, low memory, the av-failopen setting will be
applied
The default for this setting is Pass

AV Fail-Open
The system enters conserve mode when the amount of free
shared memory is less than approximately 20%
Goes back to non-conserve mode when this value increases to
approximately 30%
Log entry details actual amount of memory
config system global
set av-failopen
idledrop drop idle connections
off
off
one-shot one-shot
pass
pass

01-50003-0201-20131018-D

84

Course 201 - Administration, Content Inspection and VPNs

Antivirus

AV Fail-Open
The second condition occurs when the individual proxy pool
is full (default disable)
The action will depend on the av-failopen-session settings

If the av-failopen-session is enabled and the free


connections in the proxy connection pool reaches zero
Protocol reverts back to the av-failopen settings

If the av-failopen-session is disabled and the limit is


reached, all sessions will be blocked for the proxy

Antivirus
Detect and eliminate viruses,
worms, Trojans and spyware in realtime
Stop threats before they enter the
network

Antivirus

Scans HTTP and FTP traffic as well


as incoming and outgoing SMTP,
POP3 and IMAP email
Internet Content Adaption Protocol
(ICAP) support
FortiGate unit acts as ICAP client to
communicate with ICAP servers that
the FortiGate unit can utilize for
offloading AV scanning services
First enable in CLI:
conf sys global
set gui-icap enable

then configure under Security


Profiles > ICAP

01-50003-0201-20131018-D

85

Course 201 - Administration, Content Inspection and VPNs

Antivirus

Antivirus Scanning Order

.jpg

File
size

File
Name
pattern

Virus
scan

File
type

Grayware

Heuristics

Proxy-Based Scanning

Antivirus proxy buffers the


file as it arrives
Once transmission is
complete, virus scanner
examines the file
Higher detection and
accuracy rate
Comfort Clients can be used
to avoid timeouts

10

01-50003-0201-20131018-D

86

Course 201 - Administration, Content Inspection and VPNs

Antivirus

Flow-Based Scanning

File is scanned on a
packet-by-packet basis as
it passes through the
FortiGate unit
Faster scanning, but lower
accuracy rate
Difficulty in catching virus
variants

Only available on certain


models
Non-proxy scanning
11

Virus Scanning

Regular

Extended

Extreme

Flow-based

12

01-50003-0201-20131018-D

87

Course 201 - Administration, Content Inspection and VPNs

Antivirus

Submitting Unknown Viruses


Sometimes a virus may go undetected because
it is not in the signature database
To submit a virus go to:
http://www.fortiguard.com/antivirus/virus_scanner.html

13

Known Virus
Sometimes viruses will get through because the
proper antivirus scan options are not enabled
FortiGuard Subscription Service contains information on
which database a virus is in

14

01-50003-0201-20131018-D

88

Course 201 - Administration, Content Inspection and VPNs

Antivirus

Heuristics Scanning
Virus-like attribute
+ Virus-like attribute
+ Virus-like attribute
> Heuristic threshold
FortiGate unit tests for virus-like behavior
Virus-like attributes are totaled and if greater
than a threshold, the file is marked as
suspicious

Suspicious

Use CLI command to block suspicious files

Possibility of false positives


15

Antivirus Profiles

16

01-50003-0201-20131018-D

89

Course 201 - Administration, Content Inspection and VPNs

Antivirus

FortiGuard Sandbox

Files detected by Heuristics as suspicious can be submitted to


FortiGuard for Sandboxing
Or submitted to the FortiSandbox

Sandboxing a file is when it is executed and monitored within a


protected environment to determine if it is a new kind of virus or just a
software install
Driver install modifies the registry and/or the system files

Helps detect Zero day vulnerabilities and provide data for the
FortiGuard AV analysts
17

Botnet Connections

FortiGuard maintains a list of known Botnet IP addresses


Anything attempting to connect to a known Botnet server will be
blocked
Botnet list periodically updated with FortiGuard updates
Requires valid contract
Can view database version in CLI

diag autoupdate version

18

01-50003-0201-20131018-D

90

Course 201 - Administration, Content Inspection and VPNs

Antivirus

SSL Inspection Options

19

Logs

20

01-50003-0201-20131018-D

91

Course 201 - Administration, Content Inspection and VPNs

Antivirus

Labs
Lab 1: Antivirus Scanning
Ex 1: Antivirus Testing

21

Classroom Lab Topology

22

01-50003-0201-20131018-D

92

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

FortiGate Multi-Threat Security


Systems I
Module 8: Email Filtering

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Identify the email filtering methods used on the FortiGate device
Configure banned word, IP address and email address filters
Define firewall policies using email filter profiles
Identify some inspection options available for each protocol (SMTP, POP3, IMAP)

01-50003-0201-20131018-D

93

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Email Filtering
FortiGate unit can detect and
manage spam email
Email filtering
SPAM?

Spam Actions
Tag to add a custom
phrase/word to subject line
or a MIME header and
value to body of an email
message for use in back
end or client filtering
Discard to immediately
drop the SMTP connection
if spam is detected

Tag

Discard

Subject: Free Stuff

Subject: [SPAM] Free Stuff

01-50003-0201-20131018-D

94

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Email Filtering Methods


The FortiGate unit uses a number of techniques to help detect spam
Some use the FortiGuard Antispam service and require a subscription
Others use DNS servers or filters created on the device
Heuristic check
Manually configured options

FortiGuard IP Address Check


Connecting IP address is checked
FortiGuard is a reputation database
IP behavior is tracked
More queries about an IPs activity to the FortiGuard network makes the
reputation worse
IPs have a score 1-9
1 is permanently black listed
9 is permanently white listed (Fortinet Server IPs only)
Less than 3 is considered spam

01-50003-0201-20131018-D

95

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

FortiGuard URL and Email Address Check

Visit our web site at www.acme.com to


learn more about this great offer or
send an email to deals@acme.com.

What language or character set is the email in?


KB Article ID: FD32502

FortiGuard Email Checksum Check

The FortiGate unit


sends a hash of
the email message
to the FortiGuard
Antispam Service
FortiGuard
Antispam Service
compares the hash
received to hashes
of known spam
messages

Our online
pharmacy offers
great prices on
all your
prescription
medications.

hash

01-50003-0201-20131018-D

96

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

IP Address Black/White List (BWL)


The FortiGate unit compares the IP address of the sender of an
email message to the IP addresses specified in the email filter
profile
An administrator can add to or edit the IP addresses and configure the action
to take

Possible actions on a match


Spam (use spam action)
Clear (consider Not Spam)
Reject (SMTP Only)

Email Address Black/White List (BWL)


The FortiGate unit
compares the email
address of the sender of
an email message to the
email addresses specified
in the email filter profile

From: bsmith@acme.com

Mark as Spam
Mark as Clear

An administrator can add


to or edit the email
addresses and configure
the action to take
Wild card and regular
expressions can be used
to define the email
address

10

01-50003-0201-20131018-D

97

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

HELO DNS Lookup


Received: from mail.acme.com (10.10.10.1)
by classroom.fortinet.com with SMTP;
30 Sept 2013 02:27:02 -0000

DNS

11

HELO DNS Lookup


Performs an A record lookup of SMTP HELO details to
confirm it resolves to an IP address
Domain specified in the email should resolve to an IP

Does NOT perform any kind of comparison to senders IP

12

01-50003-0201-20131018-D

98

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Return Email DNS Check


Confirms that sending email domain from the reply-to field resolves to
an IP Address
Domain the email gets sent to, should resolve to an IP

Does NOT perform any kind of comparison to senders IP

13

Banned Word Check


Banned words
FortiGate unit blocks
email based on words or
patterns in the message
A weight is assigned to
any banned words in the
message
If threshold is exceeded,
the message is marked
as spam
Can define Banned
words using Wildcards
and regular expressions

Let us fill all your prescription


drugs. Visit our online pharmacy
for great prices on prescription
medications. We offer the widest
selection of popular drugs.

Drugs
Score=10

Pharmacy
Score=5

Prescription
Score=5

Threshold=18
10 +5 +5 =20

14

01-50003-0201-20131018-D

99

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

MIME Headers Check


The FortiGate unit can check the MIME header information of
incoming email messages
If a match is found in the header list configured on the device, the
corresponding action is taken

Configured through CLI only


config spamfilter mheader

15

DNSBL and ORDBL Check


The FortiGate unit can compare the IP address or domain
name of incoming email message against third-party DNSBL
and ORDBL lists
Match IP addresses or domain names of known spammers

Configured through CLI only


config spamfilter dnsbl
config spamfilter ordbl

16

01-50003-0201-20131018-D

100

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Email Filtering Order (SMTP)

IP BWL Check

DNSBL & ORDBL


FortiGuard IP
HELO DNS

MIME Header
Email BWL

Banned word
(on Body)

IP BWL Check
(Receive Header)

Banned word
(on Subject)

Return Email DNS


FortiGuard URL
FortiGuard Checksum
DNSBL & ORDBL
(Receive Header)

17

Email Filtering Order (POP3, IMAP)

MIME Header
Email BWL

Not all SMTP based spam checks


are available!!
POP3/IMAP used between Mail server
and client checking email
SMTP used between Mail servers
delivering email

Banned Word
(on Subject)

Return Email DNS


FortiGuard IP
FortiGuard URL
FortiGuard Checksum
DNSBL & ORDBL

IP BWL Check

Banned word
(on Body)

18

01-50003-0201-20131018-D

101

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Request Removal From FortiGuard


Spam filtering is best effort so there can be false positives that
occur periodically
Submit details to the Spam department at:
www.fortiguard.com/antispam/antispam.html

19

FortiGuard Email Filtering Options


Cache
Caching reduces
FortiGuard requests;
can improve
performance
Small % of system
memory dedicated to
cache
Query results cached
until TTL setting is
reached
Alternate port 8888 for
access to FortiGuard
servers

IP address:
10.10.10.1
URL:
www.acme.com
Message
checksum:
x65Fsd34c

20

01-50003-0201-20131018-D

102

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Email Filter Profile


Email Filter security feature disabled by default
To configure profile, first go to System > Status and set Email Filter to ON

21

Labs
Lab 1: Email Filtering
Ex 1: Configuring FortiGuard AntiSpam

22

01-50003-0201-20131018-D

103

Course 201 - Administration, Content Inspection and VPNs

Email Filtering

Classroom Lab Topology

23

01-50003-0201-20131018-D

104

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

FortiGate Multi-Threat Security


Systems I
Module 9: Web Filtering

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
Create web content and URL filters
Configure FortiGuard Web Filtering
Configure FortiGuard Web Filtering exemptions and rating overrides
Define firewall policies using web filter profiles
Explain the differences between various web filter modes

01-50003-0201-20131018-D

105

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Web Filtering
Means of controlling the web content that a user is able to view
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business
purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive
material
Prevent copyright infringement caused by employees downloading or distributing
copyrighted materials
Prevent children from viewing inappropriate material

Proxy-Based Web Filtering


Proxy based solution that communicates between client and server
Inspects full URL
Allows for customizable block pages to display when sites are
prevented
Most resource intensive option
Lowest throughput
Has the Most options available in Advanced section

01-50003-0201-20131018-D

106

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Proxy-Based Web Filtering


Select inspection mode
in web filter profile

Flow-Based Web Filtering


Non-proxy solution that uses IPS engine to perform inspection
High throughput
Inspects full URL
FortiGuard Web Filtering override will not apply when flow-based
inspection is enabled
Only a few Advanced options available
Not as flexible as proxy-based
Allow, Monitor, Block ONLY
Warn and Authenticate not possible
Overrides not possible

01-50003-0201-20131018-D

107

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Flow-Based Web Filtering


Select inspection mode in web filter profile

DNS-Based Web Filtering


DNS-proxy solution that uses DNS queries to decide access
DNS queries redirected to FortiGuard SDNS server
Very lightweight
SSL inspection never required
Cannot inspect URL, only hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages, can redirect to a portal
Web site access by IP means no DNS lookup

01-50003-0201-20131018-D

108

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

DNS-Based Web Filtering


Select inspection mode in web filter profile

When Does Filtering Activate?


www.acme.com

DNS Request

DNS Response

TCP 3-Way Handshake

HTTP GET

HTTP 200

10

01-50003-0201-20131018-D

109

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

HTTP Inspection Order


Block Page

EXEMPT (from ALL further inspection)


Exempt

URL

Block

Web URL
Filter

FortiGuard
Filter

Allow

Block

Allow

Block Page

Block Page

Block

Allow

Advanced
Filter

Content
Filter
Block

Allow

Block Page
Block

Block Page

Allow

Virus Scan

Display Page

11

Types of Web Filtering


Proxy-Based
Highly secure
Traffic is cached

Flow-Based
High throughput
No caching
Not as secure

DNS-Based
Very lightweight
Hostname filtering only
No advanced options, URL and FortiGuard only

12

01-50003-0201-20131018-D

110

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Web Content Filtering


Drugs

Allow or block web pages


containing specific words or
patterns
Wildcards or regular
expressions used to
define patterns

Create Pattern list in


the CLI

Pharmacy
Score=5

Prescription
Score=5

Scores for matched patterns


are added
If greater than threshold,
FortiGate unit performs
configured action
If pattern appears
multiple times on web
page, score is only
counted once

Score=10

Threshold=18
10 +5 +5 =20

Block or Exempt

www.acme.com

13

Web URL Filtering


Control web access by allowing or blocking URLs
Text, wildcards or regular expressions can be used to define the URL patterns
If no URL match on list, go on to next enabled check

Possible web URL filter actions are:


Allow
Block
Monitor
Exempt

14

01-50003-0201-20131018-D

111

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Web URL Filtering


URL Filter list

URL: www.mypage.com/index.html

www.example.com
www.abc.com
www.mypage.com/index.html

Block
Allow
Monitor
Exempt

www.mypage.com
15

Forcing Safe Search


Safe Search is used by search sites to prevent explicit web sites and
images from appearing in search results
FortiGate unit rewrites the search URL to include the required codes to
enable Safe Search
Supported for Google, Bing, Yahoo! And Yandex
Does NOT force strict safe search

Youtube EDU available


Instructions for Youtube will include value to enter on FortiGate unit

16

01-50003-0201-20131018-D

112

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

FortiGuard Category Filter

URL: www.mypage.com

Categories
Allow
Block
Monitor
Warning
Authenticate

www.mypage.com
17

FortiGuard Category Filter


The FortiGate unit accesses the FortiGuard Distribution Server to
determine the category of a requested page
Action is taken based on selection in web filtering profile

Web filter rating determined by:


Human rater
Text analysis
Exploitation of web structure

Description of Categories can be found on FortiGuard website


http://www.fortiguard.com/static/webfiltering.html

18

01-50003-0201-20131018-D

113

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

FortiGuard Category Filter


Split into multiple categories and sub-categories
Layout will switch periodically as the Internet changes
New categories and sub-categories are released and compatible with
updated firmware
Older firmware has new values mapped to existing categories

19

FortiGuard Caching
Most web sites are visited over and over again
FortiGate unit can remember what the response was

Caching improves performance by reducing FortiGate unit requests to


FortiGuard servers
Cache checked before sending request to FortiGuard server
TTL settings controls the number of seconds query results are cached

Small amount of FortiGate unit system memory dedicated to the cache


Default is 2% used for cache, can be increased to 15% from CLI

Port 53 used for FortiGuard communications


Alternate port number of 8888 can used

KB Article IDs: 11779, FD32121, FD30088


20

01-50003-0201-20131018-D

114

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

FortiGuard Usage Quotas

Games Quota

Games Quota

Games Quota

Category:
Games

Quotas allow access to specific categories for a


specific length of time (calculated separately for
each quota configured)
If authentication is enabled, quota is automatically
based on the user, otherwise IP is used
Can only apply to categories with actions: Monitor,
Warn or Authenticate

21

Rating Submissions
Requests for rating of a web site, or to have a web sites rating
re-evaluated can be submitted by accessing:
http://www.fortiguard.com/ip_rep.php

22

01-50003-0201-20131018-D

115

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Rating Override

Rating override

Category:
General Organizations

www.acme.com
Sub-Category: Information and Computer Security
23

Rating Override
Can override the rating applied to a hostname by FortiGuard
Subscription Services
Hostname reassigned to a completely different category and uses that action

Override applies to FortiGate unit only


Changes not submitted to FortiGuard Subscription Services

Hostnames only
google.com
www.google.com
www.google.com/index.html

24

01-50003-0201-20131018-D

116

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Local Categories

Rename and deletion of sub-categories only in CLI


config webfilter ftgd-local-cat
delete <cat_name>
rename <cat_name> to <cat_name>

25

Warning Action
Action = Warning (right click in the GUI)

Web Filtering Warning Page

26

01-50003-0201-20131018-D

117

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Authenticate Action

Marketing

www.hackthissite.org
27

Web Filter Profiles


Web filtering,
FortiGuard web filtering
and Advanced Filter
options enabled
through web filtering
profiles
Profile in turn applied to
firewall policy
Any traffic being
examined by the
policy will have the
web filtering
operations applied
to it

28

01-50003-0201-20131018-D

118

Course 201 - Administration, Content Inspection and VPNs

Web Filtering

Labs
Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering

29

Classroom Lab Topology

30

01-50003-0201-20131018-D

119

Course 201 - Administration, Content Inspection and VPNs

Application Control

FortiGate Multi-Threat Security


Systems I
Module 10: Application Control

2013 Fortinet Inc. All rights reserved.


The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
1
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc.
01-50003-0201-20131018-D

Module Objectives
By the end of this module participants will be able to:
Describe how a signature trigger is accomplished
Add additional software
Define application control rules by category
Define application control rules by specific entry
Define firewall policies using application control lists
Use application control to perform traffic shaping

01-50003-0201-20131018-D

120

Course 201 - Administration, Content Inspection and VPNs

Application Control

Application Control
Application control is used to detect and take actions on network traffic
based on the application generating the traffic
Facebook, Skype, Gmail etc.

Can detect application traffic even if contained within other protocols


Supports a large number of applications and categories
DiffServ per application filter
Supports shared and per-IP traffic shaping for application control

Application Control List


An application control list defines the applications that will be
subject to inspection
For each application, the administrator can specify whether to
pass or block the application traffic in addition to other settings
Default rule set is very restrictive, must perform an AV/IPS update
in order to obtain new rules

01-50003-0201-20131018-D

121

Course 201 - Administration, Content Inspection and VPNs

Application Control

Adding to the List


Requests for additional or revised application control
coverage can be submitted using FortiClient or by accessing:
http://www.fortiguard.com/applicationcontrol/appform.html

Application Control Profile


Application control profile

Application control options are enabled through


application control sensors
Sensor in turn is applied to firewall policy
Any traffic being examined by the policy will have the
application control operations applied to it

01-50003-0201-20131018-D

122

Course 201 - Administration, Content Inspection and VPNs

Application Control

Example: Facebook Application Control

FOR
REVIEW
ONLY

Order of Operations

Processed from the top down


First match action is applied
Can be single application or picked from a set of
options to apply to multiple applications

01-50003-0201-20131018-D

123

Course 201 - Administration, Content Inspection and VPNs

Application Control

Implicit Rules
Implicit 1
Matches traffic against every possible application control signature

Implicit 2
Matches traffic that does not conform to any application control signature

Creating a Filter Rule

10

01-50003-0201-20131018-D

124

Course 201 - Administration, Content Inspection and VPNs

Application Control

FortiGuard

Searchable list of signatures, with descriptions


http://www.fortiguard.com/encyclopedia/applications/
Signatures change and update

11

Behavior Identification

12

01-50003-0201-20131018-D

125

Course 201 - Administration, Content Inspection and VPNs

Application Control

Instant Messenger
Support for MSN(defunct), Yahoo, ICQ and AIM
Software passes traffic through a single IM proxy

Communications protocols have never been released or had RFC


published
Proxy designed through reverse engineering

Must be explicitly enabled in order to activate IM proxy (not enabled if


IM selected)

13

Instant Messenger

14

01-50003-0201-20131018-D

126

Course 201 - Administration, Content Inspection and VPNs

Application Control

Instant Messenger

15

Fine Tuning Instant Messenger


Instant Messenger Policy configurable from the CLI, default is to allow
all users
config imp2p policy
set [aim/icq/msn/yahoo] [allow/deny]
end

Users can only be restricted if policy is set to deny


Cannot block by user if policy set to allow
Maximum 1000 IM users

16

01-50003-0201-20131018-D

127

Course 201 - Administration, Content Inspection and VPNs

Application Control

Instant Messenger Users


First user must be created in CLI
config imp2p (protocol)-user
edit (username)
end

17

Monitor

18

01-50003-0201-20131018-D

128

Course 201 - Administration, Content Inspection and VPNs

Application Control

Traffic Shaping
Allows for traffic shaping to apply to only SOME of the traffic passing
through a profile/policy
Only traffic matching application control signature is shaped
Can track application bandwidth usage and use traffic shaping to
control heavy traffic applications
Can use all normal traffic shaping options: Shared, Per-IP, Reverse

19

Traffic Shaping: Working Example

20

01-50003-0201-20131018-D

129

Course 201 - Administration, Content Inspection and VPNs

Application Control

How Does My Software Actually Work?

? ?

21

Under the Hood

Application control looks at packets and performs


a pattern match comparison to determine traffic
Does not perform any kind of scanning of either
system
Only reports that packets match an enabled pattern
22

01-50003-0201-20131018-D

130

Course 201 - Administration, Content Inspection and VPNs

Application Control

Peer-to-Peer Detection

Traditional file transfer


1 Client
1 Server

23

Peer-to-Peer Detection

Peer-to-peer transfer
1 Client
N Servers

24

01-50003-0201-20131018-D

131

Course 201 - Administration, Content Inspection and VPNs

Application Control

Peer-to-Peer Detection

Why is P2P traffic so


difficult to detect?
Traditional Protocols (HTTP, FTP) were designed to be distinct and
separate from other protocols.
P2P communication protocols were designed to be difficult to distinguish
from other protocols
25

Labs
Lab 1: Application Identification
Ex 1: Creating an Application Control list

Lab 2: Traffic Shaping


Ex 1: Limiting YouTube Traffic

Lab 3: Selective Application Control


Ex 1: Block Wikipedia Editing

26

01-50003-0201-20131018-D

132

Course 201 - Administration, Content Inspection and VPNs

Application Control

Classroom Lab Topology

27

01-50003-0201-20131018-D

133

FortiGate Multi-Threat Security Systems I


Administration, Content Inspection and VPNs
Student Lab Guide
Course 201

FortiGate Multi-Threat Security Systems


Administration, Content Inspection and VPNs
Student Lab Guide
Course 201
01-50003-0201-20131018-D

Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text,
examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form
or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge,
FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuardAntispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or
other countries. The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.

Table of Contents

VIRTUAL LAB ENVIRONMENT BASICS ....................................................................................... 3


Topology for Labs ......................................................................................................................................................................................... 3
Logging in to the Virtual Lab Environment ....................................................................................................................................... 4

CLASSROOM LAB CONFIGURATION.......................................................................................... 8


MODULE 1 ............................................................................................................................... 9
Lab 1: Initial Setup and Configuration ................................................................................................................................ 9
Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices .................. 10
Exercise 2 Exploring the Command Line Interface .................................................................................................................... 12
Exercise 3 Restoring Configuration Devices ................................................................................................................................. 14
Exercise 4 Performing Configuration Backups ............................................................................................................................ 16
Lab 2: Administrative Access ............................................................................................................................................... 17
Exercise 1 Profiles and Administrators .......................................................................................................................................... 18
Exercise 2 Restricting Administrator Access ............................................................................................................................... 20

MODULE 2 ............................................................................................................................. 22
Lab 1: Status Monitor and Event Log ................................................................................................................................. 22
Exercise 1 Exploring the GUI Status Monitor ............................................................................................................................... 23
Exercise 2 Event Log and Logging Options ................................................................................................................................... 25
Lab 2: Remote Monitoring ..................................................................................................................................................... 27
Exercise 1 Remote Syslog Logging and SNMP Monitoring ..................................................................................................... 28

MODULE 3 ............................................................................................................................. 30
Lab 1: Firewall Policy .............................................................................................................................................................. 30
Exercise 1 Creating Firewall Objects and Rules .......................................................................................................................... 31
Exercise 2 Policy Action ......................................................................................................................................................................... 33
Exercise 3 Configuring Virtual IP Access ........................................................................................................................................ 34
Exercise 4 Configuring IP Pools .......................................................................................................................................................... 36
Lab 2: Traffic Log ...................................................................................................................................................................... 38
Exercise 1 Enabling Traffic Logging ................................................................................................................................................. 39
Lab 3: Device Policies .............................................................................................................................................................. 40
Exercise 1 Enabling Device Identification ..................................................................................................................................... 41

Page |1
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Table of Contents

MODULE 4 ............................................................................................................................. 45
Lab 1: User Authentication .................................................................................................................................................... 45
Exercise 1 Identity-based Firewall Policy ...................................................................................................................................... 46

MODULE 5 ............................................................................................................................. 48
Lab 1: SSL VPN ............................................................................................................................................................................ 48
Exercise 1 Configuring SSL VPN for Web Access ........................................................................................................................ 49
Exercise 2 Configuring SSL VPN for Tunnel Mode ..................................................................................................................... 53

MODULE 6 ............................................................................................................................. 56
Lab 1: IPSec VPN ........................................................................................................................................................................ 56
Exercise 1 Site to Site IPsec VPN ........................................................................................................................................................ 57

MODULE 7 ............................................................................................................................. 60
Lab 1: Antivirus Scanning ...................................................................................................................................................... 60
Exercise 1 Antivirus Testing ................................................................................................................................................................ 61

MODULE 8 ............................................................................................................................. 64
Lab 1: Email Filtering .............................................................................................................................................................. 64
Exercise 1 Configuring FortiGuard AntiSpam .............................................................................................................................. 65

MODULE 9 ............................................................................................................................. 68
Lab 1: Web Filtering................................................................................................................................................................. 68
Exercise 1 FortiGuard Web Filtering................................................................................................................................................ 69

MODULE 10 ........................................................................................................................... 73
Lab 1: Application Identification ........................................................................................................................................ 73
Exercise 1 Creating an Application Control List .......................................................................................................................... 74
Lab 2: Traffic Shaping.............................................................................................................................................................. 76
Exercise 1 Limiting YouTube Traffic ................................................................................................................................................ 77
Lab 3: Selective Application Control .................................................................................................................................. 78
Exercise 1 Block Wikipedia Editing .................................................................................................................................................. 79

APPENDIX A: ADDITIONAL RESOURCES .................................................................................. 80

Page |2
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Virtual Lab Environment Basics

This section provides details of the virtual lab environment that will be used for the hands-on labs in
this course. Steps are included for connecting to the virtual environment along with troubleshooting
tips to help students easily navigate the lab configuration.

Alert: The following section is only applicable to the Fortinet hosted virtual lab
environment. Please ignore this section if you are using an alternate classroom lab
environment unless otherwise directed by your trainer. If you are uncertain, consult your
trainer to find out which lab setup documentation you must follow.

The network diagram below shows the configuration of the virtual environment that students will use
in the course.

Page |3
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Virtual Lab Environment Basics

1. Run the TrueLab System Checker to verify the compatibility of your computer with the virtual
lab environment.
Use the URL that is specific to your location.
Americas:
http://truelab.hatsize.com/syscheck
EMEA:
http://truelab.hatsize.com/syscheck/frankfurt/
APAC:
http://truelab.hatsize.com/syscheck/singapore/
Click Run if a security warning window appears.
The TrueLab System Checker will determine whether a connection can be established from
the PC to the TrueLab environment. It can also help troubleshoot connectivity problems
related to the Java Virtual Machine, company firewall, or proxy server.
If the PC is successfully able to connect to the TrueLab virtual lab environment a Success
message will be displayed.

Page |4
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Virtual Lab Environment Basics

If a status of Failed is displayed, verify the on-screen messages to identify potential problem
areas or click the Troubleshooter link to help diagnose any problems that were encountered.
For assistance with troubleshooting speak to your instructor.
2. If a status of SUCCESS is displayed, log in to the virtual lab portal by browsing to the
following URL:
http://remotelabs.training.fortinet.com/

Enter the username and password provided by the instructor and click LOGIN.
Alternatively, you may have received log in credentials for the following URL:
http://virtual.mclabs.com/
Check with your instructor if you are not certain about which portal to use.

3. Select the time zone for your location from the drop-down menu and click UPDATE.
By selecting the proper time zone you ensure that the class schedule is accurate.

Page |5
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Virtual Lab Environment Basics

4. The virtual lab Java applet is launched. Select a resolution for the applet and click Open to
access the Windows 2003 Server device in the virtual lab environment. This will serve as the
primary student machine for the classroom exercises.
Note: If for any reason the connection to the virtual Windows 2003 Server is lost, regain
access by selecting Operations > Disconnect and then Operations > Connect to Primary from
the menu.
5. To connect to other virtual machines in this environment go to Operations > Connect to
Secondary and select one of the available machines in the list.

The instructor will provide a description of each of the virtual systems available to you in the
virtual lab environment.

Page |6
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Virtual Lab Environment Basics

Troubleshooting Tips
It is not recommended to connect to the virtual lab environment using a wireless (Wi-Fi)
connection or a VPN tunnel. For optimal performance, connect to the lab environment
through a dedicated LAN connection.
Ensure that the company network or firewall policies are not blocking Java applets.
Students should ensure that the following settings are configured on their computer:
Screen savers should be disabled on the computer
The Power Scheme used on the computer should be set to Always on
In the Java Control Panel (located in the Windows Control Panel) ensure that Java
console is set to Show console. It is recommended that the Java console be left open
as it often provides useful logs for troubleshooting.
If you get disconnected unexpectedly from any of the virtual machines (or from the virtual
lab portal) please reattempt a connection. If unable to reconnect repeatedly after multiple
attempts, please notify the instructor.
If during the labs, particularly when reloading configuration files, you see a message
similar to the one shown below, go to the console and enter the CLI command execute
update-now.

This message indicates that the FortiGate VM is waiting for a response from the
authentication server. The command execute update-now will resend the request and
force a response.

Page |7
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Classroom Lab Configuration

The following diagram illustrates the classroom network configuration that will be used for the labs in
this course. Each student has an identical lab environment and has full control of their lab devices.

Each student will manage the following devices:


Windows 2003 Server (student working device)
2 FortiGate devices
Windows XP
Linux Server

Page |8
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration

This first lab will provide an initial orientation to the CLI and administrative GUI and will guide the
student through the basic setup of the FortiGate unit. This lab will demonstrate how to properly
backup and restore a configuration file, as well as manipulate administrative access to a FortiGate
unit.
If during the labs, particularly when reloading configuration files, you see a message similar to the
one shown below, go to the console and enter the CLI command execute update-now.

This message indicates that the FortiGate VM is waiting for a response from the authentication
server. The execute update-now command will resend the request and force a response.

Distinguish between an encrypted and non-encrypted configuration file


Describe how to back up and restore configuration files
Recognize model and build information inside a configuration file

Estimated time to complete this lab: 15 minutes

Page |9
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 1

The steps below only need to be performed if your virtual lab set-up has been started from a blank
FortiGate image. Before proceeding, please check with your Instructor to confirm if these steps are
required for your particular classroom lab configuration.
1. Connect to the console of the Student FortiGate device (in the virtual lab applet, go to
Operations > Connect to Secondary > Student) and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.
2. To access the Student FortiGate device using the GUI, you must first modify the port3
interface settings by executing the following CLI commands:
conf system interface
edit port3
set ip 10.0.1.254/24
set allowaccess http
end
You have now configured the port3 interface with a proper IP address and device access
settings.
3. Enter the following command to check your configuration:
show system interface
4. Open a web browser and enter the following URL to access the GUI for the Student
FortiGate device:
http://10.0.1.254
Accept the FortiGate units self-signed certificate or security exemption if a security warning
appears.
HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other
available protocols include SSH, PING, SNMP, HTTP and Telnet.
Note: To access the FortiGate GUI using a standard web browser, cookies and JavaScript
must be enabled for proper rendering and display of the graphical user interface.

P a g e | 10
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 1

The login page of the Student FortiGate device should now be displayed. Please do not log
in at this point. You will have the opportunity to explore the FortiGate units GUI in a later
exercise.
If you are not presented with a login page, check with your Instructor before proceeding.
5. Connect to the console of the Remote FortiGate device (in the virtual lab applet, go to
Operations > Connect to Secondary > Remote) and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.
6. Enter the following CLI commands to set the port4 IP address and access control settings for
your device.
conf system interface
edit port4
set ip 10.200.3.1/24
set allowaccess http ping
end
7. Next, check the route configuration by executing the following command:
show router static
If there is no static route configured on port4, execute the commands shown below to set this
static route. (Routing will be explained in more detail in a later section.)
conf route static
edit 0
set device port4
set gateway 10.200.3.254
end
8. You can enter the following commands to check your configuration:
show system interface
show router static
At this stage, you will not be able to connect to the Remote FortiGate device until you have
configured your Student FortiGate device with routing information and a firewall policy to
allow that management traffic. This configuration will be added later.

P a g e | 11
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 2

In this exercise, students will be introduced to the FortiGate units command line interface (CLI).
1. Connect to the console of the Student FortiGate device and at the login screen enter the
default username of admin (all lowercase) and no password.
2. Type the following command to display status information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and
additional settings.
Confirm that the firmware build is the correct version for this class.
3. Type the following command to see a full list of accepted objects for the get command:
get ?
Note: The ? character is not displayed on the screen.

At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to
scroll one line at a time. Press <q> to exit.
Depending on objects and branches used with this command, there may be other subkeywords and additional parameters to enter.
4. Press the up arrow key to display the previous get system status command and try
some of the control key sequences that are summarized below.
Previous command

up arrow, or CTRL+P

Next command

down arrow, or CTRL+N

Beginning of line

CTRL+A

End of line

CTRL+E

Back one word

CTRL+B

Forward one word

CTRL+F

Delete current character

CTRL+D

Clear screen

CTRL+L

Abort command and exit branch

CTRL+C

CTRL+C is context sensitive and in general aborts the current command and moves up to
the previous command branch level. If already at the root branch level, CTRL+C will force a
logout of the current session and another login will be required.

P a g e | 12
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 2

5. Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a time each time
the <tab> key is pressed.
6. Type the following command to see the entire list of execute commands:
execute ?
7. Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
config begins the configuration mode while show displays the configuration. The only
difference is show full-configuration. The default behavior of the show command is
to only display the differences from the factory-default configuration.
8. Enter the CLI commands shown below to display the FortiGate units internal interface
configuration settings and compare the output for each of them.
Only the characters shown in bold type face need to be typed, optionally followed by <tab>,
to complete the command key word. Use this technique to reduce the number of keystrokes
to enter information. CLI commands can be entered in an abbreviated form as long as
enough characters are entered to ensure the uniqueness of the command keyword.
show system interface port3
show full-configuration system interface port3

P a g e | 13
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 3

From the Windows Server, you first will need to connect to the Student FortiGate device and restore
the configuration file needed to complete the upcoming exercises.
1. Open a web browser and connect to the following URL to access the GUI on the Student
FortiGate device:
http://fgt.student.lab
2. Go to System > Dashboard > Status. Under System Information, click Restore.

3. Browse the Desktop and navigate to the Resources > Module1 > Student folder.

Select the file student-initial.conf and click Restore.


After restoring the configuration, the FortiGate unit will automatically reboot. The length of
the boot process is affected by how complex the configuration is. The more complicated the
configuration, the longer it will take to parse it and complete the boot process.
Most configurations take less than 1 minute to complete the reboot process.

P a g e | 14
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 3

4. Reconnect to the GUI on the Student FortiGate device and verify the restored configuration.
Go to System > Network > Interface and check your network interfaces.
Go to Router > Static > Static Route and check your default route.
5. Next, perform the following steps on the Student FortiGate device to verify the DNS
configuration settings for the Student and Remote FortiGate devices. These DNS settings
have been added to simplify access to the lab devices.
Go to System > Network > DNS Server and review the student and remote DNS zones.
In the student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records
for the Student FortiGate device (10.0.1.254) and the Windows Server (10.0.1.10).
In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records
for the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
6. From a DOS command prompt on the virtual Windows Server, execute the following
commands to verify the DNS lookup functionality. DNS requests are being sent to port3, and
recursive DNS requests are allowed on this interface.
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254
Note: The parameters of the nslookup command are:
nslookup [-option] [hostname] [server]

7. In a web browser on the virtual Windows Server, connect to the following web pages to verify
that the GUI of the Student and Remote FortiGate devices can be accessed using their DNS
hostnames:
http://fgt.student.lab
http://fgt.remote.lab

P a g e | 15
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 1: Initial Setup and Configuration Exercise 4

1. Connect to the GUI on the Student FortiGate device by accessing the URL:
https://fgt.student.lab
2. Go to System > Dashboard > Status and under System Information, click Backup.

Select Encrypt configuration file and enter the password: fortinet. Click Backup and
save the encrypted configuration file to the Desktop with the filename student-initial-enc.conf.
(You may need to modify the web browsers settings to prompt for the location to save files.
For Firefox, go to Tools > Options > General and select Always ask me where to save files.)

Caution: When backing up the FortiGate units configuration, be sure to use a naming
convention that you understand and which identifies both the date and the device
information. Every time that you log in and make changes to your device (even if the
change seems minor or insignificant), you should ALWAYS make a backup of the
configuration file. This will always be the best form of protection against problems.

3. Next try restoring the encrypted configuration file. Browse the Desktop and navigate to the
file student-initial-enc.conf and click Restore.
This time you will need to enter the password fortinet as this file is encrypted.
Using WordPad or Notepad++, open the file student-initial.conf. In another instance of
WordPad, open the file student-initial-enc.conf and compare the details in both.

Note: In both the normal and encrypted configuration the top of the file acts as a
header, describing the firmware and model information this configuration belongs
to.

P a g e | 16
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 2: Administrative Access

The aim of this lab will be to demonstrate how to create and modify administrative access
permissions.

Identify the steps to create a new administrative user


Recognize the options to restrict administrative access

Estimated time to complete this lab: 10 minutes

P a g e | 17
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 2: Administrative Access Exercise 1

1. From the GUI on the Student FortiGate device, go to System > Admin > Settings and select
Enable Password Policy.
Configure the password policy using the following settings:
Minimum Length:

Must Contain:

Enable
1 Upper Case Letter
1 Numerical Digit

Enable Password Expiration:

Enable
90 days

Once the settings have been modified, click Apply to save the changes.
2. Log out of the GUI then log back in again and you will be prompted to enter a new
administrator password. Enter a new password that meets the requirements configured
above.
3. Next, go to System > Admin > Admin Profile and create a new Admin profile called
Security_Admin_Profile. Set Security Profile Configuration to Read-Write and set all other
permissions to Read Only.
Once the profile settings have been modified, click OK to save the changes.
4. Go to System > Admin > Administrators and click Create New to add a new Admin user
called Security_Admin. Set Admin Profile to the new profile you created in the previous step.
By doing this, you are limiting this Admin users access so that they will only able to modify
and create security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot include the
< > ( ) # characters in an administrator name or password. Spaces are allowed, but
not as the first or last character. Spaces in a name or password can be confusing and
require the use of quotes to enter the name in the CLI.

Once the Administrative user settings have been entered, click OK to save the changes.
5. To view the configuration for administrative users and profiles, type the following CLI
commands:
show system admin
show system accprofile

P a g e | 18
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 2: Administrative Access Exercise 1

6. Log out of the GUI on the Student FortiGate device and log back in as the Security_Admin
user created earlier.
7. Test this administrators access by attempting to create or modify various settings on the
Student FortiGate device. You should observe that this admin user is only able to configure
settings under Security Profiles.
For convenience in the labs, the admin password will not be set in the configuration files
used in the subsequent modules.

P a g e | 19
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 2: Administrative Access Exercise 2

1. Connect to the GUI on the Remote FortiGate device by accessing the following URL:
http://fgt.remote.lab
Log in with the default username of admin (all lowercase) and no password.
2. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts
Only. Set Trusted Host #1 to the address 10.0.2.0/24.
Once the trusted host details have been entered, click OK to save the changes.
Now, try connecting to the GUI of the Remote FortiGate device again. What is the result this
time?
Because you are connecting from the 10.200.1.1 address (because of NAT on the
Student FortiGate device) you should notice that you are no longer able to connect to the
device since restricting the connecting source IP using Trusted Hosts.
3. Attempt to ping the IP address 10.200.3.1. You should note that the ping no longer
responds. This type of access is also affected by the restriction on source IP which we have
configured above.
4. Go to the console of the Remote FortiGate device and enter the following CLI commands to
add 10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin
account:
conf sys admin
edit admin
set trusthost2 10.200.0.0/16
end
5. Test the GUI and ping access again to the IP address 10.200.3.1. You should now be
able to connect to the GUI of the Remote device and ping it as well.
6. Go to System > Dashboard > Status and under System Information, click Details for Current
Administrator.
The administrators currently logged in to the FortiGate unit are displayed.

P a g e | 20
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 1 Lab 2: Administrative Access Exercise 2

7. By default, an administrator has a maximum of three attempts to log in to their account


before they are locked out for 60 seconds. The source IP address is taken into account by
the attempt counter.
The number of login attempts and the lockout period can be configured through the CLI.
To help improve the overall password security, the maximum number of attempts can be
decreased and the lockout timer can be increased using the following CLI commands:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end

P a g e | 21
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 1: Status Monitor and Event Log

The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.

Identify and properly enable logging of system events


Locate event logs for specific information

Estimated time to complete this lab: 10 minutes

P a g e | 22
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 1: Status Monitor and Event Log Exercise 1

1. From the GUI of the Student FortiGate device, go to System > Dashboard > Status and
locate the System Resources widget.
2. Some widgets are not displayed on the dashboard by default. Click Widget to display the list
of widgets available to add to the dashboard.

If not already added, click the Sessions History widget from the pop-up window to add it to
the dashboard.
Close the widget list window.
3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a
custom widget.

Configure a custom widget with the following details:


Custom Widget Name:

System Resource History

View Type:

Historical

Time Period:

Last 60 minutes

A line chart appears in a new custom System Resource History widget showing a trace of
past CPU and memory usage.
P a g e | 23
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 1: Status Monitor and Event Log Exercise 1

The refresh rate of this window is automatically set to 1/20 of the time period (interval)
configured.
4. The Alert Message Console widget displays recent system events, such as system restart
and firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to
view the entire message list.

Scroll to the bottom of the window and click Close.


5. Go to System > Dashboard and select Add Dashboard. Enter any name of your choice for
the new dashboard and select the single column display.
6. Next add the Top Sessions widget on your new dashboard. Click the edit icon in the title bar
of the Top Sessions widget and observe the different ways in which top sessions can be
reported. For example, by top Destination Address, top Applications etc. You can also select
to display the top sessions by Source and Destination interfaces. Create your own
customized Top Sessions widget and examine the sessions that are listed.
7. Test the functionality of the refresh, page forward, and page back icons in this window. You
may need to generate some additional traffic in order to properly test these functions.
8. Click Dashboard and select Reset Dashboards to re-display the default dashboard.

P a g e | 24
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 1: Status Monitor and Event Log Exercise 2

1. From the Student FortiGate CLI, execute the following command to check the system status:
get system status
2. Verify the Log hard disk status. If it is set to Available proceed to Step 3. If the status
appears as Need Format, enter the following command to format the drive.
execute formatlogdisk
When prompted to continue, type y and wait for the system to reboot.
Once the system has restarted, check the log disk settings by executing the following
command:
config log disk setting
get
You should observe that the status is enabled.
3. Repeat the previous steps on the Remote FortiGate device.
4. Return to the Student FortGate device and log out of the GUI. When logging back in, use an
incorrect password once and then use the correct password to log back in again.
Go to Log & Report > Event Log > System and examine the log to find the invalid password
event.
5. Go to Firewall Objects > Address > Address, and create a new firewall address using the
following settings:
Name:

fortinet

Type:

FQDN

FQDN:

www.fortinet.com

Leave the remaining settings at their defaults and click OK to save the changes.
6. Next go to Log & Report > Event Log > System and review the log entries.

P a g e | 25
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 1: Status Monitor and Event Log Exercise 2

7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.

Click Apply to save the changes.


Different types of log entries fall into different categories. Only enable logging for the
activity(s) that you need to monitor. This avoids filling the logs with information you do not
need, and consuming unnecessary system resources.
8. Go to Firewall Objects > Address > Address and create another firewall address entry. Go to
Log & Report > Event Log > System and review the log entries again.
Note that the entries are no longer visible for this activity. With this option deselected in the
Event Logging settings, you will no longer see entries in the log for Admin users logging
on/off or making changes to the units configuration. Other types of log entries will still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.

P a g e | 26
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 2: Remote Monitoring

The aim of this lab is for students to set up logging to a remote device and monitoring of the
FortiGate units behavior. It can be advantageous to use remote monitoring instead of local
monitoring in order to reduce resource usage. For example, while the GUI widgets provide useful
displays of your system information, they also carry a significant resource cost and should be used
sparingly.

Enabling monitoring from a syslog and SNMP device

Estimated time to complete this lab: 10 minutes

P a g e | 27
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 2: Remote Monitoring Exercise 1

The LINUX host in your student lab environment has been pre-configured for you to allow remote
syslog.
1. From the CLI on the Student FortiGate device enter the following commands to set up
logging to the syslog server:
conf log syslogd setting
set status enable
set facility local6
set server 10.200.1.254
end
2. Repeat the above step from the CLI on the Remote FortiGate device.
3. From the virtual Windows Server desktop launch the putty.exe application and open an SSH
session to the LINUX host (10.200.1.254).

Log in as root and with the password: password.

P a g e | 28
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 2 Lab 2: Remote Monitoring Exercise 1

4. Run the following command to monitor the FortiGate unit syslog messages which are
mapped to their own file by the local6 facility.
tail f /var/log/fortinet
5. Leave the SSH window open and return to the Student FortiGate device and generate some
log entries by doing the following:
Attempt to log in with invalid credentials
Make a minor configuration change
6. From the GUI on the Student FortiGate device, go System > Config > SNMP to enable
SNMP monitoring. Select Enable for the SNMP Agent then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth
password to fortinet.

Click OK.
8. Go to System > Network > Interface and edit port1. Confirm that SNMP is enabled under the
Administrative Access settings. If it is not enabled you will need to enable it first then click OK
to save the changes.
9. Leave the SSH window open that is currently running the tail command and run putty
again to open a new SSH connection to the LINUX host (10.200.1.254).
Next, execute the following snmpwalk command to find and display all of the monitoring
options that a device presents through SNMP:
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv
10.200.1.1
A tree listing of all the options available to monitor this FortiGate VM device will be displayed.
To make it easier to view the information available, you may also append >snmp.test to
the command entered above. This will save the output to a file named snmp.test. Enter the
command view snmp.test to view the output file.

P a g e | 29
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy

The aim of this lab is for students to work with firewall policies and examine the FortiGate unit
behavior when policies are re-ordered.

Describe the various actions that can be set in a firewall policy


Demonstrate policy order

Estimated time to complete this lab: 20 minutes

P a g e | 30
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 1

1. From the Windows Server, you first will need to connect to the GUI on the Student FortiGate
device (10.0.1.254) and restore the following configuration file that is needed for this lab:
Resources\Module3\Student\student-policy.conf. The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Firewall Objects > Address > Address
and create the following address object:
Name:

STUDENT_INTERNAL

Type:

Subnet

Subnet/IP Range:

10.0.1.0/255.255.255.0

Interface:

Any

Once the settings have been entered, click OK to save the changes.
3. The unrestricted port3port1 policy will need to be temporarily disabled in the policy list. To
do this, go to Policy > Policy > Policy, right-click the unrestricted port3port1 policy and
select Status > Disable.
4. Next click Create New to add a new firewall policy to provide general Internet access from
the internal network. Configure the following settings:
Policy Type:

Firewall

Policy Subtype:

Address

Incoming Interface:

port3

Source Address:

STUDENT_INTERNAL

Outgoing Interface:

port1

Destination Address:

all

Schedule:

always

Service:

HTTP, HTTPS, DNS, ALL_ICMP, SSH


(Hold down the CTRL-key to select multiple services.)

Action:

ACCEPT

Enable NAT:

Enabled

Use Destination Interface Address:

Enabled

Log Options:

Enable Log all Sessions and select Generate Logs


when Session Starts

Comments:

General Internet access

P a g e | 31
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 1

When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall,
therefore, a firewall policy only needs to be created for the direction of the originating traffic.
Once the policy settings have been entered, click OK to save the changes.
5. From the virtual Windows Server desktop, open a web browser and connect to various
external web servers.
6. From the CLI, enter the following command to see the source NAT action.
#get system session list
Sample Output:
STUDENT # get sys session list
PROTO
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp

EXPIRE
3600
3587
3570
3577
3587
3587
2274
3587
3566

SOURCE
10.0.1.10:3677
10.0.1.10:3717
10.0.1.10:3681
10.0.1.10:3710
10.0.1.10:3708
10.0.1.10:3706
10.0.1.10:3608
10.0.1.10:3712
10.0.1.10:3679

SOURCE-NAT
10.200.1.1:64133
10.200.1.1:64097
10.200.1.1:64126
10.200.1.1:64124
10.200.1.1:64122
10.200.1.1:64024
10.200.1.1:64128
10.200.1.1:64095

DESTINATION
10.0.1.254:22
72.30.38.140:80
69.171.228.70:80
74.125.228.92:80
74.125.228.92:80
66.94.245.1:80
10.200.1.254:22
80.239.217.66:80
74.125.227.24:80

DESTINATION-NAT
-

Note that the new source address being applied is that of the destination interface
port1(10.200.1.1).

P a g e | 32
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 2

1. Use the same steps you performed earlier to create a second firewall policy. Configure the
following settings:
Policy Type:

Firewall

Policy Subtype:

Address

Incoming Interface:

port3

Source Address:

STUDENT_INTERNAL

Outgoing Interface:

port1

Destination Address:

Click Create and configure the following:


Name: LINUX_ETH1
Type: Subnet
Subnet / IP Range: 10.200.1.254/255.255.255.255
Click OK.

Schedule:

always

Service:

PING

Action:

DENY

Log Violation Traffic:

Enabled

Once the policy settings have been entered click OK to save the changes.
2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as
follows.
ping t 10.200.1.254
Provided you have not changed the rule ordering, the ping should still work as it matches the
ACCEPT policy and not the DENY policy just created. This demonstrates the behavior of
policy ordering. The second policy was never checked because the traffic matched the first
policy. Leave this window open and perform the next step.
3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click
any of the column headings. Select Column Settings > ID. Move this column accordingly for
easier viewing. By default only the sequence number of the firewall policy is displayed in the
GUI.
4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to
position it before the General Internet access policy.
5. Return to the Windows Server and examine the DOS command prompt window still running
the continuous ping. You should observe that this traffic is now blocked and the replies
appear as Request timed out. Enter CTRL-C to end the ping command.
P a g e | 33
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 3

In this exercise, a virtual IP address will be configured to allow remote Internet connections to
the Windows Server located at 10.0.1.10.
1. Go to Firewall Objects > Virtual IP > Virtual IP and click Create New to add a new virtual IP
mapping with the following details:
Name:

VIP_WIN2K3

External Interface:

port1

Type:

Static NAT

External IP Address/Range:

10.200.1.200

Mapped IP Address/Range:

10.0.1.10

Once the virtual IP settings have been entered click OK to save the changes.
2. Next, create a new firewall policy to provide access to the web server. Configure the
following settings:
Policy Type:

Firewall

Policy Subtype:

Address

Incoming Interface:

port1

Source Address:

all

Outgoing Interface:

port3

Destination Address:

VIP_WIN2K3

Schedule:

always

Service:

HTTP

Action:

ACCEPT

Log Options:

Enable Log all Sessions and select Generate Logs


when Session Starts

Enable NAT:

Disabled (default)

Comments:

Public access to web server

Once the policy settings have been entered click OK to save the changes.
3. The firewall is stateful so any existing sessions will not use this new firewall policy until they
time out or are cleared. The sessions can be cleared individually from the session widget on
the Status page or from the CLI by executing the following:
diag sys session clear
P a g e | 34
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 3

4. Connect to the console of the remote Windows host. (From the virtual lab applet, go to
Operations > Connect to Secondary > WinXP to connect to the console of your WINXP host.)
On the WinXP desktop, open a web browser and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful a simple web page appears displaying the message It
works!.
5. From the CLI on the Student FortiGate device, check the destination NAT entries in the
session table by using the following command:
#get system session list
Sample Output:
STUDENT # get sys session list
PROTO
tcp

EXPIRE SOURCE
SOURCE-NAT
DESTINATION
3537
10.200.3.1:62426 10.200.1.200:80 10.0.1.10:80

DESTINATION-NAT

6. On the virtual Windows Server desktop open a web browser and connect to a few external
web sites. Now examine the session information again as follows:
#get system session list
Sample Output:
STUDENT
PROTO
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp

# get sys session list


EXPIRE SOURCE
3591
10.0.1.10:3995
3590
10.0.1.10:3977
3553
10.0.1.10:3965
3592
10.0.1.10:3998
3584
10.0.1.10:3969
3596
10.0.1.10:4001
3590
10.0.1.10:3983
3590
10.0.1.10:3979
3590
10.0.1.10:3987
3590
10.0.1.10:3981
3590
10.0.1.10:3985
1013
10.0.1.10:3608
3589
10.0.1.10:3976
3591
10.0.1.10:3996
3554
10.0.1.10:3967
3590
10.0.1.10:3990
3591
10.0.1.10:3978
3590
10.0.1.10:3980

SOURCE-NAT
DESTINATION
DESTINATION-NAT
10.200.1.200:3995 66.94.241.1:80
10.200.1.200:3977 72.30.38.140:80 10.200.1.200:3965 184.150.187.83:80 10.200.1.200:3998 74.125.228.92:80 10.200.1.200:3969 69.171.237.16:80 10.200.1.200:4001 208.91.113.80:80 10.200.1.200:3983 216.115.100.102:80 10.200.1.200:3979 216.115.100.103:80 10.200.1.200:3987 216.115.100.102:80 10.200.1.200:3981 216.115.100.103:80 10.200.1.200:3985 216.115.100.102:80 10.200.1.1:64024 10.200.1.254:22 10.200.1.200:3976 72.30.38.140:80 10.200.1.200:3996 184.150.187.99:80 10.200.1.200:3967 74.125.228.65:80 10.200.1.200:3990 216.115.100.103:80 10.200.1.200:3978 216.115.100.103:80 10.200.1.200:3980 216.115.100.103:80 -

Note that the outgoing connections from the Windows Server are now being NATed with the
VIP address as opposed to the firewall address. This is a behavior of the static NAT (SNAT)
VIP. That is, when SNAT is enabled on a policy, a VIP static NAT takes priority over the
destination interface IP address.

P a g e | 35
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 4

Currently, all traffic generated from the Windows Server through the Student FortiGate
device has a translated source IP address of 10.200.1.200 because of the static NAT
translation in the VIP.
In this exercise, an IP address pool will be applied to a new rule which will override this
behavior.
1. From the GUI on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool
and create a new IP pool using the following settings:
Name:

WIN2K3_EXT_IP

External IP Range/Subnet:

10.200.1.100

Once the policy settings have been entered click OK to save the changes.
2. Go to Policy > Policy > Policy, and right-click the outgoing General Internet access policy.
Select Copy Policy then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet access policy and configure the following
settings:
Policy Type:

Firewall

Policy Subtype:

Address

Incoming Interface:

port3

Source Address:

WIN2K3

Outgoing Interface:

port1

Destination Address:

all

Schedule:

always

Service:

ALL

Action:

ACCEPT

Log Options:

Enable Log all Sessions and select Generate Logs


when Session Starts

Enable NAT:

Enabled

Use Dynamic IP Pool:

WIN2K3_EXT_IP

Comments:

Windows Server source NAT override

Once the Policy settings have been entered click OK to save the changes and verify that you
have enabled it.

P a g e | 36
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 1: Firewall Policy Exercise 4

4. The firewall does stateful inspection so any existing sessions will not use this new firewall
policy until they time out or are cleared. The sessions can be cleared individually from the
session widget on the status page or from the CLI by executing the following:
diag sys session clear
5. Connect to a few external web sites and then examine the session table to check the source
NAT used. From the CLI on the Student FortiGate device enter the following command to
verify the source NAT IP address:
# get system session list
Sample Output:
STUDENT
PROTO
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp

# get system session list


EXPIRE SOURCE
SOURCE-NAT
DESTINATION
DESTINATION-NAT
3599
10.0.1.10:3963
10.200.1.100:64379 74.125.225.126:443 3599
10.0.1.10:3961
10.200.1.100:64377 74.125.225.111:443 3552
10.0.1.10:3953
10.200.1.100:64369 76.74.133.167:80 3597
10.0.1.10:3956
10.200.1.100:64372 74.125.225.118:80 3597
10.0.1.10:3954
10.200.1.100:64370 74.125.225.117:80 3598
10.0.1.10:3959
10.200.1.100:64375 199.7.57.72:80
16
10.0.1.10:3948
10.200.1.100:64364 66.36.238.121:22 3598
10.0.1.10:3958
10.200.1.100:64374 209.85.225.84:443 3599
10.0.1.10:3962
10.200.1.100:64378 74.125.225.99:443 0
10.0.1.10:3960
10.200.1.100:64376 98.139.200.238:80 3597
10.0.1.10:3955
10.200.1.100:64371 74.125.225.118:80 -

Observe that the source NAT address is now 10.200.1.100 as configured in the VIP pool,
therefore the order of precedence is IP Pool > Static-NAT VIP > Destination Interface.

P a g e | 37
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 2: Traffic Log

The aim of this lab is to read traffic logs and become familiar with its contents.

Demonstrate how to enable traffic logging


Read and understand traffic log entries

Estimated time to complete this lab: 5 minutes

P a g e | 38
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 2: Traffic Log Exercise 1

1. Go to Policy > Policy > Policy and click the Seq.# of the DENY policy that you created
previously. Drag this policy to position it BEFORE the Window Server Source NAT Override
policy.
2. Edit the DENY policy and verify that Log Violation Traffic is enabled.
3. From the Windows Server, open a DOS command prompt and ping the port1 gateway as
follows.
ping t 10.200.1.254
Provided you have positioned the rule correctly this traffic should be blocked, and timeout.
4. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic to examine the log entries. You should observe violation traffic entries. These entries
appear with red X symbols under the column Security Action.
5. Edit the DENY policy. Change the Action setting to ACCEPT, and enable NAT by selecting
the Enable NAT checkbox. Once these policy settings have been entered click OK to save
the changes.
From the Windows Server, you should observe that the ping now succeeds.
6. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic.
The log entries will no longer show violation traffic, but summaries of the ping traffic that
passed.

P a g e | 39
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 3: Device Policies Exercise 1

In this exercise you will create a Firewall policy that uses email captive portal. Once the device is
learnt, access to a test web server should be given to the device.

Demonstrate how to enable Device Identification


Configure Device Identification policies

Estimated time to complete this lab: 10 minutes

P a g e | 40
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 3: Device Policies Exercise 1

1. From the virtual Windows Server host, you first will need to connect to the Student FortiGate
device and restore the configuration file needed for this exercise.
Restore the following configuration file: Resources\Delta\delta-student-initial.conf.
2. Edit the outgoing port3 to port2 firewall policy using the following settings:
Policy Type:

Firewall

Policy Subtype:

Device Identity

Incoming Interface:

port3

Source Address:

STUDENT_INTERNAL

Outgoing Interface:

port2

Enable NAT:

Enabled. Select Use Destination Interface Address

Next click Create New under Configure Authentication Rules and create the following subpolicies:
Sub-policy 1:
Destination Address:

all

Device:

Windows PC

Schedule:

always

Service:

HTTP

Action:

Accept

Click OK.
Sub-policy 2:
Destination Address:

all

Device:

Collected Emails

Schedule:

always

Service:

HTTP, HTTPS, ALL_ICMP, SSH, SMTP, POP3, FTP


(Hold down the CTRL-key to select multiple services.)

Action:

ACCEPT

Click OK.

P a g e | 41
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 3: Device Policies Exercise 1

Under Device Policy Options enable Prompt E-mail Collection Portal for all devices as
follows:

Once you have configured all the above policy settings, click OK to save the changes.
3. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the
sub-policy list because this rule should only be matched if the device has not already been
identified.
In this example, the first web traffic from the client matches the email captive portal rule. The
subsequent traffic matches the collected email device object as we now have this information.
4. Check the device policy and sub-policies.

Click OK.
5. You will now test the device policy on the Student FortiGate device. First execute the
following CLI commands to disable the email DNS check for the captive portal. (This step is
required for the purposes of this lab.)
config system settings
set email-portal-check-dns disable
end

P a g e | 42
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 3: Device Policies Exercise 1

6. From your web browser, connect to: http://10.200.1.254.


You should get to the portal. Accept the conditions and enter your email address when
prompted.
You should now be redirected to the web site.
7. From the CLI, you can use debug flow to examine the traffic:
diag debug flow filter addr 10.200.1.254
diag debug flow show func en
diag debug flow show cons en
diag debug enable
diag debug flow trace start 20
8. Go to User & Device > Device > Device Definition and check the new device.
This device is a dynamic device. These devices may update and are stored to the flash to
speed up detection.
diag user device list
9. Clear the device from the CLI and reload the web page as follows:
diag user device clear
You should observe that you are redirected to the email portal again. Accept the conditions
and enter your email address.
10. Perform a show from the CLI to confirm there are no devices in the configuration file.
show user device
11. From the GUI, go to User & Device > Device > Device Definition and edit your device from
the device list. Add an alias called myDevice. This creates a static device in the configuration
file.
Once you have the alias entered, click OK to save the change.
Perform the following show command to confirm that the device now appears in the
configuration file.
show user device
12. Go to User & Device > Device > Device Group. Note that your device is already a member
of several predefined device groups.
Click Create New and add a new device group called myDevGroup.
Next, add myDevice to the Members list and click OK.
Note that your device is still a member of the predefined groups and is now a member of the
custom group myDevGroup.
P a g e | 43
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 3 Lab 3: Device Policies Exercise 1

13. From a DOS prompt on the virtual Windows host, open an FTP connection to:
10.200.1.254
Once you have connected, close the FTP connection.
14. Now add a sub-policy to your firewall device policy blocking FTP.
Edit the device policy and create the following sub-policy:
Sub-policy 3:
Destination:

LINUX_ETH1

Device:

myDevGroup

Schedule:

always

Service:

FTP

Action:

Deny

Log Violation Traffic:

Enable

Click OK.
15. Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.
16. From your PC test that you can open an FTP connection to 10.200.1.254.
You should observe that the connection now fails to establish.
View the traffic logs and find the deny entry.

P a g e | 44
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 4 Lab 1: User Authentication

The aim of this lab is to introduce students to user authentication management on the FortiGate unit.

Create an identity-based policy


Manage user authentication

Estimated time to complete this lab: 20 minutes

P a g e | 45
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 4 Lab 1: User Authentication Exercise 1

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module4\Student\student-auth.conf.
The Student FortiGate device will reboot.
2. When the device has rebooted review the user configuration for this lab.
Go to User & Device > User > User Definition to review the local user settings
Go to User & Device > User Group > User to review the user group configuration.
3. On the virtual Windows Server desktop, open a web browser and connect to a new web site.
At the login prompt, enter the following credentials:
Username:

student

Password:

F0rtinet

You should observe that after successful authentication, you are redirected to your
destination web site.
4. From the GUI on the Student FortiGate device go to Policy > Policy > Policy and review the
outgoing port3 port1 firewall policy with authentication configured.
5. Next, open a putty.exe session and try to ping or connect via SSH to 10.200.1.254.
You should observe that using either of these tests will fail.
Even though there is an accept rule for this traffic, it is not being allowed. This highlights an
important behavior of identity policies. The service becomes a permission and not a selector,
therefore, in our example the identity policy matches all outgoing traffic regardless of service.
The service is then allowed if it is set for the user.
Since the Authentication policy matches the source IP and SSH is not an allowed service, the
FortiGate will not look for another matching firewall policy. A policy has already been found
and the traffic is not allowed through it.
There are two ways that you can use to correct this. You can either add ALL_ICMP and SSH
to the identify policy rule for the training user group, or move the regular policy before the
identity policy.
Using either one of these options, make your configuration change and retest using ping or
by connecting through SSH. If using SSH, log in as root with the password: password.

P a g e | 46
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 4 Lab 1: User Authentication Exercise 1

6. Go to User & Device > Monitor > Firewall to view the details of the authenticated user along
with the policy used to authenticate this user.
7. Next go to Log & Report > Event Log > User and locate the log messages for the firewall
policy authentication events. The details for the entry are displayed in the lower pane of the
Event Log window.
Notice that the users name student is now included in the log messages.
8. From the CLI, view the IP addresses and users which have successfully authenticated to the
FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear

Caution: Be careful using this command on a live FortiGate system as it will


clear ALL authenticated users

P a g e | 47
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN

The aim of this lab is for students to work with and manage user groups and portals for the SSL
VPN.

Configure and connect to an SSL VPN


Enable various authentication security options

Estimated time to complete this lab: 30 minutes

P a g e | 48
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 1

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module5\Student\student-ssl.conf.
The Student FortiGate device will reboot.
2. When the device has rebooted, review the SSL VPN configuration access for this lab. Go to
Policy > Policy > Policy and examine the port1port3 policy for SSL VPN. Note from the
policy list that this policy has a sub-policy.
Edit this policy to view its components. The settings are configured as follows:
Policy Type:

VPN

Policy Subtype:

SSL-VPN

Incoming Interface:

port1

Remote Address:

all

Local Interface:

port3

Local Protected Subnet:

WIN2K3

SSL Client Certificate Restrictive:

Disabled

The policy is incoming, that is from the external network to the internal network.
The policy subtype is SSL VPN which indicates further processing besides only accepting the
traffic.

P a g e | 49
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 1

Under Configure SSL-VPN Authentication Rules, edit the first rule to view its contents. Notice
that this allows users in the training group to access the web-access SSL-VPN portal.

You will notice that this rule contains many settings including Groups(s), User(s), Schedule,
Service and SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy.
In an upcoming exercise, we will be adding on to this policy to allow tunnel access.
3. To observe the effect of this policy you will now access the SSL VPN. On the virtual external
Windows XP host desktop, open a web browser and access the SSL VPN by browsing to
the following URL: https://10.200.1.1.
Accept the security warnings for the self-signed certificate and log in using the following
credentials:
Username:

student

Password:

F0rtinet

You should notice that you are successfully able to log in however, the web portal is currently
in default settings. We will now configure the web-access portal which is selected in the SSL
VPN policy. Log out and return to the virtual Windows Server host.

P a g e | 50
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 1

4. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right hand corner,
select web-access to edit this portal. Verify that Include Bookmarks is selected and then in
the table shown, create the following bookmarks for the internal server.
Bookmark for HTTP:
Category:

Test

Name:

HTTP/HTTPS

Type:

HTTP/HTTPS

Location:

10.0.1.10

Click OK.

Bookmark for RDP:


Category:

Test

Name:

RDP

Type:

RDP

Location:

10.0.1.10

Click OK.
Modify the Portal Message with a message of your choice then click Apply to save all the
changes.
Select View Portal to review your changes.
5. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to:
https://10.200.1.1
You should now observe that you have two book marks listed.

P a g e | 51
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 1

6. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how
the web access functions.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway:
https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP
proxy: .../proxy/http...
The final part of the address is the destination of the connection from the HTTP
proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection to
the final destination from the HTTP proxy is in clear text.
7. Return to the virtual Windows Server device and from the GUI on the Student FortiGate
device, go to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN
connection.
Note the User, Source IP and Begin Time.
8. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the
SSL tunnel established message.
9. From the external Windows XP host, log out of the SSL VPN connection. Return to the log
and look for the SSL tunnel shutdown message.

P a g e | 52
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 2

In this exercise you will edit the current SSL policy adding a new sub-rule for a second user
configured for tunnel mode.
1. Edit the SSL VPN policy and under Configure SSL-VPN Authentication Rules, create a new
sub-policy for a full-access portal using the following settings:
Group(s):

training

Schedule:

always

SSL-VPN Portal:

full-access

After adding the sub-policy, click OK to save the changes.


2. To observe the effect of this sub-policy you will now access the SSL VPN again. From the
virtual external Windows XP host desktop, open a web browser and access the SSL VPN by
browsing to the following URL:
https://10.200.1.1
When prompted, log in to the SSL VPN using the following credentials:
Username:

student

Password:

F0rtinet

3. What do you see when you login?


You should see the same portal as in the previous exercise. Why?
The training user group is associated with both sub-policies therefore the first one matching
the web-access portal is applied.
You could move the rule so that the rule for the full-access portal is first in the list however,
this will end up affecting all users in that group. Instead, edit the sub-rule created in step 1
above and set the user group to training2.
Click OK to save the rule settings, then click OK again to save the policy changes.

P a g e | 53
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 2

4. In the web browser on the virtual remote Windows XP host, connect to the SSL VPN portal
once again using the URL: https://10.200.1.1. Note that you may need to clear the
web browsers cache if the login window is not displayed.
This time, log in to the SSL VPN using the following credentials:
Username:

student2

Password:

F0rtinet2

You should now observe that the portal established is the full-access portal.
Note: If using the SSL VPN client available with FortiClient, you do not need to log
in via the portal.

5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes
sent and received incrementing.
6. On the virtual remote Windows host, open a DOS command prompt and perform the
following:
ipconfig
Note down your assigned IP address for reference.
Note that the fortissl adapter has an IP address. Where does this IP address come
from? Display the routing information by entering the following command:
route print
Note the low metric routes and observe that there is a route to 10.0.1.10. Where did this
come from?
Run a continuous ping to 10.0.1.10 as follows.
ping t 10.0.1.10
7. From the GUI on the Student FortiGate device go to VPN > Monitor > SSL-VPN Monitor.
The SSL-VPN Monitor displays the client connections and the IP allocated to the tunnel
connection.
8. In the firewall policy list, examine the Count field to see the packets and bytes per policy. You
may need to reposition this column accordingly for easier viewing.
Notice that there is traffic associated with the incoming rule from the ssl.<vdom name>
interface. This rule is created automatically. This traffic is the incoming traffic from your SSL
VPN client.
Where does your assigned address come from?
9. Go VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access
portal.

P a g e | 54
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 5 Lab 1: SSL VPN Exercise 2

Within the Enable Tunnel Mode options, note the IP Pool used which refers to a firewall
address object.
10. Go to Firewall Objects to look up that firewall address object. What are the values of that
object?
The object defines an address range that matches your assigned address, so this is how IP
addresses are configured and assigned to SSL VPN clients.
Where does the route to 10.0.1.10 come from?
HINT: In the policy list, look at the Destination address of the SSL VPN policy.
You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is
where the SSL VPN client route came from.
With this present configuration, the SSL VPN client is split tunneling. This means that only
traffic to the specific destination behind the firewall is tunneled, and all other traffic goes to
the default gateway.
What configuration change would you need to make to give the client a default route into the
tunnel?
Disable split tunneling in the full-access portal which means a default route is pushed to the
client forcing all traffic into the tunnel.

P a g e | 55
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 6 Lab 1: IPSec VPN

The aim of this lab is for students to configure an IPSec VPN on the FortiGate device using both
interface-based and policy-based modes.

Configure and implement interface and policy-based IPSec VPNs


Demonstrate the differences between interface and policy-based VPNs
Explain IPSec VPN configuration options

Estimated time to complete this lab: 30 minutes

P a g e | 56
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 6 Lab 1: IPSec VPN Exercise 1

1. From the Windows Server, you first will need to connect to the Student and Remote
FortiGate devices and restore the configuration files that are needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the
following configuration file: Resources\Module6\Student\student-ipsec.conf.
The Student FortiGate device will reboot.
Connect to the GUI on the Remote FortiGate device (10.200.3.1) and restore the
following configuration file: Resources\Module6\Remote\remote-ipsec.conf.
The Remote FortiGate device will reboot.
2. When the Student FortiGate device has rebooted, open a DOS command prompt from the
virtual Windows Server and run a continuous ping to the remote Windows XP host as
follows:
ping

-t 10.0.2.10

3. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and
examine the tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and the status
is currently up. This is the tunnel that is established to the Remote FortiGate device.
4. From the Student FortiGate device review the firewall policy port3remote. View the Count
column so that you can see the packets and bytes per policy.
Observe that the counter is incrementing for the port3remote policy.
What is the interface remote?
Go to System > Network > Interface and note the blue arrow head associated with port1. If
you expand this you will be able to see the remote interface and the type for this interface
which is set to Tunnel Interface.
5. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1
and Phase 2 IKE objects.
Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec
Interface Mode is selected.
These settings can also be viewed through the CLI as follows:
conf vpn ipsec phase1-interface
show

P a g e | 57
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 6 Lab 1: IPSec VPN Exercise 1

The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall
policy. How is the traffic getting to this policy?
Traffic arrives at the FortiGate unit on the ingress interface. For new connections, a routing
lookup is performed to select the egress interface and gateway, and then there is a lookup in
the firewall policy to find a matching rule. It is the routing lookup that selects the egress, and
therefore, the remote interface is selected in this case. So a route is driving the traffic to the
IPsec interface.
6. Go to Router > Monitor and view the current routing table. You will observe a static route to
the destination 10.0.2.0/24 pointing to the remote interface.
This is an example of the route-based VPN configuration. The alternative is the policy base
VPN which we will review next.
Generally, the route-based VPN is the preferred approach however there are a few
exceptions where you would need to use the policy-based VPN. These will be discussed
later.
7. Open a web browser on the Windows Server and connect to the GUI on the Remote
FortiGate device.
8. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote
FortiGate device. You should observe a tunnel named student with the destination
10.200.1.1 and the Status is up.
This is the tunnel that is established to the Student FortiGate device.
9. Still on the Remote FortiGate device, go to System > Network > Interface and note there is
no tunnel sub-interface for port4.
10. Go to Route > Monitor and view the current routing table. You will observe that there is no
route to the 10.0.2.0/24 destination, there is only a default route.
How is the traffic entering the tunnel then?
11. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a
policy from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address
10.0.1.0/24 (STUDENT INTERNAL) with action IPsec.
Edit this policy to view its settings.
The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has
permissions to allow traffic inbound as well as outbound. We will look at these settings later.
How is the traffic matching this policy?
On the Student FortiGate device, a static route was sending traffic to the IPSec interface.
Here there is no static route and the traffic is being sent to the tunnel using the policy subtype
setting, hence policy-based.
The IPSec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it the
tunnel student.

P a g e | 58
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 6 Lab 1: IPSec VPN Exercise 1

12. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the
IPSec configuration. Note the Phase 1 and Phase 2 IKE objects.
These settings can also be viewed through the CLI:
conf vpn ipsec phase1-interface
conf vpn ipsec phase2-interface
13. Edit the Phase1 IKE object remote and select Advanced to view all the settings. Note that
IPSec Interface Mode is not selected.
The Phase1 IKE object is the IPSec tunnel referenced in the IPSec firewall policy. Here we
are using policy-based on the Remote FortiGate device and interface-based on the Student
FortiGate device. The type we use is of local significance therefore we can mix them, as is
the case in this example.
14. From the remote Windows XP host, attempt to run a continuous ping to: 10.0.1.10.
You should observe this ping fails. Can you Identify why?
If the VPN is in Tunnel mode then only a single Firewall policy is used in order to allow and
regulate incoming and outgoing traffic. However if the policy is in Interface mode then a VPN
Firewall policy is separately needed to allow inbound and outbound communication.
In the Student FortiGate device we have only configured the outgoing policy and the VPN is
in Interface mode. This is why the new incoming connection is dropped, there is no firewall
policy to allow it.
15. Return to the Student FortiGate device and add the missing firewall policy.
You should observe the ping now succeeds.

P a g e | 59
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 7 Lab 1: Antivirus Scanning

The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.

Configure flow-based and proxy-based antivirus scanning


Test FortiGate unit AV scanning behavior

Estimated time to complete this lab: 30 minutes

P a g e | 60
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 7 Lab 1: Antivirus Scanning Exercise 1

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the
following configuration file: Resources\Module7\Student\student-utm.conf.
The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted go to Security Profiles > AntiVirus > Profile and
configure the default profile as follows to enable AV scanning on HTTP:
Inspection Mode:

Proxy

Virus Scan and Removal:

Select HTTP and deselect all other settings

Once the inspection settings have been entered click Apply to save the changes.
3. Go to Policy > Policy > Policy and edit the port3port1 policy. Turn ON AntiVirus and ensure
that the default antivirus profile is selected.
Once the profile is enabled on the policy click OK to apply the changes.
4. Next go to Policy > Policy > Proxy Options and examine the default proxy options that are
shown.
These settings determine how FortiOS handles each protocol. For example, which port
numbers to use, whether to use client comforting, block oversized emails and so on.
5. Go to System > Config > Replacement Message. From the top right-hand corner select
Extended View and under Security modify the Virus Block Page.
The HTML editor that is displayed allows you to see the changes as you are making them. If
you do not wish to use the standard block pages they can be edited and modified as the
situation requires.
Click Save shown above the editor window to apply any changes.
6. From the virtual Windows Server host, launch a web browser and access the following web
site:
http://eicar.org
7. On the Eicar web page, click Download ANTI MALWARE TESTFILE (located in the top righthand corner of the page) and then click the Download link that appears on the left.
Download the any of the eicar sample files from the section Download area using the
standard HTTP protocol.

P a g e | 61
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 7 Lab 1: Antivirus Scanning Exercise 1

The download attempt will be blocked by the FortiGate unit and a replacement message will
be displayed similar to the following (should also include any customization you made
earlier):

The Eicar file is an industry-standard used to test antivirus detection. The file contains the
following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
8. The HTTP virus message is shown when infected files are blocked or have been quarantined.
In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view
information about the detected virus.
9. From the GUI on Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic and locate the antivirus event messages.
In order to view summary information of the AV activity, add the Advanced Threat Protection
Statistics widget to the Dashboard.
10. On the Eicar web page, click Download ANTI MALWARE TESTFILE and then click the
Download link that appears on the left. This time, select the eicar.com file from the Download
area using the secure SSL enabled protocol HTTPS section.
The download should be successful because we have not enabled SSL inspection.
11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy >
Policy > SSL/SSH Inspection and under SSL Inspection Options, ensure the protocol HTTPS
on port 443 is enabled.
Click Apply.
12. Next, go to Policy > Policy > Policy and edit the policy: port3port1. Under Security Profiles
enable SSL/SSH Inspection by setting this to ON. Click OK.

P a g e | 62
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 7 Lab 1: Antivirus Scanning Exercise 1

13. To ensure that there are no existing sessions prior to deep scanning the communication
exchange, connect to the CLI of the Student FortiGate unit and enter the following command:
diag sys session filter dport 443
diag sys session clear
14. Return to the Eicar web page and attempt to download the eicar.com file from the Download
area using the secure SSL enabled protocol HTTPS section.
This time, the download will be blocked by the FortiGate unit and the replacement message
will be displayed. If this is not the case, you may need to clear your recent browsing history
as the object may be cached. In Firefox select History > Clear Recent History > Everything.
15. Go to Security Profiles > Antivirus > Profile and change the Inspection Mode for the default
Antivirus Profile to Flow-based. Click Apply.
Try downloading the eicar.com file again. What happens now when the virus is detected?

P a g e | 63
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 8 Lab 1: Email Filtering

The aim of this lab is for students to work with email filtering.

Enable and use email filtering on a FortiGate unit


Modify inspection rules to black or white list emails (using banned word, IP, email etc.)
Read and interpret email log entries

Estimated time to complete this lab: 30 minutes

P a g e | 64
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 8 Lab 1: Email Filtering Exercise1

1. From the Windows Server, you will first need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab. This module uses the same config as
in Module 7.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the
following configuration file: Resources\ Module7\Student\student-utm.conf.

The Student FortiGate device will reboot.


2. When the FortiGate device has rebooted go to System > Config > Features. Under Security
Features turn ON Email Filtering. This step is required to enable the Email filtering feature on
the FortiGate device. By default, this is a hidden security feature. Click Apply to save the
changes.
3. Next, go to Security Profiles > Email Filter > Profile and edit the default email filtering profile.
Select Enable Spam Detection and Filtering to enable it then click Apply. Configure the
following settings:
SMTP Spam Action:

Tagged

FortiGuard Spam Filtering:

Enable IP Address Check


Enable URL Check

Once the changes to the email profile have been entered, click Apply to save the changes.
4. By default FortiGuard services are enabled. Go to System > Config > FortiGuard and check
the status of the service. (If you are using the hosted virtual lab environment you will need to
change the service port to UDP 8888).
5. Go to Policy > Policy > Policy and edit the port3port1 outgoing policy. Under Security
Profiles, turn ON Email Filter and ensure that the default email filter profile is selected.
In the steps that follow, you will generate and send test spam emails to your Microsoft
Outlook user@internal.lab inbox. In the classroom lab environment, you will initiate the spam
generation using a script called smtpmboxgen.pl which is provided in the Resources\Module8
folder. Details for using this script will be provided in the steps that follow.
6. From the Windows server, open a command prompt and change directory to the
C:\Documents and Settings\Administrator\Desktop\Resources\Module8 folder as follows:
CD C:\Documents and Settings\Administrator\Desktop\Resources\Module8
Next run the spam script by entering the following:
smtpmboxgen.pl
7. From your Microsoft Outlook mail client, check the email inbox to review the tagged spam. To
view the corresponding logging events, go to Log & Report > Traffic Log > Forward Log.

P a g e | 65
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 8 Lab 1: Email Filtering Exercise1

8. From the CLI on the Student FortiGate device, execute the following commands to enable
Banned Word Check in the default email filter profile:
config spamfilter profile
edit "default"
set spam-filtering enable
set options bannedword spamfsip spamfsurl
set spam-bword-table 1
end
9. Next, run the commands below to review the banned words that have already been
configured for you in the configuration file being used for this lab.
config spam bword
show
Notice the use of both regular expression and wild cards in that list.
10. Go to Security Profiles > Email Filter > Profile again and this time modify the default email
filtering profile to set the SMTP Spam Action to Discard.
11. From your Microsoft Outlook mail client, generate a message to: test@gmail.com that will be
caught by the banned words that have been configured. For example, add the word training
to the subject or message body of your test email and attempt to send the message.
When you send the email the following message displays indicating the message was
blocked:

P a g e | 66
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 8 Lab 1: Email Filtering Exercise1

Remember that some banned words apply only to the subject line, others apply only to the
body and others apply to both.
A banned word is only scored once, for example if a banned word has a score 10 and yet the
word occurs four times in the message body, it will only still be assigned a count of 10.
12. Go to Log & Report > Security Log > Email Filter and check the email filtering log entries for
this event as well. To make it easier to view all email activity, add the column Dst Port and
filter on port 25.

P a g e | 67
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 9 Lab 1: Web Filtering

The aim of this lab is for students to configure web filtering to block specific categories of web
content. The interaction of local categories and overrides will also be demonstrated.

Enable and use web filtering on a FortiGate device


Select the most effective method for blocking or allowing a web site
Read and interpret web filter log entries

Estimated time to complete this lab: 30 minutes

P a g e | 68
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 9 Lab 1: Web Filtering Exercise 1

1. From the Windows Server, you will first need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab. This module uses the same config as
in Module 7.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following

configuration file: Resources\ Module7\Student\student-utm.conf.


The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted go to System > Status and under License
information check the FortiGuard Services Web Filtering status to ensure that the license has
been validated. A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter > Profile and
review the settings of the default web filter profile.
4. Verify that the Inspection Mode is set to Proxy and enable FortiGuard Categories.
Under FortiGuard Categories right-click the web category Potentially Liable and select the
action: Authenticate.
Next, set Selected User Groups to the training user group and accept the default Warning
Interval value of 5 minutes.
Click OK to save the settings.
5. Repeat the above step for the following web categories:
Adult/Mature Content
Security Risk
Click OK to save the settings.
6. Next right-click the web category Bandwidth Consuming, and select Warning. Accept the
default Warning Interval value of 5 minutes then click OK to save the settings.
7. Repeat the above step for the web category: Unrated.
Right-click the web category General Interest Business and select Block.
Click Apply to save your changes.

P a g e | 69
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 9 Lab 1: Web Filtering Exercise 1

8. Go to Policy > Policy > Policy and edit the outing port3port1 policy. Under Security Profiles,
turn on Web Filter and ensure that the default profile is selected.
Next, turn ON SSL/SSH Inspection under Proxy Options and ensure the default profile is
selected.
Click OK to save the policy changes.
9. From the CLI on the Student FortiGate device, check the low-level status information of the
web filtering service by entering the following command:
diag debug rating
The command diag debug rating shows the list of FDS servers for web filtering that the
FortiGate unit is using to send requests. Rating requests are only sent to the server on the
top of the list in normal operation. Each server is probed for RTT every 2 minutes.
The diag debug rating flags indicate the server status as explained below:
D indicates the server was found via the DNS lookup of the hostname. If the
hostname returns more than one IP address, all of them will be flagged with 'D' and
will be used first for INIT requests before falling back to the other servers.
I indicates the server to which the last INIT request was sent.
F signifies the server has not responded to requests and is considered to have failed.
T signifies server is currently being timed.
10. From a web browser on the virtual Windows Server, connect to a web site that is usually
blocked by the training policy and verify that the blocked message is displayed.
A FortiGuard replacement message should be displayed.
11. Go to System > Config > Replacement Message and under Security select FortiGuard Block
Page and change the text of the block message to customize it. Click Save located in the
upper-right hand corner of the edit pane to apply your changes.
12. Revisit the same web site and ensure that the customized FortiGuard Block Page Blocked
message is displayed.
You may need to clear your browsers cache or refresh the block page as the browser might
take the information from its local cache.

P a g e | 70
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 9 Lab 1: Web Filtering Exercise 1

13. Next, in the web browser, attempt to connect to a web site category with an Authenticate
action. For example:
A Web Page Blocked message is displayed again, this time with a Proceed button.

14. Click Proceed to view the Web Filter Block Override page. Enter the username student and
the password F0rtinet and click Continue.
The web page should now be displayed.
15. From the GUI on the Student FortiGate device, go Log & Report > Traffic Log > Forward
Traffic and locate the log messages related to the web filtering activity.
In the following step, you will configure an access quota for a couple of categories. Quotas
allow access to web resources for a specified length of time.
16. Go to Security Profiles > Web Filter > Profile and edit the default web filter profile.
17. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click
Create New to create new quotas. Select the categories (same as in Step 4) to be assigned
quotas and set the quota time value to 5 minutes.
Once you have altered the web filter profile, click OK then click Apply to save the profile
settings.
18. From a web browser on the Windows Server, attempt to visit a blocked category web site
again.

P a g e | 71
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 9 Lab 1: Web Filtering Exercise 1

19. Click Proceed on the Web Page Blocked page. Authenticate on the Web Filter Block
Override page using the username student and the password F0rtinet and click Continue.
Once authenticated properly, the quota timer is initiated.
20. To view the quota timer value, enable the Security Profiles monitors through the CLI as
follows:
config sys global
set gui-utm-monitor enable
end
then, go to Security Profiles > Monitor > FortiGuard Quota. If the FortiGuard Monitor is not
displayed, you may need to clear the web browsers cache or refresh the page.
When the daily quota value is reached, the FortiGuard replacement message will be
displayed again.
21. From the GUI on the Student FortiGate device go Log & Report > Traffic Log > Forward
Traffic and locate the log messages related to the web filtering activity.
22. Edit the default web filter profile, expand Quota on Categories with Monitor, Warning and
Authenticate Actions and delete the quotas on the selected categories. Click OK then click
Apply to save the profile settings.
23. Still in the web filter profile and select flow-based. A notification is displayed as follows:

Click OK and then click Apply.


24. Test the behavior of the flow based inspection by connecting to a web site that is usually
blocked. Check the log entry for this blocked request.

P a g e | 72
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 1: Application Identification

The aim of this lab is for students to use the application control feature to properly identify a given
application.

Configure application control in the student lab environment


Read and understand application control logs

Estimated time to complete this lab: 30 minutes

P a g e | 73
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 1: Application Identification Exercise 1

1. From the Windows Server, you will first need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab. This module uses the same config as
in Module 7.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the

following configuration file: Resources\ Module10\Student\student-app.conf.


The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control >
Application Sensor and review the default application control sensor.(Ensure you are
selecting the sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:
Application:

Youtube

Application:

Myspace

Check the Action setting for each filter. What are the expected actions of these sensors?
Traffic shaping is enabled for Youtube and these applications use a shared traffic shaper
which is capped at 1 Mbps. Connections to Myspace are blocked.
Before proceeding ensure both of these signatures are located at the top of the list. Click
Apply to save changes to the profile.
4. Go to Policy > Policy > Policy and edit the port3port1 policy. Ensure that Application
Control is turned ON and that the default Application Control sensor is selected. Click OK.
You will now test the application control configuration. From the virtual Windows Server,
open a web browser and connect to YouTube.com.
5. On the YouTube web site, attempt to play a few videos.
Check the traffic shaper monitor in Firewall Objects > Monitor > Traffic Shaper Monitor.
6. Next, enable the Security Profiles monitors through the CLI as follows:
config sys global
set gui-utm-monitor enable
end
then, check the Application monitor in Security Profiles > Monitor > Application Monitor. If the
Application Monitor is not displayed, you may need to clear the web browsers cache or
refresh the page.

P a g e | 74
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 1: Application Identification Exercise 1

7. From the virtual Windows Server host, open a web browser and connect to Myspace.com.
You should observe that you cannot connect to this site.
8. Go to Security Profiles > Application Control > Application Sensor and edit the default sensor
again. Click Create New to add a new application filter and select Specify Applications.
9. In the search field shown above the Application Name column enter Facebook. From the
results that display, select Facebook from the Application Name column. A window displays
with a description of the application including popularity, and a reference link that you can
click to obtain more rating information from the FortiGuard Center.
Set Action to block and ensure that this new signature is place at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes.
Test that this site is now blocked. Go to Log & Report > Traffic Log > Forward Traffic and
view the log information to confirm that this action was correctly logged. The status of the
connection should be displayed as deny.
10. From the web browser, and attempt to access the following web site:
http://proxite.us
On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click
Go.
You should observe this does allow some connectivity to the site. What action can be taken
to stop this?
You can create a new rule in the sensor to block the Proxy category.

P a g e | 75
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 2: Traffic Shaping

The aim of this lab is for students to work with the traffic shaping function of application control to
limit a specific application.

Students will complete the following tasks:


Restrict YouTube video bandwidth

Estimated time to complete this lab: 10 minutes

P a g e | 76
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 2: Traffic Shaping Exercise 1

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.
Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the
following configuration file: Resources\Module10\Student\Student-app.conf
The Student FortiGate device will reboot.
2. Go to Policy > Policy > Policy and edit the outbound port3 > port1 firewall policy. Set
Application Control to ON and from the drop-down list select the monitor-p2p-and-media
profile.
Click OK to save the policy settings.
3. From a web browser on the virtual Windows Server host, connect to a Youtube web site and
stream a random video. Go to Log & Report > Traffic Log > Forward Traffic and view the
application control log entries that are generated.
4. From the GUI on the Student FortiGate device go to Firewall Objects > Traffic Shaper >
Shared and create a new traffic shaper with the following details:
Name :

YouTube

Maximum Bandwidth:

100

Note: The units are in kilobits per second. Take this into consideration when
setting values, as typically bandwidth measurements are done in kilo bytes, or
even larger units.

5. Go to Security Profiles > Application Control > Application Sensor and select the monitorp2p-and-media application control profile from the drop-down list shown in the upper righthand corner of the window.
6. Next, edit the sensor: ID2 (Video/Audio). If the ID column is not visible, modify the column
settings to add it.
Scroll to the bottom of the window, and set Action to Traffic Shaping. Enable both Forward
and Reverse Direction Traffic Shaping and from the drop-down list, select the YouTube traffic
shaper you created in the previous.
Once you have applied the YouTube shaper to both the normal and reverse direction for this
signature, click OK then click Apply.
7. Clear the web browser cache and re-open it. Connect to the Youtube web site again and
stream the same video. If you set the Shaper levels low enough the experience of playing
the video will be very different.
Note: Only shared shapers are allowed, so the maximum value here would apply
to everyone inside the network that was using the application (YouTube videos in
this case). Keep this in mind when using this option.

P a g e | 77
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 3: Selective Application Control

The aim of this lab is to demonstrate how application control can be used to selectively block only
specific features inside some network applications.

Students will complete the following tasks:


Block user attempts to edit any Wikipedia article, while allowing read-only access to that website.

Estimated time to complete this lab: 10 minutes

P a g e | 78
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Module 10 Lab 3: Selective Application Control Exercise 1

1. From the Windows Server, open a browser window and access:


http://www.wikipedia.org
Search for and open any Wikipedia article.
2. Click on the Edit tab on the top of the page. This should open the Wikipedia editor feature
that allows any user to modify articles.
3. From GUI on the Student FortiGate device, go to Security Profiles > Application Control >
Application Sensor and select the monitor-p2p-and-media application control profile from the
drop-down list shown in the upper right-hand corner of the window.
4. Click Create New to add a new application filter and select Specify Applications.
5. In the search field shown above the Application Name column enter Wikipedia. From the
results displayed, select Wikipedia_Edit from the Application Name column.
Set Action to block and ensure that this new signature is placed at the top of the list.
Once you have added the filter to the profile, click Apply to save the changes
6. Clear the web browsers cache and access a different Wikipedia article. You should still have
access to the Wikipedia document. Try to edit any article again. You should notice that this
time you are not able to edit the article.

P a g e | 79
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D

Appendix A: Additional Resources

1. Fortinet Documentation : http://docs.fortinet.com


The documentation web site contains all Fortinet manuals, white papers and guides for
Fortinet products.
2. Fortinet Knowledge Base: http://kb.fortinet.com
This site is useful for finding working examples and tips for Fortinet products.
3. Fortinet Web Site: http://www.fortinet.com
The Fortinet web site contains all hardware and product specifications.
4. FortiGuard Web Site: http://www.fortiguard.com
This site is suitable for finding information about the FortiGuard Subscription Services.
5. FortiCare Web Site: https://support.fortinet.com
The FortiCare web site is used to interface with Fortinet support, register devices you have
purchased and download firmware updates.
6. Fortinet User Forums: http://support.fortinet.com/forum/
These are user-led and run forums that discuss many different topics surrounding the use of
Fortinet devices.

P a g e | 80
Course 201 Administration, Content Inspection and VPNs
01-50003-0201-20131018-D