
Training

Security Fabric
VERSION 1.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
CONTENTS

Introduction ....................................................................................... 4

Prerequisites...................................................................................... 4

Connectivity Diagram ........................................................................ 5

Management IP Addresses ............................................................... 6

Lab 1: Enabling FortiLink.................................................................. 7

Lab 2: Creating VLANs .....................................................................12

Security Fabric 1.0 LAB guide 3


Fortinet Technologies Inc.
Fortinet Security Fabric Participant Guide

Last Updated: 10 July 2018

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare®, and FortiGuard®, and
certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be
registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks
of their respective owners. Performance and other metrics contained herein were attained in internal lab tests
under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent
Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance metrics
and, in such event, only the specific performance metrics expressly identified in such binding written contract
shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer,
or otherwise revise this publication without notice, and the most current version of the publication shall be
applicable.

Introduction
This document gives the student a tool to demonstrate to customers and partners the main
functionalities of the Fortinet devices installed in the LATAM lab. It contains several step-by-step
exercises to configure and set up all the devices, and shows how to present them to the customer.

This document includes FortiSandbox version 2.5

Prerequisites
To reach the lab environment you need a VPN connection to the lab FortiGate. The SSL VPN details for
FortiClient are:

SSL VPN (FortiClient)
Remote GW: sunrise-lab.fortidyndns.com
Port: 10443
user: test
pass: P@ssw0rd

Connectivity Diagram

Management IP Addresses
Management segment: 192.168.0.0/24

Device               Interface   IP address
FortiGate-01         port 1      192.168.0.11
FortiGate-02         port 1      192.168.0.12
FortiADC-01          port 1      192.168.0.13
FortiADC-02          port 1      192.168.0.14
FortiWeb             port 1      192.168.0.15
FortiMail-GW         port 1      192.168.0.16
FortiMail-SRVR       port 1      192.168.0.17
FortiSandbox         port 1      192.168.0.18
FortiAnalyzer        port 1      192.168.0.19
FortiAuthenticator   port 1      192.168.0.20
FortiSwitch-01       port 1      192.168.0.21
FortiSwitch-02       port 1      192.168.0.22

To access the Windows client, open a Remote Desktop connection:

Address:XXXXXXXX
user: XXXXXX
password: XXXXXXX

Lab 1: Enabling FortiLink
On FGT-01, configure the interface that will carry FortiLink.

Network -> Interfaces

Edit port 6, select the option Dedicated to FortiSwitch and leave the default IP address.

The interface is now enabled for switch management, but the switch controller itself has no
option in the FGT GUI on this unit:

it is disabled by default, so you need to go to the FGT console and enable it from the CLI.

Once you have enabled it, refresh your browser.

The next step is to authorize the FortiSwitch

There are two FortiSwitches in the topology. When you authorize the first one, refresh the page and
the second will appear for authorization as well.

After a few minutes your FortiGate screen should look like this.
Note that each FortiLink port is drawn in the same color as the line it is connected to, so you can
easily identify how the devices are physically cabled:

Blue Circle – Blue Line

Black Circle – Black Line

In the FGT console, type the following command to get the connection status:

FortiGate-01 # execute switch-controller get-conn-status


Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port6
SWITCH-ID         VERSION  STATUS         ADDRESS      JOIN-TIME                 NAME
S108DVMR221VZZ73  v3.6.0   Authorized/Up  169.254.1.2  Mon Sep 17 20:39:40 2018  -
S108DVSLYAPDHX6E  v3.6.0   Authorized/Up  169.254.1.3  Mon Sep 17 20:40:28 2018  -

To get the physical connections, type:

FortiGate-01 # execute switch-controller get-physical-conn standard FortiSwitch-Stack-port6

FortiGate(s)
FGVM020000159778(port6 ) <<------------------>> S108DVMR221VZZ73(port8 )

Tier 1
S108DVMR221VZZ73(port8 ) <<------------------>> FGVM020000159778(port6 )

Tier 2+
S108DVSLYAPDHX6E(port8 /8DVMR221VZZ73-0 ) <<------------------>> S108DVMR221VZZ73(port7 /8DVSLYAPDHX6E-0 )

The second switch (S108DVSLYAPDHX6E) is not cabled to the FortiGate directly: it reaches FortiLink
through port7 of the first switch, which is what the two colored lines in the topology view show.
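The two outputs above are what you would check by eye in the lab. As an added example (not part of the guide and not Fortinet code), the following Python script parses both of them, verifies that every managed switch is Authorized/Up, deduplicates the links (the FortiGate reports each cable from both ends) and walks the tiers back to the FortiGate, so the same check can be run from a script over the saved CLI output. The sample strings are copied from the guide; the FortiGate serial FGVM020000159778 is the one in the output.

```python
"""Parse `execute switch-controller get-conn-status` and
`execute switch-controller get-physical-conn` output and check FortiLink health.

Added example for this lab guide, not Fortinet code. The sample outputs are
the ones shown in the guide; the parsing and checks are the new part.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample 1: get-conn-status output, as printed in the guide.
CONN_STATUS = """\
Managed-devices in current vdom root:

STACK-NAME: FortiSwitch-Stack-port6
SWITCH-ID         VERSION  STATUS         ADDRESS      JOIN-TIME                 NAME
S108DVMR221VZZ73  v3.6.0   Authorized/Up  169.254.1.2  Mon Sep 17 20:39:40 2018  -
S108DVSLYAPDHX6E  v3.6.0   Authorized/Up  169.254.1.3  Mon Sep 17 20:40:28 2018  -
"""

# Sample 2: get-physical-conn output, as printed in the guide.
PHYSICAL_CONN = """\
FortiGate(s)
FGVM020000159778(port6 ) <<------------------>> S108DVMR221VZZ73(port8 )

Tier 1
S108DVMR221VZZ73(port8 ) <<------------------>> FGVM020000159778(port6 )

Tier 2+
S108DVSLYAPDHX6E(port8 /8DVMR221VZZ73-0 ) <<------------------>> S108DVMR221VZZ73(port7 /8DVSLYAPDHX6E-0 )
"""

FORTIGATE_SERIAL = "FGVM020000159778"   # from the physical-connection output above


@dataclass(frozen=True)
class ManagedSwitch:
    switch_id: str
    version: str
    status: str
    address: str


# A table row: FortiSwitch serial, firmware version, status, FortiLink address.
_ROW = re.compile(r"^(S\w+)\s+(v[\d.]+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s")
# A link line: "<device>(<port> ...) <<---->> <device>(<port> ...)".
_LINK = re.compile(r"^(\w+)\((\w+)[^)]*\)\s+<<-+>>\s+(\w+)\((\w+)[^)]*\)")


def parse_conn_status(text: str) -> dict[str, list[ManagedSwitch]]:
    """Return {stack_name: [switches]} from get-conn-status output."""
    stacks: dict[str, list[ManagedSwitch]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("STACK-NAME:"):
            current = line.split(":", 1)[1].strip()
            stacks[current] = []
            continue
        m = _ROW.match(line)
        if m and current is not None:
            stacks[current].append(ManagedSwitch(*m.groups()))
    return stacks


def unhealthy_switches(stacks: dict[str, list[ManagedSwitch]]) -> list[str]:
    """Serials whose status is anything other than Authorized/Up."""
    return [sw.switch_id for sws in stacks.values() for sw in sws
            if sw.status != "Authorized/Up"]


def parse_physical_conn(text: str) -> set[frozenset[tuple[str, str]]]:
    """Undirected links {(device, port), (device, port)}; duplicates collapse."""
    links: set[frozenset[tuple[str, str]]] = set()
    for line in text.splitlines():
        m = _LINK.match(line)
        if m:
            a, ap, b, bp = m.groups()
            links.add(frozenset({(a, ap), (b, bp)}))
    return links


def path_to_fortigate(links, fgt_serial: str, switch_id: str) -> list[str] | None:
    """Breadth-first search from a switch to the FortiGate; None if no cabled path."""
    adj: dict[str, set[str]] = {}
    for link in links:
        (a, _), (b, _) = tuple(link)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    frontier, seen = [[switch_id]], {switch_id}
    while frontier:
        path = frontier.pop(0)
        if path[-1] == fgt_serial:
            return path
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(path + [nxt])
    return None


def isolated_switches(stacks, links, fgt_serial: str) -> list[str]:
    """Managed switches with no path to the FortiGate in the physical view."""
    return [sw.switch_id for sws in stacks.values() for sw in sws
            if path_to_fortigate(links, fgt_serial, sw.switch_id) is None]


if __name__ == "__main__":
    stacks = parse_conn_status(CONN_STATUS)
    links = parse_physical_conn(PHYSICAL_CONN)
    print("not Authorized/Up:", unhealthy_switches(stacks))
    print("isolated:", isolated_switches(stacks, links, FORTIGATE_SERIAL))
```

Run it against the output of the two commands captured from your own FortiGate: a switch that is still waiting for authorization shows up in the first list, and a switch that is authorized but whose uplink cable was moved shows up in the second.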

Lab 2: Creating VLANs
To start creating VLANs, go to WiFi & Switch Controller -> FortiSwitch VLANs.

When a FortiSwitch is connected via FortiLink, the system automatically creates two VLANs: the
default VLAN with VLAN ID 1 and the quarantine VLAN with VLAN ID 4093.

Click Create New and fill in the following information:

Enable DHCP on VLAN 10.

Now create a second VLAN (VLAN_20).

Your FortiGate should look like this

Now assign these VLANs to ports on the FortiSwitches.


Go to WiFi & Switch Controller -> FortiSwitch Ports

Select port1, set its Native VLAN to VLAN_10, and set port2 to VLAN_20. Do this on both
switches.

Your FortiGate should look like this.

To start moving traffic from those VLANs you need to create the firewall policies, enabling the
default security profiles on each of them:

Do the same for VLAN_10.

Let's increase the threat weight of some web filter categories.

Go to Log & Report -> Threat Weight

Now, from your bastion host, open an SSH connection to a Linux computer behind the FortiSwitch. In a
terminal window type:

ssh tc@192.168.0.32

password: password

Start the script traffic.sh, which tries to connect to several malicious sites. You can tell the script
is running because it also sends pings to the router.

Go to FortiView -> Compromised Hosts, right-click the IP address of the host and ban it.

Choose the desired ban duration.

If you go back to the console on your bastion host you will see that the pings have stopped and no
traffic is leaving that computer anymore.

Under Monitor -> Quarantine Monitor you can see how long this computer will remain banned; from
there you can also remove the restriction with a right-click, and the script will resume
communication.

Now we are going to automate this function. Go to Security Fabric -> Automation and click Create New.
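What the FortiGate does across these steps (score each host by threat weight, list the compromised ones, ban a host for a period, release it, and let an automation stitch do the ban without a click) can be modelled in a few functions. The Python below is an added example for this guide, not Fortinet's implementation: the log lines are constructed in the shape of FortiOS web filter logs and are not captured from the lab, and the weight table, category levels and quarantine threshold are assumptions standing in for whatever you configured under Log & Report -> Threat Weight. It is useful for testing your own threshold before enabling a stitch, since a ban blocks all traffic from the host.

```python
"""Threat-weight scoring, compromised-host listing and quarantine with expiry.

Added example for this lab guide, not Fortinet code. Weights, category
levels, threshold and log lines are constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Weight per event by level, in the spirit of the FortiGate Threat Weight page (assumed values).
THREAT_WEIGHT = {"low": 5, "medium": 10, "high": 30, "critical": 50}
# Assumed category levels after the lab raised some web filter categories.
CATEGORY_LEVEL = {
    "Malicious Websites": "critical",
    "Phishing": "critical",
    "Proxy Avoidance": "high",
    "Gambling": "low",
}
QUARANTINE_THRESHOLD = 100          # assumed score at which the stitch bans a host

# Constructed sample in FortiOS key=value log style (not captured from the lab).
SAMPLE_LOGS = """\
date=2018-09-17 time=21:02:11 type=utm subtype=webfilter srcip=192.168.0.32 dstip=203.0.113.10 action=blocked catdesc="Malicious Websites" hostname="bad.example"
date=2018-09-17 time=21:02:13 type=utm subtype=webfilter srcip=192.168.0.32 dstip=203.0.113.11 action=blocked catdesc="Phishing" hostname="login.example"
date=2018-09-17 time=21:02:20 type=utm subtype=webfilter srcip=192.168.0.32 dstip=203.0.113.12 action=blocked catdesc="Malicious Websites" hostname="evil.example"
date=2018-09-17 time=21:03:01 type=utm subtype=webfilter srcip=10.0.20.49 dstip=203.0.113.20 action=blocked catdesc="Gambling" hostname="bet.example"
date=2018-09-17 time=21:03:05 type=utm subtype=webfilter srcip=10.0.20.49 dstip=203.0.113.21 action=passthrough catdesc="Proxy Avoidance" hostname="tunnel.example"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> dict[str, str]:
    """Split a FortiOS key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def score_hosts(lines) -> dict[str, int]:
    """Sum threat weights per source IP over web filter events, whatever the
    action (a rated category counts even when the request was let through)."""
    scores: dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_log_line(line)
        if ev.get("subtype") != "webfilter":
            continue
        level = CATEGORY_LEVEL.get(ev.get("catdesc", ""))
        if level:
            scores[ev["srcip"]] += THREAT_WEIGHT[level]
    return dict(scores)


def compromised_hosts(scores: dict[str, int], threshold: int = QUARANTINE_THRESHOLD) -> list[str]:
    """Hosts at or above the threshold, as the Compromised Hosts view would list them."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)


class Quarantine:
    """Banned-host list with expiry, like Monitor -> Quarantine Monitor."""

    def __init__(self) -> None:
        self._until: dict[str, int] = {}

    def ban(self, ip: str, now: int, duration: int) -> None:
        self._until[ip] = now + duration

    def release(self, ip: str) -> None:
        """Remove the restriction manually; traffic resumes immediately."""
        self._until.pop(ip, None)

    def remaining(self, ip: str, now: int) -> int:
        return max(0, self._until.get(ip, now) - now)

    def permits(self, ip: str, now: int) -> bool:
        """True when traffic from ip is allowed: never banned, or the ban expired."""
        return self._until.get(ip, 0) <= now


def run_stitch(lines, now: int, duration: int = 3600) -> Quarantine:
    """The automation stitch: ban every host over the threshold for `duration` seconds."""
    q = Quarantine()
    for ip in compromised_hosts(score_hosts(lines)):
        q.ban(ip, now, duration)
    return q


if __name__ == "__main__":
    scores = score_hosts(SAMPLE_LOGS.splitlines())
    print("scores:", scores)
    print("compromised:", compromised_hosts(scores))
```

With the assumed table, three critical web filter hits push 192.168.0.32 to 150 and it is banned, while the host at 10.0.20.49 stays at 35 and keeps its connectivity; lower the threshold or raise the weight of a category and re-run to see how quickly a host would be cut off.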

Now change the IP address of interface eth1 on the Windows machine. Be careful to change the correct
interface: we are going to move from 10.0.20.49 to 10.0.20.80.
